Add code comments on the different requirements for credential consta…

…nts between evaluation and production systems. (FreeRTOS#386)

Only comments have changed.  No code changes.

Co-authored-by: Cobus van Eeden <[email protected]>
Co-authored-by: Gary Wicker <[email protected]>

FreeRTOS-Plus/Demo/coreMQTT_Windows_Simulator/MQTT_Basic_TLS/demo_config.h

@@ -60,7 +60,12 @@
  * must be unique; so edit as required to ensure that no two clients connecting to
  * the same broker use the same client identifier.
  *
- * #define democonfigCLIENT_IDENTIFIER    "...insert here..."
+ *!!! Please note a #defined constant is used for convenience of demonstration
+ *!!! only.  Production devices can use something unique to the device that can
+ *!!! be read by software, such as a production serial number, instead of a
+ *!!! hard coded constant.
+ *
+ * #define democonfigCLIENT_IDENTIFIER				"insert here."
  */
 
 

FreeRTOS-Plus/Demo/coreMQTT_Windows_Simulator/MQTT_Keep_Alive/demo_config.h

@@ -58,6 +58,11 @@
  * must be unique so edit as required to ensure no two clients connecting to the
  * same broker use the same client identifier.
  *
+ *!!! Please note a #defined constant is used for convenience of demonstration
+ *!!! only.  Production devices can use something unique to the device that can
+ *!!! be read by software, such as a production serial number, instead of a
+ *!!! hard coded constant.
+ *
  * #define democonfigCLIENT_IDENTIFIER				"insert here."
  */
 

FreeRTOS-Plus/Demo/coreMQTT_Windows_Simulator/MQTT_Multitask/DemoTasks/MultitaskMQTTExample.c

@@ -111,6 +111,13 @@
 
 /* If no username is defined, then a client certificate/key is required. */
     #ifndef democonfigCLIENT_USERNAME
+
+        /*
+         *!!! Please note democonfigCLIENT_PRIVATE_KEY_PEM in used for
+         *!!! convenience of demonstration only.  Production devices should
+         *!!! store keys securely, such as within a secure element.
+         */
+
         #ifndef democonfigCLIENT_CERTIFICATE_PEM
             #error "Please define client certificate(democonfigCLIENT_CERTIFICATE_PEM) in demo_config.h."
         #endif

FreeRTOS-Plus/Demo/coreMQTT_Windows_Simulator/MQTT_Multitask/demo_config.h

@@ -57,6 +57,11 @@
  * must be unique so edit as required to ensure no two clients connecting to the
  * same broker use the same client identifier.
  *
+ *!!! Please note a #defined constant is used for convenience of demonstration
+ *!!! only.  Production devices can use something unique to the device that can
+ *!!! be read by software, such as a production serial number, instead of a
+ *!!! hard coded constant.
+ *
  * #define democonfigCLIENT_IDENTIFIER				"insert here."
  */
 
@@ -133,6 +138,14 @@
 /**
  * @brief Client's private key.
  *
+ *!!! Please note pasting a key into the header file in this manner is for
+ *!!! convenience of demonstration only and should not be done in production.
+ *!!! Never paste a production private key here!.  Production devices should
+ *!!! store keys securely, such as within a secure element.  Additionally,
+ *!!! we provide the corePKCS library that further enhances security by
+ *!!! enabling securely stored keys to be used without exposing them to
+ *!!! software.
+ *
  * For AWS IoT MQTT broker, refer to the AWS documentation below for details
  * regarding clientauthentication.
  * https://docs.aws.amazon.com/iot/latest/developerguide/client-authentication.html

FreeRTOS-Plus/Demo/coreMQTT_Windows_Simulator/MQTT_Multitask/mqtt_broker_setup.txt

@@ -63,14 +63,19 @@ TLS mutual authentication for use with this MQTT demo.
             "-----BEGIN CERTIFICATE-----\n" \
             "...base64 data...\n" \
             "-----END CERTIFICATE-----\n"
-11. In the certs folder of your Documents, you will find a file called `client.key`.
+12. In the certs folder of your Documents, you will find a file called `client.key`.
     Copy its contents to `#define democonfigCLIENT_PRIVATE_KEY_PEM`. Keep in mind
     that it must include the PEM header and footer and be formatted in this manner:
         #define democonfigCLIENT_PRIVATE_KEY_PEM \
             "-----BEGIN RSA PRIVATE KEY-----\n" \
             "...base64 data...\n" \
             "-----END RSA PRIVATE KEY-----\n"
-12. Update the config `democonfigdisableSNI` to `( pdTRUE )`. It needs to be 
+
+    *!!! Please note democonfigCLIENT_PRIVATE_KEY_PEM in used for convenience
+    *!!! of demonstration only.  Production devices should store keys securely,
+    *!!! such as within a secure element.
+
+13. Update the config `democonfigdisableSNI` to `( pdTRUE )`. It needs to be
     configured this way because the local MQTT broker will only have an IP
     address but not a hostname. However, SNI (Server name indication) should
     be enabled whenever possible.

