Post-Quantum MQTT Support
Hello,
I have followed the tutorial given in the README.md about Post-Quantum MQTT Support. On reaching the point where it's just executing the mqttclient, I got an error.
I have tried with liboqs 0.8.0 and 0.10.0. I do:
$ mkdir build
$ cd build
$ cmake -DOQS_USE_OPENSSL=0 ..
$ make all
$ sudo make install
After installing the library, for every liboqs version, I enter the following in the wolfssl latest version configuration:
$ ./configure --with-liboqs --enable-experimental --enable-kyber=yes,original
$ make all
$ sudo make install
The --enable-experimental option is not included in the wolfssl INSTALL file, which just points to --with-liboqs, but I assumed it wouldn't cause any error, so I managed to compile wolfssl and install it with that configuration. The same goes for --enable-kyber=yes,original, which happens to cause a problem when compiling wolfMQTT if it's not included.
In the instructions, it is said to copy some files from the cert folder of the publisher container:
- /test/cert/CA.crt
- /test/cert/publisher.crt
- /test/cert/publisher.key
And the problem is that when executing the following command:
./examples/mqttclient/mqttclient -h 172.18.0.2 -t -A CA.crt -K publisher.key -c publisher.crt -m "Hello from post-quantum wolfMQTT!!" -n test/sensor1 -Q KYBER_LEVEL1
With every other instruction followed and this setup as base, an error arises:
Error loading CA CA.crt: -148 (ASN oid error, unknown sum id)
MQTT Socket Connect: Error (TLS Connect) (-6)
I would appreciate any help with this problem.
Hi Camblor.
I'm sorry to see you are having problems with our post-quantum integration in wolfMQTT. It's been a while since that work was done and it might need to be updated. Please let me try it out and report back what I'm seeing. Please stay tuned.
In the meantime can you let us know a bit about yourself and your project? For example, is this out of professional, academic or personal interest?
Warm regards, Anthony
Hi Anthony,
I'm working as a Researcher-Engineer at Gradiant, a technology center where we do research on cybersecurity, among other topics. Here, we have a research project about the usage of post-quantum cryptography in MQTT communication between IoT devices. WolfMQTT makes a lot of sense here because of the lightweight requirements of IoT devices, so I was trying to make the client work and then start testing.
I'll stay tuned. If you require more information or something I can help with, please tell me.
Warm regards, Alfonso.
Hi Alfonso,
I should let you know that we have our own implementation of Kyber/MLKEM and Dilithium/MLDSA. So, you don't actually need to build and link against liboqs.
Please try this configure command for wolfSSL:
./configure --enable-experimental --enable-kyber --enable-dilithium
Warm regards, Anthony
Hi Anthony,
I have just tried that configuration, but it gives compilation errors in wolfMQTT without the --enable-kyber=yes,original:
$ make all
make -j13 all-am
make[1]: Entering directory '/home/myuser/oqs/wolfMQTT'
CC examples/mqttclient/mqttclient-mqttclient.o
CC examples/mqttclient_mqttclient-mqttnet.o
CC examples/mqttclient_mqttclient-mqttexample.o
CC src/libwolfmqtt_la-mqtt_client.lo
CC src/libwolfmqtt_la-mqtt_packet.lo
CC src/libwolfmqtt_la-mqtt_socket.lo
CC examples/mqttsimple/mqttsimple.o
CC examples/firmware/fwpush-fwpush.o
CC examples/firmware_fwpush-mqttnet.o
CC examples/firmware_fwpush-mqttexample.o
CC examples/firmware_fwclient-mqttnet.o
CC examples/firmware_fwclient-mqttexample.o
CC examples/firmware/fwclient-fwclient.o
examples/mqttexample.c: In function ‘mqtt_tls_cb’:
examples/mqttexample.c:730:25: error: ‘WOLFSSL_KYBER_LEVEL1’ undeclared (first use in this function)
730 | group = WOLFSSL_KYBER_LEVEL1;
| ^~~~~~~~~~~~~~~~~~~~
examples/mqttexample.c:730:25: note: each undeclared identifier is reported only once for each function it appears in
examples/mqttexample.c: In function ‘mqtt_tls_cb’:
examples/mqttexample.c:730:25: error: ‘WOLFSSL_KYBER_LEVEL1’ undeclared (first use in this function)
730 | group = WOLFSSL_KYBER_LEVEL1;
| ^~~~~~~~~~~~~~~~~~~~
examples/mqttexample.c:730:25: note: each undeclared identifier is reported only once for each function it appears in
examples/mqttexample.c:732:25: error: ‘WOLFSSL_P256_KYBER_LEVEL1’ undeclared (first use in this function)
732 | group = WOLFSSL_P256_KYBER_LEVEL1;
| ^~~~~~~~~~~~~~~~~~~~~~~~~
examples/mqttexample.c:732:25: error: ‘WOLFSSL_P256_KYBER_LEVEL1’ undeclared (first use in this function)
732 | group = WOLFSSL_P256_KYBER_LEVEL1;
| ^~~~~~~~~~~~~~~~~~~~~~~~~
make[1]: *** [Makefile:1871: examples/mqttclient_mqttclient-mqttexample.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: *** [Makefile:1829: examples/firmware_fwpush-mqttexample.o] Error 1
examples/mqttexample.c: In function ‘mqtt_tls_cb’:
examples/mqttexample.c:730:25: error: ‘WOLFSSL_KYBER_LEVEL1’ undeclared (first use in this function)
730 | group = WOLFSSL_KYBER_LEVEL1;
| ^~~~~~~~~~~~~~~~~~~~
examples/mqttexample.c:730:25: note: each undeclared identifier is reported only once for each function it appears in
examples/mqttexample.c:732:25: error: ‘WOLFSSL_P256_KYBER_LEVEL1’ undeclared (first use in this function)
732 | group = WOLFSSL_P256_KYBER_LEVEL1;
| ^~~~~~~~~~~~~~~~~~~~~~~~~
make[1]: *** [Makefile:1787: examples/firmware_fwclient-mqttexample.o] Error 1
and after I add that part to the command, when I run the mqttclient with the mosquitto containers generating the Dilithium2 files, I get:
Error loading CA CA.crt: -148 (ASN oid error, unknown sum id)
MQTT Socket Connect: Error (TLS Connect) (-6)
The good part is that I managed to make this work by using liboqs 0.10.0, wolfssl current version:
./configure --with-liboqs --enable-experimental --enable-kyber=yes,original
wolfMQTT current version and falcon512 in the Dockerfile, but we would like to use Dilithium/MLDSA for the project.
Warm regards, Alfonso.
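One way to see which signature-algorithm OID a certificate such as CA.crt carries, for comparison against what the TLS library build recognises when a load fails with "ASN oid error, unknown sum id". This is an added example, not code from this thread or from wolfSSL/wolfMQTT; the function names are hypothetical, and the sample bytes are a constructed stand-in that uses the well-known sha256WithRSAEncryption OID.

```python
import base64

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next k bytes hold the length
        k = length & 0x7F
        if k == 0 or start + k > len(buf):
            raise ValueError("bad DER length")
        length, start = int.from_bytes(buf[start:start + k], "big"), start + k
    if start + length > len(buf):
        raise ValueError("element runs past end of input")
    return tag, start, start + length

def oid_to_text(content):
    """Decode OID content bytes into dotted-decimal text."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # final byte of this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def cert_signature_oid(data):
    """OID of the outer signatureAlgorithm of a PEM or DER certificate."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        body = data.split(b"-----BEGIN CERTIFICATE-----")[1].split(b"-----END")[0]
        data = base64.b64decode(body)
    def expect(pos, want):
        tag, start, end = read_tlv(data, pos)
        if tag != want:
            raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
        return start, end
    cert_start, _ = expect(0, 0x30)        # Certificate
    _, tbs_end = expect(cert_start, 0x30)  # tbsCertificate, skipped
    alg_start, _ = expect(tbs_end, 0x30)   # signatureAlgorithm
    return oid_to_text(data[slice(*expect(alg_start, 0x06))])

# Constructed stand-in, not a real certificate (sha256WithRSAEncryption sigalg).
SAMPLE = bytes.fromhex("3017" "30020500" "300d06092a864886f70d01010b0500" "03020000")

if __name__ == "__main__":
    print(cert_signature_oid(SAMPLE))
```

Passing the bytes of a real certificate file, for example `cert_signature_oid(open("CA.crt", "rb").read())`, prints the OID its issuer signed with, which can then be checked against the algorithms the client library was configured with.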
Alfonso,
Instead of --enable-kyber=yes,original can you try --enable-kyber?
Warm regards, Anthony
Hi Anthony,
Yes, I tried that option and it works for wolfssl, but after that, when I compile wolfMQTT I get the error of the previous message.
Warm regards, Alfonso.
Hi @camblor,
I thought I'd let you know I'm still working on this. I had to get the OQS team to update their build of Mosquitto. Now I need to change up some code points in wolfSSL. Sorry this is taking so long. Please bear with me.
Warm regards, Anthony
Hi @anhu,
Understood, take your time, don't worry.
Warm regards, Alfonso.
Resolved by #432