Added unit test to setup Mqtt Connect through EC-based certificate and key (#545)

* adding ecc key unit test

* revert test api changes, keep the original api unchanged

* fix ecc private key variable name

* update README with ecc related test parameters

* update c-io

* update c-common

* update java test arguments

* rename parameter to make it clear

* rename test context

Author: xiazhvera

.builder/actions/aws_crt_java_test.py

@@ -22,11 +22,14 @@ def run(self, env):
 
         endpoint = env.shell.get_secret("unit-test/endpoint")
 
-        with self._write_secret_to_temp_file(env, "unit-test/rootca") as root_ca_file, self._write_secret_to_temp_file(env, "unit-test/certificate") as cert_file, self._write_secret_to_temp_file(env, "unit-test/privatekey") as key_file:
+        with self._write_secret_to_temp_file(env, "unit-test/rootca") as root_ca_file, self._write_secret_to_temp_file(env, "unit-test/certificate") as cert_file, \
+        self._write_secret_to_temp_file(env, "unit-test/privatekey") as key_file, self._write_secret_to_temp_file(env, "ecc-test/certificate") as ecc_cert_file, \
+        self._write_secret_to_temp_file(env, "ecc-test/privatekey") as ecc_key_file:
 
             test_command = "mvn -P continuous-integration -B test -DredirectTestOutputToFile=true -DreuseForks=false " \
                 "-DrerunFailingTestsCount=5 -Daws.crt.memory.tracing=2 -Daws.crt.debugnative=true -Daws.crt.ci=true " \
-                "-Dendpoint={} -Dcertificate={} -Dprivatekey={} -Drootca={}".format(endpoint, cert_file.name, key_file.name, root_ca_file.name)
+                "-Dendpoint={} -Dcertificate={} -Dprivatekey={} -Drootca={} -Decc_certificate={} -Decc_privatekey={}".format(endpoint, \
+                cert_file.name, key_file.name, root_ca_file.name, ecc_cert_file.name, ecc_key_file.name)
 
             all_test_result = os.system(test_command)
 

README.md

@@ -78,6 +78,8 @@ Full list of test arguments:
 - `certificate`: Path to the IoT thing certificate
 - `privatekey`: Path to the IoT thing private key
 - `privatekey_p8`: Path to the IoT thing private key in PKCS#8 format
+- `ecc_certificate`: Path to the IoT thing with EC-based certificate
+- `ecc_privatekey`: Path to the IoT thing with ECC private key (The ECC key file should only contains the ECC Private Key section to working on MacOS.)
 - `rootca`: Path to the root certificate
 - `proxyhost`: Hostname of proxy
 - `proxyport`: Port of proxy

android/crt/src/androidTest/assets/README.md

@@ -3,5 +3,7 @@ ca-certificates.crt - Taken from any recent Linux /etc/ssl
 certificate.pem - IoT Thing Certificate
 privatekey.pem - IoT Thing Private Key
 privatekey_p8.pem - IoT Thing Private Key in PKCS#8 format
+ecc_certificate.pem - IoT Thing Certificate for ECC private key
+ecc_privatekey.pem - IoT Thing ECC Private Key
 endpoint.txt - IoT ATS Endpoint
 AmazonRootCA1.pem - Available from https://www.amazontrust.com/repository/AmazonRootCA1.pem

android/crt/src/androidTest/java/software/amazon/awssdk/crt/test/android/CrtPlatformImpl.java

@@ -52,6 +52,8 @@ public void testSetup(Object context) {
         ctx.trustStore = assetContents("ca-certificates.crt");
         ctx.iotClientCertificate = assetContents("certificate.pem");
         ctx.iotClientPrivateKey = assetContents("privatekey.pem");
+        ctx.iotClientECCPrivateKey = assetContents("ecc_privatekey.pem");
+        ctx.iotClientECCCertificate = assetContents("ecc_certificate.pem");
         byte[] endpoint = assetContents("endpoint.txt");
         if (endpoint != null) {
             ctx.iotEndpoint = new String(endpoint).trim();

