This example demonstrates the AM2x device acting as an MQTT client: it connects to an MQTT broker, subscribes to a topic, and receives the data that another client publishes to that topic. The broker used in this case is the open-source Eclipse Mosquitto. Both the Mosquitto broker and the MQTT client are assigned static IP addresses.
In this example, two-way (mutual) TLS authentication is performed: the client verifies the broker's certificate and the broker verifies the client's certificate as well. Since locally generated, self-signed certificates are used, the CA certificate and CA key double as the server (broker) certificate and key. This shortcut is acceptable for a lab setup, but in a deployment the CA key must never be installed on the broker: the broker should get its own CA-signed leaf certificate and the CA key should stay offline.
A top-level view of how the MQTT + TLS client works is given below:
Role of mbedTLS:
- A TLS configuration is created from the CA certificate, CA key, client certificate, client private key and (optionally) the password protecting the private key. A standard allocator function then creates an altcp PCB for TLS over TCP.
- The client certificate and private key are loaded. Depending on the format of the X.509 certificate (DER or PEM), the certificate and key are parsed accordingly.
- The private key is checked against the public key contained in the client certificate. Only if the two match is the certificate/key pair accepted.
- The TLS config is passed to the LwIP application APIs, which use the same TLS config internally in the PCB (the Protocol Control Block of the corresponding TCP connection).
- Certificates and keys are verified using mbedTLS cryptographic functions, including the broker's certificate presented during the handshake, which is checked against the CA certificate. If a parsing error or data inconsistency invalidates a certificate or key, the network connection is dropped.
Role of LwIP:
- The TLS config is populated in LwIP's mqtt_context structure.
- An altcp PCB is created for the configured MQTT port and IP address, and the connection callbacks are set. The client information, which carries the TLS configuration, is passed in.
- A connection callback is set (on the client side this is the callback given to altcp_connect; altcp_accept serves the same purpose for a server accepting incoming connections). It handles the newly established connection: it allocates memory to hold the connection state and sets the callbacks for sending, receiving, error handling and polling.
- The MQTT connection callback is responsible for subscribing to or unsubscribing from a topic by sending the corresponding request to the MQTT broker once the broker has accepted the session.
- Input callback functions are set which determine how the client behaves when data is received.
- The received data is processed according to the current state of the connection; a packet that is not valid in that state is rejected.
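The following is an added example, not code from the original page or from the TI/LwIP/mbedTLS sources, that shows what the LwIP-side callbacks above actually do on the MQTT level: the connection callback sends SUBSCRIBE only after the broker's CONNACK, and the input callback parses an incoming PUBLISH only while the session is in the connected state, rejecting malformed or unexpected packets so the caller can drop the connection. It is a self-contained MQTT 3.1.1 packet builder/parser with constructed packets; the structure and function names (mqtt_client_ex, mqtt_ex_start, mqtt_ex_input) are assumptions made for this example, and every byte it produces or consumes is what would be handed to or taken from the altcp TLS PCB.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example: a minimal MQTT 3.1.1 client core mirroring the
 * callback structure described on this page. Not LwIP, mbedTLS or TI code;
 * it sits on the application side of the TLS tunnel. */

enum client_state { ST_DISCONNECTED, ST_CONNECTING, ST_CONNECTED };

struct mqtt_client_ex {
    enum client_state state;
    uint8_t out[256];            /* bytes that would be written to the altcp PCB */
    size_t out_len;
    char topic[64];              /* topic of the last received PUBLISH */
    uint8_t payload[128];        /* payload of the last received PUBLISH */
    size_t payload_len;
};

/* MQTT UTF-8 string: 2-byte big-endian length followed by the bytes. */
static size_t put_str(uint8_t *p, const char *s) {
    size_t n = strlen(s);
    p[0] = (uint8_t)(n >> 8); p[1] = (uint8_t)n;
    memcpy(p + 2, s, n);
    return n + 2;
}

/* MQTT "remaining length": 7 bits per byte, continuation bit 0x80. */
static size_t put_remlen(uint8_t *p, size_t len) {
    size_t i = 0;
    do { uint8_t b = len % 128; len /= 128; if (len) b |= 0x80; p[i++] = b; } while (len);
    return i;
}

/* CONNECT with clean session and no username/password: with mutual TLS the
 * client is identified by its certificate, not by a password. */
size_t mqtt_build_connect(uint8_t *buf, const char *client_id, uint16_t keepalive) {
    uint8_t vh[80]; size_t n = 0, h = 0;
    n += put_str(vh, "MQTT");
    vh[n++] = 4;                                   /* protocol level 3.1.1 */
    vh[n++] = 0x02;                                /* connect flags: clean session */
    vh[n++] = (uint8_t)(keepalive >> 8); vh[n++] = (uint8_t)keepalive;
    n += put_str(vh + n, client_id);
    buf[h++] = 0x10; h += put_remlen(buf + h, n);
    memcpy(buf + h, vh, n);
    return h + n;
}

/* SUBSCRIBE for one topic filter (fixed-header flags must be 0x2). */
size_t mqtt_build_subscribe(uint8_t *buf, uint16_t pkt_id, const char *topic, uint8_t qos) {
    uint8_t vh[80]; size_t n = 0, h = 0;
    vh[n++] = (uint8_t)(pkt_id >> 8); vh[n++] = (uint8_t)pkt_id;
    n += put_str(vh + n, topic);
    vh[n++] = qos;
    buf[h++] = 0x82; h += put_remlen(buf + h, n);
    memcpy(buf + h, vh, n);
    return h + n;
}

/* Called once the TLS session is up: queue CONNECT and wait for CONNACK. */
void mqtt_ex_start(struct mqtt_client_ex *c, const char *client_id) {
    memset(c, 0, sizeof *c);
    c->out_len = mqtt_build_connect(c->out, client_id, 60);
    c->state = ST_CONNECTING;
}

/* Connection callback: subscribe only after the broker accepted the session. */
static void on_connection(struct mqtt_client_ex *c, uint8_t return_code) {
    if (return_code != 0) { c->state = ST_DISCONNECTED; c->out_len = 0; return; }
    c->state = ST_CONNECTED;
    c->out_len = mqtt_build_subscribe(c->out, 1, "sensors/temp", 0);
}

/* Input callback: one complete packet in, dispatched on connection state.
 * Returns 0 on success, -1 for a malformed or unexpected packet, on which the
 * caller should drop the connection. */
int mqtt_ex_input(struct mqtt_client_ex *c, const uint8_t *data, size_t len) {
    if (len < 2) return -1;
    uint8_t type = data[0] >> 4;
    size_t rem = 0, mult = 1, i = 1;
    for (;;) {                                     /* decode remaining length */
        if (i >= len || i > 4) return -1;
        rem += (size_t)(data[i] & 0x7f) * mult; mult *= 128;
        if (!(data[i++] & 0x80)) break;
    }
    if (rem != len - i) return -1;                 /* truncated or trailing bytes */
    const uint8_t *body = data + i;
    if (c->state == ST_CONNECTING) {
        if (type != 2 || rem != 2) return -1;      /* only CONNACK is valid here */
        on_connection(c, body[1]);
        return 0;
    }
    if (c->state != ST_CONNECTED) return -1;       /* nothing accepted before CONNECT */
    if (type == 9 || type == 13) return 0;         /* SUBACK, PINGRESP: nothing to do */
    if (type != 3) return -1;                      /* PUBLISH is the only data packet */
    if (rem < 2) return -1;
    size_t tlen = ((size_t)body[0] << 8) | body[1], off = 2 + tlen;
    if (off > rem || tlen >= sizeof c->topic) return -1;
    if ((data[0] >> 1) & 3) {                      /* QoS 1/2 carry a packet id */
        if (off + 2 > rem) return -1;
        off += 2;
    }
    if (rem - off > sizeof c->payload) return -1;
    memcpy(c->topic, body + 2, tlen); c->topic[tlen] = 0;
    c->payload_len = rem - off;
    memcpy(c->payload, body + off, c->payload_len);
    return 0;
}
```

The state check is the security-relevant part: a PUBLISH arriving before CONNACK, a CONNACK with a non-zero return code, or a packet whose remaining-length field does not match the bytes actually received all return -1 rather than being parsed, which is the same "drop the connection on inconsistency" policy the page applies to the TLS layer.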
Figure 3-3 illustrates the same flow, with the SA2UL cryptography accelerator optionally used for the cryptographic operations.