Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Uniq certificate per openHAB instance #2

Closed
belovictor opened this issue Jul 16, 2014 · 33 comments
Closed

Uniq certificate per openHAB instance #2

belovictor opened this issue Jul 16, 2014 · 33 comments
Labels
enhancement An enhancement or new feature for an existing add-on
Milestone

Comments

@belovictor
Copy link

We need to replace pre-created certificate distributed with openHAB with a uniq certificate which should be generated during the first run on openHAB on a user's machine. Right now all openHABs have the same certificate (if user does nothing to change that) which is very insecure - anybody is able to implement man in the middle attack using publicly available certificate.

kaikreuzer pushed a commit that referenced this issue Apr 6, 2015
Merge with master

Merge pull request #2 from openhab/master

Merge with master

initial contribution of the pulseaudio binding, including discovery
service

Signed-off-by: Tobias Bräutigam <[email protected]>

- check if the server is connectable before creating a bridge for it
- add binding to pom.xml

Signed-off-by: Tobias Bräutigam <[email protected]>

use real pulseaudio item names

Signed-off-by: Tobias Bräutigam <[email protected]>

- finer grained thing definitions
- sink-inputs can be rerouted

Signed-off-by: Tobias Bräutigam <[email protected]>

- fixed misdefined channel
- some code cleanup

Signed-off-by: Tobias Bräutigam <[email protected]>

the mdns bundles name has changed

Signed-off-by: Tobias Bräutigam <[email protected]>

missing part of the last commit

Signed-off-by: Tobias Bräutigam <[email protected]>

changes due to Kai´s code review

Signed-off-by: Tobias Bräutigam <[email protected]>

log message removed

Signed-off-by: Tobias Bräutigam <[email protected]>

moved client connection into a scheduled runnable

Signed-off-by: Tobias Bräutigam <[email protected]>
kaikreuzer pushed a commit that referenced this issue Apr 11, 2015
@Stratehm
Copy link

Should the keystore with the unique certificate be removed from the openHAB package and a new keystore/self-signed certificate be generated at the openHAB startup if no user-defined keystore is provided and if no keystore is already present in runtime\etc ?

If so, where the certificate generator should be located ? In the org.openhb.io.jetty bundle ?

@kaikreuzer
Copy link
Member

I tried to look around, but did not find any way to create a self-signed certificate from within Java. Did you find any possibility? If so, we can discuss the best place to put it as a second step :-)

@maggu2810
Copy link

Someone could perhaps have a further look at this one: https://www.bouncycastle.org/java.html

"Except where otherwise stated, this software is distributed under a license based on the MIT X Consortium license. To view the license, see here (https://www.bouncycastle.org/license.html). The OpenPGP library also includes a modified BZIP2 library which is licensed under the Apache Software License, Version 1.1 (http://www.apache.org/licenses/)."

http://blog.thilinamb.com/2010/01/how-to-generate-self-signed.html

@Stratehm
Copy link

I have already developped this feature for one of my project and it could be reused with minor modifications. It indeed uses BouncyCastle.

The code is available here (at line 395): https://github.com/Stratehm/stratum-proxy/blob/master/src/main/java/strat/mining/stratum/proxy/Launcher.java

@maggu2810
Copy link

Wuha, great number of imports ;-)

@kaikreuzer
Copy link
Member

Do you have any idea about the size of dependencies this draws in? Bouncycastle alone seems to have 3MB already. I would like to avoid that for such a small feature, the minimal runtime grows significantly.

@Stratehm
Copy link

It needs 2 dependencies: org.bouncycastle.bcprov-jdk15on (the JAR is 2.8 MB) and org.bouncycastle.bcpkix-jdk15on (the JAR is 608 KB).

@kaikreuzer
Copy link
Member

Which confirms that it is rather huge... So I would opt to put it into a bundle on its own and we can let people decide whether they want it or not. The problem is that the code only needs to be executed a single time - afterwards, it is just ballast :-| Maybe we could also automatically uninstall it once we have Karaf in place...

@Stratehm
Copy link

If this bundle is not included with the minimal runtime, I think not many people will use it (since they may not understant the ins and the outs of this bundle).
Thus the bundle may not be needed. Maybe a simple documentation is enough to explain how to replace the openhab.org certificate with a new one in the packaged keystore by using command line tools.

