Support MQTT client certificate authentication (#74)

moznion · brocaar · commit d2ee5aca58a4 · 2018-01-30T19:34:56.000+01:00
diff --git a/backend/mqttpubsub/backend.go b/backend/mqttpubsub/backend.go
@@ -24,7 +24,7 @@ type Backend struct {
 }
 
 // NewBackend creates a new Backend.
-func NewBackend(server, username, password, cafile string) (*Backend, error) {
+func NewBackend(server, username, password, cafile, certFile, certKeyFile string) (*Backend, error) {
 	b := Backend{
 		txPacketChan: make(chan gw.TXPacketBytes),
 		gateways:     make(map[lorawan.EUI64]struct{}),
@@ -37,11 +37,16 @@ func NewBackend(server, username, password, cafile string) (*Backend, error) {
 	opts.SetOnConnectHandler(b.onConnected)
 	opts.SetConnectionLostHandler(b.onConnectionLost)
 
-	if cafile != "" {
-		tlsconfig, err := NewTLSConfig(cafile)
-		if err == nil {
-			opts.SetTLSConfig(tlsconfig)
-		}
+	tlsconfig, err := NewTLSConfig(cafile, certFile, certKeyFile)
+	if err != nil {
+		log.WithError(err).WithFields(log.Fields{
+			"ca_cert":  cafile,
+			"tls_cert": certFile,
+			"tls_key":  certKeyFile,
+		}).Fatal("error loading mqtt certificate files")
+	}
+	if tlsconfig != nil {
+		opts.SetTLSConfig(tlsconfig)
 	}
 
 	log.WithField("server", server).Info("backend: connecting to mqtt broker")
@@ -54,23 +59,43 @@ func NewBackend(server, username, password, cafile string) (*Backend, error) {
 }
 
 // NewTLSConfig returns the TLS configuration.
-func NewTLSConfig(cafile string) (*tls.Config, error) {
+func NewTLSConfig(cafile, certFile, certKeyFile string) (*tls.Config, error) {
+	// Here are three valid options:
+	//   - Only CA
+	//   - TLS cert + key
+	//   - CA, TLS cert + key
+
+	if cafile == "" && certFile == "" && certKeyFile == "" {
+		log.Info("backend: TLS config is empty")
+		return nil, nil
+	}
+
+	tlsConfig := &tls.Config{}
+
 	// Import trusted certificates from CAfile.pem.
+	if cafile != "" {
+		cacert, err := ioutil.ReadFile(cafile)
+		if err != nil {
+			log.Errorf("backend: couldn't load cafile: %s", err)
+			return nil, err
+		}
+		certpool := x509.NewCertPool()
+		certpool.AppendCertsFromPEM(cacert)
 
-	cert, err := ioutil.ReadFile(cafile)
-	if err != nil {
-		log.Errorf("backend: couldn't load cafile: %s", err)
-		return nil, err
+		tlsConfig.RootCAs = certpool // RootCAs = certs used to verify server cert.
 	}
 
-	certpool := x509.NewCertPool()
-	certpool.AppendCertsFromPEM(cert)
+	// Import certificate and the key
+	if certFile != "" && certKeyFile != "" {
+		kp, err := tls.LoadX509KeyPair(certFile, certKeyFile)
+		if err != nil {
+			log.Errorf("backend: couldn't load MQTT TLS key pair: %s", err)
+			return nil, err
+		}
+		tlsConfig.Certificates = []tls.Certificate{kp}
+	}
 
-	// Create tls.Config with desired tls properties
-	return &tls.Config{
-		// RootCAs = certs used to verify server cert.
-		RootCAs: certpool,
-	}, nil
+	return tlsConfig, nil
 }
 
 // Close closes the backend.
diff --git a/backend/mqttpubsub/backend_test.go b/backend/mqttpubsub/backend_test.go
@@ -22,7 +22,7 @@ func TestBackend(t *testing.T) {
 		defer c.Disconnect(0)
 
 		Convey("Given a new Backend", func() {
-			backend, err := NewBackend(conf.Server, conf.Username, conf.Password, "")
+			backend, err := NewBackend(conf.Server, conf.Username, conf.Password, "", "", "")
 			So(err, ShouldBeNil)
 			defer backend.Close()
 
diff --git a/cmd/lora-gateway-bridge/doc.go b/cmd/lora-gateway-bridge/doc.go
@@ -6,21 +6,23 @@ USAGE:
    main [global options] command [command options] [arguments...]
 
