Forums - MQTT with SSL support

9 posts / 0 new
Last post
MQTT with SSL support
chau-nm
Join Date: 12 Feb 17
Posts: 8
Posted: Thu, 2018-05-24 03:19

Hi, 

I intend to make an hostless mqtt application with QCA4010 which will connect to an mqtt broker that require certifications.

In the qcom_mqtt_connect function, the parameter: MqttConnectParams has the fields for rootCA, private key, and certificates files location. 
My question is how can I put my certificates into the file in my application? Basically, I have the byte array of the certificates in pem-encoded.

I didn't find any document that describes about the file mechanism in QCA4010.

  • Up0
  • Down0
jbhanu Moderator
Join Date: 6 Feb 17
Posts: 76
Posted: Thu, 2018-05-24 12:02

Hi , 

There are at least two certification files required A. the server sent certificate B. The root CA certificate of the CA . You can directly  add the HEX value (byte array) in to your code using MqttConnectParams. Means hard code those value in Array and assigned to specfic MqttConnectParams members. 

 

 

 

  • Up0
  • Down0
chau-nm
Join Date: 12 Feb 17
Posts: 8
Posted: Sun, 2018-05-27 21:01

Hi, 

Thanks for your reply. But due to the definition of the MQTTConnectParams as below:

typedef struct {
    uint8_t enableAutoReconnect;        ///< Set to true to enable auto reconnect
    char *pHostURL;                     ///< Pointer to a string defining the endpoint for the MQTT service
    uint16_t port;                      ///< MQTT service listening port
    char *pRootCALocation;              ///< Pointer to a string defining the Root CA file (full file, not path)
    char *pDeviceCertLocation;          ///< Pointer to a string defining the device identity certificate file (full file, not path)
    char *pDevicePrivateKeyLocation;    ///< Pointer to a string defining the device private key file (full file, not path)
    char *pClientID;                    ///< Pointer to a string defining the MQTT client ID (this needs to be unique \b per \b device across your AWS account)
    char *pUserName;                    ///< Not used in the AWS IoT Service
    char *pPassword;                    ///< Not used in the AWS IoT Service
    MQTT_Ver_t MQTTVersion;             ///< Desired MQTT version used during connection
    uint16_t KeepAliveInterval_sec;     ///< MQTT keep alive interval in seconds. Defines inactivity time allowed before determining the connection has been lost.
    bool isCleansession;                ///< MQTT clean session. True = this session is to be treated as clean. Previous server state is cleared and no stated is retained from this connection.
    bool isWillMsgPresent;              ///< Is there a LWT associated with this connection?
    MQTTwillOptions will;               ///< MQTT LWT parameters.
    uint32_t mqttCommandTimeout_ms;     ///< Timeout for MQTT blocking calls. In milliseconds.
    uint32_t tlsHandshakeTimeout_ms;    ///< TLS handshake timeout. In milliseconds.
    bool isSSLHostnameVerify;           ///< Client should perform server certificate hostname validation.
    iot_disconnect_handler disconnectHandler;   ///< Callback to be invoked upon connection loss.
} MQTTConnectParams;

 

I saw that the members for the pRootCALocation, pDeviceCertLocation, pPrivatekeyLocation cert are the location of the files that hold the certs and key. Can I directly pass the address of the arrays to those member or I have to use qcom_SSL_storeCert to save those certs and key to flash before using in MQTTConnectParams? 

I do have the pem-encoded certificates and privatekey with me? Do I have to use sharkSSLParseCert.exe to convert it to bin file before getting the array?

I have done with openSSL before and in that case I only provided the certs as below array:

const char clientCert[] = "-----BEGIN CERTIFICATE-----\n" \
....

 

"-----END CERTIFICATE-----\n";

 

  • Up0
  • Down0
jbhanu Moderator
Join Date: 6 Feb 17
Posts: 76
Posted: Mon, 2018-05-28 03:20

Hi , 

Yes. Right. You need to  use sharkSSLParseCert.exe to convert it to bin file before getting the array

  • Up0
  • Down0
chau-nm
Join Date: 12 Feb 17
Posts: 8
Posted: Mon, 2018-05-28 19:01

Hi jbhanu, 

Thanks for your reply. 

So I resume the process as below:

1. Get the root CA, certificate and private key.

2. Using sharkSSLParseCert.exe to get the bin files.

3. Using arrays to store the bin file contents.

4. Pass the address of the array to the MQTTConnectParams:

MQTTConnectParams.pRootCALocation = rootCAarray;

MQTTConnectParams.pDeviceCertLocation = deviceCertArray;

MQTTConnectParams.pPrivateKeyLocation = devicePrivateKeyArray;

Can you help to confirm the process?

 

  • Up0
  • Down0
jbhanu Moderator
Join Date: 6 Feb 17
Posts: 76
Posted: Mon, 2018-06-04 20:22

Hi , 

Yes . You just need to convert your .pem format cert to sharkssl format like below and assign  generated array to MQTTConnectParams.pDeviceCertLocation

 ./ SharkSSLParseCert  <certificate> <privatekeyfile> 

Like that same is applicable for root CA. 

$ ./SharkSSLParseCAList  <root-CA.crt> 

 

Just pass MQTTConnectParams.pPrivateKeyLocation = NULL, as alerdy used by SharkSSLParseCert.exe.

Hope it helps. 

  • Up0
  • Down0
jbhanu Moderator
Join Date: 6 Feb 17
Posts: 76
Posted: Mon, 2018-06-04 20:22

Hi , 

Yes . You just need to convert your .pem format cert to sharkssl format like below and assign  generated array to MQTTConnectParams.pDeviceCertLocation

 ./ SharkSSLParseCert  <certificate> <privatekeyfile> 

Like that same is applicable for root CA. 

$ ./SharkSSLParseCAList  <root-CA.crt> 

 

Just pass MQTTConnectParams.pPrivateKeyLocation = NULL, as alerdy used by SharkSSLParseCert.exe.

Hope it helps. 

  • Up0
  • Down0
chau-nm
Join Date: 12 Feb 17
Posts: 8
Posted: Sat, 2018-09-01 22:09

Hi, 

I finally use can work with an SSL supported MQTT broker in my local network.

For the RootCa and Cert, use SharkSSL to parse the cert plus private key and RootCA.

After that, you will need to use qcom_SSL_storeCert to store the cert into file and provide that file name to MQTT param.

That worked well for me.

  • Up0
  • Down0
jbhanu Moderator
Join Date: 6 Feb 17
Posts: 76
Posted: Sun, 2018-09-02 21:12

Good news. You can use the same procedure for any remote broker too. If any further doubt/query , please kindly let us know . 

 

Thanks

 

  • Up0
  • Down0
or Register

Opinions expressed in the content posted here are the personal opinions of the original authors, and do not necessarily reflect those of Qualcomm Incorporated or its subsidiaries (“Qualcomm”). The content is provided for informational purposes only and is not meant to be an endorsement or representation by Qualcomm or any other party. This site may also provide links or references to non-Qualcomm sites and resources. Qualcomm makes no representations, warranties, or other commitments whatsoever about any non-Qualcomm sites or third-party resources that may be referenced, accessible from, or linked to this site.