How to carry out TLS/SSL one-way authentication and two-way authentication through Android and MQTT

2025-01-31 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 06/01

This article introduces how to carry out TLS/SSL one-way authentication and two-way authentication with Android and MQTT. Many people have questions about this in day-to-day work, so the editor consulted various materials and put together a simple, practical method.

MQTT is a lightweight and flexible message exchange and data transfer protocol for the Internet of Things, which aims to balance flexibility against hardware and network resources for IoT developers. To keep the communication secure, TLS/SSL is usually used to encrypt it.

Preparation

This article uses Eclipse Paho Android Service and BouncyCastle. Add the dependencies:

    dependencies {
        implementation 'org.eclipse.paho:org.eclipse.paho.client.mqttv3:1.1.0'
        implementation 'org.eclipse.paho:org.eclipse.paho.android.service:1.1.1'
        implementation 'org.bouncycastle:bcpkix-jdk15on:1.59'
    }

The following is the core code for connecting over TLS/SSL on Android:

    MqttConnectOptions options = new MqttConnectOptions();
    SSLSocketFactory sslSocketFactory = ...
    options.setSocketFactory(sslSocketFactory);

The focus is on how to obtain the SSLSocketFactory. One-way authentication and two-way authentication are described below.

One-way authentication

In one-way authentication only the server is authenticated: the client verifies the server's certificate against the CA certificate it trusts. The following is the core code:

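    import java.io.BufferedInputStream;
    import java.io.InputStream;
    import java.security.KeyStore;
    import java.security.Security;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManagerFactory;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;

    public static SSLSocketFactory getSingleSocketFactory(InputStream caCrtFileInputStream) throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        // Read the CA certificate; if the stream holds several, only the last one is kept
        X509Certificate caCert = null;
        BufferedInputStream bis = new BufferedInputStream(caCrtFileInputStream);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        while (bis.available() > 0) {
            caCert = (X509Certificate) cf.generateCertificate(bis);
        }

        // Trust store that contains only this CA
        KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType());
        caKs.load(null, null);
        caKs.setCertificateEntry("cert-certificate", caCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(caKs);

        // No key managers: the client presents no certificate
        SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
        sslContext.init(null, tmf.getTrustManagers(), null);
        return sslContext.getSocketFactory();
    }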

Put ca.crt under res/raw and call:

    try {
        InputStream caCrtFile = context.getResources().openRawResource(R.raw.ca);
        options.setSocketFactory(getSingleSocketFactory(caCrtFile));
    } catch (Exception e) {
        e.printStackTrace();
    }

Two-way authentication

In two-way authentication the server and the client authenticate each other. The following is the key code:

    import java.io.BufferedInputStream;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.security.KeyPair;
    import java.security.KeyStore;
    import java.security.Security;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManagerFactory;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;
    import org.bouncycastle.openssl.PEMKeyPair;
    import org.bouncycastle.openssl.PEMParser;
    import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;

    public static SSLSocketFactory getSocketFactory(InputStream caCrtFile, InputStream crtFile,
                                                    InputStream keyFile, String password) throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        // load CA certificate
        X509Certificate caCert = null;
        BufferedInputStream bis = new BufferedInputStream(caCrtFile);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        while (bis.available() > 0) {
            caCert = (X509Certificate) cf.generateCertificate(bis);
        }

        // load client certificate
        bis = new BufferedInputStream(crtFile);
        X509Certificate cert = null;
        while (bis.available() > 0) {
            cert = (X509Certificate) cf.generateCertificate(bis);
        }

        // load client private key; readObject() returns a PEMKeyPair only for an
        // unencrypted traditional-format key (e.g. "BEGIN RSA PRIVATE KEY")
        PEMParser pemParser = new PEMParser(new InputStreamReader(keyFile));
        Object object = pemParser.readObject();
        pemParser.close();
        JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
        KeyPair key = converter.getKeyPair((PEMKeyPair) object);

        // trust store: the CA used to verify the server
        KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType());
        caKs.load(null, null);
        caKs.setCertificateEntry("cert-certificate", caCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(caKs);

        // key store: the client certificate and private key presented to the server
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("certificate", cert);
        ks.setKeyEntry("private-cert", key.getPrivate(), password.toCharArray(),
                new java.security.cert.Certificate[] {cert});
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password.toCharArray());

        SSLContext context = SSLContext.getInstance("TLSv1.2");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return context.getSocketFactory();
    }
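The cast to PEMKeyPair in getSocketFactory above throws a ClassCastException when key.pem is in PKCS#8 form ("BEGIN PRIVATE KEY") or is passphrase-protected. The following loader is an added example, not code from the original article or from Paho or BouncyCastle; PemKeyLoader, loadPrivateKey and need are hypothetical names, and it uses only the bcpkix 1.59 classes the article already depends on.

```java
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.Provider;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;

// Added example: hypothetical helper, not part of Paho or BouncyCastle.
public final class PemKeyLoader {
    // Provider instance passed explicitly, so nothing depends on Security.addProvider().
    private static final Provider BC = new BouncyCastleProvider();

    public static PrivateKey loadPrivateKey(InputStream keyFile, char[] passphrase) throws Exception {
        JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(BC);
        try (PEMParser parser = new PEMParser(new InputStreamReader(keyFile, StandardCharsets.US_ASCII))) {
            Object obj;
            // Loop so that non-key objects (e.g. a leading "EC PARAMETERS" block) are skipped.
            while ((obj = parser.readObject()) != null) {
                if (obj instanceof PEMKeyPair) {                   // BEGIN RSA/EC PRIVATE KEY
                    return converter.getKeyPair((PEMKeyPair) obj).getPrivate();
                }
                if (obj instanceof PrivateKeyInfo) {               // BEGIN PRIVATE KEY (PKCS#8)
                    return converter.getPrivateKey((PrivateKeyInfo) obj);
                }
                if (obj instanceof PEMEncryptedKeyPair) {          // Proc-Type: 4,ENCRYPTED
                    PEMKeyPair pair = ((PEMEncryptedKeyPair) obj).decryptKeyPair(
                            new JcePEMDecryptorProviderBuilder().setProvider(BC).build(need(passphrase)));
                    return converter.getKeyPair(pair).getPrivate();
                }
                if (obj instanceof PKCS8EncryptedPrivateKeyInfo) { // BEGIN ENCRYPTED PRIVATE KEY
                    PrivateKeyInfo info = ((PKCS8EncryptedPrivateKeyInfo) obj).decryptPrivateKeyInfo(
                            new JceOpenSSLPKCS8DecryptorProviderBuilder().setProvider(BC).build(need(passphrase)));
                    return converter.getPrivateKey(info);
                }
            }
        }
        throw new IllegalArgumentException("no private key found in PEM input");
    }

    private static char[] need(char[] p) {
        if (p == null || p.length == 0) throw new IllegalArgumentException("encrypted key needs a passphrase");
        return p;
    }
}
```

In getSocketFactory, the returned PrivateKey would take the place of key.getPrivate() in the ks.setKeyEntry(...) call.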

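Prepare the server's CA certificate, the client certificate and the client private key under res/raw, and then call the method. Note that the password is set to an empty string. Files under res/raw ship inside the APK, so a private key stored there is the same for every install and can be read out of the package.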

    try {
        InputStream caCrtFile = context.getResources().openRawResource(R.raw.ca);
        InputStream crtFile = context.getResources().openRawResource(R.raw.cert);
        InputStream keyFile = context.getResources().openRawResource(R.raw.key);
        options.setSocketFactory(getSocketFactory(caCrtFile, crtFile, keyFile, ""));
    } catch (Exception e) {
        e.printStackTrace();
    }

That concludes this look at how to carry out one-way authentication and two-way authentication of TLS/SSL through Android and MQTT. Combining theory with practice is the best way to learn, so go and try it!
