Feature: MQTT add TLS authentication
User asked for TLS client certificate based login from DTU to MQTT server. This PR implements storage and use of x509 client certificate and private key. Signed-off-by: Martin Dummer <martin.dummer@gmx.net>
This commit is contained in:
Martin Dummer
parent
12d7349699
commit
971ae6d1be
@ -90,6 +90,9 @@ struct CONFIG_T {
|
||||
bool Mqtt_Hass_IndividualPanels;
|
||||
bool Mqtt_Tls;
|
||||
char Mqtt_RootCaCert[MQTT_MAX_ROOT_CA_CERT_STRLEN + 1];
|
||||
bool Mqtt_TlsCertLogin;
|
||||
char Mqtt_ClientCert[MQTT_MAX_ROOT_CA_CERT_STRLEN + 1];
|
||||
char Mqtt_ClientKey[MQTT_MAX_ROOT_CA_CERT_STRLEN + 1];
|
||||
|
||||
char Mqtt_Hostname[MQTT_MAX_HOSTNAME_STRLEN + 1];
|
||||
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
|
||||
#include <ESPAsyncWebServer.h>
|
||||
|
||||
#define MQTT_JSON_DOC_SIZE 3072
|
||||
#define MQTT_JSON_DOC_SIZE 10240
|
||||
|
||||
class WebApiMqttClass {
|
||||
public:
|
||||
|
||||
@ -66,6 +66,9 @@
|
||||
"mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d\n" \
|
||||
"emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=\n" \
|
||||
"-----END CERTIFICATE-----\n"
|
||||
#define MQTT_TLSCERTLOGIN false
|
||||
#define MQTT_TLSCLIENTCERT ""
|
||||
#define MQTT_TLSCLIENTKEY ""
|
||||
#define MQTT_LWT_TOPIC "dtu/status"
|
||||
#define MQTT_LWT_ONLINE "online"
|
||||
#define MQTT_LWT_OFFLINE "offline"
|
||||
|
||||
@ -65,6 +65,9 @@ bool ConfigurationClass::write()
|
||||
JsonObject mqtt_tls = mqtt.createNestedObject("tls");
|
||||
mqtt_tls["enabled"] = config.Mqtt_Tls;
|
||||
mqtt_tls["root_ca_cert"] = config.Mqtt_RootCaCert;
|
||||
mqtt_tls["certlogin"] = config.Mqtt_TlsCertLogin;
|
||||
mqtt_tls["client_cert"] = config.Mqtt_ClientCert;
|
||||
mqtt_tls["client_key"] = config.Mqtt_ClientKey;
|
||||
|
||||
JsonObject mqtt_hass = mqtt.createNestedObject("hass");
|
||||
mqtt_hass["enabled"] = config.Mqtt_Hass_Enabled;
|
||||
@ -202,6 +205,9 @@ bool ConfigurationClass::read()
|
||||
JsonObject mqtt_tls = mqtt["tls"];
|
||||
config.Mqtt_Tls = mqtt_tls["enabled"] | MQTT_TLS;
|
||||
strlcpy(config.Mqtt_RootCaCert, mqtt_tls["root_ca_cert"] | MQTT_ROOT_CA_CERT, sizeof(config.Mqtt_RootCaCert));
|
||||
config.Mqtt_TlsCertLogin = mqtt_tls["certlogin"] | MQTT_TLSCERTLOGIN;
|
||||
strlcpy(config.Mqtt_ClientCert, mqtt_tls["client_cert"] | MQTT_TLSCLIENTCERT, sizeof(config.Mqtt_ClientCert));
|
||||
strlcpy(config.Mqtt_ClientKey, mqtt_tls["client_key"] | MQTT_TLSCLIENTKEY, sizeof(config.Mqtt_ClientKey));
|
||||
|
||||
JsonObject mqtt_hass = mqtt["hass"];
|
||||
config.Mqtt_Hass_Enabled = mqtt_hass["enabled"] | MQTT_HASS_ENABLED;
|
||||
|
||||
@ -104,7 +104,12 @@ void MqttSettingsClass::performConnect()
|
||||
if (config.Mqtt_Tls) {
|
||||
static_cast<espMqttClientSecure*>(mqttClient)->setCACert(config.Mqtt_RootCaCert);
|
||||
static_cast<espMqttClientSecure*>(mqttClient)->setServer(config.Mqtt_Hostname, config.Mqtt_Port);
|
||||
if (config.Mqtt_TlsCertLogin) {
|
||||
static_cast<espMqttClientSecure*>(mqttClient)->setCertificate(config.Mqtt_ClientCert);
