Thursday, January 9, 2014

InstallCert.java - console app that allows you to get and download ssl keys from webservice you're trying to work with

Recently i was working on one of my Test Frameworks for API and i had to work with https. I faced with : 
javax.net.ssl.SSLHandshakeException: 
   sun.security.validator.ValidatorException: PKIX path building failed: 
   sun.security.provider.certpath.SunCertPathBuilderException: 
   unable to find valid certification path to requested target
 
Caused by: sun.security.validator.ValidatorException: 
   PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
   unable to find valid certification path to requested target
 
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: 
   unable to find valid certification path to requested target
exception during their execution. The reason was that i was working with dev server that has self signed certificate, which was absent in my local keystore. So, i googled a little bit and found this nice Java console app that allowed you in a very simple manner get a certificate. But in my case i need to use Proxy sometimes and that's why i decided to improve this app and add proxying possibilities to it. Final result can be found here    
Here's how it works : The most simple way is 
java InstallCert host=google.com
In this case InstallCert will look for ssl certificates on https://google.com:443. Here's it's output 
host = google.com
Connecting to address without enabled proxy settings.
Loading KeyStore C:\Program Files\Java\jre7\lib\security\cacerts...
Opening connection to google.com:443...
Starting SSL handshake...

No errors, certificate is already trusted

Server sent 3 certificate(s):

 1 Subject CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
   Issuer  CN=Google Internet Authority G2, O=Google Inc, C=US
   sha1    3c 6b de 6c a0 a1 ae 6a e9 d5 bf b3 67 ab 12 4e 1b 98 8b fb
   md5     27 91 da c0 73 30 85 db e3 23 ef 7d 6f aa 7f cd

 2 Subject CN=Google Internet Authority G2, O=Google Inc, C=US
   Issuer  CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
   sha1    d8 3c 1a 7f 4d 04 46 bb 20 81 b8 1a 16 70 f8 18 34 51 ca 24
   md5     9e 4a c9 64 74 24 51 29 d9 76 67 00 41 2a 1f 89

 3 Subject CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
   Issuer  OU=Equifax Secure Certificate Authority, O=Equifax, C=US
   sha1    73 59 75 5c 6d f9 a0 ab c3 06 0b ce 36 95 64 c8 ec 45 42 a3
   md5     2e 7d b2 a3 1d 0e 3d a4 b2 5f 49 b9 54 2a 2e 1a

Enter certificate to add to trusted keystore or 'q' to quit: [1]
You simply press 1 and hit Enter button. As a result, you'll have your certificate added to your default keystore 
[
[
  Version: V3
  Subject: CN=*.google.com, O=Google Inc, L=Mountain View, ST=California
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun EC public key, 256 bits
  public x coord: 656756547611416355835880201008930358845723006450213197
628251447943028
  public y coord: 396827319974765304927937356957360152389742209992235777
66752587796918
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.
  Validity: [From: Wed Dec 11 13:34:50 CET 2013,
               To: Thu Apr 10 02:00:00 CEST 2014]
  Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
  SerialNumber: [    4445eb4c d2c191ad]

Certificate Extensions: 9
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://pki.google.com/GIAG2.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://clients1.google.com/ocsp
]
]
...

[9]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4E A2 DC AC DF 9C 45 35   DE A0 F7 C1 0A A6 88 19  N.....E5.......
0010: B7 6B D1 F7                                        .k..
]
]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 71 BD 84 65 33 2E 28 65   AB 5D 2A C8 1F 38 47 9A  q..e3.(e.]*..8G
0010: 43 DF BF 49 70 45 56 4C   D9 D8 31 67 53 B5 82 40  C..IpEVL..1gS..
0020: 4B BE D4 61 39 82 A7 25   7A 7F 27 B9 AE F0 1F 32  K..a9..%z.'....
0030: 38 1E 7B 32 C9 8A A1 8E   C6 66 5B 45 96 85 25 FB  8..2.....f[E..%
0040: DB D7 05 9B 40 1B 44 DC   8D 19 2D 94 0F FE 0B 67  ....@.D...-....
0050: E9 7D 8F 2B 93 50 B4 51   DF D0 97 4A A1 73 B3 46  ...+.P.Q...J.s.
0060: 26 A8 E7 21 20 5D 5E 86   5D C2 1B D9 0B B9 E5 95  &..! ]^.]......
0070: FE 87 2F 2A 99 B1 3D 8D   F9 59 A6 B6 0B A4 A4 91  ../*..=..Y.....
0080: 81 4E EA 03 8F 6C 42 18   89 27 2C 88 C6 E9 50 A9  .N...lB..',...P
0090: 45 69 1E 82 BD 22 48 2B   A0 5C E9 37 86 51 CD 57  Ei..."H+.\.7.Q.
00A0: 8B C6 ED 7E FE E7 B6 F8   FC 82 9E AE E5 9D 1E 74  ...............
00B0: 18 5C 34 4C 2B 7A C5 3C   C1 9B D5 AF F3 33 6C E8  .\4L+z.<.....3l
00C0: AE 94 B1 3A 0B CD BD EF   9D 75 46 BD 91 F0 C0 55  ...:.....uF....
00D0: D2 87 46 5B AF 8B A1 9A   0F 8E 06 C4 F1 42 7C AB  ..F[.........B.
00E0: 58 79 59 A5 F3 4D 98 6C   8C 97 93 B0 0E 8E A1 3E  XyY..M.l.......
00F0: BF 11 83 D0 95 22 27 69   6A E8 66 84 8C 59 0D 49  ....."'ij.f..Y.

]

Added certificate to keystore 'cacerts' using alias 'google.com-1'
To check that everything went well you can run this command again and you should see : 
Opening connection to google.com:443...
Starting SSL handshake...

No errors, certificate is already trusted
Besides that you can also specify :
  • Host port. If it's not standart 443 then you need to add to your command hostPort=[portNumber]
  • If you would like to address your request through proxy first, then you need to specify proxyHost=[hostName] proxyPort=[portNumber]
  • If your keystore has non-default password then passphrase=[passphrase] should be also added to the command. That's it :)
    • Posted by at 2 comments:
    Subscribe to: Posts (Atom)