X509 certificate provision #7935
String deviceCommonName = ""; | ||
try { | ||
deviceCommonName = SslUtil.parseCommonName(readCertFile(chain.get(0))); | ||
} catch (Exception ignored) { |
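Review bot: catching `Exception` and naming it `ignored` means any failure on the line above, including an empty `chain` at `chain.get(0)`, can end with `deviceCommonName` still set to `""`. Catch the specific certificate exception, log it at warn level with the cause, and treat the empty-name case as a failed lookup rather than a usable common name; check that `chain` is non-empty before indexing.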
Why do you prefer to ignore this exception?
I believe that in real production, which includes a lot of potential points of failure, it's important to quickly understand where the root cause of the problem is, and a warning message in the core engine that the certificate cannot be parsed or the common name cannot be obtained could help with this.
I realize that it's not obvious, but this error occurs if we cannot read and create an X509 object from a certain String representation (I mean readCertFile in such case from chain.get(0)), so I am not sure it's the right warning message. But I'll provide an additional warning in the method parseCommonName if we cannot do it.
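The two failure points distinguished in the replies above (building the X509 object from its string form, then extracting the common name), handled and logged separately, as an added example that is not code from this pull request. The class and method names are hypothetical, it uses only JDK APIs rather than the project's `SslUtil`, and all inputs are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Optional;
import java.util.logging.Logger;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class CommonNameExample {
    private static final Logger log = Logger.getLogger("CommonNameExample");

    // Stage 1: turn the PEM string into a certificate object.
    // A malformed chain entry fails here, before any subject is available.
    static X509Certificate decode(String pem) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8)));
    }

    // Stage 2: pull CN out of the subject DN.
    // A well-formed certificate may simply have no CN, which is not a parse error.
    static Optional<String> commonName(X500Principal subject) {
        try {
            for (Rdn rdn : new LdapName(subject.getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return Optional.of(rdn.getValue().toString());
                }
            }
        } catch (InvalidNameException e) {
            log.warning("Subject DN is not parseable: " + e.getMessage());
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        try {
            // Constructed, deliberately invalid PEM body.
            decode("-----BEGIN CERTIFICATE-----\nbm90IGEgY2VydA==\n-----END CERTIFICATE-----");
        } catch (CertificateException e) {
            log.warning("Cannot read certificate from chain entry: " + e.getMessage());
        }
        // Constructed subjects standing in for certificate.getSubjectX500Principal().
        System.out.println(commonName(new X500Principal("CN=device-01,O=Example")));
        System.out.println(commonName(new X500Principal("O=Example,OU=Devices")));
    }
}
```

Returning `Optional.empty()` instead of `""` forces the caller to decide what a missing common name means before the value reaches any lookup.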
@@ -180,6 +180,10 @@ message ValidateDeviceX509CertRequestMsg { | |||
string hash = 1; | |||
} | |||
|
|||
message ValidateOrCreateDeviceX509CertRequestMsg { |
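Review bot: the new `ValidateOrCreateDeviceX509CertRequestMsg` carries no comment saying how it differs from `ValidateDeviceX509CertRequestMsg` directly above it. Because one name covers both a validation path and a create path, add a short comment on the message stating when a device is created rather than only validated.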
Could we just add a field to ProvisionDeviceCredentialsMsg?
I don't think so. This is not a classic provision strategy, in most cases, it will work as before - connect to devices, so I believe that sending CredentialsDataProto with empty fields to connect is a bad approach.
… ProvisionFailedException
Pull Request description
Related issues: #6735, #7668
UI changes:
Device profile entity -> Device provisioning -> component DeviceProfileProvisionConfigurationComponent -> added form controls for provision strategy "X509 Certificates Chain".