CODEWITHSUNDEEP
javaapispring-bootsslsslhandshakeexception
Owen Nel
Owen Nel

Reputation: 417

Springboot SLL API consume

I am trying to consume an API from a 3rd party server. The 3rd party sent me an SSL certificated named certificate.p12 which is the cert file which I use to do the handshake. I have created a custom RestTemplate with SSL as follows:

@Configuration
public class CustomRestTemplate {
    private static final String PASSWORD = "fake_password";
    private static final String RESOURCE_PATH = "keystore/certificate.p12";
    private static final String KEY_TYPE = "PKCS12";

    @Bean
    public RestTemplate restTemplate(RestTemplateBuilder builder) throws Exception {
        char[] password = PASSWORD.toCharArray();

        SSLContext sslContext = SSLContextBuilder
                .create()
//                .loadKeyMaterial(keyStore(RESOURCE_PATH, password), password)
                .loadKeyMaterial(keyStore(getClass().getClassLoader().getResource(RESOURCE_PATH).getFile(), password), password)
                .loadTrustMaterial(null, new TrustSelfSignedStrategy())
                .build();

        HttpClient client = HttpClients
                .custom()
                .setSSLContext(sslContext)
                .build();

        return builder
                .requestFactory(() -> new HttpComponentsClientHttpRequestFactory(client))
                .build();
    }

    private KeyStore keyStore(String file, char[] password) throws Exception {
        KeyStore keyStore = KeyStore.getInstance(KEY_TYPE);

        File key = ResourceUtils.getFile(file);
        try (InputStream in = new FileInputStream(key)) {
            keyStore.load(in, password);
        }

        return keyStore;
    }
}

I then call the endpoint using the following code:

@Component
@Service
public class TransactionService implements TransactionInterface {
    @Autowired
    private CustomRestTemplate restTemplate = new CustomRestTemplate();

    private static final String BASE_URL = "https://41.x.x.x:xxxx/";

    @Override
    public List<Transaction> getUnsentTransactions(int connectionId) throws Exception {
        HttpEntity<?> httpEntity = new HttpEntity<>(null, new HttpHeaders());

        ResponseEntity<Transaction[]> resp = restTemplate
            .restTemplate(new RestTemplateBuilder())
            .exchange(BASE_URL + "path/end_point/" + connectionId, HttpMethod.GET, httpEntity, Transaction[].class);

        return Arrays.asList(resp.getBody());
    }
}

I get an the following stacktrace when trying to consume the api:

org.springframework.web.client.ResourceAccessException: I/O error on GET request for \"https://41.x.x.x:xxxx/path/endpoint/parameters\": Certificate for <41.x.x.x> doesn't match any of the subject alternative names: [some_name_here, some_name_here];

I do not have much experience with TLS or SSL certificates. I am really stuck at the moment and hoping I can get some help here. The 3rd party provided me with a testing site where I can test the endpoints and after importing the certificate.p12 file into my browser I can reach the endpoints using their testing site but my Springboot application still does not reach the endpoint.

Do I need to copy the cert into a specific folder? This does not seem like the case because I get a FileNotFoundException if I change the path or filename and I get a password incorrect error if I enter the wrong password for the certificate.p12 file. I tried using Postman to test it but Postman returns the same stacktrace as my web application.

Looking at the information above, am I missing something? Is the keystore not being created during runtime? Do I need to bind the certificate to the JVM or my outgoing request?

Any help would be appreciated.

Thanks

Upvotes: 0

Views: 731

Answers (1)

JPinzon01
JPinzon01

Reputation: 116

It looks like you are trying to connect to a server which doesn't have a valid name in the certificate. For example, if you are connecting to "stackoverflow.com", the certificate needs that domain in the "subject" or the "subject alternative names" field.

Even a testing site should have a valid certificate, but if that's not possible (as it's a third party site and you can't change it yourself), you can disable the verification using this question

Of course, this should only be done for testing.

Upvotes: 1

Related Questions