
M2MQTT Argument Exception: unsupported HMAC

I am trying to set up an MQTT client in Unity (C#) which would communicate with AWS IoT Core. Here are the steps I've taken:

1) Generated a .pfx file using the certificate files from AWS:

openssl pkcs12 -export -in certificate.pem.crt -inkey private.pem.key -out certificate.cert.pfx -certfile AmazonRootCA1.pem

2) Placed the .pem and .pfx file in the Resources folder of my project. The path for the device certification in the code would be: deviceCertPath="Assets/Resources/certificate.cert.pfx"

3) Added M2Mqtt.net dll to Plugins folder (Downloaded from NuGet)

4) My code is as follows:

using System.Collections;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading;
using UnityEngine;

using uPLibrary.Networking.M2Mqtt;
using uPLibrary.Networking.M2Mqtt.Messages;

// Variables

private void Start()   
{
    caCert = X509Certificate2.CreateFromCertFile(caCertPath);
    deviceCert = new X509Certificate2(deviceCertPath);

    client = new MqttClient(broker, port, true, caCert, deviceCert, MqttSslProtocols.TLSv1_2);

    client.MqttMsgPublishReceived += Client_MqttMsgPublishReceived;
    client.MqttMsgSubscribed += Client_MqttMsgSubscribed;

    //Connect
    client.Connect(clientId);
    Debug.Log($"Connected to AWS IoT with client id: {clientId}.");
}

// Message Methods

When I try to run the code I get an error that happens when trying to create the deviceCert:

ArgumentException: unsupported HMAC
Mono.Security.X509.PKCS12.Decode (System.Byte[] data) (at <b2e147cb24644c1580a142ea3d6c249e>:0)
Mono.Security.X509.PKCS12..ctor (System.Byte[] data, System.String password) (at <b2e147cb24644c1580a142ea3d6c249e>:0)
System.Security.Cryptography.X509Certificates.X509Certificate2ImplMono.ImportPkcs12 (System.Byte[] rawData, System.String password) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
System.Security.Cryptography.X509Certificates.X509Certificate2ImplMono.ImportPkcs12 (System.Byte[] rawData, Microsoft.Win32.SafeHandles.SafePasswordHandle password) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
System.Security.Cryptography.X509Certificates.X509Certificate2ImplMono..ctor (System.Byte[] rawData, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.X509PalImpl.ImportFallback (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.X509PalImplMono.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.SystemCertificateProvider.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags, Mono.CertificateImportFlags importFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.SystemCertificateProvider.Mono.ISystemCertificateProvider.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags, Mono.CertificateImportFlags importFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
System.Security.Cryptography.X509Certificates.X509Helper.Import (System.Byte[] rawData, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6073cf49ed704e958b8a66d540dea948>:0)
System.Security.Cryptography.X509Certificates.X509Certificate..ctor (System.String fileName, System.String password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6073cf49ed704e958b8a66d540dea948>:0)
System.Security.Cryptography.X509Certificates.X509Certificate..ctor (System.String fileName) (at <6073cf49ed704e958b8a66d540dea948>:0)
System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile (System.String filename) (at <6073cf49ed704e958b8a66d540dea948>:0)
MQTT.Start () (at Assets/Circulate/Scripts/Networking/MQTT/MQTT.cs:32)

The current .pfx file does not have a password, although I've attempted to use one with a password and got the same error. When I check the details of the certificates, both have a signature hash algorithm of sha256. I'm not sure why I am receiving this error and I haven't been able to find much information regarding unsupported HMAC. Any help is appreciated, thank you!

Your exception, based on the source, is that the PFX MAC algorithm ID is not 1.3.14.3.2.26 (SHA-1).

This seems surprising, since OpenSSL still defaults to HMAC-SHA1 for the PFX MAC, but maybe your build of OpenSSL has been modified. You should be able to force it to use HMAC-SHA1 by adding -macalg sha1 onto your export command (e.g. openssl pkcs12 -export -in certificate.pem.crt -inkey private.pem.key -out certificate.cert.pfx -certfile AmazonRootCA1.pem -macalg sha1).

You can verify the MAC algorithm ID with openssl asn1parse, such as:

$ openssl asn1parse -inform der -i -in test.pfx
    0:d=0  hl=4 l=1716 cons: SEQUENCE
    4:d=1  hl=2 l=   1 prim:  INTEGER           :03
    7:d=1  hl=4 l=1658 cons:  SEQUENCE
   11:d=2  hl=2 l=   9 prim:   OBJECT            :pkcs7-data
   22:d=2  hl=4 l=1643 cons:   cont [ 0 ]
   26:d=3  hl=4 l=1639 prim:    OCTET STRING      [HEX DUMP]:3082066...<snip />
 1669:d=1  hl=2 l=  49 cons:  SEQUENCE
 1671:d=2  hl=2 l=  33 cons:   SEQUENCE
 1673:d=3  hl=2 l=   9 cons:    SEQUENCE
 1675:d=4  hl=2 l=   5 prim:     OBJECT            :sha1
 1682:d=4  hl=2 l=   0 prim:     NULL
 1684:d=3  hl=2 l=  20 prim:    OCTET STRING      [HEX DUMP]:9E2270B998C4A69898F29634EC0F4823E47879A0
 1706:d=2  hl=2 l=   8 prim:   OCTET STRING      [HEX DUMP]:E540B4FDBC03B6AF
 1716:d=2  hl=2 l=   2 prim:   INTEGER           :0800

The OBJECT:sha1 5 lines from the bottom is the MAC algorithm identifier. (The particular offset for that line (e.g. 1675) will depend on your particular PFX, but that line will always be 5 from the bottom.)
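
The same check as an added example (not part of the original answer): a small DER walker that finds the MAC digest OID by its position in the PFX structure (PFX, then MacData, DigestInfo, AlgorithmIdentifier) so it can run in a build step before the .pfx is copied into the Unity project. The function names and the `sample_pfx` skeleton are constructed for illustration.

```python
SHA1_OID = "1.3.14.3.2.26"  # the MAC digest the answer says Mono's importer expects

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    """Elements directly inside the value bytes buf[start:end]."""
    out = []
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        out.append((tag, vs, ve))
        start = ve
    return out

def decode_oid(body):
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def pfx_mac_oid(der):
    """MAC digest OID of a PFX, or None when the optional MacData is absent."""
    tag, vs, ve = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    top = children(der, vs, ve)            # version, authSafe, optional macData
    if len(top) < 3:
        return None
    node = top[2]                          # MacData
    for _ in range(3):                     # -> DigestInfo -> AlgorithmIdentifier -> OID
        node = children(der, node[1], node[2])[0]
    return decode_oid(der[node[1]:node[2]])

def tlv(tag, body):                        # builder for the constructed samples only
    return bytes([tag, len(body)]) + body  # short-form length, body < 128 bytes

def sample_pfx(oid_body):                  # constructed PFX skeleton, not a usable key store
    alg = tlv(0x30, tlv(0x06, oid_body) + tlv(0x05, b""))
    mac = tlv(0x30, tlv(0x30, alg + tlv(0x04, bytes(20))) + tlv(0x04, bytes(8)) + tlv(0x02, b"\x08\x00"))
    safe = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")) + tlv(0xA0, tlv(0x04, b"")))
    return tlv(0x30, tlv(0x02, b"\x03") + safe + mac)
```

For a real file, compare `pfx_mac_oid(open("certificate.cert.pfx", "rb").read())` against `SHA1_OID`; any other value means the file should be re-exported with -macalg sha1 as described above.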
