I am trying to write a Java code where I need to fetch data from a RESTful Api using Apache HttpClient.
My web server has a self signed certificate. The code I have used is as follows:
public class WebClientDevWrapper {
public static HttpClient wrapClient(HttpClient base) {
try {
ClientConnectionManager ccm = base.getConnectionManager();
SSLSocketFactory sslsf = new SSLSocketFactory(new TrustSelfSignedStrategy());
Scheme https = new Scheme("https", 444, sslsf);
ccm.getSchemeRegistry().register(https);
return new DefaultHttpClient(ccm, base.getParams());
} catch (Exception ex) {
ex.printStackTrace();
return null;
}
}
public static void main(String[] args) throws ClientProtocolException, IOException{
HttpClient client ;
client = new DefaultHttpClient();
client = WebClientDevWrapper.wrapClient(client);
HttpGet request = new HttpGet("https://localhost/restapi");
HttpResponse response = client.execute(request);
BufferedReader rd = new BufferedReader (new InputStreamReader(response.getEntity().getContent()));
String line = "";
while ((line = rd.readLine()) != null) {
System.out.println(line);
}
}
}
On running this code, I am getting the following error:
"javax.net.ssl.SSLException: Certificate for doesn't contain CN or DNS subjectAlt"
Please help.
You need to import the SSL certificate in your JAVA. Use the below line
<JAVA_HOME>\bin\keytool -import -v -trustcacerts
-alias [Your Alias name] -file [Your Certificate location]
-keystore [Keystore location] -keypass [Your Password]
-storepass [Your Password]
Related
I am writing the client code which has to consume a web service which requires client certificate to authenticate.
Code:
String KEYSTOREPATH = "C:\\jks\\client.p12";
String KEYPASS = "password";
SSLContext sslContext = SSLContexts.custom()
.loadKeyMaterial(
new File("C:\\jks\\client.p12"),
KEYPASS.toCharArray(), KEYPASS.toCharArray(),
(PrivateKeyStrategy) (aliases, socket) -> "client")
.loadTrustMaterial(new File(KEYSTOREPATH), KEYPASS.toCharArray(), (chain, authType) -> true).build();
// Allow TLSv1 protocol only
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
sslContext,
new String[] { "TLSv1.2" },
null,
SSLConnectionSocketFactory.getDefaultHostnameVerifier());
CloseableHttpClient httpclient = HttpClients.custom()
.setSSLSocketFactory(sslsf)
.build();
try {
HttpGet httpget = new HttpGet("https://localhost:8443/test");
System.out.println("Executing request " + httpget.getRequestLine());
CloseableHttpResponse response = httpclient.execute(httpget);
try {
HttpEntity entity = response.getEntity();
System.out.println("----------------------------------------");
System.out.println(response.getStatusLine());
EntityUtils.consume(entity);
} finally {
response.close();
}
} finally {
httpclient.close();
}
Error:
javax.net.ssl|DEBUG|01|main|2019-06-29 19:29:33.244 IST|SunX509KeyManagerImpl.java:401|matching alias: 1
javax.net.ssl|WARNING|01|main|2019-06-29 19:29:33.245 IST|CertificateRequest.java:699|No available client private key
javax.net.ssl|DEBUG|01|main|2019-06-29 19:29:33.246 IST|ServerHelloDone.java:142|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|01|main|2019-06-29 19:29:33.246 IST|CertificateMessage.java:291|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|DEBUG|01|main|2019-06-29 19:29:33.247 IST|CertificateMessage.java:322|Produced client Certificate handshake message (
"Certificates": <empty list>
)
Command to generate the p12 file
openssl pkcs12 -export -out client.p12 -inkey client.key.pem -in client.cert.pem
Why it is not able to find the client certificate from the client.p12 file? What I am missing here?
I'm new to certificate concept can any one help how to send the certificate in https request.
My CURL command is below:
curl -d "grant_type=password&client_id=SmartRest&client_secret=594a27f3-4432-4d37-9196-2ba49de52758&username=user123&password=welcome123" https://xxxxxxx.xxx.in:8543/auth/realms/restapi/protocol/openid-connect/token --cacert ./ca_bundle.crt
Same thing i need to send in my java code, i have only one .crt file, I don't have keypass or anything.