|
||||
static_cast<espMqttClientSecure*>(mqttClient)->setPrivateKey(config.Mqtt_ClientKey);
|
||||
} else {
|
||||
static_cast<espMqttClientSecure*>(mqttClient)->setCredentials(config.Mqtt_Username, config.Mqtt_Password);
|
||||
}
|
||||
static_cast<espMqttClientSecure*>(mqttClient)->setWill(willTopic.c_str(), 2, config.Mqtt_Retain, config.Mqtt_LwtValue_Offline);
|
||||
static_cast<espMqttClientSecure*>(mqttClient)->setClientId(clientId.c_str());
|
||||
static_cast<espMqttClientSecure*>(mqttClient)->onConnect(std::bind(&MqttSettingsClass::onMqttConnect, this, _1));
|
||||
|
||||
@ -45,6 +45,8 @@ void WebApiMqttClass::onMqttStatus(AsyncWebServerRequest* request)
|
||||
root["mqtt_retain"] = config.Mqtt_Retain;
|
||||
root["mqtt_tls"] = config.Mqtt_Tls;
|
||||
root["mqtt_root_ca_cert_info"] = getRootCaCertInfo(config.Mqtt_RootCaCert);
|
||||
root["mqtt_tls_cert_login"] = config.Mqtt_TlsCertLogin;
|
||||
root["mqtt_client_cert_info"] = getRootCaCertInfo(config.Mqtt_ClientCert);
|
||||
root["mqtt_lwt_topic"] = String(config.Mqtt_Topic) + config.Mqtt_LwtTopic;
|
||||
root["mqtt_publish_interval"] = config.Mqtt_PublishInterval;
|
||||
root["mqtt_hass_enabled"] = config.Mqtt_Hass_Enabled;
|
||||
@ -76,6 +78,9 @@ void WebApiMqttClass::onMqttAdminGet(AsyncWebServerRequest* request)
|
||||
root["mqtt_retain"] = config.Mqtt_Retain;
|
||||
root["mqtt_tls"] = config.Mqtt_Tls;
|
||||
root["mqtt_root_ca_cert"] = config.Mqtt_RootCaCert;
|
||||
root["mqtt_tls_cert_login"] = config.Mqtt_TlsCertLogin;
|
||||
root["mqtt_client_cert"] = config.Mqtt_ClientCert;
|
||||
root["mqtt_client_key"] = config.Mqtt_ClientKey;
|
||||
root["mqtt_lwt_topic"] = config.Mqtt_LwtTopic;
|
||||
root["mqtt_lwt_online"] = config.Mqtt_LwtValue_Online;
|
||||
root["mqtt_lwt_offline"] = config.Mqtt_LwtValue_Offline;
|
||||
@ -137,6 +142,9 @@ void WebApiMqttClass::onMqttAdminPost(AsyncWebServerRequest* request)
|
||||
&& root.containsKey("mqtt_topic")
|
||||
&& root.containsKey("mqtt_retain")
|
||||
&& root.containsKey("mqtt_tls")
|
||||
&& root.containsKey("mqtt_tls_cert_login")
|
||||
&& root.containsKey("mqtt_client_cert")
|
||||
&& root.containsKey("mqtt_client_key")
|
||||
&& root.containsKey("mqtt_lwt_topic")
|
||||
&& root.containsKey("mqtt_lwt_online")
|
||||
&& root.containsKey("mqtt_lwt_offline")
|
||||
@ -212,8 +220,10 @@ void WebApiMqttClass::onMqttAdminPost(AsyncWebServerRequest* request)
|
||||
return;
|
||||
}
|
||||
|
||||
if (root["mqtt_root_ca_cert"].as<String>().length() > MQTT_MAX_ROOT_CA_CERT_STRLEN) {
|
||||
retMsg["message"] = "Certificate must not longer then " STR(MQTT_MAX_ROOT_CA_CERT_STRLEN) " characters!";
|
||||
if (root["mqtt_root_ca_cert"].as<String>().length() > MQTT_MAX_ROOT_CA_CERT_STRLEN
|
||||
|| root["mqtt_client_cert"].as<String>().length() > MQTT_MAX_ROOT_CA_CERT_STRLEN
|
||||
|| root["mqtt_client_key"].as<String>().length() > MQTT_MAX_ROOT_CA_CERT_STRLEN) {
|
||||
retMsg["message"] = "Certificates must not be longer than " STR(MQTT_MAX_ROOT_CA_CERT_STRLEN) " characters!";
