概述
1、方案对比
2、认证信息
3、Code Sample
一、方案对比
- 一机一密:每台设备烧录自己的设备证书(ProductKey、DeviceName和DeviceSecret)。
- 一型一密预注册:同一产品下设备烧录相同产品证书(ProductKey和ProductSecret)。开通产品的动态注册功能,设备通过动态注册获取DeviceSecret。
- 一型一密免预注册:同一产品下设备烧录相同产品证书(ProductKey和ProductSecret)。开通产品的动态注册功能,通过动态注册,设备不获取DeviceSecret,而是获取ClientID与DeviceToken的组合。
- 子设备动态注册:网关连接上云后,子设备通过动态注册获取DeviceSecret。
认证方案对比
二、认证信息
目前物联网平台主流的通信协议为MQTT协议,物联网平台也原生支持MQTT协议,这里认证信息也主要以MQTT认证方式进行介绍。首次使用物联网平台的用户,建议可以使用MQTT.fx客户端工具接入测试,参考: 使用MQTT.fx接入物联网平台。
MQTT签名参数计算方法,请参见如何计算MQTT签名参数。
一型一密免预注册认证参数拼接参考:
三、Code Sample
- 3.1 平台侧创建产品和设备
- 3.2 开启动态注册
一机一密
- 3.3.1 为一机一密创建设备
- 3.3.2 一机一密:Code Sample
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import org.eclipse.paho.client.mqttv3.*;
import org.eclipse.paho.client.mqttv3.persist.MemoryPersistence;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
public class OneMachineOneSecret {
public static String productKey = "hgoqS******";
public static String deviceName = "******";
public static String deviceSecret = "98ace44304bd198c******************";
public static String regionId = "cn-shanghai";
// 物模型-属性上报topic
private static String pubTopic = "/sys/" + productKey + "/" + deviceName + "/thing/event/property/post";
// 物模型-属性响应topic
private static String subTopic = "/sys/" + productKey + "/" + deviceName + "/thing/event/property/post_reply";
private static MqttClient mqttClient;
public static void main(String [] args){
initAliyunIoTClient();
ScheduledExecutorService scheduledThreadPool = new ScheduledThreadPoolExecutor(1,
new ThreadFactoryBuilder().setNameFormat("thread-runner-%d").build());
scheduledThreadPool.scheduleAtFixedRate(()->postDeviceProperties(), 2,2, TimeUnit.SECONDS);
try {
mqttClient.subscribe(subTopic); // 订阅Topic
} catch (MqttException e) {
System.out.println("error:" + e.getMessage());
e.printStackTrace();
}
// 设置订阅监听
mqttClient.setCallback(new MqttCallback() {
@Override
public void connectionLost(Throwable throwable) {
System.out.println("connection Lost");
}
@Override
public void messageArrived(String s, MqttMessage mqttMessage) throws Exception {
System.out.println("Sub message");
System.out.println("Topic : " + s);
System.out.println("message info " + new String(mqttMessage.getPayload())); //打印输出消息payLoad
}
@Override
public void deliveryComplete(IMqttDeliveryToken iMqttDeliveryToken) {
try {
System.out.println("deliveryComplete: " + iMqttDeliveryToken.getMessage());
} catch (MqttException e) {
e.printStackTrace();
}
}
});
}
/**
* 初始化 Client 对象
*/
private static void initAliyunIoTClient() {
try {
// 构造连接需要的参数
String clientId = "java" + System.currentTimeMillis();
Map<String, String> params = new HashMap<>(16);
params.put("productKey", productKey);
params.put("deviceName", deviceName);
params.put("clientId", clientId);
String timestamp = String.valueOf(System.currentTimeMillis());
params.put("timestamp", timestamp);
// cn-shanghai
String targetServer = "tcp://" + productKey + ".iot-as-mqtt."+regionId+".aliyuncs.com:1883";
String mqttclientId = clientId + "|securemode=3,signmethod=hmacsha1,timestamp=" + timestamp + "|";
String mqttUsername = deviceName + "&" + productKey;
String mqttPassword = AliyunIoTSignUtil.sign(params, deviceSecret, "hmacsha1");
connectMqtt(targetServer, mqttclientId, mqttUsername, mqttPassword);
