Hi everyone I m trying to call via Wiremock an external endp WireMock #wiremock-java

Hi everyone, I'm trying to call via Wiremock an ex...

Alessandro Bramati

03/02/2023, 9:52 AM

Hi everyone, I'm trying to call via Wiremock an external endpoint protected by mutual authentication; here the config:

Copy code

wireMockConfiguration = options()
                        .disableRequestJournal()
                        .usingFilesUnderDirectory(rootFolder)
                        .port(Integer.parseInt(getProperty("port")))
                        .adminAuthenticator(getAdminAuthenticator())
                        .jettyAcceptors(Integer.parseInt(getPropertyOrDefault("acceptor.threads", DEFAULT_ACCEPTOR_THREADS)))
                        .keystorePath(getProperty("keystore.path"))
                        .keystorePassword(getProperty("keystore.password"))
                        .trustStorePath(getProperty("truststore.path"))
                        .trustStorePassword(getProperty("truststore.password"))
                        .extensions(
                                new AdminRequestLoggingFilter(),
                                new ServiceRequestLoggingFilter(),
                                new ServiceResponseLoggingFilter(),
                                new ResponseTemplateTransformer(true));

Here the error:

Copy code

SL failure trying to make a proxied request from WireMock to ...
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

My keystore contains my private cert and the truststore contains the server certificate (everything ok with curl). Is there something missing? Thanks Alessandro

Rob Elliot

03/02/2023, 10:10 AM

The exception suggests that your trust store does not contain the necessary certificates to communicate with the remote server. Have you tried writing a simple main method that uses the java http client to call the remote server using your trust store?

Alessandro Bramati

03/02/2023, 10:49 AM

Hi @Rob Elliot, yes it works perfectly with the same keystore and truststore.

Alessandro Bramati

03/02/2023, 12:31 PM

Is there a way to override the default HttpClientFactory?

<https://github.com/wiremock/wiremock/blob/2.35.0/src/main/java/com/github/tomakehurst/wiremock/http/HttpClientFactory.java>

Rob Elliot

03/02/2023, 2:40 PM

BTW are you doing client certificates as well as server certificates? The WireMock client doesn't do client certificates I'm afraid

Rob Elliot

03/02/2023, 2:42 PM

No, there's no easy way to inject a different HttpClientFactory sadly - it's constructed statically in

ProxyResponseRenderer

🙁

Alessandro Bramati

03/02/2023, 2:45 PM

I think the problem is about the server certificates, since calling other endpoints with the certificates previously trusted in cacerts, everything is ok. So it seems that the client cert are correctly used by Wiremock, but not the server ones :-(

Rob Elliot

03/02/2023, 2:46 PM

Can you share your test main method? Presumably the trust store only contains public certs, so you could perhaps share that too?

Alessandro Bramati

03/02/2023, 3:22 PM

Yes I can, but the endpoint is not testable since the domain is not exposed on Internet

Alessandro Bramati

03/02/2023, 3:26 PM

Copy code

import javax.net.ssl.*;
import java.io.BufferedReader;
import java.io.DataOutputStream;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyStore;

public class MutualAuthHttpClient {
    private static final String KEYSTORE_TYPE = "JKS";
    private static final String KEYSTORE_PASSWORD = "password";
    private static final String TRUSTSTORE_TYPE = "JKS";
    private static final String TRUSTSTORE_PASSWORD = "password";
    private static final String KEY_MANAGER_ALGORITHM = "SunX509";
    private static final String SSL_CONTEXT_PROTOCOL = "TLS";

    public static void main(String[] args) throws Exception {
        String endpointUrl = "endpoint";
        String keystoreFilePath = "path/to/keystore";
        String truststoreFilePath = "path/to/keystore";

        KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
        keyStore.load(new FileInputStream(keystoreFilePath), KEYSTORE_PASSWORD.toCharArray());
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KEY_MANAGER_ALGORITHM);
        keyManagerFactory.init(keyStore, KEYSTORE_PASSWORD.toCharArray());

        KeyStore trustStore = KeyStore.getInstance(TRUSTSTORE_TYPE);
        trustStore.load(new FileInputStream(truststoreFilePath), TRUSTSTORE_PASSWORD.toCharArray());
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(KEY_MANAGER_ALGORITHM);
        trustManagerFactory.init(trustStore);

