Hi, I am trying to programmatically reproduce what I do without difficulty using the `http` command-line tool to obtain an authorization token from an SSL endpoint that provides it:
$ echo '{"grant_type":"client_credentials","client_id":"xxxx","client_secret":"yyyy","ip":"10.0.0.1","scope":"tbd"}' | http -v -j --print b https://dev.fubar.com:9443/v1/token --cert trust.pem --cert-key ./key.pem
{
"access_token": "blah blah blah",
"expires_in": 7776000,
"refresh_token": null,
"scope": "tbd",
"status": null,
"token_type": "Bearer"
}
So, following the docs here: https://www.playframework.com/documentation/2.5.x/ExampleSSLConfig
my thinking is to simply reuse the same PEM files for the trust and key managers respectively in my config:
# ssl configuration
play.ws {
  ssl {
    # Configuration for the key manager
    # NOTE(review): the stack trace below shows this store being read by
    # FileBasedKeyStoreBuilder.readCertificates -> CertificateFactory.generateCertificates,
    # i.e. parsed as X.509 certificates; no private-key parsing appears anywhere
    # in the trace. /tmp/key.pem is the file given to `http --cert-key`, i.e. the
    # client's private key, so the "signed fields invalid" failure is most likely
    # that key-only PEM being handed to the certificate parser. A key manager needs
    # the client certificate together with its private key, which presumably means
    # a JKS/PKCS12 store (or whichever PEM layout Play actually supports) — verify
    # against the Play 2.5 key-store documentation.
    keyManager {
      # The key stores
      stores = [
        {type: "PEM", path = "/tmp/key.pem"}
      ]
    }
    # NOTE(review): on the `http` command line trust.pem is the --cert argument,
    # i.e. the client certificate, not a CA bundle. A trust store should hold the
    # CA(s) that issued the server certificate of dev.fubar.com:9443; reusing the
    # client certificate here only works if the server happens to present a
    # certificate contained in this file — confirm which CA the server chains to.
    trustManager {
      # The trust stores
      stores = [
        {type: "PEM", path = "/tmp/trust.pem"}
      ]
    }
    # Debug configuration
    # NOTE(review): `all = true` already turns on every debug category, so the
    # individual flags below are redundant while it is set. `packet`, `data` and
    # `keygen` print raw TLS records, handshake bytes and key-generation material
    # to the log; keep them off outside a local, throwaway debugging session.
    debug {
      # Turn on all debugging
      all = true
      # Turn on ssl debugging
      ssl = true
      # Turn certpath debugging on
      certpath = true
      # Turn ocsp debugging on
      ocsp = false
      # Enable per-record tracing
      record = false
      # hex dump of record plaintext, requires record to be true
      plaintext = false
      # print raw SSL/TLS packets, requires record to be true
      packet = true
      # Print each handshake message
      handshake = true
      # Print hex dump of each handshake message, requires handshake to be true
      data = true
      # Enable verbose handshake message printing, requires handshake to be true
      verbose = false
      # Print key generation data
      keygen = true
      # Print session activity
      session = false
      # Print default SSL initialization
      defaultctx = false
      # Print SSLContext tracing
      sslctx = true
      # Print session cache tracing
      sessioncache = false
      # Print key manager tracing
      keymanager = true
      # Print trust manager tracing
      trustmanager = true
      # Turn pluggability debugging on
      pluggability = false
    }
  }
}
which results in this exception:
java.security.cert.CertificateParsingException: signed fields invalid
java.security.cert.CertificateParsingException: signed fields invalid
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1791)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:471)
at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:356)
at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:462)
at play.api.libs.ws.ssl.FileBasedKeyStoreBuilder.readCertificates(KeyStore.scala:110)
at play.api.libs.ws.ssl.FileBasedKeyStoreBuilder.build(KeyStore.scala:85)
at play.api.libs.ws.ssl.ConfigSSLContextBuilder.buildKeyManager(SSLContextBuilder.scala:186)
at play.api.libs.ws.ssl.ConfigSSLContextBuilder$$anonfun$3.apply(SSLContextBuilder.scala:130)
at play.api.libs.ws.ssl.ConfigSSLContextBuilder$$anonfun$3.apply(SSLContextBuilder.scala:129)
at scala.collection.TraversableLike$$anonfun$map$1.apply(TraversableLike.scala:245)
at scala.collection.TraversableLike$$anonfun$map$1.apply(TraversableLike.scala:245)
at scala.collection.mutable.ResizableArray$class.foreach(ResizableArray.scala:59)
at scala.collection.mutable.ArrayBuffer.foreach(ArrayBuffer.scala:48)
at scala.collection.TraversableLike$class.map(TraversableLike.scala:245)
at scala.collection.AbstractTraversable.map(Traversable.scala:104)
at play.api.libs.ws.ssl.ConfigSSLContextBuilder.buildCompositeKeyManager(SSLContextBuilder.scala:128)
at play.api.libs.ws.ssl.ConfigSSLContextBuilder.keyManagers$lzycompute(SSLContextBuilder.scala:112)
at play.api.libs.ws.ssl.ConfigSSLContextBuilder.keyManagers(SSLContextBuilder.scala:111)
at play.api.libs.ws.ssl.ConfigSSLContextBuilder.build(SSLContextBuilder.scala:100)
at play.api.libs.ws.ahc.AhcConfigBuilder.configureSSL(AhcConfig.scala:265)
at play.api.libs.ws.ahc.AhcConfigBuilder.configure(AhcConfig.scala:140)
at play.api.libs.ws.ahc.AhcConfigBuilder.build(AhcConfig.scala:151)
at HowsMySSL2Spec.createClient(HowsMySSL2Spec.scala:42)
The code is derived from the specs2 test here: https://github.com/typesafehub/ssl-config/blob/master/documentation/src/sphinx/code/HowsMySSLSpec.scala
with minimal modifications aside from reading the config from a file and posting some JSON to a different URL:
/*
* Copyright (C) 2015 Typesafe Inc. <http://www.typesafe.com>
*/
import java.io.File
import akka.actor.ActorSystem
import akka.stream.ActorMaterializer
import com.typesafe.config.ConfigFactory
import com.typesafe.sslconfig.ssl.debug.DebugConfiguration
import org.asynchttpclient.AsyncHttpClientConfig
import org.specs2.specification.AfterAll
import play.api.libs.json.{JsSuccess, Json}
import play.api.libs.ws._
import play.api.libs.ws.ahc._
import play.api.test._
import play.api.{Environment, Mode}
import spray.examples.{Creds, MySslConfiguration}
import scala.concurrent.duration._
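class HowsMySSL2Spec extends PlaySpecification with AfterAll {
  /** Actor system backing the WS client; shut down in [[afterAll]]. */
  val system = ActorSystem("howsMySSLSpec")
  implicit val materializer = ActorMaterializer()(system)

  /** Terminates the actor system once the whole spec has run. */
  def afterAll(): Unit = {
    // terminate() has a side effect, so it is called with parentheses.
    system.terminate()
  }

  /**
   * Builds a WS client from the `play.ws` section of `rawConfig`.
   *
   * Key/trust stores and the `play.ws.ssl.debug` flags all come from the parsed
   * configuration; nothing is overridden programmatically here.
   *
   * @param rawConfig configuration holding `play.ws` (including `play.ws.ssl`)
   * @return a client whose SSL context is built from that configuration
   */
  def createClient(rawConfig: play.api.Configuration): WSClient = {
    val classLoader = Thread.currentThread().getContextClassLoader
    val environment = new Environment(new File("."), classLoader, Mode.Test)
    val parser = new WSConfigParser(rawConfig, environment)
    val clientConfig = new AhcWSClientConfig(parser.parse())
    // NOTE(review): the debug flags only reach JSSE once
    // DebugConfiguration().configure(...) is invoked on the parsed
    // clientConfig.wsClientConfig.ssl.debug. Chaining the with* setters on that
    // value (as the original did) only builds a copy that was then discarded,
    // so the chain was removed. Which DebugConfiguration class matches the
    // SSLDebugConfig type on this classpath depends on the Play/ssl-config
    // version in use — TODO confirm before re-adding the configure call.
    val builder = new AhcConfigBuilder(clientConfig)
    new AhcWSClient(builder.build())
  }

  /**
   * Parses a HOCON string and returns its top-level keys as an immutable map.
   *
   * @param configString HOCON text
   * @return top-level keys mapped to their unwrapped (plain Java) values
   */
  def configToMap(configString: String): Map[String, _] = {
    import scala.collection.JavaConverters._
    ConfigFactory.parseString(configString).root().unwrapped().asScala.toMap
  }

  "WS" should {
    "verify common behavior" in {
      // The application config (play.ws.ssl.* with the PEM stores) is loaded here.
      val loadedConfig = ConfigFactory.load()
      val client = createClient(play.api.Configuration(loadedConfig))
      // Placeholder credentials; real client_id/client_secret values belong in
      // configuration or the environment rather than in a committed spec.
      val credJS = Json.obj(
        "grant_type" -> "client_credentials",
        "client_id" -> "xxxx",
        "client_secret" -> "yyyy",
        "ip" -> "10.0.0.1",
        "scope" -> "tbd"
      )
      val tokenUrl = "https://dev.fubar.com:9443/v1/token"
      try {
        val response = await(client.url(tokenUrl).post(credJS))(5.seconds)
        response.status must be_==(200)
        // The token endpoint answers with access_token/token_type (see the
        // command-line sample above); it never sends the tls_version field the
        // original howsmyssl.com spec looked for, so that check could not pass.
        val jsonOutput = response.json
        (jsonOutput \ "access_token").validate[String] must beLike {
          case JsSuccess(token, _) => token.nonEmpty must beTrue
        }
        (jsonOutput \ "token_type").validate[String] must beLike {
          case JsSuccess(tokenType, _) => tokenType must_== "Bearer"
        }
      } finally {
        // Release the client's connection pool even when an assertion fails.
        client.close()
      }
    }
  }
}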
Is this logic sound as is?
Thanks,
Henry