diff --git a/application/src/main/resources/thingsboard.yml b/application/src/main/resources/thingsboard.yml index 976f68821c..f74d30d238 100644 --- a/application/src/main/resources/thingsboard.yml +++ b/application/src/main/resources/thingsboard.yml @@ -77,13 +77,13 @@ mqtt: timeout: "${MQTT_TIMEOUT:10000}" # Uncomment the following lines to enable ssl for MQTT # ssl: -# key-store: keystore/mqttserver.jks -# key-store-password: password -# keyStoreType: JKS +# key_store: keystore/mqttserver.jks +# key_store_password: password +# key_store_type: JKS # TrustStore can be the same as KeyStore -# trust-store: keystore/mqttserver.jks -# trust-store-password: password -# trustStoreType: JKS +# trust_store: keystore/mqttserver.jks +# trust_store_password: password +# trust_store_type: JKS # CoAP server parameters coap: diff --git a/dao/src/main/java/org/thingsboard/server/dao/EncryptionUtil.java b/dao/src/main/java/org/thingsboard/server/dao/EncryptionUtil.java index 71541cc7b2..0ce5ac2f49 100644 --- a/dao/src/main/java/org/thingsboard/server/dao/EncryptionUtil.java +++ b/dao/src/main/java/org/thingsboard/server/dao/EncryptionUtil.java @@ -27,8 +27,12 @@ public class EncryptionUtil { private EncryptionUtil() { } + public static String trimNewLines(String input) { + return input.replaceAll("\n","").replaceAll("\r",""); + } + public static String getSha3Hash(String data) { - String trimmedData = data.replaceAll("\n","").replaceAll("\r",""); + String trimmedData = trimNewLines(data); byte[] dataBytes = trimmedData.getBytes(); SHA3Digest md = new SHA3Digest(256); md.reset(); diff --git a/dao/src/main/java/org/thingsboard/server/dao/device/DeviceCredentialsServiceImpl.java b/dao/src/main/java/org/thingsboard/server/dao/device/DeviceCredentialsServiceImpl.java index 2a52b5cd1d..10e329ad4d 100644 --- a/dao/src/main/java/org/thingsboard/server/dao/device/DeviceCredentialsServiceImpl.java +++ b/dao/src/main/java/org/thingsboard/server/dao/device/DeviceCredentialsServiceImpl.java @@ -29,8 +29,6 @@ import org.thingsboard.server.dao.exception.DataValidationException; import org.thingsboard.server.dao.model.DeviceCredentialsEntity; import org.thingsboard.server.dao.service.DataValidator; -import java.util.Optional; - import static org.thingsboard.server.dao.DaoUtil.getData; import static org.thingsboard.server.dao.service.Validator.validateId; import static org.thingsboard.server.dao.service.Validator.validateString; @@ -73,16 +71,18 @@ public class DeviceCredentialsServiceImpl implements DeviceCredentialsService { private DeviceCredentials saveOrUpdare(DeviceCredentials deviceCredentials) { if (deviceCredentials.getCredentialsType() == DeviceCredentialsType.X509_CERTIFICATE) { - encryptDeviceId(deviceCredentials); + formatCertData(deviceCredentials); } log.trace("Executing updateDeviceCredentials [{}]", deviceCredentials); credentialsValidator.validate(deviceCredentials); return getData(deviceCredentialsDao.save(deviceCredentials)); } - private void encryptDeviceId(DeviceCredentials deviceCredentials) { - String sha3Hash = EncryptionUtil.getSha3Hash(deviceCredentials.getCredentialsId()); + private void formatCertData(DeviceCredentials deviceCredentials) { + String cert = EncryptionUtil.trimNewLines(deviceCredentials.getCredentialsValue()); + String sha3Hash = EncryptionUtil.getSha3Hash(cert); deviceCredentials.setCredentialsId(sha3Hash); + deviceCredentials.setCredentialsValue(cert); } @Override diff --git a/tools/src/main/shell/onewaysslmqttclient.py b/tools/src/main/shell/onewaysslmqttclient.py index 63d129ee1f..b0824e64d4 100644 --- a/tools/src/main/shell/onewaysslmqttclient.py +++ b/tools/src/main/shell/onewaysslmqttclient.py @@ -1,3 +1,4 @@ +# -*- coding: utf-8 -*- # # Copyright © 2016-2017 The Thingsboard Authors # diff --git a/tools/src/main/shell/simplemqttclient.py b/tools/src/main/shell/simplemqttclient.py index 91b3e3410c..9ec3250ca2 100644 --- a/tools/src/main/shell/simplemqttclient.py +++ b/tools/src/main/shell/simplemqttclient.py @@ -1,3 +1,4 @@ +# -*- coding: utf-8 -*- # # Copyright © 2016-2017 The Thingsboard Authors # diff --git a/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java b/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java index 70b748de60..6b293382a7 100644 --- a/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java +++ b/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java @@ -1,12 +1,12 @@ /** * Copyright © 2016-2017 The Thingsboard Authors - * + *
* Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + *
+ * http://www.apache.org/licenses/LICENSE-2.0 + *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -45,18 +45,18 @@ import java.security.cert.X509Certificate;
public class MqttSslHandlerProvider {
public static final String TLS = "TLS";
- @Value("${mqtt.ssl.key-store}")
