skip to Main Content

I am trying to setup an MQTT client in Unity (C#) which would communicate with AWS IoT Core. Here are the steps I’ve taken:

1)Generated a .pfx file using the certificate files from AWS:

openssl pkcs12 -export -in certificate.pem.crt -inkey private.pem.key -out certificate.cert.pfx -certfile AmazonRootCA1.pem

2)Placed the .pem and .pfx file in the Resources folder of my project. The path for the device certification in the code would be: deviceCertPath="Assets/Resources/certificate.cert.pfx"

3)Added M2Mqtt.net dll to Plugins folder (Downloaded from NuGet)

4)My code is as follows:

using System.Collections;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading;
using UnityEngine;

using uPLibrary.Networking.M2Mqtt;
using uPLibrary.Networking.M2Mqtt.Messages;

// Variables

private void Start()   
{
    caCert = X509Certificate2.CreateFromCertFile(caCertPath);
    deviceCert = new X509Certificate2(deviceCertPath);

    client = new MqttClient(broker, port, true, caCert, deviceCert, MqttSslProtocols.TLSv1_2);

    client.MqttMsgPublishReceived += Client_MqttMsgPublishReceived;
    client.MqttMsgSubscribed += Client_MqttMsgSubscribed;

    //Connect
    client.Connect(clientId);
    Debug.Log($"Connected to AWS IoT with client id: {clientId}.");
}

// Message Methods

When I try to run the code I get an error that happens when trying to create the deviceCert (line 16 in code snippet corresponds to line 32 mentioned in the error log):

ArgumentException: unsupported HMAC
Mono.Security.X509.PKCS12.Decode (System.Byte[] data) (at <b2e147cb24644c1580a142ea3d6c249e>:0)
Mono.Security.X509.PKCS12..ctor (System.Byte[] data, System.String password) (at <b2e147cb24644c1580a142ea3d6c249e>:0)
System.Security.Cryptography.X509Certificates.X509Certificate2ImplMono.ImportPkcs12 (System.Byte[] rawData, System.String password) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
System.Security.Cryptography.X509Certificates.X509Certificate2ImplMono.ImportPkcs12 (System.Byte[] rawData, Microsoft.Win32.SafeHandles.SafePasswordHandle password) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
System.Security.Cryptography.X509Certificates.X509Certificate2ImplMono..ctor (System.Byte[] rawData, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.X509PalImpl.ImportFallback (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.X509PalImplMono.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.SystemCertificateProvider.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags, Mono.CertificateImportFlags importFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
Mono.SystemCertificateProvider.Mono.ISystemCertificateProvider.Import (System.Byte[] data, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags, Mono.CertificateImportFlags importFlags) (at <6d7c4c8dd3624dc596686fb7270ae1e6>:0)
System.Security.Cryptography.X509Certificates.X509Helper.Import (System.Byte[] rawData, Microsoft.Win32.SafeHandles.SafePasswordHandle password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6073cf49ed704e958b8a66d540dea948>:0)
System.Security.Cryptography.X509Certificates.X509Certificate..ctor (System.String fileName, System.String password, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags keyStorageFlags) (at <6073cf49ed704e958b8a66d540dea948>:0)
System.Security.Cryptography.X509Certificates.X509Certificate..ctor (System.String fileName) (at <6073cf49ed704e958b8a66d540dea948>:0)
System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile (System.String filename) (at <6073cf49ed704e958b8a66d540dea948>:0)
MQTT.Start () (at Assets/Circulate/Scripts/Networking/MQTT/MQTT.cs:32)

The current .pfx file does not have a password, although I’ve attempted to use one with a password and got the same error. When I check the details of the certificates, both have a signature hash algorithm of sha256. I’m not sure why I am receiving this error and I haven’t been able to find much information regarding unsupported HMAC. Any help is appreciated, thank you!

2

Answers


  1. Your exception, based on the source is that the PFX MAC algorithm ID is not 1.3.14.3.2.26 (SHA-1).

    This seems surprising, since OpenSSL still defaults to HMAC-SHA1 for the PFX MAC, but maybe your build of OpenSSL has been modified. You should be able to force it to use HMAC-SHA1 by adding -macalg sha1 onto your export command (e.g. openssl pkcs12 -export -in certificate.pem.crt -inkey private.pem.key -out certificate.cert.pfx -certfile AmazonRootCA1.pem -macalg sha1).

    You can verify the MAC algorithm ID by openssl asn1parse, such as

    $ openssl asn1parse -inform der -i -in test.pfx
        0:d=0  hl=4 l=1716 cons: SEQUENCE
        4:d=1  hl=2 l=   1 prim:  INTEGER           :03
        7:d=1  hl=4 l=1658 cons:  SEQUENCE
       11:d=2  hl=2 l=   9 prim:   OBJECT            :pkcs7-data
       22:d=2  hl=4 l=1643 cons:   cont [ 0 ]
       26:d=3  hl=4 l=1639 prim:    OCTET STRING      [HEX DUMP]:3082066...<snip />
     1669:d=1  hl=2 l=  49 cons:  SEQUENCE
     1671:d=2  hl=2 l=  33 cons:   SEQUENCE
     1673:d=3  hl=2 l=   9 cons:    SEQUENCE
     1675:d=4  hl=2 l=   5 prim:     OBJECT            :sha1
     1682:d=4  hl=2 l=   0 prim:     NULL
     1684:d=3  hl=2 l=  20 prim:    OCTET STRING      [HEX DUMP]:9E2270B998C4A69898F29634EC0F4823E47879A0
     1706:d=2  hl=2 l=   8 prim:   OCTET STRING      [HEX DUMP]:E540B4FDBC03B6AF
     1716:d=2  hl=2 l=   2 prim:   INTEGER           :0800
    

    The OBJECT :sha1 5 lines from the bottom is the MAC algorithm identifier. (The particular offset for that line (e.g. 1675) will depend on your particular PFX, but that line will always be 5 from the bottom)

    Login or Signup to reply.
  2. check the openssl version, if its 3.0 than you should try to solve the issue with

    openssl pkcs12 **-legacy** -export -in certificate.pem.crt -inkey private.pem.key -out certificate.cert.pfx -certfile AmazonRootCA1.pem
    
    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search