MQTT TLS on Google cloud - invalid JWT generated

I'm trying to connect to our thing on Google Cloud IoT Core, but I get an error when trying to connect using  

status = nxd_mqtt_client_secure_connect(&g_mqtt_client0, &broker_address, NXD_MQTT_TLS_PORT,
NX_MQTT_tls_setup, 0, NX_TRUE, NX_WAIT_FOREVER);

I figure out the cause is in nx_secure_tls_session_start.c, function _nx_secure_tls_handshake_process that Fails with 56 (0x38) error (NX_NOT_CONNECTED 0x38)

Then looking at the JWT that is generated, I've checked on jwt.io (a website) and gets me invalid JWT.

Note that I have RootCA certificate, device certificate and device private key (in pem format) and they work just fine with Python (just checking certificates and key are correct, and server address/ TLS is working), in fact the JWT generated in python gets me "genuine" under the same jwt.io website validator.

I dont' get any errors while loading certificates and key on netx secure, so I'm guessing is the way I pad or calculate the JWT is not correct, I'm using the same base64 and JWT create functions that you use in the MQTT_tls google cloud example project.

Root certificate and device certificate are converted first to .der (using openssl) and then to binary array using the hexy.exe tool.

Private key is converted first to pkcs1.pem, then to .der and finally to binary array.

All the CA certificate, device certificate and private key are loaded into some header files and included in my project.

Some code, after I establish an IP layer through Wifi, following:

//> SNTP gets time, I save timestamp and call get_time() when I need it (to generate JWT) - no errors here

//> DNS to get IP address of Google Cloud endpoint - no errors here

//>Init of mqtt packet pool and client - all good

Then init and store of certificates, I get no errors in the following:

status = nx_secure_tls_session_create(&g_mqtt_client0.nxd_mqtt_tls_session,
(NX_SECURE_TLS_CRYPTO *) &nx_crypto_tls_ciphers_synergys7,
crypto_metadata,
sizeof(crypto_metadata));

status = nx_secure_tls_session_packet_buffer_set(&g_mqtt_client0.nxd_mqtt_tls_session,
tls_packet_buffer,
sizeof(tls_packet_buffer));

//---------------------

char *temp_str = "unused";

for(UINT i = 0; i < sizeof(temp_str); i++)
{
username[i] = temp_str[i];
}

//Password is the JWT generated using realtime timestamp (epoch) and IoT thing private key
//rsa_private_pkcs1, RSA_PRIVATE_LEN
jwt_expiration = JWT_EXPIRATION_SECS;

/* Generate JWT */
if (jwt_create(password, sizeof(password), &jwt_expiration,
rsa_private_pkcs1, RSA_PRIVATE_LEN, (CHAR*) &project_id))
{
HSP_APP_LOG(HSP_LOG_LEVEL_ERROR,"Unable to create JWT. Aborting.\r\n");
__BKPT(0);
}

HSP_APP_LOG(HSP_LOG_LEVEL_DEBUG,"JWT token created successfully %s\n============", password);
//set login
status = nxd_mqtt_client_login_set(&g_mqtt_client0, username, strlen(username),
(char *)password, strlen((char *)password));
if(status){
HSP_APP_LOG(HSP_LOG_LEVEL_ERROR,"tnxd_mqtt_client_login_set error %d", status);
__BKPT(0);
}

//---------------------------------- after this, I get back the error described above.

///> In nx_secure_tls_session_start.c
///> function _nx_secure_tls_handshake_process Fails with 56 (0x38) error
///> (NX_NOT_CONNECTED 0x38)

status = nxd_mqtt_client_secure_connect(&g_mqtt_client0, &broker_address, NXD_MQTT_TLS_PORT,
NX_MQTT_tls_setup, 0, NX_TRUE, NX_WAIT_FOREVER);

if(status){
HSP_APP_LOG(HSP_LOG_LEVEL_ERROR,"nxd_mqtt_client_secure_connect error %d", status);
__BKPT(0);
}

__BKPT(0);

I include my project file, so maybe somebody can address me on how to properly generate the JWT, as the following is not getting me a proper JWT.

https://www.filemail.com/d/hacpvrjcfpuxwnd

Is the certs/private key conversion and handling correct?

Do I need to change padding/ crypto functions in the JWT header/payload/signature generation?

Unfortunately I can not find any more info on this topic, as normally a jwt library is used to generate hash and create the token, but I want to make use of the hardware secure engine.

Any info/hints very welcome. 

I can share certs/keys if you want to check, but basically If I get a valid JWT generated I think we are half way there.

Generated JWT:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJoNG5oNDQtMSIsImV4cCI6MTYzMDQyMTE3OCwiaWF0IjoxNjMwNDIwODc4fQ==.SbNIiu23b0w9udd8jlICsW/cQqsbMgKvzQlSmga8mseI3hVAwW001YQ9QmLPc7Y3z8bE8ndYJXE3lO4UA39M4D6G/KyrybRnzQkFfevRm4qw8NekOsENPEse25YGNpzydKcVHvomHMBm8r797ApH2Z0Xs3FD2e+EgnS3GkQ4bYVxscMmDFqd/m5IWJPz8mZiwuN3+LXK2gVOF798wObXY7L7q8EWycV2QbeDOQlEkVyG1SFTwudM0Y+Geppsli5uUrscEq5ipT/rgIaIFuqUcvykH9IZm/sLHXh54UYIkaAlHdzGyWTr+50cV4X+9ZWwTcfQdrRcECKIsSgeC/JyHw==

(note the == characters generated, I suspect shouldn't be there)

and so: [0000002235][new_thread0_entry.c:0395] - nxd_mqtt_client_secure_connect error 65541

I'm on S5D9, SSP1.7.8 e2Studio. NetX Duo.

Thanks a lot.

S

Parents Reply Children
No Data