X509 cert saved in db

application/src/main/resources/thingsboard.yml

@@ -77,13 +77,13 @@ mqtt:
   timeout: "${MQTT_TIMEOUT:10000}"
 # Uncomment the following lines to enable ssl for MQTT
 #  ssl:
-#    key-store: keystore/mqttserver.jks
-#    key-store-password: password
-#    keyStoreType: JKS
+#    key_store: keystore/mqttserver.jks
+#    key_store_password: password
+#    key_store_type: JKS
 # TrustStore can be the same as KeyStore
-#    trust-store: keystore/mqttserver.jks
-#    trust-store-password: password
-#    trustStoreType: JKS
+#    trust_store: keystore/mqttserver.jks
+#    trust_store_password: password
+#    trust_store_type: JKS
 
 # CoAP server parameters
 coap:

dao/src/main/java/org/thingsboard/server/dao/EncryptionUtil.java

@@ -27,8 +27,12 @@ public class EncryptionUtil {
     private EncryptionUtil() {
     }
 
+    public static String trimNewLines(String input) {
+        return input.replaceAll("\n","").replaceAll("\r","");
+    }
+
     public static String getSha3Hash(String data) {
-        String trimmedData = data.replaceAll("\n","").replaceAll("\r","");
+        String trimmedData = trimNewLines(data);
         byte[] dataBytes = trimmedData.getBytes();
         SHA3Digest md = new SHA3Digest(256);
         md.reset();

dao/src/main/java/org/thingsboard/server/dao/device/DeviceCredentialsServiceImpl.java

@@ -29,8 +29,6 @@ import org.thingsboard.server.dao.exception.DataValidationException;
 import org.thingsboard.server.dao.model.DeviceCredentialsEntity;
 import org.thingsboard.server.dao.service.DataValidator;
 
-import java.util.Optional;
-
 import static org.thingsboard.server.dao.DaoUtil.getData;
 import static org.thingsboard.server.dao.service.Validator.validateId;
 import static org.thingsboard.server.dao.service.Validator.validateString;
@@ -73,16 +71,18 @@ public class DeviceCredentialsServiceImpl implements DeviceCredentialsService {
 
     private DeviceCredentials saveOrUpdare(DeviceCredentials deviceCredentials) {
         if (deviceCredentials.getCredentialsType() == DeviceCredentialsType.X509_CERTIFICATE) {
-            encryptDeviceId(deviceCredentials);
+            formatCertData(deviceCredentials);
         }
         log.trace("Executing updateDeviceCredentials [{}]", deviceCredentials);
         credentialsValidator.validate(deviceCredentials);
         return getData(deviceCredentialsDao.save(deviceCredentials));
     }
 
-    private void encryptDeviceId(DeviceCredentials deviceCredentials) {
-        String sha3Hash = EncryptionUtil.getSha3Hash(deviceCredentials.getCredentialsId());
+    private void formatCertData(DeviceCredentials deviceCredentials) {
+        String cert = EncryptionUtil.trimNewLines(deviceCredentials.getCredentialsValue());
+        String sha3Hash = EncryptionUtil.getSha3Hash(cert);
         deviceCredentials.setCredentialsId(sha3Hash);
+        deviceCredentials.setCredentialsValue(cert);
     }
 
     @Override

tools/src/main/shell/onewaysslmqttclient.py

@@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
 #
 # Copyright © 2016-2017 The Thingsboard Authors
 #

tools/src/main/shell/simplemqttclient.py

@@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
 #
 # Copyright © 2016-2017 The Thingsboard Authors
 #

transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttSslHandlerProvider.java

@@ -1,12 +1,12 @@
 /**
  * Copyright © 2016-2017 The Thingsboard Authors
- *
+ * <p>
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- *
+ * <p>
  * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -45,18 +45,18 @@ import java.security.cert.X509Certificate;
 public class MqttSslHandlerProvider {
 
     public static final String TLS = "TLS";
-    @Value("${mqtt.ssl.key-store}")
+    @Value("${mqtt.ssl.key_store}")
     private String keyStoreFile;
-    @Value("${mqtt.ssl.key-store-password}")
+    @Value("${mqtt.ssl.key_store_password}")
     private String keyStorePassword;
-    @Value("${mqtt.ssl.keyStoreType}")
+    @Value("${mqtt.ssl.key_store_type}")
     private String keyStoreType;
 
-    @Value("${mqtt.ssl.trust-store}")
+    @Value("${mqtt.ssl.trust_store}")
     private String trustStoreFile;
-    @Value("${mqtt.ssl.trust-store-password}")
+    @Value("${mqtt.ssl.trust_store_password}")
     private String trustStorePassword;
-    @Value("${mqtt.ssl.trustStoreType}")
+    @Value("${mqtt.ssl.trust_store_type}")
     private String trustStoreType;
 
