Web server fails to start due to "Resource location must not be null" when attempting to use a PKCS 11 KeyStore #32179
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…xception: Could not load key store 'null'" / "IllegalArgumentException: Resource location must not be null" when using PKCS11 keystore type ('server.ssl.key-store-type') with undefined/null 'server.ssl.key-store' property (as there is no keystore file to be specified for a PKCS#11 HSM) on a Spring Boot Reactor Netty configuration.
- Added unit tests in spring-boot-project/spring-boot SslServerCustomizerTests class with a mock PKCS#11 keystore provider implementation to validate the fix
- Added TestContainers integration test loading a Spring Boot Webflux (Netty SSL server) app with an actual PKCS#11 HSM (SoftHSM) for the keystore: to make sure it works with real implementation: see project spring-boot-tests/spring-boot-smoke-tests/spring-boot-test-webflux-ssl
|
@cdanger Please sign the Contributor License Agreement! Click here to manually synchronize the status of this Pull Request. See the FAQ for frequently asked questions. |
spring-projects-issues
added
the
status: waiting-for-triage
|
@cdanger Thank you for signing the Contributor License Agreement! |
wilkinsona
changed the title
wilkinsona
added
type: bug
Member
|
Thanks very much for the PR, @cdanger. |
Member
|
The problem isn't limited to Netty. For example, Tomcat fails in a similar manner: As part of merging this, we should also make similar changes for Jetty, Tomcat, and Undertow. |
…for Netty previously. This is part of PR spring-projects#32179.
Contributor
Author
OK I made similar changes for Jetty, Tomcat and Undertow in new commits. |
Contributor
Author
|
Could any maintainer approve this? or tell me whether anything else is needed. Thanks. |
Member
|
Thanks for your patience, @cdanger. We'll approve and merge the changes as soon as we can. |
mhalbritter
removed
the
for: merge-with-amendments
Contributor
|
Thank you! |
mhalbritter
pushed a commit
that referenced
this pull request
Dec 1, 2022
mhalbritter
added a commit
that referenced
this pull request
Dec 1, 2022
philwebb
added a commit
that referenced
this pull request
Dec 21, 2022
Remove `spring-boot-smoke-test-webflux-ssl` since it's more of an integration test than a smoke test. We could consider relocating it to `spring-boot-integration-tests` but since we have unit tests with a mock PCKCS11 security it's probably best to see if we can get away without it. See gh-32179
krenson
pushed a commit
to krenson/test-push
that referenced
this pull request
Mar 15, 2023
…ot-starter-parent from 2.3.5.RELEASE to 2.7.7 (minor) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [org.springframework.boot:spring-boot-starter-parent](https://spring.io/projects/spring-boot) ([source](https://github.com/spring-projects/spring-boot)) | parent | minor | `2.3.5.RELEASE` -> `2.7.7` | --- ### Release Notes <details> <summary>spring-projects/spring-boot</summary> ### [`v2.7.7`](https://github.com/spring-projects/spring-boot/releases/tag/v2.7.7) [Compare Source](spring-projects/spring-boot@v2.7.6...v2.7.7) #### 🐞 Bug Fixes - Fix typo in LocalDevToolsAutoConfiguration logging [#​33569](spring-projects/spring-boot#33569) - Web server fails to start due to "Resource location must not be null" when attempting to use a PKCS 11 KeyStore [#​32179](spring-projects/spring-boot#32179) #### 📔 Documentation - Improve gradle plugin tags documentation [#​33614](spring-projects/spring-boot#33614) - Improve maven plugin tags documentation [#​33609](spring-projects/spring-boot#33609) - Fix typo in tomcat accesslog checkExists doc [#​33460](spring-projects/spring-boot#33460) - Document that the shutdown endpoint is not intended for use when deploying a war to a servlet container [#​17398](spring-projects/spring-boot#17398) #### 🔨 Dependency Upgrades - Upgrade to Byte Buddy 1.12.20 [#​33570](spring-projects/spring-boot#33570) - Upgrade to Dropwizard Metrics 4.2.14 [#​33571](spring-projects/spring-boot#33571) - Upgrade to Elasticsearch 7.17.8 [#​33572](spring-projects/spring-boot#33572) - Upgrade to HttpClient 4.5.14 [#​33573](spring-projects/spring-boot#33573) - Upgrade to HttpCore 4.4.16 [#​33574](spring-projects/spring-boot#33574) - Upgrade to Infinispan 13.0.14.Final [#​33575](spring-projects/spring-boot#33575) - Upgrade to Jaybird 4.0.8.java8 [#​33576](spring-projects/spring-boot#33576) - Upgrade to Jetty 9.4.50.v20221201 [#​33577](spring-projects/spring-boot#33577) - Upgrade to MSSQL JDBC 10.2.2.jre8 [#​33578](spring-projects/spring-boot#33578) - Upgrade to Neo4j Java Driver 4.4.11 [#​33579](spring-projects/spring-boot#33579) - Upgrade to Netty 4.1.86.Final [#​33580](spring-projects/spring-boot#33580) - Upgrade to Reactor 2020.0.26 [#​33543](spring-projects/spring-boot#33543) - Upgrade to Spring Integration 5.5.16 [#​33581](https://github.com/spring-projects/spring...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fixes the error Unable to start reactive web server / WebServerException: Could not load key store 'null' / IllegalArgumentException: Resource location must not be null (see spring-boot-error.log for the details) when using PKCS11 keystore type (
server.ssl.key-store-typeproperty) with undefined/nullserver.ssl.key-storeproperty (as there is no keystore file in the case of a PKCS#11 HSM) on a Spring Boot Reactor Netty configuration; e.g. running with arguments:--server.ssl.enabled=true --server.ssl.key-store-provider=SunPKCS11-SoftHSM --server.ssl.key-store-type=PKCS11...This also adds:
spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-webflux-sslfor more extensive validation: loading a Spring Boot Webflux (Netty SSL server) app with an actual PKCS#11 library (SoftHSM) for the keystore, in order to make sure it works with a full PKCS#11 implementation.