@kaikreuzer
Copy link
Member

If this bundle is not included with the minimal runtime

Well, I would say that it can be in the "standard" runtime, but it should be possible for users to strip it down, so that this bundle is not part of it anymore. And for that, we would need it in a separate bundle and not within io.jetty (which always has to be present).

@Stratehm
Copy link

When I extract only the needed classes of BouncyCastle to generate the certificate (since we just need a little part of BouncyCastle features), the resulting package is only 504 KB. We could re-package these classes directly in the new bundle (I think the MIT license allows it if we provide a copy of the license with the bundle).

@kaikreuzer
Copy link
Member

Sounds good!

@maggu2810
Copy link

@kaikreuzer Is the problem the size of used RAM at runtime or the size of
the bundle in the file system?
If just the RAM is the problem, I would prefer using some logic, that
install the bundle, generates the feature and uninstalls it - and doing
that only once.
I do not prefer of greating a new unofficial bundle that contains a subset
of packages / classes of another pacckage. Who does fix bugs in cert
generation, ...
On Sep 25, 2015 3:07 PM, "Kai Kreuzer" [email protected] wrote:

Sounds good!


Reply to this email directly or view it on GitHub
#2 (comment).

@kaikreuzer
Copy link
Member

Is the problem the size of used RAM at runtime or the size of
the bundle in the file system?

I would say both.

I do not prefer of greating a new unofficial bundle that contains a subset
of packages / classes of another pacckage

That's a valid point. But I think this repackaging can also be easily automated (like with http://sonatype.github.io/jarjar-maven-plugin/), so that it should not be too hard to update to a newer version of the external lib. This would mean though, that @Stratehm indeed should not include the sources directly, but rather a stripped down jar.

@Stratehm
Copy link

I do not prefer of greating a new unofficial bundle that contains a subset of packages / classes of another pacckage. Who does fix bugs in cert generation, ...

Agree, it is a real problem.

I think this repackaging can also be easily automated (like with http://sonatype.github.io/jarjar-maven-plugin/),

The maven plugin you mention seems to repackage by selecting packages/classes from jars based on static rules.
To obtain a 504 KB package, we have to select only classes that are really needed. Since I do not know any tools which do it, I had to write a small program which extract all the transitives imports from a base class (in this case, the certificate generator class). Since the BouncyCastle classes involved in the certificate generation may change in future BouncyCastle releases, we have to build dynamically the list of needed classes to repackage and not rely on a pre-build classes list.
=> The build of a new stripped down jar from a newer version of BouncyCastle may not be easy to automate.

=> Is this complexity justified to save 2.5 MB ?

@kaikreuzer
Copy link
Member

=> Is this complexity justified to save 2.5 MB ?

If package level filtering isn't sufficient, then probably no. Is there any gain possible purely through package filtering or doesn't this have any significant effect?

@maggu2810
Copy link

maggu2810 commented Sep 25, 2015 via email

@Stratehm
Copy link

Is there any gain possible purely through package filtering or doesn't this have any significant effect?

Unfortunately no effect, since you then embed unneeded classes that requires some other packages, which then in turn requires other packages and so on. So finally, you just have embedded all the BouncyCastle classes and rebuilt the original package... :$

we can use the upstream bundle as dependency

Which upstream bundle ?

But as it is still a one time procedure, we could perhaps find another solution at all.

Right. At the same time, as @kaikreuzer stated, we should try to find a way to automate the BouncyCastle extraction process with maven since it may solve the problem.

EDIT: Just remember about the maven-shade-plugin. It packages all the maven dependencies into the built jar and it seems it is able to remove all the classes that are not used in the project. I will look further.

@Stratehm
Copy link

The jar built with the maven-shade-plugin is functionnal and is about 350 KB. Great.

Unfortunately, I will not be able to create the new bundle since I do not know OSGi bundle development well enough (particularly the interaction between Maven and OSGi build which is a bit magical to me :).
But I can provide the certificate generation source code and the Maven configuration to build a standalone JAR. Maybe you could create the bundle from all of that.

@kaikreuzer
Copy link
Member

You could add the configuration to the pom.xml of your bundle and have the jar created in the /lib folder of your bundle; then this does not have anything to do with the OSGi stuff of the build, but it will make sure that the Maven build automatically creates a recent version of the jar.

@Stratehm
Copy link

Ok, I will try that. Thanks.

