Closed sumit-k-aggarwal closed 7 years ago
Hi @Sumit-IOT , Thanks for your interest in the AWS IoT Java SDK. The implementation of MQTT over websocket does not require a KeyStore. This is different from the way MQTT over TLS X.509 mutual auth works. Can you try using TLS mutual auth, which allows you to load your own keystore file?
Hi, I think I have not stated the problem clearly. Let me try once more: my enterprise application uses a TrustStore for CAS authentication and preloads the trustStore at application bootstrap.
Now I am trying to connect to the AWS MQTT broker over websocket. Since the application thread already has a trustStore loaded in the JVM, the eclipse paho library, while creating the SocketFactory, tries to use the TrustStore/KeyStore. This throws the error mentioned above. It is being incorrectly assumed that an AWS client connecting MQTT over websocket will not have any TrustStore/KeyStore.
So far I have not tried "MQTT over TLS x509 mutual auth"; even if I try it, I may need to import the AWS generated certificate into my own trustStore. This is anyway something I have not tried till now and can update on later.
-Sumit
Thanks for your elaboration. I think we understand your situation correctly. The reason we set the socket factory to null is that AWS IoT does not need to verify certificates and keys in a websocket connection. Instead, we recommend customers use the mutual auth cert connection type, which supports a socket factory with their KeyStore imported. Please try MQTT over TLS mutual auth and let us know if it works.
Meanwhile, is there any reason you want to use a websocket connection? We can take this use case and add this feature request to a future release. Also, please feel free to submit a pull request if you have something that we should merge. We will go through it in our internal pipeline and have it released in the future.
Thanks
Thanks a lot. It is good that the problem is finally clear. I think it is more a bug/incorrect assumption of Eclipse paho than of the AWS SDK. Thanks for considering it for a future release. FYI, if I do System.clearProperty("javax.net.ssl.trustStore") before awsIotClient.connect(); and reset System.setProperty("javax.net.ssl.trustStore", "abc.keystore") after connect(), it works properly. It is a type of hack for sure :).
I will see if I can get time to make some changes in the SDK and submit them for your consideration. This may take a couple of days. I will pull it for sure if my schedule permits it.
No specific reason for the websocket connection; I started first using websocket. Now I tried TLS as suggested and faced an issue there too, see https://github.com/aws/aws-iot-device-sdk-java/issues/40.
-Sumit
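The workaround in the comment above (clear javax.net.ssl.trustStore before connect(), restore it afterwards) can be made a little safer by saving whatever was set, restoring it in a finally block so an exception from connect() does not leave the property cleared, and covering the related trustStorePassword and trustStoreType properties as well. The following is an added example written for this thread; it is not code from the original issue, from the AWS IoT Device SDK or from Eclipse Paho. The class name TrustStorePropertyScope, the property list and the "abc.keystore" path are assumptions for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.Callable;

/**
 * Added example (not part of the original issue or the AWS SDK).
 *
 * Runs an action with the JVM-wide javax.net.ssl.* trust-store system
 * properties temporarily removed, then puts them back exactly as they were.
 * This is a workaround for a library that, given no SocketFactory, builds its
 * own SSLContext from those properties and fails to load the application's
 * trust store (for example with "Invalid keystore format").
 */
public final class TrustStorePropertyScope {

    // Properties a library may read when it builds its own SSLContext.
    // Assumed list; check the library version you are using.
    private static final String[] PROPS = {
        "javax.net.ssl.trustStore",
        "javax.net.ssl.trustStorePassword",
        "javax.net.ssl.trustStoreType",
    };

    // Serialises callers of this helper. It does NOT protect other threads
    // that read these properties while the window is open (see note below).
    private static final Object LOCK = new Object();

    private TrustStorePropertyScope() {}

    public static <T> T withTrustStoreCleared(Callable<T> action) throws Exception {
        synchronized (LOCK) {
            // Save only the properties that were actually set, in order.
            Map<String, String> saved = new LinkedHashMap<>();
            for (String p : PROPS) {
                String previous = System.clearProperty(p); // returns old value or null
                if (previous != null) {
                    saved.put(p, previous);
                }
            }
            try {
                return action.call();
            } finally {
                // Restore even if connect() threw, so the rest of the
                // application keeps its trust store.
                for (Map.Entry<String, String> e : saved.entrySet()) {
                    System.setProperty(e.getKey(), e.getValue());
                }
            }
        }
    }

    // Illustrative usage; AWSIotMqttClient is the SDK's own class and is
    // referenced here only to show where the helper goes.
    //
    //   AWSIotMqttClient awsIotClient = ...;   // websocket / SigV4 constructor
    //   TrustStorePropertyScope.withTrustStoreCleared(() -> {
    //       awsIotClient.connect();
    //       return null;
    //   });
}
```

Two caveats a practitioner should keep in mind. First, system properties are global to the JVM, so any other thread that opens a TLS connection while the window is open will be validating against the JRE default cacerts instead of the application's trust store; the lock above only serialises users of this helper. Second, clearing the property does not turn off certificate verification: with no javax.net.ssl.trustStore set, the JSSE default trust store is used for the wss:// connection, which is what makes the workaround acceptable rather than an "accept anything" socket factory.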
It is good to hear that you have a workaround for it. I will follow up on the other issue you created.
Thanks
Thanks for your interest in the AWS IoT Device SDK for Java. Please open another thread if you still have questions.
Use Case - My client application has a TrustStore loaded in its Java application thread which has nothing to do with the certificates required for AWS IoT connectivity.
I am trying to connect to the AWS IoT MQTT broker as "MQTT over WebSocket with AWS Signature Version 4 authentication".
But I am getting the below error:
Exception in thread "main" com.amazonaws.services.iot.client.AWSIotException: MqttException (0) - java.io.IOException: Invalid keystore format
    at com.amazonaws.services.iot.client.mqtt.AwsIotMqttConnection.openConnection(AwsIotMqttConnection.java:68)
    at com.amazonaws.services.iot.client.core.AwsIotConnection.connect(AwsIotConnection.java:246)
    at com.amazonaws.services.iot.client.core.AbstractAwsIotClient.connect(AbstractAwsIotClient.java:111)
    at com.amazonaws.services.iot.client.AWSIotMqttClient.connect(AWSIotMqttClient.java:501)
    at com.amazonaws.services.iot.client.core.AbstractAwsIotClient.connect(AbstractAwsIotClient.java:93)
    at com.amazonaws.services.iot.client.AWSIotMqttClient.connect(AWSIotMqttClient.java:463)
    at com.emeter.PublishSubscribeSample.main(PublishSubscribeSample.java:110)
Caused by: MqttException (0) - java.io.IOException: Invalid keystore format
    at org.eclipse.paho.client.mqttv3.internal.security.SSLSocketFactoryFactory.getSSLContext(SSLSocketFactoryFactory.java:1284)
    at org.eclipse.paho.client.mqttv3.internal.security.SSLSocketFactoryFactory.createSocketFactory(SSLSocketFactoryFactory.java:1344)
    at org.eclipse.paho.client.mqttv3.MqttAsyncClient.createNetworkModule(MqttAsyncClient.java:446)
    at org.eclipse.paho.client.mqttv3.MqttAsyncClient.createNetworkModules(MqttAsyncClient.java:349)
    at org.eclipse.paho.client.mqttv3.MqttAsyncClient.connect(MqttAsyncClient.java:557)
    at com.amazonaws.services.iot.client.mqtt.AwsIotMqttConnection.openConnection(AwsIotMqttConnection.java:66)
    ... 6 more
Caused by: java.io.IOException: Invalid keystore format
    at sun.security.provider.JavaKeyStore.engineLoad(Unknown Source)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(Unknown Source)
    at sun.security.provider.KeyStoreDelegator.engineLoad(Unknown Source)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(Unknown Source)
    at java.security.KeyStore.load(Unknown Source)
    at org.eclipse.paho.client.mqttv3.internal.security.SSLSocketFactoryFactory.getSSLContext(SSLSocketFactoryFactory.java:1259)
    ... 11 more
After our analysis we found that eclipse paho tries to create an SSLSocketFactoryFactory and, in doing so, tries to read the KeyStore and TrustStore. It does this in the getSSLContext() method of SSLSocketFactoryFactory. Please go through the code.
We also found that in the constructor of AwsIotWebsocketConnection, shown below, the SocketFactory is passed as null:
public AwsIotWebsocketConnection(AbstractAwsIotClient client, String awsAccessKeyId, String awsSecretAccessKey, String sessionToken) throws AWSIotException {
    super(client, null, "wss://" + client.getClientEndpoint() + ":443");
    ...
}
Due to the null socketFactory, eclipse paho tries to create a socket factory itself, which in turn leads to this problem. Ideally AWS should have provided a way to pass in a socket factory.
I have already tried not setting the TrustStore, which is my application's trust store certificate file. After removing the trust store everything works.