Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove corePKCS11 usage from fleet provisioning demo #1912

Draft
wants to merge 8 commits into
base: main
Choose a base branch
from
Draft

Remove corePKCS11 usage from fleet provisioning demo #1912

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
5a8d398
Move PKCS#11 dependent demos
paulbartell Jun 7, 2024
0724a23
Remove corePKCS#11 and PKCS#11 demos
paulbartell Jun 10, 2024
8295ff1
Upgrade mbedtls to v3.6.0
paulbartell Jun 10, 2024
393ceeb
Add mbedtls_posix transport and fleet provisioning demo without PKCS#11
paulbartell Jun 10, 2024
a5ab29f
fix some bugs in demo and transport
paulbartell Jun 10, 2024
8a07a6f
Enable MBEDTLS_ECP_RESTARTABLE in mbedtls_config.h
paulbartell Jun 10, 2024
1e46ce5
Adjust timeouts
paulbartell Jun 14, 2024
a6df290
Add missing call to fclose
paulbartell Jun 14, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 0 additions & 4 deletions .gitmodules
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,6 @@
path = libraries/aws/device-defender-for-aws-iot-embedded-sdk
branch = main
url = https://github.com/aws/device-defender-for-aws-iot-embedded-sdk.git
[submodule "libraries/standard/corePKCS11"]
path = libraries/standard/corePKCS11
branch = main
url = https://github.com/FreeRTOS/corePKCS11.git
[submodule "libraries/standard/backoffAlgorithm"]
path = libraries/standard/backoffAlgorithm
branch = main
Expand Down
33 changes: 7 additions & 26 deletions ...leet_provisioning_with_csr/CMakeLists.txt → ...ing/fleet_provisioning_csr/CMakeLists.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,17 +10,6 @@ include( ${CMAKE_SOURCE_DIR}/libraries/standard/backoffAlgorithm/backoffAlgorith
include(
${CMAKE_SOURCE_DIR}/libraries/aws/fleet-provisioning-for-aws-iot-embedded-sdk/fleetprovisioningFilePaths.cmake )

# Set path to corePKCS11 and it's third party libraries.
set(COREPKCS11_LOCATION "${CMAKE_SOURCE_DIR}/libraries/standard/corePKCS11")
set(CORE_PKCS11_3RDPARTY_LOCATION "${COREPKCS11_LOCATION}/source/dependency/3rdparty")

# Include PKCS #11 library's source and header path variables.
include( ${COREPKCS11_LOCATION}/pkcsFilePaths.cmake )

list(APPEND PKCS_SOURCES
"${CORE_PKCS11_3RDPARTY_LOCATION}/mbedtls_utils/mbedtls_utils.c"
)

# CPP files are searched for supporting CI build checks that verify C++ linkage of the Fleet Provisioning library
file( GLOB DEMO_SRCS "*.c*" )

Expand All @@ -30,35 +19,25 @@ add_executable( ${DEMO_NAME}
${MQTT_SOURCES}
${MQTT_SERIALIZER_SOURCES}
${BACKOFF_ALGORITHM_SOURCES}
${PKCS_SOURCES}
${PKCS_PAL_POSIX_SOURCES}
${FLEET_PROVISIONING_SOURCES} )

target_link_libraries( ${DEMO_NAME} PRIVATE
tinycbor
mbedtls
clock_posix
transport_mbedtls_pkcs11_posix )
transport_mbedtls_posix )

target_include_directories( ${DEMO_NAME}
PUBLIC
${LOGGING_INCLUDE_DIRS}
${MQTT_INCLUDE_PUBLIC_DIRS}
${BACKOFF_ALGORITHM_INCLUDE_PUBLIC_DIRS}
${PKCS_INCLUDE_PUBLIC_DIRS}
${PKCS_PAL_INCLUDE_PUBLIC_DIRS}
${AWS_DEMO_INCLUDE_DIRS}
"${FLEET_PROVISIONING_INCLUDE_PUBLIC_DIRS}"
"${DEMOS_DIR}/pkcs11/common/include" # corePKCS11 config
"${CMAKE_SOURCE_DIR}/platform/include"
"${CMAKE_CURRENT_LIST_DIR}"
PRIVATE
"${CORE_PKCS11_3RDPARTY_LOCATION}/mbedtls_utils" )
${FLEET_PROVISIONING_INCLUDE_PUBLIC_DIRS}
${CMAKE_SOURCE_DIR}/platform/include
${CMAKE_CURRENT_LIST_DIR} )

