Want to pass encrypted passwords to keystore and truststores in Spring Boot 2.3 for creating a RestTemplate
I have been scratching my head for a long time and have encountered very weird behaviour of Spring Boot 2. In my application I am simply creating a RestTemplate bean by:
```java
@Bean
public RestTemplate restTemplateFactory() {
    return new RestTemplate();
}
```
The bean gets created successfully and invokes the desired REST endpoint if I pass the below 4 properties as VM arguments:
```
-Djavax.net.ssl.trustStore=<<Path to trust store>> -Djavax.net.ssl.trustStorePassword=<<Unencrypted password of trust store>> -Djavax.net.ssl.keyStore=<<keystore path>> -Djavax.net.ssl.keyStorePassword=<<Unencrypted password of keystore>>
```
I tried using the jasypt library to encrypt the passwords and pass them as VM arguments while using the property jasypt.encryptor.password in my properties file, but got the below error:
```
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:782) ~[na:1.8.0_271]
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) ~[na:1.8.0_271]
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224) ~[na:1.8.0_271]
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[na:1.8.0_271]
    at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_271]
    at sun.security.ssl.TrustStoreManager$TrustAnchorManager.loadKeyStore(TrustStoreManager.java:365) ~[na:1.8.0_271]
    at sun.security.ssl.TrustStoreManager$TrustAnchorManager.getTrustedCerts(TrustStoreManager.java:313) ~[na:1.8.0_271]
    at sun.security.ssl.TrustStoreManager.getTrustedCerts(TrustStoreManager.java:55) ~[na:1.8.0_271]
    at sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:49) ~[na:1.8.0_271]
    ... 42 common frames omitted
Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780) ~[na:1.8.0_271]
```
Then I tried passing the encrypted password of the truststore in my properties file (javax.net.ssl.trustStorePassword=zYdvWFIHBL3OMNW6lFsdwUhdLcvnyK7MC8LxKbNMsYOIQB0WxW9HI6AH/PTDTBK+) and passed the below 3 as VM arguments, and it worked fine:
```
-Djavax.net.ssl.trustStore=<<Path to trust store>> -Djavax.net.ssl.keyStore=<<keystore path>> -Djavax.net.ssl.keyStorePassword=<<Unencrypted password of keystore>>
```
But while passing the encrypted passwords of both the keystore and the truststore via the properties file, I experienced the issue again:
```
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
    at java.security.Provider$Service.newInstance(Provider.java:1711) ~[na:1.8.0_271]
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:236) ~[na:1.8.0_271]
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:164) ~[na:1.8.0_271]
    at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156) ~[na:1.8.0_271]
    at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96) ~[na:1.8.0_271]
    at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:122) ~[na:1.8.0_271]
    at javax.net.ssl.HttpsURLConnection.getDefaultSSLSocketFactory(HttpsURLConnection.java:332) ~[na:1.8.0_271]
    at javax.net.ssl.HttpsURLConnection.<init>(HttpsURLConnection.java:289) ~[na:1.8.0_271]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.<init>(HttpsURLConnectionImpl.java:99) ~[na:1.8.0_271]
    at sun.net.www.protocol.https.Handler.openConnection(Handler.java:62) ~[na:1.8.0_271]
    at sun.net.www.protocol.https.Handler.openConnection(Handler.java:57) ~[na:1.8.0_271]
    at java.net.URL.openConnection(URL.java:1001) ~[na:1.8.0_271]
    at org.springframework.http.client.SimpleClientHttpRequestFactory.openConnection(SimpleClientHttpRequestFactory.java:187) ~[spring-web-5.2.15.RELEASE.jar!/:5.2.15.RELEASE]
    at org.springframework.http.client.SimpleClientHttpRequestFactory.createRequest(SimpleClientHttpRequestFactory.java:145) ~[spring-web-5.2.15.RELEASE.jar!/:5.2.15.RELEASE]
    at org.springframework.http.client.support.HttpAccessor.createRequest(HttpAccessor.java:124) ~[spring-web-5.2.15.RELEASE.jar!/:5.2.15.RELEASE]
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:733) ~[spring-web-5.2.15.RELEASE.jar!/:5.2.15.RELEASE]
    ... 18 common frames omitted
Caused by: java.security.UnrecoverableKeyException: Get Key failed: null
    at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:438) ~[na:1.8.0_271]
    at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96) ~[na:1.8.0_271]
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70) ~[na:1.8.0_271]
    at java.security.KeyStore.getKey(KeyStore.java:1023) ~[na:1.8.0_271]
    at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145) ~[na:1.8.0_271]
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70) ~[na:1.8.0_271]
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256) ~[na:1.8.0_271]
    at sun.security.ssl.SSLContextImpl$DefaultManagersHolder.getKeyManagers(SSLContextImpl.java:1146) ~[na:1.8.0_271]
    at sun.security.ssl.SSLContextImpl$DefaultManagersHolder.<init>(SSLContextImpl.java:1021) ~[na:1.8.0_271]
    at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:1186) ~[na:1.8.0_271]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.8.0_271]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[na:1.8.0_271]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[na:1.8.0_271]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[na:1.8.0_271]
    at java.security.Provider$Service.newInstance(Provider.java:1689) ~[na:1.8.0_271]
    ... 33 common frames omitted
Caused by: java.lang.NullPointerException: null
    at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:374) ~[na:1.8.0_271]
    ... 47 common frames omitted
```
I tried passing the server.ssl.key-store & server.ssl.key-store-password properties as well, but encountered the below exception:
```
Caused by: java.io.IOException: keystore password was incorrect
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2068) ~[na:1.8.0_271]
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:238) ~[na:1.8.0_271]
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[na:1.8.0_271]
    at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_271]
    at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:69) ~[tomcat-embed-core-9.0.46.jar!/:na]
    at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:216) ~[tomcat-embed-core-9.0.46.jar!/:na]
    at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207) ~[tomcat-embed-core-9.0.46.jar!/:na]
    at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:282) ~[tomcat-embed-core-9.0.46.jar!/:na]
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246) ~[tomcat-embed-core-9.0.46.jar!/:na]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97) ~[tomcat-embed-core-9.0.46.jar!/:na]
    ... 34 common frames omitted
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    ... 44 common frames omitted
```
I checked various answers on Stack Overflow but could not find any particular solution for how we can use encrypted passwords for SSL. Can somebody please provide pointers?
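An added example, not part of the question above: the javax.net.ssl.* system properties are read verbatim by JSSE when it builds the default SSLContext, so an ENC(...) value there is tried as the literal password and jasypt never gets a chance to decrypt it. The approach below instead loads the stores from ordinary Spring properties (which jasypt-spring-boot decrypts in the Environment before injection) and hands an explicitly built SSLContext to the RestTemplate through a SimpleClientHttpRequestFactory, so no Apache HttpClient dependency is needed. The property names client.ssl.* and the class name are assumptions.

```java
import java.io.FileInputStream;
import java.net.HttpURLConnection;
import java.security.KeyStore;
import javax.net.ssl.*;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

@Configuration
public class RestTemplateSslConfig {
    // Hypothetical property names. In application.properties the two passwords are written
    // as ENC(...); jasypt-spring-boot decrypts them in the Spring Environment before injection.
    // javax.net.ssl.* system properties are deliberately not set: JSSE would read them raw.
    @Value("${client.ssl.key-store}") private String keyStorePath;
    @Value("${client.ssl.key-store-password}") private String keyStorePassword;
    @Value("${client.ssl.trust-store}") private String trustStorePath;
    @Value("${client.ssl.trust-store-password}") private String trustStorePassword;
    @Bean
    public RestTemplate restTemplate() throws Exception {
        SSLContext ctx = buildSslContext();
        // JDK + spring-web only: attach the explicit context to every HTTPS connection.
        SimpleClientHttpRequestFactory rf = new SimpleClientHttpRequestFactory() {
            protected void prepareConnection(HttpURLConnection c, String method) throws java.io.IOException {
                if (c instanceof HttpsURLConnection) ((HttpsURLConnection) c).setSSLSocketFactory(ctx.getSocketFactory());
                super.prepareConnection(c, method);
            }
        };
        return new RestTemplate(rf);
    }

    private SSLContext buildSslContext() throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStorePath, keyStorePassword), keyStorePassword.toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, trustStorePassword));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Default type is "jks" on Java 8 and "pkcs12" on 9+; either loader also reads the other format.
    private static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }
}
```

This also keeps the plaintext passwords out of the JVM command line, where -D arguments are visible to anyone who can list processes on the host.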
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow