Add weak variable checking for device certificate update

arduino · pennam · commit ae1a788b18c6 · 2025-01-22T15:35:28.000+01:00
diff --git a/src/ArduinoIoTCloudTCP.cpp b/src/ArduinoIoTCloudTCP.cpp
@@ -43,6 +43,13 @@ unsigned long getTime()
   return ArduinoCloud.getInternalTime();
 }
 
+char NOT_AFTER[]        __attribute__((weak)) = "";
+char NOT_BEFORE[]       __attribute__((weak)) = "";
+char SERIAL_NUMBER[]    __attribute__((weak)) = "";
+char AUTHORITY_KEY_ID[] __attribute__((weak)) = "";
+char SIGNATURE[]        __attribute__((weak)) = "";
+
+
 /******************************************************************************
    CTOR/DTOR
  ******************************************************************************/
@@ -59,6 +66,9 @@ ArduinoIoTCloudTCP::ArduinoIoTCloudTCP()
 #ifdef BOARD_HAS_SECRET_KEY
 , _password("")
 #endif
+#if defined(BOARD_HAS_SECURE_ELEMENT)
+, _writeOnConnect(false)
+#endif
 , _mqttClient{nullptr}
 , _messageTopicOut("")
 , _messageTopicIn("")
@@ -80,11 +90,6 @@ int ArduinoIoTCloudTCP::begin(ConnectionHandler & connection, bool const enable_
 {
   _connection = &connection;
   _brokerAddress = brokerAddress;
-#ifdef BOARD_HAS_SECRET_KEY
-  _brokerPort = _password.length() ? DEFAULT_BROKER_PORT_USER_PASS_AUTH : brokerPort;
-#else
-  _brokerPort = brokerPort;
-#endif
 
   /* Setup broker TLS client */
   _brokerClient.begin(connection);
@@ -94,20 +99,7 @@ int ArduinoIoTCloudTCP::begin(ConnectionHandler & connection, bool const enable_
   _otaClient.begin(connection);
 #endif
 
-  /* Setup TimeService */
-  _time_service.begin(_connection);
-
-  /* Setup retry timers */
-  _connection_attempt.begin(AIOT_CONFIG_RECONNECTION_RETRY_DELAY_ms, AIOT_CONFIG_MAX_RECONNECTION_RETRY_DELAY_ms);
-  return begin(enable_watchdog, _brokerAddress, _brokerPort);
-}
-
-int ArduinoIoTCloudTCP::begin(bool const enable_watchdog, String brokerAddress, uint16_t brokerPort)
-{
-  _brokerAddress = brokerAddress;
-  _brokerPort = brokerPort;
-
-#if defined(BOARD_HAS_SECRET_KEY)
+#if defined (BOARD_HAS_SECRET_KEY)
   /* If board is not configured for username and password login */
   if(!_password.length())
   {
@@ -129,23 +121,63 @@ int ArduinoIoTCloudTCP::begin(bool const enable_watchdog, String brokerAddress,
       DEBUG_ERROR("ArduinoIoTCloudTCP::%s could not read device id.", __FUNCTION__);
       return 0;
     }
-  #if !defined(BOARD_HAS_OFFLOADED_ECCX08)
+    /* read certificate stored in secure element to compare AUTHORITY_KEY_ID */
     if (!SElementArduinoCloudCertificate::read(_selement, _cert, SElementArduinoCloudSlot::CompressedCertificate))
     {
       DEBUG_ERROR("ArduinoIoTCloudTCP::%s could not read device certificate.", __FUNCTION__);
       return 0;
     }
+    /* check if we need to update and try rebuild */
+    int result = SElementArduinoCloudCertificate::update(_selement, _cert, getDeviceId(), String(NOT_BEFORE), String(NOT_AFTER), String(SERIAL_NUMBER), String(AUTHORITY_KEY_ID), String(SIGNATURE));
+    if (result > 0)
+    {
+      DEBUG_INFO("ArduinoIoTCloudTCP::%s device certificate update request.", __FUNCTION__);
+      _writeOnConnect = true;
+    }
+    else if (result < 0)
+    {
+      DEBUG_ERROR("ArduinoIoTCloudTCP::%s device certificate rebuild error.", __FUNCTION__);
+      /* there was an error trying to rebuild certificate re-read old one */
+      if (!SElementArduinoCloudCertificate::read(_selement, _cert, SElementArduinoCloudSlot::CompressedCertificate))
+      {
+        DEBUG_ERROR("ArduinoIoTCloudTCP::%s could not read device id.", __FUNCTION__);
+        return 0;
+      }
+    }
+    else
+    {
+      DEBUG_VERBOSE("ArduinoIoTCloudTCP::%s device certificate updated.", __FUNCTION__);
+    }
+  #if !defined(BOARD_HAS_OFFLOADED_ECCX08)
     _brokerClient.setEccSlot(static_cast<int>(SElementArduinoCloudSlot::Key), _cert.bytes(), _cert.length());
     #if  OTA_ENABLED
     _otaClient.setEccSlot(static_cast<int>(SElementArduinoCloudSlot::Key), _cert.bytes(), _cert.length());
     #endif
   #endif
+    _brokerPort = (brokerPort == DEFAULT_BROKER_PORT_AUTO) ? mqttPort() : brokerPort;
 #endif
 
