Merge pull request #8367 from AndriiLandiak/feature/x509-device-provisioning

Fix/X509 device provisioning
2023-04-14 14:05:51 +03:00 · 2023-04-14 14:05:51 +03:00 · 3cfd0daffc
commit 3cfd0daffc
parent 3b5270a29f 1fc8d7a52b
1 changed files with 19 additions and 0 deletions
--- a/common/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java
+++ b/common/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java
@ -141,6 +141,9 @@ public class MqttSslHandlerProvider {

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+            if (!validateCertificateChain(chain)) {
+                throw new CertificateException("Invalid Chain of X509 Certificates. ");
+            }
            String clientDeviceCertValue = SslUtil.getCertificateString(chain[0]);
            final String[] credentialsBodyHolder = new String[1];
            CountDownLatch latch = new CountDownLatch(1);
@ -176,5 +179,21 @@ public class MqttSslHandlerProvider {
                log.error(e.getMessage(), e);
            }
        }
+
+        private boolean validateCertificateChain(X509Certificate[] chain) {
+            try {
+                if (chain.length > 1) {
+                    X509Certificate leafCert = chain[0];
+                    for (int i = 1; i < chain.length; i++) {
+                        X509Certificate intermediateCert = chain[i];
+                        leafCert.verify(intermediateCert.getPublicKey());
+                        leafCert = intermediateCert;
+                    }
+                }
+                return true;
+            } catch (Exception e) {
+                return false;
+            }
+        }
    }
 }