I'm using RTOS_SDK 1.5, with mbedTLS supporting TLS 1.2. Trying to connect to AWS Iot.
At first i have a certificate with eliptic curve. But i get the error -15488 MBEDTLS_ERR_PK_UNKNOWN_PK_ALG. The mbedTLS documentation (https://tls.mbed.org/api/pk_8h.html#a877b66447bfa2cd49c1b99f1dc887568) describes the error as
Key algorithm is unsupported (only RSA and EC are supported)
If EC is supported in mbedTLS, why i'm getting this error? The support to EC was removed for the RTOS_SDK?
Then i create a new certificate with RSA, and i'm getting the following error in the handshake -9984 MBEDTLS_ERR_X509_CERT_VERIFY_FAILED. I use the certificate in esp-open-rtos by SuperHouse (https://github.com/SuperHouse) and it works so is not the certificate.
Here is the code to establish the connection, i take it from the aws_iot example of SuperHouse, it is similar to the Mbedtls_demo example of Espressif:
Code: Select all
#include <esp_common.h>
#include <freertos/portmacro.h>
#include <lwip/sockets.h>
#include <ipv4/lwip/inet.h>
#include <lwip/netdb.h>
#include <lwip/sys.h>
#include <string.h>
// this must be ahead of any mbedtls header files so the local mbedtls/config.h can be properly referenced
#include "ssl_connection.h"
#define SSL_READ_TIMEOUT_MS 2000
const char *pers = "esp-tls";
static int handle_error(int err) {
#ifdef MBEDTLS_ERROR_C
char error_buf[100];
mbedtls_strerror(err, error_buf, 100);
printf("%s\n", error_buf);
#endif
printf("Error: %d\n", err);
return err;
}
void ssl_init(SSLConnection* conn) {
/*
* Initialize the RNG and the session data
*/
mbedtls_net_init(&conn->net_ctx);
mbedtls_ssl_init(&conn->ssl_ctx);
mbedtls_ssl_config_init(&conn->ssl_conf);
mbedtls_x509_crt_init(&conn->ca_cert);
mbedtls_x509_crt_init(&conn->client_cert);
mbedtls_pk_init(&conn->client_key);
mbedtls_ctr_drbg_init(&conn->drbg_ctx);
mbedtls_entropy_init(&conn->entropy_ctx);
}
int ssl_connect(SSLConnection* conn, const char* host, int port) {
int ret;
char buffer[8];
ret = mbedtls_ctr_drbg_seed(&conn->drbg_ctx, mbedtls_entropy_func,
&conn->entropy_ctx, (const unsigned char *) pers, strlen(pers));
if (ret < 0) {
return -1;
}
ret = mbedtls_x509_crt_parse(&conn->ca_cert,
(const unsigned char *) conn->ca_cert_str,
strlen(conn->ca_cert_str) + 1);
if (ret < 0) {
return handle_error(ret);
}
ret = mbedtls_x509_crt_parse(&conn->client_cert,
(const unsigned char *) conn->client_cert_str,
strlen(conn->client_cert_str) + 1);
if (ret < 0) {
return handle_error(ret);
}
ret = mbedtls_pk_parse_key(&conn->client_key,
(const unsigned char *) conn->client_key_str,
strlen(conn->client_key_str) + 1, NULL, 0);
if (ret != 0) {
return handle_error(ret);
}
snprintf(buffer, sizeof(buffer), "%d", port);
ret = mbedtls_net_connect(&conn->net_ctx, host, buffer, MBEDTLS_NET_PROTO_TCP);
if (ret != 0) {
return handle_error(ret);
}
ret = mbedtls_ssl_config_defaults(&conn->ssl_conf, MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
if (ret != 0) {
return handle_error(ret);
}
mbedtls_ssl_conf_authmode(&conn->ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
mbedtls_ssl_conf_rng(&conn->ssl_conf, mbedtls_ctr_drbg_random, &conn->drbg_ctx);
mbedtls_ssl_conf_read_timeout(&conn->ssl_conf, SSL_READ_TIMEOUT_MS);
mbedtls_ssl_conf_ca_chain(&conn->ssl_conf, &conn->ca_cert, NULL);
ret = mbedtls_ssl_conf_own_cert(&conn->ssl_conf, &conn->client_cert, &conn->client_key);
if (ret != 0) {
return handle_error(ret);
}
ret = mbedtls_ssl_setup(&conn->ssl_ctx, &conn->ssl_conf);
if (ret != 0) {
return handle_error(ret);
}
ret = mbedtls_ssl_set_hostname(&conn->ssl_ctx, host);
if (ret != 0) {
return handle_error(ret);
}
mbedtls_ssl_set_bio(&conn->ssl_ctx, &conn->net_ctx, mbedtls_net_send, NULL, mbedtls_net_recv_timeout);
while ((ret = mbedtls_ssl_handshake(&conn->ssl_ctx)) != 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ
&& ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
return handle_error(ret);
}
}
handle_error(ret);
vTaskDelay(5000 / portTICK_RATE_MS);
}
mbedtls_ssl_get_record_expansion(&conn->ssl_ctx);
ret = mbedtls_ssl_get_verify_result(&conn->ssl_ctx);
if (ret != 0) {
return handle_error(ret);
}
return ret;
}
In this post https://forums.aws.amazon.com/thread.jspa?threadID=219255 suggest to check the root CA certificate to validate the AWS IoT server certificate. I alredy check it.
Any idea or suggestion of what could be happen?
Thanks.