[bug #54601] altcp_tls_create_config_client does not support sending of device certificate and private key


Simon Goldschmidt
URL:
  <http://savannah.nongnu.org/bugs/?54601>

                 Summary: altcp_tls_create_config_client does not support
sending of device certificate and private key
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: richmond_umagat
            Submitted on: Fri 31 Aug 2018 03:01:04 AM UTC
                Category: TCP
                Severity: 3 - Normal
              Item Group: Feature Request
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

Secure MQTT brokers such as AWS IoT cloud require MQTT clients to send a device
certificate and private key, in addition to the CA certificate (which is
optional).

But the current implementation of altcp_tls_create_config_client() only allows
the user to include a CA certificate. As such, it is impossible to connect to the
AWS cloud with such a limitation.

To fix this issue, the following function has been modified:
OLD:
struct altcp_tls_config *altcp_tls_create_config_client(const u8_t *cert,
size_t cert_len);
NEW:
struct altcp_tls_config *altcp_tls_create_config_client(const u8_t *ca,
size_t ca_len, const u8_t *cert, size_t cert_len, const u8_t *pkey,
size_t pkey_len);

I have attached my proposed modifications in altcp_tls_mbedtls.c and
altcp_tls.h. This has been tested to work with MQTT protocol to connect to AWS
IoT cloud and AWS Greengrass.




    _______________________________________________________

File Attachments:


-------------------------------------------------------
Date: Fri 31 Aug 2018 03:01:04 AM UTC  Name: altcp_tls.h  Size: 4KiB  By: richmond_umagat
Proposed changes
<http://savannah.nongnu.org/bugs/download.php?file_id=44901>
-------------------------------------------------------
Date: Fri 31 Aug 2018 03:01:04 AM UTC  Name: altcp_tls_mbedtls.c  Size: 37KiB  By: richmond_umagat
Proposed changes
<http://savannah.nongnu.org/bugs/download.php?file_id=44902>

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?54601>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/


_______________________________________________
lwip-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-devel

Simon Goldschmidt
Follow-up Comment #1, bug #54601 (project lwip):

OK, so now at least we know it fails because you need a client certificate for
your mqtt server.

Some comments before pushing this:
- please provide a new function (e.g. altcp_tls_create_config_client_privkey
or something like that) to distinguish between client-authentication connections
and "standard" https connections
- remove those FT32_PORT ifdefs
- why do you need the 'ca' member in struct altcp_tls_config? I fail to find
it in the manual diff...

Anyway, 2.1.0 is about to be released really soon, so if you want this to go
in, you should be fast ;-)

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?54601>


Simon Goldschmidt
Follow-up Comment #2, bug #54601 (project lwip):

Attached are the updated modifications to address your comments.

- A new function called altcp_tls_create_config_client_2wayauth() is
introduced to support two-way authentication (server can authenticate client
using the client certificate and private key; client can authenticate server
using the ca/server certificate)
- The 'ca' member in the altcp_tls_config structure is necessary. Like the 'cert'
and 'pkey' members, the memory must persist until the connection is freed in
altcp_tls_free_config().

The modifications have been tested working with Amazon AWS IoT cloud.

(file #44924, file #44925)
    _______________________________________________________

Additional Item Attachment:

File name: altcp_tls_mbedtls.c  Size: 36 KB
File name: altcp_tls.h          Size: 3 KB


    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?54601>

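A minimal model of the configuration object this thread is about, added here as an illustration; it is not lwIP's code and not the attachments from the report. The names tls_client_config, tls_config_create_client, tls_config_create_client_2wayauth and tls_config_free are hypothetical stand-ins for the altcp_tls_* functions discussed above. It shows the two points the thread settles on: a separate constructor for mutual authentication (comment #1) that refuses a certificate without its key, and a config that owns copies of ca/cert/pkey so the memory persists until the config is freed (comment #2), with the key scrubbed on free.

```c
/* Added illustration, not lwIP code: hypothetical names modelled on the
 * altcp_tls_create_config_client / _2wayauth API discussed in this thread. */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

typedef struct {
    uint8_t *ca;   size_t ca_len;    /* trust anchor(s) used to verify the server; optional */
    uint8_t *cert; size_t cert_len;  /* device certificate presented to the server */
    uint8_t *pkey; size_t pkey_len;  /* private key matching cert; sensitive */
} tls_client_config;

/* Copy a caller buffer so the config owns it for its whole lifetime
 * (the lifetime requirement raised in comment #2). */
static int own_copy(uint8_t **dst, size_t *dst_len, const uint8_t *src, size_t len)
{
    *dst = NULL; *dst_len = 0;
    if (src == NULL || len == 0) return 1;   /* optional input, nothing to copy */
    *dst = malloc(len);
    if (*dst == NULL) return 0;
    memcpy(*dst, src, len);
    *dst_len = len;
    return 1;
}

void tls_config_free(tls_client_config *cfg)
{
    if (cfg == NULL) return;
    /* Scrub key material before releasing it (a volatile write so the
     * compiler cannot drop the zeroing as a dead store). */
    if (cfg->pkey != NULL) {
        volatile uint8_t *p = cfg->pkey;
        for (size_t i = 0; i < cfg->pkey_len; i++) p[i] = 0;
    }
    free(cfg->pkey); free(cfg->cert); free(cfg->ca);
    free(cfg);
}

/* Server authentication only: the "standard" https-style client of comment #1. */
tls_client_config *tls_config_create_client(const uint8_t *ca, size_t ca_len)
{
    tls_client_config *cfg = calloc(1, sizeof *cfg);
    if (cfg == NULL) return NULL;
    if (!own_copy(&cfg->ca, &cfg->ca_len, ca, ca_len)) { tls_config_free(cfg); return NULL; }
    return cfg;
}

/* Two-way authentication: certificate and private key are mandatory and must
 * arrive together; the CA stays optional, as in the original report. */
tls_client_config *tls_config_create_client_2wayauth(const uint8_t *ca, size_t ca_len,
                                                     const uint8_t *cert, size_t cert_len,
                                                     const uint8_t *pkey, size_t pkey_len)
{
    if (cert == NULL || cert_len == 0 || pkey == NULL || pkey_len == 0)
        return NULL;   /* refuse a half-configured client rather than fail mid-handshake */
    tls_client_config *cfg = tls_config_create_client(ca, ca_len);
    if (cfg == NULL) return NULL;
    if (!own_copy(&cfg->cert, &cfg->cert_len, cert, cert_len) ||
        !own_copy(&cfg->pkey, &cfg->pkey_len, pkey, pkey_len)) {
        tls_config_free(cfg);
        return NULL;
    }
    return cfg;
}

/* Returns 1 if the config still holds the key after the caller wiped its own
 * buffer, i.e. the config owns an independent copy. Inputs are constructed
 * placeholders, not real PEM material. */
int tls_config_owns_copy(void)
{
    uint8_t key[]  = "-----BEGIN PRIVATE KEY----- (constructed placeholder) -----END PRIVATE KEY-----";
    uint8_t cert[] = "-----BEGIN CERTIFICATE----- (constructed placeholder) -----END CERTIFICATE-----";
    tls_client_config *cfg =
        tls_config_create_client_2wayauth(NULL, 0, cert, sizeof cert, key, sizeof key);
    if (cfg == NULL) return 0;
    memset(key, 0, sizeof key);   /* caller discards its copy */
    int intact = (cfg->pkey_len == sizeof key) && (cfg->pkey[0] == '-');
    tls_config_free(cfg);
    return intact;
}

/* Returns 1 if a CA-less server-auth config can be created (CA is optional). */
int tls_config_ca_optional(void)
{
    tls_client_config *cfg = tls_config_create_client(NULL, 0);
    if (cfg == NULL) return 0;
    int ok = (cfg->ca == NULL) && (cfg->ca_len == 0);
    tls_config_free(cfg);
    return ok;
}
```

Keeping the two constructors separate, rather than overloading one with nullable arguments, makes a misconfigured device fail at config time instead of during the TLS handshake against the broker, and keeps the private key out of the config for connections that never needed it.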

Simon Goldschmidt
Update of bug #54601 (project lwip):

                  Status:                    None => Fixed
             Assigned to:                    None => goldsimon
             Open/Closed:                    Open => Closed

    _______________________________________________________

Follow-up Comment #3:

Fixed, though slightly different. Thanks for the fix.

    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?54601>
