-
-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Uniq certificate per openHAB instance #2
Comments
Merge with master Merge pull request #2 from openhab/master Merge with master initial contribution of the pulseaudio binding, including discovery service Signed-off-by: Tobias Bräutigam <[email protected]> - check if the server is connectable before creating a bridge for it - add binding to pom.xml Signed-off-by: Tobias Bräutigam <[email protected]> use real pulseaudio item names Signed-off-by: Tobias Bräutigam <[email protected]> - finer grained thing definitions - sink-inputs can be rerouted Signed-off-by: Tobias Bräutigam <[email protected]> - fixed misdefined channel - some code cleanup Signed-off-by: Tobias Bräutigam <[email protected]> the mdns bundles name has changed Signed-off-by: Tobias Bräutigam <[email protected]> missing part of the last commit Signed-off-by: Tobias Bräutigam <[email protected]> changes due to Kai´s code review Signed-off-by: Tobias Bräutigam <[email protected]> log message removed Signed-off-by: Tobias Bräutigam <[email protected]> moved client connection into a scheduled runnable Signed-off-by: Tobias Bräutigam <[email protected]>
Should the keystore with the unique certificate be removed from the openHAB package and a new keystore/self-signed certificate be generated at the openHAB startup if no user-defined keystore is provided and if no keystore is already present in runtime\etc ? If so, where the certificate generator should be located ? In the org.openhb.io.jetty bundle ? |
I tried to look around, but did not find any way to create a self-signed certificate from within Java. Did you find any possibility? If so, we can discuss the best place to put it as a second step :-) |
Someone could perhaps have a further look at this one: https://www.bouncycastle.org/java.html "Except where otherwise stated, this software is distributed under a license based on the MIT X Consortium license. To view the license, see here (https://www.bouncycastle.org/license.html). The OpenPGP library also includes a modified BZIP2 library which is licensed under the Apache Software License, Version 1.1 (http://www.apache.org/licenses/)." http://blog.thilinamb.com/2010/01/how-to-generate-self-signed.html |
I have already developped this feature for one of my project and it could be reused with minor modifications. It indeed uses BouncyCastle. The code is available here (at line 395): https://github.com/Stratehm/stratum-proxy/blob/master/src/main/java/strat/mining/stratum/proxy/Launcher.java |
Wuha, great number of imports ;-) |
Do you have any idea about the size of dependencies this draws in? Bouncycastle alone seems to have 3MB already. I would like to avoid that for such a small feature, the minimal runtime grows significantly. |
It needs 2 dependencies: org.bouncycastle.bcprov-jdk15on (the JAR is 2.8 MB) and org.bouncycastle.bcpkix-jdk15on (the JAR is 608 KB). |
Which confirms that it is rather huge... So I would opt to put it into a bundle on its own and we can let people decide whether they want it or not. The problem is that the code only needs to be executed a single time - afterwards, it is just ballast :-| Maybe we could also automatically uninstall it once we have Karaf in place... |
If this bundle is not included with the minimal runtime, I think not many people will use it (since they may not understant the ins and the outs of this bundle). |
Well, I would say that it can be in the "standard" runtime, but it should be possible for users to strip it down, so that this bundle is not part of it anymore. And for that, we would need it in a separate bundle and not within io.jetty (which always has to be present). |
When I extract only the needed classes of BouncyCastle to generate the certificate (since we just need a little part of BouncyCastle features), the resulting package is only 504 KB. We could re-package these classes directly in the new bundle (I think the MIT license allows it if we provide a copy of the license with the bundle). |
Sounds good! |
@kaikreuzer Is the problem the size of used RAM at runtime or the size of
|
I would say both.
That's a valid point. But I think this repackaging can also be easily automated (like with http://sonatype.github.io/jarjar-maven-plugin/), so that it should not be too hard to update to a newer version of the external lib. This would mean though, that @Stratehm indeed should not include the sources directly, but rather a stripped down jar. |
Agree, it is a real problem.
The maven plugin you mention seems to repackage by selecting packages/classes from jars based on static rules. => Is this complexity justified to save 2.5 MB ? |
If package level filtering isn't sufficient, then probably no. Is there any gain possible purely through package filtering or doesn't this have any significant effect? |
If we greate a bundle that generates a unique certificate, we can use the
upstream bundle as dependency. The normal runtime does not contain that
bundle. If someone decide to use / need it, that one has to live 2.5 MB.
But as it is still a one time procedure, we could perhaps find another
solution at all. Will also think about it.
|
Unfortunately no effect, since you then embed unneeded classes that requires some other packages, which then in turn requires other packages and so on. So finally, you just have embedded all the BouncyCastle classes and rebuilt the original package... :$
Which upstream bundle ?
Right. At the same time, as @kaikreuzer stated, we should try to find a way to automate the BouncyCastle extraction process with maven since it may solve the problem. EDIT: Just remember about the maven-shade-plugin. It packages all the maven dependencies into the built jar and it seems it is able to remove all the classes that are not used in the project. I will look further. |
The jar built with the maven-shade-plugin is functionnal and is about 350 KB. Great. Unfortunately, I will not be able to create the new bundle since I do not know OSGi bundle development well enough (particularly the interaction between Maven and OSGi build which is a bit magical to me :). |
You could add the configuration to the pom.xml of your bundle and have the jar created in the /lib folder of your bundle; then this does not have anything to do with the OSGi stuff of the build, but it will make sure that the Maven build automatically creates a recent version of the jar. |
Ok, I will try that. Thanks. |
It is almost done. The certificate generation works if no keystore is already present and the bundle has a size of 357 KB. |
That should hopefully work if you add it here https://github.com/openhab/openhab2/blob/master/products/org.openhab.product.runtime/org.openhab.runtime.product.product#L38 with startlevel 2 or 3. |
The property exist in the karaf branch only, but we should use 2015-09-29 11:44 GMT+02:00 Kai Kreuzer [email protected]:
|
I do not know how much bits you are using for the private key, but the 2015-09-29 13:22 GMT+02:00 Markus Rathgeb [email protected]:
|
120s? Are you serious...? This would indeed be a no-go for the initial startup. Could we ship with the existing certificate, so that Jetty starts up correctly and then simply replace it silently in the background (or triggering it as a manual installation step)? |
Do not know which implementation this ssh daemon for Java is using, but
This will result in two keystores, one in runtime, one in userdata. |
Added new functions for the binding
Add tecalor thing-type and fix percent channel
Support for Bosch Shutter Control in-wall device
Signed-off-by: Fabian Wolter <[email protected]>
only install feature if name is not blank
Default translation properties
Signed-off-by: lsiepel <[email protected]>
Graal engine working - occasional "info" is null
We need to replace pre-created certificate distributed with openHAB with a uniq certificate which should be generated during the first run on openHAB on a user's machine. Right now all openHABs have the same certificate (if user does nothing to change that) which is very insecure - anybody is able to implement man in the middle attack using publicly available certificate.
The text was updated successfully, but these errors were encountered: