| SSL/TLS connection from Eclipse Paho Java client to mosquitto MQTT broker | |
| By Sharon Ben Asher | |
| AVG Mobilation | |
| Sharon.Ben-Asher@AVG.com | |
| Mosquitto is an Open Source MQTT v3.1 Broker written in C (http://mosquitto.org) | |
| Eclipse Paho project has a Java MQTT client (http://eclipse.org/paho/) | |
| The code snippet below demonstrates how to establish a secured connection from a Paho client to a mosquitto broker. | |
| The connection includes server and client authentication through openssl (PEM formatted) certificates. | |
| 1) Follow the instructions on the mosquitto site to produce all the necessary certificates | |
| http://mosquitto.org/man/mosquitto-tls-7.html | |
| 2) Configure the broker to expect SSL connections. | |
| example configuration: | |
| listener 1883 | |
| cafile /home/ubuntu/etc/ca.crt | |
| certfile /home/ubuntu/etc/server.crt | |
| keyfile /home/ubuntu/etc/server.key | |
| require_certificate true | |
| use_identity_as_username true | |
| 3) On the client side, Paho has several options for specifying properties for the creation of SSL sockets | |
| (Properties, JVM arguments, etc). However, none of them will work with mosquitto (historically, Paho worked with IBM brokers). | |
| Fortunately, it also accepts a custom made instance of javax.net.ssl.SSLSocketFactory through the method MqttConnectOptions.setSocketFactory() and this works. | |
| example code using Paho API to establish connection: | |
| String serverUrl = "ssl://myMosquittoServer.com:1883"; | |
| MqttClient client = new MqttClient(serverUrl, "consumerId" , null); | |
| client.setCallback(new MyCallback()); | |
| MqttConnectOptions options = new MqttConnectOptions(); | |
| options.setConnectionTimeout(60); | |
| options.setKeepAliveInterval(60); | |
| options.setSocketFactory(SslUtil.getSocketFactory("caFilePath", "clientCrtFilePath", "clientKeyFilePath", "password")); | |
| client.connect(options); | |
| client.subscribe("topic", 0); | |
| The interesting bit is, of course, SslUtil.getSocketFactory() method. The code is attached seperately. | |
| Since Java cannot read PEM formatted certificates, the method is using bouncy castle (http://www.bouncycastle.org/) to load the necessary files: | |
| ca.crt is used to authenticate the server and is used to init an instance of javax.net.ssl.TrustManagerFactory. | |
| client.crt/.key are sent to mosquitto for client authentication, and therefore are used to init an instance of javax.net.ssl.KeyManagerFactory. | |
| The method expects all files as String full paths. | |
| The method is using Files.readAllBytes() which is available in JDK 7. | |
| basically, you need to load the file into byte array and pass that array to the constructor of ByteArrayInputStream as is demonstrated in the code. |
| import java.io.*; | |
| import java.nio.file.*; | |
| import java.security.*; | |
| import java.security.cert.*; | |
| import javax.net.ssl.*; | |
| import org.bouncycastle.jce.provider.*; | |
| import org.bouncycastle.openssl.*; | |
| public class SslUtil | |
| { | |
| static SSLSocketFactory getSocketFactory (final String caCrtFile, final String crtFile, final String keyFile, | |
| final String password) throws Exception | |
| { | |
| Security.addProvider(new BouncyCastleProvider()); | |
| // load CA certificate | |
| PEMReader reader = new PEMReader(new InputStreamReader(new ByteArrayInputStream(Files.readAllBytes(Paths.get(caCrtFile))))); | |
| X509Certificate caCert = (X509Certificate)reader.readObject(); | |
| reader.close(); | |
| // load client certificate | |
| reader = new PEMReader(new InputStreamReader(new ByteArrayInputStream(Files.readAllBytes(Paths.get(crtFile))))); | |
| X509Certificate cert = (X509Certificate)reader.readObject(); | |
| reader.close(); | |
| // load client private key | |
| reader = new PEMReader( | |
| new InputStreamReader(new ByteArrayInputStream(Files.readAllBytes(Paths.get(keyFile)))), | |
| new PasswordFinder() { | |
| @Override | |
| public char[] getPassword() { | |
| return password.toCharArray(); | |
| } | |
| } | |
| ); | |
| KeyPair key = (KeyPair)reader.readObject(); | |
| reader.close(); | |
| // CA certificate is used to authenticate server | |
| KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType()); | |
| caKs.load(null, null); | |
| caKs.setCertificateEntry("ca-certificate", caCert); | |
| TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); | |
| tmf.init(caKs); | |
| // client key and certificates are sent to server so it can authenticate us | |
| KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); | |
| ks.load(null, null); | |
| ks.setCertificateEntry("certificate", cert); | |
