Sample connection to AWS using X.509 certificate

[FleetPhil]

Hi - any chance that you could post an example of a connection to AWS using X.509 certificates? I'm struggling with the connection and just get a timeout from my IoT endpoint. I'm a newbie to AWS - I've got an app working with X.509 certificates based on the AWS sample but I'd prefer to use a lighter Swift Package-based implementation (like this) if possible.... Thanks

[adam-fowler]

Hi, I won't have time to look at this until later in the day. But could you answer some questions in advance

• What platform are you running on
• Could you post your code you have so far.
• If you are on iOS have you been able to create a SecIdentity
• Have you verified your identifier from MQTTClient.init has access. Check AWS console AWSIoT->Secure-Policies
  cheers

[adam-fowler]

Do you not need a "*", you have an empty string. I would try a client identifier without spaces just to check

[FleetPhil]

That's not it either, I set a specific resource (iOSClient) on the policy and the client identifier with the same result. I'm going to delete and recreate the certificate to check there's no issues with that....

[FleetPhil]

That didn't work either.
BTW - the nw_protocol_get_quic_image_block_invoke message is a red herring - it only happens on the simulator not a real device.
I decided to step back and try connecting to the Mosquitto test broker using a Mosquitto generated certificate and the same process to see if it's an AWS issue...
On Mosquitto unencrypted connection on port 1883 works fine, however encrypted with certificate fails with:

Start connect
SecIdentity is : <SecIdentityRef: 0x28152d4e0>
Root cert is: <cert(0x105805a60) s: mosquitto.org i: mosquitto.org>
2021-03-16 19:21:00.374369+0000 IOTTest[37406:13207466] [tcp] tcp_input [C1.1:1] flags=[R.] seq=2839761587, ack=3563983437, win=509 state=ESTABLISHED rcv_nxt=2839761587, snd_una=3563983437
2021-03-16 19:21:00.376678+0000 IOTTest[37406:13207466] [connection] nw_read_request_report [C1] Receive failed with error "Connection reset by peer"
failure(POSIXErrorCode: Connection reset by peer)

So at least a response, although not the one I wanted. My conclusion is that it's definitely something to do with the certificate validation that's failing, whether that's because of the way I'm generating the certificate or the MQTT.Client setup I don't know. I have to stop for today now...

[adam-fowler]

The mosquitto server fails because its server certificate aren't that great and Network.framework is really strict. I couldn't get the mosquitto ones to work with transport services either. I did manage to get ones I rolled myself to work though.

Tomorrow I'll go through the process of creating AWS certificates etc and getting a working mqtt client. I have had it working in the past so hopefully I should get it working again.

[FleetPhil]

I'm glad to hear it's not me being a complete turkey! I have to say I didn't expect it to be this hard but there must be a way... thanks for your help it's appreciated

[adam-fowler]

Ok here is an end to end version of getting AWS IoT working with X.509 certificates. At least it worked for me

• Workout your endpoint. You need the AWS CLI for this aws iot describe-endpoint --endpoint-type iot:Data-ATS. Remember this you'll need it later
• Create a thing.
  • Select IOT Core -> Manage -> Things
  • Select Create a single thing
  • Give your thing a name
  • Press Next
  • Select create certificate
  • Download the certificate, public key and private key
  • Also download the Amazon CA certificate found here
  • Press Activate
• Create a Policy
  • Select IOT Core -> Secure -> Policies
  • Select Create
  • Give you policy a name and setup as follows (replacing {account-number} with your AWS account number)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Receive"
      ],
      "Resource": "arn:aws:iot:eu-west-1:{account-number}:topic/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:eu-west-1:{account-number}:topicfilter/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:eu-west-1:{account-number}:client/*"
    }
  ]
}

• attach the policy to your certificate
  • Go back to the things menu and select your thing
  • Select security and remember the id of the certificate attached
  • Select AWS IoT -> Secure -> Certificates
  • Select the certificate attached to your thing. It will have the id you just remembered
  • Click actions -> attach policy
  • Select the policy you just created and press Attach

You now have everything setup AWS side

• Create a p12 from the certificate and private key you downloaded earlier. When you are asked for a password enter one

openssl pkcs12 -export -in id-certificate.pem.crt -inkey id-private.pem.key -out id-identity.p12

• Create a der of the AmazonRootCA1.pem file you downloaded

openssl x509 -in AmazonRootCA1.pem -out AmazonRootCA1.der -outform DER

Now the code below should get you connected. This is assuming you have added the p12 and der files you created earlier into your bundle. You should replace {iot-endpoint} with the endpoint returned by aws iot describe-endpoint --endpoint-type iot:Data-ATS, and replace {password} with the password you provided when creating the p12

let hostname = "{iot-endpoint}"
let identifier = "my-mqtt-client"

func getTLSConfiguration() throws -> MQTTClient.TLSConfigurationType {
    let certificateURL = Bundle.main.url(forResource: "AmazonRootCA1.der", withExtension: nil)!
    let certificateData = try Data(contentsOf: certificateURL)
    let trustRootCertificates = SecCertificateCreateWithData(nil, certificateData as CFData).map { [$0] }
    let identityURL = Bundle.main.url(forResource: "id-identity.p12", withExtension: nil)!
    let identityData = try Data(contentsOf: identityURL)
    let options: [String: String] = [kSecImportExportPassphrase as String: "{password}"]
    var rawItems: CFArray?
    SecPKCS12Import(identityData as CFData, options as CFDictionary, &rawItems)
    let items = rawItems! as! Array<Dictionary<String, Any>>
    let firstItem = items[0]
    let identity = firstItem[kSecImportItemIdentity as String] as! SecIdentity?
    return .ts(TSTLSConfiguration(
        trustRoots: trustRootCertificates,
        clientIdentity: identity
    ))
}

func createClient() -> MQTTClient {
    guard let tlsConfiguration = try? getTLSConfiguration() else { preconditionFailure("Failed to create MQTTClient") }
    return MQTTClient(
        host: hostname,
        port: 8883,
        identifier: identifier,
        eventLoopGroupProvider: .createNew,
        logger: Logger(label: "MQTTAWS"),
        configuration: .init(useSSL: true, tlsConfiguration: tlsConfiguration)
    )
}

let client = createClient()
try client.connect().wait()

I hope this helps

[FleetPhil]

Adam, that was awesome!! No changes necessary for me in the AWS setup or certificates, it was the TLS configuration that was causing the issue, and your code worked first time. Without that I think it would have taken me a few months to work it out...!
Now I can get back to the actual app, not the mechanics of the connection from iOS to AWS.
Really appreciate your help with this
Thanks Phil

[adam-fowler]

Might write this as a blog post. There are so many places to go wrong. Last night I was hitting an issue because I forgot to activate the certificate.

[FleetPhil]

I agree, it might save a lot of time for anyone else trying to do the same. Just a couple of comments:

• the AWS IoT endpoint is also available from the AWS IoT console under Settings. This also confirms if the endpoint is enabled
• You assume the AWS region in the policy is eu-west-1, which might be different for other users and important to get right!