MQTT over TLS with X.509 certificate
16. 11. 10 4:04 PM

Dear community,

currently I am trying to connect the XDK to a MQTT Broker over TLS. I used the MQTT Paho example (or here) and it works fine when I don't use the TLS connection.

My plan is that the XDK should connect to the MQTT Broker like this:

  1. The MQTT Broker issues an X.509 certificate and private key for my XDK
  2. I put the X.509 certificate and private key on the SD card of my XDK
  3. I connect the XDK using MQTT over TLS to the MQTT Broker with the stored certificate
  4. I send MQTT messages to the Broker

The problem is that it doesn't seem to work this way. I quickly found the function in the MQTT Paho example that allows me to connect via TLS in the file mqttXDK.c:

int TLSConnectNetwork(Network *n, char* addr, int port, SlSockSecureFiles_t* certificates, unsigned char sec_method, unsigned int cipher, char server_verify)

The important type here is SlSockSecureFiles_t that comes from socket.h in the Wifi module of the SDK. I read a lot about that and the best is this wiki entry from Texas Instruments that describes how to use the TLS functionalities of socket.h. As it describes, it is necessary to use a tool called "Uniflash" from Texas Instruments to flash the certificate onto the XDK as part of the firmware. Once this is done I could use it like that:

SlSockSecureFiles_t sockSecureFiles;
sockSecureFiles.secureFiles[0] = "/cert/privateKey.key";  // private key, 0 = file does not exist
sockSecureFiles.secureFiles[1] = "/cert/certifacte.cer";  // client certificate, 0 = file does not exist
sockSecureFiles.secureFiles[2] = 0;  // CA, 0 = file does not exist - I could put the server CA here to validate it as well
sockSecureFiles.secureFiles[3] = 0;  // DH parameter file, 0 = file does not exist

// the function takes a pointer to the struct, so pass its address
TLSConnectNetwork(&network, MQTT_BROKER_NAME, MQTT_PORT, &sockSecureFiles, SL_SO_SEC_METHOD_TLSV1_2, SL_SEC_MASK_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, -453);

But this is not what I want; I need a way to put it on the SD card and read it from there. So I asked around and got the advice to look at the WiFiHostPgm.c file from here. In this software the certificate is flashed at runtime into the Wifi module of the XDK so that an Enterprise Network can be used (function UploadCertificate()). The certificate for that is stored in a dummyCertificate.h file and can be replaced programmatically.
I could try to use this logic as well; I would first need to read both certificates from the SD card, flash them into Wifi module, restart the Wifi module and then proceed with my normal initialization... No flashing of certificates with some extra software required.

But there are some questions I have in mind, since I haven't implemented the certificate flashing at runtime yet and I appreciate any help on this.

  1. Why does the WifiHostPgm.c file flash the Wifi module with a different firmware first? Is that required, or could I flash the certificates right away?
  2. Can anybody think of an easier way to achieve what I want without that much effort?
  3. Does Uniflash work with the XDK? I could try to flash the certificates once to test if the MQTT connection works with flashed certificates before I invest time into implementing the certificate flashing at runtime.
  4. Do you think I will run into firmware / RAM size problems when I do all that? It's kind of a big stack I am planning to implement here: MQTT, SD card reading, runtime flashing, certificates in firmware, TLS etc. I am not familiar with embedded programming, but it sounds kind of huge for such small hardware... Do you guys with more experience think this will work?

I'm thankful for any help,

Fabian

0 (0 votes)
RE: MQTT over TLS with X.509 certificate
16. 11. 11 4:50 PM as a reply to Fabian Schürer.

Hello Fabian,

we are glad to hear that you want to use the XDK for your application.

Unfortunately, this is a complex issue related to implementation details of the Texas Instruments API.

I forwarded the issues to the second level and I’ll try to contact the developer of the host programming tool to help us clarify anything that is unclear.

So for now, the only thing I can do is ask you for patience.

Kind regards,
Manuel

0 (0 votes)
RE: MQTT over TLS with X.509 certificate
16. 11. 17 2:38 PM as a reply to Manuel Cerny.

Hi Manuel,

thanks for your reply and your contact to Texas Instruments. I would like to give you an update on how I progressed on this and where I still have issues.

I combined the MQTT paho project and the Enterprise Network Connection project into a new one which one can find here. So I am able to do the following right now:

  1. Flash my certificates (private key, certificate and server's certificate) into the Wifi module
  2. Set the certificates as socket options
  3. Create secure socket

What fails right now is the connection of the secure socket, since it gives me error -457 ("error secure level bad Certificate file") or -458 ("error secure level bad private file"). To flash my certificates I did the following:

  • Received my certificates from the MQTT Service I will work with as PEM certificates (and the private key as .key)
  • I converted the PEM files to DER using the commands from this Texas Instruments wiki:
#for the certificates (CA and my certificate)
openssl x509 -in <input.crt> -inform PEM -out <output.der> -outform DER

#for my private key
openssl rsa -in input.key -inform PEM -out outputkey.der -outform DER
  • Since I don't have the SD reading code yet I just put the binary into a C header file hard-coded so that I can flash it. That looks like this:
unsigned char private_key_der2[] = {
    0x30, 0x82, 0x04, 0xA2, 0x02, 0x01, 0x00,
    0x02, 0x82, 0x01, 0x01, 0x00, 0xB7, 0x37
    /*goes on ... */
};
  • With the code of the Enterprise Network Connection project I flash it into the Wifi module with some filename "/cert/privatekey.der"
    _i32 retVal;
    _i32 writeErr = 0;
    _i32 fileHandle = 0;
    _u32 token = 0;
    _u32 movingOffset = 0;
    _u32 remainingLen = sizeof(cert);                      /* total length of the DER blob */
    _u32 chunkLen = (_u32) find_min(CHUNK_LEN, remainingLen);

    retVal = sl_FsOpen((_u8 *) file_name_cert,
                       FS_MODE_OPEN_WRITE,
                       &token, &fileHandle);
    /* some extra code here that changes the mode to FS_MODE_OPEN_CREATE when the file already exists */

    /* write the blob in CHUNK_LEN sized pieces; stop at the first failed write */
    do
    {
        retVal = sl_FsWrite(fileHandle, movingOffset, (_u8 *) &cert[movingOffset], chunkLen);
        if (retVal < 0)
        {
            writeErr = retVal;   /* negative return = SimpleLink error code */
            break;
        }

        remainingLen -= chunkLen;
        movingOffset += chunkLen;
        chunkLen = (_u32) find_min(CHUNK_LEN, remainingLen);
    } while (chunkLen > 0);

    retVal = sl_FsClose(fileHandle, 0, 0, 0);
    if (writeErr < 0)
    {
        retVal = writeErr;       /* report the write failure, not the close result */
    }

    /* restart the network processor so it picks up the new file */
    sl_Stop(0xFF);
    sl_Start(0, 0, 0);

  • Then I use the MQTT paho project to create the TLS network. But I noticed that using
    SlSockSecureFiles_t
    Is not the best way to set the path to the certificates, that's why I am now using
    retVal = sl_SetSockOpt(n->my_socket, SL_SOL_SOCKET, SL_SO_SECURE_FILES_CERTIFICATE_FILE_NAME, certificate_filename, strlen(certificate_filename));

    to set my certificate, the private key and the server's certificate each as socket option.

So if you could include that additional information in your communication with Texas Instruments or with the developer who implemented the host programming tool, I would be glad. If anyone else in the Community has an idea what could be the problem, please contact me.

Cheers,

Fabian

0 (0 votes)
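Before flashing blobs like private_key_der2[] into the Wifi module, it is worth checking that each buffer really is a complete DER object of the kind the socket option expects. The following is an added example for this thread, not code from the XDK SDK, the TI host driver, or Fabian's project: it parses the outer DER framing, rejects PEM text, truncated buffers and trailing bytes, and classifies the blob by the shape of its first two elements (PKCS#1 RSAPrivateKey, PKCS#8 PrivateKeyInfo, or a Certificate-shaped SEQUENCE). The sample inputs are constructed for the example; only the 14-byte prefix is taken from the post above, and because the post's array is cut off there, that prefix is reported as truncated. The check is a framing check only; it does not validate the key or certificate contents.

```c
/*
 * Added example (not part of the original post or the XDK SDK): sanity-check a
 * DER blob before writing it into the Wifi module's file system.
 * Function and type names below are chosen for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum der_kind {
    DER_PEM,            /* still PEM text, i.e. not converted with openssl ... -outform DER */
    DER_MALFORMED,      /* not an outer SEQUENCE, or a bad/indefinite length encoding */
    DER_TRUNCATED,      /* outer length claims more bytes than the buffer holds */
    DER_TRAILING,       /* extra bytes after the outer SEQUENCE */
    DER_RSA_PKCS1_KEY,  /* SEQUENCE { INTEGER version, INTEGER n, ... }      RSAPrivateKey */
    DER_PKCS8_KEY,      /* SEQUENCE { INTEGER version, SEQUENCE algId, ... } PrivateKeyInfo */
    DER_CERT_LIKE,      /* SEQUENCE { SEQUENCE tbsCertificate, ... } */
    DER_UNKNOWN
};

/* Parse one tag + length header. Returns the header size in bytes, or 0 on error. */
static size_t der_header(const uint8_t *p, size_t avail, uint8_t *tag, size_t *len)
{
    if (avail < 2) return 0;
    *tag = p[0];
    uint8_t l = p[1];
    if (l < 0x80) { *len = l; return 2; }           /* short form */
    if (l == 0x80) return 0;                        /* indefinite length: BER only, never DER */
    size_t n = l & 0x7F;                            /* long form: n following length bytes */
    if (n == 0 || n > sizeof(size_t) || avail < 2 + n) return 0;
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | p[2 + i];
    if (n == 1 && v < 0x80) return 0;               /* DER requires the minimal encoding */
    *len = v;
    return 2 + n;
}

enum der_kind der_classify(const uint8_t *buf, size_t buflen)
{
    if (buflen >= 10 && memcmp(buf, "-----BEGIN", 10) == 0) return DER_PEM;

    uint8_t tag; size_t len;
    size_t hdr = der_header(buf, buflen, &tag, &len);
    if (hdr == 0 || tag != 0x30) return DER_MALFORMED;   /* outer element must be a SEQUENCE */
    if (len > buflen - hdr) return DER_TRUNCATED;
    if (len < buflen - hdr) return DER_TRAILING;

    /* First child: SEQUENCE means certificate-shaped, INTEGER means a key's version field. */
    const uint8_t *p = buf + hdr;
    size_t avail = len;
    uint8_t t1; size_t l1;
    size_t h1 = der_header(p, avail, &t1, &l1);
    if (h1 == 0 || l1 > avail - h1) return DER_MALFORMED;
    if (t1 == 0x30) return DER_CERT_LIKE;
    if (t1 != 0x02) return DER_UNKNOWN;

    /* Second child decides PKCS#1 (INTEGER modulus) vs PKCS#8 (SEQUENCE AlgorithmIdentifier). */
    p += h1 + l1; avail -= h1 + l1;
    uint8_t t2; size_t l2;
    size_t h2 = der_header(p, avail, &t2, &l2);
    if (h2 == 0 || l2 > avail - h2) return DER_MALFORMED;
    if (t2 == 0x02) return DER_RSA_PKCS1_KEY;
    if (t2 == 0x30) return DER_PKCS8_KEY;
    return DER_UNKNOWN;
}

const char *der_kind_name(enum der_kind k)
{
    static const char *names[] = { "PEM text", "malformed", "truncated", "trailing bytes",
                                   "PKCS#1 RSA private key", "PKCS#8 private key",
                                   "certificate-shaped", "unknown" };
    return names[k];
}

/* Constructed sample blobs: DER shapes only, not real keys or certificates. */
static const uint8_t sample_pkcs1[]     = { 0x30,0x0B, 0x02,0x01,0x00, 0x02,0x03,0x01,0x00,0x01, 0x02,0x01,0x03 };
static const uint8_t sample_pkcs8[]     = { 0x30,0x0E, 0x02,0x01,0x00, 0x30,0x05,0x06,0x03,0x2A,0x03,0x04, 0x04,0x02,0xAA,0xBB };
static const uint8_t sample_cert[]      = { 0x30,0x07, 0x30,0x03,0x02,0x01,0x02, 0x05,0x00 };
static const uint8_t sample_trailing[]  = { 0x30,0x0B, 0x02,0x01,0x00, 0x02,0x03,0x01,0x00,0x01, 0x02,0x01,0x03, 0x00 };
static const uint8_t sample_indefinite[] = { 0x30,0x80, 0x00,0x00 };
/* First 14 bytes of private_key_der2[] from the post: the header announces 0x04A2 content bytes. */
static const uint8_t sample_truncated[] = { 0x30,0x82,0x04,0xA2, 0x02,0x01,0x00, 0x02,0x82,0x01,0x01,0x00,0xB7,0x37 };
static const char    sample_pem[]       = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n";

int main(void)
{
    printf("pkcs1:      %s\n", der_kind_name(der_classify(sample_pkcs1, sizeof sample_pkcs1)));
    printf("pkcs8:      %s\n", der_kind_name(der_classify(sample_pkcs8, sizeof sample_pkcs8)));
    printf("cert:       %s\n", der_kind_name(der_classify(sample_cert, sizeof sample_cert)));
    printf("trailing:   %s\n", der_kind_name(der_classify(sample_trailing, sizeof sample_trailing)));
    printf("indefinite: %s\n", der_kind_name(der_classify(sample_indefinite, sizeof sample_indefinite)));
    printf("post bytes: %s\n", der_kind_name(der_classify(sample_truncated, sizeof sample_truncated)));
    printf("pem:        %s\n", der_kind_name(der_classify((const uint8_t *) sample_pem, sizeof sample_pem - 1)));
    return 0;
}
```

Running der_classify over each buffer before the sl_FsWrite loop catches the two mistakes that are easiest to make here: flashing the PEM file instead of the DER output of openssl, and flashing a hard-coded array that was pasted incompletely. Which key container (PKCS#1 vs PKCS#8) the Wifi module accepts is not stated in this thread; the classifier only tells you which one you have.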
RE: MQTT over TLS with X.509 certificate
16. 11. 18 11:19 AM as a reply to Fabian Schürer.

Hello Fabian,

it is great to see that you are making progress.
Maybe my reply was a little bit unclear last time. Let me clarify:

Unfortunately I don't have any contact person at Texas Instruments, only the developer of the host programming tool.

I will keep you posted in this thread as soon as I get more information.

Meanwhile, it would be really great if you would let us know if you forge ahead with this issue.

Kind regards,
Manuel

0 (0 votes)
RE: MQTT over TLS with X.509 certificate
16. 12. 16 5:33 PM as a reply to Manuel Cerny.

Hi Fabian,

In advance I can reply to one of your mentioned issues:

The XDK is not accessible via Uniflash.

Further the development team would like to analyse the complete TLS code to help you making some progress.

In order to share the project files I would ask you to post your email address that I can contact you.

Kind regards,
Manuel

0 (0 votes)
RE: MQTT over TLS with X.509 certificate
16. 12. 19 10:32 AM as a reply to Manuel Cerny.

Hi Manuel,

thanks for your reply. My E-Mail is fabian.schuerer@bosch-si.com .

Regards,

Fabian

0 (0 votes)
RE: MQTT over TLS with X.509 certificate
16. 12. 19 12:58 PM as a reply to Fabian Schürer.

Hello Fabian,

Thank you for providing your E-mail address.

I will keep everybody posted about this topic in this thread.

- Manuel 

0 (0 votes)
RE: MQTT over TLS with X.509 certificate
17. 4. 24 3:00 PM as a reply to Manuel Cerny.

Hi Manuel,

Does the XDK support HTTPS?

Urgent question, please answer asap.

Regards

Peter

0 (0 votes)
RE: MQTT over TLS with X.509 certificate
17. 4. 24 8:36 PM as a reply to yuexiang yang.

Hello Yuexiang,

I have answered your question in your other thread Does XDK support HTTPS.

Kind regards,
Franjo

0 (0 votes)