4 changes: 0 additions & 4 deletions .gitmodules
Expand Up @@ -25,10 +25,6 @@
path = libraries/aws/device-defender-for-aws-iot-embedded-sdk
branch = main
url = https://github.com/aws/device-defender-for-aws-iot-embedded-sdk.git
[submodule "libraries/standard/corePKCS11"]
path = libraries/standard/corePKCS11
branch = main
url = https://github.com/FreeRTOS/corePKCS11.git
[submodule "libraries/standard/backoffAlgorithm"]
path = libraries/standard/backoffAlgorithm
branch = main
Expand Up @@ -10,17 +10,6 @@ include( ${CMAKE_SOURCE_DIR}/libraries/standard/backoffAlgorithm/backoffAlgorith
include(
${CMAKE_SOURCE_DIR}/libraries/aws/fleet-provisioning-for-aws-iot-embedded-sdk/fleetprovisioningFilePaths.cmake )

# Set path to corePKCS11 and it's third party libraries.
set(COREPKCS11_LOCATION "${CMAKE_SOURCE_DIR}/libraries/standard/corePKCS11")
set(CORE_PKCS11_3RDPARTY_LOCATION "${COREPKCS11_LOCATION}/source/dependency/3rdparty")

# Include PKCS #11 library's source and header path variables.
include( ${COREPKCS11_LOCATION}/pkcsFilePaths.cmake )

list(APPEND PKCS_SOURCES
"${CORE_PKCS11_3RDPARTY_LOCATION}/mbedtls_utils/mbedtls_utils.c"
)

# CPP files are searched for supporting CI build checks that verify C++ linkage of the Fleet Provisioning library
file( GLOB DEMO_SRCS "*.c*" )

Expand All @@ -30,35 +19,25 @@ add_executable( ${DEMO_NAME}
${MQTT_SOURCES}
${MQTT_SERIALIZER_SOURCES}
${BACKOFF_ALGORITHM_SOURCES}
${PKCS_SOURCES}
${PKCS_PAL_POSIX_SOURCES}
${FLEET_PROVISIONING_SOURCES} )

target_link_libraries( ${DEMO_NAME} PRIVATE
tinycbor
mbedtls
clock_posix
transport_mbedtls_pkcs11_posix )
transport_mbedtls_posix )

target_include_directories( ${DEMO_NAME}
PUBLIC
${LOGGING_INCLUDE_DIRS}
${MQTT_INCLUDE_PUBLIC_DIRS}
${BACKOFF_ALGORITHM_INCLUDE_PUBLIC_DIRS}
${PKCS_INCLUDE_PUBLIC_DIRS}
${PKCS_PAL_INCLUDE_PUBLIC_DIRS}
${AWS_DEMO_INCLUDE_DIRS}
"${FLEET_PROVISIONING_INCLUDE_PUBLIC_DIRS}"
"${DEMOS_DIR}/pkcs11/common/include" # corePKCS11 config
"${CMAKE_SOURCE_DIR}/platform/include"
"${CMAKE_CURRENT_LIST_DIR}"
PRIVATE
"${CORE_PKCS11_3RDPARTY_LOCATION}/mbedtls_utils" )
${FLEET_PROVISIONING_INCLUDE_PUBLIC_DIRS}
${CMAKE_SOURCE_DIR}/platform/include
${CMAKE_CURRENT_LIST_DIR} )

set_macro_definitions(TARGETS ${DEMO_NAME}
OPTIONAL
"DOWNLOADED_CERT_WRITE_PATH"
"GENERATED_PRIVATE_KEY_WRITE_PATH"
REQUIRED
"AWS_IOT_ENDPOINT"
"ROOT_CA_CERT_PATH"
Expand All @@ -70,4 +49,6 @@ set_macro_definitions(TARGETS ${DEMO_NAME}
"CLIENT_IDENTIFIER"
"OS_NAME"
"OS_VERSION"
"HARDWARE_PLATFORM_NAME")
"HARDWARE_PLATFORM_NAME"
"CLIENT_PRIVATE_KEY_PATH"
"CLIENT_CERT_PATH")
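Review bot: The two names added to the REQUIRED list, `CLIENT_PRIVATE_KEY_PATH` and `CLIENT_CERT_PATH`, are locations the demo writes to rather than reads — the C changes open CLIENT_CERT_PATH with `fopen( ..., "w" )` and pass CLIENT_PRIVATE_KEY_PATH to `Mbedtls_GenerateECKey`, which presumably writes the new key there — and nothing in this file says so, whereas the removed OPTIONAL `DOWNLOADED_CERT_WRITE_PATH` at least carried "WRITE" in its name. Add a comment above the two entries such as `# Written by the demo at run time: the generated device private key and the certificate returned by Fleet Provisioning; point both at a writable, access-restricted location.` The rewritten `target_include_directories` lines also drop the quotes that surrounded `${FLEET_PROVISIONING_INCLUDE_PUBLIC_DIRS}` and `${CMAKE_SOURCE_DIR}/platform/include`; the latter is a single path, not a list, and unquoted it splits into several arguments if the checkout path contains a space, so keep `"${CMAKE_SOURCE_DIR}/platform/include"` quoted. The `set_macro_definitions` call that the last hunk finishes begins in the previous hunk.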
Expand Up @@ -58,24 +58,16 @@
#include <unistd.h>
#include <errno.h>

#if defined( DOWNLOADED_CERT_WRITE_PATH )
#include <fcntl.h>
#endif // DOWNLOADED_CERT_WRITE_PATH

/* Demo config. */
#include "demo_config.h"

/* corePKCS11 includes. */
#include "core_pkcs11.h"
#include "core_pkcs11_config.h"

/* AWS IoT Fleet Provisioning Library. */
#include "fleet_provisioning.h"

/* Demo includes. */
#include "mqtt_operations.h"
#include "pkcs11_operations.h"
#include "fleet_provisioning_serializer.h"
#include "mbedtls_posix.h"

/**
* These configurations are required. Throw compilation error if it is not
Expand Down Expand Up @@ -483,71 +475,44 @@ int main( int argc,
char ownershipToken[ OWNERSHIP_TOKEN_BUFFER_LENGTH ];
size_t ownershipTokenLength;
bool connectionEstablished = false;
CK_SESSION_HANDLE p11Session;
int demoRunCount = 0;
CK_RV pkcs11ret = CKR_OK;

/* Silence compiler warnings about unused variables. */
( void ) argc;
( void ) argv;

psa_crypto_init();

do
{
/* Initialize the buffer lengths to their max lengths. */
certificateLength = CERT_BUFFER_LENGTH;
certificateIdLength = CERT_ID_BUFFER_LENGTH;
ownershipTokenLength = OWNERSHIP_TOKEN_BUFFER_LENGTH;

/* Initialize the PKCS #11 module */
pkcs11ret = xInitializePkcs11Session( &p11Session );

if( pkcs11ret != CKR_OK )
{
LogError( ( "Failed to initialize PKCS #11." ) );
status = false;
}
else
{
/* Insert the claim credentials into the PKCS #11 module */
status = loadClaimCredentials( p11Session,
CLAIM_CERT_PATH,
pkcs11configLABEL_CLAIM_CERTIFICATE,
CLAIM_PRIVATE_KEY_PATH,
pkcs11configLABEL_CLAIM_PRIVATE_KEY );

if( status == false )
{
LogError( ( "Failed to provision PKCS #11 with claim credentials." ) );
}
}

/**** Connect to AWS IoT Core with provisioning claim credentials *****/

/* We first use the claim credentials to connect to the broker. These
* credentials should allow use of the RegisterThing API and one of the
* CreateCertificatefromCsr or CreateKeysAndCertificate.
* In this demo we use CreateCertificatefromCsr. */

if( status == true )
{
/* Attempts to connect to the AWS IoT MQTT broker. If the
* connection fails, retries after a timeout. Timeout value will
* exponentially increase until maximum attempts are reached. */
LogInfo( ( "Establishing MQTT session with claim certificate..." ) );
status = EstablishMqttSession( provisioningPublishCallback,
p11Session,
pkcs11configLABEL_CLAIM_CERTIFICATE,
pkcs11configLABEL_CLAIM_PRIVATE_KEY );
/* Attempts to connect to the AWS IoT MQTT broker. If the
* connection fails, retries after a timeout. Timeout value will
* exponentially increase until maximum attempts are reached. */
LogInfo( ( "Establishing MQTT session with claim certificate..." ) );
status = EstablishMqttSession( provisioningPublishCallback,
CLAIM_CERT_PATH,
CLAIM_PRIVATE_KEY_PATH );

if( status == false )
{
LogError( ( "Failed to establish MQTT session." ) );
}
else
{
LogInfo( ( "Established connection with claim credentials." ) );
connectionEstablished = true;
}
if( status == false )
{
LogError( ( "Failed to establish MQTT session." ) );
}
else
{
LogInfo( ( "Established connection with claim credentials." ) );
connectionEstablished = true;
}

/**** Call the CreateCertificateFromCsr API ***************************/
Expand All @@ -565,13 +530,22 @@ int main( int argc,

if( status == true )
{
/* Create a new key and CSR. */
status = generateKeyAndCsr( p11Session,
pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS,
pkcs11configLABEL_DEVICE_PUBLIC_KEY_FOR_TLS,
csr,
CSR_BUFFER_LENGTH,
&csrLength );
if( Mbedtls_GenerateECKey( CLIENT_PRIVATE_KEY_PATH ) != MBEDTLS_SUCCESS )
{
status = false;
}
}

if( status == true )
{
if( Mbedtls_GenerateCSR( CLIENT_PRIVATE_KEY_PATH, csr, CSR_BUFFER_LENGTH ) != MBEDTLS_SUCCESS )
{
status = false;
}
else
{
csrLength = strnlen( csr, CSR_BUFFER_LENGTH );
}
}

if( status == true )
Expand Down Expand Up @@ -628,11 +602,26 @@ int main( int argc,

if( status == true )
{
/* Save the certificate into PKCS #11. */
status = loadCertificate( p11Session,
certificate,
pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS,
certificateLength );
FILE * pFile = fopen(CLIENT_CERT_PATH, "w");

if( pFile == NULL )
{
status = false;
}
else
{
size_t bytesWritten = fwrite( certificate, 1, certificateLength, pFile );
if( bytesWritten != certificateLength )
{
status = false;
LogError( ( "Failed to write device certificate to file %s.", CLIENT_CERT_PATH ) );
}
else
{
LogInfo( ( "Wrote client certificate to path: %s, length: %lu", CLIENT_CERT_PATH, ( unsigned long ) certificateLength ) );
}
fclose( pFile );
}
}

if( status == true )
Expand Down Expand Up @@ -725,9 +714,8 @@ int main( int argc,
{
LogInfo( ( "Establishing MQTT session with provisioned certificate..." ) );
status = EstablishMqttSession( provisioningPublishCallback,
p11Session,
pkcs11configLABEL_DEVICE_CERTIFICATE_FOR_TLS,
pkcs11configLABEL_DEVICE_PRIVATE_KEY_FOR_TLS );
CLIENT_CERT_PATH,
CLIENT_PRIVATE_KEY_PATH );

if( status != true )
{
Expand All @@ -752,8 +740,6 @@ int main( int argc,
connectionEstablished = false;
}

pkcs11CloseSession( p11Session );

/**** Retry in case of failure ****************************************/

/* Increment the demo run count. */
Expand Down Expand Up @@ -781,34 +767,6 @@ int main( int argc,
if( status == true )
{
LogInfo( ( "Demo completed successfully." ) );

#if defined( DOWNLOADED_CERT_WRITE_PATH )
{
int fd = open( DOWNLOADED_CERT_WRITE_PATH, O_CREAT | O_WRONLY | O_TRUNC, S_IRUSR | S_IWUSR );

if( -1 != fd )
{
const ssize_t writtenBytes = write( fd, certificate, certificateLength );

if( writtenBytes == certificateLength )
{
LogInfo( ( "Written %s successfully.", DOWNLOADED_CERT_WRITE_PATH ) );
}
else
{
LogError( ( "Could not write to %s. Error: %s.", DOWNLOADED_CERT_WRITE_PATH, strerror( errno ) ) );
}

close( fd );
}
else
{
LogError( ( "Could not open %s. Error: %s.", DOWNLOADED_CERT_WRITE_PATH, strerror( errno ) ) );
}
}
#else /* if defined( DOWNLOADED_CERT_WRITE_PATH ) */
LogInfo( ( "NOTE: define DOWNLOADED_CERT_WRITE_PATH in order to have the certificate written to disk." ) );
#endif // DOWNLOADED_CERT_WRITE_PATH
}

return ( status == true ) ? EXIT_SUCCESS : EXIT_FAILURE;
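Review bot: The certificate write added around `FILE * pFile = fopen(CLIENT_CERT_PATH, "w");` can report success without the data reaching disk, because the return value of `fclose( pFile )` is discarded and the `pFile == NULL` branch sets status without saying why. A failed close (buffered write error, ENOSPC) leaves a truncated certificate at CLIENT_CERT_PATH that the later `EstablishMqttSession( ..., CLIENT_CERT_PATH, CLIENT_PRIVATE_KEY_PATH )` will then try to use, so check the close and log `strerror( errno )` on both failure paths as the removed DOWNLOADED_CERT_WRITE_PATH block did; `errno.h` is already included. Relatedly, that removed block created its output with `S_IRUSR | S_IWUSR`, while the new `Mbedtls_GenerateECKey( CLIENT_PRIVATE_KEY_PATH )` is defined outside this diff — confirm that helper creates the private-key file with owner-only permissions, since the PKCS #11 path it replaces never left the key in a plain file. The `psa_crypto_init();` call before the retry loop also drops its status. main() starts and ends outside the hunks shown.
```c
FILE * pFile = fopen( CLIENT_CERT_PATH, "w" );

if( pFile == NULL )
{
    status = false;
    LogError( ( "Failed to open %s for writing. Error: %s.", CLIENT_CERT_PATH, strerror( errno ) ) );
}
else
{
    /* … unchanged: fwrite and the bytesWritten check … */

    /* A failed close can mean the buffered certificate never hit the disk. */
    if( fclose( pFile ) != 0 )
    {
        status = false;
        LogError( ( "Failed to close %s. Error: %s.", CLIENT_CERT_PATH, strerror( errno ) ) );
    }
}
```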