Received fatal alert: bad_certificate


OR

Feb 10, 2016, 4:58:16 AM
to REST assured
Hello everyone,

I am new to rest api testing and recently came across rest-assured.

I am stuck at authentication. The API I am trying to test uses basic authentication along with some certificate setting (I am lost as to how it works).

I wrote this code:

@Test
public void testRead() {
    given()
        .auth().basic("username", "passwd")
    .expect()
        .statusCode(200)
    .when()
        .get("URL");
}


FAILED: testRead
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)

I understand I need to implement some certificate setting, something to do with truststores, keystores and SSL. But I am totally at a loss here as to where and how to begin, what the things are I need to set, and in what order.

Can someone please walk me through this or provide me some doc links I can go through?

Thanks.

Johan Haleby

Feb 10, 2016, 4:59:33 AM
to rest-a...@googlegroups.com
Have you tried relaxedHTTPSValidation?

Regards,
/Johan

--
You received this message because you are subscribed to the Google Groups "REST assured" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rest-assured...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

OR

Feb 10, 2016, 5:23:44 AM
to REST assured

Hello Johan,

Thanks for the quick response.

I looked into the link you shared; I am not sure what we mean by relaxedHTTPSValidation.

But to give it a try I added this line to my test testRead; the code looks like this now:

@Test
public void testRead() {
    given().relaxedHTTPSValidation()
        .auth().basic("username", "passwd")
    .expect()
        .statusCode(200)
    .when()
        .get("URL");
}

Is this what I was supposed to do? And I am still getting the same error.

Developers of the web service have also implemented authentication (not using rest-assured though) with some truststore/keystore thingy when they need to call one web service from another web service, and I am all confused about what it all means and how it works.

Could you please help?

Thanks.

OR

Feb 10, 2016, 5:25:52 AM
to REST assured
Basically what I am trying to understand here is the flow of the authentication process (whether we import a truststore/keystore or provide some creds etc.) and what libraries/classes to use for implementing it.

Johan Haleby

Feb 10, 2016, 6:40:20 AM
to rest-a...@googlegroups.com
Hmm if you mean certificate authentication you can try specifying a truststore or keystore or use auth().certificate(..)

OR

Feb 10, 2016, 6:48:30 AM
to REST assured
Okay, so I am all confused here. Here is the list of things I am confused about:

1. Are SSL authentication and certificate authentication two different things?
2. Do the truststore and keystore come into play only in the case of certificate auth?
3. If the answer to the second question is yes, that means the web service I am trying to test uses certificate auth, so why am I seeing SSL-related errors in the error trace?

Also, could you please point me to some doc/tutorial on how to implement cert auth using rest-assured?

Thanks.

Johan Haleby

Feb 10, 2016, 8:31:08 AM
to rest-a...@googlegroups.com
On Wed, Feb 10, 2016 at 12:48 PM, OR <objectre...@gmail.com> wrote:
Okay, so I am all confused here. Here is the list of things I am confused about:

1. Are SSL authentication and certificate authentication two different things?

They're the same (afaik). auth().certificate(..) is just a shortcut for settings in SSLConfig.
 
2. Do the truststore and keystore come into play only in the case of certificate auth?

Yes, if I remember it correctly it's more or less syntactic sugar loading a keystore or truststore.
 
3. If the answer to the second question is yes, that means the web service I am trying to test uses certificate auth, so why am I seeing SSL-related errors in the error trace?

It might be that the server has a self-signed cert?
 

Also, could you please point me to some doc/tutorial on how to implement cert auth using rest-assured?

The only docs on this are the javadoc. Contributions are appreciated.

OR

Feb 10, 2016, 1:24:57 PM
to REST assured
OK, I will go through the Javadoc thoroughly. Last question here:

Is rest-assured sufficient to handle the certificate authentication process, or do we need to use some other third-party or Java built-in libraries along with rest-assured?

Johan Haleby

Feb 10, 2016, 2:32:33 PM
to rest-a...@googlegroups.com
Rest Assured uses Apache HttpClient under the hood, which is very capable. So if there's something you find missing or can't configure, let's try to improve things together.

Regards 
/Johan

Johan Haleby

Feb 10, 2016, 3:26:05 PM
to rest-a...@googlegroups.com
BTW I think what you're looking for is to provide a keystore to rest assured (which I believe certificate authentication creates under the hood).

OR

Feb 11, 2016, 9:40:44 AM
to REST assured

I read the java doc for auth().certificate(..).

Here is the syntax that I came across:
auth().certificate("keystore.jks", "my_password", certAuthSettings().allowAllHostNames());

This only allows specifying a keystore; where do I specify the truststore details?

Please help.

On Wednesday, February 10, 2016 at 7:01:08 PM UTC+5:30, Johan Haleby wrote:

Johan Haleby

Feb 11, 2016, 11:48:39 PM
to rest-a...@googlegroups.com
I believe this is broken. Since I've never had to use this myself, I tried to implement it to the best of my knowledge (the last time I looked into it I interpreted truststore and keystore to essentially be the same thing, a truststore essentially being a keystore with a password applied; I remember reading this in a blog somewhere), but with my current understanding this was a big and embarrassing mistake. I'll try to look into this a bit today and hopefully be able to push out a new snapshot. If so I'll let you know asap so that you can try it out.

On Mon, Feb 8, 2016 at 3:11 PM, Maciej Gawinecki <mgawi...@gmail.com> wrote:
Hi Johan,

I'm using REST-Assured 2.8.0. I'm having a problem authenticating to a certain service with RestAssured using both a keystore and a truststore. The keystore is used to identify myself in front of the service and the truststore is used to trust the service.

        KeyStore trustStore;
        try {
            trustStore = KeyStore.getInstance("JKS");
            trustStore.load(DontKnowYetWhatIAmTesting.class.getResourceAsStream("/keys/trusted.jks"), "changeit".toCharArray());
        } catch (IOException | NoSuchAlgorithmException | CertificateException | KeyStoreException e) {
            throw Throwables.propagate(e);
        }

        RestAssured.given()
                .trustStore(trustStore)
                .keystore("/keys/internal.jks", "changeit")
                .when()
                .get("https://protected.resource.com")
                .then().log().all().statusCode(200);


I started to debug with -Djavax.net.debug=all and found that only certificates from my truststore are listed. I started to analyze the problem and found that in com.jayway.restassured.internal.KeystoreSpecImpl you are creating the SSLSocketFactory with only the truststore:

    ssl = new SSLSocketFactory(truststore);

You never use the SSLSocketFactory constructor that enables defining both a truststore and a keystore, e.g.:

    public SSLSocketFactory(final KeyStore keystore, final String keystorePassword, final KeyStore truststore)


Or am I using something wrong?

In general, I found the code of KeystoreSpecImpl a bit confusing. In the KeystoreSpecImpl.createTrustStore() method you create a truststore by reading a keystore file.

Regards,
Maciej


Object Repository

Feb 12, 2016, 10:06:53 AM
to rest-a...@googlegroups.com
While I am waiting for the fix in rest-assured, I implemented this using the Apache HttpClient library for the time being and was able to get a successful response. While trying to convert that code to the rest-assured DSL, there is another thing that I could not find in the rest-assured API.

How do we provide credentials in certificate auth in rest-assured? I achieved this using the CredentialsProvider class of HttpClient.

Is this also something missing from rest-assured, or if something similar is there, could you please point me to where it is? I couldn't find it.


Johan Haleby

Feb 14, 2016, 3:01:58 AM
to rest-a...@googlegroups.com
Could you share the implementation in apache http client? That would probably make things much easier for me.

Object Repository

Feb 14, 2016, 6:24:51 AM
to rest-a...@googlegroups.com
Hey Johan,
I shared that code in another mail chain on the group started by Maciej; he was struggling with the same issue. Let me know if you don't find it, I will resend. I am out for a while, will share as soon as I'm back home.
The subject line of that mail chain is: KeyStore configuration ignored

Thanks,
OR

Object Repository

Feb 15, 2016, 1:27:41 AM
to rest-a...@googlegroups.com
Hey Johan,

Here you go:

The REST API I was trying to access uses a keystore, a truststore and a username/password. I haven't been able to figure out how to specify the username/password in rest-assured.

package testPkg;

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;

public class TestClient {

    public static void main(String[] args) throws Exception {
        testAuth();
    }

    public static String testAuth() {
        // Placeholders: fill in the real paths, passwords, login and URL before running
        String KEY_STORE_PATH = "<give keystore file path here>";
        String KEY_STORE_PASSWORD = "<give keystore password here>";
        String TRUST_STORE_PATH = "<give truststore path here>";
        String TRUST_STORE_PASSWORD = "<give truststore password here>";

        String SERVICE_USER = "<give login id here>";
        String SERVICE_ACCT_PASSWORD = "<give password here>";

        // Basic-auth credentials for the service, sent on top of the TLS client certificate
        CredentialsProvider provider = new BasicCredentialsProvider();
        UsernamePasswordCredentials credentials = new UsernamePasswordCredentials(SERVICE_USER, SERVICE_ACCT_PASSWORD);
        provider.setCredentials(AuthScope.ANY, credentials);

        try {
            // Keystore: the client's private key and certificate (proves our identity to the server)
            KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream keystoreInput = new FileInputStream(KEY_STORE_PATH)) {
                keystore.load(keystoreInput, KEY_STORE_PASSWORD.toCharArray());
            }
            System.out.println("Keystore has " + keystore.size() + " entries");

            // Truststore: the CA/server certificates we accept (verifies the server's identity)
            KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream truststoreInput = new FileInputStream(TRUST_STORE_PATH)) {
                truststore.load(truststoreInput, TRUST_STORE_PASSWORD.toCharArray());
            }
            System.out.println("Truststore has " + truststore.size() + " entries");

            // Both stores go to the socket factory: keystore for client auth, truststore for server verification
            SSLSocketFactory sslSocketFactory = new SSLSocketFactory(keystore, KEY_STORE_PASSWORD, truststore);
            HttpClient httpClient = HttpClientBuilder.create()
                    .setSSLSocketFactory(sslSocketFactory)
                    .setDefaultCredentialsProvider(provider)
                    .build();

            HttpGet httpGet = new HttpGet("<give REST API URL here>");
            HttpResponse httpResponse = httpClient.execute(httpGet);

            String response = EntityUtils.toString(httpResponse.getEntity());
            System.out.println("response::" + response);
            System.out.println("responseCode " + httpResponse.getStatusLine().getStatusCode());
            return response;
        } catch (Exception e) {
            System.out.println(e.getCause());
            e.printStackTrace();
        }
        return null;
    }
}

I found this method named certificate in the AuthConfig class in package com.jayway.restassured.internal.http. It looks like it might do the trick; I haven't tried it though. I am not sure what would be passed as the port number and x509HostnameVerifier.

Do let me know if you are able to get the code working in rest-assured.

Thanks,
OR

Johan Haleby

Feb 15, 2016, 2:45:32 AM
to rest-a...@googlegroups.com
Thanks OR! Unfortunately I couldn't find time to look into it this weekend so I'll try to look the next weekend instead. 

Object Repository

Feb 21, 2016, 3:05:12 AM
to rest-a...@googlegroups.com
Hey Johan,

Did you get a chance to fix this? I am stuck because of this. :(

Thanks,
OR

Johan Haleby

Feb 21, 2016, 7:08:44 AM
to rest-a...@googlegroups.com
No not yet unfortunately. You're of course welcome to provide a pull request as well but I hope to be able to look into it soonish (but I can't make any promises).

Johan Haleby

Feb 21, 2016, 3:26:45 PM
to rest-a...@googlegroups.com
I've now tried to get this working. I've now deployed a new snapshot that should address these issues. Please try version 2.8.1-SNAPSHOT after having added the following Maven repository:

<repositories>
        <repository>
            <id>sonatype</id>
            <snapshots />
        </repository>
</repositories>

Please try it out and tell me if it works. 

Regards
/Johan

Johan Haleby

Feb 21, 2016, 3:28:36 PM
to rest-a...@googlegroups.com
I'm also a bit uncertain if keystore is actually needed at all from a client perspective? Can you use a keystore to verify the server?
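The thread keeps circling around what the two stores are for, and the question above asks it directly. As an added example (not code from this thread, from REST Assured or from Apache HttpClient), the JDK's own KeyManagerFactory and TrustManagerFactory make the roles explicit: the keystore feeds the KeyManager (the client's private key, used to authenticate to the server), the truststore feeds the TrustManager (the certificates used to verify the server), so a keystore alone does not verify anything. All paths and passwords below are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
public class MutualTlsContext {
    // Loads a keystore file (JKS or PKCS12, per the JDK default type); path and password are placeholders.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }
    // Lists what a store contributes: key entries identify this client, certificate entries are what it trusts.
    // A "keystore" holding only certificates cannot answer the server's client-cert request (one route to bad_certificate).
    static int countKeyEntries(KeyStore ks, String label) throws Exception {
        int keys = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            boolean isKey = ks.isKeyEntry(alias);
            if (isKey) keys++;
            System.out.println(label + ": " + (isKey ? "key entry " : "trusted cert ") + alias);
        }
        return keys;
    }
    static SSLContext build(KeyStore keystore, char[] keyPassword, KeyStore truststore) throws Exception {
        // KeyManager: the client's own private key and certificate chain (from the keystore)
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keystore, keyPassword);
        // TrustManager: the CA/server certificates the client accepts (from the truststore)
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        KeyStore keystore = load("<keystore path>", "<keystore password>".toCharArray());
        KeyStore truststore = load("<truststore path>", "<truststore password>".toCharArray());
        if (countKeyEntries(keystore, "keystore") == 0) throw new IllegalStateException("keystore has no private key");
        countKeyEntries(truststore, "truststore");
        SSLContext ctx = build(keystore, "<key password>".toCharArray(), truststore);
        // Hand ctx to HttpClient via new org.apache.http.conn.ssl.SSLSocketFactory(ctx), as in OR's post above
        System.out.println("TLS context ready: " + ctx.getProtocol());
    }
}
```

Running it with -Djavax.net.debug=ssl,handshake, as Maciej did, shows the client's certificate chain being sent only when the keystore actually contains a key entry.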