这篇文章主要介绍“如何通过Android与MQTT进行TLS/SSL单向认证和双向认证”,在日常操作中,相信很多人在如何通过Android与MQTT进行TLS/SSL单向认证和双向认证问题上存在疑惑,小编查阅了各式资料,整理出简单好用的操作方法,希望对大家解答”如何通过Android与MQTT进行TLS/SSL单向认证和双向认证”的疑惑有所帮助!接下来,请跟着小编一起来学习吧!
创新互联在网站设计、网站制作、成都APP应用开发、网站运营等方面均有出色的表现,凭借多年丰富的经验,我们会仔细了解各客户的需求而做出多方面的分析、设计、整合,为客户设计出具风格及创意性的商业解决方案,我们更提供一系列营销型网站建设,网站制作和网站推广的服务,以推动各中小企业全面信息化,并利用创新技术帮助各行业提升企业形象和运营效率。
MQTT 是一种轻量级的、灵活的物联网消息交换和数据传递协议,致力于为 IoT 开发人员实现灵活性与硬件/网络资源的平衡。为了确保通讯安全,通常使用 TLS/SSL 来进行通讯加密。
本文使用 Eclipse Paho Android Service 和 BouncyCastle,添加依赖
dependencies {
implementation 'org.eclipse.paho:org.eclipse.paho.client.mqttv3:1.1.0'
implementation 'org.eclipse.paho:org.eclipse.paho.android.service:1.1.1'
implementation 'org.bouncycastle:bcpkix-jdk15on:1.59'
}以下是 Android 连接 TLS/SSL 的核心代码部分
MqttConnectOptions options = new MqttConnectOptions(); SSLSocketFactory sslSocketFactory = ... options.setSocketFactory(sslSocketFactory);
重点在于如何获取 SSLSocketFactory,下面对单向认证和双向认证分别进行说明。
单向认证是指服务端认证客户端,以下是核心代码
public static SSLSocketFactory getSingleSocketFactory(InputStream caCrtFileInputStream) throws Exception {
Security.addProvider(new BouncyCastleProvider());
X509Certificate caCert = null;
BufferedInputStream bis = new BufferedInputStream(caCrtFileInputStream);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
while (bis.available() > 0) {
caCert = (X509Certificate) cf.generateCertificate(bis);
}
KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType());
caKs.load(null, null);
caKs.setCertificateEntry("cert-certificate", caCert);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(caKs);
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(null, tmf.getTrustManagers(), null);
return sslContext.getSocketFactory();
}我们把 ca.crt 放到 res/raw 下,然后调用
try {
InputStream caCrtFileI = context.getResources().openRawResource(R.raw.ca);
options.setSocketFactory(getSingleSocketFactory(caCrtFile));
} catch (Exception e) {
e.printStackTrace();
}双向认证是指服务端和客户端相互认证,以下是关键代码
public static SSLSocketFactory getSocketFactory(InputStream caCrtFile, InputStream crtFile, InputStream keyFile,
String password) throws Exception {
Security.addProvider(new BouncyCastleProvider());
// load CA certificate
X509Certificate caCert = null;
BufferedInputStream bis = new BufferedInputStream(caCrtFile);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
while (bis.available() > 0) {
caCert = (X509Certificate) cf.generateCertificate(bis);
}
// load client certificate
bis = new BufferedInputStream(crtFile);
X509Certificate cert = null;
while (bis.available() > 0) {
cert = (X509Certificate) cf.generateCertificate(bis);
}
// load client private cert
PEMParser pemParser = new PEMParser(new InputStreamReader(keyFile));
Object object = pemParser.readObject();
JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
KeyPair key = converter.getKeyPair((PEMKeyPair) object);
KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType());
caKs.load(null, null);
caKs.setCertificateEntry("cert-certificate", caCert);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(caKs);
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null, null);
ks.setCertificateEntry("certificate", cert);
ks.setKeyEntry("private-cert", key.getPrivate(), password.toCharArray(),
new java.security.cert.Certificate[]{cert});
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, password.toCharArray());
SSLContext context = SSLContext.getInstance("TLSv1.2");
context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
return context.getSocketFactory();
}我们需要准备好服务端证书,客户端证书和秘钥放到 res/raw 下,然后调用,注意密码设为空字符串
try {
InputStream caCrtFile = context.getResources().openRawResource(R.raw.ca);
InputStream crtFile = context.getResources().openRawResource(R.raw.cert);
InputStream keyFile = context.getResources().openRawResource(R.raw.key);
options.setSocketFactory(getSocketFactory(caCrtFile, crtFile, keyFile, ""));
} catch (Exception e) {
e.printStackTrace();
}到此,关于“如何通过Android与MQTT进行TLS/SSL单向认证和双向认证”的学习就结束了,希望能够解决大家的疑惑。理论与实践的搭配能更好的帮助大家学习,快去试试吧!若想继续学习更多相关知识,请继续关注创新互联网站,小编会继续努力为大家带来更多实用的文章!
