Hello Everyone,
I am trying to connect to AWS using the mbedtls library over lwIP. When the handshake reaches the `case MBEDTLS_SSL_CERTIFICATE_VERIFY:` state, the function `ssl_write_certificate_verify` returns the error code -17168 (i.e. -0x4310). Where am I going wrong?
Any help would be appreciated. My TLS initialisation code is below:
const char *pers = “MT_TEST”;
/* Setup the thread callbacks */
mbedtls_threading_set_alt(threading_mutex_init_pthread,
threading_mutex_free_pthread, threading_mutex_lock_pthread,
threading_mutex_unlock_pthread);
/* initialize the different descriptors */
mbedtls_entropy_init( &stentropy );
ret = mbedtls_entropy_add_source(&stentropy, entropy_source, NULL, 128,
MBEDTLS_ENTROPY_SOURCE_STRONG);
if (ret != 0) {
mbedtls_entropy_free(&stentropy);
return -1;
}
mbedtls_ctr_drbg_init( &stctr_drbg );
if( ( ret = mbedtls_ctr_drbg_seed( &stctr_drbg, mbedtls_entropy_func, &stentropy,
(const unsigned char *) pers,
strlen(pers ) ) ) != 0 )
{
LWIP_DEBUGF(MQTT_APP_DEBUG_TRACE,( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret ));
printf( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
return -1;
}
mbedtls_ssl_init( &stssl );
mbedtls_ssl_config_init( &stconf );
/*
- First prepare the SSL configuration by setting the endpoint and transport type, and loading reasonable
- defaults for security parameters. The endpoint determines if the stconf/TLS layer will act as a server (MBEDTLS_SSL_IS_SERVER)
- or a client (MBEDTLS_SSL_IS_CLIENT). The transport type determines if we are using TLS (MBEDTLS_SSL_TRANSPORT_STREAM)
- or DTLS (MBEDTLS_SSL_TRANSPORT_DATAGRAM).
*/
if( ( ret = mbedtls_ssl_config_defaults( &stconf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{
LWIP_DEBUGF(MQTT_APP_DEBUG_TRACE,( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret ));
printf( " failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
return -1;
}
/* Set rsa_min_bitlen to 1024 for better compatibility */
crtProfile = mbedtls_x509_crt_profile_default;
crtProfile.rsa_min_bitlen = 1024;
mbedtls_ssl_conf_cert_profile(&stconf, &crtProfile);
mbedtls_x509_crt_init( &stcacert );
/* The authentication mode determines how strict the certificates that are presented are checked. */
#if CONFIG_USE_SERVER_VERIFICATION
#if CONFIG_USE_BROKER_ADAFRUIT
#error “no certificate?”
#elif CONFIG_USE_BROKER_AZURE
ret = mbedtls_x509_crt_parse(&stcacert, (const unsigned char *)mbedtls_azure_ca_crt, mbedtls_azure_ca_crt_len );
#elif CONFIG_USE_BROKER_MOSQUITTO_TEST
ret = mbedtls_x509_crt_parse(&stcacert, (const unsigned char *)mbedtls_mosquitto_test_ca_crt, mbedtls_mosquitto_test_ca_crt_len );
#elif CONFIG_USE_BROKER_LOCAL
ret = mbedtls_x509_crt_parse(&stcacert, (const unsigned char *)mbedtls_m2mqtt_srv_crt, mbedtls_m2mqtt_srv_crt_len );
#elif CONFIG_USE_BROKER_AWS
mbedtls_x509_crt_init( &stlocalcert );
mbedtls_pk_init(&stPKctx);
ret = mbedtls_x509_crt_parse(&stlocalcert, (const unsigned char *)client_cert_pem,
client_cert_pem_len );
if(ret != 0)
{
printf( " failed\n ! mbedtls_x509_crt_parse local cert returned -0x%x\n\n", -ret );
return -1;
}
ret = mbedtls_pk_parse_key(&stPKctx, (const unsigned char *)client_private_key_pem,
client_private_key_pem_len, NULL, 0);
if (ret != 0)
{
printf( " failed\n ! mbedtls_pk_parse_key returned -0x%x\n\n", -ret );
return -1;
}
ret = mbedtls_x509_crt_parse(&stcacert, (const unsigned char *)root_ca_pem, root_ca_pem_len );
if(ret != 0)
{
printf( " failed\n ! mbedtls_x509_crt_parse root CA returned -0x%x\n\n", -ret );
return -1;
}
ret = mbedtls_ssl_conf_own_cert(&stconf, &stlocalcert, &stPKctx);
if (ret != 0)
{
printf( " failed\n ! mbedtls_ssl_conf_own_cert returned -0x%x\n\n", -ret );
return -1;
}
#else
#error “unknown mqtt broker?”
#endif
if(ret != 0)
{
printf( " failed\n ! mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
}
mbedtls_ssl_conf_ca_chain( &stconf, &stcacert, NULL );
mbedtls_ssl_conf_authmode(&stconf, MBEDTLS_SSL_VERIFY_REQUIRED);
#else
mbedtls_ssl_conf_authmode(&stconf, MBEDTLS_SSL_VERIFY_NONE);
#endif
/* The library needs to know which random engine to use and which debug function to use as callback. */
mbedtls_ssl_conf_rng( &stconf, mbedtls_ctr_drbg_random, &stctr_drbg );
mbedtls_ssl_conf_dbg( &stconf, my_debug, stdout );
ret = mbedtls_ssl_setup(&stssl, &stconf);
if (ret != 0) {
LWIP_ASSERT(“mbedtls_ssl_setup failed. \n”, ret == 0);
/* TODO: convert ‘ret’ to err_t */
return ERR_MEM;
}
/* the SSL context needs to know the input and output functions it needs to use for sending out network traffic. */
mbedtls_ssl_set_bio(&ssl, &mqtt_client, mbedtls_net_send, mbedtls_net_recv, NULL);
return 0; /* no error */