mTLS support - Githubissues

rymsha commented 3 years ago

Provide a way to specify client certificate, similar to how curl --cert option does.

rymsha commented 3 years ago

Limitations:

RSA, DSA not supported. Only PKCS #8 - this is what okhttp library supports
curl --cert supports encrypted keys, okhttp does not. So, pem files cannot contain -----BEGIN ENCRYPTED PRIVATE KEY-----. Such files must be decrypted
intermediate certificates not implemented. I have no idea how often they are in use and how to implement them best. It seems like even curl developers change their mind. But it is certainly possible to do, if/when needed.

rymsha commented 3 years ago

Test

download badssl.com-client.pem https://badssl.com/download/
openssl pkey -in badssl.com-client.pem -out badssl.com-client.decrypted.key (password is badssl.com) https://github.com/chromium/badssl.com/issues/369
concatenate certificate and decrypted key into clientCertrificate

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDHN18R6x5Oz+u6
...
GTH3fhaM/pZZGdIC75x/69Y=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIEqDCCApCgAwIBAgIUK5Ns4y2CzosB/ZoFlaxjZqoBTIIwDQYJKoZIhvcNAQEL
...
g0Y2YBH5v0xmi8sYU7weOcwynkjZARpUltBUQ0pWCF5uJsEB8uE8PPDD3c4=
-----END CERTIFICATE-----

run

 var clientCertificate = io.newStream(/*clientCertificate string goes here*/)
  var result = http.request({
      url: 'https://client.badssl.com',
      clientCertificate: clientCertificate
  });
  log.info(JSON.stringify(result))

resutl.status should be 200

enonic / lib-http-client

mTLS support #59