Welcome to sslcontext-kickstart Discussions!

[Hakky54]

👋 Welcome!

We’re using Discussions as a place to connect with other members of our community. We hope that you:

• Ask questions you’re wondering about.
• Share ideas.
• Engage with other community members.
• Welcome others and are open-minded. Remember that this is a community we
  build together 💪.

To get started, comment below with an introduction of yourself and tell us about what you do with this community.

[lxjoyner]

Question, Im currently writing code to use the PemUtils, do the library get the password from the private key within the key.pem file and save it to keyPassword or do I have to create the variable and save the password to keyPassword manually. Speaking of line item 302 from PemUtils.class.

[Hakky54]

Hey @lxjoyner the line number you mentioned references to a blank line on the latest source code. Which version of the library are you using?

[lxjoyner]

Using sslcontext-kickstart-for-pem 7.0.3

[lxjoyner]

here is the code

/**
* Loads the identity material based on a certificate chain and a private key
* from the filesystem and maps it to an instance of {@link X509ExtendedKeyManager}
*/
public static X509ExtendedKeyManager loadIdentityMaterial(Path certificateChainPath, Path privateKeyPath, char[] keyPassword) {
return loadIdentityMaterial(certificateChainPath, privateKeyPath, keyPassword, IOUtils::getFileAsStream);
}

[Hakky54]

Yes, now it is clear! The library does not get the password from the pem file itself. You should provided it. You should create a variable indeed, similar to this unit test here

sslcontext-kickstart/sslcontext-kickstart-for-pem/src/test/java/nl/altindag/ssl/util/PemUtilsShould.java

Line 268 in 2a716fb

DEFAULT_PASSWORD

Here is an encrypted pem file is being used and a separate password is provided.

[lxjoyner]

Question, I have 3 pem files, ca.pem, privatkey.pem an publicert.pem; currently viewing the PemUtils.java file trying to decide which code snippet to use. Can I use this one to get material needed, or do I need to use the code snippet for each pem file type from PemUtils.java.

private static X509ExtendedKeyManager parseIdentityMaterial(Certificate[] certificatesChain, PrivateKey privateKey) {
try {
KeyStore keyStore = KeyStoreUtils.createKeyStore();
keyStore.setKeyEntry(CertificateUtils.generateAlias(certificatesChain[0]), privateKey, DUMMY_PASSWORD, certificatesChain);
return KeyManagerUtils.createKeyManager(keyStore, DUMMY_PASSWORD);
} catch (KeyStoreException e) {
throw new GenericKeyStoreException(e);
}
}

static PemUtils getInstance() {
    return INSTANCE;
}

private JcaPEMKeyConverter getKeyConverter() {
    return keyConverter;
}

private JcaX509CertificateConverter getCertificateConverter() {
    return certificateConverter;
}

[Hakky54]

I think the unit test here: PemUtilsShould should give you insight of how to use all of the methods and it should also be helpful to decide which method to use. The unit test uses files from the test resources, see here: https://github.com/Hakky54/sslcontext-kickstart/tree/2a716fb5d7b6f2a7a157ef66027ec4c833dc79af/sslcontext-kickstart-for-pem/src/test/resources/pem which also should give you an idea which files are being used at which place and in that way you could easily make the link between this and your own situation

[lxjoyner]

Pertaining to PemUtils I keep getting error message for the below code I used certificatePaths as the variable to hold the actual filesystem path for the dev.pem certificate. I get error: cannot find symbol loadCertificate(certificatePaths). Where is the method loadCertificate or do I have the path incorrect .......................................... ^
private static final Path certificatePaths = Path.of("C:/Users/lj43090/git/167251/src/main/resources/dev.pem")

public static X509ExtendedTrustManager loadTrustMaterial(Path certificatePaths) {
return mapTrustMaterial(
loadCertificate(certificatePaths)
);
}

[Hakky54]

I think you specified your path incorrectly. On windows you need to specify the slash other way and also escape it. Can you retry with: Paths.get("C:\\Users\\lj43090\\git\\167251\\src\\main\\resources\\dev.pem");

[lxjoyner]

The PemUtils is only used as a library correct, because I created a PemUtils.java in my application but I also see it inside the kickstart-for-pem library. So Im assuming I dont need to use the PemUtils directly. Let me know if I'm on the right track.

[Hakky54]

It is not so clear what you mean. Can you try to explain it different or demonstrate what you are trying to do? It would be easier if you have an example project on your git repo so the context would be more clear to me.

