Add x509 Cert capability to esp32 (#167)

danewalton-msft · web-flow · commit e3543f0ce98e · 2022-04-25T22:52:38.000Z
diff --git a/.gitignore b/.gitignore
@@ -351,13 +351,17 @@ MigrationBackup/
 
 # Build directories
 /build
+build/
 /mimxrt1060
 /build_linux
 /build_windows
 /b-l475e-iot01a
 /b-l4s5i-iot01a
 /stm32h745i-disco
 
+# ESP-IDF config files
+sdkconfig*
+
 # Gate build directories
 /build_pc_linux
 /build_nxp_mimxrt1060
diff --git a/demos/projects/ESPRESSIF/aziotkit/README.md b/demos/projects/ESPRESSIF/aziotkit/README.md
@@ -77,9 +77,36 @@ Parameter | Value
 ---------|----------
  `Azure IoT Hub FQDN` | _{Your Azure IoT Hub Host FQDN}_ (Unused if Device Provisioning is enabled below)
  `Azure IoT Device ID` | _{Your Azure IoT Hub device ID}_
- `Azure IoT Device Symmetric Key` | _{Your Azure IoT Hub device symmetric key}_
  `Azure IoT Module ID` | _{Your Azure IoT Hub Module ID}_ (optional, specify module id if using a device module; else leave blank if not)
 
+Select your desired authentication method with the `Azure IoT Authentication Method () --->`. The default option is `Symmetric Key`:
+
+Parameter | Value
+---------|----------
+ `Azure IoT Device Symmetric Key` | _{Your Azure IoT Hub device symmetric key}_
+
+If you would like to use x509 certificates, select `X509 Certificates` and update the following values:
+
+Parameter | Value
+---------|----------
+ `Azure IoT Device Client Certificate` | _{Your Azure IoT Hub device certificate}_
+ `Azure IoT Device Client Certificate Private Key` | _{Your Azure IoT Hub device certificate private key}_
+
+Note that the certificate and private key must be a single line string with `\n` characters at the appropriate line breaks. For example:
+
+```txt
+# Single Line (CORRECT)
+-----BEGIN CERTIFICATE-----\nMIIBJDCB...\nyC+koNRC0MU=\n-----END CERTIFICATE-----
+
+# PEM Formatted (WRONG)
+-----BEGIN CERTIFICATE-----
+MIIBJDCBywIUfeHrebBVa2eZAbouBgACp9R3BncwCgYIKoZIzj0EAwIwETEPMA0G
+...
+vTfQahwsxN3xink9z1gtirrjQlqDAiEAyU+6TUJcG6d9JF+uJqsLFpsbbF3IzGAw
+yC+koNRC0MU=
+-----END CERTIFICATE-----
+```
+
 > Some parameters contain default values that do not need to be updated.
 
 If you're using **DPS** with an individual enrollment with SAS authentication, set the following parameters:
diff --git a/demos/projects/ESPRESSIF/aziotkit/components/sample-azure-iot/CMakeLists.txt b/demos/projects/ESPRESSIF/aziotkit/components/sample-azure-iot/CMakeLists.txt
@@ -5,6 +5,19 @@ set(ROOT_PATH
     ${CMAKE_CURRENT_LIST_DIR}/../../../../../..
 )
 
+# kconfig does not support multiline strings.
+# For certificates, we use as a workaround escaping the newlines
+# in certificates and keys so they can be entered as a single
+# string in kconfig.
+# The routine below unescapes the newlines so the values
+# can be correctly interpreted by the code.
+if(EXISTS "${CMAKE_BINARY_DIR}/config/sdkconfig.h")
+    file(READ "${CMAKE_BINARY_DIR}/config/sdkconfig.h" config_header)
+    string(REPLACE "\\n" "n" client_certificate ${config_header})
+    message("CLIENT_CERT: ${client_certificate}")
+    file(WRITE "${CMAKE_BINARY_DIR}/config/sdkconfig.h" "${client_certificate}")
+endif()
+
 idf_component_get_property(MBEDTLS_DIR mbedtls COMPONENT_DIR)
 
