六、Mosquitto 高級應用之SSL/TLS

　　mosquitto提供SSL支持加密的網絡連接和身份驗證、本章節講述次功能的實現、 在此之前需要一些准備工作。

准本工作： 一台 Linux 服務器、 安裝好 openssl (不會明白怎么安裝 openssl 的可以在網上搜索下、 我就不在這講解了)

准本工作完成后我們開始來制作所需要的證書。

注：在生成證書過程 在需要輸入 【Common Name 】 參數的地方 輸入主機ip

一、Certificate Authority

Generate a certificate authority certificate and key.

　　openssl req -newkey rsa:2045 -x509 -nodes -sha256 -days 36500 -extensions v3_ca -keyout ca.key -out ca.crt

二、Server

Generate a server key.

　　openssl genrsa -des3 -out server.key 2048

Generate a server key without encryption.

　　openssl genrsa -out server.key 2048

Generate a certificate signing request to send to the CA.

　　openssl req -out server.csr -key server.key -new

Send the CSR to the CA, or sign it with your CA key:

　　openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days <duration>

三、Client

Generate a client key.

　　openssl genrsa -des3 -out client.key 2048

Generate a certificate signing request to send to the CA.

　　openssl req -out client.csr -key client.key -new

Send the CSR to the CA, or sign it with your CA key:

　　openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days <duration>

到此處證書基本生成完成、 此時會在對應的目錄下生成如下證書

ca.crt  ca.key  ca.srl  client.crt  client.csr  client.key  server.crt  server.csr  server.key

Server 端：ca.crt、 client.crt 、server.key

Client 端：ca.crt、 client.csr  client.key

其中 ca.crt 是同一個證書。

四、Mosquitto 服務進行配置證書

1> 打開配置文件 mosquitto.conf 修改如下配置　　

　　cafile /home/mosquitto-CA/ssl/ca.crt // 對應上述生成證書的絕對路勁
　　certfile /home/mosquitto-CA/ssl/server.crt
　　certfile /home/mosquitto-CA/ssl/server.key
　　require_certificate true
　　use_identity_as_username true

 

配置完成后 保存退出 到這 SSL/TLS  功能基本完成。

2> 啟動 Mosquitto 服務

　　mosquitto -c mosquitto.conf –v

五、Java 端實現

Java 端的 SSL 客戶端的實現和<<Mosquitto Java 客戶端實現>> 講解的基本一致 在這就不多做解釋了、直接放代碼。

需要引入依賴

 

<dependency>
    <groupId>org.eclipse.paho</groupId>
    <artifactId>org.eclipse.paho.client.mqttv3</artifactId>
    <version>1.0.2</version>
</dependency>
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk16</artifactId>
    <version>1.45</version>
</dependency>

 

 

 

1> ClientMQTT

 

import java.util.concurrent.ScheduledExecutorService;

import javax.net.ssl.SSLSocketFactory;

import org.eclipse.paho.client.mqttv3.MqttClient;
import org.eclipse.paho.client.mqttv3.MqttConnectOptions;
import org.eclipse.paho.client.mqttv3.MqttException;
import org.eclipse.paho.client.mqttv3.MqttTopic;
import org.eclipse.paho.client.mqttv3.persist.MemoryPersistence;

public class ClientMQTT {

    public static final String HOST = "ssl://172.16.192.102:1883";
    public static final String TOPIC = "root/topic/123";
    private static final String clientid = "client11";
    private MqttClient client;
    private MqttConnectOptions options;
    private String userName = "admin";
    private String passWord = "admin";
    public static String caFilePath = "D:/keystore/Mosquitto-ca/ssl/ca.crt";
    public static String clientCrtFilePath = "D:/keystore/Mosquitto-ca/ssl/client.crt";
    public static String clientKeyFilePath = "D:/keystore/Mosquitto-ca/ssl/client.key";

    private ScheduledExecutorService scheduler;