| ks.setKeyEntry("private-key", key.getPrivate(), password.toCharArray(), new java.security.cert.Certificate[]{cert}); | |
| KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); | |
| kmf.init(ks, password.toCharArray()); | |
| // finally, create SSL socket factory | |
| SSLContext context = SSLContext.getInstance("TLSv1"); | |
| context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); | |
| return context.getSocketFactory(); | |
| } | |
| } |
|
from this post |
tusharbapte
commented
Feb 8, 2013
|
Hi sharonbn, I have added above class file into my package but i am unable to use this class from my Sample.java(paho) file. conOpt.setSocketFactory(SslUtil.getSocketFactory(CA_CERT_PATH,CLIENT_CERT_PATH,CLIENT_KEY_PATH, PASSWORD)); I am getting following error: |
tusharbapte
commented
Mar 7, 2013
|
Hi sharonbn, Can you provide steps to compile java paho client after adding SslUtil.java , i am using ant tool to compile paho client as given in link: Thanks, |
tusharbapte
commented
Mar 7, 2013
|
Hi sharonbn, i am getting following error when compiling Sample.java javac -cp /home/tushar/new_jar_paho/bcpkix-jdk15on-148.jar:/home/tushar/new_jar_paho/bcprov-jdk15on-148.jar:/home/tushar/new_jar_paho/nio_framework-1.1beta_all.jar:/tmp/Mqttv3ClientOut/ship/org.eclipse.paho.client.mqttv3.jar src/org/eclipse/paho/sample/mqttv3app/Sample.java Note: src/org/eclipse/paho/sample/mqttv3app/Sample.java uses or overrides a deprecated API. Note: Recompile with -Xlint:deprecation for details. Thanks, |
ziakhancluuz
commented
May 23, 2013
|
Hi, I am trying to use paho library to connect to an ActiveMQ mqtt broker, I have followed the steps on the ActiveMQ site to generate some self signed certifcates, keystore files and some trust store files. I am not quite sure how all of them translate to the input for this class. as i don't have a caCertifcate and private key file. can I generate them using java "keytool" Any help would be really appreciated as I am really new to this and don't quite understand what i need to provide. All I am trying use the SSL for is the encryption and i don't really need to client authentication and I can blindly trust the server. Thanks in advance, Z |
anemethy
commented
Apr 2, 2015
|
Is there an update on this ??? The code is 2 years old and all of the bouncy castle libraries have changed. Please advise. Regards |
rohanag12
commented
Dec 9, 2015
|
I've written similar code using a newer version of the BouncyCastle library. Those looking for an update to this, check out https://gist.github.com/rohanag12/07ab7eb22556244e9698 |
fgarsombke
commented
Jan 5, 2016
|
Thank you! Exactly what I was looking for :) Much Karma going your way. |
sadaf13
commented
Feb 3, 2016
|
Hey!! i tried the above solution but facing the following exception. Exception in thread "main" MqttException (0) - javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure |
disharaval
commented
Feb 17, 2016
|
hey,I am facing following exception: |
rohitsureka
commented
Mar 3, 2016
|
@sadaf13 Were you able to get past that issue? |
vishalkothari
commented
Mar 7, 2016
|
@dishraval I am getting exact same exception trace. Did you find any solution for the issue The specified SocketFactory type does not match the broker URI (32105)? |
wendyhi
commented
Apr 27, 2016
|
In my case, changing the url of the mqtt server from tcp://1.2.3.4:8883 to ssl://1.2.3.4:8883 resolve the issue about |
javaproject
commented
Jan 29, 2017
|
Hello, I am trying to connect to AWS iot using Paho Mqtt Java Client. I have to specify the client_id, but also configure the connection tls_set meaning that I will specify root certificate (.crt), certificate file (.pem.crt) and the private key (.pem.crt) . I have already implemented this on Python, but unfortunately I need it in Java. Is there anyway you could help me ? The URI that I have is an endpoint from Amazon like : .iot.us-west-2.amazonaws.com How can I specify this in my code ??! Any kind of help would be appreciated. Thank you !! |
tusharbapte commentedNov 28, 2012
exception throwing after line :KeyPair key = (KeyPair)reader.readObject();
org.bouncycastle.openssl.PEMException: problem parsing ENCRYPTED PRIVATE KEY: javax.crypto.BadPaddingException: pad block corrupted
at org.bouncycastle.openssl.PEMReader$EncryptedPrivateKeyParser.parseObject(Unknown Source)
at org.bouncycastle.openssl.PEMReader.readObject(Unknown Source)
at org.eclipse.paho.sample.mqttv3app.SslUtil.getSocketFactory(SslUtil.java:38)
at org.eclipse.paho.sample.mqttv3app.Sample.(Sample.java:194)
at org.eclipse.paho.sample.mqttv3app.Sample.main(Sample.java:137)
Caused by: javax.crypto.BadPaddingException: pad block corrupted