cert/security service

dslink-core/.gitignore

@@ -0,0 +1 @@
+/bin/

dslink-v2-websocket/src/main/java/org/iot/dsa/dslink/websocket/WsBinaryTransport.java

@@ -1,12 +1,16 @@
 package org.iot.dsa.dslink.websocket;
 
+import com.acuity.iot.dsa.dslink.sys.cert.SysCertManager;
 import com.acuity.iot.dsa.dslink.transport.BufferedBinaryTransport;
 import com.acuity.iot.dsa.dslink.transport.DSTransport;
 import java.io.IOException;
 import java.net.URI;
 import java.nio.ByteBuffer;
 import javax.websocket.*;
 import org.glassfish.tyrus.client.ClientManager;
+import org.glassfish.tyrus.client.ClientProperties;
+import org.glassfish.tyrus.client.SslContextConfigurator;
+import org.glassfish.tyrus.client.SslEngineConfigurator;
 import org.iot.dsa.util.DSException;
 
 /**
@@ -97,7 +101,13 @@ public DSTransport open() {
             }
             client.setDefaultMaxBinaryMessageBufferSize(64 * 1024);
             client.setDefaultMaxTextMessageBufferSize(64 * 1024);
-            client.connectToServer(this, new URI(getConnectionUrl()));
+            URI connUri = new URI(getConnectionUrl());
+            if ("wss".equalsIgnoreCase(connUri.getScheme())) {
+                SslEngineConfigurator sslEngineConfigurator = new SslEngineConfigurator(new SslContextConfigurator());
+                sslEngineConfigurator.setHostnameVerifier(SysCertManager.getInstance().getHostnameVerifier());
+                client.getProperties().put(ClientProperties.SSL_ENGINE_CONFIGURATOR, sslEngineConfigurator);
+            }
+            client.connectToServer(this, connUri);
             debug(debug() ? "Transport open" : null);
         } catch (Exception x) {
             DSException.throwRuntime(x);

dslink-v2-websocket/src/main/java/org/iot/dsa/dslink/websocket/WsTextTransport.java

@@ -2,6 +2,7 @@
 
 import com.acuity.iot.dsa.dslink.io.DSCharBuffer;
 import com.acuity.iot.dsa.dslink.io.DSIoException;
+import com.acuity.iot.dsa.dslink.sys.cert.SysCertManager;
 import com.acuity.iot.dsa.dslink.transport.DSTextTransport;
 import com.acuity.iot.dsa.dslink.transport.DSTransport;
 import java.io.IOException;
@@ -18,6 +19,9 @@
 import javax.websocket.RemoteEndpoint;
 import javax.websocket.Session;
 import org.glassfish.tyrus.client.ClientManager;
+import org.glassfish.tyrus.client.ClientProperties;
+import org.glassfish.tyrus.client.SslContextConfigurator;
+import org.glassfish.tyrus.client.SslEngineConfigurator;
 import org.iot.dsa.util.DSException;
 
 /**
@@ -149,7 +153,13 @@ public DSTransport open() {
             }
             client.setDefaultMaxBinaryMessageBufferSize(64 * 1024);
             client.setDefaultMaxTextMessageBufferSize(64 * 1024);
-            client.connectToServer(this, new URI(getConnectionUrl()));
+            URI connUri = new URI(getConnectionUrl());
+            if ("wss".equalsIgnoreCase(connUri.getScheme())) {
+                SslEngineConfigurator sslEngineConfigurator = new SslEngineConfigurator(new SslContextConfigurator());
+                sslEngineConfigurator.setHostnameVerifier(SysCertManager.getInstance().getHostnameVerifier());
+                client.getProperties().put(ClientProperties.SSL_ENGINE_CONFIGURATOR, sslEngineConfigurator);
+            }
+            client.connectToServer(this, connUri);
         } catch (Exception x) {
             DSException.throwRuntime(x);
         }

dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/backup/SysBackupService.java

@@ -25,6 +25,10 @@
 import org.iot.dsa.node.action.DSAction;
 import org.iot.dsa.time.DSTime;
 
+/**
+ * @author Daniel Shapiro
+ * @author Aaron Hansen
+ */
 public class SysBackupService extends DSNode implements Runnable {
 
     static final String ENABLED = "Enabled";

dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/AnonymousTrustFactory.java

@@ -1,19 +1,27 @@
 package com.acuity.iot.dsa.dslink.sys.cert;
 
 import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
 import java.security.Provider;
 import java.security.Security;
 import java.security.cert.CertificateException;
+import java.security.cert.PKIXCertPathBuilderResult;
+import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 import javax.net.ssl.*;
 
 /**
  * Adds support for self signed SSL.  If anonymous is not allowed
  * falls back to the default Java trust manager.
  *
  * @author Aaron Hansen
+ * @author Daniel Shapiro
  */
 public class AnonymousTrustFactory extends TrustManagerFactorySpi {
 
@@ -114,8 +122,13 @@ public void checkClientTrusted(X509Certificate[] chain, String authType)
                 return;
             }
             if (defaultX509Mgr != null) {
-                defaultX509Mgr.checkClientTrusted(chain, authType);
+                try {
+                    defaultX509Mgr.checkClientTrusted(chain, authType);
+                    return;
+                } catch (CertificateException e) {
+                }
             }
+            checkLocally(chain, authType);
         }
 
