aws / aws-iot-device-sdk-embedded-C

SDK for connecting to AWS IoT from a device using embedded C.
MIT License

How to use the mqtt_mutual_auth demo with a PreSigned broker url? #1889

Closed jkano closed 9 months ago

jkano commented 9 months ago

Hi,

In our company, we use the AWS IoT core using the PreSigned URL that our devices request using our API.

That URL is in the following format:

wss://a272tdymsn5n79-ats.iot.us-east-1.amazonaws.com/mqtt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA5LIR3OD4PB24IQ4T%2F20231002%2Fus-east-1%2Fiotdevicegateway%2Faws4_request&X-Amz-Date=20231002T231441Z&X-Amz-SignedHeaders=host&X-Amz-Signature=4aa9a8d40c92557d21020e13d0bfcf114765a0910ce07f35a9c0e40910b8f4f7&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEBgaCXVzLWVhc3QtMSJHMEUCIDT5olr2kPIQcsiA3E%2F0Borrj8HzGiSFCx7kcYw07ooUAiEA8NZQrUjSeyj8U10drMAMlICejsUMHgdCfIKw%2B7YnlvkqkQQIIBAAGgw5MTc1NDk4Mzg1ODQiDEKHBeDA2l%2BR%2B9M8BCruA0vSdbhsbAiZFdPgkAwL%2Bf0Ey4SHmAXt5X613gAcrwkGAXiHEmXd6h6%2BcjYse9OB4JJG5ZVzOuGSADFuOI7O67%2Fgx6W2ZFOSFVQt1AwhMTFOsolEmLfwvUb%2B1uwoMbN7SoNi9z2F4JS6%2F5SxDLSvoc4iDgxeCpjFQEAbb34ZZepsXH6ZuHNUnIHpYXEJ6WEpYCElsteCLXflW8sYO7FBjmJTZ89ps8pvdzdIlH5eaXnhaT8rruSckp%2BEmknqpywrnGJSzFJX9CyHtM49UkGCCx7Qdoi0Vw5CUuyrKv9cxMsWXuotnQVnhHbD3SpKXVZNiLuMTeg59dYTzisdIpbDYRn0jjruloQ3spv0KyVMlt7gLqbmSCvq07%2BIm2zc4R6lpBt3eQlk9XjX2jgx9U7OCExwPsqnCb6pwsPeG0IRIry2OwT2iV7oDkdTYE5qIf55w4vZJt4o9fl1WzqEbX36LJUuBl908xjiwlDVh5Y41oPgs0TkYH2jLlYsZwLxMdaPXWtRpBW6v1kObu8Kih2ctZSYpbCSFFgJd9xJywL6JqWD2XQ95fv8BA9ecXu7TDL6nLhB5grb4BZiGH9gYLhHEXF3Qb2SQpaTf3mPua0B9jbtcQKRRWGGaJgxqV8uWvylYU3jhAfyYFxSpoJBdT57MOCd7agGOoUCXjnipe3QNWaGIcvDnOM8StRntYsIMoLmtvEvfCGRIoLSCFRizbL3AYRMEoKuq4hVlV2kkdZ66fSUwrmXj9iqlPKKmS6TpilWToPL%2FRCxZeykJOSvkqALn5zAHvZbkpJvx6oedyWkRVqIagGDg0WdNVN%2Fb327GZizaM2OHjF53JZkgyzip%2BLqM6MJHAWuFyoyVnU37lUfH274rlwRC6YYKTO8Qv%2FQ9IcHJn4bwArRd5F2QtHkmfNxZ7%2BVzm4%2Btyo%2B1Xp8p5ktYyP3TXsVUfYECPJ25MNHj4jtbJjKdl5A6AU17h8HHqiapLVEa7zov0Oj2fsuLhCRzhXR1feVyIuCAdQFD8b%2B

As you can see, after the path there are some query parameters that are passed to the request with an embedded token.

We don't have client certificates per device because the devices are created on the go after the device is commissioned; the idea is for the user to be able to flash their devices with our firmware and be able to use our API and app.

So we don't have a CLIENT_CERT_PATH or CLIENT_PRIVATE_KEY_PATH for the demo, something that seems to be mandatory in this library.

If I define CLIENT_CERT_PATH and CLIENT_PRIVATE_KEY_PATH pointing to empty files and define AWS_IOT_ENDPOINT as the full URL, I get the following error:

[INFO] [DEMO] [mqtt_demo_mutual_auth.c:677] Establishing a TLS session to a272tdymsn5n79-ats.iot.us-east-1.amazonaws.com/mqtt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA5LIR3OD4PB24IQ4T%2F20231002%2Fus-east-1%2Fiotdevicegateway%2Faws4_request&X-Amz-Date=20231002T231441Z&X-Amz-SignedHeaders=host&X-Amz-Signature=4aa9a8d40c92557d21020e13d0bfcf114765a0910ce07f35a9c0e40910b8f4f7&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEBgaCXVzLWVhc3QtMSJHMEUCIDT5olr2kPIQcsiA3E%2F0Borrj8HzGiSFCx7kcYw07ooUAiEA8NZQrUjSeyj8U10drMAMlICejsUMHgdCfIKw%2B7YnlvkqkQQIIBAAGgw5MTc1NDk4Mzg1ODQiDEKHBeDA2l%2BR%2B9M8BCruA0vSdbhsbAiZFdPgkAwL%2Bf0Ey4SHmAXt5X613gAcrwkGAXiHEmXd6h6%2BcjYse9OB4JJG5ZVzOuGSADFuOI7O67%2Fgx6W2ZFOSFVQt1AwhMTFOsolEmLfwvUb%2B1uwoMbN7SoNi9z2F4JS6%2F5SxDLSvoc4iDgxeCpjFQEAbb34ZZepsXH6ZuHNUnIHpYXEJ6WEpYCElsteCLXflW8sYO7FBjmJTZ89ps8pvdzdIlH5eaXnhaT8rruSckp%2BEmknqpywrnGJSzFJX9CyHtM49UkGCCx7Qdoi0Vw5CUuyrKv9cxMsWXuotnQVnhHbD3SpKXVZNiLuMTeg59dYTzisdIpbDYRn0jjruloQ3spv0KyVMlt7gLqbmSCvq07%2BIm2zc4R6lpBt3eQlk9XjX2jgx9U7OCExwPsqnCb6pwsPeG0IRIry2OwT2iV7oDkdTYE5qIf55w4vZJt4o9fl1WzqEbX36LJUuBl908xjiwlDVh5Y41oPgs0TkYH2jLlYsZwLxMdaPXWtRpBW6v1kObu8Kih2ctZSYpbCSFFgJd9xJywL6JqWD2XQ95fv8BA9ecXu7TDL6nLhB5grb4BZiGH9gYLhHEXF3Qb2SQpaTf3mPua0B9jbtcQKRRWGGaJgxqV8uWvylYU3jhAfyYFxSpoJBdT57MOCd7agGOoUCXjnipe3QNWaGIcvDnOM8StRntYsIMoLmtvEvfCGRIoLSCFRizbL3AYRMEoKuq4hVlV2kkdZ66fSUwrmXj9iqlPKKmS6TpilWToPL%2FRCxZeykJOSvkqALn5zAHvZbkpJvx6oedyWkRVqIagGDg0WdNVN%2Fb327GZizaM2OHjF53JZkgyzip%2BLqM6MJHAWuFyoyVnU37lUfH274rlwRC6YYKTO8Qv%2FQ9IcHJn4bwArRd5F2QtHkmfNxZ7%2BVzm4%2Btyo%2B1Xp8p5ktYyP3TXsVUfYECPJ25MNHj4jtbJjKdl5A6AU17h8HHqiapLVEa7zov0Oj2fsuLhCRzhXR1feVyIuCAdQFD8b%2B:443.

[ERROR] [Sockets] [sockets_posix.c:135] Failed to resolve DNS: Hostname=a272tdymsn5n79-ats.iot.us-east-1.amazonaws.com/mqtt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA5LIR3OD4PB24IQ4T%2F20231002%2Fus-east-1%2Fiotdevicegateway%2Faws4_request&X-Amz-Date=20231002T231441Z&X-Amz-SignedHeaders=host&X-Amz-Signature=4aa9a8d40c92557d21020e13d0bfcf114765a0910ce07f35a9c0e40910b8f4f7&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEBgaCXVzLWVhc3QtMSJHMEUCIDT5olr2kPIQcsiA3E%2F0Borrj8HzGiSFCx7kcYw07ooUAiEA8NZQrUjSeyj8U10drMAMlICejsUMHgdCfIKw%2B7YnlvkqkQQIIBAAGgw5MTc1NDk4Mzg1ODQiDEKHBeDA2l%2BR%2B9M8BCruA0vSdbhsbAiZFdPgkAwL%2Bf0Ey4SHmAXt5X613gAcrwkGAXiHEmXd6h6%2BcjYse9OB4JJG5ZVzOuGSADFuOI7O67%2Fgx6W2ZFOSFVQt1AwhMTFOsolEmLfwvUb%2B1uwoMbN7SoNi9z2F4JS6%2F5SxDLSvoc4iDgxeCpjFQEAbb34ZZepsXH6ZuHNUnIHpYXEJ6WEpYCElsteCLXflW8sYO7FBjmJTZ89ps8pvdzdIlH5eaXnhaT8rruSckp%2BEmknqpywrnGJSzFJX9CyHtM49UkGCCx7Qdoi0Vw5CUuyrKv9cxMsWXuotnQVnhHbD3SpKXVZNiLuMTeg59dYTzisdIpbDYRn0jjruloQ3spv0KyVMlt7gLqbmSCvq07%2BIm2zc4R6lpBt3eQlk9XjX2jgx9U7OCExwPsqnCb6pwsPeG0IRIry2OwT2iV7oDkdTYE5qIf55w4vZJt4o9fl1WzqEbX36LJUuBl908xjiwlDVh5Y41oPgs0TkYH2jLlYsZwLxMdaPXWtRpBW6v1kObu8Kih2ctZSYpbCSFFgJd9xJywL6JqWD2XQ95fv8BA9ecXu7TDL6nLhB5grb4BZiGH9gYLhHEXF3Qb2SQpaTf3mPua0B9jbtcQKRRWGGaJgxqV8uWvylYU3jhAfyYFxSpoJBdT57MOCd7agGOoUCXjnipe3QNWaGIcvDnOM8StRntYsIMoLmtvEvfCGRIoLSCFRizbL3AYRMEoKuq4hVlV2kkdZ66fSUwrmXj9iqlPKKmS6TpilWToPL%2FRCxZeykJOSvkqALn5zAHvZbkpJvx6oedyWkRVqIagGDg0WdNVN%2Fb327GZizaM2OHjF53JZkgyzip%2BLqM6MJHAWuFyoyVnU37lUfH274rlwRC6YYKTO8Qv%2FQ9IcHJn4bwArRd5F2QtHkmfNxZ7%2BVzm4%2Btyo%2B1Xp8p5ktYyP3TXsVUfYECPJ25MNHj4jtbJjKdl5A6AU17h8HHqiapLVEa7zov0Oj2fsuLhCRzhXR1feVyIuCAdQFD8b%2B, ErrorCode=-2.

Which is understandable, because it's treating the full URL as the hostname. So, if I set AWS_IOT_ENDPOINT to only the host a272tdymsn5n79-ats.iot.us-east-1.amazonaws.com, I get the following error:

[INFO] [DEMO] [mqtt_demo_mutual_auth.c:677] Establishing a TLS session to a272tdymsn5n79-ats.iot.us-east-1.amazonaws.com:443.
[DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:197] Attempting to open Root CA certificate: Path=/home/jose/aws-iot-device-sdk-embedded-C/build/bin/certificates/AmazonRootCA1.crt.
[DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:383] Successfully imported root CA.
[DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:493] Setting ALPN protos.
[DEBUG] [Transport_OpenSSL_Sockets] [openssl_posix.c:540] Setting server name a272tdymsn5n79-ats.iot.us-east-1.amazonaws.com for SNI.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:280] SSL_connect failed to perform TLS handshake.
[ERROR] [Transport_OpenSSL_Sockets] [openssl_posix.c:696] Failed to establish a TLS connection.
[WARN] [DEMO] [mqtt_demo_mutual_auth.c:716] Connection to the broker failed. Retrying connection after 453 ms backoff

I tried with an MQTT client software called MQTTX, and it can connect to the broker using the host, path and port that I have.


So I know the MQTT broker works and I can use it without any issues in the MQTTX client.

So my question is: is there a way to support connecting to MQTT over secure WebSocket using presigned URLs with this library?

Thanks!
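As an added illustration of the split the question describes (example code, not part of the SDK or of this issue): a small parser that separates the host the socket layer should resolve and use for SNI from the path and signed query that belong in the WebSocket upgrade request, and checks that the mandatory SigV4 query parameters are present. The host, credential and token values in the sample URL are constructed placeholders.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not SDK code: split a presigned "wss://host[:port]/path?query" URL into
 * the TLS/SNI host, the TCP port, and the request-target for the HTTP Upgrade line. */
#define WSS_MAX_HOST   256
#define WSS_MAX_TARGET 2048
typedef struct {
    char host[WSS_MAX_HOST];     /* the only part to resolve and to use for SNI */
    unsigned short port;         /* 443 unless the URL says otherwise */
    char target[WSS_MAX_TARGET]; /* "/mqtt?X-Amz-..." carries a temporary credential: never log it */
    bool has_sigv4;              /* all mandatory SigV4 query parameters are present */
} wss_url_t;
/* Constructed sample with placeholder credential values (not a real presigned URL). */
static const char SAMPLE_URL[] = "wss://example-ats.iot.us-east-1.amazonaws.com/mqtt?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIDEXAMPLE%2F20231002%2Fus-east-1%2Fiotdevicegateway%2Faws4_request&X-Amz-Date=20231002T231441Z"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=PLACEHOLDER_SIG&X-Amz-Security-Token=PLACEHOLDER_TOKEN";
/* True if "name=" occurs as a whole query parameter, not as the tail of another name. */
static bool has_param(const char *query, const char *name)
{
    size_t n = strlen(name);
    for (const char *p = query; (p = strstr(p, name)) != NULL; p += n)
        if ((p == query || p[-1] == '&') && p[n] == '=') return true;
    return false;
}
/* Returns 0 and fills *out on success, -1 on malformed input. */
int wss_url_parse(const char *url, wss_url_t *out)
{
    static const char *const required[] = { "X-Amz-Algorithm", "X-Amz-Credential",
                                            "X-Amz-Date", "X-Amz-SignedHeaders", "X-Amz-Signature" };
    if (strncmp(url, "wss://", 6) != 0) return -1;
    const char *authority = url + 6;
    const char *path = strchr(authority, '/');
    size_t auth_len = path ? (size_t)(path - authority) : strlen(authority);
    const char *colon = memchr(authority, ':', auth_len);
    size_t host_len = colon ? (size_t)(colon - authority) : auth_len;
    if (host_len == 0 || host_len >= WSS_MAX_HOST) return -1;
    memset(out, 0, sizeof *out);
    memcpy(out->host, authority, host_len);
    long port = colon ? strtol(colon + 1, NULL, 10) : 443;
    if (port <= 0 || port > 65535) return -1;
    out->port = (unsigned short)port;
    const char *target = path ? path : "/";
    if (strlen(target) >= WSS_MAX_TARGET) return -1;
    strcpy(out->target, target);
    const char *query = strchr(target, '?');   /* NULL when the URL carries no query at all */
    out->has_sigv4 = true;
    for (size_t i = 0; i < sizeof required / sizeof required[0]; i++)
        if (!query || !has_param(query + 1, required[i])) out->has_sigv4 = false;
    return 0;
}
```

With the pieces separated, only `host` goes to DNS and SNI, while `target` is what the client writes into the WebSocket upgrade request.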

chinglee-iot commented 9 months ago

We would like to suggest that you post this question in the FreeRTOS forum. There will be more support from the community, and your question can also benefit the forum users. GitHub issues will be used primarily for bug tracking in this repository. I am going to close this as this is not a bug. Looking forward to seeing your post in the FreeRTOS Forum.