Re: [paho-dev] SSL

Thanks All for your help, I did get this to work... It seems to have been a combination of issues. I am working on a very unique application that was part of the problem. Once we are ready to release I'm sure we will be able to disclose the particulars. Thanks Again Al

On Tue, Apr 14, 2015 at 9:48 AM, Bradley, Dwayne <Dwayne.Bradley@xxxxxxxxxxxxxxx> wrote:

Al,

Here is what I did to make SSL work between Mosquitto and Paho. First, you will need the BouncyCastle jar files that can be found here:

https://www.bouncycastle.org/java.html

I'm currently using 1.49 but 1.52 is the current release.

Next, take a look at the code here for a start:

https://gist.github.com/sharonbn/4104301

Because of some changes that have occurred in the BouncyCastle jar files since this code was originally written, there are a couple of tweaks that needed to be done to get it to work. Below is what has worked for me:


import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Paths;
import java.security.KeyManagementException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMDecryptorProvider;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;

public class SslUtil
{
    public static SSLSocketFactory getSslSocketFactory(
            final String caCrtFile,
            final String crtFile,
            final String keyFile,
            final String password)
        throws
            InvalidPathException,
            IOException,
            KeyStoreException,
            NoSuchAlgorithmException,
            CertificateException,
            UnrecoverableKeyException,
            KeyManagementException,
            Exception
    {
        Security.addProvider(new BouncyCastleProvider());

        // load CA certificate
        PEMParser parser = new PEMParser(new InputStreamReader(new ByteArrayInputStream(Files.readAllBytes(Paths.get(caCrtFile)))));
        X509CertificateHolder caCert = (X509CertificateHolder) parser.readObject();
        parser.close();

        // load client certificate
        parser = new PEMParser(new InputStreamReader(new ByteArrayInputStream(Files.readAllBytes(Paths.get(crtFile)))));
        X509CertificateHolder cert = (X509CertificateHolder) parser.readObject();
        parser.close();

        // load client private key (PEM may be encrypted with the given password, or plain)
        parser = new PEMParser(new InputStreamReader(new ByteArrayInputStream(Files.readAllBytes(Paths.get(keyFile)))));
        Object obj = parser.readObject();
        KeyPair key = null;
        JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
        if (obj instanceof PEMEncryptedKeyPair)
        {
            PEMDecryptorProvider decProv = new JcePEMDecryptorProviderBuilder().build(password.toCharArray());
            key = converter.getKeyPair(((PEMEncryptedKeyPair) obj).decryptKeyPair(decProv));
        }
        else
        {
            key = converter.getKeyPair((PEMKeyPair) obj);
        }
        parser.close();

        JcaX509CertificateConverter certConverter = new JcaX509CertificateConverter();
        certConverter.setProvider("BC");

        // CA certificate is used to authenticate server
        KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType());
        caKs.load(null, null);
        caKs.setCertificateEntry("ca-certificate", certConverter.getCertificate(caCert));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(caKs);

        // Client key and certificates are sent to server so it can authenticate us
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("certificate", certConverter.getCertificate(cert));
        ks.setKeyEntry("private-key", key.getPrivate(), password.toCharArray(), new java.security.cert.Certificate[]{certConverter.getCertificate(cert)});
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password.toCharArray());

        // Finally, create SSL socket factory
        SSLContext context = SSLContext.getInstance("TLSv1");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return context.getSocketFactory();
    }
}

Next, look at the "readme.txt" file that is located at the previous URL for how to use the MqttConnectOptions.setSocketFactory() method.

I hope this helps...at least some.

Dwayne
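As an added example, not code from this thread, the gist or the Paho project, the class below wires the SslUtil factory above into a Paho connection the way the readme's setSocketFactory() hook is meant to be used, and first performs the TLS handshake by hand so that a trust failure like the PKIX error quoted further down in the thread shows up before MQTT is involved. The file names, the password placeholder and the SslMqttConnect class name are assumptions.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.eclipse.paho.client.mqttv3.MqttClient;
import org.eclipse.paho.client.mqttv3.MqttConnectOptions;
import org.eclipse.paho.client.mqttv3.persist.MemoryPersistence;

public class SslMqttConnect {
    // Pre-flight: run the TLS handshake by hand with the same factory and print
    // the chain the broker presents. A PKIX "unable to find valid certification
    // path" failure here means the CA in the trust store did not issue that
    // chain, before MQTT is involved at all. Hostname verification is switched
    // on explicitly; a bare SSLSocket does not check the name on its own.
    static void preflight(SSLSocketFactory sf, String host, int port) throws Exception {
        try (SSLSocket s = (SSLSocket) sf.createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();
            for (Certificate c : s.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("subject=" + x.getSubjectX500Principal()
                                 + "  issuer=" + x.getIssuerX500Principal());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String host = "test.mosquitto.org";   // broker used in the thread
        int port = 8883;
        // Hypothetical file names: ca.crt must be the CA that signed the broker's
        // certificate; the cert/key pair must be the client's, not the broker's.
        SSLSocketFactory sf = SslUtil.getSslSocketFactory(
                "ca.crt", "client.crt", "client.key", "KEY-PASSWORD-PLACEHOLDER");
        preflight(sf, host, port);

        MqttConnectOptions opts = new MqttConnectOptions();
        opts.setSocketFactory(sf);   // the hook the readme.txt describes
        MqttClient client = new MqttClient("ssl://" + host + ":" + port,
                MqttClient.generateClientId(), new MemoryPersistence());
        client.connect(opts);
        System.out.println("connected over TLS as " + client.getClientId());
        client.disconnect();
    }
}
```

SslUtil as posted requests SSLContext "TLSv1"; passing "TLS" instead lets the JVM negotiate the newest protocol version both sides support.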

 

 

From: paho-dev-bounces@xxxxxxxxxxx [mailto:paho-dev-bounces@xxxxxxxxxxx] On Behalf Of Al Nemethy
Sent: Tuesday, April 14, 2015 9:30 AM
To: General development discussions for paho project
Subject: Re: [paho-dev] SSL


Thanks for your time. Unfortunately I am getting the same problem with your implementation as I was getting with mine ... There are a few minor differences between my code and yours so I used yours. I can't see what is going on on the Broker side but I would bet it's saying the same thing as my local broker said. I am about to give up on mosquitto unless you have some additional info to share.  Regards Al


Apr 14, 2015 9:18:00 AM com.Imantics.IoT.ALog L
INFO: The CA Certification is: ca.crt
Apr 14, 2015 9:18:00 AM com.Imantics.IoT.ALog L
INFO: The Certification is: server.crt
Apr 14, 2015 9:18:00 AM com.Imantics.IoT.ALog L
INFO: The KeyFile is: server.key
Apr 14, 2015 9:18:00 AM com.Imantics.IoT.ALog L
INFO: Connecting to broker Using SSL: ssl://test.mosquitto.org:8883
Apr 14, 2015 9:18:01 AM com.Imantics.IoT.ALog L
INFO: reason: 0
Apr 14, 2015 9:18:01 AM com.Imantics.IoT.ALog L
INFO: msg: MqttException
Apr 14, 2015 9:18:01 AM com.Imantics.IoT.ALog L
INFO: loc: MqttException
Apr 14, 2015 9:18:01 AM com.Imantics.IoT.ALog L
INFO: cause: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Apr 14, 2015 9:18:01 AM com.Imantics.IoT.ALog L
INFO: excep: MqttException (0) - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
MqttException (0) - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:604)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1439)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:878)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:814)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:89)
    at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:590)
    ... 1 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1421)
    ... 10 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 16 more

 

On Tue, Apr 14, 2015 at 6:31 AM, Ian Craggs <icraggs@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

Albert,

the SSL tests for the Paho Java client are run against Mosquitto. I think all the material needed, including Mosquitto configuration files, is in the repository. I'll check later if I have the chance. It sounds like an article would be a good idea.

Ian

 

On 04/14/2015 12:38 AM, Al Nemethy wrote:

Hello All, I have been trying to successfully build an SSL-based MQTT Java client for some time now but have not been able to successfully connect. I am using Mosquitto 1.4.1 as the broker and it works with the Mosquitto publisher and subscriber aok. I have built the self-signed certificates many different ways. My question is this: Is there a good example that actually WORKS, with a complete procedure on how to build the certificates, that is any different than what Mosquitto publishes? Thanks in advance


--

Many Regards Al
Albert N. Nemethy



_______________________________________________
paho-dev mailing list
paho-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/paho-dev



-- 
Ian Craggs                          
icraggs@xxxxxxxxxx                 IBM United Kingdom
Paho Project Lead; Committer on Mosquitto
 










