Web server fails to start due to "Resource location must not be null" when attempting to use a PKCS 11 KeyStore

Open cdanger opened this issue 2 years ago • 7 comments

This fixes the error Unable to start reactive web server / WebServerException: Could not load key store 'null' / IllegalArgumentException: Resource location must not be null (see spring-boot-error.log for the details) when using PKCS11 keystore type (server.ssl.key-store-type property) with undefined/null server.ssl.key-store property (as there is no keystore file in the case of a PKCS#11 HSM) on a Spring Boot Reactor Netty configuration; e.g. running with arguments: --server.ssl.enabled=true --server.ssl.key-store-provider=SunPKCS11-SoftHSM --server.ssl.key-store-type=PKCS11...

This also adds:

  • Unit tests in spring-boot-project/spring-boot SslServerCustomizerTests class, using a mock PKCS#11 keystore provider implementation, for basic validation of the fix.
  • TestContainers integration test (requires Docker) in new sub-module spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-webflux-ssl for more extensive validation: loading a Spring Boot Webflux (Netty SSL server) app with an actual PKCS#11 library (SoftHSM) for the keystore, in order to make sure it works with a full PKCS#11 implementation.

cdanger, Aug 27 '22 17:08
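The situation described in the PR (a PKCS11 key store has no file behind it, so there is nothing to resolve as a location) can be sketched as follows. This is an added example, not code from the PR or from Spring Boot: the class and method names are hypothetical, rejecting a non-empty location for PKCS11 is an assumption of the sketch, and a plain file path stands in for the resource location.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;

// Added illustration, not Spring Boot code; class and method names are hypothetical.
public class Pkcs11AwareKeyStoreLoader {

    /** Loads a key store, treating PKCS11 as a token with no backing file. */
    static KeyStore load(String type, String provider, String location, char[] password)
            throws Exception {
        String effectiveType = (type != null) ? type : KeyStore.getDefaultType();
        KeyStore store = (provider != null) ? KeyStore.getInstance(effectiveType, provider)
                : KeyStore.getInstance(effectiveType);
        boolean hasLocation = location != null && !location.isEmpty();
        if ("PKCS11".equalsIgnoreCase(effectiveType)) {
            // Keys live on the HSM/token, so a configured location is a mistake (assumption).
            if (hasLocation) {
                throw new IllegalArgumentException("Location must be empty for type PKCS11");
            }
            // Null stream: the provider talks to the token; the password is the token PIN.
            store.load(null, password);
            return store;
        }
        if (!hasLocation) {
            throw new IllegalArgumentException("Location is required for type " + effectiveType);
        }
        try (InputStream in = Files.newInputStream(Path.of(location))) {
            store.load(in, password);
        }
        return store;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray(); // constructed sample value
        // File-based branch: write an empty PKCS12 store to a temp file and load it back.
        Path file = Files.createTempFile("example", ".p12");
        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, password);
        try (OutputStream out = Files.newOutputStream(file)) { empty.store(out, password); }
        System.out.println("PKCS12 entries: " + load("PKCS12", null, file.toString(), password).size());
        // PKCS11 branch: only succeeds where a configured PKCS#11 provider is installed.
        try {
            load("PKCS11", "SunPKCS11-SoftHSM", null, password);
        } catch (Exception ex) {
            System.out.println("PKCS11 provider not available here: " + ex);
        }
        Files.delete(file);
    }
}
```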

@cdanger Please sign the Contributor License Agreement!

pivotal-cla, Aug 27 '22 17:08

@cdanger Thank you for signing the Contributor License Agreement!

pivotal-cla, Aug 27 '22 17:08

Thanks very much for the PR, @cdanger.

wilkinsona, Sep 01 '22 20:09

The problem isn't limited to Netty. For example, Tomcat fails in a similar manner:

org.springframework.context.ApplicationContextException: Unable to start web server; nested exception is org.springframework.boot.web.server.WebServerException: Could not load key store 'null'
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.onRefresh(ServletWebServerApplicationContext.java:163) ~[main/:na]
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:577) ~[spring-context-5.3.22.jar:5.3.22]
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:145) ~[main/:na]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:745) [main/:na]
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:420) [main/:na]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:307) [main/:na]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1317) [main/:na]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1306) [main/:na]
	at smoketest.tomcat.ssl.SampleTomcatSslApplication.main(SampleTomcatSslApplication.java:26) [main/:na]
Caused by: org.springframework.boot.web.server.WebServerException: Could not load key store 'null'
	at org.springframework.boot.web.embedded.tomcat.SslConnectorCustomizer.configureSslKeyStore(SslConnectorCustomizer.java:132) ~[main/:na]
	at org.springframework.boot.web.embedded.tomcat.SslConnectorCustomizer.configureSsl(SslConnectorCustomizer.java:92) ~[main/:na]
	at org.springframework.boot.web.embedded.tomcat.SslConnectorCustomizer.customize(SslConnectorCustomizer.java:57) ~[main/:na]
	at org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory.customizeSsl(TomcatServletWebServerFactory.java:364) ~[main/:na]
	at org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory.customizeConnector(TomcatServletWebServerFactory.java:342) ~[main/:na]
	at org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory.getWebServer(TomcatServletWebServerFactory.java:203) ~[main/:na]
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.createWebServer(ServletWebServerApplicationContext.java:182) ~[main/:na]
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.onRefresh(ServletWebServerApplicationContext.java:160) ~[main/:na]
	... 8 common frames omitted
Caused by: java.lang.IllegalArgumentException: Resource location must not be null
	at org.springframework.util.Assert.notNull(Assert.java:201) ~[spring-core-5.3.22.jar:5.3.22]
	at org.springframework.util.ResourceUtils.getURL(ResourceUtils.java:130) ~[spring-core-5.3.22.jar:5.3.22]
	at org.springframework.boot.web.embedded.tomcat.SslConnectorCustomizer.configureSslKeyStore(SslConnectorCustomizer.java:129) ~[main/:na]
	... 15 common frames omitted

As part of merging this, we should also make similar changes for Jetty, Tomcat, and Undertow.

wilkinsona, Sep 01 '22 20:09

> As part of merging this, we should also make similar changes for Jetty, Tomcat, and Undertow.

OK, I made similar changes for Jetty, Tomcat and Undertow in new commits. Is it now OK for approval?

cdanger, Sep 11 '22 01:09

Could any maintainer approve this, or tell me whether anything else is needed? Thanks.

cdanger, Oct 02 '22 13:10

Thanks for your patience, @cdanger. We'll approve and merge the changes as soon as we can.

wilkinsona, Oct 02 '22 19:10

Thank you!

mhalbritter, Dec 01 '22 12:12