Re: [paho-dev] SSL

Al,

Here is what I did to make SSL work between Mosquitto and Paho.  First, you will need the BouncyCastle jar files that can be found here:

https://www.bouncycastle.org/java.html

I’m currently using 1.49 but 1.52 is the current release.

Next, take a look at the code here for a start:

https://gist.github.com/sharonbn/4104301

Because of some changes that have occurred in the BouncyCastle jar files since this code was originally written, there are a couple of tweaks that needed to be done to get it to work.  Below is what has worked for me:

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Paths;
import java.security.KeyManagementException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMDecryptorProvider;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;

public class SslUtil
{
       public static SSLSocketFactory getSslSocketFactory(
                     final String caCrtFile,
                     final String crtFile,
                     final String keyFile,
                     final String password)
              throws
                     InvalidPathException,
                     IOException,
                     KeyStoreException,
                     NoSuchAlgorithmException,
                     CertificateException,
                     UnrecoverableKeyException,
                     KeyManagementException
       {
              Security.addProvider(new BouncyCastleProvider());

              // Key-entry/decryption password; an unencrypted key may come with no password at all
              final char[] pw = (password == null) ? new char[0] : password.toCharArray();

              // load CA certificate (PEM)
              X509CertificateHolder caCert;
              try (PEMParser parser = new PEMParser(Files.newBufferedReader(Paths.get(caCrtFile), StandardCharsets.US_ASCII)))
              {
                     caCert = (X509CertificateHolder) parser.readObject();
              }

              // load client certificate (PEM)
              X509CertificateHolder cert;
              try (PEMParser parser = new PEMParser(Files.newBufferedReader(Paths.get(crtFile), StandardCharsets.US_ASCII)))
              {
                     cert = (X509CertificateHolder) parser.readObject();
              }

              // load client private key (encrypted or plain "BEGIN RSA/EC PRIVATE KEY" PEM)
              KeyPair key;
              JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
              try (PEMParser parser = new PEMParser(Files.newBufferedReader(Paths.get(keyFile), StandardCharsets.US_ASCII)))
              {
                     Object obj = parser.readObject();
                     if (obj instanceof PEMEncryptedKeyPair)
                     {
                            PEMDecryptorProvider decProv = new JcePEMDecryptorProviderBuilder().build(pw);
                            key = converter.getKeyPair(((PEMEncryptedKeyPair) obj).decryptKeyPair(decProv));
                     }
                     else if (obj instanceof PEMKeyPair)
                     {
                            key = converter.getKeyPair((PEMKeyPair) obj);
                     }
                     else
                     {
                            // e.g. a PKCS#8 "BEGIN PRIVATE KEY" block, which PEMParser returns as PrivateKeyInfo
                            throw new IOException("unsupported private key format in " + keyFile + ": "
                                   + (obj == null ? "empty file" : obj.getClass().getSimpleName()));
                     }
              }

              JcaX509CertificateConverter certConverter = new JcaX509CertificateConverter();
              certConverter.setProvider("BC");
              X509Certificate clientCert = certConverter.getCertificate(cert);

              // CA certificate is used to authenticate server
              KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType());
              caKs.load(null, null);
              caKs.setCertificateEntry("ca-certificate", certConverter.getCertificate(caCert));
              TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
              tmf.init(caKs);

              // Client key and certificates are sent to server so it can authenticate us
              KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
              ks.load(null, null);
              ks.setCertificateEntry("certificate", clientCert);
              ks.setKeyEntry("private-key", key.getPrivate(), pw, new java.security.cert.Certificate[]{clientCert});
              KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
              kmf.init(ks, pw);

              // Finally, create SSL socket factory
              // ("TLSv1" is what worked here; "TLSv1.2" is preferable where both the JRE and the broker support it)
              SSLContext context = SSLContext.getInstance("TLSv1");
              context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
              return context.getSocketFactory();
       }
}

 

Next, look at the “readme.txt” file that is located at the previous URL for how to use the MqttConnectOptions.setSocketFactory() method.

 

I hope this helps…at least some.

 

Dwayne

 

 
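
Editor's note: a factory built from SSLContext.getSocketFactory(), as in the SslUtil class above, only checks that the broker's certificate chains to the CA; it does not check that the certificate was issued for the host named in the ssl:// URL, so any certificate signed by that CA is accepted for any broker. The wrapper below is an added example, not code from Dwayne's message or from the Paho project; it assumes Java 7 or later and the SslUtil class shown above. It turns on JSSE endpoint identification for every socket the wrapped factory creates, so a certificate whose subjectAltName/CN does not match the broker host fails the handshake.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Delegating SSLSocketFactory that enables hostname verification on each socket.
 * Every createSocket overload is wrapped, including the no-argument one, because
 * the Paho client creates an unconnected socket and connects it afterwards.
 */
public class HostnameVerifyingSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;

    public HostnameVerifyingSocketFactory(SSLSocketFactory delegate) {
        this.delegate = delegate;
    }

    // "HTTPS" selects the RFC 2818 matching rules: during the handshake JSSE compares the
    // peer certificate's DNS subjectAltNames (or CN) with the host the socket connected to
    // and aborts with an SSLHandshakeException on mismatch.
    private static SSLSocket withHostnameCheck(Socket s) {
        SSLSocket ssl = (SSLSocket) s;
        SSLParameters params = ssl.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setSSLParameters(params);
        return ssl;
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    @Override public Socket createSocket() throws IOException {
        return withHostnameCheck(delegate.createSocket());
    }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return withHostnameCheck(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return withHostnameCheck(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return withHostnameCheck(delegate.createSocket(host, port, localHost, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return withHostnameCheck(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return withHostnameCheck(delegate.createSocket(address, port, localAddress, localPort));
    }

    /** Convenience for the Paho case: wrap the factory produced by SslUtil (assumed to be on the classpath). */
    public static SSLSocketFactory forPaho(String caCrtFile, String crtFile, String keyFile, String password) throws Exception {
        return new HostnameVerifyingSocketFactory(SslUtil.getSslSocketFactory(caCrtFile, crtFile, keyFile, password));
    }
}
```

Use it where the readme's instructions call for the factory, i.e. MqttConnectOptions.setSocketFactory(HostnameVerifyingSocketFactory.forPaho(ca, crt, key, pw)). With a self-signed lab CA this means the broker certificate must carry the hostname used in the ssl:// URL as a DNS subjectAltName (or as its CN); a mismatch is now a handshake failure rather than a silent acceptance, which is the behaviour wanted for a client that authenticates the broker.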

From: paho-dev-bounces@xxxxxxxxxxx [mailto:paho-dev-bounces@xxxxxxxxxxx] On Behalf Of Al Nemethy
Sent: Tuesday, April 14, 2015 9:30 AM
To: General development discussions for paho project
Subject: Re: [paho-dev] SSL

Thanks for your time. Unfortunately I am getting the same problem with your implementation as I was getting with mine ... There are a few minor differences between my code and yours so I used yours. I can't see what is going on on the Broker side but I would bet it's saying the same thing as my local broker said. I am about to give up on mosquitto unless you have some additional info to share.  Regards Al


Apr 14, 2015 9:18:00 AM com.Imantics.IoT.ALog L
INFO: The CA Certification is: ca.crt

Apr 14, 2015 9:18:00 AM com.Imantics.IoT.ALog L
INFO: The Certification is: server.crt

Apr 14, 2015 9:18:00 AM com.Imantics.IoT.ALog L
INFO: The KeyFile is: server.key

Apr 14, 2015 9:18:00 AM com.Imantics.IoT.ALog L
INFO: Connecting to broker Using SSL: ssl://test.mosquitto.org:8883
Apr 14, 2015 9:18:01 AM com.Imantics.IoT.ALog L
INFO: reason: 0
Apr 14, 2015 9:18:01 AM com.Imantics.IoT.ALog L
INFO: msg: MqttException
Apr 14, 2015 9:18:01 AM com.Imantics.IoT.ALog L
INFO: loc: MqttException
Apr 14, 2015 9:18:01 AM com.Imantics.IoT.ALog L
INFO: cause: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Apr 14, 2015 9:18:01 AM com.Imantics.IoT.ALog L
INFO: excep: MqttException (0) - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
MqttException (0) - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:604)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1439)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:878)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:814)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:89)
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:590)
    ... 1 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1421)
    ... 10 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 16 more

On Tue, Apr 14, 2015 at 6:31 AM, Ian Craggs <icraggs@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

Albert,

the SSL tests for the Paho Java client are run against Mosquitto.  I think all the material needed, including Mosquitto configuration files, is in the repository.  I'll check later if I have the chance.  It sounds like an article would be a good idea.

Ian

On 04/14/2015 12:38 AM, Al Nemethy wrote:

Hello All, I have been trying to successfully build an SSL-based MQTT Java client for some time now but have not been able to successfully connect. I am using Mosquitto 1.4.1 as the broker and it works with the Mosquitto publisher and subscriber aok. I have built the self-signed certificates many different ways. My question is this: Is there a good example that actually WORKS? With a complete procedure on how to build the certificates that is any different than what Mosquitto publishes???  Thanks in advance


--

Many Regards Al
Albert N. Nemethy



_______________________________________________
paho-dev mailing list
paho-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/paho-dev



-- 
Ian Craggs                          
icraggs@xxxxxxxxxx                 IBM United Kingdom
Paho Project Lead; Committer on Mosquitto


--

Many Regards Al
Albert N. Nemethy
802 434-2877
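
Editor's note: the "PKIX path building failed ... unable to find valid certification path to requested target" in Al's log above is raised by the JSSE trust manager when the certificate the broker presents does not chain to any certificate in the trust store. In that log the trust store holds a local ca.crt while the client connects to test.mosquitto.org, whose certificate was not issued by that CA. The tool below is an added example, not code from the thread or from the Paho or Mosquitto projects; it needs only the JDK (no BouncyCastle) and runs the same PKIX validation offline, against a CA PEM file and a PEM file holding the broker's certificate (leaf first, intermediates after), so the mismatch can be found before the handshake. The file names are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class TrustChainCheck {

    /** Reads every "-----BEGIN CERTIFICATE-----" block in a PEM file using plain JCA. */
    static List<X509Certificate> readPem(String file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = Files.newInputStream(Paths.get(file))) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    /**
     * Runs the PKIX path validation the JSSE trust manager performs during the handshake:
     * the leaf (first certificate in the chain file) must chain, through any intermediates
     * that follow it, to one of the CA certificates used as trust anchors.
     */
    static String validate(List<X509Certificate> chain, List<X509Certificate> cas) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : cas) {
            anchors.add(new TrustAnchor(ca, null));
        }
        // The path handed to the validator ends just below the anchor, so leave the root
        // itself out if the chain file happens to include it.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (!cas.contains(c)) path.add(c);
        }
        if (path.isEmpty()) return "FAIL: chain file holds only trust anchors, no end-entity certificate";

        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // a self-signed lab CA publishes no CRL or OCSP responder
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return "OK: " + path.get(0).getSubjectX500Principal().getName() + " chains to "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName();
        } catch (CertPathValidatorException e) {
            // Offline equivalent of the handshake's "PKIX path building failed ...
            // unable to find valid certification path to requested target".
            return "FAIL: " + e.getMessage() + " (leaf issuer: "
                    + path.get(0).getIssuerX500Principal().getName() + ")";
        }
    }

    /** DNS names in the leaf's subjectAltName; hostname verification matches the broker host against these. */
    static List<String> dnsNames(X509Certificate leaf) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0))) names.add(String.valueOf(san.get(1))); // 2 = dNSName
            }
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TrustChainCheck <ca.crt> <broker-cert-chain.crt>");
            System.exit(2);
        }
        List<X509Certificate> cas = readPem(args[0]);    // what the client will trust
        List<X509Certificate> chain = readPem(args[1]);  // what the broker presents
        X509Certificate leaf = chain.get(0);
        System.out.println(validate(chain, cas));
        System.out.println("leaf subject : " + leaf.getSubjectX500Principal().getName());
        System.out.println("leaf DNS SANs: " + dnsNames(leaf));
        System.out.println("leaf validity: " + leaf.getNotBefore() + " .. " + leaf.getNotAfter());
    }
}
```

For a local Mosquitto the second argument is the server certificate the broker is configured with; for a remote broker, save the chain it serves (for example from the output of openssl s_client -connect host:8883 -showcerts) to a file first. A FAIL with "Path does not chain with any of the trust anchors" is the offline form of the error in the log: the fix is to load the CA that actually issued the broker's certificate, never to disable the trust check. The printed DNS names show whether the certificate also names the host used in the ssl:// URL, which matters once hostname verification is enabled on the socket factory.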