0.62.0

a-hansen · web-flow · commit 703a98a7aa80 · 2019-06-18T13:59:17.000-07:00
- add ability to manually import certs to truststore
- use java's x509trustmanagers for verifying cert chains
diff --git a/build.gradle b/build.gradle
@@ -5,7 +5,7 @@ subprojects {
     apply plugin: 'maven'
 
     group 'org.iot-dsa'
-    version '0.61.0'
+    version '0.62.0'
 
     sourceCompatibility = 1.8
     targetCompatibility = 1.8
diff --git a/dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/AnonymousTrustFactory.java b/dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/AnonymousTrustFactory.java
@@ -1,6 +1,7 @@
 package com.acuity.iot.dsa.dslink.sys.cert;
 
 import java.security.KeyStore;
+import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.Provider;
@@ -19,6 +20,7 @@
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.TrustManagerFactorySpi;
 import javax.net.ssl.X509TrustManager;
+import org.iot.dsa.logging.DSLogger;
 
 /**
  * Adds support for self signed SSL.  If anonymous is not allowed
@@ -33,9 +35,12 @@ public class AnonymousTrustFactory extends TrustManagerFactorySpi {
     // Fields
     /////////////////////////////////////////////////////////////////
 
+    private static String defaultAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); 
     private static SysCertService certManager;
     private static X509TrustManager defaultX509Mgr;
+    private static X509TrustManager localX509Mgr;
     private static TrustManager[] trustManagers;
+    private static DSLogger log = new DSLogger();
 
     /////////////////////////////////////////////////////////////////
     // Methods - Public and in alphabetical order by method TrustAnon.
@@ -53,15 +58,26 @@ public void engineInit(KeyStore ks) {
     @Override
     public void engineInit(ManagerFactoryParameters spec) {
     }
+    
+    // This gets called once on startup, and again every time a new certificate is added to the local truststore.
+    public static void initLocalTrustManager() throws NoSuchAlgorithmException, KeyStoreException {
+            TrustManagerFactory fac =   TrustManagerFactory.getInstance(defaultAlgorithm);
+            fac.init(certManager.getLocalTruststore());
+            for (TrustManager locTm: fac.getTrustManagers()) {
+                if (locTm instanceof X509TrustManager) {
+                    localX509Mgr = (X509TrustManager) locTm;
+                    break;
+                }
+            }
+    }
 
     /**
      * Captures the default trust factory and installs this one.
      */
     static void init(SysCertService mgr) {
         certManager = mgr;
         try {
-            TrustManagerFactory fac = TrustManagerFactory.getInstance(
-                    TrustManagerFactory.getDefaultAlgorithm());
+            TrustManagerFactory fac = TrustManagerFactory.getInstance(defaultAlgorithm);
             fac.init((KeyStore) null);
             trustManagers = fac.getTrustManagers();
             if (trustManagers == null) {
@@ -82,6 +98,8 @@ static void init(SysCertService mgr) {
                 list.add(new MyTrustManager());
                 trustManagers = list.toArray(new TrustManager[list.size()]);
             }
+            
+            initLocalTrustManager();
         } catch (Exception x) {
             certManager.error(certManager.getPath(), x);
         }
@@ -129,9 +147,15 @@ public void checkClientTrusted(X509Certificate[] chain, String authType)
                     defaultX509Mgr.checkClientTrusted(chain, authType);
                     return;
                 } catch (CertificateException e) {
+                    try {
+                        localX509Mgr.checkClientTrusted(chain, authType);
+                        return;
+                    } catch (CertificateException e1) {
+                        tryAddingRootCertToQuarantine(chain, authType);
+                        throw e1;
+                    }
                 }
             }
-            checkLocally(chain, authType);
         }
 
         @Override
@@ -145,9 +169,15 @@ public void checkServerTrusted(X509Certificate[] chain, String authType)
                     defaultX509Mgr.checkServerTrusted(chain, authType);
                     return;
                 } catch (CertificateException e) {
+                    try {
+                        localX509Mgr.checkServerTrusted(chain, authType);
+                        return;
+                    } catch (CertificateException e1) {
+                        tryAddingRootCertToQuarantine(chain, authType);
+                        throw e1;
+                    }
                 }
             }
-            checkLocally(chain, authType);
         }
 
