First connection to MQTT broker after Fleet Provisioning Demo always fails

Greetings,

While developing a Fleet Provisioning (FP) application which runs on the Renesas RX65N MCU, I encountered a bug where the first MQTT connection after FP operation always fails.


However, the next connection retry attempt will be successful.

I referred to the reference code provided in this repo: Fleet_Provisioning_Windows_Simulator/CSR_Demo

This is my baseline code where I encountered the issue: FleetProvisioningDemoExample.c

There are 2 parts to this issue:

  1. The PKCS11 session is closed prematurely, before the provisioning routine is completed. (SOLVED)
    - I fixed this by shifting the xPkcs11CloseSession function call to the end of the provisioning routine.
    - After fixing this issue, the following bug happens…
  2. First MQTT connection following FP completion always fails, due to premature closing of PKCS11 session.

After investigation, I traced the root cause to xPkcs11CloseSession, specifically xFunctionList->C_Finalize.

This function completely de-initializes the PKCS#11 library, releasing all resources.
After this function is called, all subsequent cryptographic operations will fail, until it is reinitialized with C_Initialize.

In order to fix this issue, we removed the C_Finalize function call in xPkcs11CloseSession.

Request

  1. Is this the intended behavior for xPkcs11CloseSession?
    It seems to not work well if we want to perform further MQTT operations immediately after device provisioning.

  2. Is our solution the ideal approach?

Thank you.

This seems correct.

Would you please link where we call C_Initialize? Maybe this C_Initialize/C_Finalize needs to be done once only and not once per session.

Thank you for your prompt reply, @aggarg.

In my application, the C_Initialize is called in transport_mbedtls_pkcs11.c#L796.
After the first connection attempt failed, PKCS11 library will be re-initialized by tlsSetup in TLS_FreeRTOS_Connect.

I hope this answers your question.

Is this code specific to your application? I think you need to re-factor the code like the following:

xPkcs11Init() // Does C_Initialize
xPkcs11DeInit() // Does C_Finalize
xInitializePkcs11Session // Starts the session and does not call C_Initialize
xPkcs11CloseSession // Closes the session and does not call C_Finalize
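
The lifecycle split suggested above, as an added example that is not part of the thread or of corePKCS11: a constructed mock of the PKCS#11 library state shows the first post-provisioning call returning CKR_CRYPTOKI_NOT_INITIALIZED when the close helper also finalizes, and succeeding when it only closes the session. The mock_* functions and helper names are hypothetical, and the connection path is assumed not to re-initialize the library itself.

```c
#include <stdio.h>

/* Return codes, with the values the PKCS#11 specification assigns them. */
#define CKR_OK                        0x000UL
#define CKR_SESSION_HANDLE_INVALID    0x0B3UL
#define CKR_CRYPTOKI_NOT_INITIALIZED  0x190UL

/* Constructed stand-in for a PKCS#11 module (hypothetical, not the
 * corePKCS11 API): library-wide state plus a single session slot. */
static int lib_ready, session_open;

static unsigned long mock_C_Initialize(void) { lib_ready = 1; return CKR_OK; }
static unsigned long mock_C_Finalize(void) { lib_ready = session_open = 0; return CKR_OK; }
static unsigned long mock_C_OpenSession(void) {
    if (!lib_ready) return CKR_CRYPTOKI_NOT_INITIALIZED;
    session_open = 1;
    return CKR_OK;
}
static unsigned long mock_C_CloseSession(void) {
    if (!lib_ready) return CKR_CRYPTOKI_NOT_INITIALIZED;
    if (!session_open) return CKR_SESSION_HANDLE_INVALID;
    session_open = 0;
    return CKR_OK;
}
static unsigned long mock_C_Sign(void) {
    if (!lib_ready) return CKR_CRYPTOKI_NOT_INITIALIZED;
    return session_open ? CKR_OK : CKR_SESSION_HANDLE_INVALID;
}
/* Close helper that also finalizes the library (the behaviour reported above). */
static unsigned long close_and_finalize(void) {
    unsigned long rv = mock_C_CloseSession();
    return (rv == CKR_OK) ? mock_C_Finalize() : rv;
}
/* Close helper after the split: the session ends, the library stays up. */
static unsigned long close_only(void) { return mock_C_CloseSession(); }

/* Boot, provision, close with close_fn, then make the first connection's
 * PKCS#11 calls (assumed not to call C_Initialize first); returns their result. */
static unsigned long provision_then_connect(unsigned long (*close_fn)(void)) {
    unsigned long rv;
    lib_ready = session_open = 0;    /* fresh boot */
    mock_C_Initialize();             /* once, at start-up */
    mock_C_OpenSession();            /* provisioning session */
    mock_C_Sign();                   /* e.g. signing the CSR */
    close_fn();                      /* end of provisioning */
    rv = mock_C_OpenSession();       /* session for the TLS handshake */
    return (rv == CKR_OK) ? mock_C_Sign() : rv;
}
int main(void) {
    printf("close + C_Finalize: 0x%lx\n", provision_then_connect(close_and_finalize));
    printf("close only:         0x%lx\n", provision_then_connect(close_only));
    return 0;
}
```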

@aggarg: Not exactly. The transport_mbedtls_pkcs11.c linked in my reply was modified from FreeRTOS repo reference code: FreeRTOS/FreeRTOS-Plus//transport_mbedtls_pkcs11.c.

I attached the code comparison for reference: original.txt → modified.txt
(original = FreeRTOS reference, modified = my implementation)

Or, are you suggesting that this issue should be addressed in my application layer instead?

I do not see a call to C_Initialize in either the original file or your modified one. Would you please attach your complete file?

I am suggesting to update this file only. This file is considered as part of the application.

@aggarg

Apologies if my explanation is confusing.
As mentioned in my previous reply, the C_Initialize is called by tlsSetup in TLS_FreeRTOS_Connect.

I attached the call hierarchy for clarification:

I also attached my transport_mbedtls_pkcs11.c for your reference.
transport_mbedtls_pkcs11.c (37.2 KB)

To reiterate:

  • The first TLS connection after FP failed, because PKCS11 was de-initialized.
  • The next TLS connection succeeds because PKCS11 is initialized again by my mqtt-agent task.

Thank you.

Thank you for your reply. Would you also share the files containing the implementations of xInitializePkcs11Session and xInitializePKCS11?

We used the FreeRTOS-LTS corePKCS11 submodule as-is: FreeRTOS/corePKCS11 at eed7d31

I attached the code for your convenience.

core_pkcs11.c (12.1 KB)

Thank you for sharing these files.

Your solution is correct. Please raise a PR for this.

Apologies for back and forth.

Thanks for the confirmation, @aggarg.
I’ve raised a PR to fix this issue: Pull Request #1385

Thank you for your contribution!