Merge pull request #1 from inomotech-foss/feature/cert_as_text

Feature/cert as text

Author: samuelBloch

io.openems.edge.application/EdgeApp.bndrun

@@ -403,4 +403,7 @@
 	org.osgi.util.promise;version='[1.3.0,1.3.1)',\
 	org.owasp.encoder;version='[1.2.3,1.2.4)',\
 	reactive-streams;version='[1.0.4,1.0.5)',\
-	rrd4j;version='[3.9.0,3.9.1)'
+	rrd4j;version='[3.9.0,3.9.1)',\
+	bcpkix;version='[1.65.0,1.65.1)',\
+	bcprov;version='[1.65.0,1.65.1)'
+-resolve: auto

io.openems.edge.controller.api.mqtt/bnd.bnd

@@ -13,6 +13,8 @@ Bundle-Version: 1.0.0.${tstamp}
 	io.openems.wrapper.paho-mqttv5,\
 	org.eclipse.paho.mqttv5.client;version='1.2',\
 	org.ops4j.pax.logging.pax-logging-api,\
-
+	bcprov,\
+	bcpkix
+	
 -testpath: \
 	${testpath}

io.openems.edge.controller.api.mqtt/src/io/openems/edge/controller/api/mqtt/Config.java

@@ -32,17 +32,14 @@
 	@AttributeDefinition(name = "Uri", description = "The connection Uri to MQTT broker.")
 	String uri() default "tcp://localhost:1883";
 
-	@AttributeDefinition(name = "Certificate", description = "The path to the client certificate")
-	String certPath();
+	@AttributeDefinition(name = "Certificate", description = "The client certificate in PEM format")
+	String certPem();
 
-	@AttributeDefinition(name = "Private Key", description = "The path to the private key")
-	String privateKeyPath();
+	@AttributeDefinition(name = "Private Key", description = "The private key in PEM format")
+	String privateKeyPem();
 
-	@AttributeDefinition(name = "Trust Store", description = "The path to the trust store")
-	String trustStorePath();
-	
-	@AttributeDefinition(name = "Trust Store Password", description = "Password to access trust store")
-	String trustStorePassword() default "";
+	@AttributeDefinition(name = "Trust Store", description = "The trust store in PEM format")
+	String trustStorePem();
 
 	@AttributeDefinition(name = "Persistence Priority", description = "Send only Channels with a Persistence Priority greater-or-equals this.")
 	PersistencePriority persistencePriority() default PersistencePriority.VERY_LOW;

io.openems.edge.controller.api.mqtt/src/io/openems/edge/controller/api/mqtt/ControllerApiMqttImpl.java

@@ -77,10 +77,8 @@ private void activate(ComponentContext context, Config config) throws Exception
 		this.topicPrefix = String.format(ControllerApiMqtt.TOPIC_PREFIX, config.clientId());
 
 		super.activate(context, config.id(), config.alias(), config.enabled());
-		this.mqttConnector
-				.connect(config.uri(), config.clientId(), config.username(), config.password(), config.certPath(),
-						config.privateKeyPath(), config.trustStorePath(), config.trustStorePassword())
-				.thenAccept(client -> {
+		this.mqttConnector.connect(config.uri(), config.clientId(), config.username(), config.password(),
+				config.certPem(), config.privateKeyPem(), config.trustStorePem()).thenAccept(client -> {
 					this.mqttClient = client;
 					this.logInfo(this.log, "Connected to MQTT Broker [" + config.uri() + "]");
 				});
@@ -176,4 +174,4 @@ protected boolean publish(String subTopic, String message, int qos, boolean reta
 		var msg = new MqttMessage(message.getBytes(StandardCharsets.UTF_8), qos, retained, properties);
 		return this.publish(subTopic, msg);
 	}
-}
+}

io.openems.edge.controller.api.mqtt/src/io/openems/edge/controller/api/mqtt/MqttConnector.java

@@ -66,15 +66,14 @@ protected synchronized void deactivate() {
 	}
 
 	protected synchronized CompletableFuture<IMqttClient> connect(String serverUri, String clientId, String username,
-			String password, String certPath, String privateKeyPath, String trustStorePath, String trustStorePassword)
+			String password, String certPem, String privateKeyPem, String trustStorePem)
 			throws IllegalArgumentException, MqttException {
-		return this.connect(serverUri, clientId, username, password, certPath, privateKeyPath, trustStorePath,
-				trustStorePassword, null);
+		return this.connect(serverUri, clientId, username, password, certPem, privateKeyPem, trustStorePem, null);
 	}
 
 	protected synchronized CompletableFuture<IMqttClient> connect(String serverUri, String clientId, String username,
-			String password, String certPath, String privateKeyPath, String trustStorePath, String trustStorePassword,
-			MqttCallback callback) throws IllegalArgumentException, MqttException {
+			String password, String certPem, String privateKeyPem, String trustStorePem, MqttCallback callback)
+			throws IllegalArgumentException, MqttException {
 		IMqttClient client = new MqttClient(serverUri, clientId);
 		if (callback != null) {
 			client.setCallback(callback);
@@ -89,9 +88,8 @@ protected synchronized CompletableFuture<IMqttClient> connect(String serverUri,
 		options.setCleanStart(true);
 		options.setConnectionTimeout(10);
 
