開発ä¸ã®ãƒ†ã‚¹ãƒˆç’°å¢ƒã¨ã‹ã§ã€ã‚ˆãã‚ã‚‹ãƒã‚¿ï¼Ÿçš„ãªã€‚
Apache HttpComponentsï¼Clientを使ã£ã¦ã€SSL自己署å証明書を使ã£ã¦é€šä¿¡ã—ãŸã‚Šã€ãƒ›ã‚¹ãƒˆåã®æ¤œè¨¼ã‚’無効化ã™ã‚‹æ–¹æ³•ã«ã¤ã„ã¦ã€ãƒ¡ãƒ¢ã¨ã—ã¦æ›¸ã„ã¦ãŠãã¾ã™ã€‚
Apache HttpComponents – Apache HttpComponents
ã„ã¤ã‚‚微妙ã«ã‚„り方を忘れã¦ã€æ¯Žåº¦æ¯Žåº¦èª¿ã¹ã‚‹ã“ã¨ã«ãªã£ã¦ã„ã‚‹ã®ã§ã€å‚™å¿˜éŒ²çš„ã«ã¨ã€‚
ã‚‚ã¡ã‚ã‚“ã€ã”利用ã¯ãƒ†ã‚¹ãƒˆãªã©ã§ã®ç¯„囲ã§ã€ã§ã™ã。
ã¡ãªã¿ã«ã€java.net.URLConnectionを使ã†å ´åˆã«ã¤ã„ã¦ã¯ã€ä»¥å‰æ›¸ãã¾ã—ãŸã€‚
JavaでSSL証明書の検証無効化、ホスト名検証の無効化…とデバッグ - CLOVER
準備
Apache HttpComponentsã£ã¦ã€ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã§ã‘ã£ã“ã†ã‚³ãƒã‚³ãƒAPIãŒå¤‰ã‚ã‚‹ã®ã§ã€ã€Œã“ã‚Œï¼ã€ã¨ã„ã†ã®ã¯è¨€ã„ã¥ã‚‰ã„ã®ã§ã™ãŒã€ä»Šå›žã¯Apache HttpComponents(ã¨ã„ã†ã‹Client)ã®4.5.1を対象ã«ã—ã¾ã™ã€‚
<dependency> <groupId>org.apache.httpcomponents</groupId> <artifactId>httpclient</artifactId> <version>4.5.1</version> </dependency>
テストコードã«ã¯ã€JUnit+AssertJを利用。
<dependency> <groupId>junit</groupId> <artifactId>junit</artifactId> <version>4.12</version> <scope>test</scope> </dependency> <dependency> <groupId>org.assertj</groupId> <artifactId>assertj-core</artifactId> <version>3.2.0</version> <scope>test</scope> </dependency>
ã¾ãŸã€ãƒ†ã‚¹ãƒˆç”¨ã®SSLを有効ã«ã—ãŸWebサーãƒãƒ¼ã¯ã€Ubuntu Linuxã§ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã§ãã‚‹SSLを有効ã«ã—ãŸApacheã¨ã—ã¾ã—ãŸã€‚
サンプルコードã§ä½¿ã†importæ–‡
以é™ã®ã‚µãƒ³ãƒ—ルコードã§ã¯ã€ä»¥ä¸‹ã®importæ–‡ãŒã‚ã‚‹ã“ã¨ã‚’å‰æã«ã—ã¦ã„ã¾ã™ã€‚
import java.io.IOException; import java.nio.charset.StandardCharsets; import java.security.KeyManagementException; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import javax.net.ssl.HostnameVerifier; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLHandshakeException; import javax.net.ssl.SSLPeerUnverifiedException; import org.apache.http.HttpStatus; import org.apache.http.client.methods.CloseableHttpResponse; import org.apache.http.client.methods.HttpGet; import org.apache.http.conn.ssl.NoopHostnameVerifier; import org.apache.http.conn.ssl.SSLConnectionSocketFactory; import org.apache.http.conn.ssl.TrustSelfSignedStrategy; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClients; import org.apache.http.ssl.SSLContexts; import org.apache.http.ssl.TrustStrategy; import org.apache.http.util.EntityUtils; import org.junit.Test; import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThatThrownBy;
ã§ã¯ã§ã¯ã€æ›¸ã„ã¦ã„ã£ã¦ã¿ã¾ã™ã€‚
事象ãã®1ã€è‡ªå·±ç½²å証明書ãªã®ã§ã‚¨ãƒ©ãƒ¼ã«ãªã‚‹
通信時ã«ã€ã“ã‚“ãªã‚¹ã‚¿ãƒƒã‚¯ãƒˆãƒ¬ãƒ¼ã‚¹ãŒå‡ºåŠ›ã•ã‚Œã‚‹ã‚ˆã†ãªã‚±ãƒ¼ã‚¹ã€‚
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
SSL証明書ã®æ¤œè¨¼ã§ã€NGã¨ãªã‚‹å ´åˆã§ã™ã。自己署å証明書ã ã¨ã€ã“ã‚Œã«éé‡ã™ã‚‹ã¨æ€ã„ã¾ã™ã€‚
テストコードã¯ã€ã“ã‚“ãªæ„Ÿã˜ã€‚
