add additional certificates (#301)

Author: ryanwinter

shared/src/azure_iot_cert.c

@@ -4,7 +4,13 @@
 #ifndef _AZURE_IOT_CERT_H
 #define _AZURE_IOT_CERT_H
 
-extern const unsigned char azure_iot_root_ca[];
-extern const unsigned int azure_iot_root_ca_len;
+extern const unsigned char azure_iot_root_cert[];
+extern const unsigned int azure_iot_root_cert_size;
+
+extern const unsigned char azure_iot_root_cert_2[];
+extern const unsigned int azure_iot_root_cert_size_2;
+
+extern const unsigned char azure_iot_root_cert_3[];
+extern const unsigned int azure_iot_root_cert_size_3;
 
 #endif

shared/src/azure_iot_cert.h

@@ -1,13 +1,5 @@
-/**************************************************************************/
-/*                                                                        */
-/*       Copyright (c) Microsoft Corporation. All rights reserved.        */
-/*                                                                        */
-/*       This software is licensed under the Microsoft Software License   */
-/*       Terms for Microsoft Azure RTOS. Full text of the license can be  */
-/*       found in the LICENSE file at https://aka.ms/AzureRTOS_EULA       */
-/*       and in the root directory of this software.                      */
-/*                                                                        */
-/**************************************************************************/
+/* Copyright (c) Microsoft Corporation.
+   Licensed under the MIT License. */
 
 #include "azure_iot_ciphersuites.h"
 
@@ -27,8 +19,7 @@ extern NX_CRYPTO_METHOD crypto_method_sha256;
 extern NX_CRYPTO_METHOD crypto_method_aes_cbc_128;
 extern NX_CRYPTO_METHOD crypto_method_rsa;
 
-const NX_CRYPTO_METHOD *_nx_azure_iot_tls_supported_crypto[] =
-{
+const NX_CRYPTO_METHOD* _nx_azure_iot_tls_supported_crypto[] = {
     &crypto_method_hmac,
     &crypto_method_hmac_sha256,
     &crypto_method_tls_prf_sha256,
@@ -37,23 +28,20 @@ const NX_CRYPTO_METHOD *_nx_azure_iot_tls_supported_crypto[] =
     &crypto_method_rsa,
 };
 
-const UINT _nx_azure_iot_tls_supported_crypto_size = sizeof(_nx_azure_iot_tls_supported_crypto) / sizeof(NX_CRYPTO_METHOD*);
+const UINT _nx_azure_iot_tls_supported_crypto_size =
+    sizeof(_nx_azure_iot_tls_supported_crypto) / sizeof(NX_CRYPTO_METHOD*);
 
-
-/* Define supported TLS ciphersuites. */
+// Define supported TLS ciphersuites.
 extern const NX_CRYPTO_CIPHERSUITE nx_crypto_tls_rsa_with_aes_128_cbc_sha256;
 extern const NX_CRYPTO_CIPHERSUITE nx_crypto_x509_rsa_sha_256;
 
-const NX_CRYPTO_CIPHERSUITE *_nx_azure_iot_tls_ciphersuite_map[] =
-{
-
-    /* TLS ciphersuites. */
+const NX_CRYPTO_CIPHERSUITE* _nx_azure_iot_tls_ciphersuite_map[] = {
+    // TLS ciphersuites.
     &nx_crypto_tls_rsa_with_aes_128_cbc_sha256,
 
-    /* X.509 ciphersuites. */
+    // X.509 ciphersuites.
     &nx_crypto_x509_rsa_sha_256,
 };
 
-const UINT _nx_azure_iot_tls_ciphersuite_map_size = sizeof(_nx_azure_iot_tls_ciphersuite_map) / sizeof(NX_CRYPTO_CIPHERSUITE*);
-
-
+const UINT _nx_azure_iot_tls_ciphersuite_map_size =
+    sizeof(_nx_azure_iot_tls_ciphersuite_map) / sizeof(NX_CRYPTO_CIPHERSUITE*);

shared/src/azure_iot_ciphersuites.c

@@ -1,29 +1,19 @@
-/**************************************************************************/
-/*                                                                        */
-/*       Copyright (c) Microsoft Corporation. All rights reserved.        */
-/*                                                                        */
-/*       This software is licensed under the Microsoft Software License   */
-/*       Terms for Microsoft Azure RTOS. Full text of the license can be  */
-/*       found in the LICENSE file at https://aka.ms/AzureRTOS_EULA       */
-/*       and in the root directory of this software.                      */
-/*                                                                        */
-/**************************************************************************/
+/* Copyright (c) Microsoft Corporation.
+   Licensed under the MIT License. */
 
