I’m trying to automate some tasks on a website using Java. I have a valid client for that website (works when I login using firefox), but I keep getting a 403 error when I try to login using http client. Note that I want my trust store to trust anything (I know it’s not safe, but at this point I am not worried about that).
Here’s my code:
KeyStore keystore = getKeyStore();//Implemented somewhere else and working ok
String password = "changeme";
SSLContext context = SSLContext.getInstance("SSL");
KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmfactory.init(keystore, password.toCharArray());
context.init(kmfactory.getKeyManagers(), new TrustManager[] { new X509TrustManager() {
@Override
public void checkClientTrusted(java.security.cert.X509Certificate[] arg0, String arg1)
throws CertificateException {
}
@Override
public void checkServerTrusted(java.security.cert.X509Certificate[] arg0, String arg1)
throws CertificateException {
}
@Override
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
} }, new SecureRandom());
SSLSocketFactory sf = new SSLSocketFactory(context);
Scheme httpsScheme = new Scheme("https", 443, sf);
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(httpsScheme);
ClientConnectionManager cm = new SingleClientConnManager(schemeRegistry);
HttpClient client = new DefaultHttpClient(cm);
HttpGet get = new HttpGet("https://theurl.com");
HttpResponse response = client.execute(get);
System.out.println(EntityUtils.toString(response.getEntity(), "UTF-8"));
The last statement prints out a 403 error. What am I missing here?
Figured it out own my own. The 403 error was getting was because Java SSL was not selecting my client certificate.
I debugged the SSL handshake and found that the server asked for a client certificate issued by a list of authorities and the issuer of my client certificate wasn’t on that list. So Java SSL simply couldn’t find an appropriate certificate on my keystore. It looks like web browsers and Java implement SSL a little differently since my browser actually asks me which certificate to use, no matter what the server certificate asks for in terms of issuers of client certificates.
In this case, the server certificate is to blame. It is self-signed and the list of issuers it informs as acceptable is incomplete. And that doesn’t mix well with the Java SSL implementation. But the server isn’t mine and there is nothing I can do about it, except for complaining about the brazilian government (their server). Without further due, here’s my work around:
First, I used a TrustManager that trusts anything (like I did in my question):
Then I implemented a key manager that always uses the key I want from a PKCS12 (.pfx) certificate:
This would work if my pfx also contained its issuer certificate. But it doesn’t (yay!). So when I used the key manager as above, I got a SSL handshake error (peer not authenticated). The server only authenticates the client if the client sends a certificate chain that the server trusts. Since my certificate (issued by a Brazilian agency) doesn’t contain its issuer, its certificate chain contains only itself. The server doesn’t like that and denies to authenticate the client. The work around is to create manually the certificate chain:
After that, it was just a matter of putting my custom key and trust managers to good use: