Infineon/mtb-example-optiga-mqtt-client

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

OPTIGA™ Trust M: MQTT Client

This code example demonstrates an MQTT Client built with the ModusToolbox™ MQTT Client library, which uses the AWS IoT Device SDK MQTT Client library (an MQTT 3.1.1 Client), together with the OPTIGA™ Trust M secure element.

Figure 1. Connection between PSOC™ 6 host MCU and OPTIGA™ Trust M

In this example, the MQTT Client RTOS task reads a pre-provisioned X.509 certificate out of the secure element, populates the internal MQTT Client configuration with it to establish a connection with the configured MQTT Broker, and creates the following two tasks:

  • Publisher: Publishes messages on a topic when the user button on the kit is pressed.

  • Subscriber: Subscribes to the same topic and controls the user LED based on the messages received from the MQTT Broker.

If an unexpected MQTT or Wi-Fi disconnection occurs, the application executes a reconnection mechanism to restore the connection. In addition, all operations related to ECDSA and ECDHE that are performed as part of this demo, i.e., as part of the TLS channel establishment, are automatically accelerated on the secure element.

Figure 2. Connection between an MQTT Client and an MQTT Server

Requirements

Note: Before going through this example, you might also be interested in the ModusToolbox™ Training Level 3: WiFi, which explains essential terms for the example, such as TLS, X.509 certificates, cloud, and the MQTT protocol.

Supported toolchains (make variable 'TOOLCHAIN')

  • GNU Arm® Embedded Compiler v11.3.1 (GCC_ARM) – Default value of TOOLCHAIN
  • Arm® Compiler v6.16 (ARM)
  • IAR C/C++ Compiler v9.40.2 (IAR)

Supported kits (make variable 'TARGET')

To use this code example on different hardware, follow this guidance.

Hardware setup

This example uses the board's default configuration for all the supported kits, except CY8CKIT-062S2-43012. It requires XENSIV™ Sensor Shield SHIELD_XENSIV_A to be plugged on the CY8CKIT-062S2-43012. See the kit guide to ensure that the board is configured correctly.

Figure 3. SHIELD_XENSIV_A sensor shield connecting with CY8CKIT-062S2-43012

Software setup

See the ModusToolbox™ tools package installation guide for information about installing and configuring the tools package.

Install a terminal emulator if you don't have one. Instructions in this document use Tera Term.

This code example implements a generic MQTT Client that can connect to various MQTT Brokers. In this document, the instructions to set up and run the MQTT Client have been provided for the AWS IoT MQTT Broker for reference.

This example requires no additional software or tools if you are using the MQTT Client with a publicly hosted MQTT Broker.

Using the code example

WARNING: Because of the Windows maximum path length limit of 260 characters, the build might fail with a "No such file or directory" error, since this project pulls in many submodules. In that case, shorten the project's path as much as possible, e.g., move it to a different location.

Create the project

The ModusToolbox™ tools package provides the Project Creator as both a GUI tool and a command line tool.

Use Project Creator GUI
  1. Click the New Application link in the Quick Panel (or, use File > New > ModusToolbox™ Application). This launches the Project Creator tool.

  2. On the Choose Board Support Package (BSP) page, select a kit supported by this code example. See Supported kits.

    Note: To use this code example for a kit not listed here, you may need to update the source files. If the kit does not have the required resources, the application may not work.

  3. On the Select Application page:

    a. Select the Applications(s) Root Path and the Target IDE.

    Note: Depending on how you open the Project Creator tool, these fields may be pre-selected for you.

    b. Select this code example from the list by enabling its check box.

    Note: You can narrow the list of displayed examples by typing in the filter box.

    c. (Optional) Change the suggested New Application Name and New BSP Name.

    d. Click Create to complete the application creation process.

Use Project Creator CLI

The 'project-creator-cli' tool can be used to create applications from a CLI terminal or from within batch files or shell scripts. This tool is available in the {ModusToolbox™ install directory}/tools_{version}/project-creator/ directory.

Use a CLI terminal to invoke the 'project-creator-cli' tool. On Windows, use the command-line 'modus-shell' program provided in the ModusToolbox™ installation instead of a standard Windows command-line application. This shell provides access to all ModusToolbox™ tools. You can access it by typing "modus-shell" in the search box in the Windows menu. In Linux and macOS, you can use any terminal application.

The following example clones the "OPTIGA™ Trust M: MQTT Client" application with the desired name "OPTIGA_MQTT" configured for the CYSBSYSKIT-DEV-01 BSP into the specified working directory, C:/mtb_projects:

project-creator-cli --board-id CYSBSYSKIT-DEV-01 --app-id mtb-example-optiga-mqtt-client --user-app-name OPTIGA_MQTT --target-dir "C:/mtb_projects"

The 'project-creator-cli' tool has the following arguments:

Argument Description Required/optional
--board-id Defined in the field of the BSP manifest Required
--app-id Defined in the field of the CE manifest Required
--target-dir Specify the directory in which the application is to be created if you prefer not to use the default current working directory Optional
--user-app-name Specify the name of the application if you prefer to have a name other than the example's default name Optional

Note: The project-creator-cli tool uses the git clone and make getlibs commands to fetch the repository and import the required libraries. For details, see the "Project creator tools" section of the ModusToolbox™ tools package user guide (locally available at {ModusToolbox™ install directory}/docs_{version}/mtb_user_guide.pdf).

Open the project

After the project has been created, you can open it in your preferred development environment.

Eclipse IDE

If you opened the Project Creator tool from the included Eclipse IDE, the project will open in Eclipse automatically.

For more details, see the Eclipse IDE for ModusToolbox™ user guide (locally available at {ModusToolbox™ install directory}/docs_{version}/mt_ide_user_guide.pdf).

Visual Studio (VS) Code

Launch VS Code manually, and then open the generated {project-name}.code-workspace file located in the project directory.

For more details, see the Visual Studio Code for ModusToolbox™ user guide (locally available at {ModusToolbox™ install directory}/docs_{version}/mt_vscode_user_guide.pdf).

Keil µVision

Double-click the generated {project-name}.cprj file to launch the Keil µVision IDE.

For more details, see the Keil µVision for ModusToolbox™ user guide (locally available at {ModusToolbox™ install directory}/docs_{version}/mt_uvision_user_guide.pdf).

IAR Embedded Workbench

Open IAR Embedded Workbench manually, and create a new project. Then select the generated {project-name}.ipcf file located in the project directory.

For more details, see the IAR Embedded Workbench for ModusToolbox™ user guide (locally available at {ModusToolbox™ install directory}/docs_{version}/mt_iar_user_guide.pdf).

Command line

If you prefer to use the CLI, open the appropriate terminal, and navigate to the project directory. On Windows, use the command-line 'modus-shell' program; on Linux and macOS, you can use any terminal application. From there, you can run various make commands.

For more details, see the ModusToolbox™ tools package user guide (locally available at {ModusToolbox™ install directory}/docs_{version}/mtb_user_guide.pdf).

Operation

Step 1. Register your X.509 device certificate at AWS IoT

  1. Set up the MQTT device (also known as a Thing) in the AWS IoT Core as described in the Getting started with AWS IoT tutorial.
    Do not create a client certificate or a corresponding private key because they will be provided by the secure element.

    Note: While setting up your device, ensure that the policy associated with this device permits all MQTT operations (iot:Connect, iot:Publish, iot:Receive, and iot:Subscribe) for the resource used by this device. For testing purposes, it is recommended to have the following policy document, which allows all MQTT Policy Actions on all Amazon Resource Names (ARNs).

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iot:*",
                "Resource": "*"
            }
        ]
    }
    
  2. Download the device certificate from the CIRRENT™ Cloud ID as per instructions on the OPTIGA™ Trust IoT Security Development Kit package.

  3. On the Device Management tab, navigate to Cloud ID > Actions > Download the list of certificates.
    A zip archive containing a .CSV file with the following content is downloaded:

    Note: If your board doesn't have a QR code to claim the device certificate, follow Step 3 (Program) and flash your board, even if it doesn't yet contain the correct configuration. You should then see your device's certificate, extracted from the OPTIGA™ Trust M secure element, which you can use as follows:

    "device_id","group_id","certificate"
    "d6c5a999890f44f843c34a9013e43c0372c59b14","D003",
    "-----BEGIN CERTIFICATE-----
    MIIC3DCCAcSgAwIBAgIU1sWpmYkPRPhDw0qQE+Q8A3LFmxQwDQYJKoZIhvcNAQEL
    BQAwHzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB2NpcnJlbnQwHhcNMjExMDEzMTkw
    NzE1WhcNMjIxMDEzMTkwNzE1WjAxMRAwDgYDVQQDEwdjaXJyZW50MQswCQYDVQQG
    EwJVUzEQMA4GA1UEChMHY2lycmVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
    AQoCggEBAPShH3JuN7gs9Px/Gz9Hq4JsiJTS1O47i9QyLIDcMCOEF+HiXh4BsRyE
    7mqev8elqUDA8eKmWr4+CZgOJUmGyegGLCwdtyUyRadDQYvXawAMAF/ICJJdZ9JW
    w9C3yeXiyotRwfozamg4jsJ5gEFItDULmRQeCCamNIYBvIW6cP1X1CtlvABXFhqJ
    oBrtZ5PZrippGFBSI16e4ppcLuVrtW9E9wBcgPSNFv7fNaE9desFV3MNr69euC0a
    r2mSkcnJ9rU+dUMqyu3cyyfVHOTWPR3qGVGo3eLI4yFGJijsXiWaDB1i7F4+c0xn
    LQmy7JJsJP8sZQKXJOrjqK4aYx3h14UCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
    dY/5WWFgN4fwHtLQwD3egymiGjd/oTZgFGJ8Ws879fUhsZczdjImOKvb9l3nmFoA
    HXL6QK/iSKaWeNfMJHb0Yvh5wU4yB1elB1yvO3k0r71q276m5Wxq37OHal9nXBfq
    7YdZYLDqzvNpsXmoOIw8UNFbcfD51ICfWCHGx/A8idip6YJjvF9qyYXbK0kzDIpE
    1wEgF2a/A82hBHVt/DSIdSI4tq00i46Ao6DbKelETR4l1I8J/7jjD82Sw82HtoKq
    L+706Bgupj11TRa0uCh8gXBXsmlaK/QQV4QOLo8M+yY6Njj6oUizb513IpkdFs2b
    x0M1J85xUZMOqXOs2nQWLQ==
    -----END CERTIFICATE-----
    "
    
  4. Copy the content from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- into a PEM file named certificate.pem.

  5. Register your certificate.pem file at your AWS IoT endpoint:

    1. In the navigation pane for the AWS IoT console, click Secure, and then click Certificates.

    2. On the Certificates page, click Create a certificate.

    3. Next to Use my certificate, click Get started.

    4. On the Select a CA page, leave the field blank, and then click Next.

      Multi-Account Registration does not require the user to register a certificate authority with AWS.

    5. On the Register existing device certificates page, click Select certificates, and then select the certificate that you recently saved (certificate.pem).

    6. Ensure that the Activate All option is selected, and then click Register certificate.

    7. Click Actions, and then click Attach policy to attach the policy that you created. Click Attach.

    8. Attach your certificate to the Thing you created earlier. On the Certificates page, select the certificate you just created.

    9. Click Actions, and then click Attach thing.

    10. On the Attach things to certificate(s) window, select the Thing name and click Attach.

Step 2. Configure the application

  1. Set the Wi-Fi credentials in configs/wifi_config.h: modify the macros WIFI_SSID, WIFI_PASSWORD, and WIFI_SECURITY to match the Wi-Fi network that you want to connect to.

  2. Navigate to the AWS IoT Console. In the navigation pane, choose Settings.

    Your AWS IoT endpoint is displayed in Endpoint. It should look like 1234567890123-ats.iot.us-east-1.amazonaws.com. Make a note of this endpoint.

  3. In the configs/mqtt_client_config.h file, set MQTT_BROKER_ADDRESS and MQTT_SNI_HOSTNAME to your custom endpoint on the Settings page of the AWS IoT Console.

  4. In the configs/mqtt_client_config.h file, set the following macros:

    • MQTT_PORT: Set to 8883.
    • MQTT_SECURE_CONNECTION: Set to 1.
  5. Download the Root CA "ECC 256 bit key (Amazon Root CA 3)" for AWS IoT from CA certificates for server authentication.

    Note: Which Root CA you need depends on the TLS cipher suite in use; see the mbed TLS configuration section under Enabling the OPTIGA™ Trust library.

  6. Using these certificates, enter the following parameters in mqtt_client_config.h in PEM format:

    • ROOT_CA_CERTIFICATE - Root CA certificate

      You can either convert the values to strings manually following the format shown in mqtt_client_config.h or you can use the HTML utility available here to convert the certificates and keys from PEM format to C string format. You need to clone the repository from GitHub to use the utility.

      For a full list of configuration macros used in this code example, see Table 1 in the Configuring the MQTT Client section.

  7. (Optional) Modify the configuration macros in the following files according to your application:
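The CSV-to-certificate.pem extraction of Step 1 (items 3 and 4) and the PEM-to-C-string conversion of Step 2 (item 6), as an added Python example that is not part of this code example's sources. Using the CSV shown in Step 1 as constructed input, it strictly decodes the certificate, cross-checks that device_id equals the certificate serial number (as it does in that sample), reports the public-key algorithm so you can confirm it matches the key exchange enabled in mbed TLS (ECDHE_ECDSA needs an EC certificate, ECDHE_RSA an RSA one), and renders the PEM as a macro. The exact one-string-per-line macro layout is an assumption modelled on mqtt_client_config.h.

```python
"""Added example (not part of this code example's sources): pull the device certificate
out of the CIRRENT Cloud ID CSV (Step 1), check it, and render it for mqtt_client_config.h (Step 2)."""
import base64
import csv
import io
import re

# Constructed input: the CSV content shown under Step 1, copied as the page shows it.
SAMPLE_CSV = '''"device_id","group_id","certificate"
"d6c5a999890f44f843c34a9013e43c0372c59b14","D003",
"-----BEGIN CERTIFICATE-----
MIIC3DCCAcSgAwIBAgIU1sWpmYkPRPhDw0qQE+Q8A3LFmxQwDQYJKoZIhvcNAQEL
BQAwHzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB2NpcnJlbnQwHhcNMjExMDEzMTkw
NzE1WhcNMjIxMDEzMTkwNzE1WjAxMRAwDgYDVQQDEwdjaXJyZW50MQswCQYDVQQG
EwJVUzEQMA4GA1UEChMHY2lycmVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAPShH3JuN7gs9Px/Gz9Hq4JsiJTS1O47i9QyLIDcMCOEF+HiXh4BsRyE
7mqev8elqUDA8eKmWr4+CZgOJUmGyegGLCwdtyUyRadDQYvXawAMAF/ICJJdZ9JW
w9C3yeXiyotRwfozamg4jsJ5gEFItDULmRQeCCamNIYBvIW6cP1X1CtlvABXFhqJ
oBrtZ5PZrippGFBSI16e4ppcLuVrtW9E9wBcgPSNFv7fNaE9desFV3MNr69euC0a
r2mSkcnJ9rU+dUMqyu3cyyfVHOTWPR3qGVGo3eLI4yFGJijsXiWaDB1i7F4+c0xn
LQmy7JJsJP8sZQKXJOrjqK4aYx3h14UCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA
dY/5WWFgN4fwHtLQwD3egymiGjd/oTZgFGJ8Ws879fUhsZczdjImOKvb9l3nmFoA
HXL6QK/iSKaWeNfMJHb0Yvh5wU4yB1elB1yvO3k0r71q276m5Wxq37OHal9nXBfq
7YdZYLDqzvNpsXmoOIw8UNFbcfD51ICfWCHGx/A8idip6YJjvF9qyYXbK0kzDIpE
1wEgF2a/A82hBHVt/DSIdSI4tq00i46Ao6DbKelETR4l1I8J/7jjD82Sw82HtoKq
L+706Bgupj11TRa0uCh8gXBXsmlaK/QQV4QOLo8M+yY6Njj6oUizb513IpkdFs2b
x0M1J85xUZMOqXOs2nQWLQ==
-----END CERTIFICATE-----
"
'''

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
KEY_OIDS = {"rsaEncryption": bytes.fromhex("06092a864886f70d010101"),  # SubjectPublicKeyInfo
            "ecPublicKey": bytes.fromhex("06072a8648ce3d0201")}        # algorithm OIDs (DER)

def parse_cloud_id_csv(text):
    """Return (device_id, group_id, pem); the certificate is located by its PEM markers."""
    rows = list(csv.reader(io.StringIO(text)))
    if len(rows) < 2 or rows[0][:2] != ["device_id", "group_id"]:
        raise ValueError("unexpected CSV header")
    match = PEM_RE.search(text)
    if match is None:
        raise ValueError("no certificate block in CSV")
    body = "".join(match.group(1).split())                     # drop newlines/indentation
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]  # re-wrap at 64 columns
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)
    return rows[1][0], rows[1][1], pem

def pem_to_der(pem):
    """Strictly decode the base64 body of one PEM certificate (catches paste damage)."""
    return base64.b64decode("".join(PEM_RE.search(pem).group(1).split()), validate=True)

def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def certificate_serial_hex(der):
    """Walk Certificate -> tbsCertificate -> [0] version -> serialNumber."""
    tag, pos, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not one complete DER SEQUENCE")
    tag, pos, _ = _tlv(der, pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, version_end = _tlv(der, pos)
    if tag == 0xA0:                                            # explicit version (v2/v3)
        pos = version_end
    tag, start, end = _tlv(der, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return der[start:end].hex()

def public_key_algorithm(der):
    """Lightweight check (no full X.509 parser): which key algorithm OID the DER carries."""
    return next((name for name, oid in KEY_OIDS.items() if oid in der), "unknown")

def pem_to_c_macro(name, pem):
    """Render a PEM in the one-C-string-per-line macro layout of mqtt_client_config.h."""
    strings = ['"%s\\n"' % line for line in pem.strip().splitlines()]
    return "#define %s \\\n%s" % (name, " \\\n".join(strings))

def check_device_certificate(csv_text):
    """Parse the CSV, validate the certificate and summarise what to check before registering."""
    device_id, group_id, pem = parse_cloud_id_csv(csv_text)
    der = pem_to_der(pem)
    serial = certificate_serial_hex(der)
    return {"device_id": device_id, "group_id": group_id, "pem": pem,
            "der_length": len(der), "serial": serial,
            "serial_matches_device_id": serial == device_id,   # holds for the page's sample
            "key_algorithm": public_key_algorithm(der)}

if __name__ == "__main__":
    info = check_device_certificate(SAMPLE_CSV)
    open("certificate.pem", "w").write(info["pem"])             # Step 1, item 4
    print(pem_to_c_macro("ROOT_CA_CERTIFICATE", info["pem"]))  # same layout for any PEM
```

Run as a script it writes certificate.pem for registration at AWS IoT and prints the macro text; `pem_to_c_macro` applies equally to the Amazon Root CA you download in item 5.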

Step 3. Program

  1. Connect the board to your PC using the provided USB cable through the KitProg3 USB connector.

  2. Program the board using one of the following (you don't need any extra configuration for the first part):

    Using Eclipse IDE for ModusToolbox™
    1. Select the application project in the Project Explorer.

    2. In the Quick Panel, scroll down, and click <Application Name> Program (KitProg3_MiniProg4).

    Using CLI

    From the terminal, execute the make program command to build and program the application using the default toolchain to the default target. You can specify a target and toolchain manually:

    make program TARGET=<BSP> TOOLCHAIN=<toolchain>
    

    Example:

    make program TARGET=CYSBSYSKIT-DEV-01 TOOLCHAIN=GCC_ARM
    
  3. After programming, the application starts automatically. Observe the messages on the UART terminal, and wait for the device to make all the required connections.

    Figure 4. Application initialization status

  4. Confirm that the following message is printed on the UART terminal:

    Press the user button (SW2) to publish "TURN ON"/"TURN OFF" on the topic 'ledstatus'...
    

    This message may vary depending on the MQTT topic and publish messages that are configured in the mqtt_client_config.h file.

  5. Press the user button (SW2) on the kit to toggle the LED state.

  6. Confirm that the user LED state is toggled and the messages received on the subscribed topic are printed on the UART terminal.

    Figure 5. Publisher and subscriber logs

This example can be programmed on multiple kits (Only when GENERATE_UNIQUE_CLIENT_ID is set to 1); the user LEDs on all the kits will synchronously toggle with a button press on any kit.

Alternative methods to verify the publish and subscribe functionality

You can individually verify the publish and subscribe functionalities of the MQTT Client if the MQTT Broker supports a Test MQTT Client such as AWS IoT.

  • To verify the subscribe functionality: Using the Test MQTT Client, publish messages such as "TURN ON" and "TURN OFF" on the topic specified by the MQTT_PUB_TOPIC macro in mqtt_client_config.h to control the LED state on the kit.

  • To verify the publish functionality: From the Test MQTT Client, subscribe to the MQTT topic specified by the MQTT_SUB_TOPIC macro and confirm that the messages published by the kit (when the user button is pressed) are displayed on the Test MQTT Client's console.

Debugging

You can debug the example to step through the code.

In Eclipse IDE

Use the <Application Name> Debug (KitProg3_MiniProg4) configuration in the Quick Panel. For details, see the "Program and debug" section in the Eclipse IDE for ModusToolbox™ user guide.

In other IDEs

Follow the instructions in your preferred IDE.

Design and implementation

This example implements the following RTOS tasks:

  • OPTIGA™ Trust
  • MQTT Client
  • MQTT Publisher
  • MQTT Subscriber

The main function initializes the BSP and the retarget-io library, and creates the OPTIGA™ Trust task.

The OPTIGA™ Trust task does the following:

  1. Initializes the secure element

  2. Extracts the pre-provisioned public key certificate from the chip

  3. Populates the public key certificate with the internal configuration for secure communication

  4. Initializes the MQTT Client task

The MQTT Client task does the following:

  1. Initializes the Wi-Fi Connection Manager (WCM) and connects to a Wi-Fi access point (AP) using the Wi-Fi network credentials that are configured in wifi_config.h

  2. Upon a successful Wi-Fi connection, initializes the MQTT library and establishes a connection with the MQTT Broker/Server

The MQTT connection is configured to be secure by default; the secure connection requires a client certificate, a private key, and the Root CA certificate of the MQTT Broker that are configured in mqtt_client_config.h.

After a successful MQTT connection, the Subscriber and Publisher tasks are created. The MQTT Client task then waits for commands from the other two tasks and callbacks to handle events such as unexpected disconnections.

The Subscriber task initializes the user LED GPIO and subscribes to messages on the topic specified by the MQTT_SUB_TOPIC macro that are configured in mqtt_client_config.h. When the Subscriber task receives a message from the Broker, it turns the user LED ON or OFF depending on whether the received message is "TURN ON" or "TURN OFF" (configured using the MQTT_DEVICE_ON_MESSAGE and MQTT_DEVICE_OFF_MESSAGE macros).

The Publisher task sets up the user button GPIO and configures an interrupt for the button. The ISR notifies the Publisher task when a button press is detected. The Publisher task then publishes messages (TURN ON / TURN OFF) on the topic specified by the MQTT_PUB_TOPIC macro. When the publish operation fails, a message is sent over a queue to the MQTT Client task.

An MQTT event callback function mqtt_event_callback() is invoked by the MQTT library for events such as MQTT disconnection and incoming MQTT subscription messages from the MQTT Broker. In the case of an MQTT disconnection, the MQTT Client task is informed about the disconnection using a message queue. When an MQTT subscription message is received, the subscriber callback function implemented in subscriber_task.c is invoked to handle the incoming MQTT message.

The MQTT Client task handles unexpected disconnections in the MQTT or Wi-Fi connections by initiating reconnection to restore the Wi-Fi and MQTT connections. Upon failure, the Publisher and Subscriber tasks are deleted, cleanup operations of various libraries are performed, and then the MQTT client task is terminated.

Sequence of operation

  1. The user button is pressed.

  2. The GPIO interrupt service routine (ISR) notifies the Publisher task.

  3. The Publisher task publishes a message on a topic.

  4. The MQTT Broker sends back the message to the MQTT Client because it is also subscribed to the same topic.

  5. When the message is received, the Subscriber task turns the LED ON or OFF. As a result, the user LED toggles every time the user presses the button.

Enabling the OPTIGA™ Trust library

Configuration

I2C Pins

Supported boards have CYBSP_I2C_SCL_OPTIGA and CYBSP_I2C_SDA_OPTIGA defined in their BSP. Alternatively, you can define these in the optiga_lib_mtb_config.h file.

Reset and power control pins

The OPTIGA™ Trust secure element can be controlled via a dedicated reset and a power control line. For example, the power control line is used for entering hibernate mode on the chip.

Do the following:

  1. Define OPTIGA_TRUSTM_VDD and OPTIGA_TRUSTM_RST with the corresponding GPIOs in your optiga_lib_config_mtb.h file.

  2. Change the reset type (OPTIGA_COMMS_DEFAULT_RESET_TYPE) as appropriate:

    • If both macros are defined: Set this value to 0.

    • If only the reset line is connected: Set this value to 2.

Initialization in a FreeRTOS task

If the Makefile defines PSOC_FREERTOS, it means that the OPTIGA™ Trust library uses a FreeRTOS-based Platform Abstraction Layer (PAL) for the communication. In this case, adhere to the following guidelines:

  1. Always initialize the secure element from a task.

  2. Allocate enough stack (not more than 3072 bytes) to the OPTIGA™ Trust task, depending on the configuration it needs.

  3. Do not start any MQTT-related tasks before the secure element is initialized.

Certificate extraction and MQTT connection configuration

Immediately after the secure element is initialized, you might need to extract the certificate from the chip and assign it to the internal MQTT Client configuration. For an example, see here.

mbed TLS configuration

For a successful TLS communication, make sure that only supported handshake methods are selected in your mbed TLS configuration file.

To do this, do one of the following:

  • Undefine the following:

    • MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
    • MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
    • MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
    • MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
    • MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
    • MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
    • MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
  • Define the following:

    • MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED

If Wi-Fi online provisioning is used, your example will try to establish a connection with several clouds, which restricts the handshake methods you can use; for example, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED might not be available. In that case you can enable MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED instead and change the Root CA configuration (ROOT_CA_CERTIFICATE) to use Amazon Root CA 1 (based on RSA 2048) instead of the default Amazon Root CA 3 (based on ECC 256).

Cryptography (ECDSA, ECDHE, Random) functions call routing

Ensure that your mbed TLS configuration file has the following macros defined:

  • MBEDTLS_ECDH_GEN_PUBLIC_ALT
  • MBEDTLS_ECDSA_SIGN_ALT
  • MBEDTLS_ECDSA_VERIFY_ALT
  • MBEDTLS_ECDH_COMPUTE_SHARED_ALT
  • MBEDTLS_ECDSA_GENKEY_ALT

In addition to these macros, ensure that your build includes the $(optiga-trust-m)/examples/mbedtls_port files.

Custom Certificates and Keys

If you do not have your own credentials for the connection, but you would like to generate them, see the OPTIGA™ Trust M: Data and certificates management code example. If you would like to use existing credentials and would like to change default Object IDs, edit the Makefile and add the following macros to DEFINES:

  • LABEL_DEVICE_PRIVATE_KEY_FOR_TLS='"0xE0F1"' defines the private key slot for the PKCS11 Engine (secure-sockets middleware library); the '"0xE0F1"' value can be of your choice.
  • CONFIG_OPTIGA_TRUST_M_PRIVKEY_SLOT=0xE0F1 defines the private key slot for the mbed TLS alternative implementation; 0xE0F1 must be the same value as specified above. Note that no additional quote characters ('") are required here.
  • LABEL_DEVICE_CERTIFICATE_FOR_TLS='"0xE0E1"' defines the certificate matching the private key above for the PKCS11 Engine; the '"0xE0E1"' value can be of your choice.

Configuring the MQTT Client

Table 1. Wi-Fi and MQTT configuration macros

Macro Description
Wi-Fi connection configuration In configs/wifi_config.h
WIFI_SSID SSID of the Wi-Fi AP to which the MQTT Client connects
WIFI_PASSWORD Passkey/password for the Wi-Fi SSID specified above
WIFI_SECURITY Security type of the Wi-Fi AP. See the cy_wcm_security_t structure in the cy_wcm.h file for more details.
MAX_WIFI_CONN_RETRIES Maximum number of retries for the Wi-Fi connection
WIFI_CONN_RETRY_INTERVAL_MS Time interval in milliseconds in between successive Wi-Fi connection retries
MQTT connection configurations In configs/mqtt_client_config.h
MQTT_BROKER_ADDRESS Hostname of the MQTT Broker
MQTT_PORT Port number to be used for the MQTT connection. As specified by the Internet Assigned Numbers Authority (IANA), port numbers assigned for the MQTT protocol are 1883 for non-secure connections and 8883 for secure connections. However, MQTT Brokers may use other ports. Configure this macro as specified by the MQTT Broker.
MQTT_SECURE_CONNECTION Set this macro to 1 if your application requires establishing a secure (TLS) connection to the MQTT Broker; else 0.
MQTT_USERNAME
MQTT_PASSWORD
User name and password for client authentication and authorization, if required by the MQTT Broker. However, note that this information is generally not encrypted and the password is sent in plain text. Therefore, this is not a recommended method of client authentication.
MQTT Client certificate configurations In configs/mqtt_client_config.h
CLIENT_CERTIFICATE
CLIENT_PRIVATE_KEY
Certificate and private key of the MQTT Client used for client authentication. Note that these macros are applicable only when MQTT_SECURE_CONNECTION is set to 1.
ROOT_CA_CERTIFICATE Root CA certificate of the MQTT Broker
MQTT message configurations In configs/mqtt_client_config.h
MQTT_PUB_TOPIC MQTT topic to which the messages are published by the Publisher task to the MQTT Broker
MQTT_SUB_TOPIC MQTT topic to which the Subscriber task subscribes. The MQTT Broker sends the messages to the Subscriber that are published in this topic (or equivalent topic).
MQTT_MESSAGES_QOS Quality of Service (QoS) level to be used by the Publisher and Subscriber. Valid choices are 0, 1, and 2.
ENABLE_LWT_MESSAGE Set this macro to 1 if you want to use the 'Last Will and Testament (LWT)' option; else 0. LWT is an MQTT message that will be published by the MQTT Broker on the specified topic if the MQTT connection is unexpectedly closed. This configuration is sent to the MQTT Broker during MQTT connect operation; the MQTT Broker will publish the Will message on the Will topic when it recognizes an unexpected disconnection from the client.
MQTT_WILL_TOPIC_NAME
MQTT_WILL_MESSAGE
MQTT topic and message for the LWT option described above. These configurations are applicable only when ENABLE_LWT_MESSAGE is set to 1.
MQTT_DEVICE_ON_MESSAGE
MQTT_DEVICE_OFF_MESSAGE
MQTT messages that control the device (LED) state in this code example
Other MQTT Client configurations In configs/mqtt_client_config.h
GENERATE_UNIQUE_CLIENT_ID Every active MQTT connection must have a unique client identifier. If this macro is set to 1, the device will generate a unique client identifier by appending a timestamp to the string specified by the MQTT_CLIENT_IDENTIFIER macro. This feature is useful if you are using the same code on multiple kits simultaneously.
MQTT_CLIENT_IDENTIFIER Client identifier (client ID) string to be used during an MQTT connection. If GENERATE_UNIQUE_CLIENT_ID is set to 1, a timestamp is appended to this macro value and used as the client ID; else, the value specified for this macro is directly used as the client ID.
MQTT_CLIENT_IDENTIFIER_MAX_LEN The longest client identifier that an MQTT Server must accept (as defined by the MQTT 3.1.1 spec) is 23 characters. However, some MQTT Brokers support longer client IDs. Configure this macro as per the MQTT Broker specification.
MQTT_TIMEOUT_MS Timeout in milliseconds for MQTT operations in this example
MQTT_KEEP_ALIVE_SECONDS Keep-alive interval in seconds used for the MQTT ping request
MQTT_ALPN_PROTOCOL_NAME Application Layer Protocol Negotiation (ALPN) protocol name to be used that is supported by the MQTT Broker in use. Note that this is an optional macro for most of the use cases.
Per IANA, the port numbers assigned for the MQTT protocol are 1883 for non-secure connections and 8883 for secure connections. Some applications may need to use other ports for MQTT such as port 443 (which is reserved for HTTPS). ALPN is an extension for TLS that allows many protocols to be used over a secure connection.
MQTT_SNI_HOSTNAME Server Name Indication (SNI) host name to be used during a TLS connection as specified by the MQTT Broker.
SNI is an extension to the TLS protocol. As required by some MQTT Brokers, SNI typically includes the hostname in the "Client Hello" message sent during a TLS handshake.
MQTT_NETWORK_BUFFER_SIZE Size of the network buffer allocated for sending and receiving MQTT packets over the network. Note that the minimum buffer size is defined by the CY_MQTT_MIN_NETWORK_BUFFER_SIZE macro in the MQTT library.
MAX_MQTT_CONN_RETRIES Maximum number of retries for an MQTT connection
MQTT_CONN_RETRY_INTERVAL_MS Time interval in milliseconds in between successive MQTT connection retries

Resources and settings

Table 2. Application resources

Resource Alias/object Purpose
UART (HAL) cy_retarget_io_uart_obj UART HAL object used by Retarget-IO for Debug UART port
GPIO (HAL) CYBSP_USER_LED User LED controlled by the Subscriber based on incoming MQTT messages
GPIO (HAL) CYBSP_USER_BTN User button used to notify the Publisher to publish MQTT messages

Add MBEDTLS_VERBOSE=4 and ENABLE_SECURE_SOCKETS_LOGS to the end of the DEFINES list in the Makefile (separated by whitespace) to enable verbose mbed TLS output if you have a problem during TLS channel establishment. The Makefile content should then look similar to the following:

DEFINES=$(MBEDTLSFLAGS) $(OPTIGAFLAGS) CYBSP_WIFI_CAPABLE CY_RETARGET_IO_CONVERT_LF_TO_CRLF CY_CRYPTO_HAL_DISABLE MBEDTLS_VERBOSE=4

Related resources

Resources Links
Application notes AN228571 – Getting started with PSOC™ 6 MCU on ModusToolbox™
AN215656 – PSOC™ 6 MCU: Dual-CPU system design
Code examples Using ModusToolbox™ on GitHub
Device documentation PSOC™ 6 MCU datasheets
PSOC™ 6 technical reference manuals
Development kits Select your kits from the Evaluation board finder.
Libraries on GitHub mtb-pdl-cat1 – PSOC™ 6 Peripheral Driver Library (PDL)
mtb-hal-cat1 – Hardware Abstraction Layer (HAL) library
retarget-io – Utility library to retarget STDIO messages to a UART port
freeRTOS – A port of FreeRTOS kernel for PSOC™ 6 MCUs
Middleware on GitHub optiga-trust-m – OPTIGA™ Trust M library and documents
capsense – CAPSENSE™ library and documents
psoc6-middleware – Links to all PSOC™ 6 MCU middleware
Tools ModusToolbox™ – ModusToolbox™ software is a collection of easy-to-use libraries and tools enabling rapid development with Infineon MCUs for applications ranging from wireless and cloud-connected systems, edge AI/ML, embedded sense and control, to wired USB connectivity using PSOC™ Industrial/IoT MCUs, AIROC™ Wi-Fi and Bluetooth® connectivity devices, XMC™ Industrial MCUs, and EZ-USB™/EZ-PD™ wired connectivity controllers. ModusToolbox™ incorporates a comprehensive set of BSPs, HAL, libraries, configuration tools, and provides support for industry-standard IDEs to fast-track your embedded application development.

Other resources

Infineon provides a wealth of data at www.infineon.com to help you select the right device, and quickly and effectively integrate it into your design.

Document history

Document title: CE233736 – OPTIGA™ Trust M: MQTT Client

Version Description of change
1.0.0 New code example
1.1.0 Fix 62S2 boards build and minor README updates
2.0.0 Major update to support ModusToolbox™ v3.0. This version is not backward compatible with previous versions of ModusToolbox™
2.1.0 Added support for new kits
2.2.0 Added support for CY8CKIT-062S2-43012 connected with SHIELD_XENSIV_A


All referenced product or service names and trademarks are the property of their respective owners.

The Bluetooth® word mark and logos are registered trademarks owned by Bluetooth SIG, Inc., and any use of such marks by Infineon is under license.


© Cypress Semiconductor Corporation, 2022-2024. This document is the property of Cypress Semiconductor Corporation, an Infineon Technologies company, and its affiliates ("Cypress"). This document, including any software or firmware included or referenced in this document ("Software"), is owned by Cypress under the intellectual property laws and treaties of the United States and other countries worldwide. Cypress reserves all rights under such laws and treaties and does not, except as specifically stated in this paragraph, grant any license under its patents, copyrights, trademarks, or other intellectual property rights. If the Software is not accompanied by a license agreement and you do not otherwise have a written agreement with Cypress governing the use of the Software, then Cypress hereby grants you a personal, non-exclusive, nontransferable license (without the right to sublicense) (1) under its copyright rights in the Software (a) for Software provided in source code form, to modify and reproduce the Software solely for use with Cypress hardware products, only internally within your organization, and (b) to distribute the Software in binary code form externally to end users (either directly or indirectly through resellers and distributors), solely for use on Cypress hardware product units, and (2) under those claims of Cypress's patents that are infringed by the Software (as provided by Cypress, unmodified) to make, use, distribute, and import the Software solely for use with Cypress hardware products. Any other use, reproduction, modification, translation, or compilation of the Software is prohibited.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CYPRESS MAKES NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THIS DOCUMENT OR ANY SOFTWARE OR ACCOMPANYING HARDWARE, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. No computing device can be absolutely secure. Therefore, despite security measures implemented in Cypress hardware or software products, Cypress shall have no liability arising out of any security breach, such as unauthorized access to or use of a Cypress product. CYPRESS DOES NOT REPRESENT, WARRANT, OR GUARANTEE THAT CYPRESS PRODUCTS, OR SYSTEMS CREATED USING CYPRESS PRODUCTS, WILL BE FREE FROM CORRUPTION, ATTACK, VIRUSES, INTERFERENCE, HACKING, DATA LOSS OR THEFT, OR OTHER SECURITY INTRUSION (collectively, "Security Breach"). Cypress disclaims any liability relating to any Security Breach, and you shall and hereby do release Cypress from any claim, damage, or other liability arising from any Security Breach. In addition, the products described in these materials may contain design defects or errors known as errata which may cause the product to deviate from published specifications. To the extent permitted by applicable law, Cypress reserves the right to make changes to this document without further notice. Cypress does not assume any liability arising out of the application or use of any product or circuit described in this document. Any information provided in this document, including any sample design information or programming code, is provided only for reference purposes. It is the responsibility of the user of this document to properly design, program, and test the functionality and safety of any application made of this information and any resulting product. "High-Risk Device" means any device or system whose failure could cause personal injury, death, or property damage. 
Examples of High-Risk Devices are weapons, nuclear installations, surgical implants, and other medical devices. "Critical Component" means any component of a High-Risk Device whose failure to perform can be reasonably expected to cause, directly or indirectly, the failure of the High-Risk Device, or to affect its safety or effectiveness. Cypress is not liable, in whole or in part, and you shall and hereby do release Cypress from any claim, damage, or other liability arising from any use of a Cypress product as a Critical Component in a High-Risk Device. You shall indemnify and hold Cypress, including its affiliates, and its directors, officers, employees, agents, distributors, and assigns harmless from and against all claims, costs, damages, and expenses, arising out of any claim, including claims for product liability, personal injury or death, or property damage arising from any use of a Cypress product as a Critical Component in a High-Risk Device. Cypress products are not intended or authorized for use as a Critical Component in any High-Risk Device except to the limited extent that (i) Cypress's published data sheet for the product explicitly states Cypress has qualified the product for use in a specific High-Risk Device, or (ii) Cypress has given you advance written authorization to use the product as a Critical Component in the specific High-Risk Device and you have signed a separate indemnification agreement.
Cypress, the Cypress logo, and combinations thereof, ModusToolbox, PSoC, CAPSENSE, EZ-USB, F-RAM, and TRAVEO are trademarks or registered trademarks of Cypress or a subsidiary of Cypress in the United States or in other countries. For a more complete list of Cypress trademarks, visit www.infineon.com. Other names and brands may be claimed as property of their respective owners.