MQTT broker搭建并用SSL加密

系统为centos,基于emqx搭建broker,流程参考官方

安装好后,用ssl加密。

进入/etc/emqx/certs,可以看到

分别为

  • cacert.pem CA 文件
  • cert.pem 服务端证书
  • key.pem 服务端key
  • client-cert.pem 客户端证书
  • client-key.pem 客户端key
    编辑emqx配置:vim /etc/emqx/emqx.conf,添加ssl配置:
json 复制代码
listeners.ssl.default {
  # 端口
  bind = "0.0.0.0:8883"
  ssl_options {
    cacertfile = "/etc/emqx/certs/cacert.pem" #CA文件
    certfile = "/etc/emqx/certs/cert.pem"    #服务端证书
    keyfile = "/etc/emqx/certs/key.pem"   #服务端key
    verify = verify_peer  # 双向认证
    fail_if_no_peer_cert = true
  }
}

再在客户端(如MQTTX)配置连接信息:

Springboot订阅MQTTS

添加依赖

xml 复制代码
        <!--mqtt-->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-integration</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.integration</groupId>
            <artifactId>spring-integration-stream</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.integration</groupId>
            <artifactId>spring-integration-mqtt</artifactId>
        </dependency>

        <!--ssl-->
        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcpkix-jdk15on</artifactId>
            <version>1.64</version>
        </dependency>

配置

yml 复制代码
spring:
  mqtt:
    provider:
      #MQTTS服务地址,端口号默认8883,如果有多个,用逗号隔开
      url: ssl://192.168.1.xx:8883
      #用户名
      username: xx
      #密码
      password: xxxx
      #客户端id(不能重复)
      client:
        id: provider-id
      #MQTT默认的消息推送主题,实际可在调用接口是指定
      default:
        topic: topic
    consumer:
      url: ssl://192.168.1.xx:8883
      #用户名
      username: xx
      #密码
      password: xxxx
      #客户端id(不能重复)
      client:
        id: consumer-id
      #MQTT默认的消息推送主题,实际可在调用接口时指定
      default:
        topic: topic

Mqtt配置

java 复制代码
@Configuration
public class MqttConsumerConfig {
    @Value("${spring.mqtt.consumer.username}")
    private String username;

    @Value("${spring.mqtt.consumer.password}")
    private String password;

    @Value("${spring.mqtt.consumer.url}")
    private String hostUrl;

    @Value("${spring.mqtt.consumer.client.id}")
    private String clientId;

    @Value("${spring.mqtt.consumer.default.topic}")
    private String defaultTopic;

	// 把证书文件放在在resource的ssl_certs目录下
    String caFilePath = "/ssl_certs/cacert.pem";
    String clientCrtFilePath = "/ssl_certs/client-cert.pem";
    String clientKeyFilePath = "/ssl_certs/client-key.pem";


    /**
     * 客户端对象
     */
    private MqttClient client;

    /**
     * 在bean初始化后连接到服务器
     */
    @PostConstruct
    public void init() {
        connect();
    }

    /**
     * 客户端连接服务端
     */
    @SneakyThrows
    public void connect() {
//        try {
            //创建MQTT客户端对象
            client = new MqttClient(hostUrl, clientId, new MemoryPersistence());
            //连接设置
            MqttConnectOptions options = new MqttConnectOptions();

            SSLSocketFactory socketFactory = getSocketFactory(caFilePath,
                    clientCrtFilePath, clientKeyFilePath, "");
            options.setSocketFactory(socketFactory);

            /*允许所有host连接*/
            options.setSSLHostnameVerifier((s, sslSession) -> true);

            /*不配置可能出现报错java.security.cert.CertificateException: No subject alternative names present*/
            options.setHttpsHostnameVerificationEnabled(false);


            //是否清空session,设置为false表示服务器会保留客户端的连接记录,客户端重连之后能获取到服务器在客户端断开连接期间推送的消息
            //设置为true表示每次连接到服务端都是以新的身份
            options.setCleanSession(true);
            //设置连接用户名
            options.setUserName(username);
            //设置连接密码
            options.setPassword(password.toCharArray());
            //设置超时时间,单位为秒
            options.setConnectionTimeout(100);
            //设置心跳时间 单位为秒,表示服务器每隔1.5*20秒的时间向客户端发送心跳判断客户端是否在线
            options.setKeepAliveInterval(20);
            //设置遗嘱消息的话题,若客户端和服务器之间的连接意外断开,服务器将发布客户端的遗嘱信息
            options.setWill("willTopic", (clientId + "与服务器断开连接").getBytes(), 0, false);
            options.setAutomaticReconnect(true);
            //设置回调
            client.setCallback(new MqttCallbackImpl());
            client.connect(options);
            System.out.println(" 客户端连接成功 ");
            //订阅主题
            //消息等级,和主题数组一一对应,服务端将按照指定等级给订阅了主题的客户端推送消息
            int[] qos = {1, 1};
            //主题
            String[] topics = {"topicX#", "topicY#"};
            //订阅主题
//            client.subscribe("topicX",1);
            client.subscribe(topics);
//        } catch (Exception e) {
//            e.printStackTrace();
//        }
    }