         @Override
@@ -158,7 +188,7 @@ public X509Certificate[] getAcceptedIssuers() {
             return new X509Certificate[0];
         }
 
-        private void checkLocally(X509Certificate[] chain, String authType)
+        private void tryAddingRootCertToQuarantine(X509Certificate[] chain, String authType)
                 throws CertificateException {
             Set<X509Certificate> chainAsSet = new HashSet<X509Certificate>();
             Collections.addAll(chainAsSet, chain);
@@ -174,20 +204,16 @@ private void checkLocally(X509Certificate[] chain, String authType)
                 }
 
                 if (anchorCert == null) {
-                    throw new CertificateException();
-                }
-
-                if (!certManager.isInTrustStore(anchorCert)) {
-                    certManager.addToQuarantine(anchorCert);
-                    throw new CertificateException();
+                    return;
                 }
 
-            } catch (CertificateVerificationException e1) {
-                throw new CertificateException();
+                certManager.addToQuarantine(anchorCert);
+            } catch (CertificateVerificationException e) {
+                log.debug("", e);
             } catch (NoSuchAlgorithmException e) {
-                throw new CertificateException();
+                log.debug("", e);
             } catch (NoSuchProviderException e) {
-                throw new CertificateException();
+                log.debug("", e);
             }
         }
 
diff --git a/dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/CertCollection.java b/dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/CertCollection.java
@@ -1,31 +1,65 @@
 package com.acuity.iot.dsa.dslink.sys.cert;
 
+import java.io.ByteArrayInputStream;
 import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Base64;
 import java.util.Base64.Encoder;
+import java.util.HashMap;
+import java.util.Map;
 import org.iot.dsa.node.DSIObject;
+import org.iot.dsa.node.DSInfo;
+import org.iot.dsa.node.DSMap;
+import org.iot.dsa.node.DSMetadata;
 import org.iot.dsa.node.DSNode;
+import org.iot.dsa.node.DSValueType;
+import org.iot.dsa.node.action.ActionInvocation;
+import org.iot.dsa.node.action.ActionResult;
+import org.iot.dsa.node.action.DSAction;
 import org.iot.dsa.time.DSTime;
+import org.iot.dsa.util.DSException;
 
 /**
  * @author Daniel Shapiro
  */
 public class CertCollection extends DSNode {
+    
+    private static final String ADD_CERT = "Add Certificate";
+    private static final String CERT = "Certificate";
+    
+    private CertificateFactory certFactory;
+    
+    private CertificateFactory getCertFactory() {
+        if (certFactory == null) {
+            try {
+                certFactory = CertificateFactory.getInstance("X.509");
+            } catch (CertificateException e) {
+                warn("", e);
+            }
+        }
+        return certFactory;
+    }
 
     public void addCertificate(X509Certificate cert) throws CertificateEncodingException {
         String name = certToName(cert);
         addCertificate(name, encodeCertificate(cert));
     }
 
     public void addCertificate(String name, String cert) {
-        put(name, new CertNode().updateValue(cert));
+        CertNode certNode = new CertNode().updateValue(cert);
+        put(name, certNode);
+        try {
+            certNode.getCertManager().onCertAddedToCollection(this, certFromString(cert));
+        } catch (CertificateException e) {
+            warn("", e);
+        }
     }
 
     public static String certToName(X509Certificate cert) {
-        return DSTime.encodeForFiles(DSTime.getCalendar(System.currentTimeMillis()),
-                                     new StringBuilder(cert.getIssuerX500Principal().getName()))
-                     .toString();
+        return DSTime.encodeForFiles(DSTime.getCalendar(System.currentTimeMillis()), 
+                new StringBuilder(cert.getIssuerX500Principal().getName())).toString();
     }
 