         @Override
@@ -125,7 +138,43 @@ public void checkServerTrusted(X509Certificate[] chain, String authType)
                 return;
             }
             if (defaultX509Mgr != null) {
-                defaultX509Mgr.checkServerTrusted(chain, authType);
+                try {
+                    defaultX509Mgr.checkServerTrusted(chain, authType);
+                    return;
+                } catch (CertificateException e) {
+                }
+            }
+            checkLocally(chain, authType);
+        }
+
+        private void checkLocally(X509Certificate[] chain, String authType) throws CertificateException {
+            Set<X509Certificate> chainAsSet = new HashSet<X509Certificate>();
+            Collections.addAll(chainAsSet, chain);
+            X509Certificate anchorCert;
+            try {
+                if (CertificateVerifier.isSelfSigned(chain[0])) {
+                    anchorCert = chain[0];
+                } else {
+                    PKIXCertPathBuilderResult result = CertificateVerifier.verifyCertificate(chain[0], chainAsSet);
+                    TrustAnchor anchor = result.getTrustAnchor();
+                    anchorCert = anchor.getTrustedCert();
+                }
+
+                if (anchorCert == null) {
+                    throw new CertificateException();
+                }
+
+                if (!certManager.isInTrustStore(anchorCert)) {
+                    certManager.addToQuarantine(anchorCert);
+                    throw new CertificateException();
+                }
+
+            } catch (CertificateVerificationException e1) {
+                throw new CertificateException();
+            } catch (NoSuchAlgorithmException e) {
+                throw new CertificateException();
+            } catch (NoSuchProviderException e) {
+                throw new CertificateException();
             }
         }
 

dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/CertCollection.java

@@ -0,0 +1,46 @@
+package com.acuity.iot.dsa.dslink.sys.cert;
+
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.Base64;
+import java.util.Base64.Encoder;
+import org.iot.dsa.node.DSIObject;
+import org.iot.dsa.node.DSNode;
+import org.iot.dsa.time.DSTime;
+
+/**
+ * @author Daniel Shapiro
+ */
+public class CertCollection extends DSNode {
+
+    public void addCertificate(X509Certificate cert) throws CertificateEncodingException {
+        String name = certToName(cert);
+        addCertificate(name, encodeCertificate(cert));
+    }
+
+    public void addCertificate(String name, String cert) {
+        put(name, new CertNode().updateValue(cert));
+    }
+
+    public boolean containsCertificate(X509Certificate cert) {
+        DSIObject obj = get(certToName(cert));
+        String certStr;
+        try {
+            certStr = encodeCertificate(cert);
+        } catch (CertificateEncodingException e) {
+            warn(e);
+            return false;
+        }
+        return obj != null && obj instanceof CertNode && certStr.equals(((CertNode) obj).toElement().toString());
+    }
+
+    public static String certToName(X509Certificate cert) {
+    	return DSTime.encodeForFiles(DSTime.getCalendar(System.currentTimeMillis()), new StringBuilder(cert.getIssuerX500Principal().getName())).toString();
+    }
+
+    public static String encodeCertificate(X509Certificate cert) throws CertificateEncodingException {
+        Encoder encoder = Base64.getEncoder();
+        return encoder.encodeToString(cert.getEncoded());
+    }
+
+}

dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/CertNode.java

@@ -0,0 +1,70 @@
+package com.acuity.iot.dsa.dslink.sys.cert;
+
+import org.iot.dsa.node.DSInfo;
+import org.iot.dsa.node.DSString;
+import org.iot.dsa.node.DSValueNode;
+import org.iot.dsa.node.action.ActionInvocation;
+import org.iot.dsa.node.action.ActionResult;
+import org.iot.dsa.node.action.DSAction;
+
+/**
+ * @author Daniel Shapiro
+ */
+public class CertNode extends DSValueNode {
+
+    private static final String VALUE = "value";
+    private static final String ALLOW = "Allow";
+    private static final String REMOVE = "Remove";
+
+    private DSInfo value = getInfo(VALUE);
+    private DSInfo allow = getInfo(ALLOW);
+    private DSInfo remove = getInfo(REMOVE);
+
+    private SysCertManager certManager;
+
+    @Override
+    protected void declareDefaults() {
+        super.declareDefaults();
+        declareDefault(VALUE, DSString.valueOf("")).setHidden(true).setReadOnly(true);
+        declareDefault(ALLOW, DSAction.DEFAULT);
+        declareDefault(REMOVE, DSAction.DEFAULT);
+    }
+
+    public CertNode updateValue(String newVal) {
+        put(VALUE, newVal);
+        return this;
+    }
+
+    @Override
+    public DSInfo getValueChild() {
+        return value;
+    }
+
+    @Override
+    public ActionResult onInvoke(DSInfo action, ActionInvocation invocation) {
+        if (action == remove) {
+            remove();
+        } else if (action == allow) {
+            allow();
+        } else {
+            super.onInvoke(action, invocation);
+        }
+        return null;
+    }
+
+    private void remove() {
+        getParent().remove(getInfo());
+    }
+
+    private void allow() {
+        getCertManager().allow(getInfo());
+    }
+
+    public SysCertManager getCertManager() {
+        if (certManager == null) {
+            certManager = (SysCertManager) getAncestor(SysCertManager.class);
+        }
+        return certManager;
+    }
+
+}

dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/CertificateVerificationException.java

@@ -0,0 +1,19 @@
+package com.acuity.iot.dsa.dslink.sys.cert;
+
+/**
+ * This class wraps an exception that could be thrown during
+ * the certificate verification process.
+ * 
+ * @author Svetlin Nakov
+ */
+public class CertificateVerificationException extends Exception {
+    private static final long serialVersionUID = 1L;
+
+    public CertificateVerificationException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public CertificateVerificationException(String message) {
+        super(message);
+    }
+}