mockserver icon indicating copy to clipboard operation
mockserver copied to clipboard
verified publisher icon mock-server

withClientCertificateChain() doesn't work?

Open pavilalopes opened this issue 2 years ago • 0 comments

Describe the issue Couldn't figure out how to use the method withClientCertificateChain():

  • When used with verify() it does nothing (verify succeeds even if the condition is not met)
  • When used with when(), the server complains that the expectation request is malformed - example code and error below

MockServer version 5.15.0 (but also tested in latest git version)

To Reproduce Steps to reproduce the issue:

  1. How you are running MockServer (i.e maven plugin, docker, etc) - In Java via ClientAndServer.startClientAndServer()
  2. Code you used to create expectations 
         mockServer.when(
             request()
                     .withClientCertificateChain(List.of(new X509Certificate().withIssuerDistinguishedName("CN=whatever")))
                     .withMethod("POST")
                     .withPath("/v1/customer/update"), Times.once())
             .respond(response()
                     .withStatusCode(200));
  3. What error you saw 
     java.lang.IllegalArgumentException: incorrect expectation json format for:
   {
     "httpRequest" : {
       "method" : "POST",
       "path" : "/v1/customer/update"
     },
     "id" : "b3100a82-c364-4617-81ea-3e6d6889219c",
     "priority" : 0,
     "timeToLive" : {
       "unlimited" : true
     },
     "times" : {
       "unlimited" : true
     }
   }

  schema validation errors:

   11 errors:
    - $.httpError: is missing, but is required, if specifying action of type Error
    - $.httpForward: is missing, but is required, if specifying action of type Forward
    - $.httpForwardClassCallback: is missing, but is required, if specifying action of type ForwardClassCallback
    - $.httpForwardObjectCallback: is missing, but is required, if specifying action of type ForwardObjectCallback
    - $.httpForwardTemplate: is missing, but is required, if specifying action of type ForwardTemplate
    - $.httpOverrideForwardedRequest: is missing, but is required, if specifying action of type OverrideForwardedRequest
    - $.httpResponse: is missing, but is required, if specifying action of type Response
    - $.httpResponseClassCallback: is missing, but is required, if specifying action of type ResponseClassCallback
    - $.httpResponseObjectCallback: is missing, but is required, if specifying action of type ResponseObjectCallback
    - $.httpResponseTemplate: is missing, but is required, if specifying action of type ResponseTemplate
    - oneOf of the following must be specified [httpError, httpForward, httpForwardClassCallback, httpForwardObjectCallback, httpForwardTemplate, httpOverrideForwardedRequest, httpResponse, httpResponseClassCallback, httpResponseObjectCallback, httpResponseTemplate]

   OpenAPI Specification: https://app.swaggerhub.com/apis/jamesdbloom/mock-server-openapi/5.15.x
   Documentation: https://mock-server.com/mock_server/creating_expectations.html

EDIT

Regarding using withClientCertificateChain() with verify(): I just found in the logs that the client includes the certificate chain information in the verify request, so it's the server that is ignoring it (otherwise this verification would have failed because the DN does not match the request):

2023-08-31 20:46:31,709 INFO  [erver-EventLog0] o.mockserver.log.MockServerEventLog  : 22222 verifying requests that match:
  {
    "httpRequest" : {
      "method" : "POST",
      "path" : "/v1/customer/update",
      "headers" : {
        "Content-Type" : [ "application/json(;.+)?" ],
        "Authorization" : [ "Bearer test-api-key-1234567890" ]
      },
      "secure" : true,
      "clientCertificateChain" : [ {
        "issuerDistinguishedName" : "CN=whatever"
      } ]
    },
    "times" : {
      "atLeast" : 1,
      "atMost" : 1
    }
  }

Corresponding request (note the server detected the client certificate correctly):

2023-08-31 20:46:31,597 INFO  [erver-EventLog0] o.mockserver.log.MockServerEventLog  : 22222 received request:

  {
    "method" : "POST",
    "path" : "/v1/customer/update",
    "headers" : {
      "user-agent" : [ "ReactorNetty/1.0.24" ],
      "host" : [ "localhost:22222" ],
      "content-length" : [ "177" ],
      "accept" : [ "*/*" ],
      "Content-Type" : [ "application/json" ],
      "Authorization" : [ "Bearer test-api-key-1234567890" ]
    },
    "keepAlive" : true,
    "secure" : true,
    "clientCertificateChain" : [ {
      "serialNumber" : "705115929530326732747218164685338766837834795324",
      "issuerDistinguishedName" : "CN=Client CA",
      "subjectDistinguishedName" : "CN=test client",
      "signatureAlgorithmName" : "SHA256withRSA"
    } ],
    "protocol" : "HTTP_1_1",
    "localAddress" : "127.0.0.1:22222",
    "remoteAddress" : "127.0.0.1:37244",
    "body" :  // ommited
  }

EDIT 2

Is the server discarding the clientCertificateChain information entirely? Because when we retrieve the above request with mockServer.retrieveRecordedRequests(null, Format.JSON), the clientCertificateChain field is not included in the request information.

At this point I'm out of ideas. There seems to be no way to assert the client certificate information.

pavilalopes avatar Aug 31 '23 19:08 pavilalopes