Translate NodeJS request with cert and key to Java - java

UPDATE:
Here is the link to the official API documentation.
And here is a video with the requests I made from NodeJS and here is the java client app that I implemented.
I have a request in NodeJS and now I want to implement the same request in Java for my Android app.
The NodeJS request looks like this:
var options = {
method: 'GET',
url: 'https://webapi.developers.erstegroup.com/api/bcr/sandbox/v1/aisp/v1/accounts',
cert: "-----BEGIN CERTIFICATE-----....-----END CERTIFICATE-----",
key: "-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----",
headers:
{
'x-request-id': '30fb2676-8c2e-11e9-b683-526af7764f64',
'web-api-key': '#########',
'Accept': 'application/json'
}
};
request(options, function (error, response, body) {
console.log(body);
});
My problem is that I don't know how to include that certificate and private key to make the request.
I found this answer regarding how to read the certificate and the key in Java, but I don't know how to configure the SSLContext to use the certificate and also the key.
Currently, I tried the next solution, but it doesn't work. The first problem I have is that I get an error when I parse the key:
The error message: org.bouncycastle.openssl.PEMException: malformed sequence in RSA private key
The method used to read the key:
private static PrivateKey readPrivateKey(String filename) throws Exception {
PEMParser pemParser = new PEMParser(new BufferedReader(new InputStreamReader(Main.class.getClassLoader().getResourceAsStream(filename))));
JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
PEMKeyPair pemKeyPair = (PEMKeyPair) pemParser.readObject();
KeyPair kp = converter.getKeyPair(pemKeyPair);
return kp.getPrivate();
}
The private key:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
The rest of the code:
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
final X509Certificate cert = readCertificate("public-key-bcr.cer");
keyStore.setCertificateEntry("key-bcr", cert);
keyStore.setKeyEntry("key-bcr", readPrivateKey("private-key-bcr.key"), "".toCharArray(), new Certificate[]{cert});
// Create a TrustManager that trusts the CAs in our KeyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
final SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, tmf.getTrustManagers(), null);
final OkHttpClient.Builder builder = new OkHttpClient.Builder()
.sslSocketFactory(sslContext.getSocketFactory())
.hostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true;
}
});
OkHttpClient client = builder.build();
Also, I want to know if there is an easier alternative.

TLDR: your keyfile is labelled wrong.
Your privatekey file has PEM labels claiming it is RSA PRIVATE KEY which according to the de-facto standard should contain data which is the encoded form of a PKCS1-format privatekey. However, the data in your file is actually a PKCS8-format PrivateKeyInfo, which per rfc7468 should have labels PRIVATE KEY (NO RSA).
If you correct your file's labels to PRIVATE KEY with no RSA, BouncyCastle can read it, but you need to change the type and method used:
PEMParser pemParser = new PEMParser(/* appropriate Reader */);
JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
// you don't actually need to set the provider, the default provider(s) work fine.
PrivateKeyInfo privkey = (PrivateKeyInfo) pemParser.readObject();
return /*PrivateKey*/ converter.getPrivateKey(privkey);
However, you don't need BouncyCastle; this (unencrypted) format can be read by Java crypto directly:
String pem = /* read all chars from file/resource/whatever, or read all bytes and convert to String */;
// the MIME decoder skips the line breaks inside the PEM body, which the basic decoder rejects
byte[] der = Base64.getMimeDecoder().decode( pem.replaceAll("-----(BEGIN|END) PRIVATE KEY-----", "") );
KeyFactory fact = KeyFactory.getInstance("RSA");
return /*PrivateKey*/ fact.generatePrivate(new PKCS8EncodedKeySpec(der));
Finally, your security scheme doesn't make sense. You aren't actually using this key for anything; you seem to be using the cert, only, as a CA cert (trust anchor). If this cert is indeed a CA cert, by including the CA's privatekey in your app you have allowed everyone who has a copy of the app to replace or impersonate your server(s?) and steal, modify, or destroy all your data -- and publishing it on Stack extends this to everyone in the world. Your nodejs code, in contrast, configures this key&cert to be used as a client key&cert and not as a CA or anchor at all -- although the server you specify in your URL doesn't appear to request a client key&cert at all, and it uses a cert under a normal root (Digicert) that doesn't require any modification to the Java defaults, and has a correct servername which also doesn't require disabling hostname verification.
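A structural check for the label mismatch the answer describes, as an added example that is not part of the original answer: it classifies the DER as PKCS#1 or PKCS#8 by the tag that follows the version INTEGER, warns when the PEM label disagrees, and loads PKCS#8 keys with the JDK alone. The class and method names are hypothetical, RSA is assumed as on this page, and the sample key is a throwaway generated at run time and deliberately mislabelled.

```java
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PemKeyCheck {
    private static final Pattern PEM = Pattern.compile(
            "-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \\1-----", Pattern.DOTALL);

    /** Classifies the DER by structure, ignoring whatever the PEM label claims. */
    static String detectFormat(byte[] der) {
        if (der.length < 2 || der[0] != 0x30) return "UNKNOWN";   // outer SEQUENCE
        int lenByte = der[1] & 0xff;
        int i = 2 + (lenByte < 0x80 ? 0 : (lenByte & 0x7f));       // skip short or long length
        if (i + 3 >= der.length || der[i] != 0x02 || der[i + 1] != 0x01) {
            return "UNKNOWN";                                      // no one-byte version INTEGER
        }
        switch (der[i + 3]) {
            case 0x30: return "PKCS8";   // AlgorithmIdentifier SEQUENCE follows the version
            case 0x02: return "PKCS1";   // modulus INTEGER follows the version
            default:   return "UNKNOWN";
        }
    }

    /** Loads an unencrypted RSA private key, reporting a label that does not match the content. */
    static PrivateKey loadPrivateKey(String pem) throws Exception {
        Matcher m = PEM.matcher(pem);
        if (!m.find()) throw new IllegalArgumentException("no PEM block found");
        String label = m.group(1);
        byte[] der = Base64.getDecoder().decode(m.group(2).replaceAll("\\s", ""));

        String format = detectFormat(der);
        String expected = format.equals("PKCS8") ? "PRIVATE KEY"
                        : format.equals("PKCS1") ? "RSA PRIVATE KEY" : null;
        if (expected == null) {
            throw new IllegalArgumentException("unrecognised or encrypted key under label " + label);
        }
        if (!label.equals(expected)) {
            System.err.println("warning: label '" + label + "' but content is " + format
                    + "; the label should be '" + expected + "'");
        }
        if (format.equals("PKCS1")) {
            // PKCS8EncodedKeySpec cannot take PKCS#1 bytes; convert the file or use BouncyCastle
            throw new IllegalArgumentException("PKCS#1 content: convert to PKCS#8 first");
        }
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway key, PKCS#8-encoded but labelled as PKCS#1,
        // which reproduces the mismatch described in the answer.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        byte[] pkcs8 = gen.generateKeyPair().getPrivate().getEncoded();
        String body = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(pkcs8);
        String mislabelled = "-----BEGIN RSA PRIVATE KEY-----\n" + body
                + "\n-----END RSA PRIVATE KEY-----\n";

        PrivateKey key = loadPrivateKey(mislabelled);
        System.out.println("loaded " + key.getAlgorithm() + " key, encoding " + key.getFormat());
    }
}
```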

The problem was that you are not able to use .cert and .key files in Java because the KeyStore doesn't know to work with these files.
To fix it you need to convert your files to a .p12 (PKCS#12) file. To do this I used KeyStore Explorer.
After I converted the file I was able to make the call.
The solution code is here:
private static SSLSocketFactory getFactory(String fileName, String password) throws Exception {
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(Main.class.getClassLoader().getResourceAsStream(fileName), password.toCharArray());
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
keyManagerFactory.init(keyStore, password.toCharArray());
SSLContext context = SSLContext.getInstance("SSL");
context.init(
keyManagerFactory.getKeyManagers(),
null,
new SecureRandom()
);
return context.getSocketFactory();
}
public static void main(String[] args) throws Exception {
final OkHttpClient.Builder builder = new OkHttpClient.Builder()
.sslSocketFactory(getFactory("converted_file.p12", "1234"))
.hostnameVerifier((hostname, session) -> true);
OkHttpClient client = builder.build();
//...
}

Related

problems generating certificate from RSA public key with for java keystore

I'm making the methods for signature and verification and need to make the keys that correspond with each other from the keystore. The methods I'm using for signature and verification get the keys from my JCEKS keystore and will use them to sign and verify the signature.
I tried the signature/verification methods with regular KeyPair generation and it seems to work by returning true on verify, but when I try with keys from the keystore it returns false.
Here is a method I tried earlier that would return false:
public Certificate[] generateCertificateChain() throws IOException, CertificateException {
CertificateFactory cf = CertificateFactory.getInstance("X509");
Resource certRes = resourceLoader.getResource("file:cert.pem");
X509Certificate cert = (X509Certificate) cf.generateCertificate(certRes.getInputStream());
Certificate[] certificateChain = {cert};
return certificateChain;
}
KeyFactory factory = KeyFactory.getInstance("RSA");
RSAPublicKeySpec rsaPublicKeySpec = new RSAPublicKeySpec(publicKeyData.getModulusInteger(), publicKeyData.getPublicExponentInteger());
PublicKey publicKey = factory.generatePublic(rsaPublicKeySpec);
keyStore.setKeyEntry(alias, publicKey.getEncoded(), generateCertificateChain());
OutputStream writeStream = new FileOutputStream(keyStorePath);
keyStore.store(writeStream, keyStorePassword);
I may be generating and storing my certificate wrong. Here is the method I'm trying now without using the two above. Here I get the error message: Caused by: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: Short read of DER length
@Override
public void storePublicKey(String alias, RsaPublicKeyData publicKeyData)
throws CertificateException,
IOException,
NoSuchAlgorithmException,
InvalidKeySpecException,
KeyStoreException {
KeyFactory factory = KeyFactory.getInstance("RSA");
RSAPublicKeySpec rsaPublicKeySpec = new RSAPublicKeySpec(publicKeyData.getModulusInteger(), publicKeyData.getPublicExponentInteger());
PublicKey publicKey = factory.generatePublic(rsaPublicKeySpec);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(publicKey.getEncoded()));
keyStore.setCertificateEntry(alias, cert);
OutputStream writeStream = new FileOutputStream(keyStorePath);
keyStore.store(writeStream, keyStorePassword);
}

Still getting Received fatal alert: bad_certificate

I have the key and cert combined into one cert.pem file,
and I am getting:
"exception": "javax.net.ssl.SSLHandshakeException",
"message": "Received fatal alert: bad_certificate",
The PEM file is right, but I think the problem is how I am generating the JKS keystore file.
.pem cert format
BEGIN CERTIFICATE
...
END CERTIFICATE
BEGIN CERTIFICATE
...
END CERTIFICATE
BEGIN RSA PRIVATE KEY
...
END RSA PRIVATE KEY
I combine it with the keytool command; the command is:
keytool -import -trustcacerts -alias yourdomain -file combined.pem -keystore yourkeystore.jks
java code is
public class HttpsTrustManager implements X509TrustManager {
@Override
public void checkClientTrusted(X509Certificate[] arg0, String arg1)
throws CertificateException {
// TODO Auto-generated method stub
}
@Override
public void checkServerTrusted(X509Certificate[] arg0, String arg1)
throws CertificateException {
// TODO Auto-generated method stub
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[]{};
}
}
request is
FileInputStream instream = new FileInputStream(
new File(this.resourcePath()+"/path_to.jks")
);
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(instream, "password".toCharArray());
SSLContext sslContext = SSLContexts.custom()
.loadKeyMaterial(keyStore, "password".toCharArray()) // use null as second param if you don't have a separate key password
.build();
sslContext.init(null,new X509TrustManager[]{new HttpsTrustManager()}, new SecureRandom());
HttpClient httpClient = HttpClients.custom().setSSLContext(sslContext).build();
HttpResponse response = httpClient.execute(
new HttpPost("https://url")
);
HttpEntity entity = response.getEntity();
System.out.println("----------------------------------------");
System.out.println(response.getStatusLine());
EntityUtils.consume(entity);
When you use Apache SSLContexts.custom().loadKeyMaterial().build() it initializes the built context with the specified keystore and the default trustmanager. You then call sslContext.init() to re-initialize it with no keymanager and the specified trustmanager; this ignores and discards the prior initialization. As a result your context has no keymanager, and cannot do client auth.
You need to be consistent. Either use Apache and give the (same) builder both loadKeyMaterial and loadTrustMaterial corresponding to what you want -- in particular httpclient 4.5.4 adds org.apache.http.conn.ssl.TrustAllStrategy which implements "cheerfully let all thieves and crooks see and change my supposedly secure data". Alternatively, use JSSE to directly create an SSLContext with .getInstance() and .init() it (once!) with your zero-security trustmanager and a keymanager created from your keystore (and an explicit SecureRandom if you like but if you omit that it defaults).
However, this may not work because the keytool command you show is correct only if yourdomain was a pre-existing PrivateKeyEntry matching the cert chain you imported to it. Use keytool -list -alias yourdomain to make sure it's a PrivateKeyEntry and NOT a TrustedCertEntry. If not, and if you need to use the privatekey from the PEM file (rather than one already in a keystore) you need to first convert the key and cert chain to PKCS12 with OpenSSL, and then depending on your Java maybe convert the PKCS12 to JKS with keytool. There are dozens of Qs (and As) on several Stacks for this.
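The single-initialisation approach from the answer above, combined with its PrivateKeyEntry check, as an added example that is not part of the original posts; it also applies to the .p12 solution earlier on this page, with server validation left at the platform defaults. `ClientAuthContext` and its method names are hypothetical; the keystore path and password come from the command line, and with no arguments it runs on a constructed empty keystore to show the rejection.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientAuthContext {

    /** Returns the first alias that is a PrivateKeyEntry (key plus cert chain), or fails. */
    static String requirePrivateKeyEntry(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                return alias;
            }
        }
        throw new IllegalStateException("keystore has no PrivateKeyEntry; "
                + "a TrustedCertEntry alone cannot be used for client authentication");
    }

    /** One SSLContext, initialised once, with a key manager and real trust managers. */
    static SSLContext build(KeyStore clientStore, char[] password) throws Exception {
        requirePrivateKeyEntry(clientStore);

        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, password);

        // A null keystore selects the platform's default trust anchors,
        // so the server's chain is still validated.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        SSLContext ctx = SSLContext.getInstance("TLS");
        // Called once: a second init() would discard these key managers.
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        char[] password = args.length == 2 ? args[1].toCharArray() : new char[0];
        if (args.length == 2) {
            try (InputStream in = new FileInputStream(args[0])) {
                ks.load(in, password);
            }
        } else {
            ks.load(null, null);   // constructed input: an empty keystore, to show the failure mode
        }
        try {
            SSLContext ctx = build(ks, password);
            System.out.println("context ready: " + ctx.getProtocol());
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The resulting `ctx.getSocketFactory()` can be handed to the HTTP client in use; leaving the client's hostname verifier unset keeps the default verification.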

Android java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

There are three hosts with which an Android app does the authentication and authorization. The final host is the REST API. The first time, using the OAuth authentication and authorization process, it works without issue.
But if the user kills the app after logging in and accessing the services provided by the REST API and then opens the app again, this issue arises. This time the authentication and authorization process is not happening, only the REST API. It caused java.security.cert.CertPathValidatorException, but it was working during the first use (login and then use the app).
Can someone explain the scenario behind this exception and what's wrong with the app? This works if certification exceptions are ignored as below, according to this SO answer.
SSLSocketFactory sslSocketFactory = null;
try {
TrustManagerFactory tmf = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
// Initialise the TMF as you normally would, for example:
try {
tmf.init((KeyStore)null);
} catch(KeyStoreException e) {
e.printStackTrace();
}
TrustManager[] trustManagers = tmf.getTrustManagers();
final X509TrustManager origTrustmanager = (X509TrustManager)trustManagers[0];
// Create a trust manager that does not validate certificate chains
TrustManager[] wrappedTrustManagers = new TrustManager[]{
new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return origTrustmanager.getAcceptedIssuers();
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
try {
origTrustmanager.checkClientTrusted(certs, authType);
} catch(CertificateException e) {
e.printStackTrace();
}
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
try {
origTrustmanager.checkServerTrusted(certs, authType);
} catch(CertificateException e) {
e.printStackTrace();
}
}
}
};
//TrustManager[] trustAllCerts = TrustManagerFactory.getInstance("SSL").getTrustManagers();
// Install the all-trusting trust manager
final SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, wrappedTrustManagers, new java.security.SecureRandom());
// Create an ssl socket factory with our all-trusting manager
sslSocketFactory = sslContext.getSocketFactory();
} catch (NoSuchAlgorithmException | KeyManagementException e) {
e.printStackTrace();
}
return sslSocketFactory;
I am using OkHttp 3 for the HTTP requests. Any suggestion would help to solve the issue. And please let me know: if I use the above code snippet, is it a security violation? Will it affect the security of the app?
I am answering this to give an idea about the scenario and solution as per the Android developer site, for others' benefit. I have solved this using a custom trust manager.
The problem was with the server certificate: it misses the intermediate certificate authority. However, with the first flow the certificate path is completed somehow and the result was successful certificate path validation.
There is a solution for this on the Android developer site. It suggests using a custom trust manager that trusts this server certificate, or it suggests that the server include the intermediate CA in the server chain.
Custom trust manager. Source: https://developer.android.com/training/articles/security-ssl.html#UnknownCa
// Load CAs from an InputStream
// (could be from a resource or ByteArrayInputStream or ...)
CertificateFactory cf = CertificateFactory.getInstance("X.509");
// From https://www.washington.edu/itconnect/security/ca/load-der.crt
InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt"));
Certificate ca;
try {
ca = cf.generateCertificate(caInput);
System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
} finally {
caInput.close();
}
// Create a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
// Create a TrustManager that trusts the CAs in our KeyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
// Create an SSLContext that uses our TrustManager
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);
// Tell the okhttp to use a SocketFactory from our SSLContext
OkHttpClient okHttpClient = new OkHttpClient.Builder().sslSocketFactory(context.getSocketFactory()).build();
UPDATE: My problem was solved after the intermediate certificate authority was added to the certificate chain on the server side. It is the best solution; bundling the certificate with the app requires the app to be updated on certificate expiry or any other issues related to certificate management.
UPDATE:03/09/2017 Easiest way to load certificate file I found is use of raw resource.
InputStream caInput = new BufferedInputStream(context
.getResources().openRawResource(R.raw.certfilename));
where certfilename is the certificate file placed in resources/raw folder. Also okhttp's sslSocketFactory(SSLSocketFactory sslSocketFactory) has been deprecated and suggested approach in the okhttp api doc can be used.
Also when getting the certificate from the server it is better to use openssl.
openssl s_client -connect {server-address}:{port} -showcerts
Because I used to grab that from firefox and faced situation where it was altered by the virus guard.
Paste your cert.pem in raw folder
Create a method
private SSLSocketFactory getSSLSocketFactory(){
try {
CertificateFactory cf;
cf = CertificateFactory.getInstance("X.509");
Certificate ca;
InputStream cert = context.getResources().openRawResource(R.raw.cert);
ca = cf.generateCertificate(cert);
cert.close();
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null);
return sslContext.getSocketFactory();
}
catch (Exception e){
return null;
}
}
Call like this
final OkHttpClient client = new OkHttpClient();
//pass getSSLSocketFactory() in params
client.setSslSocketFactory(getSSLSocketFactory());
String appURl = context.getString(R.string.apis_app_url);
final RestAdapter restAdapter = new RestAdapter.Builder()
.setEndpoint(appURl).setClient(new OkClient(client)).
build();

How to specify the client certificate on a JAX-WS client and client certificate authentication

I'm programming a JAX-WS client in Java. The access to the WebService is protected with a client certificate. I know the client certificate is right because I can get the WSDL in Firefox only if the client certificate was imported (in Firefox).
But I have problems writing my Java application which should use the WebService. What I have done is the following:
MyOwnService svc = new MyOwnService(getServerURL(), MYOWNSERVICE_QNAME);
...
...
private URL getServerURL() throws IOException {
URL url = new URL((String) cfg.get(ConfigData.SERVER_URL));
HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
try {
con.setSSLSocketFactory(getFactory(new File("/etc/pki/wildfly/client.keystore"), "123456"));
} catch (Exception exc) {
throw new IOException("Client certificate error!", exc);
}
return url;
}
private SSLSocketFactory getFactory(File pKeyFile, String pKeyPassword )
throws ... {
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
KeyStore keyStore = KeyStore.getInstance("PKCS12");
InputStream keyInput = new FileInputStream(pKeyFile);
keyStore.load(keyInput, pKeyPassword.toCharArray());
keyInput.close();
keyManagerFactory.init(keyStore, pKeyPassword.toCharArray());
SSLContext context = SSLContext.getInstance("TLS");
context.init(keyManagerFactory.getKeyManagers(), null, new SecureRandom());
return context.getSocketFactory();
}
But this didn't work. If I run this I get the following exception in the MyOwnService constructor:
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty.
What is the correct way to implement a JAX-WS client which supports client certification?
Forget my code above. It seems that the only thing you must do is to specify the keystore as environment variables like:
-Djavax.net.ssl.keyStore=/etc/pki/wildfly/client.keystore -Djavax.net.ssl.keyStorePassword=123456
If I do so and specify the correct keystore, it works. If I specify an invalid keystore file (which contains another/wrong certificate/key), it doesn't work :).
But I'm not sure how Java gets the right key/cert from the keystore if the keystore contains more than one PrivateKeyEntry. Specifying javax.net.ssl.keyStoreAlias has no effect. Maybe Java tries the PrivateKeyEntrys until the right one is found ...
However: The only thing to do is to specify the right keystore as an environment variable.

Reading Client Certificate in Servlet

I have a Client Server Communication scenario in JBOSS and browser as client(JAVA PROGRAM). Initially when the connection is made, Client sends its Certificate to Server. Server extracts the public key of client from certificate and thus communication will continue.
Now my question is
How to send certificate(.cer) from Client to Server?
How to receive the certificate and extract its public key in Server?
How to send certificate(.cer) from Client to Server?
Client certificate (.cer, .crt, .pem) and its corresponding private key (.key) should be packaged into a PKCS#12 (.p12, .pfx) or JKS (.jks) container first (keystore). You also should have the server's CA certificate packaged as JKS (truststore).
Example using HttpClient 3.x:
HttpClient client = new HttpClient();
// truststore
KeyStore trustStore = KeyStore.getInstance("JKS", "SUN");
trustStore.load(TestSupertype.class.getResourceAsStream("/client-truststore.jks"), "amber%".toCharArray());
String alg = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory fac = TrustManagerFactory.getInstance(alg);
fac.init(trustStore);
// keystore
KeyStore keystore = KeyStore.getInstance("PKCS12", "SunJSSE");
keystore.load(X509Test.class.getResourceAsStream("/etomcat_client.p12"), "etomcat".toCharArray());
String keyAlg = KeyManagerFactory.getDefaultAlgorithm();
KeyManagerFactory keyFac = KeyManagerFactory.getInstance(keyAlg);
keyFac.init(keystore, "etomcat".toCharArray());
// context
SSLContext ctx = SSLContext.getInstance("TLS", "SunJSSE");
ctx.init(keyFac.getKeyManagers(), fac.getTrustManagers(), new SecureRandom());
SslContextedSecureProtocolSocketFactory secureProtocolSocketFactory = new SslContextedSecureProtocolSocketFactory(ctx);
Protocol.registerProtocol("https", new Protocol("https", (ProtocolSocketFactory) secureProtocolSocketFactory, 8443));
// test get
HttpMethod get = new GetMethod("https://127.0.0.1:8443/etomcat_x509");
client.executeMethod(get);
// get response body and do what you need with it
byte[] responseBody = get.getResponseBody();
You may find working example in this project see X509Test class.
With HttpClient 4.x configuration and syntax would be slightly different:
HttpClient httpclient = new DefaultHttpClient();
// truststore
KeyStore ts = KeyStore.getInstance("JKS", "SUN");
ts.load(PostService.class.getResourceAsStream("/truststore.jks"), "amber%".toCharArray());
// if you remove me, you've got 'javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated' on missing truststore
if(0 == ts.size()) throw new IOException("Error loading truststore");
// tmf
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ts);
// keystore
KeyStore ks = KeyStore.getInstance("PKCS12", "SunJSSE");
ks.load(PostService.class.getResourceAsStream("/" + certName), certPwd.toCharArray());
// if you remove me, you've got 'javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated' on missing keystore
if(0 == ks.size()) throw new IOException("Error loading keystore");
// kmf
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, certPwd.toCharArray());
// SSL
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
// socket
SSLSocketFactory socketFactory = new SSLSocketFactory(ctx, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
Scheme sch = new Scheme("https", 8443, socketFactory);
httpclient.getConnectionManager().getSchemeRegistry().register(sch);
// request
HttpGet get = new HttpGet("https://localhost:8443/foo");
HttpResponse response = httpclient.execute(get);
IOUtils.copy(response.getEntity().getContent(), System.out);
How to receive the certificate and extract its public key in Server?
Your server must be configured to require X.509 client certificate authentication. Then during the SSL handshake the servlet container will receive the certificate, check it against the truststore and provide it to the application as a request attribute.
In usual case with single certificate you could use this method in servlet environment to extract certificate:
protected X509Certificate extractCertificate(HttpServletRequest req) {
X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
if (null != certs && certs.length > 0) {
return certs[0];
}
throw new RuntimeException("No X.509 client certificate found in request");
}