|
||||
retMsg["code"] = WebApiError::MqttCertificateLength;
|
||||
retMsg["param"]["max"] = MQTT_MAX_ROOT_CA_CERT_STRLEN;
|
||||
response->setLength();
|
||||
@ -291,6 +301,9 @@ void WebApiMqttClass::onMqttAdminPost(AsyncWebServerRequest* request)
|
||||
config.Mqtt_Retain = root["mqtt_retain"].as<bool>();
|
||||
config.Mqtt_Tls = root["mqtt_tls"].as<bool>();
|
||||
strlcpy(config.Mqtt_RootCaCert, root["mqtt_root_ca_cert"].as<String>().c_str(), sizeof(config.Mqtt_RootCaCert));
|
||||
config.Mqtt_TlsCertLogin = root["mqtt_tls_cert_login"].as<bool>();
|
||||
strlcpy(config.Mqtt_ClientCert, root["mqtt_client_cert"].as<String>().c_str(), sizeof(config.Mqtt_ClientCert));
|
||||
strlcpy(config.Mqtt_ClientKey, root["mqtt_client_key"].as<String>().c_str(), sizeof(config.Mqtt_ClientKey));
|
||||
config.Mqtt_Port = root["mqtt_port"].as<uint>();
|
||||
strlcpy(config.Mqtt_Hostname, root["mqtt_hostname"].as<String>().c_str(), sizeof(config.Mqtt_Hostname));
|
||||
strlcpy(config.Mqtt_Username, root["mqtt_username"].as<String>().c_str(), sizeof(config.Mqtt_Username));
|
||||
|
||||
@ -259,6 +259,8 @@
|
||||
"Retain": "Retain",
|
||||
"Tls": "TLS",
|
||||
"RootCertifcateInfo": "Root CA-Zertifikat-Informationen",
|
||||
"TlsCertLogin": "Anmeldung mit TLS Zertifikat",
|
||||
"ClientCertifcateInfo": "Client Zertifikat-Informationen",
|
||||
"HassSummary": "Home Assistant MQTT-Auto-Discovery Konfigurationszusammenfassung",
|
||||
"Expire": "Ablaufen",
|
||||
"IndividualPanels": "Einzelne Paneele",
|
||||
@ -387,6 +389,9 @@
|
||||
"EnableRetain": "Retain Flag aktivieren",
|
||||
"EnableTls": "TLS aktivieren",
|
||||
"RootCa": "CA-Root-Zertifikat (Standard Letsencrypt):",
|
||||
"TlsCertLoginEnable": "TLS Zertifikat Login",
|
||||
"ClientCert": "TLS Client-Zertifikat:",
|
||||
"ClientKey": "TLS Client-Key:",
|
||||
"LwtParameters": "LWT-Parameter",
|
||||
"LwtTopic": "LWT-Topic:",
|
||||
"LwtTopicHint": "LWT-Topic, wird der Basis Topic angehängt",
|
||||
|
||||
@ -259,6 +259,8 @@
|
||||
"Retain": "Retain",
|
||||
"Tls": "TLS",
|
||||
"RootCertifcateInfo": "Root CA Certifcate Info",
|
||||
"TlsCertLogin": "Login with TLS Certificate",
|
||||
"ClientCertifcateInfo": "Client Certifcate Info",
|
||||
"HassSummary": "Home Assistant MQTT Auto Discovery Configuration Summary",
|
||||
"Expire": "Expire",
|
||||
"IndividualPanels": "Individual Panels",
|
||||
@ -387,6 +389,9 @@
|
||||
"EnableRetain": "Enable Retain Flag",
|
||||
"EnableTls": "Enable TLS",
|
||||
"RootCa": "CA-Root-Certificate (default Letsencrypt):",
|
||||
"TlsCertLoginEnable": "Enable TLS Certificate Login",
|
||||
"ClientCert": "TLS Client-Certificate:",
|
||||
"ClientKey": "TLS Client-Key:",
|
||||
"LwtParameters": "LWT Parameters",
|
||||
"LwtTopic": "LWT Topic:",
|
||||
"LwtTopicHint": "LWT topic, will be append base topic",
|
||||
|
||||
@ -259,6 +259,8 @@
|
||||
"Retain": "Conserver",
|
||||
"Tls": "TLS",
|
||||
"RootCertifcateInfo": "Informations sur le certificat de l'autorité de certification racine",
