From b35a69121c14c226a9fbe4ef54df640d677ec830 Mon Sep 17 00:00:00 2001
From: "hrushikesh.bhosale"
Date: Mon, 12 May 2025 12:03:32 +0530
Subject: [PATCH] feat(mqtt): Add support for ECDSA signing
Added support for ECDSA signing in MQTT.
---
 include/mqtt_client.h | 2 ++
 include/mqtt_supported_features.h | 5 +++++
 lib/include/mqtt_client_priv.h | 2 ++
 mqtt_client.c | 17 +++++++++++++++++
 4 files changed, 26 insertions(+)
diff --git a/include/mqtt_client.h b/include/mqtt_client.h
index ea187e5..0b4df87 100644
--- a/include/mqtt_client.h
+++ b/include/mqtt_client.h
@@ -308,6 +308,8 @@ typedef struct esp_mqtt_client_config_t {
 bool use_secure_element; /*!< Enable secure element, available in ESP32-ROOM-32SE, for SSL connection */
 void *ds_data; /*!< Carrier of handle for digital signature parameters, digital signature peripheral is available in some Espressif devices. It's not copied nor freed by the client, user needs to clean up.*/
+ bool use_ecdsa_peripheral; /*!< Enable ECDSA peripheral, available in some Espressif devices. */
+ uint8_t ecdsa_key_efuse_blk; /*!< ECDSA key block number from efuse, available in some Espressif devices. */
 } authentication; /*!< Client authentication */
 } credentials; /*!< User credentials for broker */
 /**
diff --git a/include/mqtt_supported_features.h b/include/mqtt_supported_features.h
index 42516c0..982ef34 100644
--- a/include/mqtt_supported_features.h
+++ b/include/mqtt_supported_features.h
@@ -69,6 +69,11 @@
 #define MQTT_SUPPORTED_FEATURE_CRT_CMN_NAME
 #endif
+#if ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(5, 3, 0)
+// Features supported in 5.3.0
+#define MQTT_SUPPORTED_FEATURE_ECDSA_PERIPHERAL
+#endif
+
 #endif /* ESP_IDF_VERSION */
 #endif // _MQTT_SUPPORTED_FEATURES_H_
diff --git a/lib/include/mqtt_client_priv.h b/lib/include/mqtt_client_priv.h
index 235631f..4aa0a9f 100644
--- a/lib/include/mqtt_client_priv.h
+++ b/lib/include/mqtt_client_priv.h
@@ -96,6 +96,8 @@ typedef struct {
 const char *common_name;
 bool use_secure_element;
 void *ds_data;
+ bool use_ecdsa_peripheral;
+ uint8_t ecdsa_key_efuse_blk;
 int message_retransmit_timeout;
 uint64_t outbox_limit;
 esp_transport_handle_t transport;
diff --git a/mqtt_client.c b/mqtt_client.c
index 4ac2275..d062e7a 100644
--- a/mqtt_client.c
+++ b/mqtt_client.c
@@ -231,6 +231,21 @@ static esp_err_t esp_mqtt_set_ssl_transport_properties(esp_transport_list_handle
 goto esp_mqtt_set_transport_failed;
 #endif
 }
+
+ if (cfg->use_ecdsa_peripheral) {
+#ifdef MQTT_SUPPORTED_FEATURE_ECDSA_PERIPHERAL
+#ifdef CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN
+ esp_transport_ssl_set_client_key_ecdsa_peripheral(ssl, cfg->ecdsa_key_efuse_blk);
+#else
+ ESP_LOGE(TAG, "ECDSA peripheral not enabled for esp-tls in menuconfig");
+ goto esp_mqtt_set_transport_failed;
+#endif /* CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN */
+#else
+ ESP_LOGE(TAG, "ECDSA peripheral feature is not available in IDF version %s", IDF_VER);
+ goto esp_mqtt_set_transport_failed;
+#endif /* MQTT_SUPPORTED_FEATURE_ECDSA_PERIPHERAL */
+ }
+
 ESP_OK_CHECK(TAG, esp_mqtt_set_cert_key_data(ssl, MQTT_SSL_DATA_API_CLIENT_CERT, cfg->clientcert_buf, cfg->clientcert_bytes), goto esp_mqtt_set_transport_failed);
 ESP_OK_CHECK(TAG, esp_mqtt_set_cert_key_data(ssl, MQTT_SSL_DATA_API_CLIENT_KEY, cfg->clientkey_buf, cfg->clientkey_bytes),
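Review bot: The two fields added after `void *ds_data;` are undocumented, and with them the private config carries three settings (use_secure_element, ds_data, use_ecdsa_peripheral) that presumably are alternative ways of supplying the client private key, with no stated precedence. I would add above `bool use_ecdsa_peripheral;` a comment such as `/* Sign with the ECDSA peripheral using the key in efuse block ecdsa_key_efuse_blk; presumably exclusive with use_secure_element/ds_data and clientkey_buf — confirm against esp_mqtt_set_ssl_transport_properties */`, and mirror the same precedence statement on the public fields in the include/mqtt_client.h hunk. Nothing in the patch range-checks ecdsa_key_efuse_blk before it is handed to esp_transport_ssl_set_client_key_ecdsa_peripheral in the mqtt_client.c hunk, and esp_mqtt_set_config copies both fields without rejecting a configuration that enables more than one key source; if the transport layer does not validate these, esp_mqtt_set_config is the natural place to do it, since an out-of-range or wrong block number would at best fail only at handshake time. The typedef struct this hunk belongs to starts and ends outside the hunk.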
@@ -570,6 +585,8 @@ esp_err_t esp_mqtt_set_config(esp_mqtt_client_handle_t client, const esp_mqtt_cl
 client->config->common_name = config->broker.verification.common_name;
 client->config->use_secure_element = config->credentials.authentication.use_secure_element;
 client->config->ds_data = config->credentials.authentication.ds_data;
+ client->config->use_ecdsa_peripheral = config->credentials.authentication.use_ecdsa_peripheral;
+ client->config->ecdsa_key_efuse_blk = config->credentials.authentication.ecdsa_key_efuse_blk;
 if (config->credentials.authentication.key_password && config->credentials.authentication.key_password_len) {
 client->config->clientkey_password_len = config->credentials.authentication.key_password_len;