    private void start() {
        try {
            // host為主機名，clientid即連接MQTT的客戶端ID，一般以唯一標識符表示，MemoryPersistence設置clientid的保存形式，默認為以內存保存
            client = new MqttClient(HOST, clientid, new MemoryPersistence());
            // MQTT的連接設置
            options = new MqttConnectOptions();
            // 設置是否清空session,這里如果設置為false表示服務器會保留客戶端的連接記錄，這里設置為true表示每次連接到服務器都以新的身份連接
            options.setCleanSession(true);
            // 設置連接的用戶名
            options.setUserName(userName);
            // 設置連接的密碼
            options.setPassword(passWord.toCharArray());
            // 設置超時時間 單位為秒
            options.setConnectionTimeout(10);
            // 設置會話心跳時間 單位為秒 服務器會每隔1.5*20秒的時間向客戶端發送個消息判斷客戶端是否在線，但這個方法並沒有重連的機制
            options.setKeepAliveInterval(20);
            // 設置回調
            client.setCallback(new PushCallback());
            MqttTopic topic = client.getTopic(TOPIC);
            // setWill方法，如果項目中需要知道客戶端是否掉線可以調用該方法。設置最終端口的通知消息
            options.setWill(topic, "close".getBytes(), 2, true);
            SSLSocketFactory factory = SslUtil.getSocketFactory(caFilePath, clientCrtFilePath, clientKeyFilePath,
                    "111111");
            options.setSocketFactory(factory);
            client.connect(options);
            // 訂閱消息
            int[] Qos = { 1 };
            String[] topic1 = { TOPIC };
            client.subscribe(topic1, Qos);

        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] args) throws MqttException {
        ClientMQTT client = new ClientMQTT();
        client.start();
    }
}

 

2> ServerMQTT

/**
 * 
 * Title:Server Description: 服務器向多個客戶端推送主題，即不同客戶端可向服務器訂閱相同主題
 * 
 * @author yueli 2017年9月1日下午17:41:10
 */
public class ServerMQTT {

    // tcp://MQTT安裝的服務器地址:MQTT定義的端口號
    public static final String HOST = "ssl://172.16.192.102:1883";
    // 定義一個主題
    public static final String TOPIC = "root/topic/123";
    // 定義MQTT的ID，可以在MQTT服務配置中指定
    private static final String clientid = "server11";

    private MqttClient client;
    private MqttTopic topic11;
    private String userName = "mosquitto";
    private String passWord = "mosquitto";
    public static String caFilePath = "D:/keystore/Mosquitto-ca/ssl/ca.crt";
    public static String clientCrtFilePath = "D:/keystore/Mosquitto-ca/ssl/client.crt";
    public static String clientKeyFilePath = "D:/keystore/Mosquitto-ca/ssl/client.key";

    private MqttMessage message;

    /**
     * 構造函數
     * 
     * @throws Exception
     */
    public ServerMQTT() throws Exception {
        // MemoryPersistence設置clientid的保存形式，默認為以內存保存
        client = new MqttClient(HOST, clientid, new MemoryPersistence());
        connect();
    }

    /**
     * 用來連接服務器
     * 
     * @throws Exception
     */
    private void connect() throws Exception {
        MqttConnectOptions options = new MqttConnectOptions();
        options.setCleanSession(false);
        options.setUserName(userName);
        options.setPassword(passWord.toCharArray());
        // 設置超時時間
        options.setConnectionTimeout(10);
        // 設置會話心跳時間
        options.setKeepAliveInterval(20);
        SSLSocketFactory factory = SslUtil.getSocketFactory(caFilePath, clientCrtFilePath, clientKeyFilePath, "111111");
        options.setSocketFactory(factory);
        try {
            client.setCallback(new PushCallback());
            client.connect(options);

            topic11 = client.getTopic(TOPIC);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * 
     * @param topic
     * @param message
     * @throws MqttPersistenceException
     * @throws MqttException
     */
    public void publish(MqttTopic topic, MqttMessage message) throws MqttPersistenceException, MqttException {
        MqttDeliveryToken token = topic.publish(message);
        token.waitForCompletion();
        System.out.println("message is published completely! " + token.isComplete());
    }