-		if (certPath != null && privateKeyPath != null) {
-			options.setSocketFactory(
-					MqttUtils.createSslSocketFactory(certPath, privateKeyPath, trustStorePath, trustStorePassword));
+		if (certPem != null && privateKeyPem != null) {
+			options.setSocketFactory(MqttUtils.createSslSocketFactory(certPem, privateKeyPem, trustStorePem));
 		}
 
 		this.connector = new MyConnector(client, options);

io.openems.edge.controller.api.mqtt/src/io/openems/edge/controller/api/mqtt/MqttUtils.java

@@ -1,16 +1,21 @@
 package io.openems.edge.controller.api.mqtt;
 
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.openssl.PEMKeyPair;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+
 import javax.net.ssl.*;
-import java.io.FileInputStream;
 import java.io.InputStream;
-import java.security.KeyFactory;
-import java.security.KeyStore;
-import java.security.PrivateKey;
+import java.io.InputStreamReader;
+import java.security.*;
+import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
-import java.security.spec.PKCS8EncodedKeySpec;
-import java.util.ArrayList;
-import java.util.List;
+import java.security.spec.InvalidKeySpecException;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
 
 /**
  * This Utility class provides methods for handling MQTT-related operations.
@@ -25,105 +30,93 @@ public class MqttUtils {
 	 * server truststore information, allowing the creation of an SSLSocketFactory
 	 * with the configured security settings.
 	 *
-	 * @param certPath           The file path to the client's certificate.
-	 * @param privateKeyPath     The file path to the private key file.
-	 * @param trustStorePath     The file path to the server's truststore.
-	 * @param trustStorePassword The password for accessing the server's truststore.
+	 * @param cert           The client's certificate as String.
+	 * @param privateKey     The private key as String.
+	 * @param trustStore     The server's trust store as String.
 	 * @return An SSLSocketFactory configured with the specified security settings.
 	 * @throws RuntimeException If there is an error during the creation of the
 	 *                          SSLSocketFactory.
 	 */
 
-	public static SSLSocketFactory createSslSocketFactory(String certPath, String privateKeyPath, String trustStorePath,
-			String trustStorePassword) {
+	public static SSLSocketFactory createSslSocketFactory(String cert, String privateKey, String trustStore) {
 		try {
-			X509Certificate clientCertificate = loadClientCertificate(certPath);
-
-			PrivateKey privateKey = loadPrivateKey(privateKeyPath);
-
-			KeyManagerFactory keyManagerFactory = KeyManagerFactory
-					.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-			KeyStore clientKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
-			clientKeyStore.load(null);
-			clientKeyStore.setCertificateEntry("clientCert", clientCertificate);
-			char pw[] = (trustStorePassword != null) ? trustStorePassword.toCharArray() : null;
-			clientKeyStore.setKeyEntry("clientKey", privateKey, pw,
-					new java.security.cert.Certificate[] { clientCertificate });
-			keyManagerFactory.init(clientKeyStore, pw);
-
-			TrustManagerFactory trustManagerFactory = TrustManagerFactory
-					.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-			trustManagerFactory.init(loadTrustStore(trustStorePath));
+	        Security.addProvider(new BouncyCastleProvider());
 
-			SSLContext sslContext = SSLContext.getInstance("TLS");
-			sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
-
-			return sslContext.getSocketFactory();
-		} catch (Exception e) {
-			throw new RuntimeException("Error creating SSLSocketFactory", e);
-		}
-	}
-
-	/**
-	 * Loads a client certificate from a given path.
-	 *
-	 * @param certPath The path to the certificate file.
-	 * @return The loaded client certificate.
-	 * @throws Exception If an error occurs while loading the certificate.
-	 */
-	private static X509Certificate loadClientCertificate(String certPath) throws Exception {
-		CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
-		X509Certificate clientCertificate;
-		try (InputStream certInputStream = new FileInputStream(certPath)) {
-			clientCertificate = (X509Certificate) certificateFactory.generateCertificate(certInputStream);
-			return clientCertificate;
-		}
 
-	}
+	        // Load client certificate
+	        X509Certificate clientCert = loadCertificate(cert);
 
-	/**
-	 * Loads a trust store from a given path.
-	 *
-	 * @param trustStorePath The path to the trust store file.
-	 * @return The loaded trust store.
-	 * @throws Exception If an error occurs while loading the trust store.
-	 */
-	private static KeyStore loadTrustStore(String trustStorePath) throws Exception {
-		CertificateFactory cf = CertificateFactory.getInstance("X.509");
+	        // Load client private key
+	        PrivateKey clientKey = loadPrivateKey(privateKey);
+	        
+	        // Load CA certificate
+	        X509Certificate caCert = loadCertificate(trustStore);
 