 set(COMPONENT_SOURCES
diff --git a/demos/projects/ESPRESSIF/aziotkit/components/sample-azure-iot/Kconfig.projbuild b/demos/projects/ESPRESSIF/aziotkit/components/sample-azure-iot/Kconfig.projbuild
@@ -15,12 +15,43 @@ menu "Azure IoT middleware for FreeRTOS Main Task Configuration"
         help
             "Set the Azure IoT Device ID."
 
+    choice AZURE_IOT_AUTH_METHOD
+        prompt "Azure IoT Authentication Method"
+        default AZURE_IOT_AUTH_METHOD_SYMMETRIC_KEY
+        help
+            Authentication method:
+
+            If "Symmetric Key" is selected, you must provide the symmetric key for the device.
+
+            If "X509 Certificates" is selected, you must provide the device certificate and certificate private key.
+
+        config AZURE_IOT_AUTH_METHOD_SYMMETRIC_KEY
+            bool "Symmetric Key"
+        config AZURE_IOT_AUTH_METHOD_X509
+            bool "X509 Certificates"
+    endchoice
+
     config AZURE_IOT_DEVICE_SYMMETRIC_KEY
         string "Azure IoT Device Symmetric Key"
         default ""
+        depends on AZURE_IOT_AUTH_METHOD_SYMMETRIC_KEY
         help
             "Set the Azure IoT Device Symmetric Key (if using SAS token authentication)."
 
+    config AZURE_IOT_DEVICE_CLIENT_CERTIFICATE
+        string "Azure IoT Device Client Certificate"
+        default ""
+        depends on AZURE_IOT_AUTH_METHOD_X509
+        help
+            "Set the Azure IoT Device Client Certificate (if using x509 client authentication)."
+
+    config AZURE_IOT_DEVICE_CLIENT_CERTIFICATE_PRIVATE_KEY
+        string "Azure IoT Device Client Certificate Private Key"
+        default ""
+        depends on AZURE_IOT_AUTH_METHOD_X509
+        help
+            "Set the Azure IoT Device Client Certificate Private Key (if using x509 client authentication)."
+
     config AZURE_IOT_MODULE_ID
         string "Azure IoT Module ID"
         default ""
diff --git a/demos/projects/ESPRESSIF/aziotkit/config/demo_config.h b/demos/projects/ESPRESSIF/aziotkit/config/demo_config.h
@@ -107,19 +107,25 @@
  * @brief Device symmetric key
  *
  */
+#ifdef CONFIG_AZURE_IOT_DEVICE_SYMMETRIC_KEY
 #define democonfigDEVICE_SYMMETRIC_KEY CONFIG_AZURE_IOT_DEVICE_SYMMETRIC_KEY
+#endif
 
 /**
  * @brief Client's X509 Certificate.
  *
  */
-// #define democonfigCLIENT_CERTIFICATE_PEM    "<YOUR DEVICE CERT HERE>"
+#ifdef CONFIG_AZURE_IOT_DEVICE_CLIENT_CERTIFICATE
+#define democonfigCLIENT_CERTIFICATE_PEM CONFIG_AZURE_IOT_DEVICE_CLIENT_CERTIFICATE
+#endif
 
 /**
  * @brief Client's private key.
  *
  */
-// #define democonfigCLIENT_PRIVATE_KEY_PEM    "<YOUR DEVICE PRIVATE KEY HERE>"
+#ifdef CONFIG_AZURE_IOT_DEVICE_CLIENT_CERTIFICATE_PRIVATE_KEY
+#define democonfigCLIENT_PRIVATE_KEY_PEM    CONFIG_AZURE_IOT_DEVICE_CLIENT_CERTIFICATE_PRIVATE_KEY
+#endif
 
