Merge pull request #2 from IoT-Technology/lesson13/ssl-encrypted

Lesson13/ssl encrypted merge to master

Author: sanshengshui

pom.xml

@@ -1,5 +1,5 @@
 <!--
-    Copyright © 2021 IOT Technical Guide - The MQTTv5 brokerAuthors
+    Copyright © 2021 IOT Technical Guide - The MQTT broker Authors
 
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
@@ -34,6 +34,7 @@
         <maven.compiler.source>8</maven.compiler.source>
         <maven.compiler.target>8</maven.compiler.target>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <docker.image.prefix>iot-technology</docker.image.prefix>
         <lombok.version>1.18.18</lombok.version>
         <mapstruct.version>1.3.1.Final</mapstruct.version>
         <spring-boot.version>2.3.12.RELEASE</spring-boot.version>
@@ -42,6 +43,8 @@
         <slf4j.version>1.7.32</slf4j.version>
         <logback.version>1.2.6</logback.version>
         <apache.commons-lang3.version>3.12.0</apache.commons-lang3.version>
+        <guava.version>30.0-jre</guava.version>
+        <bouncycastle.version>1.67</bouncycastle.version>
         <redisson.version>3.13.6</redisson.version>
     </properties>
 
@@ -100,6 +103,21 @@
                 <artifactId>commons-lang3</artifactId>
                 <version>${apache.commons-lang3.version}</version>
             </dependency>
+            <dependency>
+                <groupId>com.google.guava</groupId>
+                <artifactId>guava</artifactId>
+                <version>${guava.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bcprov-jdk15on</artifactId>
+                <version>${bouncycastle.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bcpkix-jdk15on</artifactId>
+                <version>${bouncycastle.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.springframework</groupId>
                 <artifactId>spring-context</artifactId>

server/pom.xml

@@ -1,4 +1,16 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Copyright © 2021 IOT Technical Guide - The MQTT broker Authors
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+        http://www.apache.org/licenses/LICENSE-2.0
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
 <project xmlns="http://maven.apache.org/POM/4.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
@@ -11,6 +23,7 @@
 
     <name>IoT Technology MQTT Broker :: Server</name>
     <artifactId>server</artifactId>
+    <packaging>jar</packaging>
 
     <properties>
         <maven.compiler.source>8</maven.compiler.source>
@@ -31,22 +44,67 @@
             <artifactId>spring-boot-starter-test</artifactId>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>io.netty</groupId>
-            <artifactId>netty-all</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
         </dependency>
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk15on</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcpkix-jdk15on</artifactId>
+        </dependency>
     </dependencies>
 
     <build>
         <plugins>
             <plugin>
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-maven-plugin</artifactId>
-                <version>2.3.12.RELEASE</version>
+                <version>${spring-boot.version}</version>
+                <configuration>
+                    <mainClass>iot.technology.mqtt.server.MQTTServerApplication</mainClass>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>repackage</id>
+                        <goals>
+                            <goal>repackage</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>com.spotify</groupId>
+                <artifactId>docker-maven-plugin</artifactId>
+                <version>1.0.0</version>
+                <dependencies>
+                    <dependency>
+                        <groupId>javax.activation</groupId>
+                        <artifactId>activation</artifactId>
+                        <version>1.1.1</version>
+                    </dependency>
+                </dependencies>
+                <configuration>
+                    <!--镜像名称-->
+                    <imageName>${docker.image.prefix}/mqtt-${project.artifactId}</imageName>
+                    <dockerDirectory>src/main/docker</dockerDirectory>
+                    <resources>
+                        <resource>
+                            <targetPath>/</targetPath>
+                            <!--jar 包所在目录，缺省为target-->
+                            <directory>${project.build.directory}</directory>
+                            <!--jar 包名，缺省为 $project.artifactId}-${project.version}-->
+                            <include>${project.build.finalName}.jar</include>
+                        </resource>
+                    </resources>
+                </configuration>
             </plugin>
         </plugins>
     </build>

server/src/main/docker/Dockerfile

@@ -0,0 +1,10 @@
+FROM alpine:3.10
+# 使用 JDK 8 环境为基础环境，如果镜像不是本地的将会从 DockerHub 进行下载
+FROM openjdk:8-jdk-alpine
+MAINTAINER mushuwei "lovewsic@gmail.com"
+# 在宿主机的 /var/lib/docker 目录下创建一个临时文件并把它链接到 tomcat 容器的工作目录 /tmp目录
+VOLUME /tmp
+# 复制文件并重命名 spring-boot-docker-1.0.jar 表示打包后的 jar 包名称
+ADD server-1.0-SNAPSHOT.jar iot-technology-mqtt-broker-1.0.jar
+# 为了缩短Tomcat启动时间，添加 java.security.egd 的系统属性指向 /dev/urandom 作为ENTRYPOINT
+ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/iot-technology-mqtt-broker-1.0.jar"]

server/src/main/java/iot/technology/mqtt/server/MqttServer.java

@@ -1,21 +1,13 @@
 package iot.technology.mqtt.server;
 
 import io.netty.bootstrap.ServerBootstrap;
-import io.netty.channel.Channel;
-import io.netty.channel.ChannelInitializer;
-import io.netty.channel.ChannelPipeline;
-import io.netty.channel.EventLoopGroup;
+import io.netty.channel.*;
 import io.netty.channel.nio.NioEventLoopGroup;
-import io.netty.channel.socket.SocketChannel;
 import io.netty.channel.socket.nio.NioServerSocketChannel;
-import io.netty.handler.codec.mqtt.MqttDecoder;
-import io.netty.handler.codec.mqtt.MqttEncoder;
 import io.netty.util.ResourceLeakDetector;
-import iot.technology.mqtt.server.protocol.MqttIdleStateHandler;
-import iot.technology.mqtt.server.protocol.ProtocolProcess;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
 import org.springframework.stereotype.Component;
 
 import javax.annotation.PostConstruct;
@@ -26,14 +18,23 @@
  * @author mushuwei
  */
 @Component
-@ConfigurationProperties(prefix = "mqtt")
+@ConditionalOnExpression("'${mqtt.enabled}'=='true'")
 @Slf4j
 public class MqttServer {
 	@Value("${mqtt.bind_address}")
 	private String host;
 	@Value("${mqtt.bind_port}")
 	private Integer port;
 
+	@Value("${mqtt.ssl.enabled}")
+	private boolean sslEnabled;
+
+	@Value("${mqtt.ssl.bind_address}")
+	private String sslHost;
+
+	@Value("${mqtt.ssl.bind_port}")
+	private Integer sslPort;
+
 	@Value("${mqtt.netty.leak_detector_level}")
 	private String leakDetectorLevel;
 	@Value("${mqtt.netty.boss_group_thread_count}")
@@ -43,10 +44,15 @@ public class MqttServer {
 	@Value("${mqtt.netty.max_payload_size}")
 	private Integer maxPayloadSize;
 
+	@Value("${mqtt.netty.so_keep_alive}")
+	private boolean keepAlive;
+
 	@Resource
-	private ProtocolProcess protocolProcess;
+	private MqttTransportContext context;
 
 	private Channel serverChannel;
+
+	private Channel sslServerChannel;
 	private EventLoopGroup bossGroup;
 	private EventLoopGroup workerGroup;
 
@@ -57,25 +63,25 @@ public void init() throws Exception {
 		ResourceLeakDetector.setLevel(ResourceLeakDetector.Level.valueOf(leakDetectorLevel.toUpperCase()));
 		log.info("Starting MQTT transport...");
 