+ @Value("${mqtt.ssl.key_store}")
private String keyStoreFile;
- @Value("${mqtt.ssl.key-store-password}")
+ @Value("${mqtt.ssl.key_store_password}")
private String keyStorePassword;
- @Value("${mqtt.ssl.keyStoreType}")
+ @Value("${mqtt.ssl.key_store_type}")
private String keyStoreType;
- @Value("${mqtt.ssl.trust-store}")
+ @Value("${mqtt.ssl.trust_store}")
private String trustStoreFile;
- @Value("${mqtt.ssl.trust-store-password}")
+ @Value("${mqtt.ssl.trust_store_password}")
private String trustStorePassword;
- @Value("${mqtt.ssl.trustStoreType}")
+ @Value("${mqtt.ssl.trust_store_type}")
private String trustStoreType;
@Autowired
@@ -108,8 +108,7 @@ public class MqttSslHandlerProvider {
break;
}
}
- X509TrustManager x509TmWrapper = new ThingsboardMqttX509TrustManager(x509Tm, deviceCredentialsService);
- return x509TmWrapper;
+ return new ThingsboardMqttX509TrustManager(x509Tm, deviceCredentialsService);
}
static class ThingsboardMqttX509TrustManager implements X509TrustManager {
@@ -136,18 +135,22 @@ public class MqttSslHandlerProvider {
@Override
public void checkClientTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
+ DeviceCredentials deviceCredentials = null;
for (X509Certificate cert : chain) {
try {
String strCert = SslUtil.getX509CertificateString(cert);
String sha3Hash = EncryptionUtil.getSha3Hash(strCert);
- DeviceCredentials deviceCredentials = deviceCredentialsService.findDeviceCredentialsByCredentialsId(sha3Hash);
- if (deviceCredentials == null) {
- throw new CertificateException("Invalid Device Certificate");
+ deviceCredentials = deviceCredentialsService.findDeviceCredentialsByCredentialsId(sha3Hash);
+ if (deviceCredentials != null && strCert.equals(deviceCredentials.getCredentialsValue())) {
+ break;
}
} catch (IOException e) {
- e.printStackTrace();
+ log.error(e.getMessage(), e);
}
}
+ if (deviceCredentials == null) {
+ throw new CertificateException("Invalid Device Certificate");
+ }
}
}
}
diff --git a/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/util/SslUtil.java b/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/util/SslUtil.java
index 8fdf721cd4..d1ea59b7c1 100644
--- a/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/util/SslUtil.java
+++ b/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/util/SslUtil.java
@@ -16,6 +16,7 @@
package org.thingsboard.server.transport.mqtt.util;
import lombok.extern.slf4j.Slf4j;
+import org.thingsboard.server.dao.EncryptionUtil;
import sun.misc.BASE64Encoder;
import java.io.ByteArrayOutputStream;
@@ -32,11 +33,12 @@ public class SslUtil {
private SslUtil() {
}
- public static String getX509CertificateString(X509Certificate cert) throws CertificateEncodingException, IOException {
+ public static String getX509CertificateString(X509Certificate cert)
+ throws CertificateEncodingException, IOException {
ByteArrayOutputStream out = new ByteArrayOutputStream();
BASE64Encoder encoder = new BASE64Encoder();
encoder.encodeBuffer(cert.getEncoded(), out);
- return new String(out.toByteArray(), "UTF-8").trim();
+ return EncryptionUtil.trimNewLines(new String(out.toByteArray(), "UTF-8"));
}
public static String getX509CertificateString(javax.security.cert.X509Certificate cert)
@@ -44,6 +46,6 @@ public class SslUtil {
ByteArrayOutputStream out = new ByteArrayOutputStream();
BASE64Encoder encoder = new BASE64Encoder();
encoder.encodeBuffer(cert.getEncoded(), out);
- return new String(out.toByteArray(), "UTF-8").trim();
+ return EncryptionUtil.trimNewLines(new String(out.toByteArray(), "UTF-8"));
}
}
diff --git a/ui/src/app/device/device-credentials.controller.js b/ui/src/app/device/device-credentials.controller.js
index 315bc08318..537df5d1bb 100644
--- a/ui/src/app/device/device-credentials.controller.js
+++ b/ui/src/app/device/device-credentials.controller.js
@@ -52,13 +52,16 @@ export default function ManageDeviceCredentialsController(deviceService, $scope,
function valid() {
return vm.deviceCredentials &&
(vm.deviceCredentials.credentialsType === 'ACCESS_TOKEN'
- || vm.deviceCredentials.credentialsType === 'X509_CERTIFICATE')
- &&
- vm.deviceCredentials.credentialsId && vm.deviceCredentials.credentialsId.length > 0;
+ && vm.deviceCredentials.credentialsId
+ && vm.deviceCredentials.credentialsId.length > 0
+ || vm.deviceCredentials.credentialsType === 'X509_CERTIFICATE'
+ && vm.deviceCredentials.credentialsValue
+ && vm.deviceCredentials.credentialsValue.length > 0);
}
function clear() {
vm.deviceCredentials.credentialsId = null;
+ vm.deviceCredentials.credentialsValue = null;
}
function save() {
diff --git a/ui/src/app/device/device-credentials.tpl.html b/ui/src/app/device/device-credentials.tpl.html
index f74f71fd42..9dd4553b08 100644
--- a/ui/src/app/device/device-credentials.tpl.html
+++ b/ui/src/app/device/device-credentials.tpl.html
@@ -51,7 +51,7 @@