Browse Source

X509 cert saved in db

pull/32/head
Valerii Sosliuk 10 years ago
parent
commit
3ffb970ecd
  1. 12
      application/src/main/resources/thingsboard.yml
  2. 6
      dao/src/main/java/org/thingsboard/server/dao/EncryptionUtil.java
  3. 10
      dao/src/main/java/org/thingsboard/server/dao/device/DeviceCredentialsServiceImpl.java
  4. 1
      tools/src/main/shell/onewaysslmqttclient.py
  5. 1
      tools/src/main/shell/simplemqttclient.py
  6. 35
      transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java
  7. 8
      transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/util/SslUtil.java
  8. 9
      ui/src/app/device/device-credentials.controller.js
  9. 2
      ui/src/app/device/device-credentials.tpl.html

12
application/src/main/resources/thingsboard.yml

@ -77,13 +77,13 @@ mqtt:
timeout: "${MQTT_TIMEOUT:10000}"
# Uncomment the following lines to enable ssl for MQTT
# ssl:
# key-store: keystore/mqttserver.jks
# key-store-password: password
# keyStoreType: JKS
# key_store: keystore/mqttserver.jks
# key_store_password: password
# key_store_type: JKS
# TrustStore can be the same as KeyStore
# trust-store: keystore/mqttserver.jks
# trust-store-password: password
# trustStoreType: JKS
# trust_store: keystore/mqttserver.jks
# trust_store_password: password
# trust_store_type: JKS
# CoAP server parameters
coap:

6
dao/src/main/java/org/thingsboard/server/dao/EncryptionUtil.java

@ -27,8 +27,12 @@ public class EncryptionUtil {
private EncryptionUtil() {
}
public static String trimNewLines(String input) {
return input.replaceAll("\n","").replaceAll("\r","");
}
public static String getSha3Hash(String data) {
String trimmedData = data.replaceAll("\n","").replaceAll("\r","");
String trimmedData = trimNewLines(data);
byte[] dataBytes = trimmedData.getBytes();
SHA3Digest md = new SHA3Digest(256);
md.reset();

10
dao/src/main/java/org/thingsboard/server/dao/device/DeviceCredentialsServiceImpl.java

@ -29,8 +29,6 @@ import org.thingsboard.server.dao.exception.DataValidationException;
import org.thingsboard.server.dao.model.DeviceCredentialsEntity;
import org.thingsboard.server.dao.service.DataValidator;
import java.util.Optional;
import static org.thingsboard.server.dao.DaoUtil.getData;
import static org.thingsboard.server.dao.service.Validator.validateId;
import static org.thingsboard.server.dao.service.Validator.validateString;
@ -73,16 +71,18 @@ public class DeviceCredentialsServiceImpl implements DeviceCredentialsService {
private DeviceCredentials saveOrUpdare(DeviceCredentials deviceCredentials) {
if (deviceCredentials.getCredentialsType() == DeviceCredentialsType.X509_CERTIFICATE) {
encryptDeviceId(deviceCredentials);
formatCertData(deviceCredentials);
}
log.trace("Executing updateDeviceCredentials [{}]", deviceCredentials);
credentialsValidator.validate(deviceCredentials);
return getData(deviceCredentialsDao.save(deviceCredentials));
}
private void encryptDeviceId(DeviceCredentials deviceCredentials) {
String sha3Hash = EncryptionUtil.getSha3Hash(deviceCredentials.getCredentialsId());
private void formatCertData(DeviceCredentials deviceCredentials) {
String cert = EncryptionUtil.trimNewLines(deviceCredentials.getCredentialsValue());
String sha3Hash = EncryptionUtil.getSha3Hash(cert);
deviceCredentials.setCredentialsId(sha3Hash);
deviceCredentials.setCredentialsValue(cert);
}
@Override

1
tools/src/main/shell/onewaysslmqttclient.py

@ -1,3 +1,4 @@
# -*- coding: utf-8 -*-
#
# Copyright © 2016-2017 The Thingsboard Authors
#

1
tools/src/main/shell/simplemqttclient.py

@ -1,3 +1,4 @@
# -*- coding: utf-8 -*-
#
# Copyright © 2016-2017 The Thingsboard Authors
#

