Add SSL bundle support to spring-boot module

Add classes to support SSL bundles which can be used to apply SSL
settings in a centralized way. An `SslBundle` can be registered with
an `SslBundleRegistry` and obtained from an `SslBundles` instance. The
`DefaultSslBundleRegistry` provides a default in-memory implementation.

Different client libraries often configure SSL in slightly different
ways. To accommodate this, the `SslBundle` provides a layered approach
of obtaining SSL information:

	- `getStores` provides access to the key store and trust stores
	  as well as any required key store password.

	- `getManagers` provides access to the `KeyManagerFactory`,
	  `TrustManagerFactory` as well as the `KeyManger` and
	  `TrustManager` arrays that they create.

	- `createSslContext` provides a convenient way to obtain a new
	  `SSLContext` instance.

In addition, the `SslBundle` also provides details about the key being
used, the protocol to use and any options that should be applied to the
SSL engine.

See gh-34814

Author: scottfrederick

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/AliasKeyManagerFactory.java

@@ -0,0 +1,149 @@
+/*
+ * Copyright 2012-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.ssl;
+
+import java.net.Socket;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.KeyManagerFactorySpi;
+import javax.net.ssl.ManagerFactoryParameters;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.X509ExtendedKeyManager;
+
+/**
+ * {@link KeyManagerFactory} that allows a configurable key alias to be used. Due to the
+ * fact that the actual calls to retrieve the key by alias are done at request time the
+ * approach is to wrap the actual key managers with a {@link AliasX509ExtendedKeyManager}.
+ * The actual SPI has to be wrapped as well due to the fact that
+ * {@link KeyManagerFactory#getKeyManagers()} is final.
+ *
+ * @author Scott Frederick
+ */
+final class AliasKeyManagerFactory extends KeyManagerFactory {
+
+	AliasKeyManagerFactory(KeyManagerFactory delegate, String alias, String algorithm) {
+		super(new AliasKeyManagerFactorySpi(delegate, alias), delegate.getProvider(), algorithm);
+	}
+
+	/**
+	 * {@link KeyManagerFactorySpi} that allows a configurable key alias to be used.
+	 */
+	private static final class AliasKeyManagerFactorySpi extends KeyManagerFactorySpi {
+
+		private final KeyManagerFactory delegate;
+
+		private final String alias;
+
+		private AliasKeyManagerFactorySpi(KeyManagerFactory delegate, String alias) {
+			this.delegate = delegate;
+			this.alias = alias;
+		}
+
+		@Override
+		protected void engineInit(KeyStore keyStore, char[] chars)
+				throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
+			this.delegate.init(keyStore, chars);
+		}
+
+		@Override
+		protected void engineInit(ManagerFactoryParameters managerFactoryParameters)
+				throws InvalidAlgorithmParameterException {
+			throw new InvalidAlgorithmParameterException("Unsupported ManagerFactoryParameters");
+		}
+
+		@Override
+		protected KeyManager[] engineGetKeyManagers() {
+			return Arrays.stream(this.delegate.getKeyManagers())
+				.filter(X509ExtendedKeyManager.class::isInstance)
+				.map(X509ExtendedKeyManager.class::cast)
+				.map(this::wrap)
+				.toArray(KeyManager[]::new);
+		}
+
+		private AliasKeyManagerFactory.AliasX509ExtendedKeyManager wrap(X509ExtendedKeyManager keyManager) {
+			return new AliasX509ExtendedKeyManager(keyManager, this.alias);
+		}
+
+	}
+
+	/**
+	 * {@link X509ExtendedKeyManager} that allows a configurable key alias to be used.
+	 */
+	static final class AliasX509ExtendedKeyManager extends X509ExtendedKeyManager {
+
+		private final X509ExtendedKeyManager delegate;
+
+		private final String alias;
+
+		private AliasX509ExtendedKeyManager(X509ExtendedKeyManager keyManager, String alias) {
+			this.delegate = keyManager;
+			this.alias = alias;
+		}
+
+		@Override
+		public String chooseEngineClientAlias(String[] strings, Principal[] principals, SSLEngine sslEngine) {
+			return this.delegate.chooseEngineClientAlias(strings, principals, sslEngine);
+		}
+
+		@Override
+		public String chooseEngineServerAlias(String s, Principal[] principals, SSLEngine sslEngine) {
+			return this.alias;
+		}
+
+		@Override
+		public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
+			return this.delegate.chooseClientAlias(keyType, issuers, socket);
+		}
+
+		@Override
+		public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
+			return this.delegate.chooseServerAlias(keyType, issuers, socket);
+		}
+
+		@Override
+		public X509Certificate[] getCertificateChain(String alias) {
+			return this.delegate.getCertificateChain(alias);
+		}
+
+		@Override
+		public String[] getClientAliases(String keyType, Principal[] issuers) {
+			return this.delegate.getClientAliases(keyType, issuers);
+		}
+
+		@Override
+		public PrivateKey getPrivateKey(String alias) {
+			return this.delegate.getPrivateKey(alias);
+		}
+
+		@Override
+		public String[] getServerAliases(String keyType, Principal[] issuers) {
+			return this.delegate.getServerAliases(keyType, issuers);
+		}
+
+	}
+
+}