[lxjoyner]

I have written a class titled PemService.java, I have written code within the class to return keyManager and another to return trustManager but I dont know how to get the return keyManager and trustManager to an api in springboot. I tried looking for examples but all I see using the default springboot that is setup using apppplication.yml. Im using the sslcontext-kickstart-for pem. Here are the files I created.
@service
public final class PemService{
private static final Logger log = LoggerFactory.getLogger(PemService.class);

static {
     Security.addProvider(new BouncyCastleProvider())
}

private static final String PEM_LOCATION = "src/main/resources";
private static final char[] DEFAULT_PASSWORD = "fdc1234".toCharArray();

public static X509ExtendedKeyManager loadEncryptedPrivateKeyAndCertificateAsIdentityFromClassPath(){

    X509ExtendedKeyManager keyManager = PemUtils.loadIdentityMaterial(PEM_LOCATION + 
        "dev.pem", PEM_LOCATION + "devkey.pem", DEFAULT_PASSWORD);
	
	if(keyManager != null){
	 log.debug("keyManager is not null")
	 
	 }else{
	     log.debug("keyManager is null, check key and file location");
		 
		 }
		 return keyManager;
}

public static X509ExtendedTrustManager loadSingleTrustMaterialFromClassPathAsSingleFile(){

    X509ExtendedTrustManager trustManager = PemUtils.loadTrustMaterial(PEM_LOCATION + "devca.pem");
	
	if(trustManager != null){
	 log.debug("trustManager is not null")
	 
	 }else{
	     log.debug("trustManager is null, check trust and file location");
		 
		 }
		 return trustManager;
}

}

[Hakky54]

Hi @lxjoyner

Spring boot has by default an embedded tomcat server which is only configurable through properties such as application.yml As far as I know tomcat does not expose any endpoint to configure the ssl configuration through ssl context, keymanager or Trust manager or sslserversocketfactory.

If you don't want to change anything to your server, than i would recommend to import the pem files into a p12 keystore file and configure the path to your keystore through the application.yml

But if you still want to use this library with spring boot that i would suggest to have a look at this sub project here: https://github.com/Hakky54/java-tutorials/tree/main/instant-server-ssl-reloading

This project demonstrates how to set a custom ssl configuration with this library for a spring boot server. I removed tomcat and added jetty as the embedded server. I would recommend to go through the pom file and the ssl configuration, see here https://github.com/Hakky54/java-tutorials/tree/main/instant-server-ssl-reloading/server/src/main/java/nl/altindag/server/config you can ignore all other java classes as that is added to demonstrate the hot swappable ssl configuration.

[lxjoyner]

That is the reason that I'm using Jetty server, I excluded Tomcat server. I don't know how to use spring boot to get the keyManager and trustManager from the code example PemService.java I sent you. If you have a example api that obtains the keyManager and trustManager materials and open an ssl connection using the PemService.java I sent to you would be great.

[Hakky54]

I have rewritten your pemservice into the follow code snippet, can you try it out?

import nl.altindag.ssl.SSLFactory;
import nl.altindag.ssl.util.JettySslUtils;
import nl.altindag.ssl.util.PemUtils;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.springframework.boot.web.embedded.jetty.JettyServerCustomizer;
import org.springframework.boot.web.embedded.jetty.JettyServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import java.util.Collections;

@Configuration
public class ServerConfig {

    @Bean
    public ConfigurableServletWebServerFactory webServerFactory(SslContextFactory.Server sslContextFactory) {
        JettyServletWebServerFactory factory = new JettyServletWebServerFactory();

        JettyServerCustomizer jettyServerCustomizer = server -> {
            ServerConnector serverConnector = new ServerConnector(server, sslContextFactory);
            serverConnector.setPort(8443);
            server.setConnectors(new Connector[]{serverConnector});
        };
        factory.setServerCustomizers(Collections.singletonList(jettyServerCustomizer));

        return factory;
    }

    @Bean
    public SslContextFactory.Server sslContextFactory(SSLFactory sslFactory) {
        return JettySslUtils.forServer(sslFactory);
    }

    @Bean
    public SSLFactory sslFactory() {
        X509ExtendedKeyManager keyManager = PemUtils.loadIdentityMaterial("dev.pem", "devkey.pem", "fdc1234".toCharArray());
        X509ExtendedTrustManager trustManager = PemUtils.loadTrustMaterial("devca.pem");

        return SSLFactory.builder()
                .withIdentityMaterial(keyManager)
                .withTrustMaterial(trustManager)
                .build();
    }

}

You need the following two dependencies:

<dependency>
    <groupId>io.github.hakky54</groupId>
    <artifactId>sslcontext-kickstart-for-jetty</artifactId>
    <version>7.4.3</version>
</dependency>
<dependency>
    <groupId>io.github.hakky54</groupId>
    <artifactId>sslcontext-kickstart-for-pem</artifactId>
    <version>7.4.3</version>
</dependency>

[lxjoyner]

We use Artifactory that have sslcontext-kickstart-for-jetty-7.0.3, is there a big difference between 7.0.3 or 7.4.3

[Hakky54]

No there is no change on that library. You can use the older version without an issue. Although the version number is different it was updated to match the other submodules of this project.

