SOLVED: Esp-aws-iot Version 202210.01-LTS Won't Load Certificates
Posted: Wed Mar 01, 2023 1:25 am
Hi,
We have been building an IoT device using ESP32 (ESP-IDF v 4.4) and the AWS IoT Core for Embedded port (esp-aws-iot) from here: https://github.com/espressif/esp-aws-iot
We were using version 202012.04-LTS and it was working OK. However, I would like to update to a newer version.
I have changed to version 202210.01-LTS and made some minor changes to get the build to work. However, the TLS connect won't load the AWS certificates anymore.
When the MQTT agent attempts to connect with TLS, I get:
Code:
E (22409) esp-tls-mbedtls: mbedtls_x509_crt_parse returned -0x2180
E (22409) esp-tls-mbedtls: Failed to set client configurations, returned [0x8015] (ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED)
E (22419) esp-tls: create_ssl_handle failed
E (22419) esp-tls: Failed to open new connection
The certificates were working fine with the previous version.
I note that the NetworkContext_t struct has changed ("pem" removed from the names, and a size added for each certificate).
I am using the same certificate data as before. I just changed the name of the struct members, and added the sizes (as follows):
Code:
l_network_context.pcClientKeySize = strlen(l_network_context.pcClientKey);
l_network_context.pcClientCertSize = strlen(l_network_context.pcClientCert);
l_network_context.pcServerRootCASize = strlen(l_network_context.pcServerRootCA);
I'm confident that the certificates are actually NUL-terminated strings and "strlen" will work, because that's how it worked before.
Does the TLS connect function no longer support PEM format certificates? What else could cause this error?
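Added example, not part of the original post and not code from esp-aws-iot or mbedtls: mbedtls_x509_crt_parse() documents that the length passed for PEM data must include the terminating NUL byte, and a PEM buffer whose length stops short of it is handed to the DER parser instead, which is consistent with the -0x2180 (MBEDTLS_ERR_X509_INVALID_FORMAT) in the log above. The pre-flight check below models that rule so a wrong size can be caught before the TLS connect; the names classify_crt_buf, pem_size_with_nul and SAMPLE_PEM are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    CRT_BUF_PEM_OK,      /* PEM text, length counts the trailing '\0'     */
    CRT_BUF_PEM_NO_NUL,  /* PEM text, length stops before the '\0'        */
    CRT_BUF_DER,         /* binary DER: starts with ASN.1 SEQUENCE (0x30) */
    CRT_BUF_UNKNOWN
} crt_buf_kind_t;

static const char PEM_MARK[] = "-----BEGIN CERTIFICATE-----";

/* Bounded search: the buffer is not assumed to be NUL-terminated. */
static int has_pem_marker(const unsigned char *buf, size_t len)
{
    size_t m = sizeof(PEM_MARK) - 1;
    for (size_t i = 0; len >= m && i <= len - m; i++) {
        if (memcmp(buf + i, PEM_MARK, m) == 0) return 1;
    }
    return 0;
}

crt_buf_kind_t classify_crt_buf(const unsigned char *buf, size_t len)
{
    if (buf == NULL || len == 0) return CRT_BUF_UNKNOWN;
    if (has_pem_marker(buf, len)) {
        /* mbedtls takes the PEM path only when the last counted byte is
         * '\0'; otherwise the text goes to the DER parser and is rejected. */
        return buf[len - 1] == '\0' ? CRT_BUF_PEM_OK : CRT_BUF_PEM_NO_NUL;
    }
    return buf[0] == 0x30 ? CRT_BUF_DER : CRT_BUF_UNKNOWN;
}

/* Size to pass for a NUL-terminated PEM string: terminator included. */
size_t pem_size_with_nul(const char *pem) { return strlen(pem) + 1; }

/* Constructed sample, not a real certificate. */
static const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n";

int main(void)
{
    const unsigned char *p = (const unsigned char *)SAMPLE_PEM;
    printf("strlen(pem)     -> kind %d\n", classify_crt_buf(p, strlen(SAMPLE_PEM)));
    printf("strlen(pem) + 1 -> kind %d\n", classify_crt_buf(p, pem_size_with_nul(SAMPLE_PEM)));
    return 0;
}
```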