M2MQTT 参数异常：不支持的 HMAC

Question

我正在尝试在 Unity (C#) 中设置一个 MQTT 客户端，它将与 AWS IoT Core 通信。 以下是我采取的步骤：

1）使用来自AWS的证书文件生成a.pfx文件：

openssl pkcs12 -export -in certificate.pem.crt -inkey private.pem.key -out certificate.cert.pfx -certfile AmazonRootCA1.pem

2）将.pem 和.pfx 文件放在我项目的Resources 文件夹中。 代码中设备认证的路径为： deviceCertPath="Assets/Resources/certificate.cert.pfx"

3) 将 M2Mqtt.net dll 添加到 Plugins 文件夹（从 NuGet 下载）

4）我的代码如下：

using System.Collections;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading;
using UnityEngine;

using uPLibrary.Networking.M2Mqtt;
using uPLibrary.Networking.M2Mqtt.Messages;

// Variables

private void Start()   
{
    caCert = X509Certificate2.CreateFromCertFile(caCertPath);
    deviceCert = new X509Certificate2(deviceCertPath);

    client = new MqttClient(broker, port, true, caCert, deviceCert, MqttSslProtocols.TLSv1_2);

    client.MqttMsgPublishReceived += Client_MqttMsgPublishReceived;
    client.MqttMsgSubscribed += Client_MqttMsgSubscribed;

    //Connect
    client.Connect(clientId);
    Debug.Log($"Connected to AWS IoT with client id: {clientId}.");
}

// Message Methods

当我尝试运行代码时，出现在尝试创建 deviceCert 时发生的错误：

ArgumentException: unsupported HMAC
Mono.Security.X509.PKCS12.Decode (System.Byte[] data) (at <b2e147cb24644c1580a142ea3d6c249e>:0)
Mono.Security.X509.PKCS12..ctor (System.Byte[] data, System.String password) (at <b2e147cb24644c1580a142ea3d6c249e>:0)
System.Security.Cryptography.X509Certificates.X509Certificate2ImplMono.ImportPkcs12 (System.Byte[] rawData, System.String password) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
System.Security.Cryptography.X509Certificates.X509Certificate2ImplMono.ImportPkcs12 (System.Byte[] rawData, Microsoft.Win32.SafeHandles.SafePasswordHandle password) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
System.Security.Cryptography.X509Certificates.X509Certificate2ImplMono..ctor (System.Byte[] rawData, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.X509PalImpl.ImportFallback (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.X509PalImplMono.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.SystemCertificateProvider.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags, Mono.CertificateImportFlags importFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.SystemCertificateProvider.Mono.ISystemCertificateProvider.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags, Mono.CertificateImportFlags importFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
System.Security.Cryptography.X509Certificates.X509Helper.Import (System.Byte[] rawData, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6073cf49ed704e958b8a66d540dea948>:0)
System.Security.Cryptography.X509Certificates.X509Certificate..ctor (System.String fileName, System.String password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6073cf49ed704e958b8a66d540dea948>:0)
System.Security.Cryptography.X509Certificates.X509Certificate..ctor (System.String fileName) (at <6073cf49ed704e958b8a66d540dea948>:0)
System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile (System.String filename) (at <6073cf49ed704e958b8a66d540dea948>:0)
MQTT.Start () (at Assets/Circulate/Scripts/Networking/MQTT/MQTT.cs:32)

current.pfx 文件没有密码，尽管我尝试使用一个带密码的文件并得到同样的错误。 当我检查证书的详细信息时，两者都有 sha256 的签名 hash 算法。 我不确定为什么会收到此错误，而且我无法找到有关不受支持的 HMAC 的大量信息。 感谢您的帮助，谢谢！

Answer 1

根据来源，您的例外情况是 PFX MAC 算法 ID 不是1.3.14.3.2.26 (SHA-1)。

这似乎令人惊讶，因为 OpenSSL 仍然默认为 PFX MAC 的 HMAC-SHA1，但也许您的 OpenSSL 构建已被修改。 您应该能够通过在导出命令中添加-macalg sha1来强制它使用 HMAC-SHA1（例如openssl pkcs12 -export -in certificate.pem.crt -inkey private.pem.key -out certificate.cert.pfx -certfile AmazonRootCA1.pem -macalg sha1 ）。

可以通过openssl asn1parse验证MAC算法ID，比如

$ openssl asn1parse -inform der -i -in test.pfx
    0:d=0  hl=4 l=1716 cons: SEQUENCE
    4:d=1  hl=2 l=   1 prim:  INTEGER           :03
    7:d=1  hl=4 l=1658 cons:  SEQUENCE
   11:d=2  hl=2 l=   9 prim:   OBJECT            :pkcs7-data
   22:d=2  hl=4 l=1643 cons:   cont [ 0 ]
   26:d=3  hl=4 l=1639 prim:    OCTET STRING      [HEX DUMP]:3082066...<snip />
 1669:d=1  hl=2 l=  49 cons:  SEQUENCE
 1671:d=2  hl=2 l=  33 cons:   SEQUENCE
 1673:d=3  hl=2 l=   9 cons:    SEQUENCE
 1675:d=4  hl=2 l=   5 prim:     OBJECT            :sha1
 1682:d=4  hl=2 l=   0 prim:     NULL
 1684:d=3  hl=2 l=  20 prim:    OCTET STRING      [HEX DUMP]:9E2270B998C4A69898F29634EC0F4823E47879A0
 1706:d=2  hl=2 l=   8 prim:   OCTET STRING      [HEX DUMP]:E540B4FDBC03B6AF
 1716:d=2  hl=2 l=   2 prim:   INTEGER           :0800

OBJECT:sha1第5行是MAC算法标识。 （该行的特定偏移量（例如 1675）将取决于您的特定 PFX，但该行始终从底部算起 5）