-		log.info("Starting MQTT transport server");
 		bossGroup = new NioEventLoopGroup(bossGroupThreadCount);
 		workerGroup = new NioEventLoopGroup(workerGroupThreadCount);
 		ServerBootstrap b = new ServerBootstrap();
 		b.group(bossGroup, workerGroup)
 				.channel(NioServerSocketChannel.class)
-				.childHandler(new ChannelInitializer<SocketChannel>() {
-					@Override
-					protected void initChannel(SocketChannel socketChannel) throws Exception {
-						ChannelPipeline pipeline = socketChannel.pipeline();
-						pipeline.addLast("idle", new MqttIdleStateHandler());
-						pipeline.addLast("decoder", new MqttDecoder(maxPayloadSize));
-						pipeline.addLast("encoder", MqttEncoder.INSTANCE);
-						MqttTransportHandler handler = new MqttTransportHandler(protocolProcess);
-						pipeline.addLast(handler);
-					}
-				});
+				.childHandler(new MqttTransportServerInitializer(context, false))
+				.childOption(ChannelOption.SO_KEEPALIVE, keepAlive);
 
 		serverChannel = b.bind(host, port).sync().channel();
+		log.info("Mqtt started on {}", port);
+		if (sslEnabled) {
+			b = new ServerBootstrap();
+			b.group(bossGroup, workerGroup)
+					.channel(NioServerSocketChannel.class)
+					.childHandler(new MqttTransportServerInitializer(context, true))
+					.childOption(ChannelOption.SO_KEEPALIVE, keepAlive);
+			sslServerChannel = b.bind(sslHost, sslPort).sync().channel();
+			log.info("Mqtt TLS/SSL started on {}", sslPort);
+		}
 		log.info("Mqtt transport started!");
 	}
 
@@ -84,6 +90,9 @@ public void shutdown() throws InterruptedException {
 		log.info("Stopping MQTT transport!");
 		try {
 			serverChannel.close().sync();
+			if (sslEnabled) {
+				sslServerChannel.close().sync();
+			}
 		} finally {
 			workerGroup.shutdownGracefully();
 			bossGroup.shutdownGracefully();

server/src/main/java/iot/technology/mqtt/server/MqttSystemContext.java

@@ -1,6 +1,7 @@
 package iot.technology.mqtt.server;
 
 import iot.technology.mqtt.storage.session.service.SessionStoreService;
+import iot.technology.mqtt.storage.subscribe.service.SubscribeStoreService;
 import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Component;
@@ -11,10 +12,14 @@
  * @author mushuwei
  */
 @Slf4j
-@Component
+@Component("mqttSystemContext")
 public class MqttSystemContext {
 
 	@Getter
 	@Resource
 	private SessionStoreService sessionStoreService;
+
+	@Getter
+	@Resource
+	private SubscribeStoreService subscribeStoreService;
 }

server/src/main/java/iot/technology/mqtt/server/MqttTransportContext.java

@@ -0,0 +1,38 @@
+package iot.technology.mqtt.server;
+
+import io.netty.handler.ssl.SslHandler;
+import iot.technology.mqtt.server.protocol.ProtocolProcess;
+import iot.technology.mqtt.server.ssl.MqttSslHandlerProvider;
+import lombok.Getter;
+import lombok.Setter;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
+import org.springframework.stereotype.Component;
+
+@Slf4j
+@ConditionalOnExpression("'${mqtt.enabled}'=='true'")
+@Component
+public class MqttTransportContext {
+
+    @Getter
+    @Autowired(required = false)
+    private MqttSslHandlerProvider sslHandlerProvider;
+
+    @Getter
+    @Value("${mqtt.netty.max_payload_size}")
+    private Integer maxPayloadSize;
+
+    @Getter
+    @Setter
+    private SslHandler sslHandler;
+
+    @Getter
+    @Value("${transport.mqtt.timeout:10000}")
+    private long timeout;
+
+    @Getter
+    @Autowired(required = false)
+    private ProtocolProcess protocolProcess;
+}

server/src/main/java/iot/technology/mqtt/server/MqttTransportHandler.java

@@ -4,8 +4,6 @@
 import io.netty.channel.ChannelHandlerContext;
 import io.netty.channel.SimpleChannelInboundHandler;
 import io.netty.handler.codec.mqtt.MqttMessage;
-import iot.technology.mqtt.server.protocol.ProtocolProcess;
-import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 
 import java.io.IOException;
@@ -15,14 +13,17 @@
  */
 @Slf4j
 @ChannelHandler.Sharable
-@AllArgsConstructor
 public class MqttTransportHandler extends SimpleChannelInboundHandler<MqttMessage> {
 
-	private ProtocolProcess protocolProcess;
+	private final MqttTransportContext transportContext;
+
+	public MqttTransportHandler(MqttTransportContext transportContext) {
+		this.transportContext = transportContext;
+	}
 
 	@Override
 	protected void channelRead0(ChannelHandlerContext ctx, MqttMessage msg) throws Exception {
-		protocolProcess.process(ctx, msg);
+		transportContext.getProtocolProcess().process(ctx, msg);
 	}
 
 	@Override

server/src/main/java/iot/technology/mqtt/server/MqttTransportServerInitializer.java

@@ -0,0 +1,34 @@
+package iot.technology.mqtt.server;
+
+import io.netty.channel.ChannelInitializer;
+import io.netty.channel.ChannelPipeline;
+import io.netty.channel.socket.SocketChannel;
+import io.netty.handler.codec.mqtt.MqttDecoder;
+import io.netty.handler.codec.mqtt.MqttEncoder;
+import io.netty.handler.ssl.SslHandler;
+
+public class MqttTransportServerInitializer extends ChannelInitializer<SocketChannel> {
+
+    private final MqttTransportContext context;
+    private final boolean sslEnabled;
+
+    public MqttTransportServerInitializer(MqttTransportContext context, boolean sslEnabled) {
+         this.context = context;
+         this.sslEnabled = sslEnabled;
+    }
+
+    @Override
+    protected void initChannel(SocketChannel ch) throws Exception {
+        ChannelPipeline pipeline = ch.pipeline();
+        SslHandler sslHandler = null;
+        if (sslEnabled && context.getSslHandlerProvider() != null) {
+            sslHandler = context.getSslHandlerProvider().getSslHandler();
+            pipeline.addLast(sslHandler);
+        }
+        pipeline.addLast("decoder", new MqttDecoder(context.getMaxPayloadSize()));
+        pipeline.addLast("encoder", MqttEncoder.INSTANCE);
+
+        MqttTransportHandler handler = new MqttTransportHandler(context);
+        pipeline.addLast(handler);
+    }
+}

server/src/main/java/iot/technology/mqtt/server/protocol/PublishProcessor.java

@@ -1,11 +1,17 @@
 package iot.technology.mqtt.server.protocol;
 
+import io.netty.buffer.Unpooled;
 import io.netty.channel.Channel;
 import io.netty.handler.codec.mqtt.*;
 import io.netty.util.AttributeKey;
+import iot.technology.mqtt.server.MqttSystemContext;
+import iot.technology.mqtt.storage.subscribe.domain.SubscribeStore;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Component;
 
+import javax.annotation.Resource;
+import java.util.Map;
+
 /**
  * <pre>
  * **********************************************************************
@@ -30,6 +36,9 @@ public class PublishProcessor implements AbstractProtocolProcessor {
 	//剩余长度
 	private static final Integer REPLY_REMAINING_LENGTH = 2;
 