 #if defined(BOARD_HAS_SECRET_KEY)
   }
+  else
+  {
+    _brokerPort = (brokerPort == DEFAULT_BROKER_PORT_AUTO) ? DEFAULT_BROKER_PORT_USER_PASS_AUTH : brokerPort;
+  }
 #endif
 
+  /* Setup TimeService */
+  _time_service.begin(_connection);
+
+  /* Setup retry timers */
+  _connection_attempt.begin(AIOT_CONFIG_RECONNECTION_RETRY_DELAY_ms, AIOT_CONFIG_MAX_RECONNECTION_RETRY_DELAY_ms);
+  return begin(enable_watchdog, _brokerAddress, _brokerPort);
+}
+
+int ArduinoIoTCloudTCP::begin(bool const enable_watchdog, String brokerAddress, uint16_t brokerPort)
+{
+  _brokerAddress = brokerAddress;
+  _brokerPort = brokerPort;
+
   _mqttClient.setClient(_brokerClient);
 
 #ifdef BOARD_HAS_SECRET_KEY
@@ -281,6 +313,17 @@ ArduinoIoTCloudTCP::State ArduinoIoTCloudTCP::handle_ConnectMqttBroker()
     /* Subscribe to message topic to receive commands */
     _mqttClient.subscribe(_messageTopicIn);
 
+#if defined(BOARD_HAS_SECURE_ELEMENT)
+    /* A device certificate update was pending */
+    if (_writeOnConnect)
+    {
+      if (SElementArduinoCloudCertificate::write(_selement, _cert, SElementArduinoCloudSlot::CompressedCertificate))
+      {
+        DEBUG_INFO("ArduinoIoTCloudTCP::%s device certificate update done.", __FUNCTION__);
+        _writeOnConnect = false;
+      }
+    }
+#endif
     DEBUG_VERBOSE("ArduinoIoTCloudTCP::%s connected to %s:%d", __FUNCTION__, _brokerAddress.c_str(), _brokerPort);
     return State::Connected;
   }
@@ -558,6 +601,17 @@ int ArduinoIoTCloudTCP::write(String const topic, byte const data[], int const l
   return 0;
 }
 
+#if defined(BOARD_HAS_SECURE_ELEMENT)
+int ArduinoIoTCloudTCP::mqttPort()
+{
+  if (memcmp(DEPRECATED_BROKER_AUTHORITY_KEY_IDENTIFIER, _cert.authorityKeyIdentifierBytes() , ECP256_CERT_AUTHORITY_KEY_ID_LENGTH) == 0) {
+    return DEPRECATED_BROKER_PORT_SECURE_AUTH;
+  } else {
+    return DEFAULT_BROKER_PORT_SECURE_AUTH;
+  }
+}
+#endif
+
 /******************************************************************************
  * EXTERN DEFINITION
  ******************************************************************************/
diff --git a/src/ArduinoIoTCloudTCP.h b/src/ArduinoIoTCloudTCP.h
@@ -31,16 +31,14 @@
 #if defined(BOARD_HAS_SECURE_ELEMENT)
   #include <Arduino_SecureElement.h>
   #include <utility/SElementArduinoCloudDeviceId.h>
-  #if !defined(BOARD_HAS_OFFLOADED_ECCX08)
-    #include <utility/SElementArduinoCloudCertificate.h>
-  #endif
+  #include <utility/SElementArduinoCloudCertificate.h>
 #endif
 
