Hi,
I want to connect to Google Cloud IoT with a modified asset_tracker and want the TLS done by the modem like in asset_tracker.
Google has a primary and a backup root CA for IoT and they may switch between the primary and backup certificates at any time without notice
See here cloud.google.com/.../mqtt-bridge
Is it enough to install these certificates (in the right converted form) as type 0 with different sec_tags on the modem?
I hope :)
With kind regards,
Árpád
Currently, a huge portion of the support team (including many of the experts on nRF9160) is on summer vacation, and you may experience delayed answers. My apologies for that.
I will try to provide you with an answer within this week.
Best regards,
Simon
Hi Simon,
update: The different root CAs should come to different sec_tags installed on the modem and that sec_tags must be referenced from the application software. That's clear me now.
But I have a problem when I try to verify the peer in the TLS connection:
struct mqtt_sec_config *tls_config = &client->transport.tls.config; tls_config->peer_verify = MQTT_TRANSPORT_SECURE;
results in EOPNOTSUPP 95 (Operation not supported on socket)
When I use
tls_config->peer_verify = TLS_PEER_VERIFY_NONE;
I can connect.
The peer verification works on Amazon with its sha256WithRSAEncryption signature. Google's signature for mqtt.2030.ltsapis.goog is an ecdsa-with-SHA256 signature.
Is that not supported?
Is this a bug in the modem software?
I use the latest one (mfw_nrf9160_1.2.0.zip).
With best regards,
Árpád
I am currently looking into your questions. In the meanwhile, you should check out this blog, if you haven't seen it already.
Best regards,
Simon
Hi Simon,
thank you for your reply. From that blog code (nRF9160DKtoGoogleCloud.zip) is the
tls_config->peer_verify = TLS_PEER_VERIFY_NONE;
workaround. See the function gcloud.c:gcloud_provision
tls_config.peer_verify = 0;
which is the same.
The defined ROOT_CERT at the begin of the file is wrong. It's a self signed certificate, not the primary or the backup certificate of Google for mqtt.2030.ltsapis.goog:
openssl x509 -in unknown_cert_from_How_to_connect_nRF9160_DK_to_Google_Cloud.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
eb:e3:e0:f5:5f:02:0a:a3
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN = nrf91-marte
Validity
Not Before: Apr 5 11:15:17 2019 GMT
Not After : Mar 2 11:15:17 4757 GMT
Subject: CN = nrf91-marte
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:0a:bc:a2:d9:16:1a:7a:1c:a5:d0:31:96:7a:49:
75:59:fa:10:16:f5:59:b4:27:65:72:c5:69:8c:ec:
31:e5:d6:18:52:08:3b:4d:a1:59:3b:da:49:43:c8:
d7:13:6c:d1:00:7c:73:72:14:f6:80:61:0d:79:11:
35:4d:8d:aa:2d
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
4B:02:13:B7:DF:90:80:77:6F:34:23:FA:95:42:68:8C:D3:B9:DD:F1
X509v3 Authority Key Identifier:
keyid:4B:02:13:B7:DF:90:80:77:6F:34:23:FA:95:42:68:8C:D3:B9:DD:F1
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: ecdsa-with-SHA256
30:45:02:20:5d:a4:40:ee:c2:aa:7e:f7:00:d9:b0:05:d8:06:
03:5c:bf:28:63:a9:39:4e:08:ff:2c:05:2c:4b:bc:b6:b3:94:
02:21:00:f3:ff:d4:5a:db:4c:46:49:9a:ca:58:21:c3:79:a0:
b1:81:86:2a:4d:7b:ad:8f:b8:8f:ee:26:19:4c:2f:0e:7c
-----BEGIN CERTIFICATE-----
MIIBdTCCARugAwIBAgIJAOvj4PVfAgqjMAoGCCqGSM49BAMCMBYxFDASBgNVBAMM
C25yZjkxLW1hcnRlMCAXDTE5MDQwNTExMTUxN1oYDzQ3NTcwMzAyMTExNTE3WjAW
MRQwEgYDVQQDDAtucmY5MS1tYXJ0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
BAq8otkWGnocpdAxlnpJdVn6EBb1WbQnZXLFaYzsMeXWGFIIO02hWTvaSUPI1xNs
0QB8c3IU9oBhDXkRNU2Nqi2jUDBOMB0GA1UdDgQWBBRLAhO335CAd280I/qVQmiM
07nd8TAfBgNVHSMEGDAWgBRLAhO335CAd280I/qVQmiM07nd8TAMBgNVHRMEBTAD
AQH/MAoGCCqGSM49BAMCA0gAMEUCIF2kQO7Cqn73ANmwBdgGA1y/KGOpOU4I/ywF
LEu8trOUAiEA8//UWttMRkmaylghw3mgsYGGKk17rY+4j+4mGUwvDnw=
-----END CERTIFICATE-----
Look at the Issuer.
