From 8f3d033dccb00abcdd2d1fa4f37c0f977b2f2517 Mon Sep 17 00:00:00 2001 From: nickAS21 Date: Sat, 13 Feb 2021 17:40:58 +0200 Subject: [PATCH] Lwm2m: back: start DTLS -one bootstrap 4 security --- application/src/main/resources/logback.xml | 5 +- .../src/main/resources/thingsboard.yml | 25 +- ...TransportBootstrapServerConfiguration.java | 94 ++++--- .../LwM2MTransportServerConfiguration.java | 109 ++++---- .../LwM2MTransportServerInitializer.java | 2 +- .../resources/credentials/serverKeyStore.jks | Bin 3047 -> 3953 bytes .../credentials/shell/lwM2M_credentials.sh | 247 ++++++++---------- .../credentials/shell/lwM2M_keygen.properties | 6 +- .../lwm2m/LwM2MTransportConfigServer.java | 4 +- .../main/data/credentials/serverKeyStore.jks | Bin 3047 -> 3953 bytes .../credentials/shell/lwM2M_credentials.sh | 247 ++++++++---------- .../credentials/shell/lwM2M_keygen.properties | 6 +- .../src/main/resources/tb-lwm2m-transport.yml | 19 +- 13 files changed, 365 insertions(+), 399 deletions(-) diff --git a/application/src/main/resources/logback.xml b/application/src/main/resources/logback.xml index 6d10a74854..25a021c5f0 100644 --- a/application/src/main/resources/logback.xml +++ b/application/src/main/resources/logback.xml @@ -34,6 +34,9 @@ + + + @@ -41,4 +44,4 @@ - \ No newline at end of file + diff --git a/application/src/main/resources/thingsboard.yml b/application/src/main/resources/thingsboard.yml index f90f35a42b..cadabb92ae 100644 --- a/application/src/main/resources/thingsboard.yml +++ b/application/src/main/resources/thingsboard.yml 
@@ -577,7 +577,7 @@ transport:
 # model_path_file: "${LWM2M_MODEL_PATH_FILE:./common/transport/lwm2m/src/main/resources/models/}"
 model_path_file: "${LWM2M_MODEL_PATH_FILE:}"
 recommended_ciphers: "${LWM2M_RECOMMENDED_CIPHERS:false}"
- recommended_supported_groups: "${LWM2M_RECOMMENDED_SUPPORTED_GROUPS:false}"
+ recommended_supported_groups: "${LWM2M_RECOMMENDED_SUPPORTED_GROUPS:true}"
 request_pool_size: "${LWM2M_REQUEST_POOL_SIZE:100}"
 request_error_pool_size: "${LWM2M_REQUEST_ERROR_POOL_SIZE:10}"
 registered_pool_size: "${LWM2M_REGISTERED_POOL_SIZE:10}"
@@ -593,7 +593,7 @@ transport:
 key_store_path_file: "${KEY_STORE_PATH_FILE:}"
 key_store_password: "${LWM2M_KEYSTORE_PASSWORD_SERVER:server_ks_password}"
 root_alias: "${LWM2M_SERVER_ROOT_CA:rootca}"
- enable_gen_psk_rpk: "${ENABLE_GEN_PSK_RPK:true}"
+ enable_gen_new_key_psk_rpk: "${ENABLE_GEN_NEW_KEY_PSK_RPK:false}"
 server:
 id: "${LWM2M_SERVER_ID:123}"
 bind_address: "${LWM2M_BIND_ADDRESS:0.0.0.0}"
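Review bot: The `enable_gen_psk_rpk` key and its `ENABLE_GEN_PSK_RPK` variable are renamed here with no alias and no comment, so a deployment that still exports `ENABLE_GEN_PSK_RPK=true` silently stops regenerating keys and runs on whatever defaults are in the file. A one-line comment above the new key would spare operators the surprise: `# Renamed from enable_gen_psk_rpk / ENABLE_GEN_PSK_RPK; default is now false, so no new PSK/RPK material is generated on start.` The flip of `recommended_supported_groups` to `true` lines up with the removed `!` in the DTLS builders elsewhere in this commit, which looks intentional.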
@@ -602,11 +602,14 @@ transport:
 bind_address_security: "${LWM2M_BIND_ADDRESS_SECURITY:0.0.0.0}"
 bind_port_security: "${LWM2M_BIND_PORT_SECURITY:5686}"
 # Only for RPK: Public & Private Key. If the keystore file is missing or not working
-# create_rpk: "${CREATE_RPK:}"
- public_x: "${LWM2M_SERVER_PUBLIC_X:405354ea8893471d9296afbc8b020a5c6201b0bb25812a53b849d4480fa5f069}"
- public_y: "${LWM2M_SERVER_PUBLIC_Y:30c9237e946a3a1692c1cafaa01a238a077f632c99371348337512363f28212b}"
- private_s: "${LWM2M_SERVER_PRIVATE_S:274671fe40ce937b8a6352cf0a418e8a39e4bf0bb9bf74c910db953c20c73802}"
- # Only Certificate_x509:
+ # create_rpk: "${CREATE_RPK:}"
+# - Public Key (Hex): [ 3059301306072a8648ce3d020106082a8648ce3d03010703420004b47a14ea87ab31cce28f24df0ae0a4cfcdb845134bcd088f2fac393b4d4843d140ebc1bfd8f5e0ec402fb8308c5c07bc380783276a385f89ef0da0b1a2545c25 ]
+# - Private Key (Hex): [ 3041020100301306072a8648ce3d020106082a8648ce3d030107042730250201010420b65b265abfb9e67be12a7699c13123cf081c72c974688fb4faba82be129ef367 ],
+# - Elliptic Curve parameters: [ secp256r1 [ NIST P-256, X9.62 prime256v1 ] (1.2.840.10045.3.1.7) ]
+ public_x: "${LWM2M_SERVER_PUBLIC_X:b47a14ea87ab31cce28f24df0ae0a4cfcdb845134bcd088f2fac393b4d4843d1}"
+ public_y: "${LWM2M_SERVER_PUBLIC_Y:40ebc1bfd8f5e0ec402fb8308c5c07bc380783276a385f89ef0da0b1a2545c25}"
+ private_s: "${LWM2M_SERVER_PRIVATE_S:b65b265abfb9e67be12a7699c13123cf081c72c974688fb4faba82be129ef367}"
+ # Only Certificate_x509:
 alias: "${LWM2M_KEYSTORE_ALIAS_SERVER:server}"
 bootstrap:
 enable: "${LWM2M_BOOTSTRAP_ENABLED:true}"
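Review bot: The new `private_s` default and the `# - Private Key (Hex)` comment above it commit the server's RPK private key to version control, and the comment two lines up says this value is used whenever the keystore is missing or broken — a server that hits that fallback authenticates with a key that everyone with repository access already holds. Ship no default for the scalar, `private_s: "${LWM2M_SERVER_PRIVATE_S:}"`, and have the RPK path refuse to start when it is empty instead of falling through; delete the `# - Private Key (Hex)` line entirely (the public-key and curve comment lines are harmless). If a development-only key is wanted it belongs in a sample or test profile, not in the default configuration.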
@@ -617,10 +620,10 @@ transport:
 bind_address_security: "${LWM2M_BIND_ADDRESS_BS:0.0.0.0}"
 bind_port_security: "${LWM2M_BIND_PORT_SEC_BS:5688}"
 # Only for RPK: Public & Private Key. If the keystore file is missing or not working
- public_x: "${LWM2M_SERVER_PUBLIC_X_BS:993ef2b698c6a9c0c1d8be78b13a9383c0854c7c7c7a504d289b403794648183}"
- public_y: "${LWM2M_SERVER_PUBLIC_Y_BS:267412d5fc4e5ceb2257cb7fd7f76ebdac2fa9aa100afb162e990074cc0bfaa2}"
- private_s: "${LWM2M_SERVER_PRIVATE_S_BS:9dbdbb073fc63570693a9aaf1013414e261c571f27e27fc6a8c1c2ad9347875a}"
- # Only Certificate_x509:
+ public_x: "${LWM2M_SERVER_PUBLIC_X_BS:f6e4e77f76296472bd72acfb6b2dd26fd858042f9075b44b45e2ebeb41cae387}"
+ public_y: "${LWM2M_SERVER_PUBLIC_Y_BS:3e97534c6b833639f71916041b0596ecd616748d81174d19c59ef02bbb21c822}"
+ private_s: "${LWM2M_SERVER_PRIVATE_S_BS:3e97534c6b833639f71916041b0596ecd616748d81174d19c59ef02bbb21c822}"
+ # Only Certificate_x509:
 alias: "${LWM2M_KEYSTORE_ALIAS_BOOTSTRAP:bootstrap}"
 # Redis
 redis_url: "${LWM2M_REDIS_URL:''}"
diff --git a/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/bootstrap/LwM2MTransportBootstrapServerConfiguration.java b/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/bootstrap/LwM2MTransportBootstrapServerConfiguration.java
index ecc8e7c83e..80d3187cc0 100644
--- a/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/bootstrap/LwM2MTransportBootstrapServerConfiguration.java
+++ b/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/bootstrap/LwM2MTransportBootstrapServerConfiguration.java
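Review bot: The new bootstrap `private_s` default (`3e97534c6b83…bb21c822`) is byte-for-byte the same hex as the `public_y` default on the line above it, which reads as a copy-paste slip: the scalar cannot correspond to the advertised public point, so the bootstrap RPK fallback either fails to build the key pair or presents one that cannot complete a DTLS handshake (which of the two depends on how the loader validates the pair, not visible here). Independently of the typo, the objection from the server block applies: a private key with a committed default is a shared secret. Suggest `private_s: "${LWM2M_SERVER_PRIVATE_S_BS:}"` with a start-up check for an empty value, and regenerate the bootstrap pair since this one is now public.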
@@ -52,7 +52,15 @@ import java.security.spec.InvalidParameterSpecException;
 import java.security.spec.KeySpec;
 import java.util.Arrays;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8;
 import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
 import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_PSK_WITH_AES_128_CBC_SHA256;
 import static org.thingsboard.server.transport.lwm2m.server.LwM2MTransportHandler.getCoapConfig;
@@ -62,6 +70,7 @@ import static org.thingsboard.server.transport.lwm2m.server.LwM2MTransportHandle
 public class LwM2MTransportBootstrapServerConfiguration {
 private PublicKey publicKey;
 private PrivateKey privateKey;
+ private boolean pskMode = false;
 @Autowired
 private LwM2MTransportContextBootstrap contextBs;
@@ -105,9 +114,24 @@ public class LwM2MTransportBootstrapServerConfiguration {
 /** Create and Set DTLS Config */
 DtlsConnectorConfig.Builder dtlsConfig = new DtlsConnectorConfig.Builder();
- dtlsConfig.setRecommendedSupportedGroupsOnly(!this.contextS.getCtxServer().isRecommendedSupportedGroups());
+ dtlsConfig.setRecommendedSupportedGroupsOnly(this.contextS.getCtxServer().isRecommendedSupportedGroups());
 dtlsConfig.setRecommendedCipherSuitesOnly(this.contextS.getCtxServer().isRecommendedCiphers());
- dtlsConfig.setSupportedCipherSuites(TLS_PSK_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
+ if (this.pskMode) {
+ dtlsConfig.setSupportedCipherSuites(TLS_PSK_WITH_AES_128_CBC_SHA256);
+ }
+ else {
+// dtlsConfig.setSupportedCipherSuites(TLS_PSK_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
+ dtlsConfig.setSupportedCipherSuites(TLS_PSK_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384);
+ }
 /** Set DTLS Config */
 builder.setDtlsConfig(dtlsConfig);
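Review bot: In PSK mode the bootstrap server is restricted to `TLS_PSK_WITH_AES_128_CBC_SHA256` alone, but the suite LwM2M requires PSK clients to implement is `TLS_PSK_WITH_AES_128_CCM_8`, so a constrained client that offers only the mandatory suite cannot bootstrap at all once this branch is taken. The certificate/RPK list also adds `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` (SHA-1 MAC, CBC) and other CBC suites that Scandium does not mark as recommended; as far as I recall `setSupportedCipherSuites` throws an IllegalArgumentException for those when `recommended_ciphers` is true, and with the shipped default of false the server will negotiate the weakest entry a client picks — worth checking against the Scandium version in use. `this.pskMode` is read here but only assigned in the credential branch later in this file; if that branch runs after this block the flag is always false at this point (the call order is outside the hunk). Suggest `dtlsConfig.setSupportedCipherSuites(TLS_PSK_WITH_AES_128_CCM_8, TLS_PSK_WITH_AES_128_CBC_SHA256);` for PSK mode (importing the constant alongside the others), dropping the `_CBC_SHA` entry, and removing the commented-out call.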
@@ -133,14 +157,16 @@ public class LwM2MTransportBootstrapServerConfiguration {
 /** by default trust all */
 builder.setTrustedCertificates(new X509Certificate[0]);
 }
- } else if (this.setServerRPK(builder)) {
- this.infoParamsServerRPK();
- } else {
- /** by default trust all */
- builder.setTrustedCertificates(new X509Certificate[0]);
- log.info("Unable to load X509 files for BootStrapServer");
- this.infoParamsServerPSK();
 }
+ } else if (this.setServerRPK(builder)) {
+ this.infoPramsUri("RPK");
+ this.infoParamsBootstrapServerKey(this.publicKey, this.privateKey);
+ } else {
+ /** by default trust all */
+ builder.setTrustedCertificates(new X509Certificate[0]);
+ log.info("Unable to load X509 files for BootStrapServer");
+ this.pskMode = true;
+ this.infoPramsUri("PSK");
 }
 } catch (KeyStoreException ex) {
 log.error("[{}] Unable to load X509 files server", ex.getMessage());
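Review bot: The fallback branch switches the bootstrap server to PSK mode and installs an empty trust store (`setTrustedCertificates(new X509Certificate[0])`, which the comment itself calls "trust all") whenever RPK setup fails, yet announces it with `log.info`; an operator who configured certificate or RPK security and mistyped a keystore path ends up with a server running in a weaker mode and nothing in the log at warning level. Raise it to `log.warn("Unable to load X509/RPK credentials for BootStrapServer, falling back to PSK mode with an empty trust store");` and consider failing start-up when a certificate mode was explicitly requested. The brace shuffle also moves the RPK/PSK fallback from the inner condition to the outer one, so it now runs only when the outer `if` (not visible in the hunk) is false; please double-check that is the intended trigger.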
@@ -175,15 +201,23 @@ public class LwM2MTransportBootstrapServerConfiguration {
 private void infoParamsServerX509(X509Certificate certificate, PublicKey publicKey, PrivateKey privateKey) {
 try {
- log.info("Bootstrap Server uses X509 : \n X509 Certificate (Hex): [{}] \n Public Key (Hex): [{}] \n Private Key (Hex): [{}]",
- Hex.encodeHexString(certificate.getEncoded()),
- Hex.encodeHexString(publicKey.getEncoded()),
- Hex.encodeHexString(privateKey.getEncoded()));
+ this.infoPramsUri("X509");
+ log.info("\n- X509 Certificate (Hex): [{}]",
+ Hex.encodeHexString(certificate.getEncoded()));
+ this.infoParamsBootstrapServerKey(publicKey, privateKey);
 } catch (CertificateEncodingException e) {
 log.error("", e);
 }
 }
+ private void infoPramsUri(String mode) {
+ log.info("Bootstrap Server uses [{}]: serverNoSecureURI : [{}], serverSecureURI : [{}]",
+ mode,
+ this.contextBs.getCtxBootStrap().getBootstrapHost() + ":" + this.contextBs.getCtxBootStrap().getBootstrapPortNoSec(),
+ this.contextBs.getCtxBootStrap().getBootstrapHostSecurity() + ":" + this.contextBs.getCtxBootStrap().getBootstrapPortSecurity());
+ }
+
+
 private boolean setServerRPK(LeshanBootstrapServerBuilder builder) {
 try {
 this.generateKeyForBootstrapRPK();
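Review bot: `infoPramsUri` is misspelled — `infoParamsUri` — and the same typo is introduced in the server configuration class in this commit; renaming now costs nothing, later it is a two-file change. Separately, `infoParamsServerX509` now routes the private key through `infoParamsBootstrapServerKey`, which writes it to the log; nothing in the X509 path needs the private key logged, so pass only what is needed for the public-key lines or drop that call here. A one-line Javadoc on the new method, `/** Logs the non-secure and secure bind addresses of the bootstrap server for the given security mode. */`, would also help.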
@@ -231,41 +265,31 @@ public class LwM2MTransportBootstrapServerConfiguration {
 }
 }
- private void infoParamsServerRPK() {
+ private void infoParamsBootstrapServerKey(PublicKey publicKey, PrivateKey privateKey) {
 /** Get x coordinate */
- byte[] x = ((ECPublicKey) this.publicKey).getW().getAffineX().toByteArray();
+ byte[] x = ((ECPublicKey) publicKey).getW().getAffineX().toByteArray();
 if (x[0] == 0) x = Arrays.copyOfRange(x, 1, x.length);
 /** Get Y coordinate */
- byte[] y = ((ECPublicKey) this.publicKey).getW().getAffineY().toByteArray();
+ byte[] y = ((ECPublicKey) publicKey).getW().getAffineY().toByteArray();
 if (y[0] == 0) y = Arrays.copyOfRange(y, 1, y.length);
 /** Get Curves params */
- String params = ((ECPublicKey) this.publicKey).getParams().toString();
- String privHex = Hex.encodeHexString(this.privateKey.getEncoded());
- log.info("Server uses RPK -> serverNoSecureURI : [{}], serverSecureURI : [{}], \n" +
- "Public Key (Hex): [{}] \n" +
- "Private Key (Hex): [{}], \n" +
- "- public_x : [{}] \n" +
- "- public_y : [{}] \n" +
- "- private_s : [{}] \n" +
+ String params = ((ECPublicKey) publicKey).getParams().toString();
+ String privHex = Hex.encodeHexString(privateKey.getEncoded());
+ log.info("\n- Public Key (Hex): [{}] \n" +
+ "- Private Key (Hex): [{}], \n" +
+ "public_x: \"${LWM2M_SERVER_PUBLIC_X_BS:{}}\" \n" +
+ "public_y: \"${LWM2M_SERVER_PUBLIC_Y_BS:{}}\" \n" +
+ "private_s: \"${LWM2M_SERVER_PRIVATE_S_BS:{}}\" \n" +
 "- Elliptic Curve parameters : [{}]",
- this.contextBs.getCtxBootStrap().getBootstrapHost() + ":" + this.contextBs.getCtxBootStrap().getBootstrapPortNoSec(),
- this.contextBs.getCtxBootStrap().getBootstrapHostSecurity() + ":" + this.contextBs.getCtxBootStrap().getBootstrapPortSecurity(),
- Hex.encodeHexString(this.publicKey.getEncoded()),
- Hex.encodeHexString(this.privateKey.getEncoded()),
+ Hex.encodeHexString(publicKey.getEncoded()),
+ Hex.encodeHexString(privateKey.getEncoded()),
 Hex.encodeHexString(x),
 Hex.encodeHexString(y),
 privHex.substring(privHex.length() - 64),
 params);
 }
-
- private void infoParamsServerPSK() {
- log.info("Server uses PSK -> serverNoSecureURI : [{}], serverSecureURI : [{}]",
- this.contextBs.getCtxBootStrap().getBootstrapHost() + ":" + this.contextBs.getCtxBootStrap().getBootstrapPortNoSec(),
- this.contextBs.getCtxBootStrap().getBootstrapHostSecurity() + ":" + this.contextBs.getCtxBootStrap().getBootstrapPortSecurity());
- }
-
 }
diff --git a/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/server/LwM2MTransportServerConfiguration.java b/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/server/LwM2MTransportServerConfiguration.java
index 48ff2adc51..fbe25028f1 100644
--- a/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/server/LwM2MTransportServerConfiguration.java
+++ b/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/server/LwM2MTransportServerConfiguration.java
@@ -19,7 +19,6 @@ import lombok.extern.slf4j.Slf4j;
 import org.eclipse.californium.scandium.config.DtlsConnectorConfig;
 import org.eclipse.leshan.core.node.codec.DefaultLwM2mNodeDecoder;
 import org.eclipse.leshan.core.node.codec.DefaultLwM2mNodeEncoder;
-import org.eclipse.leshan.core.node.codec.LwM2mNodeDecoder;
 import org.eclipse.leshan.core.util.Hex;
 import org.eclipse.leshan.server.californium.LeshanServer;
 import org.eclipse.leshan.server.californium.LeshanServerBuilder;
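Review bot: `infoParamsBootstrapServerKey` writes the bootstrap server's DTLS private key to the application log at INFO level twice — as DER hex in `- Private Key (Hex): [{}]` and as a ready-to-paste `private_s: "${LWM2M_SERVER_PRIVATE_S_BS:…}"` line — so anyone with read access to the log pipeline can impersonate the bootstrap server; since this commit also turned off key generation by default, that key is long-lived. Log the public key and curve only, and if the yaml snippet is meant as an operator aid, emit the private scalar once behind an explicit opt-in rather than on every start. There is also a formatting bug independent of that: after the leading-zero strip a coordinate whose big-endian encoding is shorter than 32 bytes produces 62 hex characters rather than 64, so `public_x`/`public_y` would be wrong for roughly one key in 256 — left-pad `x` and `y` to 32 bytes before `Hex.encodeHexString`. `privHex.substring(privHex.length() - 64)` relies on the PKCS#8 encoding ending with the raw scalar, which matches the key shown in the yaml comments but deserves a comment saying so.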
@@ -54,7 +53,15 @@ import java.security.spec.InvalidParameterSpecException;
 import java.security.spec.KeySpec;
 import java.util.Arrays;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8;
 import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8;
+import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
 import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_PSK_WITH_AES_128_CBC_SHA256;
 import static org.thingsboard.server.transport.lwm2m.server.LwM2MTransportHandler.getCoapConfig;
@@ -64,6 +71,7 @@ import static org.thingsboard.server.transport.lwm2m.server.LwM2MTransportHandle
 public class LwM2MTransportServerConfiguration {
 private PublicKey publicKey;
 private PrivateKey privateKey;
+ private boolean pskMode = false;
 @Autowired
 private LwM2MTransportContextServer context;
@@ -81,9 +89,8 @@ public class LwM2MTransportServerConfiguration {
 LeshanServerBuilder builder = new LeshanServerBuilder();
 builder.setLocalAddress(this.context.getCtxServer().getServerHost(), serverPortNoSec);
 builder.setLocalSecureAddress(this.context.getCtxServer().getServerHostSecurity(), serverSecurePort);
- builder.setEncoder(new DefaultLwM2mNodeEncoder());
- LwM2mNodeDecoder decoder = new DefaultLwM2mNodeDecoder();
- builder.setDecoder(decoder);
+ builder.setDecoder(new DefaultLwM2mNodeDecoder());
+ /** Use a magic converter to support bad type send by the UI. */
 builder.setEncoder(new DefaultLwM2mNodeEncoder(LwM2mValueConverterImpl.getInstance()));
 /** Create CoAP Config */
@@ -102,17 +109,30 @@ public class LwM2MTransportServerConfiguration {
 /** Create DTLS Config */
 DtlsConnectorConfig.Builder dtlsConfig = new DtlsConnectorConfig.Builder();
- dtlsConfig.setRecommendedSupportedGroupsOnly(!this.context.getCtxServer().isRecommendedSupportedGroups());
+ dtlsConfig.setRecommendedSupportedGroupsOnly(this.context.getCtxServer().isRecommendedSupportedGroups());
 dtlsConfig.setRecommendedCipherSuitesOnly(this.context.getCtxServer().isRecommendedCiphers());
- dtlsConfig.setSupportedCipherSuites(TLS_PSK_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
+ if (this.pskMode) {
+ dtlsConfig.setSupportedCipherSuites(TLS_PSK_WITH_AES_128_CBC_SHA256);
+ }
+ else {
+// dtlsConfig.setSupportedCipherSuites(TLS_PSK_WITH_AES_128_CBC_SHA256,
+// TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256);
+ dtlsConfig.setSupportedCipherSuites(TLS_PSK_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384);
+ }
+
 /** Set DTLS Config */
 builder.setDtlsConfig(dtlsConfig);
- /** Use a magic converter to support bad type send by the UI. */
- builder.setEncoder(new DefaultLwM2mNodeEncoder(LwM2mValueConverterImpl.getInstance()));
-
- /** Create LWM2M server */
 return builder.build();
 }
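Review bot: As in the bootstrap builder, PSK mode here offers only `TLS_PSK_WITH_AES_128_CBC_SHA256`, not the LwM2M-mandated `TLS_PSK_WITH_AES_128_CCM_8`, so PSK-only devices that implement just the mandatory suite will fail the handshake against this server. The expanded list also includes `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` and other CBC suites that Scandium does not flag as recommended; if I remember the builder correctly, combining them with `recommended_ciphers=true` throws at configuration time, and with the default of false the server accepts SHA-1/CBC when a client prefers it — please verify against the Scandium version on the classpath. `this.pskMode` is read here but assigned only in the credential branch further down; whether that branch has run by the time the DTLS config is built is not visible in the hunk. Suggest `dtlsConfig.setSupportedCipherSuites(TLS_PSK_WITH_AES_128_CCM_8, TLS_PSK_WITH_AES_128_CBC_SHA256);` for PSK mode (with the matching static import), removing the `_CBC_SHA` entry and the two commented-out lines.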
@@ -138,14 +158,16 @@ public class LwM2MTransportServerConfiguration {
 return endpoint.startsWith(expectedX509CommonName);
 }
 }));
- } else if (this.setServerRPK(builder)) {
- this.infoParamsServerRPK();
- } else {
- /** by default trust all */
- builder.setTrustedCertificates(new X509Certificate[0]);
- log.info("Unable to load X509 files for LWM2MServer");
- this.infoParamsServerPSK();
 }
+ } else if (this.setServerRPK(builder)) {
+ this.infoPramsUri("RPK");
+ this.infoParamsServerKey(this.publicKey, this.privateKey);
+ } else {
+ /** by default trust all */
+ builder.setTrustedCertificates(new X509Certificate[0]);
+ log.info("Unable to load X509 files for LWM2MServer");
+ this.pskMode = true;
+ this.infoPramsUri("PSK");
 }
 } catch (KeyStoreException ex) {
 log.error("[{}] Unable to load X509 files server", ex.getMessage());
@@ -169,8 +191,7 @@ public class LwM2MTransportServerConfiguration {
 builder.setCertificateChain(new X509Certificate[]{serverCertificate});
 this.infoParamsServerX509(serverCertificate, publicKey, privateKey);
 return true;
- }
- else {
+ } else {
 return false;
 }
 } catch (Exception ex) {
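Review bot: The new fallback silently moves the LwM2M server to PSK mode with an empty trust store (`setTrustedCertificates(new X509Certificate[0])`, "trust all" per the comment) whenever the RPK setup fails, and records it with `log.info`; a misconfigured keystore path therefore degrades the security mode of the device-facing endpoint without a warning. Use `log.warn("Unable to load X509/RPK credentials for LWM2MServer, falling back to PSK mode with an empty trust store");` and consider refusing to start when an X509 or RPK mode was explicitly configured. The restructured braces also make the RPK/PSK branch hang off the outer `if` instead of the inner one; the outer condition is outside the hunk, so please confirm the fallback still triggers in the cases you intend.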
@@ -181,15 +202,22 @@ public class LwM2MTransportServerConfiguration {
 private void infoParamsServerX509(X509Certificate certificate, PublicKey publicKey, PrivateKey privateKey) {
 try {
- log.info("Server uses X509 : \n X509 Certificate (Hex): [{}] \n Public Key (Hex): [{}] \n Private Key (Hex): [{}]",
- Hex.encodeHexString(certificate.getEncoded()),
- Hex.encodeHexString(publicKey.getEncoded()),
- Hex.encodeHexString(privateKey.getEncoded()));
+ infoPramsUri("X509");
+ log.info("\n- X509 Certificate (Hex): [{}]",
+ Hex.encodeHexString(certificate.getEncoded()));
+ this.infoParamsServerKey(publicKey, privateKey);
 } catch (CertificateEncodingException e) {
 log.error("", e);
 }
 }
+ private void infoPramsUri(String mode) {
+ log.info("Server uses [{}]: serverNoSecureURI : [{}], serverSecureURI : [{}]",
+ mode,
+ this.context.getCtxServer().getServerHost() + ":" + this.context.getCtxServer().getServerPortNoSec(),
+ this.context.getCtxServer().getServerHostSecurity() + ":" + this.context.getCtxServer().getServerPortSecurity());
+ }
+
 private boolean setServerRPK(LeshanServerBuilder builder) {
 try {
 this.generateKeyForRPK();
@@ -207,7 +235,7 @@ public class LwM2MTransportServerConfiguration {
 /**
- * From yml^ server
+ * From yml: server
 * public_x: "${LWM2M_SERVER_PUBLIC_X:405354ea8893471d9296afbc8b020a5c6201b0bb25812a53b849d4480fa5f069}"
 * public_y: "${LWM2M_SERVER_PUBLIC_Y:30c9237e946a3a1692c1cafaa01a238a077f632c99371348337512363f28212b}"
 * private_s: "${LWM2M_SERVER_PRIVATE_S:274671fe40ce937b8a6352cf0a418e8a39e4bf0bb9bf74c910db953c20c73802}"
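Review bot: The Javadoc touched in the `@@ -207` hunk still quotes the old `405354ea…`, `30c9237e…` and `274671fe…` key values that this same commit replaced in thingsboard.yml, so the comment now documents a key pair that no longer exists, and it embeds a private scalar in source for no reason. Reduce it to the key names and their origin, e.g. `* Reads public_x, public_y and private_s from transport.lwm2m.server in thingsboard.yml (hex, P-256).`, so it cannot drift again. `infoPramsUri` should be `infoParamsUri` (the same typo appears in the bootstrap class), and the `infoPramsUri("X509")` call is the only one in the file without a `this.` prefix, which is a small consistency nit.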
@@ -241,41 +269,32 @@ public class LwM2MTransportServerConfiguration {
 }
 }
- private void infoParamsServerRPK() {
+ private void infoParamsServerKey(PublicKey publicKey, PrivateKey privateKey) {
 /** Get x coordinate */
- byte[] x = ((ECPublicKey) this.publicKey).getW().getAffineX().toByteArray();
+ byte[] x = ((ECPublicKey) publicKey).getW().getAffineX().toByteArray();
 if (x[0] == 0) x = Arrays.copyOfRange(x, 1, x.length);
 /** Get Y coordinate */
- byte[] y = ((ECPublicKey) this.publicKey).getW().getAffineY().toByteArray();
+ byte[] y = ((ECPublicKey) publicKey).getW().getAffineY().toByteArray();
 if (y[0] == 0) y = Arrays.copyOfRange(y, 1, y.length);
 /** Get Curves params */
- String params = ((ECPublicKey) this.publicKey).getParams().toString();
- String privHex = Hex.encodeHexString(this.privateKey.getEncoded());
- log.info("Server uses RPK -> serverNoSecureURI : [{}], serverSecureURI : [{}], \n" +
- "Public Key (Hex): [{}] \n" +
- "Private Key (Hex): [{}], \n" +
- "- public_x : [{}] \n" +
- "- public_y : [{}] \n" +
- "- private_s : [{}] \n" +
+ String params = ((ECPublicKey) publicKey).getParams().toString();
+ String privHex = Hex.encodeHexString(privateKey.getEncoded());
+ log.info(" \n- Public Key (Hex): [{}] \n" +
+ "- Private Key (Hex): [{}], \n" +
+ "public_x: \"${LWM2M_SERVER_PUBLIC_X:{}}\" \n" +
+ "public_y: \"${LWM2M_SERVER_PUBLIC_Y:{}}\" \n" +
+ "private_s: \"${LWM2M_SERVER_PRIVATE_S:{}}\" \n" +
 "- Elliptic Curve parameters : [{}]",
- this.context.getCtxServer().getServerHost() + ":" + this.context.getCtxServer().getServerPortNoSec(),
- this.context.getCtxServer().getServerHostSecurity() + ":" + this.context.getCtxServer().getServerPortSecurity(),
- Hex.encodeHexString(this.publicKey.getEncoded()),
- Hex.encodeHexString(this.privateKey.getEncoded()),
+ Hex.encodeHexString(publicKey.getEncoded()),
+ privHex,
 Hex.encodeHexString(x),
 Hex.encodeHexString(y),
 privHex.substring(privHex.length() - 64),
 params);
 }
- private void infoParamsServerPSK() {
- log.info("Server uses PSK -> serverNoSecureURI : [{}], serverSecureURI : [{}]",
- this.context.getCtxServer().getServerHost() + ":" + Integer.toString(this.context.getCtxServer().getServerPortNoSec()),
- this.context.getCtxServer().getServerHostSecurity() + ":" + Integer.toString(this.context.getCtxServer().getServerPortSecurity()));
- }
-
 }
diff --git a/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/server/LwM2MTransportServerInitializer.java b/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/server/LwM2MTransportServerInitializer.java
index b62287a845..2805fd7f91 100644
--- a/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/server/LwM2MTransportServerInitializer.java
+++ b/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/server/LwM2MTransportServerInitializer.java
@@ -41,7 +41,7 @@ public class LwM2MTransportServerInitializer {
 @PostConstruct
 public void init() {
- if (this.context.getCtxServer().getEnableGenPskRpk()) {
+ if (this.context.getCtxServer().getEnableGenNewKeyPskRpk()) {
 new LWM2MGenerationPSkRPkECC();
 }
 this.startLhServer();
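Review bot: `infoParamsServerKey` logs the LwM2M server's DTLS private key at INFO level, both as the full PKCS#8 hex (`- Private Key (Hex): [{}]`, fed from `privHex`) and as a paste-ready `private_s: "${LWM2M_SERVER_PRIVATE_S:…}"` line, on every start-up; anyone who can read the log store can then impersonate the server to every device. Keep the public key, coordinates and curve in the log and move the private scalar behind an explicit one-off opt-in, or drop it entirely — the X509 path also reaches this method and never needs it. The coordinate handling has the same padding gap as the bootstrap copy: after stripping a leading zero byte, a coordinate shorter than 32 bytes yields 62 hex characters, so `public_x`/`public_y` must be left-padded to 32 bytes before `Hex.encodeHexString`. The method's enclosing class ends inside the hunk, so the closing brace shuffle at the end is complete here.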
diff --git a/common/transport/lwm2m/src/main/resources/credentials/serverKeyStore.jks b/common/transport/lwm2m/src/main/resources/credentials/serverKeyStore.jks index 5fcb65d351bb46660fe699b5544ca74a92b745ad..9f6748f8fdab7179b895eccd71421fe1565d27db 100644 GIT binary patch literal 3953 zcma))bx;%z)5nh^B?XQyLAp7*Bo*X91*AKVQc}9^C}}tZ36TTzM~5Ouheyj1(nv@i zDIBE-2s}Q|JUR3J@y^cd&V0YSJF}lzNjS|jAOWEyoQ9v|mTK996TyMHe`IY*H~||8#XqMg$q9f+*pMWwUs8yK{9odq)oetdQ_gGR z4T$BWB#}?2jlIAsRq*>YAR(aV2@xzeO6mvpf_l~}$|iUS+@DFL!`c`rL3iVH33RkI z=qKJZ`i__}yg#mJT$p9k*|&Rj?ra%XsPymxNh@R)swj7DXeIOetTIxEP?-5L%rCoN zF4U4Jw6rn4pc7tZ|I8zt9i9G#(tkZ*oFObGf1+^_`Hd4(M?0A9rg+PGJoHeLHT?DS zH)o)pU!uEL%A)S4d3!%}%Q=g;q|_zZ{(bi?kQ6m1CBPrx0`LO_{yj@_|HovI0uj+Y zb${k^M@mjg8Vr_GkognfKX|zRUwHUvtLoTn^?(F;d4|c|#!RD^36}rD(@1`yU^VT? zcq>QwDOo0DO-Qcm7|ES!e_)-BWttCJ4TB45T?uCQbQ{)vSyGlggmh4Mey^NU4vJwx zt0}H9N;J;9e>u;AdY$qzumhnM5z!5jrjKbQjkU~&NX{CCU$1xZ$3UJ_1O{cn<_BuF@A;U6gvNC5a#5dU!q{^zSm{{B@5 zqaVw*18nZhAq5TN!r^?x`60Ldfh`(NX`X&{*YuvMzbr;-oq2D8xr~ze1^0luS$_VR z@G>W*_6-UCWN}JGHsX~o%|08LV}ceTWS5RuGUacV|9JCR$y6IVXn#?{uIbGLFIEFz zH@`4A9NT0?h`>#*vWhMW5JLfXxQuE#^q+f-73@}*6q4JV!y^Dj(h}*?9=|ZZjOOX@TWg`*-rHslT&z#A{?JLjz7%R<0?-7l? 
z(uIQmH~Eh;dw4>Rt)DhJ4aBxLYsd!Tj@S;~=br;E~UlRlfYA#wIDnY*cJHk?A$X_!DTKJIDGnPLYb8IO+ z0Di~_@fYv1ItVu783@uJj`qqsn4D!c%7L#=NT(${VeftI^H#pYkAzJ#)x2x*HlDW< z9#b}u^NMrE5XLxN=l)yXq$eG!Ym-_GD-P%Xe4F-Y@X@jQ+xceiGD*6e$NQIU*jZG~ zkv&kudzx8&!#>rUd=ia#7<3w#C{4|3^ME0RN2ZL>eCi4cXRYmN?;xG?U6-*JhGVNXx19E+pW7#w0zJX^( zmEoq8Q@#F9^mb~c)v}E>1LKpXUs@lO{6CCs=p`&1`*B2+U+=r*wh|}uDi>y~a46bk zgQEP&6Z|_l7V%=`1AL*YJeZ+7McWc~N{S-wJR1ZsGFJyx-jw$X!)jmO;}z81*M5BS zVyh~~uVS&L#P)UltDeoHAfF7jTHn)inBrUdQp|j5sto< zUv-wE)Pc00z~I3cYclNEFji0-r(r#|~ zQLEh?u-w}tthGy9qp%&N)E&U>6TP}u`rT0N1ytb zx`>;D_*LIh?aKQ&Fh?^N_^`B~>q<@I zHM?)P(XWcGK3K}#=k=xbS-?2olV(rIgQkA}c3WA}5aV0TV(3?Vl>;^yjh95rxx-7{ z_~~+TxgeoOY2W5>18$MyWagRXgbc5#xd;tt?Fk*!n@E3i<|l7uRvFo?tYPdsVAHHh z*v8Hp`?M(h@|9g2&E7;IC%2)Ot`(oHDF_g?+F$*>z9{ml0|?Mb(v5=0le9EJ`E+ND zsxH3A=~CI=G=8BfVWI1&s^(+pwqS;=Yz~F@-|T7Kaj>>%vw0>NEP^%r>#m&jI^Sm} zFv0tr

40jr534wW+TuJ(Cs7Q%)W)AJBo6f;K;Qwo!mdGJ;5{-1h?-_~g4bR_-(T z&Q`67N1Bc3G2sOTH=`bHhTEms7Oy}n3ucS-%qS?)jtXazgdfkI_>?DSmvD!^yzets zG=t*UP3Ue}e*x(8^Jin3-tMW<1Cw~|9C1}cwK@Id!&;!iNZtTx(YeAixpk}1=o-Jc z2fyAiBr`hppf|h_Y@C(fyHJNgSrSI^!yEL^hEAbn+a93cZ7ejuz$)u1#lmXXm>V?R(4?DTAMCKKR@N7>+1{(2wqfNqL~-v?V>gFjVe(Amg0)@G z95aerOk*>i+*ITKOHgLj7Ak+_(rBreOs$vRl<8IsWb3o6r$GJTDYNX zxO|m|kz#@5CuN+*$hh`+1$~>7?cmjytoyAZczI13H%yu<>l2_ARlVFLpvR4XC*xlXfI<};D5W4TQ$PFjf5_3e{wk>3&>N? zPG`JqK%3@1Z;pK6;4#8G2nim}p0MCaUR^YqIHGdCzWw4utf;VYM&59}mN|M%e0%I7 zWaVSw#9|y!79DatnqscfxdSA|%Q2Ge<1{;>UJgpq~ z>sLz!wY)$<_i9lMrT$?93X)H|;~yhV2DN1}F%U_8XSR zIN@4#(@F1Afi^b%;r?Ac19tTl|3tV-&C8m>Wj_C3W+Mr7w%^~~yiGPoP1#a_bAOy))@gWujk4zq5Bf#WZ_xgQ@CZn8U zYRMW#+_N&ujfFX_B=1RbOWqj@a9=h5Hud7R{P5(1tii3;CYAyFqiyAbcHe$&e<~{eXI00_ zK;O+mIp34J{!eu|V#c1ApErBnq?=vh58p02HPPL@Cs4WWRn2zGgU2)`xpA|H{fF9&}#EIXUoFOWKd}+X&}zV z9LmDXBaoAyoS2i5UtFS41Pn1}M?(<Rg~9&8>E(< zhsC=xvkaz)gNGZ$Rq#*BNh~fgFa!cqizp!12#IS@ zV<=-F1#y}%!fEixgjqo&*F_o#v$2DNiHQ*!Ud)W_%uWm}eG(JS`A$if;Qnp)I8Vgx z-x`Mr%Qkv!Vrys;`o&fxG$n1W^=*Znz6aPZ-&r|t1@~dwoZP78wt`!PXSC&}C`~=M zxbeI};~9g-RY1SVDzh{$GH9INAR^kg%5|xSn2pm^}xKXANFo~sxA`vtN!xoTlZJ~p1)h$r>@a_x?Q>%+c}w! z{c)`G78@BD81RGAg)k%Ie->5)W*~)>P_QLv%!H!IuxHol8)tqg{pft;|IW~_X40Oi zPk0pXYICn(?c8xC`5F_GLXm|IOY>3v3@PQ?@&b7`?>z42TXbdB9r@P1_48Ah-US1T zJw^t$;?$zD)FNmRAAq}vU#_}zrrW{iHFkS0{+K&|p7G1Ta;X((^wwLQtN1%vzojDX z%pHB3Z;WX*ci+^qzxa}RZ(We-ijM|cb}c9~-060DD|b1SEPn5XQY-HY{7T~hOF8O|j=gRV5A%{|U}w$5-S?lFUSs_9`cs$jeGU8fQ%qX=9hyy;cJ5O87oq5r_uIv!(rRT#Qfax* zOfIgoyyfR2P>cAzz>KjIh~uCcL*s-}g=VDHALMWzzygF|5sy7%Kw@&>%6E?R7FC~f zMLWVXH~c%$%~RxX*I2*%?fyd5Z?i9)IX&?~q}ifr6Zy`~`Qv#{+Am4^j70Pwo!RXd zOB}znGMoFXAKK;n*?$JCU*B$6T=DXy_~z(~oH7zeW*{dgW={qKH(=@A9McukC%?gP zm0yHf!jYq=#gkK(FFFuAIUqq}Lz_QWJ5b54tL8iV+=(I7bWkP!@_?Q6r&%|6OzBoZ!55>@!0g!m?Fwyq&Y8_b&hv_R)g? 
diff --git a/common/transport/lwm2m/src/main/resources/credentials/shell/lwM2M_credentials.sh b/common/transport/lwm2m/src/main/resources/credentials/shell/lwM2M_credentials.sh
index 3167cca2b5..dcf38b4f10 100755
--- a/common/transport/lwm2m/src/main/resources/credentials/shell/lwM2M_credentials.sh
+++ b/common/transport/lwm2m/src/main/resources/credentials/shell/lwM2M_credentials.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 #
 # Copyright © 2016-2021 The Thingsboard Authors
 #
@@ -15,77 +15,35 @@ # limitations under the License. # -#p) CLIENT_CN=LwX50900000000 +#/home/nick/Igor_project/Thingsboard_Perfrmance_test/performance-tests/src/main/resources/credentials/shell/lwM2M_credentials.sh -p LwX509 -s 0 -f 2000 -a client_alias_ -e client_self_signed_ -b bootstrap -d server -j serverKeyStore.jks -k clientKeyStore.jks -c client_ks_password -w server_ks_password + +#p) CLIENT_CN=$CLIENT_PREFIX00000000 #s) client_start=0 #f) client_finish=1 -#a) CLIENT_ALIAS=client_alias_00000000 +#a) CLIENT_ALIAS=CLIENT_ALIAS_PREFIX_00000000 +#e) CLIENT_SELF_ALIAS=CLIENT_SELF_ALIAS_PREFIX_00000000 #b) BOOTSTRAP_ALIAS=bootstrap #d) SERVER_ALIAS=server #j) SERVER_STORE=serverKeyStore.jks #k) CLIENT_STORE=clientKeyStore.jks #c) CLIENT_STORE_PWD=client_ks_password #w) SERVER_STORE_PWD=server_ks_password +#l) ROOT_KEY_ALIAS=root_key_alias -#while test $# -gt 0; do -# case "$1" in -# -h|--help) -# echo "$package - attempt to capture frames" -# echo " " -# echo "$package [options] application [arguments]" -# echo " " -# echo "options:" -# echo "-h, --help show brief help" -# echo "-a, --action=ACTION specify an action to use" -# echo "-o, --output-dir=DIR specify a directory to store output in" -# exit 0 -# ;; -# -a) -# shift -# if test $# -gt 0; then -# export PROCESS=$1 -# else -# echo "no process specified" -# exit 1 -# fi -# shift -# ;; -# --action*) -# export PROCESS=`echo $1 | sed -e 's/^[^=]*=//g'` -# shift -# ;; -# -o) -# shift -# if test $# -gt 0; then -# export OUTPUT=$1 -# else -# echo "no output dir specified" -# exit 1 -# fi -# shift -# ;; -# --output-dir*) -# export OUTPUT=`echo $1 | sed -e 's/^[^=]*=//g'` -# shift -# ;; -# *) -# break -# ;; -# esac -#done - - -while getopts p:s:f:a:b:d:j:k:c:w: flag; do +while getopts p:s:f:a:e:b:d:j:k:c:w:l: flag; do case "${flag}" in - p) client_prefix=${OPTARG} ;; + p) client_pref=${OPTARG} ;; s) client_start=${OPTARG} ;; f) client_finish=${OPTARG} ;; - a) client_alias=${OPTARG} ;; + a) client_alias_pref=${OPTARG} 
;; + e) client_self_alias_pref=${OPTARG} ;; b) bootstrap_alias=${OPTARG} ;; d) server_alias=${OPTARG} ;; j) key_store_server_file=${OPTARG} ;; k) key_store_client_file=${OPTARG} ;; c) client_key_store_pwd=${OPTARG} ;; w) server_key_store_pwd=${OPTARG} ;; + w) root_key_alias=${OPTARG} ;; esac done @@ -96,9 +54,8 @@ cd $script_dir # source the properties: . ./lwM2M_keygen.properties - -if [ -n "$client_prefix" ]; then - CLIENT_PREFIX=$client_prefix +if [ -n "$client_pref" ]; then + CLIENT_PREFIX=$client_pref fi if [ -z "$client_start" ]; then @@ -109,8 +66,12 @@ if [ -z "$client_finish" ]; then client_finish=1 fi -if [ -n "$client_alias" ]; then - CLIENT_ALIAS=$client_alias +if [ -n "$client_alias_pref" ]; then + CLIENT_ALIAS_PREFIX=$client_alias_pref +fi + +if [ -n "$client_self_alias_pref" ]; then + CLIENT_SELF_ALIAS_PREFIX=$client_self_alias_pref fi if [ -n "$bootstrap_alias" ]; then 
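Review bot: The option string gains `l:`, but the `case` has two `w)` arms and no `l)`; the first matching arm wins, so `-w` still sets `server_key_store_pwd` and `-l` matches nothing, which means `ROOT_KEY_ALIAS` can never be overridden from the command line despite the new `#l) ROOT_KEY_ALIAS=` line in the usage header. Change the second arm to `l) root_key_alias=${OPTARG} ;;`. The `#/home/nick/Igor_project/…` example is a developer's absolute path and should be a relative invocation such as `# ./lwM2M_credentials.sh -p LwX509 -s 0 -f 2000 -a client_alias_ …`. A trailing `*) echo "unknown option"; exit 1 ;;` arm would also stop a typo in the flags from being ignored silently.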
@@ -137,23 +98,37 @@ if [ -n "$server_key_store_pwd" ]; then SERVER_STORE_PWD=$server_key_store_pwd fi +if [ -n "$root_key_alias" ]; then + ROOT_KEY_ALIAS=$root_key_alias +fi + +CLIENT_NUMBER=$client_start + echo "==Start==" echo "CLIENT_PREFIX: $CLIENT_PREFIX" echo "client_start: $client_start" echo "client_finish: $client_finish" -echo "CLIENT_ALIAS: $CLIENT_ALIAS" +echo "CLIENT_ALIAS_PREFIX: $CLIENT_ALIAS_PREFIX" +echo "CLIENT_SELF_ALIAS_PREFIX: $CLIENT_SELF_ALIAS_PREFIX" echo "BOOTSTRAP_ALIAS: $BOOTSTRAP_ALIAS" echo "SERVER_ALIAS: $SERVER_ALIAS" echo "SERVER_STORE: $SERVER_STORE" echo "CLIENT_STORE: $CLIENT_STORE" echo "CLIENT_STORE_PWD: $CLIENT_STORE_PWD" echo "SERVER_STORE_PWD: $SERVER_STORE_PWD" +echo "CLIENT_NUMBER: $CLIENT_NUMBER" +echo "ROOT_KEY_ALIAS: $ROOT_KEY_ALIAS" end_point() { echo "$CLIENT_PREFIX$(printf "%08d" $CLIENT_NUMBER)" } + client_alias_point() { - echo "$CLIENT_ALIAS$(printf "%08d" $CLIENT_NUMBER)" + echo "$CLIENT_ALIAS_PREFIX$(printf "%08d" $CLIENT_NUMBER)" +} + +client_self_alias_point() { + echo "$CLIENT_SELF_ALIAS_PREFIX$(printf "%08d" $CLIENT_NUMBER)" } # Generation of the keystore. 
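Review bot: The start-up banner this hunk extends still prints `CLIENT_STORE_PWD` and `SERVER_STORE_PWD` in clear text to stdout (the two context lines just above the new `CLIENT_NUMBER` and `ROOT_KEY_ALIAS` echoes), which ends up in CI logs and terminal scrollback next to the keystores it protects. While touching the block, replace them with `echo "CLIENT_STORE_PWD: ***"` and `echo "SERVER_STORE_PWD: ***"` or drop the two lines. Printing the aliases and the client counter is fine.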
@@ -264,73 +239,30 @@ keytool \ -keystore $SERVER_STORE \ -storepass $SERVER_STORE_PWD -echo -echo "${H1}Client Keystore : ${RESET}" -echo "${H1}==================${RESET}" -#echo "${H2}Creating client key and self-signed certificate with expected CN...${RESET}" -#keytool \ -# -genkeypair \ -# -alias $CLIENT_ALIAS \ -# -keyalg EC \ -# -dname "CN=$CLIENT_SELF_CN, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \ -# -validity $VALIDITY \ -# -storetype $STORETYPE \ -# -keypass $CLIENT_STORE_PWD \ -# -keystore $CLIENT_STORE \ -# -storepass $CLIENT_STORE_PWD -#keytool \ -# -exportcert \ -# -alias $CLIENT_ALIAS \ -# -keystore $CLIENT_STORE \ -# -storepass $CLIENT_STORE_PWD | \ -# keytool \ -# -importcert \ -# -alias $CLIENT_SELF_ALIAS \ -# -keystore $CLIENT_STORE \ -# -storepass $CLIENT_STORE_PWD \ -# -noprompt - -echo -echo "${H2}Import root certificate just to be able to import need by root CA with expected CN...${RESET}" -keytool \ - -exportcert \ - -alias $ROOT_KEY_ALIAS \ - -keystore $SERVER_STORE \ - -storepass $SERVER_STORE_PWD | +if [ "$client_start" -lt "$client_finish" ]; then + echo + echo "${H2}Import root certificate just to be able to import need by root CA with expected CN to $CLIENT_STORE${RESET}" keytool \ - -importcert \ + -exportcert \ -alias $ROOT_KEY_ALIAS \ - -keystore $CLIENT_STORE \ - -storepass $CLIENT_STORE_PWD \ - -noprompt - -#echo -#echo "${H2}Creating client certificate signed by root CA with expected CN...${RESET}" -#keytool \ -# -certreq \ -# -alias $CLIENT_ALIAS \ -# -dname "CN=$CLIENT_CN, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \ -# -keystore $CLIENT_STORE \ -# -storepass $CLIENT_STORE_PWD | \ -# keytool \ -# -gencert \ -# -alias $ROOT_KEY_ALIAS \ -# -keystore $SERVER_STORE \ -# -storepass $SERVER_STORE_PWD \ -# -storetype $STORETYPE \ -# -validity $VALIDITY | \ -# keytool \ -# -importcert \ -# -alias $CLIENT_ALIAS \ -# 
-keystore $CLIENT_STORE \ -# -storepass $CLIENT_STORE_PWD \ -# -noprompt + -keystore $SERVER_STORE \ + -storepass $SERVER_STORE_PWD | + keytool \ + -importcert \ + -alias $ROOT_KEY_ALIAS \ + -keystore $CLIENT_STORE \ + -storepass $CLIENT_STORE_PWD \ + -noprompt +fi cert_end_point() { - echo "${H2}Creating client key and self-signed certificate with expected CN $CLIENT_SELF_CN ${RESET}" + echo + echo "${H1}Client Keystore : ${RESET}" + echo "${H1}==================${RESET}" + echo "${H2}Creating client key and self-signed certificate with expected CN CLIENT_ALIAS: $CLIENT_ALIAS${RESET}" keytool \ -genkeypair \ - -alias $CLIENT_CN_ALIAS \ + -alias $CLIENT_ALIAS \ -keyalg EC \ -dname "CN=$CLIENT_SELF_CN, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \ -validity $VALIDITY \ @@ -340,7 +272,7 @@ cert_end_point() { -storepass $CLIENT_STORE_PWD keytool \ -exportcert \ - -alias $CLIENT_CN_ALIAS \ + -alias $CLIENT_ALIAS \ -keystore $CLIENT_STORE \ -storepass $CLIENT_STORE_PWD | keytool \ 
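Review bot: The new guard `if [ "$client_start" -lt "$client_finish" ]; then` around the root-certificate import relies on the `-s`/`-f` values, which are never checked to be integers; with a non-numeric argument `test -lt` fails with a non-zero status, the import is silently skipped, and the client keystore is later built without the CA entry while the script still exits successfully. Validate once after the defaults are applied, e.g. `case "$client_start$client_finish" in *[!0-9]*) echo "client_start/client_finish must be non-negative integers" >&2; exit 1 ;; esac`, so the same condition repeated in hunks @@ -367 and @@ -393 can be trusted. Separately, the new line `echo "${H2}Creating client key and self-signed certificate with expected CN CLIENT_ALIAS: $CLIENT_ALIAS${RESET}"` reports the alias while the `-dname` two lines below sets `CN=$CLIENT_SELF_CN`; saying `CN: $CLIENT_SELF_CN` would make the log match the certificate. `cert_end_point` continues past the end of this hunk, and the transport/lwm2m copy of this hunk has the same two points.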
@@ -349,13 +281,28 @@ cert_end_point() { -keystore $CLIENT_STORE \ -storepass $CLIENT_STORE_PWD \ -noprompt +# +# echo +# echo "${H2}Import root certificate just to be able to import ned by root CA with expected CN...${RESET}" +# keytool \ +# -exportcert \ +# -alias $ROOT_KEY_ALIAS \ +# -keystore $SERVER_STORE \ +# -storepass $SERVER_STORE_PWD | +# keytool \ +# -importcert \ +# -alias $ROOT_KEY_ALIAS \ +# -keystore $CLIENT_STORE \ +# -storepass $CLIENT_STORE_PWD \ +# -noprompt +# echo - echo "${H2}Creating client certificate signed by root CA with expected $CLIENT_CN_NAME ${RESET}" + echo "${H2}Creating client certificate signed by root CA with expected CN CLIENT_ALIAS: $CLIENT_ALIAS CLIENT_CN: $CLIENT_CN${RESET}" keytool \ -certreq \ - -alias $CLIENT_CN_ALIAS \ - -dname "CN=$CLIENT_CN_NAME, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \ + -alias $CLIENT_ALIAS \ + -dname "CN=$CLIENT_CN, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \ -keystore $CLIENT_STORE \ -storepass $CLIENT_STORE_PWD | keytool \ 
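Review bot: The fifteen new `#`-prefixed lines inside `cert_end_point` are a commented-out copy of the root-certificate import that this same commit moves to a live block before the function (hunk @@ -264), so they are dead code that will drift from the real one (they already carry the typo `ned by root CA`). Drop the commented block; if the intent is to record why the import is no longer done per client, one comment such as `# root CA is imported into $CLIENT_STORE once, before the per-client loop` says it without duplicating the commands. `cert_end_point` starts and ends outside this hunk, and the transport/lwm2m copy of this hunk has the same block.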
@@ -367,22 +314,30 @@ cert_end_point() { -validity $VALIDITY | keytool \ -importcert \ - -alias $CLIENT_CN_ALIAS \ + -alias $CLIENT_ALIAS \ -keystore $CLIENT_STORE \ -storepass $CLIENT_STORE_PWD \ -noprompt } -while [ "$CLIENT_NUMBER" != "$client_finish" ]; do - CLIENT_CN_NAME=$(end_point) - CLIENT_CN_ALIAS=$(client_alias_point) - echo "$CLIENT_CN_NAME" - echo "$CLIENT_CN_ALIAS" - cert_end_point - CLIENT_NUMBER=$(($CLIENT_NUMBER + 1)) - echo "number $CLIENT_NUMBER" - echo "finish $client_finish" -done +if [ "$client_start" -lt "$client_finish" ]; then + echo "Файл содержит, как минимум, одно слово Bash." + echo + echo "==Start Client==" + while [ "$CLIENT_NUMBER" -lt "$client_finish" ]; do + echo "number $CLIENT_NUMBER" + echo "finish $client_finish" + CLIENT_CN=$(end_point) + CLIENT_ALIAS=$(client_alias_point) + CLIENT_SELF_ALIAS=$(client_self_alias_point) + echo "CLIENT_CN $CLIENT_CN" + echo "CLIENT_ALIAS $CLIENT_ALIAS" + echo "CLIENT_SELF_ALIAS $CLIENT_SELF_ALIAS" + cert_end_point + CLIENT_NUMBER=$(($CLIENT_NUMBER + 1)) + echo + done +fi echo echo "${H0}!!! Warning ${H2}Migrate ${H1}${SERVER_STORE} ${H2}to ${H1}PKCS12 ${H2}which is an industry standard format..${RESET}" @@ -393,11 +348,13 @@ keytool \ -deststoretype pkcs12 \ -srcstorepass $SERVER_STORE_PWD -echo -echo "${H0}!!! Warning ${H2}Migrate ${H1}${CLIENT_STORE} ${H2}to ${H1}PKCS12 ${H2}which is an industry standard format..${RESET}" -keytool \ - -importkeystore \ - -srckeystore $CLIENT_STORE \ - -destkeystore $CLIENT_STORE \ - -deststoretype pkcs12 \ - -srcstorepass $CLIENT_STORE_PWD +if [ "$client_start" -lt "$client_finish" ]; then + echo + echo "${H0}!!! Warning ${H2}Migrate ${H1}${CLIENT_STORE} ${H2}to ${H1}PKCS12 ${H2}which is an industry standard format..${RESET}" + keytool \ + -importkeystore \ + -srckeystore $CLIENT_STORE \ + -destkeystore $CLIENT_STORE \ + -deststoretype pkcs12 \ + -srcstorepass $CLIENT_STORE_PWD +fi 
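Review bot: The new client loop in hunk @@ -367 begins with `echo "Файл содержит, как минимум, одно слово Bash."` (Russian for "the file contains at least one word Bash"), a debugging leftover unrelated to key generation that will be printed on every run; remove that line. In hunk @@ -393 the re-indented `-srcstorepass $CLIENT_STORE_PWD`, like the other `-storepass`/`-keypass` arguments in this script, passes the keystore password on the keytool command line, where it is visible to other local users through the process list while keytool runs; keytool accepts the `:env` and `:file` modifiers on its password options, so after `export CLIENT_STORE_PWD` the call can use `-srcstorepass:env CLIENT_STORE_PWD` instead. The transport/lwm2m copy carries the same two hunks.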
diff --git a/common/transport/lwm2m/src/main/resources/credentials/shell/lwM2M_keygen.properties b/common/transport/lwm2m/src/main/resources/credentials/shell/lwM2M_keygen.properties
index 18f851e4dd..7b3cd9c09a 100644
--- a/common/transport/lwm2m/src/main/resources/credentials/shell/lwM2M_keygen.properties
+++ b/common/transport/lwm2m/src/main/resources/credentials/shell/lwM2M_keygen.properties
@@ -41,9 +41,9 @@ BOOTSTRAP_SELF_CN="$DOMAIN_SUFFIX bootstrap server LwM2M self-signed"
 # Client
 CLIENT_STORE=clientKeyStore1.jks
 CLIENT_STORE_PWD=client_ks_password1
-CLIENT_ALIAS=client_alias_1
-CLIENT_PREFIX=LwX509_
-CLIENT_SELF_ALIAS=client_self_signed
+CLIENT_ALIAS_PREFIX=client_alias_1
+CLIENT_PREFIX=LwX509___
+CLIENT_SELF_ALIAS_PREFIX=client_self_signed_1
 CLIENT_SELF_CN="$DOMAIN_SUFFIX client LwM2M self-signed"
 # Color output stuff
diff --git a/common/transport/transport-api/src/main/java/org/thingsboard/server/common/transport/lwm2m/LwM2MTransportConfigServer.java b/common/transport/transport-api/src/main/java/org/thingsboard/server/common/transport/lwm2m/LwM2MTransportConfigServer.java
index 9894cb79ea..0d4df60248 100644
--- a/common/transport/transport-api/src/main/java/org/thingsboard/server/common/transport/lwm2m/LwM2MTransportConfigServer.java
+++ b/common/transport/transport-api/src/main/java/org/thingsboard/server/common/transport/lwm2m/LwM2MTransportConfigServer.java
@@ -147,8 +147,8 @@ public class LwM2MTransportConfigServer {
 private String rootAlias;
 @Getter
- @Value("${transport.lwm2m.secure.enable_gen_psk_rpk:}")
- private Boolean enableGenPskRpk;
+ @Value("${transport.lwm2m.secure.enable_gen_new_key_psk_rpk:}")
+ private Boolean enableGenNewKeyPskRpk;
 @Getter
 @Value("${transport.lwm2m.server.id:}")
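Review bot: The new defaults `CLIENT_ALIAS_PREFIX=client_alias_1` and `CLIENT_SELF_ALIAS_PREFIX=client_self_signed_1` end in a digit, and the script appends `printf "%08d" $CLIENT_NUMBER` directly to the prefix, so the first generated aliases read `client_alias_100000000` and `client_self_signed_100000000`, where the keystore index fuses with the client number. The usage example in the script passes prefixes that end in an underscore (`-a client_alias_ -e client_self_signed_`); make the defaults match, e.g. `CLIENT_ALIAS_PREFIX=client_alias_1_` and `CLIENT_SELF_ALIAS_PREFIX=client_self_signed_1_`, and confirm that the triple underscore in `CLIENT_PREFIX=LwX509___` is intended rather than a slip from the previous `LwX509_`. The same hunk appears in transport/lwm2m/src/main/data/credentials/shell/lwM2M_keygen.properties.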
diff --git a/transport/lwm2m/src/main/data/credentials/serverKeyStore.jks b/transport/lwm2m/src/main/data/credentials/serverKeyStore.jks index 5fcb65d351bb46660fe699b5544ca74a92b745ad..9f6748f8fdab7179b895eccd71421fe1565d27db 100644 GIT binary patch literal 3953 zcma))bx;%z)5nh^B?XQyLAp7*Bo*X91*AKVQc}9^C}}tZ36TTzM~5Ouheyj1(nv@i zDIBE-2s}Q|JUR3J@y^cd&V0YSJF}lzNjS|jAOWEyoQ9v|mTK996TyMHe`IY*H~||8#XqMg$q9f+*pMWwUs8yK{9odq)oetdQ_gGR z4T$BWB#}?2jlIAsRq*>YAR(aV2@xzeO6mvpf_l~}$|iUS+@DFL!`c`rL3iVH33RkI z=qKJZ`i__}yg#mJT$p9k*|&Rj?ra%XsPymxNh@R)swj7DXeIOetTIxEP?-5L%rCoN zF4U4Jw6rn4pc7tZ|I8zt9i9G#(tkZ*oFObGf1+^_`Hd4(M?0A9rg+PGJoHeLHT?DS zH)o)pU!uEL%A)S4d3!%}%Q=g;q|_zZ{(bi?kQ6m1CBPrx0`LO_{yj@_|HovI0uj+Y zb${k^M@mjg8Vr_GkognfKX|zRUwHUvtLoTn^?(F;d4|c|#!RD^36}rD(@1`yU^VT? zcq>QwDOo0DO-Qcm7|ES!e_)-BWttCJ4TB45T?uCQbQ{)vSyGlggmh4Mey^NU4vJwx zt0}H9N;J;9e>u;AdY$qzumhnM5z!5jrjKbQjkU~&NX{CCU$1xZ$3UJ_1O{cn<_BuF@A;U6gvNC5a#5dU!q{^zSm{{B@5 zqaVw*18nZhAq5TN!r^?x`60Ldfh`(NX`X&{*YuvMzbr;-oq2D8xr~ze1^0luS$_VR z@G>W*_6-UCWN}JGHsX~o%|08LV}ceTWS5RuGUacV|9JCR$y6IVXn#?{uIbGLFIEFz zH@`4A9NT0?h`>#*vWhMW5JLfXxQuE#^q+f-73@}*6q4JV!y^Dj(h}*?9=|ZZjOOX@TWg`*-rHslT&z#A{?JLjz7%R<0?-7l? 
z(uIQmH~Eh;dw4>Rt)DhJ4aBxLYsd!Tj@S;~=br;E~UlRlfYA#wIDnY*cJHk?A$X_!DTKJIDGnPLYb8IO+ z0Di~_@fYv1ItVu783@uJj`qqsn4D!c%7L#=NT(${VeftI^H#pYkAzJ#)x2x*HlDW< z9#b}u^NMrE5XLxN=l)yXq$eG!Ym-_GD-P%Xe4F-Y@X@jQ+xceiGD*6e$NQIU*jZG~ zkv&kudzx8&!#>rUd=ia#7<3w#C{4|3^ME0RN2ZL>eCi4cXRYmN?;xG?U6-*JhGVNXx19E+pW7#w0zJX^( zmEoq8Q@#F9^mb~c)v}E>1LKpXUs@lO{6CCs=p`&1`*B2+U+=r*wh|}uDi>y~a46bk zgQEP&6Z|_l7V%=`1AL*YJeZ+7McWc~N{S-wJR1ZsGFJyx-jw$X!)jmO;}z81*M5BS zVyh~~uVS&L#P)UltDeoHAfF7jTHn)inBrUdQp|j5sto< zUv-wE)Pc00z~I3cYclNEFji0-r(r#|~ zQLEh?u-w}tthGy9qp%&N)E&U>6TP}u`rT0N1ytb zx`>;D_*LIh?aKQ&Fh?^N_^`B~>q<@I zHM?)P(XWcGK3K}#=k=xbS-?2olV(rIgQkA}c3WA}5aV0TV(3?Vl>;^yjh95rxx-7{ z_~~+TxgeoOY2W5>18$MyWagRXgbc5#xd;tt?Fk*!n@E3i<|l7uRvFo?tYPdsVAHHh z*v8Hp`?M(h@|9g2&E7;IC%2)Ot`(oHDF_g?+F$*>z9{ml0|?Mb(v5=0le9EJ`E+ND zsxH3A=~CI=G=8BfVWI1&s^(+pwqS;=Yz~F@-|T7Kaj>>%vw0>NEP^%r>#m&jI^Sm} zFv0tr

40jr534wW+TuJ(Cs7Q%)W)AJBo6f;K;Qwo!mdGJ;5{-1h?-_~g4bR_-(T z&Q`67N1Bc3G2sOTH=`bHhTEms7Oy}n3ucS-%qS?)jtXazgdfkI_>?DSmvD!^yzets zG=t*UP3Ue}e*x(8^Jin3-tMW<1Cw~|9C1}cwK@Id!&;!iNZtTx(YeAixpk}1=o-Jc z2fyAiBr`hppf|h_Y@C(fyHJNgSrSI^!yEL^hEAbn+a93cZ7ejuz$)u1#lmXXm>V?R(4?DTAMCKKR@N7>+1{(2wqfNqL~-v?V>gFjVe(Amg0)@G z95aerOk*>i+*ITKOHgLj7Ak+_(rBreOs$vRl<8IsWb3o6r$GJTDYNX zxO|m|kz#@5CuN+*$hh`+1$~>7?cmjytoyAZczI13H%yu<>l2_ARlVFLpvR4XC*xlXfI<};D5W4TQ$PFjf5_3e{wk>3&>N? zPG`JqK%3@1Z;pK6;4#8G2nim}p0MCaUR^YqIHGdCzWw4utf;VYM&59}mN|M%e0%I7 zWaVSw#9|y!79DatnqscfxdSA|%Q2Ge<1{;>UJgpq~ z>sLz!wY)$<_i9lMrT$?93X)H|;~yhV2DN1}F%U_8XSR zIN@4#(@F1Afi^b%;r?Ac19tTl|3tV-&C8m>Wj_C3W+Mr7w%^~~yiGPoP1#a_bAOy))@gWujk4zq5Bf#WZ_xgQ@CZn8U zYRMW#+_N&ujfFX_B=1RbOWqj@a9=h5Hud7R{P5(1tii3;CYAyFqiyAbcHe$&e<~{eXI00_ zK;O+mIp34J{!eu|V#c1ApErBnq?=vh58p02HPPL@Cs4WWRn2zGgU2)`xpA|H{fF9&}#EIXUoFOWKd}+X&}zV z9LmDXBaoAyoS2i5UtFS41Pn1}M?(<Rg~9&8>E(< zhsC=xvkaz)gNGZ$Rq#*BNh~fgFa!cqizp!12#IS@ zV<=-F1#y}%!fEixgjqo&*F_o#v$2DNiHQ*!Ud)W_%uWm}eG(JS`A$if;Qnp)I8Vgx z-x`Mr%Qkv!Vrys;`o&fxG$n1W^=*Znz6aPZ-&r|t1@~dwoZP78wt`!PXSC&}C`~=M zxbeI};~9g-RY1SVDzh{$GH9INAR^kg%5|xSn2pm^}xKXANFo~sxA`vtN!xoTlZJ~p1)h$r>@a_x?Q>%+c}w! z{c)`G78@BD81RGAg)k%Ie->5)W*~)>P_QLv%!H!IuxHol8)tqg{pft;|IW~_X40Oi zPk0pXYICn(?c8xC`5F_GLXm|IOY>3v3@PQ?@&b7`?>z42TXbdB9r@P1_48Ah-US1T zJw^t$;?$zD)FNmRAAq}vU#_}zrrW{iHFkS0{+K&|p7G1Ta;X((^wwLQtN1%vzojDX z%pHB3Z;WX*ci+^qzxa}RZ(We-ijM|cb}c9~-060DD|b1SEPn5XQY-HY{7T~hOF8O|j=gRV5A%{|U}w$5-S?lFUSs_9`cs$jeGU8fQ%qX=9hyy;cJ5O87oq5r_uIv!(rRT#Qfax* zOfIgoyyfR2P>cAzz>KjIh~uCcL*s-}g=VDHALMWzzygF|5sy7%Kw@&>%6E?R7FC~f zMLWVXH~c%$%~RxX*I2*%?fyd5Z?i9)IX&?~q}ifr6Zy`~`Qv#{+Am4^j70Pwo!RXd zOB}znGMoFXAKK;n*?$JCU*B$6T=DXy_~z(~oH7zeW*{dgW={qKH(=@A9McukC%?gP zm0yHf!jYq=#gkK(FFFuAIUqq}Lz_QWJ5b54tL8iV+=(I7bWkP!@_?Q6r&%|6OzBoZ!55>@!0g!m?Fwyq&Y8_b&hv_R)g? diff --git a/transport/lwm2m/src/main/data/credentials/shell/lwM2M_credentials.sh b/transport/lwm2m/src/main/data/credentials/shell/lwM2M_credentials.sh index 3167cca2b5..dcf38b4f10 100755 
--- a/transport/lwm2m/src/main/data/credentials/shell/lwM2M_credentials.sh
+++ b/transport/lwm2m/src/main/data/credentials/shell/lwM2M_credentials.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 #
 # Copyright © 2016-2021 The Thingsboard Authors
 #
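Review bot: Changing the interpreter line to `#!/bin/sh` means the script now runs under dash on Debian-based hosts rather than bash; the constructs visible in the other hunks of this file (`getopts`, `$(( ))`, `printf "%08d"`, `.`-sourcing of the properties file, `case`) are POSIX, but the colour variables `H0`/`H1`/`H2`/`RESET` defined in lwM2M_keygen.properties and the unchanged parts of the script are not visible here and are the usual places where `echo -e` or `[[` would break. Run the script once under `dash` (or `shellcheck -s sh`) before relying on the new shebang; if a bash feature turns out to be needed, keep `#!/bin/bash` rather than a looser shebang.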
@@ -15,77 +15,35 @@ # limitations under the License. # -#p) CLIENT_CN=LwX50900000000 +#/home/nick/Igor_project/Thingsboard_Perfrmance_test/performance-tests/src/main/resources/credentials/shell/lwM2M_credentials.sh -p LwX509 -s 0 -f 2000 -a client_alias_ -e client_self_signed_ -b bootstrap -d server -j serverKeyStore.jks -k clientKeyStore.jks -c client_ks_password -w server_ks_password + +#p) CLIENT_CN=$CLIENT_PREFIX00000000 #s) client_start=0 #f) client_finish=1 -#a) CLIENT_ALIAS=client_alias_00000000 +#a) CLIENT_ALIAS=CLIENT_ALIAS_PREFIX_00000000 +#e) CLIENT_SELF_ALIAS=CLIENT_SELF_ALIAS_PREFIX_00000000 #b) BOOTSTRAP_ALIAS=bootstrap #d) SERVER_ALIAS=server #j) SERVER_STORE=serverKeyStore.jks #k) CLIENT_STORE=clientKeyStore.jks #c) CLIENT_STORE_PWD=client_ks_password #w) SERVER_STORE_PWD=server_ks_password +#l) ROOT_KEY_ALIAS=root_key_alias -#while test $# -gt 0; do -# case "$1" in -# -h|--help) -# echo "$package - attempt to capture frames" -# echo " " -# echo "$package [options] application [arguments]" -# echo " " -# echo "options:" -# echo "-h, --help show brief help" -# echo "-a, --action=ACTION specify an action to use" -# echo "-o, --output-dir=DIR specify a directory to store output in" -# exit 0 -# ;; -# -a) -# shift -# if test $# -gt 0; then -# export PROCESS=$1 -# else -# echo "no process specified" -# exit 1 -# fi -# shift -# ;; -# --action*) -# export PROCESS=`echo $1 | sed -e 's/^[^=]*=//g'` -# shift -# ;; -# -o) -# shift -# if test $# -gt 0; then -# export OUTPUT=$1 -# else -# echo "no output dir specified" -# exit 1 -# fi -# shift -# ;; -# --output-dir*) -# export OUTPUT=`echo $1 | sed -e 's/^[^=]*=//g'` -# shift -# ;; -# *) -# break -# ;; -# esac -#done - - -while getopts p:s:f:a:b:d:j:k:c:w: flag; do +while getopts p:s:f:a:e:b:d:j:k:c:w:l: flag; do case "${flag}" in - p) client_prefix=${OPTARG} ;; + p) client_pref=${OPTARG} ;; s) client_start=${OPTARG} ;; f) client_finish=${OPTARG} ;; - a) client_alias=${OPTARG} ;; + a) client_alias_pref=${OPTARG} 
;; + e) client_self_alias_pref=${OPTARG} ;; b) bootstrap_alias=${OPTARG} ;; d) server_alias=${OPTARG} ;; j) key_store_server_file=${OPTARG} ;; k) key_store_client_file=${OPTARG} ;; c) client_key_store_pwd=${OPTARG} ;; w) server_key_store_pwd=${OPTARG} ;; + w) root_key_alias=${OPTARG} ;; esac done @@ -96,9 +54,8 @@ cd $script_dir # source the properties: . ./lwM2M_keygen.properties - -if [ -n "$client_prefix" ]; then - CLIENT_PREFIX=$client_prefix +if [ -n "$client_pref" ]; then + CLIENT_PREFIX=$client_pref fi if [ -z "$client_start" ]; then @@ -109,8 +66,12 @@ if [ -z "$client_finish" ]; then client_finish=1 fi -if [ -n "$client_alias" ]; then - CLIENT_ALIAS=$client_alias +if [ -n "$client_alias_pref" ]; then + CLIENT_ALIAS_PREFIX=$client_alias_pref +fi + +if [ -n "$client_self_alias_pref" ]; then + CLIENT_SELF_ALIAS_PREFIX=$client_self_alias_pref fi if [ -n "$bootstrap_alias" ]; then 
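Review bot: The added case arm `w) root_key_alias=${OPTARG} ;;` reuses the letter already taken by `w) server_key_store_pwd=${OPTARG} ;;` two lines above it; the first matching arm wins in `case`, so the new `-l` option (declared in the getopts string as `l:` and documented by the new `#l) ROOT_KEY_ALIAS=root_key_alias` comment) is parsed but never assigned, and `ROOT_KEY_ALIAS` silently stays at the value from lwM2M_keygen.properties. Change the new arm to `l) root_key_alias=${OPTARG} ;;`. The new usage-example comment also embeds a developer's absolute home-directory path (`/home/nick/Igor_project/...`); a relative `./lwM2M_credentials.sh -p LwX509 ...` keeps the example usable for everyone. The common/transport copy of this hunk, whose start is outside this view, shows the same duplicated `w)` arm.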
@@ -137,23 +98,37 @@ if [ -n "$server_key_store_pwd" ]; then SERVER_STORE_PWD=$server_key_store_pwd fi +if [ -n "$root_key_alias" ]; then + ROOT_KEY_ALIAS=$root_key_alias +fi + +CLIENT_NUMBER=$client_start + echo "==Start==" echo "CLIENT_PREFIX: $CLIENT_PREFIX" echo "client_start: $client_start" echo "client_finish: $client_finish" -echo "CLIENT_ALIAS: $CLIENT_ALIAS" +echo "CLIENT_ALIAS_PREFIX: $CLIENT_ALIAS_PREFIX" +echo "CLIENT_SELF_ALIAS_PREFIX: $CLIENT_SELF_ALIAS_PREFIX" echo "BOOTSTRAP_ALIAS: $BOOTSTRAP_ALIAS" echo "SERVER_ALIAS: $SERVER_ALIAS" echo "SERVER_STORE: $SERVER_STORE" echo "CLIENT_STORE: $CLIENT_STORE" echo "CLIENT_STORE_PWD: $CLIENT_STORE_PWD" echo "SERVER_STORE_PWD: $SERVER_STORE_PWD" +echo "CLIENT_NUMBER: $CLIENT_NUMBER" +echo "ROOT_KEY_ALIAS: $ROOT_KEY_ALIAS" end_point() { echo "$CLIENT_PREFIX$(printf "%08d" $CLIENT_NUMBER)" } + client_alias_point() { - echo "$CLIENT_ALIAS$(printf "%08d" $CLIENT_NUMBER)" + echo "$CLIENT_ALIAS_PREFIX$(printf "%08d" $CLIENT_NUMBER)" +} + +client_self_alias_point() { + echo "$CLIENT_SELF_ALIAS_PREFIX$(printf "%08d" $CLIENT_NUMBER)" } # Generation of the keystore. 
@@ -264,73 +239,30 @@ keytool \ -keystore $SERVER_STORE \ -storepass $SERVER_STORE_PWD -echo -echo "${H1}Client Keystore : ${RESET}" -echo "${H1}==================${RESET}" -#echo "${H2}Creating client key and self-signed certificate with expected CN...${RESET}" -#keytool \ -# -genkeypair \ -# -alias $CLIENT_ALIAS \ -# -keyalg EC \ -# -dname "CN=$CLIENT_SELF_CN, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \ -# -validity $VALIDITY \ -# -storetype $STORETYPE \ -# -keypass $CLIENT_STORE_PWD \ -# -keystore $CLIENT_STORE \ -# -storepass $CLIENT_STORE_PWD -#keytool \ -# -exportcert \ -# -alias $CLIENT_ALIAS \ -# -keystore $CLIENT_STORE \ -# -storepass $CLIENT_STORE_PWD | \ -# keytool \ -# -importcert \ -# -alias $CLIENT_SELF_ALIAS \ -# -keystore $CLIENT_STORE \ -# -storepass $CLIENT_STORE_PWD \ -# -noprompt - -echo -echo "${H2}Import root certificate just to be able to import need by root CA with expected CN...${RESET}" -keytool \ - -exportcert \ - -alias $ROOT_KEY_ALIAS \ - -keystore $SERVER_STORE \ - -storepass $SERVER_STORE_PWD | +if [ "$client_start" -lt "$client_finish" ]; then + echo + echo "${H2}Import root certificate just to be able to import need by root CA with expected CN to $CLIENT_STORE${RESET}" keytool \ - -importcert \ + -exportcert \ -alias $ROOT_KEY_ALIAS \ - -keystore $CLIENT_STORE \ - -storepass $CLIENT_STORE_PWD \ - -noprompt - -#echo -#echo "${H2}Creating client certificate signed by root CA with expected CN...${RESET}" -#keytool \ -# -certreq \ -# -alias $CLIENT_ALIAS \ -# -dname "CN=$CLIENT_CN, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \ -# -keystore $CLIENT_STORE \ -# -storepass $CLIENT_STORE_PWD | \ -# keytool \ -# -gencert \ -# -alias $ROOT_KEY_ALIAS \ -# -keystore $SERVER_STORE \ -# -storepass $SERVER_STORE_PWD \ -# -storetype $STORETYPE \ -# -validity $VALIDITY | \ -# keytool \ -# -importcert \ -# -alias $CLIENT_ALIAS \ -# 
-keystore $CLIENT_STORE \ -# -storepass $CLIENT_STORE_PWD \ -# -noprompt + -keystore $SERVER_STORE \ + -storepass $SERVER_STORE_PWD | + keytool \ + -importcert \ + -alias $ROOT_KEY_ALIAS \ + -keystore $CLIENT_STORE \ + -storepass $CLIENT_STORE_PWD \ + -noprompt +fi cert_end_point() { - echo "${H2}Creating client key and self-signed certificate with expected CN $CLIENT_SELF_CN ${RESET}" + echo + echo "${H1}Client Keystore : ${RESET}" + echo "${H1}==================${RESET}" + echo "${H2}Creating client key and self-signed certificate with expected CN CLIENT_ALIAS: $CLIENT_ALIAS${RESET}" keytool \ -genkeypair \ - -alias $CLIENT_CN_ALIAS \ + -alias $CLIENT_ALIAS \ -keyalg EC \ -dname "CN=$CLIENT_SELF_CN, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \ -validity $VALIDITY \ @@ -340,7 +272,7 @@ cert_end_point() { -storepass $CLIENT_STORE_PWD keytool \ -exportcert \ - -alias $CLIENT_CN_ALIAS \ + -alias $CLIENT_ALIAS \ -keystore $CLIENT_STORE \ -storepass $CLIENT_STORE_PWD | keytool \ 
@@ -349,13 +281,28 @@ cert_end_point() { -keystore $CLIENT_STORE \ -storepass $CLIENT_STORE_PWD \ -noprompt +# +# echo +# echo "${H2}Import root certificate just to be able to import ned by root CA with expected CN...${RESET}" +# keytool \ +# -exportcert \ +# -alias $ROOT_KEY_ALIAS \ +# -keystore $SERVER_STORE \ +# -storepass $SERVER_STORE_PWD | +# keytool \ +# -importcert \ +# -alias $ROOT_KEY_ALIAS \ +# -keystore $CLIENT_STORE \ +# -storepass $CLIENT_STORE_PWD \ +# -noprompt +# echo - echo "${H2}Creating client certificate signed by root CA with expected $CLIENT_CN_NAME ${RESET}" + echo "${H2}Creating client certificate signed by root CA with expected CN CLIENT_ALIAS: $CLIENT_ALIAS CLIENT_CN: $CLIENT_CN${RESET}" keytool \ -certreq \ - -alias $CLIENT_CN_ALIAS \ - -dname "CN=$CLIENT_CN_NAME, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \ + -alias $CLIENT_ALIAS \ + -dname "CN=$CLIENT_CN, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \ -keystore $CLIENT_STORE \ -storepass $CLIENT_STORE_PWD | keytool \ 
@@ -367,22 +314,30 @@ cert_end_point() { -validity $VALIDITY | keytool \ -importcert \ - -alias $CLIENT_CN_ALIAS \ + -alias $CLIENT_ALIAS \ -keystore $CLIENT_STORE \ -storepass $CLIENT_STORE_PWD \ -noprompt } -while [ "$CLIENT_NUMBER" != "$client_finish" ]; do - CLIENT_CN_NAME=$(end_point) - CLIENT_CN_ALIAS=$(client_alias_point) - echo "$CLIENT_CN_NAME" - echo "$CLIENT_CN_ALIAS" - cert_end_point - CLIENT_NUMBER=$(($CLIENT_NUMBER + 1)) - echo "number $CLIENT_NUMBER" - echo "finish $client_finish" -done +if [ "$client_start" -lt "$client_finish" ]; then + echo "Файл содержит, как минимум, одно слово Bash." + echo + echo "==Start Client==" + while [ "$CLIENT_NUMBER" -lt "$client_finish" ]; do + echo "number $CLIENT_NUMBER" + echo "finish $client_finish" + CLIENT_CN=$(end_point) + CLIENT_ALIAS=$(client_alias_point) + CLIENT_SELF_ALIAS=$(client_self_alias_point) + echo "CLIENT_CN $CLIENT_CN" + echo "CLIENT_ALIAS $CLIENT_ALIAS" + echo "CLIENT_SELF_ALIAS $CLIENT_SELF_ALIAS" + cert_end_point + CLIENT_NUMBER=$(($CLIENT_NUMBER + 1)) + echo + done +fi echo echo "${H0}!!! Warning ${H2}Migrate ${H1}${SERVER_STORE} ${H2}to ${H1}PKCS12 ${H2}which is an industry standard format..${RESET}" @@ -393,11 +348,13 @@ keytool \ -deststoretype pkcs12 \ -srcstorepass $SERVER_STORE_PWD -echo -echo "${H0}!!! Warning ${H2}Migrate ${H1}${CLIENT_STORE} ${H2}to ${H1}PKCS12 ${H2}which is an industry standard format..${RESET}" -keytool \ - -importkeystore \ - -srckeystore $CLIENT_STORE \ - -destkeystore $CLIENT_STORE \ - -deststoretype pkcs12 \ - -srcstorepass $CLIENT_STORE_PWD +if [ "$client_start" -lt "$client_finish" ]; then + echo + echo "${H0}!!! Warning ${H2}Migrate ${H1}${CLIENT_STORE} ${H2}to ${H1}PKCS12 ${H2}which is an industry standard format..${RESET}" + keytool \ + -importkeystore \ + -srckeystore $CLIENT_STORE \ + -destkeystore $CLIENT_STORE \ + -deststoretype pkcs12 \ + -srcstorepass $CLIENT_STORE_PWD +fi 
diff --git a/transport/lwm2m/src/main/data/credentials/shell/lwM2M_keygen.properties b/transport/lwm2m/src/main/data/credentials/shell/lwM2M_keygen.properties
index 18f851e4dd..7b3cd9c09a 100644
--- a/transport/lwm2m/src/main/data/credentials/shell/lwM2M_keygen.properties
+++ b/transport/lwm2m/src/main/data/credentials/shell/lwM2M_keygen.properties
@@ -41,9 +41,9 @@ BOOTSTRAP_SELF_CN="$DOMAIN_SUFFIX bootstrap server LwM2M self-signed"
 # Client
 CLIENT_STORE=clientKeyStore1.jks
 CLIENT_STORE_PWD=client_ks_password1
-CLIENT_ALIAS=client_alias_1
-CLIENT_PREFIX=LwX509_
-CLIENT_SELF_ALIAS=client_self_signed
+CLIENT_ALIAS_PREFIX=client_alias_1
+CLIENT_PREFIX=LwX509___
+CLIENT_SELF_ALIAS_PREFIX=client_self_signed_1
 CLIENT_SELF_CN="$DOMAIN_SUFFIX client LwM2M self-signed"
 # Color output stuff
diff --git a/transport/lwm2m/src/main/resources/tb-lwm2m-transport.yml b/transport/lwm2m/src/main/resources/tb-lwm2m-transport.yml
index ee06cf9a93..1ac5a8a632 100644
--- a/transport/lwm2m/src/main/resources/tb-lwm2m-transport.yml
+++ b/transport/lwm2m/src/main/resources/tb-lwm2m-transport.yml
@@ -53,7 +53,7 @@ transport:
 # model_path_file: "${LWM2M_MODEL_PATH_FILE:./common/transport/lwm2m/src/main/resources/models/}"
 model_path_file: "${LWM2M_MODEL_PATH_FILE:}"
 recommended_ciphers: "${LWM2M_RECOMMENDED_CIPHERS:false}"
- recommended_supported_groups: "${LWM2M_RECOMMENDED_SUPPORTED_GROUPS:false}"
+ recommended_supported_groups: "${LWM2M_RECOMMENDED_SUPPORTED_GROUPS:true}"
 request_pool_size: "${LWM2M_REQUEST_POOL_SIZE:100}"
 request_error_pool_size: "${LWM2M_REQUEST_ERROR_POOL_SIZE:10}"
 registered_pool_size: "${LWM2M_REGISTERED_POOL_SIZE:10}"
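Review bot: The default of `recommended_supported_groups` flips from `false` to `true`, a DTLS negotiation change that nothing in the commit explains; if this value feeds the DTLS stack's "recommended supported groups only" restriction, clients that currently negotiate a non-recommended curve will stop completing the handshake after an upgrade. Add a comment on the key recording the stricter default and the opt-out, e.g. `# true: offer only the EC groups marked recommended; set false only for legacy clients`, and call the behaviour change out in the release notes so operators can check their device fleet before upgrading.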
@@ -69,7 +69,7 @@ transport:
 key_store_path_file: "${KEY_STORE_PATH_FILE:}"
 key_store_password: "${LWM2M_KEYSTORE_PASSWORD_SERVER:server_ks_password}"
 root_alias: "${LWM2M_SERVER_ROOT_CA:rootca}"
- enable_gen_psk_rpk: "${ENABLE_GEN_PSK_RPK:true}"
+ enable_gen_new_key_psk_rpk: "${ENABLE_GEN_NEW_KEY_PSK_RPK:false}"
 server:
 id: "${LWM2M_SERVER_ID:123}"
 bind_address: "${LWM2M_BIND_ADDRESS:0.0.0.0}"
@@ -79,9 +79,12 @@ transport:
 bind_port_security: "${LWM2M_BIND_PORT_SECURITY:5686}"
 # Only for RPK: Public & Private Key. If the keystore file is missing or not working
 # create_rpk: "${CREATE_RPK:}"
- public_x: "${LWM2M_SERVER_PUBLIC_X:405354ea8893471d9296afbc8b020a5c6201b0bb25812a53b849d4480fa5f069}"
- public_y: "${LWM2M_SERVER_PUBLIC_Y:30c9237e946a3a1692c1cafaa01a238a077f632c99371348337512363f28212b}"
- private_s: "${LWM2M_SERVER_PRIVATE_S:274671fe40ce937b8a6352cf0a418e8a39e4bf0bb9bf74c910db953c20c73802}"
+ # - Public Key (Hex): [ 3059301306072a8648ce3d020106082a8648ce3d03010703420004b47a14ea87ab31cce28f24df0ae0a4cfcdb845134bcd088f2fac393b4d4843d140ebc1bfd8f5e0ec402fb8308c5c07bc380783276a385f89ef0da0b1a2545c25 ]
+ # - Private Key (Hex): [ 3041020100301306072a8648ce3d020106082a8648ce3d030107042730250201010420b65b265abfb9e67be12a7699c13123cf081c72c974688fb4faba82be129ef367 ],
+ # - Elliptic Curve parameters: [ secp256r1 [ NIST P-256, X9.62 prime256v1 ] (1.2.840.10045.3.1.7) ]
+ public_x: "${LWM2M_SERVER_PUBLIC_X:b47a14ea87ab31cce28f24df0ae0a4cfcdb845134bcd088f2fac393b4d4843d1}"
+ public_y: "${LWM2M_SERVER_PUBLIC_Y:40ebc1bfd8f5e0ec402fb8308c5c07bc380783276a385f89ef0da0b1a2545c25}"
+ private_s: "${LWM2M_SERVER_PRIVATE_S:b65b265abfb9e67be12a7699c13123cf081c72c974688fb4faba82be129ef367}"
 # Only Certificate_x509:
 alias: "${LWM2M_KEYSTORE_ALIAS_SERVER:server}"
 bootstrap:
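Review bot: The three new comment lines in hunk @@ -79 reproduce the server's full DER-encoded key pair, including `# - Private Key (Hex): [ 3041...ef367 ]`, directly above a `private_s` default that already holds the same scalar, so the RPK private key is now committed twice in a file that ships with the product. Every deployment that does not override `LWM2M_SERVER_PRIVATE_S` presents the same identity, and anyone who can read the repository or the packaged yml can impersonate that server to clients that pinned its public key. Drop the private-key comment (the public-key and curve lines are fine as documentation) and leave `private_s` without a built-in default, `private_s: "${LWM2M_SERVER_PRIVATE_S:}"`, with a comment next to it stating what the server does when the value is empty so an installation has to supply its own key deliberately.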
@@ -93,9 +96,9 @@ transport:
 bind_address_security: "${LWM2M_BIND_ADDRESS_BS:0.0.0.0}"
 bind_port_security: "${LWM2M_BIND_PORT_SEC_BS:5688}"
 # Only for RPK: Public & Private Key. If the keystore file is missing or not working
- public_x: "${LWM2M_SERVER_PUBLIC_X_BS:993ef2b698c6a9c0c1d8be78b13a9383c0854c7c7c7a504d289b403794648183}"
- public_y: "${LWM2M_SERVER_PUBLIC_Y_BS:267412d5fc4e5ceb2257cb7fd7f76ebdac2fa9aa100afb162e990074cc0bfaa2}"
- private_s: "${LWM2M_SERVER_PRIVATE_S_BS:9dbdbb073fc63570693a9aaf1013414e261c571f27e27fc6a8c1c2ad9347875a}"
+ public_x: "${LWM2M_SERVER_PUBLIC_X_BS:f6e4e77f76296472bd72acfb6b2dd26fd858042f9075b44b45e2ebeb41cae387}"
+ public_y: "${LWM2M_SERVER_PUBLIC_Y_BS:3e97534c6b833639f71916041b0596ecd616748d81174d19c59ef02bbb21c822}"
+ private_s: "${LWM2M_SERVER_PRIVATE_S_BS:3e97534c6b833639f71916041b0596ecd616748d81174d19c59ef02bbb21c822}"
 # Only Certificate_x509:
 alias: "${LWM2M_KEYSTORE_ALIAS_BOOTSTRAP:bootstrap}"
 # Redis
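Review bot: The new bootstrap `private_s` default is `3e97534c6b833639f71916041b0596ecd616748d81174d19c59ef02bbb21c822`, the exact value given one line above as `public_y`; an EC private scalar is not the Y coordinate of its own public point, so these three defaults cannot form a key pair, and a bootstrap DTLS session that relies on them (no `LWM2M_SERVER_PRIVATE_S_BS` override) will fail or load a mismatched identity. This reads as a copy-paste slip while transcribing the key: replace the value with the real private scalar belonging to this `public_x`/`public_y`, `private_s: "${LWM2M_SERVER_PRIVATE_S_BS:<bootstrap private scalar>}"`, or, as for the server block on the previous hunk, ship no default at all. A comment such as `# public_x, public_y and private_s must come from the same key pair; regenerate all three together` would make a future mismatch easier to spot in review.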