codebuild/common-linux.sh

@@ -13,6 +13,8 @@ git submodule update --init
 curl https://www.amazontrust.com/repository/AmazonRootCA1.pem --output /tmp/AmazonRootCA1.pem
 cert=$(aws secretsmanager get-secret-value --secret-id "unit-test/certificate" --query "SecretString" | cut -f2 -d":" | cut -f2 -d\") && echo -e "$cert" > /tmp/certificate.pem
 key=$(aws secretsmanager get-secret-value --secret-id "unit-test/privatekey" --query "SecretString" | cut -f2 -d":" | cut -f2 -d\") && echo -e "$key" > /tmp/privatekey.pem
+ecc_cert=$(aws secretsmanager get-secret-value --secret-id "ecc-test/certificate" --query "SecretString" | cut -f2 -d":" | cut -f2 -d\") && echo -e "$cert" > /tmp/ecc_certificate.pem
+ecc_privatekey=$(aws secretsmanager get-secret-value --secret-id "ecc-test/privatekey" --query "SecretString" | cut -f2 -d":" | cut -f2 -d\") && echo -e "$key" > /tmp/ecc_privatekey.pem
 key_p8=$(aws secretsmanager get-secret-value --secret-id "unit-test/privatekey-p8" --query "SecretString" | cut -f2 -d":" | cut -f2 -d\") && echo -e "$key_p8" > /tmp/privatekey_p8.pem
 ENDPOINT=$(aws secretsmanager get-secret-value --secret-id "unit-test/endpoint" --query "SecretString" | cut -f2 -d":" | sed -e 's/[\\\"\}]//g')
 
@@ -26,6 +28,8 @@ mvn -B test $* \
     -Dendpoint=$ENDPOINT \
     -Dcertificate=/tmp/certificate.pem \
     -Dprivatekey=/tmp/privatekey.pem \
+    -Decc_certificate=/tmp/ecc_certificate.pem \
+    -Decc_privatekey=/tmp/ecc_privatekey.pem \
     -Drootca=/tmp/AmazonRootCA1.pem \
     -Dprivatekey_p8=/tmp/privatekey_p8.pem \
     -Daws.crt.debugnative=true \

crt/aws-c-common

@@ -407,6 +407,8 @@
                     <systemPropertyVariables>
                         <certificate>${crt.test.certificate}</certificate>
                         <privatekey>${crt.test.privatekey}</privatekey>
+                        <ecc_certificate>${crt.test.ecc_certificate}</ecc_certificate>
+                        <ecc_privatekey>${crt.test.ecc_privatekey}</ecc_privatekey>
                         <endpoint>${crt.test.endpoint}</endpoint>
                         <rootca>${crt.test.rootca}</rootca>
                         <privatekey_p8>${crt.test.privatekey_p8}</privatekey_p8>

crt/aws-c-io

@@ -13,8 +13,12 @@ public class CrtTestContext {
     public byte[] iotClientCertificate = null;
     // IoT Thing private key for testing
     public byte[] iotClientPrivateKey = null;
+    // IoT Thing ecc certificate for testing
+    public byte[] iotClientEccCertificate = null;
+    // IoT Thing ecc private key for testing
+    public byte[] iotClientEccPrivateKey = null;
     // IoT ATS endpoint for testing
     public String iotEndpoint = null;
     // IoT CA Root
     public byte[] iotCARoot = null;
-}
+}

pom.xml

@@ -48,6 +48,8 @@ public class MqttClientConnectionFixture extends CrtTestFixture {
     static final String TEST_ENDPOINT = System.getProperty("endpoint");
     static final String TEST_CERTIFICATE = System.getProperty("certificate");
     static final String TEST_PRIVATEKEY = System.getProperty("privatekey");
+    static final String TEST_ECC_CERTIFICATE = System.getProperty("ecc_certificate");
+    static final String TEST_ECC_PRIVATEKEY = System.getProperty("ecc_privatekey");
     static final String TEST_ROOTCA = System.getProperty("rootca");
     static final short TEST_PORT = 8883;
     static final short TEST_PORT_ALPN = 443;
@@ -62,13 +64,18 @@ public class MqttClientConnectionFixture extends CrtTestFixture {
     String caRoot = null;
     String iotEndpoint = null;
 
+    enum AUTH_KEY_TYPE {
+        RSA,
+        ECC
+    }
+
     Consumer<MqttConnectionConfig> connectionConfigTransformer = null;
 
     protected void setConnectionConfigTransformer(Consumer<MqttConnectionConfig> connectionConfigTransformer) {
         this.connectionConfigTransformer = connectionConfigTransformer;
     }
 
-    private boolean findCredentials() {
+    private boolean findCredentials(AUTH_KEY_TYPE key_type) {
         CrtTestContext ctx = getContext();
 
         // For each parameter, check the context first, then check the file system/system properties
@@ -87,7 +94,7 @@ private boolean findCredentials() {
             }
             iotEndpoint = ctx.iotEndpoint;
 
