Support for Client side certificate and custom list of trusted certificates

[Hakky54]

This pull request is regarding the implementation of the issue number #91

This feature will enable loading the client certificate into the http client which could be used when the server requires client authentication based on certificates. The client will also have the ability to trust specific certificates by loading a list of trusted certificates.

This PR is for now a WIP as the jvm part is finished but the node part is still pending

[Hakky54]

@hmil I did an attempt for the initial version of the implementation. The jvm version is mostly done, but I am not quite sure how to implement node version. I think I need the following fields within the RequestOptions:

pfx: js.UndefOr[String] = js.undefined,
passphrase: js.UndefOr[String] = js.undefined,
ca: js.UndefOr[String] = js.undefined

I am also not quite sure if the type String is correct here and I am also not sure how to correctly load a file into this field as I am not sure if it should be a String. Node has the following documentation at their page for loading a pfx or pem file:

onst https = require('https');
const fs = require('fs');

const options = {
  pfx: fs.readFileSync('test/fixtures/test_cert.pfx'),
  passphrase: 'sample'
};

I can fetch the path of the pfx with from the sslconfig within the backendConfig of the request. But I am not quite sure how to properly load it. What do you think?

[hmil]

Just checking, how portable is this?
I'm not 100% aware of the limitations of the javax package.

[Hakky54]

What do you mean exactly by portable?

[hmil]

The doc says the last argument can be left empty, in which case the default implementation is used. Why not leave it empty?

[Hakky54]

I wasn't aware that by passing null it would use the default implementation. I will refactor it

[hmil]

The documentation for newInputStream doesn't specify that this can be null. So I guess this means it cannot be null?

[Hakky54]

Ah yes indeed, very sharp! I just tested it and if the file cannot be found it will throw a NoSuchFileException
I thought it was similar to getClass.getClassLoader.getResourceAsStream() which will return a null when it cant find the file. I will drop the null check

[hmil]

Same here for non-nullable

[Hakky54]

Yes, I will also refactor this one

[hmil]

I can fetch the path of the pfx with from the sslconfig within the backendConfig of the request

Just use fs.readFileSync. It's the easiest to get started.

I am realizing now that this solution re-creates the whole SSL config from disk for each request. It can be quite wasteful and can even become a performance bottleneck if someone uses the lib to make many requests. A better solution would be to pre-configure a client with the SSL config and then use that client to make requests.

But this is a long shot. All in all implementing proper support for SSL might take more than just one PR.

I would advise that you focus only on what you need for your specific use case. If you do not need Node.js, then in the JS backend just throw an exception when an ssl config is specified. We'll add to the limitations that SSL is only supported on the JVM. If you feel like adding it or if someone else needs this feature, then support for Node.js can be added in a following PR.

[Hakky54]

I am realizing now that this solution re-creates the whole SSL config from disk for each request. It can be quite wasteful and can even become a performance bottleneck if someone uses the lib to make many requests. A better solution would be to pre-configure a client with the SSL config and then use that client to make requests.

Yes the best way would actually create the sslcontext once, reuse it multiple times for every new request. But I wasn't quite sure what would be a good implementation for that as every new request within the current implementation "recreates" the HttpConnection and executes a request with the given parameters.

But this is a long shot. All in all implementing proper support for SSL might take more than just one PR.

I would advise that you focus only on what you need for your specific use case. If you do not need Node.js, then in the JS backend just throw an exception when an ssl config is specified. We'll add to the limitations that SSL is only supported on the JVM. If you feel like adding it or if someone else needs this feature, then support for Node.js can be added in a following PR.

I actually don't feel very comfortable applying changes to the Node.js part as I have no experience yet with it. So I would gladly pass it to someone else who wants to implement it if you are also ok with it.

[hmil]

Hey, sorry I don't have any time at all to maintain this package right now. Feel free to publish your own version to bintray.

I refer to #58 to focus discussions around finding a package maintainer or a serious fork.

[Hakky54]

Ah too bad to hear that, but I can understand that