Added support for MQTT over SSL/TLS (#1387)

* Added support for MQTT over SSL/TLS

* Added documentation on new parameters

Author: rdrgzlng

MyConfig.h

@@ -1485,6 +1485,63 @@
  */
 //#define MY_MQTT_SUBSCRIBE_TOPIC_PREFIX "mygateway1-in"
 
+/**
+ * @def MY_MQTT_CA_CERT
+ * @brief Set a specific CA certificate needed to validate MQTT server against. Use the certificate as a trust anchor, accepting remote certificates signed by it.
+ *
+ * This define is mandatory when you need connect MQTT over SSL/TLS.
+ * Example: @code
+ *
+ * const char mqtt_ca_cert[] PROGMEM = R"EOF(
+ * ----- BEGIN THE CERTIFICATE -----
+ * XXX ... XXX
+ * ----- FINISH CERTIFICATE -----
+ * )EOF";
+ *
+ * #define MY_MQTT_CA_CERT mqtt_ca_cert
+ *
+ * @endcode
+ */
+//#define MY_MQTT_CA_CERT
+
+/**
+ * @def MY_MQTT_CLIENT_CERT
+ * @brief Set a client certificate to send to a MQTT server that requests one over TLS connection.
+ *
+ * This define is mandatory when you need connect MQTT over SSL/TLS.
+ * Example: @code
+ *
+ * const char mqtt_client_cert[] PROGMEM = R"EOF(
+ * ----- BEGIN THE CERTIFICATE -----
+ * XXX ... XXX
+ * ----- FINISH CERTIFICATE -----
+ * )EOF";
+ *
+ * #define MY_MQTT_CLIENT_CERT mqtt_client_cert
+ *
+ * @endcode
+ */
+//#define MY_MQTT_CLIENT_CERT
+
+/**
+ * @def MY_MQTT_CLIENT_KEY
+ * @brief Set a client private key to send to a MQTT server that requests one over TLS connection.
+ *
+ * This define is mandatory when you need connect MQTT over SSL/TLS.
+ * Example: @code
+ *
+ * const char mqtt_client_key[] PROGMEM = R"EOF(
+ * ----- START THE RSA PRIVATE KEY -----
+ * XXX ... XXX
+ * ----- FINISH THE RSA PRIVATE KEY -----
+ * )EOF";
+ *
+ * #define MY_MQTT_CLIENT_KEY mqtt_client_key
+ *
+ * @endcode
+ */
+//#define MY_MQTT_CLIENT_KEY
+
 /**
  * @def MY_IP_ADDRESS
  * @brief Static ip address of gateway. If not defined, DHCP will be used.
@@ -2262,6 +2319,9 @@
 #define MY_MQTT_CLIENT_ID
 #define MY_MQTT_PUBLISH_TOPIC_PREFIX
 #define MY_MQTT_SUBSCRIBE_TOPIC_PREFIX
+#define MY_MQTT_CA_CERT
+#define MY_MQTT_CLIENT_CERT
+#define MY_MQTT_CLIENT_KEY
 #define MY_SIGNAL_REPORT_ENABLED
 // general
 #define MY_WITH_LEDS_BLINKING_INVERSE

core/MyGatewayTransportMQTTClient.cpp

@@ -83,7 +83,14 @@
 #endif /* End of MY_IP_ADDRESS */
 
 #if defined(MY_GATEWAY_ESP8266) || defined(MY_GATEWAY_ESP32)
+#if defined(MY_MQTT_CA_CERT) && defined(MY_MQTT_CLIENT_CERT) && defined(MY_MQTT_CLIENT_KEY)
+#define EthernetClient WiFiClientSecure
+BearSSL::X509List ca_cert(MY_MQTT_CA_CERT);
+BearSSL::X509List client_cert(MY_MQTT_CLIENT_CERT);
+BearSSL::PrivateKey client_key(MY_MQTT_CLIENT_KEY);
+#else
 #define EthernetClient WiFiClient
+#endif /* End of MY_MQTT_CA_CERT && MY_MQTT_CLIENT_CERT && MY_MQTT_CLIENT_KEY */
 #elif defined(MY_GATEWAY_LINUX)
 // Nothing to do here
 #else
@@ -138,6 +145,7 @@ void incomingMQTT(char *topic, uint8_t *payload, unsigned int length)
 bool reconnectMQTT(void)
 {
 	GATEWAY_DEBUG(PSTR("GWT:RMQ:CONNECTING...\n"));
+
 	// Attempt to connect
 	if (_MQTT_client.connect(MY_MQTT_CLIENT_ID, MY_MQTT_USER, MY_MQTT_PASSWORD)) {
 		GATEWAY_DEBUG(PSTR("GWT:RMQ:OK\n"));
@@ -261,6 +269,11 @@ bool gatewayTransportInit(void)
 	(void)WiFi.begin(MY_WIFI_SSID, MY_WIFI_PASSWORD, 0, MY_WIFI_BSSID);
 #endif
 
+#if defined(MY_MQTT_CA_CERT) && defined(MY_MQTT_CLIENT_CERT) && defined(MY_MQTT_CLIENT_KEY)
+	_MQTT_ethClient.setTrustAnchors(&ca_cert);
+	_MQTT_ethClient.setClientRSACert(&client_cert, &client_key);
+#endif /* End of MY_MQTT_CA_CERT && MY_MQTT_CLIENT_CERT && MY_MQTT_CLIENT_KEY */
+
 	gatewayTransportConnect();
 
 	_MQTT_connecting = false;

keywords.txt

@@ -248,7 +248,10 @@ MY_GATEWAY_SERIAL	LITERAL1
 MY_GATEWAY_W5100	LITERAL1
 MY_HOSTNAME	LITERAL1
 MY_INCLUSION_BUTTON_EXTERNAL_PULLUP	LITERAL1
+MY_MQTT_CA_CERT	LITERAL1
+MY_MQTT_CLIENT_CERT	LITERAL1
 MY_MQTT_CLIENT_ID	LITERAL1
+MY_MQTT_CLIENT_KEY	LITERAL1
 MY_MQTT_CLIENT_PUBLISH_RETAIN	LITERAL1
 MY_MQTT_PASSWORD	LITERAL1
 MY_MQTT_PUBLISH_TOPIC_PREFIX	LITERAL1