Translate NodeJS request with cert and key to Java

Question

UPDATE:

Here is the link to the official API documentation.

And here is a video with the requests I made from NodeJS and here is the java client app that I implemented.

I have a request in NodeJS and now I want to implement the same request in Java for my Android app. The NodeJS request looks like this:

var options = {
  method: 'GET',
  url: 'https://webapi.developers.erstegroup.com/api/bcr/sandbox/v1/aisp/v1/accounts',
  cert: "-----BEGIN CERTIFICATE-----....-----END CERTIFICATE-----",
  key: "-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----",
  headers:
  {
    'x-request-id': '30fb2676-8c2e-11e9-b683-526af7764f64',
    'web-api-key': '#########',
    'Accept': 'application/json'
  }
};

request(options, function (error, response, body) {
  console.log(body);
});

My problem is that I don't know how to include that certificate and private key to make the request. I found this answer regarding how to read the certificate and the key in Java, but I don't know how to configure the SSLContext to use the certificate and also the key.

Currently, I tried the next solution, but don't work. The first problem I have is that I get an error when I parse the key:

The error message: org.bouncycastle.openssl.PEMException: malformed sequence in RSA private key

The method used to read the key:

 private static PrivateKey readPrivateKey(String filename) throws Exception {
    PEMParser pemParser = new PEMParser(new BufferedReader(new InputStreamReader(Main.class.getClassLoader().getResourceAsStream(filename))));
    JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
    PEMKeyPair pemKeyPair = (PEMKeyPair) pemParser.readObject();
    KeyPair kp = converter.getKeyPair(pemKeyPair);
    return kp.getPrivate();
  }

The private key:

The rest of the code:

    String keyStoreType = KeyStore.getDefaultType();
    KeyStore keyStore = KeyStore.getInstance(keyStoreType);
    keyStore.load(null, null);

    final X509Certificate cert = readCertificate("public-key-bcr.cer");
    keyStore.setCertificateEntry("key-bcr", cert);
    keyStore.setKeyEntry("key-bcr", readPrivateKey("private-key-bcr.key"), "".toCharArray(), new Certificate[]{cert});

    // Create a TrustManager that trusts the CAs in our KeyStore
    String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
    tmf.init(keyStore);

    final SSLContext sslContext = SSLContext.getInstance("SSL");
    sslContext.init(null, tmf.getTrustManagers(), null);

    final OkHttpClient.Builder builder = new OkHttpClient.Builder()
        .sslSocketFactory(sslContext.getSocketFactory())
        .hostnameVerifier(new HostnameVerifier() {
          @Override
          public boolean verify(String hostname, SSLSession session) {
            return true;
          }
        });

    OkHttpClient client = builder.build();

Also, I want to know if there is an easier alternative.

score 0 · Answer 1 · edited Oct 07 '21 at 13:33

TLDR: your keyfile is labelled wrong.

Your privatekey file has PEM labels claiming it is RSA PRIVATE KEY which according to the de-facto standard should contain data which is the encoded form of a PKCS1-format privatekey. However, the data in your file is actually a PKCS8-format PrivateKeyInfo, which per rfc7468 should have labels PRIVATE KEY (NO RSA).

If you correct your file's labels to PRIVATE KEY with no RSA, BouncyCastle can read it, but you need to change the type and method used:

    PEMParser pemParser = new PEMParser(/* appropriate Reader */);
    JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
    // you don't actually need to set the provider, the default provider(s) work fine.
    PrivateKeyInfo privkey = (PrivateKeyInfo) pemParser.readObject();
    return /*PrivateKey*/ converter.getPrivateKey(privkey);

However, you don't need BouncyCastle; this (unencrypted) format can be read by Java crypto directly:

    String pem = /* read all chars from file/resource/whatever, or read all bytes and convert to String */;
    byte[] der = Base64.getDecoder().decode( pem.replaceAll("-----(BEGIN|END) PRIVATE KEY-----\r?\n", "") );
    KeyFactory fact = KeyFactory.getInstance("RSA");
    return /*PrivateKey*/ fact.generatePrivate(new PKCS8EncodedKeySpec(der));

Finally, your security scheme doesn't make sense. You aren't actually using this key for anything; you seem to be using the cert, only, as a CA cert (trust anchor). If this cert is indeed a CA cert, by including the CA's privatekey in your app you have allowed everyone who has a copy of the app to replace or impersonate your server(s?) and steal, modify, or destroy all your data -- and publishing it on Stack extends this to everyone in the world. Your nodejs code, in contrast, configures this key&cert to be used as a client key&cert and not as a CA or anchor at all -- although the server you specify in your URL doesn't appear to request a client key&cert at all, and it uses a cert under a normal root (Digicert) that doesn't require any modification to the Java defaults, and has a correct serve rname which also doesn't require disabling hostname verification.

First of all, thanks for your answer. I think the certificate and the private key are used for SSL stuff. I don't think is ok to alter the content of the private key. I made a video of using the cert and private key files in requests using NodeJS. Can you review the next video [1] and answer me back? Thanks. https://drive.google.com/open?id=1P5U6gw3PZ_4uPk-cfpWrpqVQVAugidtj — GameZone RO, Mar 30 '20 at 10:16
NodeJS is able to read the privatekey file because it uses a part of the OpenSSL library that ignores the PEM labels and handles both algorithm-specific (including PKCS1) and PKCS8 key data. I didn't suggest altering the content at all (which would be a bad idea), only correcting the labels. I can't watch videos on my computer. — dave_thompson_085, Mar 31 '20 at 10:12

score 0 · Answer 2 · answered Mar 31 '20 at 08:29

The problem was that you are not able to use .cert and .key files in Java because the KeyStore doesn't know to work with these files.

To fix it you need to convert your files to .p12 (PKCS#12) file. To do this I used KeyStore Explorer.

After I converted the file I was able to make the call. The solution code is here:

private static SSLSocketFactory getFactory(String fileName, String password) {
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    keyStore.load(Main.class.getClassLoader().getResourceAsStream(fileName), password.toCharArray());
    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
    keyManagerFactory.init(keyStore, password.toCharArray());

    SSLContext context = SSLContext.getInstance("SSL");
    context.init(
        keyManagerFactory.getKeyManagers(),
        null,
        new SecureRandom()
    );
    return context.getSocketFactory();
}

public static void main(String[] args) throws Exception {
    final OkHttpClient.Builder builder = new OkHttpClient.Builder()
        .sslSocketFactory(getFactory("converted_file.p12", "1234"))
        .hostnameVerifier((hostname, session) -> true);

    OkHttpClient client = builder.build();
    //...
}

`KeyStore` can't handle those files directly, but it can handle the objects created by reading them. Using a PKCS12 file is indeed an alternative, although I wouldn't call it simpler, but the much more important difference here compared to the question you posted is that you use this key&cert for the KeyManager (only) and not the TrustManager; that is a completely different thing to do and does match what your nodejs did. — dave_thompson_085, Mar 31 '20 at 10:17

Translate NodeJS request with cert and key to Java

2 Answers2