Allowed to deactivate certificate validation

codepitbull · codepitbull · commit 91f6592fcfe3 · 2025-10-30T14:09:44.000+01:00
diff --git a/modules/hivemq-edge-module-opcua/src/main/java/com/hivemq/edge/adapters/opcua/client/ParsedConfig.java b/modules/hivemq-edge-module-opcua/src/main/java/com/hivemq/edge/adapters/opcua/client/ParsedConfig.java
@@ -57,7 +57,7 @@ public static Result<ParsedConfig, String> fromConfig(final OpcUaSpecificAdapter
         CertificateValidator certValidator = null;
         if (tlsEnabled) {
             final var truststore = adapterConfig.getTls().truststore();
-            final var certOptional = getTrustedCerts(truststore).map(ParsedConfig::createServerCertificateValidator);
+            final var certOptional = getTrustedCerts(truststore).map(trustedCerts ->  createServerCertificateValidator(trustedCerts, adapterConfig.getTls().noChecks()));
             if (certOptional.isEmpty()) {
                 return Failure.of("Failed to create certificate validator, check truststore configuration");
             }
@@ -124,10 +124,16 @@ public static Result<ParsedConfig, String> fromConfig(final OpcUaSpecificAdapter
         return Optional.of(KeystoreUtil.getCertificatesFromDefaultTruststore());
     }
 
-    private static @NotNull CertificateValidator createServerCertificateValidator(final @NotNull List<X509Certificate> trustedCerts) {
-        return new DefaultClientCertificateValidator(new CertificateTrustListManager(trustedCerts),
-                Set.of(ValidationCheck.VALIDITY, ValidationCheck.REVOCATION, ValidationCheck.REVOCATION_LISTS),
-                new MemoryCertificateQuarantine());
+    private static @NotNull CertificateValidator createServerCertificateValidator(final @NotNull List<X509Certificate> trustedCerts, final boolean noChecks) {
+        if(noChecks) {
+            return new DefaultClientCertificateValidator(new CertificateTrustListManager(trustedCerts),
+                    Set.of(),
+                    new MemoryCertificateQuarantine());
+        } else {
+            return new DefaultClientCertificateValidator(new CertificateTrustListManager(trustedCerts),
+                    Set.of(ValidationCheck.VALIDITY, ValidationCheck.REVOCATION, ValidationCheck.REVOCATION_LISTS),
+                    new MemoryCertificateQuarantine());
+        }
     }
 
     private static @NotNull Optional<KeystoreUtil.KeyPairWithChain> getKeyPairWithChain(final @NotNull Keystore keystore) {
diff --git a/modules/hivemq-edge-module-opcua/src/main/java/com/hivemq/edge/adapters/opcua/config/OpcUaSpecificAdapterConfig.java b/modules/hivemq-edge-module-opcua/src/main/java/com/hivemq/edge/adapters/opcua/config/OpcUaSpecificAdapterConfig.java
@@ -90,7 +90,7 @@ public OpcUaSpecificAdapterConfig(
         this.overrideUri = requireNonNullElse(overrideUri, false);
         this.applicationUri = (applicationUri != null && !applicationUri.isBlank()) ? applicationUri : null;
         this.auth = auth;
-        this.tls = requireNonNullElse(tls, new Tls(false, null, null));
+        this.tls = requireNonNullElse(tls, new Tls(false, false, null, null));
         this.opcuaToMqttConfig =
                 Objects.requireNonNullElseGet(opcuaToMqttConfig, () -> new OpcUaToMqttConfig(1, 1000));
         this.security = requireNonNullElse(security, new Security(Constants.DEFAULT_SECURITY_POLICY));
@@ -125,6 +125,8 @@ public OpcUaSpecificAdapterConfig(
         return applicationUri;
     }
 
+
+
     @Override
     public boolean equals(final @Nullable Object o) {
         if (o == null || getClass() != o.getClass()) {
diff --git a/modules/hivemq-edge-module-opcua/src/main/java/com/hivemq/edge/adapters/opcua/config/Tls.java b/modules/hivemq-edge-module-opcua/src/main/java/com/hivemq/edge/adapters/opcua/config/Tls.java
@@ -31,6 +31,12 @@ public record Tls (@JsonProperty("enabled")
                                       defaultValue = "false")
                    boolean enabled,
 
