Skip to content

Commit

Permalink
fleet provisioning demo to get certificate and private key via Create…
Browse files Browse the repository at this point in the history
…KeysAndCertificate (#1875)

* just duplicated demo fleet_provisioning_with_csr and renamed

* migrating demo CreateCertificateFromCsr -> CreateKeysAndCertificate

* migrating demo CreateCertificateFromCsr -> CreateKeysAndCertificate

* migrating demo CreateCertificateFromCsr -> CreateKeysAndCertificate

* migrating demo CreateCertificateFromCsr -> CreateKeysAndCertificate

* migrated demo CreateCertificateFromCsr -> CreateKeysAndCertificate

* added optional write to disk of downloaded private key and certificate

* removed unused code and fixed doxygen

* accept pPrivateKey in demos spelling check

* uncrustified

* uncrustified

---------

Co-authored-by: Giuseppe Penone <giuseppe.penone@delonghigroup.com>
  • Loading branch information
giuspen and Giuseppe Penone authored Aug 23, 2023
1 parent 52f2d40 commit 0c209c0
Show file tree
Hide file tree
Showing 14 changed files with 4,054 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
set( DEMO_NAME "fleet_provisioning_keys_cert_demo" )

# Include MQTT library's source and header path variables.
include( ${CMAKE_SOURCE_DIR}/libraries/standard/coreMQTT/mqttFilePaths.cmake )

# Include backoffAlgorithm library file path configuration.
include( ${CMAKE_SOURCE_DIR}/libraries/standard/backoffAlgorithm/backoffAlgorithmFilePaths.cmake )

# Include Fleet Provisioning library's source and header path variables.
include(
${CMAKE_SOURCE_DIR}/libraries/aws/fleet-provisioning-for-aws-iot-embedded-sdk/fleetprovisioningFilePaths.cmake )

# Set path to corePKCS11 and it's third party libraries.
set(COREPKCS11_LOCATION "${CMAKE_SOURCE_DIR}/libraries/standard/corePKCS11")
set(CORE_PKCS11_3RDPARTY_LOCATION "${COREPKCS11_LOCATION}/source/dependency/3rdparty")

# Include PKCS #11 library's source and header path variables.
include( ${COREPKCS11_LOCATION}/pkcsFilePaths.cmake )

list(APPEND PKCS_SOURCES
"${CORE_PKCS11_3RDPARTY_LOCATION}/mbedtls_utils/mbedtls_utils.c"
)

# CPP files are searched for supporting CI build checks that verify C++ linkage of the Fleet Provisioning library
file( GLOB DEMO_SRCS "*.c*" )

# Demo target.
add_executable( ${DEMO_NAME}
${DEMO_SRCS}
${MQTT_SOURCES}
${MQTT_SERIALIZER_SOURCES}
${BACKOFF_ALGORITHM_SOURCES}
${PKCS_SOURCES}
${PKCS_PAL_POSIX_SOURCES}
${FLEET_PROVISIONING_SOURCES} )

target_link_libraries( ${DEMO_NAME} PRIVATE
tinycbor
mbedtls
clock_posix
transport_mbedtls_pkcs11_posix )

target_include_directories( ${DEMO_NAME}
PUBLIC
${LOGGING_INCLUDE_DIRS}
${MQTT_INCLUDE_PUBLIC_DIRS}
${BACKOFF_ALGORITHM_INCLUDE_PUBLIC_DIRS}
${PKCS_INCLUDE_PUBLIC_DIRS}
${PKCS_PAL_INCLUDE_PUBLIC_DIRS}
${AWS_DEMO_INCLUDE_DIRS}
"${FLEET_PROVISIONING_INCLUDE_PUBLIC_DIRS}"
"${DEMOS_DIR}/pkcs11/common/include" # corePKCS11 config
"${CMAKE_SOURCE_DIR}/platform/include"
"${CMAKE_CURRENT_LIST_DIR}"
PRIVATE
"${CORE_PKCS11_3RDPARTY_LOCATION}/mbedtls_utils" )

set_macro_definitions(TARGETS ${DEMO_NAME}
OPTIONAL
"DOWNLOADED_CERT_WRITE_PATH"
"DOWNLOADED_PRIVATE_KEY_WRITE_PATH"
REQUIRED
"AWS_IOT_ENDPOINT"
"ROOT_CA_CERT_PATH"
"CLAIM_CERT_PATH"
"CLAIM_PRIVATE_KEY_PATH"
"PROVISIONING_TEMPLATE_NAME"
"DEVICE_SERIAL_NUMBER"
"CSR_SUBJECT_NAME"
"CLIENT_IDENTIFIER"
"OS_NAME"
"OS_VERSION"
"HARDWARE_PLATFORM_NAME")
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
/*
* AWS IoT Device SDK for Embedded C 202211.00
* Copyright (C) 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy of
* this software and associated documentation files (the "Software"), to deal in
* the Software without restriction, including without limitation the rights to
* use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
* the Software, and to permit persons to whom the Software is furnished to do so,
* subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
* FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
* COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
* IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/

#ifndef CORE_MQTT_CONFIG_H_
#define CORE_MQTT_CONFIG_H_

/**************************************************/
/******* DO NOT CHANGE the following order ********/
/**************************************************/

/* Include logging header files and define logging macros in the following order:
* 1. Include the header file "logging_levels.h".
* 2. Define the LIBRARY_LOG_NAME and LIBRARY_LOG_LEVEL macros.
* 3. Include the header file "logging_stack.h".
*/

#include "logging_levels.h"

/* Logging configuration for the MQTT library. */
#ifndef LIBRARY_LOG_NAME
#define LIBRARY_LOG_NAME "MQTT"
#endif

#ifndef LIBRARY_LOG_LEVEL
#define LIBRARY_LOG_LEVEL LOG_WARN
#endif

#include "logging_stack.h"

/************ End of logging configuration ****************/

/**
* @brief Determines the maximum number of MQTT PUBLISH messages, pending
* acknowledgement at a time, that are supported for incoming and outgoing
* direction of messages, separately.
*
* QoS 1 and 2 MQTT PUBLISHes require acknowledgement from the server before
* they can be completed. While they are awaiting the acknowledgement, the
* client must maintain information about their state. The value of this
* macro sets the limit on how many simultaneous PUBLISH states an MQTT
* context maintains, separately, for both incoming and outgoing direction of
* PUBLISHes.
*
* @note The MQTT context maintains separate state records for outgoing
* and incoming PUBLISHes, and thus, 2 * MQTT_STATE_ARRAY_MAX_COUNT amount
* of memory is statically allocated for the state records.
*/
#define MQTT_STATE_ARRAY_MAX_COUNT ( 10U )

/**
* @brief Number of milliseconds to wait for a ping response to a ping
* request as part of the keep-alive mechanism.
*
* If a ping response is not received before this timeout, then
* #MQTT_ProcessLoop will return #MQTTKeepAliveTimeout.
*/
#define MQTT_PINGRESP_TIMEOUT_MS ( 5000U )

#endif /* ifndef CORE_MQTT_CONFIG_H_ */
214 changes: 214 additions & 0 deletions demos/fleet_provisioning/fleet_provisioning_keys_cert/demo_config.h
Original file line number Diff line number Diff line change
@@ -0,0 +1,214 @@
/*
* AWS IoT Device SDK for Embedded C 202211.00
* Copyright (C) 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy of
* this software and associated documentation files (the "Software"), to deal in
* the Software without restriction, including without limitation the rights to
* use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
* the Software, and to permit persons to whom the Software is furnished to do so,
* subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
* FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
* COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
* IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/

#ifndef DEMO_CONFIG_H_
#define DEMO_CONFIG_H_

/**************************************************/
/******* DO NOT CHANGE the following order ********/
/**************************************************/

/* Include logging header files and define logging macros in the following order:
* 1. Include the header file "logging_levels.h".
* 2. Define LIBRARY_LOG_NAME and LIBRARY_LOG_LEVEL.
* 3. Include the header file "logging_stack.h".
*/

/* Include header that defines log levels. */
#include "logging_levels.h"

/* Logging configuration for the Demo. */
#ifndef LIBRARY_LOG_NAME
#define LIBRARY_LOG_NAME "FLEET_PROVISIONING_DEMO"
#endif

#ifndef LIBRARY_LOG_LEVEL
#define LIBRARY_LOG_LEVEL LOG_INFO
#endif

#include "logging_stack.h"

/************ End of logging configuration ****************/

/**
* @brief Details of the MQTT broker to connect to.
*
* This is the Thing's Rest API Endpoint for AWS IoT.
*
* @note Your AWS IoT Core endpoint can be found in the AWS IoT console under
* Settings/Custom Endpoint, or using the describe-endpoint API.
*
* #define AWS_IOT_ENDPOINT "...insert here..."
*/

/**
* @brief AWS IoT MQTT broker port number.
*
* In general, port 8883 is for secured MQTT connections.
*
* @note Port 443 requires use of the ALPN TLS extension with the ALPN protocol
* name. When using port 8883, ALPN is not required.
*/
#define AWS_MQTT_PORT ( 8883 )

/**
* @brief Path of the file containing the server's root CA certificate.
*
* This certificate is used to identify the AWS IoT server and is publicly
* available. Refer to the AWS documentation available in the link below
* https://docs.aws.amazon.com/iot/latest/developerguide/server-authentication.html#server-authentication-certs
*
* Amazon's root CA certificate is automatically downloaded to the certificates
* directory from @ref https://www.amazontrust.com/repository/AmazonRootCA1.pem
* using the CMake build system.
*
* @note This certificate should be PEM-encoded.
* @note This path is relative from the demo binary created. Update
* ROOT_CA_CERT_PATH to the absolute path if this demo is executed from elsewhere.
*/
#ifndef ROOT_CA_CERT_PATH
#define ROOT_CA_CERT_PATH "certificates/AmazonRootCA1.crt"
#endif

