Sunday, March 12, 2017

How to security a website in public key infrastructure (PKI) – Basic Concept

Let’s suppose you are a owner of a website, which has domain name www.shengw.com

Here is the flow and it’s basic idea behind it.

image

 

CA’s role is to make sure the public key, PK1, that client used to to decode message is really belongs to www.shengw.com. Furthermore to prove any message succefully deocded by PK1 is really come from www.shengw.com's private key.

Client talks to www.shengw.com can be a browser or a Java application. In the last step what if the CA's public key is not known to the client (e.g  certificate file is not from a famous CA orgnization or even self-signed)?

  • If client is a browser, then install the CA’s root certification to the operating system’s trusted root certification authorities store.
  • If client is a java application, then  import the certificate from CA into application’s truststore jks file.

Saturday, March 11, 2017

Use Fiddler to debug https request from java application

Fiddler is a very handy tool for http related debug.  After starting, it automatically start to capture any http request go through system proxy. Also it by default listen to port 8888. For debug Java application, we stop the automatic capturing, only use the port 8888. 

image_thumb4

This articlae is for debug HTTPS  request from java application, if the java application send out HTTP request, please go to this article.

Target

You have a java application, which send https requestion out.  For debugging purpose, You want to find out what exactly be sent out as well as its response.

image

Solution

Different from http, proxy https request need more steps.

1. Get Fiddler Root Ceretificate file ( .cer file)

Open Fiddler, tools->Telerik Fiddler options

image

Choose HTTPS tab-> Export Root Certificate to Desktop.

image

Now you should be able to find the Certificate file “FiddlerRoot.cer” on desktop.  Let’s copy this file to directory C:/keystore.

image

2. Create truststore file from Fiddler Root Certificate (.cer file –> .jks file)

Use keytool to generate keystore file.

keytool -importcert -alias fiddler -file c:\keystore\FiddlerRoot.cer -keystore c:\keystore\fiddler_keystore.jks -storepass abcd1234

image

Now we have the fidder_keystore.jks file. From command line you can also find the storepass was set to “abcd1234”

3. Set proxy for JVM

Set http proxy for JVM either from java command or inside java code, here is a simple example by setting System properties in Java code.

package com.shengwang.demo;

import org.springframework.web.client.RestTemplate;

public class DemoMain {
  public static void main(String[] args) {
    enableHttpsProxy();
    RestTemplate restTemplate = new RestTemplate();
    String text = restTemplate.getForObject("https://www.facebook.com/", String.class);
    System.out.println(text);
  }

  private static void enableHttpsProxy() {
    System.setProperty("https.proxyHost", "127.0.0.1");
    System.setProperty("https.proxyPort", "8888");
  }
}

At the beginning of the code, we set proxy for https for JVM, then we try to access facebook by https.

4. Use the truststore file when running your Java application

If directly run the previous DemoMain class, you will get a Exception during the SSL handshaking, complain unable to find a validate certificate. So we need to run the DemoMain class with following JVM options:

-Djavax.net.ssl.trustStore=c:/keystore/fiddler_keystore.jks -Djavax.net.ssl.trustStorePassword=abcd1234

These 2 options tell JVM where to find the keystore file and the corresponding password to use the keystore. After you run the DemoMain with above options, we should be able to see the https request and its response from fiddler UI. Both request and response are decoded, so it’s very helpful during development.

image

Use Fidder to debug http request from java application

Fiddler is a very handy tool for http related debug.  After starting, it automatically start to capture any http request go through system proxy. Also it by default listen to port 8888. For debug Java application, we stop the automatic capturing, only use the port 8888.  

image

This articlae is for debug HTTP  request from java application, if the java application send out HTTPS request, please go to this article

Target:

You have a java application, which send http requestion out.  For debugging purpose, You want to find out what exactly be sent out as well as its response.

image

Solution:

Set http proxy for JVM either from java command or inside java code, here is a simple example by setting System properties in Java code.