-		List<X509Certificate> certificates = new ArrayList<>();
-		try (FileInputStream fis = new FileInputStream(trustStorePath)) {
-			while (fis.available() > 0) {
-				X509Certificate certificate = (X509Certificate) cf.generateCertificate(fis);
-				certificates.add(certificate);
-			}
-		}
+	        // Create a KeyStore and add the CA certificate, client certificate, and private key
+	        KeyStore keyStore = KeyStore.getInstance("PKCS12");
+	        keyStore.load(null, null);
+	        keyStore.setCertificateEntry("caCert", caCert);
+	        keyStore.setCertificateEntry("clientCert", clientCert);
+	        keyStore.setKeyEntry("clientKey", clientKey, new char[0], new X509Certificate[]{clientCert});
 
-		KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
-		trustStore.load(null);
+	        // Create a TrustManager that trusts the CA certificate
+	        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+	        trustManagerFactory.init(keyStore);
 
-		int i = 0;
-		for (X509Certificate certificate : certificates) {
-			String alias = "cert" + i++;
-			trustStore.setCertificateEntry(alias, certificate);
-		}
+	        // Create a KeyManager that uses the client certificate and private key
+	        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+	        keyManagerFactory.init(keyStore, new char[0]);
 
-		return trustStore;
-	}
+	        // Create an SSLContext with the TrustManager and KeyManager
+	        SSLContext sslContext = SSLContext.getInstance("TLS");
+	        sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());
 
-	/**
-	 * Loads a private key from a given path.
-	 *
-	 * @param privateKeyPath The path to the private key file.
-	 * @return The loaded private key.
-	 * @throws Exception If an error occurs while loading the private key.
-	 */
-	private static PrivateKey loadPrivateKey(String privateKeyPath) throws Exception {
-		try (FileInputStream keyInputStream = new FileInputStream(privateKeyPath)) {
-			byte[] keyBytes = keyInputStream.readAllBytes();
-			PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(keyBytes);
-			KeyFactory keyFactory = KeyFactory.getInstance("RSA");
-			return keyFactory.generatePrivate(keySpec);
+	        return sslContext.getSocketFactory();
+		} catch (Exception e) {
+			throw new RuntimeException("Error creating SSLSocketFactory", e);
 		}
 	}
+	
+    /**
+     * Loads an X.509 certificate from a PEM-encoded string.
+     *
+     * @param cert The PEM-encoded certificate string.
+     * @return The X.509 certificate.
+     * @throws IOException              If an I/O error occurs.
+     * @throws CertificateException     If an error occurs while processing the certificate.
+     */
+    private static X509Certificate loadCertificate(String cert) throws IOException, CertificateException {
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+        try (InputStream is = new ByteArrayInputStream(cert.getBytes())) {
+            return (X509Certificate) cf.generateCertificate(is);
+        }
+    }
+    
+    /**
+     * Loads a private key from a PEM-encoded string.
+     *
+     * @param privateKey The PEM-encoded private key string.
+     * @return The private key.
+     * @throws IOException                 If an I/O error occurs.
+     * @throws NoSuchAlgorithmException    If the specified algorithm is not available.
+     * @throws InvalidKeySpecException     If the private key cannot be generated.
+     */
+    private static PrivateKey loadPrivateKey(String privateKey) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
+        try (PEMParser pemParser = new PEMParser(new InputStreamReader(new ByteArrayInputStream(privateKey.getBytes())))) {
+            Object obj = pemParser.readObject();
+            if (obj instanceof PEMKeyPair) {
+                // Handle RSA private key
+                PEMKeyPair pemKeyPair = (PEMKeyPair) obj;
+                JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
+                return converter.getPrivateKey(pemKeyPair.getPrivateKeyInfo());
+            } else if (obj instanceof PrivateKeyInfo) {
+                // Handle other private key formats
+                PrivateKeyInfo privateKeyInfo = (PrivateKeyInfo) obj;
+                JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
+                return converter.getPrivateKey(privateKeyInfo);
+            } else {
+                throw new InvalidKeySpecException("Invalid private key format");
+            }
+        }
+    }
 }

io.openems.edge.controller.api.mqtt/test/io/openems/edge/controller/api/mqtt/ControllerApiMqttImplTest.java

@@ -24,12 +24,10 @@ public void test() throws Exception {
 				.addComponent(new DummySum()) //
 				.activate(MyConfig.create() //
 						.setId(CTRL_ID) //
-						.setClientId("iotconsole-28fca1b5-0a3d-405b-9b5c-92c87fcbbbcd\n"
-								+ "")//.setClientId("edge0") //
+						.setClientId("edge0") //
 						.setUsername("guest") //
 						.setPassword("guest") //
-						.setUri("a3emae25wqghr3-ats.iot.eu-central-1.amazonaws.com\n"
-								+ "")//.setUri("ws://localhost:1883") //
+						.setUri("ws://localhost:1883") //
 						.setPersistencePriority(PersistencePriority.VERY_LOW) //
 						.setDebugMode(true) //
 						.build());