set_macro_definitions(TARGETS ${DEMO_NAME}
OPTIONAL
"DOWNLOADED_CERT_WRITE_PATH"
"GENERATED_PRIVATE_KEY_WRITE_PATH"
REQUIRED
"AWS_IOT_ENDPOINT"
"ROOT_CA_CERT_PATH"
Expand All @@ -70,4 +49,6 @@ set_macro_definitions(TARGETS ${DEMO_NAME}
"CLIENT_IDENTIFIER"
"OS_NAME"
"OS_VERSION"
"HARDWARE_PLATFORM_NAME")
"HARDWARE_PLATFORM_NAME"
"CLIENT_PRIVATE_KEY_PATH"
"CLIENT_CERT_PATH")
0 ...provisioning_keys_cert/core_mqtt_config.h → ...fleet_provisioning_csr/core_mqtt_config.h
View file
Open in desktop
File renamed without changes.
0 ...fleet_provisioning_with_csr/demo_config.h → ...ning/fleet_provisioning_csr/demo_config.h
View file
Open in desktop
File renamed without changes.
0 ...ioning_with_csr/example_claim_policy.json → ...rovisioning_csr/example_claim_policy.json
View file
Open in desktop
File renamed without changes.
0 ...ning_keys_cert/example_demo_template.json → ...ovisioning_csr/example_demo_template.json
View file
Open in desktop
File renamed without changes.
0 ...ing_keys_cert/fleet_provisioning_config.h → ...visioning_csr/fleet_provisioning_config.h
View file
Open in desktop
File renamed without changes.
0 ..._with_csr/fleet_provisioning_serializer.c → ...oning_csr/fleet_provisioning_serializer.c
View file
Open in desktop
File renamed without changes.
0 ..._with_csr/fleet_provisioning_serializer.h → ...oning_csr/fleet_provisioning_serializer.h
View file
Open in desktop
File renamed without changes.
154 changes: 56 additions & 98 deletions ...th_csr/fleet_provisioning_with_csr_demo.c → ...ng_csr/fleet_provisioning_with_csr_demo.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,24 +58,16 @@
#include <unistd.h>
#include <errno.h>

#if defined( DOWNLOADED_CERT_WRITE_PATH )
#include <fcntl.h>
#endif // DOWNLOADED_CERT_WRITE_PATH

/* Demo config. */
#include "demo_config.h"

/* corePKCS11 includes. */
#include "core_pkcs11.h"
#include "core_pkcs11_config.h"

/* AWS IoT Fleet Provisioning Library. */
#include "fleet_provisioning.h"

/* Demo includes. */
#include "mqtt_operations.h"
#include "pkcs11_operations.h"
#include "fleet_provisioning_serializer.h"
#include "mbedtls_posix.h"

/**
* These configurations are required. Throw compilation error if it is not
Expand Down Expand Up @@ -483,71 +475,44 @@ int main( int argc,
char ownershipToken[ OWNERSHIP_TOKEN_BUFFER_LENGTH ];
size_t ownershipTokenLength;
bool connectionEstablished = false;
CK_SESSION_HANDLE p11Session;
int demoRunCount = 0;
CK_RV pkcs11ret = CKR_OK;

/* Silence compiler warnings about unused variables. */
( void ) argc;
( void ) argv;

psa_crypto_init();

do
{
/* Initialize the buffer lengths to their max lengths. */
certificateLength = CERT_BUFFER_LENGTH;
certificateIdLength = CERT_ID_BUFFER_LENGTH;
ownershipTokenLength = OWNERSHIP_TOKEN_BUFFER_LENGTH;

/* Initialize the PKCS #11 module */
pkcs11ret = xInitializePkcs11Session( &p11Session );

if( pkcs11ret != CKR_OK )
{
LogError( ( "Failed to initialize PKCS #11." ) );
status = false;
}
else
{
/* Insert the claim credentials into the PKCS #11 module */
status = loadClaimCredentials( p11Session,
CLAIM_CERT_PATH,
pkcs11configLABEL_CLAIM_CERTIFICATE,
CLAIM_PRIVATE_KEY_PATH,
pkcs11configLABEL_CLAIM_PRIVATE_KEY );

if( status == false )
{
LogError( ( "Failed to provision PKCS #11 with claim credentials." ) );
}
}