In my code I use the primary certificate of Google for mqtt.2030.ltsapis.goog uploaded to the modem together with my public certificate and private key to a definite sec_tag.
The usage is exact of nrf_cloud_transport.c:nct_provision but with my sec_tag and google's hostname:
static int nct_provision(void)
{
static sec_tag_t sec_tag_list[] = { CONFIG_NRF_CLOUD_SEC_TAG };
nct.tls_config.peer_verify = 2;
nct.tls_config.cipher_count = 0;
nct.tls_config.cipher_list = NULL;
nct.tls_config.sec_tag_count = ARRAY_SIZE(sec_tag_list);
nct.tls_config.sec_tag_list = sec_tag_list;
nct.tls_config.hostname = NRF_CLOUD_HOSTNAME;
}
That should be enough to work, I think, but doesn't.
The only difference what I see is the signature algorithm: nRF Cloud (Amazon IoT) uses sha256WithRSAEncryption, Google's signature for mqtt.2030.ltsapis.goog is an ecdsa-with-SHA256 signature.
Look at the Signature Algorithm property of the following two root CA certificates:
openssl x509 -in nrf_cloud_ca_certificate.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
06:6c:9f:cf:99:bf:8c:0a:39:e2:f0:78:8a:43:e6:96:36:5b:ca
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Amazon, CN = Amazon Root CA 1
Validity
Not Before: May 26 00:00:00 2015 GMT
Not After : Jan 17 00:00:00 2038 GMT
Subject: C = US, O = Amazon, CN = Amazon Root CA 1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b2:78:80:71:ca:78:d5:e3:71:af:47:80:50:74:
7d:6e:d8:d7:88:76:f4:99:68:f7:58:21:60:f9:74:
84:01:2f:ac:02:2d:86:d3:a0:43:7a:4e:b2:a4:d0:
36:ba:01:be:8d:db:48:c8:07:17:36:4c:f4:ee:88:
23:c7:3e:eb:37:f5:b5:19:f8:49:68:b0:de:d7:b9:
76:38:1d:61:9e:a4:fe:82:36:a5:e5:4a:56:e4:45:
e1:f9:fd:b4:16:fa:74:da:9c:9b:35:39:2f:fa:b0:
20:50:06:6c:7a:d0:80:b2:a6:f9:af:ec:47:19:8f:
50:38:07:dc:a2:87:39:58:f8:ba:d5:a9:f9:48:67:
30:96:ee:94:78:5e:6f:89:a3:51:c0:30:86:66:a1:
45:66:ba:54:eb:a3:c3:91:f9:48:dc:ff:d1:e8:30:
2d:7d:2d:74:70:35:d7:88:24:f7:9e:c4:59:6e:bb:
73:87:17:f2:32:46:28:b8:43:fa:b7:1d:aa:ca:b4:
f2:9f:24:0e:2d:4b:f7:71:5c:5e:69:ff:ea:95:02:
cb:38:8a:ae:50:38:6f:db:fb:2d:62:1b:c5:c7:1e:
54:e1:77:e0:67:c8:0f:9c:87:23:d6:3f:40:20:7f:
20:80:c4:80:4c:3e:3b:24:26:8e:04:ae:6c:9a:c8:
aa:0d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
84:18:CC:85:34:EC:BC:0C:94:94:2E:08:59:9C:C7:B2:10:4E:0A:08
Signature Algorithm: sha256WithRSAEncryption
98:f2:37:5a:41:90:a1:1a:c5:76:51:28:20:36:23:0e:ae:e6:
28:bb:aa:f8:94:ae:48:a4:30:7f:1b:fc:24:8d:4b:b4:c8:a1:
97:f6:b6:f1:7a:70:c8:53:93:cc:08:28:e3:98:25:cf:23:a4:
f9:de:21:d3:7c:85:09:ad:4e:9a:75:3a:c2:0b:6a:89:78:76:
44:47:18:65:6c:8d:41:8e:3b:7f:9a:cb:f4:b5:a7:50:d7:05:
2c:37:e8:03:4b:ad:e9:61:a0:02:6e:f5:f2:f0:c5:b2:ed:5b:
b7:dc:fa:94:5c:77:9e:13:a5:7f:52:ad:95:f2:f8:93:3b:de:
8b:5c:5b:ca:5a:52:5b:60:af:14:f7:4b:ef:a3:fb:9f:40:95:
6d:31:54:fc:42:d3:c7:46:1f:23:ad:d9:0f:48:70:9a:d9:75:
78:71:d1:72:43:34:75:6e:57:59:c2:02:5c:26:60:29:cf:23:
19:16:8e:88:43:a5:d4:e4:cb:08:fb:23:11:43:e8:43:29:72:
62:a1:a9:5d:5e:08:d4:90:ae:b8:d8:ce:14:c2:d0:55:f2:86:
f6:c4:93:43:77:66:61:c0:b9:e8:41:d7:97:78:60:03:6e:4a:
72:ae:a5:d1:7d:ba:10:9e:86:6c:1b:8a:b9:59:33:f8:eb:c4:
90:be:f1:b9
-----BEGIN CERTIFICATE-----
MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
rqXRfboQnoZsG4q5WTP468SQvvG5
-----END CERTIFICATE-----
openssl x509 -in mqtt_2030_ltsapis_goog_PRIMARY.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:f0:f7:9d:59:dd:6e:50:f7:42:73:71:50
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, O = Google Trust Services LLC, CN = GTS LTSR
Validity
Not Before: Nov 1 00:00:42 2018 GMT
Not After : Nov 1 00:00:42 2042 GMT
Subject: C = US, O = Google Trust Services LLC, CN = GTS LTSR
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:cd:f1:8c:8e:da:ef:b2:09:0a:19:77:00:24:50:
db:f9:73:77:68:91:f5:0b:7e:b0:3a:40:98:05:57:
65:cc:b8:43:6d:41:92:06:e4:75:0e:4b:a8:c5:9f:
c7:f4:c9:29:55:78:e4:42:c6:a1:72:8c:32:72:46:
7f:3a:77:e2:24
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
3E:FE:FF:CC:52:EB:BF:34:3E:3D:F3:40:D0:E4:25:B1:5F:B8:BB:52
Signature Algorithm: ecdsa-with-SHA256
30:45:02:21:00:f2:ae:7f:f5:6d:04:7a:86:c3:74:d4:c1:42:
2a:ed:37:da:13:1a:77:6c:7e:db:8c:20:66:55:72:6e:a5:3f:
45:02:20:6b:d1:29:82:b6:cb:a4:9a:21:a0:a5:a8:e3:7f:f8:
05:8a:01:8c:df:81:7d:d3:6d:5b:09:6b:35:31:b2:f4:48
-----BEGIN CERTIFICATE-----
MIIBxTCCAWugAwIBAgINAfD3nVndblD3QnNxUDAKBggqhkjOPQQDAjBEMQswCQYD
VQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzERMA8G
A1UEAxMIR1RTIExUU1IwHhcNMTgxMTAxMDAwMDQyWhcNNDIxMTAxMDAwMDQyWjBE
MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM
QzERMA8GA1UEAxMIR1RTIExUU1IwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATN
8YyO2u+yCQoZdwAkUNv5c3dokfULfrA6QJgFV2XMuENtQZIG5HUOS6jFn8f0ySlV
eORCxqFyjDJyRn86d+Iko0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUw
AwEB/zAdBgNVHQ4EFgQUPv7/zFLrvzQ+PfNA0OQlsV+4u1IwCgYIKoZIzj0EAwID
SAAwRQIhAPKuf/VtBHqGw3TUwUIq7TfaExp3bH7bjCBmVXJupT9FAiBr0SmCtsuk
miGgpajjf/gFigGM34F9021bCWs1MbL0SA==
-----END CERTIFICATE-----
Best regards,
Árpád