     @Autowired
@@ -108,8 +108,7 @@ public class MqttSslHandlerProvider {
                 break;
             }
         }
-        X509TrustManager x509TmWrapper = new ThingsboardMqttX509TrustManager(x509Tm, deviceCredentialsService);
-        return x509TmWrapper;
+        return new ThingsboardMqttX509TrustManager(x509Tm, deviceCredentialsService);
     }
 
     static class ThingsboardMqttX509TrustManager implements X509TrustManager {
@@ -136,18 +135,22 @@ public class MqttSslHandlerProvider {
         @Override
         public void checkClientTrusted(X509Certificate[] chain,
                                        String authType) throws CertificateException {
+            DeviceCredentials deviceCredentials = null;
             for (X509Certificate cert : chain) {
                 try {
                     String strCert = SslUtil.getX509CertificateString(cert);
                     String sha3Hash = EncryptionUtil.getSha3Hash(strCert);
-                    DeviceCredentials deviceCredentials = deviceCredentialsService.findDeviceCredentialsByCredentialsId(sha3Hash);
-                    if (deviceCredentials == null) {
-                        throw new CertificateException("Invalid Device Certificate");
+                    deviceCredentials = deviceCredentialsService.findDeviceCredentialsByCredentialsId(sha3Hash);
+                    if (deviceCredentials != null && strCert.equals(deviceCredentials.getCredentialsValue())) {
+                        break;
                     }
                 } catch (IOException e) {
-                    e.printStackTrace();
+                    log.error(e.getMessage(), e);
                 }
             }
+            if (deviceCredentials == null) {
+                throw new CertificateException("Invalid Device Certificate");
+            }
         }
     }
 }

transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/util/SslUtil.java

@@ -16,6 +16,7 @@
 package org.thingsboard.server.transport.mqtt.util;
 
 import lombok.extern.slf4j.Slf4j;
+import org.thingsboard.server.dao.EncryptionUtil;
 import sun.misc.BASE64Encoder;
 
 import java.io.ByteArrayOutputStream;
@@ -32,11 +33,12 @@ public class SslUtil {
     private SslUtil() {
     }
 
-    public static String getX509CertificateString(X509Certificate cert) throws CertificateEncodingException, IOException {
+    public static String getX509CertificateString(X509Certificate cert)
+            throws CertificateEncodingException, IOException {
         ByteArrayOutputStream out = new ByteArrayOutputStream();
         BASE64Encoder encoder = new BASE64Encoder();
         encoder.encodeBuffer(cert.getEncoded(), out);
-        return new String(out.toByteArray(), "UTF-8").trim();
+        return EncryptionUtil.trimNewLines(new String(out.toByteArray(), "UTF-8"));
     }
 
     public static String getX509CertificateString(javax.security.cert.X509Certificate cert)
@@ -44,6 +46,6 @@ public class SslUtil {
         ByteArrayOutputStream out = new ByteArrayOutputStream();
         BASE64Encoder encoder = new BASE64Encoder();
         encoder.encodeBuffer(cert.getEncoded(), out);
-        return new String(out.toByteArray(), "UTF-8").trim();
+        return EncryptionUtil.trimNewLines(new String(out.toByteArray(), "UTF-8"));
     }
 }

ui/src/app/device/device-credentials.controller.js

@@ -52,13 +52,16 @@ export default function ManageDeviceCredentialsController(deviceService, $scope,
     function valid() {
         return vm.deviceCredentials &&
                (vm.deviceCredentials.credentialsType === 'ACCESS_TOKEN'
-                  || vm.deviceCredentials.credentialsType === 'X509_CERTIFICATE')
-               &&
-               vm.deviceCredentials.credentialsId && vm.deviceCredentials.credentialsId.length > 0;
+                   && vm.deviceCredentials.credentialsId
+                   && vm.deviceCredentials.credentialsId.length > 0
+                   || vm.deviceCredentials.credentialsType === 'X509_CERTIFICATE'
+                   && vm.deviceCredentials.credentialsValue
+                   && vm.deviceCredentials.credentialsValue.length > 0);
     }
 
     function clear() {
         vm.deviceCredentials.credentialsId = null;
+        vm.deviceCredentials.credentialsValue = null;
     }
 
     function save() {

ui/src/app/device/device-credentials.tpl.html

@@ -51,7 +51,7 @@
 				</md-input-container>
 				<md-input-container class="md-block" ng-if="vm.deviceCredentials.credentialsType === 'X509_CERTIFICATE'">
 					<label translate>device.rsa-key</label>
-					<textarea required name="rsaKey" ng-model="vm.deviceCredentials.credentialsId"
+					<textarea required name="rsaKey" ng-model="vm.deviceCredentials.credentialsValue"
 							  cols="15" rows="5" />
 					<div ng-messages="theForm.rsaKey.$error">
 						<div translate ng-message="required">device.rsa-key-required</div>