Closed sweta98 closed 4 weeks ago
Hello @sweta98 ,
Thank you very much for your submission.
From a first guess, I think this might be an issue with the way you are providing certificate.
Could you please provide the following information:
The log associated with the behavior. To enable the log, you will need to call InitializeLogging. You can look at our integration test for a good example of how this function works.
SDK version being used (I am assuming that you are using the latest version of the aws-iot-device-sdk-cpp-v2 released as of today: v1.24.3) In the meantime, I'll attempt to reproduce the issue.
Thank you very much for your time and collaboration. Sincerely, Best regards,
Yasmine
Hi Yasmine,
Please find the logs:
[INFO] [2023-07-06T15:52:26Z] [00001700] [pki-utils] - static: loading certificate chain with 1 certificates.
Loaded 'C:\Windows\SysWOW64\ncryptprov.dll'.
Loaded 'C:\Windows\SysWOW64\profapi.dll'.
[ERROR] [2023-07-06T15:52:26Z] [00001700] [pki-utils] - static: failed to import ecc key with status -2146893783, last error 0
[ERROR] [2023-07-06T15:52:26Z] [00001700] [tls-handler] - static: failed to import certificate and private key with error 46.
Client Configuration initialization failed with error aws-c-common: AWS_ERROR_SYS_CALL_FAILURE, System call failure
[DEBUG] [2023-07-06T15:52:28Z] [00001700] [tls-handler] - static: This library was built with Windows 8.1 or later, probing OS to see what we're actually running on.
[DEBUG] [2023-07-06T15:52:28Z] [00001700] [tls-handler] - static: We're running on Windows 8.1 or later. ALPN is available.
[DEBUG] [2023-07-06T15:52:28Z] [00001700] [tls-handler] - static: This library was built with Windows 8.1 or later, probing OS to see what we're actually running on.
[DEBUG] [2023-07-06T15:52:28Z] [00001700] [tls-handler] - static: We're running on Windows 8.1 or later. ALPN is available.
[DEBUG] [2023-07-06T15:52:28Z] [00001700] [tls-handler] - static: loading custom CA file.
[INFO] [2023-07-06T15:52:28Z] [00001700] [pki-utils] - static: loading 3 certificates in cert chain for use as a CA
[DEBUG] [2023-07-06T15:52:28Z] [00001700] [tls-handler] - static: certificate and key have been set, setting them up now.
[INFO] [2023-07-06T15:52:28Z] [00001700] [pki-utils] - static: loading certificate chain with 1 certificates.
Client Configuration initialization failed with error aws-c-common: AWS_ERROR_SYS_CALL_FAILURE, System call failure
[ERROR] [2023-07-06T15:52:28Z] [00001700] [pki-utils] - static: failed to import ecc key with status -2146893783, last error 0
[ERROR] [2023-07-06T15:52:28Z] [00001700] [tls-handler] - static: failed to import certificate and private key with error 46.
[DEBUG] [2023-07-06T15:52:32Z] [00001700] [tls-handler] - static: This library was built with Windows 8.1 or later, probing OS to see what we're actually running on.
[DEBUG] [2023-07-06T15:52:32Z] [00001700] [tls-handler] - static: We're running on Windows 8.1 or later. ALPN is available.
[DEBUG] [2023-07-06T15:52:32Z] [00001700] [tls-handler] - static: This library was built with Windows 8.1 or later, probing OS to see what we're actually running on.
[DEBUG] [2023-07-06T15:52:32Z] [00001700] [tls-handler] - static: We're running on Windows 8.1 or later. ALPN is available.
[DEBUG] [2023-07-06T15:52:32Z] [00001700] [tls-handler] - static: loading custom CA file.
[INFO] [2023-07-06T15:52:32Z] [00001700] [pki-utils] - static: loading 3 certificates in cert chain for use as a CA
[DEBUG] [2023-07-06T15:52:32Z] [00001700] [tls-handler] - static: certificate and key have been set, setting them up now.
[INFO] [2023-07-06T15:52:32Z] [00001700] [pki-utils] - static: loading certificate chain with 1 certificates.
Client Configuration initialization failed with error aws-c-common: AWS_ERROR_SYS_CALL_FAILURE, System call failure
[ERROR] [2023-07-06T15:52:32Z] [00001700] [pki-utils] - static: failed to import ecc key with status -2146893783, last error 0
[ERROR] [2023-07-06T15:52:32Z] [00001700] [tls-handler] - static: failed to import certificate and private key with error 46.
[DEBUG] [2023-07-06T15:52:40Z] [00001700] [tls-handler] - static: This library was built with Windows 8.1 or later, probing OS to see what we're actually running on.
[DEBUG] [2023-07-06T15:52:40Z] [00001700] [tls-handler] - static: We're running on Windows 8.1 or later. ALPN is available.
[DEBUG] [2023-07-06T15:52:40Z] [00001700] [tls-handler] - static: This library was built with Windows 8.1 or later, probing OS to see what we're actually running on.
[DEBUG] [2023-07-06T15:52:40Z] [00001700] [tls-handler] - static: We're running on Windows 8.1 or later. ALPN is available.