@Test public void testSelfSignedFailure() throws IOException { try (CloseableHttpClient client = HttpClients.createDefault()) { HttpGet get = new HttpGet("https://localhost"); assertThatThrownBy(() -> { try (CloseableHttpResponse response = client.execute(get)) { assertThat(response.getStatusLine().getStatusCode()) .isEqualTo(HttpStatus.SC_OK); assertThat(EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8)) .contains("apache2"); } }) .isInstanceOf(SSLHandshakeException.class) .hasMessageContaining("sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"); } }
自己署å証明書ã§ã‚‚OKã«ã™ã‚‹ã«ã¯
ã“れをパスã™ã‚‹ã«ã¯ã€ä»¥ä¸‹ã®ã‚ˆã†ãªã‚³ãƒ¼ãƒ‰ã‚’書ã„ã¦SSLContextを作æˆã—ã¾ã™ã€‚
TrustStrategy trustStrategy = new TrustSelfSignedStrategy();
SSLContext sslContext =
SSLContexts
.custom()
.loadTrustMaterial(trustStrategy)
.build();
TrustStrategyã®å®Ÿè£…ã§ã‚ã‚‹ã€TrustSelfSignedStrategyを使用ã™ã‚‹ã“ã¨ã§è‡ªå·±ç½²å証明書ã§ã‚‚OKã«ãªã‚Šã¾ã™ã‚ˆã€ã¨ã€‚
ã§ã€ã“ã¡ã‚‰ã‚’使ã£ã¦HttpClientを作æˆã™ã‚‹ã€ã¨ã€‚
try (CloseableHttpClient client = HttpClients .custom() .setSSLContext(sslContext) .build()) { HttpGet get = new HttpGet("https://localhost");
ã“ã‚Œã§ã€è¨¼æ˜Žæ›¸ã®ã‚¨ãƒ©ãƒ¼ã¯å›žé¿ã§ãã¾ã™ã€‚
事象ãã®2ã€ãƒ›ã‚¹ãƒˆåã®æ¤œè¨¼ã§ã‚¨ãƒ©ãƒ¼ã«ãªã‚‹
ã“ã‚Œã ã‘ã§ã¯ã¾ã エラーã«ãªã‚‹å ´åˆãŒã€SSL証明書ã«æ›¸ã‹ã‚Œã¦ã„るホストåãŒã€å®Ÿéš›ã«ã‚¢ã‚¯ã‚»ã‚¹ã—ã¦ã„るホストã¨åˆã‚ãªã„å ´åˆã€‚
ã“ã®ã‚±ãƒ¼ã‚¹ã ã¨ã€ã“ã®ã‚ˆã†ãªã‚¹ã‚¿ãƒƒã‚¯ãƒˆãƒ¬ãƒ¼ã‚¹ãŒå¾—られã¾ã™ã€‚
javax.net.ssl.SSLPeerUnverifiedException: Host name 'localhost' does not match the certificate subject provided by the peer (CN=e611e15f9c9d) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353) at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134) at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353) at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380) at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184) at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88) at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
å…ˆã»ã©ã®SSL証明書ã®æ¤œè¨¼ã‚’è¡Œã‚ãªã„ã ã‘ã®ã‚³ãƒ¼ãƒ‰ã¯ã€ã“ã®ã‚ˆã†ãªæ„Ÿã˜ã«ãªã£ã¦ã„ã¾ã™ã€‚
@Test public void testHostNameFailure() throws IOException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException { TrustStrategy trustStrategy = new TrustSelfSignedStrategy(); SSLContext sslContext = SSLContexts .custom() .loadTrustMaterial(trustStrategy) .build(); assertThatThrownBy(() -> { try (CloseableHttpClient client = HttpClients .custom() .setSSLContext(sslContext) .build()) { HttpGet get = new HttpGet("https://localhost"); try (CloseableHttpResponse response = client.execute(get)) { assertThat(response.getStatusLine().getStatusCode()) .isEqualTo(HttpStatus.SC_OK); assertThat(EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8)) .contains("apache2"); } } }) .isInstanceOf(SSLPeerUnverifiedException.class) .hasMessageContaining("Host name 'localhost' does not match the certificate subject provided by the peer (CN=e611e15f9c9d)"); }