|
||||
"TlsCertLogin": "Connexion avec un certificat TLS",
|
||||
"ClientCertifcateInfo": "Informations sur le certificat du client",
|
||||
"HassSummary": "Résumé de la configuration de la découverte automatique du MQTT de Home Assistant",
|
||||
"Expire": "Expiration",
|
||||
"IndividualPanels": "Panneaux individuels",
|
||||
@ -387,6 +389,9 @@
|
||||
"EnableRetain": "Activation du maintien",
|
||||
"EnableTls": "Activer le TLS",
|
||||
"RootCa": "Certificat CA-Root (par défaut Letsencrypt)",
|
||||
"TlsCertLoginEnable": "Activer la connexion par certificat TLS",
|
||||
"ClientCert": "Certificat client TLS:",
|
||||
"ClientKey": "Clé client TLS:",
|
||||
"LwtParameters": "Paramètres LWT",
|
||||
"LwtTopic": "Sujet LWT",
|
||||
"LwtTopicHint": "Sujet LWT, sera ajouté comme sujet de base",
|
||||
|
||||
@ -9,6 +9,9 @@ export interface MqttConfig {
|
||||
mqtt_retain: boolean;
|
||||
mqtt_tls: boolean;
|
||||
mqtt_root_ca_cert: string;
|
||||
mqtt_tls_cert_login: boolean;
|
||||
mqtt_client_cert: string;
|
||||
mqtt_client_key: string;
|
||||
mqtt_lwt_topic: string;
|
||||
mqtt_lwt_online: string;
|
||||
mqtt_lwt_offline: string;
|
||||
|
||||
@ -8,6 +8,8 @@ export interface MqttStatus {
|
||||
mqtt_retain: boolean;
|
||||
mqtt_tls: boolean;
|
||||
mqtt_root_ca_cert_info: string;
|
||||
mqtt_tls_cert_login: boolean;
|
||||
mqtt_client_cert_info: string;
|
||||
mqtt_connected: boolean;
|
||||
mqtt_hass_enabled: boolean;
|
||||
mqtt_hass_expire: boolean;
|
||||
|
||||
@ -60,6 +60,21 @@
|
||||
:label="$t('mqttadmin.RootCa')"
|
||||
v-model="mqttConfigList.mqtt_root_ca_cert"
|
||||
type="textarea" maxlength="2560" rows="10"/>
|
||||
|
||||
<InputElement v-show="mqttConfigList.mqtt_tls"
|
||||
:label="$t('mqttadmin.TlsCertLoginEnable')"
|
||||
v-model="mqttConfigList.mqtt_tls_cert_login"
|
||||
type="checkbox"/>
|
||||
|
||||
<InputElement v-show="mqttConfigList.mqtt_tls_cert_login"
|
||||
:label="$t('mqttadmin.ClientCert')"
|
||||
v-model="mqttConfigList.mqtt_client_cert"
|
||||
type="textarea" maxlength="2560" rows="10"/>
|
||||
|
||||
<InputElement v-show="mqttConfigList.mqtt_tls_cert_login"
|
||||
:label="$t('mqttadmin.ClientKey')"
|
||||
v-model="mqttConfigList.mqtt_client_key"
|
||||
type="textarea" maxlength="2560" rows="10"/>
|
||||
</CardElement>
|
||||
|
||||
<CardElement :text="$t('mqttadmin.LwtParameters')" textVariant="text-bg-primary" add-space
|
||||
|
||||
@ -46,6 +46,16 @@
|
||||
<th>{{ $t('mqttinfo.RootCertifcateInfo') }}</th>
|
||||
<td>{{ mqttDataList.mqtt_root_ca_cert_info }}</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>{{ $t('mqttinfo.TlsCertLogin') }}</th>
|
||||
<td>
|
||||
<StatusBadge :status="mqttDataList.mqtt_tls_cert_login" true_text="mqttinfo.Enabled" false_text="mqttinfo.Disabled" />
|
||||
</td>
|
||||
</tr>
|
||||
<tr v-show="mqttDataList.mqtt_tls_cert_login">
|
||||
<th>{{ $t('mqttinfo.ClientCertifcateInfo') }}</th>
|
||||
<td>{{ mqttDataList.mqtt_client_cert_info }}</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user