We Keep Coding

Arduino UNO WiFi Rev 2 not posting to SSL connections

I've been having an issue trying to get my UNO WiFi Rev 2 to make a POST request to my https azure server. I've been able to successfully POST to this server using a MKR1000 using the WiFi101 library, so it's weird that I can't get the UNO to POST using the WiFiNINA library. I've tried two approaches to this POST request, if anybody could offer a solution to either of them, I would appreciate it.
My first attempt was based off the WiFININA libary's example for HTTPS POST:
This example creates a client object that connects and transfers
data using always SSL.
It is compatible with the methods normally related to plain
connections, like client.connect(host, port).
Written by Arturo Guadalupi
last revision November 2015
*/
#include <SPI.h>
#include <WiFiNINA.h>
///////please enter your sensitive data in the Secret tab/arduino_secrets.h
char ssid[] = "secret"; // your network SSID (name)
char pass[] = "secret"; // your network password (use for WPA, or use as key for WEP)
int keyIndex = 0; // your network key index number (needed only for WEP)
int status = WL_IDLE_STATUS;
// if you don't want to use DNS (and reduce your sketch size)
// use the numeric IP instead of the name for the server:
//IPAddress server(74,125,232,128); // numeric IP for Google (no DNS)
char server[] = "secret"; // name address for Google (using DNS)
// Initialize the Ethernet client library
// with the IP address and port of the server
// that you want to connect to (port 80 is default for HTTP):
int HTTP_PORT = 443;
String HTTP_METHOD = "POST";
char HOST_NAME[] = "secret";
//IPAddress server(secret);
String PATH_NAME = "/wtid/logCovid";
WiFiSSLClient client;
String queryString = "uuid=5555&manufacturerID=6666";
void setup() {
//Initialize serial and wait for port to open:
Serial.begin(9600);
while (!Serial) {
; // wait for serial port to connect. Needed for native USB port only
}
// check for the WiFi module:
if (WiFi.status() == WL_NO_MODULE) {
Serial.println("Communication with WiFi module failed!");
// don't continue
while (true);
}
String fv = WiFi.firmwareVersion();
if (fv < WIFI_FIRMWARE_LATEST_VERSION) {
Serial.println("Please upgrade the firmware");
}
// attempt to connect to WiFi network:
while (status != WL_CONNECTED) {
Serial.print("Attempting to connect to SSID: ");
Serial.println(ssid);
// Connect to WPA/WPA2 network. Change this line if using open or WEP network:
status = WiFi.begin(ssid, pass);
// wait 10 seconds for connection:
delay(10000);
}
Serial.println("Connected to WiFi");
printWiFiStatus();
Serial.println("\nStarting connection to server...");
// if you get a connection, report back via serial:
if (client.connect(server, HTTP_PORT)) {
Serial.println("connected to server");
// Make a HTTP request:
// MUST HAVE THESE HEADERS AND IN THIS ORDER!!!
client.println(HTTP_METHOD + " " + PATH_NAME + " HTTP/1.1");
client.println("Host: " + String(HOST_NAME));
client.println("User-Agent: Arduino/1.0");
client.println("Connection: close");
client.println("Content-Type: application/x-www-form-urlencoded");
client.print("Content-Length: ");
client.println(queryString.length());
client.println();
// Body AKA the data we are sending to the server
client.print(queryString);
}
}
void loop() {
// if there are incoming bytes available
// from the server, read them and print them:
while (client.available()) {
char c = client.read();
Serial.write(c);
}
// if the server's disconnected, stop the client:
if (!client.connected()) {
Serial.println();
Serial.println("disconnecting from server.");
client.stop();
// do nothing forevermore:
while (true);
}
}
void printWiFiStatus() {
// print the SSID of the network you're attached to:
Serial.print("SSID: ");
Serial.println(WiFi.SSID());
// print your board's IP address:
IPAddress ip = WiFi.localIP();
Serial.print("IP Address: ");
Serial.println(ip);
// print the received signal strength:
long rssi = WiFi.RSSI();
Serial.print("signal strength (RSSI):");
Serial.print(rssi);
Serial.println(" dBm");
}
Here is the Serial monitor response whenever I upload that script:
Starting connection to server...
disconnecting from server.
My second approach was using the ArduinoHttpClient with a WiFiSSLClient, but again no luck:
#include <ArduinoHttpClient.h>
#include <WiFiNINA.h>
///////please enter your sensitive data in the Secret tab/arduino_secrets.h
/////// WiFi Settings ///////
char ssid[] = "secret"; // your network SSID (name)
char pass[] = "secret"; // your network password (use for WPA, or use as key for WEP)
char serverAddress[] = "secret"; // server address
int port = 443;
WiFiSSLClient wifi;
HttpClient client = HttpClient(wifi, serverAddress, port);
int status = WL_IDLE_STATUS;
void setup() {
Serial.begin(9600);
while ( status != WL_CONNECTED) {
Serial.print("Attempting to connect to Network named: ");
Serial.println(ssid); // print the network name (SSID);
// Connect to WPA/WPA2 network:
status = WiFi.begin(ssid, pass);
}
// print the SSID of the network you're attached to:
Serial.print("SSID: ");
Serial.println(WiFi.SSID());
// print your WiFi shield's IP address:
IPAddress ip = WiFi.localIP();
Serial.print("IP Address: ");
Serial.println(ip);
}
void loop() {
Serial.println("making POST request");
String contentType = "application/x-www-form-urlencoded";
String postData = "uuid=4444&manufacturerID=5555";
client.post("/wtid/logCovid", contentType, postData);
// read the status code and body of the response
int statusCode = client.responseStatusCode();
String response = client.responseBody();
Serial.print("Status code: ");
Serial.println(statusCode);
Serial.print("Response: ");
Serial.println(response);
Serial.println("Wait five seconds");
delay(5000);
}
Here is the Serial monitor response whenever I upload that script:
making POST request
Status code: -2
Response:
Wait five seconds
I've updated the WiFiNINA firmware and uploaded the SSL certificates via the arduino IDE to the board as well, and I am able to make SSL GET requests to sites like google.com without issue. I do get Serial responses ensuring that I connected to the wifi, just didn't want to put that part of the Serial monitor response.
Thank you to anyone who can help!
:)

