add pkcs11 sample

Author: xiazhvera

.github/workflows/ci.yml

@@ -240,7 +240,7 @@ jobs:
         run: |
           cd ${{ env.CI_FOLDER }}
           echo "Starting to run AppVerifier with mqtt5 pub-sub sample"
-          python ${{ env.CI_UTILS_FOLDER }}/appverifier_launch_sample.py --sample_file ".\aws-iot-device-sdk-cpp-v2\build\samples\mqtt5\mqtt5_pubsub\RelWithDebInfo\mqtt5_x509.exe" --sample_secret_endpoint 'ci/endpoint' --sample_secret_certificate 'ci/mqtt5/us/mqtt5_thing/cert' --sample_secret_private_key 'ci/mqtt5/us/mqtt5_thing/key'
+          python ${{ env.CI_UTILS_FOLDER }}/appverifier_launch_sample.py --sample_file ".\aws-iot-device-sdk-cpp-v2\build\samples\mqtt\mqtt5_x509\RelWithDebInfo\mqtt5_x509.exe" --sample_secret_endpoint 'ci/endpoint' --sample_secret_certificate 'ci/mqtt5/us/mqtt5_thing/cert' --sample_secret_private_key 'ci/mqtt5/us/mqtt5_thing/key'
 
   windows-shared-lib:
     runs-on: windows-latest

samples/mqtt/mqtt5_pkcs11/CMakeLists.txt

@@ -0,0 +1,27 @@
+cmake_minimum_required(VERSION 3.9...3.31)
+# note: cxx-17 requires cmake 3.8, cxx-20 requires cmake 3.12
+project(mqtt5_pkcs11 CXX)
+
+file(GLOB SRC_FILES
+       "*.cpp"
+)
+
+add_executable(${PROJECT_NAME} ${SRC_FILES})
+
+set_target_properties(${PROJECT_NAME} PROPERTIES
+    CXX_STANDARD 14)
+
+#set warnings
+if (MSVC)
+    target_compile_options(${PROJECT_NAME} PRIVATE /W4 /WX /wd4068)
+else ()
+    target_compile_options(${PROJECT_NAME} PRIVATE -Wall -Wno-long-long -pedantic -Werror)
+endif ()
+
+find_package(aws-crt-cpp REQUIRED)
+
+include(AwsSanitizers)
+enable_language(C)
+aws_add_sanitizers(${PROJECT_NAME})
+
+target_link_libraries(${PROJECT_NAME} PRIVATE AWS::aws-crt-cpp)

