Commit 0437151a29facd09c656c85501577d74d5e2a090

Authored by Andrew Shvayka
Committed by GitHub
2 parents 005c886c 94241739

Merge pull request #38 from thingsboard/X_509

X 509
@@ -80,10 +80,12 @@ mqtt: @@ -80,10 +80,12 @@ mqtt:
80 boss_group_thread_count: "${NETTY_BOSS_GROUP_THREADS:1}" 80 boss_group_thread_count: "${NETTY_BOSS_GROUP_THREADS:1}"
81 worker_group_thread_count: "${NETTY_WORKER_GROUP_THREADS:12}" 81 worker_group_thread_count: "${NETTY_WORKER_GROUP_THREADS:12}"
82 # Uncomment the following lines to enable ssl for MQTT 82 # Uncomment the following lines to enable ssl for MQTT
83 - ssl:  
84 - key_store: keystore/mqttserver.jks  
85 - key_store_password: password  
86 - key_store_type: JKS 83 +# ssl:
  84 +# key_store: keystore/mqttserver.jks
  85 +# key_store_password: server_ks_password
  86 +# key_password: server_key_password
  87 +# key_store_type: JKS
  88 +
87 89
88 # CoAP server parameters 90 # CoAP server parameters
89 coap: 91 coap:
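Review bot: The commented-out example on new lines 85–86 hardcodes `server_ks_password` and `server_key_password` literally, while the neighbouring netty settings on new lines 80–81 take their value from an environment variable with a default; if this block is meant to be uncommented as-is, the passwords should follow the same pattern so they can be supplied at deploy time rather than edited into the file, e.g. `# key_store_password: "${MQTT_SSL_KEY_STORE_PASSWORD:server_ks_password}"` (variable name constructed). The literal values only fit the demo keystores produced by the keygen scripts in this commit, so a one-line comment above the block stating that would help, e.g. `# Passwords below match the demo keystore generated by tools/src/main/shell/server.keygen.sh`.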
@@ -15,6 +15,7 @@ @@ -15,6 +15,7 @@
15 */ 15 */
16 package org.thingsboard.server.dao; 16 package org.thingsboard.server.dao;
17 17
  18 +import com.google.common.base.CharMatcher;
18 import lombok.extern.slf4j.Slf4j; 19 import lombok.extern.slf4j.Slf4j;
19 import org.bouncycastle.crypto.digests.SHA3Digest; 20 import org.bouncycastle.crypto.digests.SHA3Digest;
20 import org.bouncycastle.pqc.math.linearalgebra.ByteUtils; 21 import org.bouncycastle.pqc.math.linearalgebra.ByteUtils;
@@ -28,7 +29,10 @@ public class EncryptionUtil { @@ -28,7 +29,10 @@ public class EncryptionUtil {
28 } 29 }
29 30
30 public static String trimNewLines(String input) { 31 public static String trimNewLines(String input) {
31 - return input.replaceAll("\n","").replaceAll("\r",""); 32 + return input.replaceAll("-----BEGIN CERTIFICATE-----", "")
  33 + .replaceAll("-----END CERTIFICATE-----", "")
  34 + .replaceAll("\n","")
  35 + .replaceAll("\r","");
32 } 36 }
33 37
34 public static String getSha3Hash(String data) { 38 public static String getSha3Hash(String data) {
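Review bot: The `import com.google.common.base.CharMatcher;` added on new line 18 has no use in the visible hunks of this file, and the guava dependency added to the pom in this commit appears to exist only to back it; either use it or drop both. In `trimNewLines` (new lines 31–35, fully visible) all four `replaceAll` arguments are plain literals, so `replace` expresses the intent directly and avoids compiling a regex on every call. The method now also strips the `-----BEGIN CERTIFICATE-----`/`-----END CERTIFICATE-----` armor, which its name no longer conveys; a Javadoc line such as `/** Strips PEM certificate armor and all CR/LF characters, leaving the bare Base64 body. */` would document the widened contract.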
@@ -48,6 +48,10 @@ @@ -48,6 +48,10 @@
48 <groupId>org.eclipse.paho</groupId> 48 <groupId>org.eclipse.paho</groupId>
49 <artifactId>org.eclipse.paho.client.mqttv3</artifactId> 49 <artifactId>org.eclipse.paho.client.mqttv3</artifactId>
50 </dependency> 50 </dependency>
  51 + <dependency>
  52 + <groupId>com.google.guava</groupId>
  53 + <artifactId>guava</artifactId>
  54 + </dependency>
51 </dependencies> 55 </dependencies>
52 56
53 <build> 57 <build>
  1 +/**
  2 + * Copyright © 2016-2017 The Thingsboard Authors
  3 + *
  4 + * Licensed under the Apache License, Version 2.0 (the "License");
  5 + * you may not use this file except in compliance with the License.
  6 + * You may obtain a copy of the License at
  7 + *
  8 + * http://www.apache.org/licenses/LICENSE-2.0
  9 + *
  10 + * Unless required by applicable law or agreed to in writing, software
  11 + * distributed under the License is distributed on an "AS IS" BASIS,
  12 + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13 + * See the License for the specific language governing permissions and
  14 + * limitations under the License.
  15 + */
  16 +package org.thingsboard.client.tools;
  17 +
  18 +/**
  19 + * @author Valerii Sosliuk
  20 + * This class is intended for manual MQTT SSL Testing
  21 + */
  22 +
  23 +import com.google.common.io.Resources;
  24 +import org.eclipse.paho.client.mqttv3.*;
  25 +
  26 +import javax.net.ssl.*;
  27 +import java.io.File;
  28 +import java.io.FileInputStream;
  29 +import java.io.FileNotFoundException;
  30 +import java.io.IOException;
  31 +import java.net.URISyntaxException;
  32 +import java.net.URL;
  33 +import java.security.*;
  34 +import java.security.cert.CertificateException;
  35 +
  36 +public class MqttSslClient {
  37 +
  38 +
  39 + private static final String MQTT_URL = "ssl://localhost:1883";
  40 +
  41 + private static final String clientId = "MQTT_SSL_JAVA_CLIENT";
  42 + private static final String accessToken = "C1_TEST_TOKEN";
  43 + private static final String keyStoreFile = "mqttclient.jks";
  44 + private static final String JKS="JKS";
  45 + private static final String TLS="TLS";
  46 + private static final String CLIENT_KEYSTORE_PASSWORD = "client_ks_password";
  47 + private static final String CLIENT_KEY_PASSWORD = "client_key_password";
  48 +
  49 + public static void main(String[] args) {
  50 +
  51 + try {
  52 +
  53 + URL ksUrl = Resources.getResource(keyStoreFile);
  54 + File ksFile = new File(ksUrl.toURI());
  55 + URL tsUrl = Resources.getResource(keyStoreFile);
  56 + File tsFile = new File(tsUrl.toURI());
  57 +
  58 + TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
  59 +
  60 + KeyStore trustStore = KeyStore.getInstance(JKS);
  61 + trustStore.load(new FileInputStream(tsFile), CLIENT_KEYSTORE_PASSWORD.toCharArray());
  62 + tmf.init(trustStore);
  63 + KeyStore ks = KeyStore.getInstance(JKS);
  64 +
  65 + ks.load(new FileInputStream(ksFile), CLIENT_KEYSTORE_PASSWORD.toCharArray());
  66 + KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
  67 + kmf.init(ks, CLIENT_KEY_PASSWORD.toCharArray());
  68 +
  69 + KeyManager[] km = kmf.getKeyManagers();
  70 + TrustManager[] tm = tmf.getTrustManagers();
  71 + SSLContext sslContext = SSLContext.getInstance(TLS);
  72 + sslContext.init(km, tm, null);
  73 +
  74 + MqttConnectOptions options = new MqttConnectOptions();
  75 + options.setSocketFactory(sslContext.getSocketFactory());
  76 + MqttAsyncClient client = new MqttAsyncClient(MQTT_URL, clientId);
  77 + client.connect(options);
  78 + Thread.sleep(3000);
  79 + MqttMessage message = new MqttMessage();
  80 + message.setPayload("{\"key1\":\"value1\", \"key2\":true, \"key3\": 3.0, \"key4\": 4}".getBytes());
  81 + client.publish("v1/devices/me/telemetry", message);
  82 + client.disconnect();
  83 + System.out.println("Disconnected");
  84 + System.exit(0);
  85 + } catch (Exception e) {
  86 + e.printStackTrace();
  87 + }
  88 + }
  89 +}
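Review bot: `client.connect(options)` on new line 77 returns immediately for `MqttAsyncClient`, and the fixed `Thread.sleep(3000)` on line 78 is the only thing between it and the publish on line 81, so on a slow TLS handshake the publish runs before the connection exists. Wait on the returned token instead: `client.connect(options).waitForCompletion();` and likewise `client.publish("v1/devices/me/telemetry", message).waitForCompletion();` before `client.disconnect()`, which also removes the need for the sleep. The two `FileInputStream`s opened on lines 61 and 65 are never closed; wrapping each in try-with-resources fixes that, and `.getBytes()` on line 80 should name `StandardCharsets.UTF_8` rather than rely on the platform default. The Javadoc block on lines 18–21 sits before the imports, so it is not attached to the class; move it directly above `public class MqttSslClient`.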
@@ -15,12 +15,22 @@ @@ -15,12 +15,22 @@
15 # 15 #
16 16
17 DOMAIN_SUFFIX="$(hostname)" 17 DOMAIN_SUFFIX="$(hostname)"
18 -PASSWORD="password" 18 +ORGANIZATIONAL_UNIT=Thingsboard
  19 +ORGANIZATION=Thingsboard
  20 +CITY=Piscataway
  21 +STATE_OR_PROVINCE=NJ
  22 +TWO_LETTER_COUNTRY_CODE=US
19 23
20 -CLIENT_TRUSTSTORE="client_truststore.pem"  
21 -CLIENT_KEY_ALIAS="clientalias"  
22 -CLIENT_FILE_PREFIX="mqttclient" 24 +SERVER_KEYSTORE_PASSWORD=server_ks_password
  25 +SERVER_KEY_PASSWORD=server_key_password
23 26
24 SERVER_KEY_ALIAS="serveralias" 27 SERVER_KEY_ALIAS="serveralias"
25 SERVER_FILE_PREFIX="mqttserver" 28 SERVER_FILE_PREFIX="mqttserver"
26 -SERVER_KEYSTORE_DIR="../../../../application/src/main/resources/keystore/"  
  29 +SERVER_KEYSTORE_DIR="../../../../application/src/main/resources/keystore/"
  30 +
  31 +CLIENT_KEYSTORE_PASSWORD=client_ks_password
  32 +CLIENT_KEY_PASSWORD=client_key_password
  33 +
  34 +CLIENT_KEY_ALIAS="clientalias"
  35 +CLIENT_FILE_PREFIX="mqttclient"
  36 +
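Review bot: The new assignments on lines 18–22, 24–25 and 31–32 are unquoted while the pre-existing entries (`SERVER_KEY_ALIAS="serveralias"` on line 27) are quoted; since this file is sourced by the keygen scripts via `. $PROPERTIES_FILE`, a value containing a space — `CITY=New York`, for instance — breaks the assignment and the `-dname` built from it. Quote them for consistency, e.g. `CITY="Piscataway"`. The passwords on lines 24–25 and 31–32 are demo defaults that the new Java client and the application config in this commit repeat verbatim; a comment above line 24 such as `# Demo credentials for the generated test keystores; replace before generating keys for a real deployment` makes that intent explicit.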
1 -# -*- coding: utf-8 -*-  
2 # 1 #
3 # Copyright © 2016-2017 The Thingsboard Authors 2 # Copyright © 2016-2017 The Thingsboard Authors
4 # 3 #
@@ -44,7 +43,7 @@ client.publish('v1/devices/me/attributes/request/1', "{\"clientKeys\":\"model\"} @@ -44,7 +43,7 @@ client.publish('v1/devices/me/attributes/request/1', "{\"clientKeys\":\"model\"}
44 43
45 #client.tls_set(ca_certs="client_truststore.pem", certfile="mqttclient.nopass.pem", keyfile=None, cert_reqs=ssl.CERT_REQUIRED, 44 #client.tls_set(ca_certs="client_truststore.pem", certfile="mqttclient.nopass.pem", keyfile=None, cert_reqs=ssl.CERT_REQUIRED,
46 # tls_version=ssl.PROTOCOL_TLSv1, ciphers=None); 45 # tls_version=ssl.PROTOCOL_TLSv1, ciphers=None);
47 -client.tls_set(ca_certs="client_truststore.pem", certfile=None, keyfile=None, cert_reqs=ssl.CERT_REQUIRED, 46 +client.tls_set(ca_certs="mqttserver.pub.pem", certfile=None, keyfile=None, cert_reqs=ssl.CERT_REQUIRED,
48 tls_version=ssl.PROTOCOL_TLSv1, ciphers=None); 47 tls_version=ssl.PROTOCOL_TLSv1, ciphers=None);
49 48
50 client.username_pw_set("B1_TEST_TOKEN") 49 client.username_pw_set("B1_TEST_TOKEN")
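Review bot: The `tls_set` call edited on new line 46 still pins `tls_version=ssl.PROTOCOL_TLSv1` on its continuation line 47, which forces TLS 1.0 even though the new Java client in this commit uses `SSLContext.getInstance("TLS")` and negotiates the best available version; while this call is being touched, `tls_version=ssl.PROTOCOL_TLS` lets client and server negotiate instead (on Python builds too old to have `PROTOCOL_TLS`, `PROTOCOL_SSLv23` is the same constant). The same pinned value appears in the other Python client's `tls_set` further down in this commit, in the hunk at `@@ -42,7 +42,7 @@`, and should be changed together with this one.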
1 -#!/bin/sh 1 +#!/bin/bash
2 # 2 #
3 # Copyright © 2016-2017 The Thingsboard Authors 3 # Copyright © 2016-2017 The Thingsboard Authors
4 # 4 #
@@ -17,7 +17,7 @@ @@ -17,7 +17,7 @@
17 17
18 usage() { 18 usage() {
19 echo "This script generates client public/private rey pair, extracts them to a no-password RSA pem file," 19 echo "This script generates client public/private rey pair, extracts them to a no-password RSA pem file,"
20 - echo "and also imports server public key to client trust store" 20 + echo "and imports server public key to client keystore"
21 echo "usage: ./securemqttclient.keygen.sh [-p file]" 21 echo "usage: ./securemqttclient.keygen.sh [-p file]"
22 echo " -p | --props | --properties file Properties file. default value is ./keygen.properties" 22 echo " -p | --props | --properties file Properties file. default value is ./keygen.properties"
23 echo " -h | --help | ? Show this message" 23 echo " -h | --help | ? Show this message"
@@ -44,17 +44,44 @@ done @@ -44,17 +44,44 @@ done
44 44
45 . $PROPERTIES_FILE 45 . $PROPERTIES_FILE
46 46
  47 +if [ -f $CLIENT_FILE_PREFIX.jks ] || [ -f $CLIENT_FILE_PREFIX.pub.pem ] || [ -f $CLIENT_FILE_PREFIX.nopass.pem ] || [ -f $CLIENT_FILE_PREFIX.pem ] || [ -f $CLIENT_FILE_PREFIX.p12 ];
  48 +then
  49 +while :
  50 + do
  51 + read -p "Output files from previous server.keygen.sh script run found. Overwrite?[yes]" response
  52 + case $response in
  53 + [nN]|[nN][oO])
  54 + echo "Skipping"
  55 + echo "Done"
  56 + exit 0
  57 + ;;
  58 + [yY]|[yY][eE]|[yY][eE]|[sS]|[yY]|"")
  59 + echo "Cleaning up files"
  60 + rm -rf $CLIENT_FILE_PREFIX.jks
  61 + rm -rf $CLIENT_FILE_PREFIX.pub.pem
  62 + rm -rf $CLIENT_FILE_PREFIX.nopass.pem
  63 + rm -rf $CLIENT_FILE_PREFIX.pem
  64 + rm -rf $CLIENT_FILE_PREFIX.p12
  65 + break;
  66 + ;;
  67 + *) echo "Please reply 'yes' or 'no'"
  68 + ;;
  69 + esac
  70 + done
  71 +fi
  72 +
47 echo "Generating SSL Key Pair..." 73 echo "Generating SSL Key Pair..."
48 74
49 keytool -genkeypair -v \ 75 keytool -genkeypair -v \
50 -alias $CLIENT_KEY_ALIAS \ 76 -alias $CLIENT_KEY_ALIAS \
51 -dname "CN=$DOMAIN_SUFFIX, OU=Thingsboard, O=Thingsboard, L=Piscataway, ST=NJ, C=US" \ 77 -dname "CN=$DOMAIN_SUFFIX, OU=Thingsboard, O=Thingsboard, L=Piscataway, ST=NJ, C=US" \
52 -keystore $CLIENT_FILE_PREFIX.jks \ 78 -keystore $CLIENT_FILE_PREFIX.jks \
53 - -keypass $PASSWORD \  
54 - -storepass $PASSWORD \ 79 + -keypass $CLIENT_KEY_PASSWORD \
  80 + -storepass $CLIENT_KEYSTORE_PASSWORD \
55 -keyalg RSA \ 81 -keyalg RSA \
56 -keysize 2048 \ 82 -keysize 2048 \
57 -validity 9999 83 -validity 9999
  84 +
58 echo "Converting keystore to pkcs12" 85 echo "Converting keystore to pkcs12"
59 keytool -importkeystore \ 86 keytool -importkeystore \
60 -srckeystore $CLIENT_FILE_PREFIX.jks \ 87 -srckeystore $CLIENT_FILE_PREFIX.jks \
@@ -62,28 +89,33 @@ keytool -importkeystore \ @@ -62,28 +89,33 @@ keytool -importkeystore \
62 -srcalias $CLIENT_KEY_ALIAS \ 89 -srcalias $CLIENT_KEY_ALIAS \
63 -srcstoretype jks \ 90 -srcstoretype jks \
64 -deststoretype pkcs12 \ 91 -deststoretype pkcs12 \
65 - -keypass $PASSWORD \  
66 - -srcstorepass $PASSWORD \  
67 - -deststorepass $PASSWORD \  
68 - -srckeypass $PASSWORD \  
69 - -destkeypass $PASSWORD 92 + -srcstorepass $CLIENT_KEYSTORE_PASSWORD \
  93 + -deststorepass $CLIENT_KEY_PASSWORD \
  94 + -srckeypass $CLIENT_KEY_PASSWORD \
  95 + -destkeypass $CLIENT_KEY_PASSWORD
70 96
71 echo "Converting pkcs12 to pem" 97 echo "Converting pkcs12 to pem"
72 openssl pkcs12 -in $CLIENT_FILE_PREFIX.p12 \ 98 openssl pkcs12 -in $CLIENT_FILE_PREFIX.p12 \
73 -out $CLIENT_FILE_PREFIX.pem \ 99 -out $CLIENT_FILE_PREFIX.pem \
74 - -passin pass:$PASSWORD \  
75 - -passout pass:$PASSWORD \ 100 + -passin pass:$CLIENT_KEY_PASSWORD \
  101 + -passout pass:$CLIENT_KEY_PASSWORD \
76 102
77 -echo "Importing server public key..."  
78 -keytool -export \  
79 - -alias $SERVER_KEY_ALIAS \  
80 - -keystore $SERVER_KEYSTORE_DIR/$SERVER_FILE_PREFIX.jks \  
81 - -file $CLIENT_TRUSTSTORE -rfc \  
82 - -storepass $PASSWORD 103 +echo "Importing server public key to $CLIENT_FILE_PREFIX.jks"
  104 +keytool --importcert \
  105 + -file $SERVER_FILE_PREFIX.cer \
  106 + -keystore $CLIENT_FILE_PREFIX.jks \
  107 + -alias $SERVER_KEY_ALIAS \
  108 + -keypass $SERVER_KEY_PASSWORD \
  109 + -storepass $CLIENT_KEYSTORE_PASSWORD \
  110 + -noprompt
83 111
84 echo "Exporting no-password pem certificate" 112 echo "Exporting no-password pem certificate"
85 -openssl rsa -in $CLIENT_FILE_PREFIX.pem -out $CLIENT_FILE_PREFIX.nopass.pem -passin pass:$PASSWORD 113 +openssl rsa -in $CLIENT_FILE_PREFIX.pem -out $CLIENT_FILE_PREFIX.nopass.pem -passin pass:$CLIENT_KEY_PASSWORD
86 tail -n +$(($(grep -m1 -n -e '-----BEGIN CERTIFICATE' $CLIENT_FILE_PREFIX.pem | cut -d: -f1) )) \ 114 tail -n +$(($(grep -m1 -n -e '-----BEGIN CERTIFICATE' $CLIENT_FILE_PREFIX.pem | cut -d: -f1) )) \
87 $CLIENT_FILE_PREFIX.pem >> $CLIENT_FILE_PREFIX.nopass.pem 115 $CLIENT_FILE_PREFIX.pem >> $CLIENT_FILE_PREFIX.nopass.pem
88 116
  117 +echo "Exporting client public key"
  118 +tail -n +$(($(grep -m1 -n -e '-----BEGIN CERTIFICATE' $CLIENT_FILE_PREFIX.pem | cut -d: -f1) )) \
  119 + $CLIENT_FILE_PREFIX.pem >> $CLIENT_FILE_PREFIX.pub.pem
  120 +
89 echo "Done." 121 echo "Done."
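Review bot: The confirmation pattern on new line 58, `[yY]|[yY][eE]|[yY][eE]|[sS]|[yY]|""`, never matches the literal answer `yes`: `[yY][eE]` matches only two characters and `[sS]` alone accepts a bare `s`, so a user who types `yes` is sent round the loop with `Please reply 'yes' or 'no'`; `[yY]|[yY][eE][sS]|"")` is the intended pattern. The same pattern is copied into server.keygen.sh twice in this commit (new lines 74 and 132 there), so all three should be fixed together. The prompt on new line 51 says `Output files from previous server.keygen.sh script run found` although this is the client script; it should name securemqttclient.keygen.sh, as the usage text on line 21 does. The `-dname` on line 77 (context) still hard-codes `OU=Thingsboard, O=Thingsboard, L=Piscataway, ST=NJ, C=US` while server.keygen.sh now reads those values from the properties file; using the same variables here keeps both certificates consistent.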
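--- a/tools/src/main/shell/keygen.sh
+++ b/tools/src/main/shell/server.keygen.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #
 # Copyright © 2016-2017 The Thingsboard Authors
 #
@@ -18,9 +18,9 @@
 usage() {
 echo "This script generates thingsboard server's ssl certificate"
 echo "and optionally copies it to the server's resource directory."
- echo "usage: ./keygen.sh [-c flag] [-d directory]"
- echo " -c | --copy flag Set if copy keystore to server directory needed. Default value is true"
- echo " -d | --dir directory Server keystore directory, where the generated keystore file will be copied."
+ echo "usage: ./server.keygen.sh [-c flag] [-d directory] [-p file]"
+ echo " -c | --copy flag Specifies if the keystore should be copied to the server directory. Defaults to true"
+ echo " -d | --dir directory Server keystore directory, where the generated keystore file will be copied. If specified, overrides the value from the properties file"
 echo " Default value is SERVER_KEYSTORE_DIR property from properties file"
 echo " -p | --props | --properties file Properties file. default value is ./keygen.properties"
 echo " -h | --help | ? Show this message"
@@ -32,23 +32,24 @@ PROPERTIES_FILE=keygen.properties
 
 while true; do
 case "$1" in
- -c | --copy) COPY=$2 ;
- shift
- ;;
- -d | --dir | --directory) COPY_DIR=$2 ;
- shift
- ;;
- -p | --props | --properties) PROPERTIES_FILE=$2 ;
- shift
- ;;
- -h | --help | ?) usage
- exit 0
- ;;
- -- ) shift;
- break
- ;;
- * ) break
- ;;
+ -c | --copy) COPY=$2 ;
+ shift
+ ;;
+ -d | --dir | --directory ) COPY_DIR=$2 ;
+ shift
+ ;;
+ -p | --props | --properties ) PROPERTIES_FILE=$2 ;
+ shift
+ ;;
+ -- ) shift;
+ break
+ ;;
+ "" ) break
+ ;;
+
+ -h | --help | ? | *) usage
+ exit 0
+ ;;
 esac
 shift
 done
@@ -57,18 +58,40 @@ if [[ "$COPY" != true ]] && [[ "$COPY" != false ]]; then
 usage
 fi
 
-echo "copy: $COPY; copy_dir: $COPY_DIR; PROPERTIES_FILE=$PROPERTIES_FILE";
-
 . $PROPERTIES_FILE
 
+if [ -f $SERVER_FILE_PREFIX.jks ] || [ -f $SERVER_FILE_PREFIX.cer ] || [ -f $SERVER_FILE_PREFIX.pub.pem ] || [ -f $SERVER_FILE_PREFIX.pub.der ];
+then
+while :
+ do
+ read -p "Output files from previous server.keygen.sh script run found. Overwrite?[yes]" response
+ case $response in
+ [nN]|[nN][oO])
+ echo "Skipping"
+ echo "Done"
+ exit 0
+ ;;
+ [yY]|[yY][eE]|[yY][eE]|[sS]|[yY]|"")
+ echo "Cleaning up files"
+ rm -rf $SERVER_FILE_PREFIX.jks
+ rm -rf $SERVER_FILE_PREFIX.pub.pem
+ rm -rf $SERVER_FILE_PREFIX.cer
+ break;
+ ;;
+ *) echo "Please reply 'yes' or 'no'"
+ ;;
+ esac
+ done
+fi
+
 echo "Generating SSL Key Pair..."
 
 keytool -genkeypair -v \
 -alias $SERVER_KEY_ALIAS \
- -dname "CN=$DOMAIN_SUFFIX, OU=Thingsboard, O=Thingsboard, L=Piscataway, ST=NJ, C=US" \
+ -dname "CN=$DOMAIN_SUFFIX, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" \
 -keystore $SERVER_FILE_PREFIX.jks \
- -keypass $PASSWORD \
- -storepass $PASSWORD \
+ -keypass $SERVER_KEY_PASSWORD \
+ -storepass $SERVER_KEYSTORE_PASSWORD \
 -keyalg RSA \
 -keysize 2048 \
 -validity 9999
@@ -81,8 +104,15 @@ fi
 keytool -export \
 -alias $SERVER_KEY_ALIAS \
 -keystore $SERVER_FILE_PREFIX.jks \
- -file $CLIENT_TRUSTSTORE -rfc \
- -storepass $PASSWORD
+ -file $SERVER_FILE_PREFIX.pub.pem -rfc \
+ -storepass $SERVER_KEYSTORE_PASSWORD
+
+keytool -export \
+ -alias $SERVER_KEY_ALIAS \
+ -file $SERVER_FILE_PREFIX.cer \
+ -keystore $SERVER_FILE_PREFIX.jks \
+ -storepass $SERVER_KEYSTORE_PASSWORD \
+ -keypass $SERVER_KEY_PASSWORD
 
 status=$?
 if [[ $status != 0 ]]; then
@@ -92,27 +122,37 @@ fi
 
 if [[ $COPY = true ]]; then
 if [[ -z "$COPY_DIR" ]]; then
- read -p "Do you want to copy $SERVER_FILE_PREFIX.jks to server directory? " yn
- case $yn in
- [Yy]) echo "Please, specify destination dir: "
- read -p "(Default: $SERVER_KEYSTORE_DIR): " dir
- if [[ ! -z $dir ]]; then
- DESTINATION=$dir;
- else
- DESTINATION=$SERVER_KEYSTORE_DIR
- fi;
- break;;
- * ) ;;
- esac
+ read -p "Do you want to copy $SERVER_FILE_PREFIX.jks to server directory?[yes]" yn
+ while :
+ do
+ case $yn in
+ [nN]|[nN][oO])
+ break
+ ;;
+ [yY]|[yY][eE]|[yY][eE]|[sS]|[yY]|"")
+ read -p "(Default: $SERVER_KEYSTORE_DIR): " dir
+ if [[ ! -z $dir ]]; then
+ DESTINATION=$dir;
+ else
+ DESTINATION=$SERVER_KEYSTORE_DIR
+ fi;
+ break;;
+ *) echo "Please reply 'yes' or 'no'"
+ ;;
+ esac
+ done
 else
 DESTINATION=$COPY_DIR
 fi
- mkdir -p $DESTINATION
- cp $SERVER_FILE_PREFIX.jks $DESTINATION
- if [ $? -ne 0 ]; then
- echo "Failed to copy keystore file."
- else
- echo "File copied successfully."
+ echo "*** DEST: $DESTINATION"
+ if [[ -n $DESTINATION ]]; then
+ mkdir -p $DESTINATION
+ cp $SERVER_FILE_PREFIX.jks $DESTINATION
+ if [ $? -ne 0 ]; then
+ echo "Failed to copy keystore file."
+ else
+ echo "File copied successfully."
+ fi
 fi
 fi
 echo "Done."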
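Review bot: The confirmation loop added on new lines 126–143 reads `yn` once on line 125 and never again inside the `while`, so any reply other than a yes/no variant makes `*) echo "Please reply 'yes' or 'no'"` repeat forever; move the `read -p "Do you want to copy $SERVER_FILE_PREFIX.jks to server directory?[yes]" yn` inside the loop so each iteration asks again. `echo "*** DEST: $DESTINATION"` on new line 147 looks like leftover debug output and should go. The overwrite check on new line 63 tests for `$SERVER_FILE_PREFIX.pub.der`, but nothing in this script produces or removes a `.der` file, so that condition appears stale; the yes-pattern on lines 74 and 132 shares the `yes`-never-matches defect already noted on securemqttclient.keygen.sh.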
@@ -41,7 +41,7 @@ client.on_connect = on_connect @@ -41,7 +41,7 @@ client.on_connect = on_connect
41 client.on_message = on_message 41 client.on_message = on_message
42 client.publish('v1/devices/me/attributes/request/1', "{\"clientKeys\":\"model\"}", 1) 42 client.publish('v1/devices/me/attributes/request/1', "{\"clientKeys\":\"model\"}", 1)
43 43
44 -client.username_pw_set("TEST_TOKEN") 44 +client.username_pw_set("B1_TEST_TOKEN")
45 client.connect('127.0.0.1', 1883, 1) 45 client.connect('127.0.0.1', 1883, 1)
46 46
47 # Blocking call that processes network traffic, dispatches callbacks and 47 # Blocking call that processes network traffic, dispatches callbacks and
@@ -42,7 +42,7 @@ client.on_connect = on_connect @@ -42,7 +42,7 @@ client.on_connect = on_connect
42 client.on_message = on_message 42 client.on_message = on_message
43 client.publish('v1/devices/me/attributes/request/1', "{\"clientKeys\":\"model\"}", 1) 43 client.publish('v1/devices/me/attributes/request/1', "{\"clientKeys\":\"model\"}", 1)
44 44
45 -client.tls_set(ca_certs="client_truststore.pem", certfile="mqttclient.nopass.pem", keyfile=None, cert_reqs=ssl.CERT_REQUIRED, 45 +client.tls_set(ca_certs="mqttserver.pub.pem", certfile="mqttclient.nopass.pem", keyfile=None, cert_reqs=ssl.CERT_REQUIRED,
46 tls_version=ssl.PROTOCOL_TLSv1, ciphers=None); 46 tls_version=ssl.PROTOCOL_TLSv1, ciphers=None);
47 47
48 client.tls_insecure_set(False) 48 client.tls_insecure_set(False)
@@ -64,11 +64,9 @@ @@ -64,11 +64,9 @@
64 <groupId>ch.qos.logback</groupId> 64 <groupId>ch.qos.logback</groupId>
65 <artifactId>logback-classic</artifactId> 65 <artifactId>logback-classic</artifactId>
66 </dependency> 66 </dependency>
67 - <!-- https://mvnrepository.com/artifact/com.google.guava/guava -->  
68 <dependency> 67 <dependency>
69 <groupId>com.google.guava</groupId> 68 <groupId>com.google.guava</groupId>
70 <artifactId>guava</artifactId> 69 <artifactId>guava</artifactId>
71 - <version>18.0</version>  
72 </dependency> 70 </dependency>
73 <dependency> 71 <dependency>
74 <groupId>org.springframework.boot</groupId> 72 <groupId>org.springframework.boot</groupId>
@@ -49,9 +49,11 @@ public class MqttSslHandlerProvider { @@ -49,9 +49,11 @@ public class MqttSslHandlerProvider {
49 private String keyStoreFile; 49 private String keyStoreFile;
50 @Value("${mqtt.ssl.key_store_password}") 50 @Value("${mqtt.ssl.key_store_password}")
51 private String keyStorePassword; 51 private String keyStorePassword;
  52 + @Value("${mqtt.ssl.key_password}")
  53 + private String keyPassword;
52 @Value("${mqtt.ssl.key_store_type}") 54 @Value("${mqtt.ssl.key_store_type}")
53 private String keyStoreType; 55 private String keyStoreType;
54 - 56 +
55 @Autowired 57 @Autowired
56 private DeviceCredentialsService deviceCredentialsService; 58 private DeviceCredentialsService deviceCredentialsService;
57 59
@@ -72,7 +74,7 @@ public class MqttSslHandlerProvider { @@ -72,7 +74,7 @@ public class MqttSslHandlerProvider {
72 74
73 ks.load(new FileInputStream(ksFile), keyStorePassword.toCharArray()); 75 ks.load(new FileInputStream(ksFile), keyStorePassword.toCharArray());
74 KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); 76 KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
75 - kmf.init(ks, keyStorePassword.toCharArray()); 77 + kmf.init(ks, keyPassword.toCharArray());
76 78
77 KeyManager[] km = kmf.getKeyManagers(); 79 KeyManager[] km = kmf.getKeyManagers();
78 TrustManager x509wrapped = getX509TrustManager(tmFactory); 80 TrustManager x509wrapped = getX509TrustManager(tmFactory);
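Review bot: The new `keyPassword` field on new lines 52–53 of the first hunk is undocumented and sits directly beside `keyStorePassword`, which it is easy to confuse with; a comment distinguishing them would help, e.g. `// Protects the private key entry inside the keystore; may differ from keyStorePassword, which protects the store itself.` Because the `@Value("${mqtt.ssl.key_password}")` has no default, the property becomes mandatory wherever this provider is instantiated; if existing deployments only set `key_store_password`, `@Value("${mqtt.ssl.key_password:${mqtt.ssl.key_store_password}}")` preserves the previous behaviour where both were the same value. The `FileInputStream` on line 75 (context) is still never closed; the enclosing method starts and ends outside the hunk.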
@@ -16,6 +16,7 @@ @@ -16,6 +16,7 @@
16 package org.thingsboard.server.transport.mqtt.util; 16 package org.thingsboard.server.transport.mqtt.util;
17 17
18 import lombok.extern.slf4j.Slf4j; 18 import lombok.extern.slf4j.Slf4j;
  19 +import org.springframework.util.Base64Utils;
19 import org.thingsboard.server.dao.EncryptionUtil; 20 import org.thingsboard.server.dao.EncryptionUtil;
20 import sun.misc.BASE64Encoder; 21 import sun.misc.BASE64Encoder;
21 22
@@ -35,17 +36,13 @@ public class SslUtil { @@ -35,17 +36,13 @@ public class SslUtil {
35 36
36 public static String getX509CertificateString(X509Certificate cert) 37 public static String getX509CertificateString(X509Certificate cert)
37 throws CertificateEncodingException, IOException { 38 throws CertificateEncodingException, IOException {
38 - ByteArrayOutputStream out = new ByteArrayOutputStream();  
39 - BASE64Encoder encoder = new BASE64Encoder();  
40 - encoder.encodeBuffer(cert.getEncoded(), out);  
41 - return EncryptionUtil.trimNewLines(new String(out.toByteArray(), "UTF-8")); 39 + Base64Utils.encodeToString(cert.getEncoded());
  40 + return EncryptionUtil.trimNewLines(Base64Utils.encodeToString(cert.getEncoded()));
42 } 41 }
43 42
44 public static String getX509CertificateString(javax.security.cert.X509Certificate cert) 43 public static String getX509CertificateString(javax.security.cert.X509Certificate cert)
45 throws javax.security.cert.CertificateEncodingException, IOException { 44 throws javax.security.cert.CertificateEncodingException, IOException {
46 - ByteArrayOutputStream out = new ByteArrayOutputStream();  
47 - BASE64Encoder encoder = new BASE64Encoder();  
48 - encoder.encodeBuffer(cert.getEncoded(), out);  
49 - return EncryptionUtil.trimNewLines(new String(out.toByteArray(), "UTF-8")); 45 + Base64Utils.encodeToString(cert.getEncoded());
  46 + return EncryptionUtil.trimNewLines(Base64Utils.encodeToString(cert.getEncoded()));
50 } 47 }
51 } 48 }
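Review bot: The statement `Base64Utils.encodeToString(cert.getEncoded());` on new lines 39 and 45 discards its result, so each method encodes the certificate twice and the first call is dead code; delete those two lines and keep only the `return`. With the `BASE64Encoder` uses removed, `import sun.misc.BASE64Encoder;` on new line 21 of the first hunk has no remaining user in the visible hunks (and `ByteArrayOutputStream` likely none either); dropping it also removes a dependency on an internal JDK class that is not available on newer JDKs. Since `Base64Utils.encodeToString` returns a single unwrapped line with no PEM armor, `trimNewLines` has nothing to strip here as far as these lines show, and `java.util.Base64.getEncoder().encodeToString(...)` would give the same result without the Spring utility if that is preferred.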