I have a simple Java client for a Mosquitto MQTT server:
```java
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.eclipse.paho.client.mqttv3.MqttClient;
import org.eclipse.paho.client.mqttv3.MqttConnectOptions;
import org.eclipse.paho.client.mqttv3.MqttException;

public class TestMQTT3 {
    public static void main(String[] args) {
        System.out.println("Starting");
        String serverUrl = "ssl://192.168.1.8:8887";
        String path = "C:\\projects\\certs\\CA4\\";
        String caFilePath = path + "cacert.pem";
        String mqttUserName = "b";
        String mqttPassword = "b";
        MqttClient client;
        try {
            client = new MqttClient(serverUrl, "2");
            MqttConnectOptions options = new MqttConnectOptions();
            options.setUserName(mqttUserName);
            options.setPassword(mqttPassword.toCharArray());
            options.setConnectionTimeout(60);
            options.setKeepAliveInterval(60);
            options.setMqttVersion(MqttConnectOptions.MQTT_VERSION_3_1);
            // TLS socket factory that trusts only the CA certificate in caFilePath
            SSLSocketFactory socketFactory = getSocketFactory3(caFilePath);
            options.setSocketFactory(socketFactory);
            System.out.println("starting connect the server...");
            client.connect(options);
            System.out.println("connected!");
            Thread.sleep(1000);
            client.subscribe(
                "/u/56ca327d17531d08e76bddd4a215e37f5fd6082f7442151c4d3f1d100a0ffd4e",
                0);
            client.disconnect();
            System.out.println("disconnected!");
        } catch (MqttException e) {
            e.printStackTrace();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private static SSLSocketFactory getSocketFactory3(final String caCrtFile) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // load CA certificate (the last certificate in the file wins)
        X509Certificate caCert = null;
        FileInputStream fis = new FileInputStream(caCrtFile);
        BufferedInputStream bis = new BufferedInputStream(fis);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        while (bis.available() > 0) {
            caCert = (X509Certificate) cf.generateCertificate(bis);
            System.out.println(caCert.toString());
        }
        bis.close();
        // CA certificate is used to authenticate the server
        KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType());
        caKs.load(null, null);
        caKs.setCertificateEntry("ca-certificate", caCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
        tmf.init(caKs);
        // finally, create the SSL socket factory (no client certificate, so key managers are null)
        SSLContext context = SSLContext.getInstance("TLSv1.2");
        context.init(null, tmf.getTrustManagers(), null);
        return context.getSocketFactory();
    }
}
```
An attempt to connect using this CA certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f6:7e:ef:1c:70:ef:30:64
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=Hawthorne, O=PhilNet, OU=UN, CN=CN
Validity
Not Before: Jan 15 17:36:08 2020 GMT
Not After : Jan 14 17:36:08 2021 GMT
Subject: C=US, ST=California, L=Hawthorne, O=PhilNet, OU=UN, CN=CN
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
75:AF:4E:B9:E0:49:FE:62:C1:21:28:B0:77:38:36:02:22:2E:1B:8F
X509v3 Authority Key Identifier:
keyid:75:AF:4E:B9:E0:49:FE:62:C1:21:28:B0:77:38:36:02:22:2E:1B:8F
X509v3 Subject Alternative Name:
IP Address:192.168.1.8, DNS:glass
Signature Algorithm: sha1WithRSAEncryption
Error:
starting connect the server...
MqttException (0) - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:736)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1640)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:149)
at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:722)
... 1 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1622)
... 10 more
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:159)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:85)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
... 16 more
What am I doing wrong, and how do I fix the problem?
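The "Path does not chain with any of the trust anchors" error is raised by PKIX path validation, which checks that the certificate the broker presents was issued by a certificate in the trust store. The dump above shows a certificate with `CA:FALSE` and identical Subject and Issuer, which the check below reports. The following diagnostic is an added example, not part of the original question or the Paho project: it assumes the file given to the client (argument 0) and the broker's own certificate exported from the Mosquitto host as PEM (argument 1, a hypothetical `server.crt`), and runs the same validation offline, without opening a socket.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class ChainCheck {
    // Loads every PEM certificate in a file, in file order.
    static List<X509Certificate> loadPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: file handed to the client as CA; args[1]: broker certfile (assumed, e.g. server.crt)
        X509Certificate anchor = loadPem(args[0]).get(0);
        List<X509Certificate> serverChain = loadPem(args[1]);

        // getBasicConstraints() returns -1 when the certificate is not marked CA:TRUE,
        // i.e. it cannot have issued the broker's certificate.
        System.out.println("anchor subject  : " + anchor.getSubjectX500Principal());
        System.out.println("anchor is a CA  : " + (anchor.getBasicConstraints() != -1));
        System.out.println("broker issuer   : " + serverChain.get(0).getIssuerX500Principal());

        // Same PKIX validation the JSSE trust manager runs during the TLS handshake.
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(anchor, null)));
        params.setRevocationEnabled(false); // private CA: no CRL/OCSP available
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        try {
            cpv.validate(CertificateFactory.getInstance("X.509").generateCertPath(serverChain), params);
            System.out.println("broker chain validates against the anchor");
        } catch (CertPathValidatorException e) {
            // Reproduces the handshake failure, e.g. "Path does not chain with any of the trust anchors"
            System.out.println("validation failed: " + e.getMessage());
        }
    }
}
```

If the broker issuer printed here differs from the anchor subject, the file passed to the client is not the certificate that signed the broker's `certfile`, which is exactly what the handshake error reports.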