Updated AWS IoT (markdown)

s-hadinger 2019-08-04 21:04:58 +02:00
parent 7afb2238cf
commit 045746873f
1 changed files with 8 additions and 63 deletions

@ -60,18 +60,6 @@ You will need to install/compile the following:
* Complete environment to compile Tasmota, ex: PlatformIO (https://github.com/arendst/Sonoff-Tasmota/wiki/PlatformIO)
* Recent version of `openssl`
* `bearssl` tool to embed your keys in the code
To compile bearssl, do the following:
* Clone the BearSSL repo: ```git clone https://www.bearssl.org/git/BearSSL```
* Compile bearssl:
```
cd BearSSL
make
```
### Step 2. Configure AWS IoT (to be done once)
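Review bot: with the `bearssl` bullet and the BearSSL clone/`make` steps removed, this prerequisite list no longer names any tool that turns `tasmota-01.key` and the certificate into the form the later `TLSKey` step consumes; either keep a one-line bullet naming that tool, or state here that a recent `openssl` is sufficient for the whole key-conversion step, so a reader following the new flow is not left wondering whether to build BearSSL after all.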
@ -115,7 +103,7 @@ First create an ECC private key for your device (as described in this [Blog](htt
$ openssl ecparam -out tasmota-01.key -name prime256v1 -genkey
```
Next, using this private key, create a certificate signing request (CSR). When asked enter teh certificate details. This is not really used later, you can just enter a 2 letters country code like "**EU**" and leave all other fields blank (type 8 times enter).
Next, using this private key, create a certificate signing request (CSR). When asked enter the certificate details. This is not really used later, you can just enter a 2 letters country code like "**EU**" and leave all other fields blank (type 8 times enter).
```
$ openssl req -new -sha256 -key tasmota-01.key -nodes -out tasmota-01.csr
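Review bot: the `teh` → `the` fix is fine, but the same sentence still reads "a 2 letters country code" and "type 8 times enter"; suggest `a two-letter country code such as "EU"` and `press Enter at each remaining prompt`. Also, `-nodes` on the `openssl req -new -key tasmota-01.key ...` line has no effect when an existing key is supplied (it only controls whether a key that `req` generates itself is encrypted), so it can be dropped to avoid suggesting this command touches the key.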
@ -169,7 +157,7 @@ Your setup is done in AWS IoT. Let's proceed to the custom firmware.
### Step 6. Enable AWS IoT in Tasmota
Using your favorite IDE, create `sonoff/user_config_override.h`, and add `#define USE_MQTT_AWS_IOT`. You will need to #undef `#define USE_DISCOVERY` because mDNS will add too much code size.
Using your favorite IDE, create `sonoff/user_config_override.h`, and add `#define USE_MQTT_AWS_IOT`. It is highly suggested to also add `#define USE_MQTT_TLS_CA_CERT`. You will need to #undef `#define USE_DISCOVERY` because mDNS will add too much code size.
Note: TLS handshake takes ~1.2s on ESP8266 @80MHz. You may choose to switch to 160MHz if the power supply of your device supports it. If you do so, handshake time should be ~0.7s.
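Review bot: the added sentence calls `USE_MQTT_TLS_CA_CERT` "highly suggested" but does not say what it changes or what the device does without it; state that it enables validation of the AWS IoT endpoint's certificate against an embedded CA and describe the fallback behaviour when it is absent, so readers see it as the security-relevant choice rather than an optional extra. The phrase "You will need to #undef `#define USE_DISCOVERY`" is also confusing as written; the line to add to `user_config_override.h` is `#undef USE_DISCOVERY`, so show it that way.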
@ -177,60 +165,17 @@ Try to compile the firmware to make sure everything is good.
> This step is only to check compilation goes well. Your firmware is still not usable since it does not contain the Private Key + Certificate.
### Step 7. Embed your Private Key + Certificate
### Step 7. Flash your device
You will now need to copy/paste your credentials in the file `sonoff/sonoff_aws_iot.cpp`. This is where you need the bearssl binary compiled in step 1.
Flash your device the normal way; either through serial or OTA. If you use OTA, first flash a `sonoff-minimal` firmware, then your target firmware.
Copy/paste the Private Key first, into lines 46-55:
### Step 8. Prepare your AWS IoT credentials
```
$ BearSSL/build/brssl skey tasmota-01.key -C
File 'tasmota-01.key': decoding as PEM
(skipping 'EC PARAMETERS')
EC key (curve = 23: secp256r1)
You will now need to convert your AWS IoT credentials to Tasmota commands. Credentials are composed of two distinct parts, first a Private Key - this is the secret that will allow your device to prove it is who it pretends to be. Consider this as sensitive as a password. The Private Key is exactly 32 bytes (256 bits).
static const unsigned char EC_X[] = {
0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX,
0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX,
0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX
};
The second part is the Certificate delivered by AWS IoT. Tasmota will also need it to athenticate to the AWS IoT endpoint.
static const br_ec_private_key EC = {
23,
(unsigned char *)EC_X, sizeof EC_X
};
```
Now copy/paste your certificate, into lines 69-139:
```
$ BearSSL/build/brssl chain tasmota-01.cert.pem
Reading file 'tasmota-01.cert.pem': 1 certificate
static const unsigned char CERT0[] = {
0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX,
0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX,
[.../...]
0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX,
0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX
};
static const br_x509_certificate CHAIN[] = {
{ (unsigned char *)CERT0, sizeof CERT0 }
};
#define CHAIN_LEN 1
```
Now compile the Tasmota firmware. Your firmware is now ready.
### Step 8. Flash your device
Flash your device the normal way; either through serial or OTA. If you use OTA, first flash a `sonoff-minial` firmware, then your target firmware.
Both credentials must be stored in Tasmota Flash memory, in that order, using the new `TLSKey` command.
### Step 9. Configure Tasmota device
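Review bot: Step 8 tells the reader to "convert your AWS IoT credentials to Tasmota commands" and to store both "in that order, using the new `TLSKey` command", but no conversion command and no `TLSKey` invocation appear in the hunk, while the old `brssl skey` / `brssl chain` blocks that did show the conversion are removed; add the conversion step and one `TLSKey` example for the Private Key and one for the Certificate, otherwise the step cannot be completed from this page. Since the private key is now entered as a runtime command rather than compiled into the firmware, also say which channel the command should be entered over (serial console, web console or MQTT), because the key travels over that channel and the text itself says to treat it as a password. Minor: `athenticate` → `authenticate`, and "prove it is who it pretends to be" reads better as "prove it is who it claims to be".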