JITP cert not created with mbedTLS+ATECC608A (works with mosquitto_pub)

0

Hello,

I have the following setup:

  • ATECC608A
  • mbedTLS
  • coreMQTT

The certificate chain is the following: RootCA > SignerCA > DeviceCert. I've registered both RootCA and SignerCA as CAs in the AWS IoT Console.

When connecting to my ats-endpoint with that stack, the TLS handshake is successful: the device cert and signerCA are presented and AWS presents its cert chain as well. mbedTLS seems to be happy.

I then use the created mbedtls_ssl_context to connect coreMQTT. From the log, coreMQTT is able to write on the socket but AWS closes the connection. I expect the first connection to fail. But in this case, the certificate does not appear in the AWS IoT console and subsequent connection attempts fail as well.

I double checked the signerCA stored and its policy. They seem fine. To ensure that this config is correct, I manually created a certificate on my machine and signed it with my SignerCA. I then used that certificate with mosquitto_pub. The process works and my certificate appears in the AWS IoT console with the correct policy attached.

Another verification I've done is to check that my coreMQTT connection is correct. To connect without the JITP provisioning, I extracted the device certificate from the ATECC, manually uploaded its PEM and attached a policy to the device in the AWS console.
That MQTT connection was successful (and I see the 'MQTT.Connect' event in the AWS logs).

Questions:

  • mbedTLS seems to present the two concatenated certificates. Would the handshake be successful if one of them was not correct or if mbedTLS was misconfigured?
  • Could the X509v3 extensions be responsible for the JITP failure? The device cert has them, while the manually-generated one has not.
  • Is there a way to log mutual authentication failures in Cloudwatch?

Is there anything that I missed?

I could not attach any logs, I get the validation error "Your post contains inappropriate content. Please review and adjust before posting." when I try to include them. The full logs are available on the twin SO question: https://stackoverflow.com/questions/65735301/jitp-cert-not-created-with-mbedtlsatecc608a-works-with-moquitto-pub

Thanks!

asked 3 years ago, 259 views
3 Answers
0

I've noticed that if I don't add the signerCA to the chain when connecting with mbedTLS, the handshake is still successful but I get the same behaviour: AWS closes the connection and does not register any certificate. In this case this is expected because the signerCA cannot be identified.

That looks like mbedTLS/cryptoauthlib does something wrong when connecting (I use atca_mbedtls_cert_add(&device_cert_chain, &g_cert_def_1_signer) to add the signerCA to the chain).

answered 3 years ago
0

I've continued to explore the issue and can confirm that:

A) a similar certificate (same x509v3 extensions, same naming scheme) sent by mosquitto_pub triggers the JITP process while my device certificate does not. After inspecting the TLS handshake with Wireshark, both send the two certificates (signerCA and end-device cert). Both have a successful handshake, both receive a close notify message but only the mosquitto_pub one triggers the provisioning process. This should validate that the JITP configuration (signerCA+policy) is correct.

B) If I manually import the device certificate in the AWS console, attach a policy and a thing to it, the code is able to publish a message in a topic. This should validate that the TLS connection is correct and the ATECC chip works well.

I don't know why the device cert chain does not trigger JITP. I've checked the TLS handshake in Wireshark and cannot see what is different between the two sessions.

Edited by: fstephany on Jan 18, 2021 9:08 AM (formatting)

Edited by: fstephany on Jan 18, 2021 9:18 AM (formatting)

answered 3 years ago
0

Found the issue!
The problem was the AuthorityKeyIdentifier (which is 20 bytes in the middle of the cert) in the signerCA that was wrong. It is populated at runtime by the ATECC. I'll double check my provisioning scripts to ensure that the signer cert def and template regenerate the right CA out of the box.

answered 3 years ago
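The root cause in the accepted answer is a SignerCA whose AuthorityKeyIdentifier (AKI) does not match the RootCA's SubjectKeyIdentifier (SKI), so the signer presented by the device cannot be linked to the CA registered in AWS IoT. The script below is an added example by the editor, not code from the original post or from cryptoauthlib: it builds a constructed RootCA > SignerCA > DeviceCert chain with the openssl CLI, produces a second signer with a deliberately wrong AKI (standing in for a cert-def/template that fills in the wrong 20 bytes), and checks each link the way a practitioner should before blaming JITP or the MQTT stack. It assumes openssl 1.1.1 or newer on PATH; all names, keys and the bogus AKI value are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild a RootCA > SignerCA > DeviceCert
# chain with the openssl CLI and check the key-identifier links that JITP relies on.
# Assumes: openssl 1.1.1 or newer on PATH. Keys, names and the bogus AKI are constructed.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

cat > chain.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ device_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ bad_signer_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# AKI forced to 20 bytes that are NOT the root's SKI: this is what a signer cert
# looks like when the cert template/cert-def fills in the wrong key identifier.
authorityKeyIdentifier = DER:30:16:80:14:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
EOF

# P-256 keys, the curve the ATECC608A uses.
for n in root signer device; do
  openssl ecparam -name prime256v1 -genkey -noout -out "$n.key"
done
openssl req -x509 -new -key root.key -sha256 -days 3650 -subj "/CN=Demo Root CA" \
  -config chain.cnf -extensions root_ext -out root.pem
openssl req -new -key signer.key -subj "/CN=Demo Signer CA" -config chain.cnf -out signer.csr
# Same signer key and CSR signed twice: once correctly, once with the wrong AKI.
openssl x509 -req -in signer.csr -CA root.pem -CAkey root.key -set_serial 0x1001 -days 3650 \
  -sha256 -extfile chain.cnf -extensions ca_ext -out signer.pem 2>/dev/null
openssl x509 -req -in signer.csr -CA root.pem -CAkey root.key -set_serial 0x1002 -days 3650 \
  -sha256 -extfile chain.cnf -extensions bad_signer_ext -out bad_signer.pem 2>/dev/null
openssl req -new -key device.key -subj "/CN=0123DEMODEVICE" -config chain.cnf -out device.csr
openssl x509 -req -in device.csr -CA signer.pem -CAkey signer.key -set_serial 0x2001 -days 3650 \
  -sha256 -extfile chain.cnf -extensions device_ext -out device.pem 2>/dev/null

# ext_keyid CERT Subject|Authority -> the key identifier as colon-separated hex.
# Handles both the 1.1.1 output ("keyid:AB:CD:...") and the 3.x output ("AB:CD:...").
ext_keyid() {
  openssl x509 -in "$1" -noout -text | awk -v hdr="X509v3 $2 Key Identifier" '
    found          { gsub(/[ \t]/, ""); sub(/^keyid:/, ""); print; exit }
    index($0, hdr) { found = 1 }'
}

# check_link CHILD ISSUER -> 0 when CHILD's AKI equals ISSUER's SKI, 1 otherwise.
check_link() {
  aki="$(ext_keyid "$1" Authority)"
  ski="$(ext_keyid "$2" Subject)"
  if [ -n "$aki" ] && [ "$aki" = "$ski" ]; then
    echo "ok    $1 -> $2 (keyid $ski)"
    return 0
  fi
  echo "FAIL  $1 -> $2: AKI [$aki] does not match issuer SKI [$ski]"
  return 1
}

# verify_chain DEVICE SIGNER -> openssl's own chain building from DEVICE via SIGNER to the root.
verify_chain() {
  openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1
}

echo "--- correct chain ---"
check_link device.pem signer.pem
check_link signer.pem root.pem
verify_chain device.pem signer.pem && echo "openssl verify: chain builds to the root"
echo "--- signer whose AKI does not identify the root ---"
check_link bad_signer.pem root.pem || true
verify_chain device.pem bad_signer.pem || echo "openssl verify: cannot link bad_signer.pem to the root"
```

To apply this to a real device, dump the two certificates the device actually presents (for example from the Wireshark capture mentioned in the thread, or with `atcacert_read_cert` on the device side) into PEM files and run `check_link` on device-to-signer and signer-to-root; a signer whose AKI does not equal the root's SKI will also differ byte-for-byte from the signer registered in the AWS IoT console, which is enough for the JITP lookup to miss.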
