Use of org.thingsboard.server.common.data.device.credentials.lwm2m.X509BootstrapClientCredential in the thingsboard project by thingsboard.
Class DeviceCredentialsServiceImpl, method validateServerCredentials.
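/**
 * Validates a single LwM2M bootstrap client credential entry (bootstrap server or LwM2M server)
 * against the requirements of its security mode.
 * <p>
 * Side effect: for RPK and X509 the public key / certificate and the private key strings are
 * normalized in place (line breaks trimmed via {@code EncryptionUtil}) before they are decoded,
 * so the credential object ends up holding the trimmed form.
 * <p>
 * These checks are syntactic only (presence, encoding, length, decodability); they do not assess
 * key strength or uniqueness.
 *
 * @param serverCredentials credential to validate; its security mode must be set
 * @param server            label of the server the credential belongs to, used only in messages
 * @throws DeviceCredentialsValidationException if the security mode is missing or unsupported,
 *         or if any required field is absent or malformed
 */
private void validateServerCredentials(LwM2MBootstrapClientCredential serverCredentials, String server) {
    if (serverCredentials == null || serverCredentials.getSecurityMode() == null) {
        throw new DeviceCredentialsValidationException(server + " security mode must be specified!");
    }
    switch (serverCredentials.getSecurityMode()) {
        case NO_SEC:
            // Nothing to check: no key material is involved.
            break;
        case PSK:
            validatePskBootstrapCredential((PSKBootstrapClientCredential) serverCredentials, server);
            break;
        case RPK:
            validateRpkBootstrapCredential((RPKBootstrapClientCredential) serverCredentials, server);
            break;
        case X509:
            validateX509BootstrapCredential((X509BootstrapClientCredential) serverCredentials, server);
            break;
        default:
            // Fail closed: a mode this code does not know must not pass validation silently.
            throw new DeviceCredentialsValidationException(server + " security mode '" + serverCredentials.getSecurityMode() + "' is not supported!");
    }
}

/**
 * PSK mode: the identity must be present and must not be the literal "NO_SEC"; the key must be
 * plain hex of exactly 32, 64 or 128 characters (128/256/512-bit key).
 */
private void validatePskBootstrapCredential(PSKBootstrapClientCredential pskCredentials, String server) {
    String identity = pskCredentials.getClientPublicKeyOrId();
    if (StringUtils.isBlank(identity)) {
        throw new DeviceCredentialsValidationException(server + " client PSK public key or id must be specified and must be an utf8 string!");
    }
    // The security-mode name is rejected as an identity; presumably reserved to avoid ambiguity
    // with the NO_SEC mode string — TODO confirm the original reason.
    if (identity.equals(SecurityMode.NO_SEC.toString())) {
        throw new DeviceCredentialsValidationException(server + " client PSK public key or id must not be '" + SecurityMode.NO_SEC + "'!");
    }
    String pskKey = pskCredentials.getClientSecretKey();
    if (StringUtils.isBlank(pskKey)) {
        throw new DeviceCredentialsValidationException(server + " client PSK key must be specified!");
    }
    // Hex digits only: a leading sign character is not valid hex encoding.
    if (!pskKey.matches("[0-9a-fA-F]+")) {
        throw new DeviceCredentialsValidationException(server + " client PSK key must be random sequence in hex encoding!");
    }
    // Accept exactly the lengths the message names; a plain "% 32" test would also admit 96.
    int keyLength = pskKey.length();
    if (keyLength != 32 && keyLength != 64 && keyLength != 128) {
        throw new DeviceCredentialsValidationException(server + " client PSK key length = " + keyLength + ". Key must be HexDec format: 32, 64, 128 characters!");
    }
}

/**
 * RPK mode: the raw public key (RFC 7250, Base64) and the private key (PKCS#8 DER, Base64) must
 * both be present and decodable. Both strings are trimmed in place before decoding.
 */
private void validateRpkBootstrapCredential(RPKBootstrapClientCredential rpkServerCredentials, String server) {
    // isBlank (not isEmpty) so this branch matches the PSK and X509 checks for whitespace-only input.
    if (StringUtils.isBlank(rpkServerCredentials.getClientPublicKeyOrId())) {
        throw new DeviceCredentialsValidationException(server + " client RPK public key or id must be specified!");
    }
    try {
        String trimmedPublicKey = EncryptionUtil.pubkTrimNewLines(rpkServerCredentials.getClientPublicKeyOrId());
        rpkServerCredentials.setClientPublicKeyOrId(trimmedPublicKey);
        SecurityUtil.publicKey.decode(rpkServerCredentials.getDecodedClientPublicKeyOrId());
    } catch (Exception e) {
        // The decoder's failure types are not known here; any failure is reported as a validation error.
        throw new DeviceCredentialsValidationException(server + " client RPK public key or id must be in standard [RFC7250 ] and then encoded to Base64 format!");
    }
    if (StringUtils.isBlank(rpkServerCredentials.getClientSecretKey())) {
        throw new DeviceCredentialsValidationException(server + " client RPK secret key must be specified!");
    }
    try {
        String trimmedPrivateKey = EncryptionUtil.prikTrimNewLines(rpkServerCredentials.getClientSecretKey());
        rpkServerCredentials.setClientSecretKey(trimmedPrivateKey);
        SecurityUtil.privateKey.decode(rpkServerCredentials.getDecodedClientSecretKey());
    } catch (Exception e) {
        throw new DeviceCredentialsValidationException(server + " client RPK secret key must be in PKCS#8 format (DER encoding, standard [RFC5958]) and then encoded to Base64 format!");
    }
}

/**
 * X509 mode: the certificate (DER X509v3, Base64) and the private key (PKCS#8 DER, Base64) must
 * both be present and decodable. Both strings are trimmed in place before decoding.
 */
private void validateX509BootstrapCredential(X509BootstrapClientCredential x509ServerCredentials, String server) {
    if (StringUtils.isBlank(x509ServerCredentials.getClientPublicKeyOrId())) {
        throw new DeviceCredentialsValidationException(server + " client X509 public key or id must be specified!");
    }
    try {
        String trimmedCertificate = EncryptionUtil.certTrimNewLines(x509ServerCredentials.getClientPublicKeyOrId());
        x509ServerCredentials.setClientPublicKeyOrId(trimmedCertificate);
        SecurityUtil.certificate.decode(x509ServerCredentials.getDecodedClientPublicKeyOrId());
    } catch (Exception e) {
        // Decodability only: chain/validity of the certificate is not checked here.
        throw new DeviceCredentialsValidationException(server + " client X509 public key or id must be in DER-encoded X509v3 format and support only EC algorithm and then encoded to Base64 format!");
    }
    if (StringUtils.isBlank(x509ServerCredentials.getClientSecretKey())) {
        throw new DeviceCredentialsValidationException(server + " client X509 secret key must be specified!");
    }
    try {
        String trimmedPrivateKey = EncryptionUtil.prikTrimNewLines(x509ServerCredentials.getClientSecretKey());
        x509ServerCredentials.setClientSecretKey(trimmedPrivateKey);
        SecurityUtil.privateKey.decode(x509ServerCredentials.getDecodedClientSecretKey());
    } catch (Exception e) {
        throw new DeviceCredentialsValidationException(server + " client X509 secret key must be in PKCS#8 format (DER encoding, standard [RFC5958]) and then encoded to Base64 format!");
    }
}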
Use of org.thingsboard.server.common.data.device.credentials.lwm2m.X509BootstrapClientCredential in the thingsboard project by thingsboard.
Class AbstractSecurityLwM2MIntegrationTest, method getBootstrapClientCredentialsX509.
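/**
 * Builds bootstrap client credentials for X509 mode, using one and the same credential object for
 * the bootstrap server and the LwM2M server entries.
 * <p>
 * When {@code certificate} is null the returned entry carries no key material. When
 * {@code privateKeyIsBad} is true the private key is deliberately written as hex instead of the
 * expected Base64, to exercise the negative validation path.
 *
 * @param certificate     client certificate, encoded as Base64 of its DER form; null yields an empty entry
 * @param privateKey      client private key, encoded from its {@code getEncoded()} form; read only when certificate is non-null
 * @param privateKeyIsBad true to encode the private key as hex (invalid), false for Base64
 * @return credentials whose bootstrap-server and LwM2M-server entries are the same X509 credential
 */
private LwM2MBootstrapClientCredentials getBootstrapClientCredentialsX509(X509Certificate certificate, PrivateKey privateKey, boolean privateKeyIsBad) {
    LwM2MBootstrapClientCredentials bootstrapCredentials = new LwM2MBootstrapClientCredentials();
    X509BootstrapClientCredential serverCredentials = new X509BootstrapClientCredential();
    if (certificate != null) {
        try {
            serverCredentials.setClientPublicKeyOrId(Base64.encodeBase64String(certificate.getEncoded()));
            byte[] encodedPrivateKey = privateKey.getEncoded();
            String secretKey = privateKeyIsBad
                    ? Hex.encodeHexString(encodedPrivateKey)
                    : Base64.encodeBase64String(encodedPrivateKey);
            serverCredentials.setClientSecretKey(secretKey);
        } catch (CertificateEncodingException e) {
            // Best-effort fixture: leave the entry without keys, but log the full exception
            // (trailing Throwable argument) rather than only its message, so the stack trace is kept.
            log.error("Client`s certificate [{}] is bad. [{}]", certificate, e.getMessage(), e);
        }
    }
    bootstrapCredentials.setBootstrapServer(serverCredentials);
    bootstrapCredentials.setLwm2mServer(serverCredentials);
    return bootstrapCredentials;
}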