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/DefaultSslBundleRegistry.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright 2012-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.ssl;
+
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.springframework.util.Assert;
+
+/**
+ * Default {@link SslBundleRegistry} implementation.
+ *
+ * @author Scott Frederick
+ * @since 3.1.0
+ */
+public class DefaultSslBundleRegistry implements SslBundleRegistry, SslBundles {
+
+	private final Map<String, SslBundle> bundles = new ConcurrentHashMap<>();
+
+	public DefaultSslBundleRegistry() {
+	}
+
+	public DefaultSslBundleRegistry(String name, SslBundle bundle) {
+		registerBundle(name, bundle);
+	}
+
+	@Override
+	public void registerBundle(String name, SslBundle bundle) {
+		Assert.notNull(name, "Name must not be null");
+		Assert.notNull(bundle, "Bundle must not be null");
+		SslBundle previous = this.bundles.putIfAbsent(name, bundle);
+		Assert.state(previous == null, () -> "Cannot replace existing SSL bundle '%s'".formatted(name));
+	}
+
+	@Override
+	public SslBundle getBundle(String name) {
+		Assert.notNull(name, "Name must not be null");
+		SslBundle bundle = this.bundles.get(name);
+		if (bundle == null) {
+			throw new NoSuchSslBundleException(name, "SSL bundle name '%s' cannot be found".formatted(name));
+		}
+		return bundle;
+	}
+
+}

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/DefaultSslManagerBundle.java

@@ -0,0 +1,86 @@
+/*
+ * Copyright 2012-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.ssl;
+
+import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManagerFactory;
+
+/**
+ * Default implementation of {@link SslManagerBundle}.
+ *
+ * @author Scott Frederick
+ * @see SslManagerBundle#from(SslStoreBundle, SslBundleKey)
+ */
+class DefaultSslManagerBundle implements SslManagerBundle {
+
+	private final SslStoreBundle storeBundle;
+
+	private final SslBundleKey key;
+
+	DefaultSslManagerBundle(SslStoreBundle storeBundle, SslBundleKey key) {
+		this.storeBundle = (storeBundle != null) ? storeBundle : SslStoreBundle.NONE;
+		this.key = (key != null) ? key : SslBundleKey.NONE;
+	}
+
+	@Override
+	public KeyManagerFactory getKeyManagerFactory() {
+		try {
+			KeyStore store = this.storeBundle.getKeyStore();
+			this.key.assertContainsAlias(store);
+			String alias = this.key.getAlias();
+			String algorithm = KeyManagerFactory.getDefaultAlgorithm();
+			KeyManagerFactory factory = getKeyManagerFactoryInstance(algorithm);
+			factory = (alias != null) ? new AliasKeyManagerFactory(factory, alias, algorithm) : factory;
+			String password = this.key.getPassword();
+			password = (password != null) ? password : this.storeBundle.getKeyStorePassword();
+			factory.init(store, (password != null) ? password.toCharArray() : null);
+			return factory;
+		}
+		catch (RuntimeException ex) {
+			throw ex;
+		}
+		catch (Exception ex) {
+			throw new IllegalStateException("Could not load key manager factory: " + ex.getMessage(), ex);
+		}
+	}
+
+	@Override
+	public TrustManagerFactory getTrustManagerFactory() {
+		try {
+			KeyStore store = this.storeBundle.getTrustStore();
+			String algorithm = TrustManagerFactory.getDefaultAlgorithm();
+			TrustManagerFactory factory = getTrustManagerFactoryInstance(algorithm);
+			factory.init(store);
+			return factory;
+		}
+		catch (Exception ex) {
+			throw new IllegalStateException("Could not load trust manager factory: " + ex.getMessage(), ex);
+		}
+	}
+
+	protected KeyManagerFactory getKeyManagerFactoryInstance(String algorithm) throws NoSuchAlgorithmException {
+		return KeyManagerFactory.getInstance(algorithm);
+	}
+
+	protected TrustManagerFactory getTrustManagerFactoryInstance(String algorithm) throws NoSuchAlgorithmException {
+		return TrustManagerFactory.getInstance(algorithm);
+	}
+
+}

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/NoSuchSslBundleException.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright 2012-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.ssl;
+
+/**
+ * Exception indicating that an {@link SslBundle} was referenced with a name that does not
+ * match any registered bundle.
+ *
+ * @author Scott Frederick
+ * @since 3.1.0
+ */
+public class NoSuchSslBundleException extends RuntimeException {
+
+	private final String bundleName;
+
+	/**
+	 * Create a new {@code SslBundleNotFoundException} instance.
+	 * @param bundleName the name of the bundle that could not be found
+	 * @param message the exception message
+	 */
+	public NoSuchSslBundleException(String bundleName, String message) {
+		this(bundleName, message, null);
+	}
+
+	/**
+	 * Create a new {@code SslBundleNotFoundException} instance.
+	 * @param bundleName the name of the bundle that could not be found
+	 * @param message the exception message
+	 * @param cause the exception cause
+	 */
+	public NoSuchSslBundleException(String bundleName, String message, Throwable cause) {
+		super(message, cause);
+		this.bundleName = bundleName;
+	}
+
+	/**
+	 * Return the name of the bundle that was not found.
+	 * @return the bundle name
+	 */
+	public String getBundleName() {
+		return this.bundleName;
+	}
+
+}