Create a custom certificate handler for secure storage - Managed integrations for AWS IoT Device Management

This is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original takes precedence.

Create a custom certificate handler for secure storage

Device certificate management is critical when onboarding a managed integrations hub. Certificates are stored on the file system by default, but you can create a custom certificate handler for stronger security and more flexible credential management.

The managed integrations End device SDK provides a certificate handler for the secure storage interface, which you implement as a shared object (.so) library. Build a secure storage implementation that reads and writes certificates, then link the library file into the HubOnboarding process at runtime.

API definition and components

Review the following secure_storage_cert_handler_interface.hpp file to understand the API components and requirements for your implementation.

API definition

Contents of secure_storage_cert_handler_interface.hpp

/*
 * Copyright 2024 Amazon.com, Inc. or its affiliates. All rights reserved.
 *
 * AMAZON PROPRIETARY/CONFIDENTIAL
 *
 * You may not use this file except in compliance with the terms and
 * conditions set forth in the accompanying LICENSE.txt file.
 *
 * THESE MATERIALS ARE PROVIDED ON AN "AS IS" BASIS. AMAZON SPECIFICALLY
 * DISCLAIMS, WITH RESPECT TO THESE MATERIALS, ALL WARRANTIES, EXPRESS,
 * IMPLIED, OR STATUTORY, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
 */

#ifndef SECURE_STORAGE_CERT_HANDLER_INTERFACE_HPP
#define SECURE_STORAGE_CERT_HANDLER_INTERFACE_HPP

#include <iostream>
#include <memory>
#include <string>       // std::string, used by read_cert_and_private_key
#include <string_view>  // std::string_view, used by write_permanent_cert_and_private_key

namespace IoTManagedIntegrationsDevice {
namespace CertHandler {

/**
 * @enum CERT_TYPE_T
 * @brief enumeration defining certificate types.
 */
typedef enum {
    CLAIM = 0,
    DHA = 1,
    PERMANENT = 2
} CERT_TYPE_T;

class SecureStorageCertHandlerInterface {
public:
    /**
     * @brief Read certificate and private key value of a particular certificate
     * type from secure storage.
     */
    virtual bool read_cert_and_private_key(const CERT_TYPE_T cert_type,
                                           std::string &cert_value,
                                           std::string &private_key_value) = 0;

    /**
     * @brief Write permanent certificate and private key value to secure storage.
     */
    virtual bool write_permanent_cert_and_private_key(
        std::string_view cert_value, std::string_view private_key_value) = 0;
};

std::shared_ptr<SecureStorageCertHandlerInterface> createSecureStorageCertHandler();

} //namespace CertHandler
} //namespace IoTManagedIntegrationsDevice

#endif //SECURE_STORAGE_CERT_HANDLER_INTERFACE_HPP

Key components

  • CERT_TYPE_T - the different certificate types on the hub.

    • CLAIM - the claim certificate initially present on the hub, which is exchanged for a permanent certificate.

    • DHA - not currently used.

    • PERMANENT - the permanent certificate used to connect to the managed integrations endpoint.

  • read_cert_and_private_key - (function to be implemented) reads the certificate and key values into the reference parameters. This function must be able to read both CLAIM and PERMANENT certificates, distinguishing them by the certificate type above.

  • write_permanent_cert_and_private_key - (function to be implemented) writes the permanent certificate and key values to the desired location.

Example build

Keep the internal implementation headers separate from the public interface (secure_storage_cert_handler_interface.hpp) to maintain a clean project structure. This separation lets you manage the public and private components while building the certificate handler.

Note

Expose secure_storage_cert_handler_interface.hpp as the public header.

Project structure

(Figure: managed integrations certificate handler project structure.)

Inherit the interface

Create a concrete class that inherits the interface. Keep this header and the other private files under a separate directory so that private and public headers can be easily distinguished at build time.

#ifndef IOTMANAGEDINTEGRATIONSDEVICE_SDK_STUB_SECURE_STORAGE_CERT_HANDLER_HPP
#define IOTMANAGEDINTEGRATIONSDEVICE_SDK_STUB_SECURE_STORAGE_CERT_HANDLER_HPP

#include "secure_storage_cert_handler_interface.hpp"

namespace IoTManagedIntegrationsDevice::CertHandler {

class StubSecureStorageCertHandler : public SecureStorageCertHandlerInterface {
public:
    StubSecureStorageCertHandler() = default;

    bool read_cert_and_private_key(const CERT_TYPE_T cert_type,
                                   std::string &cert_value,
                                   std::string &private_key_value) override;

    bool write_permanent_cert_and_private_key(
        std::string_view cert_value, std::string_view private_key_value) override;

    /*
     * any other resource for function you might need
     */
};

}

#endif //IOTMANAGEDINTEGRATIONSDEVICE_SDK_STUB_SECURE_STORAGE_CERT_HANDLER_HPP

Implementation

Implement the storage class defined above in src/stub_secure_storage_cert_handler.cpp.

/*
 * Copyright 2024 Amazon.com, Inc. or its affiliates. All rights reserved.
 *
 * AMAZON PROPRIETARY/CONFIDENTIAL
 *
 * You may not use this file except in compliance with the terms and
 * conditions set forth in the accompanying LICENSE.txt file.
 *
 * THESE MATERIALS ARE PROVIDED ON AN "AS IS" BASIS. AMAZON SPECIFICALLY
 * DISCLAIMS, WITH RESPECT TO THESE MATERIALS, ALL WARRANTIES, EXPRESS,
 * IMPLIED, OR STATUTORY, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
 */

#include "stub_secure_storage_cert_handler.hpp"

using namespace IoTManagedIntegrationsDevice::CertHandler;

bool StubSecureStorageCertHandler::write_permanent_cert_and_private_key(
    std::string_view cert_value, std::string_view private_key_value) {
    // TODO: implement write function
    return true;
}

bool StubSecureStorageCertHandler::read_cert_and_private_key(const CERT_TYPE_T cert_type,
                                                             std::string &cert_value,
                                                             std::string &private_key_value) {
    // Stub: returns fixed placeholder values regardless of cert_type
    std::cout << "Using Stub Secure Storage Cert Handler, returning dummy values" << std::endl;
    cert_value = "StubCertVal";
    private_key_value = "StubKeyVal";
    // TODO: implement read function
    return true;
}

Implement the factory function declared in the interface in src/secure_storage_cert_handler.cpp.

#include "stub_secure_storage_cert_handler.hpp"

std::shared_ptr<IoTManagedIntegrationsDevice::CertHandler::SecureStorageCertHandlerInterface>
IoTManagedIntegrationsDevice::CertHandler::createSecureStorageCertHandler() {
    // TODO: replace with your implementation
    return std::make_shared<IoTManagedIntegrationsDevice::CertHandler::StubSecureStorageCertHandler>();
}
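The following is an added example and is not code from this page or from the managed integrations SDK. It fills in the two functions the stub above leaves as TODO with a file-backed implementation: the interface declarations are copied from the page, while the FileBackedSecureStorageCertHandler class, its directory layout (<base>/claim and <base>/permanent, each holding cert.pem and key.pem), the decision to refuse reads of the unused DHA type, the added virtual destructor, and the /var/lib/iotmi/certs path in the factory are all assumptions. It distinguishes CLAIM from PERMANENT by directory, writes the permanent private key with 0600 permissions through a temp-file-and-rename so a crash never leaves a half-written credential, and refuses to return a key whose file has become group- or world-readable.

```cpp
// Added example (not the page's or the SDK's code): file-backed
// SecureStorageCertHandlerInterface. Interface copied from the page; the
// FileBackedSecureStorageCertHandler class, its layout and the factory's
// default path are assumptions.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <fstream>
#include <memory>
#include <sstream>
#include <string>
#include <string_view>
#include <utility>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

namespace IoTManagedIntegrationsDevice::CertHandler {

typedef enum { CLAIM = 0, DHA = 1, PERMANENT = 2 } CERT_TYPE_T;

class SecureStorageCertHandlerInterface {
public:
    virtual ~SecureStorageCertHandlerInterface() = default;  // not in the page's header; added here
    virtual bool read_cert_and_private_key(const CERT_TYPE_T cert_type, std::string &cert_value,
                                           std::string &private_key_value) = 0;
    virtual bool write_permanent_cert_and_private_key(std::string_view cert_value,
                                                      std::string_view private_key_value) = 0;
};

// Assumed layout: <base>/claim/{cert.pem,key.pem} provisioned out of band,
// <base>/permanent/{cert.pem,key.pem} written by this handler.
class FileBackedSecureStorageCertHandler : public SecureStorageCertHandlerInterface {
public:
    explicit FileBackedSecureStorageCertHandler(std::string base_dir) : base_dir_(std::move(base_dir)) {}

    bool read_cert_and_private_key(const CERT_TYPE_T cert_type, std::string &cert_value,
                                   std::string &private_key_value) override {
        const char *type = type_dir(cert_type);
        if (type == nullptr) return false;  // DHA is unused on the page, so it is refused here
        const std::string key_path = path(type, "key.pem");
        if (!key_perms_ok(key_path)) return false;  // never hand out a group/world-readable key
        std::string cert, key;
        if (!read_file(path(type, "cert.pem"), cert) || !read_file(key_path, key)) return false;
        cert_value = cert;
        private_key_value = key;
        return true;
    }

    bool write_permanent_cert_and_private_key(std::string_view cert_value,
                                              std::string_view private_key_value) override {
        if (cert_value.empty() || private_key_value.empty()) return false;
        if (!ensure_dir(base_dir_) || !ensure_dir(base_dir_ + "/permanent")) return false;
        return write_atomic(path("permanent", "cert.pem"), cert_value, 0644) &&
               write_atomic(path("permanent", "key.pem"), private_key_value, 0600);
    }

private:
    std::string base_dir_;

    static const char *type_dir(CERT_TYPE_T t) {
        return t == CLAIM ? "claim" : t == PERMANENT ? "permanent" : nullptr;
    }
    std::string path(const char *type, const char *file) const {
        return base_dir_ + "/" + type + "/" + file;
    }
    static bool ensure_dir(const std::string &d) {
        return ::mkdir(d.c_str(), 0700) == 0 || errno == EEXIST;
    }
    static bool read_file(const std::string &p, std::string &out) {
        std::ifstream in(p, std::ios::binary);
        if (!in) return false;
        std::ostringstream ss;
        ss << in.rdbuf();
        out = ss.str();
        return !out.empty();
    }
    // The private key file must carry no group or other permission bits.
    static bool key_perms_ok(const std::string &p) {
        struct stat st {};
        return ::stat(p.c_str(), &st) == 0 && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
    }
    // Write to a temp file with the requested mode, fsync, then rename into place.
    static bool write_atomic(const std::string &p, std::string_view data, mode_t mode) {
        const std::string tmp = p + ".tmp";
        int fd = ::open(tmp.c_str(), O_WRONLY | O_CREAT | O_TRUNC, mode);
        if (fd < 0) return false;
        ::fchmod(fd, mode);  // umask may have narrowed the mode at open(); enforce it explicitly
        std::size_t off = 0;
        while (off < data.size()) {
            ssize_t n = ::write(fd, data.data() + off, data.size() - off);
            if (n <= 0) { ::close(fd); ::unlink(tmp.c_str()); return false; }
            off += static_cast<std::size_t>(n);
        }
        const bool synced = ::fsync(fd) == 0;
        ::close(fd);
        if (!synced || ::rename(tmp.c_str(), p.c_str()) != 0) { ::unlink(tmp.c_str()); return false; }
        return true;
    }
};

// Factory the HubOnboarding process calls; the base path is an assumption.
std::shared_ptr<SecureStorageCertHandlerInterface> createSecureStorageCertHandler() {
    return std::make_shared<FileBackedSecureStorageCertHandler>("/var/lib/iotmi/certs");
}

}  // namespace IoTManagedIntegrationsDevice::CertHandler
```

The permission check runs before the key is read, so a key that was loosened after provisioning is never loaded into the process; the write path creates the file 0600 from the start rather than tightening it afterwards, so there is no window in which another local user can read it.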

CMakeLists.txt

cmake_minimum_required(VERSION 3.10)

#project name must stay the same
project(SecureStorageCertHandler)

# Public Header files. The interface definition must be in top level with exactly the same name
#ie. Not in anotherDir/secure_storage_cert_handler_interface.hpp
set(PUBLIC_HEADERS
    ${PROJECT_SOURCE_DIR}/include
)
# The single public header file installed by the install rule below
set(HEADERS
    ${PROJECT_SOURCE_DIR}/include/secure_storage_cert_handler_interface.hpp
)

# private implementation headers.
set(PRIVATE_HEADERS
    ${PROJECT_SOURCE_DIR}/internal/stub
)

#set all sources
set(SOURCES
    ${PROJECT_SOURCE_DIR}/src/secure_storage_cert_handler.cpp
    ${PROJECT_SOURCE_DIR}/src/stub_secure_storage_cert_handler.cpp
)

# Create the shared library
add_library(${PROJECT_NAME} SHARED ${SOURCES})

# std::string_view in the interface requires C++17
target_compile_features(${PROJECT_NAME} PUBLIC cxx_std_17)

target_include_directories(
    ${PROJECT_NAME}
    PUBLIC ${PUBLIC_HEADERS}
    PRIVATE ${PRIVATE_HEADERS}
)

# Set the library output location. Location can be customized but version must stay the same
set_target_properties(${PROJECT_NAME} PROPERTIES
    LIBRARY_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/../lib
    VERSION 1.0
    SOVERSION 1
)

# Install rules
install(TARGETS ${PROJECT_NAME}
    LIBRARY DESTINATION lib
    ARCHIVE DESTINATION lib
)
install(FILES ${HEADERS}
    DESTINATION include/SecureStorageCertHandler
)

Usage

After compilation, you have a libSecureStorageCertHandler.so shared object library file and its associated symbolic links. Copy the library file and the symbolic links to the library location required by the HubOnboarding binary.

Important considerations

  • Verify that your user account has read and write permissions for the HubOnboarding binary and the libSecureStorageCertHandler.so library.

  • Keep secure_storage_cert_handler_interface.hpp as the only public header file. All other header files should remain in your private implementation.

  • Verify your shared object library name. Although the build produces libSecureStorageCertHandler.so, HubOnboarding might require a specific version in the file name, such as libSecureStorageCertHandler.so.1.0. Use the ldd command to check library dependencies and create symbolic links as needed.

  • If your shared library implementation has external dependencies, store them in a directory that HubOnboarding can access, such as /usr/lib or the iotmi_common directory.

Use secure storage

Update your iotmi_config.json file by setting both iot_claim_cert_path and iot_claim_pk_path to SECURE_STORAGE.

{
  "ro": {
    "iot_provisioning_method": "FLEET_PROVISIONING",
    "iot_claim_cert_path": "SECURE_STORAGE",
    "iot_claim_pk_path": "SECURE_STORAGE",
    "fp_template_name": "device-integration-example",
    "iot_endpoint_url": "[ACCOUNT-PREFIX]-ats.iot.AWS-REGION.amazonaws.com",
    "SN": "1234567890",
    "UPC": "1234567890"
  },
  "rw": {
    "iot_provisioning_state": "NOT_PROVISIONED"
  }
}