-            if (ctx.iotClientCertificate == null) {
+            if (key_type == AUTH_KEY_TYPE.RSA && ctx.iotClientCertificate == null) {
                 pathToCert = TEST_CERTIFICATE != null? Paths.get(TEST_CERTIFICATE) : null;
                 if (pathToCert == null || pathToCert.toString().equals("")) {
                     throw new MissingCredentialsException("Certificate not provided");
@@ -97,10 +104,19 @@ private boolean findCredentials() {
                 }
                 ctx.iotClientCertificate = Files.readAllBytes(pathToCert);
             }
-            certificatePem = new String(ctx.iotClientCertificate);
+            else if (key_type == AUTH_KEY_TYPE.ECC && ctx.iotClientEccCertificate == null) {
+                pathToCert = TEST_ECC_CERTIFICATE != null? Paths.get(TEST_ECC_CERTIFICATE) : null;
+                if (pathToCert == null || pathToCert.toString().equals("")) {
+                    throw new MissingCredentialsException("Certificate not provided");
+                }
+                if (!pathToCert.toFile().exists()) {
+                    throw new MissingCredentialsException("Certificate could not be found at " + pathToCert);
+                }
+                ctx.iotClientEccCertificate = Files.readAllBytes(pathToCert);
+            }
 
-            if (ctx.iotClientPrivateKey == null) {
-                pathToKey = TEST_PRIVATEKEY != null ? Paths.get(TEST_PRIVATEKEY) : null;
+            if (key_type == AUTH_KEY_TYPE.RSA && ctx.iotClientPrivateKey == null) {
+                pathToKey = TEST_PRIVATEKEY != null? Paths.get(TEST_PRIVATEKEY) : null;
                 if (pathToKey == null || pathToKey.toString().equals("")) {
                     throw new MissingCredentialsException("Private key not provided");
                 }
@@ -109,7 +125,27 @@ private boolean findCredentials() {
                 }
                 ctx.iotClientPrivateKey = Files.readAllBytes(pathToKey);
             }
-            privateKeyPem = new String(ctx.iotClientPrivateKey);
+            else if (key_type == AUTH_KEY_TYPE.ECC && ctx.iotClientEccPrivateKey == null) {
+                pathToKey = TEST_ECC_PRIVATEKEY != null? Paths.get(TEST_ECC_PRIVATEKEY) : null;
+                if (pathToKey == null || pathToKey.toString().equals("")) {
+                    throw new MissingCredentialsException("Private key not provided");
+                }
+                if (!pathToKey.toFile().exists()) {
+                    throw new MissingCredentialsException("Private key could not be found at " + pathToKey);
+                }
+                ctx.iotClientEccPrivateKey = Files.readAllBytes(pathToKey);
+            }
+
+            if( key_type == AUTH_KEY_TYPE.ECC)
+            {
+                certificatePem = new String(ctx.iotClientEccCertificate);
+                privateKeyPem = new String(ctx.iotClientEccPrivateKey);
+            }
+            else if(key_type == AUTH_KEY_TYPE.RSA)
+            {
+                certificatePem = new String(ctx.iotClientCertificate);
+                privateKeyPem = new String(ctx.iotClientPrivateKey);
+            }
 
             return true;
         } catch (InvalidPathException ex) {
@@ -147,9 +183,12 @@ boolean connect(boolean cleanSession, int keepAliveSecs, int protocolOperationTi
         return connect(cleanSession, keepAliveSecs, protocolOperationTimeout, null);
     }
 
-    boolean connect(boolean cleanSession, int keepAliveSecs, int protocolOperationTimeout, Consumer<MqttMessage> anyMessageHandler) {
-        Assume.assumeTrue(findCredentials());
+    boolean connectECC() {
+        return connectWithKeyType(false, 0, 0, null, AUTH_KEY_TYPE.ECC);
+    }
 
+    boolean connectDirect(boolean cleanSession, int keepAliveSecs, int protocolOperationTimeout, Consumer<MqttMessage> anyMessageHandler)
+    {
         MqttClientConnectionEvents events = new MqttClientConnectionEvents() {
             @Override
             public void onConnectionResumed(boolean sessionPresent) {
@@ -212,6 +251,17 @@ public void onConnectionInterrupted(int errorCode) {
         return false;
     }
 
+    boolean connect(boolean cleanSession, int keepAliveSecs, int protocolOperationTimeout, Consumer<MqttMessage> anyMessageHandler)
+    {
+        Assume.assumeTrue(findCredentials(AUTH_KEY_TYPE.RSA));
+        return connectDirect(cleanSession,keepAliveSecs,protocolOperationTimeout, anyMessageHandler);
+    }
+
+    boolean connectWithKeyType(boolean cleanSession, int keepAliveSecs, int protocolOperationTimeout, Consumer<MqttMessage> anyMessageHandler, AUTH_KEY_TYPE type) {
+        Assume.assumeTrue(findCredentials(type));
+        return connectDirect(cleanSession,keepAliveSecs,protocolOperationTimeout, anyMessageHandler);
+    }
+
     void disconnect() {
         disconnecting = true;
         try {