Merge pull request #33 from OSGP/feature/FDP-2217

FDP-2217: Implement mutual TLS

README.md

@@ -25,3 +25,10 @@ To test this flow locally:
 8. When the crest device service receives a message from the device (simulator), a psk set command will be sent in the downlink response to the device (simulator). The new key will be set to pending.
     1. When the crest device service receives a success result code in the subsequent message from the device (simulator), the pending key will be set to active and the old key will become inactive.
     2. When the crest device service receives a failure result code in the subsequent message from the device (simulator), the pending key will be set to invalid.
+
+
+## Mutual TLS
+Communication between the COAP HTTP Proxy and the Crest device service should be encrypted using mutual TLS.
+
+The repositories contain test certificates that can be used for local testing. (they are not included in the jar or docker image)
+They can be also be (re)generated using the [generate_certificates.sh](generate_certificates.sh) script.

application/build.gradle.kts

@@ -1,3 +1,5 @@
+import org.springframework.boot.gradle.tasks.bundling.BootJar
+
 // SPDX-FileCopyrightText: Contributors to the GXF project
 //
 // SPDX-License-Identifier: Apache-2.0
@@ -43,6 +45,11 @@ dependencies {
     jacocoAggregation(project(":application"))
 }
 
+tasks.withType<BootJar> {
+    // Exclude test keys and certificates
+    exclude("ssl/*.pem")
+}
+
 tasks.withType<org.springframework.boot.gradle.tasks.bundling.BootBuildImage> {
     imageName.set("ghcr.io/osgp/gxf-sng-crest-device-service:${version}")
     if (project.hasProperty("publishImage")) {

application/src/main/resources/application-dev.yaml

@@ -6,13 +6,17 @@ spring:
     url: "jdbc:postgresql://localhost:5432/crest_device_service"
     username: "postgres"
     password: "1234"
-  jpa:
-    properties:
-      hibernate:
-        dialect: "org.hibernate.dialect.PostgreSQLDialect"
   kafka:
     bootstrap-servers: "localhost:9092"
 
+# Local testing certificates
+mutual-tls:
+  keystore:
+    private-key: "classpath:ssl/dev-device-service-key.pem"
+    certificate: "classpath:ssl/dev-device-service-cert.pem"
+  truststore:
+    certificate: "classpath:ssl/dev-proxy-cert.pem"
+
 server:
   port: 9000
 

application/src/main/resources/application.yaml

@@ -1,12 +1,37 @@
 #SPDX-FileCopyrightText: Contributors to the GXF project
 #
 #SPDX-License-Identifier: Apache-2.0
+
+# The crest device service should always require mutual tls
+server:
+  ssl:
+    enabled: true
+    client-auth: need
+    bundle: "crest-device-service"
+
+# Run the actuator under a different not tls port
 management:
+  server:
+    port: 8081
+    ssl:
+      enabled: false
   endpoints:
     web:
       exposure:
         include: "prometheus"
 
+# Default server ssl bundle
+spring:
+  ssl:
+    bundle:
+      pem:
+        crest-device-service:
+          keystore:
+            private-key: "${mutual-tls.keystore.private-key}"
+            certificate: "${mutual-tls.keystore.certificate}"
+          truststore:
+            certificate: "${mutual-tls.truststore.certificate}"
+
 logging:
   level:
     com:

application/src/main/resources/ssl/dev-device-service-cert.pem

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFsTCCA5mgAwIBAgIUY0NujZU+uRqek0Fi6QoY1Qo4AKAwDQYJKoZIhvcNAQEL
+BQAwaDELMAkGA1UEBhMCTkwxEzARBgNVBAgMCkdlbGRlcmxhbmQxDzANBgNVBAcM
+BkFybmhlbTESMBAGA1UECgwJQWxsaWFuZGVyMQswCQYDVQQLDAJJVDESMBAGA1UE
+AwwJbG9jYWxob3N0MB4XDTI0MDYwNzEwNTExMVoXDTM0MDYwNTEwNTExMVowaDEL
+MAkGA1UEBhMCTkwxEzARBgNVBAgMCkdlbGRlcmxhbmQxDzANBgNVBAcMBkFybmhl
+bTESMBAGA1UECgwJQWxsaWFuZGVyMQswCQYDVQQLDAJJVDESMBAGA1UEAwwJbG9j
+YWxob3N0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA86nNd5UwicED
+H861toiRZLsol3m11GVBGXBYLNlDE6gK0Ib9ST7tf3sV/desa9JnQdGJn5xSZf0H
+RKShs2u3aB2vdY1ZTeBnadIaekNLVil92Ug4fPBqhgaNQgHWf12vZS9Im97JfULT
+AmBGJN2u5p1otkX9gqPD8IHV51hVplrXyUEpiShib/KFcG4POyr0b6RGBBShcxNm
+ll0t57/jIQq50qOf0altFNDMe3OSeUsHepxhPIPDW0voN4eOogdfkaL5YvJ3lBg4
+hoasVhwmr4/k+C5REYT8bbzQIAuK2E28R/6rBm2qclzvC500pyEb3PxLQnDsui+a
+GnMgxOr+D+3YbqmQsxlTodfktThG8g3uT0WULjmF3WAxOlitYMEXb6U08+NwZJA0
+hfPPVxovkkNUTTVDKaecv/k90R6c7qhE0pQojkdb7/px6j4zJgORX4zAXyo8UUrA
+OLhB0BMrUrjaDSUtMmmPwch5ps6gwSEUYQZPchG9H7h1U8Har4EpBFVB/+qdJ+VX
++eBYtf6wJk1pT0wEn0rBXs/B/aThWVjcCIk+yP84FWiGLqcQ5owmgtHYqiqWiUzH
+GI5ZZk5pZt3E9aOelkUDyXIOhKzGi6mCQ2oCQYVFId57opD16jBNwo8WWAnhuqNN
+gNechnnegK+QacU3zHvrJUqoKgkZ3y0CAwEAAaNTMFEwHQYDVR0OBBYEFM8HC5y9
+pI1VSahRWDuCuyW1BjSbMB8GA1UdIwQYMBaAFM8HC5y9pI1VSahRWDuCuyW1BjSb
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBADQ2nWBuiyNU/2my
+QaaMTajKHtl4jynH4qhQnYypxd6pTeI2/a5AQpe+5O+lLdeiizhue/5T+119j8DM
+ZedmZskFhP9vhXt/6m50TqwuxkGNXxKbdpEvLSjhdepuFIAkh7yT3sMe5ivSSXjh
+HqqHOZ7Yn/3nbCUPhsrmc3bEXsbsILOHpJjUNyyoxCv/MnSAMeGTZddd1zvVSbz9
++pmZmkPOR1osmNcaFiw3klbRnz2ckt64Ds7Ea2+WuWmWEKUllgDcSO1wmYTjUzFK
+xdb1HqhORFsi2KUW/Zk4JQPxedehImLrs07uMJUjBaBn1FgO60yDLFAFQwYUAYKm
+MhYUuG32k23Ywx7fM495Le6exRpjGu/ZniYQyz1nKzuobQNrEIjTHFGGmaqJfzu4
+030Jq8dvi1Pi+HNIqnTOcmxEzvfj3ie4aBzGjTNPAI1O94doUxGf5EcD330fYIKG
+xo8Rkqv+uV48jiZ/2cG+e5NAktuiBOiYq28QP+2RnkLH2S2WPN9Qmk7Norb20Gs8
+V4hH/EMt6Qduh0X5vLNg8gKy6cIuqlmSQ2cMNKMXNaCwSvRuDOnJt/Ko2lKAWc6r
+uPlh9grkF5EvfoPAG47kdlclyzChVPvNIIsWE9WT7mQ30RORSffjqXdG55F/Igf/
+Idj2vIFKNQlLkpMPSANa2B1u1/mH
+-----END CERTIFICATE-----

