ESP32 + ATECC608 MQTT connection to AWS

Partners & Sponsors Espressif
1

Hi,

I am trying to connect to AWS from an ESP32 using certificates stored in ATECC608 Trust and Flex.

Before using the ATECC608, I had my certificates stored in the code with the following structure of project:

    /build
    /components
    /esp-aws-iot
    /esp-idf
    /mySource
        /certs
            device.crt
            device.key
            root_cert_auth.crt

With this structure all the project runs properly, however when I try to use the ATECC608 the MQTT connection gives me the following messages:

I (72710) coreMQTT: Establishing a TLS session to my_URL
I (72820) esp-tls-mbedtls: Initialize the ATECC interface…
D (74340) coreMQTT: Encoded size for length 103 is 1 bytes.
D (74340) coreMQTT: CONNECT packet remaining length=103 and packet size=105.
D (74340) coreMQTT: CONNECT packet size is 105 and remaining length is 103.
D (74350) coreMQTT: sendMessageVector: Bytes Sent=12, Bytes Remaining=93
D (74360) coreMQTT: sendMessageVector: Bytes Sent=2, Bytes Remaining=91
D (74370) coreMQTT: sendMessageVector: Bytes Sent=20, Bytes Remaining=71
D (74370) coreMQTT: sendMessageVector: Bytes Sent=2, Bytes Remaining=69
D (74380) coreMQTT: sendMessageVector: Bytes Sent=69, Bytes Remaining=0
E (74480) coreMQTT: A single byte was not read from the transport: transportStatus=-1.
E (74480) coreMQTT: CONNACK recv failed with status = MQTTRecvFailed.
E (74490) coreMQTT: MQTT connection failed with status = MQTTRecvFailed.
E (74490) coreMQTT: Connection with MQTT broker failed with status 4.
I (75510) coreMQTT: Sending MQTT DISCONNECT success with status=0.

I have checked the meaning of MQTTRecvFailed: The transport receive function failed.

I suppose that the problem is related to the new certificates, but I do not know which is the problem.

Thanks in advanced.
Regards
Iñaki

2

Hi, have you registered the new certificates on AWS IoT Core, and associated them with a policy that allows connect and other IoT operations needed?

3

Hi Archit,

First of all, thanks for your answer.

I don’t register the new certificate. When I didn’t use the ATECC608, I register them with JITR and the policy is attached automatically using a lambda function and it worked.

I think this is the properly way to do because doing manually it’s not suitable for us in production phase, maybe there is another option to register them automatically.

Anyway, in order to check that this is the problem I can register one and attach the policy manually. I will do it tomorrow, today I’m out of office.

Regards,
Iñaki

4

Hi Archit,

I have tried to register my certificate but AWS says that the certificate is not valid.

image
image815×797 60.3 KB

Sorry, the screen recorded is in Spanish.

The certificate which I am trying to upload is the one that “Trust Platform Design Suite” of Microchip generates. I can’t attach it, but this tool generates a zip file with the device’s, CA’s and signer’s certificates.

So, I can’t check if the problem is related with the policy or not.

How can I upload a certificate generated by the tool of Microchip?

Thanks and regards,
Iñaki

5

What output does openssl give for the cert? For example, if your cert is named device.pem, run: openssl x509 -in device.pem -text -noout. Perhaps the cert is not in PEM format?

If openssl can read the cert, then we can see if openssl can verify the cert using the CA.

Does the registration work selecting the option for using a cert not registered with AWS IoT?

As an aside, for another automatic option instead of JITR, there is JITP which requires uploading a CA cert and template, and generates Things for devices connecting with certs signed by that CA; though this doesn’t solve the immediate issue since its not working manually.