    /**
     * 断开连接
     */
    public void disConnect() {
        try {
            client.disconnect();
        } catch (MqttException e) {
            e.printStackTrace();
        }
    }


    /**
     * 订阅主题
     */
    public void subscribe(String topic, int qos) {
        try {
            client.subscribe(topic, qos);
        } catch (MqttException e) {
            e.printStackTrace();
        }
    }

    private static SSLSocketFactory getSocketFactory(final String caCrtFile,
                                                     final String crtFile, final String keyFile, final String password)
            throws Exception {

        ClassPathResource caCrtFileRes = new ClassPathResource(caCrtFile);
        ClassPathResource crtFileRes = new ClassPathResource(crtFile);
        ClassPathResource keyFileRes = new ClassPathResource(keyFile);


        // add BouncyCastle provider
        Security.addProvider(new BouncyCastleProvider());

        // load CA certificate
        X509Certificate caCert = null;

        BufferedInputStream bis = new BufferedInputStream(caCrtFileRes.getStream());
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        while (bis.available() > 0) {
            caCert = (X509Certificate) cf.generateCertificate(bis);
            // System.out.println(caCert.toString());
        }

        // load client certificate
        bis = new BufferedInputStream(crtFileRes.getStream());
        X509Certificate cert = null;
        while (bis.available() > 0) {
            cert = (X509Certificate) cf.generateCertificate(bis);
            // System.out.println(caCert.toString());
        }

        // load client private key
        PEMParser pemParser = new PEMParser(new InputStreamReader(keyFileRes.getStream()));
        Object object = pemParser.readObject();
        PEMDecryptorProvider decProv = new JcePEMDecryptorProviderBuilder()
                .build(password.toCharArray());
        JcaPEMKeyConverter converter = new JcaPEMKeyConverter()
                .setProvider("BC");
        KeyPair key;
        if (object instanceof PEMEncryptedKeyPair) {
            System.out.println("Encrypted key - we will use provided password");
            key = converter.getKeyPair(((PEMEncryptedKeyPair) object)
                    .decryptKeyPair(decProv));
        } else {
            System.out.println("Unencrypted key - no password needed");
            key = converter.getKeyPair((PEMKeyPair) object);
        }
        pemParser.close();

        // CA certificate is used to authenticate server
        KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType());
        caKs.load(null, null);
        caKs.setCertificateEntry("ca-certificate", caCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
        tmf.init(caKs);

        // client key and certificates are sent to server so it can authenticate
        // us
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("certificate", cert);
        ks.setKeyEntry("private-key", key.getPrivate(), password.toCharArray(),
                new java.security.cert.Certificate[]{cert});
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory
                .getDefaultAlgorithm());
        kmf.init(ks, password.toCharArray());

        // finally, create SSL socket factory
        SSLContext context = SSLContext.getInstance("TLSv1.2");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        return context.getSocketFactory();
    }

}
java 复制代码
@Slf4j
@Component
public class MqttCallbackImpl implements MqttCallback {

    @Override
    public void connectionLost(Throwable throwable) {
        log.info("[MQTT] 连接断开");
    }

    @Override
    public void messageArrived(String topic, MqttMessage message) throws Exception {
        String msg = new String(message.getPayload());
        log.info(String.format("接收消息主题 : %s", topic));
        log.info(String.format("接收消息Qos : %d", message.getQos()));
        log.info(String.format("接收消息内容 : %s", msg));
        log.info(String.format("接收消息retained : %b", message.isRetained()));
    }

    @Override
    public void deliveryComplete(IMqttDeliveryToken iMqttDeliveryToken) {
        log.info("发送消息成功");

    }
}
相关推荐
GGBondlctrl14 天前
【JavaEE初阶】网络原理-深入理解网络通信中协议的概念
md5·crc·应用层协议·传输层协议·1024程序员节·udp协议
常敲代码手不生2 个月前
开放API接口时要注意的安全处理总结
java·安全·非对称加密·md5·令牌
lpruoyu4 个月前
【雷丰阳-谷粒商城 】【分布式高级篇-微服务架构篇】【17】认证服务01—短信/邮件/异常/MD5
分布式·微服务·md5·邮件·短信
yuzhongrun5 个月前
编码与加密(对称加密与非对称加密)
非对称加密·aes·编码·md5·对称加密·bcb
任磊abc5 个月前
前端加密的方式汇总
前端·哈希算法·base64·非对称加密·md5·对称加密·前端加密
小李子就是我6 个月前
Excel中实现md5加密
excel·md5
简 洁 冬冬6 个月前
001 登录(md5加密)
md5
Amd7947 个月前
深入理解MD5:Message Digest Algorithm 5
密码学·md5·数据完整性·安全性·哈希函数·替代算法·碰撞攻击
紫郢剑侠7 个月前
Linux shell编程学习笔记42:md5sum
linux·md5·文件比较·shell编程·脚本编程·md5sum