How can I get a different KeyStore Type in Wiremock


abha gupta

Jun 8, 2016, 12:15:39 PM
to wiremock-user

Hi,
I am trying to make HTTPS run in the Wiremock mocking server with Android. Android supports the 'BKS' keystore type instead of 'JKS'.

Wiremock is using Jetty Server, which should provide this keystore type internally. Wiremock is using the store type which is returned by default KeyStore.getDefaultType(), which is good. See here.
But there has to be a way by which the Jetty Server used by Wiremock can be configured to use the 'BKS' keystore type.
In a standalone Jetty Server, this setting can be changed in a file like jetty-ssl-context.xml, with the property

<Set name="KeyStoreType"><Property name="jetty.sslContext.keyStoreType" default="BKS"/></Set>

I have been walking through the source code of Wiremock to see where this file is present or if it's exposed for changes. Not been very successful so far. If there is any clue on how to change this setting, it would help me save a lot of time. Any other suggestion is also welcome.

For reference, here is the error stack:

Caused by: java.security.KeyStoreException: java.security.NoSuchAlgorithmException: KeyStore JKS implementation not found
    at java.security.KeyStore.getInstance(KeyStore.java:119)
    at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:52)
    at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:871)
    at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:273)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
    at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
    at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:256)
    at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
    at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:236)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
    at org.eclipse.jetty.server.Server.doStart(Server.java:366)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
    at com.github.tomakehurst.wiremock.jetty9.JettyHttpServer.start(JettyHttpServer.java:101)

Thanks

Tom Akehurst

Jun 8, 2016, 3:27:42 PM
to wiremock-user
It looks like it'll be necessary to patch WireMock to make this work. Here's where the Jetty SSL context gets set up: https://github.com/tomakehurst/wiremock/blob/2.0-beta/src/main/java/com/github/tomakehurst/wiremock/jetty9/JettyHttpServer.java#L164

I think a call to SslContextFactory.setKeyStoreType(...) would be needed.
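
The call suggested above, shown on a bare embedded Jetty 9 HTTPS connector as an added example (this is not WireMock's code and not the patch discussed later in this thread). The class name, port 8443 and the command-line arguments are assumptions.

```java
import java.security.KeyStore;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// Added example: embedded Jetty 9 HTTPS connector with a selectable keystore type.
public class KeyStoreTypeExample {

    // storeType is e.g. "BKS" on Android or "JKS" on a desktop JVM; null falls
    // back to the platform default. The type must be offered by an installed
    // security provider, otherwise Jetty fails at start-up.
    static SslContextFactory sslContext(String storePath, String storePass, String storeType) {
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath(storePath);
        ssl.setKeyStorePassword(storePass);
        ssl.setKeyManagerPassword(storePass);   // assumes key and store share a password
        ssl.setKeyStoreType(storeType != null ? storeType : KeyStore.getDefaultType());
        return ssl;
    }

    static Server httpsServer(int port, SslContextFactory ssl) {
        Server server = new Server();
        HttpConfiguration config = new HttpConfiguration();
        config.setSecureScheme("https");
        config.setSecurePort(port);
        config.addCustomizer(new SecureRequestCustomizer());
        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, "http/1.1"),
                new HttpConnectionFactory(config));
        connector.setPort(port);
        server.addConnector(connector);
        return server;
    }

    public static void main(String[] args) throws Exception {
        // Usage: KeyStoreTypeExample <keystore-path> <password> [store-type]
        String type = args.length > 2 ? args[2] : null;
        Server server = httpsServer(8443, sslContext(args[0], args[1], type));
        server.start();   // throws KeyStoreException here if no provider offers the type
        server.join();
    }
}
```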

abha gupta

Jun 8, 2016, 4:59:21 PM
to wiremock-user
Thanks Tom,
I will give it a shot. Thanks for pointing out the file to make the change.

Abha

Tom Akehurst

Jun 9, 2016, 4:39:34 AM
to wiremock-user
If you manage to get it working I'd be happy to accept a PR adding an option to switch it. I'm sure this will be very useful to other Android devs out there.

marius....@gmx.ch

Jun 10, 2016, 10:45:28 AM
to wiremock-user
Hi,

I made a quick implementation to set the key store type and trust store type.

https://github.com/policybased/wiremock/tree/2.0-beta

There is one more issue. The SSLParameters implementation on Android has no method implementation of setEndpointIdentificationAlgorithm, which is used in Jetty.

Cheers,

abha gupta

Jun 14, 2016, 3:47:17 PM
to wiremock-user
I also made the change as Tom suggested, but now I am running into an issue of javax.net.ssl.SSLHandshakeException. Basically, the Jetty server stops right away when the handshake happens between client and server. I have investigated a lot about how the handshake works between client and server and what role the certificate plays. I have made sure that the BKS keystore is read successfully. Also implemented the suggestions by Android to train the HttpsUrlConnection to trust the certificate as provided by a custom CA (in my case generated by the openssl tool). I am still getting the same error. @Marius, I am not sure if you ever got this issue during your investigation. If yes, please let me know if I am missing anything.


Thanks for posting your reply.

abha gupta

Jun 14, 2016, 6:07:51 PM
to wiremock-user
Tom, 

I am sure there is a logger setting for the Jetty server. How can I set that to verbose? I found Wiremock is using SLF4J. I found how to turn the setting on for the standalone process, but couldn't find it for the integrated Wiremock server. Any guidance in this area would be very helpful.

Thanks
Abha


Tom Akehurst

Jun 14, 2016, 6:22:03 PM
to wiremock-user
Jetty uses slf4j so it should just be a case of dropping an slf4j implementation (e.g. Logback) into your project and configuring it to log Jetty classes at DEBUG.

The standalone version bakes in a logging impl, but when you include it as a library you have to pick your own.

Marius

Jun 15, 2016, 2:12:18 AM
to wiremock-user
Hi abha gupta,

Yes, I got the exception "no method implementation of setEndpointIdentificationAlgorithm" while testing an Android app with the patched WireMock link (https://github.com/policybased/wiremock/tree/2.0-beta).

I ignore the certificate for HttpURLConnection. So I do something like this (of course, never in production code):
https://gist.github.com/aembleton/889392

And I also ignore host name verification (of course, never in production code):
http://stackoverflow.com/questions/6031258/java-ssl-how-to-disable-hostname-verification

Cheers
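
An alternative to ignoring the certificate and host name in test clients, as an added example that is not part of the original post: trust only what is in the test keystore and leave host name verification on. The class name and command-line arguments are assumptions; it uses only standard JSSE calls.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example: HTTPS test client that trusts only the mock server's certificate.
public class TestOnlyTrust {

    // Builds an SSLContext whose trust anchors come solely from the given store.
    // storeType is "BKS" on Android; on a desktop JVM a provider offering BKS
    // (for example BouncyCastle) must be registered first.
    static SSLContext trustingOnly(InputStream store, char[] password, String storeType)
            throws Exception {
        KeyStore trusted = KeyStore.getInstance(storeType);
        trusted.load(store, password);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        return context;
    }

    // Applies the context to this one connection only; the JVM-wide defaults and
    // the default HostnameVerifier are left untouched, so the certificate still
    // has to name the host being contacted (e.g. "localhost").
    static HttpsURLConnection open(URL url, SSLContext context) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(context.getSocketFactory());
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Usage: TestOnlyTrust <truststore-path> <password> <store-type> <https-url>
        try (InputStream in = new FileInputStream(args[0])) {
            SSLContext context = trustingOnly(in, args[1].toCharArray(), args[2]);
            HttpsURLConnection conn = open(new URL(args[3]), context);
            System.out.println("HTTP " + conn.getResponseCode());
        }
    }
}
```

The client-side store should ideally hold the server's certificate as a trusted-certificate entry only, without the private key.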

Marius

Jun 15, 2016, 4:29:53 AM
to wiremock-user
Hi abha gupta again,

And when you modify https://github.com/policybased/wiremock/blob/2.0-beta/src/main/java/com/github/tomakehurst/wiremock/jetty9/JettyHttpServer.java#L164

and override the customize method like the original implementation without the code line:
sslParams.setEndpointIdentificationAlgorithm(_endpointIdentificationAlgorithm);

WireMock is running with ssl. https://localhost:8080/__admin is working fine.


abha gupta

Jun 15, 2016, 10:11:37 AM
to Marius, wiremock-user
Not sure if my last message was sent successfully, hence sending again. I am doing the exact same thing, so it has to be the way I am creating the certificates. I am using https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs "Generate Self-Signed Certificate" to create a certificate and then running:

keytool -importcert -v -trustcacerts -file "cert.crt" -alias IntermediateCA -keystore "myKeystore.bks" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "path_to_bouncycastle/bcprov-jdk16-145.jar" -storetype BKS -storepass password

Can you share the steps you took to create a certificate?

Abha

Marius

Jun 16, 2016, 3:48:21 AM
to wiremock-user
Hi,

I used http://www.keystore-explorer.org/ to generate my keystore. Generate new keystore type BKS. Generate a key pair with a self-signed certificate. Save it and that's it. I attached an example.

Cheers
android_wiremock_keystore

abha gupta

Jun 16, 2016, 2:36:49 PM
to wiremock-user
Thank you Marius. 

We got your KeyStore file and it just worked. Now ideally, I should not be using your keystore, and I will be using the tool you mentioned to create my own keystore, but we have overcome that hurdle.

Thanks again,
Abha