Processing Client Certificates in Authorization Extensions

This is a followup of the thread Access X.509 Certificates in Authentication Extensions where we solved my TLS 1.2 connectivity problem. This post is now about the root question I want to evaluate…

The goal of my prototyping is to implement an authentication extension that checks the certificate thumbprint against an external system (e.g. our own device registry) and not against the HiveMQ truststore. We want to manage our device certs in our system and not using the truststore. From my understanding, we cannot use the Enterprise Extension, because the cert checking is based on SQL queries. We do not have a SQL database managing our devices.

This is why I am trying to build an authentication extension that verifies the device certificate thumbprint against our own system without using the HiveMQ truststore.

Here are my different approaches

  1. I can connect my device using X509 certs and examine the device certificate in my authentication extension. This works as long as I have stored the certificate in the truststore and configured the client-authentication-mode as REQUIRED. Unfortunately, this does not cover my use case because the certificate is stored in the truststore.

  2. When removing the device certificate from the truststore and leave the client-authentication-mode as REQUIRED/OPTIONAL, the client connection is refused without consulting the authentication extension. I would have expected that my extension is still consulted and makes the authentication decision, which is unfortunately not the case. The server logs

2022-04-13 18:26:20,228 ERROR - An unexpected error occurred for client with IP 192.168.1.42: io.netty.handler.codec.DecoderException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
  1. When removing the device certificate from the truststore and using client-authentication-mode NONE, my authentication extension is called, but without passing the certificate. My extension cannot make a decision. Here I would have expected that the extension is called with the client certificate for decision making.

I observe the same behavior for Simple and Enhanced Extensions.
Am I on the wrong path or is my use case not covered by the Authentication Extension SDK?

Matthias

p.s. here is my server config

<?xml version="1.0"?>
<hivemq>
    <listeners>
        <tcp-listener>
            <port>1883</port>
            <bind-address>0.0.0.0</bind-address>
        </tcp-listener>
        <tls-tcp-listener>
            <port>8883</port>
            <bind-address>0.0.0.0</bind-address>
            <tls>
                <!-- Enable specific TLS versions manually -->
                <protocols>
                    <protocol>TLSv1.2</protocol>
                </protocols>
                <keystore>
                    <path>conf/keystore.jks</path>
                    <password>...</password>
                    <private-key-password>...</private-key-password>
                </keystore>
                <truststore>
                    <path>conf/truststore.jks</path>
                    <password>...</password>
                </truststore>
                <client-authentication-mode>REQUIRED</client-authentication-mode>
            </tls>
        </tls-tcp-listener>
    </listeners>
    <anonymous-usage-statistics>
        <enabled>true</enabled>
    </anonymous-usage-statistics>
</hivemq>