6

Also, enable AWS IoT debug logs which can provide some helpful information - Monitor AWS IoT using CloudWatch Logs - AWS IoT Core

7

Hi Archit,

This is the output that openssl gives me:

openssl x509 -in device.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6e:50:3e:a0:52:c6:98:d7:e0:be:24:d4:bf:b6:7f:21
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: O = Microchip Technology Inc, CN = Crypto Authentication Signer FFFFFFFF
        Validity
            Not Before: Apr 28 09:00:00 2023 GMT
            Not After : Apr 28 09:00:00 2028 GMT
        Subject: O = Microchip Technology Inc, CN = sn0123030405060708EE
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:71:f1:a7:0d:a3:79:a3:fd:ed:6b:50:10:bd:ad:
                    6e:1f:b9:e8:eb:a7:df:2c:4b:5c:67:d3:5e:ba:84:
                    da:09:e7:7a:e8:db:2c:cb:96:28:ee:eb:85:cd:aa:
                    b3:5c:92:e5:3e:1c:44:d5:5a:2b:a7:a0:24:aa:92:
                    60:3b:68:94:8a
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Agreement
            X509v3 Subject Key Identifier: 
                1A:90:B2:22:37:A4:51:B7:57:DD:36:D1:3A:85:2B:E1:3D:2E:F2:CA
            X509v3 Authority Key Identifier: 
                3A:BA:4C:C5:28:2C:B8:65:B9:E4:16:1A:60:AB:AC:5A:79:28:43:A7
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:45:02:21:00:8f:64:e7:b3:15:eb:9f:28:de:d1:a2:2d:fc:
        de:e8:06:ad:07:4c:b2:1b:cb:67:1f:53:a6:19:60:f3:bc:7c:
        d1:02:20:05:18:b8:c8:6f:78:1a:61:98:22:58:62:af:b1:6d:

I think it is ok.

However, I have tried to verify the cert using the CA through openssl and it can’t verify the cert:

openssl verify -CAfile root.crt device.crt 
O = Microchip Technology Inc, CN = sn0123030405060708EE
error 20 at 0 depth lookup: unable to get local issuer certificate
error device.crt: verification failed

I also try to verify it with the signer:

openssl verify -CAfile signer.crt device.crt
O = Microchip Technology Inc, CN = Crypto Authentication Signer FFFFFFFF
error 2 at 1 depth lookup: unable to get issuer certificate
error device.crt: verification failed

I don’t know what is wrong.

Regards
Iñaki

8

Hey @ialonsoERK, it’s been a bit since you posted this issue with your cert. I wanted to reach out and see if you were still looking for help on this or if you have figured out what your problem was?

9

Hi @skptak,

I can’t solve my problem. Now, I try to generate a new CA and certificates in order to understand all the process. I have written a script with all the steps and at the end of these steps I have my CA registered in AWS and these files:

  • rootCA.pem
  • deviceCert.key
  • deviceCert.crt

I copy them into my code into:

  • root_cert_auth.crt
  • client.key
  • client.crt

However, when I try to open the open the connection I receive the following message:
esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x2700

I think that the root_cert_auth.crt shouldn’t be my root_CA.crt. but I don’t know which certificate I have to write in that file and how to associated it with my CA.

Regards,
Iñaki

10

The root CA is should be Amazon root CA and you do not need to associate with your root ca.

11

Hello,

I have also tried this Amazon root CA, anyway I have tried it again now and I receive these messages:

E (214325) coreMQTT: A single byte was not read from the transport 2: transportStatus=-1.
E (214325) coreMQTT: CONNACK recv failed with status = MQTTRecvFailed.
E (214335) coreMQTT: MQTT connection failed with status = MQTTRecvFailed.
E (214345) coreMQTT: Connection with MQTT broker failed with status 4.

If I am not wrong, this means that my CA can’t verify the devive certificate. I have checked it with the following command:

openssl verify -verbose -CAfile rootCA.pem deviceCert.crt 
deviceCert.crt: OK

I can register manually my certificate into IOT core. Just in case, I copied my key and my certificate into the espressif files again, but I receive the same messages.

I haven’t any idea about what I am doing wrong.

Regards,
Iñaki

12

What is the policy attached to your certificate?

13

I attach it with a lambda function. looking fot this, I have realized that the certificate is registrating correctly in mi IOT Core. So I have to check the lambda function to attach the policy and how to create the object associated to my certificate.

14

The other day I said one thing wrong: I register my certificate with a lambda function but I attach the policy and I create the object with JITP and I hadn’t it created for my new CA.

Now, I have my own CA and my own certificates working. In the following days, I will try to store my keys and certificates into the ATECC608.

Regards and thanks for your help,
Iñaki

15

Thank you for reporting back.