#436: Add X509 support to leshan client

leshan-client-cf/src/main/java/org/eclipse/leshan/client/californium/impl/CaliforniumEndpointsManager.java

@@ -18,6 +18,8 @@
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.security.PublicKey;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
 
@@ -29,8 +31,15 @@
 import org.eclipse.californium.scandium.DTLSConnector;
 import org.eclipse.californium.scandium.config.DtlsConnectorConfig;
 import org.eclipse.californium.scandium.config.DtlsConnectorConfig.Builder;
+import org.eclipse.californium.scandium.dtls.AlertMessage;
+import org.eclipse.californium.scandium.dtls.AlertMessage.AlertDescription;
+import org.eclipse.californium.scandium.dtls.AlertMessage.AlertLevel;
+import org.eclipse.californium.scandium.dtls.CertificateMessage;
+import org.eclipse.californium.scandium.dtls.DTLSSession;
+import org.eclipse.californium.scandium.dtls.HandshakeException;
 import org.eclipse.californium.scandium.dtls.pskstore.StaticPskStore;
 import org.eclipse.californium.scandium.dtls.rpkstore.TrustedRpkStore;
+import org.eclipse.californium.scandium.dtls.x509.CertificateVerifier;
 import org.eclipse.leshan.SecurityMode;
 import org.eclipse.leshan.client.servers.EndpointsManager;
 import org.eclipse.leshan.client.servers.Server;
@@ -101,8 +110,53 @@ public boolean isTrusted(RawPublicKeyIdentity id) {
                         return true;
                     }
                 });
+            } else if (serverInfo.secureMode == SecurityMode.X509) {
+                // set identity
+                newBuilder.setIdentity(serverInfo.privateKey, new Certificate[] { serverInfo.clientCertificate },
+                        false);
+
+                // set X509 verifier
+                final Certificate expectedServerCertificate = serverInfo.serverCertificate;
+                newBuilder.setCertificateVerifier(new CertificateVerifier() {
+
+                    @Override
+                    public void verifyCertificate(CertificateMessage message, DTLSSession session)
+                            throws HandshakeException {
+                        // As specify in the LWM2M spec 1.0, we only support "domain-issued certificate" usage
+                        // Defined in : https://tools.ietf.org/html/rfc6698#section-2.1.1 (3 -- Certificate usage 3)
+
+                        // Get server certificate from certificate message
+                        if (message.getCertificateChain().getCertificates().size() == 0) {
+                            AlertMessage alert = new AlertMessage(AlertLevel.FATAL, AlertDescription.BAD_CERTIFICATE,
+                                    session.getPeer());
+                            throw new HandshakeException("Certificate chain could not be validated", alert);
+                        }
+                        Certificate receivedServerCertificate = message.getCertificateChain().getCertificates().get(0);
+
+                        // Validate certificate
+                        if (!expectedServerCertificate.equals(receivedServerCertificate)) {
+                            AlertMessage alert = new AlertMessage(AlertLevel.FATAL, AlertDescription.BAD_CERTIFICATE,
+                                    session.getPeer());
+                            throw new HandshakeException("Certificate chain could not be validated", alert);
+                        }
+                    }
+
+                    @Override
+                    public X509Certificate[] getAcceptedIssuers() {
+                        return null;
+                    }
+                });
+
+                // disable the possibility to use RPK as client should use X509.
+                // TODO add a way in Scandium to say that we don't accept RPK certificate type
+                newBuilder.setRpkTrustStore(new TrustedRpkStore() {
+                    @Override
+                    public boolean isTrusted(RawPublicKeyIdentity id) {
+                        return false;
+                    }
+                });
+
             }
-            // TODO add support X509
             if (endpointFactory != null) {
                 currentEndpoint = endpointFactory.createSecuredEndpoint(newBuilder.build(), coapConfig, null);
             } else {

leshan-client-core/src/main/java/org/eclipse/leshan/client/object/Security.java

@@ -116,6 +116,15 @@ public static Security rpk(String serverUri, int shortServerId, byte[] clientPub
                 clientPrivateKey.clone(), shortServerId);
     }
 
+    /**
+     * Returns a new security instance (X509) for a device management server.
+     */
+    public static Security x509(String serverUri, int shortServerId, byte[] clientCertificate, byte[] clientPrivateKey,
+            byte[] serverPublicKey) {
+        return new Security(serverUri, false, SecurityMode.X509.code, clientCertificate.clone(),
+                serverPublicKey.clone(), clientPrivateKey.clone(), shortServerId);
+    }
+
     @Override
     public WriteResponse write(int resourceId, LwM2mResource value) {
         LOG.debug("Write on resource {}: {}", resourceId, value);

leshan-client-core/src/main/java/org/eclipse/leshan/client/servers/ServerInfo.java

