From 3ffb970ecdd402bb6245a8e5270cdf3464ed13d9 Mon Sep 17 00:00:00 2001 From: Valerii Sosliuk Date: Fri, 13 Jan 2017 18:45:48 -0500 Subject: [PATCH] X509 cert saved in db --- .../src/main/resources/thingsboard.yml | 12 +++---- .../server/dao/EncryptionUtil.java | 6 +++- .../device/DeviceCredentialsServiceImpl.java | 10 +++--- tools/src/main/shell/onewaysslmqttclient.py | 1 + tools/src/main/shell/simplemqttclient.py | 1 + .../mqtt/MqttSslHandlerProvider.java | 35 ++++++++++--------- .../server/transport/mqtt/util/SslUtil.java | 8 +++-- .../device/device-credentials.controller.js | 9 +++-- ui/src/app/device/device-credentials.tpl.html | 2 +- 9 files changed, 49 insertions(+), 35 deletions(-) diff --git a/application/src/main/resources/thingsboard.yml b/application/src/main/resources/thingsboard.yml index 976f68821c..f74d30d238 100644 --- a/application/src/main/resources/thingsboard.yml +++ b/application/src/main/resources/thingsboard.yml @@ -77,13 +77,13 @@ mqtt: timeout: "${MQTT_TIMEOUT:10000}" # Uncomment the following lines to enable ssl for MQTT # ssl: -# key-store: keystore/mqttserver.jks -# key-store-password: password -# keyStoreType: JKS +# key_store: keystore/mqttserver.jks +# key_store_password: password +# key_store_type: JKS # TrustStore can be the same as KeyStore -# trust-store: keystore/mqttserver.jks -# trust-store-password: password -# trustStoreType: JKS +# trust_store: keystore/mqttserver.jks +# trust_store_password: password +# trust_store_type: JKS # CoAP server parameters coap: diff --git a/dao/src/main/java/org/thingsboard/server/dao/EncryptionUtil.java b/dao/src/main/java/org/thingsboard/server/dao/EncryptionUtil.java index 71541cc7b2..0ce5ac2f49 100644 --- a/dao/src/main/java/org/thingsboard/server/dao/EncryptionUtil.java +++ b/dao/src/main/java/org/thingsboard/server/dao/EncryptionUtil.java 
@@ -27,8 +27,12 @@ public class EncryptionUtil { private EncryptionUtil() { } + public static String trimNewLines(String input) { + return input.replaceAll("\n","").replaceAll("\r",""); + } + public static String getSha3Hash(String data) { - String trimmedData = data.replaceAll("\n","").replaceAll("\r",""); + String trimmedData = trimNewLines(data); byte[] dataBytes = trimmedData.getBytes(); SHA3Digest md = new SHA3Digest(256); md.reset(); diff --git a/dao/src/main/java/org/thingsboard/server/dao/device/DeviceCredentialsServiceImpl.java b/dao/src/main/java/org/thingsboard/server/dao/device/DeviceCredentialsServiceImpl.java index 2a52b5cd1d..10e329ad4d 100644 --- a/dao/src/main/java/org/thingsboard/server/dao/device/DeviceCredentialsServiceImpl.java +++ b/dao/src/main/java/org/thingsboard/server/dao/device/DeviceCredentialsServiceImpl.java @@ -29,8 +29,6 @@ import org.thingsboard.server.dao.exception.DataValidationException; import org.thingsboard.server.dao.model.DeviceCredentialsEntity; import org.thingsboard.server.dao.service.DataValidator; -import java.util.Optional; - import static org.thingsboard.server.dao.DaoUtil.getData; import static org.thingsboard.server.dao.service.Validator.validateId; import static org.thingsboard.server.dao.service.Validator.validateString; 
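Review bot: `trimNewLines` has no Javadoc although its output is now the canonical form that `getSha3Hash` turns into the credentials lookup key, so the contract should be stated; suggest `/** Removes every CR and LF from {@code input}; used to canonicalise Base64 certificate text before it is hashed and stored, so the stored form and the form presented at connect time compare equal. */`. `replaceAll` compiles a regex for two literal characters each call; `input.replace("\n", "").replace("\r", "")` is the same operation without the regex engine. The method also passes `null` straight through to a NullPointerException, which `formatCertData` in DeviceCredentialsServiceImpl can trigger; a `Objects.requireNonNull(input, "input")` would at least name the argument. Note the unchanged `trimmedData.getBytes()` below still uses the platform default charset, so the stored id is environment-dependent for any non-ASCII input even though Base64 text itself is unaffected.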
@@ -73,16 +71,18 @@ public class DeviceCredentialsServiceImpl implements DeviceCredentialsService { private DeviceCredentials saveOrUpdare(DeviceCredentials deviceCredentials) { if (deviceCredentials.getCredentialsType() == DeviceCredentialsType.X509_CERTIFICATE) { - encryptDeviceId(deviceCredentials); + formatCertData(deviceCredentials); } log.trace("Executing updateDeviceCredentials [{}]", deviceCredentials); credentialsValidator.validate(deviceCredentials); return getData(deviceCredentialsDao.save(deviceCredentials)); } - private void encryptDeviceId(DeviceCredentials deviceCredentials) { - String sha3Hash = EncryptionUtil.getSha3Hash(deviceCredentials.getCredentialsId()); + private void formatCertData(DeviceCredentials deviceCredentials) { + String cert = EncryptionUtil.trimNewLines(deviceCredentials.getCredentialsValue()); + String sha3Hash = EncryptionUtil.getSha3Hash(cert); deviceCredentials.setCredentialsId(sha3Hash); + deviceCredentials.setCredentialsValue(cert); } @Override diff --git a/tools/src/main/shell/onewaysslmqttclient.py b/tools/src/main/shell/onewaysslmqttclient.py index 63d129ee1f..b0824e64d4 100644 --- a/tools/src/main/shell/onewaysslmqttclient.py +++ b/tools/src/main/shell/onewaysslmqttclient.py @@ -1,3 +1,4 @@ +# -*- coding: utf-8 -*- # # Copyright © 2016-2017 The Thingsboard Authors # diff --git a/tools/src/main/shell/simplemqttclient.py b/tools/src/main/shell/simplemqttclient.py index 91b3e3410c..9ec3250ca2 100644 --- a/tools/src/main/shell/simplemqttclient.py +++ b/tools/src/main/shell/simplemqttclient.py @@ -1,3 +1,4 @@ +# -*- coding: utf-8 -*- # # Copyright © 2016-2017 The Thingsboard Authors # diff --git a/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java b/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java index 70b748de60..6b293382a7 100644 --- a/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java 
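Review bot: `formatCertData` dereferences `getCredentialsValue()` before `credentialsValidator.validate` runs in `saveOrUpdare`, so X509 credentials submitted without a value (the UI guards against it, but the service accepts any payload) fail with a NullPointerException from `trimNewLines` instead of a validation error. Guard first with `if (deviceCredentials.getCredentialsValue() == null) { throw new DataValidationException("Device credentials value is required for X509_CERTIFICATE"); }`, using the `DataValidationException` the file already imports. The method also deserves a comment on why it rewrites both fields, e.g. `// Store the PEM body with CR/LF stripped and index it by its SHA3 hash, matching SslUtil.getX509CertificateString output at connect time`, because `ThingsboardMqttX509TrustManager` relies on that exact form when it compares `strCert` with the stored value. Rows saved before this change carry a hash of the old credentials id rather than of the value, so they will no longer match; a migration or release note seems needed.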
+++ b/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java @@ -1,12 +1,12 @@ /** * Copyright © 2016-2017 The Thingsboard Authors - * + *

* Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

* Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -45,18 +45,18 @@ import java.security.cert.X509Certificate; public class MqttSslHandlerProvider { public static final String TLS = "TLS"; - @Value("${mqtt.ssl.key-store}") + @Value("${mqtt.ssl.key_store}") private String keyStoreFile; - @Value("${mqtt.ssl.key-store-password}") + @Value("${mqtt.ssl.key_store_password}") private String keyStorePassword; - @Value("${mqtt.ssl.keyStoreType}") + @Value("${mqtt.ssl.key_store_type}") private String keyStoreType; - @Value("${mqtt.ssl.trust-store}") + @Value("${mqtt.ssl.trust_store}") private String trustStoreFile; - @Value("${mqtt.ssl.trust-store-password}") + @Value("${mqtt.ssl.trust_store_password}") private String trustStorePassword; - @Value("${mqtt.ssl.trustStoreType}") + @Value("${mqtt.ssl.trust_store_type}") private String trustStoreType; @Autowired @@ -108,8 +108,7 @@ public class MqttSslHandlerProvider { break; } } - X509TrustManager x509TmWrapper = new ThingsboardMqttX509TrustManager(x509Tm, deviceCredentialsService); - return x509TmWrapper; + return new ThingsboardMqttX509TrustManager(x509Tm, deviceCredentialsService); } static class ThingsboardMqttX509TrustManager implements X509TrustManager { 
@@ -136,18 +135,22 @@ public class MqttSslHandlerProvider { @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { + DeviceCredentials deviceCredentials = null; for (X509Certificate cert : chain) { try { String strCert = SslUtil.getX509CertificateString(cert); String sha3Hash = EncryptionUtil.getSha3Hash(strCert); - DeviceCredentials deviceCredentials = deviceCredentialsService.findDeviceCredentialsByCredentialsId(sha3Hash); - if (deviceCredentials == null) { - throw new CertificateException("Invalid Device Certificate"); + deviceCredentials = deviceCredentialsService.findDeviceCredentialsByCredentialsId(sha3Hash); + if (deviceCredentials != null && strCert.equals(deviceCredentials.getCredentialsValue())) { + break; } } catch (IOException e) { - e.printStackTrace(); + log.error(e.getMessage(), e); } } + if (deviceCredentials == null) { + throw new CertificateException("Invalid Device Certificate"); + } } } } diff --git a/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/util/SslUtil.java b/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/util/SslUtil.java index 8fdf721cd4..d1ea59b7c1 100644 --- a/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/util/SslUtil.java +++ b/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/util/SslUtil.java @@ -16,6 +16,7 @@ package org.thingsboard.server.transport.mqtt.util; import lombok.extern.slf4j.Slf4j; +import org.thingsboard.server.dao.EncryptionUtil; import sun.misc.BASE64Encoder; import java.io.ByteArrayOutputStream; 
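Review bot: The final `deviceCredentials == null` check does not verify that a match happened: `deviceCredentials` is overwritten on every iteration with the raw lookup result, so when the last certificate in `chain` is found by hash but fails the `strCert.equals(deviceCredentials.getCredentialsValue())` comparison (a row saved before this change, whose value is not the PEM body, or any stale row) the loop ends with a non-null value and the client is accepted without the value ever matching. Add `deviceCredentials = null;` directly after the `if` block inside the `try`, so only the `break` leaves a non-null result, or track the match in a separate boolean. The loop also accepts a match on any element of `chain`, including CA certificates, so the identity resolved is not necessarily the leaf; if only the presented device certificate should identify the device, look up `chain[0]` alone and say so in a comment. The wrapped `x509Tm` is never consulted in this method, so validity period and signature of the presented certificate are not checked here — worth a comment if that is intentional.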
@@ -32,11 +33,12 @@ public class SslUtil { private SslUtil() { } - public static String getX509CertificateString(X509Certificate cert) throws CertificateEncodingException, IOException { + public static String getX509CertificateString(X509Certificate cert) + throws CertificateEncodingException, IOException { ByteArrayOutputStream out = new ByteArrayOutputStream(); BASE64Encoder encoder = new BASE64Encoder(); encoder.encodeBuffer(cert.getEncoded(), out); - return new String(out.toByteArray(), "UTF-8").trim(); + return EncryptionUtil.trimNewLines(new String(out.toByteArray(), "UTF-8")); } public static String getX509CertificateString(javax.security.cert.X509Certificate cert) @@ -44,6 +46,6 @@ public class SslUtil { ByteArrayOutputStream out = new ByteArrayOutputStream(); BASE64Encoder encoder = new BASE64Encoder(); encoder.encodeBuffer(cert.getEncoded(), out); - return new String(out.toByteArray(), "UTF-8").trim(); + return EncryptionUtil.trimNewLines(new String(out.toByteArray(), "UTF-8")); } } diff --git a/ui/src/app/device/device-credentials.controller.js b/ui/src/app/device/device-credentials.controller.js index 315bc08318..537df5d1bb 100644 --- a/ui/src/app/device/device-credentials.controller.js +++ b/ui/src/app/device/device-credentials.controller.js 
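Review bot: Both overloads now produce standard Base64 of the DER bytes with the line breaks removed, which `java.util.Base64.getEncoder().encodeToString(cert.getEncoded())` yields directly, without `sun.misc.BASE64Encoder` (an internal API that is not available on JDK 9+), the `ByteArrayOutputStream` round trip, or the hard-coded `"UTF-8"` string. Because the result is the key that `ThingsboardMqttX509TrustManager` compares against the stored credentials value, a Javadoc stating the canonical form, e.g. `/** Returns the certificate's DER encoding as single-line standard Base64, the form stored in device credentials. */`, makes the contract explicit. Keep the declared `throws IOException` (callers catch it; removing it from the signature would make those `catch (IOException e)` blocks fail to compile) and add `import java.util.Base64;`. The same applies to the `@@ -44,6 +46,6 @@` hunk below.
```java
public static String getX509CertificateString(X509Certificate cert)
        throws CertificateEncodingException, IOException {
    return toCanonicalBase64(cert.getEncoded());
}

// … unchanged: javax.security.cert.X509Certificate overload, delegating the same way …

/** Standard Base64 of the DER bytes with no line breaks — the form stored in device credentials. */
private static String toCanonicalBase64(byte[] der) {
    return Base64.getEncoder().encodeToString(der);
}
```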
@@ -52,13 +52,16 @@ export default function ManageDeviceCredentialsController(deviceService, $scope, function valid() { return vm.deviceCredentials && (vm.deviceCredentials.credentialsType === 'ACCESS_TOKEN' - || vm.deviceCredentials.credentialsType === 'X509_CERTIFICATE') - && - vm.deviceCredentials.credentialsId && vm.deviceCredentials.credentialsId.length > 0; + && vm.deviceCredentials.credentialsId + && vm.deviceCredentials.credentialsId.length > 0 + || vm.deviceCredentials.credentialsType === 'X509_CERTIFICATE' + && vm.deviceCredentials.credentialsValue + && vm.deviceCredentials.credentialsValue.length > 0); } function clear() { vm.deviceCredentials.credentialsId = null; + vm.deviceCredentials.credentialsValue = null; } function save() { diff --git a/ui/src/app/device/device-credentials.tpl.html b/ui/src/app/device/device-credentials.tpl.html index f74f71fd42..9dd4553b08 100644 --- a/ui/src/app/device/device-credentials.tpl.html +++ b/ui/src/app/device/device-credentials.tpl.html @@ -51,7 +51,7 @@ -
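Review bot: The rewritten condition in `valid()` mixes `&&` and `||` inside one pair of parentheses and relies on `&&` binding tighter than `||`; it evaluates as intended, but each alternative is easier to verify when parenthesised on its own: `(vm.deviceCredentials.credentialsType === 'ACCESS_TOKEN' && vm.deviceCredentials.credentialsId && vm.deviceCredentials.credentialsId.length > 0)` followed by `|| (vm.deviceCredentials.credentialsType === 'X509_CERTIFICATE' && vm.deviceCredentials.credentialsValue && vm.deviceCredentials.credentialsValue.length > 0)`. A one-line comment such as `// X509: the id is derived server-side from the certificate, so only the value is required here` would explain why the id check no longer applies to that branch. The enclosing controller function starts before this hunk.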