Background

We have a custom component for watching for changes on PEM files and reloading some components such as Tomcat. We are using PemSslStoreBundle to load the PEM files into keystores. This class has a limitation of not allowing the key password to be specified: it is always null.

Problem

Tomcat currently cannot pick up null key passwords: if the key password is null, it'll attempt to use the keystore password and consequently fail to load the keys. See: SSLUtilBase. Even though the limitation should be fixed on Tomcat, other 3pp components could have a similar issue, hence it would be great to improve this algorithm to take the key password as a parameter.

Workaround

A workaround for this case is to provide Tomcat with an empty-string password: Tomcat will use the empty string to load the keys, and surprisingly keyStore.getKey("alias", "".toCharArray()) works for keys saved with a null password on OpenJDK 17; however, it looks like an odd, undocumented behavior which may not work on future versions.
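The two lookups the issue contrasts, as an added example that is not part of the issue or of Spring Boot's code: a PKCS12 store whose key entry was saved with a null key password, as the setKeyEntry call the issue describes PemSslStoreBundle making, is queried once with the keystore password (Tomcat's fallback) and once with the empty string (the workaround). A secret-key entry stands in for the PEM private key only to avoid constructing a certificate chain; the keystore password "changeit" and the alias are constructed sample values. The empty string works because the JDK PKCS12 provider derives the per-entry protection key through PBEKeySpec, whose constructor documents that a null password is treated as an empty one.

```java
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class NullKeyPasswordCheck {

    // Constructed sample keystore password; the key entry itself is saved with a null password.
    static final char[] STORE_PASS = "changeit".toCharArray();

    // Builds an in-memory PKCS12 store whose single key entry is saved with a null key password,
    // the setKeyEntry(alias, key, null, chain) call that PemSslStoreBundle makes for a PEM key.
    // A secret key is used here only so that no certificate chain has to be built.
    static KeyStore buildStoreWithNullKeyPassword() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, STORE_PASS);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        ks.setKeyEntry("alias", key, null, null);
        return ks;
    }

    // Returns true when the entry can be recovered with the given key password and false when
    // the provider rejects it (UnrecoverableKeyException), which is the failure Tomcat hits.
    static boolean canRecoverKey(KeyStore ks, char[] keyPassword) throws Exception {
        try {
            return ks.getKey("alias", keyPassword) != null;
        } catch (UnrecoverableKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = buildStoreWithNullKeyPassword();
        // Tomcat's behaviour for a null key password: fall back to the keystore password.
        System.out.println("keystore password: " + canRecoverKey(ks, STORE_PASS));
        // The workaround from the issue: pass an empty string as the key password.
        System.out.println("empty string:      " + canRecoverKey(ks, "".toCharArray()));
    }
}
```

Run it on the JDK you deploy with before relying on the workaround; the issue only reports the empty-string lookup succeeding on OpenJDK 17, and a provider that does not equate a null and an empty PBE password would make both lookups fail.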

Comment From: scottfrederick

@chicobento Do you have a case where you need to provide a value other than "empty" for the key password, or do you just need it not be null (as in your workaround example) to keep Tomcat from trying to use the keystore password?

Comment From: chicobento

Hi @scottfrederick, I don't have any case so far.

My only concern is that there might be cases where a component receives the keystore configuration in a config file, let's say, YAML. In this case it would be a little tricky to represent an empty string, depending on how the component will interpret it. Also, some components could be doing some dumb emptiness comparison to fall back to the keystore password or something.