[lxjoyner]

Im getting an error when I run the application it gradle builds with no issues but once running the application I get this error: org.springframework.context.ApplicationContextException: Unable to start web server; nested exception is org.springframework.beans.factory.UnstatisfiedDependencyException: Error creating bean with name 'webServerFactory' defined in class path resource [com/citi/sddc/api/config/ServerConfig.class]: Unsatisfied dependency expressed through met hod 'webServerFactory' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'sslContextFactory' defined in class path resource [com/citi/sddc/api/config/ServerConfig.class]: Unsatisfied dependency expressed through method 'sslContextFactory' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sslFactory' defined in class path resource [com/citi/sddc/api/config/ServerConfig.class]

[lxjoyner]

Caused by: nl.altindag.ssl.exception.GenericIOException: java.lang.IllegalArgumentException: No valid InputStream has been provided. InputStream must be present, but was absent.

[Hakky54]

It seems that during application runtime the inputstream you have provided is null. Please check why it is null

[lxjoyner]

Are you speaking of the actual pem files

[Hakky54]

That could be the case indeed when you are trying to load the pen files from the classpath. If that's the case, than you need to make sure those files are present at the classpath.

[lxjoyner]

I added this to the ServerConfig.java class trying to make sure the pem files are being accessed: private static final String PEM_LOCATION = "src/main/resources";
then added this;
@bean
public SSLFactory sslFactory() {
X509ExtendedKeyManager keyManager = PemUtils.loadIdentityMaterial(PEM_LOCATION + "dev.pem", PEM_LOCATION "devkey.pem", "fdc1234".toCharArray());
X509ExtendedTrustManager trustManager = PemUtils.loadTrustMaterial(PEM_LOCATION + "devca.pem");

    return SSLFactory.builder()
            .withIdentityMaterial(keyManager)
            .withTrustMaterial(trustManager)
            .build();
}

[Hakky54]

Can you retry without the prefix src/main/resources

[lxjoyner]

Also I'm using version 7.0.3 of sslcontext-kickstart-7.3.0 and version 7.2.0 of sslcontext-kickstart-for-jetty. Would that make a difference.

[Hakky54]

I don't think that is causing the issue, but my answer here should probably do the trick #34 (reply in thread)

[lxjoyner]

Here is the exception Im getting now that I removed the prefix: "src/main/resources"

Factory method 'sslFactory' threw exception; nested exception is nl.altindag.ssl.exception.PrivateKeyParseException: org.bouncycastle.openssl.PEMException: exception processing key pair: JCE cannot authenticate the provider BC.

[Hakky54]

Your issue looks exact the same as this one #171 (comment)

Can you follow the steps which i described here: #171 (comment)

[lxjoyner]

Sounds like I may have a bad password must be a way to check it.

[lxjoyner]

I double checked the password using command prompt "openssl rsa -in src/main/resources/devkey.pem then put in the password I have and it worked so I know its not the password. But the password is encrypted will that make a difference.

[lxjoyner]

found the problem I was using Bouncycastle lib outside of your library, no longer receiving error now I have to fix the actual rest call since it is a secure call.

[lxjoyner]

Its working now, question can I use the sslcontext-kickstart to update certificate without restarting server.

[Hakky54]

Awesome, you are making some good progress! And indeed it is possible to reload the ssl configuration but it requires a slightly different setup with the SSLFactory. See here for the documentation https://github.com/Hakky54/sslcontext-kickstart#support-for-swapping-keymanager-and-trustmanager-at-runtime

[lxjoyner]

Should I create a new java class for it or put it within the ServerConfig.java class

[Hakky54]

I would recommend to edit the ServerConfig.java file

[lxjoyner]

Thank you for all your help, I will add it to the ServerConfig.java file.

[lxjoyner]

Question in (SSLFactory baseSslFactory = SSLFactory.builder()
.withIdentityMaterial("identity.jks", "password".toCharArray())
.withTrustMaterial("truststore.jks", "password".toCharArray())
.withSwappableIdentityMaterial()
.withSwappableTrustMaterial()
.build();)
Do I suppose to change the identity.jks and trustore.jks since my cert files are in pem format.

[Hakky54]

You can pass the key manager and trust manager object which you created from the pemutils to those methods of the SSLFactory instead of the keystores

[lxjoyner]

Question, do you have any information on getting the CN common name and OU organizational unit from certificate to allow access.

[Hakky54]

Yes, i have two different examples here: https://github.com/Hakky54/java-tutorials

[lxjoyner]

Great examples of CN is it possible to use CN and OU as our organization is very large and only certain CN with a certain OU is allowed to access with certificate authentication.

[Hakky54]

Yes it is possible