Avoids using "password" as default password when loading / reading ke…

…y stores. Fix quarkusio#29573. This should be considered as a breaking change for users using "password" as password.
cescoffier · Jan 30, 2023 · 9d426d3 · 9d426d3
1 parent dd48b4f
commit 9d426d3
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 17 deletions.
diff --git a/extensions/grpc/runtime/src/main/java/io/quarkus/grpc/runtime/GrpcSslUtils.java b/extensions/grpc/runtime/src/main/java/io/quarkus/grpc/runtime/GrpcSslUtils.java
@@ -52,7 +52,6 @@ static boolean applySslOptions(GrpcServerConfiguration config, HttpServerOptions
         final Optional<Path> certFile = sslConfig.certificate;
         final Optional<Path> keyFile = sslConfig.key;
         final Optional<Path> keyStoreFile = sslConfig.keyStore;
-        final String keystorePassword = sslConfig.keyStorePassword;
         final Optional<Path> trustStoreFile = sslConfig.trustStore;
         final Optional<String> trustStorePassword = sslConfig.trustStorePassword;
 
@@ -77,15 +76,19 @@ static boolean applySslOptions(GrpcServerConfiguration config, HttpServerOptions
             switch (type) {
                 case "pkcs12": {
                     PfxOptions o = new PfxOptions()
-                            .setPassword(keystorePassword)
                             .setValue(Buffer.buffer(data));
+                    if (sslConfig.keyStorePassword.isPresent()) {
+                        o.setPassword(sslConfig.keyStorePassword.get());
+                    }
                     options.setPfxKeyCertOptions(o);
                     break;
                 }
                 case "jks": {
                     JksOptions o = new JksOptions()
-                            .setPassword(keystorePassword)
                             .setValue(Buffer.buffer(data));
+                    if (sslConfig.keyStorePassword.isPresent()) {
+                        o.setPassword(sslConfig.keyStorePassword.get());
+                    }
                     options.setKeyStoreOptions(o);
                     break;
                 }
@@ -97,7 +100,7 @@ static boolean applySslOptions(GrpcServerConfiguration config, HttpServerOptions
         }
 
         if (trustStoreFile.isPresent()) {
-            if (!trustStorePassword.isPresent()) {
+            if (trustStorePassword.isEmpty()) {
                 throw new IllegalArgumentException("No trust store password provided");
             }
             String type;

diff --git a/extensions/grpc/runtime/src/main/java/io/quarkus/grpc/runtime/config/SslServerConfig.java b/extensions/grpc/runtime/src/main/java/io/quarkus/grpc/runtime/config/SslServerConfig.java
@@ -44,8 +44,8 @@ public class SslServerConfig {
     /**
      * A parameter to specify the password of the key store file. If not given, the default ("password") is used.
      */
-    @ConfigItem(defaultValue = "password")
-    public String keyStorePassword;
+    @ConfigItem
+    public Optional<String> keyStorePassword;
 
     /**
      * An optional trust store which holds the certificate information of the certificates to trust

diff --git a/...ns/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java b/...ns/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonConfig.java
@@ -257,10 +257,10 @@ public static class Jwt {
             public Optional<String> keyStoreFile = Optional.empty();
 
             /**
-             * A parameter to specify the password of the key store file. If not given, the default ("password") is used.
+             * A parameter to specify the password of the key store file.
              */
-            @ConfigItem(defaultValue = "password")
-            public String keyStorePassword;
+            @ConfigItem
+            public Optional<String> keyStorePassword;
 
             /**
              * The private key id/alias
@@ -271,8 +271,8 @@ public static class Jwt {
             /**
              * The private key password
              */
-            @ConfigItem(defaultValue = "password")
-            public String keyPassword;
+            @ConfigItem
+            public Optional<String> keyPassword;
 
             /**
              * JWT audience ('aud') claim value.
@@ -456,8 +456,8 @@ public enum Verification {
         /**
          * A parameter to specify the password of the key store file. If not given, the default ("password") is used.
          */
-        @ConfigItem(defaultValue = "password")
-        public String keyStorePassword;
+        @ConfigItem
+        public Optional<String> keyStorePassword;
 
         /**
          * An optional parameter to select a specific key in the key store. When SNI is disabled, if the key store contains

diff --git a/...ons/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java b/...ons/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcCommonUtils.java
@@ -147,12 +147,16 @@ public static void setHttpClientOptions(OidcCommonConfig oidcConfig, TlsConfig t
             try {
                 byte[] keyStoreData = getFileContent(oidcConfig.tls.keyStoreFile.get());
                 io.vertx.core.net.KeyStoreOptions keyStoreOptions = new KeyStoreOptions()
-                        .setPassword(oidcConfig.tls.keyStorePassword)
                         .setAlias(oidcConfig.tls.keyStoreKeyAlias.orElse(null))
                         .setAliasPassword(oidcConfig.tls.keyStoreKeyPassword.orElse(null))
                         .setValue(io.vertx.core.buffer.Buffer.buffer(keyStoreData))
                         .setType(getStoreType(oidcConfig.tls.keyStoreFileType, oidcConfig.tls.keyStoreFile.get()))
                         .setProvider(oidcConfig.tls.keyStoreProvider.orElse(null));
+
+                if (oidcConfig.tls.keyStorePassword.isPresent()) {
+                    keyStoreOptions.setPassword(oidcConfig.tls.keyStorePassword.get());
+                }
+
                 options.setKeyCertOptions(keyStoreOptions);
 
             } catch (IOException ex) {
@@ -310,8 +314,18 @@ public static Key clientJwtKey(Credentials creds) {
                 } else if (creds.jwt.keyStoreFile.isPresent()) {
                     KeyStore ks = KeyStore.getInstance("JKS");
                     InputStream is = ResourceUtils.getResourceStream(creds.jwt.keyStoreFile.get());
-                    ks.load(is, creds.jwt.keyStorePassword.toCharArray());
-                    key = ks.getKey(creds.jwt.keyId.get(), creds.jwt.keyPassword.toCharArray());
+
+                    if (creds.jwt.keyStorePassword.isPresent()) {
+                        ks.load(is, creds.jwt.keyStorePassword.get().toCharArray());
+                    } else {
+                        ks.load(is, null);
+                    }
+
+                    if (creds.jwt.keyStorePassword.isPresent()) {
+                        key = ks.getKey(creds.jwt.keyId.get(), creds.jwt.keyPassword.get().toCharArray());
+                    } else {
+                        key = ks.getKey(creds.jwt.keyId.get(), null);
+                    }
                 }
             } catch (Exception ex) {
                 throw new ConfigurationException("Key can not be loaded", ex);

diff --git a/...ons/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/CertificateConfig.java b/...ons/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/CertificateConfig.java
@@ -96,7 +96,7 @@ public class CertificateConfig {
 
     /**
      * A parameter to specify the password of the key store file. If not given, and if it can not be retrieved from
-     * {@linkplain CredentialsProvider}, then the default ("password") is used.
+     * {@linkplain CredentialsProvider}.
      *
      * @see {@link #credentialsProvider}
      */