The latest articles on DEV Community by Hakky54 (@hakky54). https://dev.to/hakky54 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F625907%2F4778d148-3720-4e66-90a4-ff2e4c07a1d8.jpeg https://dev.to/hakky54 en Hakky54 Wed, 05 May 2021 12:06:58 +0000 https://dev.to/hakky54/easily-configure-ssl-tls-connection-2him https://dev.to/hakky54/easily-configure-ssl-tls-connection-2him <p>Setting up encryption for your application, how hard can it be? I thought it would be easy, after all, all communication with modern web applications should be encrypted, right? Well, my expectations were wrong. While setting it up, I encountered a couple of hidden difficulties. For example, the configuration is vague, verbose, not straight-forward to set it up, hard to debug, and not unit-test friendly.</p> <p>I want to provide a couple of examples to explain the hidden difficulties when setting up a secure connection with HTTPS and certificates in vanilla Java. For this example, I will use Apache HttpClient with mutual authentication.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">import</span> <span class="nn">org.apache.http.HttpResponse</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.http.client.HttpClient</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.http.client.methods.HttpGet</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.http.conn.ssl.DefaultHostnameVerifier</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.http.impl.client.HttpClients</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.net.ssl.SSLContext</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.net.ssl.TrustManagerFactory</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.net.ssl.KeyManagerFactory</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.io.IOException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.security.KeyManagementException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.security.KeyStore</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.security.KeyStoreException</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.security.NoSuchAlgorithmException</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">App</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">Path</span> <span class="n">trustStorePath</span> <span class="o">=</span> <span class="nc">Paths</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"/path/to/truststore.jks"</span><span class="o">);</span> <span class="nc">InputStream</span> <span class="n">trustStoreStream</span> <span class="o">=</span> <span class="nc">Files</span><span class="o">.</span><span class="na">newInputStream</span><span class="o">(</span><span class="n">trustStorePath</span><span class="o">,</span> <span class="nc">StandardOpenOption</span><span class="o">.</span><span class="na">READ</span><span class="o">);</span> <span class="nc">KeyStore</span> <span class="n">trustStore</span> <span class="o">=</span> <span class="nc">KeyStore</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="nc">KeyStore</span><span class="o">.</span><span class="na">getDefaultType</span><span class="o">());</span> <span class="n">trustStore</span><span class="o">.</span><span class="na">load</span><span class="o">(</span><span class="n">trustStoreStream</span><span class="o">,</span> <span class="s">"password"</span><span class="o">.</span><span class="na">toCharArray</span><span class="o">());</span> <span class="nc">TrustManagerFactory</span> <span class="n">trustManagerFactory</span> <span class="o">=</span> <span class="nc">TrustManagerFactory</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="nc">TrustManagerFactory</span><span class="o">.</span><span class="na">getDefaultAlgorithm</span><span class="o">());</span> <span class="n">trustManagerFactory</span><span class="o">.</span><span class="na">init</span><span class="o">(</span><span class="n">trustStore</span><span class="o">);</span> <span class="nc">Path</span> <span class="n">identityPath</span> <span class="o">=</span> <span class="nc">Paths</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"/path/to/identity.jks"</span><span class="o">);</span> <span class="nc">InputStream</span> <span class="n">identityStream</span> <span class="o">=</span> <span class="nc">Files</span><span class="o">.</span><span class="na">newInputStream</span><span class="o">(</span><span class="n">identityPath</span><span class="o">,</span> <span class="nc">StandardOpenOption</span><span class="o">.</span><span class="na">READ</span><span class="o">);</span> <span class="nc">KeyStore</span> <span class="n">identity</span> <span class="o">=</span> <span class="nc">KeyStore</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="nc">KeyStore</span><span class="o">.</span><span class="na">getDefaultType</span><span class="o">());</span> <span class="n">identity</span><span class="o">.