+	@Resource(name = "mqttSystemContext")
+	private MqttSystemContext mqttSystemContext;
+
 	@Override
 	public void processMqttProtocol(Channel channel, MqttMessage msg) {
 		String clientId = (String) channel.attr(AttributeKey.valueOf("clientId")).get();
@@ -41,18 +50,37 @@ public void processMqttProtocol(Channel channel, MqttMessage msg) {
 		 * qosLevel 消息级别
 		 */
 		MqttPublishVariableHeader mqttPubVariableHeader = mqttPubMessage.variableHeader();
+		String topicName = mqttPubVariableHeader.topicName();
 		byte[] messageBytes = new byte[mqttPubMessage.payload().readableBytes()];
 		mqttPubMessage.payload().getBytes(mqttPubMessage.payload().readerIndex(), messageBytes);
 		String messageStr = new String(messageBytes);
 		MqttQoS qosLevel = msg.fixedHeader().qosLevel();
-		log.info("clientId:{}, qos:{}, topicName:{}, message:{}", clientId, qosLevel, mqttPubVariableHeader.topicName(), messageStr);
+		log.info("clientId:{}, qos:{}, topicName:{}, message:{}", clientId, qosLevel, topicName, messageStr);
 
 		if (qosLevel == MqttQoS.AT_MOST_ONCE) {
 		} else if (qosLevel == MqttQoS.AT_LEAST_ONCE) {
 			this.sendPubAckMessage(channel, mqttPubVariableHeader.packetId());
 		} else if (qosLevel == MqttQoS.EXACTLY_ONCE) {
 			this.sendPubRecMessage(channel, mqttPubVariableHeader.packetId());
 		}
+		this.deliveryMessage(topicName, qosLevel, messageBytes, false, false);
+	}
+
+	private void deliveryMessage(String topic, MqttQoS mqttQoS, byte[] messageBytes, boolean retain, boolean dup) {
+		Map<String, SubscribeStore> subscribeStoreMap = mqttSystemContext.getSubscribeStoreService().search(topic);
+		for (Map.Entry<String, SubscribeStore> entry : subscribeStoreMap.entrySet()) {
+			SubscribeStore subscribeStore = entry.getValue();
+			//看某个设备是否存活，如果存活进行投递
+			if (mqttSystemContext.getSessionStoreService().containsKey(entry.getKey())) {
+				MqttQoS respQoS = mqttQoS.value() > subscribeStore.getMqttQoS() ? MqttQoS.valueOf(subscribeStore.getMqttQoS()) : mqttQoS;
+				MqttPublishMessage deliveryMessage = (MqttPublishMessage) MqttMessageFactory.newMessage(
+						new MqttFixedHeader(MqttMessageType.PUBLISH, dup, respQoS, retain, 0),
+						new MqttPublishVariableHeader(topic, 0),
+						Unpooled.buffer().writeBytes(messageBytes));
+				log.info("PUBLISH - clientId: {}, topic: {}, Qos: {}", subscribeStore.getClientId(), topic, respQoS.value());
+				mqttSystemContext.getSessionStoreService().get(entry.getKey()).getChannel().writeAndFlush(deliveryMessage);
+			}
+		}
 	}
 
 	private void sendPubAckMessage(Channel channel, int messageId) {

server/src/main/java/iot/technology/mqtt/server/protocol/SubScribeProcessor.java

@@ -3,10 +3,13 @@
 import io.netty.channel.Channel;
 import io.netty.handler.codec.mqtt.*;
 import io.netty.util.AttributeKey;
+import iot.technology.mqtt.server.MqttSystemContext;
+import iot.technology.mqtt.storage.subscribe.domain.SubscribeStore;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.stereotype.Service;
 
+import javax.annotation.Resource;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -17,6 +20,9 @@
 @Service("subscribeProcessor")
 public class SubScribeProcessor implements AbstractProtocolProcessor {
 
+	@Resource(name = "mqttSystemContext")
+	private MqttSystemContext mqttSystemContext;
+
 	@Override
 	public void processMqttProtocol(Channel channel, MqttMessage msg) {
 		MqttSubscribeMessage mqttSubMessage = (MqttSubscribeMessage) msg;
@@ -25,17 +31,22 @@ public void processMqttProtocol(Channel channel, MqttMessage msg) {
 			String clientId = (String) channel.attr(AttributeKey.valueOf("clientId")).get();
 			List<Integer> mqttQoSList = new ArrayList<Integer>();
 			for (MqttTopicSubscription mqttTopicSubscription : topicSubscriptions) {
-				String topicFilter = mqttTopicSubscription.topicName();
+				String topicName = mqttTopicSubscription.topicName();
 				MqttQoS mqttQoS = mqttTopicSubscription.qualityOfService();
 				mqttQoSList.add(mqttQoS.value());
 
+				SubscribeStore subscribeStore =
+						new SubscribeStore().setTopicName(topicName).setClientId(clientId).setMqttQoS(mqttQoS.value());
+				mqttSystemContext.getSubscribeStoreService().put(topicName, subscribeStore);
 			}
 			MqttSubAckMessage subAckMessage = (MqttSubAckMessage) MqttMessageFactory.newMessage(
 					new MqttFixedHeader(MqttMessageType.SUBACK, false, MqttQoS.AT_MOST_ONCE, false, 0),
 					MqttMessageIdVariableHeader.from(mqttSubMessage.variableHeader().messageId()),
 					new MqttSubAckPayload(mqttQoSList));
 			channel.writeAndFlush(subAckMessage);
 			log.info("SUBSCRIBE - clientId: {}, topicSubscriptions: {}", clientId, topicSubscriptions);
+		} else {
+			channel.close();
 		}
 	}
 

server/src/main/java/iot/technology/mqtt/server/protocol/UnSubScribeProcessor.java

@@ -3,9 +3,11 @@
 import io.netty.channel.Channel;
 import io.netty.handler.codec.mqtt.*;
 import io.netty.util.AttributeKey;
+import iot.technology.mqtt.server.MqttSystemContext;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Service;
 
+import javax.annotation.Resource;
 import java.util.List;
 
 /**
@@ -17,12 +19,19 @@
 @Service("unsubscribeProcessor")
 public class UnSubScribeProcessor implements AbstractProtocolProcessor {
 
+	@Resource(name = "mqttSystemContext")
+	private MqttSystemContext mqttSystemContext;
+
 	@Override
 	public void processMqttProtocol(Channel channel, MqttMessage msg) {
 		MqttUnsubscribeMessage mqttUnsubMessage = (MqttUnsubscribeMessage) msg;
 		String clinetId = (String) channel.attr(AttributeKey.valueOf("clientId")).get();
 		List<String> unSubTopics = mqttUnsubMessage.payload().topics();
-
+		if (!unSubTopics.isEmpty()) {
+			unSubTopics.forEach(topic -> {
+				mqttSystemContext.getSubscribeStoreService().remove(topic, clinetId);
+			});
+		}
 		MqttUnsubAckMessage unsubAckMessage = (MqttUnsubAckMessage) MqttMessageFactory.newMessage(
 				new MqttFixedHeader(MqttMessageType.UNSUBACK, false, MqttQoS.AT_MOST_ONCE, false, 2),
 				MqttMessageIdVariableHeader.from(mqttUnsubMessage.variableHeader().messageId()),