     public boolean containsCertificate(X509Certificate cert) {
@@ -40,11 +74,83 @@ public boolean containsCertificate(X509Certificate cert) {
         return obj != null && obj instanceof CertNode && certStr
                 .equals(((CertNode) obj).toElement().toString());
     }
+    
+    public Map<String, X509Certificate> getCertificates() {
+        Map<String, X509Certificate> certs = new HashMap<String, X509Certificate>();
+        for (DSInfo info: this) {
+            DSIObject obj = info.get();
+            if (obj instanceof CertNode) {
+                String certStr = ((CertNode) obj).toElement().toString();
+                X509Certificate cert;
+                try {
+                    cert = certFromString(certStr);
+                    certs.put(info.getName(), cert);
+                } catch (CertificateException e) {
+                    warn("", e);
+                }
+            }
+        }
+        return certs;
+    }
 
     public static String encodeCertificate(X509Certificate cert)
             throws CertificateEncodingException {
         Encoder encoder = Base64.getEncoder();
         return encoder.encodeToString(cert.getEncoded());
     }
+    
+    @Override
+    protected void declareDefaults() {
+        super.declareDefaults();
+        declareDefault(ADD_CERT, makeAddCertAction());
+    }
+    
+    @Override
+    public DSNode remove(DSInfo info) {
+        DSIObject child = info.get();
+        if (child instanceof CertNode) {
+            CertNode certNode = (CertNode) child;
+            try {
+                certNode.getCertManager().onCertRemovedFromCollection(this, certFromString(certNode.toElement().toString()));
+            } catch (CertificateException e) {
+                warn("", e);
+            }
+        }
+        return super.remove(info);
+    }
+    
+    private DSAction makeAddCertAction() {
+        DSAction act = new DSAction.Parameterless() {
+            @Override
+            public ActionResult invoke(DSInfo target, ActionInvocation request) {
+                ((CertCollection) target.get()).addCert(request.getParameters());
+                return null;
+            }
+        };
+        act.addParameter(CERT, DSValueType.STRING, null).setEditor(DSMetadata.STR_EDITOR_TEXT_AREA);
+        return act;
+    }
+    
+    private void addCert(DSMap parameters) {
+        String certStr = parameters.getString(CERT);
+        try {
+            X509Certificate cert = certFromString(certStr);
+            addCertificate(cert);
+        } catch (CertificateException e) {
+            warn("", e);
+            DSException.throwRuntime(e);
+        }
+    }
+    
+    private X509Certificate certFromString(String certStr) throws CertificateException {
+        certStr = certStr.trim();
+        if (!certStr.startsWith("-----BEGIN CERTIFICATE-----")) {
+            certStr = "-----BEGIN CERTIFICATE-----\n" + certStr;
+        }
+        if (!certStr.endsWith("-----END CERTIFICATE-----")) {
+            certStr = certStr + "\n-----END CERTIFICATE-----";
+        }
+        return (X509Certificate) getCertFactory().generateCertificate(new ByteArrayInputStream(certStr.getBytes()));
+    }
 
 }
diff --git a/dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/CertNode.java b/dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/CertNode.java
@@ -1,11 +1,15 @@
 package com.acuity.iot.dsa.dslink.sys.cert;
 
+import java.util.Collection;
 import org.iot.dsa.node.DSInfo;
 import org.iot.dsa.node.DSString;
 import org.iot.dsa.node.DSValueNode;
 import org.iot.dsa.node.action.ActionInvocation;
 import org.iot.dsa.node.action.ActionResult;
 import org.iot.dsa.node.action.DSAction;
+import org.iot.dsa.node.action.DeleteAction;
+import org.iot.dsa.node.action.DuplicateAction;
+import org.iot.dsa.node.action.RenameAction;
 
 /**
  * @author Daniel Shapiro
@@ -34,6 +38,16 @@ public CertNode updateValue(String newVal) {
         put(VALUE, newVal);
         return this;
     }
+    
+    @Override
+    public void getVirtualActions(DSInfo target, Collection<String> bucket) {
+        super.getVirtualActions(target, bucket);
+        if (target.isNode() && target.getNode() == this) {
+            bucket.remove(DeleteAction.DELETE);
+            bucket.remove(RenameAction.RENAME);
+            bucket.remove(DuplicateAction.DUPLICATE);
+        }
+    }
 
     @Override
     protected void declareDefaults() {
diff --git a/dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/SysCertService.java b/dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/SysCertService.java
