This is an enhancement request for SSL bundles to support (gasp) the windows certificate store.
Thank you for providing the SSL bundle support. We have Spring Boot applications that use TLS for RESTful services, clients, JDBC and RabbitMQ connections - they will come in very handy. But.... we run these on Windows. And, just like William S Burroughs - users of SSL bundles "go around looking younger for a few days. Then they need more"....
I am using javax.net.ssl.trustStoreType=WINDOWS-ROOT, set via JAVA_OPTS, which is great for trust store material and our in-house PKI/CA - but it would make it even easier if, using an alias or thumbprint, an SSL bundle could fetch keystore material (for server and client certificates) from the Windows cert store. I know that alias and friendly name differences can manifest, but since Java keystores support a pkcs12/p12/pfx format that aligns with the standard Windows format, is this feasible?
There are various Stack Overflow posts on using the crypto API to load material, and the JDK itself has an implementation for trust material, dk.crypto.mscapi\sun\security\mscapi\CKeyStore.java, and you've kindly made SslBundle an interface https://github.com/spring-projects/spring-boot/blob/1130ec54a955525bd2a375728fd140dc8b920702/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/SslBundle.java#L28. My point here being that even if the JKS support for pfx formats doesn't provide "standard" code for manipulating certs in that format, this other code might.
I'm envisaging properties that look like

```yaml
ssl:
  bundle:
    windows:
      thestuff:
        key:
          alias: "server"
          password: "changeit"
        keystore:
          location: "WINDOWS-MY"
          password: "changeit"
```
So my questions are:
- Is this on the road map already?
- Is it feasible? (someone will know a lot more about any issues in this space than I do)
- Would the current interface support it?
- If it's not on the roadmap, is there a mechanism to get Spring to load this from external code? Pardon my ignorance, but at first glance these bundles aren't beans, so I'm not sure what other mechanism might be available to wire them in.

If you think it's viable, and the interface would support it, I'd be happy to crib some code together to further illustrate the idea - but I've never built Spring Boot itself, so I think it would be a long road for me to submit a PR. And obviously there is a cost to supporting any feature, so if this is something you actively choose not to implement or support I'm fine with that too.
Thanks for any consideration
Comment From: scottfrederick
> Is this on the road map already?
This is not something that is on the roadmap as an enhancement in Spring Boot itself.
> Is it feasible? (someone will know a lot more about any issues in this space than I do) Would the current interface support it? If it's not on the roadmap, is there a mechanism to get Spring to load this from external code? Pardon my ignorance, but at first glance these bundles aren't beans, so I'm not sure what other mechanism might be available to wire them in.
The SSL bundles feature was designed with this type of extension in mind. The mechanism for loading bundles from an external source is the SslBundleRegistrar. When a bean of this type is contributed to the application context, it can create named bundles and add them to the list of bundles that are available for use by the application.
The SslPropertiesSslBundleRegistrar class is an example of this that reads the spring.ssl.bundle properties and creates bundles from the provided properties. You could use that as a model, create your own properties class, implement your own registrar that reads the properties and loads the content from the Windows store, and contribute the registrar as a bean.
All this can be done outside of Spring Boot, which gives you the ability to iterate on it separately from Boot's release cycle (and without having to build Spring Boot itself).
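The registrar approach described above, as an added example that is not Spring Boot's own code and not something the project ships: a small auto-wired configuration that binds a `app.ssl.windows.bundle.<name>.*` properties map (the prefix, the `WindowsSslBundleConfiguration` class and its nested types are assumptions), opens the `Windows-MY` and `Windows-ROOT` key stores through the JDK's SunMSCAPI provider, and registers each entry as a named `SslBundle` via `SslBundleRegistrar`, so `server.ssl.bundle=thestuff` or a `RestClient`/JDBC/RabbitMQ bundle reference works the same way as a `spring.ssl.bundle.jks.*` entry.

```java
package com.example.ssl; // assumed package name

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.boot.ssl.SslBundle;
import org.springframework.boot.ssl.SslBundleKey;
import org.springframework.boot.ssl.SslBundleRegistrar;
import org.springframework.boot.ssl.SslBundleRegistry;
import org.springframework.boot.ssl.SslStoreBundle;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Example (not part of Spring Boot): registers SSL bundles backed by the Windows
 * certificate store. With
 *
 *   app.ssl.windows.bundle.thestuff.alias=server
 *
 * a bundle named "thestuff" becomes available to anything that accepts a bundle name.
 * Requires a Windows JDK, where the SunMSCAPI provider supplies the "Windows-MY"
 * (current user's personal store) and "Windows-ROOT" (trusted roots) key store types.
 */
@Configuration(proxyBeanMethods = false)
@EnableConfigurationProperties(WindowsSslBundleConfiguration.WindowsSslProperties.class)
public class WindowsSslBundleConfiguration {

	@Bean
	SslBundleRegistrar windowsSslBundleRegistrar(WindowsSslProperties properties) {
		return new WindowsSslBundleRegistrar(properties);
	}

	@ConfigurationProperties("app.ssl.windows") // assumed prefix; kept outside spring.ssl.* on purpose
	public static class WindowsSslProperties {

		private final Map<String, Entry> bundle = new LinkedHashMap<>();

		public Map<String, Entry> getBundle() { return this.bundle; }

		public static class Entry {
			/** Alias as SunMSCAPI exposes it, i.e. the certificate's friendly name in certmgr.msc. */
			private String alias;
			/** Store holding the private key and its certificate chain. */
			private String keyStore = "Windows-MY";
			/** Store used for peer trust. */
			private String trustStore = "Windows-ROOT";
			public String getAlias() { return this.alias; }
			public void setAlias(String alias) { this.alias = alias; }
			public String getKeyStore() { return this.keyStore; }
			public void setKeyStore(String keyStore) { this.keyStore = keyStore; }
			public String getTrustStore() { return this.trustStore; }
			public void setTrustStore(String trustStore) { this.trustStore = trustStore; }
		}
	}

	static class WindowsSslBundleRegistrar implements SslBundleRegistrar {

		private final WindowsSslProperties properties;

		WindowsSslBundleRegistrar(WindowsSslProperties properties) { this.properties = properties; }

		@Override
		public void registerBundles(SslBundleRegistry registry) {
			this.properties.getBundle().forEach((name, entry) -> {
				KeyStore keyStore = openWindowsStore(entry.getKeyStore());
				KeyStore trustStore = openWindowsStore(entry.getTrustStore());
				requireKeyEntry(keyStore, entry);
				// Windows stores have no password: the private key never leaves CryptoAPI/CNG,
				// SunMSCAPI signs on Java's behalf, so both passwords are null here.
				SslStoreBundle stores = SslStoreBundle.of(keyStore, null, trustStore);
				SslBundleKey key = SslBundleKey.of(null, entry.getAlias());
				registry.registerBundle(name, SslBundle.of(stores, key));
			});
		}

		/** Opens a SunMSCAPI-backed store; load(null, null) reads the live Windows store. */
		static KeyStore openWindowsStore(String type) {
			try {
				KeyStore store = KeyStore.getInstance(type);
				store.load(null, null);
				return store;
			}
			catch (GeneralSecurityException | IOException ex) {
				throw new IllegalStateException("Cannot open Windows key store '" + type + "'", ex);
			}
		}

		/** Fails fast at startup instead of at the first TLS handshake if the alias is wrong. */
		private static void requireKeyEntry(KeyStore keyStore, WindowsSslProperties.Entry entry) {
			try {
				if (entry.getAlias() == null || !keyStore.isKeyEntry(entry.getAlias())) {
					throw new IllegalStateException("No private key with alias '" + entry.getAlias()
							+ "' in " + entry.getKeyStore());
				}
			}
			catch (GeneralSecurityException ex) {
				throw new IllegalStateException("Cannot inspect " + entry.getKeyStore(), ex);
			}
		}
	}
}
```

The prefix is deliberately not under `spring.ssl.bundle`, so it cannot collide with Boot's own `SslProperties` binding. Because the private key stays inside the Windows store, the alias check at startup is the only place a wrong friendly name surfaces; without it the failure would appear later as a handshake with no usable key.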
Comment From: alister995199
Hi @scottfrederick,
Thank you for the reply and the tips! That seems pretty manageable - I'll give it a shot - though I'm nervous about the need for elevation for private key access etc. and other "gotchas". So I'm not assuming it will be possible.
I'll raise a Stack Overflow question related to this, to garner any input, but also to possibly self-post an implementation - since it's the de rigueur place to look for code solutions. I'll link that here today - after which feel free to close this issue.
Edit: https://stackoverflow.com/questions/78111646/spring-ssl-bundle-for-certificate-material-from-windows-certificate-stores-ser