diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 93782a73dd..57c66024b0 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -113,7 +113,6 @@ build_template_app: - build variables: BATCH_BUILD: "1" - IDF_CI_BUILD: "1" only: variables: - $BOT_TRIGGER_WITH_LABEL == null @@ -248,7 +247,6 @@ build_esp_idf_tests_cmake: - $LOG_PATH expire_in: 2 days variables: - IDF_CI_BUILD: "1" LOG_PATH: "$CI_PROJECT_DIR/log_examples_make" only: variables: @@ -281,7 +279,6 @@ build_esp_idf_tests_cmake: - $LOG_PATH expire_in: 2 days variables: - IDF_CI_BUILD: "1" LOG_PATH: "$CI_PROJECT_DIR/log_examples_cmake" only: variables: diff --git a/examples/protocols/aws_iot/README.md b/examples/protocols/aws_iot/README.md index e64fcc8b57..4a898d1df5 100644 --- a/examples/protocols/aws_iot/README.md +++ b/examples/protocols/aws_iot/README.md 
@@ -14,6 +14,16 @@ The [Getting Started section of the AWS IoT Developer Guide](http://docs.aws.ama To build and use this example, follow all the AWS IoT Getting Started steps from the beginning ("Sign in to the AWS Iot Console") up until "Configuring Your Device". For configuring the device, these are the steps: +# Authentication (Based on X.509 certificates) + +### Device Authentication + +AWS IoT can use AWS IoT-generated certificates or certificates signed by a CA certificate for device authentication. To use a certificate that is not created by AWS IoT, you must register a CA certificate. All device certificates must be signed by the CA certificate you register. Please refer to guide at https://docs.aws.amazon.com/iot/latest/developerguide/device-certs-your-own.html for step-by-step instructions to register custom X.509 certificates. + +### Server Authentication + +Server certificates allow devices to verify that they're communicating with AWS IoT and not another server impersonating AWS IoT. By default [Amazon Root CA 1](https://www.amazontrust.com/repository/AmazonRootCA1.pem) (signed by Amazon Trust Services Endpoints CA) is embedded in applications, for more information please refer to https://docs.aws.amazon.com/iot/latest/developerguide/managing-device-certs.html#server-authentication + ## Configuring Your Device ### Installing Private Key & Certificate diff --git a/examples/protocols/aws_iot/subscribe_publish/main/CMakeLists.txt b/examples/protocols/aws_iot/subscribe_publish/main/CMakeLists.txt index d5fc09071e..bbbf02f131 100644 --- a/examples/protocols/aws_iot/subscribe_publish/main/CMakeLists.txt +++ b/examples/protocols/aws_iot/subscribe_publish/main/CMakeLists.txt 
@@ -6,23 +6,6 @@ register_component() if(CONFIG_EXAMPLE_EMBEDDED_CERTS) target_add_binary_data(${COMPONENT_NAME} "certs/aws-root-ca.pem" TEXT) - -if(NOT IDF_CI_BUILD) - add_custom_command(OUTPUT certs/certificate.pem.crt certs/private.pem.key - COMMAND echo "Dummy certificate data for continuous integration" > - certs/certificate.pem.crt - COMMAND echo "Dummy certificate data for continuous integration" > - certs/private.pem.key - WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} - VERBATIM) - add_custom_target(example_certificates DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/certs/certificate.pem.crt ${CMAKE_CURRENT_BINARY_DIR}/certs/private.pem.key) - - add_dependencies(${COMPONENT_NAME} example_certificates) - - target_add_binary_data(${COMPONENT_NAME} "${CMAKE_CURRENT_BINARY_DIR}/certs/certificate.pem.crt" TEXT) - target_add_binary_data(${COMPONENT_NAME} "${CMAKE_CURRENT_BINARY_DIR}/certs/private.pem.key" TEXT) -else() - target_add_binary_data(${COMPONENT_NAME} "certs/certificate.pem.crt" TEXT) - target_add_binary_data(${COMPONENT_NAME} "certs/private.pem.key" TEXT) +target_add_binary_data(${COMPONENT_NAME} "certs/certificate.pem.crt" TEXT) +target_add_binary_data(${COMPONENT_NAME} "certs/private.pem.key" TEXT) endif() -endif() \ No newline at end of file diff --git a/examples/protocols/aws_iot/subscribe_publish/main/certs/aws-root-ca.pem b/examples/protocols/aws_iot/subscribe_publish/main/certs/aws-root-ca.pem index b9514c5894..a6f3e92af5 100644 --- a/examples/protocols/aws_iot/subscribe_publish/main/certs/aws-root-ca.pem +++ b/examples/protocols/aws_iot/subscribe_publish/main/certs/aws-root-ca.pem 
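Review bot: With the CI fallback gone, the embedded-certs branch in this CMakeLists.txt gives the user no hint when certs/certificate.pem.crt or certs/private.pem.key is absent, while the Make build in component.mk keeps its `Missing PEM file ... see README` rule; the CMake build will instead stop with whatever error target_add_binary_data() raises for a missing input. A configure-time `if(NOT EXISTS ...)` check that ends in `message(FATAL_ERROR ...)` before the three target_add_binary_data() calls restores parity between the two build systems. The identical hunk in thing_shadow/main/CMakeLists.txt needs the same change. Because this branch compiles the device private key into the firmware image, a one-line comment above the block saying so would help readers choosing between this option and the SD-card one.
```cmake
if(CONFIG_EXAMPLE_EMBEDDED_CERTS)
    # Fail at configure time with the same guidance the Make build gives,
    # rather than an opaque embed error when the user-supplied files are absent.
    foreach(pem_file certs/certificate.pem.crt certs/private.pem.key)
        if(NOT EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/${pem_file}")
            message(FATAL_ERROR "Missing PEM file ${pem_file}. This file identifies the ESP32 to AWS for the example, see README for details.")
        endif()
    endforeach()
    # … unchanged: the three target_add_binary_data() calls …
endif()
```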
@@ -1,28 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB -yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL -ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp -U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW -ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 -aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL -MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW -ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln -biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp -U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y -aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1 -nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex -t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz -SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG -BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+ -rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/ -NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E -BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH -BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy -aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv -MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE -p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y -5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK -WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ -4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N -hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq ------END CERTIFICATE----- \ No newline at end of file +MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF +ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6 
+b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL +MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv +b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj +ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM +9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw +IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6 +VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L +93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm +jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA +A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI +U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs +N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv +o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU +5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy +rqXRfboQnoZsG4q5WTP468SQvvG5 +-----END CERTIFICATE----- diff --git a/examples/protocols/aws_iot/subscribe_publish/main/component.mk b/examples/protocols/aws_iot/subscribe_publish/main/component.mk index bc11b63933..401de47a5d 100644 --- a/examples/protocols/aws_iot/subscribe_publish/main/component.mk +++ b/examples/protocols/aws_iot/subscribe_publish/main/component.mk 
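Review bot: The trust anchor in certs/aws-root-ca.pem is swapped wholesale (the removed blob appears to decode to the VeriSign Class 3 G5 root, the added one to Amazon Root CA 1), and nothing in the diff lets a reviewer confirm the new PEM is genuine; before merging, compare its fingerprint with the copy published at the Amazon Trust Services URL the README hunk references, since whatever sits in this file decides which servers every device built from the example will accept. The same replacement appears in thing_shadow/main/certs/aws-root-ca.pem with the same blob index, so both copies should be checked, or better, served from one shared location so they cannot drift apart. Recording the source and fingerprint of the PEM next to the new Server Authentication section of the README would make future replacements reviewable.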
@@ -7,16 +7,8 @@ ifdef CONFIG_EXAMPLE_EMBEDDED_CERTS # from AWS, see README for details. COMPONENT_EMBED_TXTFILES := certs/aws-root-ca.pem certs/certificate.pem.crt certs/private.pem.key -ifndef IDF_CI_BUILD # Print an error if the certificate/key files are missing $(COMPONENT_PATH)/certs/certificate.pem.crt $(COMPONENT_PATH)/certs/private.pem.key: @echo "Missing PEM file $@. This file identifies the ESP32 to AWS for the example, see README for details." exit 1 -else # IDF_CI_BUILD -# this case is for the internal Continuous Integration build which -# compiles all examples. Add some dummy certs so the example can -# compile (even though it won't work) -$(COMPONENT_PATH)/certs/certificate.pem.crt $(COMPONENT_PATH)/certs/private.pem.key: - echo "Dummy certificate data for continuous integration" > $@ -endif endif diff --git a/examples/protocols/aws_iot/subscribe_publish/sdkconfig.ci b/examples/protocols/aws_iot/subscribe_publish/sdkconfig.ci new file mode 100644 index 0000000000..b59dfb8704 --- /dev/null +++ b/examples/protocols/aws_iot/subscribe_publish/sdkconfig.ci @@ -0,0 +1,2 @@ +# For CI build example assuming certificates stored on sdcard +CONFIG_EXAMPLE_SDCARD_CERTS=y diff --git a/examples/protocols/aws_iot/thing_shadow/main/CMakeLists.txt b/examples/protocols/aws_iot/thing_shadow/main/CMakeLists.txt index ee14baf02f..0e98592fcb 100644 --- a/examples/protocols/aws_iot/thing_shadow/main/CMakeLists.txt +++ b/examples/protocols/aws_iot/thing_shadow/main/CMakeLists.txt 
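Review bot: Setting CONFIG_EXAMPLE_SDCARD_CERTS=y in the new sdkconfig.ci means CI builds only the SD-card path, so the CONFIG_EXAMPLE_EMBEDDED_CERTS branch that the CMakeLists.txt and component.mk hunks still carry is no longer compiled anywhere in CI, and a breakage in the embed logic would surface only when a user enables it. If the CI system can build more than one configuration per example, keeping an embedded-certs configuration as well would preserve that coverage, though it would need some source for the files this commit stops generating. The comment line could also state the reason for the choice, e.g. `# CI has no device certificate or key; build the SD-card variant so the example compiles without embedding one`. The same file is added for thing_shadow and the remark applies there too.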
@@ -6,23 +6,6 @@ register_component() if(CONFIG_EXAMPLE_EMBEDDED_CERTS) target_add_binary_data(${COMPONENT_NAME} "certs/aws-root-ca.pem" TEXT) - -if(NOT IDF_CI_BUILD) - add_custom_command(OUTPUT certs/certificate.pem.crt certs/private.pem.key - COMMAND echo "Dummy certificate data for continuous integration" > - certs/certificate.pem.crt - COMMAND echo "Dummy certificate data for continuous integration" > - certs/private.pem.key - WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} - VERBATIM) - add_custom_target(example_certificates DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/certs/certificate.pem.crt ${CMAKE_CURRENT_BINARY_DIR}/certs/private.pem.key) - - add_dependencies(${COMPONENT_NAME} example_certificates) - - target_add_binary_data(${COMPONENT_NAME} "${CMAKE_CURRENT_BINARY_DIR}/certs/certificate.pem.crt" TEXT) - target_add_binary_data(${COMPONENT_NAME} "${CMAKE_CURRENT_BINARY_DIR}/certs/private.pem.key" TEXT) -else() - target_add_binary_data(${COMPONENT_NAME} "certs/certificate.pem.crt" TEXT) - target_add_binary_data(${COMPONENT_NAME} "certs/private.pem.key" TEXT) +target_add_binary_data(${COMPONENT_NAME} "certs/certificate.pem.crt" TEXT) +target_add_binary_data(${COMPONENT_NAME} "certs/private.pem.key" TEXT) endif() -endif() \ No newline at end of file diff --git a/examples/protocols/aws_iot/thing_shadow/main/certs/aws-root-ca.pem b/examples/protocols/aws_iot/thing_shadow/main/certs/aws-root-ca.pem index b9514c5894..a6f3e92af5 100644 --- a/examples/protocols/aws_iot/thing_shadow/main/certs/aws-root-ca.pem +++ b/examples/protocols/aws_iot/thing_shadow/main/certs/aws-root-ca.pem 
@@ -1,28 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB -yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL -ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp -U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW -ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 -aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL -MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW -ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln -biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp -U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y -aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1 -nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex -t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz -SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG -BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+ -rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/ -NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E -BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH -BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy -aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv -MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE -p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y -5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK -WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ -4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N -hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq ------END CERTIFICATE----- \ No newline at end of file +MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF +ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6 
+b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL +MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv +b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj +ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM +9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw +IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6 +VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L +93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm +jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA +A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI +U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs +N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv +o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU +5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy +rqXRfboQnoZsG4q5WTP468SQvvG5 +-----END CERTIFICATE----- diff --git a/examples/protocols/aws_iot/thing_shadow/main/component.mk b/examples/protocols/aws_iot/thing_shadow/main/component.mk index bc11b63933..401de47a5d 100644 --- a/examples/protocols/aws_iot/thing_shadow/main/component.mk +++ b/examples/protocols/aws_iot/thing_shadow/main/component.mk 
@@ -7,16 +7,8 @@ ifdef CONFIG_EXAMPLE_EMBEDDED_CERTS # from AWS, see README for details. COMPONENT_EMBED_TXTFILES := certs/aws-root-ca.pem certs/certificate.pem.crt certs/private.pem.key -ifndef IDF_CI_BUILD # Print an error if the certificate/key files are missing $(COMPONENT_PATH)/certs/certificate.pem.crt $(COMPONENT_PATH)/certs/private.pem.key: @echo "Missing PEM file $@. This file identifies the ESP32 to AWS for the example, see README for details." exit 1 -else # IDF_CI_BUILD -# this case is for the internal Continuous Integration build which -# compiles all examples. Add some dummy certs so the example can -# compile (even though it won't work) -$(COMPONENT_PATH)/certs/certificate.pem.crt $(COMPONENT_PATH)/certs/private.pem.key: - echo "Dummy certificate data for continuous integration" > $@ -endif endif diff --git a/examples/protocols/aws_iot/thing_shadow/sdkconfig.ci b/examples/protocols/aws_iot/thing_shadow/sdkconfig.ci new file mode 100644 index 0000000000..b59dfb8704 --- /dev/null +++ b/examples/protocols/aws_iot/thing_shadow/sdkconfig.ci @@ -0,0 +1,2 @@ +# For CI build example assuming certificates stored on sdcard +CONFIG_EXAMPLE_SDCARD_CERTS=y