FreeRTOS-Plus/Demo/coreMQTT_Windows_Simulator/MQTT_Mutual_Auth/DemoTasks/MutualAuthMQTTExample.c

@@ -72,6 +72,13 @@
 
 /* If no username is defined, then a client certificate/key is required. */
 #ifndef democonfigCLIENT_USERNAME
+
+    /*
+     *!!! Please note democonfigCLIENT_PRIVATE_KEY_PEM in used for
+     *!!! convenience of demonstration only.  Production devices should
+     *!!! store keys securely, such as within a secure element.
+     */
+
     #ifndef democonfigCLIENT_CERTIFICATE_PEM
         #error "Please define client certificate(democonfigCLIENT_CERTIFICATE_PEM) in demo_config.h."
     #endif

FreeRTOS-Plus/Demo/coreMQTT_Windows_Simulator/MQTT_Mutual_Auth/demo_config.h

@@ -60,7 +60,12 @@
  * must be unique; so edit as required to ensure that no two clients connecting to
  * the same broker use the same client identifier.
  *
- * #define democonfigCLIENT_IDENTIFIER    "insert here."
+ *!!! Please note a #defined constant is used for convenience of demonstration
+ *!!! only.  Production devices can use something unique to the device that can
+ *!!! be read by software, such as a production serial number, instead of a
+ *!!! hard coded constant.
+ *
+ * #define democonfigCLIENT_IDENTIFIER				"insert here."
  */
 
 /**
@@ -132,6 +137,14 @@
 /**
  * @brief Client's private key.
  *
+ *!!! Please note pasting a key into the header file in this manner is for
+ *!!! convenience of demonstration only and should not be done in production.
+ *!!! Never paste a production private key here!.  Production devices should
+ *!!! store keys securely, such as within a secure element.  Additionally,
+ *!!! we provide the corePKCS library that further enhances security by
+ *!!! enabling securely stored keys to be used without exposing them to
+ *!!! software.
+ *
  * For AWS IoT MQTT broker, refer to the AWS documentation below for details
  * regarding clientauthentication.
  * https://docs.aws.amazon.com/iot/latest/developerguide/client-authentication.html

FreeRTOS-Plus/Demo/coreMQTT_Windows_Simulator/MQTT_Mutual_Auth/mqtt_broker_setup.txt

@@ -63,14 +63,19 @@ TLS mutual authentication for use with this MQTT demo.
             "-----BEGIN CERTIFICATE-----\n" \
             "...base64 data...\n" \
             "-----END CERTIFICATE-----\n"
-11. In the certs folder of your Documents, you will find a file called `client.key`.
+12. In the certs folder of your Documents, you will find a file called `client.key`.
     Copy its contents to `#define democonfigCLIENT_PRIVATE_KEY_PEM`. Keep in mind
     that it must include the PEM header and footer and be formatted in this manner:
         #define democonfigCLIENT_PRIVATE_KEY_PEM \
             "-----BEGIN RSA PRIVATE KEY-----\n" \
             "...base64 data...\n" \
             "-----END RSA PRIVATE KEY-----\n"
-12. Update the config `democonfigdisableSNI` to `( pdTRUE )`. It needs to be 
+
+    *!!! Please note democonfigCLIENT_PRIVATE_KEY_PEM in used for convenience
+    *!!! of demonstration only.  Production devices should store keys securely,
+    *!!! such as within a secure element.
+
+13. Update the config `democonfigdisableSNI` to `( pdTRUE )`. It needs to be
     configured this way because the local MQTT broker will only have an IP
     address but not a hostname. However, SNI (Server name indication) should
     be enabled whenever possible.

FreeRTOS-Plus/Demo/coreMQTT_Windows_Simulator/MQTT_Plain_Text/demo_config.h

@@ -58,6 +58,11 @@
  * must be unique so edit as required to ensure no two clients connecting to the
  * same broker use the same client identifier.
  *
+ *!!! Please note a #defined constant is used for convenience of demonstration
+ *!!! only.  Production devices can use something unique to the device that can
+ *!!! be read by software, such as a production serial number, instead of a
+ *!!! hard coded constant.
+ *
  * #define democonfigCLIENT_IDENTIFIER				"insert here."
  */
 

FreeRTOS-Plus/Demo/coreMQTT_Windows_Simulator/MQTT_Serializer/demo_config.h

@@ -58,6 +58,11 @@
  * must be unique so edit as required to ensure no two clients connecting to the
  * same broker use the same client identifier.
  *
+ *!!! Please note a #defined constant is used for convenience of demonstration
+ *!!! only.  Production devices can use something unique to the device that can
+ *!!! be read by software, such as a production serial number, instead of a
+ *!!! hard coded constant.
+ *
  * #define democonfigCLIENT_IDENTIFIER				"insert here."
  */