@@ -20,6 +20,7 @@
 import java.net.URISyntaxException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
+import java.security.cert.Certificate;
 
 import org.eclipse.leshan.LwM2m;
 import org.eclipse.leshan.SecurityMode;
@@ -38,9 +39,13 @@ public class ServerInfo {
     public byte[] pskKey;
 
     public PublicKey publicKey;
-    public PrivateKey privateKey;
     public PublicKey serverPublicKey;
 
+    public Certificate clientCertificate;
+    public Certificate serverCertificate;
+
+    public PrivateKey privateKey;
+
     public InetSocketAddress getAddress() {
         return getAddress(serverUri);
     }

leshan-client-core/src/main/java/org/eclipse/leshan/client/servers/ServersInfoExtractor.java

@@ -19,12 +19,17 @@
 import static org.eclipse.leshan.LwM2mId.*;
 import static org.eclipse.leshan.client.request.ServerIdentity.SYSTEM;
 
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.security.KeyFactory;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.security.spec.X509EncodedKeySpec;
@@ -79,6 +84,10 @@ public static ServersInfo getInfo(Map<Integer, LwM2mObjectEnabler> objectEnabler
                             info.publicKey = getPublicKey(security);
                             info.privateKey = getPrivateKey(security);
                             info.serverPublicKey = getServerPublicKey(security);
+                        } else if (info.secureMode == SecurityMode.X509) {
+                            info.clientCertificate = getClientCertificate(security);
+                            info.serverCertificate = getServerCertificate(security);
+                            info.privateKey = getPrivateKey(security);
                         }
                         infos.bootstrap = info;
                     }
@@ -95,6 +104,10 @@ public static ServersInfo getInfo(Map<Integer, LwM2mObjectEnabler> objectEnabler
                         info.publicKey = getPublicKey(security);
                         info.privateKey = getPrivateKey(security);
                         info.serverPublicKey = getServerPublicKey(security);
+                    } else if (info.secureMode == SecurityMode.X509) {
+                        info.clientCertificate = getClientCertificate(security);
+                        info.serverCertificate = getServerCertificate(security);
+                        info.privateKey = getPrivateKey(security);
                     }
                     // search corresponding device management server
                     for (LwM2mObjectInstance server : servers.getInstances().values()) {
@@ -187,4 +200,30 @@ private static PublicKey getServerPublicKey(LwM2mObjectInstance securityInstance
         }
         return null;
     }
+
+    private static Certificate getServerCertificate(LwM2mObjectInstance securityInstance) {
+        byte[] encodedCert = (byte[]) securityInstance.getResource(SEC_SERVER_PUBKEY).getValue();
+        try {
+            CertificateFactory cf = CertificateFactory.getInstance("X.509");
+            try (ByteArrayInputStream in = new ByteArrayInputStream(encodedCert)) {
+                return cf.generateCertificate(in);
+            }
+        } catch (CertificateException | IOException e) {
+            LOG.debug("Failed to decode X.509 certificate", e);
+            return null;
+        }
+    }
+
+    private static Certificate getClientCertificate(LwM2mObjectInstance securityInstance) {
+        byte[] encodedCert = (byte[]) securityInstance.getResource(SEC_PUBKEY_IDENTITY).getValue();
+        try {
+            CertificateFactory cf = CertificateFactory.getInstance("X.509");
+            try (ByteArrayInputStream in = new ByteArrayInputStream(encodedCert)) {
+                return cf.generateCertificate(in);
+            }
+        } catch (CertificateException | IOException e) {
+            LOG.debug("Failed to decode X.509 certificate", e);
+            return null;
+        }
+    }
 }

leshan-integration-tests/src/test/java/org/eclipse/leshan/integration/tests/RedisSecureIntegrationTestHelper.java

@@ -17,7 +17,6 @@
 
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
-import java.security.cert.Certificate;
 
 import org.eclipse.leshan.core.node.codec.DefaultLwM2mNodeDecoder;
 import org.eclipse.leshan.server.californium.LeshanServerBuilder;
@@ -60,7 +59,7 @@ public void createServerWithRPK() {
     }
 
     @Override
-    public void createServerWithX509Cert(Certificate[] trustedCertificates) {
+    public void createServerWithX509Cert() {
         throw new UnsupportedOperationException("Not implemented");
     }