5

I need to be able to send a certificate file (.pem, I think), with a get request using scala and dispatch.

How do you do that?

Urist McDev
  • 498
  • 3
  • 14
user1491739
  • 1,017
  • 2
  • 11
  • 16

2 Answers2

2

Based on the Java code in @sbridges sample, I came up with the following Scala code using dispatch. It creates a custom SSL context containing the certificates you provide (and only those; the default store of trusted root certificates is not used by this code when verifying the remote host).



    class SslAuthenticatingHttp(certData: SslCertificateData) extends Http {
      override val client = new AsyncHttpClient(
        (new AsyncHttpClientConfig.Builder).setSSLContext(buildSslContext(certData)).build
      )

      private def buildSslContext(certData: SslCertificateData): SSLContext = {
        import certData._

        val clientCertStore = loadKeyStore(clientCertificateData, clientCertificatePassword)
        val rootCertStore = loadKeyStore(rootCertificateData, rootCertificatePassword)

        val keyManagerFactory = KeyManagerFactory.getInstance("SunX509")
        keyManagerFactory.init(clientCertStore, clientCertificatePassword.toCharArray)
        val keyManagers = keyManagerFactory.getKeyManagers()

        val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
        trustManagerFactory.init(rootCertStore)
        val trustManagers = trustManagerFactory.getTrustManagers()

        val context = SSLContext.getInstance("TLS")
        context.init(keyManagers, trustManagers, null)

        context
      }

      private def loadKeyStore(keyStoreData: Array[Byte], password: String): KeyStore = {
        val store = KeyStore.getInstance(KeyStore.getDefaultType)
        store.load(new ByteArrayInputStream(keyStoreData), password.toCharArray)
        store
      }
    }

    case class SslCertificateData (
      clientCertificateData: Array[Byte],
      clientCertificatePassword: String,
      rootCertificateData: Array[Byte],
      rootCertificatePassword: String)

which would be used as in:



    val certificateData = SslCertificateData(/* bytes from .jks file for client cert here */, "secret!",
                                             /* bytes from .jks file for root cert here */, "also secret!")
    val http = new SslAuthenticatingHttp(certificateData)
    val page = http(req OK as.String)
    println(page())

Note that this keeps the certificate data in memory, which is not the most secure way to do it and consumes memory unnecessarily. It may in many cases be more suitable to store an InputStream or a filename in the SslCertificateData case class.

reinierl
  • 63
  • 1
  • 8
0

I am assuming you want to do https with client certificates. I think this needs to be set up at the jvm level, there is a good explanation here how to do it.

There seems to be a way to do this with ning directly, as explained here, the code is copied below,

// read in PEM file and parse with commons-ssl PKCS8Key
// (ca.juliusdavies:not-yet-commons-ssl:0.3.11)
RandomAccessFile in = null;
byte[] b = new byte[(int) certFile.length()];
in = new RandomAccessFile( certFile, "r" );
in.readFully( b );
char[] password = hints.get( "password" ).toString().toCharArray();
PKCS8Key key = new PKCS8Key( b, password );

// create empty key store
store = KeyStore.getInstance( KeyStore.getDefaultType() );
store.load( null, password );

// cert chain is not important if you override the default KeyManager and/or
// TrustManager implementation, IIRC
store.setKeyEntry( alias, key.getPrivateKey(), password, new DefaultCertificate[0] );

// initialize key and trust managers -> default behavior
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance( "SunX509" );

// password for key and store have to be the same IIRC
keyManagerFactory.init( store, password );
KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();

TrustManagerFactory tmf = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm() );
tmf.init( store );
TrustManager[] trustManagers = tmf.getTrustManagers();

// override key and trust managers with desired behavior - for example
// * 'trust everything the server gives us' -> TrustManager#checkServerTrusted
// * 'always return a preset alias to use for auth' -> X509ExtendedKeyManager#chooseClientAlias, X509ExtendedKeyManager#chooseEngineClientAlias
for ( int i = 0; i < keyManagers.length; i++ )
{
    if ( keyManagers[i] instanceof X509ExtendedKeyManager )
    {
    AHCKeyManager ahcKeyManager = new AHCKeyManager( (X509ExtendedKeyManager) keyManagers[i] );
    keyManagers[i] = ahcKeyManager;
    }
}

for ( int i = 0; i < trustManagers.length; i++ )
{
    if ( tm instanceof X509TrustManager )
    {
    AHCTrustManager ahcTrustManager = new AHCTrustManager( manager, (X509TrustManager) trustManagers[i] );
    trustManagers[i] = ahcTrustManager;
    }
}

// construct SSLContext and feed to AHC config
SSLContext context = SSLContext.getInstance( "TLS" );
context.init( keyManagers, trustManagers, null );

ahcCfgBuilder.setSSLContext(context);
Community
  • 1
  • 1
sbridges
  • 24,960
  • 4
  • 64
  • 71
  • That's so awful! I hope you are wrong! :-/ BTW, Dispatch 0.9 is based on Ning Async HttpClient, which is based on NIO. So the answer has to work for that -- not saying the link you provided doesn't, just putting some remark here for anyone else who comes up. – Daniel C. Sobral Sep 10 '12 at 01:41