Fix for client certificate check

2020-10-07 12:06:24 +03:00 · 2020-10-07 12:06:24 +03:00 · de9cd8939e
commit de9cd8939e
parent 67f8327cde
4 changed files with 11 additions and 0 deletions
--- a/application/src/main/resources/thingsboard.yml
+++ b/application/src/main/resources/thingsboard.yml
@ -569,6 +569,8 @@ transport:
      key_password: "${MQTT_SSL_KEY_PASSWORD:server_key_password}"
      # Type of the key store
      key_store_type: "${MQTT_SSL_KEY_STORE_TYPE:JKS}"
+      # Skip certificate validity check for client certificates.
+      skip_validity_check_for_client_cert: "${MQTT_SSL_SKIP_VALIDITY_CHECK_FOR_CLIENT_CERT:false}"
  # Local CoAP transport parameters
  coap:
    # Enable/disable coap transport protocol.
--- a/common/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttTransportContext.java
+++ b/common/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttTransportContext.java
@ -46,6 +46,10 @@ public class MqttTransportContext extends TransportContext {
    @Value("${transport.mqtt.netty.max_payload_size}")
    private Integer maxPayloadSize;

+    @Getter
+    @Value("${transport.mqtt.netty.skip_validity_check_for_client_cert:false}")
+    private boolean skipValidityCheckForClientCert;
+
    @Getter
    @Setter
    private SslHandler sslHandler;
--- a/common/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttTransportHandler.java
+++ b/common/transport/mqtt/src/main/java/org/thingsboard/server/transport/mqtt/MqttTransportHandler.java
@ -383,6 +383,9 @@ public class MqttTransportHandler extends ChannelInboundHandlerAdapter implement

    private void processX509CertConnect(ChannelHandlerContext ctx, X509Certificate cert) {
        try {
+            if(!context.isSkipValidityCheckForClientCert()){
+                cert.checkValidity();
+            }
            String strCert = SslUtil.getX509CertificateString(cert);
            String sha3Hash = EncryptionUtil.getSha3Hash(strCert);
            transportService.process(ValidateDeviceX509CertRequestMsg.newBuilder().setHash(sha3Hash).build(),
--- a/transport/mqtt/src/main/resources/tb-mqtt-transport.yml
+++ b/transport/mqtt/src/main/resources/tb-mqtt-transport.yml
@ -67,6 +67,8 @@ transport:
      key_password: "${MQTT_SSL_KEY_PASSWORD:server_key_password}"
      # Type of the key store
      key_store_type: "${MQTT_SSL_KEY_STORE_TYPE:JKS}"
+      # Skip certificate validity check for client certificates.
+      skip_validity_check_for_client_cert: "${MQTT_SSL_SKIP_VALIDITY_CHECK_FOR_CLIENT_CERT:false}"
  sessions:
    inactivity_timeout: "${TB_TRANSPORT_SESSIONS_INACTIVITY_TIMEOUT:300000}"
    report_timeout: "${TB_TRANSPORT_SESSIONS_REPORT_TIMEOUT:30000}"