 COMMANDS:
-   help, h	Shows a list of commands or help for one command
+     help, h  Shows a list of commands or help for one command
 
 GLOBAL OPTIONS:
-   --udp-bind "0.0.0.0:1700"		ip:port to bind the UDP listener to [$UDP_BIND]
-   --mqtt-server "tcp://127.0.0.1:1883"	MQTT server [$MQTT_SERVER]
-   --mqtt-username 			MQTT username [$MQTT_USERNAME]
-   --mqtt-password 			MQTT password [$MQTT_PASSWORD]
-   --mqtt-ca-cert                       CA certificate file [$MQTT_CA_CERT]
-   --log-level "4"			debug=5, info=4, warning=3, error=2, fatal=1, panic=0 [$LOG_LEVEL]
-   --help, -h				show help
-   --version, -v			print the version
+   --udp-bind value       ip:port to bind the UDP listener to (default: "0.0.0.0:1700") [$UDP_BIND]
+   --mqtt-server value    mqtt server (e.g. scheme://host:port where scheme is tcp, ssl or ws) (default: "tcp://127.0.0.1:1883") [$MQTT_SERVER]
+   --mqtt-username value  mqtt server username (optional) [$MQTT_USERNAME]
+   --mqtt-password value  mqtt server password (optional) [$MQTT_PASSWORD]
+   --mqtt-ca-cert value   mqtt CA certificate file (optional) [$MQTT_CA_CERT]
+   --mqtt-tls-cert value  mqtt certificate file (optional) [$MQTT_TLS_CERT]
+   --mqtt-tls-key value   mqtt key file of certificate (optional) [$MQTT_TLS_KEY]
+   --skip-crc-check       skip the CRC status-check of received packets [$SKIP_CRC_CHECK]
+   --log-level value      debug=5, info=4, warning=3, error=2, fatal=1, panic=0 (default: 4) [$LOG_LEVEL]
+   --help, -h             show help
+   --version, -v          print the version
 
 COPYRIGHT:
    See http://github.com/brocaar/lora-gateway-bridge for copyright information
 
-
 */
 package main
diff --git a/cmd/lora-gateway-bridge/main.go b/cmd/lora-gateway-bridge/main.go
@@ -28,7 +28,7 @@ func run(c *cli.Context) error {
 	var pubsub *mqttpubsub.Backend
 	for {
 		var err error
-		pubsub, err = mqttpubsub.NewBackend(c.String("mqtt-server"), c.String("mqtt-username"), c.String("mqtt-password"), c.String("mqtt-ca-cert"))
+		pubsub, err = mqttpubsub.NewBackend(c.String("mqtt-server"), c.String("mqtt-username"), c.String("mqtt-password"), c.String("mqtt-ca-cert"), c.String("mqtt-tls-cert"), c.String("mqtt-tls-key"))
 		if err == nil {
 			break
 		}
@@ -126,6 +126,16 @@ func main() {
 			Usage:  "mqtt CA certificate file (optional)",
 			EnvVar: "MQTT_CA_CERT",
 		},
+		cli.StringFlag{
+			Name:   "mqtt-tls-cert",
+			Usage:  "mqtt certificate file (optional)",
+			EnvVar: "MQTT_CERT",
+		},
+		cli.StringFlag{
+			Name:   "mqtt-tls-key",
+			Usage:  "mqtt key file of certificate (optional)",
+			EnvVar: "MQTT_CERT_KEY",
+		},
 		cli.BoolFlag{
 			Name:   "skip-crc-check",
 			Usage:  "skip the CRC status-check of received packets",
diff --git a/docs/content/install/config.md b/docs/content/install/config.md
@@ -30,6 +30,8 @@ GLOBAL OPTIONS:
    --mqtt-username value  mqtt server username (optional) [$MQTT_USERNAME]
    --mqtt-password value  mqtt server password (optional) [$MQTT_PASSWORD]
    --mqtt-ca-cert value   mqtt CA certificate file (optional) [$MQTT_CA_CERT]
+   --mqtt-tls-cert value  mqtt certificate file (optional) [$MQTT_TLS_CERT]
+   --mqtt-tls-key value   mqtt key file of certificate (optional) [$MQTT_TLS_KEY]
    --skip-crc-check       skip the CRC status-check of received packets [$SKIP_CRC_CHECK]
    --log-level value      debug=5, info=4, warning=3, error=2, fatal=1, panic=0 (default: 4) [$LOG_LEVEL]
    --help, -h             show help