 #include <tls/utility/TLSClientMqtt.h>
 #include <tls/utility/TLSClientOta.h>
 
 #if OTA_ENABLED
-#include <ota/OTA.h>
+  #include <ota/OTA.h>
 #endif
 
 #include "cbor/MessageDecoder.h"
@@ -49,9 +47,14 @@
 /******************************************************************************
    CONSTANTS
  ******************************************************************************/
-static char const DEFAULT_BROKER_ADDRESS_SECURE_AUTH[] = "iot.arduino.cc";
-static uint16_t const DEFAULT_BROKER_PORT_SECURE_AUTH = 8883;
+static char const DEFAULT_BROKER_ADDRESS[] = "iot.arduino.cc";
+static uint16_t const DEFAULT_BROKER_PORT_SECURE_AUTH = 8885;
+static uint16_t const DEPRECATED_BROKER_PORT_SECURE_AUTH = 8883;
+static uint8_t const DEPRECATED_BROKER_AUTHORITY_KEY_IDENTIFIER[] = {
+                  0x5b, 0x3e, 0x2a, 0x6b, 0x8e, 0xc9, 0xb0, 0x1a, 0xa8, 0x54,
+                  0xe6, 0x36, 0x9b, 0x8c, 0x09, 0xf9, 0xfc, 0xe1, 0xb9, 0x80 };
 static uint16_t const DEFAULT_BROKER_PORT_USER_PASS_AUTH = 8884;
+static uint16_t const DEFAULT_BROKER_PORT_AUTO = 0;
 
 /******************************************************************************
  * TYPEDEF
@@ -74,8 +77,8 @@ class ArduinoIoTCloudTCP: public ArduinoIoTCloudClass
     virtual int  connected     () override;
     virtual void printDebugInfo() override;
 
-    int begin(ConnectionHandler & connection, bool const enable_watchdog = true, String brokerAddress = DEFAULT_BROKER_ADDRESS_SECURE_AUTH, uint16_t brokerPort = DEFAULT_BROKER_PORT_SECURE_AUTH);
-    int begin(bool const enable_watchdog = true, String brokerAddress = DEFAULT_BROKER_ADDRESS_SECURE_AUTH, uint16_t brokerPort = DEFAULT_BROKER_PORT_SECURE_AUTH);
+    int begin(ConnectionHandler & connection, bool const enable_watchdog = true, String brokerAddress = DEFAULT_BROKER_ADDRESS, uint16_t brokerPort = DEFAULT_BROKER_PORT_AUTO);
+    int begin(bool const enable_watchdog = true, String brokerAddress = DEFAULT_BROKER_ADDRESS, uint16_t brokerPort = DEFAULT_BROKER_PORT_AUTO);
 
     #ifdef BOARD_HAS_SECRET_KEY
     inline void setBoardId        (String const device_id) { setDeviceId(device_id); }
@@ -142,9 +145,8 @@ class ArduinoIoTCloudTCP: public ArduinoIoTCloudClass
 
 #if defined(BOARD_HAS_SECURE_ELEMENT)
     SecureElement _selement;
-  #if !defined(BOARD_HAS_OFFLOADED_ECCX08)
     ECP256Certificate _cert;
-  #endif
+    bool _writeOnConnect;
 #endif
 
     TLSClientMqtt _brokerClient;
@@ -183,6 +185,10 @@ class ArduinoIoTCloudTCP: public ArduinoIoTCloudClass
     void detachThing();
     int write(String const topic, byte const data[], int const length);
 
+#if defined(BOARD_HAS_SECURE_ELEMENT)
+    int mqttPort();
+#endif
+
 };
 
 /******************************************************************************