[DEBUG] [2023-07-06T15:52:40Z] [00001700] [tls-handler] - static: loading custom CA file.
Its an issue with the certificate and key. We have our certificate and key as const vector
Aws::Crt::String convertPrivateKeyDerToPem(const std::vector<uint8_t>& derPrivateKey)
{
mbedtls_pk_context pk;
mbedtls_pk_init(&pk);
int ret = mbedtls_pk_parse_key(&pk, derPrivateKey.data(), derPrivateKey.size(), nullptr, 0);
if(ret != 0)
{
// Handle error
return "";
}
size_t bufferSize = 8192; // Increased buffer size
unsigned char* buffer = new unsigned char[bufferSize];
if (!buffer)
{
// Handle error: Couldn't allocate memory
return "";
}
ret = mbedtls_pk_write_key_pem(&pk, buffer, bufferSize);
if(ret != 0)
{
// Handle error
delete[] buffer;
return "";
}
Aws::Crt::String pemPrivateKey(reinterpret_cast<char*>(buffer));
mbedtls_pk_free(&pk);
delete[] buffer;
return pemPrivateKey;
}
Aws::Crt::String convertDerToPem(const std::vector<uint8_t>& derCertificate)
{
mbedtls_x509_crt crt;
mbedtls_x509_crt_init(&crt);
if(mbedtls_x509_crt_parse_der(&crt, derCertificate.data(), derCertificate.size()) != 0) {
// Error handling
return "";
}
unsigned char buffer[8192]; // Buffer size can be adjusted as needed
size_t len;
if(mbedtls_pem_write_buffer( "-----BEGIN CERTIFICATE-----\n", "-----END CERTIFICATE-----\n",
derCertificate.data(), derCertificate.size(), buffer, sizeof(buffer), &len) != 0) {
// Error handling
return "";
}
mbedtls_x509_crt_free(&crt);
return Aws::Crt::String(reinterpret_cast<char*>(buffer), len);
}
The SDK version is v1.24.3
Can you advise what might be going wrong and how can we fix it? Like version 1 had MBedTLS support, does version 2 have it too? Thank you in advance!
Hello @sweta98 ,
Thank you very much for this information and for your collaboration. Would you be able to step in all the way through the failing call?
Best regards,
Yasmine
Hello @yasminetalby, Thank you for your response! I was able to step in all the way through, this is where the error occurs - aws-iot-device-sdk-cpp-v2\src\crt\aws-crt-cpp\crt\aws-c-io\source\windows\secure_channel_tls_handler.c
int err = aws_import_key_pair_to_cert_context(
alloc,
&cert_chain_cur,
&pk_cur,
is_client_mode,
&secure_channel_ctx->cert_store,
&secure_channel_ctx->pcerts,
&secure_channel_ctx->crypto_provider,
&secure_channel_ctx->private_key);
if (err) {
AWS_LOGF_ERROR(
AWS_LS_IO_TLS, "static: failed to import certificate and private key with error %d.", aws_last_error());
goto clean_up;
}
Stepping into the aws_import_key_pair_to_cert_context function:
Certificates seem to get added correctly. The private key type is AWS_CT_X509_ECC
In the file aws-iot-device-sdk-cpp-v2\src\crt\aws-crt-cpp\crt\aws-c-io\source\windows\windows_pki_utils.c
and function s_cert_context_import_ecc_private_key
, this throws the error :
status = NCryptImportKey(
crypto_prov,
0,
BCRYPT_ECCPRIVATE_BLOB,
&ncBufDesc,
&h_key,
(BYTE *)key_blob,
key_blob_size,
NCRYPT_OVERWRITE_KEY_FLAG);
if (status != ERROR_SUCCESS) {
AWS_LOGF_ERROR(
AWS_LS_IO_PKI,
"static: failed to import ecc key with status %d, last error %d",
status,
(int)GetLastError());
aws_raise_error(AWS_ERROR_SYS_CALL_FAILURE);
goto done;
}
Just wanted to make sure that there is support for Windows ECC key import.
Hello @sweta98 ,
Thank you very much for providing this information. We do support for Windows ECC key import (see PR).
I'll bring this up to the team, this is unexpected behavior. Thank you very much for your time and collaboration.
Sincerely,
Yasmine
Hi @yasminetalby Just wanted to follow up on the issue above. I was wondering if there's any progress or if I can provide any additional information to help move it forward.
Hello @sweta98 ,
Thank you very much for reaching out. We don't currently need more information. While this issue is being investigated I would like to suggest a potential workaround:
We do provide documentation for certificate generation in the IoT Core developer guide : https://docs.aws.amazon.com/iot/latest/developerguide/x509-client-certs.html
Best regards,
Yasmine
Hi @yasminetalby Thanks for providing the suggestions. We created a new certificate and key using the AWS Console. The key was a RSA key and that worked. We were able to connect successfully. Seems like the issue happens when the private key is in ECC format. But given the nature of our devices, we would need to stick to ECC as it's more efficient.
Hope this provides more context to the team.
