
Android app to connect to AWS IoT using X.509 certificate

I am writing an Android application to connect a sensor to an AWS IoT service.

I have been provided with the X.509 certificate, a pair of public-private keys, clientEndpoint, etc.

I am trying to follow AWS's sample code (see here).

The instructions are clear, but I don't want to generate the certificate and the keys (I already have them).

Below is the code snippet:

// Create a new private key and certificate. This call
// creates both on the server and returns them to the
// device.
CreateKeysAndCertificateRequest createKeysAndCertificateRequest = new CreateKeysAndCertificateRequest();
createKeysAndCertificateRequest.setSetAsActive(true);
final CreateKeysAndCertificateResult createKeysAndCertificateResult;
createKeysAndCertificateResult = mIotAndroidClient.createKeysAndCertificate(createKeysAndCertificateRequest);
// The certificate ID doubles as the keystore alias below.
String certificateId = createKeysAndCertificateResult.getCertificateId();
Log.i(LOG_TAG, "Cert ID: " + certificateId + " created.");

// store in keystore for use in MQTT client
// saved as alias "default" so a new certificate isn't
// generated each run of this application
AWSIotKeystoreHelper.saveCertificateAndPrivateKey(certificateId,
        createKeysAndCertificateResult.getCertificatePem(),
        createKeysAndCertificateResult.getKeyPair().getPrivateKey(),
        keystorePath, keystoreName, keystorePassword);
// load keystore from file into memory to pass on
// connection
clientKeyStore = AWSIotKeystoreHelper.getIotKeystore(certificateId, keystorePath, keystoreName, keystorePassword);

How can I use the existing certificate files instead of generating a new certificate and keys?

Thank you

  1. Use AWSIotKeystoreHelper.isKeystorePresent(mKeystorePath, mKeystoreName) to check if the keystore is already on your device

  2. Check the alias using AWSIotKeystoreHelper.keystoreContainsAlias(mCertificateId, mKeystorePath, mKeystorePassword)

  3. Get the keystore using keystore = AWSIotKeystoreHelper.getIotKeystore(mCertificateId, mKeystoreName, mKeystorePassword)

  4. Use the keystore on mqttManager to connect

Here's a full snip that I've successfully used with some test code.

    String tempFilePath = context.getFilesDir().getAbsolutePath();

    if (!AWSIotKeystoreHelper.isKeystorePresent(tempFilePath, "iotkeystore")) {

        Resources resources = context.getResources();
        int certId = resources.getIdentifier("foo_device_cert", "raw", context.getPackageName());
        int privkeyId = resources.getIdentifier("foo_device_private_key", "raw", context.getPackageName());

        String cert = TestUtils.loadTestResource(context, certId);
        String privKey = TestUtils.loadTestResource(context, privkeyId);

        AWSIotKeystoreHelper.saveCertificateAndPrivateKey("iotcert", cert, privKey, tempFilePath, "iotkeystore", "iotpasswd");
    }

    KeyStore keystore = AWSIotKeystoreHelper.getIotKeystore("iotcert", tempFilePath, "iotkeystore", "iotpasswd");
    AWSIotMqttManager mqttManager = new AWSIotMqttManager("sdk-java", "xxxxxxxxxxxx-ats.iot.us-east-2.amazonaws.com");
    mqttManager.connect(keystore, new LocalMqttStatusCallback());
    mqttManager.subscribeToTopic("sdk/test/java", AWSIotMqttQos.QOS0, new LocalMessageCallback());
    logger.info("testLoadCertificate()...");

In this case, I simply saved the certificates in the res/raw folder and loaded them at run time as shown above. This probably isn't the best from a security standpoint, but should help you get something working. I put this entire snip into a Robolectric test case and the keystore gets reloaded each time. It properly connects and receives messages though.

The AWS documentation is really poor here, I wasn't able to find any working sample code from them (bad links) and I'm not wanting to just turn over my entire project to Amplify and its automatic reconfiguration.

Good luck.
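The four steps above, carried through as one self-contained helper. This is an added example, not the answerer's code or AWS's SDK sample: it imports the pre-provisioned PEM files on first run, reuses the keystore on later runs, and checks the stored certificate's validity window before handing the keystore to AWSIotMqttManager, which turns a stale device certificate into an immediate exception rather than a silent TLS failure. The alias "iotcert", keystore name "iotkeystore", the raw resource ids and the readRawResource helper are assumptions standing in for the answerer's TestUtils.loadTestResource; the four-argument keystoreContainsAlias form (certId, path, name, password) is the one in the SDK's AWSIotKeystoreHelper, so confirm it against your SDK version since the answer quotes a shorter form. It also assumes getIotKeystore stores the certificate under the certId alias.

```java
import android.content.Context;
import android.util.Log;

import com.amazonaws.mobileconnectors.iot.AWSIotKeystoreHelper;
import com.amazonaws.mobileconnectors.iot.AWSIotMqttClientStatusCallback;
import com.amazonaws.mobileconnectors.iot.AWSIotMqttManager;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

/** Loads a pre-provisioned device certificate and private key into the SDK's BKS keystore. */
public final class DeviceKeystoreLoader {
    private static final String TAG = "DeviceKeystoreLoader";

    // Hypothetical values: the alias doubles as the certId passed to the helper.
    private static final String CERT_ALIAS = "iotcert";
    private static final String KEYSTORE_NAME = "iotkeystore";

    private DeviceKeystoreLoader() {}

    /**
     * Returns a KeyStore holding the device credentials, importing the PEM files on first run.
     *
     * @param certResId    raw resource id of the PEM-encoded device certificate (hypothetical)
     * @param keyResId     raw resource id of the PEM-encoded private key (hypothetical)
     * @param keystorePass password protecting the keystore file in app-private storage
     */
    public static KeyStore loadOrImport(Context context, int certResId, int keyResId, String keystorePass)
            throws IOException, KeyStoreException, CertificateException {
        // App-private files dir: not readable by other apps on a non-rooted device.
        String keystorePath = context.getFilesDir().getAbsolutePath();

        // Steps 1 and 2: keystore present, and does it already hold our alias?
        boolean present = AWSIotKeystoreHelper.isKeystorePresent(keystorePath, KEYSTORE_NAME);
        boolean hasAlias = present
                && AWSIotKeystoreHelper.keystoreContainsAlias(CERT_ALIAS, keystorePath, KEYSTORE_NAME, keystorePass);

        if (!hasAlias) {
            // First run (or alias missing): read both PEM blobs and let the SDK build the keystore.
            String certPem = readRawResource(context, certResId);
            String keyPem = readRawResource(context, keyResId);
            AWSIotKeystoreHelper.saveCertificateAndPrivateKey(
                    CERT_ALIAS, certPem, keyPem, keystorePath, KEYSTORE_NAME, keystorePass);
            Log.i(TAG, "Imported device certificate into " + KEYSTORE_NAME);
        }

        // Step 3: load the keystore, then sanity-check what is in it before connecting.
        KeyStore keyStore = AWSIotKeystoreHelper.getIotKeystore(CERT_ALIAS, keystorePath, KEYSTORE_NAME, keystorePass);
        checkCertificateValidity(keyStore);
        return keyStore;
    }

    /** Fails fast if the stored device certificate is expired or not yet valid. */
    static void checkCertificateValidity(KeyStore keyStore) throws KeyStoreException, CertificateException {
        Certificate cert = keyStore.getCertificate(CERT_ALIAS);  // assumes the helper stores it under certId
        if (!(cert instanceof X509Certificate)) {
            throw new CertificateException("No X.509 certificate under alias " + CERT_ALIAS);
        }
        X509Certificate x509 = (X509Certificate) cert;
        x509.checkValidity();  // throws CertificateExpiredException / CertificateNotYetValidException
        Log.i(TAG, "Device cert subject=" + x509.getSubjectX500Principal() + " notAfter=" + x509.getNotAfter());
    }

    /** Reads a res/raw entry fully into a String (PEM files are small). */
    static String readRawResource(Context context, int resId) throws IOException {
        try (InputStream in = context.getResources().openRawResource(resId);
             ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            byte[] buf = new byte[4096];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            return out.toString(StandardCharsets.UTF_8.name());
        }
    }

    /** Step 4: open the MQTT connection with the loaded keystore. */
    public static AWSIotMqttManager connect(KeyStore keyStore, String clientId, String endpoint,
                                            AWSIotMqttClientStatusCallback statusCallback) {
        AWSIotMqttManager mqttManager = new AWSIotMqttManager(clientId, endpoint);
        mqttManager.connect(keyStore, statusCallback);
        return mqttManager;
    }
}
```

Call loadOrImport once at startup with your raw resource ids and then pass the result to connect together with the clientEndpoint you were given. Keeping the keystore under getFilesDir() confines it to the app sandbox, but the PEM files in res/raw and the hard-coded keystore password remain the weak point the answerer mentions; the same helper works unchanged if the PEM material is instead delivered to the device at enrollment time and written straight into the keystore.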