 #ifndef NX_AZURE_IOT_CIPHERSUITES_H
 #define NX_AZURE_IOT_CIPHERSUITES_H
 
 #include "nx_secure_tls_api.h"
 
-/* Users can use these ciphersuites as sample, and also can build their own ciphersuite
-   referring to nx_secure/nx_crypto_generic_ciphersuites.c.  */
-extern const NX_CRYPTO_METHOD *_nx_azure_iot_tls_supported_crypto[];
+// Users can use these ciphersuites as sample, and also can build their own ciphersuite
+// referring to nx_secure/nx_crypto_generic_ciphersuites.c.
+extern const NX_CRYPTO_METHOD* _nx_azure_iot_tls_supported_crypto[];
 extern const UINT _nx_azure_iot_tls_supported_crypto_size;
-extern const NX_CRYPTO_CIPHERSUITE *_nx_azure_iot_tls_ciphersuite_map[];
+extern const NX_CRYPTO_CIPHERSUITE* _nx_azure_iot_tls_ciphersuite_map[];
 extern const UINT _nx_azure_iot_tls_ciphersuite_map_size;
 
-/* Define the metadata size for _nx_azure_iot_tls_ciphers.  */
-#ifndef NX_AZURE_IOT_TLS_METADATA_BUFFER_SIZE
-#define NX_AZURE_IOT_TLS_METADATA_BUFFER_SIZE                     (9 * 1024)
-#endif /* NX_AZURE_IOT_TLS_METADATA_BUFFER_SIZE  */
+// Define the metadata size for _nx_azure_iot_tls_ciphers.
+#define NX_AZURE_IOT_TLS_METADATA_BUFFER_SIZE (9 * 1024)
 
 #endif /* NX_AZURE_IOT_CIPHERSUITES_H */

shared/src/azure_iot_ciphersuites.h

@@ -124,20 +124,20 @@ UINT tls_setup(NXD_MQTT_CLIENT* client,
         return status;
     }
 
-    status = nx_secure_tls_remote_certificate_allocate(tls_session,	
-        &azure_iot_mqtt->mqtt_remote_certificate,	
-        azure_iot_mqtt->mqtt_remote_cert_buffer,	
-        sizeof(azure_iot_mqtt->mqtt_remote_cert_buffer));	
-    if (status != NX_SUCCESS)	
-    {	
-        printf("Failed to create remote certificate buffer (0x%04x)\r\n", status);	
-        return status;	
+    status = nx_secure_tls_remote_certificate_allocate(tls_session,
+        &azure_iot_mqtt->mqtt_remote_certificate,
+        azure_iot_mqtt->mqtt_remote_cert_buffer,
+        sizeof(azure_iot_mqtt->mqtt_remote_cert_buffer));
+    if (status != NX_SUCCESS)
+    {
+        printf("Failed to create remote certificate buffer (0x%04x)\r\n", status);
+        return status;
     }
 
     // Add a CA Certificate to our trusted store for verifying incoming server certificates
     status = nx_secure_x509_certificate_initialize(trusted_cert,
-        (UCHAR*)azure_iot_root_ca,
-        azure_iot_root_ca_len,
+        (UCHAR*)azure_iot_root_cert,
+        azure_iot_root_cert_size,
         NX_NULL,
         0,
         NX_NULL,

shared/src/azure_iot_mqtt/azure_iot_mqtt.c

@@ -396,8 +396,23 @@ static UINT azure_iot_nx_client_hub_create_internal(AZURE_IOT_NX_CONTEXT* contex
         }
     }
 
+    if (status != NX_AZURE_IOT_SUCCESS)
+    {
+        printf("Failed to set auth credentials\r\n");
+    }
+
+    // Add more CA certificates
+    else if ((status = nx_azure_iot_hub_client_trusted_cert_add(&context->iothub_client, &context->root_ca_cert_2)))
+    {
+        printf("Failed on nx_azure_iot_hub_client_trusted_cert_add!: error code = 0x%08x\r\n", status);
+    }
+    else if ((status = nx_azure_iot_hub_client_trusted_cert_add(&context->iothub_client, &context->root_ca_cert_3)))
+    {
+        printf("Failed on nx_azure_iot_hub_client_trusted_cert_add!: error code = 0x%08x\r\n", status);
+    }
+    
     // Set Model id
-    if ((status = nx_azure_iot_hub_client_model_id_set(
+    else if ((status = nx_azure_iot_hub_client_model_id_set(
              &context->iothub_client, (UCHAR*)context->azure_iot_model_id, strlen(context->azure_iot_model_id))))
     {
         printf("Error: nx_azure_iot_hub_client_model_id_set (0x%08x)\r\n", status);
@@ -578,10 +593,38 @@ UINT azure_iot_nx_client_create(AZURE_IOT_NX_CONTEXT* context,
         return status;
     }
 
