Add Support for Self-Signed X509 Certificates - RSA Only (#159)

Add support support for self-signed x509 certificates. Only RSA encryption supported at this time. Not tested with CA-signed certs.

Co-authored-by: Spencer McDonough <[email protected]>

Author: smcd253

.github/workflows/ATSAME54-XPRO.yml

@@ -38,7 +38,6 @@ jobs:
 
       - name: Install Ninja
         uses: seanmiddleditch/gha-setup-ninja@v3
-
       - name: Build project
         run: |
           cmake -Bbuild -GNinja -DCMAKE_TOOLCHAIN_FILE="../../cmake/arm-gcc-cortex-m4.cmake" 

MXChip/AZ3166/AZ3166.code-workspace

@@ -2,6 +2,9 @@
 	"folders": [
         {
             "path": "."
+        },
+        {
+            "path": "..\\.."
         }
     ],
     "settings": {

MXChip/AZ3166/app/azure_config.h

@@ -21,25 +21,52 @@ typedef enum
 
 // ----------------------------------------------------------------------------
 // Azure IoT Hub Connection Transport
-// Define to use the legacy MQTT connection, else Azure RTOS SDK for Azure IoT
+//    Define to use the legacy MQTT connection, else Azure RTOS SDK for Azure IoT
 // ----------------------------------------------------------------------------
 //#define ENABLE_LEGACY_MQTT
 
 // ----------------------------------------------------------------------------
 // Azure IoT Dynamic Provisioning Service
-// Define this to use the DPS service, otherwise direct IoT Hub
+//    Define this to use the DPS service, otherwise direct IoT Hub
 // ----------------------------------------------------------------------------
-//#define ENABLE_DPS
+// #define ENABLE_DPS
 
 // ----------------------------------------------------------------------------
-// Azure IoT Hub config
+// Azure IoT DPS Self-Signed X509Certificate
+//    Define this to connect to DPS or Iot Hub using a self-signed X509 
+///   certificate
+// ----------------------------------------------------------------------------
+// #define ENABLE_X509
+
+// ----------------------------------------------------------------------------
+// Azure IoT Device ID
+//    Make sure this is the same as the Device ID on the corresponding IoT Hub
+//    NOTE: To be used only when ENABLE_DPS is NOT defined
 // ----------------------------------------------------------------------------
-#define IOT_HUB_HOSTNAME ""
 #define IOT_DEVICE_ID    ""
+
+// ----------------------------------------------------------------------------
+// Azure IoT SAS Key
+//    The SAS key generated by configuring an IoT Hub device or DPS individual
+//    enrollment
+//    NOTE: To be used only when ENABLE_X509 is not defined
+// ----------------------------------------------------------------------------
 #define IOT_PRIMARY_KEY  ""
 
+// ----------------------------------------------------------------------------
+// Azure IoT Hub Hostname
+//    The Hostname found on your IoT Hub Overview page
+//    NOTE: To be used only when ENABLE_DPS is not defined
+// ----------------------------------------------------------------------------
+#define IOT_HUB_HOSTNAME ""
+
 // ----------------------------------------------------------------------------
 // Azure IoT DPS config
+//    DPS connection information
+//    IOT_DPS_ENDPOINT is always "global.azure-devices-provisioning.net"
+//    IOT_DPS_ID_SCOPE can be found on your DPS Overview page
+//    IOT_DPS_REGISTRATION ID is the title of your individual enrollment
+//    containing your SAS key or X509 certificate
 // ----------------------------------------------------------------------------
 #define IOT_DPS_ENDPOINT        "global.azure-devices-provisioning.net"
 #define IOT_DPS_ID_SCOPE        ""

MXChip/AZ3166/app/azure_device_x509_cert_config.h

@@ -0,0 +1,18 @@
+#ifndef _AZURE_DEVICE_X509_CERT_CONFIG_H
+#define _AZURE_DEVICE_X509_CERT_CONFIG_H
+
+// ----------------------------------------------------------------------------
+// Azure IoT X509 Device Certificate
+// Replace {0x00} with your formatted output from OpenSSL and xxd here
+// ----------------------------------------------------------------------------
+const unsigned char iot_x509_device_cert[] = {0x00};
+unsigned int iot_x509_device_cert_len = sizeof(iot_x509_device_cert);
+
+// ----------------------------------------------------------------------------
+// Azure IoT X509 Device Private Key
+// Replace {0x00} with your formatted output from OpenSSL and xxd here
+// ----------------------------------------------------------------------------
+unsigned char iot_x509_private_key[] = {0x00};
+const unsigned int iot_x509_private_key_len = sizeof(iot_x509_private_key);
+
+#endif