application/src/main/resources/ssl/dev-device-service-key.pem

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDzqc13lTCJwQMf
+zrW2iJFkuyiXebXUZUEZcFgs2UMTqArQhv1JPu1/exX916xr0mdB0YmfnFJl/QdE
+pKGza7doHa91jVlN4Gdp0hp6Q0tWKX3ZSDh88GqGBo1CAdZ/Xa9lL0ib3sl9QtMC
+YEYk3a7mnWi2Rf2Co8PwgdXnWFWmWtfJQSmJKGJv8oVwbg87KvRvpEYEFKFzE2aW
+XS3nv+MhCrnSo5/RqW0U0Mx7c5J5Swd6nGE8g8NbS+g3h46iB1+Rovli8neUGDiG
+hqxWHCavj+T4LlERhPxtvNAgC4rYTbxH/qsGbapyXO8LnTSnIRvc/EtCcOy6L5oa
+cyDE6v4P7dhuqZCzGVOh1+S1OEbyDe5PRZQuOYXdYDE6WK1gwRdvpTTz43BkkDSF
+889XGi+SQ1RNNUMpp5y/+T3RHpzuqETSlCiOR1vv+nHqPjMmA5FfjMBfKjxRSsA4
+uEHQEytSuNoNJS0yaY/ByHmmzqDBIRRhBk9yEb0fuHVTwdqvgSkEVUH/6p0n5Vf5
+4Fi1/rAmTWlPTASfSsFez8H9pOFZWNwIiT7I/zgVaIYupxDmjCaC0diqKpaJTMcY
+jllmTmlm3cT1o56WRQPJcg6ErMaLqYJDagJBhUUh3nuikPXqME3CjxZYCeG6o02A
+15yGed6Ar5BpxTfMe+slSqgqCRnfLQIDAQABAoICAErI4n2h5ghZm45fIMl5x/od
+MVuwaNzcCOt4Xi/BrQMy78LJs6KP9E/MpNbIo6xiIvwCBlXdIjMYQmtQhiqt1FhZ
+yBjxvaeXyNWjPSoqTkyPJoeSUXgTR/aDu0Y3jzB/Pg51wTjJ25ic8muHxe+ZtI0m
+YdWTzLeUcNZ32wGKzJrmxdUIsWld4jyOuGLl/LnBuM0tI6or9NN/cFyVE7pN3DWv
+d5INU0eD0y1w2lnHgnzEyPJaXcO3gzWZqhek/OOBFNV7qkQyu/3Ro0OywOEa+cqn
+hPShLpOMd/dsXIqBUGeMEE4efTpXXVmFaX7sjJUBJe6g5q5pP1bztj4I+NVHdJsw
+p9XqBFU0slQWob0th2Q2WFgkFULf1cPW2wPiEqnuGvirhhKTC8uuiVaVAvMH+VRQ
+0kg9XpD+vhhMadEt6bBti+Or1PTQaGLtACubobwcOb/wnYoA2iIzlpavYY8JU7k7
+GfhAxcSJpSkMJDGPPjW9UegonVXQf28pvZ7zgV0i8e/ApktFiXPcQt72ZtkWjMuc
+zTm+EmQgmyZlTDeLNsj9EcnZxTNBrLXOP8NL3XIfK4I/0hreXDfHCCw65KmiogRM
+EZl54HOlOCQBn6VnHc4sgF6jbtlrMkAhfyH+bJmpBNlomzDqpCwktvoUzzgxP5Ps
+Acz8nWbsvxU1HDU04yZXAoIBAQD8xIzpidv4ev6ISpdNQwVAap0khFGes6YMaEJE
+QQoQWc1lw9fGKCMh5RSC8sK7OAVt74Jtkg3exEmBf+YbCDLi2gz6GlTwWTHAjkEk
