Kawaii MQTT 配置 mbedtls 双向验证指南
在使用 Kawaii MQTT 库配置 mbedtls 双向验证前,下面是实现该功能的关键步骤和一个完整的代码示例:
核心步骤
初始化 mbedtls 组件:
mbedtls_net_context server_fd;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
mbedtls_x509_crt cacert; // CA证书
mbedtls_x509_crt client_crt; // 客户端证书
mbedtls_pk_context pkey; // 客户端私钥
加载并解析证书:
// 加载CA证书
mbedtls_x509_crt_parse_file(&cacert, "ca.crt");
// 加载客户端证书
mbedtls_x509_crt_parse_file(&client_crt, "client.crt");
// 加载客户端私钥
mbedtls_pk_parse_keyfile(&pkey, "client.key", NULL);
配置 SSL/TLS:
mbedtls_ssl_config_init(&conf);
mbedtls_ssl_conf_endpoint(&conf, MBEDTLS_SSL_IS_CLIENT); // 设为客户端模式
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
// 设置双向验证要求(客户端和服务器都要提供证书)
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED);
// 设置CA证书链
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
// 设置客户端证书和密钥
mbedtls_ssl_conf_own_cert(&conf, &client_crt, &pkey);
在 MQTT 连接前完成握手:
// 创建TCP连接
mbedtls_net_connect(&server_fd, "mqtt.example.com", "8883", MBEDTLS_NET_PROTO_TCP);
// 绑定SSL配置
mbedtls_ssl_setup(&ssl, &conf);
// 设置主机名(用于SNI)
mbedtls_ssl_set_hostname(&ssl, "mqtt.example.com");
// 设置底层IO回调
mbedtls_ssl_set_bio(&ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
// 执行TLS握手
mbedtls_ssl_handshake(&ssl);
完整示例
#include
#include
#include
#include "mbedtls/net_sockets.h"
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/x509_crt.h"
#include "kawaii-mqtt/kawaii_mqtt.h"
int main() {
// 初始化MQTT客户端
kawaii_client_t client;
kawaii_client_init(&client, "client_id");
// --------- mbedtls初始化 ---------
mbedtls_net_context server_fd;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
int ret;
const char *pers = "kawaii_mqtt";
mbedtls_x509_crt cacert; // CA证书
mbedtls_x509_crt client_crt; // 客户端证书
mbedtls_pk_context pkey; // 客户端私钥
mbedtls_net_init(&server_fd);
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
mbedtls_x509_crt_init(&cacert);
mbedtls_x509_crt_init(&client_crt);
mbedtls_pk_init(&pkey);
// 初始化随机数生成器
if((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *)pers,
strlen(pers))) != 0) {
printf("mbedtls_ctr_drbg_seed failed: %dn", ret);
goto exit;
}
// 加载CA证书
if((ret = mbedtls_x509_crt_parse_file(&cacert, "ca.crt")) != 0) {
printf("Failed to parse CA cert: %dn", ret);
goto exit;
}
// 加载客户端证书
if((ret = mbedtls_x509_crt_parse_file(&client_crt, "client.crt")) != 0) {
printf("Failed to parse client cert: %dn", ret);
goto exit;
}
// 加载客户端私钥
if((ret = mbedtls_pk_parse_keyfile(&pkey, "client.key", NULL)) != 0) {
printf("Failed to parse client key: %dn", ret);
goto exit;
}
// 配置SSL
if((ret = mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
printf("ssl_config_defaults failed: %dn", ret);
goto exit;
}
// 设置双向验证模式
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED);
// 配置证书和密钥
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
// 设置客户端证书
if((ret = mbedtls_ssl_conf_own_cert(&conf, &client_crt, &pkey)) != 0) {
printf("mbedtls_ssl_conf_own_cert: %dn", ret);
goto exit;
}
// 连接服务器
if((ret = mbedtls_net_connect(&server_fd, "mqtt.example.com",
"8883", MBEDTLS_NET_PROTO_TCP)) != 0) {
printf("net_connect failed: %dn", ret);
goto exit;
}
if((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) {
printf("ssl_setup failed: %dn", ret);
goto exit;
}
mbedtls_ssl_set_hostname(&ssl, "mqtt.example.com");
mbedtls_ssl_set_bio(&ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
// 执行TLS握手
while((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
if(ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
printf("handshake failed: %dn", ret);
goto exit;
}
}
// 验证服务器证书
uint32_t flags = mbedtls_ssl_get_verify_result(&ssl);
if(flags != 0) {
printf("Failed to verify server certificate! Flags: 0x%xn", flags);
goto exit;
}
// --------- 集成到Kawaii MQTT ---------
// 设置底层网络接口函数 (需实现相关适配器)
kawaii_net_func_t net_func = {
.read = tls_read_function, // 调用mbedtls_ssl_read
.write = tls_write_function, // 调用mbedtls_ssl_write
.disconnect = tls_disconnect_func,
.state = tls_state_function
};
kawaii_client_set_net_func(&client, &net_func);
kawaii_client_set_context(&client, (void*)&ssl); // 传递SSL上下文
// 配置MQTT连接选项
kawaii_mqtt_option_t options = {
.username = "user",
.password = "pass",
.keep_alive = 60,
.clean_session = 1
};
// 连接到MQTT服务器
if(kawaii_client_connect(&client, &options) != K_ERR_NONE) {
printf("MQTT connection failedn");
goto exit;
}
printf("Successfully connected with mutual authentication!n");
// MQTT操作...
exit:
// 清理资源
mbedtls_ssl_close_notify(&ssl);
mbedtls_net_free(&server_fd);
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
mbedtls_x509_crt_free(&cacert);
mbedtls_x509_crt_free(&client_crt);
mbedtls_pk_free(&pkey);
kawaii_client_deinit(&client);
return ret ? 1 : 0;
}
关键注意事项
证书准备:
- CA证书 (ca.crt)
- 客户端证书 (client.crt)
- 客户端私钥 (client.key)
适配器函数实现:
int tls_read_function(void *ctx, uint8_t *buf, int len, int timeout_ms) {
mbedtls_ssl_context *ssl = (mbedtls_ssl_context *)ctx;
return mbedtls_ssl_read(ssl, buf, len);
}
int tls_write_function(void *ctx, uint8_t *buf, int len, int timeout_ms) {
mbedtls_ssl_context *ssl = (mbedtls_ssl_context *)ctx;
return mbedtls_ssl_write(ssl, buf, len);
}
常见错误处理:
MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:证书验证失败
MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN:加密套件不匹配
MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:连接被服务器终止
服务器端配置:
- MQTT服务器也需要设置相同的CA并验证客户端证书
总结
通过以上配置,Kawaii MQTT 可以成功使用 mbedtls 实现双向TLS验证,确保客户端与服务器之间的通信是安全且双向认证的。这个过程中最重要的是正确加载和设置证书、密钥文件,并实现适当的网络适配函数将 mbedtls SSL 层与 Kawaii MQTT 库连接起来。
|
|
|
|
2025-10-10 17:33:15
评论
举报
|
|
|
|
电子发烧友论坛
/9 
工商网监
湘ICP备2023018690号
161
淘帖
1639