MXChip/AZ3166/app/nx_client.c

@@ -18,6 +18,9 @@
 #include "nx_azure_iot_pnp_helpers.h"
 
 #include "azure_config.h"
+#include "azure_device_x509_cert_config.h"
+
+#define IOT_MODEL_ID                "dtmi:com:example:azurertos:gsg;1"
 #include "azure_pnp_info.h"
 
 #define IOT_MODEL_ID "dtmi:azurertos:devkit:gsgmxchip;1"
@@ -334,6 +337,22 @@ UINT azure_iot_nx_client_entry(
     }
 
 #ifdef ENABLE_DPS
+#   ifdef ENABLE_X509
+    status = azure_iot_nx_client_dps_create(&azure_iot_nx_client,
+        ip_ptr,
+        pool_ptr,
+        dns_ptr,
+        unix_time_callback,
+        IOT_DPS_ENDPOINT,
+        IOT_DPS_ID_SCOPE,
+        IOT_DPS_REGISTRATION_ID,
+        "",
+        (UCHAR*)iot_x509_device_cert,
+        iot_x509_device_cert_len,
+        (UCHAR*)iot_x509_private_key,
+        iot_x509_private_key_len,
+        IOT_MODEL_ID);
+#   else
     status = azure_iot_nx_client_dps_create(&azure_iot_nx_client,
         ip_ptr,
         pool_ptr,
@@ -343,8 +362,28 @@ UINT azure_iot_nx_client_entry(
         IOT_DPS_ID_SCOPE,
         IOT_DPS_REGISTRATION_ID,
         IOT_PRIMARY_KEY,
+        NULL,
+        0,
+        NULL,
+        0,
         IOT_MODEL_ID);
+#   endif
 #else
+#   ifdef ENABLE_X509
+    status = azure_iot_nx_client_create(&azure_iot_nx_client,
+        ip_ptr,
+        pool_ptr,
+        dns_ptr,
+        unix_time_callback,
+        IOT_HUB_HOSTNAME,
+        IOT_DEVICE_ID,
+        "",
+        (UCHAR*)iot_x509_device_cert,
+        iot_x509_device_cert_len,
+        (UCHAR*)iot_x509_private_key,
+        iot_x509_private_key_len,
+        IOT_MODEL_ID);
+#   else
     status = azure_iot_nx_client_create(&azure_iot_nx_client,
         ip_ptr,
         pool_ptr,
@@ -353,7 +392,12 @@ UINT azure_iot_nx_client_entry(
         IOT_HUB_HOSTNAME,
         IOT_DEVICE_ID,
         IOT_PRIMARY_KEY,
+        NULL,
+        0,
+        NULL,
+        0,
         IOT_MODEL_ID);
+#   endif
 #endif
     if (status != NX_SUCCESS)
     {

Microchip/ATSAME54-XPRO/app/azure_config.h

@@ -8,32 +8,64 @@
 // 0 - BME280 sensor is not present
 // 1 - BME280 sensor is present
 // ----------------------------------------------------------------------------
-#define __SENSOR_BME280__ 1
+#define __SENSOR_BME280__ 0
 
 // ----------------------------------------------------------------------------
 // Azure IoT Hub Connection Transport
-// Define to use the legacy MQTT connection, else Azure RTOS SDK for Azure IoT
+//    Define to use the legacy MQTT connection, else Azure RTOS SDK for Azure IoT
 // ----------------------------------------------------------------------------
 //#define ENABLE_LEGACY_MQTT
 
 // ----------------------------------------------------------------------------
 // Azure IoT Dynamic Provisioning Service
-// Define this to use the DPS service, otherwise direct IoT Hub
+//    Define this to use the DPS service, otherwise direct IoT Hub
 // ----------------------------------------------------------------------------
-//#define ENABLE_DPS
+// #define ENABLE_DPS
 