server/src/main/java/iot/technology/mqtt/server/ssl/AbstractSslCredentials.java

@@ -0,0 +1,194 @@
+package iot.technology.mqtt.server.ssl;
+
+import org.springframework.util.StringUtils;
+
+import javax.net.ssl.KeyManagerFactory;
+import java.security.KeyStore.PrivateKeyEntry;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.IOException;
+import java.security.*;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.*;
+
+public abstract class AbstractSslCredentials implements SslCredentials {
+
+    private char[] keyPasswordArray;
+
+    private KeyStore keyStore;
+
+    private PrivateKey privateKey;
+
+    private PublicKey publicKey;
+
+    private X509Certificate[] chain;
+
+    private X509Certificate[] trusts;
+
+    @Override
+    public void init(boolean trustsOnly) throws IOException, GeneralSecurityException {
+        String keyPassword = getKeyPassword();
+        if (StringUtils.isEmpty(keyPassword)) {
+            this.keyPasswordArray = new char[0];
+        } else {
+            this.keyPasswordArray = keyPassword.toCharArray();
+        }
+        this.keyStore = this.loadKeyStore(trustsOnly, this.keyPasswordArray);
+        Set<X509Certificate> trustedCerts = getTrustedCerts(this.keyStore, trustsOnly);
+        this.trusts = trustedCerts.toArray(new X509Certificate[0]);
+        if (!trustsOnly) {
+            PrivateKeyEntry privateKeyEntry = null;
+            String keyAlias = this.getKeyAlias();
+            if (!StringUtils.isEmpty(keyAlias)) {
+                privateKeyEntry = tryGetPrivateKeyEntry(this.keyStore, keyAlias, this.keyPasswordArray);
+            } else {
+                for (Enumeration<String> e = this.keyStore.aliases(); e.hasMoreElements(); ) {
+                    String alias = e.nextElement();
+                    privateKeyEntry = tryGetPrivateKeyEntry(this.keyStore, alias, this.keyPasswordArray);
+                    if (privateKeyEntry != null) {
+                        this.updateKeyAlias(alias);
+                        break;
+                    }
+                }
+            }
+            if (privateKeyEntry == null) {
+                throw new IllegalArgumentException("Failed to get private key from the keystore or pem files. " +
+                        "Please check if the private key exists in the keystore or pem files and if the provided private key password is valid.");
+            }
+            this.chain = asX509Certificates(privateKeyEntry.getCertificateChain());
+            this.privateKey = privateKeyEntry.getPrivateKey();
+            if (this.chain.length > 0) {
+                this.publicKey = this.chain[0].getPublicKey();
+            }
+        }
+
+    }
+
+    @Override
+    public KeyStore getKeyStore() {
+        return this.keyStore;
+    }
+
+    @Override
+    public PrivateKey getPrivateKey() {
+        return this.privateKey;
+    }
+
+    @Override
+    public PublicKey getPublicKey() {
+        return this.publicKey;
+    }
+
+    @Override
+    public X509Certificate[] getCertificateChain() {
+        return this.chain;
+    }
+
+    @Override
+    public X509Certificate[] getTrustedCertificates() {
+        return this.trusts;
+    }
+
+    @Override
+    public TrustManagerFactory createTrustManagerFactory() throws NoSuchAlgorithmException, KeyStoreException {
+        TrustManagerFactory tmFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        tmFactory.init(this.keyStore);
+        return tmFactory;
+    }
+
+    @Override
+    public KeyManagerFactory createKeyManagerFactory() throws NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException {
+        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+        kmf.init(this.keyStore, this.keyPasswordArray);
+        return kmf;
+    }
+
+    @Override
+    public String getValueFromSubjectNameByKey(String subjectName, String key) {
+        String[] dns = subjectName.split(",");
+        Optional<String> cn = (Arrays.stream(dns).filter(dn -> dn.contains(key + "="))).findFirst();
+        String value = cn.isPresent() ? cn.get().replace(key + "=", "") : null;
+        return StringUtils.isEmpty(value) ? null : value;
+    }
+
+    protected abstract boolean canUse();
+
+    protected abstract KeyStore loadKeyStore(boolean isPrivateKeyRequired, char[] keyPasswordArray) throws IOException, GeneralSecurityException;
+
+    protected abstract void updateKeyAlias(String keyAlias);
+
+    private static X509Certificate[] asX509Certificates(Certificate[] certificates) {
+        if (null == certificates || 0 == certificates.length) {
+            throw new IllegalArgumentException("certificates missing!");
+        }
+        X509Certificate[] x509Certificates = new X509Certificate[certificates.length];
+        for (int index = 0; certificates.length > index; ++index) {
+            if (null == certificates[index]) {
+                throw new IllegalArgumentException("[" + index + "] is null!");
+            }
+            try {
+                x509Certificates[index] = (X509Certificate) certificates[index];
+            } catch (ClassCastException e) {
+                throw new IllegalArgumentException("[" + index + "] is not a x509 certificate! Instead it's a "
+                        + certificates[index].getClass().getName());
+            }
+        }
+        return x509Certificates;
+    }
+
+    private static PrivateKeyEntry tryGetPrivateKeyEntry(KeyStore keyStore, String alias, char[] pwd) {
+        PrivateKeyEntry entry = null;
+        try {
+            if (keyStore.entryInstanceOf(alias, PrivateKeyEntry.class)) {
+                try {
+                    entry = (PrivateKeyEntry) keyStore
+                            .getEntry(alias, new KeyStore.PasswordProtection(pwd));
+                } catch (UnsupportedOperationException e) {
+                    PrivateKey key = (PrivateKey) keyStore.getKey(alias, pwd);
+                    Certificate[] certs = keyStore.getCertificateChain(alias);
+                    entry = new KeyStore.PrivateKeyEntry(key, certs);
+                }
+            }
+        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException e) {
+        }
+        return entry;
+    }
+
+    private static Set<X509Certificate> getTrustedCerts(KeyStore ks, boolean trustsOnly) {
+        Set<X509Certificate> set = new HashSet<>();
+        try {
+            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
+                String alias = e.nextElement();
+                if (ks.isCertificateEntry(alias)) {
+                    Certificate cert = ks.getCertificate(alias);
+                    if (cert instanceof X509Certificate) {
+                        if (trustsOnly) {
+                            // is CA certificate
+                            if (((X509Certificate) cert).getBasicConstraints() >= 0) {
+                                set.add((X509Certificate) cert);
+                            }
+                        } else {
+                            set.add((X509Certificate) cert);
+                        }
+                    }
+                } else if (ks.isKeyEntry(alias)) {
+                    Certificate[] certs = ks.getCertificateChain(alias);
+                    if ((certs != null) && (certs.length > 0) && (certs[0] instanceof X509Certificate)) {
+                        if (trustsOnly) {
+                            for (Certificate cert : certs) {
+                                // is CA certificate
+                                if (((X509Certificate) cert).getBasicConstraints() >= 0) {
+                                    set.add((X509Certificate) cert);
+                                }
+                            }
+                        } else {
+                            set.add((X509Certificate) certs[0]);
+                        }
+                    }
+
+                }
+            }
+        } catch (KeyStoreException ignored) {}
+        return Collections.unmodifiableSet(set);
+    }
+}

server/src/main/java/iot/technology/mqtt/server/ssl/KeystoreSslCredentials.java

@@ -0,0 +1,46 @@
+package iot.technology.mqtt.server.ssl;
+
+import iot.technology.mqtt.server.utils.ResourceUtils;
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+import org.springframework.util.StringUtils;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+
+@Data
+@EqualsAndHashCode(callSuper = false)
+public class KeystoreSslCredentials extends AbstractSslCredentials {
+
+    private String type;
+
+    private String storeFile;
+
+    private String storePassword;
+
+    private String keyPassword;
+
+    private String keyAlias;
+
+    @Override
+    protected boolean canUse() {
+        return ResourceUtils.resourceExists(this, this.storeFile);
+    }
+
+    @Override
+    protected KeyStore loadKeyStore(boolean isPrivateKeyRequired, char[] keyPasswordArray) throws IOException, GeneralSecurityException {
+        String keyStoreType = StringUtils.isEmpty(this.type) ? KeyStore.getDefaultType() : this.type;
+        KeyStore keyStore = KeyStore.getInstance(keyStoreType);
+        try (InputStream tsFileInputStream = ResourceUtils.getInputStream(this, this.storeFile)) {
+            keyStore.load(tsFileInputStream, StringUtils.isEmpty(this.storePassword) ? new char[0] : this.storePassword.toCharArray());
+        }
+        return keyStore;
+    }
+
+    @Override
+    protected void updateKeyAlias(String keyAlias) {
+        this.keyAlias = keyAlias;
+    }
+}