} catch (Exception e) {
System.out.println("initAliyunIoTClient error " + e.getMessage());
}
}
public static void connectMqtt(String url, String clientId, String mqttUsername, String mqttPassword) throws Exception {
MemoryPersistence persistence = new MemoryPersistence();
mqttClient = new MqttClient(url, clientId, persistence);
MqttConnectOptions connOpts = new MqttConnectOptions();
// MQTT 3.1.1
connOpts.setMqttVersion(4);
connOpts.setAutomaticReconnect(false);
connOpts.setConnectionTimeout(10);
// connOpts.setCleanSession(true);
connOpts.setCleanSession(false);
connOpts.setUserName(mqttUsername);
connOpts.setPassword(mqttPassword.toCharArray());
connOpts.setKeepAliveInterval(60);
mqttClient.connect(connOpts);
}
/**
* 汇报属性
*/
private static void postDeviceProperties() {
try {
//上报数据
//高级版 物模型-属性上报payload
System.out.println("上报属性值");
// 基于产品物模型定义设置
String payloadJson = "{\"params\":{\"GeoLocation\":{\"Longitude\":18,\"Latitude\":28,\"Altitude\":18,\"CoordinateSystem\":2},\"FLO_Value\":18}}";
MqttMessage message = new MqttMessage(payloadJson.getBytes("utf-8"));
message.setQos(1);
mqttClient.publish(pubTopic, message);
} catch (Exception e) {
System.out.println(e.getMessage());
}
}
}签名类AliyunIoTSignUtil参考:
基于开源JAVA MQTT Client连接阿里云IoT
- 3.3.3 测试效果
一型一密预注册设备
- 3.4.1 创建设备
- 3.4.2 动态注册获取DeviceSecret
import com.alibaba.fastjson.JSONObject;
import org.eclipse.paho.client.mqttv3.*;
import org.eclipse.paho.client.mqttv3.persist.MemoryPersistence;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Random;
import java.util.Set;
import java.util.SortedMap;
import java.util.TreeMap;
public class DynamicRegisterByMqtt {
// 地域ID,填写您的产品所在地域ID。
private static String regionId = "cn-shanghai";
// 定义加密方式。可选MAC算法:HmacMD5、HmacSHA1、HmacSHA256,需和signmethod取值一致。
private static final String HMAC_ALGORITHM = "hmacsha1";
// 接收物联网平台下发设备证书的Topic。无需创建,无需订阅,直接使用。
private static final String REGISTER_TOPIC = "/ext/register";
/**
* 动态注册。
*
* @param productKey 产品的ProductKey
* @param productSecret 产品密钥
* @param deviceName 设备名称
* @throws Exception
*/
public void register(String productKey, String productSecret, String deviceName) throws Exception {
// 接入域名,只能使用TLS。
String broker = "ssl://" + productKey + ".iot-as-mqtt." + regionId + ".aliyuncs.com:1883";
// 表示客户端ID,建议使用设备的MAC地址或SN码,64字符内。
String clientId = productKey + "." + deviceName;
// 获取随机值。
Random r = new Random();
int random = r.nextInt(1000000);
// securemode只能为2表示只能使用TLS;signmethod指定签名算法。
String clientOpts = "|securemode=2,authType=register,signmethod=" + HMAC_ALGORITHM + ",random=" + random + "|";
// MQTT接入客户端ID。
String mqttClientId = clientId + clientOpts;
// MQTT接入用户名。
String mqttUsername = deviceName + "&" + productKey;
// MQTT接入密码,即签名。
JSONObject params = new JSONObject();
params.put("productKey", productKey);
params.put("deviceName", deviceName);
params.put("random", random);
String mqttPassword = sign(params, productSecret);
// 通过MQTT connect报文进行动态注册。
connect(broker, mqttClientId, mqttUsername, mqttPassword);
}
/**
* 通过MQTT connect报文发送动态注册信息。
*
* @param serverURL 动态注册域名地址
* @param clientId 客户端ID
* @param username MQTT用户名
* @param password MQTT密码
*/
@SuppressWarnings("resource")
private void connect(String serverURL, String clientId, String username, String password) {
try {
