diff --git a/application/src/main/resources/thingsboard.yml b/application/src/main/resources/thingsboard.yml
index 3b83c3d3b6..65601aa174 100644
--- a/application/src/main/resources/thingsboard.yml
+++ b/application/src/main/resources/thingsboard.yml
@@ -647,42 +647,40 @@ transport: bind_address: "${LWM2M_BIND_ADDRESS:0.0.0.0}" bind_port: "${LWM2M_BIND_PORT:5685}" security: - bind_address: "${LWM2M_BIND_ADDRESS_SECURITY:0.0.0.0}" - bind_port: "${LWM2M_BIND_PORT_SECURITY:5686}" + bind_address: "${LWM2M_SECURITY_BIND_ADDRESS:0.0.0.0}" + bind_port: "${LWM2M_SECURITY_BIND_PORT:5686}" # Only Certificate_x509: - alias: "${LWM2M_KEYSTORE_SERVER_ALIAS:server}" - password: "${LWM2M_KEYSTORE_SERVER_PASSWORD:server_ks_password}" + key_alias: "${LWM2M_SERVER_KEY_ALIAS:server}" + key_password: "${LWM2M_SERVER_KEY_PASSWORD:server_ks_password}" skip_validity_check_for_client_cert: "${TB_LWM2M_SERVER_SECURITY_SKIP_VALIDITY_CHECK_FOR_CLIENT_CERT:false}" bootstrap: enable: "${LWM2M_ENABLED_BS:true}" id: "${LWM2M_SERVER_ID_BS:111}" - bind_address: "${LWM2M_BIND_ADDRESS_BS:0.0.0.0}" - bind_port: "${LWM2M_BIND_PORT_BS:5687}" + bind_address: "${LWM2M_BS_BIND_ADDRESS:0.0.0.0}" + bind_port: "${LWM2M_BS_BIND_PORT:5687}" security: - bind_address: "${LWM2M_BIND_ADDRESS_SECURITY_BS:0.0.0.0}" - bind_port: "${LWM2M_BIND_PORT_SECURITY_BS:5688}" + bind_address: "${LWM2M_BS_SECURITY_BIND_ADDRESS:0.0.0.0}" + bind_port: "${LWM2M_BS_SECURITY_BIND_PORT:5688}" # Only Certificate_x509: - alias: "${LWM2M_KEYSTORE_BS_ALIAS:bootstrap}" - password: "${LWM2M_KEYSTORE_BS_PASSWORD:server_ks_password}" + key_alias: "${LWM2M_BS_KEY_ALIAS:bootstrap}" + key_password: "${LWM2M_BS_KEY_PASSWORD:server_ks_password}" security: # Certificate_x509: # To get helps about files format and how to generate it, see: https://github.com/eclipse/leshan/wiki/Credential-files-format # Create new X509 Certificates: common/transport/lwm2m/src/main/resources/credentials/shell/lwM2M_credentials.sh key_store_type: "${LWM2M_KEYSTORE_TYPE:JKS}" # key_store_path_file: "${KEY_STORE_PATH_FILE:/common/transport/lwm2m/src/main/resources/credentials/serverKeyStore.jks" - key_store: "${LWM2M_KEY_STORE:lwm2mserver.jks}" - key_store_password: "${LWM2M_KEY_STORE_PASSWORD:server_ks_password}" - 
root_alias: "${LWM2M_SERVER_ROOT_CA:rootca}" - enable_gen_new_key_psk_rpk: "${ENABLE_GEN_NEW_KEY_PSK_RPK:false}" + key_store: "${LWM2M_KEYSTORE:lwm2mserver.jks}" + key_store_password: "${LWM2M_KEYSTORE_PASSWORD:server_ks_password}" + root_alias: "${LWM2M_SERVER_ROOT_CA_ALIAS:rootca}" + recommended_ciphers: "${LWM2M_RECOMMENDED_CIPHERS:false}" + recommended_supported_groups: "${LWM2M_RECOMMENDED_SUPPORTED_GROUPS:true}" timeout: "${LWM2M_TIMEOUT:120000}" - recommended_ciphers: "${LWM2M_RECOMMENDED_CIPHERS:false}" - recommended_supported_groups: "${LWM2M_RECOMMENDED_SUPPORTED_GROUPS:true}" uplink_pool_size: "${LWM2M_UPLINK_POOL_SIZE:10}" downlink_pool_size: "${LWM2M_DOWNLINK_POOL_SIZE:10}" ota_pool_size: "${LWM2M_OTA_POOL_SIZE:10}" - registration_store_pool_size: "${LWM2M_REGISTRATION_STORE_POOL_SIZE:100}" clean_period_in_sec: "${LWM2M_CLEAN_PERIOD_IN_SEC:2}" - log_max_length: "${LWM2M_LOG_MAX_LENGTH:100}" + log_max_length: "${LWM2M_LOG_MAX_LENGTH:1024}" # Use redis for Security and Registration stores redis.enabled: "${LWM2M_REDIS_ENABLED:false}" snmp: diff --git a/application/src/test/resources/application-test.properties b/application/src/test/resources/application-test.properties index d82de51785..6e6f33ac46 100644 --- a/application/src/test/resources/application-test.properties +++ b/application/src/test/resources/application-test.properties @@ -1,7 +1,7 @@ transport.lwm2m.security.key_store=lwm2m/credentials/serverKeyStore.jks transport.lwm2m.security.key_store_password=server edges.enabled=true -transport.lwm2m.server.security.alias=server -transport.lwm2m.server.security.password=server -transport.lwm2m.bootstrap.security.alias=server -transport.lwm2m.bootstrap.security.password=server \ No newline at end of file +transport.lwm2m.server.security.key_alias=server +transport.lwm2m.server.security.key_password=server +transport.lwm2m.bootstrap.security.key_alias=server +transport.lwm2m.bootstrap.security.key_password=server \ No newline at end of file 
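Review bot: The renamed environment variables in this hunk (`LWM2M_KEY_STORE_PASSWORD` → `LWM2M_KEYSTORE_PASSWORD`, `LWM2M_KEY_STORE` → `LWM2M_KEYSTORE`, `LWM2M_SERVER_ROOT_CA` → `LWM2M_SERVER_ROOT_CA_ALIAS`, and the `*_BIND_*` variables) carry no fallback to the old names, so a deployment that still exports the old variable silently runs with the built-in default — for the keystore password that is the shipped `server_ks_password` — instead of failing. Spring placeholders nest, so a transitional fallback keeps the old name working, e.g. `key_store_password: "${LWM2M_KEYSTORE_PASSWORD:${LWM2M_KEY_STORE_PASSWORD:server_ks_password}}"`, and the same pattern fits the other renamed variables. The hunk also drops `registration_store_pool_size`, but no Java change in this commit removes a matching `@Value` binding, so confirm the property is no longer read anywhere. The tb-lwm2m-transport.yml hunk at the end of this diff performs the identical rename and needs the same fallback.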
diff --git a/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/bootstrap/LwM2MTransportBootstrapService.java b/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/bootstrap/LwM2MTransportBootstrapService.java
index 015cf1cbcf..6224be059d 100644
--- a/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/bootstrap/LwM2MTransportBootstrapService.java
+++ b/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/bootstrap/LwM2MTransportBootstrapService.java
@@ -18,48 +18,26 @@ package org.thingsboard.server.transport.lwm2m.bootstrap; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; import org.eclipse.californium.scandium.config.DtlsConnectorConfig; -import org.eclipse.leshan.core.util.Hex; import org.eclipse.leshan.server.bootstrap.BootstrapSessionManager; import org.eclipse.leshan.server.californium.bootstrap.LeshanBootstrapServer; import org.eclipse.leshan.server.californium.bootstrap.LeshanBootstrapServerBuilder; import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression; import org.springframework.stereotype.Component; -import org.thingsboard.server.common.data.StringUtils; import org.thingsboard.server.transport.lwm2m.bootstrap.secure.LwM2MBootstrapSecurityStore; import org.thingsboard.server.transport.lwm2m.bootstrap.secure.LwM2MInMemoryBootstrapConfigStore; import org.thingsboard.server.transport.lwm2m.bootstrap.secure.LwM2mDefaultBootstrapSessionManager; import org.thingsboard.server.transport.lwm2m.config.LwM2MTransportBootstrapConfig; import org.thingsboard.server.transport.lwm2m.config.LwM2MTransportServerConfig; -import org.thingsboard.server.transport.lwm2m.secure.LWM2MGenerationPSkRPkECC; import org.thingsboard.server.transport.lwm2m.server.DefaultLwM2mTransportService; import javax.annotation.PostConstruct; import javax.annotation.PreDestroy; -import java.math.BigInteger; -import java.security.AlgorithmParameters; -import java.security.KeyFactory; import java.security.KeyStore; import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; import java.security.PublicKey; -import java.security.cert.CertificateEncodingException; import java.security.cert.X509Certificate; -import java.security.interfaces.ECPublicKey; -import java.security.spec.ECGenParameterSpec; -import java.security.spec.ECParameterSpec; -import java.security.spec.ECPoint; -import java.security.spec.ECPublicKeySpec; -import 
java.security.spec.InvalidKeySpecException; -import java.security.spec.InvalidParameterSpecException; -import java.security.spec.KeySpec; -import java.security.spec.PKCS8EncodedKeySpec; -import java.util.Arrays; -import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256; -import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8; -import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_PSK_WITH_AES_128_CBC_SHA256; -import static org.eclipse.californium.scandium.dtls.cipher.CipherSuite.TLS_PSK_WITH_AES_128_CCM_8; import static org.thingsboard.server.transport.lwm2m.server.LwM2mNetworkConfig.getCoapConfig; @Slf4j @@ -78,9 +56,6 @@ public class LwM2MTransportBootstrapService { @PostConstruct public void init() { - if (serverConfig.getEnableGenNewKeyPskRpk()) { - new LWM2MGenerationPSkRPkECC(); - } log.info("Starting LwM2M transport bootstrap server..."); this.server = getLhBootstrapServer(); this.server.start(); diff --git a/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/config/LwM2MTransportBootstrapConfig.java b/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/config/LwM2MTransportBootstrapConfig.java index 6778056dd0..0806ef9e90 100644 --- a/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/config/LwM2MTransportBootstrapConfig.java +++ b/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/config/LwM2MTransportBootstrapConfig.java 
@@ -47,11 +47,11 @@ public class LwM2MTransportBootstrapConfig implements LwM2MSecureServerConfig { private Integer securePort; @Getter - @Value("${transport.lwm2m.bootstrap.security.alias:}") + @Value("${transport.lwm2m.bootstrap.security.key_alias:}") private String certificateAlias; @Getter - @Value("${transport.lwm2m.bootstrap.security.password:}") + @Value("${transport.lwm2m.bootstrap.security.key_password:}") private String certificatePassword; } diff --git a/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/config/LwM2MTransportServerConfig.java b/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/config/LwM2MTransportServerConfig.java index 4f9f0798c2..8aeacc72c2 100644 --- a/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/config/LwM2MTransportServerConfig.java +++ b/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/config/LwM2MTransportServerConfig.java @@ -53,11 +53,11 @@ public class LwM2MTransportServerConfig implements LwM2MSecureServerConfig { private long sessionReportTimeout; @Getter - @Value("${transport.lwm2m.recommended_ciphers:}") + @Value("${transport.lwm2m.security.recommended_ciphers:}") private boolean recommendedCiphers; @Getter - @Value("${transport.lwm2m.recommended_supported_groups:}") + @Value("${transport.lwm2m.security.recommended_supported_groups:}") private boolean recommendedSupportedGroups; @Getter @@ -96,10 +96,6 @@ public class LwM2MTransportServerConfig implements LwM2MSecureServerConfig { @Value("${transport.lwm2m.security.root_alias:}") private String rootCertificateAlias; - @Getter - @Value("${transport.lwm2m.security.enable_gen_new_key_psk_rpk:}") - private Boolean enableGenNewKeyPskRpk; - @Getter @Value("${transport.lwm2m.server.id:}") private Integer id; 
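Review bot: The renamed bindings `@Value("${transport.lwm2m.bootstrap.security.key_alias:}")` and `@Value("${transport.lwm2m.bootstrap.security.key_password:}")` keep an empty-string default, so an external properties file that still uses the old `alias`/`password` keys resolves both fields to `""` and the failure only surfaces later when the keystore entry lookup fails, with nothing pointing at the renamed property. Dropping the default, `@Value("${transport.lwm2m.bootstrap.security.key_alias}")` and likewise for `key_password`, makes Spring refuse to start with the unresolved placeholder name instead; both yml files in this commit define the new keys, so the defaults are only ever reached when a stale configuration is in play. The same applies to the `key_alias`/`key_password` hunk of LwM2MTransportServerConfig further down. Both class declarations start outside their hunks.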
@@ -121,11 +117,11 @@ public class LwM2MTransportServerConfig implements LwM2MSecureServerConfig { private Integer securePort; @Getter - @Value("${transport.lwm2m.server.security.alias:}") + @Value("${transport.lwm2m.server.security.key_alias:}") private String certificateAlias; @Getter - @Value("${transport.lwm2m.server.security.password:}") + @Value("${transport.lwm2m.server.security.key_password:}") private String certificatePassword; @Getter diff --git a/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/secure/LWM2MGenerationPSkRPkECC.java b/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/secure/LWM2MGenerationPSkRPkECC.java deleted file mode 100644 index 22c5878a58..0000000000 --- a/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/secure/LWM2MGenerationPSkRPkECC.java +++ /dev/null 
@@ -1,110 +0,0 @@ -/** - * Copyright © 2016-2021 The Thingsboard Authors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.thingsboard.server.transport.lwm2m.secure; - -import lombok.extern.slf4j.Slf4j; -import org.eclipse.leshan.core.util.Hex; - -import java.security.InvalidAlgorithmParameterException; -import java.security.KeyPair; -import java.security.KeyPairGenerator; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.PrivateKey; -import java.security.PublicKey; -import java.security.SecureRandom; -import java.security.interfaces.ECPublicKey; -import java.security.spec.ECGenParameterSpec; -import java.util.Arrays; - -@Slf4j -public class LWM2MGenerationPSkRPkECC { - - public LWM2MGenerationPSkRPkECC() { - generationPSkKey(); - generationRPKECCKey(); - } - - private void generationPSkKey() { - /* PSK */ - int lenPSkKey = 32; - /* Start PSK - Clients and Servers MUST support PSK keys of up to 64 bytes in length, as required by [RFC7925] - SecureRandom object must be unpredictable, and all SecureRandom output sequences must be cryptographically strong, as described in [RFC4086] - */ - SecureRandom randomPSK = new SecureRandom(); - byte[] bytesPSK = new byte[lenPSkKey]; - randomPSK.nextBytes(bytesPSK); - log.info("\nCreating new PSK: \n for the next start PSK -> security key: [{}]", Hex.encodeHexString(bytesPSK)); - } - - private void generationRPKECCKey() { - /* RPK */ - 
String algorithm = "EC"; - String provider = "SunEC"; - String nameParameterSpec = "secp256r1"; - - /* Start RPK - Elliptic Curve parameters : [secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)] - */ - KeyPairGenerator kpg = null; - try { - kpg = KeyPairGenerator.getInstance(algorithm, provider); - } catch (NoSuchAlgorithmException | NoSuchProviderException e) { - log.error("", e); - } - ECGenParameterSpec ecsp = new ECGenParameterSpec(nameParameterSpec); - try { - kpg.initialize(ecsp); - } catch (InvalidAlgorithmParameterException e) { - log.error("", e); - } - - KeyPair kp = kpg.genKeyPair(); - PrivateKey privKey = kp.getPrivate(); - PublicKey pubKey = kp.getPublic(); - - if (pubKey instanceof ECPublicKey) { - ECPublicKey ecPublicKey = (ECPublicKey) pubKey; - /* Get x coordinate */ - byte[] x = ecPublicKey.getW().getAffineX().toByteArray(); - if (x[0] == 0) - x = Arrays.copyOfRange(x, 1, x.length); - - /* Get Y coordinate */ - byte[] y = ecPublicKey.getW().getAffineY().toByteArray(); - if (y[0] == 0) - y = Arrays.copyOfRange(y, 1, y.length); - - /* Get Curves params */ - String privHex = Hex.encodeHexString(privKey.getEncoded()); - log.info("\nCreating new RPK for the next start... \n" + - " Public Key (Hex): [{}]\n" + - " Private Key (Hex): [{}]" + - " public_x : [{}] \n" + - " public_y : [{}] \n" + - " private_encode : [{}] \n" + - " Elliptic Curve parameters : [{}] \n", - Hex.encodeHexString(pubKey.getEncoded()), - privHex, - Hex.encodeHexString(x), - Hex.encodeHexString(y), - privHex, - ecPublicKey.getParams().toString()); - } - } -} - diff --git a/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/server/DefaultLwM2mTransportService.java b/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/server/DefaultLwM2mTransportService.java index bf32b2f817..a2cc1c0b83 100644 --- a/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/server/DefaultLwM2mTransportService.java 
+++ b/common/transport/lwm2m/src/main/java/org/thingsboard/server/transport/lwm2m/server/DefaultLwM2mTransportService.java @@ -29,7 +29,6 @@ import org.springframework.stereotype.Component; import org.thingsboard.server.cache.ota.OtaPackageDataCache; import org.thingsboard.server.queue.util.TbLwM2mTransportComponent; import org.thingsboard.server.transport.lwm2m.config.LwM2MTransportServerConfig; -import org.thingsboard.server.transport.lwm2m.secure.LWM2MGenerationPSkRPkECC; import org.thingsboard.server.transport.lwm2m.secure.TbLwM2MAuthorizer; import org.thingsboard.server.transport.lwm2m.secure.TbLwM2MDtlsCertificateVerifier; import org.thingsboard.server.transport.lwm2m.server.client.LwM2mClientContext; @@ -74,9 +73,6 @@ public class DefaultLwM2mTransportService implements LwM2MTransportService { @PostConstruct public void init() { - if (config.getEnableGenNewKeyPskRpk()) { - new LWM2MGenerationPSkRPkECC(); - } this.server = getLhServer(); /* * Add a resource to the server. diff --git a/transport/lwm2m/src/main/resources/tb-lwm2m-transport.yml b/transport/lwm2m/src/main/resources/tb-lwm2m-transport.yml index 695053d417..b6f29ea9d7 100644 --- a/transport/lwm2m/src/main/resources/tb-lwm2m-transport.yml +++ b/transport/lwm2m/src/main/resources/tb-lwm2m-transport.yml 
@@ -106,41 +106,40 @@ transport: bind_address: "${LWM2M_BIND_ADDRESS:0.0.0.0}" bind_port: "${LWM2M_BIND_PORT:5685}" security: - bind_address: "${LWM2M_BIND_ADDRESS_SECURITY:0.0.0.0}" - bind_port: "${LWM2M_BIND_PORT_SECURITY:5686}" + bind_address: "${LWM2M_SECURITY_BIND_ADDRESS:0.0.0.0}" + bind_port: "${LWM2M_SECURITY_BIND_PORT:5686}" # Only Certificate_x509: - alias: "${LWM2M_KEYSTORE_SERVER_ALIAS:server}" - password: "${LWM2M_KEYSTORE_SERVER_PASSWORD:server_ks_password}" + key_alias: "${LWM2M_SERVER_KEY_ALIAS:server}" + key_password: "${LWM2M_SERVER_KEY_PASSWORD:server_ks_password}" skip_validity_check_for_client_cert: "${TB_LWM2M_SERVER_SECURITY_SKIP_VALIDITY_CHECK_FOR_CLIENT_CERT:false}" bootstrap: enable: "${LWM2M_ENABLED_BS:true}" id: "${LWM2M_SERVER_ID_BS:111}" - bind_address: "${LWM2M_BIND_ADDRESS_BS:0.0.0.0}" - bind_port: "${LWM2M_BIND_PORT_BS:5687}" + bind_address: "${LWM2M_BS_BIND_ADDRESS:0.0.0.0}" + bind_port: "${LWM2M_BS_BIND_PORT:5687}" security: - bind_address: "${LWM2M_BIND_ADDRESS_SECURITY_BS:0.0.0.0}" - bind_port: "${LWM2M_BIND_PORT_SECURITY_BS:5688}" + bind_address: "${LWM2M_BS_SECURITY_BIND_ADDRESS:0.0.0.0}" + bind_port: "${LWM2M_BS_SECURITY_BIND_PORT:5688}" # Only Certificate_x509: - alias: "${LWM2M_KEYSTORE_BS_ALIAS:bootstrap}" - password: "${LWM2M_KEYSTORE_BS_PASSWORD:server_ks_password}" + key_alias: "${LWM2M_BS_KEY_ALIAS:bootstrap}" + key_password: "${LWM2M_BS_KEY_PASSWORD:server_ks_password}" security: # Certificate_x509: # To get helps about files format and how to generate it, see: https://github.com/eclipse/leshan/wiki/Credential-files-format # Create new X509 Certificates: common/transport/lwm2m/src/main/resources/credentials/shell/lwM2M_credentials.sh key_store_type: "${LWM2M_KEYSTORE_TYPE:JKS}" # key_store_path_file: "${KEY_STORE_PATH_FILE:/common/transport/lwm2m/src/main/resources/credentials/serverKeyStore.jks" - key_store: "${LWM2M_KEY_STORE:lwm2mserver.jks}" - key_store_password: "${LWM2M_KEY_STORE_PASSWORD:server_ks_password}" - 
root_alias: "${LWM2M_SERVER_ROOT_CA:rootca}" - enable_gen_new_key_psk_rpk: "${ENABLE_GEN_NEW_KEY_PSK_RPK:false}" + key_store: "${LWM2M_KEYSTORE:lwm2mserver.jks}" + key_store_password: "${LWM2M_KEYSTORE_PASSWORD:server_ks_password}" + root_alias: "${LWM2M_SERVER_ROOT_CA_ALIAS:rootca}" + recommended_ciphers: "${LWM2M_RECOMMENDED_CIPHERS:false}" + recommended_supported_groups: "${LWM2M_RECOMMENDED_SUPPORTED_GROUPS:true}" timeout: "${LWM2M_TIMEOUT:120000}" - recommended_ciphers: "${LWM2M_RECOMMENDED_CIPHERS:false}" - recommended_supported_groups: "${LWM2M_RECOMMENDED_SUPPORTED_GROUPS:true}" uplink_pool_size: "${LWM2M_UPLINK_POOL_SIZE:10}" downlink_pool_size: "${LWM2M_DOWNLINK_POOL_SIZE:10}" ota_pool_size: "${LWM2M_OTA_POOL_SIZE:10}" clean_period_in_sec: "${LWM2M_CLEAN_PERIOD_IN_SEC:2}" - log_max_length: "${LWM2M_LOG_MAX_LENGTH:100}" + log_max_length: "${LWM2M_LOG_MAX_LENGTH:1024}" # Use redis for Security and Registration stores redis.enabled: "${LWM2M_REDIS_ENABLED:false}"