# Add optionality to the CAs

**Problem Statement**

The challenge is the dynamic updating and management of certificates in an application that supports mTLS and interacts with client services that are frequently added and removed.

Suppose your application needs to support mTLS with two well-known client services, `foo` and `bar`, each having a specific intermediate CA (Certificate Authority). Client services are dynamically installed/removed from the cluster. For improved resiliency/manageability, you do not want to change the deployment of your application whenever a new client service is installed in the cluster: the client CAs must be dynamically added/removed to your server truststore as their services installed/removed from the cluster.

**Proposed Solution**

This PR aims to address this issue by allowing certificates to be marked as optional. With this feature, the application can start and continue running regardless of the availability of these certificates.

**Current Status**

This pull request is currently a draft/proof of concept. It does not yet include tests or documentation and is intended to gather feedback. The implementation includes several TODOs, such as:

- Extending optionality to the private key (only added to the certificate).
- Adding necessary validations.

An example of `application.yaml` with optionality would look like:

```
spring.ssl.bundle.pem.server.keystore.certificate=/var/run/secrets/foo/server.crt
spring.ssl.bundle.pem.server.keystore.private-key=/var/run/secrets/foo/server.key
spring.ssl.bundle.pem.server.keystore.private-key-password=123456
spring.ssl.bundle.pem.server.reload-on-update=true
spring.ssl.bundle.pem.server.truststore.certificate=optional:/var/run/secrets/foo/ca.crt

```

**Related Issue**

This PR is related to a comment is this issue [spring-projects#38754](spring-projects#38754 (comment))

Author: elisabetesantos

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/BundleContentProperty.java

@@ -35,6 +35,8 @@
  */
 record BundleContentProperty(String name, String value) {
 
+	private static final String OPTIONAL_URL_PREFIX = "optional:";
+
 	/**
 	 * Return if the property value is PEM content.
 	 * @return if the value is PEM content
@@ -51,13 +53,24 @@ boolean hasValue() {
 		return StringUtils.hasText(this.value);
 	}
 
-	Path toWatchPath() {
+	boolean isOptional() {
+		return this.value.startsWith(OPTIONAL_URL_PREFIX);
+	}
+
+	String getRawValue() {
+		if (isOptional()) {
+			return this.value.substring(OPTIONAL_URL_PREFIX.length());
+		}
+		return this.value;
+	}
+
+	WatchablePath toWatchPath() {
 		try {
-			Resource resource = getResource();
+			Resource resource = getResource(getRawValue());
 			if (!resource.isFile()) {
 				throw new BundleContentNotWatchableException(this);
 			}
-			return Path.of(resource.getFile().getAbsolutePath());
+			return new WatchablePath(Path.of(resource.getFile().getAbsolutePath()), isOptional());
 		}
 		catch (Exception ex) {
 			if (ex instanceof BundleContentNotWatchableException bundleContentNotWatchableException) {
@@ -68,9 +81,9 @@ Path toWatchPath() {
 		}
 	}
 
-	private Resource getResource() {
+	private Resource getResource(String value) {
 		Assert.state(!isPemContent(), "Value contains PEM content");
-		return new ApplicationResourceLoader().getResource(this.value);
+		return new ApplicationResourceLoader().getResource(value);
 	}
 
 }

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/FileWatcher.java

@@ -74,7 +74,7 @@ class FileWatcher implements Closeable {
 	 * @param paths the files or directories to watch
 	 * @param action the action to take when changes are detected
 	 */
-	void watch(Set<Path> paths, Runnable action) {
+	void watch(Set<WatchablePath> paths, Runnable action) {
 		Assert.notNull(paths, "Paths must not be null");
 		Assert.notNull(action, "Action must not be null");
 		if (paths.isEmpty()) {
@@ -133,7 +133,11 @@ private void onThreadException(Thread thread, Throwable throwable) {
 		}
 
 		void register(Registration registration) throws IOException {
-			for (Path path : registration.paths()) {
+			for (WatchablePath watchablePath : registration.paths()) {
+				Path path = watchablePath.path();
+				if (watchablePath.optional() && !Files.exists(path)) {
+					path = path.getParent();
+				}
 				if (!Files.isRegularFile(path) && !Files.isDirectory(path)) {
 					throw new IOException("'%s' is neither a file nor a directory".formatted(path));
 				}
@@ -210,19 +214,23 @@ public void close() throws IOException {
 	/**
 	 * An individual watch registration.
 	 */
-	private record Registration(Set<Path> paths, Runnable action) {
+	private record Registration(Set<WatchablePath> paths, Runnable action) {
 
