Re: [play-framework] SSL/TLS configuration under play 2.5.2


Will Sargent

Aug 19, 2016, 4:30:46 PM8/19/16
to play-fr...@googlegroups.com
> I am trying to programmatically reproduce what I do without difficultly using http to obtain an authorization token from an SSL end point providing it:

I don't understand what you're trying to do here.  You're trying to get Play working over HTTPS as a server, and using Play WS SSL as the client?  There is an example template that you can use that will set that up for you: https://github.com/typesafehub/activator-play-tls-example

Will.

--
Will Sargent
Engineer, Lightbend, Inc.


On Fri, Aug 19, 2016 at 12:09 PM, Henry Katz <freemar...@gmail.com> wrote:
Hi,

I am trying to programmatically reproduce what I do without difficulty using http to obtain an authorization token from an SSL end point providing it:

$ echo '{"grant_type":"client_credentials","client_id":"xxxx","client_secret":"yyyy","ip":"10.0.0.1","scope":"tbd"}' | http -v -j --print b https://dev.fubar.com:9443/v1/token  --cert trust.pem --cert-key ./key.pem 

{
    "access_token": "blah blah blah",
    "expires_in": 7776000,
    "refresh_token": null,
    "scope": "tbd",
    "status": null,
    "token_type": "Bearer"
}


So my thinking following the docs here: https://www.playframework.com/documentation/2.5.x/ExampleSSLConfig

is to simply reuse the same PEM files for the trust and key managers respectively in my config:


# ssl configuration
play.ws {
  ssl {
    # Configuration for the key manager
    keyManager {
      # The key stores
      stores = [
        { type = "PEM", path = "/tmp/key.pem" }
      ]
    }

    trustManager {
      # The trust stores
      stores = [
        { type = "PEM", path = "/tmp/trust.pem" }
      ]
    }

    # Debug configuration
    debug {
      # Turn on all debugging
      all = true
      # Turn on ssl debugging
      ssl = true
      # Turn certpath debugging on
      certpath = true
      # Turn ocsp debugging on
      ocsp = false
      # Enable per-record tracing
      record = false
      # hex dump of record plaintext, requires record to be true
      plaintext = false
      # print raw SSL/TLS packets, requires record to be true
      packet = true
      # Print each handshake message
      handshake = true
      # Print hex dump of each handshake message, requires handshake to be true
      data = true
      # Enable verbose handshake message printing, requires handshake to be true
      verbose = false
      # Print key generation data
      keygen = true
      # Print session activity
      session = false
      # Print default SSL initialization
      defaultctx = false
      # Print SSLContext tracing
      sslctx = true
      # Print session cache tracing
      sessioncache = false
      # Print key manager tracing
      keymanager = true
      # Print trust manager tracing
      trustmanager = true
      # Turn pluggability debugging on
      pluggability = false
    }
  }
}


which results in this exception:


java.security.cert.CertificateParsingException: signed fields invalid
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1791)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:471)
at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:356)
at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:462)
at play.api.libs.ws.ssl.FileBasedKeyStoreBuilder.readCertificates(KeyStore.scala:110)
at play.api.libs.ws.ssl.FileBasedKeyStoreBuilder.build(KeyStore.scala:85)
at play.api.libs.ws.ssl.ConfigSSLContextBuilder.buildKeyManager(SSLContextBuilder.scala:186)
at play.api.libs.ws.ssl.ConfigSSLContextBuilder$$anonfun$3.apply(SSLContextBuilder.scala:130)
at play.api.libs.ws.ssl.ConfigSSLContextBuilder$$anonfun$3.apply(SSLContextBuilder.scala:129)
at scala.collection.TraversableLike$$anonfun$map$1.apply(TraversableLike.scala:245)
at scala.collection.TraversableLike$$anonfun$map$1.apply(TraversableLike.scala:245)
at scala.collection.mutable.ResizableArray$class.foreach(ResizableArray.scala:59)
at scala.collection.mutable.ArrayBuffer.foreach(ArrayBuffer.scala:48)
at scala.collection.TraversableLike$class.map(TraversableLike.scala:245)
at scala.collection.AbstractTraversable.map(Traversable.scala:104)
at play.api.libs.ws.ssl.ConfigSSLContextBuilder.buildCompositeKeyManager(SSLContextBuilder.scala:128)
at play.api.libs.ws.ssl.ConfigSSLContextBuilder.keyManagers$lzycompute(SSLContextBuilder.scala:112)
at play.api.libs.ws.ssl.ConfigSSLContextBuilder.keyManagers(SSLContextBuilder.scala:111)
at play.api.libs.ws.ssl.ConfigSSLContextBuilder.build(SSLContextBuilder.scala:100)
at play.api.libs.ws.ahc.AhcConfigBuilder.configureSSL(AhcConfig.scala:265)
at play.api.libs.ws.ahc.AhcConfigBuilder.configure(AhcConfig.scala:140)
at play.api.libs.ws.ahc.AhcConfigBuilder.build(AhcConfig.scala:151)
at HowsMySSL2Spec.createClient(HowsMySSL2Spec.scala:42)


code is derived from test specs2 from here: https://github.com/typesafehub/ssl-config/blob/master/documentation/src/sphinx/code/HowsMySSLSpec.scala


with minimal mods aside from reading the config from a file and posting some JSON to a different URL:


/*
 * Copyright (C) 2015 Typesafe Inc. <http://www.typesafe.com>
 */

import java.io.File

import akka.actor.ActorSystem
import akka.stream.ActorMaterializer
import com.typesafe.config.ConfigFactory
import com.typesafe.sslconfig.ssl.debug.DebugConfiguration
import org.specs2.specification.AfterAll
import play.api.libs.json.{JsSuccess, Json}
import play.api.libs.ws._
import play.api.libs.ws.ahc._
import play.api.test._
import play.api.{Environment, Mode}

import scala.concurrent.duration._

class HowsMySSL2Spec extends PlaySpecification with AfterAll {

  val system = ActorSystem("howsMySSLSpec")
  implicit val materializer = ActorMaterializer()(system)

  def afterAll(): Unit = {
    system.terminate()
  }

  // Builds an AHC-backed WSClient from the play.ws.* configuration (including play.ws.ssl).
  def createClient(rawConfig: play.api.Configuration): WSClient = {
    val classLoader = Thread.currentThread().getContextClassLoader
    val parser = new WSConfigParser(rawConfig, new Environment(new File("."), classLoader, Mode.Test))
    val clientConfig = new AhcWSClientConfig(parser.parse())
    // Debug flags only take effect in JSSE when DebugConfiguration().configure is called
    // with the parsed debug settings; chaining withXxx builders without passing the
    // result anywhere configures nothing.
    new DebugConfiguration().configure(clientConfig.wsClientConfig.ssl.debug)
    val builder = new AhcConfigBuilder(clientConfig)
    new AhcWSClient(builder.build())
  }

  def configToMap(configString: String): Map[String, _] = {
    import scala.collection.JavaConverters._
    ConfigFactory.parseString(configString).root().unwrapped().asScala.toMap
  }

  "WS" should {

    "verify common behavior" in {
      // application.conf (carrying the play.ws.ssl block above) plus system properties
      val configWithSystemProperties = ConfigFactory.load()
      val playConfiguration = play.api.Configuration(configWithSystemProperties)

      val client = createClient(playConfiguration)

      val credJS = Json.obj(
        "grant_type" -> "client_credentials",
        "client_id" -> "xxxx",
        "client_secret" -> "yyyy",
        "ip" -> "10.0.0.1",
        "scope" -> "tbd"
      )
      val response = await(client.url("https://dev.fubar.com:9443/v1/token").post(credJS))(5.seconds)
      response.status must be_==(200)

      // The token endpoint returns access_token/token_type (see the httpie output above),
      // not the tls_version field the original howsmyssl spec checked.
      val jsonOutput = response.json
      val result = (jsonOutput \ "token_type").validate[String]
      result must beLike {
        case JsSuccess(value, _) =>
          value must_== "Bearer"
      }
    }
  }
}


Is this logic sound?


Thanks,

Henry
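The stack trace above runs FileBasedKeyStoreBuilder.build -> readCertificates -> CertificateFactory.generateCertificates, so the key-manager PEM is being consumed as a list of certificates, and the JDK's X509CertImpl.parse raises "signed fields invalid" when the first element inside the outer DER SEQUENCE is not itself a SEQUENCE (a certificate's tbsCertificate). The checker below is an added example, not Play or ssl-config code, that applies the same outer-structure checks to every block of a PEM file so you can see how a store will look to that code path before Play loads it. It assumes that the JDK reader hands every BEGIN/END block to the certificate parser regardless of its label; the PEM bodies it embeds are constructed DER stand-ins, not real keys or certificates, and the file names in the usage comment are the ones from the config above.

```python
import base64
import re
import sys

SEQUENCE, INTEGER, BIT_STRING, OCTET_STRING, NULL, OID = 0x30, 0x02, 0x03, 0x04, 0x05, 0x06
PEM_BLOCK = re.compile(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every BEGIN/END block in the text."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_BLOCK.finditer(text)]


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                              # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER length exceeds data")
    return tag, buf[pos:pos + length], pos + length


def x509_verdict(der):
    """Apply the outer-structure checks X509CertImpl.parse makes: outer SEQUENCE,
    exactly three children (tbsCertificate, signatureAlgorithm, signature), the
    first of them a SEQUENCE.  Returns (ok, reason) using the JDK's wording."""
    try:
        tag, body, end = der_tlv(der)
        if tag != SEQUENCE:
            return False, "invalid DER-encoded certificate data"
        tags, pos = [], 0
        while pos < len(body):                    # tags of the top-level children
            child_tag, _, pos = der_tlv(body, pos)
            tags.append(child_tag)
    except ValueError as e:
        return False, "malformed DER: %s" % e
    if end != len(der):
        return False, "trailing bytes after outer SEQUENCE"
    if len(tags) < 3:
        return False, "too few signed fields (%d)" % len(tags)
    if len(tags) > 3:
        return False, "signed fields overrun"
    if tags[0] != SEQUENCE:
        return False, "signed fields invalid (first element tag 0x%02x)" % tags[0]
    return True, "certificate-shaped"


def check_pem_store(text):
    """Report on a PEM file as a certificate-only store would consume it.
    Assumption: every block is handed to the certificate parser, label or not."""
    blocks = pem_blocks(text)
    verdicts = [(label,) + x509_verdict(der) for label, der in blocks]
    return {"labels": [label for label, _ in blocks],
            "private_key_blocks": sum("PRIVATE KEY" in label for label, _ in blocks),
            "all_blocks_parse": bool(blocks) and all(ok for _, ok, _ in verdicts),
            "verdicts": verdicts}


# --- constructed sample data: DER stand-ins, not real keys or certificates ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


ALG_ID = _der(SEQUENCE, _der(OID, bytes.fromhex("2a864886f70d010101")) + _der(NULL, b""))
# PKCS#8 shape: SEQUENCE { INTEGER 0, AlgorithmIdentifier, OCTET STRING } -> starts with INTEGER
FAKE_KEY_DER = _der(SEQUENCE, _der(INTEGER, b"\x00") + ALG_ID + _der(OCTET_STRING, b"\x00"))
# Certificate shape: SEQUENCE { SEQUENCE tbs, AlgorithmIdentifier, BIT STRING } -> starts with SEQUENCE
FAKE_CERT_DER = _der(SEQUENCE, _der(SEQUENCE, _der(INTEGER, b"\x01")) + ALG_ID + _der(BIT_STRING, b"\x00"))

KEY_ONLY_PEM = _pem("PRIVATE KEY", FAKE_KEY_DER)
CERT_ONLY_PEM = _pem("CERTIFICATE", FAKE_CERT_DER)
KEY_AND_CERT_PEM = KEY_ONLY_PEM + CERT_ONLY_PEM

if __name__ == "__main__":
    # Usage: python pemcheck.py /tmp/key.pem /tmp/trust.pem   (no arguments: run the samples)
    inputs = [(p, open(p).read()) for p in sys.argv[1:]] or [
        ("key-only", KEY_ONLY_PEM), ("cert-only", CERT_ONLY_PEM), ("key+cert", KEY_AND_CERT_PEM)]
    for name, text in inputs:
        report = check_pem_store(text)
        print(name, "- every block parses as a certificate:", report["all_blocks_parse"])
        for label, ok, reason in report["verdicts"]:
            print("   %-12s %s" % (label, reason))
```

A file whose only block is a PRIVATE KEY gets exactly the "signed fields invalid" verdict from the trace, because a PKCS#8 (or PKCS#1 RSA) key starts with an INTEGER where a certificate starts with its tbsCertificate SEQUENCE; a block that is not DER at all, or that carries trailing bytes, is reported separately so a truncated or mis-concatenated file is not mistaken for a key/certificate mix-up.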


