网上现有的MQTT双向认证代码一般都没有兼容Android P之后的版本,故这里结合前人的经验对MQTT双向认证的使用进行下总结。
build.gradle中添加依赖
implementation 'org.eclipse.paho:org.eclipse.paho.client.mqttv3:1.2.4'
implementation 'org.eclipse.paho:org.eclipse.paho.android.service:1.1.1'
implementation 'org.bouncycastle:bcpkix-jdk15on:1.59'
准备好双向认证的证书
将服务端提供的ca.pem、client.pem、client.key放置在res/raw目录下
配置SSLSocketFactory
static SSLSocketFactory getSocketFactory(InputStream caPem, InputStream clientPem, InputStream clientKey,
String password) throws Exception {
Security.addProvider(new BouncyCastleProvider());
// load CA certificate
X509Certificate caCert = null;
BufferedInputStream bis = new BufferedInputStream(caPem);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
while (bis.available() > 0) {
caCert = (X509Certificate) cf.generateCertificate(bis);
}
// load client certificate
bis = new BufferedInputStream(clientPem);
X509Certificate cert = null;
while (bis.available() > 0) {
cert = (X509Certificate) cf.generateCertificate(bis);
}
// load client private cert
PEMParser pemParser = new PEMParser(new InputStreamReader(clientKey));
Object object = pemParser.readObject();
KeyFactory keyFactory;
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
// fix BC provider has been removed after Android P
keyFactory = KeyFactory.getInstance("RSA");
} else {
keyFactory = KeyFactory.getInstance("RSA", "BC");
}
JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(keyFactory.getProvider());
KeyPair key = converter.getKeyPair((PEMKeyPair) object);
KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType());
caKs.load(null, null);
caKs.setCertificateEntry("cert-certificate", caCert);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(caKs);
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null, null);
ks.setCertificateEntry("certificate", cert);
ks.setKeyEntry("private-cert", key.getPrivate(), password.toCharArray(),
new java.security.cert.Certificate[]{cert});
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, password.toCharArray());
SSLContext context = SSLContext.getInstance("TLSv1.2");
context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
return context.getSocketFactory();
}
上述代码与网上其他代码区别在与兼容了Android P之后BC Provider被移除的情况
配置MQTT
val options = MqttConnectOptions()
options.socketFactory = MqttSSLUtil.getSocketFactory(
context.resources.openRawResource(caPem),
context.resources.openRawResource(clientPem),
context.resources.openRawResource(clientKey),
""/** 空字符串,非null **/
)
感谢大佬的总结: www.emqx.com/zh/blog/and…