Arduino (ESP8266) with AWS: Cant setup SSL connection

Im using a standart ESP8266 (No NodeMCU) to connect with AWS:
and everything goes normally, I can upload the code to my module:
Im using the libraries 2.5 for esp8266
I already did my part in AWS
/*
ESP8266 AWS IoT demo
Simple demo code to provide static data into AWS IoT platform
#include <ESP8266WiFi.h>
#include <AmazonIOTClient.h>
#include >
Esp8266HttpClient httpClient;
Esp8266DateTimeProvider dateTimeProvider;
AmazonIOTClient iotClient;
ActionError actionError;
const char* ssid = "Bra";
const char* password = "12345678";
void initWLAN()
{
WiFi.begin(ssid, password);
while (WiFi.status() != WL_CONNECTED)
{
delay(500);
}
}
void initAWS()
{
iotClient.setAWSRegion("us-east-2");
iotClient.setAWSEndpoint("amazonaws.com");
iotClient.setAWSDomain("QWERTYU");
iotClient.setAWSPath("/things/thingy/shadow");
iotClient.setAWSKeyID("XDDDDDD");
iotClient.setAWSSecretKey("XDDDDDDI");
iotClient.setHttpClient(&httpClient);
iotClient.setDateTimeProvider(&dateTimeProvider);
}
void setup() {
Serial.begin(115200);
delay(10);
Serial.println("begin");
initWLAN();
Serial.println("wlan initialized");
initAWS();
Serial.println("iot initialized");
}
void loop()
{
char shadow[100];
strcpy(shadow, "{\"state\":{\"reported\":{\"test_value1\":123, \"test_value2\":234}}}");
Serial.println("Trying to send data");
Serial.print(shadow);
char* result = iotClient.update_shadow(shadow, actionError);
Serial.print(result);
delay(10000);
}
It seems that everything works fine but, the module load perfect...
Im getting the error:
" can't setup SSL connection "
Any ideas? Honestly Im lost

