All geek questions in one place

RestTemplate with pem certificate

I have a pem certificate with a secret key and a server certificate. I can execute it with curl and everything works fine.

curl -O -k --cert-type pem --cert mypem.pem url

But I want to use it with java, most preferably RestTemplate from spring.

+3
source share
2 answers

Knowledge of using the pem certificate with RestTemplate is distracted.

The steps to be taken are:

  • Add a server certificate to trustStore using keytool or portecle. If you want to use custom trusttore, use a script

  • Then configure ssl to RestTemplate. This can be done as shown below:

     @Configuration public class SSLConfiguration { @Value("${certificate.name}") private String name; @Bean(name = "sslContext") public SSLContext sslContext() throws Exception { Security.addProvider(new BouncyCastleProvider()); return SSLContexts.custom().loadTrustMaterial(null, new TrustSelfSignedStrategy()).useTLS().build(); } @Bean(name = "sslSocketFactory") public SSLSocketFactory sslSocketFactory() throws Exception { return new ConnectionFactoryCreator(name, sslContext()).getSocketFactory(); } @Bean(name = "httpClient") public HttpClient httpClient() throws Exception { return HttpClientBuilder.create().setSslcontext(sslContext()) .setSSLSocketFactory(new SSLConnectionSocketFactory(sslSocketFactory(), new AllowAllHostnameVerifier())) .build(); } @Bean public ClientHttpRequestFactory httpClientRequestFactory() throws Exception { return new HttpComponentsClientHttpRequestFactory(httpClient()); } @Bean public RestTemplate restTemplate() throws Exception { return new RestTemplate(httpClientRequestFactory()); } }

and

 public class ConnectionFactoryCreator { private final String pemName; private final SSLContext context; public ConnectionFactoryCreator(String pemName, SSLContext context) { this.pemName = pemName; this.context = context; } public SSLSocketFactory getSocketFactory() throws Exception { InputStream resourceAsStream = getClass().getResourceAsStream(pemName); byte[] certAndKey = ByteStreams.toByteArray(resourceAsStream); byte[] certBytes = parseDERFromPEM(certAndKey, "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"); byte[] keyBytes = parseDERFromPEM(certAndKey, "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----"); X509Certificate cert = generateCertificateFromDER(certBytes); PrivateKey key = generatePrivateKeyFromDER(keyBytes); KeyStore keystore = KeyStore.getInstance("JKS"); keystore.load(null); keystore.setCertificateEntry("cert-alias", cert); keystore.setKeyEntry("key-alias", key, "changeit".toCharArray(), new Certificate[] { cert }); KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); kmf.init(keystore, "changeit".toCharArray()); KeyManager[] km = kmf.getKeyManagers(); context.init(km, null, null); return context.getSocketFactory(); } private byte[] parseDERFromPEM(byte[] pem, String beginDelimiter, String endDelimiter) { String data = new String(pem); String[] tokens = data.split(beginDelimiter); tokens = tokens[1].split(endDelimiter); return DatatypeConverter.parseBase64Binary(tokens[0]); } private PrivateKey generatePrivateKeyFromDER(byte[] keyBytes) throws InvalidKeySpecException, NoSuchAlgorithmException { PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(keyBytes); KeyFactory factory = KeyFactory.getInstance("RSA"); return factory.generatePrivate(spec); } private X509Certificate generateCertificateFromDER(byte[] certBytes) throws CertificateException { CertificateFactory factory = CertificateFactory.getInstance("X.509"); return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(certBytes)); }

Finally, you can use add restTemplate to connect to the URL.

+5
source

You need to import the certificate into the java trust store.

BTW and cer (t) files are the same, just a different name for the extension

Sitelinks

0
source

Source: https://habr.com/ru/post/1276081/

More articles:


All Articles