 // ----------------------------------------------------------------------------
-// Azure IoT Hub config
+// Azure IoT DPS Self-Signed X509Certificate
+//    Define this to connect to DPS or Iot Hub using a self-signed X509 
+///   certificate
+// ----------------------------------------------------------------------------
+// #define ENABLE_X509
+
+// ----------------------------------------------------------------------------
+// Azure IoT Device ID
+//    Make sure this is the same as the Device ID on the corresponding IoT Hub
+//    NOTE: To be used only when ENABLE_DPS is NOT defined
 // ----------------------------------------------------------------------------
-#define IOT_HUB_HOSTNAME ""
 #define IOT_DEVICE_ID    ""
+
+#ifndef ENABLE_X509
+// ----------------------------------------------------------------------------
+// Azure IoT SAS Key
+//    The SAS key generated by configuring an IoT Hub device or DPS individual
+//    enrollment
+//    NOTE: To be used only when ENABLE_X509 is not defined
+// ----------------------------------------------------------------------------
 #define IOT_PRIMARY_KEY  ""
+#endif
+
+#ifndef ENABLE_DPS
+// ----------------------------------------------------------------------------
+// Azure IoT Hub Hostname
+//    The Hostname found on your IoT Hub Overview page
+//    NOTE: To be used only when ENABLE_DPS is not defined
+// ----------------------------------------------------------------------------
+#define IOT_HUB_HOSTNAME ""
 
+#else
 // ----------------------------------------------------------------------------
 // Azure IoT DPS config
+//    DPS connection information
+//    IOT_DPS_ENDPOINT is always "global.azure-devices-provisioning.net"
+//    IOT_DPS_ID_SCOPE can be found on your DPS Overview page
+//    IOT_DPS_REGISTRATION ID is the title of your individual enrollment
+//    containing your SAS key or X509 certificate
 // ----------------------------------------------------------------------------
 #define IOT_DPS_ENDPOINT        "global.azure-devices-provisioning.net"
 #define IOT_DPS_ID_SCOPE        ""
 #define IOT_DPS_REGISTRATION_ID ""
+#endif
 
 #endif // _AZURE_CONFIG_H

Microchip/ATSAME54-XPRO/app/azure_device_x509_cert_config.h

@@ -0,0 +1,18 @@
+#ifndef _AZURE_DEVICE_X509_CERT_CONFIG_H
+#define _AZURE_DEVICE_X509_CERT_CONFIG_H
+
+// ----------------------------------------------------------------------------
+// Azure IoT X509 Device Certificate
+// Replace {0x00} with your formatted output from OpenSSL and xxd here
+// ----------------------------------------------------------------------------
+const unsigned char iot_x509_device_cert[] = {0x00};
+unsigned int iot_x509_device_cert_len = sizeof(iot_x509_device_cert);
+
+// ----------------------------------------------------------------------------
+// Azure IoT X509 Device Private Key
+// Replace {0x00} with your formatted output from OpenSSL and xxd here
+// ----------------------------------------------------------------------------
+unsigned char iot_x509_private_key[] = {0x00};
+const unsigned int iot_x509_private_key_len = sizeof(iot_x509_private_key);
+
+#endif

Microchip/ATSAME54-XPRO/app/nx_client.c

@@ -17,6 +17,7 @@
 #include "nx_azure_iot_pnp_helpers.h"
 
 #include "azure_config.h"
+#include "azure_device_x509_cert_config.h"
 #include "azure_pnp_info.h"
 
 #define IOT_MODEL_ID "dtmi:azurertos:devkit:gsg;1"
@@ -198,6 +199,22 @@ UINT azure_iot_nx_client_entry(
     }
 