AsyncUDP example on two ESP32s not working: "WL_NO_SSID_AVAIL"

I am attempting to create a direct Client-Server WiFi network between two ESP32 DEVKITV1s powered by my two computer's USB ports.
I have loaded the example using the Arduino IDE (with the additional boards manager URL https://dl.espressif.com/dl/package_esp32_index.json) and the WiFi status (on both boards) is WL_NO_SSID_AVAIL.
The client code:
#include "WiFi.h"
#include "AsyncUDP.h"
const char * ssid = "my_ssid";
const char * password = "my_password";
AsyncUDP udp;
void setup()
{
Serial.begin(115200);
WiFi.mode(WIFI_STA);
WiFi.begin(ssid, password);
if (WiFi.waitForConnectResult() != WL_CONNECTED) {
Serial.println("WiFi Failed");
while(1) {
delay(1000);
}
}
if(udp.connect(IPAddress(192,168,1,100), 1234)) {
Serial.println("UDP connected");
udp.onPacket([](AsyncUDPPacket packet) {
Serial.print("UDP Packet Type: ");
Serial.print(packet.isBroadcast()?"Broadcast":packet.isMulticast()?"Multicast":"Unicast");
Serial.print(", From: ");
Serial.print(packet.remoteIP());
Serial.print(":");
Serial.print(packet.remotePort());
Serial.print(", To: ");
Serial.print(packet.localIP());
Serial.print(":");
Serial.print(packet.localPort());
Serial.print(", Length: ");
Serial.print(packet.length());
Serial.print(", Data: ");
Serial.write(packet.data(), packet.length());
Serial.println();
//reply to the client
packet.printf("Got %u bytes of data", packet.length());
});
//Send unicast
udp.print("Hello Server!");
}
}
void loop()
{
delay(1000);
//Send broadcast on port 1234
udp.broadcastTo("Anyone here?", 1234);
}
The server code:
#include "WiFi.h"
#include "AsyncUDP.h"
const char * ssid = "my_ssid";
const char * password = "my_password";
AsyncUDP udp;
void setup()
{
Serial.begin(115200);
WiFi.mode(WIFI_STA);
WiFi.begin(ssid, password);
if (WiFi.waitForConnectResult() != WL_CONNECTED) {
Serial.println("WiFi Failed");
while(1) {
delay(1000);
}
}
if(udp.listen(1234)) {
Serial.print("UDP Listening on IP: ");
Serial.println(WiFi.localIP());
udp.onPacket([](AsyncUDPPacket packet) {
Serial.print("UDP Packet Type: ");
Serial.print(packet.isBroadcast()?"Broadcast":packet.isMulticast()?"Multicast":"Unicast");
Serial.print(", From: ");
Serial.print(packet.remoteIP());
Serial.print(":");
Serial.print(packet.remotePort());
Serial.print(", To: ");
Serial.print(packet.localIP());
Serial.print(":");
Serial.print(packet.localPort());
Serial.print(", Length: ");
Serial.print(packet.length());
Serial.print(", Data: ");
Serial.write(packet.data(), packet.length());
Serial.println();
//reply to the client
packet.printf("Got %u bytes of data", packet.length());
});
}
}
void loop()
{
delay(1000);
//Send broadcast
udp.broadcast("Anyone here?");
}
Has anyone else had problems running the example code on their ESP32 using the Arduino IDE?