+                   @JsonProperty("noChecks")
+                   @ModuleConfigField(title = "Disable certificate validation",
+                                      description = "Allows to disable the validation of a certificate",
+                                      defaultValue = "false")
+                   boolean noChecks,
+
                    @JsonProperty("keystore")
                    @JsonInclude(NON_NULL)
                    @ModuleConfigField(title = "Keystore",
@@ -46,4 +52,19 @@ public record Tls (@JsonProperty("enabled")
     @JsonCreator
     public Tls{
     }
+
+    @Override
+    public boolean equals(final Object o) {
+        if (o == null || getClass() != o.getClass()) return false;
+        final Tls tls = (Tls) o;
+        return enabled() == tls.enabled() &&
+                noChecks() == tls.noChecks() &&
+                Objects.equals(keystore(), tls.keystore()) &&
+                Objects.equals(truststore(), tls.truststore());
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(enabled(), noChecks(), keystore(), truststore());
+    }
 }
diff --git a/modules/hivemq-edge-module-opcua/src/test/java/com/hivemq/edge/adapters/opcua/OpcUaEndpointFilterTest.java b/modules/hivemq-edge-module-opcua/src/test/java/com/hivemq/edge/adapters/opcua/OpcUaEndpointFilterTest.java
@@ -56,7 +56,7 @@ public void whenSingleEndpointConfigSet_thenPickCorrectEndpoint() {
                 false,
                 null,
                 null,
-                new Tls(true, new Keystore("path", null, null), null),
+                new Tls(true, false, new Keystore("path", null, null), null),
                 null,
                 null);
 
@@ -115,7 +115,7 @@ public void whenMessageSecurityModeSpecified_thenFilterByMode() {
                 false,
                 null,
                 null,
-                new Tls(true, new Keystore("path", null, null), null),
+                new Tls(true, false, new Keystore("path", null, null), null),
                 null,
                 null);
 
@@ -152,7 +152,7 @@ public void whenNoMessageSecurityModeSpecified_thenAcceptAnyMode() {
                 false,
                 null,
                 null,
-                new Tls(true, new Keystore("path", null, null), null),
+                new Tls(true, false, new Keystore("path", null, null), null),
                 null,
                 null);
 
@@ -181,7 +181,7 @@ public void whenWrongMessageSecurityMode_thenNoEndpointSelected() {
                 false,
                 null,
                 null,
-                new Tls(true, new Keystore("path", null, null), null),
+                new Tls(true, false, new Keystore("path", null, null), null),
                 null,
                 null);
 
diff --git a/modules/hivemq-edge-module-opcua/src/test/java/com/hivemq/edge/adapters/opcua/OpcUaProtocolAdapterAuthTest.java b/modules/hivemq-edge-module-opcua/src/test/java/com/hivemq/edge/adapters/opcua/OpcUaProtocolAdapterAuthTest.java
@@ -145,7 +145,7 @@ public void whenBasicAuthAndNoSubscriptions_thenConnectSuccessfully() {
     @Timeout(30)
     public void whenTlsAndNoSubscriptions_thenConnectSuccessfully() {
         final Security security = new Security(SecPolicy.NONE);
-        final Tls tls = new Tls(true, null, null);
+        final Tls tls = new Tls(true, false, null, null);
         final OpcUaSpecificAdapterConfig config = new OpcUaSpecificAdapterConfig(
                 opcUaServerExtension.getServerUri(),
                 false,
@@ -174,7 +174,7 @@ public void whenCertAuthAndNoSubscriptions_thenConnectSuccessfully() throws Exce
         final KeyChain root = KeyChain.createKeyChain("root");
 
         final var keystore = root.wrapInKeyStoreWithPrivateKey("keystore", "root", "password", "password");
-        final Tls tls = new Tls(true, new Keystore(keystore.getAbsolutePath(), "password", "password"), null);
+        final Tls tls = new Tls(true, false, new Keystore(keystore.getAbsolutePath(), "password", "password"), null);
         final OpcUaSpecificAdapterConfig config = new OpcUaSpecificAdapterConfig(
                 opcUaServerExtension.getServerUri(),
                 false,
diff --git a/modules/hivemq-edge-module-opcua/src/test/java/com/hivemq/edge/adapters/opcua/client/ParsedConfigTest.java b/modules/hivemq-edge-module-opcua/src/test/java/com/hivemq/edge/adapters/opcua/client/ParsedConfigTest.java
@@ -357,7 +357,7 @@ private OpcUaSpecificAdapterConfig createAdapterConfig(
                 ? new Truststore(truststorePath, KEYSTORE_PASSWORD)
                 : null;
 
-        final Tls tls = new Tls(tlsEnabled, keystore, truststore);
+        final Tls tls = new Tls(tlsEnabled, false, keystore, truststore);
         final Security security = new Security(SecPolicy.NONE);
         final OpcUaToMqttConfig opcUaToMqttConfig = new OpcUaToMqttConfig(1, 1000);
 
diff --git a/modules/hivemq-edge-module-opcua/src/test/java/com/hivemq/edge/adapters/opcua/config/OpcUaProtocolAdapterConfigTest.java b/modules/hivemq-edge-module-opcua/src/test/java/com/hivemq/edge/adapters/opcua/config/OpcUaProtocolAdapterConfigTest.java
@@ -180,6 +180,7 @@ public void unconvertConfigObject_full_valid() {
                 null,
                 new Auth(new BasicAuth("my-username", "my-password"), new X509Auth(true)),
                 new Tls(true,
+                        false,
                         new Keystore("my/keystore/path", "keystore-password", "private-key-password"),
                         new Truststore("my/truststore/path", "truststore-password")),
                 new OpcUaToMqttConfig(1, 1000),
