Uniq certificate per openHAB instance

[belovictor]

We need to replace pre-created certificate distributed with openHAB with a uniq certificate which should be generated during the first run on openHAB on a user's machine. Right now all openHABs have the same certificate (if user does nothing to change that) which is very insecure - anybody is able to implement man in the middle attack using publicly available certificate.

[Stratehm]

Should the keystore with the unique certificate be removed from the openHAB package and a new keystore/self-signed certificate be generated at the openHAB startup if no user-defined keystore is provided and if no keystore is already present in runtime\etc ?

If so, where the certificate generator should be located ? In the org.openhb.io.jetty bundle ?

[kaikreuzer]

I tried to look around, but did not find any way to create a self-signed certificate from within Java. Did you find any possibility? If so, we can discuss the best place to put it as a second step :-)

[maggu2810]

Someone could perhaps have a further look at this one: https://www.bouncycastle.org/java.html

"Except where otherwise stated, this software is distributed under a license based on the MIT X Consortium license. To view the license, see here (https://www.bouncycastle.org/license.html). The OpenPGP library also includes a modified BZIP2 library which is licensed under the Apache Software License, Version 1.1 (http://www.apache.org/licenses/)."

http://blog.thilinamb.com/2010/01/how-to-generate-self-signed.html

[Stratehm]

I have already developped this feature for one of my project and it could be reused with minor modifications. It indeed uses BouncyCastle.

The code is available here (at line 395): https://github.com/Stratehm/stratum-proxy/blob/master/src/main/java/strat/mining/stratum/proxy/Launcher.java

[maggu2810]

Wuha, great number of imports ;-)

[kaikreuzer]

Do you have any idea about the size of dependencies this draws in? Bouncycastle alone seems to have 3MB already. I would like to avoid that for such a small feature, the minimal runtime grows significantly.

[Stratehm]

It needs 2 dependencies: org.bouncycastle.bcprov-jdk15on (the JAR is 2.8 MB) and org.bouncycastle.bcpkix-jdk15on (the JAR is 608 KB).

[kaikreuzer]

Which confirms that it is rather huge... So I would opt to put it into a bundle on its own and we can let people decide whether they want it or not. The problem is that the code only needs to be executed a single time - afterwards, it is just ballast :-| Maybe we could also automatically uninstall it once we have Karaf in place...

[Stratehm]

If this bundle is not included with the minimal runtime, I think not many people will use it (since they may not understant the ins and the outs of this bundle).
Thus the bundle may not be needed. Maybe a simple documentation is enough to explain how to replace the openhab.org certificate with a new one in the packaged keystore by using command line tools.

[kaikreuzer]

If this bundle is not included with the minimal runtime

Well, I would say that it can be in the "standard" runtime, but it should be possible for users to strip it down, so that this bundle is not part of it anymore. And for that, we would need it in a separate bundle and not within io.jetty (which always has to be present).

[Stratehm]

When I extract only the needed classes of BouncyCastle to generate the certificate (since we just need a little part of BouncyCastle features), the resulting package is only 504 KB. We could re-package these classes directly in the new bundle (I think the MIT license allows it if we provide a copy of the license with the bundle).

[kaikreuzer]

Sounds good!