add MqttSslHandlerProvider.java

Author: sanshengshui

pom.xml

@@ -44,6 +44,7 @@
         <logback.version>1.2.6</logback.version>
         <apache.commons-lang3.version>3.12.0</apache.commons-lang3.version>
         <guava.version>30.0-jre</guava.version>
+        <bouncycastle.version>1.67</bouncycastle.version>
         <redisson.version>3.13.6</redisson.version>
     </properties>
 
@@ -107,6 +108,16 @@
                 <artifactId>guava</artifactId>
                 <version>${guava.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bcprov-jdk15on</artifactId>
+                <version>${bouncycastle.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bcpkix-jdk15on</artifactId>
+                <version>${bouncycastle.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.springframework</groupId>
                 <artifactId>spring-context</artifactId>

server/pom.xml

@@ -52,6 +52,14 @@
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk15on</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcpkix-jdk15on</artifactId>
+        </dependency>
     </dependencies>
 
     <build>

server/src/main/java/iot/technology/mqtt/server/ssl/MqttSslHandlerProvider.java

@@ -1,9 +1,23 @@
 package iot.technology.mqtt.server.ssl;
 
+import io.netty.handler.ssl.SslHandler;
+import iot.technology.mqtt.server.utils.EncryptionUtil;
+import iot.technology.mqtt.server.utils.SslUtil;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Bean;
 import org.springframework.stereotype.Component;
+import org.springframework.util.StringUtils;
+
+import javax.net.ssl.*;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.TimeUnit;
 
 /**
  * @author mushuwei
@@ -15,4 +29,105 @@ public class MqttSslHandlerProvider {
 
     @Value("${mqtt.ssl.protocol}")
     private String sslProtocol;
+
+    @Bean
+    @ConfigurationProperties(prefix = "mqtt.ssl.credentials")
+    public SslCredentialsConfig mqttSslCredentials() {
+        return new SslCredentialsConfig("MQTT SSL Credentials", false);
+    }
+
+    @Autowired
+    @Qualifier("mqttSslCredentials")
+    private SslCredentialsConfig mqttSslCredentialsConfig;
+
+    private SSLContext sslContext;
+
+    public SslHandler getSslHandler() {
+        if (sslContext == null) {
+            sslContext = createSslContext();
+        }
+        SSLEngine sslEngine = sslContext.createSSLEngine();
+        sslEngine.setUseClientMode(false);
+        sslEngine.setNeedClientAuth(false);
+        sslEngine.setWantClientAuth(true);
+        sslEngine.setEnabledProtocols(sslEngine.getSupportedProtocols());
+        sslEngine.setEnabledCipherSuites(sslEngine.getSupportedCipherSuites());
+        sslEngine.setEnableSessionCreation(true);
+        return new SslHandler(sslEngine);
+    }
+
+    private SSLContext createSslContext() {
+        try {
+            SslCredentials sslCredentials = this.mqttSslCredentialsConfig.getCredentials();
+            TrustManagerFactory tmFactory = sslCredentials.createTrustManagerFactory();
+            KeyManagerFactory kmf = sslCredentials.createKeyManagerFactory();
+
+            KeyManager[] km = kmf.getKeyManagers();
+            TrustManager x509wrapped = getX509TrustManager(tmFactory);
+            TrustManager[] tm = {x509wrapped};
+            if (StringUtils.isEmpty(sslProtocol)) {
+                sslProtocol = "TLS";
+            }
+            SSLContext sslContext = SSLContext.getInstance(sslProtocol);
+            sslContext.init(km, tm, null);
+            return sslContext;
+        } catch (Exception e) {
+            log.error("Unable to set up SSL context. Reason: " + e.getMessage(), e);
+            throw new RuntimeException("Failed to get SSL context", e);
+        }
+    }
+
+    private TrustManager getX509TrustManager(TrustManagerFactory tmf) {
+        X509TrustManager x509Tm = null;
+        for (TrustManager tm : tmf.getTrustManagers()) {
+            if (tm instanceof X509TrustManager) {
+                x509Tm = (X509TrustManager) tm;
+                break;
+            }
+        }
+        return new MqttX509TrustManager(x509Tm);
+    }
+
+    static class MqttX509TrustManager implements X509TrustManager {
+
+        private final X509TrustManager trustManager;
+
+        MqttX509TrustManager(X509TrustManager trustManager) {
+            this.trustManager = trustManager;
+        }
+
+        @Override
+        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+           String credentialsBody = null;
+           for (X509Certificate cert : chain) {
+               try {
+                   String strCert = SslUtil.getCertificateString(cert);
+                   String sha3Hash = EncryptionUtil.getSha3Hash(strCert);
+                   final String[] credentialsBodyHolder = new String[1];
+                   CountDownLatch latch = new CountDownLatch(1);
+                   //TODO 处理业务逻辑
+                   latch.await(10, TimeUnit.SECONDS);
+                   if (strCert.equals(credentialsBodyHolder[0])) {
+                       credentialsBody = credentialsBodyHolder[0];
+                       break;
+                   }
+               } catch (InterruptedException e) {
+                   throw new RuntimeException(e);
+               }
+           }
+           if (credentialsBody == null) {
+               throw new CertificateException("Invalid Device Certificate");
+           }
+        }
+
+        @Override
+        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+            trustManager.checkServerTrusted(chain, authType);
+        }
+
+        @Override
+        public X509Certificate[] getAcceptedIssuers() {
+            return trustManager.getAcceptedIssuers();
+        }
+    }
 }