+/vE590qTMNKRTbFVw/XZlNjRmMN7+qTSkBlcXG4mT1SaGOwhJogUFxnuIb5Lw61n
+QnWdriRMzaEWvkh87uTWAnYj07lzm32oaEBaWiku9iIsQMdumJBMdQsNtTbPgitn
+9+DJiSiwVprVpHQcsSYm/naHTyUdjvhNBxRwdmHVMd+xWglLBd+JTIEmteEJF03j
+bwj5YFKYnY2pxOXU+FwS+feFxc+kVcVrlJNw4AghTKmB8Gd3AoIBAQD2x3K4bo0L
+E3cq2SaDBWETLPrKD3yg0fp70fHs0nYNkUAxED4JfKGXya3tsgNb44h0GZFNZ9Vx
+sGDMuDCLt+6yIAQqYtNlsf3TN9/nbhrwbyUTjmIXE03DJgp57K3PLXx5ThDBxa/m
+rEUtjmRce+gsOvsENcFWXbCpWQ3EQfdVn1RaAmzkrIaDL3hO/vD/tsUX2dBMiVJ5
+DqkQXGhkr5xikDPd1Ipky0ZCwbKF4gw8ommB572uapM/OAvBXogciBLmsVWGXtOZ
+lxs2+Q0UlTAXMbzCn4ggqLQP2cVC6RMsZUorjJF2OZJnUU8Z7a4pLYr2k5KsWKdu
+GT9784YQJV97AoIBAGL8kfZvL366o+050NDH+0mDtvBzBQeycMeRGMpj8g3/LQm6
+TUjjtQZ0ELlLWmk5Ah9QWXKRbO8dTW/yZ2mUp2DhZY2YPEU3mN1AmFBlqpA5wLGt
+v/h5RYZBzIid2t8SBRQLTvrKxbO+2sAT9xy1v9snnMjJVzVDb6N6CPFUPH04kiyl
+pn0inX6Xi3Qn2J4lLw4QCYCm+vSnNFOYvj84SyGLi471kxOWMNXIszjvAM/L7+xG
+rjIWSgZmdXt10XMh0nYl5CU+LYnxQlTcSC7LBLKlpSm+lSFUvsDxqGX1uLz4NMBh
+ivW+Dwd9D4m67G0tzygbEsoTkD327hgkTol9XPcCggEAHALxq6uoyNwRx8RUUcT3
+iuStJuhxHhQXmZxwGJCfI9Ub8zXDxPHnqcITwwpUxUZjg8IvMxkZKkl6A2LY59Md
+/gwSTPlgw4dbp3ENMkjWN/p1u+2KhtIDHqafw80wwXaJTX+l+UjGOanORGiITdMm
+vHaJbaXoZzRFTEO2g1N1jruCKKFj2OUYc6Wcw2K+2lfVsWpg8X8Y5HLcj+XdV6hz
+WODDcmegueY0+HjiGb5Z4zwQO9WhOz4Prrpe4zkmvA5aDuOMMK9s119GkIvehzqT
+9d4IbhMLsaFUpwPyFzE7outwatcO39uTGbUqBGhtP3FS98AyguuhPacSBLDUw9pq
+JwKCAQA1bQ77h4wyfuC0EryDOobfLUaLDF7qD0bZMakFVTBKA1M63MQiZ04H1hJD
+/eSHn1BS5tNW/xP3SjtN7w7qm4zN1K9C6PIstY2A5MnUzgiJFzecQLy8OhCF6dRZ
+k3uleK4K+UZOlvVNW+biCrw8u19hevY665HY9mxa8nPwFWqVxh+NZ0+ypfp768k3
+Yq5o9i9E9r3gQEuZGLZGuXlcwMfA/ziKk0HTjpRuKS/qqIlwYgi4N7cYYJUJEJS6
+McSGVUtsld1Qu8we+aELMAn7GuZgE88qP3hoDEyV6eaUxIAwubCn/jiIqyAB+8N0
+2JMuaHHHTnDTanBCbkbJxkJmV4L7
+-----END PRIVATE KEY-----