/**** Connect to AWS IoT Core with provisioning claim credentials *****/

/* We first use the claim credentials to connect to the broker. These
* credentials should allow use of the RegisterThing API and one of the
* CreateCertificatefromCsr or CreateKeysAndCertificate.
* In this demo we use CreateCertificatefromCsr. */

if( status == true )
{
/* Attempts to connect to the AWS IoT MQTT broker. If the
* connection fails, retries after a timeout. Timeout value will
* exponentially increase until maximum attempts are reached. */
LogInfo( ( "Establishing MQTT session with claim certificate..." ) );
status = EstablishMqttSession( provisioningPublishCallback,
p11Session,
pkcs11configLABEL_CLAIM_CERTIFICATE,
pkcs11configLABEL_CLAIM_PRIVATE_KEY );
/* Attempts to connect to the AWS IoT MQTT broker. If the
* connection fails, retries after a timeout. Timeout value will
* exponentially increase until maximum attempts are reached. */
LogInfo( ( "Establishing MQTT session with claim certificate..." ) );
status = EstablishMqttSession( provisioningPublishCallback,
CLAIM_CERT_PATH,
CLAIM_PRIVATE_KEY_PATH );

if( status == false )
{
LogError( ( "Failed to establish MQTT session." ) );
}
else
{
LogInfo( ( "Established connection with claim credentials." ) );
connectionEstablished = true;
}
if( status == false )
{
LogError( ( "Failed to establish MQTT session." ) );
}
else
{
LogInfo( ( "Established connection with claim credentials." ) );
connectionEstablished = true;
}

/**** Call the CreateCertificateFromCsr API ***************************/
Expand All @@ -565,13 +530,22 @@ int main( int argc,

if( status == true )
{
/* Create a new key and CSR. */
status = generateKeyAndCsr( p11Session,
pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS,
pkcs11configLABEL_DEVICE_PUBLIC_KEY_FOR_TLS,
csr,
CSR_BUFFER_LENGTH,
&csrLength );
if( Mbedtls_GenerateECKey( CLIENT_PRIVATE_KEY_PATH ) != MBEDTLS_SUCCESS )
{
status = false;
}
}

if( status == true )
{
if( Mbedtls_GenerateCSR( CLIENT_PRIVATE_KEY_PATH, csr, CSR_BUFFER_LENGTH ) != MBEDTLS_SUCCESS )
{
status = false;
}
else
{
csrLength = strnlen( csr, CSR_BUFFER_LENGTH );
}
}

if( status == true )
Expand Down Expand Up @@ -628,11 +602,26 @@ int main( int argc,

if( status == true )
{
/* Save the certificate into PKCS #11. */
status = loadCertificate( p11Session,
certificate,
pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS,
certificateLength );
FILE * pFile = fopen(CLIENT_CERT_PATH, "w");

if( pFile == NULL )
{
status = false;
}
else
{
size_t bytesWritten = fwrite( certificate, 1, certificateLength, pFile );
if( bytesWritten != certificateLength )
{
status = false;
LogError( ( "Failed to write device certificate to file %s.", CLIENT_CERT_PATH ) );
}
else
{
LogInfo( ( "Wrote client certificate to path: %s, length: %lu", CLIENT_CERT_PATH, ( unsigned long ) certificateLength ) );
}
fclose( pFile );
}
}

if( status == true )
Expand Down Expand Up @@ -725,9 +714,8 @@ int main( int argc,
{
LogInfo( ( "Establishing MQTT session with provisioned certificate..." ) );
status = EstablishMqttSession( provisioningPublishCallback,
p11Session,
pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS,
pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS );
CLIENT_CERT_PATH,
CLIENT_PRIVATE_KEY_PATH );

if( status != true )
{
Expand All @@ -752,8 +740,6 @@ int main( int argc,
connectionEstablished = false;
}

pkcs11CloseSession( p11Session );

/**** Retry in case of failure ****************************************/

/* Increment the demo run count. */
Expand Down Expand Up @@ -781,34 +767,6 @@ int main( int argc,
if( status == true )
{
LogInfo( ( "Demo completed successfully." ) );

#if defined( DOWNLOADED_CERT_WRITE_PATH )
{
int fd = open( DOWNLOADED_CERT_WRITE_PATH, O_CREAT | O_WRONLY | O_TRUNC, S_IRUSR | S_IWUSR );

if( -1 != fd )
{
const ssize_t writtenBytes = write( fd, certificate, certificateLength );

if( writtenBytes == certificateLength )
{
LogInfo( ( "Written %s successfully.", DOWNLOADED_CERT_WRITE_PATH ) );
}
else
{
LogError( ( "Could not write to %s. Error: %s.", DOWNLOADED_CERT_WRITE_PATH, strerror( errno ) ) );
}

close( fd );
}
else
{
LogError( ( "Could not open %s. Error: %s.", DOWNLOADED_CERT_WRITE_PATH, strerror( errno ) ) );
}
}
#else /* if defined( DOWNLOADED_CERT_WRITE_PATH ) */
LogInfo( ( "NOTE: define DOWNLOADED_CERT_WRITE_PATH in order to have the certificate written to disk." ) );
#endif // DOWNLOADED_CERT_WRITE_PATH
}

return ( status == true ) ? EXIT_SUCCESS : EXIT_FAILURE;
Expand Down
Loading
Loading