 		Registration {
-			paths = paths.stream().map(Path::toAbsolutePath).collect(Collectors.toSet());
+			paths = paths.stream().map(watchablePath ->
+							new WatchablePath(watchablePath.path().toAbsolutePath(), watchablePath.optional()))
+					.collect(Collectors.toSet());
 		}
 
 		boolean manages(Path file) {
 			Path absolutePath = file.toAbsolutePath();
-			return this.paths.contains(absolutePath) || isInDirectories(absolutePath);
+			return this.paths.stream()
+					.map(WatchablePath::path)
+					.anyMatch(absolutePath::equals) || isInDirectories(absolutePath);
 		}
 
 		private boolean isInDirectories(Path file) {
-			return this.paths.stream().filter(Files::isDirectory).anyMatch(file::startsWith);
+			return this.paths.stream().map(WatchablePath::path).filter(Files::isDirectory).anyMatch(file::startsWith);
 		}
 	}
 

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/PropertiesSslBundle.java

@@ -29,6 +29,7 @@
 import org.springframework.boot.ssl.pem.PemSslStoreDetails;
 import org.springframework.core.style.ToStringCreator;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 
 /**
  * {@link SslBundle} backed by {@link JksSslBundleProperties} or
@@ -40,6 +41,8 @@
  */
 public final class PropertiesSslBundle implements SslBundle {
 
+	private static final String OPTIONAL_URL_PREFIX = "optional:";
+
 	private final SslStoreBundle stores;
 
 	private final SslBundleKey key;
@@ -100,7 +103,7 @@ public static SslBundle get(PemSslBundleProperties properties) {
 		PemSslStore keyStore = getPemSslStore("keystore", properties.getKeystore());
 		if (keyStore != null) {
 			keyStore = keyStore.withAlias(properties.getKey().getAlias())
-				.withPassword(properties.getKey().getPassword());
+					.withPassword(properties.getKey().getPassword());
 		}
 		PemSslStore trustStore = getPemSslStore("truststore", properties.getTruststore());
 		SslStoreBundle storeBundle = new PemSslStoreBundle(keyStore, trustStore);
@@ -118,8 +121,19 @@ private static PemSslStore getPemSslStore(String propertyName, PemSslBundlePrope
 	}
 
 	private static PemSslStoreDetails asPemSslStoreDetails(PemSslBundleProperties.Store properties) {
-		return new PemSslStoreDetails(properties.getType(), properties.getCertificate(), properties.getPrivateKey(),
-				properties.getPrivateKeyPassword());
+		return new PemSslStoreDetails(properties.getType(), getRawCertificate(properties.getCertificate()), properties.getPrivateKey(),
+				properties.getPrivateKeyPassword(), isCertificateOptional(properties.getCertificate()));
+	}
+
+	private static boolean isCertificateOptional(String certificate) {
+		return StringUtils.hasText(certificate) && certificate.startsWith(OPTIONAL_URL_PREFIX);
+	}
+
+	private static String getRawCertificate(String certificate)	{
+		if (isCertificateOptional(certificate)) {
+			return certificate.substring(OPTIONAL_URL_PREFIX.length());
+		}
+		return certificate;
 	}
 
 	/**

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/SslPropertiesBundleRegistrar.java

@@ -16,7 +16,6 @@
 
 package org.springframework.boot.autoconfigure.ssl;
 
-import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
@@ -54,14 +53,14 @@ public void registerBundles(SslBundleRegistry registry) {
 	}
 
 	private <P extends SslBundleProperties> void registerBundles(SslBundleRegistry registry, Map<String, P> properties,
-			Function<P, SslBundle> bundleFactory, Function<Bundle<P>, Set<Path>> watchedPaths) {
+			Function<P, SslBundle> bundleFactory, Function<Bundle<P>, Set<WatchablePath>> watchedPaths) {
 		properties.forEach((bundleName, bundleProperties) -> {
 			Supplier<SslBundle> bundleSupplier = () -> bundleFactory.apply(bundleProperties);
 			try {
 				registry.registerBundle(bundleName, bundleSupplier.get());
 				if (bundleProperties.isReloadOnUpdate()) {
-					Supplier<Set<Path>> pathsSupplier = () -> watchedPaths
-						.apply(new Bundle<>(bundleName, bundleProperties));
+					Supplier<Set<WatchablePath>> pathsSupplier = () -> watchedPaths
+							.apply(new Bundle<>(bundleName, bundleProperties));
 					watchForUpdates(registry, bundleName, pathsSupplier, bundleSupplier);
 				}
 			}
@@ -71,7 +70,7 @@ private <P extends SslBundleProperties> void registerBundles(SslBundleRegistry r
 		});
 	}
 
