
Enhance okhttp-tls to allow using existing keystores and select from multiple keys #4306

Closed
yschimke opened this issue Oct 7, 2018 · 5 comments
Labels
enhancement Feature not a bug
Comments

@yschimke
Collaborator

yschimke commented Oct 7, 2018

Some notes and usage questions

I assumed I could use this library to easily set up a client-authenticated TLS request. This turned out to not be possible, so I'm not sure if I'm doing something wrong. The same code via the old path worked fine.

```kotlin
import java.io.File
import java.security.KeyStore
import java.security.SecureRandom
import javax.net.ssl.KeyManagerFactory
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager

// `password` and `client` (an existing OkHttpClient) are defined elsewhere.
val keystore = KeyStore.getInstance("PKCS12").apply {
  File("me.p12").inputStream().use { load(it, password.toCharArray()) }
}

// The PKCS12 file holds exactly one entry.
val alias = keystore.aliases().toList().single()

// Key manager backed by the whole keystore; JSSE picks the client alias itself.
val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
kmf.init(keystore, password.toCharArray())

// null keystore -> platform default trust anchors.
val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
tmf.init(null as KeyStore?)

val context = SSLContext.getInstance("TLS")
context.init(kmf.keyManagers, tmf.trustManagers, SecureRandom())

val ssf = context.socketFactory
val tm = tmf.trustManagers[0] as X509TrustManager

val authClient = client.newBuilder().sslSocketFactory(ssf, tm).build()
```

I tried replacing this with

```kotlin
import java.io.File
import java.security.KeyStore
import java.security.PrivateKey
import java.security.cert.X509Certificate
import okhttp3.OkHttpClient
import okhttp3.tls.HandshakeCertificates
import okhttp3.tls.HeldCertificate

// `keyName` and `keyPass` are defined elsewhere.
val keystore = KeyStore.getInstance("PKCS12").apply {
  File("me.p12").inputStream().use { load(it, keyPass.toCharArray()) }
}
val key = keystore.getKey(keyName, keyPass.toCharArray()) as PrivateKey
val cert = keystore.getCertificate(keyName) as X509Certificate
// getCertificateChain() returns Array<Certificate>; heldCertificate() wants X509Certificate.
val certChain = keystore.getCertificateChain(keyName).map { it as X509Certificate }.toTypedArray()

val handshakeCertificates = HandshakeCertificates.Builder().apply {
  addPlatformTrustedCertificates()
  // Note: HeldCertificate.Builder().build() mints a new self-signed certificate for the
  // key pair, so the certificate presented is not `cert` from the keystore.
  heldCertificate(HeldCertificate.Builder().keyPair(cert.publicKey, key).build(), *certChain)
}.build()

val client = OkHttpClient.Builder()
  .sslSocketFactory(handshakeCertificates.sslSocketFactory(), handshakeCertificates.trustManager())
  .build()
```

It failed because it doesn't end up using a valid chain. I can separately send the SSL debug output that shows the difference.

Is it worth extending the API to allow introspecting a keystore for available keys, selecting one, and setting up a client to use it? Or is this too niche? What falls in and out of scope for this library?
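The "introspect a keystore, select one key, and build a client around it" flow asked about above, done with plain JSSE rather than okhttp-tls. This is an added example, not code from the issue or from OkHttp; `FixedAliasKeyManager`, `keyAliases` and `clientAuthHttpClient` are names chosen here, and the PKCS12 path, password and alias are caller-supplied.

```kotlin
import java.io.File
import java.net.Socket
import java.security.KeyStore
import java.security.Principal
import java.security.SecureRandom
import javax.net.ssl.KeyManagerFactory
import javax.net.ssl.SSLContext
import javax.net.ssl.SSLEngine
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509ExtendedKeyManager
import javax.net.ssl.X509KeyManager
import javax.net.ssl.X509TrustManager
import okhttp3.OkHttpClient

/** Aliases in [keystore] that hold a private key, i.e. the candidates for client auth. */
fun keyAliases(keystore: KeyStore): List<String> =
  keystore.aliases().toList().filter { keystore.isKeyEntry(it) }

/**
 * Wraps the JSSE key manager so the client-alias negotiation always answers [alias]
 * instead of letting JSSE pick any matching key. The handshake still fails cleanly if
 * the server's requested key types do not match that alias, which is the intended outcome.
 */
class FixedAliasKeyManager(private val delegate: X509KeyManager, private val alias: String) :
  X509ExtendedKeyManager() {
  override fun chooseClientAlias(keyType: Array<String>, issuers: Array<Principal>?, socket: Socket?) = alias
  override fun chooseEngineClientAlias(keyType: Array<String>, issuers: Array<Principal>?, engine: SSLEngine?) = alias
  override fun getClientAliases(keyType: String, issuers: Array<Principal>?) = arrayOf(alias)
  override fun chooseServerAlias(keyType: String, issuers: Array<Principal>?, socket: Socket?) =
    delegate.chooseServerAlias(keyType, issuers, socket)
  override fun getServerAliases(keyType: String, issuers: Array<Principal>?) = delegate.getServerAliases(keyType, issuers)
  override fun getCertificateChain(alias: String) = delegate.getCertificateChain(alias)
  override fun getPrivateKey(alias: String) = delegate.getPrivateKey(alias)
}

/** Builds an OkHttpClient that authenticates with the key stored under [alias] in [p12]. */
fun clientAuthHttpClient(p12: File, password: CharArray, alias: String): OkHttpClient {
  val keystore = KeyStore.getInstance("PKCS12").apply { p12.inputStream().use { load(it, password) } }
  require(alias in keyAliases(keystore)) { "no private key under alias '$alias'; have ${keyAliases(keystore)}" }
  val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()).apply { init(keystore, password) }
  val base = kmf.keyManagers.filterIsInstance<X509KeyManager>().first()
  // null keystore -> platform default trust anchors for verifying the server.
  val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()).apply { init(null as KeyStore?) }
  val tm = tmf.trustManagers.filterIsInstance<X509TrustManager>().first()
  val context = SSLContext.getInstance("TLS").apply {
    init(arrayOf(FixedAliasKeyManager(base, alias)), arrayOf(tm), SecureRandom())
  }
  return OkHttpClient.Builder().sslSocketFactory(context.socketFactory, tm).build()
}
```

Because the certificate chain comes straight from the keystore entry, the client presents the issued certificate and its intermediates rather than a freshly minted self-signed one.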

@yschimke
Collaborator Author

yschimke commented Oct 7, 2018

cc @swankjesse ^

@swankjesse
Member

Yeah, the library is currently intended to help create new TLS credentials, not to load existing ones.

@swankjesse
Member

... which isn't to say it shouldn't do both! My first priority with this package is to try to do it without bouncycastle.

@yschimke yschimke changed the title Feedback on okhttp-tls Enhance okhttp-tls to allow using existing keystores and select from multiple keys Oct 7, 2018
@swankjesse swankjesse added the enhancement Feature not a bug label Nov 4, 2018
@swankjesse swankjesse added this to the 3.13 milestone Nov 4, 2018
@yschimke
Collaborator Author

yschimke commented Jan 5, 2020

Now has a method to load existing certs.

@yschimke yschimke closed this as completed Jan 5, 2020