    /**
     * 啟動入口
     * 
     * @param args
     * @throws Exception
     */
    public static void main(String[] args) throws Exception {
        ServerMQTT server = new ServerMQTT();

        server.message = new MqttMessage();
        server.message.setQos(1);
        server.message.setRetained(true);
        server.message.setPayload("hello,topic14".getBytes());
        server.publish(server.topic11, server.message);
        System.out.println(server.message.isRetained() + "------ratained狀態");
    }
}

3> PushCallback

import org.eclipse.paho.client.mqttv3.IMqttDeliveryToken;
import org.eclipse.paho.client.mqttv3.MqttCallback;
import org.eclipse.paho.client.mqttv3.MqttMessage;

/**
 * 發布消息的回調類
 * 
 * 必須實現MqttCallback的接口並實現對應的相關接口方法CallBack 類將實現 MqttCallBack。
 * 每個客戶機標識都需要一個回調實例。在此示例中，構造函數傳遞客戶機標識以另存為實例數據。 在回調中，將它用來標識已經啟動了該回調的哪個實例。
 * 必須在回調類中實現三個方法：
 * 
 * public void messageArrived(MqttTopic topic, MqttMessage message)接收已經預訂的發布。
 * 
 * public void connectionLost(Throwable cause)在斷開連接時調用。
 * 
 * public void deliveryComplete(MqttDeliveryToken token)) 接收到已經發布的 QoS 1 或 QoS 2
 * 消息的傳遞令牌時調用。 由 MqttClient.connect 激活此回調。
 * 
 */
public class PushCallback implements MqttCallback {

    public void connectionLost(Throwable cause) {
        // 連接丟失后，一般在這里面進行重連
        System.out.println("連接斷開，可以做重連");
    }

    public void deliveryComplete(IMqttDeliveryToken token) {
        System.out.println("deliveryComplete---------" + token.isComplete());
    }

    public void messageArrived(String topic, MqttMessage message) throws Exception {
        // subscribe后得到的消息會執行到這里面
        System.out.println("接收消息主題 : " + topic);
        System.out.println("接收消息Qos : " + message.getQos());
        System.out.println("接收消息內容 : " + new String(message.getPayload()));
    }
}

4> SslUtil

import java.io.ByteArrayInputStream;
import java.io.InputStreamReader;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.X509Certificate;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.*;

public class SslUtil {
    public static SSLSocketFactory getSocketFactory(final String caCrtFile, final String crtFile, final String keyFile,
            final String password) throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        // load CA certificate
        PEMReader reader = new PEMReader(
                new InputStreamReader(new ByteArrayInputStream(Files.readAllBytes(Paths.get(caCrtFile)))));
        X509Certificate caCert = (X509Certificate) reader.readObject();
        reader.close();

        // load client certificate
        reader = new PEMReader(new InputStreamReader(new ByteArrayInputStream(Files.readAllBytes(Paths.get(crtFile)))));
        X509Certificate cert = (X509Certificate) reader.readObject();
        reader.close();

        // load client private key
        reader = new PEMReader(new InputStreamReader(new ByteArrayInputStream(Files.readAllBytes(Paths.get(keyFile)))),
                new PasswordFinder() {
                    @Override
                    public char[] getPassword() {
                        return password.toCharArray();
                    }
                });
        KeyPair key = (KeyPair) reader.readObject();
        reader.close();

        // CA certificate is used to authenticate server
        KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType());
        caKs.load(null, null);
        caKs.setCertificateEntry("ca-certificate", caCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(caKs);

        // client key and certificates are sent to server so it can authenticate
        // us
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("certificate", cert);
        ks.setKeyEntry("private-key", key.getPrivate(), password.toCharArray(),
                new java.security.cert.Certificate[] { cert });
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password.toCharArray());

        // finally, create SSL socket factory
        SSLContext context = SSLContext.getInstance("TLSv1");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        return context.getSocketFactory();
    }
}

到這基本完成 Mosquitto 配置SSL/TLS 功能的實現和測試 。