SPRADB2 August 2023 AM2431, AM2432, AM2434, AM2631, AM2631-Q1, AM2632, AM2632-Q1, AM2634, AM2634-Q1, AM263P4, AM2732, AM2732-Q1, AM6411, AM6412, AM6421, AM6422, AM6441, AM6442

 

  Abstract
  Trademarks
  1 Introduction
    1.1 Acronyms Used in This Document
  2 MbedTLS
    2.1 What is MbedTLS?
    2.2 Why MbedTLS?
    2.3 Application of MbedTLS
  3 MbedTLS Over LwIP
    3.1 TLS Server Example (HTTPS Server)
    3.2 TLS Client Example (MQTT Client)

TLS Client Example (MQTT Client)

This example demonstrates the AM2x device acting as an MQTT client: it subscribes to a topic on an MQTT broker and receives the data that another client publishes to that topic. The broker used here is the open-source Eclipse Mosquitto. Both the Mosquitto broker and the MQTT client are assigned static IP addresses.

In this example, two-way (mutual) authentication is performed: the client verifies the server's certificate and the server verifies the client's. Because the certificates are locally generated and self-signed, the CA certificate and CA key are reused as the server certificate and key. This is a test-bench shortcut; in a deployment the broker would carry its own certificate issued by the CA, and the CA private key would not be installed on the broker at all.

The top-level operation of the MQTT + TLS client is described below:

Role of MbedTLS:

  • A TLS configuration is created from the CA certificate, the CA key, the client certificate, the client private key and, optionally, the password that protects the private key. A standard allocator function then creates an altcp PCB for TLS over TCP that carries this configuration.
  • The client certificate and private key are loaded and then parsed according to the X.509 encoding in use (DER or PEM).
  • The private key is checked against the public key carried in the certificate; only if the two match is the certificate/key pair accepted.
  • The TLS configuration is passed to the LwIP application APIs, which keep it in the PCB (Protocol Control Block) of the corresponding TCP connection.
  • During the handshake, mbedTLS cryptographic functions verify the peer certificate and keys. A parsing error, inconsistent data, or a failed certificate or key verification causes the network connection to be dropped.

Role of LwIP:

  • The TLS configuration is stored in the mqtt_context structure, the client information that LwIP's MQTT client receives.
  • An altcp PCB is created for the configured MQTT port and IP address, the connection callbacks are set, and the client information carrying the TLS configuration is passed in.
  • Because this is a client, the connection is initiated with altcp_connect rather than accepted; its connected callback handles the newly established connection, allocates the memory that manages the connection state, and sets the callbacks for sending, receiving, error handling and polling.
  • The MQTT connection callback subscribes to (or unsubscribes from) a topic and sends the corresponding requests to the MQTT broker.
  • Input callbacks are set that determine how the client handles the data it receives.
  • The received data is processed according to the state of the connection.
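The two lists above (Role of MbedTLS and Role of LwIP) describe one exchange: each side loads a certificate and key, confirms the key matches the certificate, verifies the peer against the CA during the handshake, and drops the connection if any of that fails. The following Go program is an added example, not code from this application note or from the TI SDK, that plays that exchange out on a host using Go's standard crypto/tls and crypto/x509 packages in place of mbedTLS and LwIP. It generates a self-signed CA, uses the CA certificate as the broker's server certificate exactly as the example does, issues a client certificate from the CA, and runs a loopback stand-in for the broker that requires a client certificate from that CA. The identity names (local-ca, am2x-client), the loopback address, the SUBSCRIBE/PUBLISH payloads and all function names are constructed for the illustration; a real Mosquitto broker speaks MQTT over the TLS session rather than echoing lines.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// check aborts on setup errors (key generation, signing, listen), which only fail on a broken host.
func check(err error) { if err != nil { panic(err) } }

// identity is an X.509 certificate with its private key, the pair the device loads into its TLS config.
type identity struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	tlsCert tls.Certificate // the same pair in the form the TLS stack consumes
}

// newIdentity generates a P-256 key and a certificate for cn. With issuer == nil the certificate is
// self-signed (the locally generated CA of the example); otherwise issuer signs it.
func newIdentity(cn string, issuer *identity) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: issuer == nil,
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // static broker address, as in the example
	}
	parent, signer := tmpl, key
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &identity{cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}}
}

// keyMatchesCert is the post-parse check from the text: the private key's public half must equal
// the public key carried in the certificate, and a mismatch is caught before any connection is made.
func keyMatchesCert(cert *x509.Certificate, key *ecdsa.PrivateKey) bool {
	return key.PublicKey.Equal(cert.PublicKey)
}

// caPool holds the single trust anchor both sides verify against.
func caPool(ca *identity) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(ca.cert); return p }

// startBroker stands in for Mosquitto: it presents the CA's own certificate, as the example does, and
// requires a client certificate issued by that CA. Each connection is read once and echoed back as a publish.
func startBroker(ca *identity) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{ca.tlsCert}, ClientCAs: caPool(ca), MinVersion: tls.VersionTLS12,
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "server verifies the client" half
	})
	check(err)
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			buf := make([]byte, 256)
			if n, err := c.Read(buf); err == nil { // the TLS handshake runs inside this Read
				c.Write(append([]byte("PUBLISH "), buf[:n]...))
			}
			c.Close() // a failed handshake ends here: the connection is dropped
		}
	}()
	return ln
}

// subscribe plays the device-side client: it verifies the broker against the CA (the "client verifies
// the server" half), presents its own certificate if it has one, sends one SUBSCRIBE and returns the
// publish that comes back. A failed handshake is returned as an error instead of a reply.
func subscribe(addr string, ca, client *identity, topic string) (string, error) {
	cfg := &tls.Config{RootCAs: caPool(ca), MinVersion: tls.VersionTLS12}
	if client != nil {
		cfg.Certificates = []tls.Certificate{client.tlsCert}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.Write([]byte("SUBSCRIBE " + topic)) // under TLS 1.3 a rejected client certificate surfaces on the Read
	buf := make([]byte, 256)
	n, err := conn.Read(buf)
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}
```

Create the CA with newIdentity("local-ca", nil), start the broker stand-in with startBroker on that CA, and call subscribe with a client identity issued by the CA: the echoed publish comes back. Calling subscribe with no client identity, or with a self-signed identity the CA never issued, returns an error instead of a reply, which is the outcome the device sees when mbedTLS rejects the peer and LwIP drops the PCB. keyMatchesCert reproduces the key-against-certificate check that the text places before any connection is opened. One Go-specific detail: the client only presents a certificate whose issuer is in the list the broker advertises, so the rogue identity is withheld by the client and the broker then fails the handshake for lack of a certificate; either way the connection is not established.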

Figure 3-3 shows this flow, with the SA2UL cryptography accelerator optionally offloading the cryptographic operations.

Figure 3-3 Overview of Working of MQTT + TLS Client