application/src/main/resources/ssl/dev-proxy-cert.pem

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFsTCCA5mgAwIBAgIUQz2Jfjg4JkSsca8BVSafqt8mB0cwDQYJKoZIhvcNAQEL
+BQAwaDELMAkGA1UEBhMCTkwxEzARBgNVBAgMCkdlbGRlcmxhbmQxDzANBgNVBAcM
+BkFybmhlbTESMBAGA1UECgwJQWxsaWFuZGVyMQswCQYDVQQLDAJJVDESMBAGA1UE
+AwwJbG9jYWxob3N0MB4XDTI0MDYwNzEwNTExMVoXDTM0MDYwNTEwNTExMVowaDEL
+MAkGA1UEBhMCTkwxEzARBgNVBAgMCkdlbGRlcmxhbmQxDzANBgNVBAcMBkFybmhl
+bTESMBAGA1UECgwJQWxsaWFuZGVyMQswCQYDVQQLDAJJVDESMBAGA1UEAwwJbG9j
+YWxob3N0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApGs2eERv8/XM
+FwN1B8puQLT7+b1rnxYKQZqblpPQwmb15ytWaVVBgDWaJV7re/ZeXD+B3wB0bo6j
+X1xx4o6Ue25GTdQajTnD2/Oy8VATbTV45gyHqNfz6ourP7Bkt4xzeBjFYHTwLKKt
+IOjHD7zgZ8ih74xpSeeUabsVz0zYI9URI6hSt8iRvti8ibCsWxvaO3lbLT87m+Ht
+4cUg+j0phHQ3k/HU8KqtReKJCpSrBq9eyPAU1of4AXP/iMDi7vw5+iPPqtUKfpgN
+dRwxiCnopjnUwIUbZ7G1U805zu6zEjOTlZNI0uTnNT24b2k79Ml05Qy+zn/3RPrh
+16raHv0R3x9ZrE5I/GP3XX6sWEVrKjTsftkOFkCJACm/idtMoqOSrM/5bVTPBpMS
+j7hjvO65CwgbfBeR1v+NUzpk+aFTglL72WI6bT28xhZLZb+xPu0DTilB5bfWUNmB
+GewThY1uQdeq4n3bsPQeneXighba2oM4rkDQ15E/UML7qKDrCjs8vNSYzaG+PAjL
+5ADxKkrM+KrSNiEUjPwAZvCF47XFsUEM5UTYggvoxIk90HAPG42zxklYRnA15BkL
+yPMsduDZ4cf65goZWkXrLNkUoVYdEx1Bcfp2uJjeiE8X6dyIPAdEHvdkfRK8EGd8
+HFXuGjYcHSFAikZRyF9fc7nhiUfK/d0CAwEAAaNTMFEwHQYDVR0OBBYEFPNQWmxE
+JCyHMgO8Yz5ACAbRWwbUMB8GA1UdIwQYMBaAFPNQWmxEJCyHMgO8Yz5ACAbRWwbU
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAJKb79cLWd+8iBGW
+5XW3ThAuLoMxVdTHWYScMXfSxB9hnG+Xac+v5/2Fe1wGMcSII05SwUnveiUFlj3V
+9PPOOmKk1xlLXuXu3WEhotBt3MWywjf2GIrtF4uOLUvWajgBu8ASiXBOcw8my0fd
+FUNwmNkxiqcgr9UvbYoeaTG594Jmp+we7P9OZO0NCHMHfsRPC2Qsz1F3AJfy1jAI
+hm4JJvHvIAfBqxP+Z/SJTZP1xAXSS7JyzGGEz+H6ZLJabjd0kW/FIa0C4Lm8pHNH
+qeFwLjQTMocFUaTLkbZVD2vPsGsl8PmzpWTt04EWd03kQGnFWtp4J9Gd1FQWPYMQ
+zNYKvwmDKq9odQTViNzU6xHQmwo+mZM17KqRwkqKRPmXYH6mtqdpmxKEWynkWhwQ
+jfBsJfqfJqrSfVyID0IbxZIAEgD2MOcH8KET8iImdvZyQcHC0NWJF8EDVvwnG2If
+4oAlfKIwSxe4FQ0pG01MCGnWwncQt76d75k7fs1FO9DORCCYQdDxcI8M1uwzdxJG
+1UQ/WbRxSlKalAwgzP8rL9LTA9naVR7FDjZTBaP3JJHcI7cEwkYiGDxYdFzjy8b2
+dU5fGUoSNoWABVIGAQxpDlNqS4AZaQQxA9g7KHBUuLXaDvnG59yK36g0YlQBUbyh
+7mN89Z4HwosPDcA5cIfi/Wie/kfZ
+-----END CERTIFICATE-----

generate_certificates.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+# SPDX-FileCopyrightText: Copyright Contributors to the GXF project
+#
+# SPDX-License-Identifier: Apache-2.0
+
+HOST_NAME=localhost
+
+RESOURCE_DIR=application/src/main/resources/ssl
+DEVICE_SERVICE_RESOURCE_DIR="./${RESOURCE_DIR}"
+COAP_HTTP_PROXY_RESOURCE_DIR="../sng-coap-http-proxy/${RESOURCE_DIR}"
+
+echo "Generating new proxy certificate"
+
+openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 \
+            -keyout dev-proxy-key.pem -out dev-proxy-cert.pem \
+            -subj "/C=NL/ST=Gelderland/L=Arnhem/O=Alliander/OU=IT/CN=${HOST_NAME}"
+
+openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 \
+            -keyout dev-device-service-key.pem -out dev-device-service-cert.pem \
+            -subj "/C=NL/ST=Gelderland/L=Arnhem/O=Alliander/OU=IT/CN=${HOST_NAME}"
+
+# Device service files
+cp dev-device-service-key.pem "${DEVICE_SERVICE_RESOURCE_DIR}"
+cp dev-device-service-cert.pem "${DEVICE_SERVICE_RESOURCE_DIR}"
+cp dev-proxy-cert.pem "${DEVICE_SERVICE_RESOURCE_DIR}"
+
+# Proxy files
+cp dev-proxy-key.pem "${COAP_HTTP_PROXY_RESOURCE_DIR}"
+cp dev-proxy-cert.pem "${COAP_HTTP_PROXY_RESOURCE_DIR}"
+cp dev-device-service-cert.pem "${COAP_HTTP_PROXY_RESOURCE_DIR}"
+
+rm ./*.pem
+
+echo "Generated all certificates and stores"