I trusted the certificate by below keytool command.
keytool -import -trustcacerts -file "ca_bundle.crt" -alias "alias" -keystore "C:\Program Files\Java\jdk1.8.0_131\jre\lib\security\cacerts"
Below code works fine, no need to skip ssl validation.
public static void main(String[] args) throws Exception {
HttpsURLConnection con = (HttpsURLConnection) new URL("https://xxxx.xxx.xx:8543/auth/realms/restapi/protocol/openid-connect/token").openConnection();
con.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
String urlParameters = "grant_type=password&client_id=SmartRest&client_secret=594a27f3-4432-4d37-9196-2ba49de52758&username=user123&password=welcome123";
con.setDoOutput(true);
DataOutputStream wr = new DataOutputStream(con.getOutputStream());
wr.writeBytes(urlParameters);
wr.flush();
wr.close();
BufferedReader in = new BufferedReader(new InputStreamReader(con.getInputStream()));
String inputLine;
StringBuffer response = new StringBuffer();
while ((inputLine = in.readLine()) != null) {
response.append(inputLine);
}
in.close();
//print result
System.out.println(response.toString());
}
i got the result.
I am trying to set up a mutually authenticated SSL between a Linux Server and Android APP.
So far, I have been able to get the app to work with the server certificate communicate via SSL but once I set the server to only accept client certificates it stops working. The server configuration seems ok, but I am a kind of stuck. My best guess is that the client certificate is not correctly being presented to the server but got no idea how to test it next. I tried using the .pem for the client in my OS X keychain but the browsers does not seem to work with that certificate. Then again the Server certificate works perfectly because I can achieve https connection and the APP Accepts my unsigned server certificate.
The code I have been I am using is the combination of various tutorials, answers this is the main ones I have bookmarked:
http://www.androidhive.info/2012/05/how-to-connect-android-with-php-mysql/
Self-signed SSL acceptance on Android
Securing communication [Authenticity, Privacy & Integrity] with mobile app?
(For the Server Config) https://security.stackexchange.com/questions/34897/configure-ssl-mutual-two-way-authentication
This are the two main classes I am using for the connection:
1) This class handles the JSON parsing and does the REQUESTS
package edu.hci.additional;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.util.List;
import android.content.Context;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.utils.URLEncodedUtils;
import org.json.JSONException;
import org.json.JSONObject;
import android.util.Log;
public class JSONParser {
static InputStream is = null;
static JSONObject jObj = null;
static String json = "";
// constructor
public JSONParser() {
}
// function get json from url
// by making HTTP POST or GET mehtod
public JSONObject makeHttpRequest(String url, String method,
List<NameValuePair> params, Context context) {
// Making HTTP request
try {
// check for request method
if(method == "POST"){
// request method is POST
// defaultHttpClient
SecureHttpClient httpClient = new SecureHttpClient(context);
HttpPost httpPost = new HttpPost(url);
httpPost.setEntity(new UrlEncodedFormEntity(params));
HttpResponse httpResponse = httpClient.execute(httpPost);
HttpEntity httpEntity = httpResponse.getEntity();
is = httpEntity.getContent();
}else if(method == "GET"){
// request method is GET
SecureHttpClient httpClient = new SecureHttpClient(context);
String paramString = URLEncodedUtils.format(params, "utf-8");
url += "?" + paramString;
HttpGet httpGet = new HttpGet(url);
HttpResponse httpResponse = httpClient.execute(httpGet);
HttpEntity httpEntity = httpResponse.getEntity();
is = httpEntity.getContent();
}
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
} catch (ClientProtocolException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
try {
BufferedReader reader = new BufferedReader(new InputStreamReader(
is, "iso-8859-1"), 8);
StringBuilder sb = new StringBuilder();
String line = null;
while ((line = reader.readLine()) != null) {
sb.append(line + "\n");
}
is.close();
json = sb.toString();
} catch (Exception e) {
Log.e("Buffer Error", "Error converting result " + e.toString());
}
// try parse the string to a JSON object
try {
jObj = new JSONObject(json);
} catch (JSONException e) {
Log.e("JSON Parser", "Error parsing data " + e.toString());
}
// return JSON String
return jObj;
}
}
This second class handles the SSL Authentication:
package edu.hci.additional;