In summary, my misunderstandings were:
The AsyncUDP example does not allow direct client-server communication. It requires an intermediary router, e.g. a home router. This is because of the WiFi.mode(WIFI_STA) setting - the server needed to be set to WiFi.mode(WIFI_AP) for other ESP32s to be connected to.
Both the client and server need to use the udp.listen(port) function to receive messages (where you can specify the port). To send messages, use udp.broadcast(message) for the server and udp.broadcastTo(message, port) for the client.
The following code is the smallest example I could make that still worked. I'm sure there are better examples available, but this is the way I got the example to work to communicate between the two ESP32s without HTTP requests, using an intermediary router, etc...
The client side:
#include "WiFi.h"
#include "AsyncUDP.h"
const char * ssid = "my_ssid";
const char * password = "my_password";
AsyncUDP udp;
int port = 1234;
void setup() {
Serial.begin(115200);
WiFi.mode(WIFI_STA); // Make this the client (the server is WIFI_AP)
WiFi.begin(ssid, password);
delay(100);
Serial.print("Connecting...");
// Display a period every 0.5 s to show the user something is happening.
while (WiFi.waitForConnectResult() != WL_CONNECTED) {
Serial.print(".");
delay(500);
}
Serial.println("");
if(udp.listen(port)) {
udp.onPacket([](AsyncUDPPacket packet) {
Serial.print("Received data: ");
Serial.write(packet.data(), packet.length());
Serial.println();
});
}
}
void loop(){
delay(1000);
udp.broadcastTo("A message for the server from the client.", port);
}
The server side:
#include "WiFi.h"
#include "AsyncUDP.h"
const char *my_ssid = "my_ssid";
const char *password = "my_password";
int port = 1234;
AsyncUDP udp;
void setup(){
Serial.begin(115200);
WiFi.mode(WIFI_AP);
WiFi.softAP(my_ssid, password);
delay(100);
if(udp.listen(port)) {
udp.onPacket([](AsyncUDPPacket packet) {
Serial.print("Data: ");
Serial.write(packet.data(), packet.length());
Serial.println();
});
}
}
void loop() {
delay(1000);
udp.broadcastTo("Anyone here? Love from the server.", port);
}

This is just a modest addition to Jeremy's answer.
The text states that server uses udp.broadcast(message) while the client uses udp.broadcastTo(message, port)
On the other hand, the provided code uses broadcastTo both sides.
I was wondering why that and after nosing around in the source code AsyncUPD.cpp I saw that udp.broadcast will actually do its job by calling udp.broadcastTo using as the second parameter the local port.
Refer to: https://github.com/espressif/arduino-esp32/blob/master/libraries/AsyncUDP/src/AsyncUDP.cpp line 809.
It is a minor detail but I think worth mentioning it. It allowed me to pair ESP32 boards of same type and (most important to me) using same code for the UDP iteractions. Hence, the two boards may work together (hierarchically or not) or autonomously.

convert rsa private key from .DER format to .PEM format programatically using opensl

How to convert rsa private key from .DER format to .PEM format programatically using openssl api. Manually I am able to convert using openssl exe. Kindly suggest programtically how to do this.