-	private void watchForUpdates(SslBundleRegistry registry, String bundleName, Supplier<Set<Path>> pathsSupplier,
+	private void watchForUpdates(SslBundleRegistry registry, String bundleName, Supplier<Set<WatchablePath>> pathsSupplier,
 			Supplier<SslBundle> bundleSupplier) {
 		try {
 			this.fileWatcher.watch(pathsSupplier.get(), () -> registry.updateBundle(bundleName, bundleSupplier.get()));
@@ -81,33 +80,33 @@ private void watchForUpdates(SslBundleRegistry registry, String bundleName, Supp
 		}
 	}
 
-	private Set<Path> watchedJksPaths(Bundle<JksSslBundleProperties> bundle) {
+	private Set<WatchablePath> watchedJksPaths(Bundle<JksSslBundleProperties> bundle) {
 		List<BundleContentProperty> watched = new ArrayList<>();
 		watched.add(new BundleContentProperty("keystore.location", bundle.properties().getKeystore().getLocation()));
 		watched
-			.add(new BundleContentProperty("truststore.location", bundle.properties().getTruststore().getLocation()));
+				.add(new BundleContentProperty("truststore.location", bundle.properties().getTruststore().getLocation()));
 		return watchedPaths(bundle.name(), watched);
 	}
 
-	private Set<Path> watchedPemPaths(Bundle<PemSslBundleProperties> bundle) {
+	private Set<WatchablePath> watchedPemPaths(Bundle<PemSslBundleProperties> bundle) {
 		List<BundleContentProperty> watched = new ArrayList<>();
 		watched
-			.add(new BundleContentProperty("keystore.private-key", bundle.properties().getKeystore().getPrivateKey()));
+				.add(new BundleContentProperty("keystore.private-key", bundle.properties().getKeystore().getPrivateKey()));
 		watched
-			.add(new BundleContentProperty("keystore.certificate", bundle.properties().getKeystore().getCertificate()));
+				.add(new BundleContentProperty("keystore.certificate", bundle.properties().getKeystore().getCertificate()));
 		watched.add(new BundleContentProperty("truststore.private-key",
 				bundle.properties().getTruststore().getPrivateKey()));
 		watched.add(new BundleContentProperty("truststore.certificate",
 				bundle.properties().getTruststore().getCertificate()));
 		return watchedPaths(bundle.name(), watched);
 	}
 
-	private Set<Path> watchedPaths(String bundleName, List<BundleContentProperty> properties) {
+	private Set<WatchablePath> watchedPaths(String bundleName, List<BundleContentProperty> properties) {
 		try {
 			return properties.stream()
-				.filter(BundleContentProperty::hasValue)
-				.map(BundleContentProperty::toWatchPath)
-				.collect(Collectors.toSet());
+					.filter(BundleContentProperty::hasValue)
+					.map(BundleContentProperty::toWatchPath)
+					.collect(Collectors.toSet());
 		}
 		catch (BundleContentNotWatchableException ex) {
 			throw ex.withBundleName(bundleName);

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/ssl/WatchablePath.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright 2012-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.autoconfigure.ssl;
+
+import java.nio.file.Path;
+
+record WatchablePath(Path path, Boolean optional) {
+}

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/LoadedPemSslStore.java

@@ -58,7 +58,7 @@ private static UncheckedIOException asUncheckedIOException(String message, Excep
 	}
 
 	private static List<X509Certificate> loadCertificates(PemSslStoreDetails details) throws IOException {
-		PemContent pemContent = PemContent.load(details.certificates());
+		PemContent pemContent = PemContent.load(details.certificates(), details.optional());
 		if (pemContent == null) {
 			return null;
 		}
@@ -72,6 +72,11 @@ private static PrivateKey loadPrivateKey(PemSslStoreDetails details) throws IOEx
 		return (pemContent != null) ? pemContent.getPrivateKey(details.privateKeyPassword()) : null;
 	}
 
+	@Override
+	public boolean optional() {
+		return this.details.optional();
+	}
+
 	@Override
 	public String type() {
 		return this.details.type();

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemContent.java

@@ -104,6 +104,21 @@ public String toString() {
 		return this.text;
 	}
 
+	/**
+	 * Load {@link PemContent} from the given content (either the PEM content itself or a
+	 * reference to the resource to load).
+	 * @param content the content to load
+	 * @param isOptional the content to load may be optional
+	 * @return a new {@link PemContent} instance
+	 * @throws IOException on IO error
+	 */
+	static PemContent load(String content, Boolean isOptional) throws IOException {
+		if (isOptional && !Files.exists(Path.of(content))) {
+			return null;
+		}
+		return load(content);
+	}
+
 	/**
 	 * Load {@link PemContent} from the given content (either the PEM content itself or a
 	 * reference to the resource to load).

