我正在尝试在 Unity (C#) 中设置一个 MQTT 客户端,它将与 AWS IoT Core 通信。以下是我采取的步骤:
1)使用来自 AWS 的证书文件生成一个 .pfx 文件:
openssl pkcs12 -export -in certificate.pem.crt -inkey private.pem.key -out certificate.cert.pfx -certfile AmazonRootCA1.pem
2)将 .pem 和 .pfx 文件放在我项目的 Resources 文件夹中。代码中设备认证的路径为:
deviceCertPath="Assets/Resources/certificate.cert.pfx"
3) 将 M2Mqtt.net dll 添加到插件文件夹(从 NuGet 下载)
4)我的代码如下:
using System.Collections;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading;
using UnityEngine;
using uPLibrary.Networking.M2Mqtt;
using uPLibrary.Networking.M2Mqtt.Messages;
// Variables
private void Start()
{
caCert = X509Certificate2.CreateFromCertFile(caCertPath);
deviceCert = new X509Certificate2(deviceCertPath);
client = new MqttClient(broker, port, true, caCert, deviceCert, MqttSslProtocols.TLSv1_2);
client.MqttMsgPublishReceived += Client_MqttMsgPublishReceived;
client.MqttMsgSubscribed += Client_MqttMsgSubscribed;
//Connect
client.Connect(clientId);
Debug.Log($"Connected to AWS IoT with client id: {clientId}.");
}
// Message Methods
当我尝试运行代码时,在尝试创建
deviceCert
时出现错误(代码片段中的第 16 行对应于错误日志中提到的第 32 行):
ArgumentException: unsupported HMAC
Mono.Security.X509.PKCS12.Decode (System.Byte[] data) (at <b2e147cb24644c1580a142ea3d6c249e>:0)
Mono.Security.X509.PKCS12..ctor (System.Byte[] data, System.String password) (at <b2e147cb24644c1580a142ea3d6c249e>:0)
System.Security.Cryptography.X509Certificates.X509Certificate2ImplMono.ImportPkcs12 (System.Byte[] rawData, System.String password) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
System.Security.Cryptography.X509Certificates.X509Certificate2ImplMono.ImportPkcs12 (System.Byte[] rawData, Microsoft.Win32.SafeHandles.SafePasswordHandle password) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
System.Security.Cryptography.X509Certificates.X509Certificate2ImplMono..ctor (System.Byte[] rawData, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.X509PalImpl.ImportFallback (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.X509PalImplMono.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.SystemCertificateProvider.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags, Mono.CertificateImportFlags importFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.SystemCertificateProvider.Mono.ISystemCertificateProvider.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags, Mono.CertificateImportFlags importFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
System.Security.Cryptography.X509Certificates.X509Helper.Import (System.Byte[] rawData, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6073cf49ed704e958b8a66d540dea948>:0)
System.Security.Cryptography.X509Certificates.X509Certificate..ctor (System.String fileName, System.String password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6073cf49ed704e958b8a66d540dea948>:0)
System.Security.Cryptography.X509Certificates.X509Certificate..ctor (System.String fileName) (at <6073cf49ed704e958b8a66d540dea948>:0)
System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile (System.String filename) (at <6073cf49ed704e958b8a66d540dea948>:0)
MQTT.Start () (at Assets/Circulate/Scripts/Networking/MQTT/MQTT.cs:32)
当前的 .pfx 文件没有密码,尽管我尝试使用一个有密码的文件并得到同样的错误。当我检查证书的详细信息时,两者都有 sha256 的签名哈希算法。我不确定为什么会收到此错误,而且我无法找到有关不受支持的 HMAC 的大量信息。感谢您的帮助,谢谢!
你的例外,基于 source 是 PFX MAC 算法 ID 不是 1.3.14.3.2.26 (SHA-1).
这似乎令人惊讶,因为 OpenSSL 仍然默认为 PFX MAC 的 HMAC-SHA1,但也许您的 OpenSSL 构建已被修改。您应该能够通过在导出命令中添加
-macalg sha1
(例如openssl pkcs12 -export -in certificate.pem.crt -inkey private.pem.key -out certificate.cert.pfx -certfile AmazonRootCA1.pem -macalg sha1
)来强制它使用HMAC-SHA1。
可以通过
openssl asn1parse
验证MAC算法ID,比如
$ openssl asn1parse -inform der -i -in test.pfx
0:d=0 hl=4 l=1716 cons: SEQUENCE
4:d=1 hl=2 l= 1 prim: INTEGER :03
7:d=1 hl=4 l=1658 cons: SEQUENCE
11:d=2 hl=2 l= 9 prim: OBJECT :pkcs7-data
22:d=2 hl=4 l=1643 cons: cont [ 0 ]
26:d=3 hl=4 l=1639 prim: OCTET STRING [HEX DUMP]:3082066...<snip />
1669:d=1 hl=2 l= 49 cons: SEQUENCE
1671:d=2 hl=2 l= 33 cons: SEQUENCE
1673:d=3 hl=2 l= 9 cons: SEQUENCE
1675:d=4 hl=2 l= 5 prim: OBJECT :sha1
1682:d=4 hl=2 l= 0 prim: NULL
1684:d=3 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:9E2270B998C4A69898F29634EC0F4823E47879A0
1706:d=2 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:E540B4FDBC03B6AF
1716:d=2 hl=2 l= 2 prim: INTEGER :0800
倒数
OBJECT :sha1
5行是MAC算法标识。 (该行的特定偏移量(例如 1675)将取决于您的特定 PFX,但该行始终从底部算起 5)
检查 openssl 版本,如果是 3.0,你应该尝试用
解决问题openssl pkcs12 **-legacy** -export -in certificate.pem.crt -inkey private.pem.key -out certificate.cert.pfx -certfile AmazonRootCA1.pem