how to send SSL certificate in POST request?

[Pierre Masci]

Hi, I am new to Clojure and using clj-http for the first time, to implement a REST client.
I don't find anywhere how to indicate where my SSL certificate is located.
Here is what I did:

(ns my-client.core
  (:require [clj-http.client :as client]
            [clojure.pprint :refer :all]))

(def my-appkey "...")

(defn login [username password appkey]
  (client/post "https://.../api/certlogin"
               {:headers     {"X-Application" appkey
                              "Content-Type" "application/x-www-form-urlencoded"}
                :form-params {"username" username "password" password}}))

(defn -main []
  (pprint (login "..." "..." my-appkey)))

This sends me back a response which indicates that I need to send the SSL certificate.
When I send the same request with curl and indicate the certificates, it works. This is the successful curl request:

curl -q -k --cert client-2048.crt --key client-2048.key https://.../api/certlogin -d "username=...&password=..." -H "X-Application: ..."

 

[James Reeves]

There's an article here that might be useful to you:

https://www.lvh.io/posts/https-requests-with-client-certificates-in-clojure.html

With clj-http, you have to use a Java keystore. I wrote a library a few years ago for importing certificates into keystores in Clojure, though I'm not sure how well it works now. Otherwise you can use the normal Java process.

https://github.com/weavejester/crypto-keystore

- James

--
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clo...@googlegroups.com
Note that posts from new members are moderated - please be patient with your first post.
To unsubscribe from this group, send email to
clojure+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
---
You received this message because you are subscribed to the Google Groups "Clojure" group.
To unsubscribe from this group and stop receiving emails from it, send an email to clojure+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Michael Ball]

I had to do the same several months ago. You will need to create a java key store with the certificate. Once you have a keystore,  here's the clj-http docs on how to include it in an http request.

https://github.com/dakrone/clj-http#keystores-trust-stores

(client/post "https://example.com" {:keystore "/path/to/keystore.ks"
                                    :keystore-type "jks" ; default: jks
                                    :keystore-pass "secretpass"})

I don't know if it's much use to you but here's how I created the keystore using openssl first to convert to pkcs12 then the java keytool to build the keystore. 

openssl pkcs12 -export -in cert.pem -inkey "private_key.pem" -certfile cert.pem -out keystore.p12

 

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -destkeystore keystore.jks

 

keytool -import -alias ejbca -keystore keystore.jks -file VDPCA-Sandbox.pem -storepass password

[mascip]

Amazing, thank you James, thank you Micheal, it works!

In Perl things are often pretty complex, but in this specific case the code is dead easy:

my $client = REST::Client->new(

  cert => '/path/to/ssl.cert',

  key => '/path/to/ssl.key');

my $response = $client->POST(

        'https://.../api/certlogin', 

        'username=' . $username . '&password=' . $->password);

-- Pierre Masci

--
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clo...@googlegroups.com
Note that posts from new members are moderated - please be patient with your first post.
To unsubscribe from this group, send email to
clojure+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
---

You received this message because you are subscribed to a topic in the Google Groups "Clojure" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/clojure/Bh0gl5QEUsI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to clojure+unsubscribe@googlegroups.com.

[Kevin Corcoran]

On Thu, Feb 23, 2017 at 5:11 PM, mascip <mas...@gmail.com> wrote:

Amazing, thank you James, thank you Micheal, it works!

In Perl things are often pretty complex, but in this specific case the code is dead easy:

my $client = REST::Client->new(

  cert => '/path/to/ssl.cert',

  key => '/path/to/ssl.key');

my $response = $client->POST(

        'https://.../api/certlogin', 

        'username=' . $username . '&password=' . $->password);

-- Pierre Masci

Pierre, you might be interested in https://github.com/puppetlabs/clj-http-client.  It provides an HTTP client which has an interface like you're describing.  The docs appear to be a bit lacking, but you can basically write:

(let [client (http/create-client
              {:ssl-cert "/path/to/ssl.cert"
               :ssl-key "/path/to/ssl.key"
               :ssl-ca-cert "/path/to/ssl.cert"})]
  (http/post client "https://.../api/certlogin"))

[mascip]

Nice :-)

Under the hood it uses (puppetlabs.http.client.common/make-request) . I found the definition of the protocol, but not the actual implementation of make-request .

Well, that doesn't matter so much, now I've got something that works!

Thank you again

-- Pierre Masci