</span><span class="na">load</span><span class="o">(</span><span class="n">identityStream</span><span class="o">,</span> <span class="s">"password"</span><span class="o">.</span><span class="na">toCharArray</span><span class="o">());</span> <span class="nc">KeyManagerFactory</span> <span class="n">keyManagerFactory</span> <span class="o">=</span> <span class="nc">KeyManagerFactory</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="nc">KeyManagerFactory</span><span class="o">.</span><span class="na">getDefaultAlgorithm</span><span class="o">());</span> <span class="n">keyManagerFactory</span><span class="o">.</span><span class="na">init</span><span class="o">(</span><span class="n">identity</span><span class="o">,</span> <span class="s">"password"</span><span class="o">.</span><span class="na">toCharArray</span><span class="o">());</span> <span class="nc">SSLContext</span> <span class="n">sslContext</span> <span class="o">=</span> <span class="nc">SSLContext</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"TLS"</span><span class="o">);</span> <span class="n">sslContext</span><span class="o">.</span><span class="na">init</span><span class="o">(</span> <span class="n">keyManagerFactory</span><span class="o">.</span><span class="na">getKeyManagers</span><span class="o">(),</span> <span class="n">trustManagerFactory</span><span class="o">.</span><span class="na">getTrustManagers</span><span class="o">(),</span> <span class="kc">null</span> <span class="o">);</span> <span class="nc">HttpClient</span> <span class="n">httpClient</span> <span class="o">=</span> <span class="nc">HttpClients</span><span class="o">.</span><span class="na">custom</span><span class="o">()</span> <span class="o">.</span><span class="na">setSSLContext</span><span class="o">(</span><span class="n">sslContext</span><span class="o">)</span> <span class="o">.</span><span class="na">setSSLHostnameVerifier</span><span class="o">(</span><span class="k">new</span> <span class="nc">DefaultHostnameVerifier</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="nc">HttpGet</span> <span class="n">request</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HttpGet</span><span class="o">(</span><span class="s">"https://localhost:8443/api/hello"</span><span class="o">);</span> <span class="nc">HttpResponse</span> <span class="n">response</span> <span class="o">=</span> <span class="n">httpClient</span><span class="o">.</span><span class="na">execute</span><span class="o">(</span><span class="n">request</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>As you can see this really verbose, but this is a common code snippet which is being used when setting up ssl/tls for a http client. It is also hard to unit test a SSLContext object because you can't get any information from it that will tell if the trustmanager is really initialised well and if it contains all the trusted certificates. The only way to really validate your code is by writing an integration test, where the client actually sends a request to a real server with HTTPS enabled.</p> <p>Some other HTTP clients even require a different setup (e.g., Netty HttpClient, AsyncHttpClient, and Dispatch Reboot). These clients only accept an SSLContext from Netty's library instead of the one from the JDK. </p> <p>I faced the same challenges as my colleagues. They also didn't enjoy setting it up. It was just a configuration that needed to be set up once, well enough to do the job, and after that, we were scared to touch it again. And it got even tougher when we wanted to use multiple keystores.</p> <p>I wanted to help myself out from the verbosity make my life easier. One library to configure them all! It should be painless to use, easy to test and debug, and fun to set-it-up. The project is available at <a href="https://github.com/Hakky54/sslcontext-kickstart" rel="noopener noreferrer">GitHub - SSLContext-Kickstart</a></p> <p>Add the folowing maven dependency:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.github.hakky54<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>sslcontext-kickstart<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>6.6.0<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <p>Let's refactor the above code snippet while using the library.