There are some functions in C OpenSSL API with name i2d_* to parse an internal type (for the c programming language are structures with name X509,RSA ...) to DER and d2i_* to parse DER to an internal type and this is how you can convert an x509 certificate file from DER format to PEM with the c programming language.
#include <stdio.h>
#include <openssl/x509.h>
int main(int argc,char* argv[]){
if(argc != 3) {
printf("Usage: der2pem derfile pemfile\n");
return 1;
}
// try open the derfile
FILE* derfile = fopen(argv[1],"r");
if(derfile) {
// try open or create the pemfile
FILE* pemfile = fopen(argv[2],"w+");
if(pemfile) {
// parse DER to internal X509 structure
// d2i is d for DER and i for internal which means c data
X509* internal = d2i_X509_fp(derfile,NULL);
if(internal) {
// write from the internal X509 to pemfile
PEM_write_X509(pemfile,internal);
}
else {
printf("wasn't possible to parse to X509 from the 'derfile'\n");
}
fclose(pemfile);
}
else {
printf("can't create or open the 'pemfile' file\n");
return 1;
}
fclose(derfile);
}
else {
printf("can't open the 'derfile' file\n");
return 1;
}
return 0;
}
The X.509 digital certificate is a data structure that contains, at minimum, the following fields:
The distinguished name of the owner of the public key, also called
the subject's name
The distinguished name of the issuer of the certificate, also called
the issuer's name
The public key itself
The time period during which the certificate is valid, also called
the validity period
The certificate's serial number as designated by the issuer
The issuer's digital signature.
source http://publib.boulder.ibm.com/infocenter/zos/v1r11/index.jsp?topic=/com.ibm.zos.r11.icha700/xcerts.htm
Which means this example is not for private keys of any type, certificate requests, certificate revocation lists. If you need to convert from these types of DER files you have to dive more into the OpenSSL API, because for example the private keys have to do with encryption and decryption.
Something #owlstead said and that is true ... the PEM format is the base64 encoding of the DER format plus the header and footer. Then i wrote one more example in c, but you need to know the right header and footer to create a complete PEM file:
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <openssl/bio.h>
#include <openssl/evp.h>
int main(int argc,char* argv[]){
if(argc != 5) {
printf("Usage: der2pem_simple derfile pemfile \"-----BEGIN CERTIFICATE-----\" \"-----END CERTIFICATE-----\"\n");
return 1;
}
// to create a buffer as small as possible
// we need the size of the input file
struct stat fistat;
if(stat(argv[1],&fistat)<0) {
printf("derfile not found\n");
return 1;
}
// open the derfile
FILE* derfile = fopen(argv[1],"r");
if (!derfile){
printf("can't open derfile\n");
return 1;
}
char buff[fistat.st_size];
// write the derfile to the buffer
fread(buff,fistat.st_size,1,derfile);
fclose(derfile);
// open pemfile
FILE* pemfile = fopen(argv[2],"w+");
if (!pemfile){
printf("can't open or create pemfile\n");
return 1;
}
// create a BIO context with base64 filter
BIO* bio_base64 = BIO_new(BIO_f_base64());
// create a BIO for the pemfile
BIO* bio_out = BIO_new_fp(pemfile,BIO_NOCLOSE);
// write the header
BIO_write(bio_out,argv[3],strlen(argv[3]));
BIO_write(bio_out,"\n",1);
// combine bio_base64->bio_out : enables base64 filter
bio_out = BIO_push(bio_base64,bio_out);
// write the buffer
BIO_write(bio_out,buff,fistat.st_size);
// flush before disable base64 filter
BIO_flush(bio_out);
// uncombine bio_base64 X bio_out : disables base64 filter
bio_out = BIO_pop(bio_base64);
// write the footer
BIO_write(bio_out,argv[4],strlen(argv[4]));
// flush to free the BIO resources
BIO_flush(bio_out);
BIO_free_all(bio_out);
fclose(pemfile);
}
and this example in Java:
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import org.apache.commons.codec.binary.Base64;
//import org.apache.commons.codec.binary.Base64OutputStream;
public class der2pem {
public static void main(String args[]) {
if(args.length < 4) {
System.out.println("Usage: der2pem_simple derfile pemfile \"-----BEGIN CERTIFICATE-----\" \"-----END CERTIFICATE-----\"");
return;
}
FileOutputStream pemfile;
try {
// open the pemfile
pemfile = new FileOutputStream(args[1]);
} catch (FileNotFoundException e) {
try {
// try to create if not found
new File(args[1]).createNewFile();
} catch (IOException e1) {
System.out.println(e1.getMessage());
return;
}
try {
// if created open it
pemfile = new FileOutputStream(args[1]);
} catch (FileNotFoundException e1) {
e1.printStackTrace();
return;
}
}
FileInputStream derfile;
try {
// open the derfile
derfile = new FileInputStream(args[0]);
} catch (FileNotFoundException e) {
// if not found print error and get out
System.out.println(e.getMessage());
try {
pemfile.close();
} catch (IOException e1) {
e1.printStackTrace();
}
return;
}
try {
//---- last part
// write the header to pemfile
pemfile.write(args[2].getBytes());
pemfile.write('\n');
// get the size of the derfile and create a buff that fits to this file
int derf_size = (int) new File(args[0]).length();
byte[] buffer = new byte[derf_size];
// read from derfile and write to buffer
derfile.read(buffer);
// create the Base64 object for the encoding
Base64 base64 = new Base64(64,"\n".getBytes());
// encode and write to pemfile
pemfile.write(base64.encode(buffer));
// write the footer to pemfile
pemfile.write(args[3].getBytes());
// flush to cleanup
pemfile.flush();
pemfile.close();
derfile.close();
//---- last part end
} catch (IOException e) {
e.printStackTrace();
}
}
}
I tried to use a method with Base64OutputStream but has some unexpected results on the PEM file. If you wanna check just replace the last part with this:
// write the header to pemfile
pemfile.write(args[2].getBytes());
pemfile.write('\n');
// get the size of the derfile and create a buff that fits to this file
int derf_size = (int) new File(args[0]).length();
byte[] buffer = new byte[derf_size];
// read from derfile and write to buffer
derfile.read(buffer);
// create the Base64OutputStream object for the encoding
Base64OutputStream b64f_pemfile = new Base64OutputStream(pemfile,true,64,"\n".getBytes());
// write to b64f_pemfile which encodes to base64
b64f_pemfile.write(buffer);
// flush before write the footer
b64f_pemfile.flush();
// write the footer
pemfile.write('\n');
pemfile.write(args[3].getBytes());
// flush to cleanup
pemfile.flush();
b64f_pemfile.close();
pemfile.close();
derfile.close();
I compiled it with:
javac der2pem.java -classpath "$CLASSPATH:/usr/share/java/commons-codec.jar"
and ran with:
java -classpath "$CLASSPATH:/usr/share/java/commons-codec.jar" der2pem test.der tttttt "-----BEGIN CERTIFICATE-----" "-----END CERTIFICATE-----"
something similar you have to do in your system.

