Merge branch 'feature/enable_tls_with_secure_element' into 'master'

esp-mqtt: add support for tls with secure element (ATECC608A)

See merge request espressif/esp-mqtt!66

include/mqtt_client.h

@@ -183,6 +183,7 @@ typedef struct {
     esp_mqtt_protocol_ver_t protocol_ver;   /*!< MQTT protocol version used for connection, defaults to value from menuconfig*/
     int out_buffer_size;                    /*!< size of MQTT output buffer. If not defined, both output and input buffers have the same size defined as ``buffer_size`` */
     bool skip_cert_common_name_check;       /*!< Skip any validation of server certificate CN field, this reduces the security of TLS and makes the mqtt client susceptible to MITM attacks  */
+    bool use_secure_element;                /*!< enable secure element for enabling SSL connection */
 } esp_mqtt_client_config_t;
 
 /**

include/mqtt_supported_features.h

@@ -46,6 +46,7 @@
 #define MQTT_SUPPORTED_FEATURE_DER_CERTIFICATES
 #define MQTT_SUPPORTED_FEATURE_ALPN
 #define MQTT_SUPPORTED_FEATURE_CLIENT_KEY_PASSWORD
+#define MQTT_SUPPORTED_FEATURE_SECURE_ELEMENT
 #endif
 #endif
 

mqtt_client.c

@@ -81,6 +81,7 @@ typedef struct {
     size_t clientkey_bytes;
     const struct psk_key_hint *psk_hint_key;
     bool skip_cert_common_name_check;
+    bool use_secure_element;
 } mqtt_config_storage_t;
 
 typedef enum {
@@ -206,6 +207,17 @@ static esp_err_t esp_mqtt_set_ssl_transport_properties(esp_transport_list_handle
                      goto esp_mqtt_set_transport_failed);
     }
 
+    if (cfg->use_secure_element) {
+#if defined(MQTT_SUPPORTED_FEATURE_SECURE_ELEMENT) && (CONFIG_ESP_TLS_USE_SECURE_ELEMENT)
+        esp_transport_ssl_use_secure_element(ssl);
+#ifdef CONFIG_ATECC608A_TCUSTOM
+        ESP_OK_CHECK(TAG, esp_mqtt_set_cert_key_data(ssl, MQTT_SSL_DATA_API_CLIENT_CERT, cfg->clientcert_buf, cfg->clientcert_bytes),
+                    goto esp_mqtt_set_transport_failed);
+#endif
+#else
+        ESP_LOGE(TAG, "secure element not enabled for esp-tls in menuconfig");
+#endif
+    }
     ESP_OK_CHECK(TAG, esp_mqtt_set_cert_key_data(ssl, MQTT_SSL_DATA_API_CLIENT_CERT, cfg->clientcert_buf, cfg->clientcert_bytes),
                  goto esp_mqtt_set_transport_failed);
     ESP_OK_CHECK(TAG, esp_mqtt_set_cert_key_data(ssl, MQTT_SSL_DATA_API_CLIENT_KEY, cfg->clientkey_buf, cfg->clientkey_bytes),
@@ -428,6 +440,7 @@ esp_err_t esp_mqtt_set_config(esp_mqtt_client_handle_t client, const esp_mqtt_cl
     cfg->clientkey_bytes = config->client_key_len;
     cfg->psk_hint_key = config->psk_hint_key;
     cfg->skip_cert_common_name_check = config->skip_cert_common_name_check;
+    cfg->use_secure_element = config->use_secure_element;
 
     if (config->clientkey_password && config->clientkey_password_len) {
         cfg->clientkey_password_len = config->clientkey_password_len;