Controller Api MQTT: add TLS support (#2459)

Co-authored-by: Stefan Feilmeier <[email protected]>

Author: samuelBloch

cnf/pom.xml

@@ -250,6 +250,12 @@
 			<artifactId>org.apache.servicemix.bundles.junit</artifactId>
 			<version>4.13.2_1</version>
 		</dependency>
+		<dependency>
+			<!-- Bouncycastle for Eclipse Paho MQTTv5 Client -->
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcpkix-jdk15on</artifactId>
+			<version>1.70</version>
+		</dependency>
 		<dependency>
 			<groupId>org.dhatim</groupId>
 			<artifactId>fastexcel</artifactId>

doc/modules/ROOT/pages/gettingstarted.adoc

@@ -85,7 +85,7 @@ image::eclipse-io.openems.edge.application.png[io.openems.edge.application proje
 +
 NOTE: Instead of navigating through the projects tree, you can simply use the keyboard shortcut btn:[Ctrl] + btn:[Shift] + btn:[R] to start the "Open Resource" dialog. Enter "EdgeApp.bndrun" there and press btn:[Enter] to open the file.
 +
-The `EdgeApp.bndrun` file declares all the bundles and runtime properties. For now it should not be necessary to edit it, but it hides some useful settings unter the btn:[Source] tab:
+The `EdgeApp.bndrun` file declares all the bundles and runtime properties. For now it should not be necessary to edit it, but it hides some useful settings under the btn:[Source] tab:
 +
 - `org.osgi.service.http.port=8080`: start the Apache Felix Web Console on port `8080`
 - `felix.cm.dir=c:/openems/config`: persist configurations in the folder `c:/openems/config`. Adjust this if you are working on Linux to keep your configurations after restart

io.openems.edge.application/EdgeApp.bndrun

@@ -185,6 +185,9 @@
 
 -runbundles: \
 	Java-WebSocket;version='[1.5.4,1.5.5)',\
+	bcpkix;version='[1.70.0,1.70.1)',\
+	bcprov;version='[1.70.0,1.70.1)',\
+	bcutil;version='[1.70.0,1.70.1)',\
 	com.fazecast.jSerialComm;version='[2.5.1,2.5.2)',\
 	com.ghgande.j2mod;version='[2.5.5,2.5.6)',\
 	com.google.gson;version='[2.10.1,2.10.2)',\

io.openems.edge.controller.api.mqtt/bnd.bnd

@@ -5,6 +5,8 @@ Bundle-Version: 1.0.0.${tstamp}
 
 -buildpath: \
 	${buildpath},\
+	bcpkix;version='1.70',\
+	bcprov;version='1.70',\
 	io.openems.common,\
 	io.openems.edge.common,\
 	io.openems.edge.controller.api,\

io.openems.edge.controller.api.mqtt/src/io/openems/edge/controller/api/mqtt/Config.java

@@ -32,6 +32,15 @@
 	@AttributeDefinition(name = "Uri", description = "The connection Uri to MQTT broker.")
 	String uri() default "tcp://localhost:1883";
 
+	@AttributeDefinition(name = "Certificate", description = "The client certificate in PEM format")
+	String certPem();
+
+	@AttributeDefinition(name = "Private Key", description = "The private key in PEM format")
+	String privateKeyPem();
+
+	@AttributeDefinition(name = "Trust Store", description = "The trust store in PEM format")
+	String trustStorePem();
+
 	@AttributeDefinition(name = "Persistence Priority", description = "Send only Channels with a Persistence Priority greater-or-equals this.")
 	PersistencePriority persistencePriority() default PersistencePriority.VERY_LOW;
 

io.openems.edge.controller.api.mqtt/src/io/openems/edge/controller/api/mqtt/ControllerApiMqttImpl.java

@@ -77,8 +77,8 @@ private void activate(ComponentContext context, Config config) throws Exception
 		this.topicPrefix = String.format(ControllerApiMqtt.TOPIC_PREFIX, config.clientId());
 
 		super.activate(context, config.id(), config.alias(), config.enabled());
-		this.mqttConnector.connect(config.uri(), config.clientId(), config.username(), config.password())
-				.thenAccept(client -> {
+		this.mqttConnector.connect(config.uri(), config.clientId(), config.username(), config.password(),
+				config.certPem(), config.privateKeyPem(), config.trustStorePem()).thenAccept(client -> {
 					this.mqttClient = client;
 					this.logInfo(this.log, "Connected to MQTT Broker [" + config.uri() + "]");
 				});
@@ -174,4 +174,4 @@ protected boolean publish(String subTopic, String message, int qos, boolean reta
 		var msg = new MqttMessage(message.getBytes(StandardCharsets.UTF_8), qos, retained, properties);
 		return this.publish(subTopic, msg);
 	}
-}
+}

io.openems.edge.controller.api.mqtt/src/io/openems/edge/controller/api/mqtt/MqttConnector.java