MemoryPersistence persistence = new MemoryPersistence();
MqttClient sampleClient = new MqttClient(serverURL, clientId, persistence);
MqttConnectOptions connOpts = new MqttConnectOptions();
connOpts.setMqttVersion(4);// MQTT 3.1.1
connOpts.setUserName(username);// 用户名
connOpts.setPassword(password.toCharArray());// 密码
connOpts.setAutomaticReconnect(false); // MQTT动态注册协议规定必须关闭自动重连。
System.out.println("----- register params -----");
System.out.print("server=" + serverURL + ",clientId=" + clientId);
System.out.println(",username=" + username + ",password=" + password);
sampleClient.setCallback(new MqttCallback() {
@Override
public void messageArrived(String topic, MqttMessage message) throws Exception {
// 仅处理动态注册返回消息。
if (REGISTER_TOPIC.equals(topic)) {
String payload = new String(message.getPayload(), StandardCharsets.UTF_8);
System.out.println("----- register result -----");
System.out.println(payload);
sampleClient.disconnect();
}
}
@Override
public void deliveryComplete(IMqttDeliveryToken token) {
}
@Override
public void connectionLost(Throwable cause) {
}
});
sampleClient.connect(connOpts);
} catch (MqttException e) {
System.out.print("register failed: clientId=" + clientId);
System.out.println(",username=" + username + ",password=" + password);
System.out.println("reason " + e.getReasonCode());
System.out.println("msg " + e.getMessage());
System.out.println("loc " + e.getLocalizedMessage());
System.out.println("cause " + e.getCause());
System.out.println("excep " + e);
e.printStackTrace();
}
}
/**
* 动态注册签名。
*
* @param params 签名参数
* @param productSecret 产品密钥
* @return 签名十六进制字符串
*/
private String sign(JSONObject params, String productSecret) {
// 请求参数按字典顺序排序。
Set<String> keys = getSortedKeys(params);
// sign、signMethod除外。
keys.remove("sign");
keys.remove("signMethod");
// 组装签名明文。
StringBuffer content = new StringBuffer();
for (String key : keys) {
content.append(key);
content.append(params.getString(key));
}
// 计算签名。
String sign = encrypt(content.toString(), productSecret);
System.out.println("sign content=" + content);
System.out.println("sign result=" + sign);
return sign;
}
/**
* 获取JSON对象排序后的key集合。
*
* @param json 需要排序的JSON对象
* @return 排序后的key集合
*/
private Set<String> getSortedKeys(JSONObject json) {
SortedMap<String, String> map = new TreeMap<String, String>();
for (String key : json.keySet()) {
String vlaue = json.getString(key);
map.put(key, vlaue);
}
return map.keySet();
}
/**
* 使用HMAC_ALGORITHM加密。
*
* @param content 明文
* @param secret 密钥
* @return 密文
*/
private String encrypt(String content, String secret) {
try {
byte[] text = content.getBytes(StandardCharsets.UTF_8);
byte[] key = secret.getBytes(StandardCharsets.UTF_8);
SecretKeySpec secretKey = new SecretKeySpec(key, HMAC_ALGORITHM);
Mac mac = Mac.getInstance(secretKey.getAlgorithm());
mac.init(secretKey);
return byte2hex(mac.doFinal(text));
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
/**
* 二进制转十六进制字符串。
*
* @param b 二进制数组
* @return 十六进制字符串
*/
private String byte2hex(byte[] b) {
StringBuffer sb = new StringBuffer();
for (int n = 0; b != null && n < b.length; n++) {
String stmp = Integer.toHexString(b[n] & 0XFF);
if (stmp.length() == 1) {
sb.append('0');
}
sb.append(stmp);
}
return sb.toString().toUpperCase();
}