/**
* @brief Path of the file containing the provisioning claim certificate. This
* certificate is used to connect to AWS IoT Core and use Fleet Provisioning
* APIs to provision the client device. This is used for the "Provisioning by
* Claim" provisioning workflow.
*
* For information about provisioning by claim, see the following AWS documentation:
* https://docs.aws.amazon.com/iot/latest/developerguide/provision-wo-cert.html#claim-based
*
* @note This certificate should be PEM-encoded. The certificate should be
* registered on AWS IoT Core beforehand. It should have an AWS IoT policy to
* allow it to access only the Fleet Provisioning APIs. An example policy for
* the claim certificates for this demo is available in the
* example_claim_policy.json file in the demo directory. In the example,
* replace <aws-region> with your AWS region, <aws-account-id> with your
* account ID, and <template-name> with the name of your provisioning template.
*
* #define CLAIM_CERT_PATH "...insert here..."
*/

/**
* @brief Path of the file containing the provisioning claim private key. This
* key corresponds to the provisioning claim certificate and is used to
* authenticate with AWS IoT for provisioning by claim.
*
* For information about provisioning by claim, see the following AWS documentation:
* https://docs.aws.amazon.com/iot/latest/developerguide/provision-wo-cert.html#claim-based
*
* @note This private key should be PEM-encoded.
*
* #define CLAIM_PRIVATE_KEY_PATH "...insert here..."
*/

/**
* @brief Name of the provisioning template to use for the RegisterThing
* portion of the Fleet Provisioning workflow.
*
* For information about provisioning templates, see the following AWS documentation:
* https://docs.aws.amazon.com/iot/latest/developerguide/provision-template.html#fleet-provision-template
*
* The example template used for this demo is available in the
* example_demo_template.json file in the demo directory. In the example,
* replace <provisioned-thing-policy> with the policy provisioned devices
* should have. The demo template uses Fn::Join to construct the Thing name by
* concatenating fp_demo_ and the serial number sent by the demo.
*
* @note The provisioning template MUST be created in AWS IoT before running the
* demo.
*
* #define PROVISIONING_TEMPLATE_NAME "...insert here..."
*/

/**
* @brief Serial number to send in the request to the Fleet Provisioning
* RegisterThing API.
*
* This is sent as a parameter to the provisioning template, which uses it to
* generate a unique Thing name. This should be unique per device.
*
* #define DEVICE_SERIAL_NUMBER "...insert here..."
*/

/**
* @brief Subject name to use when creating the certificate signing request (CSR)
* for provisioning the demo client with using the Fleet Provisioning
* CreateCertificateFromCsr APIs.
*
* This is passed to MbedTLS; see https://tls.mbed.org/api/x509__csr_8h.html#a954eae166b125cea2115b7db8c896e90
*/
#ifndef CSR_SUBJECT_NAME
#define CSR_SUBJECT_NAME "CN=Fleet Provisioning Demo"
#endif

/**
* @brief MQTT client identifier.
*
* No two clients may use the same client identifier simultaneously.
*
* @note The client identifier should match the Thing name per
* AWS IoT Security best practices:
* https://docs.aws.amazon.com/iot/latest/developerguide/security-best-practices.html
* However, it is not required for the demo to run.
*/
#ifndef CLIENT_IDENTIFIER
#define CLIENT_IDENTIFIER DEVICE_SERIAL_NUMBER
#endif

/**
* @brief Size of the network buffer for MQTT packets. Must be large enough to
* hold the GetCertificateFromCsr response, which, among other things, includes
* a PEM encoded certificate.
*/
#define NETWORK_BUFFER_SIZE ( 4096U )

/**
* @brief The name of the operating system that the application is running on.
* The current value is given as an example. Please update for your specific
* operating system.
*/
#define OS_NAME "Ubuntu"

/**
* @brief The version of the operating system that the application is running
* on. The current value is given as an example. Please update for your specific
* operating system version.
*/
#define OS_VERSION "18.04 LTS"

/**
* @brief The name of the hardware platform the application is running on. The
* current value is given as an example. Please update for your specific
* hardware platform.
*/
#define HARDWARE_PLATFORM_NAME "PC"

/**
* @brief The name of the MQTT library used and its version, following an "@"
* symbol.
*/
#include "core_mqtt.h"
#define MQTT_LIB "core-mqtt@" MQTT_LIBRARY_VERSION

#endif /* ifndef DEMO_CONFIG_H_ */
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iot:Connect"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iot:Publish",
"iot:Receive"
],
"Resource": [
"arn:aws:iot:<aws-region>:<aws-account-id>:topic/$aws/certificates/create/*",
"arn:aws:iot:<aws-region>:<aws-account-id>:topic/$aws/provisioning-templates/<template-name>/provision/*"
]
},
{
"Effect": "Allow",
"Action": "iot:Subscribe",
"Resource": [
"arn:aws:iot:<aws-region>:<aws-account-id>:topicfilter/$aws/certificates/create/*",
"arn:aws:iot:<aws-region>:<aws-account-id>:topicfilter/$aws/provisioning-templates/<template-name>/provision/*"
]
}
]
}
Loading

0 comments on commit 0c209c0

Please sign in to comment.