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStore.java

@@ -33,6 +33,9 @@
  */
 public interface PemSslStore {
 
+
+	boolean optional();
+
 	/**
 	 * The key store type, for example {@code JKS} or {@code PKCS11}. A {@code null} value
 	 * will use {@link KeyStore#getDefaultType()}).
@@ -164,6 +167,11 @@ public PrivateKey privateKey() {
 				return privateKey;
 			}
 
+			@Override
+			public boolean optional() {
+				return false; //TODO
+			}
+
 		};
 	}
 

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreBundle.java

@@ -82,7 +82,7 @@ public KeyStore getTrustStore() {
 	}
 
 	private static KeyStore createKeyStore(String name, PemSslStore pemSslStore) {
-		if (pemSslStore == null) {
+		if (pemSslStore == null || pemSslStore.optional() && pemSslStore.certificates() == null) {
 			return null;
 		}
 		try {

spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreDetails.java

@@ -36,13 +36,14 @@
  * @param privateKey the private key content (either the PEM content itself or a reference
  * to the resource to load)
  * @param privateKeyPassword a password used to decrypt an encrypted private key
+ * @param optional certificates/privateKey may be optional
  * @author Scott Frederick
  * @author Phillip Webb
  * @since 3.1.0
  * @see PemSslStore#load(PemSslStoreDetails)
  */
 public record PemSslStoreDetails(String type, String alias, String password, String certificates, String privateKey,
-		String privateKeyPassword) {
+								 String privateKeyPassword, boolean optional) {
 
 	/**
 	 * Create a new {@link PemSslStoreDetails} instance.
@@ -71,9 +72,10 @@ public record PemSslStoreDetails(String type, String alias, String password, Str
 	 * @param privateKey the private key content (either the PEM content itself or a
 	 * reference to the resource to load)
 	 * @param privateKeyPassword a password used to decrypt an encrypted private key
+	 * @param optional certificates/privateKey may be optional
 	 */
-	public PemSslStoreDetails(String type, String certificate, String privateKey, String privateKeyPassword) {
-		this(type, null, null, certificate, privateKey, privateKeyPassword);
+	public PemSslStoreDetails(String type, String certificate, String privateKey, String privateKeyPassword, boolean optional) {
+		this(type, null, null, certificate, privateKey, privateKeyPassword, optional);
 	}
 
 	/**
@@ -86,7 +88,7 @@ public PemSslStoreDetails(String type, String certificate, String privateKey, St
 	 * reference to the resource to load)
 	 */
 	public PemSslStoreDetails(String type, String certificate, String privateKey) {
-		this(type, certificate, privateKey, null);
+		this(type, certificate, privateKey, null, false);
 	}
 
 	/**
@@ -97,7 +99,7 @@ public PemSslStoreDetails(String type, String certificate, String privateKey) {
 	 */
 	public PemSslStoreDetails withAlias(String alias) {
 		return new PemSslStoreDetails(this.type, alias, this.password, this.certificates, this.privateKey,
-				this.privateKeyPassword);
+				this.privateKeyPassword, this.optional);
 	}
 
 	/**
@@ -108,7 +110,7 @@ public PemSslStoreDetails withAlias(String alias) {
 	 */
 	public PemSslStoreDetails withPassword(String password) {
 		return new PemSslStoreDetails(this.type, this.alias, password, this.certificates, this.privateKey,
-				this.privateKeyPassword);
+				this.privateKeyPassword, this.optional);
 	}
 
 	/**
@@ -118,7 +120,7 @@ public PemSslStoreDetails withPassword(String password) {
 	 */
 	public PemSslStoreDetails withPrivateKey(String privateKey) {
 		return new PemSslStoreDetails(this.type, this.alias, this.password, this.certificates, privateKey,
-				this.privateKeyPassword);
+				this.privateKeyPassword, this.optional);
 	}
 
 	/**
@@ -128,7 +130,7 @@ public PemSslStoreDetails withPrivateKey(String privateKey) {
 	 */
 	public PemSslStoreDetails withPrivateKeyPassword(String privateKeyPassword) {
 		return new PemSslStoreDetails(this.type, this.alias, this.password, this.certificates, this.privateKey,
-				privateKeyPassword);
+				privateKeyPassword, this.optional);
 	}
 
 	boolean isEmpty() {