        SSLContext sslContext = SSLContext.getInstance(SSL_CONTEXT_PROTOCOL);
        sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);

        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());

        HttpsURLConnection.setDefaultHostnameVerifier((String hostname, SSLSession session) -> true);

        URL url = new URL(endpointUrl);
        HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
        connection.setRequestMethod("POST");
        connection.setRequestProperty("Content-Type", "application/json");
        connection.setDoOutput(true);

        
        DataOutputStream outputStream = new DataOutputStream(connection.getOutputStream());
        outputStream.flush();
        outputStream.close();

        BufferedReader in = new BufferedReader(new InputStreamReader(connection.getInputStream()));
        String inputLine;
        StringBuffer response = new StringBuffer();
        while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
        }
        in.close();

        System.out.println(response.toString());
    }
}

Rob Elliot

03/02/2023, 3:57 PM

It looks like you're using WireMock as a reverse proxy, not a forward/browser proxy, correct?

Rob Elliot

03/02/2023, 3:59 PM

(i.e. you haven't called

enableBrowserProxying(true)

when you configured WireMock, so presumably instead you are configuring a specific stub to proxy to the endpoint, and calling WireMock directly)

Alessandro Bramati

03/02/2023, 4:29 PM

Yes, using it in this way: just proxying a specific endpoint configured in /mappings.

Rob Elliot

03/02/2023, 4:30 PM

That’s particularly odd because WireMock should not validate certs when doing that…

Rob Elliot

03/02/2023, 4:32 PM

(The theory is that you know what you’re doing when you explicitly proxy to an endpoint and privately signed certs are very common in testing)

Alessandro Bramati

03/03/2023, 7:17 AM

@Rob Elliot sorry but I didn't get it: the way I use WM is actually not the right one? Anyway thanks for your support :-)

Rob Elliot

03/03/2023, 8:39 AM

It might be worth seeing if it will work without the trust store settings… I’ll have a look when I get in.

Alessandro Bramati

03/03/2023, 9:21 AM

This is the only way I make it working:

Copy code

wireMockConfiguration = options()
                        .disableRequestJournal()
                        .usingFilesUnderDirectory(rootFolder)
                        .port(Integer.parseInt(getProperty("port")))
                        .adminAuthenticator(getAdminAuthenticator())
                        .jettyAcceptors(Integer.parseInt(getPropertyOrDefault("acceptor.threads", DEFAULT_ACCEPTOR_THREADS)))
                        .keystorePath(getProperty("keystore.path"))
                        .keystorePassword(getProperty("keystore.password"))
                        .trustStorePath(getProperty("keystore.path"))
                        .trustStorePassword(getProperty("keystore.password"))
                        //.notifier(new ConsoleNotifier(true))
                        .extensions(
                                new AdminRequestLoggingFilter(),
                                new ServiceRequestLoggingFilter(),
                                new ServiceResponseLoggingFilter(),
                                new ResponseTemplateTransformer(true));

I forced the truststore reading the keystore and I trusted the root CA in my cacerts. If I don't set the truststore (even wrong) it doesn't work throwing this error:

Copy code

SSL failure trying to make a proxied request from WireMock to *endpoint*
Received fatal alert: handshake_failure

I found a similar problem here: https://groups.google.com/g/wiremock-user/c/SugVgCVypss

Alessandro Bramati

03/03/2023, 1:47 PM

Hi @Tom, any suggestion? Thanks in advance

Alessandro Bramati

03/14/2023, 3:07 PM

Hi @Tom, @Rob Elliot have you read this thread? https://groups.google.com/g/wiremock-user/c/SugVgCVypss

Rob Elliot

03/15/2023, 9:47 AM

Ah, sorry, I missed the "mutual authentication" in the original. Hence why you are using reverse proxying and why you still get TLS errors despite WireMock ignoring them. The diagnosis in that thread seems fairly sound You could raise an issue with a PR and some good tests and we could look to fixing it. I can't make any promises on timescale though I'm afraid.

Alessandro Bramati

03/16/2023, 9:28 AM

Hi @Rob Elliot, thank you very much for the support; I'm looking forward to do it 🙂

149 Views

Open in Slack

Previous Next