Reputation: 31
My program, linked with Paho SDK C library, works fine connecting to a UNIX-hosted Mosquitto MQTT Broker. The required SSL/TLS connection involved self-signed certificate generation. Those same client certificate sets work with "MQTT Explorer" and MQTT-spy. The 3 required certificates in each client-set are:
They are generated using OpenSSL from the terminal, are all in PEM (text) X.509 format, and constitute the minimum certificate info that must be built in and handled by each client. The program I'm developing talks to my Mosquitto Broker configured with:
Quite straightforward with the Paho SDK. Clients connected, all working great!
I need to get this client program working on an STM32 board. I have ST.com MQTT example code running against mosquitto.org's test broker. I implemented a Mosquitto Broker on my LAN, to which all my Paho SDK programs connect, but the converted MQTT example code does not. (The Azure SDK is horribly complicated). I had my STM32 board client-program working with anonymous access over SSL/TLS with one certificate installed. Initialized with this code (surrounded by other required Azure SDK calls):
nx_secure_x509_certificate_initialize(trusted_certificate_ptr, (UCHAR *)ca_crt_der, sizeof(ca_crt_der), NX_NULL, 0, NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
(returns TX_SUCCESS here)
nx_secure_tls_trusted_certificate_add(TLS_session_ptr, trusted_certificate_ptr);
(returns TX_SUCCESS here too)
That only introduces one of the 3 required certificates, with the PEM/X.509 format converted to a C header hex-code array using:
openssl base64 -d -in ../ca/ca.crt -out ca.crt.der
xxd -i ca.crt.der > ca.crt.der.h
I cannot figure out how to properly extend this certificate introduction code to include all three (required) certificates needed for SSL/TLS connections.
I have tried adding one more "initialize"/"add" block:
nx_secure_x509_certificate_initialize(trusted_certificate_ptr, (UCHAR *)client_crt_der, sizeof(client_crt_der), NX_NULL, 0, (UCHAR *)client_key_der, sizeof(client_key_der), NX_SECURE_X509_KEY_TYPE_EC_DER);
(Returns fail (0x18a) here)
nx_secure_tls_trusted_certificate_add(TLS_session_ptr, trusted_certificate_ptr);
Here, the client_key_der was produced using:
openssl ec -inform pem -in client.key -outform der -out client.key.der
xxd -i client.key.der > client.key.der.h
I've also tried 3 separate "initialize"/"add" blocks without treating the client.key info as a different info type, i.e., the initial ca_crt_der (above) followed by these two "initialize"/"add" blocks:
nx_secure_x509_certificate_initialize(trusted_certificate_ptr, (UCHAR*)client_crt_der, (USHORT)sizeof(client_crt_der), NX_NULL, 0, NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
(returns TX_SUCCESS here)
nx_secure_tls_trusted_certificate_add(TLS_session_ptr, trusted_certificate_ptr);
(Returns fail (0x4d) here)
nx_secure_x509_certificate_initialize(trusted_certificate_ptr, (UCHAR*)client_key_der, (USHORT)sizeof(client_key_der), NX_NULL, 0, NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
nx_secure_tls_trusted_certificate_add(TLS_session_ptr, trusted_certificate_ptr);
I have no idea what I'm doing here. The Microsoft documentation does not seem to indicate how I should integrate the additional certificates. Do I need to create more space? Am I OK reusing the TLS_session_ptr and trusted_certificate_ptr structures, i.e. does the nx_secure_tls_trusted_certificate_add() copy the passed structure data or should I allocate new structure space? What else do I need to try?
I'm fumbling around like I'm flying a helicopter in the fog.
Any help would be appreciated.
Update #1, Apr 27th. @Shivanand Gowda: Thank you for the answer. Here's the author comment text above the Microsoft source of that nx_secure_tls_session_client_verify_enable() function:
/**************************************************************************/
/* */
/* FUNCTION RELEASE */
/* */
/* _nx_secure_tls_session_client_verify_enable PORTABLE C */
/* 6.1 */
/* AUTHOR */
/* */
/* Timothy Stapko, Microsoft Corporation */
/* */
/* DESCRIPTION */
/* */
/* This function enables Client Certificate Verification for TLS */
/* Server instances. If enabled, the TLS Server will request and */
/* verify a remote TLS Client Certificate using all available crypto */
/* signature routines. The certificate must have space allocated using */
/* nx_secure_tls_remote_certificate_allocate and will be checked */
/* against the trusted certificate store built using */
/* nx_secure_tls_trusted_certificate_add. */
/* */
/* Note that this will only happen for TLS Server sessions. Enabling */
/* Client Certificate Verification for TLS Client sessions will have */
/* no effect. */
I'm writing client code to talk to a Mosquitto Broker (server). Unfortunately, that function will likely do nothing in the client I'm writing :-(.
Upvotes: 0
Views: 535
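Before any of these xxd arrays reach nx_secure_x509_certificate_initialize() it is worth checking that each one is the kind of DER the parameter expects, because a certificate argument that is really a private key (the third attempt above) or PEM text that was never converted can only fail later with an opaque status code. The classifier below is an added example, not code from the question or from NetX Secure; it needs nothing beyond plain C, and the three arrays are constructed dummies standing in for real xxd -i output.

```c
#include <stddef.h>
#include <stdio.h>

/* Shape of a DER blob, judged from its outer SEQUENCE and first two elements:
 *   X509_CERT      Certificate    ::= SEQUENCE { tbsCertificate SEQUENCE, ... }   (RFC 5280)
 *   EC_KEY_SEC1    ECPrivateKey   ::= SEQUENCE { INTEGER 1, OCTET STRING, ... }    (RFC 5915, openssl ec -outform der)
 *   RSA_KEY_PKCS1  RSAPrivateKey  ::= SEQUENCE { INTEGER 0, INTEGER n, ... }       (PKCS#1)
 *   KEY_PKCS8      PrivateKeyInfo ::= SEQUENCE { INTEGER 0, SEQUENCE algId, ... }  (PKCS#8, openssl pkey -outform der)
 *   INVALID        anything else: PEM text never converted, an empty array, truncated data */
typedef enum { DER_INVALID, DER_X509_CERT, DER_EC_KEY_SEC1, DER_RSA_KEY_PKCS1, DER_KEY_PKCS8 } der_kind_t;
/* Parse one tag + definite-form length at p. Returns the header size, 0 on error. */
static size_t der_header(const unsigned char *p, size_t avail, unsigned char *tag, size_t *len)
{
    if (avail < 2) return 0;
    *tag = p[0];
    if (p[1] < 0x80) { *len = p[1]; return 2; }           /* short form */
    size_t n = p[1] & 0x7F;                               /* long form: n length octets follow */
    if (n == 0 || n > sizeof(size_t) || avail < 2 + n) return 0;
    *len = 0;
    for (size_t i = 0; i < n; i++) *len = (*len << 8) | p[2 + i];
    return 2 + n;
}
der_kind_t der_classify(const unsigned char *buf, size_t size)
{
    unsigned char tag; size_t len, h;
    h = der_header(buf, size, &tag, &len);
    if (h == 0 || tag != 0x30 || h + len != size) return DER_INVALID; /* one SEQUENCE must cover the whole blob */
    const unsigned char *p = buf + h, *end = buf + size;
    h = der_header(p, (size_t)(end - p), &tag, &len);
    if (h == 0 || len > (size_t)(end - p) - h) return DER_INVALID;
    if (tag == 0x30) return DER_X509_CERT;                /* first element is tbsCertificate */
    if (tag != 0x02 || len != 1) return DER_INVALID;      /* private keys open with a one-byte version INTEGER */
    unsigned char version = p[h]; p += h + len;           /* the second element tells the key formats apart */
    if (der_header(p, (size_t)(end - p), &tag, &len) == 0) return DER_INVALID;
    if (version == 1 && tag == 0x04) return DER_EC_KEY_SEC1;
    if (version == 0 && tag == 0x30) return DER_KEY_PKCS8;
    if (version == 0 && tag == 0x02) return DER_RSA_KEY_PKCS1;
    return DER_INVALID;
}

/* Constructed stand-ins for xxd -i arrays: the DER shapes are real, the contents are dummies. */
const unsigned char fake_cert_der[]   = { 0x30, 0x0b, 0x30, 0x03, 0x02, 0x01, 0x02, 0x30, 0x00, 0x03, 0x02, 0x00, 0xff };
const unsigned char fake_ec_key_der[] = { 0x30, 0x15, 0x02, 0x01, 0x01, 0x04, 0x04, 0xde, 0xad, 0xbe, 0xef,
                                          0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 };
const unsigned char fake_pem_text[]   = "-----BEGIN CERTIFICATE-----";     /* PEM that was never converted */

int main(void)
{   /* prints "1 2 0": certificate, EC key, invalid (PEM text) */
    printf("%d %d %d\n", der_classify(fake_cert_der, sizeof fake_cert_der),
           der_classify(fake_ec_key_der, sizeof fake_ec_key_der), der_classify(fake_pem_text, sizeof fake_pem_text));
    return 0;
}
```

On the API side, my reading of the NetX Secure sources (an assumption, not something this page states) is that the CA certificate belongs in the trusted store via nx_secure_tls_trusted_certificate_add, while the client certificate plus its key is registered as the session's identity with nx_secure_tls_local_certificate_add, and that each certificate needs its own NX_SECURE_X509_CERT because the store links the structure into a list rather than copying it.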
Reputation: 1
Looks like you have to enable it using this function: nx_secure_tls_session_client_verify_enable
UINT nx_secure_tls_session_client_verify_enable(NX_SECURE_TLS_SESSION *session_ptr);
Description
This service enables Client Certificate Authentication for a specific TLS session. Enabling Client Certificate Authentication for a TLS Server instance will cause the TLS Server to request a certificate from any remote TLS Client during the initial TLS handshake. The certificate received from the remote TLS Client is accompanied by a CertificateVerify message, which the TLS Server uses to verify that the Client owns the certificate (has access to the private key associated with that certificate).
If the provided certificate can be verified and traced back to a certificate in the TLS Server trusted certificate store via an X.509 certificate chain, the remote TLS Client is authenticated and the handshake proceeds. In case of any errors in processing the certificate or CertificateVerify message, the TLS handshake ends with an error.
Note
The TLS Server must have at least one certificate in its trusted store added with nx_secure_tls_trusted_certificate_add or authentication will always fail.
Upvotes: 0