server/src/main/java/iot/technology/mqtt/server/ssl/MqttSslHandlerProvider.java

@@ -0,0 +1,133 @@
+package iot.technology.mqtt.server.ssl;
+
+import io.netty.handler.ssl.SslHandler;
+import iot.technology.mqtt.server.utils.EncryptionUtil;
+import iot.technology.mqtt.server.utils.SslUtil;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.stereotype.Component;
+import org.springframework.util.StringUtils;
+
+import javax.net.ssl.*;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * @author mushuwei
+ */
+@Slf4j
+@Component("mqttSslHandlerProvider")
+@ConditionalOnProperty(prefix = "mqtt.ssl", value = "enabled", havingValue = "true", matchIfMissing = false)
+public class MqttSslHandlerProvider {
+
+    @Value("${mqtt.ssl.protocol}")
+    private String sslProtocol;
+
+    @Bean
+    @ConfigurationProperties(prefix = "mqtt.ssl.credentials")
+    public SslCredentialsConfig mqttSslCredentials() {
+        return new SslCredentialsConfig("MQTT SSL Credentials", false);
+    }
+
+    @Autowired
+    @Qualifier("mqttSslCredentials")
+    private SslCredentialsConfig mqttSslCredentialsConfig;
+
+    private SSLContext sslContext;
+
+    public SslHandler getSslHandler() {
+        if (sslContext == null) {
+            sslContext = createSslContext();
+        }
+        SSLEngine sslEngine = sslContext.createSSLEngine();
+        sslEngine.setUseClientMode(false);
+        sslEngine.setNeedClientAuth(false);
+        sslEngine.setWantClientAuth(true);
+        sslEngine.setEnabledProtocols(sslEngine.getSupportedProtocols());
+        sslEngine.setEnabledCipherSuites(sslEngine.getSupportedCipherSuites());
+        sslEngine.setEnableSessionCreation(true);
+        return new SslHandler(sslEngine);
+    }
+
+    private SSLContext createSslContext() {
+        try {
+            SslCredentials sslCredentials = this.mqttSslCredentialsConfig.getCredentials();
+            TrustManagerFactory tmFactory = sslCredentials.createTrustManagerFactory();
+            KeyManagerFactory kmf = sslCredentials.createKeyManagerFactory();
+
+            KeyManager[] km = kmf.getKeyManagers();
+            TrustManager x509wrapped = getX509TrustManager(tmFactory);
+            TrustManager[] tm = {x509wrapped};
+            if (StringUtils.isEmpty(sslProtocol)) {
+                sslProtocol = "TLS";
+            }
+            SSLContext sslContext = SSLContext.getInstance(sslProtocol);
+            sslContext.init(km, tm, null);
+            return sslContext;
+        } catch (Exception e) {
+            log.error("Unable to set up SSL context. Reason: " + e.getMessage(), e);
+            throw new RuntimeException("Failed to get SSL context", e);
+        }
+    }
+
+    private TrustManager getX509TrustManager(TrustManagerFactory tmf) {
+        X509TrustManager x509Tm = null;
+        for (TrustManager tm : tmf.getTrustManagers()) {
+            if (tm instanceof X509TrustManager) {
+                x509Tm = (X509TrustManager) tm;
+                break;
+            }
+        }
+        return new MqttX509TrustManager(x509Tm);
+    }
+
+    static class MqttX509TrustManager implements X509TrustManager {
+
+        private final X509TrustManager trustManager;
+
+        MqttX509TrustManager(X509TrustManager trustManager) {
+            this.trustManager = trustManager;
+        }
+
+        @Override
+        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+           String credentialsBody = null;
+           for (X509Certificate cert : chain) {
+               try {
+                   String strCert = SslUtil.getCertificateString(cert);
+                   String sha3Hash = EncryptionUtil.getSha3Hash(strCert);
+                   final String[] credentialsBodyHolder = new String[1];
+                   CountDownLatch latch = new CountDownLatch(1);
+                   //TODO 处理业务逻辑
+                   latch.await(10, TimeUnit.SECONDS);
+                   if (strCert.equals(credentialsBodyHolder[0])) {
+                       credentialsBody = credentialsBodyHolder[0];
+                       break;
+                   }
+               } catch (InterruptedException e) {
+                   throw new RuntimeException(e);
+               }
+           }
+           if (credentialsBody == null) {
+               throw new CertificateException("Invalid Device Certificate");
+           }
+        }
+
+        @Override
+        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+            trustManager.checkServerTrusted(chain, authType);
+        }
+
+        @Override
+        public X509Certificate[] getAcceptedIssuers() {
+            return trustManager.getAcceptedIssuers();
+        }
+    }
+}