samples/mqtt/mqtt5_pkcs11/README.md

@@ -0,0 +1,186 @@
+# MQTT5 PKCS#11 PubSub
+
+[**Return to main sample list**](../../README.md)
+
+*__Jump To:__*
+* [Introduction](#introduction)
+* [Requirements](#requirements)
+* [How To Build](#how-to-build)
+* [How To Run](#how-to-run)
+* [Run Sample with Soft HSM](#run-sample-with-softhsm)
+* [Additional Information](#additional-information)
+
+## Introduction
+This sample is similar to the [MQTT5 X509](../mqtt5_x509/) sample in that it connects via Mutual TLS (mTLS) using a certificate and key file. However, unlike the x509 sample where the certificate and private key file are stored on disk, this sample uses a PKCS#11 compatible smart card or Hardware Security Module (HSM) to store and access the private key file. This adds a layer of security because the private key file is not openly on the computer but instead is hidden securely away behind the PKCS#11 device.
+
+You can read more about MQTT5 for the CPP IoT Device SDK V2 in the [MQTT5 user guide](../../../documents/MQTT5_Userguide.md).
+
+## Requirements
+
+**WARNING: Unix (Linux) only**. Currently, TLS integration with PKCS#11 is only available on Unix devices.
+
+This sample assumes you have the required AWS IoT resources available. Information about AWS IoT can be found [HERE](https://docs.aws.amazon.com/iot/latest/developerguide/what-is-aws-iot.html) and instructions on creating AWS IoT resources (AWS IoT Policy, Device Certificate, Private Key) can be found [HERE](https://docs.aws.amazon.com/iot/latest/developerguide/create-iot-resources.html).
+
+Your IoT Core Thing's [Policy](https://docs.aws.amazon.com/iot/latest/developerguide/iot-policies.html) must provide privileges for this sample to connect, subscribe, publish, and receive. Below is a sample policy that can be used on your IoT Core Thing that will allow this sample to run as intended.
+
+<details>
+<summary>(see sample policy)</summary>
+<pre>
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iot:Publish",
+        "iot:Receive"
+      ],
+      "Resource": [
+        "arn:aws:iot:<b>region</b>:<b>account</b>:topic/test/topic"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iot:Subscribe"
+      ],
+      "Resource": [
+        "arn:aws:iot:<b>region</b>:<b>account</b>:topicfilter/test/topic"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iot:Connect"
+      ],
+      "Resource": [
+        "arn:aws:iot:<b>region</b>:<b>account</b>:client/mqtt5-sample-*"
+      ]
+    }
+  ]
+}
+</pre>
+
+Replace with the following with the data from your AWS account:
+* `<region>`: The AWS IoT Core region where you created your AWS IoT Core thing you wish to use with this sample. For example `us-east-1`.
+* `<account>`: Your AWS IoT Core account ID. This is the set of numbers in the top right next to your AWS account name when using the AWS IoT Core website.
+
+Note that in a real application, you may want to avoid the use of wildcards in your ClientID or use them selectively. Please follow best practices when working with AWS on production applications using the SDK. Also, for the purposes of this sample, please make sure your policy allows a client ID of `mqtt5-sample-*` to connect or use `--client_id <client ID here>` to send the client ID your policy supports.
+
+</details>
+
+## How to build
+
+To build the sample, change directory into the samples, and run the cmake commands
+```sh
+cd samples/mqtt/mqtt5_pkcs11/
+# If you followed the SDK build instruction, you would use the path to `sdk-workspace` folder for `CMAKE_PREFIX_PATH` here
+cmake -B build -S . -DCMAKE_PREFIX_PATH="<absolute path sdk-workspace dir>" -DCMAKE_BUILD_TYPE="Debug" .
+cmake --build build --config "Debug"
+```
+
+## How to run
+
+To Run this sample from the `samples/mqtt/mqtt5_pkcs11` folder, use the following command:
+
+```sh
+./mqtt5_pkcs11 \
+  --endpoint <AWS IoT endpoint> \
+  --cert <path to certificate file> \
+  --pkcs11_lib <Path to PKCS#11 Library> \
+  --pin <User PIN for logging into PKCS#11 token> \
+  --token_label <Label of the PKCS#11 token to use (optional)> \
+  --key_label <Label of private key on the PKCS#11 token (optional)>
+```
+
+If you would like to see what optional arguments are available, use the `--help` argument:
+```sh
+./mqtt5_pkcs11 --help
+```
+
+will result in the following output:
+```
+MQTT5 PKCS11 Sample.
+
+options:
+  -h, --help      show this help message and exit
+
+required arguments:
+  --endpoint      IoT endpoint hostname (default: None)
+  --cert          Path to the certificate file to use during mTLS connection establishment (default: None)
+  --pkcs11_lib    Path to PKCS#11 Library (default: None)
+  --pin           User PIN for logging into PKCS#11 token (default: None)
+
+optional arguments:
+  --port          Port (8883 mTLS, 443 ALPN) (default: 8883)
+  --token_label   Label of the PKCS#11 token to use (optional). (default: None)
+  --slot_id       Slot ID containing the PKCS#11 token to use (optional). (default: None)
+  --key_label     Label of private key on the PKCS#11 token (optional). (default: None)
+  --ca_file       Path to optional CA bundle (PEM) (default: None)
+  --topic         Topic (default: test/topic)
+  --message       Message payload (default: Hello from mqtt5 sample)
+  --count         Messages to publish (0 = infinite) (default: 5)
+  --proxy_host    HTTP proxy host (default: None)
+  --proxy_port    HTTP proxy port (default: 0)
+  --client_id     Client ID (default: test-548e4344)
+  ```
+
+### Run sample with SoftHSM
+
+If you do not have a PKCS#11 device and/or want to use a software-based solution for testing, you can use [SoftHSM2](https://www.opendnssec.org/softhsm/) as the PKCS#11 device. This allows testing without the need to purchase and use separate hardware.
+
+The steps to use [SoftHSM2](https://www.opendnssec.org/softhsm/) as the PKCS#11 device with this sample are listed below:
+
+1. Create an AWS IoT Thing with a certificate and key if you haven't already.
+
+2. Convert the private key from the AWS IoT Thing into PKCS#8 format using the following command:
+
+    ```sh
+    openssl pkcs8 -topk8 -in <private.pem.key> -out <private.p8.key> -nocrypt
+    ```
+
+3. Install [SoftHSM2](https://www.opendnssec.org/softhsm/) using `apt`:
+
+    ```sh
+    sudo apt install softhsm
+    ```
+
+    Note that if you are using a Linux distribution that does not include `apt`, you will need to
+    adjust the above command to get [SoftHSM2](https://www.opendnssec.org/softhsm/) from the package manager your distribution supports.
+
+4. Check that [SoftHSM2](https://www.opendnssec.org/softhsm/) is working as expected by running the following:
+
+    ```sh
+    softhsm2-util --show-slots
+    ```
+
+    If this spits out an error message, create a config file:
+    *   Default location: `~/.config/softhsm2/softhsm2.conf`
+    *   This file must specify token dir, default value is:
+        ```sh
+        directories.tokendir = /usr/local/var/lib/softhsm/tokens/
+        ```
+
+5. Create a token and import the private key you converted in step 2:
+
+    You can use any values for the labels, PINs, etc
+
+    ```sh
+    softhsm2-util --init-token --free --label <token-label> --pin <user-pin> --so-pin <so-pin>
+    ```
+
+    **Important**: Note which slot the token ended up in
+
+    ```sh
+    softhsm2-util --import <private.p8.key> --slot <slot-with-token> --label <key-label> --id <hex-chars> --pin <user-pin>
+    ```
+
+6. Now you can run the sample with the following:
+
+    ```sh
+    # For Windows: replace 'python3' with 'python' and '/' with '\'
+    python3 mqtt5_pkcs11_connect.py --endpoint <endpoint> --ca_file <path to root CA> --cert <path to certificate> --pkcs11_lib <path to PKCS11 lib> --pin <user-pin> --token_label <token-label> --key_label <key-label>
+    ```
+  
+## Additional Information
+Additional help with the MQTT5 Client can be found in the [MQTT5 Userguide](../../../documents/MQTT5_Userguide.md). This guide will provide more details on MQTT5 [operations](../../../documents/MQTT5_Userguide.md#client-operations), [lifecycle events](../../documents/MQTT5_Userguide.md#client-lifecycle-management), [connection methods](../../../documents/MQTT5_Userguide.md#connecting-to-aws-iot-core), and other useful information.