public static void main(String[] args) throws Exception {
String productKey = "hgoqS******";
String productSecret = "rhjN24E9********";
String deviceName = "device2";
// 进行动态注册。
DynamicRegisterByMqtt client = new DynamicRegisterByMqtt();
client.register(productKey, productSecret, deviceName);
// 动态注册成功,需要在本地固化deviceSecret。
}
}- 3.4.3 代码运行效果
- 3.4.4 设备连接平台
已经获取到了设备的DeviceSecret,参考前面一机一密认证方式连接认证即可。
一型一密免预注册
- 3.5.1 Code Sample
import com.alibaba.fastjson.JSONObject;
import org.eclipse.paho.client.mqttv3.*;
import org.eclipse.paho.client.mqttv3.persist.MemoryPersistence;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Random;
import java.util.Set;
import java.util.SortedMap;
import java.util.TreeMap;
public class DynamicRegisterInstance {
// 定义加密方式。可选MAC算法:HmacMD5、HmacSHA1、HmacSHA256,需和signmethod取值一致。
private static final String HMAC_ALGORITHM = "hmacsha1";
// 接收物联网平台下发设备证书的Topic。无需创建,无需订阅,直接使用。
private static final String REGISTER_TOPIC = "/ext/regnwl";
/**
* 动态注册。
*
* @param productKey 产品key
* @param productSecret 产品密钥
* @param deviceName 设备名称
* @throws Exception
*/
public void register(String productKey, String productSecret, String deviceName, String instanceId) throws Exception {
// 接入域名,只能使用TLS。
String broker = "ssl://"+instanceId+".mqtt.iothub.aliyuncs.com:1883";
// 表示客户端ID,建议使用设备的MAC地址或SN码,64字符内。
String clientId = productKey + "@" + deviceName;
// 获取随机值。
Random r = new Random();
int random = r.nextInt(1000000);
// securemode只能为2表示只能使用TLS;signmethod指定签名算法。
String clientOpts = "|securemode=-2,authType=regnwl,signmethod=" + HMAC_ALGORITHM + ",random=" + random + ""+",instanceId="+instanceId+"|";
// MQTT接入客户端ID。
String mqttClientId = clientId + clientOpts;
// MQTT接入用户名。
String mqttUsername = deviceName + "&" + productKey;
// MQTT接入密码,即签名。
JSONObject params = new JSONObject();
params.put("productKey", productKey);
params.put("deviceName", deviceName);
params.put("random", random);
String mqttPassword = sign(params, productSecret);
// 通过MQTT connect报文进行动态注册。
connect(broker, mqttClientId, mqttUsername, mqttPassword);
}
/**
* 通过MQTT connect报文发送动态注册信息。
*
* @param serverURL 动态注册域名地址
* @param clientId 客户端ID
* @param username MQTT用户名
* @param password MQTT密码
*/
@SuppressWarnings("resource")
private void connect(String serverURL, String clientId, String username, String password) {
try {
MemoryPersistence persistence = new MemoryPersistence();
MqttClient sampleClient = new MqttClient(serverURL, clientId, persistence);
MqttConnectOptions connOpts = new MqttConnectOptions();
connOpts.setMqttVersion(4);// MQTT 3.1.1
connOpts.setUserName(username);// 用户名
connOpts.setPassword(password.toCharArray());// 密码
connOpts.setAutomaticReconnect(false); // MQTT动态注册协议规定必须关闭自动重连。
System.out.println("----- register params -----");
System.out.print("server=" + serverURL + ",clientId=" + clientId);
System.out.println(",username=" + username + ",password=" + password);
sampleClient.setCallback(new MqttCallback() {
@Override
public void messageArrived(String topic, MqttMessage message) throws Exception {
// 仅处理动态注册返回消息。
if (REGISTER_TOPIC.equals(topic)) {
String payload = new String(message.getPayload(), StandardCharsets.UTF_8);
System.out.println("----- register result -----");
System.out.println(payload);
sampleClient.disconnect();
}
}
@Override