import android.content.Context;
import android.util.Log;
import edu.hci.R;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.params.HttpParams;
import java.io.IOException;
import java.io.InputStream;
import java.security.*;
public class SecureHttpClient extends DefaultHttpClient {
private static Context appContext = null;
private static HttpParams params = null;
private static SchemeRegistry schmReg = null;
private static Scheme httpsScheme = null;
private static Scheme httpScheme = null;
private static String TAG = "MyHttpClient";
public SecureHttpClient(Context myContext) {
appContext = myContext;
if (httpScheme == null || httpsScheme == null) {
httpScheme = new Scheme("http", PlainSocketFactory.getSocketFactory(), 80);
httpsScheme = new Scheme("https", mySSLSocketFactory(), 443);
}
getConnectionManager().getSchemeRegistry().register(httpScheme);
getConnectionManager().getSchemeRegistry().register(httpsScheme);
}
private SSLSocketFactory mySSLSocketFactory() {
SSLSocketFactory ret = null;
try {
final KeyStore clientCert = KeyStore.getInstance("BKS");
final KeyStore serverCert = KeyStore.getInstance("BKS");
final InputStream client_inputStream = appContext.getResources().openRawResource(R.raw.authclientcerts);
final InputStream server_inputStream = appContext.getResources().openRawResource(R.raw.certs);
clientCert.load(client_inputStream, appContext.getString(R.string.client_store_pass).toCharArray());
serverCert.load(server_inputStream, appContext.getString(R.string.server_store_pass).toCharArray());
String client_password = appContext.getString(R.string.client_store_pass);
server_inputStream.close();
client_inputStream.close();
ret = new SSLSocketFactory(clientCert,client_password,serverCert);
} catch (UnrecoverableKeyException ex) {
Log.d(TAG, ex.getMessage());
} catch (KeyStoreException ex) {
Log.d(TAG, ex.getMessage());
} catch (KeyManagementException ex) {
Log.d(TAG, ex.getMessage());
} catch (NoSuchAlgorithmException ex) {
Log.d(TAG, ex.getMessage());
} catch (IOException ex) {
Log.d(TAG, ex.getMessage());
} catch (Exception ex) {
Log.d(TAG, ex.getMessage());
} finally {
return ret;
}
}
}
To Create the keys I used openssl with this command:
openssl req -nodes -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 500
To get the keys to BKS for Android I used the bouncy castle bcprov-jdk15on-150.jar located at: http://www.bouncycastle.org/latest_releases.html
And used the command:
keytool -import -v -trustcacerts -alias 0 -file ~/cert.pem -keystore ~/Downloads/authclientcerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath ~/Downloads/bcprov-jdk15on-150.jar -storepass passWORD
Finally the lines I added to /etc/httpd/conf.d/ssl.conf to require the client certificate and check for the certificate validity (which match the client certificate I created) in Fedora 19 are:
...
SSLVerifyClient require
SSLVerifyDepth 5
...
<Location />
SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "Develop" \
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "Operations", "Dev"} )
</Location>
...
SSLOptions +FakeBasicAuth +StrictRequire
I tried a lot of combinations on this config file and all ended in the same result twrowing me a "SSLPeerUnverifiedException: No peer certificate" Exception. I comment this lines on the SSL config file of the server and all works great but the server accepts all clients which is not what I need.
Thanks in advance :)
UPDATE
#EJP's Answer did the trick
First I had to add the certificate to the correct ( /etc/pki/tls/certs/ )path and load it by using:
rename the cert: mv ca-andr.pem ca-andr.crt
And now load the certificate:
ln -s ca-andr.crt $( openssl x509 -hash -noout -in ca-andr.crt )".0"
This will create a openSSL readable symlink with a name similar to “f3f24175.0”
Then I set the new Certificate file in the /etc/httpd/conf.d/ssl.conf Configuration file.
…
SSLCACertificateFile /etc/pki/tls/certs/f2f62175.0
…
Now restart the http service and
test the if the certificate is loaded with:
openssl verify -CApath /etc/pki/tls/certs/ f2f62175.0
If all is ok you should see:
f3f24175.0: OK
And you can end the testing with:
openssl s_client -connect example.com:443 -CApath /etc/pki/tls/certs
This should return the list of trusted client certificates (If you see the one you added, is working)
Now the second part of the problem was that my authclientcerts.BKS din’t contain the private key, so the password I supplied was never used and the server would not authenticate the cert. So I exported my key and cert to pkcs12 and updated the JAVA code accordingly.