Thanks and regards Sweta
Hi @sweta98, would you mind provide a test ecc cert/key you are using? Or could you describe how you generate the key? I tested with our ECC key (generated using openssl commands), and it seems working. However, we didnt test through mbedtls, it could be related. How about giving a shot at using a PEM format ECC key directly? This can help eliminate any potential issues introduced by mbedtls. It's worth exploring as an alternative approach.
@xiazhvera Here's a test certificate and key: CERTIFICATE : "MIICjjCCAXagAwIBAgIUSu8ioQgKL3zLEggWtF5xyGzyQq4wDQYJKoZIhvcNAQELBQAwTTFLMEkGA1UECwxCQW1hem9uIFdlYiBTZXJ2aWNlcyBPPUFtYXpvbi5jb20gSW5jLiBMPVNlYXR0bGUgU1Q9V2FzaGluZ3RvbiBDPVVTMB4XDTIzMDcxMjE2NTMyMVoXDTQ5MTIzMTIzNTk1OVowHjEcMBoGA1UEAxMTQVdTIElvVCBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE1HvTjFlRcFsP+z3plhxgeaktvJUyiIssIDFWiFjAKIU+Z608oMqG7MH8v3PVQO9pwRHheU5kCQHUW2yKivCsajYDBeMB8GA1UdIwQYMBaAFHpUFtUUHy8lmsQNDKXVDbkvwhNIMB0GA1UdDgQWBBQ25aSILhXp8QRCI4xPTUnI/TEGYjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAHq6ehtXuszQew3oIXQ8cj58Uet8IQroe33ySWDZBk8kgwwJsPo7ed5vjSO1pag+mZNJnqna7r3Ri2zsGEXRIMGVmeMuaU2fgsfLYf99J3JxVy3X4CfrEIJtTc1T6QJaVcGoc1CT9ErGA/+3rzQ+1bdTlIFdrpe8rMflxrILX0sNTdv6Hmkyliz8VHcqRGsbnH5NWapjHl/CgaQo+E6RA7cLaOt//jVvMfmeX1Ct2oQJ/qA2esxUv91XgjW5ldPhHlNe3s8q/f/nRiYZBvegw0Tr4CMvsmCAHaJ2nxJ3QEXArvR6onfVXWr4n8wHnVhqnwoCCFJVgT297nD0ifjcEmA==" PRIVATE_KEY : "MHgCAQEEIQC+e/hEsd6woNRNkZhwmA8kbP3UvwUWJioFJDcLdMZu2KAKBggqhkjOPQMBB6FEA0IABE1HvTjFlRcFsP+z3plhxgeaktvJUyiIssIDFWiFjAKIU+Z608oMqG7MH8v3PVQO9pwRHheU5kCQHUW2yKivCsY=" We need to store they key and certificate in DER format, so I have a helper function that helps fetch the files and convert it to PEM before passing it to the MQTTClientConfigBuilder
Hi @sweta98, I tested with the key you provided, but the OS failed to import the credentials. It seems that the key was not converted correctly. With a quick research online, it seems that you would need to setup the key as ECC format when parse it. Checkout the post here: https://stackoverflow.com/questions/54764933/parse-a-ecc-private-key-buffer. As I'm not familiar with mbedtls library, let me know if it helps. Meanwhile, it might help if you could provide the tool/library you used to generate the DER credentials so that we could try it out on our side.
Hi @xiazhvera Apologies for the late response. Thank you for providing the link, will try that and get back to you on this. The credentials are generated using the CreateCertificateFromCsrRequest() from the SDK
@xiazhvera We are doing the same way the Stackoverflow post states, and have validated the ECC key. Following up on the discussion above, hoping the information I provided is helpful. Let me know if there is anything else I need to provide.
@sweta98 can you provide a quick summary for how you are creating your ECC key? We've been able to successfully create a working ECC key, so I would like to make sure we're trying to reproduce this error in the same way that you are using it.
Greetings! It looks like this issue hasn’t been active in longer than a week. We encourage you to check if this is still an issue in the latest release. Because it has been longer than a week since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or add an upvote to prevent automatic closure, or if the issue is already closed, please feel free to open a new one.
Describe the bug
Hi, I'm upgrading our thing's SDK version from 1 to 2 and trying to set up the MQTT Client connection similar to the pub sub sample. We are getting the client config ready with the following:
Aws::Iot::MqttClientConnectionConfigBuilder::Build()
On debugging and stepping into the build function, we found it errors out here:We dont use BYO_CRYPTO and Metrics collection is set to false. We stepped into the TLSOptions.cpp to see what is the exact error and here is where we get AWS_ERROR_SYS_CALL_FAILURE:
the mode is CLIENT but it never enters m_ctx.reset(), we get an error with code 46 in the last if block for checking m_ctx. Can you please advise? thanks
Expected Behavior
I expected the MQTTClientCOnfigBuilder to build successfully and establish a TLS connection
Current Behavior
On building the MQTTClientCOnfigBuilder using the build(), it errors out with AWS_ERROR_SYS_CALL_FAILURE.
Reproduction Steps
Here's the code snippet for the MQTT connection for our device:
Error is thrown in this segment:
Possible Solution
No response
Additional Information/Context
No response
SDK version used
2
Environment details (OS name and version, etc.)
Windows