
Comments (6)

gitseti avatar gitseti commented on July 19, 2024 1

Hi @aiden-francois and thank you for your issue! :)

I could trace this down as a CLI-only bug. It should definitely work fine if you use the MQTT-Client-Library.

On to the actual bug for future reference:

If we build the KeyStore for a Client in SslOptions.java buildSslConfig, we are not taking into consideration the full certificate chain because FileToCertificateConverter only returns the first certificate in the chain for now.

To fix this we would need to use the bouncycastle CertificateFactory in the CertificateConverterUtils class and return an array of certificates in the FileToCertificateConverter:

    // BC's engineGenerateCertificates returns a raw Collection, so each element is cast to X509Certificate
    final List<X509Certificate> certificates = new ArrayList<>();
    new org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory()
            .engineGenerateCertificates(new FileInputStream(keyFile))
            .forEach(cert -> certificates.add((X509Certificate) cert));

FileToCertificateConverter must then return the array of certificates:

    public X509Certificate[] convert()

And in SslOptions the clientCertificate should now be an array of certificates:

    private X509Certificate[] clientCertificates;

Now we can use the whole certificate chain in buildSslConfig:

    private KeyManagerFactory buildKeyManagerFactory(final @NotNull X509Certificate[] certs, final @NotNull PrivateKey key)
            throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException, UnrecoverableKeyException {
        // fresh, empty in-memory KeyStore of the platform default type
        final KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        // store the private key together with the complete chain under one alias
        ks.setKeyEntry("mykey", key, null, certs);
        final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(ks, null);
        return keyManagerFactory;
    }

from mqtt-cli.

gitseti avatar gitseti commented on July 19, 2024 1

My best guess is that in Java 8 or less one of the following calls of KeyStore throws an IllegalArgumentException if the password passed to it is null:

    ks.load(null, null);
    ks.setKeyEntry("mykey", key, null, certs);

from mqtt-cli.
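The two points raised in the comments above, loading the whole client chain into the KeyStore and passing an explicit rather than null key-entry password, worked through as an added example written for this page; it is not mqtt-cli's own code. It uses the JDK's CertificateFactory instead of BouncyCastle's, because generateCertificates already returns every certificate in a PEM bundle, and it checks that the chain is ordered leaf-first before storing it. The class name, the file paths, the "mykey" alias reuse and the "changeit" password are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collection;
import javax.net.ssl.KeyManagerFactory;

/** Builds a client KeyManagerFactory from a PEM certificate chain and an unencrypted PKCS#8 key. */
public final class ClientChainKeyStore {

    /** Reads every certificate in a PEM bundle (leaf plus intermediates), not only the first one. */
    static X509Certificate[] loadChain(Path pemFile) throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pemFile)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    /** Verifies leaf-first ordering: chain[i] must be issued and signed by chain[i+1]. */
    static void checkChainOrder(X509Certificate[] chain) throws GeneralSecurityException {
        if (chain.length == 0) {
            throw new IllegalArgumentException("empty certificate chain");
        }
        for (int i = 0; i + 1 < chain.length; i++) {
            X509Certificate cert = chain[i];
            X509Certificate issuer = chain[i + 1];
            if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                throw new GeneralSecurityException("chain[" + i + "] is not issued by chain[" + (i + 1) + "]");
            }
            cert.verify(issuer.getPublicKey()); // throws if the signature does not match the issuer key
        }
    }

    /** Parses a "BEGIN PRIVATE KEY" (PKCS#8) PEM file; tries RSA, then EC. */
    static PrivateKey loadPkcs8Key(Path pemFile) throws IOException, GeneralSecurityException {
        String pem = new String(Files.readAllBytes(pemFile), StandardCharsets.US_ASCII);
        String base64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                           .replace("-----END PRIVATE KEY-----", "")
                           .replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(base64));
        for (String algorithm : new String[] {"RSA", "EC"}) {
            try {
                return KeyFactory.getInstance(algorithm).generatePrivate(spec);
            } catch (InvalidKeySpecException e) {
                // not this algorithm, try the next one
            }
        }
        throw new InvalidKeySpecException("key is neither an RSA nor an EC PKCS#8 key");
    }

    /** Stores key + full chain under one alias with a non-null password and initialises the factory. */
    static KeyManagerFactory buildKeyManagerFactory(X509Certificate[] chain, PrivateKey key, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                            // fresh, empty in-memory store
        ks.setKeyEntry("mykey", key, password, chain);  // whole chain, explicit entry password
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);                          // same password that protects the entry
        return kmf;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths (assumption): the client chain PEM and the PKCS#8 key PEM.
        Path chainFile = Paths.get(args.length > 0 ? args[0] : "client-chain.pem");
        Path keyFile = Paths.get(args.length > 1 ? args[1] : "client-key.pem");
        X509Certificate[] chain = loadChain(chainFile);
        checkChainOrder(chain);
        KeyManagerFactory kmf = buildKeyManagerFactory(chain, loadPkcs8Key(keyFile), "changeit".toCharArray());
        System.out.println("chain length: " + chain.length + ", leaf: " + chain[0].getSubjectX500Principal());
        System.out.println("key managers: " + kmf.getKeyManagers().length);
    }
}
```

Passing the same char[] to setKeyEntry and to KeyManagerFactory.init sidesteps the null-password difference between KeyStore implementations: on Java 8 KeyStore.getDefaultType() is "jks", whose key protector rejects a null password with IllegalArgumentException("password can't be null"), while Java 9 and later default to "pkcs12", which accepts it. That matches the message and the Java 8-only failure reported in this thread. The key loader only handles unencrypted PKCS#8 ("BEGIN PRIVATE KEY"); a PKCS#1 "BEGIN RSA PRIVATE KEY" file needs a converter such as BouncyCastle's, which is outside this example.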

aiden-francois avatar aiden-francois commented on July 19, 2024 1

I will test that specifically then, on the platform where it fails.

However, just like you said, the MQTT-Client-Library connects just fine to the AWS IoT Core MQTT broker (tested on Android API 29) once provided with the desired TrustManagerFactory and KeyManagerFactory.

from mqtt-cli.

aiden-francois avatar aiden-francois commented on July 19, 2024

Hi @gitseti, thanks for the quick investigation!

I rebuilt from the intermediate-certificates-are-ignored branch which includes #193 and it still fails, although differently for shell connect.

  • connect from the shell returns "Could not build SSL configuration" immediately, instead of what was observed previously: "password can't be null", then "Timeout while waiting for CONNACK" after a delay.
  • mqtt test fails the same way with "Could not build SSL config - password can't be null".

Am I possibly using the wrong command line parameters?

from mqtt-cli.

gitseti avatar gitseti commented on July 19, 2024

Hmm, could you also verify the problem for Java 11?

from mqtt-cli.

aiden-francois avatar aiden-francois commented on July 19, 2024

Good catch @gitseti!
It's connecting just fine with shell and test on OS: Mac OS X 10.14.6 x86_64 with

    JVM: 11.0.2 (Oracle Corporation OpenJDK 64-Bit Server VM 11.0.2+9)
    JVM: 13.0.1 (Oracle Corporation OpenJDK 64-Bit Server VM 13.0.1+9)

So the issue is specific to the current Oracle Java 1.8 runtime on Mac OS.

from mqtt-cli.
