Testing with untrusted HTTPS

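This article describes how to resolve the trust problems encountered when testing web applications that use unsigned HTTPS certificates. There are two main steps: first capture the web server's certificate, then import it with Sun's keytool utility. With this approach, HTTPS sites that use self-signed certificates can be tested successfully in a development environment.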
 

Testing web applications in development environments that use HTTPS with unsigned certificates can be challenging, especially if you’ve never had the pleasure of working with Sun’s keytool utility and X.509 security certificates.

This issue manifests itself as javax.net.ssl.SSLHandshakeExceptions and sun.security.validator.ValidatorExceptions. For example, attempting to access an untrusted HTTPS site from Java may yield stack traces with these tidbits:

javax.net.ssl.SSLHandshakeException: 
 sun.security.validator.ValidatorException: 
  PKIX path building failed: 
    sun.security.provider.certpath.SunCertPathBuilderException:
	 unable to find valid certification path to requested target
...
Caused by: sun.security.validator.ValidatorException: 
 PKIX path building failed: 
  sun.security.provider.certpath.SunCertPathBuilderException:
   unable to find valid certification path to requested target
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
 unable to find valid certification path to requested target

Solving this problem requires two steps. First, the web server’s certificate must be captured. Then, the certificate must be imported with Sun’s keytool utility (which comes with Java).

Obtaining a copy of the certificate in X.509 format requires Microsoft’s Internet Explorer. By placing the https URL into the browser window, a dialog will pop up requesting permission to accept the certificate. Click the View Certificate button and then the Details tab. In this tab, click the Copy to File button, then click Next and select the Base-64 encoded X.509 (.CER) option. After that, click Next to save the resulting file.

Importing the .cer file requires the keytool utility, which can be found in the bin directory of a Java installation. With this tool, the .cer file is imported into the cacerts file, which is located in the lib/security directory of a Java installation. The easiest thing to do is to copy the .cer file obtained via Internet Explorer to the lib/security directory under the Java home directory.

For example, if using the Java SDK 1.4.2, the location on Windows could be something like: C:/j2sdk1.4.2_05/jre/lib/security.

Once the .cer file has been copied to that directory, open a command prompt and either go to the security directory or use qualified paths. Type the following command:

$ ../../bin/keytool.exe -import -storepass changeit -file mycert.cer -keystore cacerts -alias mycert

The only aspects requiring changes are the name of the certificate (in this case mycert.cer) and the alias (mycert).
The keytool will print a series of statements describing the certificate and finally ask whether or not to trust the certificate. Type yes and hit enter.

The problem should be solved. Verifying things is as easy as writing a test case. For instance, the following JUnit test verifies that an untrusted HTTPS site can be hit via Jakarta’s HttpClient.

package test.com.srv.rls.https.submit;

import junit.framework.TestCase;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;

public class HttpsSubmitTest extends TestCase {

 public void testHttpsConnection() throws Exception{
  HttpClient httpclient = new HttpClient();
  GetMethod httpget =
   new GetMethod("https://prf.acme.com:4175/invoke/ir/rve");
  try {
   httpclient.executeMethod(httpget);
   assertEquals("should have been 200",
      200, httpget.getStatusLine().getStatusCode());
  }finally {
   httpget.releaseConnection();
  }
 }
}

Now testing web applications via JUnit extensions like jWebUnit or HttpUnit is a breeze, so long as they run in the VM which contains the updated keystore.
