From 669d23e3f0fad540a9536f6fe2054414553a1805 Mon Sep 17 00:00:00 2001 From: Jasper Kamerling Date: Fri, 7 Jun 2024 10:41:52 +0200 Subject: [PATCH] FDP-2217: Implement mutual TLS Signed-off-by: Jasper Kamerling --- application/build.gradle.kts | 7 +++ .../src/main/resources/application-dev.yaml | 16 +++--- .../src/main/resources/application.yaml | 16 ++++++ .../resources/ssl/dev-device-service-cert.pem | 33 ++++++++++++ .../src/main/resources/ssl/dev-proxy-cert.pem | 33 ++++++++++++ .../src/main/resources/ssl/dev-proxy-key.pem | 52 +++++++++++++++++++ 6 files changed, 150 insertions(+), 7 deletions(-) create mode 100644 application/src/main/resources/ssl/dev-device-service-cert.pem create mode 100644 application/src/main/resources/ssl/dev-proxy-cert.pem create mode 100644 application/src/main/resources/ssl/dev-proxy-key.pem
diff --git a/application/build.gradle.kts b/application/build.gradle.kts
index ac5157b..6cf06d5 100644
--- a/application/build.gradle.kts
+++ b/application/build.gradle.kts
@@ -1,3 +1,5 @@
+import org.springframework.boot.gradle.tasks.bundling.BootJar
+
 // SPDX-FileCopyrightText: Contributors to the GXF project
 //
 // SPDX-License-Identifier: Apache-2.0
@@ -27,6 +29,11 @@ dependencies {
 jacocoAggregation(project(":application"))
 }
+tasks.withType { // Exclude test keys and certificates exclude("ssl/*.pem") }
+
 tasks.withType {
 imageName.set("ghcr.io/osgp/sng-coap-http-proxy:$version")
 if (project.hasProperty("publishImage")) {
diff --git a/application/src/main/resources/application-dev.yaml b/application/src/main/resources/application-dev.yaml
index 33abdfd..361bb59 100644
--- a/application/src/main/resources/application-dev.yaml
+++ b/application/src/main/resources/application-dev.yaml
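Review bot: `exclude("ssl/*.pem")` on the BootJar task keeps the dev key and certificates out of the fat jar, but it is a packaging-time glob: it will just as silently strip a PEM that is later placed under `resources/ssl` on purpose, it does nothing for `bootRun`/test classpaths (intended here, but undocumented), and it gives no protection to the git history, where `dev-proxy-key.pem` now lives permanently. A more robust shape is to keep dev-only material off the main classpath altogether — a `src/dev/resources` source set wired only to the dev run configuration, or a Gradle task that generates the key pair into a git-ignored directory — so nothing needs filtering at packaging time. The comment calls them "test keys" although they sit in `src/main/resources` and are referenced by `application-dev.yaml`; reword it to `// Dev-only self-signed key pair and certs; must never ship in the boot jar` and consider a check in CI that fails if any `ssl/*.pem` appears in the produced archive. The `tasks.withType { … }` calls appear to have lost their type arguments (`<BootJar>`, `<BootBuildImage>`) in rendering, and the indented added lines of this hunk lost their `+` markers; if the source really has no type argument the exclude would apply to every task type.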
@@ -5,11 +5,13 @@ server:
 port: 8181
-management:
- endpoints:
- web:
- exposure:
- include: prometheus
+# Local testing certificates
+mutual-tls:
+ keystore:
+ private-key: "classpath:ssl/dev-proxy-key.pem"
+ certificate: "classpath:ssl/dev-proxy-cert.pem"
+ truststore:
+ certificate: "classpath:ssl/dev-device-service-cert.pem"
 config:
 coap:
@@ -24,8 +26,8 @@ config:
 preferred-block-size: 1024
 http:
- url: "http://localhost:9000"
- connection-timeout: 5000ms
+ url: "https://localhost:9000"
+ connection-timeout: "5000ms"
 udp:
 udp-receive-buffer-size: 8192
diff --git a/application/src/main/resources/application.yaml b/application/src/main/resources/application.yaml
index 4575317..15bb8c6 100644
--- a/application/src/main/resources/application.yaml
+++ b/application/src/main/resources/application.yaml
@@ -2,6 +2,22 @@
 #
 #SPDX-License-Identifier: Apache-2.0
+# Default server ssl bundle
+spring:
+ ssl:
+ bundle:
+ pem:
+ coap-http-proxy:
+ keystore:
+ private-key: "${mutual-tls.keystore.private-key}"
+ certificate: "${mutual-tls.keystore.certificate}"
+ truststore:
+ certificate: "${mutual-tls.truststore.certificate}"
+
+config:
+ http:
+ ssl-bundle: "coap-http-proxy"
+
 management:
 endpoints:
 web:
diff --git a/application/src/main/resources/ssl/dev-device-service-cert.pem b/application/src/main/resources/ssl/dev-device-service-cert.pem
new file mode 100644
index 0000000..e742c5f
--- /dev/null
+++ b/application/src/main/resources/ssl/dev-device-service-cert.pem
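Review bot: `mutual-tls.keystore.private-key: "classpath:ssl/dev-proxy-key.pem"` in the dev profile points at an unencrypted private key that this same commit adds to the repository, so from now on that key is effectively public and `dev-proxy-cert.pem` must never be added to a trust store outside a developer machine; the block should say so rather than rely on the `dev-` prefix. Replace `# Local testing certificates` with something like `# Dev-only self-signed key pair and peer cert (CN=localhost, expire 2034-06-05). The key is committed, i.e. public: never trust these certs anywhere else; regenerate rather than reuse.` The truststore entry is a single self-signed certificate, so the dev proxy pins exactly that device-service certificate; fine for localhost, but worth a comment so nobody copies the pattern into an environment where the peer certificate rotates. This hunk also drops `management.endpoints.web.exposure.include: prometheus` from the dev profile; the base `application.yaml` does carry a `management.endpoints.web` section, which suggests deduplication, but confirm that section still exposes `prometheus` or the dev profile silently loses its metrics endpoint.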
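Review bot: The comment `# Default server ssl bundle` is misleading: nothing in this hunk sets `server.ssl.bundle`; the bundle is only referenced from `config.http.ssl-bundle`, and with the dev profile's `config.http.url` now `https://localhost:9000` that appears to be the outbound HTTP client towards the device service, so the keystore is the proxy's client certificate for mTLS and the truststore holds what the device service must present (whether `config.http.ssl-bundle` is actually consumed by a client builder is outside this diff and should be confirmed). Rewrite the comment as `# SSL bundle for the outbound device-service HTTP client (config.http): keystore = proxy client cert/key presented for mTLS, truststore = certificate(s) accepted from the device service`. The `${mutual-tls.*}` placeholders have no defaults, which is the right fail-closed choice, but it means every profile other than dev must now supply all three properties or the context fails to start on an unresolved placeholder; state that next to the block, e.g. `# mutual-tls.* are mandatory in every profile; there is no fallback`, so the first deployment failure is not a surprise.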
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFsTCCA5mgAwIBAgIUY0NujZU+uRqek0Fi6QoY1Qo4AKAwDQYJKoZIhvcNAQEL +BQAwaDELMAkGA1UEBhMCTkwxEzARBgNVBAgMCkdlbGRlcmxhbmQxDzANBgNVBAcM +BkFybmhlbTESMBAGA1UECgwJQWxsaWFuZGVyMQswCQYDVQQLDAJJVDESMBAGA1UE +AwwJbG9jYWxob3N0MB4XDTI0MDYwNzEwNTExMVoXDTM0MDYwNTEwNTExMVowaDEL +MAkGA1UEBhMCTkwxEzARBgNVBAgMCkdlbGRlcmxhbmQxDzANBgNVBAcMBkFybmhl +bTESMBAGA1UECgwJQWxsaWFuZGVyMQswCQYDVQQLDAJJVDESMBAGA1UEAwwJbG9j +YWxob3N0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA86nNd5UwicED +H861toiRZLsol3m11GVBGXBYLNlDE6gK0Ib9ST7tf3sV/desa9JnQdGJn5xSZf0H +RKShs2u3aB2vdY1ZTeBnadIaekNLVil92Ug4fPBqhgaNQgHWf12vZS9Im97JfULT +AmBGJN2u5p1otkX9gqPD8IHV51hVplrXyUEpiShib/KFcG4POyr0b6RGBBShcxNm +ll0t57/jIQq50qOf0altFNDMe3OSeUsHepxhPIPDW0voN4eOogdfkaL5YvJ3lBg4 +hoasVhwmr4/k+C5REYT8bbzQIAuK2E28R/6rBm2qclzvC500pyEb3PxLQnDsui+a +GnMgxOr+D+3YbqmQsxlTodfktThG8g3uT0WULjmF3WAxOlitYMEXb6U08+NwZJA0 +hfPPVxovkkNUTTVDKaecv/k90R6c7qhE0pQojkdb7/px6j4zJgORX4zAXyo8UUrA +OLhB0BMrUrjaDSUtMmmPwch5ps6gwSEUYQZPchG9H7h1U8Har4EpBFVB/+qdJ+VX ++eBYtf6wJk1pT0wEn0rBXs/B/aThWVjcCIk+yP84FWiGLqcQ5owmgtHYqiqWiUzH +GI5ZZk5pZt3E9aOelkUDyXIOhKzGi6mCQ2oCQYVFId57opD16jBNwo8WWAnhuqNN +gNechnnegK+QacU3zHvrJUqoKgkZ3y0CAwEAAaNTMFEwHQYDVR0OBBYEFM8HC5y9 +pI1VSahRWDuCuyW1BjSbMB8GA1UdIwQYMBaAFM8HC5y9pI1VSahRWDuCuyW1BjSb +MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBADQ2nWBuiyNU/2my +QaaMTajKHtl4jynH4qhQnYypxd6pTeI2/a5AQpe+5O+lLdeiizhue/5T+119j8DM +ZedmZskFhP9vhXt/6m50TqwuxkGNXxKbdpEvLSjhdepuFIAkh7yT3sMe5ivSSXjh +HqqHOZ7Yn/3nbCUPhsrmc3bEXsbsILOHpJjUNyyoxCv/MnSAMeGTZddd1zvVSbz9 ++pmZmkPOR1osmNcaFiw3klbRnz2ckt64Ds7Ea2+WuWmWEKUllgDcSO1wmYTjUzFK +xdb1HqhORFsi2KUW/Zk4JQPxedehImLrs07uMJUjBaBn1FgO60yDLFAFQwYUAYKm +MhYUuG32k23Ywx7fM495Le6exRpjGu/ZniYQyz1nKzuobQNrEIjTHFGGmaqJfzu4 +030Jq8dvi1Pi+HNIqnTOcmxEzvfj3ie4aBzGjTNPAI1O94doUxGf5EcD330fYIKG +xo8Rkqv+uV48jiZ/2cG+e5NAktuiBOiYq28QP+2RnkLH2S2WPN9Qmk7Norb20Gs8 +V4hH/EMt6Qduh0X5vLNg8gKy6cIuqlmSQ2cMNKMXNaCwSvRuDOnJt/Ko2lKAWc6r 
+uPlh9grkF5EvfoPAG47kdlclyzChVPvNIIsWE9WT7mQ30RORSffjqXdG55F/Igf/
+Idj2vIFKNQlLkpMPSANa2B1u1/mH
+-----END CERTIFICATE-----
diff --git a/application/src/main/resources/ssl/dev-proxy-cert.pem b/application/src/main/resources/ssl/dev-proxy-cert.pem
new file mode 100644
index 0000000..d0865ae
--- /dev/null
+++ b/application/src/main/resources/ssl/dev-proxy-cert.pem
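Review bot: `dev-device-service-cert.pem` decodes to a self-signed RSA-4096 certificate with subject `C=NL, ST=Gelderland, L=Arnhem, O=Alliander, OU=IT, CN=localhost`, `basicConstraints` critical `CA:TRUE`, only SKI/AKI/basicConstraints as extensions — no `subjectAltName` — and a validity of 2024-06-07 to 2034-06-05. Without a SAN, hostname verification of `https://localhost:9000` depends on the JDK's fallback to the CN, which still works in Java, but browsers and most non-JDK TLS clients reject CN-only certificates, so anything else that talks to the dev device service will fail; regenerate with `-addext "subjectAltName=DNS:localhost,IP:127.0.0.1"`. A ten-year `CA:TRUE` trust anchor is more than a localhost fixture needs; an end-entity certificate (`basicConstraints=CA:FALSE`, `extendedKeyUsage=serverAuth`) with a short lifetime limits the damage if the file is ever trusted by mistake. The diff contains no generation recipe; add one (script or README section) so the pair is recreated rather than copied around.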
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFsTCCA5mgAwIBAgIUQz2Jfjg4JkSsca8BVSafqt8mB0cwDQYJKoZIhvcNAQEL +BQAwaDELMAkGA1UEBhMCTkwxEzARBgNVBAgMCkdlbGRlcmxhbmQxDzANBgNVBAcM +BkFybmhlbTESMBAGA1UECgwJQWxsaWFuZGVyMQswCQYDVQQLDAJJVDESMBAGA1UE +AwwJbG9jYWxob3N0MB4XDTI0MDYwNzEwNTExMVoXDTM0MDYwNTEwNTExMVowaDEL +MAkGA1UEBhMCTkwxEzARBgNVBAgMCkdlbGRlcmxhbmQxDzANBgNVBAcMBkFybmhl +bTESMBAGA1UECgwJQWxsaWFuZGVyMQswCQYDVQQLDAJJVDESMBAGA1UEAwwJbG9j +YWxob3N0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApGs2eERv8/XM +FwN1B8puQLT7+b1rnxYKQZqblpPQwmb15ytWaVVBgDWaJV7re/ZeXD+B3wB0bo6j +X1xx4o6Ue25GTdQajTnD2/Oy8VATbTV45gyHqNfz6ourP7Bkt4xzeBjFYHTwLKKt +IOjHD7zgZ8ih74xpSeeUabsVz0zYI9URI6hSt8iRvti8ibCsWxvaO3lbLT87m+Ht +4cUg+j0phHQ3k/HU8KqtReKJCpSrBq9eyPAU1of4AXP/iMDi7vw5+iPPqtUKfpgN +dRwxiCnopjnUwIUbZ7G1U805zu6zEjOTlZNI0uTnNT24b2k79Ml05Qy+zn/3RPrh +16raHv0R3x9ZrE5I/GP3XX6sWEVrKjTsftkOFkCJACm/idtMoqOSrM/5bVTPBpMS +j7hjvO65CwgbfBeR1v+NUzpk+aFTglL72WI6bT28xhZLZb+xPu0DTilB5bfWUNmB +GewThY1uQdeq4n3bsPQeneXighba2oM4rkDQ15E/UML7qKDrCjs8vNSYzaG+PAjL +5ADxKkrM+KrSNiEUjPwAZvCF47XFsUEM5UTYggvoxIk90HAPG42zxklYRnA15BkL +yPMsduDZ4cf65goZWkXrLNkUoVYdEx1Bcfp2uJjeiE8X6dyIPAdEHvdkfRK8EGd8 +HFXuGjYcHSFAikZRyF9fc7nhiUfK/d0CAwEAAaNTMFEwHQYDVR0OBBYEFPNQWmxE +JCyHMgO8Yz5ACAbRWwbUMB8GA1UdIwQYMBaAFPNQWmxEJCyHMgO8Yz5ACAbRWwbU +MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAJKb79cLWd+8iBGW +5XW3ThAuLoMxVdTHWYScMXfSxB9hnG+Xac+v5/2Fe1wGMcSII05SwUnveiUFlj3V +9PPOOmKk1xlLXuXu3WEhotBt3MWywjf2GIrtF4uOLUvWajgBu8ASiXBOcw8my0fd +FUNwmNkxiqcgr9UvbYoeaTG594Jmp+we7P9OZO0NCHMHfsRPC2Qsz1F3AJfy1jAI +hm4JJvHvIAfBqxP+Z/SJTZP1xAXSS7JyzGGEz+H6ZLJabjd0kW/FIa0C4Lm8pHNH +qeFwLjQTMocFUaTLkbZVD2vPsGsl8PmzpWTt04EWd03kQGnFWtp4J9Gd1FQWPYMQ +zNYKvwmDKq9odQTViNzU6xHQmwo+mZM17KqRwkqKRPmXYH6mtqdpmxKEWynkWhwQ +jfBsJfqfJqrSfVyID0IbxZIAEgD2MOcH8KET8iImdvZyQcHC0NWJF8EDVvwnG2If +4oAlfKIwSxe4FQ0pG01MCGnWwncQt76d75k7fs1FO9DORCCYQdDxcI8M1uwzdxJG +1UQ/WbRxSlKalAwgzP8rL9LTA9naVR7FDjZTBaP3JJHcI7cEwkYiGDxYdFzjy8b2 
+dU5fGUoSNoWABVIGAQxpDlNqS4AZaQQxA9g7KHBUuLXaDvnG59yK36g0YlQBUbyh
+7mN89Z4HwosPDcA5cIfi/Wie/kfZ
+-----END CERTIFICATE-----
diff --git a/application/src/main/resources/ssl/dev-proxy-key.pem b/application/src/main/resources/ssl/dev-proxy-key.pem
new file mode 100644
index 0000000..df2c60a
--- /dev/null
+++ b/application/src/main/resources/ssl/dev-proxy-key.pem
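Review bot: `dev-proxy-cert.pem` carries exactly the same subject DN as `dev-device-service-cert.pem` (`…, O=Alliander, OU=IT, CN=localhost`) and is likewise a self-signed `CA:TRUE` root with no `subjectAltName`; if the device service authorises mTLS clients by subject DN, the proxy and the device service are indistinguishable, and a client certificate marked as a CA is a red flag for any policy that checks basicConstraints or `extendedKeyUsage`. Issue it as a leaf with a distinguishing name, e.g. `CN=coap-http-proxy-dev`, `basicConstraints=CA:FALSE`, `extendedKeyUsage=clientAuth`, so the dev setup exercises the same checks a production deployment will. Whether the device service inspects the DN at all is outside this diff and should be confirmed.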
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCkazZ4RG/z9cwX +A3UHym5AtPv5vWufFgpBmpuWk9DCZvXnK1ZpVUGANZolXut79l5cP4HfAHRujqNf +XHHijpR7bkZN1BqNOcPb87LxUBNtNXjmDIeo1/Pqi6s/sGS3jHN4GMVgdPAsoq0g +6McPvOBnyKHvjGlJ55RpuxXPTNgj1REjqFK3yJG+2LyJsKxbG9o7eVstPzub4e3h +xSD6PSmEdDeT8dTwqq1F4okKlKsGr17I8BTWh/gBc/+IwOLu/Dn6I8+q1Qp+mA11 +HDGIKeimOdTAhRtnsbVTzTnO7rMSM5OVk0jS5Oc1PbhvaTv0yXTlDL7Of/dE+uHX +qtoe/RHfH1msTkj8Y/ddfqxYRWsqNOx+2Q4WQIkAKb+J20yio5Ksz/ltVM8GkxKP +uGO87rkLCBt8F5HW/41TOmT5oVOCUvvZYjptPbzGFktlv7E+7QNOKUHlt9ZQ2YEZ +7BOFjW5B16rifduw9B6d5eKCFtragziuQNDXkT9QwvuooOsKOzy81JjNob48CMvk +APEqSsz4qtI2IRSM/ABm8IXjtcWxQQzlRNiCC+jEiT3QcA8bjbPGSVhGcDXkGQvI +8yx24Nnhx/rmChlaRess2RShVh0THUFx+na4mN6ITxfp3Ig8B0Qe92R9ErwQZ3wc +Ve4aNhwdIUCKRlHIX19zueGJR8r93QIDAQABAoICAAz92A/l5SG1/ZJ2SGLyn3EX +S+S2egCX8CdcZShfVYAS53caFnRxaIujUKLczpxyLGUQyJKGGZfFx19zhsp+dnmP ++QKmfJLwVPX2L4tqnB+wOWAWGTRhx0kfEEuSmiFjD0RWqBFAftzMCC7g7cpkI9LX +iIIiNQyXqENi0Beb9w/SbWME+8Tqq9IpvoYJCClqeJKOpYIcVw8GFF2XTbfa1C2+ +NXOyyLRb4XVI791T6h/3r0nkfIUHY9+Q2p4OkwU2uAm4QYJlCIoAZOnTbeTYM4+f +jgcd+BB4EH+cEvyzTEInLKVwPfFvZbHa3A4Dlu73PyMSdX42ys3wHp8ZBdir1E5N +qh2WRT9Y8ZGAw9WJT7kUVABAxkGZY/94VSZtng+56vZNDqTpawjjCUjApnRl25tG +7RkGON2D8KTks6FQp66UASS9SBDyBa4ntHYb0v+eI/zmAxlst2ljL4URh7gAy6OR +3swq/+tRTRN5hK87zHoOuclHwyraZXq5hF/EgdTGWuF3M/G1qPHDQnJHzqMkanPm +0zrkOlW67u4NiqsSzNAq9cQrG39fEN8caZzhOi/0m1mzq1vDAIQkh2bP+zDU3LVL +JB/ky/Y9QzsMZB3btUpt9PstdyKFTsRPnShU9SNCtE2fbWCl1c98D6DSXlKB6874 +bIoeCFhi9yrU3i85qYJ5AoIBAQDZYltasxPK2Czz70EtLBFeWaikHZhqD4kAI8MJ +ZA3L8l4uYkcc11QPHYD50+wappI/YGyuPsVY7TNu3nNrzuhwC4b6lR+8Tgu5P7jZ +GQIVl2QvBz+YCe3fKnxG1sA86Va3KrJjw3ntKPu3m2s++6UegRYV9ZqHS1pyNDHz +i5L7mB4vrVYMByYi7Lz2R8p4IAVVmYLyBTuOEMrxeYrxAyDF6W22THIUQRwycxI5 +tI2yzVBnXaNFetjZ6lKNhzVr2QwEUn6XIpv5cuEM0vYULSU2jCsCoWGX7vsTX/RZ +BjKSf70JWS6q+SJIi+04Zko91kWyR5jyLatmxFywAb2wppNpAoIBAQDBoDsHNiuG +ZNXNX76NROgy64uqEscLkWlnKrQmFgumeTJVEPcUDyGhsmdVLtL5zMCQQZ1u8OCc 
+noJgwUg9RXW6Kvg/7vvsdIYZTemNhKSu3t8KLSoNnTHjJSWM+Y+Y+AUxDUa3b8uw +2ff9GxMclfKM1G6HDprcbkTceNipO10WeMACZTH1FgTNuWf6zyEglgmo+/UHzgLZ +nsQJZOW4ZwskkSvihbo1mCrJVyr6tcVaXjuQVSQ8EJb+5ykeMrOD+vtE15fWokWh +g3tpOmbkZaND77da66ghgx7S7rECp5XKwgBuRdWxWmHLhIfaYp9AQa2ES5oIl6hB +AZjlmHzPNixVAoIBAGdyQczomQuXUdUHTvnDFcTTX8gxeT1HhUd2vTJz1YjvHlhu +Vi7oXU0QGjdI3PtVtxTHuxA0OM93mVkyLLTp8nyXT7VhT4fZkASoyTsuhmpl77vd +dCrS1sqzOg6v1S1nUOe7Psbw182/CgI2yJNhRxM8FJmAlfe6KSFdq0OdcOWfXwYL +M35nzIMkK0v7n+MIQeGZOtIXIV8aqKi+0RqeBXOJALeWq1buIQ/06IBjZmbnA1Md +ITxIGHei5YQKCqb205we8bTUOGs9etESdx3k2eeaTkFjMMEPbZWrvOi8ZUaH2Rpg +wS+FfQYO6GVFcCD7HZGYNrVQfFdcLEtpmK4+prkCggEAC1MMwMI5T3XsT0OvSGHk +Vr4SABNzEskhaghEWwnlCoqCGBmS6dhstiFSC9hePH/uL0G3LHroGCDpLTGAwRyj +4wyKUmruzwiNo0M8SqucWiHs15KGqB8ugMN2a8VY0bCH1TOalDX0qtZEu8fumThn +5Da0dC+1fPjyDBcBTPyM2DidukYi4tuz0jhqzW9514cO75Q044z3+7RecNI24U8d +hrj64RfDKUlKD1aKy/j/nuZuA2YHZX/u5N+uNvbuKuTt9zvIxKPfALBI8oGY7PjI +0LtfdPDdd4BMuDd/oNEeYKpyDgEFm4bWu2l37JziBYcR1+/4BVKhY5PtVlhRzGi1 +tQKCAQEAoBVaaLEEfHrcNVS7m+2sGFQdTaOZalwepV8TfPekk25/S6H3tp5QMdUD +18CQT1U2b0vQAn+zon1Wey5yqhNZHqaSIUCo07hBkAIyEV31bGa3Xn2bqRFbdgna +MJiRcQJ99lYtknDF9WF3dd19Szqlc49e6aVT2aJZsmWh74YUEM6WXmOOLKKcVrPE +2rQDkN6S/oaXBAsh5Vz/PN6cEDlGx+MkXQ3q9b5Xw27m0zStXxZrwBjSwhUdjOD7 +V3RWHePRjlR7pPpxPxal9dJxYOT35dkALOsa+UTWRMS3e4/0yU7jGF1BsdioWwex +GeQDPl/PZMayJ7wjD6slJbxa/HSmgA== +-----END PRIVATE KEY-----
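Review bot: `dev-proxy-key.pem` is an unencrypted PKCS#8 RSA private key committed to the repository; the BootJar exclusion keeps it out of the artifact, but it stays in git history indefinitely and will trip every secret scanner, so it has to be treated as public from this commit on. That is tolerable only as long as the matching `dev-proxy-cert.pem` (CN=localhost) is never trusted anywhere but a developer machine; make that explicit in the README or next to the dev profile, and add a deliberate allowlist entry for the scanner so a real key committed to the same path is not waved through by habit. Prefer generating the pair locally into a git-ignored location via a script or Gradle task, which also avoids the whole team sharing one key and lets the expiry be short. If this key has ever been used against anything other than localhost, rotate it now.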