Developing the Java version of the Mosquitto client requires the Paho library; if the Java client is also to use the SSL function, the Bouncy Castle library is needed as well. When SSL is used, certificate files are required for authentication, but during testing you only need to make your own CA and issue the certificates yourself. For testing, first create a single CA consisting of a CRT file and a key file (for example ca.crt and ca.key); then use that CA to issue a certificate for each test machine. For example: the Mosquitto server runs on Linux at 192.168.4.223 and the Java client runs on Windows at 192.168.4.69. The CA files (ca.crt and ca.key) are copied to both the Mosquitto server at 192.168.4.223 and the client machine at 192.168.4.69, and OpenSSL is then used with this CA to issue a certificate file for each of the two machines: the certificate issued for the server side is server.crt and server.key, and the certificate issued for the client is client.crt and client.key. The following four points may be needed during this process:
(1) Making a CA under Linux and issuing a certificate with that CA; the process is described in:
http://blog.csdn.net/houjixin/article/details/24305613
Or:
http://houjixin.blog.163.com/blog/static/35628410201432205042955/
(2) The OpenSSL commands needed to make a CA and issue certificates with it are listed at: http://mosquitto.org/man/mosquitto-tls-7.html
(3) Creating the client's certificate file under Windows, using the same CA as the server side and the other test clients. Making a certificate under Windows is described in:
http://blog.csdn.net/houjixin/article/details/25806151
Or:
http://houjixin.blog.163.com/blog/static/3562841020144143494875/
(4) The development process needs the library bcprov-jdk16-139.jar,
available from: http://www.bouncycastle.org/latest_releases.html
The SSL feature only performs authentication before the client and server start communicating; the encryption of the subsequent traffic is done internally by SSL. Therefore, compared with the ordinary Java Mosquitto client, the SSL-capable Java client only needs to modify the code in the start-up section. When developing the Java client under Windows, follow these steps:
(1) Use OpenSSL to issue the client certificate files from the provided CA. Three files are generated during issuance: client.crt, client.csr and client.key. client.csr is the "certificate request file" that is generated from client.key and submitted to the CA; once client.crt and client.key have been generated it is no longer needed. Only two files, client.crt and client.key, are used in the actual testing process; the client uses them to authenticate with the Mosquitto server when communicating.
(2) Encapsulate the SSL-related operations in a Java class, for example SslUtil, and complete all SSL-related work in that class: loading the three files ca.crt, client.crt and client.key, and performing SSL authentication with the Mosquitto server. The class has a single function, getSocketFactory, which returns an SSL-related socket factory instance. This class is provided in the attached file SslUtil.java.
(3) Before creating a Mosquitto client with Paho, create an MqttConnectOptions object, call its setSocketFactory function, and pass in the socket factory instance returned by SslUtil in step (2). The relevant code looks like this:
    m_conOpt = new MqttConnectOptions();
    .....
    try {
        m_conOpt.setSocketFactory(SslUtil.getSocketFactory(caFilePath, clientCrtFilePath, clientKeyFilePath, sspwd));
    } catch (Exception e) {
        e.printStackTrace();
    }
(4) Create an MqttClient object and set the MqttConnectOptions object created in step (3) on it before the object connects to the Mosquitto server.
(5) Modify the URL parameter passed to the MqttClient object so that its leading protocol scheme is ssl, for example:
    String serverURL = "ssl://192.168.4.223:8883";
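The five steps above, put together in one runnable Paho client. This is an added example and not code from the original post; it assumes the SslUtil class listed later on this page is on the classpath, and the file paths, passphrase, client id and topic are constructed placeholders:

```java
package test.com.browan.mqtt;

import javax.net.ssl.SSLSocketFactory;

import org.eclipse.paho.client.mqttv3.IMqttDeliveryToken;
import org.eclipse.paho.client.mqttv3.MqttCallback;
import org.eclipse.paho.client.mqttv3.MqttClient;
import org.eclipse.paho.client.mqttv3.MqttConnectOptions;
import org.eclipse.paho.client.mqttv3.MqttException;
import org.eclipse.paho.client.mqttv3.MqttMessage;
import org.eclipse.paho.client.mqttv3.persist.MemoryPersistence;

/**
 * Added example (not from the original post): a Paho client that connects to
 * Mosquitto over TLS with the socket factory built by SslUtil.getSocketFactory.
 */
public class SslMqttExample {

    // Assumed locations of the CA and client files on the Windows test machine.
    private static final String CA_FILE      = "C:\\mqtt\\ca.crt";
    private static final String CLIENT_CRT   = "C:\\mqtt\\client.crt";
    private static final String CLIENT_KEY   = "C:\\mqtt\\client.key";
    private static final String KEY_PASSWORD = "changeit";   // assumed passphrase of client.key

    // Broker address from the post: "ssl://" scheme and the TLS listener port 8883.
    private static final String SERVER_URL = "ssl://192.168.4.223:8883";

    public static void main(String[] args) throws Exception {
        // step (2)/(3): build the TLS socket factory from ca.crt, client.crt and client.key
        SSLSocketFactory sf = SslUtil.getSocketFactory(CA_FILE, CLIENT_CRT, CLIENT_KEY, KEY_PASSWORD);

        MqttConnectOptions opts = new MqttConnectOptions();
        opts.setSocketFactory(sf);     // hand the factory to Paho; it replaces the plain TCP socket
        opts.setCleanSession(true);

        // step (4)/(5): the client id and topic are constructed values
        MqttClient client = new MqttClient(SERVER_URL, "java-ssl-client-1", new MemoryPersistence());
        client.setCallback(new MqttCallback() {
            @Override public void connectionLost(Throwable cause) {
                System.out.println("connection lost: " + cause);
            }
            @Override public void messageArrived(String topic, MqttMessage msg) {
                System.out.println(topic + " -> " + new String(msg.getPayload()));
            }
            @Override public void deliveryComplete(IMqttDeliveryToken token) { }
        });

        try {
            client.connect(opts);      // the TLS handshake (server check + client cert) happens here
            client.subscribe("test/topic", 1);
            client.publish("test/topic", new MqttMessage("hello over TLS".getBytes("UTF-8")));
            Thread.sleep(1000);        // give the broker time to echo the message back
        } catch (MqttException e) {
            // A wrong CA, an unknown client certificate or a protocol-version mismatch
            // shows up here with a javax.net.ssl.SSLHandshakeException as the cause.
            e.printStackTrace();
        } finally {
            if (client.isConnected()) {
                client.disconnect();
            }
            client.close();
        }
    }
}
```

When the handshake fails, the first thing to compare is the CA that signed server.crt against the ca.crt the client loads: the client trusts only that one certificate, so a server certificate issued by any other CA is rejected before any MQTT packet is sent.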
Attention:
1) When making a certificate file under Windows 7, the error "unable to write 'random state'" may appear; the solution to this problem is described in:
http://houjixin.blog.163.com/blog/static/356284102014420104455237/
Or:
http://blog.csdn.net/houjixin/article/details/26347375
2) When using Paho to connect to Mosquitto, the protocol name in the URL must be changed to ssl, for example:
    String serverURL = "ssl://192.168.4.223:8883";
Reference content:
[1] https://gist.github.com/sharonbn/4104301
[2] http://stackoverflow.com/questions/18896087/mosquitto-mqtt-broker-and-java-client-with-ssl-tls
Attached: SslUtil.java source:
package test.com.browan.mqtt;

import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;

import org.bouncycastle.jce.provider.*;
import org.bouncycastle.openssl.*;

public class SslUtil {

    static SSLSocketFactory getSocketFactory(final String caCrtFile, final String crtFile,
                                             final String keyFile, final String password) throws Exception {
        // register Bouncy Castle so PEMReader can parse the PEM files
        Security.addProvider(new BouncyCastleProvider());

        // load CA certificate
        PEMReader reader = new PEMReader(new InputStreamReader(
                new ByteArrayInputStream(Files.readAllBytes(Paths.get(caCrtFile)))));
        X509Certificate caCert = (X509Certificate) reader.readObject();
        reader.close();

        // load client certificate
        reader = new PEMReader(new InputStreamReader(
                new ByteArrayInputStream(Files.readAllBytes(Paths.get(crtFile)))));
        X509Certificate cert = (X509Certificate) reader.readObject();
        reader.close();

        // load client private key; the PasswordFinder supplies the passphrase if the key is encrypted
        reader = new PEMReader(new InputStreamReader(
                new ByteArrayInputStream(Files.readAllBytes(Paths.get(keyFile)))),
                new PasswordFinder() {
                    @Override
                    public char[] getPassword() {
                        return password.toCharArray();
                    }
                });
        KeyPair key = (KeyPair) reader.readObject();
        reader.close();

        // CA certificate is used to authenticate the server
        KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType());
        caKs.load(null, null);
        caKs.setCertificateEntry("ca-certificate", caCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(caKs);

        // client key and certificate are sent to the server so it can authenticate us
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("certificate", cert);
        // java.security.cert.Certificate is spelled out because java.security.* also exports a Certificate type
        ks.setKeyEntry("private-key", key.getPrivate(), password.toCharArray(),
                new java.security.cert.Certificate[]{cert});
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password.toCharArray());

        // finally, create the SSL socket factory
        // ("TLSv1" is what this class was written with; current brokers usually require TLSv1.2 or later)
        SSLContext context = SSLContext.getInstance("TLSv1");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        return context.getSocketFactory();
    }
}
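The class above depends on PEMReader and PasswordFinder from bcprov-jdk16-139, which later Bouncy Castle releases no longer ship. The following added example (not part of the original post) builds the same trust manager and key manager with the JDK alone: certificates are read with CertificateFactory, and the private key is read as an unencrypted PKCS#8 PEM file, which is an assumption of this variant, since the JDK cannot parse the PKCS#1 "BEGIN RSA PRIVATE KEY" format or encrypted PEM keys without a library. The class name JdkSslUtil and the helper readPkcs8Pem are names chosen for this example:

```java
package test.com.browan.mqtt;

import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the original post): a Bouncy-Castle-free variant of
 * SslUtil.getSocketFactory. Same signature, same trust/key store construction,
 * but the client key must be an unencrypted PKCS#8 PEM ("BEGIN PRIVATE KEY").
 */
public class JdkSslUtil {

    static SSLSocketFactory getSocketFactory(String caCrtFile, String crtFile,
                                             String keyFile, String password) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // CertificateFactory reads PEM ("BEGIN CERTIFICATE") directly; only the first
        // certificate in the file is returned, so ca.crt must contain a single CA certificate.
        X509Certificate caCert;
        try (InputStream in = new FileInputStream(caCrtFile)) {
            caCert = (X509Certificate) cf.generateCertificate(in);
        }
        X509Certificate clientCert;
        try (InputStream in = new FileInputStream(crtFile)) {
            clientCert = (X509Certificate) cf.generateCertificate(in);
        }
        PrivateKey clientKey = readPkcs8Pem(keyFile);

        // trust store holding only our own CA: the server certificate must chain to it
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("ca-certificate", caCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // key store holding the client certificate and key presented to the broker
        char[] pw = password.toCharArray();
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        keyStore.setKeyEntry("private-key", clientKey, pw,
                new java.security.cert.Certificate[]{clientCert});
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, pw);

        // TLSv1.2 instead of the original "TLSv1": Mosquitto builds against current OpenSSL reject TLS 1.0
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Parses an unencrypted PKCS#8 PEM private key (helper name chosen for this example).
    static PrivateKey readPkcs8Pem(String keyFile) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(keyFile)), StandardCharsets.US_ASCII);
        if (pem.contains("BEGIN RSA PRIVATE KEY") || pem.contains("ENCRYPTED")) {
            // OpenSSL "genrsa" output and passphrase-protected keys are not PKCS#8;
            // convert with: openssl pkcs8 -topk8 -nocrypt -in client.key -out client.pk8
            throw new IllegalArgumentException("key must be an unencrypted PKCS#8 PEM: " + keyFile);
        }
        String body = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                         .replace("-----END PRIVATE KEY-----", "")
                         .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }
}
```

The password argument is kept only so the method can be swapped in for the original call in MqttConnectOptions.setSocketFactory; here it protects the in-memory key store entry rather than decrypting the PEM file.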
Summary of the specific operations for using the SSL feature in the Java edition of the Mosquitto client