Java SSL - InstallCert recognizes certificate, but still "unable to find valid certification path" error?

Thinking I'd hit the same issue as other folks, I've been going through the numerous similar problems and potential solutions, but with no luck.
The trust store I'm using is cacerts, located in lib/security of a Java 1.6.0 JRE (build 1.6.0_20-b02... could this be the root of the problem?). I've also tried with jssecacerts.
Using InstallCert (per other similar issues posted), I can see my certificate is in fact installed and valid (and I've removed it, re-imported it, etc to make sure I'm seeing the right data):
java InstallCert <my host name>
Loading KeyStore jssecacerts...
Opening connection to <my host name>:443...
Starting SSL handshake...
No errors, certificate is already trusted
Checking in keytool and Portecle, re-importing the cert (I've tried generating from openssl with -showcert, exporting from browsers and scp'ing it over, etc) gives me "That already exists under this other alias over here" type of message. So there doesn't appear to be any issue with the way the cert is getting into the tool(s).
Forcing explicit trustStore paths in the code doesn't make any difference, and in all cases what I end up seeing when I turn on debugging (via a setProperty of javax.net.debug to "all") is:
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2 [Raw write]: length = 7 0000: 15
03 01 00 02 02 2E ....... main, called
closeSocket() main, handling exception:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
Unfortunately I can't allow overriding the check by implementing my own TrustManager - it has to actually check.
The certificate I get from the host has a number of extensions (9, to be exact), which makes me wonder if they're somehow part of this issue.
What else can I check/try? Change over to a different JRE version?