package com.shengwang.demo;

import org.springframework.web.client.RestTemplate;

public class DemoMain {
  public static void main(String[] args) {
  
    enableHttpProxy(); // set system properties for http proxy
	
    RestTemplate restTemplate = new RestTemplate();
    String text = restTemplate.getForObject("http://www.bbc.com/", String.class);
    System.out.println(text);
  }


  public static void enableHttpProxy() {
    System.setProperty("http.proxyHost", "127.0.0.1");
    System.setProperty("http.proxyPort", "8888");
  }
}

This simple code just try to access www.bbc.com. After running it, we should be able to see the Http request and response from fiddler like below.

image

Spring RestTemplate useful hints

RestTemplate a widely used client tool from Spring framework. Here are some useful hints when using Spring RestTemplate.

  • How to use basic authentication with RestTemplate?
  • How to add arbitrary Http header, e.g.”Content-Type”, “Accept”, with RestTemplate?
  • How to bypass(not solve) Https error “java.security.cert.CertificateException: No name matching <some url> found”?

1. Basic authentication for RestTemplate

  RestTemplate restTemplate = new RestTemplate();

  // set username/password for http basic authentication
  restTemplate.getInterceptors().add(new BasicAuthorizationInterceptor("myUserName","myPassword"));

  // use restTemplate to send requst
  // .....

2. Add  arbitrary http header for RestTemplate

Like above for adding basic authentication, this time need your own ClientHttpRequestInterceptor implementation. (BasicAuhorizationInterceptor for basic authentication is already predefined in spring). 

  RestTemplate restTemplate = new RestTemplate();

  // set content-type=application/json http header
  restTemplate.getInterceptors().add(new ClientHttpRequestInterceptor() {
    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body, ClientHttpRequestExecution execution) throws IOException {
      request.getHeaders().add("Content-Type", MediaType.APPLICATION_FORM_URLENCODED.toString());
      return execution.execute(request, body);
    }
  });
		
  // use restTemplate to send requst
  // .....

For java8 +, using lamda can make it look more neat.  Functionally they are equivalent.

  RestTemplate restTemplate = new RestTemplate();

  // set content-type=application/json http header, use lamda 
  restTemplate.getInterceptors().add((request, body, execution) -> {
    request.getHeaders().add("Content-Type", MediaType.APPLICATION_FORM_URLENCODED.toString());
    return execution.execute(request, body);
  });
		
  // use restTemplate to send requst
  // .....

Above example add content-type to http header, it can be used to add anything you like to http header.

3. Bypass Https error “java.security.cert.CertificateException: No name matching <some url> found”

When use RestTemplate to access resource with protocol https, it may has the exception complain something like “java.security.cert.CertificateException: No name matching <some url> found”. This is because the java applicatoin doesn’t has the right certification in its keystore.  As a developer you probably don’t want to get blocked when someone is working on the CA procedure.  You can continue by ignore this SSL host verification like below.  But this is only a temporary solution, should not be used on any production environment.

@Configuration
public class ByPassSSLVerificationConfig {
  // This RestTemplate actually ignore the SSL hostname verification
  @Bean
  public RestTemplate getRestTemplate() throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
    TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
    HostnameVerifier allPassVerifier = (String s, SSLSession sslSession) -> true;  // ignore hostnaem checking

    SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom()
        .loadTrustMaterial(null, acceptingTrustStrategy).build(); // keystore is null, not keystore is used at all

    SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext, allPassVerifier);
    CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(csf).build();
    HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();

    requestFactory.setHttpClient(httpClient);
    return new RestTemplate(requestFactory);
  }
}

Then inject your own RestTemplate bean and send https requests, the Exception will gone. But again this is only a bypass, not a final solution for this Exception.

Powered by Blogger.

About The Author

My Photo

Has been a senior software developer, project manager for 10+ years. Dedicate himself to Alcatel-Lucent and China Telecom for delivering software solutions.

Pages

Unordered List