 #ifdef ENABLE_DPS
+#   ifdef ENABLE_X509
+    status = azure_iot_nx_client_dps_create(&azure_iot_nx_client,
+        ip_ptr,
+        pool_ptr,
+        dns_ptr,
+        unix_time_callback,
+        IOT_DPS_ENDPOINT,
+        IOT_DPS_ID_SCOPE,
+        IOT_DPS_REGISTRATION_ID,
+        "",
+        (UCHAR*)iot_x509_device_cert,
+        iot_x509_device_cert_len,
+        (UCHAR*)iot_x509_private_key,
+        iot_x509_private_key_len,
+        IOT_MODEL_ID);
+#   else
     status = azure_iot_nx_client_dps_create(&azure_iot_nx_client,
         ip_ptr,
         pool_ptr,
@@ -207,8 +224,28 @@ UINT azure_iot_nx_client_entry(
         IOT_DPS_ID_SCOPE,
         IOT_DPS_REGISTRATION_ID,
         IOT_PRIMARY_KEY,
+        NULL,
+        0,
+        NULL,
+        0,
         IOT_MODEL_ID);
+#   endif
 #else
+#   ifdef ENABLE_X509
+    status = azure_iot_nx_client_create(&azure_iot_nx_client,
+        ip_ptr,
+        pool_ptr,
+        dns_ptr,
+        unix_time_callback,
+        IOT_HUB_HOSTNAME,
+        IOT_DEVICE_ID,
+        "",
+        (UCHAR*)iot_x509_device_cert,
+        iot_x509_device_cert_len,
+        (UCHAR*)iot_x509_private_key,
+        iot_x509_private_key_len,
+        IOT_MODEL_ID);
+#   else
     status = azure_iot_nx_client_create(&azure_iot_nx_client,
         ip_ptr,
         pool_ptr,
@@ -217,7 +254,12 @@ UINT azure_iot_nx_client_entry(
         IOT_HUB_HOSTNAME,
         IOT_DEVICE_ID,
         IOT_PRIMARY_KEY,
+        NULL,
+        0,
+        NULL,
+        0,
         IOT_MODEL_ID);
+#   endif
 #endif
     if (status != NX_SUCCESS)
     {

NXP/MIMXRT1050-EVKB/app/azure_config.h

@@ -6,28 +6,55 @@
 
 // ----------------------------------------------------------------------------
 // Azure IoT Hub Connection Transport
-// Define to use the legacy MQTT connection, else Azure RTOS SDK for Azure IoT
+//    Define to use the legacy MQTT connection, else Azure RTOS SDK for Azure IoT
 // ----------------------------------------------------------------------------
 //#define ENABLE_LEGACY_MQTT
 
 // ----------------------------------------------------------------------------
-// Azure IoT Hub Connection Transport
-// Define to use the legacy MQTT connection, else Azure RTOS SDK for Azure IoT
+// Azure IoT Dynamic Provisioning Service
+//    Define this to use the DPS service, otherwise direct IoT Hub
 // ----------------------------------------------------------------------------
-//#define ENABLE_LEGACY_MQTT
+// #define ENABLE_DPS
 
 // ----------------------------------------------------------------------------
-// Azure IoT Hub config
+// Azure IoT DPS Self-Signed X509Certificate
+//    Define this to connect to DPS or Iot Hub using a self-signed X509 
+///   certificate
+// ----------------------------------------------------------------------------
+// #define ENABLE_X509
+
+// ----------------------------------------------------------------------------
+// Azure IoT Device ID
+//    Make sure this is the same as the Device ID on the corresponding IoT Hub
+//    NOTE: To be used only when ENABLE_DPS is NOT defined
 // ----------------------------------------------------------------------------
-#define IOT_HUB_HOSTNAME ""
 #define IOT_DEVICE_ID    ""
+
+// ----------------------------------------------------------------------------
+// Azure IoT SAS Key
+//    The SAS key generated by configuring an IoT Hub device or DPS individual
+//    enrollment
+//    NOTE: To be used only when ENABLE_X509 is not defined
+// ----------------------------------------------------------------------------
 #define IOT_PRIMARY_KEY  ""
 
+// ----------------------------------------------------------------------------
+// Azure IoT Hub Hostname
+//    The Hostname found on your IoT Hub Overview page
+//    NOTE: To be used only when ENABLE_DPS is not defined
+// ----------------------------------------------------------------------------
+#define IOT_HUB_HOSTNAME ""
+
 // ----------------------------------------------------------------------------
 // Azure IoT DPS config
+//    DPS connection information
+//    IOT_DPS_ENDPOINT is always "global.azure-devices-provisioning.net"
+//    IOT_DPS_ID_SCOPE can be found on your DPS Overview page
+//    IOT_DPS_REGISTRATION ID is the title of your individual enrollment
+//    containing your SAS key or X509 certificate
 // ----------------------------------------------------------------------------
 #define IOT_DPS_ENDPOINT        "global.azure-devices-provisioning.net"
 #define IOT_DPS_ID_SCOPE        ""
 #define IOT_DPS_REGISTRATION_ID ""
 
-#endif // _AZURE_CONFIG_H
+#endif // _AZURE_CONFIG_H