From e75d45ca456e9f83d9eb9ab2fb00fca2e403755b Mon Sep 17 00:00:00 2001
From: Ian Chan
Date: Mon, 7 May 2018 00:10:06 +0100
Subject: [PATCH] Use empty trust-store password if SSL store provider present

For Tomcat, if an SslStoreProvider is configured, `SslStoreProviderUrlStreamHandlerFactory` stores the trust-store with an empty password. Previously, if a password was supplied using the ssl.trust-store-password property, that would be the password used to load the trust-store and the connector would warn with "Password verification failed" message.

Fixes gh-12688
---
 .../boot/web/embedded/tomcat/SslConnectorCustomizer.java | 1 +
 .../boot/web/embedded/tomcat/SslConnectorCustomizerTests.java | 1 +
 2 files changed, 2 insertions(+)
diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.java
index e3f9703fbf..3e10360b05 100644
--- a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.java
+++ b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizer.java
@@ -118,6 +118,7 @@ class SslConnectorCustomizer implements TomcatConnectorCustomizer {
 SslStoreProviderUrlStreamHandlerFactory.KEY_STORE_URL);
 }
 if (sslStoreProvider.getTrustStore() != null) {
+ protocol.setTruststorePass("");
 protocol.setTruststoreFile(
 SslStoreProviderUrlStreamHandlerFactory.TRUST_STORE_URL);
 }
diff --git a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java
index a81747a3a2..caef605e30 100644
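Review bot: The empty literal in `protocol.setTruststorePass("")` carries no comment, and an empty trust-store password reads like a mistake that a later change may "correct". I would add above it `// SslStoreProviderUrlStreamHandlerFactory serves the provider's trust store with an empty password, so a configured ssl.trust-store-password must not be used here`. The call also silently discards whatever password the operator configured; a debug-level log when a non-empty password is overridden would make that visible, though the hunk does not show whether the configured value is reachable at this point. The enclosing method starts and ends outside the hunk, so I cannot confirm that nothing later re-applies the configured password to the protocol.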
--- a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java
+++ b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/web/embedded/tomcat/SslConnectorCustomizerTests.java
@@ -170,6 +170,7 @@ public class SslConnectorCustomizerTests {
 Ssl ssl = new Ssl();
 ssl.setKeyPassword("password");
 ssl.setKeyStorePassword("secret");
+ ssl.setTrustStorePassword("trustStoreSecret");
 SslStoreProvider sslStoreProvider = mock(SslStoreProvider.class);
 given(sslStoreProvider.getTrustStore()).willReturn(loadStore());
 given(sslStoreProvider.getKeyStore()).willReturn(loadStore());
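Review bot: The added `ssl.setTrustStorePassword("trustStoreSecret")` only feeds a configured password into the setup; nothing in the visible lines asserts that it is ignored once the `SslStoreProvider` supplies the trust store. The test method continues outside the hunk, so this may already be covered. If the test relies only on the absence of the "Password verification failed" warning, an explicit assertion that the connector's trust-store password ends up empty would pin the fix more directly and catch a regression in the override.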