 /**
  * @brief Load the required certificates:
diff --git a/demos/projects/ESPRESSIF/esp32/README.md b/demos/projects/ESPRESSIF/esp32/README.md
@@ -78,10 +78,37 @@ Under menu item `Azure IoT middleware for FreeRTOS Main Task Configuration`, upd
 Parameter | Value
 ---------|----------
  `Use PnP in Azure Sample` | Enabled by default. Disable this option to build a simpler sample without Azure Plug-and-Play.
- `Azure IoT Hub FQDN` | _{Your Azure IoT Hub Host FQDN}_
+ `Azure IoT Hub FQDN` | _{Your Azure IoT Hub Host FQDN}_ (Unused if Device Provisioning is enabled below)
  `Azure IoT Device ID` | _{Your Azure IoT Hub device ID}_
+ `Azure IoT Module ID` | _{Your Azure IoT Hub Module ID}_ (optional, specify module id if using a device module; else leave blank if not)
+
+Select your desired authentication method with the `Azure IoT Authentication Method () --->`. The default option is `Symmetric Key`:
+
+Parameter | Value
+---------|----------
  `Azure IoT Device Symmetric Key` | _{Your Azure IoT Hub device symmetric key}_
- `Azure IoT Module ID` | _{Your Azure IoT Hub Module ID}_ (IF USING A MODULE; leave blank if not)
+
+If you would like to use x509 certificates, select `X509 Certificates` and update the following values:
+
+Parameter | Value
+---------|----------
+ `Azure IoT Device Client Certificate` | _{Your Azure IoT Hub device certificate}_
+ `Azure IoT Device Client Certificate Private Key` | _{Your Azure IoT Hub device certificate private key}_
+
+Note that the certificate and private key must be a single line string with `\n` characters at the appropriate line breaks. For example:
+
+```txt
+# PEM Formatted (WRONG)
+-----BEGIN CERTIFICATE-----
+MIIBJDCBywIUfeHrebBVa2eZAbouBgACp9R3BncwCgYIKoZIzj0EAwIwETEPMA0G
+...
+vTfQahwsxN3xink9z1gtirrjQlqDAiEAyU+6TUJcG6d9JF+uJqsLFpsbbF3IzGAw
+yC+koNRC0MU=
+-----END CERTIFICATE-----
+
+# Single Line (CORRECT)
+-----BEGIN CERTIFICATE-----\nMIIBJDCB...\nyC+koNRC0MU=\n-----END CERTIFICATE-----
+```
 
 > Some parameters contain default values that do not need to be updated.
 
diff --git a/demos/projects/ESPRESSIF/esp32/components/sample-azure-iot/CMakeLists.txt b/demos/projects/ESPRESSIF/esp32/components/sample-azure-iot/CMakeLists.txt
@@ -15,6 +15,19 @@ else()
     )
 endif()
 
+# kconfig does not support multiline strings.
+# For certificates, we use as a workaround escaping the newlines
+# in certificates and keys so they can be entered as a single
+# string in kconfig.
+# The routine below unescapes the newlines so the values
+# can be correctly interpreted by the code.
+if(EXISTS "${CMAKE_BINARY_DIR}/config/sdkconfig.h")
+    file(READ "${CMAKE_BINARY_DIR}/config/sdkconfig.h" config_header)
+    string(REPLACE "\\n" "n" client_certificate ${config_header})
+    message("CLIENT_CERT: ${client_certificate}")
+    file(WRITE "${CMAKE_BINARY_DIR}/config/sdkconfig.h" "${client_certificate}")
+endif()
+
 idf_component_get_property(MBEDTLS_DIR mbedtls COMPONENT_DIR)
 
 list(APPEND COMPONENT_SOURCES
@@ -41,4 +54,3 @@ idf_component_register(
     SRCS ${COMPONENT_SOURCES}
     INCLUDE_DIRS ${COMPONENT_INCLUDE_DIRS}
     REQUIRES mbedtls tcp_transport coreMQTT azure-sdk-for-c azure-iot-middleware-freertos)
-
diff --git a/demos/projects/ESPRESSIF/esp32/components/sample-azure-iot/Kconfig.projbuild b/demos/projects/ESPRESSIF/esp32/components/sample-azure-iot/Kconfig.projbuild
@@ -21,12 +21,43 @@ menu "Azure IoT middleware for FreeRTOS Main Task Configuration"
         help
             "Set the Azure IoT Device ID."
 
