Search code examples
javassloauthscribeself-signed

Java oAuth using self-signed client certificate

I had a perfectly working oauth with a self-signed client certificate, until suddenly it stopped working. I get SocketException: Connection Reset. According to Xero, the API that I'm integrating with, everything is ok on their side now, but they did have SSL problem one week ago.

Since the last time it worked we moved to Java 8, which I rolledback for this test. Initially I had it working with this oauth project, because it was the only one that would, kind of, support self-signed client certificates. Today I hacked Scribe a bit, in order to add the certificate to the request. When I finally got it working, I got the same exception again.

The certificate that I have is in a KeyStore (.p12), which I exported into my java cacerts. This step should not be needed though, since it was working without it.

So, this is how I create the SSLContext that is injected in the HttpClient (in the oauth project) and in the HttpsUrlConnection (in Scribe).

Set<KeyManager> keymanagers = new HashSet<KeyManager>();
final KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(
    KeyManagerFactory.getDefaultAlgorithm());
kmfactory.init(entrustStore, password.toCharArray());
final KeyManager[] kms = kmfactory.getKeyManagers();
if (kms != null) {
    for (final KeyManager km : kms) {
        keymanagers.add(km);
    }
}

// TrustManagerFactory tmf =
//     TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
// tmf.init(keyStore);

SSLContext sslContext = SSLContext.getInstance(SSLSocketFactory.TLS);
sslContext.init(
    keymanagers.toArray(new KeyManager[keymanagers.size()]),
    null, // tmf.getTrustManagers()
    null);


// in the oauth project
SSLSocketFactory socketFactory = new SSLSocketFactory(sslContext);
Scheme scheme = new Scheme("https", 443, socketFactory);
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(scheme);
BasicClientConnectionManager cm = 
    new BasicClientConnectionManager(schemeRegistry);
httpClient = new DefaultHttpClient(cm);

// ---------------------------------

// in Scribe
HttpsURLConnection connection = 
    (HttpsURLConnection) new URL(completeUrl).openConnection();
connection.setSSLSocketFactory(sslContext.getSocketFactory());

I suspect this is the code that might be causing the exception, since this is the only common part between both implementations.

Solution

  • The issue was related to TLS version after all. Using TLSv1.1 did the trick.