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">import</span> <span class="nn">nl.altindag.ssl.SSLFactory</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.http.HttpResponse</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.http.client.HttpClient</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.http.client.methods.HttpGet</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.apache.http.impl.client.HttpClients</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.nio.file.Paths</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">App</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">SSLFactory</span> <span class="n">sslFactory</span> <span class="o">=</span> <span class="nc">SSLFactory</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">withIdentityMaterial</span><span class="o">(</span><span class="nc">Paths</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"/path/to/identity.jks"</span><span class="o">),</span> <span class="s">"password"</span><span class="o">.</span><span class="na">toCharArray</span><span class="o">())</span> <span class="o">.</span><span class="na">withTrustMaterial</span><span class="o">(</span><span class="nc">Paths</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"/path/to/truststore.jks"</span><span class="o">),</span> <span class="s">"password"</span><span class="o">.</span><span class="na">toCharArray</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="nc">HttpClient</span> <span class="n">httpClient</span> <span class="o">=</span> <span class="nc">HttpClients</span><span class="o">.</span><span class="na">custom</span><span class="o">()</span> <span class="o">.</span><span class="na">setSSLContext</span><span class="o">(</span><span class="n">sslFactory</span><span class="o">.</span><span class="na">getSslContext</span><span class="o">())</span> <span class="o">.</span><span class="na">setSSLHostnameVerifier</span><span class="o">(</span><span class="n">sslFactory</span><span class="o">.</span><span class="na">getHostnameVerifier</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="nc">HttpGet</span> <span class="n">request</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HttpGet</span><span class="o">(</span><span class="s">"https://localhost:8443/api/hello"</span><span class="o">);</span> <span class="nc">HttpResponse</span> <span class="n">response</span> <span class="o">=</span> <span class="n">httpClient</span><span class="o">.</span><span class="na">execute</span><span class="o">(</span><span class="n">request</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Advantages: </h3> <ul> <li>No need for low-level SSLContext configuration anymore.</li> <li>No knowledge about SSLContext, TrustManager, TrustManagerFactory, KeyManager, KeyManagerFactory, and how to create it is needed.</li> <li>The above classes will all be created by just providing an identity and a trustStore.</li> <li>Create a sslcontext with multiple identities and trustStores.</li> </ul> <h3> Returnable values </h3> <p>The SSLFactory can return different kind of values for all sort of use cases. See below for the overview:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">import</span> <span class="nn">nl.altindag.ssl.SSLFactory</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">nl.altindag.ssl.model.KeyStoreHolder</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.net.ssl.HostnameVerifier</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.net.ssl.SSLContext</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.net.ssl.SSLEngine</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.net.ssl.SSLParameters</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.net.ssl.SSLServerSocketFactory</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.net.ssl.SSLSocketFactory</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.net.ssl.X509ExtendedKeyManager</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">javax.net.ssl.X509ExtendedTrustManager</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.security.cert.X509Certificate</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.List</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Optional</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">App</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">main</span><span class="o">(</span><span class="nc">String</span><span class="o">[]</span> <span class="n">args</span><span class="o">)</span> <span class="o">{</span> <span class="nc">SSLFactory</span> <span class="n">sslFactory</span> <span class="o">=</span> <span class="nc">SSLFactory</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">withIdentityMaterial</span><span class="o">(</span><span class="s">"keystore.p12"</span><span class="o">,</span> <span class="s">"secret"</span><span class="o">.</span><span class="na">toCharArray</span><span class="o">(),</span> <span class="s">"PKCS12"</span><span class="o">)</span> <span class="o">.</span><span class="na">withTrustMaterial</span><span class="o">(</span><span class="s">"truststore.p12"</span><span class="o">,</span> <span class="s">"secret"</span><span class="o">.</span><span class="na">toCharArray</span><span class="o">(),</span> <span class="s">"PKCS12"</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="nc">SSLContext</span> <span class="n">sslContext</span> <span class="o">=</span> <span class="n">sslFactory</span><span class="o">.