ãŒã€ã“ã‚Œã ã¨ä»Šå›žç”¨æ„ã—ãŸç’°å¢ƒã§ã¯ã€ãƒ›ã‚¹ãƒˆåãŒè¨¼æ˜Žæ›¸ã¨ã‚¢ã‚¯ã‚»ã‚¹ãƒ‘スã§ä¸ä¸€è‡´ã®ãŸã‚ã€ã‚¨ãƒ©ãƒ¼ã«ãªã‚‹ã¨ã€‚
ãã“ã§ã€ã“ã“ã§ã¯HostnameVerifierを使用ã—ã¾ã™ã€‚
HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
NoopHostnameVerifierを使用ã™ã‚‹ã¨ã€ãƒ›ã‚¹ãƒˆåã®æ¤œè¨¼ã‚’無効化ã§ãã¾ã™ã€‚
SSL証明書ã®æ¤œè¨¼ã¨ã€ãƒ›ã‚¹ãƒˆåã®æ¤œè¨¼ã‚’全部åˆã‚ã›ãŸã‚³ãƒ¼ãƒ‰ã¯ã€ã“ã®ã‚ˆã†ãªå½¢ã«ãªã‚Šã¾ã™ã€‚
@Test public void testSelfSignedSuccess() throws IOException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException { TrustStrategy trustStrategy = new TrustSelfSignedStrategy(); SSLContext sslContext = SSLContexts .custom() .loadTrustMaterial(trustStrategy) .build(); HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE; try (CloseableHttpClient client = HttpClients .custom() .setSSLContext(sslContext) .setSSLHostnameVerifier(hostnameVerifier) .build()) { HttpGet get = new HttpGet("https://localhost"); try (CloseableHttpResponse response = client.execute(get)) { assertThat(response.getStatusLine().getStatusCode()) .isEqualTo(HttpStatus.SC_OK); assertThat(EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8)) .contains("apache2"); } } }
HostnameVerifierã¯ã€setSSLHostnameVerifierã§æŒ‡å®šã—ã¾ã™ã€‚
try (CloseableHttpClient client =
HttpClients
.custom()
.setSSLContext(sslContext)
.setSSLHostnameVerifier(hostnameVerifier)
.build()) {
ã¨ã‚Šã‚ãˆãšã€ç›®çš„ã¯é”æˆã§ãã¾ã—ãŸã‚ˆã£ã¨ã€‚
別解
SSLContextã¨SSLConnectionSocketFactoryã®çµ„ã¿åˆã‚ã›ã§ã‚‚ã€åŒæ§˜ã®ã“ã¨ãŒå®Ÿç¾ã§ãã¾ã™ã€‚
@Test public void testSelfSignedSuccessAnother() throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException, IOException { TrustStrategy trustStrategy = new TrustSelfSignedStrategy(); SSLContext sslContext = SSLContexts .custom() .loadTrustMaterial(trustStrategy) .build(); HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE; SSLConnectionSocketFactory sslConnSocketFactory = new SSLConnectionSocketFactory(sslContext, hostnameVerifier); try (CloseableHttpClient client = HttpClients .custom() .setSSLSocketFactory(sslConnSocketFactory) .build()) { HttpGet get = new HttpGet("https://localhost"); try (CloseableHttpResponse response = client.execute(get)) { assertThat(response.getStatusLine().getStatusCode()) .isEqualTo(HttpStatus.SC_OK); assertThat(EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8)) .contains("apache2"); } } }
ã“ã®å ´åˆã¯ã€setSSLSocketFactoryを使用ã—ã¾ã™ã€‚
try (CloseableHttpClient client =
HttpClients
.custom()
.setSSLSocketFactory(sslConnSocketFactory)
.build()) {
以上ã§ã—ãŸãƒ¼ã€‚
å‚考)
JSSE_Fortify_SCA_Rules/ApacheHTTPClientFluentExample.java at master · GDSSecurity/JSSE_Fortify_SCA_Rules · GitHub
How do you create SSL socket factory in new Apache Http Client 4.3? - Stack Overflow