You can still check the certificate by implementing your own trust manager. I ran into a similar issue here. I also tried adding the certificate to cacerts but to no avail.
In your trust manager, you need to explicitly load up the certificates. Essentially what I had to do was something like this:
First I create a trust manager that uses the actual certificate files:
public class ValicertX509TrustManager implements X509TrustManager {
X509TrustManager pkixTrustManager;
ValicertX509TrustManager() throws Exception {
String valicertFile = "/certificates/ValicertRSAPublicRootCAv1.cer";
String commwebDRFile = "/certificates/DR_10570.migs.mastercard.com.au.crt";
String commwebPRODFile = "/certificates/PROD_10549.migs.mastercard.com.au.new.crt";
Certificate valicert = CertificateFactory.getInstance("X509").generateCertificate(this.getClass().getResourceAsStream(valicertFile));
Certificate commwebDR = CertificateFactory.getInstance("X509").generateCertificate(this.getClass().getResourceAsStream(commwebDRFile));
Certificate commwebPROD = CertificateFactory.getInstance("X509").generateCertificate(this.getClass().getResourceAsStream(commwebPRODFile));
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(null, "".toCharArray());
keyStore.setCertificateEntry("valicert", valicert);
keyStore.setCertificateEntry("commwebDR", commwebDR);
keyStore.setCertificateEntry("commwebPROD", commwebPROD);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
trustManagerFactory.init(keyStore);
TrustManager trustManagers[] = trustManagerFactory.getTrustManagers();
for(TrustManager trustManager : trustManagers) {
if(trustManager instanceof X509TrustManager) {
pkixTrustManager = (X509TrustManager) trustManager;
return;
}
}
throw new Exception("Couldn't initialize");
}
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
pkixTrustManager.checkServerTrusted(chain, authType);
}
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
pkixTrustManager.checkServerTrusted(chain, authType);
}
public X509Certificate[] getAcceptedIssuers() {
return pkixTrustManager.getAcceptedIssuers();
}
}
Now, using this trust manager, I had to create a socket factory:
public class ValicertSSLProtocolSocketFactory implements ProtocolSocketFactory {
private SSLContext sslContext = null;
public ValicertSSLProtocolSocketFactory() {
super();
}
private static SSLContext createValicertSSLContext() {
try {
ValicertX509TrustManager valicertX509TrustManager = new ValicertX509TrustManager();
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, new ValicertX509TrustManager[] { valicertX509TrustManager}, null);
return context;
}
catch(Exception e) {
Log.error(Log.Context.Net, e);
return null;
}
}
private SSLContext getSSLContext() {
if(this.sslContext == null) {
this.sslContext = createValicertSSLContext();
}
return this.sslContext;
}
public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort) throws IOException {
return getSSLContext().getSocketFactory().createSocket(host, port, clientHost, clientPort);
}
public Socket createSocket(final String host, final int port, final InetAddress localAddress, final int localPort, final HttpConnectionParams params) throws IOException {
if(params == null) {
throw new IllegalArgumentException("Parameters may not be null");
}
int timeout = params.getConnectionTimeout();
SocketFactory socketFactory = getSSLContext().getSocketFactory();
if(timeout == 0) {
return socketFactory.createSocket(host, port, localAddress, localPort);
}
else {
Socket socket = socketFactory.createSocket();
SocketAddress localAddr = new InetSocketAddress(localAddress, localPort);
SocketAddress remoteAddr = new InetSocketAddress(host, port);
socket.bind(localAddr);
socket.connect(remoteAddr, timeout);
return socket;
}
}
public Socket createSocket(String host, int port) throws IOException {
return getSSLContext().getSocketFactory().createSocket(host, port);
}
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException {
return getSSLContext().getSocketFactory().createSocket(socket, host, port, autoClose);
}
public boolean equals(Object obj) {
return ((obj != null) && obj.getClass().equals(ValicertSSLProtocolSocketFactory.class));
}
public int hashCode() {
return ValicertSSLProtocolSocketFactory.class.hashCode();
}
}
Then I just registered a new protocol:
Protocol.registerProtocol("vhttps", new Protocol("vhttps", new ValicertSSLProtocolSocketFactory(), 443));
PostMethod postMethod = new PostMethod(url);
for (Map.Entry<String, String> entry : params.entrySet()) {
postMethod.addParameter(entry.getKey(), StringUtils.Nz(entry.getValue()));
}
HttpClient client = new HttpClient();
int status = client.executeMethod(postMethod);
if (status == 200) {
StringBuilder resultBuffer = new StringBuilder();
resultBuffer.append(postMethod.getResponseBodyAsString());
return new HttpResponse(resultBuffer.toString(), "");
} else {
throw new IOException("Invalid response code: " + status);
}
The only disadvantage is that I had to create a specific protocol (vhttps) for this particular certificate.

The SSL debug trace will show which cacerts file you are using, as long as you don't manually load it yourself. Clearly you aren't using the one you think you are.

My guess is either of these things happened:
a) You run your code on a web server. They often use their own trust store - so are you really sure that it's cacerts that's being used when your code is executed?
b) By default, Java will try to check the validity of the certificates by downloading and interpreting CRLs. If you are behind a proxy, the download fails, and as a consequence the whole PKIX check would fail.