Merge branch 'main' into integ-mqtt3-ssl

aws-greengrass · Nov 8, 2023 · 8b0d749 · 8b0d749
2 parents 2538acc + 7cbe567
commit 8b0d749
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 22 deletions.
diff --git a/src/main/java/com/aws/greengrass/mqtt/bridge/auth/MQTTClientKeyStore.java b/src/main/java/com/aws/greengrass/mqtt/bridge/auth/MQTTClientKeyStore.java
@@ -13,17 +13,24 @@
 import com.aws.greengrass.logging.api.Logger;
 import com.aws.greengrass.logging.impl.LogManager;
 import com.aws.greengrass.mqtt.bridge.MQTTBridge;
+import com.aws.greengrass.util.EncryptionUtils;
 import lombok.Getter;
+import org.bouncycastle.asn1.ASN1Encodable;
+import org.bouncycastle.asn1.ASN1Primitive;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
+import java.security.Key;
 import java.security.KeyManagementException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
@@ -203,4 +210,40 @@ public SSLSocketFactory getSSLSocketFactory() throws KeyStoreException {
             throw new KeyStoreException("Unable to create SocketFactory from KeyStore", e);
         }
     }
+
+
+    /**
+     * Retrieve the cert under alias {@link MQTTClientKeyStore#KEY_ALIAS} from the keystore.
+     *
+     * @return cert in pem format
+     * @throws KeyStoreException            if keystore isn't initialized
+     * @throws CertificateEncodingException if unable to encode certificate
+     * @throws IOException                  if unable to encode certificate
+     */
+    public String getCertPem() throws KeyStoreException, CertificateEncodingException, IOException {
+        Certificate certificateData = keyStore.getCertificate(KEY_ALIAS);
+        return EncryptionUtils.encodeToPem("CERTIFICATE", certificateData.getEncoded());
+    }
+
+    /**
+     * Retrieve the key under alias {@link MQTTClientKeyStore#KEY_ALIAS} from the keystore.
+     *
+     * @return key in pem format
+     * @throws UnrecoverableKeyException if key cannot be recovered
+     * @throws KeyStoreException         if keystore isn't initialized
+     * @throws NoSuchAlgorithmException  if the key algo can't be found
+     * @throws IOException               if key cannot be parsed or encoded
+     */
+    public String getKeyPem() throws UnrecoverableKeyException, KeyStoreException,
+            NoSuchAlgorithmException, IOException {
+        // aws-c-io requires PKCS#1 key encoding for non-linux
+        // https://github.com/awslabs/aws-c-io/issues/260
+        // once this is resolved we can remove the conversion
+        Key key = keyStore.getKey(KEY_ALIAS, DEFAULT_KEYSTORE_PASSWORD);
+        PrivateKeyInfo pkInfo = PrivateKeyInfo.getInstance(key.getEncoded());
+        ASN1Encodable privateKeyPKCS1ASN1Encodable = pkInfo.parsePrivateKey();
+        ASN1Primitive privateKeyPKCS1ASN1 = privateKeyPKCS1ASN1Encodable.toASN1Primitive();
+        byte[] privateKeyPKCS1 = privateKeyPKCS1ASN1.getEncoded();
+        return EncryptionUtils.encodeToPem("RSA PRIVATE KEY", privateKeyPKCS1);
+    }
 }
diff --git a/src/main/java/com/aws/greengrass/mqtt/bridge/clients/LocalMqtt5Client.java b/src/main/java/com/aws/greengrass/mqtt/bridge/clients/LocalMqtt5Client.java
@@ -11,7 +11,6 @@
 import com.aws.greengrass.mqtt.bridge.model.MqttMessage;
 import com.aws.greengrass.mqttclient.v5.Publish;
 import com.aws.greengrass.util.CrashableSupplier;
-import com.aws.greengrass.util.EncryptionUtils;
 import com.aws.greengrass.util.RetryUtils;
 import com.aws.greengrass.util.Utils;
 import lombok.AccessLevel;
@@ -20,9 +19,6 @@
 import lombok.Getter;
 import lombok.NonNull;
 import lombok.Setter;
-import org.bouncycastle.asn1.ASN1Encodable;
-import org.bouncycastle.asn1.ASN1Primitive;
-import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
 import software.amazon.awssdk.crt.CRT;
 import software.amazon.awssdk.crt.CrtRuntimeException;
 import software.amazon.awssdk.crt.io.ClientTlsContext;
@@ -49,11 +45,9 @@
 
 import java.io.IOException;
 import java.net.URI;
-import java.security.Key;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.UnrecoverableKeyException;
-import java.security.cert.Certificate;
 import java.security.cert.CertificateEncodingException;
 import java.time.Duration;
 import java.util.Collections;
@@ -71,8 +65,6 @@
 import java.util.function.Consumer;
 import java.util.stream.Collectors;
 
-import static com.aws.greengrass.mqtt.bridge.auth.MQTTClientKeyStore.DEFAULT_KEYSTORE_PASSWORD;
-import static com.aws.greengrass.mqtt.bridge.auth.MQTTClientKeyStore.KEY_ALIAS;
 import static com.aws.greengrass.mqtt.bridge.model.Mqtt5RouteOptions.DEFAULT_NO_LOCAL;
 
 @SuppressWarnings("PMD.CloseResource")
@@ -719,20 +711,9 @@ private Mqtt5Client createCrtClient() throws MessageClientException {
                     .withMinReconnectDelayMs(config.getMinReconnectDelayMs());
 
             if (isSSL) {
-                // aws-c-io requires PKCS#1 key encoding for non-linux
-                // https://github.com/awslabs/aws-c-io/issues/260
-                // once this is resolved we can remove the conversion
-                Key key = mqttClientKeyStore.getKeyStore().getKey(KEY_ALIAS, DEFAULT_KEYSTORE_PASSWORD);
-                PrivateKeyInfo pkInfo = PrivateKeyInfo.getInstance(key.getEncoded());
-                ASN1Encodable privateKeyPKCS1ASN1Encodable = pkInfo.parsePrivateKey();
-                ASN1Primitive privateKeyPKCS1ASN1 = privateKeyPKCS1ASN1Encodable.toASN1Primitive();
-                byte[] privateKeyPKCS1 = privateKeyPKCS1ASN1.getEncoded();
-                String privateKey = EncryptionUtils.encodeToPem("RSA PRIVATE KEY", privateKeyPKCS1);
-
-                Certificate certificateData = mqttClientKeyStore.getKeyStore().getCertificate(KEY_ALIAS);
-                String certificatePem = EncryptionUtils.encodeToPem("CERTIFICATE", certificateData.getEncoded());
-
-                tlsContextOptions = TlsContextOptions.createWithMtls(certificatePem, privateKey);
+                tlsContextOptions = TlsContextOptions.createWithMtls(
+                        mqttClientKeyStore.getCertPem(),
+                        mqttClientKeyStore.getKeyPem());
                 tlsContextOptions.overrideDefaultTrustStore(
                         mqttClientKeyStore.getCaCertsAsString().orElseThrow(
                                 () -> new MQTTClientException("unable to set default trust store, "