Debug AWS_IO_FILE_VALIDATION_FAILURE while trying to connect to AWS IoT with a custom client certificate


I failed to run the sample code for basic_connect.

While running it with the following argument:
basic_connect.exe --client_id "ME" --endpoint "*-ats.iot.eu-west-1.amazonaws.com" --cert "<>/MyCertificate.crt" --key "<>/MyPrivate.key" --verbosity "Debug"

I receive the following output:

[DEBUG] [2022-09-29T13:02:54Z] [00001648] [mqtt-client] - client=*: Initalizing MQTT client
[DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: This library was built with Windows 8.1 or later, probing OS to see what we're actually running on.
[DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: We're running on Windows 8.1 or later. ALPN is available.
[DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: This library was built with Windows 8.1 or later, probing OS to see what we're actually running on.
[DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: We're running on Windows 8.1 or later. ALPN is available.
[DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: certificate and key have been set, setting them up now.
[INFO] [2022-09-29T13:02:56Z] [00001648] [pki-utils] - static: loading certificate chain with 1 certificates.
[ERROR] [2022-09-29T13:03:04Z] [00001648] [pki-utils] - static: no acceptable private key found, error AWS_IO_FILE_VALIDATION_FAILURE
[ERROR] [2022-09-29T13:03:04Z] [00001648] [tls-handler] - static: failed to import certificate and private key with error 1038.
Client Configuration initialization failed with error aws-c-io: AWS_IO_FILE_VALIDATION_FAILURE, A file was read and the input did not match the expected value

I have been trying to follow this AWS_IO_FILE_VALIDATION_FAILURE, and I end up with the following call stack:

basic-connect.exe!aws_import_key_pair_to_cert_context(aws_allocator * alloc, const aws_byte_cursor * public_cert_chain, const aws_byte_cursor * private_key, bool is_client_mode, void * * store, const _CERT_CONTEXT * * certs, unsigned __int64 * crypto_provider, unsigned __int64 * private_key_handle) Line 691	C
basic-connect.exe!s_ctx_new(aws_allocator * alloc, const aws_tls_ctx_options * options, bool is_client_mode) Line 2010	C
basic-connect.exe!aws_tls_client_ctx_new(aws_allocator * alloc, const aws_tls_ctx_options * options) Line 2044	C
basic-connect.exe!Aws::Crt::Io::TlsContext::TlsContext(Aws::Crt::Io::TlsContextOptions & options, Aws::Crt::Io::TlsMode mode, aws_allocator * allocator) Line 423	C++
basic-connect.exe!Aws::Iot::MqttClientConnectionConfigBuilder::Build() Line 493	C++
basic-connect.exe!Utils::CommandLineUtils::GetClientConnectionForMQTTConnection(Aws::Iot::MqttClient * client, Aws::Iot::MqttClientConnectionConfigBuilder * clientConfigBuilder) Line 542	C++
basic-connect.exe!Utils::CommandLineUtils::BuildDirectMQTTConnection(Aws::Iot::MqttClient * client) Line 459	C++
basic-connect.exe!main(int argc, char * * argv) Line 41	C++
[External Code]

None of the calls to CryptDecodeObjectEx in the function aws_import_key_pair_to_cert_context succeed. It sounds like there is a problem with my private key, which I generated as follows:
openssl req -newkey rsa:4096 -sha256 -nodes -keyout MyPrivate.key -out MyRequest.csr -config MyConfig.cnf

I am not sure I understand what this function is meant to do and what is wrong with my key. I am using Windows 10 with msbuild (tried in Python as well).

2 Answers
Accepted Answer

Hi. Your openssl command is generating a PEM key file in PKCS#8 format instead of the PKCS#1 format returned when AWS IoT Core generates the key. So your key file has a "BEGIN PRIVATE KEY" header instead of "BEGIN RSA PRIVATE KEY". I'm not familiar with CryptDecodeObjectEx(), but I think the PKCS_RSA_PRIVATE_KEY parameter might be demanding PKCS#1.

So you may find more success by generating your own key and certificate as documented here: https://docs.aws.amazon.com/iot/latest/developerguide/create-device-cert.html

Greg_B (AWS Expert)
answered 2 years ago
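The header difference Greg_B points out, shown as an added example that is not part of this thread: a standard-library Python script that classifies a PEM private key by its BEGIN label and unwraps an unencrypted PKCS#8 PrivateKeyInfo into the PKCS#1 RSAPrivateKey it contains. The point it makes is that the PKCS#8 file is literally the PKCS#1 DER blob wrapped in an OCTET STRING and tagged with the rsaEncryption OID, so converting between the two never touches the key material. The key used is a constructed toy key (p=61, q=53) built inside the script so that it runs offline; every function name here is the example's own, not the SDK's.

```python
# Added example: PKCS#8 "BEGIN PRIVATE KEY" vs PKCS#1 "BEGIN RSA PRIVATE KEY".
# The RSA numbers are a CONSTRUCTED toy key (p=61, q=53); never use them for real.
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1

# ---- minimal DER encode/decode -------------------------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, payload):
    return bytes([tag]) + _der_len(len(payload)) + payload

def der_int(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:                  # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return der_tlv(0x02, b)

def der_read_tlv(buf, pos=0):
    """Return (tag, value, position just after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

# ---- PKCS#1 RSAPrivateKey ---------------------------------------------------
def build_toy_rsa_private_key():
    """DER of RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }."""
    p, q, e = 61, 53, 17                       # constructed toy parameters
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return der_tlv(0x30, b"".join(der_int(x) for x in fields))

def parse_rsa_private_key(der):
    """Return the nine RSAPrivateKey integers from a PKCS#1 DER blob."""
    tag, body, _ = der_read_tlv(der)
    if tag != 0x30:
        raise ValueError("RSAPrivateKey must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("RSAPrivateKey fields must be INTEGERs")
        out.append(int.from_bytes(val, "big"))
    return out

# ---- PKCS#8 PrivateKeyInfo wrapper ---------------------------------------
def pkcs1_to_pkcs8(rsa_private_key_der):
    """PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier, OCTET STRING }."""
    alg_id = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption, NULL params
    return der_tlv(0x30, der_int(0) + alg_id + der_tlv(0x04, rsa_private_key_der))

def pkcs8_to_pkcs1(pkcs8_der):
    """Unwrap an unencrypted rsaEncryption PrivateKeyInfo to its inner RSAPrivateKey."""
    tag, body, _ = der_read_tlv(pkcs8_der)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    _, _, pos = der_read_tlv(body, 0)               # version
    tag, alg_id, pos = der_read_tlv(body, pos)      # AlgorithmIdentifier
    if tag != 0x30 or not alg_id.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key; no PKCS#1 form exists")
    tag, inner, _ = der_read_tlv(body, pos)         # privateKey OCTET STRING
    if tag != 0x04:
        raise ValueError("privateKey must be an OCTET STRING")
    return inner

# ---- PEM ---------------------------------------------------------------------
PEM_LABELS = {"RSA PRIVATE KEY": "pkcs1",
              "PRIVATE KEY": "pkcs8",
              "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted"}

def pem_key_format(pem_text):
    """Classify a PEM private key by its BEGIN label; None if unrecognised."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----", pem_text)
    return PEM_LABELS.get(m.group(1)) if m else None

def pem_to_der(pem_text):
    return base64.b64decode("".join(re.sub(r"-----[A-Z ]+-----", "", pem_text).split()))

def der_to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, lines, label)

def convert_pem_to_pkcs1(pem_text):
    """Return a 'BEGIN RSA PRIVATE KEY' PEM; PKCS#1 input passes through unchanged."""
    fmt = pem_key_format(pem_text)
    if fmt == "pkcs1":
        return pem_text
    if fmt != "pkcs8":
        raise ValueError("unsupported or encrypted key: %r" % fmt)
    return der_to_pem("RSA PRIVATE KEY", pkcs8_to_pkcs1(pem_to_der(pem_text)))
```

Running `convert_pem_to_pkcs1` on a file whose header is BEGIN PRIVATE KEY yields the same base64 payload the SDK's Windows loader wants, minus the 22-byte PrivateKeyInfo envelope. With the real tool, the equivalent step is `openssl rsa -in MyPrivate.key -out MyPrivate-pkcs1.key` (on OpenSSL 3.x add `-traditional`, since its `openssl rsa` otherwise writes PKCS#8 as well), after which the first line of the output file should read BEGIN RSA PRIVATE KEY. Because only the wrapper changes, the certificate already issued for the CSR stays valid for the converted key.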

Hi,

are you really using <> in your path? I assume you don't have a directory named <>?

Perhaps you should modify your command to look similar to (assuming you are in the same directory where your key/cert is stored):

basic_connect.exe --client_id "ME" --endpoint "*-ats.iot.eu-west-1.amazonaws.com" --cert "MyCertificate.crt" --key "MyPrivate.key" --verbosity "Debug"

You also need to use a valid IoT endpoint. In your case you need to replace * with the unique id of your endpoint.

Cheers,
Philipp

Philipp (AWS Expert)
answered 2 years ago
  • "<>" is not a valid path in Windows. "<>" and "*" are just replacements for the real values; I just don't want to share anything personal on the internet. The key is loaded correctly and is the same as in my file "private.key" in the aws_import_key_pair_to_cert_context arguments. It is CryptDecodeObjectEx which is failing on it, and I want to understand why. The documentation clearly specifies that AWS supports RSA + SHA256, which should be provided in PEM format.

  • You can find some information about troubleshooting connectivity at https://docs.aws.amazon.com/iot/latest/developerguide/diagnosing-connectivity-issues.html. You can use openssl to validate if your certificate is working correctly.