@@ -1,5 +1,7 @@
 package io.openems.edge.controller.api.mqtt;
 
+import static io.openems.edge.controller.api.mqtt.MqttUtils.createSslSocketFactory;
+
 import java.nio.charset.StandardCharsets;
 import java.util.Date;
 import java.util.concurrent.CompletableFuture;
@@ -66,26 +68,34 @@ protected synchronized void deactivate() {
 	}
 
 	protected synchronized CompletableFuture<IMqttClient> connect(String serverUri, String clientId, String username,
-			String password) throws IllegalArgumentException, MqttException {
-		return this.connect(serverUri, clientId, username, password, null);
+			String password, String certPem, String privateKeyPem, String trustStorePem)
+			throws IllegalArgumentException, MqttException {
+		return this.connect(serverUri, clientId, username, password, certPem, privateKeyPem, trustStorePem, null);
 	}
 
 	protected synchronized CompletableFuture<IMqttClient> connect(String serverUri, String clientId, String username,
-			String password, MqttCallback callback) throws IllegalArgumentException, MqttException {
+			String password, String certPem, String privateKeyPem, String trustStorePem, MqttCallback callback)
+			throws IllegalArgumentException, MqttException {
 		IMqttClient client = new MqttClient(serverUri, clientId);
 		if (callback != null) {
 			client.setCallback(callback);
 		}
 
 		var options = new MqttConnectionOptions();
 		options.setUserName(username);
-		if (password != null) {
+		if (password != null && !password.isBlank()) {
 			options.setPassword(password.getBytes(StandardCharsets.UTF_8));
 		}
 		options.setAutomaticReconnect(true);
 		options.setCleanStart(true);
 		options.setConnectionTimeout(10);
 
+		if (certPem != null && !certPem.isBlank() //
+				&& privateKeyPem != null && !privateKeyPem.isBlank() //
+				&& trustStorePem != null && !trustStorePem.isBlank()) {
+			options.setSocketFactory(createSslSocketFactory(certPem, privateKeyPem, trustStorePem));
+		}
+
 		this.connector = new MyConnector(client, options);
 
 		this.executor.schedule(this.connector, 0 /* immediately */, TimeUnit.SECONDS);
@@ -97,4 +107,4 @@ private void waitAndRetry() {
 		this.executor.schedule(this.connector, this.waitSeconds.get(), TimeUnit.SECONDS);
 	}
 
-}
+}

io.openems.edge.controller.api.mqtt/src/io/openems/edge/controller/api/mqtt/MqttUtils.java

