I am trying to set up an MQTT client in Unity (C#) which would communicate with AWS IoT Core. Here are the steps I've taken:
1) Generated a .pfx file using the certificate files from AWS:
openssl pkcs12 -export -in certificate.pem.crt -inkey private.pem.key -out certificate.cert.pfx -certfile AmazonRootCA1.pem
2) Placed the .pem and .pfx files in the Resources folder of my project. The path for the device certificate in the code would be: deviceCertPath = "Assets/Resources/certificate.cert.pfx"
3) Added the M2Mqtt.net DLL to the Plugins folder (downloaded from NuGet)
4) My code is as follows:
using System.Collections;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading;
using UnityEngine;
using uPLibrary.Networking.M2Mqtt;
using uPLibrary.Networking.M2Mqtt.Messages;

public class MQTT : MonoBehaviour
{
    // Variables (broker endpoint and client id are placeholders)
    private string caCertPath = "Assets/Resources/AmazonRootCA1.pem";
    private string deviceCertPath = "Assets/Resources/certificate.cert.pfx";
    private string broker = "<your-endpoint>.iot.<region>.amazonaws.com";
    private int port = 8883; // MQTT over TLS
    private string clientId = "<your-client-id>";
    private X509Certificate caCert;      // CreateFromCertFile returns X509Certificate
    private X509Certificate2 deviceCert; // PFX with the device key
    private MqttClient client;

    private void Start()
    {
        caCert = X509Certificate2.CreateFromCertFile(caCertPath);
        deviceCert = new X509Certificate2(deviceCertPath);
        client = new MqttClient(broker, port, true, caCert, deviceCert, MqttSslProtocols.TLSv1_2);
        client.MqttMsgPublishReceived += Client_MqttMsgPublishReceived;
        client.MqttMsgSubscribed += Client_MqttMsgSubscribed;
        // Connect
        client.Connect(clientId);
        Debug.Log($"Connected to AWS IoT with client id: {clientId}.");
    }

    // Message Methods
    private void Client_MqttMsgPublishReceived(object sender, MqttMsgPublishEventArgs e)
    {
        Debug.Log($"Received on {e.Topic}: {Encoding.UTF8.GetString(e.Message)}");
    }

    private void Client_MqttMsgSubscribed(object sender, MqttMsgSubscribedEventArgs e)
    {
        Debug.Log($"Subscribed, message id: {e.MessageId}");
    }
}
When I try to run the code I get an error that happens when trying to create the deviceCert:
ArgumentException: unsupported HMAC
Mono.Security.X509.PKCS12.Decode (System.Byte[] data) (at <b2e147cb24644c1580a142ea3d6c249e>:0)
Mono.Security.X509.PKCS12..ctor (System.Byte[] data, System.String password) (at <b2e147cb24644c1580a142ea3d6c249e>:0)
System.Security.Cryptography.X509Certificates.X509Certificate2ImplMono.ImportPkcs12 (System.Byte[] rawData, System.String password) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
System.Security.Cryptography.X509Certificates.X509Certificate2ImplMono.ImportPkcs12 (System.Byte[] rawData, Microsoft.Win32.SafeHandles.SafePasswordHandle password) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
System.Security.Cryptography.X509Certificates.X509Certificate2ImplMono..ctor (System.Byte[] rawData, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.X509PalImpl.ImportFallback (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.X509PalImplMono.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.SystemCertificateProvider.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags, Mono.CertificateImportFlags importFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.SystemCertificateProvider.Mono.ISystemCertificateProvider.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags, Mono.CertificateImportFlags importFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
System.Security.Cryptography.X509Certificates.X509Helper.Import (System.Byte[] rawData, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6073cf49ed704e958b8a66d540dea948>:0)
System.Security.Cryptography.X509Certificates.X509Certificate..ctor (System.String fileName, System.String password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6073cf49ed704e958b8a66d540dea948>:0)
System.Security.Cryptography.X509Certificates.X509Certificate..ctor (System.String fileName) (at <6073cf49ed704e958b8a66d540dea948>:0)
System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile (System.String filename) (at <6073cf49ed704e958b8a66d540dea948>:0)
MQTT.Start () (at Assets/Circulate/Scripts/Networking/MQTT/MQTT.cs:32)
The current .pfx file does not have a password, although I've attempted to use one with a password and got the same error. When I check the details of the certificates, both have a signature hash algorithm of sha256. I'm not sure why I am receiving this error and I haven't been able to find much information regarding "unsupported HMAC". Any help is appreciated, thank you!
Your exception, based on the source, is that the PFX MAC algorithm ID is not 1.3.14.3.2.26 (SHA-1).
This seems surprising, since OpenSSL still defaults to HMAC-SHA1 for the PFX MAC, but maybe your build of OpenSSL has been modified. You should be able to force it to use HMAC-SHA1 by adding -macalg sha1 onto your export command (e.g. openssl pkcs12 -export -in certificate.pem.crt -inkey private.pem.key -out certificate.cert.pfx -certfile AmazonRootCA1.pem -macalg sha1).
You can verify the MAC algorithm ID by openssl asn1parse, such as
$ openssl asn1parse -inform der -i -in test.pfx
0:d=0 hl=4 l=1716 cons: SEQUENCE
4:d=1 hl=2 l= 1 prim: INTEGER :03
7:d=1 hl=4 l=1658 cons: SEQUENCE
11:d=2 hl=2 l= 9 prim: OBJECT :pkcs7-data
22:d=2 hl=4 l=1643 cons: cont [ 0 ]
26:d=3 hl=4 l=1639 prim: OCTET STRING [HEX DUMP]:3082066...<snip />
1669:d=1 hl=2 l= 49 cons: SEQUENCE
1671:d=2 hl=2 l= 33 cons: SEQUENCE
1673:d=3 hl=2 l= 9 cons: SEQUENCE
1675:d=4 hl=2 l= 5 prim: OBJECT :sha1
1682:d=4 hl=2 l= 0 prim: NULL
1684:d=3 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:9E2270B998C4A69898F29634EC0F4823E47879A0
1706:d=2 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:E540B4FDBC03B6AF
1716:d=2 hl=2 l= 2 prim: INTEGER :0800
The OBJECT :sha1 five lines from the bottom is the MAC algorithm identifier. (The particular offset for that line (e.g. 1675) will depend on your particular PFX, but that line will always be five from the bottom.)
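The same check, done programmatically, as an added example that is not part of the question or the answer above: a minimal DER walker that reads the optional MacData at the end of a PKCS#12 file and returns the digest algorithm OID, i.e. the value openssl asn1parse prints as "OBJECT :sha1" five lines from the bottom. The fixture builder is a constructed stand-in with placeholder contents so the script runs offline; it is not a usable key store. The SHA-1 OID 1.3.14.3.2.26 is the value the answer cites; the SHA-2 OIDs in the table are the standard NIST hash identifiers.

```python
"""Inspect which MAC digest algorithm a PKCS#12 (.pfx) file declares.

Added example, not code from the question or the answer. Mono's PKCS12
decoder accepts only the SHA-1 MAC, so any other OID here is the case that
surfaces as "ArgumentException: unsupported HMAC".
"""

SHA1_OID = "1.3.14.3.2.26"          # the only MAC digest Mono's PKCS12 decoder accepts
KNOWN_MAC_DIGESTS = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(contents):
    """Decode DER OID contents (base-128 arcs) to dotted notation."""
    arcs, acc = [str(contents[0] // 40), str(contents[0] % 40)], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def pfx_mac_digest_oid(pfx_der):
    """Return the MacData digest algorithm OID, or None when the PFX carries no MAC.

    PFX        ::= SEQUENCE { version INTEGER, authSafe ContentInfo, macData MacData OPTIONAL }
    MacData    ::= SEQUENCE { mac DigestInfo, macSalt OCTET STRING, iterations INTEGER }
    DigestInfo ::= SEQUENCE { digestAlgorithm AlgorithmIdentifier, digest OCTET STRING }
    """
    tag, pfx, _ = _read_tlv(pfx_der, 0)
    if tag != 0x30:
        raise ValueError("PFX must start with a SEQUENCE")
    tag, version, pos = _read_tlv(pfx, 0)          # version INTEGER
    if tag != 0x02 or version != b"\x03":
        raise ValueError("expected PFX version 3")
    _tag, _auth_safe, pos = _read_tlv(pfx, pos)    # authSafe ContentInfo (skipped)
    if pos >= len(pfx):
        return None                                # macData absent
    tag, mac_data, _ = _read_tlv(pfx, pos)         # macData SEQUENCE
    _tag, digest_info, _ = _read_tlv(mac_data, 0)  # mac DigestInfo
    _tag, alg_id, _ = _read_tlv(digest_info, 0)    # digestAlgorithm AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg_id, 0)             # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return _decode_oid(oid)


def mac_digest_name(pfx_der):
    """Human-readable digest name, or the raw OID when it is not in the table."""
    oid = pfx_mac_digest_oid(pfx_der)
    return None if oid is None else KNOWN_MAC_DIGESTS.get(oid, oid)


def mono_compatible(pfx_der):
    """True when the MAC is HMAC-SHA1, the only variant Mono's PKCS12 decoder accepts."""
    return pfx_mac_digest_oid(pfx_der) == SHA1_OID


# --- constructed fixture (placeholder contents, structure only) -------------

def _der(tag, contents):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + contents


def _encode_oid(dotted):
    """Encode a dotted OID into DER contents."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for value in arcs[2:]:
        chunk = [value & 0x7F]
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_pfx(mac_oid, digest_len):
    """Constructed PFX: version 3, a dummy pkcs7-data authSafe, and a MacData
    using mac_oid (or no MacData at all when mac_oid is None)."""
    auth_safe = _der(0x30, _der(0x06, _encode_oid("1.2.840.113549.1.7.1"))
                     + _der(0xA0, _der(0x04, b"\x30\x00" * 100)))   # exercises long-form length
    pfx = _der(0x02, b"\x03") + auth_safe
    if mac_oid is not None:
        alg_id = _der(0x30, _der(0x06, _encode_oid(mac_oid)) + _der(0x05, b""))
        digest_info = _der(0x30, alg_id + _der(0x04, b"\xAA" * digest_len))
        pfx += _der(0x30, digest_info + _der(0x04, b"\x01" * 8) + _der(0x02, b"\x08\x00"))
    return _der(0x30, pfx)


if __name__ == "__main__":
    for label, oid, n in (("sha1", SHA1_OID, 20), ("sha256", "2.16.840.1.101.3.4.2.1", 32)):
        sample = build_sample_pfx(oid, n)
        verdict = "Mono will load it" if mono_compatible(sample) else "Mono raises 'unsupported HMAC'"
        print(f"{label:7s} MAC digest = {mac_digest_name(sample)}: {verdict}")
```

To inspect a real file, pass its bytes instead of the fixture, e.g. `mono_compatible(open("certificate.cert.pfx", "rb").read())`; the OID returned is the same one the asn1parse listing above shows, and a file exported with the answer's `-macalg sha1` option will report 1.3.14.3.2.26.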