-    // Initialize CA root certificate
+    // Initialize CA root certificates
     if ((status = nx_secure_x509_certificate_initialize(&context->root_ca_cert,
-             (UCHAR*)azure_iot_root_ca,
-             (USHORT)azure_iot_root_ca_len,
+             (UCHAR*)azure_iot_root_cert,
+             (USHORT)azure_iot_root_cert_size,
+             NX_NULL,
+             0,
+             NULL,
+             0,
+             NX_SECURE_X509_KEY_TYPE_NONE)))
+    {
+        printf("Failed to initialize ROOT CA certificate!: error code = 0x%08x\r\n", status);
+        nx_azure_iot_delete(&context->nx_azure_iot);
+        return status;
+    }
+
+    if ((status = nx_secure_x509_certificate_initialize(&context->root_ca_cert_2,
+             (UCHAR*)azure_iot_root_cert_2,
+             (USHORT)azure_iot_root_cert_size_2,
+             NX_NULL,
+             0,
+             NULL,
+             0,
+             NX_SECURE_X509_KEY_TYPE_NONE)))
+    {
+        printf("Failed to initialize ROOT CA certificate!: error code = 0x%08x\r\n", status);
+        nx_azure_iot_delete(&context->nx_azure_iot);
+        return status;
+    }
+
+    if ((status = nx_secure_x509_certificate_initialize(&context->root_ca_cert_3,
+             (UCHAR*)azure_iot_root_cert_3,
+             (USHORT)azure_iot_root_cert_size_3,
              NX_NULL,
              0,
              NULL,
@@ -691,8 +734,24 @@ UINT azure_iot_nx_client_dps_create(AZURE_IOT_NX_CONTEXT* context, CHAR* dps_id_
         }
     }
 
+    if (status != NX_AZURE_IOT_SUCCESS)
+    {
+        printf("Failed to set auth credentials\r\n");
+    }
+
+    // Add more CA certificates
+    else if ((status = nx_azure_iot_provisioning_client_trusted_cert_add(&context->dps_client, &context->root_ca_cert_2)))
+    {
+        printf("Failed on nx_azure_iot_provisioning_client_trusted_cert_add!: error code = 0x%08x\r\n", status);
+    }
+    else if ((status =
+                     nx_azure_iot_provisioning_client_trusted_cert_add(&context->dps_client, &context->root_ca_cert_3)))
+    {
+        printf("Failed on nx_azure_iot_provisioning_client_trusted_cert_add!: error code = 0x%08x\r\n", status);
+    }
+
     // Set the payload containing the model Id
-    if ((status = nx_azure_iot_provisioning_client_registration_payload_set(
+    else if ((status = nx_azure_iot_provisioning_client_registration_payload_set(
              &context->dps_client, (UCHAR*)payload, strlen(payload))))
     {
         printf("Error: nx_azure_iot_provisioning_client_registration_payload_set (0x%08x\r\n", status);

shared/src/azure_iot_nx_client.c

@@ -37,6 +37,9 @@ typedef ULONG (*func_ptr_unix_time_get)(VOID);
 struct AZURE_IOT_NX_CONTEXT_STRUCT
 {
     NX_SECURE_X509_CERT root_ca_cert;
+    NX_SECURE_X509_CERT root_ca_cert_2;
+    NX_SECURE_X509_CERT root_ca_cert_3;
+
     ULONG nx_azure_iot_tls_metadata_buffer[NX_AZURE_IOT_TLS_METADATA_BUFFER_SIZE / sizeof(ULONG)];
     ULONG nx_azure_iot_thread_stack[NX_AZURE_IOT_STACK_SIZE / sizeof(ULONG)];
     ULONG azure_iot_thread_stack[AZURE_IOT_STACK_SIZE / sizeof(ULONG)];