@@ -0,0 +1,136 @@
+package io.openems.edge.controller.api.mqtt;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.SecureRandom;
+import java.security.Security;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManagerFactory;
+
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.PEMKeyPair;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+
+/**
+ * This Utility class provides methods for handling MQTT-related operations.
+ */
+public class MqttUtils {
+	/**
+	 * Creates and returns an SSLSocketFactory for establishing secure connections
+	 * in MQTT.
+	 *
+	 * <p>
+	 * This method initializes an SSL context using the provided certificate,
+	 * private key and server truststore information, allowing the creation of an
+	 * SSLSocketFactory with the configured security settings.
+	 *
+	 * @param cert       The client's certificate as String.
+	 * @param privateKey The private key as String.
+	 * @param trustStore The server's trust store as String.
+	 * @return An SSLSocketFactory configured with the specified security settings.
+	 * @throws RuntimeException If there is an error during the creation of the
+	 *                          SSLSocketFactory.
+	 */
+
+	public static SSLSocketFactory createSslSocketFactory(String cert, String privateKey, String trustStore) {
+		try {
+			Security.addProvider(new BouncyCastleProvider());
+
+			// Load client certificate
+			X509Certificate clientCert = loadCertificate(cert);
+
+			// Load client private key
+			PrivateKey clientKey = loadPrivateKey(privateKey);
+
+			// Load CA certificate
+			X509Certificate caCert = loadCertificate(trustStore);
+
+			// Create a KeyStore and add the CA certificate, client certificate, and private
+			// key
+			KeyStore keyStore = KeyStore.getInstance("PKCS12");
+			keyStore.load(null, null);
+			keyStore.setCertificateEntry("caCert", caCert);
+			keyStore.setCertificateEntry("clientCert", clientCert);
+			keyStore.setKeyEntry("clientKey", clientKey, new char[0], new X509Certificate[] { clientCert });
+
+			// Create a TrustManager that trusts the CA certificate
+			TrustManagerFactory trustManagerFactory = TrustManagerFactory
+					.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+			trustManagerFactory.init(keyStore);
+
+			// Create a KeyManager that uses the client certificate and private key
+			KeyManagerFactory keyManagerFactory = KeyManagerFactory
+					.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+			keyManagerFactory.init(keyStore, new char[0]);
+
+			// Create an SSLContext with the TrustManager and KeyManager
+			SSLContext sslContext = SSLContext.getInstance("TLS");
+			sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(),
+					new SecureRandom());
+
+			return sslContext.getSocketFactory();
+		} catch (Exception e) {
+			throw new RuntimeException("Error creating SSLSocketFactory", e);
+		}
+	}
+
+	/**
+	 * Loads an X.509 certificate from a PEM-encoded string.
+	 *
+	 * @param cert The PEM-encoded certificate string.
+	 * @return The X.509 certificate.
+	 * @throws IOException          If an I/O error occurs.
+	 * @throws CertificateException If an error occurs while processing the
+	 *                              certificate.
+	 */
+	private static X509Certificate loadCertificate(String cert) throws IOException, CertificateException {
+		CertificateFactory cf = CertificateFactory.getInstance("X.509");
+		try (InputStream is = new ByteArrayInputStream(cert.getBytes())) {
+			return (X509Certificate) cf.generateCertificate(is);
+		}
+	}
+
+	/**
+	 * Loads a private key from a PEM-encoded string.
+	 *
+	 * @param privateKey The PEM-encoded private key string.
+	 * @return The private key.
+	 * @throws IOException              If an I/O error occurs.
+	 * @throws NoSuchAlgorithmException If the specified algorithm is not available.
+	 * @throws InvalidKeySpecException  If the private key cannot be generated.
+	 */
+	private static PrivateKey loadPrivateKey(String privateKey)
+			throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
+		try (PEMParser pemParser = new PEMParser(
+				new InputStreamReader(new ByteArrayInputStream(privateKey.getBytes())))) {
+			Object obj = pemParser.readObject();
+			if (obj instanceof PEMKeyPair) {
+				// Handle RSA private key
+				PEMKeyPair pemKeyPair = (PEMKeyPair) obj;
+				JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
+				return converter.getPrivateKey(pemKeyPair.getPrivateKeyInfo());
+			} else if (obj instanceof PrivateKeyInfo) {
+				// Handle other private key formats
+				PrivateKeyInfo privateKeyInfo = (PrivateKeyInfo) obj;
+				JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
+				return converter.getPrivateKey(privateKeyInfo);
+			} else {
+				throw new InvalidKeySpecException("Invalid private key format");
+			}
+		}
+	}
+}

io.openems.edge.controller.api.mqtt/test/io/openems/edge/controller/api/mqtt/ControllerApiMqttImplTest.java

@@ -30,7 +30,10 @@ public void test() throws Exception {
 						.setUri("ws://localhost:1883") //
 						.setPersistencePriority(PersistencePriority.VERY_LOW) //
 						.setDebugMode(true) //
+						.setCertPem("") //
+						.setPrivateKeyPem("") //
+						.setTrustStorePath("") //
 						.build());
 	}
 
-}
+}

io.openems.edge.controller.api.mqtt/test/io/openems/edge/controller/api/mqtt/MyConfig.java

@@ -14,6 +14,9 @@ protected static class Builder {
 		private String clientId;
 		private String username;
 		private String password;
+		private String certPem;
+		private String privateKeyPem;
+		private String trustStorePem;
 
 		private Builder() {
 		}
@@ -43,6 +46,21 @@ public Builder setPassword(String password) {
 			return this;
 		}
 
+		public Builder setCertPem(String certPem) {
+			this.certPem = certPem;
+			return this;
+		}
+
+		public Builder setPrivateKeyPem(String privateKeyPem) {
+			this.privateKeyPem = privateKeyPem;
+			return this;
+		}
+
+		public Builder setTrustStorePath(String trustStorePem) {
+			this.trustStorePem = trustStorePem;
+			return this;
+		}
+
 		public Builder setPersistencePriority(PersistencePriority persistencePriority) {
 			this.persistencePriority = persistencePriority;
 			return this;
@@ -104,4 +122,18 @@ public String password() {
 		return this.builder.password;
 	}
 
+	@Override
+	public String certPem() {
+		return this.builder.certPem;
+	}
+
+	@Override
+	public String privateKeyPem() {
+		return this.builder.privateKeyPem;
+	}
+
+	@Override
+	public String trustStorePem() {
+		return this.builder.trustStorePem;
+	}
 }