Export command:
openssl pkcs12 -export -in ~/cert.pem -inkey ~/key.pem > android_client_p12.p12
Then the I changed the parts of the SecureHttpClient.java Class to make the client certificate with PKCS12 instead of BKS.
To change the key store type from BKS to PKCS12
I Replaced:
final KeyStore clientCert = KeyStore.getInstance("BKS”);
For this:
final KeyStore clientCert = KeyStore.getInstance("PKCS12");
And then I updated the references to the actual key store files located on res/raw/
By Replacing:
final InputStream client_inputStream = appContext.getResources().openRawResource(R.raw.authclientcerts);
For this:
final InputStream client_inputStream = appContext.getResources().openRawResource(R.raw.android_client_p12);
And that did the trick :D
When the server asks for the client certificate, it provides a list of CAs that it will accept certificates signed by. If the client doesn't have a certificate signed by one of them, it won't send a certificate in reply. If the server is configured to require a client certificate, as opposed to just wanting one, it will then close the connection.
So, ensure that the client has a certificate which is acceptable to the server's truststore.
I have been trying to get a client to communicate with a server securely through SSL. I created my own self-signed certificates and it seems like that the client can connect to the server using the certificates, but the client never seems to be getting the response from the server. I tried printing the content-length which returns -1 and the actual content seems to be an empty string, although a simple HTML 'hello world' is expected.
What am I doing wrong?
Server:
public class SSLServer {
public static void main(String[] args) {
String ksName = "key.jks";
char ksPass[] = "password".toCharArray();
char ctPass[] = "password".toCharArray();
try {
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream(ksName), ksPass);
KeyManagerFactory kmf =
KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, ctPass);
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(kmf.getKeyManagers(), null, null);
SSLServerSocketFactory ssf = sc.getServerSocketFactory();
SSLServerSocket s
= (SSLServerSocket) ssf.createServerSocket(8888);
System.out.println("Server started:");
// Listening to the port
SSLSocket c = (SSLSocket) s.accept();
BufferedWriter w = new BufferedWriter(
new OutputStreamWriter(c.getOutputStream()));
w.write("HTTP/1.0 200 OK");
w.write("Content-Type: text/html");
w.write("<html><body>Hello world!</body></html>");
w.flush();
w.close();
c.close();
} catch (Exception e) {
e.printStackTrace();
}
}
}
Client:
public class TestSSLActivity extends Activity {
/** Called when the activity is first created. */
#Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.main);
// Instantiate the custom HttpClient
DefaultHttpClient client = new MyHttpClient(getApplicationContext());
HttpGet get = new HttpGet("https://192.168.15.195:8888");
// Execute the GET call and obtain the response
HttpResponse getResponse;
try {
getResponse = client.execute(get);
HttpEntity responseEntity = getResponse.getEntity();
Log.i("Connection",responseEntity.getContentLength()+"");
BufferedReader reader = new BufferedReader(new InputStreamReader(responseEntity.getContent(), "UTF-8"));
StringBuilder builder = new StringBuilder();
for (String line = null; (line = reader.readLine()) != null;) {
builder.append(line).append("\n");
}
Log.i("Connection","build: "+builder.toString());
} catch (Exception e) {
Log.i("Connection",e.getMessage());
}
}
Custom HTTP client:
public class MyHttpClient extends DefaultHttpClient {
final Context context;
public MyHttpClient(Context context) {
this.context = context;
}
#Override
protected ClientConnectionManager createClientConnectionManager() {
SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
// Register for port 443 our SSLSocketFactory with our keystore
// to the ConnectionManager
registry.register(new Scheme("https", newSslSocketFactory(), 443));
return new SingleClientConnManager(getParams(), registry);
}
private SSLSocketFactory newSslSocketFactory() {
try {
// Get an instance of the Bouncy Castle KeyStore format
KeyStore trusted = KeyStore.getInstance("BKS");
// Get the raw resource, which contains the keystore with
// your trusted certificates (root and any intermediate certs)
InputStream in = context.getResources().openRawResource(R.raw.key);
try {
// Initialize the keystore with the provided trusted certificates
// Also provide the password of the keystore
trusted.load(in, "password".toCharArray());
} finally {
in.close();
}
// Pass the keystore to the SSLSocketFactory. The factory is responsible
// for the verification of the server certificate.