35
transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java

@ -1,12 +1,12 @@
/**
* Copyright © 2016-2017 The Thingsboard Authors
*
* <p>
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* <p>
* http://www.apache.org/licenses/LICENSE-2.0
* <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@ -45,18 +45,18 @@ import java.security.cert.X509Certificate;
public class MqttSslHandlerProvider {
public static final String TLS = "TLS";
@Value("${mqtt.ssl.key-store}")
@Value("${mqtt.ssl.key_store}")
private String keyStoreFile;
@Value("${mqtt.ssl.key-store-password}")
@Value("${mqtt.ssl.key_store_password}")
private String keyStorePassword;
@Value("${mqtt.ssl.keyStoreType}")
@Value("${mqtt.ssl.key_store_type}")
private String keyStoreType;
@Value("${mqtt.ssl.trust-store}")
@Value("${mqtt.ssl.trust_store}")
private String trustStoreFile;
@Value("${mqtt.ssl.trust-store-password}")
@Value("${mqtt.ssl.trust_store_password}")
private String trustStorePassword;
@Value("${mqtt.ssl.trustStoreType}")
@Value("${mqtt.ssl.trust_store_type}")
private String trustStoreType;
@Autowired
@ -108,8 +108,7 @@ public class MqttSslHandlerProvider {
break;
}
}
X509TrustManager x509TmWrapper = new ThingsboardMqttX509TrustManager(x509Tm, deviceCredentialsService);
return x509TmWrapper;
return new ThingsboardMqttX509TrustManager(x509Tm, deviceCredentialsService);
}
static class ThingsboardMqttX509TrustManager implements X509TrustManager {
@ -136,18 +135,22 @@ public class MqttSslHandlerProvider {
@Override
public void checkClientTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
DeviceCredentials deviceCredentials = null;
for (X509Certificate cert : chain) {
try {
String strCert = SslUtil.getX509CertificateString(cert);
String sha3Hash = EncryptionUtil.getSha3Hash(strCert);
DeviceCredentials deviceCredentials = deviceCredentialsService.findDeviceCredentialsByCredentialsId(sha3Hash);
if (deviceCredentials == null) {
throw new CertificateException("Invalid Device Certificate");
deviceCredentials = deviceCredentialsService.findDeviceCredentialsByCredentialsId(sha3Hash);
if (deviceCredentials != null && strCert.equals(deviceCredentials.getCredentialsValue())) {
break;
}
} catch (IOException e) {
e.printStackTrace();
log.error(e.getMessage(), e);
}
}
if (deviceCredentials == null) {
throw new CertificateException("Invalid Device Certificate");
}
}
}
}

8
transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/util/SslUtil.java

@ -16,6 +16,7 @@
package org.thingsboard.server.transport.mqtt.util;
import lombok.extern.slf4j.Slf4j;
import org.thingsboard.server.dao.EncryptionUtil;
import sun.misc.BASE64Encoder;
import java.io.ByteArrayOutputStream;
@ -32,11 +33,12 @@ public class SslUtil {
private SslUtil() {
}
public static String getX509CertificateString(X509Certificate cert) throws CertificateEncodingException, IOException {
public static String getX509CertificateString(X509Certificate cert)
throws CertificateEncodingException, IOException {
ByteArrayOutputStream out = new ByteArrayOutputStream();
BASE64Encoder encoder = new BASE64Encoder();
encoder.encodeBuffer(cert.getEncoded(), out);
return new String(out.toByteArray(), "UTF-8").trim();
return EncryptionUtil.trimNewLines(new String(out.toByteArray(), "UTF-8"));
}
public static String getX509CertificateString(javax.security.cert.X509Certificate cert)
@ -44,6 +46,6 @@ public class SslUtil {
ByteArrayOutputStream out = new ByteArrayOutputStream();
BASE64Encoder encoder = new BASE64Encoder();
encoder.encodeBuffer(cert.getEncoded(), out);
return new String(out.toByteArray(), "UTF-8").trim();
return EncryptionUtil.trimNewLines(new String(out.toByteArray(), "UTF-8"));
}
}

9
ui/src/app/device/device-credentials.controller.js

@ -52,13 +52,16 @@ export default function ManageDeviceCredentialsController(deviceService, $scope,
function valid() {
return vm.deviceCredentials &&
(vm.deviceCredentials.credentialsType === 'ACCESS_TOKEN'
|| vm.deviceCredentials.credentialsType === 'X509_CERTIFICATE')
&&
vm.deviceCredentials.credentialsId && vm.deviceCredentials.credentialsId.length > 0;
&& vm.deviceCredentials.credentialsId
&& vm.deviceCredentials.credentialsId.length > 0
|| vm.deviceCredentials.credentialsType === 'X509_CERTIFICATE'
&& vm.deviceCredentials.credentialsValue
&& vm.deviceCredentials.credentialsValue.length > 0);
}
function clear() {
vm.deviceCredentials.credentialsId = null;
vm.deviceCredentials.credentialsValue = null;
}
function save() {

2
ui/src/app/device/device-credentials.tpl.html

@ -51,7 +51,7 @@
</md-input-container>
<md-input-container class="md-block" ng-if="vm.deviceCredentials.credentialsType === 'X509_CERTIFICATE'">
<label translate>device.rsa-key</label>
<textarea required name="rsaKey" ng-model="vm.deviceCredentials.credentialsId"
<textarea required name="rsaKey" ng-model="vm.deviceCredentials.credentialsValue"
cols="15" rows="5" />
<div ng-messages="theForm.rsaKey.$error">
<div translate ng-message="required">device.rsa-key-required</div>

Loading…
Cancel
Save