server/src/main/java/iot/technology/mqtt/server/ssl/PemSslCredentials.java

@@ -0,0 +1,129 @@
+package iot.technology.mqtt.server.ssl;
+
+import iot.technology.mqtt.server.utils.ResourceUtils;
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.PEMKeyPair;
+import org.bouncycastle.openssl.PEMDecryptorProvider;
+import org.bouncycastle.openssl.PEMEncryptedKeyPair;
+import org.springframework.util.StringUtils;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.Security;
+import java.security.cert.CertPath;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.stream.Collectors;
+
+@Data
+@EqualsAndHashCode(callSuper = false)
+public class PemSslCredentials extends AbstractSslCredentials {
+
+    public static final String DEFAULT_KEY_ALIAS = "server";
+
+    private String certFile;
+    private String keyFile;
+    private String keyPassword;
+
+    @Override
+    protected boolean canUse() {
+        return ResourceUtils.resourceExists(this, this.certFile);
+    }
+
+    @Override
+    protected KeyStore loadKeyStore(boolean trustsOnly, char[] keyPasswordArray) throws IOException, GeneralSecurityException {
+        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
+            Security.addProvider(new BouncyCastleProvider());
+        }
+        List<X509Certificate> certificates = new ArrayList<>();
+        PrivateKey privateKey = null;
+        JcaX509CertificateConverter certConverter = new JcaX509CertificateConverter();
+        JcaPEMKeyConverter keyConverter = new JcaPEMKeyConverter();
+        try (InputStream inStream = ResourceUtils.getInputStream(this, this.certFile)) {
+            try (PEMParser pemParser = new PEMParser(new InputStreamReader(inStream))) {
+                Object object;
+                while ((object = pemParser.readObject()) != null) {
+                    if (object instanceof X509CertificateHolder) {
+                        X509Certificate x509Cert = certConverter.getCertificate((X509CertificateHolder) object);
+                        certificates.add(x509Cert);
+                    } else if (object instanceof PEMEncryptedKeyPair) {
+                        PEMDecryptorProvider decProv = new JcePEMDecryptorProviderBuilder().build(keyPasswordArray);
+                        privateKey = keyConverter.getKeyPair(((PEMEncryptedKeyPair) object).decryptKeyPair(decProv)).getPrivate();
+                    } else if (object instanceof PEMKeyPair) {
+                        privateKey = keyConverter.getKeyPair((PEMKeyPair) object).getPrivate();
+                    } else if (object instanceof PrivateKeyInfo) {
+                        privateKey = keyConverter.getPrivateKey((PrivateKeyInfo) object);
+                    }
+                }
+            }
+        }
+        if (privateKey == null && !StringUtils.isEmpty(this.keyFile)) {
+            if (ResourceUtils.resourceExists(this, this.keyFile)) {
+                try (InputStream inStream = ResourceUtils.getInputStream(this, this.keyFile)) {
+                    try (PEMParser pemParser = new PEMParser(new InputStreamReader(inStream))) {
+                        Object object;
+                        while ((object = pemParser.readObject()) != null) {
+                            if (object instanceof PEMEncryptedKeyPair) {
+                                PEMDecryptorProvider decProv = new JcePEMDecryptorProviderBuilder().build(keyPasswordArray);
+                                privateKey = keyConverter.getKeyPair(((PEMEncryptedKeyPair) object).decryptKeyPair(decProv)).getPrivate();
+                                break;
+                            } else if (object instanceof PEMKeyPair) {
+                                privateKey = keyConverter.getKeyPair((PEMKeyPair) object).getPrivate();
+                                break;
+                            } else if (object instanceof PrivateKeyInfo) {
+                                privateKey = keyConverter.getPrivateKey((PrivateKeyInfo) object);
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        if (certificates.isEmpty()) {
+            throw new IllegalArgumentException("No certificates found in certFile: " + this.certFile);
+        }
+        if (privateKey == null && !trustsOnly) {
+            throw new IllegalArgumentException("Unable to load private key neither from certFile: " + this.certFile
+                    + " nor form keyFile: " + this.keyFile);
+        }
+        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+        keyStore.load(null);
+        if (trustsOnly) {
+            List<Certificate> unique = certificates.stream().distinct().collect(Collectors.toList());
+            for (int i = 0; i < unique.size(); i++) {
+                keyStore.setCertificateEntry("root-" + i, unique.get(i));
+            }
+        }
+        if (privateKey != null) {
+            CertificateFactory factory = CertificateFactory.getInstance("X.509");
+            CertPath certPath = factory.generateCertPath(certificates);
+            List<? extends Certificate> path = certPath.getCertificates();
+            Certificate[] x509Certificates = path.toArray(new Certificate[0]);
+            keyStore.setKeyEntry(DEFAULT_KEY_ALIAS, privateKey, keyPasswordArray, x509Certificates);
+        }
+        return keyStore;
+    }
+
+    @Override
+    protected void updateKeyAlias(String keyAlias) {
+    }
+
+    @Override
+    public String getKeyAlias() {
+        return DEFAULT_KEY_ALIAS;
+    }
+}