public void deliveryComplete(IMqttDeliveryToken token) {
}
@Override
public void connectionLost(Throwable cause) {
}
});
sampleClient.connect(connOpts);
} catch (MqttException e) {
System.out.print("register failed: clientId=" + clientId);
System.out.println(",username=" + username + ",password=" + password);
System.out.println("reason " + e.getReasonCode());
System.out.println("msg " + e.getMessage());
System.out.println("loc " + e.getLocalizedMessage());
System.out.println("cause " + e.getCause());
System.out.println("excep " + e);
e.printStackTrace();
}
}
/**
* 动态注册签名。
*
* @param params 签名参数
* @param productSecret 产品密钥
* @return 签名十六进制字符串
*/
private String sign(JSONObject params, String productSecret) {
// 请求参数按字典顺序排序。
Set<String> keys = getSortedKeys(params);
// sign、signMethod除外。
keys.remove("sign");
keys.remove("signMethod");
// 组装签名明文。
StringBuffer content = new StringBuffer();
for (String key : keys) {
content.append(key);
content.append(params.getString(key));
}
// 计算签名。
String sign = encrypt(content.toString(), productSecret);
System.out.println("sign content=" + content);
System.out.println("sign result=" + sign);
return sign;
}
/**
* 获取JSON对象排序后的key集合。
*
* @param json 需要排序的JSON对象
* @return 排序后的key集合
*/
private Set<String> getSortedKeys(JSONObject json) {
SortedMap<String, String> map = new TreeMap<String, String>();
for (String key : json.keySet()) {
String vlaue = json.getString(key);
map.put(key, vlaue);
}
return map.keySet();
}
/**
* 使用HMAC_ALGORITHM加密。
*
* @param content 明文
* @param secret 密钥
* @return 密文
*/
private String encrypt(String content, String secret) {
try {
byte[] text = content.getBytes(StandardCharsets.UTF_8);
byte[] key = secret.getBytes(StandardCharsets.UTF_8);
SecretKeySpec secretKey = new SecretKeySpec(key, HMAC_ALGORITHM);
Mac mac = Mac.getInstance(secretKey.getAlgorithm());
mac.init(secretKey);
return byte2hex(mac.doFinal(text));
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
/**
* 二进制转十六进制字符串。
*
* @param b 二进制数组
* @return 十六进制字符串
*/
private String byte2hex(byte[] b) {
StringBuffer sb = new StringBuffer();
for (int n = 0; b != null && n < b.length; n++) {
String stmp = Integer.toHexString(b[n] & 0XFF);
if (stmp.length() == 1) {
sb.append('0');
}
sb.append(stmp);
}
return sb.toString().toUpperCase();
}
public static void main(String[] args) throws Exception {
String productKey = "hgoqS******";
String productSecret = "rhjN24E9uD******";
String deviceName = "device3";// 自定义的设备名称,运行后会在控制台自动创建设备
String instanceId = "iot-060a0bky"; // 企业版独享实例id
// 进行动态注册。
DynamicRegisterInstance client = new DynamicRegisterInstance();
client.register(productKey, productSecret, deviceName,instanceId);
}
}
- 3.5.2 运行结果
- 3.5.3 预注册效果对比
- 3.5.4 设备端基于动态注册获取的ClientId和DeviceToken信息和Server端交互
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import org.eclipse.paho.client.mqttv3.*;
import org.eclipse.paho.client.mqttv3.persist.MemoryPersistence;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
public class OneMachineOneSecret {
public static String productKey = "hgoqS******";
public static String deviceName = "device3";
public static String deviceToken = "^1^1658122822394^ad612**********";
public static String regionId = "cn-shanghai";
public static String clientId = "IVhhglYX6liOLNb**********";