@Stratehm
Copy link

It is almost done. The certificate generation works if no keystore is already present and the bundle has a size of 357 KB.
I still have a problem: At the first launch, when no keystore is present, jetty tries to load the keystore and fails since the certificate generation bundle is started after Jetty. How could I do to be sure the certificate generation bundle start before Jetty ?

@kaikreuzer
Copy link
Member

@maggu2810
Copy link

The property exist in the karaf branch only, but we should use
"${openhab.userdata}" for the manual created keystore, shouldn't we?
Writing to runtime[/etc] should not be done at runtime

2015-09-29 11:44 GMT+02:00 Kai Kreuzer [email protected]:

That should hopefully work if you add it here
https://github.com/openhab/openhab2/blob/master/products/org.openhab.product.runtime/org.openhab.runtime.product.product#L38
with startlevel 2 or 3.


Reply to this email directly or view it on GitHub
#2 (comment).

@maggu2810
Copy link

I do not know how much bits you are using for the private key, but the
generation of a "strong" private key could be take some time.
If I use Karaf with ssh feature and does not provide a pre-generated SSH,
the a key is generated on the first login.
If I try to login first, I get a timeout (120 s). The machine consists of
an A20 CPU (dual ARM Cortex-A7 cores; 2x 1GHz) with 2 GB RAM.
Perhaps @kaikreuzer this could be interesting for you as you target RPi,
too.

2015-09-29 13:22 GMT+02:00 Markus Rathgeb [email protected]:

The property exist in the karaf branch only, but we should use
"${openhab.userdata}" for the manual created keystore, shouldn't we?
Writing to runtime[/etc] should not be done at runtime

2015-09-29 11:44 GMT+02:00 Kai Kreuzer [email protected]:

That should hopefully work if you add it here
https://github.com/openhab/openhab2/blob/master/products/org.openhab.product.runtime/org.openhab.runtime.product.product#L38
with startlevel 2 or 3.


Reply to this email directly or view it on GitHub
#2 (comment).

@kaikreuzer
Copy link
Member

120s? Are you serious...? This would indeed be a no-go for the initial startup.

Could we ship with the existing certificate, so that Jetty starts up correctly and then simply replace it silently in the background (or triggering it as a manual installation step)?

@maggu2810
Copy link

Do not know which implementation this ssh daemon for Java is using, but
yes, I am get this timeout.
At get it also with my Udoo (CPU: "Freescale i.MX6Quad, 4 x ARM® Cortex™-A9
core @ 1GHz with ARMv7A instruction set").

Could we ship with the existing certificate, so that Jetty starts up
correctly and then simply replace it silently in the background (or
triggering it as a manual installation step)?

This will result in two keystores, one in runtime, one in userdata.
The openhab jetty bundle have to check if there is one in userdata and
change the jetty property which keystore should be used...

lkn94 referenced this issue in lkn94/openhab2-addons Jul 17, 2019
Added new functions for the binding
Dries-Vandenneucker pushed a commit to Dries-Vandenneucker/openhab-addons that referenced this issue May 21, 2020
Add tecalor thing-type and fix percent channel
GerdZanker pushed a commit to GerdZanker/openhab-addons that referenced this issue Jun 25, 2020
Support for Bosch Shutter Control in-wall device
Wawszczak pushed a commit to Wawszczak/openhab-addons that referenced this issue Oct 22, 2020
fwolter referenced this issue in fwolter/openhab-addons Dec 2, 2020
Signed-off-by: Fabian Wolter <[email protected]>
fwolter referenced this issue in fwolter/openhab-addons Dec 11, 2021
Flole998 pushed a commit to Flole998/openhab-addons that referenced this issue Dec 30, 2021
only install feature if name is not blank
lolodomo pushed a commit to lolodomo/openhab-addons that referenced this issue Jan 8, 2022
lolodomo pushed a commit to lolodomo/openhab-addons that referenced this issue Jan 9, 2022
altaroca added a commit to altaroca/openhab-addons that referenced this issue Jun 14, 2022
lsiepel referenced this issue in lsiepel/openhab-addons Jan 4, 2023
Signed-off-by: lsiepel <[email protected]>
HolgerHees added a commit to jsjames/openhab-addons that referenced this issue Jan 6, 2025
Graal engine working - occasional "info" is null
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement An enhancement or new feature for an existing add-on
Projects
None yet
Development

No branches or pull requests

5 participants