AzureRTOS/ThreadX MQTTs (mutual TLS)

Davide Dalfra · ‎2024-11-05

Hello Community,

I'm setting up a test with NetxDuo + MQTT over TLS (aka MQTTs, port 8883) on a STM32F429NIx.
As far as i see from the example available it consider a scenario where the client verify the certs provided by the server with the supplied CA.

This could work, but it's not mutual-tls, while I'm trying to have a mTLS (mutual-tls ) where also the client_cert and client_key are used.

I see the tls_callback function specified in the nxd_mqtt_client_secure_connect have two NX_SECURE_X509_CERT * parameter.

UINT tls_setup_callback(NXD_MQTT_CLIENT *client_pt, NX_SECURE_TLS_SESSION *TLS_session_ptr, NX_SECURE_X509_CERT *certificate_ptr,   NX_SECURE_X509_CERT *trusted_certificate_ptr)

Always from the examples i see trusted_certificate_ptr is used for the CA, while the certificate_ptr for the cert received from the server.

Then my question is: where i have to load the client certs? Have i misunderstood the certificate_ptr parameter so i have to setup the client_cert/key here?

Does NetxDuo/MQTT support mTLS (mutualTLS) mqtt connection?

If someone could point me out where to watch at this, it would be really appreciated.

Regards

Davide

Guillaume K · ‎2024-11-05

Yes it is what I am saying.

The certificate_ptr is used to receive the server's certificate.

View solution in original post

Guillaume K · ‎2024-11-05

Hello

In tls_setup_callback(), after creating a session, try to use nx_secure_tls_local_certificate_add() with an initialized certificate for your client (initialized with nx_secure_x509_certificate_initialize()).

I think it is the server that decides to ask the client to provide a certificate .

For example, if you use mosquitto MQTT server, you must configure it for TLS with its own certificate and CA, and enable the option to require client certificates: "require_certificate true".

Of course, the client certificate must match with the CA configured in the server.

Davide Dalfra · ‎2024-11-05

Hello Guillaume,

Thanks for your reply.
In the meantime i got some progress and i done something like this in the tls_callback.

NX_SECURE_X509_CERT client_cert = { 0 };
UINT tls_setup_callback(NXD_MQTT_CLIENT *client_pt, NX_SECURE_TLS_SESSION *TLS_session_ptr, NX_SECURE_X509_CERT *certificate_ptr,   NX_SECURE_X509_CERT *trusted_certificate_ptr)
{
  UINT ret = NX_SUCCESS;
  NX_PARAMETER_NOT_USED(client_pt);

  /* Initialize TLS module */
  nx_secure_tls_initialize();

  /* Create a TLS session */
  ret = nx_secure_tls_session_create(TLS_session_ptr, &nx_crypto_tls_ciphers,
                                     crypto_metadata_client, sizeof(crypto_metadata_client));
  if (ret != TX_SUCCESS)
  {
    Error_Handler();
  }
  
  /* Need to allocate space for the certificate coming in from the broker. */
  memset((certificate_ptr), 0, sizeof(NX_SECURE_X509_CERT));

  /* Allocate space for packet reassembly. */
  ret = nx_secure_tls_session_packet_buffer_set(TLS_session_ptr, tls_packet_buffer,
                                                sizeof(tls_packet_buffer));
  if (ret != TX_SUCCESS)
  {
    Error_Handler();
  }

  /* allocate space for the certificate coming in from the remote host */
  ret = nx_secure_tls_remote_certificate_allocate(TLS_session_ptr, certificate_ptr,
                                                  tls_packet_buffer, sizeof(tls_packet_buffer));
  if (ret != TX_SUCCESS)
  {
    Error_Handler();
  }
  
  
  /*************************************** CA SECTIOn *****************************************/
  ret = nx_secure_x509_certificate_initialize(trusted_certificate_ptr, (UCHAR*)ca_der,
                                              ca_der_len, NX_NULL, 0, NULL, 0,
                                              NX_SECURE_X509_KEY_TYPE_NONE);
  
  
  if (ret != TX_SUCCESS)
  {
    MQTT_LOG("Certificate issue..\nPlease make sure that your X509_certificate is valid. \n");
    Error_Handler();
  }

  /* Add a CA Certificate to our trusted store */
  ret = nx_secure_tls_trusted_certificate_add(TLS_session_ptr, trusted_certificate_ptr);
  if (ret != TX_SUCCESS)
  {
    MQTT_LOG("Failed to load CA-certificate\n");
    Error_Handler();
  }
  

  /*******************************************************************************************/
  
  
  /************************************ CLIENT CERT SECTION ************************************/
  ret = nx_secure_x509_certificate_initialize(&client_cert, (UCHAR*)default_client_der,
                                              default_client_der_len, NX_NULL, 0, default_client_key_der, default_client_key_der_len,
                                              NX_SECURE_X509_KEY_TYPE_RSA_PKCS1_DER);
  if (ret != TX_SUCCESS)
  {
    MQTT_LOG("Failed to load client cert / key\n");
    Error_Handler();
  }
  
  
  ret = nx_secure_tls_local_certificate_add(TLS_session_ptr, &client_cert);
  if (ret != TX_SUCCESS)
  {
    Error_Handler();
  }
  
  /************************************************************************************************/
  


  
  


  return ret;
}

Basically i used an external object (declared before the function) and then loaded to the TLS_session_ptr.
Is this what you was saying , or is it more correct to initialize on the certificate_ptr?

Regards

Davide

Guillaume K · ‎2024-11-05

Yes it is what I am saying.

The certificate_ptr is used to receive the server's certificate.

Davide Dalfra · ‎2024-11-09

Great!

Thanks

Davide

theanhhds · ‎2025-01-24

Hi Davide,

I am having the same question as you in your original post. Can you please elaborate a little bit more of how did you load the CA, client_key and client_cert files into the project so that you can have the pointers to those?

Best wishes,

Anh

Davide Dalfra · ‎2025-01-24

Hi,

You simply import them into the project as simple files.
Remember to transform the certificate (usually .der format) to byte-array style. If you have the certificate in PEM , convert it to der by using openssl.

Once you get the .der format, you need to transform into a byte-array style: ST suggest xxd for doing that, but there's plenty of solutions(i.e. HxD).

Regards

Davide