begin implementing basic quarantine/local trust store

Author: d-shapiro

dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/AnonymousTrustFactory.java

@@ -113,8 +113,16 @@ public void checkClientTrusted(X509Certificate[] chain, String authType)
             if (certManager.allowAnonymousClients()) {
                 return;
             }
+            if (certManager.isInTrustStore(chain[0])) {
+                return;
+            }
             if (defaultX509Mgr != null) {
-                defaultX509Mgr.checkClientTrusted(chain, authType);
+                try {
+                    defaultX509Mgr.checkClientTrusted(chain, authType);
+                } catch (CertificateException e) {
+                    certManager.addToQuarantine(chain[0]);
+                    throw e;
+                }
             }
         }
 
@@ -124,8 +132,16 @@ public void checkServerTrusted(X509Certificate[] chain, String authType)
             if (certManager.allowAnonymousServers()) {
                 return;
             }
+            if (certManager.isInTrustStore(chain[0])) {
+                return;
+            }
             if (defaultX509Mgr != null) {
-                defaultX509Mgr.checkServerTrusted(chain, authType);
+                try {
+                    defaultX509Mgr.checkServerTrusted(chain, authType);
+                } catch (CertificateException e) {
+                    certManager.addToQuarantine(chain[0]);
+                    throw e;
+                }
             }
         }
 

dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/CertCollection.java

@@ -0,0 +1,42 @@
+package com.acuity.iot.dsa.dslink.sys.cert;
+
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.Base64;
+import java.util.Base64.Encoder;
+import org.iot.dsa.node.DSIObject;
+import org.iot.dsa.node.DSNode;
+
+public class CertCollection extends DSNode {
+
+    public void addCertificate(X509Certificate cert) throws CertificateEncodingException {
+        String name = certToName(cert);
+        addCertificate(name, encodeCertificate(cert));
+    }
+    
+    public void addCertificate(String name, String cert) {
+        put(name, new CertNode().updateValue(cert));
+    }
+    
+    public boolean containsCertificate(X509Certificate cert) {
+        DSIObject obj = get(certToName(cert));
+        String certStr;
+        try {
+            certStr = encodeCertificate(cert);
+        } catch (CertificateEncodingException e) {
+            warn(e);
+            return false;
+        }
+        return obj != null && obj instanceof CertNode && certStr.equals(((CertNode) obj).toElement().toString());
+    }
+    
+    public static String certToName(X509Certificate cert) {
+        return cert.getIssuerX500Principal().getName() + "-" + Integer.toHexString(cert.hashCode());
+    }
+    
+    public static String encodeCertificate(X509Certificate cert) throws CertificateEncodingException {
+        Encoder encoder = Base64.getEncoder();
+        return encoder.encodeToString(cert.getEncoded());
+    }
+
+}

dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/CertNode.java

@@ -0,0 +1,67 @@
+package com.acuity.iot.dsa.dslink.sys.cert;
+
+import org.iot.dsa.node.DSInfo;
+import org.iot.dsa.node.DSString;
+import org.iot.dsa.node.DSValueNode;
+import org.iot.dsa.node.action.ActionInvocation;
+import org.iot.dsa.node.action.ActionResult;
+import org.iot.dsa.node.action.DSAction;
+
+public class CertNode extends DSValueNode {
+    
+    private static final String VALUE = "value";
+    private static final String ALLOW = "Allow";
+    private static final String REMOVE = "Remove";
+    
+    private DSInfo value = getInfo(VALUE);
+    private DSInfo allow = getInfo(ALLOW);
+    private DSInfo remove = getInfo(REMOVE);
+    
+    private SysCertManager certManager;
+    
+    @Override
+    protected void declareDefaults() {
+        super.declareDefaults();
+        declareDefault(VALUE, DSString.valueOf("")).setHidden(true).setReadOnly(true);
+        declareDefault(ALLOW, DSAction.DEFAULT);
+        declareDefault(REMOVE, DSAction.DEFAULT);
+    }
+    
+    public CertNode updateValue(String newVal) {
+        put(VALUE, newVal);
+        return this;
+    }
+
+    @Override
+    public DSInfo getValueChild() {
+        return value;
+    }
+    
+    @Override
+    public ActionResult onInvoke(DSInfo action, ActionInvocation invocation) {
+        if (action == remove) {
+            remove();
+        } else if (action == allow) {
+            allow();
+        } else {
+            super.onInvoke(action, invocation);
+        }
+        return null;
+    }
+    
+    private void remove() {
+        getParent().remove(getInfo());
+    }
+    
+    private void allow() {
+        getCertManager().allow(getInfo());
+    }
+    
+    public SysCertManager getCertManager() {
+        if (certManager == null) {
+            certManager = (SysCertManager) getAncestor(SysCertManager.class);
+        }
+        return certManager;
+    }
+
+}

dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/SysCertManager.java

@@ -1,6 +1,8 @@
 package com.acuity.iot.dsa.dslink.sys.cert;
 
 import java.io.File;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
 import org.iot.dsa.node.DSBool;
 import org.iot.dsa.node.DSInfo;
 import org.iot.dsa.node.DSNode;
@@ -24,6 +26,8 @@ public class SysCertManager extends DSNode {
     private static final String CERTFILE = "Cert_File";
     private static final String CERTFILE_PASS = "Cert_File_Pass";
     private static final String CERTFILE_TYPE = "Cert_File_Type";
+    private static final String LOCAL_TRUSTSTORE = "Local_Truststore";
+    private static final String QUARANTINE = "Quarantine";
 
     // Fields
     // ------
@@ -33,6 +37,8 @@ public class SysCertManager extends DSNode {
     private DSInfo keystore = getInfo(CERTFILE);
     private DSInfo keystorePass = getInfo(CERTFILE_PASS);
     private DSInfo keystoreType = getInfo(CERTFILE_TYPE);
+    private CertCollection localTruststore = (CertCollection) getInfo(LOCAL_TRUSTSTORE).getObject();
+    private CertCollection quarantine = (CertCollection) getInfo(QUARANTINE).getObject();
 
     // Methods
     // -------
@@ -58,6 +64,8 @@ public void declareDefaults() {
         declareDefault(CERTFILE, DSString.valueOf("dslink.jks"));
         declareDefault(CERTFILE_TYPE, DSString.valueOf("JKS"));
         declareDefault(CERTFILE_PASS, DSPasswordAes128.valueOf("dsarocks"));
+        declareDefault(LOCAL_TRUSTSTORE, new CertCollection());
+        declareDefault(QUARANTINE, new CertCollection()).setTransient(true);
     }
 
     private String getCertFilePass() {
@@ -108,4 +116,25 @@ public void onStarted() {
         }
     }
 
+    public boolean isInTrustStore(X509Certificate cert) {
+        return localTruststore.containsCertificate(cert);
+    }
+    
+    public void addToQuarantine(X509Certificate cert) {
+        try {
+            quarantine.addCertificate(cert);
+        } catch (CertificateEncodingException e) {
+            error("", e);
+        }
+    }
+    
+    public void allow(DSInfo certInfo) {
+        String name = certInfo.getName();
+        CertNode certNode = (CertNode) certInfo.getNode();
+        String certStr = certNode.toElement().toString();
+        quarantine.remove(certInfo);
+        localTruststore.addCertificate(name, certStr);
+    }
+    
+
 }