I am looking at upgrading to the latest aws sdk for embedded-c and can't implement the openssl version, as my device only supports openssl-1.0.2. Looking at using mbedtls as the transport protocol on top of pkcs11, there are some differences which I am probably missing... This is part of the code we have used, which is also developed by the aws team for embedded-c:
#define ALPN_PROTOCOL_NAME "\x0ex-amzn-mqtt-ca"

MbedtlsPkcs11Status_t tlsStatus = MBEDTLS_PKCS11_SUCCESS;
MbedtlsPkcs11Credentials_t tlsCredentials = { 0 };
const char * alpn[] = { ALPN_PROTOCOL_NAME, NULL };

/* Set the pParams member of the network context with desired transport. */
pNetworkContext->pParams = &tlsContext;

/* Initialize credentials for establishing TLS session. */
tlsCredentials.pRootCaPath = rootCA;
tlsCredentials.pClientCertLabel = clientCRT;
tlsCredentials.pPrivateKeyLabel = clientKey;

pkcs11ret = xInitializePkcs11Session( &tlsCredentials.p11Session );
if( pkcs11ret != CKR_OK )
{
    LogError( ( "Failed to initialize PKCS #11." ) );
}

/* AWS IoT requires devices to send the Server Name Indication (SNI)
 * extension to the Transport Layer Security (TLS) protocol and provide
 * the complete endpoint address in the host_name field. Details about
 * SNI for AWS IoT can be found in the link below.
 * https://docs.aws.amazon.com/iot/latest/developerguide/transport-security.html
 */
tlsCredentials.disableSni = false;

uint16_t port = AWS_IOT_MQTT_PORT;
if( port == 443 )
{
    /* Pass the ALPN protocol name depending on the port being used.
     * Please see more details about the ALPN protocol for AWS IoT MQTT endpoint
     * in the link below.
     * https://aws.amazon.com/blogs/iot/mqtt-with-tls-client-authentication-on-port-443-why-it-is-useful-and-how-it-works/
     */
    tlsCredentials.pAlpnProtos = alpn;
}

bool status = false;
if( pkcs11ret != CKR_OK )
{
    LE_ERROR( "Failed to initialize PKCS #11." );
    status = false;
}
else
{
    printf( "===SUCCESSFULLY INITIALIZED PKCS #11.===" );
    /* Insert the claim credentials into the PKCS #11 module. */
    status = loadClaimCredentials( tlsCredentials.p11Session,
                                   clientCRT,
                                   pkcs11configLABEL_CLAIM_CERTIFICATE,
                                   clientKey,
                                   pkcs11configLABEL_CLAIM_PRIVATE_KEY );
    if( status == false )
    {
        printf( "Failed to provision PKCS #11 with claim credentials." );
    }
    else
    {
        printf( "===SUCCESSFULLY PROVISIONED PKCS #11.===" );
    }
}

/* Initialize reconnect attempts and interval. */
BackoffAlgorithm_InitializeParams( &reconnectParams,
                                   CONNECTION_RETRY_BACKOFF_BASE_MS,
                                   CONNECTION_RETRY_MAX_BACKOFF_DELAY_MS,
                                   CONNECTION_RETRY_MAX_ATTEMPTS );

do
{
    /* Establish a TLS session with the MQTT broker. This example connects
     * to the MQTT broker as specified in BROKER_ENDPOINT and BROKER_PORT at
     * the top of this file. */
    LE_INFO( "Establishing a TLS session to %.*s:%d.",
             BROKER_ENDPOINT_LENGTH,
             BROKER_ENDPOINT,
             AWS_IOT_MQTT_PORT );
    tlsStatus = Mbedtls_Pkcs11_Connect( pNetworkContext,
                                        BROKER_ENDPOINT,
                                        port,
                                        &tlsCredentials,
                                        TRANSPORT_SEND_RECV_TIMEOUT_MS );
}
This always fails due to invalid certificates, but I am using those already and they are all valid, so I am thinking this has something to do with the way we load the certificates into the handle "tlsCredentials.p11Session". I am probably missing something and not loading everything?
This is the log I get:
mqttClientAws.c connectToServerWithBackoffRetries() 654 | ===SUCCESSFULLY INITIALIZED PKCS #11.===
mqttClientAws[5879] | [DEBUG] [PKCS11] [core_pkcs11_mbedtls.c:483] Successfully found object class attribute.
mqttClientAws[5879] | [INFO] [PKCS11] [core_pkcs11_mbedtls.c:2823] Creating a 0x3 type object.
mqttClientAws[5879] | [DEBUG] [PKCS11] [core_pkcs11_mbedtls.c:2057] Successfully found the key type in the template.
mqttClientAws[5879] | [DEBUG] [PKCS11] [core_pkcs11_mbedtls.c:2086] Successfully found the label in the template.
mqttClientAws[5879] | [DEBUG] [PKCS11] [core_pkcs11_mbedtls.c:1259] Key was private type.
mqttClientAws[5879] | [DEBUG] [PKCS11] [core_pkcs11_mbedtls.c:1268] Received RSA key type.
mqttClientAws[5879] | [DEBUG] [PKCS11] [core_pkcs11_mbedtls.c:1288] Allocating a 1200 bytes sized buffer to write the key to.
mqttClientAws[5879] | [DEBUG] [PKCS11] [core_pkcs11_pal_utils.c:123] Converted Device Priv TLS Key to corePKCS11_Key.dat
mqttClientAws[5879] | Successfully wrote 1192 to corePKCS11_Key.dat[DEBUG] [PKCS11] [core_pkcs11_mbedtls.c:3352] Search parameters other than label are ignored.
mqttClientAws[5879] | [DEBUG] [PKCS11] [core_pkcs11_mbedtls.c:3446] Could not find the object handle in the list. Trying to search PKCS #11 PAL for object.
mqttClientAws[5879] | [DEBUG] [PKCS11] [core_pkcs11_pal_utils.c:123] Converted Device Cert to corePKCS11_Certificate.dat
mqttClientAws[5879] | [INFO] [PKCS11] [core_pkcs11_pal.c:63] Could not open corePKCS11_Certificate.dat for reading.
mqttClientAws[5879] | [ERROR] [PKCS11] [core_pkcs11.c:370] xFindObjectWithLabelAndClass ERROR CK_INVALID_HANDLE
mqttClientAws[5879] | [INFO] [FLEET_PROVISIONING_DEMO] [pkcs11_operations.c:770] Writing certificate into label "Device Cert".
mqttClientAws[5879] | [DEBUG] [PKCS11] [core_pkcs11_mbedtls.c:483] Successfully found object class attribute.
mqttClientAws[5879] | [INFO] [PKCS11] [core_pkcs11_mbedtls.c:2823] Creating a 0x1 type object.
mqttClientAws[5879] | [DEBUG] [PKCS11] [core_pkcs11_pal_utils.c:123] Converted Device Cert to corePKCS11_Certificate.dat
mqttClientAws[5879]/mqttClientAwsComponent T=main | mqttClientAws.c connectToServerWithBackoffRetries() 668 | ===SUCCESSFULLY PROVISIONED PKCS #11.===
mqttClientAws.c connectToServerWithBackoffRetries() 686 | Establishing a TLS session to axxxxxx-ats.iot.ap-southeast-2.amazonaws.com:443.
mqttClientAws[5879] | Successfully wrote 861 to corePKCS11_Certificate.dat[DEBUG] [PKCS11] [core_pkcs11_mbedtls.c:3352] Search parameters other than label are ignored.
mqttClientAws[5879] | [DEBUG] [PKCS11] [core_pkcs11_mbedtls.c:3352] Search parameters other than label are ignored.
mqttClientAws[5879] | [ERROR] [PKCS11] [core_pkcs11.c:370] xFindObjectWithLabelAndClass ERROR CK_INVALID_HANDLE
mqttClientAws[5879] | [ERROR] [Transport_MbedTLS_PKCS11] [mbedtls_pkcs11_posix.c:625] Function returned ERROR.
mqttClientAws[5879] | [ERROR] [Transport_MbedTLS_PKCS11] [mbedtls_pkcs11_posix.c:400] Failed to setup key handling by PKCS #11.
mqttClientAws[5879] | [WARN] [DEMO] [mqttClientAws.c:724] Connection to the broker failed. Retrying connection after 270 ms backoff.
Any help on this is very much appreciated.
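An added triage helper for reading a corePKCS11 debug log like the one above (editor's example, not code from the post or from the AWS SDK): it groups each xFindObjectWithLabelAndClass failure with the PAL events of the same search, so one can see which label, if any, was resolved to a backing file before the failure and whether that file had already been written. The sample lines are constructed from the shape of the post's log with the process prefix stripped, and the regular expressions assume the corePKCS11 message texts shown there.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample with the shape of the post's corePKCS11 lines (process prefix
# removed). The "Successfully wrote" line is fused with the next event, as in the post.
SAMPLE_LOG = """\
[DEBUG] [PKCS11] [core_pkcs11_pal_utils.c:123] Converted Device Priv TLS Key to corePKCS11_Key.dat
Successfully wrote 1192 to corePKCS11_Key.dat[DEBUG] [PKCS11] [core_pkcs11_mbedtls.c:3352] Search parameters other than label are ignored.
[DEBUG] [PKCS11] [core_pkcs11_pal_utils.c:123] Converted Device Cert to corePKCS11_Certificate.dat
[INFO] [PKCS11] [core_pkcs11_pal.c:63] Could not open corePKCS11_Certificate.dat for reading.
[ERROR] [PKCS11] [core_pkcs11.c:370] xFindObjectWithLabelAndClass ERROR CK_INVALID_HANDLE
[DEBUG] [PKCS11] [core_pkcs11_pal_utils.c:123] Converted Device Cert to corePKCS11_Certificate.dat
Successfully wrote 861 to corePKCS11_Certificate.dat[DEBUG] [PKCS11] [core_pkcs11_mbedtls.c:3352] Search parameters other than label are ignored.
[DEBUG] [PKCS11] [core_pkcs11_mbedtls.c:3352] Search parameters other than label are ignored.
[ERROR] [PKCS11] [core_pkcs11.c:370] xFindObjectWithLabelAndClass ERROR CK_INVALID_HANDLE
"""

CONVERTED = re.compile(r"Converted (.+?) to (\S+\.dat)")        # PAL mapped a label to a file
WROTE = re.compile(r"Successfully wrote (\d+) to (\S+\.dat)")   # object persisted to that file
SEARCH_START = re.compile(r"Search parameters other than label are ignored")  # new find
OPEN_FAILED = re.compile(r"Could not open (\S+\.dat) for reading")
FIND_FAILED = re.compile(r"xFindObjectWithLabelAndClass ERROR (\w+)")


@dataclass
class Failure:
    error: str
    label: Optional[str]       # label the PAL resolved during this search, if any
    filename: Optional[str]
    open_failed: bool          # the resolved file existed in name but could not be read
    written_before: bool       # that file had been written before this search began


def triage(log: str) -> List[Failure]:
    """Attach the label/file context of each search to the failure that ended it."""
    written: Set[str] = set()
    label: Optional[str] = None
    filename: Optional[str] = None
    open_failed = False
    failures: List[Failure] = []
    for line in log.splitlines():
        if m := WROTE.search(line):           # check before SEARCH_START: fused line
            written.add(m.group(2))
        if SEARCH_START.search(line):         # a new search: forget the previous context
            label = filename = None
            open_failed = False
        if m := CONVERTED.search(line):
            label, filename = m.group(1), m.group(2)
        if OPEN_FAILED.search(line):
            open_failed = True
        if m := FIND_FAILED.search(line):     # no Converted line => no label was resolved
            failures.append(Failure(m.group(1), label, filename, open_failed,
                                    filename is not None and filename in written))
    return failures
```

On the sample, the first failure carries the label "Device Cert" and a not-yet-written certificate file, while the second failure has no resolved label at all.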