aws · graebm · Mar 24, 2022 · Mar 14, 2022 · Mar 14, 2022 · Mar 16, 2022
diff --git a/.builder/actions/build_samples.py b/.builder/actions/build_samples.py
@@ -20,6 +20,7 @@ def run(self, env):
             'samples/mqtt/basic_pub_sub',
             'samples/mqtt/pkcs11_pub_sub',
             'samples/mqtt/raw_pub_sub',
+            'samples/mqtt/windows_cert_pub_sub',
             'samples/shadow/shadow_sync',
             'samples/greengrass/basic_discovery',
             'samples/identity/fleet_provisioning',

diff --git a/crt/aws-crt-cpp b/crt/aws-crt-cpp
diff --git a/samples/README.md b/samples/README.md
@@ -2,6 +2,7 @@
 
 * [Basic MQTT Pub-Sub](#basic-mqtt-pub-sub)
 * [PKCS#11 MQTT Pub-Sub](#pkcs11-mqtt-pub-sub)
+* [Windows Certificate MQTT Pub-Sub](#windows-certificate-mqtt-pub-sub)
 * [Raw MQTT Pub-Sub](#raw-mqtt-pub-sub)
 * [Fleet provisioning](#fleet-provisioning)
 * [Shadow](#shadow)
@@ -121,7 +122,7 @@ but the private key for mutual TLS is stored on a PKCS#11 compatible smart card
 
 WARNING: Unix only. Currently, TLS integration with PKCS#11 is only available on Unix devices.
 
-source: `samples/mqtt/pkcs11_pub_sub/main/cpp`
+source: `samples/mqtt/pkcs11_pub_sub/main.cpp`
 
 To run this sample using [SoftHSM2](https://www.opendnssec.org/softhsm/) as the PKCS#11 device:
 
@@ -144,9 +145,9 @@ To run this sample using [SoftHSM2](https://www.opendnssec.org/softhsm/) as the
 
     If this spits out an error message, create a config file:
     *   Default location: `~/.config/softhsm2/softhsm2.conf`
-    *   This file must specify token dir, default value is:
+    *   This file must specify a valid token directory:
         ```
-        directories.tokendir = /usr/local/var/lib/softhsm/tokens/
+        directories.tokendir = /path/for/my/softhsm/tokens/
         ```
 
 4)  Create token and import private key.
@@ -167,6 +168,68 @@ To run this sample using [SoftHSM2](https://www.opendnssec.org/softhsm/) as the
     ./pkcs11-pub-sub --endpoint <xxxx-ats.iot.xxxx.amazonaws.com> --ca_file <AmazonRootCA.pem> --cert <certificate.pem.crt> --pkcs11_lib <libsofthsm2.so> --pin <user-pin> --token_label <token-label> --key_label <key-label>
     ```
 
+## Windows Certificate MQTT Pub-Sub
+
+WARNING: Windows only
+
+This sample is similar to the [Basic Pub-Sub](#basic-mqtt-pub-sub),
+but your certificate and private key are in a
+[Windows certificate store](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/certificate-stores),
+rather than simply being files on disk.
+
+To run this sample you need the path to your certificate in the store,
+which will look something like:
+"CurrentUser\MY\A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6"
+(where "CurrentUser\MY" is the store and "A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6" is the certificate's thumbprint)
+
+If your certificate and private key are in a
+[TPM](https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/trusted-platform-module-overview),
+you would use them by passing their certificate store path.
+
+source: `samples/mqtt/windows_cert_pub_sub/main.cpp`
+
+To run this sample with a basic certificate from AWS IoT Core:
+
+1)  Create an IoT Thing with a certificate and key if you haven't already.
+
+2)  Combine the certificate and private key into a single .pfx file.
+
+    You will be prompted for a password while creating this file. Remember it for the next step.
+
+    If you have OpenSSL installed:
+    ```powershell
+    openssl pkcs12 -in certificate.pem.crt -inkey private.pem.key -out certificate.pfx
+    ```
+
+    Otherwise use [CertUtil](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil).
+    ```powershell
+    certutil -mergePFX certificate.pem.crt,private.pem.key certificate.pfx
+    ```
+
+3)  Add the .pfx file to a Windows certificate store using PowerShell's
+    [Import-PfxCertificate](https://docs.microsoft.com/en-us/powershell/module/pki/import-pfxcertificate)
+
+    In this example we're adding it to "CurrentUser\MY"
+
+    ```powershell
+    $mypwd = Get-Credential -UserName 'Enter password below' -Message 'Enter password below'
+    Import-PfxCertificate -FilePath certificate.pfx -CertStoreLocation Cert:\CurrentUser\MY -Password $mypwd.Password
+    ```
+
+    Note the certificate thumbprint that is printed out:
+    ```
+    Thumbprint                                Subject
+    ----------                                -------
+    A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6  CN=AWS IoT Certificate
+    ```
+
+    So this certificate's path would be: "CurrentUser\MY\A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6"
+
+4) Now you can run the sample:
+
+    ```
+    ./windows-cert-pub-sub.exe --endpoint xxxx-ats.iot.xxxx.amazonaws.com --ca_file AmazonRootCA.pem --cert CurrentUser\My\A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6
+    ```
 
 ## Raw MQTT Pub-Sub
 

diff --git a/samples/mqtt/windows_cert_pub_sub/CMakeLists.txt b/samples/mqtt/windows_cert_pub_sub/CMakeLists.txt
@@ -0,0 +1,25 @@
+cmake_minimum_required(VERSION 3.1)
+# note: cxx-17 requires cmake 3.8, cxx-20 requires cmake 3.12
+project(windows-cert-pub-sub CXX)
+
+file(GLOB SRC_FILES
+       "*.cpp"
+       "../../utils/CommandLineUtils.cpp"
+       "../../utils/CommandLineUtils.h"
+)
+
+add_executable(${PROJECT_NAME} ${SRC_FILES})
+
+set_target_properties(${PROJECT_NAME} PROPERTIES
+    CXX_STANDARD 14)
+
+# set warnings
+if (MSVC)
+    target_compile_options(${PROJECT_NAME} PRIVATE /W4 /WX /wd4068)
+else ()
+    target_compile_options(${PROJECT_NAME} PRIVATE -Wall -Wno-long-long -pedantic -Werror)
+endif ()
+
+find_package(aws-crt-cpp REQUIRED)
+
+target_link_libraries(${PROJECT_NAME} PRIVATE AWS::aws-crt-cpp)
+1 −1		.github/workflows/ci.yml
+1 −1		crt/aws-c-io
+11 −9		include/aws/crt/io/TlsOptions.h
+14 −0		include/aws/iot/MqttClient.h
+2 −2		source/io/TlsOptions.cpp
+14 −1		source/iot/MqttClient.cpp