// 物模型-属性上报topic
private static String pubTopic = "/sys/" + productKey + "/" + deviceName + "/thing/event/property/post";
// 物模型-属性响应topic
private static String subTopic = "/sys/" + productKey + "/" + deviceName + "/thing/event/property/post_reply";
private static MqttClient mqttClient;
public static void main(String [] args){
initAliyunIoTClient();
ScheduledExecutorService scheduledThreadPool = new ScheduledThreadPoolExecutor(1,
new ThreadFactoryBuilder().setNameFormat("thread-runner-%d").build());
scheduledThreadPool.scheduleAtFixedRate(()->postDeviceProperties(), 2,2, TimeUnit.SECONDS);
try {
mqttClient.subscribe(subTopic); // 订阅Topic
} catch (MqttException e) {
System.out.println("error:" + e.getMessage());
e.printStackTrace();
}
// 设置订阅监听
mqttClient.setCallback(new MqttCallback() {
@Override
public void connectionLost(Throwable throwable) {
System.out.println("connection Lost");
}
@Override
public void messageArrived(String s, MqttMessage mqttMessage) throws Exception {
System.out.println("Sub message");
System.out.println("Topic : " + s);
System.out.println("message info " + new String(mqttMessage.getPayload())); //打印输出消息payLoad
}
@Override
public void deliveryComplete(IMqttDeliveryToken iMqttDeliveryToken) {
try {
System.out.println(iMqttDeliveryToken.getMessage());
} catch (MqttException e) {
e.printStackTrace();
}
}
});
}
/**
* 初始化 Client 对象
*/
private static void initAliyunIoTClient() {
try {
// 构造连接需要的参数
Map<String, String> params = new HashMap<>(16);
params.put("productKey", productKey);
params.put("deviceName", deviceName);
params.put("clientId", clientId);
String timestamp = String.valueOf(System.currentTimeMillis());
params.put("timestamp", timestamp);
// cn-shanghai
String targetServer = "tcp://" + productKey + ".iot-as-mqtt."+regionId+".aliyuncs.com:1883";
String mqttclientId = clientId + "|securemode=-2,authType=connwl|";
String mqttUsername = deviceName + "&" + productKey;
String mqttPassword = deviceToken;
connectMqtt(targetServer, mqttclientId, mqttUsername, mqttPassword);
} catch (Exception e) {
System.out.println("initAliyunIoTClient error " + e.getMessage());
}
}
public static void connectMqtt(String url, String clientId, String mqttUsername, String mqttPassword) throws Exception {
MemoryPersistence persistence = new MemoryPersistence();
mqttClient = new MqttClient(url, clientId, persistence);
MqttConnectOptions connOpts = new MqttConnectOptions();
// MQTT 3.1.1
connOpts.setMqttVersion(4);
connOpts.setAutomaticReconnect(false);
connOpts.setConnectionTimeout(10);
// connOpts.setCleanSession(true);
connOpts.setCleanSession(false);
connOpts.setUserName(mqttUsername);
connOpts.setPassword(mqttPassword.toCharArray());
connOpts.setKeepAliveInterval(60);
mqttClient.connect(connOpts);
}
/**
* 汇报属性
*/
private static void postDeviceProperties() {
try {
//上报数据
//高级版 物模型-属性上报payload
System.out.println("上报属性值");
String payloadJson = "{\"params\":{\"FLO_Value\":90.1}}";
MqttMessage message = new MqttMessage(payloadJson.getBytes("utf-8"));
message.setQos(1);
mqttClient.publish(pubTopic, message);
} catch (Exception e) {
System.out.println(e.getMessage());
}
}
}- 3.5.5 运行效果
- 3.6 子设备动态注册
阿里云物联网平台网关子设备接入JAVA Sample
- 3.7 注意
设备激活后,不再支持通过动态注册获取devicesecret,如果要继续获取,需要服务端调用: ResetThing重置一下设备。
