bytebeamio / rumqtt

The MQTT ecosystem in rust
Apache License 2.0

InvalidCertificate(BadSignature) when using TLS with custom root certificate #865

Closed philoliver closed 1 month ago

philoliver commented 1 month ago

Hi, I am trying to connect to a broker that uses a self-signed certificate; however, I get a BadSignature error. The certificate works with another application (using other language/libraries). I'd really appreciate any help on how I should go ahead.

Current Behavior

Error on poll: Tls(Io(Custom { kind: InvalidData, error: InvalidCertificate(BadSignature) })

Code

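use std::fs::File;
use std::io::BufReader;

use rumqttc::{AsyncClient, Transport};
use rustls::ClientConfig;

// Load every certificate in the PEM file into the root store used as trust anchors.
let mut roots = rustls::RootCertStore::empty();
let file = File::open(cert_path).expect("There was an issue loading the ca certificate file");
let mut reader = BufReader::new(file);
let certs = rustls_pemfile::certs(&mut reader);
for cert in certs.flatten() {
    roots.add(cert).expect("Could not add ca certificate.");
}

// Verify the server against the custom roots only; no client certificate is sent.
let client_conf = ClientConfig::builder()
    .with_root_certificates(roots.clone())
    .with_no_client_auth();

mqtt_options.set_transport(Transport::tls_with_config(client_conf.into()));

let (client, mut eventloop) = AsyncClient::new(mqtt_options, 10);

// The connection is made while polling, which is where the error surfaces.
loop {
    let notification = eventloop.poll().await.expect("Poll failed.");
}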

Certificate

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = <ST>, L = <L>, O = <O>, OU = <OU>, CN = <CN>, emailAddress = <mail>
        Validity
            Not Before: May  3 06:39:54 2021 GMT
            Not After : May  1 06:39:54 2031 GMT
        Subject: C = DE, ST = <ST>, L = <L>, O = <O>, OU = <OU>, CN = <CN>, emailAddress = <mail>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                        00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                        00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                        ...
                        00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                        00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:localhost, DNS:develmqtt.mydomain.com, IP Address:127.0.0.1, IP Address:1.1.1.1
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
        00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
        ...
        00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
        00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:

philoliver commented 1 month ago

It turns out that I was provided a server certificate rather than a CA certificate. I don't know how the other application accepted it. With the correct certificate it works!

For anyone who finds himself in the same situation, use the following command to view the certificate details: openssl x509 -in <certificate-file> -text -noout

According to my understanding, if your file does not have the following lines, it is not a CA certificate:

X509v3 Basic Constraints: critical
                CA:TRUE
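
As an added example (not part of the issue thread or the rumqtt project), the shell functions below build on the same `openssl x509` command to tell a CA certificate from a self-signed server certificate like the one in this issue, before the file is loaded as a trust anchor. The function names and the generated sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a PEM certificate before trusting it as a root.
# All function names and the sample certificates are hypothetical.

# is_ca_cert FILE: succeeds only if Basic Constraints contains CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Basic Constraints/ { getline; if (/CA:TRUE/) ok = 1 }
             END { exit !ok }'
}

# is_self_issued FILE: succeeds if subject and issuer names hash identically.
is_self_issued() {
    _s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null)
    _i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null)
    [ -n "$_s" ] && [ "$_s" = "$_i" ]
}

# classify_cert FILE: prints ca, self-signed-leaf, leaf or unreadable.
classify_cert() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo unreadable; return 2
    fi
    if is_ca_cert "$1"; then echo ca
    elif is_self_issued "$1"; then echo self-signed-leaf
    else echo leaf
    fi
}

# make_samples DIR: writes constructed throwaway certificates, DIR/ca.pem
# (CA:TRUE) and DIR/leaf.pem (self-signed, SAN only, as in the issue).
make_samples() {
    cat > "$1/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-example
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
subjectAltName = DNS:localhost
EOF
    for kind in ca leaf; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/cfg" \
            -extensions "v3_$kind" -keyout "$1/$kind.key" -out "$1/$kind.pem" \
            2>/dev/null || return 1
    done
}
```

Running `classify_cert <certificate-file>` on the file handed over as a "CA certificate" shows `self-signed-leaf` when it is really a self-signed server certificate.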