server/src/main/java/iot/technology/mqtt/server/ssl/PemSslCredentials.java

@@ -0,0 +1,129 @@
+package iot.technology.mqtt.server.ssl;
+
+import iot.technology.mqtt.server.utils.ResourceUtils;
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.PEMKeyPair;
+import org.bouncycastle.openssl.PEMDecryptorProvider;
+import org.bouncycastle.openssl.PEMEncryptedKeyPair;
+import org.springframework.util.StringUtils;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.Security;
+import java.security.cert.CertPath;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.stream.Collectors;
+
+@Data
+@EqualsAndHashCode(callSuper = false)
+public class PemSslCredentials extends AbstractSslCredentials {
+
+    public static final String DEFAULT_KEY_ALIAS = "server";
+
+    private String certFile;
+    private String keyFile;
+    private String keyPassword;
+
+    @Override
+    protected boolean canUse() {
+        return ResourceUtils.resourceExists(this, this.certFile);
+    }
+
+    @Override
+    protected KeyStore loadKeyStore(boolean trustsOnly, char[] keyPasswordArray) throws IOException, GeneralSecurityException {
+        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
+            Security.addProvider(new BouncyCastleProvider());
+        }
+        List<X509Certificate> certificates = new ArrayList<>();
+        PrivateKey privateKey = null;
+        JcaX509CertificateConverter certConverter = new JcaX509CertificateConverter();
+        JcaPEMKeyConverter keyConverter = new JcaPEMKeyConverter();
+        try (InputStream inStream = ResourceUtils.getInputStream(this, this.certFile)) {
+            try (PEMParser pemParser = new PEMParser(new InputStreamReader(inStream))) {
+                Object object;
+                while ((object = pemParser.readObject()) != null) {
+                    if (object instanceof X509CertificateHolder) {
+                        X509Certificate x509Cert = certConverter.getCertificate((X509CertificateHolder) object);
+                        certificates.add(x509Cert);
+                    } else if (object instanceof PEMEncryptedKeyPair) {
+                        PEMDecryptorProvider decProv = new JcePEMDecryptorProviderBuilder().build(keyPasswordArray);
+                        privateKey = keyConverter.getKeyPair(((PEMEncryptedKeyPair) object).decryptKeyPair(decProv)).getPrivate();
+                    } else if (object instanceof PEMKeyPair) {
+                        privateKey = keyConverter.getKeyPair((PEMKeyPair) object).getPrivate();
+                    } else if (object instanceof PrivateKeyInfo) {
+                        privateKey = keyConverter.getPrivateKey((PrivateKeyInfo) object);
+                    }
+                }
+            }
+        }
+        if (privateKey == null && !StringUtils.isEmpty(this.keyFile)) {
+            if (ResourceUtils.resourceExists(this, this.keyFile)) {
+                try (InputStream inStream = ResourceUtils.getInputStream(this, this.keyFile)) {
+                    try (PEMParser pemParser = new PEMParser(new InputStreamReader(inStream))) {
+                        Object object;
+                        while ((object = pemParser.readObject()) != null) {
+                            if (object instanceof PEMEncryptedKeyPair) {
+                                PEMDecryptorProvider decProv = new JcePEMDecryptorProviderBuilder().build(keyPasswordArray);
+                                privateKey = keyConverter.getKeyPair(((PEMEncryptedKeyPair) object).decryptKeyPair(decProv)).getPrivate();
+                                break;
+                            } else if (object instanceof PEMKeyPair) {
+                                privateKey = keyConverter.getKeyPair((PEMKeyPair) object).getPrivate();
+                                break;
+                            } else if (object instanceof PrivateKeyInfo) {
+                                privateKey = keyConverter.getPrivateKey((PrivateKeyInfo) object);
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        if (certificates.isEmpty()) {
+            throw new IllegalArgumentException("No certificates found in certFile: " + this.certFile);
+        }
+        if (privateKey == null && !trustsOnly) {
+            throw new IllegalArgumentException("Unable to load private key neither from certFile: " + this.certFile
+                    + " nor form keyFile: " + this.keyFile);
+        }
+        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+        keyStore.load(null);
+        if (trustsOnly) {
+            List<Certificate> unique = certificates.stream().distinct().collect(Collectors.toList());
+            for (int i = 0; i < unique.size(); i++) {
+                keyStore.setCertificateEntry("root-" + i, unique.get(i));
+            }
+        }
+        if (privateKey != null) {
+            CertificateFactory factory = CertificateFactory.getInstance("X.509");
+            CertPath certPath = factory.generateCertPath(certificates);
+            List<? extends Certificate> path = certPath.getCertificates();
+            Certificate[] x509Certificates = path.toArray(new Certificate[0]);
+            keyStore.setKeyEntry(DEFAULT_KEY_ALIAS, privateKey, keyPasswordArray, x509Certificates);
+        }
+        return keyStore;
+    }
+
+    @Override
+    protected void updateKeyAlias(String keyAlias) {
+    }
+
+    @Override
+    public String getKeyAlias() {
+        return DEFAULT_KEY_ALIAS;
+    }
+}

server/src/main/java/iot/technology/mqtt/server/ssl/SslCredentials.java

@@ -0,0 +1,32 @@
+package iot.technology.mqtt.server.ssl;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.IOException;
+import java.security.*;
+import java.security.cert.X509Certificate;
+
+public interface SslCredentials {
+
+    void init(boolean trustsOnly) throws IOException, GeneralSecurityException;
+
+    KeyStore getKeyStore();
+
+    String getKeyPassword();
+
+    String getKeyAlias();
+
+    PrivateKey getPrivateKey();
+
+    PublicKey getPublicKey();
+
+    X509Certificate[] getCertificateChain();
+
+    X509Certificate[] getTrustedCertificates();
+
+    TrustManagerFactory createTrustManagerFactory() throws NoSuchAlgorithmException, KeyStoreException;
+
+    KeyManagerFactory createKeyManagerFactory() throws NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException;
+
+    String getValueFromSubjectNameByKey(String subjectName, String key);
+}

server/src/main/java/iot/technology/mqtt/server/ssl/SslCredentialsConfig.java

@@ -0,0 +1,56 @@
+package iot.technology.mqtt.server.ssl;
+
+import lombok.Data;
+import lombok.extern.slf4j.Slf4j;
+
+import javax.annotation.PostConstruct;
+
+@Slf4j
+@Data
+public class SslCredentialsConfig {
+
+    private boolean enabled = true;
+
+    private SslCredentialsType type;
+
+    private PemSslCredentials pem;
+
+    private KeystoreSslCredentials keystore;
+
+    private SslCredentials credentials;
+
+    private final String name;
+
+    private final boolean trustsOnly;
+
+    public SslCredentialsConfig(String name, boolean trustsOnly) {
+        this.name = name;
+        this.trustsOnly = trustsOnly;
+    }
+
+    @PostConstruct
+    public void init() {
+        if (this.enabled) {
+            log.info("{}: Initializing SSL credentials.", name);
+            if (SslCredentialsType.PEM.equals(type) && pem.canUse()) {
+                this.credentials = this.pem;
+            } else if (keystore.canUse()) {
+                if (SslCredentialsType.PEM.equals(type)) {
+                    log.warn("{}: Specified PEM configuration is not valid. Using SSL keystore configuration as fallback.", name);
+                }
+                this.credentials = this.keystore;
+            } else {
+                throw new RuntimeException(name + ": Invalid SSL credentials configuration. None of the PEM or KEYSTORE configurations can be used!");
+            }
+            try {
+                this.credentials.init(this.trustsOnly);
+            } catch (Exception e) {
+               throw new RuntimeException(name + ": Failed to init SSL credentials configuration.", e);
+            }
+        } else {
+            log.info("{}: Skipping initialization of disabled SSL credentials.", name);
+        }
+    }
+
+
+}

server/src/main/java/iot/technology/mqtt/server/ssl/SslCredentialsType.java

@@ -0,0 +1,8 @@
+package iot.technology.mqtt.server.ssl;
+
+public enum SslCredentialsType {
+
+    PEM,
+
+    KEYSTORE
+}

server/src/main/java/iot/technology/mqtt/server/utils/EncryptionUtil.java

@@ -0,0 +1,46 @@
+package iot.technology.mqtt.server.utils;
+
+import lombok.extern.slf4j.Slf4j;
+import org.bouncycastle.crypto.digests.SHA3Digest;
+import org.bouncycastle.pqc.math.linearalgebra.ByteUtils;
+
+@Slf4j
+public class EncryptionUtil {
+
+    private EncryptionUtil() {
+
+    }
+
+    public static String certTrimNewLines(String input) {
+        return input.replaceAll("-----BEGIN CERTIFICATE-----", "")
+                .replaceAll("\n", "")
+                .replaceAll("\r", "")
+                .replaceAll("-----END CERTIFICATE-----", "");
+    }
+
+    public static String pubkTrimNewLines(String input) {
+        return input.replaceAll("-----BEGIN PUBLIC KEY-----", "")
+                .replaceAll("\n", "")
+                .replaceAll("\r", "")
+                .replaceAll("-----END PUBLIC KEY-----", "");
+    }
+
+    public static String prikTrimNewLines(String input) {
+        return input.replaceAll("-----BEGIN EC PRIVATE KEY-----", "")
+                .replaceAll("\n", "")
+                .replaceAll("\r", "")
+                .replaceAll("-----END EC PRIVATE KEY-----", "");
+    }
+
+    public static String getSha3Hash(String data) {
+        String trimmedData = certTrimNewLines(data);
+        byte[] dataBytes = trimmedData.getBytes();
+        SHA3Digest md = new SHA3Digest(256);
+        md.reset();
+        md.update(dataBytes, 0 , dataBytes.length);
+        byte[] hashedBytes = new byte[256 / 8];
+        md.doFinal(hashedBytes, 0);
+        String sha3Hash = ByteUtils.toHexString(hashedBytes);
+        return sha3Hash;
+    }
+}

server/src/main/java/iot/technology/mqtt/server/utils/ResourceUtils.java

@@ -0,0 +1,89 @@
+package iot.technology.mqtt.server.utils;
+
+
+import com.google.common.io.Resources;
+import lombok.extern.slf4j.Slf4j;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.InputStream;
+import java.net.URI;
+import java.net.URL;
+
+@Slf4j
+public class ResourceUtils {
+
+    public static final String CLASSPATH_URL_PREFIX = "classpath:";
+
+    public static boolean resourceExists(Object classLoaderSource, String filePath) {
+        return resourceExists(classLoaderSource.getClass().getClassLoader(), filePath);
+    }
+
+    public static boolean resourceExists(ClassLoader classLoader, String filePath) {
+        boolean classPathResource = false;
+        String path = filePath;
+        if (path.startsWith(CLASSPATH_URL_PREFIX)) {
+            path = path.substring(CLASSPATH_URL_PREFIX.length());
+            classPathResource = true;
+        }
+        if (!classPathResource) {
+            File resourceFile = new File(path);
+            if (resourceFile.exists()) {
+                return true;
+            }
+        }
+        InputStream classPathStream = classLoader.getResourceAsStream(path);
+        if (classPathStream != null) {
+            return true;
+        } else {
+            try {
+                URL url = Resources.getResource(path);
+                if (url != null) {
+                    return true;
+                }
+            } catch (IllegalArgumentException e) {}
+        }
+        return false;
+    }
+
+    public static InputStream getInputStream(Object classLoaderSource, String filePath) {
+        return getInputStream(classLoaderSource.getClass().getClassLoader(), filePath);
+    }
+
+    public static InputStream getInputStream(ClassLoader classLoader, String filePath) {
+        boolean classPathResource = false;
+        String path = filePath;
+        if (path.startsWith(CLASSPATH_URL_PREFIX)) {
+            path = path.substring(CLASSPATH_URL_PREFIX.length());
+            classPathResource = true;
+        }
+        try {
+            if (!classPathResource) {
+                File resourceFile = new File(path);
+                if (resourceFile.exists()) {
+                    log.info("Reading resource data from file {}", filePath);
+                    return new FileInputStream(resourceFile);
+                }
+            }
+            InputStream classPathStream = classLoader.getResourceAsStream(path);
+            if (classPathStream != null) {
+                log.info("Reading resource data from class path {}", filePath);
+                return classPathStream;
+            } else {
+                URL url = Resources.getResource(path);
+                if (url != null) {
+                    URI uri = url.toURI();
+                    log.info("Reading resource data from URI {}", filePath);
+                    return new FileInputStream(new File(uri));
+                }
+            }
+        } catch (Exception e) {
+            if (e instanceof NullPointerException) {
+                log.warn("Unable to find resource: " + filePath);
+            } else {
+                log.warn("Unable to find resource: " + filePath, e);
+            }
+        }
+        throw new RuntimeException("Unable to find resource: " + filePath);
+    }
+}

server/src/main/java/iot/technology/mqtt/server/utils/SslUtil.java

@@ -0,0 +1,21 @@
+package iot.technology.mqtt.server.utils;
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.util.Base64Utils;
+
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+
+@Slf4j
+public class SslUtil {
+
+    private SslUtil() {
+
+    }
+
+    public static String getCertificateString(Certificate cert)
+            throws CertificateEncodingException {
+        return EncryptionUtil.certTrimNewLines(Base64Utils.encodeToString(cert.getEncoded()));
+
+    }
+}

server/src/main/resources/application.yml

@@ -2,14 +2,51 @@ server:
   port: 8088
 
 mqtt:
+  # Enable/disable mqtt transport protocol.
   enabled: true
   bind_address: 0.0.0.0
   bind_port: 1883
+  timeout: 10000
   netty:
     leak_detector_level: DISABLED
     boss_group_thread_count: 1
     worker_group_thread_count: 8
     max_payload_size: 65536
+    so_keep_alive: false
+  # MQTT SSL configuration
+  ssl:
+    # Enable/disable SSL support
+    enabled: false
+    # MQTT SSL bind address
+    bind_address: 0.0.0.0
+    # MQTT SSL bind port
+    bind_port: 8883
+    # SSL protocol: See https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#sslcontext-algorithms
+    protocol: TLSv1.2
+    # Server SSL credentials
+    credentials:
+      # Server credentials type (PEM - pem certificate file; KEYSTORE - java keystore)
+      type: PEM
+      # PEM server credentials
+      pem:
+        # Path to the server certificate file (holds server certificate or certificate chain, may include server private key)
+        cert_file: mqttsrver.pem
+        # Path to the server certificate private key file. Optional by default. Required if the private key is not present in server certificate file;
+        key_file: mqttserver_key.pem
+        # Server certificate private key password (optional)
+        key_password: server_key_password
+      # Keystore server credentials
+      keystore:
+        # Type of the key store (JKS or PKCS12)
+        type: JKS
+        # Path to the key store that holds the SSL certificate
+        store_file: mqttserver.jks
+        # Password used to access the key store
+        store_password: server_ks_password
+        # Optional alias of the private key; If not set, the platform will load the first private key from the keystore;
+        key_alias:
+        # Optional password to access the private key, If not set, the platform will attempt to load the private keys that are not protected with the password;
+        key_password: server_key_password
 
 
 spring:

server/src/test/java/iot/technology/mqtt/server/MQTTRedissonApplicationTests.java

@@ -1,7 +1,7 @@
 package iot.technology.mqtt.server;
 
 import iot.technology.mqtt.server.domain.Book;
-import iot.technology.mqtt.storage.session.cache.CacheManager;
+import iot.technology.mqtt.storage.cache.CacheManager;
 import lombok.extern.slf4j.Slf4j;
 import org.junit.Test;
 import org.junit.runner.RunWith;

server/target/classes/iot/technology/mqtt/server/MQTTServerApplication.class

@@ -1,4 +1,16 @@
-<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Copyright © 2021 IOT Technical Guide - The MQTT broker Authors
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+        http://www.apache.org/licenses/LICENSE-2.0
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
 <project xmlns="http://maven.apache.org/POM/4.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

storage/pom.xml

@@ -0,0 +1,11 @@
+package iot.technology.mqtt.storage.cache;
+
+/**
+ * @author mushuwei
+ */
+public interface CacheConst {
+
+	public static final String SUBSRIBE_PRE = "itmb_subscribe_";
+	public static final String CLIENT_PRE = "itmb_client_";
+
+}

storage/src/main/java/iot/technology/mqtt/storage/cache/CacheConst.java

@@ -1,4 +1,4 @@
-package iot.technology.mqtt.storage.session.cache;
+package iot.technology.mqtt.storage.cache;
 
 import java.util.List;
 import java.util.Map;
@@ -85,6 +85,25 @@ public interface CacheManager {
 	 * @return 字典键值集合
 	 */
 	Map<String, Object> getAllHashCache(String key);
+
+	/**
+	 * 检查某字典是否包含该字典键
+	 *
+	 * @param key    键
+	 * @param mapKey 字典键
+	 * @return
+	 */
+	Boolean containHashKey(String key, String mapKey);
+
+
+	/**
+	 * 删除某字典某字典键
+	 *
+	 * @param key    键
+	 * @param mapKey 字典键
+	 * @return
+	 */
+	Boolean removeHashKey(String key, String mapKey);
 	//******hash(字典) 操作 end
 
 
@@ -117,6 +136,9 @@ public interface CacheManager {
 	 */
 	Boolean existsSetCache(String key, Object value);
 
+
+	Boolean removeSetCache(String key, Object value);
+
 	/**
 	 * 批量获取set列表
 	 *

storage/src/main/java/iot/technology/mqtt/storage/session/cache/CacheManager.java storage/src/main/java/iot/technology/mqtt/storage/cache/CacheManager.java

@@ -1,4 +1,4 @@
-package iot.technology.mqtt.storage.session.cache;
+package iot.technology.mqtt.storage.cache;
 
 import org.redisson.api.*;
 import org.springframework.stereotype.Service;
@@ -76,6 +76,19 @@ public Map<String, Object> getAllHashCache(String key) {
 		return hashMap;
 	}
 
+	@Override
+	public Boolean containHashKey(String key, String mapKey) {
+		RMap<String, Object> cache = redissonClient.getMap(key);
+		return cache.containsKey(mapKey);
+	}
+
+	@Override
+	public Boolean removeHashKey(String key, String mapKey) {
+		RMap<String, Object> cache = redissonClient.getMap(key);
+		cache.remove(mapKey);
+		return Boolean.TRUE;
+	}
+
 	@Override
 	public Boolean addSetCache(String key, Object value) {
 		RSet<Object> cache = redissonClient.getSet(key);
@@ -95,6 +108,12 @@ public Boolean existsSetCache(String key, Object value) {
 		return cache.contains(value);
 	}
 
+	@Override
+	public Boolean removeSetCache(String key, Object value) {
+		RSet<Object> cache = redissonClient.getSet(key);
+		return cache.remove(value);
+	}
+
 	@Override
 	public Set<Object> getAllSetCache(String key) {
 		RSet<Object> cache = redissonClient.getSet(key);

storage/src/main/java/iot/technology/mqtt/storage/session/cache/RedissonClientService.java storage/src/main/java/iot/technology/mqtt/storage/cache/RedissonClientService.java

@@ -0,0 +1,61 @@
+package iot.technology.mqtt.storage.manager;
+
+import iot.technology.mqtt.storage.cache.CacheManager;
+import iot.technology.mqtt.storage.subscribe.domain.SubscribeStore;
+import org.springframework.stereotype.Service;
+
+import javax.annotation.Resource;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import static iot.technology.mqtt.storage.cache.CacheConst.CLIENT_PRE;
+import static iot.technology.mqtt.storage.cache.CacheConst.SUBSRIBE_PRE;
+
+/**
+ * @author mushuwei
+ */
+@Service("subscribeManager")
+public class SubscribeCacheManager {
+
+	@Resource(name = "redissonClientService")
+	private CacheManager cacheManager;
+
+	public SubscribeStore put(String topic, String clientId, SubscribeStore subscribeStore) {
+		cacheManager.putHashCache(SUBSRIBE_PRE + topic, clientId, subscribeStore);
+		cacheManager.addSetCache(CLIENT_PRE + clientId, topic);
+		return subscribeStore;
+	}
+
+	public SubscribeStore get(String topic, String clientId) {
+		return (SubscribeStore) cacheManager.getHashCache(SUBSRIBE_PRE + topic, clientId);
+	}
+
+	public Boolean topicContainClient(String topic, String clientId) {
+		return cacheManager.containHashKey(SUBSRIBE_PRE + topic, clientId);
+	}
+
+	public Boolean removeClientOfTopic(String topic, String clientId) {
+		cacheManager.removeSetCache(CLIENT_PRE + clientId, topic);
+		return cacheManager.removeHashKey(SUBSRIBE_PRE + topic, clientId);
+	}
+
+	public Boolean removeClient(String clientId) {
+		Set<Object> topicLists = cacheManager.getAllSetCache(CLIENT_PRE + clientId);
+		topicLists.forEach(topic -> {
+			cacheManager.removeHashKey(SUBSRIBE_PRE + topic, CLIENT_PRE + clientId);
+		});
+		cacheManager.deleteStringCache(clientId);
+		return Boolean.TRUE;
+	}
+
+	public Map<String, SubscribeStore> getSubscribeStoreMapByTopic(String topic) {
+		Map<String, SubscribeStore> resultMap = new HashMap<>();
+		Map<String, Object> cacheMap = cacheManager.getAllHashCache(SUBSRIBE_PRE + topic);
+		for (Map.Entry<String, Object> entry : cacheMap.entrySet()) {
+			resultMap.put(entry.getKey(), (SubscribeStore) entry.getValue());
+		}
+		return resultMap;
+	}
+
+}

storage/src/main/java/iot/technology/mqtt/storage/manager/SubscribeCacheManager.java

@@ -0,0 +1,24 @@
+package iot.technology.mqtt.storage.subscribe.domain;
+
+import lombok.Getter;
+import lombok.Setter;
+import lombok.experimental.Accessors;
+
+import java.io.Serializable;
+
+/**
+ * @author mushuwei
+ */
+@Getter
+@Setter
+@Accessors(chain = true)
+public class SubscribeStore implements Serializable {
+
+	private static final long serialVersionUID = 1276156087085594264L;
+
+	private String clientId;
+
+	private String topicName;
+
+	private int mqttQoS;
+}

storage/src/main/java/iot/technology/mqtt/storage/subscribe/domain/SubscribeStore.java

@@ -0,0 +1,44 @@
+package iot.technology.mqtt.storage.subscribe.service;
+
+import iot.technology.mqtt.storage.subscribe.domain.SubscribeStore;
+
+import java.util.Map;
+
+/**
+ * @author mushuwei
+ * @description 订阅存储服务接口
+ */
+public interface SubscribeStoreService {
+
+	/**
+	 * 存储订阅
+	 *
+	 * @param topicName      主题名
+	 * @param subscribeStore 订阅元数据
+	 */
+	void put(String topicName, SubscribeStore subscribeStore);
+	
+
+	/**
+	 * 删除某主题下对应的客户端订阅
+	 *
+	 * @param topicName 主题名
+	 * @param clientId  客户端编号
+	 */
+	void remove(String topicName, String clientId);
+
+	/**
+	 * 删除某客户端编号对应的所有topic订阅
+	 *
+	 * @param clientId
+	 */
+	void removeTopicByClientId(String clientId);
+
+	/**
+	 * 获取某topic下的订阅集合
+	 *
+	 * @param topicName 主题名
+	 * @return 订阅集合
+	 */
+	Map<String, SubscribeStore> search(String topicName);
+}

storage/src/main/java/iot/technology/mqtt/storage/subscribe/service/SubscribeStoreService.java

@@ -0,0 +1,39 @@
+package iot.technology.mqtt.storage.subscribe.service.impl;
+
+import iot.technology.mqtt.storage.manager.SubscribeCacheManager;
+import iot.technology.mqtt.storage.subscribe.domain.SubscribeStore;
+import iot.technology.mqtt.storage.subscribe.service.SubscribeStoreService;
+import org.springframework.stereotype.Service;
+
+import javax.annotation.Resource;
+import java.util.Map;
+
+/**
+ * @author mushuwei
+ */
+@Service("subscribeStoreService")
+public class SubscribeStoreServiceImpl implements SubscribeStoreService {
+
+	@Resource
+	private SubscribeCacheManager cacheManager;
+
+	@Override
+	public void put(String topicName, SubscribeStore subscribeStore) {
+		cacheManager.put(topicName, subscribeStore.getClientId(), subscribeStore);
+	}
+
+	@Override
+	public void remove(String topicName, String clientId) {
+		cacheManager.removeClientOfTopic(topicName, clientId);
+	}
+
+	@Override
+	public void removeTopicByClientId(String clientId) {
+		cacheManager.removeClient(clientId);
+	}
+
+	@Override
+	public Map<String, SubscribeStore> search(String topicName) {
+		return cacheManager.getSubscribeStoreMapByTopic(topicName);
+	}
+}