M2MQTT 参数异常:不支持的 HMAC

问题描述 投票:0回答:2

我正在尝试在 Unity (C#) 中设置一个 MQTT 客户端,它将与 AWS IoT Core 通信。以下是我采取的步骤:

1)使用来自 AWS 的证书文件生成一个 .pfx 文件:

openssl pkcs12 -export -in certificate.pem.crt -inkey private.pem.key -out certificate.cert.pfx -certfile AmazonRootCA1.pem

2)将 .pem 和 .pfx 文件放在我项目的 Resources 文件夹中。代码中设备认证的路径为:

deviceCertPath="Assets/Resources/certificate.cert.pfx"

3) 将 M2Mqtt.net dll 添加到插件文件夹(从 NuGet 下载)

4)我的代码如下:

using System.Collections;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading;
using UnityEngine;

using uPLibrary.Networking.M2Mqtt;
using uPLibrary.Networking.M2Mqtt.Messages;

// Variables

private void Start()   
{
    caCert = X509Certificate2.CreateFromCertFile(caCertPath);
    deviceCert = new X509Certificate2(deviceCertPath);

    client = new MqttClient(broker, port, true, caCert, deviceCert, MqttSslProtocols.TLSv1_2);

    client.MqttMsgPublishReceived += Client_MqttMsgPublishReceived;
    client.MqttMsgSubscribed += Client_MqttMsgSubscribed;

    //Connect
    client.Connect(clientId);
    Debug.Log($"Connected to AWS IoT with client id: {clientId}.");
}

// Message Methods

当我尝试运行代码时,在尝试创建 

deviceCert
时出现错误(代码片段中的第 16 行对应于错误日志中提到的第 32 行):

ArgumentException: unsupported HMAC
Mono.Security.X509.PKCS12.Decode (System.Byte[] data) (at <b2e147cb24644c1580a142ea3d6c249e>:0)
Mono.Security.X509.PKCS12..ctor (System.Byte[] data, System.String password) (at <b2e147cb24644c1580a142ea3d6c249e>:0)
System.Security.Cryptography.X509Certificates.X509Certificate2ImplMono.ImportPkcs12 (System.Byte[] rawData, System.String password) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
System.Security.Cryptography.X509Certificates.X509Certificate2ImplMono.ImportPkcs12 (System.Byte[] rawData, Microsoft.Win32.SafeHandles.SafePasswordHandle password) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
System.Security.Cryptography.X509Certificates.X509Certificate2ImplMono..ctor (System.Byte[] rawData, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.X509PalImpl.ImportFallback (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.X509PalImplMono.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.SystemCertificateProvider.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags, Mono.CertificateImportFlags importFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.SystemCertificateProvider.Mono.ISystemCertificateProvider.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags, Mono.CertificateImportFlags importFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
System.Security.Cryptography.X509Certificates.X509Helper.Import (System.Byte[] rawData, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6073cf49ed704e958b8a66d540dea948>:0)
System.Security.Cryptography.X509Certificates.X509Certificate..ctor (System.String fileName, System.String password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6073cf49ed704e958b8a66d540dea948>:0)
System.Security.Cryptography.X509Certificates.X509Certificate..ctor (System.String fileName) (at <6073cf49ed704e958b8a66d540dea948>:0)
System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile (System.String filename) (at <6073cf49ed704e958b8a66d540dea948>:0)
MQTT.Start () (at Assets/Circulate/Scripts/Networking/MQTT/MQTT.cs:32)

当前的 .pfx 文件没有密码,尽管我尝试使用一个有密码的文件并得到同样的错误。当我检查证书的详细信息时,两者都有 sha256 的签名哈希算法。我不确定为什么会收到此错误,而且我无法找到有关不受支持的 HMAC 的大量信息。感谢您的帮助,谢谢!

amazon-web-services unity3d mqtt x509certificate
2个回答
1
投票

你的例外,基于 source 是 PFX MAC 算法 ID 不是 1.3.14.3.2.26 (SHA-1).

这似乎令人惊讶,因为 OpenSSL 仍然默认为 PFX MAC 的 HMAC-SHA1,但也许您的 OpenSSL 构建已被修改。您应该能够通过在导出命令中添加

-macalg sha1
(例如
openssl pkcs12 -export -in certificate.pem.crt -inkey private.pem.key -out certificate.cert.pfx -certfile AmazonRootCA1.pem -macalg sha1
)来强制它使用HMAC-SHA1。

可以通过

openssl asn1parse
验证MAC算法ID,比如

$ openssl asn1parse -inform der -i -in test.pfx
    0:d=0  hl=4 l=1716 cons: SEQUENCE
    4:d=1  hl=2 l=   1 prim:  INTEGER           :03
    7:d=1  hl=4 l=1658 cons:  SEQUENCE
   11:d=2  hl=2 l=   9 prim:   OBJECT            :pkcs7-data
   22:d=2  hl=4 l=1643 cons:   cont [ 0 ]
   26:d=3  hl=4 l=1639 prim:    OCTET STRING      [HEX DUMP]:3082066...<snip />
 1669:d=1  hl=2 l=  49 cons:  SEQUENCE
 1671:d=2  hl=2 l=  33 cons:   SEQUENCE
 1673:d=3  hl=2 l=   9 cons:    SEQUENCE
 1675:d=4  hl=2 l=   5 prim:     OBJECT            :sha1
 1682:d=4  hl=2 l=   0 prim:     NULL
 1684:d=3  hl=2 l=  20 prim:    OCTET STRING      [HEX DUMP]:9E2270B998C4A69898F29634EC0F4823E47879A0
 1706:d=2  hl=2 l=   8 prim:   OCTET STRING      [HEX DUMP]:E540B4FDBC03B6AF
 1716:d=2  hl=2 l=   2 prim:   INTEGER           :0800

倒数

OBJECT :sha1
5行是MAC算法标识。 (该行的特定偏移量(例如 1675)将取决于您的特定 PFX,但该行始终从底部算起 5)

0
投票

检查 openssl 版本,如果是 3.0,你应该尝试用

解决问题 
openssl pkcs12 **-legacy** -export -in certificate.pem.crt -inkey private.pem.key -out certificate.cert.pfx -certfile AmazonRootCA1.pem
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.