server/src/main/java/iot/technology/mqtt/server/ssl/SslCredentialsConfig.java

@@ -3,6 +3,8 @@
 import lombok.Data;
 import lombok.extern.slf4j.Slf4j;
 
+import javax.annotation.PostConstruct;
+
 @Slf4j
 @Data
 public class SslCredentialsConfig {
@@ -11,5 +13,44 @@ public class SslCredentialsConfig {
 
     private SslCredentialsType type;
 
+    private PemSslCredentials pem;
+
+    private KeystoreSslCredentials keystore;
+
+    private SslCredentials credentials;
+
+    private final String name;
+
+    private final boolean trustsOnly;
+
+    public SslCredentialsConfig(String name, boolean trustsOnly) {
+        this.name = name;
+        this.trustsOnly = trustsOnly;
+    }
+
+    @PostConstruct
+    public void init() {
+        if (this.enabled) {
+            log.info("{}: Initializing SSL credentials.", name);
+            if (SslCredentialsType.PEM.equals(type) && pem.canUse()) {
+                this.credentials = this.pem;
+            } else if (keystore.canUse()) {
+                if (SslCredentialsType.PEM.equals(type)) {
+                    log.warn("{}: Specified PEM configuration is not valid. Using SSL keystore configuration as fallback.", name);
+                }
+                this.credentials = this.keystore;
+            } else {
+                throw new RuntimeException(name + ": Invalid SSL credentials configuration. None of the PEM or KEYSTORE configurations can be used!");
+            }
+            try {
+                this.credentials.init(this.trustsOnly);
+            } catch (Exception e) {
+               throw new RuntimeException(name + ": Failed to init SSL credentials configuration.", e);
+            }
+        } else {
+            log.info("{}: Skipping initialization of disabled SSL credentials.", name);
+        }
+    }
+
 
 }