Al,
Here is what I did to make SSL work between Mosquitto and Paho. First, you will need the BouncyCastle jar files that can be found here:
https://www.bouncycastle.org/java.html
I’m currently using 1.49 but 1.52 is the current release.
Next, take a look at the code here for a start:
https://gist.github.com/sharonbn/4104301
Because of some changes that have occurred in the BouncyCastle jar files since this code was originally written, there are a couple of tweaks that needed to be done to get it to work. Below is what has worked for me:
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Paths;
import java.security.KeyManagementException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMDecryptorProvider;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;

public class SslUtil
{
    public static SSLSocketFactory getSslSocketFactory(final String caCrtFile,
            final String crtFile, final String keyFile, final String password)
        throws InvalidPathException, IOException, KeyStoreException,
               NoSuchAlgorithmException, CertificateException,
               UnrecoverableKeyException, KeyManagementException, Exception
    {
        Security.addProvider(new BouncyCastleProvider());

        // An unencrypted key may be passed with a null password; the key store
        // entry still needs a (possibly empty) password, so never call
        // password.toCharArray() directly.
        final char[] pw = (password == null) ? new char[0] : password.toCharArray();

        JcaX509CertificateConverter certConverter =
            new JcaX509CertificateConverter().setProvider("BC");

        // load CA certificate
        X509Certificate caCert = certConverter.getCertificate(readCertificate(caCrtFile));

        // load client certificate
        X509Certificate cert = certConverter.getCertificate(readCertificate(crtFile));

        // load client private key (PEMParser is the current BouncyCastle PEM
        // reader; an encrypted key comes back as a PEMEncryptedKeyPair)
        KeyPair key;
        JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
        try (PEMParser parser = new PEMParser(
                Files.newBufferedReader(Paths.get(keyFile), StandardCharsets.US_ASCII)))
        {
            Object obj = parser.readObject();
            if (obj instanceof PEMEncryptedKeyPair)
            {
                PEMDecryptorProvider decProv =
                    new JcePEMDecryptorProviderBuilder().build(pw);
                key = converter.getKeyPair(((PEMEncryptedKeyPair) obj).decryptKeyPair(decProv));
            }
            else if (obj instanceof PEMKeyPair)
            {
                key = converter.getKeyPair((PEMKeyPair) obj);
            }
            else
            {
                throw new IOException("Unexpected PEM object in " + keyFile + ": " + obj);
            }
        }

        // CA certificate is used to authenticate server
        KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType());
        caKs.load(null, null);
        caKs.setCertificateEntry("ca-certificate", caCert);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(caKs);

        // Client key and certificates are sent to server so it can authenticate us
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("certificate", cert);
        ks.setKeyEntry("private-key", key.getPrivate(), pw, new Certificate[]{cert});
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);

        // Finally, create SSL socket factory. "TLSv1" is what worked here;
        // "TLSv1.2" (or "TLS", which negotiates the newest version both sides
        // support) is the setting to prefer where the broker accepts it.
        SSLContext context = SSLContext.getInstance("TLSv1");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return context.getSocketFactory();
    }

    // Reads the first PEM object in the file, which must be an X.509 certificate.
    private static X509CertificateHolder readCertificate(final String file) throws IOException
    {
        try (PEMParser parser = new PEMParser(
                Files.newBufferedReader(Paths.get(file), StandardCharsets.US_ASCII)))
        {
            Object obj = parser.readObject();
            if (!(obj instanceof X509CertificateHolder))
            {
                throw new IOException("Expected a certificate in " + file + " but found " + obj);
            }
            return (X509CertificateHolder) obj;
        }
    }
}
Next, look at the “readme.txt” file that is located at the previous URL for how to use the MqttConnectOptions.setSocketFactory() method.
I hope this helps…at least some.
Dwayne
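The following is an added example, not code from Dwayne's message, from the gist, or from the Paho project. It reproduces the check that the TrustManager built from caCrtFile performs during the handshake: JSSE runs a PKIX path build from the certificate the broker presents to the trust anchors in the CA key store, and when no anchor signed that certificate the build fails with exactly the "unable to find valid certification path to requested target" message seen in the quoted log. The example generates a throw-away CA, an unrelated second CA and a broker certificate with BouncyCastle (the certificate builder and content signer live in the bcpkix jar, as does the org.bouncycastle.openssl package used above), then runs the path build once with the right CA and once with the wrong one. The class name TrustPathCheck, the helpers issue() and pathBuildError(), and the names used in the sample certificates are assumptions of this example.

```java
// Added example (not Dwayne's code or the gist): reproduces the PKIX path build
// that JSSE performs when it validates the broker certificate against the CA
// loaded into the trust store, with constructed certificate material.
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class TrustPathCheck
{
    static final long ONE_DAY_MS = 24L * 60 * 60 * 1000;
    static final SecureRandom RANDOM = new SecureRandom();

    // Issues a certificate for subjectKey signed by issuerKey. A CA certificate
    // gets a critical BasicConstraints CA:TRUE extension, a leaf gets CA:FALSE.
    static X509Certificate issue(String issuerDn, KeyPair issuerKey, String subjectDn,
            KeyPair subjectKey, boolean isCa) throws Exception
    {
        Date notBefore = new Date(System.currentTimeMillis() - ONE_DAY_MS);
        Date notAfter = new Date(System.currentTimeMillis() + 365 * ONE_DAY_MS);
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
            new X500Name(issuerDn), new BigInteger(64, RANDOM),
            notBefore, notAfter, new X500Name(subjectDn), subjectKey.getPublic());
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
            .setProvider("BC").build(issuerKey.getPrivate());
        X509CertificateHolder holder = builder.build(signer);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
    }

    // Runs a PKIX path build for leaf with ca as the only trust anchor, which is
    // what the TrustManager created from the CA key store does at handshake time.
    // Returns null when the path builds, otherwise the builder's error message.
    static String pathBuildError(X509Certificate leaf, X509Certificate ca) throws Exception
    {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(
            Collections.singleton(new TrustAnchor(ca, null)), target);
        params.addCertStore(CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(Collections.singletonList(leaf))));
        params.setRevocationEnabled(false); // no CRL/OCSP for a local test CA
        try
        {
            CertPathBuilder.getInstance("PKIX").build(params);
            return null;
        }
        catch (CertPathBuilderException e)
        {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception
    {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);

        // Constructed sample material: the CA that signed the broker certificate,
        // a second CA that did not, and the broker certificate itself.
        KeyPair brokerCaKey = gen.generateKeyPair();
        KeyPair otherCaKey = gen.generateKeyPair();
        KeyPair brokerKey = gen.generateKeyPair();
        X509Certificate brokerCa = issue("CN=Broker Test CA", brokerCaKey,
            "CN=Broker Test CA", brokerCaKey, true);
        X509Certificate otherCa = issue("CN=Unrelated Local CA", otherCaKey,
            "CN=Unrelated Local CA", otherCaKey, true);
        X509Certificate broker = issue("CN=Broker Test CA", brokerCaKey,
            "CN=broker.example.test", brokerKey, false);

        System.out.println("trust store holds the signing CA : " + pathBuildError(broker, brokerCa));
        System.out.println("trust store holds another CA     : " + pathBuildError(broker, otherCa));
        System.out.println("broker certificate issuer: " + broker.getIssuerX500Principal());
        System.out.println("CA in trust store        : " + otherCa.getSubjectX500Principal());
    }
}
```

The first path build succeeds and the second fails, and the two printed names show why: the issuer of the broker certificate has to be the subject of (and have signed with the key behind) a certificate in caKs, so the ca.crt handed to getSslSocketFactory must be the CA that actually issued the broker's certificate, not a CA generated locally for a different purpose. The same test from the shell is `openssl verify -CAfile ca.crt server.crt`, which is worth running before touching the Java side when the handshake reports a PKIX path error.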
From: paho-dev-bounces@xxxxxxxxxxx [mailto:paho-dev-bounces@xxxxxxxxxxx]
On Behalf Of Al Nemethy
Sent: Tuesday, April 14, 2015 9:30 AM
To: General development discussions for paho project
Subject: Re: [paho-dev] SSL
Thanks for your time. Unfortunately I am getting the same problem with your implementation as I was getting with mine ... There are a few minor differences between my code and yours so I used yours. I can't see what is going on on the Broker side but I would bet it's saying the same thing as my local broker said. I am about to give up on mosquitto unless you have some additional info to share. Regards Al
Apr 14, 2015 9:18:00 AM com.Imantics.IoT.ALog L
INFO: The CA Certification is: ca.crt
Apr 14, 2015 9:18:00 AM com.Imantics.IoT.ALog L
INFO: The Certification is: server.crt
Apr 14, 2015 9:18:00 AM com.Imantics.IoT.ALog L
INFO: The KeyFile is: server.key
Apr 14, 2015 9:18:00 AM com.Imantics.IoT.ALog L
INFO: Connecting to broker Using SSL: ssl://test.mosquitto.org:8883
Apr 14, 2015 9:18:01 AM com.Imantics.IoT.ALog L
INFO: reason: 0
Apr 14, 2015 9:18:01 AM com.Imantics.IoT.ALog L
INFO: msg: MqttException
Apr 14, 2015 9:18:01 AM com.Imantics.IoT.ALog L
INFO: loc: MqttException
Apr 14, 2015 9:18:01 AM com.Imantics.IoT.ALog L
INFO: cause: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Apr 14, 2015 9:18:01 AM com.Imantics.IoT.ALog L
INFO: excep: MqttException (0) - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
MqttException (0) - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:604)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1439)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:878)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:814)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:89)
at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:590)
... 1 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1421)
... 10 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 16 more
On Tue, Apr 14, 2015 at 6:31 AM, Ian Craggs <icraggs@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Albert,
the SSL tests for the Paho Java client are run against Mosquitto. I think all the material needed, including Mosquitto configuration files, is in the repository. I'll check later if I have the chance. It sounds like an article would be a good idea.
Ian
On 04/14/2015 12:38 AM, Al Nemethy wrote:
Hello All, I have been trying to successfully build an SSL based MQTT Java client for some time now but have not been able to successfully connect. I am using Mosquitto 1.4.1 as the broker and it works with the Mosquitto publisher and subscriber aok. I have built the self-signed certificates many different ways. My question is this: Is there a good example that actually WORKS? With a complete procedure on how to build the certificates that is any different than what Mosquitto publishes??? Thanks in advance
--
Many Regards Al
Albert N. Nemethy
_______________________________________________
paho-dev mailing list
paho-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/paho-dev
--
Ian Craggs
icraggs@xxxxxxxxxx IBM United Kingdom
Paho Project Lead; Committer on Mosquitto
--
Many Regards Al
Albert N. Nemethy
802 434-2877