The server side gave me a .p12
certificate file which I've clicked and installed on my machine and then I can access the HTTPS
site through browser. Now they want me to crawl their site with the certificate given. I'm stuck at the very first stage of it, trying to get the inputStream
from the httpsURLConnection
. The site has no login. It only checks if you have the certificate or not.
What I've done so far was to use Firefox to export out the certificate in a .crt
file format. Then I used the keytool command to import it (the .crt
file, not the .p12
) into java keystore. Then in the code:
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); File ksFile = new File(keystorePath); in = new FileInputStream(ksFile); ks.load(in, "changeit".toCharArray()); X509Certificate cert = (X509Certificate) ks.getCertificate(certificateAlias); SSLContext sc = SSLContext.getInstance("TLS"); sc.init(null, trustAllCerts, new java.security.SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); HttpsURLConnection con = (HttpsURLConnection) (new URL(urlString)).openConnection(); con.connect(); con.getInputStream(); con.disconnect();
The getInputStream()
will give me 403 error forbidden access. I've searched through other related topics and are actually deeply more confused than before reading them. Would greatly appreciate answers.
Additional Details:
How to open a P12 file. To install a p12 key on a Windows or Mac PC, simply double-click the file. The Certificate Import Wizard (Windows) or Add Certificates Wizard (Mac) will appear to guide you through installing the key.
The . p12 contains both the private and the public key, and also information about the owner (name, email address, etc. ) all being certified by a third party. With such certificate, a user can identify himself and authenticate himself to any organization trusting the third party.
Your P12 file must contain the private key, the public certificate from the Certificate Authority, and all intermediate certificates used for signing. Your P12 file can contain a maximum of 10 intermediate certificates.
If you want to attempt to code up the SSL configuration, you could use the P12 file given to you without having to convert it into a JKS. Also, you will need to use the private key in the P12, and not just the certificates that you copied into the JKS. Not sure if this will suit your needs directly, but this may put you on the right path:
KeyStore clientStore = KeyStore.getInstance("PKCS12"); clientStore.load(new FileInputStream("test.p12"), "testPass".toCharArray()); KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); kmf.init(clientStore, "testPass".toCharArray()); KeyManager[] kms = kmf.getKeyManagers(); KeyStore trustStore = KeyStore.getInstance("JKS"); trustStore.load(new FileInputStream("cacerts"), "changeit".toCharArray()); TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(trustStore); TrustManager[] tms = tmf.getTrustManagers(); SSLContext sslContext = null; sslContext = SSLContext.getInstance("TLS"); sslContext.init(kms, tms, new SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory()); URL url = new URL("https://www.testurl.com"); HttpsURLConnection urlConn = (HttpsURLConnection) url.openConnection();
Configuring the trustStore this way is optional. You could create a JKS with all of the certificates in the chain of your P12, or just make sure they are in your JRE's cacerts file. As for keytool, for reference, you can run keytool commands on a P12 (specify -storetype pkcs12), but cannot import a P12 into a JKS. You also cannot export just a key from a P12 with the keytool command.
I have no servers setup at the moment to test out this code, so give it a shot and see if you still receive the 403 error.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With