SSLSocketFactory sf = new SSLSocketFactory(trusted);
// Hostname verification from certificate
// http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html#d4e506
sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
return sf;
} catch (Exception e) {
throw new AssertionError(e);
}
}
}
You might want to change the server code to read the request from the client before sending the response. It could be that the client is blocking (and then timing out?) waiting for the server to read the request.
Does anyone have any friendly tips on how to perform client authentication via an x509 certificate using HTTPClient 4.0.1?
Here is some code to get you going. The KeyStore is the object that contains the client certificate. If the server is using a self-signed certificate or a certificate that isn't signed by a CA as recognized by the JVM in the included cacerts file then you will need to use a TrustStore. Otherwise to use the default cacerts file, pass in null to SSLSockeFactory for the truststore argument..
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpParams;
...
final HttpParams httpParams = new BasicHttpParams();
// load the keystore containing the client certificate - keystore type is probably jks or pkcs12
final KeyStore keystore = KeyStore.getInstance("pkcs12");
InputStream keystoreInput = null;
// TODO get the keystore as an InputStream from somewhere
keystore.load(keystoreInput, "keystorepassword".toCharArray());
// load the trustore, leave it null to rely on cacerts distributed with the JVM - truststore type is probably jks or pkcs12
KeyStore truststore = KeyStore.getInstance("pkcs12");
InputStream truststoreInput = null;
// TODO get the trustore as an InputStream from somewhere
truststore.load(truststoreInput, "truststorepassword".toCharArray());
final SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(new Scheme("https", new SSLSocketFactory(keystore, keystorePassword, truststore), 443));
final DefaultHttpClient httpClient = new DefaultHttpClient(new ThreadSafeClientConnManager(httpParams, schemeRegistry), httpParams);
Another solution (copied from another example). I've used the same keystore for both 'trusting' (trustStore) and for authenticate myself (keyStore).
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream instream = new FileInputStream(new File("miller.keystore"));
try {
trustStore.load(instream, "pw".toCharArray());
} finally {
instream.close();
}
SSLContext sslcontext = SSLContexts.custom()
.loadTrustMaterial(trustStore) /* this key store must contain the certs needed & trusted to verify the servers cert */
.loadKeyMaterial(trustStore, "pw".toCharArray()) /* this keystore must contain the key/cert of the client */
.build();
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslcontext,
SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
CloseableHttpClient httpclient = HttpClients.custom()
.setSSLSocketFactory(sslsf)
.build();
try {
HttpGet httpget = new HttpGet("https://localhost");
System.out.println("executing request" + httpget.getRequestLine());
CloseableHttpResponse response = httpclient.execute(httpget);
try {
HttpEntity entity = response.getEntity();
System.out.println("----------------------------------------");
System.out.println(response.getStatusLine());
if (entity != null) {
System.out.println("Response content length: " + entity.getContentLength());
}
EntityUtils.consume(entity);
} finally {
response.close();
}
} finally {
httpclient.close();
}
I used the following from a sample code on HttpClient's website (custom SSL context if I remember correctly).
{
KeyStore keyStore = KeyStore.getInstance("PKCS12"); //client certificate holder
FileInputStream instream = new FileInputStream(new File(
"client-p12-keystore.p12"));
try {
trustStore.load(instream, "password".toCharArray());
} finally {
instream.close();
}
// Trust own CA and all self-signed certs
SSLContext sslcontext = SSLContexts.custom()
.loadKeyMaterial(keyStore, "password".toCharArray())
// .loadTrustMaterial(trustStore, new TrustSelfSignedStrategy()) //if you have a trust store
.build();
// Allow TLSv1 protocol only
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
sslcontext, new String[] { "TLSv1" }, null,
SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
CloseableHttpClient httpclient = HttpClients
.custom()
.setHostnameVerifier(
SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER) //todo
.setSSLSocketFactory(sslsf).build();
try {
HttpGet httpget = new HttpGet("https://localhost:8443/secure/index");
System.out.println("executing request" + httpget.getRequestLine());
CloseableHttpResponse response = httpclient.execute(httpget);
try {
HttpEntity entity = response.getEntity();
System.out.println("----------------------------------------");
System.out.println(response.getStatusLine());
if (entity != null) {
System.out.println("Response content length: "
+ entity.getContentLength());
}
EntityUtils.consume(entity);
} finally {
response.close();
}
} finally {
httpclient.close();
}
}