制作您自己的 KeyStoreHelper,把 CA 证书连同设备证书一起放入 KeyStore(作为设备密钥条目的证书链),并用它代替 AWS IoT SDK 自带的 KeyStoreHelper。
注意:为简洁起见,下面的代码省略了所有异常处理;createKeyPair()、createCSR()、parsePemObject() 和 signCSR() 是我自己的方法。另外请注意,这段代码在设备上直接读取 CA 私钥(PATH_TO_CAROOT_KEY_FILE)来签发证书——CA 私钥一旦随应用分发,任何能提取到它的人都可以签发该 CA 下被 AWS IoT 信任的设备证书,因此生产环境应只把 CSR 发送到后端/HSM 签名,而不要把 CA 私钥放进应用。
public class MyKeystoreHelper {
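/**
 * Generates a fresh device key pair, gets its CSR signed by the CA read from
 * PATH_TO_CAROOT_KEY_FILE / PATH_TO_CAROOT_CERT_FILE, stores key + chain in the
 * on-disk KeyStore and returns that KeyStore.
 *
 * SECURITY NOTE(review): signing happens on the device with the CA private key,
 * so that key has to be present wherever this code runs. Anyone who extracts it
 * can issue certificates for this CA; for production, send the CSR to a
 * backend/HSM for signing instead of shipping the CA key with the app.
 *
 * Fix vs. the original: the issuer name handed to signCSR() is now the CA
 * certificate's *subject*, not its *issuer*. Chain building (RFC 5280 §6.1)
 * matches a certificate's issuer against the signer's subject; the two only
 * coincide for a self-signed root, so the old getIssuer() produced a broken
 * chain as soon as the signer was an intermediate CA.
 *
 * Exception handling is intentionally omitted by the original author;
 * createKeyPair(), createCSR(), parsePemObject(), signCSR(), saveKeystore() and
 * getKeystore() are project methods defined elsewhere in this class.
 *
 * @param certId           alias for the device key/certificate entry
 * @param keystorePath     directory holding the KeyStore file
 * @param keystoreName     KeyStore file name
 * @param keystorePassword password used for the KeyStore file and the key entry
 * @param directory        X.500 name components used to build the CSR subject
 * @return the KeyStore re-read from disk after saving
 */
public KeyStore createKeystoreJIT(String certId, String keystorePath,
        String keystoreName, String keystorePassword, HashMap<String, String> directory) {
    KeyPair deviceKey = createKeyPair();
    PKCS10CertificationRequest csr = createCSR(deviceKey, directory);

    // CA signing key and CA certificate, both read from PEM files.
    PEMKeyPair caPem = (PEMKeyPair) parsePemObject(context, PATH_TO_CAROOT_KEY_FILE);
    KeyPair caKey = new JcaPEMKeyConverter().getKeyPair(caPem);
    X509CertificateHolder caHolder = (X509CertificateHolder) parsePemObject(context, PATH_TO_CAROOT_CERT_FILE);
    X509Certificate caCert = new JcaX509CertificateConverter().getCertificate(caHolder);

    // The new certificate's issuer must equal the signer's subject name.
    X500Name issuer = caHolder.getSubject();

    X509Certificate deviceCert = signCSR(csr, caKey.getPrivate(), caCert, issuer);

    // Persist the device key with chain [deviceCert, caCert] and the CA under
    // alias certId + "_CA", then return the KeyStore as re-loaded from disk.
    saveKeystore(certId, deviceCert, caCert, deviceKey.getPrivate(), keystorePath, keystoreName, keystorePassword);
    return getKeystore(certId, keystorePath, keystoreName, keystorePassword);
}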
....
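/**
 * Writes the device identity into the KeyStore file keystorePath/keystoreName
 * (creating the file via createKeystore() if it does not exist yet):
 *   - alias certId         : key entry = privatekey + chain [cert, caCert]
 *   - alias certId + "_CA" : trusted-certificate entry = caCert
 *
 * Fixes vs. the original:
 *   - The CA alias is stored only as a trusted-certificate entry. The original
 *     additionally called setKeyEntry(caCertId, privatekey, ..., {caCert}), which
 *     replaced that trusted entry with a key entry and paired the *device*
 *     private key with the CA certificate — a key/certificate mismatch that also
 *     left a second copy of the device private key in the file. If other code
 *     relied on getKey(certId + "_CA") returning the device key, point it at
 *     certId instead; getCertificate(certId + "_CA") keeps working.
 *   - Dropped the redundant setCertificateEntry(certId, cert): the following
 *     setKeyEntry(certId, ...) overwrites that entry anyway.
 *   - The output stream now reuses keystoreFile instead of re-building the same
 *     path by string concatenation, and both streams are try-with-resources.
 *
 * NOTE(review): the file is rewritten in place, so a crash during store() can
 * leave a truncated KeyStore; write to a temp file and rename if that matters.
 * Exception handling is intentionally omitted by the original author.
 *
 * @return always true (kept for interface compatibility)
 */
private boolean saveKeystore(String certId, X509Certificate cert, X509Certificate caCert,
        PrivateKey privatekey, String keystorePath, String keystoreName, String keystorePassword) {
    KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
    File keystoreFile = new File(keystorePath, keystoreName);
    if (!keystoreFile.exists()) {
        createKeystore(keystorePath, keystoreName, keystorePassword);
    }
    char[] password = keystorePassword.toCharArray();

    try (FileInputStream in = new FileInputStream(keystoreFile)) {
        keystore.load(in, password);
    }

    // Device identity: private key plus leaf-first chain, so the CA travels
    // with the device certificate.
    keystore.setKeyEntry(certId, privatekey, password, new Certificate[] { cert, caCert });

    // CA certificate as a trust anchor only — there is no CA private key to
    // store on the device side.
    keystore.setCertificateEntry(certId + "_CA", caCert);

    try (FileOutputStream out = new FileOutputStream(keystoreFile)) {
        keystore.store(out, password);
    }
    return true;
}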
....
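/**
 * Copies the device identity (alias certId) and its CA (alias certId + "_CA")
 * out of customerKeystore into a new in-memory KeyStore using the aliases the
 * AWS IoT SDK expects: "cert-alias", "cacert-alias" and "key-alias". The key
 * entry carries the chain [cert, caCert] and is protected with
 * AWS_IOT_INTERNAL_KEYSTORE_PASSWORD, a constant defined elsewhere in this class.
 *
 * Fix vs. the original: a missing certificate, CA certificate or key used to
 * surface late as a NullPointerException or as a chain containing null inside
 * setKeyEntry; it now fails fast with an IllegalStateException naming the alias.
 * Exception handling is otherwise intentionally omitted by the original author.
 *
 * @param customerKeystore         KeyStore written by saveKeystore()
 * @param certId                   device alias in customerKeystore
 * @param customerKeystorePassword password protecting the key entry there
 * @return a new KeyStore that is never written to disk
 * @throws IllegalStateException if certId, certId + "_CA" or the key is absent
 */
private KeyStore getMemoryKeystore(KeyStore customerKeystore, String certId, String customerKeystorePassword) {
    X509Certificate cert = (X509Certificate) customerKeystore.getCertificate(certId);
    if (cert == null) {
        throw new IllegalStateException("no certificate under alias " + certId);
    }
    Key key = customerKeystore.getKey(certId, customerKeystorePassword.toCharArray());
    if (key == null) {
        throw new IllegalStateException("no private key under alias " + certId);
    }
    String caCertId = certId + "_CA";
    X509Certificate caCert = (X509Certificate) customerKeystore.getCertificate(caCertId);
    if (caCert == null) {
        throw new IllegalStateException("no CA certificate under alias " + caCertId);
    }

    KeyStore memoryKeystore = KeyStore.getInstance(KeyStore.getDefaultType());
    memoryKeystore.load(null); // initialise an empty store
    memoryKeystore.setCertificateEntry("cert-alias", cert);
    memoryKeystore.setCertificateEntry("cacert-alias", caCert);
    // Leaf first, CA second — the chained CA is the whole point of this helper.
    memoryKeystore.setKeyEntry("key-alias", key, AWS_IOT_INTERNAL_KEYSTORE_PASSWORD.toCharArray(),
            new Certificate[] { cert, caCert });
    return memoryKeystore;
}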
....
}
在连接和发布 MQTT 之前,按下面的方式从 KeyStore 中取出已链接好的设备证书(及其私钥)和 CA 证书(KeyStore 里保存的是签好名的证书,而不是 CSR):
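// Obtain the on-disk KeyStore, creating it on first run.
keystoreHelper = new MyKeystoreHelper(...);
if (keystoreHelper.isKeystorePresent(keystorePath, KEYSTORE_NAME)) {
    // Existing KeyStore file: just load it.
    keystore = keystoreHelper.getKeystore(CERTIFICATE_ID, keystorePath, KEYSTORE_NAME, KEYSTORE_PASSWORD);
} else {
    // First run: generate the key pair and CSR, have it CA-signed and persist the chain.
    // createKeystoreJIT() already returns the KeyStore re-loaded from disk, so the
    // original's second getKeystore() call was redundant and is dropped.
    HashMap<String, String> directory = getDirectory(); // X.500 name components for the CSR subject
    keystore = keystoreHelper.createKeystoreJIT(CERTIFICATE_ID, keystorePath, KEYSTORE_NAME, KEYSTORE_PASSWORD, directory);
}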
在已为该 CA 注册到 AWS IoT 并配置了 JITP 预置模板(或 JITR 处理)的前提下,首次向终端节点连接并发布消息后,AWS IoT Core 会自动注册该证书并创建一个“事物”;若没有这类配置,携带未知证书的首次连接不会成功。
我希望这可以帮助你。