+    choice AZURE_IOT_AUTH_METHOD
+        prompt "Azure IoT Authentication Method"
+        default AZURE_IOT_AUTH_METHOD_SYMMETRIC_KEY
+        help
+            Authentication method:
+
+            If "Symmetric Key" is selected, you must provide the symmetric key for the device.
+
+            If "X509 Certificates" is selected, you must provide the device certificate and certificate private key.
+
+        config AZURE_IOT_AUTH_METHOD_SYMMETRIC_KEY
+            bool "Symmetric Key"
+        config AZURE_IOT_AUTH_METHOD_X509
+            bool "X509 Certificates"
+    endchoice
+
     config AZURE_IOT_DEVICE_SYMMETRIC_KEY
         string "Azure IoT Device Symmetric Key"
         default ""
+        depends on AZURE_IOT_AUTH_METHOD_SYMMETRIC_KEY
         help
             "Set the Azure IoT Device Symmetric Key (if using SAS token authentication)."
 
+    config AZURE_IOT_DEVICE_CLIENT_CERTIFICATE
+        string "Azure IoT Device Client Certificate"
+        default ""
+        depends on AZURE_IOT_AUTH_METHOD_X509
+        help
+            "Set the Azure IoT Device Client Certificate (if using x509 client authentication)."
+
+    config AZURE_IOT_DEVICE_CLIENT_CERTIFICATE_PRIVATE_KEY
+        string "Azure IoT Device Client Certificate Private Key"
+        default ""
+        depends on AZURE_IOT_AUTH_METHOD_X509
+        help
+            "Set the Azure IoT Device Client Certificate Private Key (if using x509 client authentication)."
+
     config AZURE_IOT_MODULE_ID
         string "Azure IoT Module ID"
         default ""
diff --git a/demos/projects/ESPRESSIF/esp32/config/demo_config.h b/demos/projects/ESPRESSIF/esp32/config/demo_config.h
@@ -109,19 +109,25 @@
  * @brief Device symmetric key
  *
  */
+#ifdef CONFIG_AZURE_IOT_DEVICE_SYMMETRIC_KEY
 #define democonfigDEVICE_SYMMETRIC_KEY CONFIG_AZURE_IOT_DEVICE_SYMMETRIC_KEY
+#endif
 
 /**
  * @brief Client's X509 Certificate.
  *
  */
-// #define democonfigCLIENT_CERTIFICATE_PEM    "<YOUR DEVICE CERT HERE>"
+#ifdef CONFIG_AZURE_IOT_DEVICE_CLIENT_CERTIFICATE
+#define democonfigCLIENT_CERTIFICATE_PEM CONFIG_AZURE_IOT_DEVICE_CLIENT_CERTIFICATE
+#endif
 
 /**
  * @brief Client's private key.
  *
  */
-// #define democonfigCLIENT_PRIVATE_KEY_PEM    "<YOUR DEVICE PRIVATE KEY HERE>"
+#ifdef CONFIG_AZURE_IOT_DEVICE_CLIENT_CERTIFICATE_PRIVATE_KEY
+#define democonfigCLIENT_PRIVATE_KEY_PEM    CONFIG_AZURE_IOT_DEVICE_CLIENT_CERTIFICATE_PRIVATE_KEY
+#endif
 
 /**
  * @brief Load the required certificates:
