Search in sources :

Example 1 with RPKBootstrapClientCredential

use of org.thingsboard.server.common.data.device.credentials.lwm2m.RPKBootstrapClientCredential in project thingsboard by thingsboard.

the class DeviceCredentialsServiceImpl method validateServerCredentials.

private void validateServerCredentials(LwM2MBootstrapClientCredential serverCredentials, String server) {
    switch(serverCredentials.getSecurityMode()) {
        case NO_SEC:
            break;
        case PSK:
            PSKBootstrapClientCredential pskCredentials = (PSKBootstrapClientCredential) serverCredentials;
            if (StringUtils.isBlank(pskCredentials.getClientPublicKeyOrId())) {
                throw new DeviceCredentialsValidationException(server + " client PSK public key or id must be specified and must be an utf8 string!");
            }
            // SecurityMode.NO_SEC.toString() == "NO_SEC";
            if (pskCredentials.getClientPublicKeyOrId().equals(SecurityMode.NO_SEC.toString())) {
                throw new DeviceCredentialsValidationException(server + " client PSK public key or id must not be '" + SecurityMode.NO_SEC + "'!");
            }
            String pskKey = pskCredentials.getClientSecretKey();
            if (StringUtils.isBlank(pskKey)) {
                throw new DeviceCredentialsValidationException(server + " client PSK key must be specified!");
            }
            if (!pskKey.matches("-?[0-9a-fA-F]+")) {
                throw new DeviceCredentialsValidationException(server + " client PSK key must be random sequence in hex encoding!");
            }
            if (pskKey.length() % 32 != 0 || pskKey.length() > 128) {
                throw new DeviceCredentialsValidationException(server + " client PSK key length = " + pskKey.length() + ". Key must be HexDec format: 32, 64, 128 characters!");
            }
            break;
        case RPK:
            RPKBootstrapClientCredential rpkServerCredentials = (RPKBootstrapClientCredential) serverCredentials;
            if (StringUtils.isEmpty(rpkServerCredentials.getClientPublicKeyOrId())) {
                throw new DeviceCredentialsValidationException(server + " client RPK public key or id must be specified!");
            }
            try {
                String pubkRpkSever = EncryptionUtil.pubkTrimNewLines(rpkServerCredentials.getClientPublicKeyOrId());
                rpkServerCredentials.setClientPublicKeyOrId(pubkRpkSever);
                SecurityUtil.publicKey.decode(rpkServerCredentials.getDecodedClientPublicKeyOrId());
            } catch (Exception e) {
                throw new DeviceCredentialsValidationException(server + " client RPK public key or id must be in standard [RFC7250 ] and then encoded to Base64 format!");
            }
            if (StringUtils.isEmpty(rpkServerCredentials.getClientSecretKey())) {
                throw new DeviceCredentialsValidationException(server + " client RPK secret key must be specified!");
            }
            try {
                String prikRpkSever = EncryptionUtil.prikTrimNewLines(rpkServerCredentials.getClientSecretKey());
                rpkServerCredentials.setClientSecretKey(prikRpkSever);
                SecurityUtil.privateKey.decode(rpkServerCredentials.getDecodedClientSecretKey());
            } catch (Exception e) {
                throw new DeviceCredentialsValidationException(server + " client RPK secret key must be in PKCS#8 format (DER encoding, standard [RFC5958]) and then encoded to Base64 format!");
            }
            break;
        case X509:
            X509BootstrapClientCredential x509ServerCredentials = (X509BootstrapClientCredential) serverCredentials;
            if (StringUtils.isBlank(x509ServerCredentials.getClientPublicKeyOrId())) {
                throw new DeviceCredentialsValidationException(server + " client X509 public key or id must be specified!");
            }
            try {
                String certServer = EncryptionUtil.certTrimNewLines(x509ServerCredentials.getClientPublicKeyOrId());
                x509ServerCredentials.setClientPublicKeyOrId(certServer);
                SecurityUtil.certificate.decode(x509ServerCredentials.getDecodedClientPublicKeyOrId());
            } catch (Exception e) {
                throw new DeviceCredentialsValidationException(server + " client X509 public key or id must be in DER-encoded X509v3 format  and support only EC algorithm and then encoded to Base64 format!");
            }
            if (StringUtils.isBlank(x509ServerCredentials.getClientSecretKey())) {
                throw new DeviceCredentialsValidationException(server + " client X509 secret key must be specified!");
            }
            try {
                String prikX509Sever = EncryptionUtil.prikTrimNewLines(x509ServerCredentials.getClientSecretKey());
                x509ServerCredentials.setClientSecretKey(prikX509Sever);
                SecurityUtil.privateKey.decode(x509ServerCredentials.getDecodedClientSecretKey());
            } catch (Exception e) {
                throw new DeviceCredentialsValidationException(server + " client X509 secret key must be in PKCS#8 format (DER encoding, standard [RFC5958]) and then encoded to Base64 format!");
            }
            break;
    }
}
Also used : RPKBootstrapClientCredential(org.thingsboard.server.common.data.device.credentials.lwm2m.RPKBootstrapClientCredential) Validator.validateString(org.thingsboard.server.dao.service.Validator.validateString) DeviceCredentialsValidationException(org.thingsboard.server.dao.exception.DeviceCredentialsValidationException) PSKBootstrapClientCredential(org.thingsboard.server.common.data.device.credentials.lwm2m.PSKBootstrapClientCredential) DeviceCredentialsValidationException(org.thingsboard.server.dao.exception.DeviceCredentialsValidationException) ConstraintViolationException(org.hibernate.exception.ConstraintViolationException) DataValidationException(org.thingsboard.server.dao.exception.DataValidationException) X509BootstrapClientCredential(org.thingsboard.server.common.data.device.credentials.lwm2m.X509BootstrapClientCredential)

Example 2 with RPKBootstrapClientCredential

use of org.thingsboard.server.common.data.device.credentials.lwm2m.RPKBootstrapClientCredential in project thingsboard by thingsboard.

the class AbstractSecurityLwM2MIntegrationTest method getBootstrapClientCredentialsRpk.

private LwM2MBootstrapClientCredentials getBootstrapClientCredentialsRpk(X509Certificate certificate, PrivateKey privateKey, boolean privateKeyIsBad) {
    LwM2MBootstrapClientCredentials bootstrapCredentials = new LwM2MBootstrapClientCredentials();
    RPKBootstrapClientCredential serverCredentials = new RPKBootstrapClientCredential();
    if (certificate != null && certificate.getPublicKey() != null && privateKey != null) {
        serverCredentials.setClientPublicKeyOrId(Base64.encodeBase64String(certificate.getPublicKey().getEncoded()));
        if (privateKeyIsBad) {
            serverCredentials.setClientSecretKey(Hex.encodeHexString(privateKey.getEncoded()));
        } else {
            serverCredentials.setClientSecretKey(Base64.encodeBase64String(privateKey.getEncoded()));
        }
    }
    bootstrapCredentials.setBootstrapServer(serverCredentials);
    bootstrapCredentials.setLwm2mServer(serverCredentials);
    return bootstrapCredentials;
}
Also used : RPKBootstrapClientCredential(org.thingsboard.server.common.data.device.credentials.lwm2m.RPKBootstrapClientCredential) LwM2MBootstrapClientCredentials(org.thingsboard.server.common.data.device.credentials.lwm2m.LwM2MBootstrapClientCredentials)

Aggregations

RPKBootstrapClientCredential (org.thingsboard.server.common.data.device.credentials.lwm2m.RPKBootstrapClientCredential)2 ConstraintViolationException (org.hibernate.exception.ConstraintViolationException)1 LwM2MBootstrapClientCredentials (org.thingsboard.server.common.data.device.credentials.lwm2m.LwM2MBootstrapClientCredentials)1 PSKBootstrapClientCredential (org.thingsboard.server.common.data.device.credentials.lwm2m.PSKBootstrapClientCredential)1 X509BootstrapClientCredential (org.thingsboard.server.common.data.device.credentials.lwm2m.X509BootstrapClientCredential)1 DataValidationException (org.thingsboard.server.dao.exception.DataValidationException)1 DeviceCredentialsValidationException (org.thingsboard.server.dao.exception.DeviceCredentialsValidationException)1 Validator.validateString (org.thingsboard.server.dao.service.Validator.validateString)1