</span><span class="na">getSslContext</span><span class="o">();</span> <span class="nc">HostnameVerifier</span> <span class="n">hostnameVerifier</span> <span class="o">=</span> <span class="n">sslFactory</span><span class="o">.</span><span class="na">getHostnameVerifier</span><span class="o">();</span> <span class="nc">Optional</span><span class="o">&lt;</span><span class="nc">X509ExtendedKeyManager</span><span class="o">&gt;</span> <span class="n">keyManager</span> <span class="o">=</span> <span class="n">sslFactory</span><span class="o">.</span><span class="na">getKeyManager</span><span class="o">();</span> <span class="nc">Optional</span><span class="o">&lt;</span><span class="nc">X509ExtendedTrustManager</span><span class="o">&gt;</span> <span class="n">trustManager</span> <span class="o">=</span> <span class="n">sslFactory</span><span class="o">.</span><span class="na">getTrustManager</span><span class="o">();</span> <span class="nc">Optional</span><span class="o">&lt;</span><span class="nc">KeyManagerFactory</span><span class="o">&gt;</span> <span class="n">keyManagerFactory</span> <span class="o">=</span> <span class="n">sslFactory</span><span class="o">.</span><span class="na">getKeyManagerFactory</span><span class="o">();</span> <span class="nc">Optional</span><span class="o">&lt;</span><span class="nc">TrustManagerFactory</span><span class="o">&gt;</span> <span class="n">trustManagerFactory</span> <span class="o">=</span> <span class="n">sslFactory</span><span class="o">.</span><span class="na">getTrustManagerFactory</span><span class="o">();</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">X509Certificate</span><span class="o">&gt;</span> <span class="n">trustedCertificates</span> <span class="o">=</span> <span class="n">sslFactory</span><span class="o">.</span><span class="na">getTrustedCertificates</span><span class="o">();</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">KeyStoreHolder</span><span class="o">&gt;</span> <span class="n">identities</span> <span class="o">=</span> <span class="n">sslFactory</span><span class="o">.</span><span class="na">getIdentities</span><span class="o">();</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">KeyStoreHolder</span><span class="o">&gt;</span> <span class="n">trustStores</span> <span class="o">=</span> <span class="n">sslFactory</span><span class="o">.</span><span class="na">getTrustStores</span><span class="o">();</span> <span class="nc">SSLSocketFactory</span> <span class="n">sslSocketFactory</span> <span class="o">=</span> <span class="n">sslFactory</span><span class="o">.</span><span class="na">getSslSocketFactory</span><span class="o">();</span> <span class="nc">SSLServerSocketFactory</span> <span class="n">sslServerSocketFactory</span> <span class="o">=</span> <span class="n">sslFactory</span><span class="o">.</span><span class="na">getSslServerSocketFactory</span><span class="o">();</span> <span class="nc">SSLEngine</span> <span class="n">sslEngine</span> <span class="o">=</span> <span class="n">sslFactory</span><span class="o">.</span><span class="na">getSslEngine</span><span class="o">(</span><span class="n">host</span><span class="o">,</span> <span class="n">port</span><span class="o">);</span> <span class="nc">SSLParameters</span> <span class="n">sslParameters</span> <span class="o">=</span> <span class="n">sslFactory</span><span class="o">.</span><span class="na">getSslParameters</span><span class="o">();</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">ciphers</span> <span class="o">=</span> <span class="n">sslFactory</span><span class="o">.</span><span class="na">getCiphers</span><span class="o">();</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">protocols</span> <span class="o">=</span> <span class="n">sslFactory</span><span class="o">.</span><span class="na">getProtocols</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Tested Http Clients </h3> <p>The library has been tested with over 40 different http client for Java, Kotlin and Scala. See here for the <a href="https://github.com/Hakky54/sslcontext-kickstart/issues/8" rel="noopener noreferrer">complete overview</a></p> <h3> Conclusion </h3> <p>This was a small introduction to get you started with SSL/TLS for a Http Client. It provided an alternative setup compared to the traditional one so you as a developer can easily set it up by your self without the need of low-level knowledge. Looking for more advanced setup? Please check out all the different configurations here: <a href="https://github.com/Hakky54/sslcontext-kickstart#table-of-contents" rel="noopener noreferrer">Overview of configurations</a></p> java security ssl client