This is an automated email from the ASF dual-hosted git repository.

rong pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git


The following commit(s) were added to refs/heads/master by this push:
     new 5ff214ef313 Pipe: Fixed the bug that certificate cannot be trusted in 
OPC UA connector (#13495)
5ff214ef313 is described below

commit 5ff214ef313fb716efd17e93f3d26119a8ded544
Author: Caideyipi <[email protected]>
AuthorDate: Fri Sep 13 11:27:55 2024 +0800

    Pipe: Fixed the bug that certificate cannot be trusted in OPC UA connector 
(#13495)
---
 .../connector/protocol/opcua/OpcUaNameSpace.java   |   1 +
 .../protocol/opcua/OpcUaServerBuilder.java         | 150 +++++++++++----------
 2 files changed, 83 insertions(+), 68 deletions(-)

diff --git 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/connector/protocol/opcua/OpcUaNameSpace.java
 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/connector/protocol/opcua/OpcUaNameSpace.java
index d121c1d4396..cc2f7d57aa1 100644
--- 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/connector/protocol/opcua/OpcUaNameSpace.java
+++ 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/connector/protocol/opcua/OpcUaNameSpace.java
@@ -87,6 +87,7 @@ public class OpcUaNameSpace extends 
ManagedNamespaceWithLifecycle {
               @Override
               public void shutdown() {
                 getServer().shutdown();
+                builder.close();
               }
             });
   }
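Review bot: `builder.close()` on the line after `getServer().shutdown()` is skipped when shutdown throws, so the trust list manager it releases would stay open on a failed shutdown. Placing it in a finally block, `try { getServer().shutdown(); } finally { builder.close(); }`, makes the release unconditional. The enclosing anonymous class and the method that registers it start outside the hunk.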
diff --git 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/connector/protocol/opcua/OpcUaServerBuilder.java
 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/connector/protocol/opcua/OpcUaServerBuilder.java
index 316a4fb72b7..29b8ddd282a 100644
--- 
a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/connector/protocol/opcua/OpcUaServerBuilder.java
+++ 
b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/connector/protocol/opcua/OpcUaServerBuilder.java
@@ -49,7 +49,9 @@ import 
org.eclipse.milo.opcua.stack.server.security.DefaultServerCertificateVali
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.io.Closeable;
 import java.io.File;
+import java.io.IOException;
 import java.nio.file.FileSystems;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -71,7 +73,7 @@ import static 
org.eclipse.milo.opcua.stack.core.types.builtin.unsigned.Unsigned.
  * OPC UA Server builder for IoTDB to send data. The coding style referenced 
ExampleServer.java in
  * Eclipse Milo.
  */
-public class OpcUaServerBuilder {
+public class OpcUaServerBuilder implements Closeable {
   private static final Logger LOGGER = 
LoggerFactory.getLogger(OpcUaServerBuilder.class);
 
   private static final String WILD_CARD_ADDRESS = "0.0.0.0";
@@ -82,6 +84,7 @@ public class OpcUaServerBuilder {
   private String password;
   private Path securityDir;
   private boolean enableAnonymousAccess;
+  private DefaultTrustListManager trustListManager;
 
   OpcUaServerBuilder() {
     tcpBindPort = 
PipeConnectorConstant.CONNECTOR_OPC_UA_TCP_BIND_PORT_DEFAULT_VALUE;
@@ -143,73 +146,73 @@ public class OpcUaServerBuilder {
         new DefaultCertificateManager(loader.getServerKeyPair(), 
loader.getServerCertificate());
 
     final OpcUaServerConfig serverConfig;
-    try (final DefaultTrustListManager trustListManager = new 
DefaultTrustListManager(pkiDir)) {
-      LOGGER.info(
-          "Certificate directory is: {}, Please move certificates from the 
reject dir to the trusted directory to allow encrypted access",
-          pkiDir.getAbsolutePath());
-
-      final KeyPair httpsKeyPair = 
SelfSignedCertificateGenerator.generateRsaKeyPair(2048);
-
-      final SelfSignedHttpsCertificateBuilder httpsCertificateBuilder =
-          new SelfSignedHttpsCertificateBuilder(httpsKeyPair);
-      httpsCertificateBuilder.setCommonName(HostnameUtil.getHostname());
-      
HostnameUtil.getHostnames(WILD_CARD_ADDRESS).forEach(httpsCertificateBuilder::addDnsName);
-      final X509Certificate httpsCertificate = httpsCertificateBuilder.build();
-
-      final DefaultServerCertificateValidator certificateValidator =
-          new DefaultServerCertificateValidator(trustListManager);
-
-      final UsernameIdentityValidator identityValidator =
-          new UsernameIdentityValidator(
-              enableAnonymousAccess,
-              authChallenge ->
-                  authChallenge.getUsername().equals(user)
-                      && authChallenge.getPassword().equals(password));
-
-      final X509IdentityValidator x509IdentityValidator = new 
X509IdentityValidator(c -> true);
-
-      final X509Certificate certificate =
-          certificateManager.getCertificates().stream()
-              .findFirst()
-              .orElseThrow(
-                  () ->
-                      new UaRuntimeException(
-                          StatusCodes.Bad_ConfigurationError, "No certificate 
found"));
-
-      final String applicationUri =
-          CertificateUtil.getSanUri(certificate)
-              .orElseThrow(
-                  () ->
-                      new UaRuntimeException(
-                          StatusCodes.Bad_ConfigurationError,
-                          "Certificate is missing the application URI"));
-
-      final Set<EndpointConfiguration> endpointConfigurations =
-          createEndpointConfigurations(certificate, tcpBindPort, 
httpsBindPort);
-
-      serverConfig =
-          OpcUaServerConfig.builder()
-              .setApplicationUri(applicationUri)
-              .setApplicationName(LocalizedText.english("Apache IoTDB OPC UA 
server"))
-              .setEndpoints(endpointConfigurations)
-              .setBuildInfo(
-                  new BuildInfo(
-                      "urn:apache:iotdb:opc-ua-server",
-                      "apache",
-                      "Apache IoTDB OPC UA server",
-                      OpcUaServer.SDK_VERSION,
-                      "",
-                      DateTime.now()))
-              .setCertificateManager(certificateManager)
-              .setTrustListManager(trustListManager)
-              .setCertificateValidator(certificateValidator)
-              .setHttpsKeyPair(httpsKeyPair)
-              .setHttpsCertificateChain(new X509Certificate[] 
{httpsCertificate})
-              .setIdentityValidator(
-                  new CompositeValidator(identityValidator, 
x509IdentityValidator))
-              .setProductUri("urn:apache:iotdb:opc-ua-server")
-              .build();
-    }
+
+    trustListManager = new DefaultTrustListManager(pkiDir);
+
+    LOGGER.info(
+        "Certificate directory is: {}, Please move certificates from the 
reject dir to the trusted directory to allow encrypted access",
+        pkiDir.getAbsolutePath());
+
+    final KeyPair httpsKeyPair = 
SelfSignedCertificateGenerator.generateRsaKeyPair(2048);
+
+    final SelfSignedHttpsCertificateBuilder httpsCertificateBuilder =
+        new SelfSignedHttpsCertificateBuilder(httpsKeyPair);
+    httpsCertificateBuilder.setCommonName(HostnameUtil.getHostname());
+    
HostnameUtil.getHostnames(WILD_CARD_ADDRESS).forEach(httpsCertificateBuilder::addDnsName);
+    final X509Certificate httpsCertificate = httpsCertificateBuilder.build();
+
+    final DefaultServerCertificateValidator certificateValidator =
+        new DefaultServerCertificateValidator(trustListManager);
+
+    final UsernameIdentityValidator identityValidator =
+        new UsernameIdentityValidator(
+            enableAnonymousAccess,
+            authChallenge ->
+                authChallenge.getUsername().equals(user)
+                    && authChallenge.getPassword().equals(password));
+
+    final X509IdentityValidator x509IdentityValidator = new 
X509IdentityValidator(c -> true);
+
+    final X509Certificate certificate =
+        certificateManager.getCertificates().stream()
+            .findFirst()
+            .orElseThrow(
+                () ->
+                    new UaRuntimeException(
+                        StatusCodes.Bad_ConfigurationError, "No certificate 
found"));
+
+    final String applicationUri =
+        CertificateUtil.getSanUri(certificate)
+            .orElseThrow(
+                () ->
+                    new UaRuntimeException(
+                        StatusCodes.Bad_ConfigurationError,
+                        "Certificate is missing the application URI"));
+
+    final Set<EndpointConfiguration> endpointConfigurations =
+        createEndpointConfigurations(certificate, tcpBindPort, httpsBindPort);
+
+    serverConfig =
+        OpcUaServerConfig.builder()
+            .setApplicationUri(applicationUri)
+            .setApplicationName(LocalizedText.english("Apache IoTDB OPC UA 
server"))
+            .setEndpoints(endpointConfigurations)
+            .setBuildInfo(
+                new BuildInfo(
+                    "urn:apache:iotdb:opc-ua-server",
+                    "apache",
+                    "Apache IoTDB OPC UA server",
+                    OpcUaServer.SDK_VERSION,
+                    "",
+                    DateTime.now()))
+            .setCertificateManager(certificateManager)
+            .setTrustListManager(trustListManager)
+            .setCertificateValidator(certificateValidator)
+            .setHttpsKeyPair(httpsKeyPair)
+            .setHttpsCertificateChain(new X509Certificate[] {httpsCertificate})
+            .setIdentityValidator(new CompositeValidator(identityValidator, 
x509IdentityValidator))
+            .setProductUri("urn:apache:iotdb:opc-ua-server")
+            .build();
 
     // Setup server to enable event posting
     final OpcUaServer server = new OpcUaServer(serverConfig);
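Review bot: After `trustListManager = new DefaultTrustListManager(pkiDir);` the manager is no longer released when a later step throws — the removed try-with-resources did that, whereas the new field is only closed by `close()`, which the other file in this commit invokes from shutdown(), i.e. only after a successful build (the `UaRuntimeException` on a missing certificate is one such later failure). Wrapping the remainder of the method as `try { … } catch (final RuntimeException e) { close(); throw e; }` (widened to whatever the method's throws clause covers) restores the old cleanup, and the assignment should first close any manager left by a previous call so a reused builder does not leak one. The field is written here and read from `close()`, possibly on another thread; if that is the case a `volatile` field or a synchronized handoff is needed. Separately, `new X509IdentityValidator(c -> true)` accepts any certificate offered as a user identity token; if user-level X.509 authentication is meant to be limited to trusted certificates, the predicate should consult the trust list instead of returning true unconditionally. The enclosing build method starts and ends outside the hunk.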
@@ -325,4 +328,15 @@ public class OpcUaServerBuilder {
               tcpBindPort, httpsBindPort, attrName, thisAttr, attrName, 
thatAttr));
     }
   }
+
+  @Override
+  public void close() {
+    if (Objects.nonNull(trustListManager)) {
+      try {
+        trustListManager.close();
+      } catch (final IOException e) {
+        LOGGER.warn("Failed to close trustListManager, because {}.", 
e.getMessage());
+      }
+    }
+  }
 }
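Review bot: The warn call in `close()` logs only `e.getMessage()`, which drops the exception type and stack trace that would show why the trust list directory could not be released; pass the exception as the last argument instead, `LOGGER.warn("Failed to close trustListManager.", e);`. The field is also left set after closing, so a second `close()` (shutdown paths are often run more than once) calls `trustListManager.close()` again on an already-closed manager; assigning `trustListManager = null;` after the close, or in a finally, makes the method idempotent. Whether DefaultTrustListManager tolerates a repeated close is not visible here, so the null-out is the safe choice.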
