

This is a machine-translated version. If this translation differs from the English original, the English original prevails.

# Create a custom certificate handler for secure storage
<a name="managedintegrations-sdk-v2-cookbook-certhandler"></a>

Device certificate management is critical when onboarding a managed integrations hub. By default the certificates are stored on the file system, but you can create a custom certificate handler to strengthen security and manage credentials more flexibly (for example, by keeping the private keys in a secure element or another protected store).

The managed integrations End device SDK defines a certificate handler interface for secure storage that you implement as a shared object (.so) library. Build your secure storage implementation to read and write the certificates, then link the library file into the HubOnboarding process at run time.

## API definition and components
<a name="managedintegrations-sdk-v2-cookbook-certhandler-api"></a>

Review the following `secure_storage_cert_handler_interface.hpp` file to understand the API components and the requirements your implementation must meet.

**Topics**
+ [API definition](#managedintegrations-sdk-v2-cookbook-certhandler-apidef)
+ [Key components](#managedintegrations-sdk-v2-cookbook-certhandler-apicomp)

### API definition
<a name="managedintegrations-sdk-v2-cookbook-certhandler-apidef"></a>

**Contents of `secure_storage_cert_handler_interface.hpp`**

```
/*
 * Copyright 2024 Amazon.com, Inc. or its affiliates. All rights reserved.
 *
 * AMAZON PROPRIETARY/CONFIDENTIAL
 *
 * You may not use this file except in compliance with the terms and
 * conditions set forth in the accompanying LICENSE.txt file.
 *
 * THESE MATERIALS ARE PROVIDED ON AN "AS IS" BASIS. AMAZON SPECIFICALLY
 * DISCLAIMS, WITH RESPECT TO THESE MATERIALS, ALL WARRANTIES, EXPRESS,
 * IMPLIED, OR STATUTORY, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
 */
#ifndef SECURE_STORAGE_CERT_HANDLER_INTERFACE_HPP
#define SECURE_STORAGE_CERT_HANDLER_INTERFACE_HPP

#include <iostream>
#include <memory>
#include <string>       // std::string, used by read_cert_and_private_key
#include <string_view>  // std::string_view (C++17), used by write_permanent_cert_and_private_key

namespace IoTManagedIntegrationsDevice {
namespace CertHandler {
/**
 * @enum CERT_TYPE_T
 * @brief enumeration defining certificate types.
 */
typedef enum { CLAIM = 0, DHA = 1, PERMANENT = 2 } CERT_TYPE_T;

class SecureStorageCertHandlerInterface {
 public:
  /**
   * @brief Read certificate and private key value of a particular certificate
   * type from secure storage.
   */
  virtual bool read_cert_and_private_key(const CERT_TYPE_T cert_type,
                                         std::string &cert_value,
                                         std::string &private_key_value) = 0;
  /**
   * @brief Write permanent certificate and private key value to secure storage.
   */
  virtual bool write_permanent_cert_and_private_key(
      std::string_view cert_value, std::string_view private_key_value) = 0;
};

/** Factory that HubOnboarding calls to obtain the handler; your library must define it. */
std::shared_ptr<SecureStorageCertHandlerInterface> createSecureStorageCertHandler();
} // namespace CertHandler
} // namespace IoTManagedIntegrationsDevice

#endif // SECURE_STORAGE_CERT_HANDLER_INTERFACE_HPP
```

### Key components
<a name="managedintegrations-sdk-v2-cookbook-certhandler-apicomp"></a>
+ CERT\_TYPE\_T: the different types of certificates on the hub.
  + CLAIM: the claim certificate initially present on the hub, which is exchanged for a permanent certificate during provisioning.
  + DHA: currently unused.
  + PERMANENT: the permanent certificate used to connect to the managed integrations endpoint.
+ read\_cert\_and\_private\_key (function to implement): reads the certificate and private key values into the reference arguments. This function must be able to read both the CLAIM and the PERMANENT certificate, and must select the right one from the `cert_type` argument described above.
+ write\_permanent\_cert\_and\_private\_key (function to implement): writes the permanent certificate and private key values to the location you choose. Both functions return `true` on success and `false` on failure.

## Example build
<a name="managedintegrations-sdk-v2-cookbook-exbuild"></a>

Keep the internal implementation headers separate from the public interface (`secure_storage_cert_handler_interface.hpp`) to maintain a clean project structure. This separation lets you manage the public and private components independently while building the certificate handler.

**Note**  
Declare `secure_storage_cert_handler_interface.hpp` as public.

**Topics**
+ [Project structure](#managedintegrations-sdk-v2-cookbook-proj)
+ [Inherit the interface](#managedintegrations-sdk-v2-cookbook-interface)
+ [Implementation](#managedintegrations-sdk-v2-cookbook-interimpl)
+ [CMakeLists.txt](#managedintegrations-sdk-v2-cookbook-cmakelist)

### Project structure
<a name="managedintegrations-sdk-v2-cookbook-proj"></a>

![Project structure of the managed integrations certificate handler.](http://docs.aws.amazon.com/zh_cn/iot-mi/latest/devguide/images/iot-managedintegrations-cert-handler-projstruct.png)


### Inherit the interface
<a name="managedintegrations-sdk-v2-cookbook-interface"></a>

Create a concrete class that inherits from the interface. Keep this header and any other private files in a separate directory (`internal/stub` in the example project) so that private and public headers are easy to tell apart at build time.

```
#ifndef IOTMANAGEDINTEGRATIONSDEVICE_SDK_STUB_SECURE_STORAGE_CERT_HANDLER_HPP
#define IOTMANAGEDINTEGRATIONSDEVICE_SDK_STUB_SECURE_STORAGE_CERT_HANDLER_HPP

#include <string>
#include <string_view>

#include "secure_storage_cert_handler_interface.hpp"

namespace IoTManagedIntegrationsDevice::CertHandler {

// Concrete handler; replace the stub bodies with your secure storage access.
class StubSecureStorageCertHandler : public SecureStorageCertHandlerInterface {
 public:
  StubSecureStorageCertHandler() = default;

  bool read_cert_and_private_key(const CERT_TYPE_T cert_type,
                                 std::string &cert_value,
                                 std::string &private_key_value) override;

  bool write_permanent_cert_and_private_key(
      std::string_view cert_value, std::string_view private_key_value) override;

  /*
   * Any other members or resources your implementation needs go here.
   */
};

} // namespace IoTManagedIntegrationsDevice::CertHandler

#endif // IOTMANAGEDINTEGRATIONSDEVICE_SDK_STUB_SECURE_STORAGE_CERT_HANDLER_HPP
```

### Implementation
<a name="managedintegrations-sdk-v2-cookbook-interimpl"></a>

Implement the storage class defined above in `src/stub_secure_storage_cert_handler.cpp`.

```
/*
 * Copyright 2024 Amazon.com, Inc. or its affiliates. All rights reserved.
 *
 * AMAZON PROPRIETARY/CONFIDENTIAL
 *
 * You may not use this file except in compliance with the terms and
 * conditions set forth in the accompanying LICENSE.txt file.
 *
 * THESE MATERIALS ARE PROVIDED ON AN "AS IS" BASIS. AMAZON SPECIFICALLY
 * DISCLAIMS, WITH RESPECT TO THESE MATERIALS, ALL WARRANTIES, EXPRESS,
 * IMPLIED, OR STATUTORY, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
 */

#include <iostream>

#include "stub_secure_storage_cert_handler.hpp"

using namespace IoTManagedIntegrationsDevice::CertHandler;

bool StubSecureStorageCertHandler::write_permanent_cert_and_private_key(
    std::string_view cert_value, std::string_view private_key_value) {
  // TODO: implement write function. Store both values in secure storage and
  // return false if either write fails.
  (void)cert_value;
  (void)private_key_value;
  return true;
}

bool StubSecureStorageCertHandler::read_cert_and_private_key(const CERT_TYPE_T cert_type,
                                                             std::string &cert_value,
                                                             std::string &private_key_value) {
  // TODO: implement read function. Select the CLAIM or PERMANENT credential
  // from cert_type and return false if it cannot be read.
  (void)cert_type;
  std::cout << "Using Stub Secure Storage Cert Handler, returning dummy values" << std::endl;
  cert_value = "StubCertVal";
  private_key_value = "StubKeyVal";
  return true;
}
```

Implement the factory function declared in the interface in `src/secure_storage_cert_handler.cpp`. HubOnboarding calls this function to obtain your handler, so it must be exported from the shared library.

```
#include "stub_secure_storage_cert_handler.hpp"

std::shared_ptr<IoTManagedIntegrationsDevice::CertHandler::SecureStorageCertHandlerInterface>
IoTManagedIntegrationsDevice::CertHandler::createSecureStorageCertHandler() {
  // TODO: replace with your implementation
  return std::make_shared<IoTManagedIntegrationsDevice::CertHandler::StubSecureStorageCertHandler>();
}
```
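The stub above leaves the read and write bodies as TODOs. The following is an added example, not SDK code or part of the original page, of a complete handler that honours the contract from "Key components": CLAIM and PERMANENT are stored under distinct names and selected by `cert_type`, the unused DHA type is rejected, an incomplete credential pair is never returned or persisted, and each write is atomic (data goes to a temporary file created with mode 0600, is fsync'd, then renamed over the target), so a crash mid-write cannot leave a truncated or world-readable private key. The interface declaration is repeated inline so the example compiles on its own; in the project you would `#include "secure_storage_cert_handler_interface.hpp"` instead. The `FileBackedCertHandler` class, the base directory and the `claim`/`permanent` file names are assumptions of this example, not something the SDK defines.

```cpp
// Added example: file-backed handler for the SDK's secure storage interface.
// Not SDK code. Directory layout (base_dir/claim.pem, claim.key,
// permanent.pem, permanent.key) is an assumption of this example.
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

#include <cstdio>
#include <cstdlib>
#include <fstream>
#include <memory>
#include <sstream>
#include <string>
#include <string_view>
#include <utility>

namespace IoTManagedIntegrationsDevice::CertHandler {

// Copied from secure_storage_cert_handler_interface.hpp so this compiles alone.
typedef enum { CLAIM = 0, DHA = 1, PERMANENT = 2 } CERT_TYPE_T;

class SecureStorageCertHandlerInterface {
 public:
  virtual bool read_cert_and_private_key(const CERT_TYPE_T cert_type,
                                         std::string &cert_value,
                                         std::string &private_key_value) = 0;
  virtual bool write_permanent_cert_and_private_key(
      std::string_view cert_value, std::string_view private_key_value) = 0;
};

// Hypothetical implementation (example only).
class FileBackedCertHandler : public SecureStorageCertHandlerInterface {
 public:
  explicit FileBackedCertHandler(std::string base_dir) : base_dir_(std::move(base_dir)) {}

  bool read_cert_and_private_key(const CERT_TYPE_T cert_type, std::string &cert_value,
                                 std::string &private_key_value) override {
    const char *stem = stem_for(cert_type);
    if (stem == nullptr) return false;  // DHA is unused: refuse instead of guessing
    std::string cert, key;
    if (!read_file(path(stem, ".pem"), cert) || !read_file(path(stem, ".key"), key)) return false;
    if (cert.empty() || key.empty()) return false;  // never hand back half a credential
    cert_value = std::move(cert);
    private_key_value = std::move(key);
    return true;
  }

  bool write_permanent_cert_and_private_key(std::string_view cert_value,
                                            std::string_view private_key_value) override {
    if (cert_value.empty() || private_key_value.empty()) return false;  // fail closed
    return write_atomic(path("permanent", ".key"), private_key_value) &&
           write_atomic(path("permanent", ".pem"), cert_value);
  }

 private:
  std::string base_dir_;

  // Only the two certificate types the hub actually uses map to a stored file.
  static const char *stem_for(CERT_TYPE_T t) {
    switch (t) {
      case CLAIM: return "claim";
      case PERMANENT: return "permanent";
      default: return nullptr;
    }
  }
  std::string path(const char *stem, const char *ext) const { return base_dir_ + "/" + stem + ext; }

  static bool read_file(const std::string &p, std::string &out) {
    std::ifstream in(p, std::ios::binary);
    if (!in) return false;
    std::ostringstream ss;
    ss << in.rdbuf();
    out = ss.str();
    return true;
  }

  // Write to a 0600 temp file, fsync, rename: the target is always either the
  // old content or the complete new content, and is never readable by others.
  static bool write_atomic(const std::string &p, std::string_view data) {
    const std::string tmp = p + ".tmp";
    int fd = ::open(tmp.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0600);
    if (fd < 0) return false;
    size_t off = 0;
    while (off < data.size()) {
      ssize_t n = ::write(fd, data.data() + off, data.size() - off);
      if (n <= 0) { ::close(fd); ::unlink(tmp.c_str()); return false; }
      off += static_cast<size_t>(n);
    }
    if (::fsync(fd) != 0 || ::close(fd) != 0 || std::rename(tmp.c_str(), p.c_str()) != 0) {
      ::unlink(tmp.c_str());
      return false;
    }
    return true;
  }
};

// Factory that HubOnboarding calls; the directory is a placeholder for this example.
std::shared_ptr<SecureStorageCertHandlerInterface> createSecureStorageCertHandler() {
  return std::make_shared<FileBackedCertHandler>("/var/lib/iotmi/certs");
}

}  // namespace IoTManagedIntegrationsDevice::CertHandler
```

To back the handler with a secure element or TPM instead, replace `read_file` and `write_atomic` with the store's own calls but keep the same rules: select strictly by `cert_type`, reject DHA, never return or persist half a pair, and return `false` rather than a placeholder when the store cannot be reached.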

### CMakeLists.txt
<a name="managedintegrations-sdk-v2-cookbook-cmakelist"></a>

```
cmake_minimum_required(VERSION 3.10)

# The project name must stay the same: it determines the library file name
# (libSecureStorageCertHandler.so) that HubOnboarding loads.
project(SecureStorageCertHandler CXX)

# Public header files. The interface definition must be at the top level of
# this directory with exactly the same name,
# i.e. include/secure_storage_cert_handler_interface.hpp,
# not include/anotherDir/secure_storage_cert_handler_interface.hpp.
set(PUBLIC_HEADERS
    ${PROJECT_SOURCE_DIR}/include
)

# Private implementation headers.
set(PRIVATE_HEADERS
    ${PROJECT_SOURCE_DIR}/internal/stub
)

# All sources.
set(SOURCES
    ${PROJECT_SOURCE_DIR}/src/secure_storage_cert_handler.cpp
    ${PROJECT_SOURCE_DIR}/src/stub_secure_storage_cert_handler.cpp
)

# Create the shared library.
add_library(${PROJECT_NAME} SHARED ${SOURCES})
# The interface uses std::string_view, so C++17 is required.
target_compile_features(${PROJECT_NAME} PUBLIC cxx_std_17)
target_include_directories(
    ${PROJECT_NAME}
    PUBLIC
        ${PUBLIC_HEADERS}
    PRIVATE
        ${PRIVATE_HEADERS}
)

# Set the library output location. The location can be customized, but the
# version must stay the same. VERSION/SOVERSION produce
# libSecureStorageCertHandler.so.1.0 plus the .so.1 and .so symbolic links.
set_target_properties(${PROJECT_NAME} PROPERTIES
    LIBRARY_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/../lib
    VERSION 1.0
    SOVERSION 1
)

# Install rules.
install(TARGETS ${PROJECT_NAME}
    LIBRARY DESTINATION lib
    ARCHIVE DESTINATION lib
)

# Install only the public interface header; private headers stay out of the install tree.
install(FILES ${PUBLIC_HEADERS}/secure_storage_cert_handler_interface.hpp
    DESTINATION include/SecureStorageCertHandler
)
```

## Usage
<a name="managedintegrations-sdk-v2-cookbook-certhandler-usage"></a>

After compiling, you have a `libSecureStorageCertHandler.so` shared object library file and its associated symbolic links. Copy the library file and the symbolic links to the library location that the HubOnboarding binary requires.

**Topics**
+ [Important considerations](#managedintegrations-sdk-v2-cookbook-certhandler-useconsider)
+ [Use secure storage](#managedintegrations-sdk-v2-cookbook-certhandler-usagehowto)

### Important considerations
<a name="managedintegrations-sdk-v2-cookbook-certhandler-useconsider"></a>
+ Verify that your user account has read and write permissions for the HubOnboarding binary and the `libSecureStorageCertHandler.so` library. Because the library is loaded into the HubOnboarding process, do not leave it writable by other, untrusted accounts on the hub.
+ Keep `secure_storage_cert_handler_interface.hpp` as the only public header. All other headers should remain in your private implementation.
+ Verify your shared object library name. When you build `libSecureStorageCertHandler.so`, HubOnboarding might require a specific version in the file name, such as `libSecureStorageCertHandler.so.1.0`. Run `ldd` on the HubOnboarding binary to check which library names it depends on and whether they resolve, and create symbolic links as needed.
+ If your shared library implementation has external dependencies, store them in a directory that HubOnboarding can access, such as `/usr/lib` or the `iotmi_common` directory.

### Use secure storage
<a name="managedintegrations-sdk-v2-cookbook-certhandler-usagehowto"></a>

Update your `iotmi_config.json` file by setting both `iot_claim_cert_path` and `iot_claim_pk_path` to **SECURE\_STORAGE**. HubOnboarding then obtains the claim credentials from your handler instead of reading them from file paths.

```
{
  "ro": { 
    "iot_provisioning_method": "FLEET_PROVISIONING", 
    "iot_claim_cert_path": "SECURE_STORAGE",
    "iot_claim_pk_path": "SECURE_STORAGE", 
    "fp_template_name": "device-integration-example",
    "iot_endpoint_url": "[{{ACCOUNT-PREFIX}}]-ats.iot.{{AWS-REGION}}.amazonaws.com", 
    "SN": "1234567890", 
    "UPC": "1234567890" 
  },
  "rw": { 
    "iot_provisioning_state": "NOT_PROVISIONED"
  }
}
```