From a3fd185fffc08938b130112540cff6a9ffa5ca43 Mon Sep 17 00:00:00 2001 From: pennam Date: Mon, 27 Jan 2025 15:55:36 +0100 Subject: [PATCH 1/6] Add missing comment about nano rp2040 --- src/tls/utility/TLSClientMqtt.h | 1 + src/tls/utility/TLSClientOta.h | 1 + 2 files changed, 2 insertions(+) diff --git a/src/tls/utility/TLSClientMqtt.h b/src/tls/utility/TLSClientMqtt.h index 837e76dec..e8ac6906f 100644 --- a/src/tls/utility/TLSClientMqtt.h +++ b/src/tls/utility/TLSClientMqtt.h @@ -24,6 +24,7 @@ /* * Arduino MKR GSM 1400 * Arduino MKR NB 1500 + * Arduino NANO RP 2040 * Arduino Portenta H7 * Arduino Giga R1 * OPTA diff --git a/src/tls/utility/TLSClientOta.h b/src/tls/utility/TLSClientOta.h index 3e76433ab..89925499b 100644 --- a/src/tls/utility/TLSClientOta.h +++ b/src/tls/utility/TLSClientOta.h @@ -24,6 +24,7 @@ /* * Arduino MKR GSM 1400 * Arduino MKR NB 1500 + * Arduino NANO RP 2040 * Arduino Portenta H7 * Arduino Giga R1 * OPTA From da6b1064b0744de4a6af85d296d603b4a5d4b849 Mon Sep 17 00:00:00 2001 From: pennam Date: Mon, 27 Jan 2025 16:00:55 +0100 Subject: [PATCH 2/6] Add ArduinoIoTAuthenticationMode enum --- src/tls/utility/TLSClientMqtt.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/tls/utility/TLSClientMqtt.h b/src/tls/utility/TLSClientMqtt.h index e8ac6906f..affa2cb3d 100644 --- a/src/tls/utility/TLSClientMqtt.h +++ b/src/tls/utility/TLSClientMqtt.h @@ -13,6 +13,12 @@ #include #include +enum class ArduinoIoTAuthenticationMode +{ + PASSWORD, + CERTIFICATE +}; + #if defined(BOARD_HAS_OFFLOADED_ECCX08) /* * Arduino MKR WiFi1010 - WiFi From 78f6a356fa1b8f5d8940c8c1725bf6cbeb79e388 Mon Sep 17 00:00:00 2001 From: pennam Date: Mon, 27 Jan 2025 16:05:20 +0100 Subject: [PATCH 3/6] TLSClientMqtt: add ArduinoIoTAuthenticationMode parameter --- src/tls/utility/TLSClientMqtt.cpp | 10 +++++++++- src/tls/utility/TLSClientMqtt.h | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) 
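Review bot: `enum class ArduinoIoTAuthenticationMode` is introduced in TLSClientMqtt.h without a comment saying what the two modes mean or who selects them, even though the following patches key both the TLS client setup and the broker port on it. A short header comment above the enum would carry that contract, e.g. `/* How the device authenticates to the broker: CERTIFICATE = device certificate with mTLS (default), PASSWORD = username/password login over a server-authenticated TLS session */`. The enumerators have no explicit values, which is fine as long as the value is never persisted or put on the wire; if it ever is, pin them.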
diff --git a/src/tls/utility/TLSClientMqtt.cpp b/src/tls/utility/TLSClientMqtt.cpp index 9bd8607a4..7d94f43c9 100644 --- a/src/tls/utility/TLSClientMqtt.cpp +++ b/src/tls/utility/TLSClientMqtt.cpp @@ -33,23 +33,29 @@ } #endif -void TLSClientMqtt::begin(ConnectionHandler & connection) { + +void TLSClientMqtt::begin(ConnectionHandler & connection, ArduinoIoTAuthenticationMode authMode) { #if defined(BOARD_HAS_OFFLOADED_ECCX08) /* Arduino Root CA is configured in nina-fw * https://github.com/arduino/nina-fw/blob/master/arduino/libraries/ArduinoBearSSL/src/BearSSLTrustAnchors.h */ + (void)authMode; #elif defined(BOARD_HAS_ECCX08) + (void)authMode; setClient(connection.getClient()); setProfile(aiotc_client_profile_init); setTrustAnchors(ArduinoIoTCloudTrustAnchor, ArduinoIoTCloudTrustAnchor_NUM); onGetTime(getTime); #elif defined(ARDUINO_PORTENTA_C33) + (void)authMode; setClient(connection.getClient()); setCACert(AIoTSSCert); #elif defined(ARDUINO_NICLA_VISION) + (void)authMode; appendCustomCACert(AIoTSSCert); #elif defined(ARDUINO_EDGE_CONTROL) + (void)authMode; appendCustomCACert(AIoTUPCert); #elif defined(ARDUINO_UNOR4_WIFI) /* Arduino Root CA is configured in uno-r4-wifi-usb-bridge fw >= 0.4.1 @@ -62,8 +68,10 @@ void TLSClientMqtt::begin(ConnectionHandler & connection) { /* Temporary force CACert to add new CA without rebuilding firmware */ setCACert(AIoTSSCert); #elif defined(ARDUINO_ARCH_ESP32) + (void)authMode; setCACert(AIoTUPCert); #elif defined(ARDUINO_ARCH_ESP8266) + (void)authMode; setInsecure(); #endif } diff --git a/src/tls/utility/TLSClientMqtt.h b/src/tls/utility/TLSClientMqtt.h index affa2cb3d..7deebe24e 100644 --- a/src/tls/utility/TLSClientMqtt.h +++ b/src/tls/utility/TLSClientMqtt.h @@ -71,6 +71,6 @@ enum class ArduinoIoTAuthenticationMode #endif public: - void begin(ConnectionHandler & connection); + void begin(ConnectionHandler & connection, ArduinoIoTAuthenticationMode authMode = ArduinoIoTAuthenticationMode::CERTIFICATE); }; 
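Review bot: The same `(void)authMode;` is repeated in five `#elif` branches of `TLSClientMqtt::begin` in this hunk and again in the ESP32 and ESP8266 branches of the next one, which is easy to forget when a new board branch is added. A single `(void)authMode;` right after the opening brace, before the `#if`, silences the unused-parameter warning for every configuration and lets all the per-branch copies go. The body of begin() continues past the end of this hunk.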
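Review bot: In the ESP8266 branch of the second hunk the new `(void)authMode;` sits directly above the pre-existing `setInsecure();`, so with `ArduinoIoTAuthenticationMode::PASSWORD` the username and password are sent over a TLS session whose server certificate is never verified. The commit does not change that behaviour, but the trade-off should be stated where it lives: `/* No server certificate validation on ESP8266: in PASSWORD mode the credentials are only as protected as this unauthenticated TLS session */`. If the platform client supports pinning a CA or a fingerprint, using it at least for PASSWORD mode would close that gap.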
From 3a50cc61ef7e961e06962c50528cec01658f909e Mon Sep 17 00:00:00 2001
From: pennam
Date: Mon, 27 Jan 2025 16:06:23 +0100
Subject: [PATCH 4/6] TLSClientMqtt: force CA only if UNOR4 is using CERTIFICATE auth mode

---
 src/tls/utility/TLSClientMqtt.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/tls/utility/TLSClientMqtt.cpp b/src/tls/utility/TLSClientMqtt.cpp
index 7d94f43c9..0717dcced 100644
--- a/src/tls/utility/TLSClientMqtt.cpp
+++ b/src/tls/utility/TLSClientMqtt.cpp
@@ -66,7 +66,9 @@ void TLSClientMqtt::begin(ConnectionHandler & connection, ArduinoIoTAuthenticati
 */
 (void)connection;
 /* Temporary force CACert to add new CA without rebuilding firmware */
- setCACert(AIoTSSCert);
+ if (authMode == ArduinoIoTAuthenticationMode::CERTIFICATE) {
+ setCACert(AIoTSSCert);
+ }
 #elif defined(ARDUINO_ARCH_ESP32)
 (void)authMode;
 setCACert(AIoTUPCert);

From cfc895c5646ac09a9ed50fe5dd10d232341b863b Mon Sep 17 00:00:00 2001
From: pennam
Date: Mon, 27 Jan 2025 16:06:59 +0100
Subject: [PATCH 5/6] ArduinoIoTCloudTCP: configure ArduinoIoTAuthenticationMode during begin()

---
 src/ArduinoIoTCloudTCP.cpp | 20 +++++++++++---------
 src/ArduinoIoTCloudTCP.h | 1 +
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/src/ArduinoIoTCloudTCP.cpp b/src/ArduinoIoTCloudTCP.cpp
index d027ef738..fc8e8f6da 100644
--- a/src/ArduinoIoTCloudTCP.cpp
+++ b/src/ArduinoIoTCloudTCP.cpp
@@ -67,6 +67,7 @@ ArduinoIoTCloudTCP::ArduinoIoTCloudTCP()
 , _messageTopicIn("")
 , _dataTopicOut("")
 , _dataTopicIn("")
+, _authMode(ArduinoIoTAuthenticationMode::CERTIFICATE)
 #if OTA_ENABLED
 , _ota(&_message_stream)
 , _get_ota_confirmation{nullptr}
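Review bot: With the new `if (authMode == ArduinoIoTAuthenticationMode::CERTIFICATE)` guard, the UNO R4 WiFi PASSWORD path no longer installs `AIoTSSCert` and relies entirely on the root CA shipped in the bridge firmware (the comment above the hunk mentions fw >= 0.4.1), so on older firmware PASSWORD mode presumably fails the handshake instead of falling back to the forced CA. That firmware dependency should be visible at the decision point; the existing comment could read `/* Temporary: force CACert only for CERTIFICATE auth; PASSWORD auth trusts the Root CA in bridge fw >= 0.4.1 */`. begin() starts and ends outside this hunk.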
@@ -84,20 +85,24 @@ int ArduinoIoTCloudTCP::begin(ConnectionHandler & connection, bool const enable_ _connection = &connection; _brokerAddress = brokerAddress; +#if defined (BOARD_HAS_SECRET_KEY) + /* If board supports and sketch is configured for username and password login */ + if(_password.length()) { + _authMode = ArduinoIoTAuthenticationMode::PASSWORD; + } +#endif + /* Setup broker TLS client */ - _brokerClient.begin(connection); + _brokerClient.begin(connection, _authMode); #if OTA_ENABLED /* Setup OTA TLS client */ _otaClient.begin(connection); #endif -#if defined (BOARD_HAS_SECRET_KEY) - /* If board is not configured for username and password login */ - if(!_password.length()) + /* If board is configured for certificate authentication and mTLS */ + if(_authMode == ArduinoIoTAuthenticationMode::CERTIFICATE) { -#endif - #if defined(BOARD_HAS_SECURE_ELEMENT) if (!_selement.begin()) { @@ -130,14 +135,11 @@ int ArduinoIoTCloudTCP::begin(ConnectionHandler & connection, bool const enable_ #endif _brokerPort = (brokerPort == DEFAULT_BROKER_PORT_AUTO) ? mqttPort() : brokerPort; #endif - -#if defined(BOARD_HAS_SECRET_KEY) } else { _brokerPort = (brokerPort == DEFAULT_BROKER_PORT_AUTO) ? DEFAULT_BROKER_PORT_USER_PASS_AUTH : brokerPort; } -#endif /* Setup TimeService */ _time_service.begin(_connection); diff --git a/src/ArduinoIoTCloudTCP.h b/src/ArduinoIoTCloudTCP.h index 937d0d89d..810e633e9 100644 --- a/src/ArduinoIoTCloudTCP.h +++ b/src/ArduinoIoTCloudTCP.h @@ -162,6 +162,7 @@ class ArduinoIoTCloudTCP: public ArduinoIoTCloudClass String _dataTopicOut; String _dataTopicIn; + ArduinoIoTAuthenticationMode _authMode; #if OTA_ENABLED TLSClientOta _otaClient; From 1587be277f47d303abc3edd8e62f002380441a2b Mon Sep 17 00:00:00 2001 
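Review bot: The authentication mode is chosen implicitly in the first hunk: a non-empty `_password` switches the whole connection to PASSWORD without any log line, so a sketch that carries both a device certificate and a leftover password silently downgrades from mTLS and the `_selement.begin()` path is never taken. A debug message naming the selected mode next to the `_authMode = ArduinoIoTAuthenticationMode::PASSWORD;` assignment would make that visible when diagnosing a device. The `_otaClient.begin(connection)` call a few lines below still receives no mode; if that is intentional (TLSClientOta is not in this diff) a one-line comment saying so would stop the next reader from "fixing" it. begin() continues past the end of this hunk.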
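Review bot: Dropping the `#if defined(BOARD_HAS_SECRET_KEY)` guard around the `else` branch in the second hunk means `DEFAULT_BROKER_PORT_USER_PASS_AUTH` is now referenced on every board; if that constant is only defined for secret-key boards (its definition is not visible here) this stops compiling elsewhere, and if it is defined everywhere the branch is simply unreachable there because `_authMode` stays CERTIFICATE. Either way a comment on the `else`, such as `/* PASSWORD mode: only reachable with BOARD_HAS_SECRET_KEY and a configured password */`, records why the branch exists on boards that can never take it.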
From: pennam Date: Tue, 28 Jan 2025 08:35:22 +0100 Subject: [PATCH 6/6] ArduinoIoTCloudTCP: reduce authMode variable scope --- src/ArduinoIoTCloudTCP.cpp | 8 ++++---- src/ArduinoIoTCloudTCP.h | 2 -- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/src/ArduinoIoTCloudTCP.cpp b/src/ArduinoIoTCloudTCP.cpp index fc8e8f6da..f3ca4c402 100644 --- a/src/ArduinoIoTCloudTCP.cpp +++ b/src/ArduinoIoTCloudTCP.cpp @@ -67,7 +67,6 @@ ArduinoIoTCloudTCP::ArduinoIoTCloudTCP() , _messageTopicIn("") , _dataTopicOut("") , _dataTopicIn("") -, _authMode(ArduinoIoTAuthenticationMode::CERTIFICATE) #if OTA_ENABLED , _ota(&_message_stream) , _get_ota_confirmation{nullptr} @@ -85,15 +84,16 @@ int ArduinoIoTCloudTCP::begin(ConnectionHandler & connection, bool const enable_ _connection = &connection; _brokerAddress = brokerAddress; + ArduinoIoTAuthenticationMode authMode = ArduinoIoTAuthenticationMode::CERTIFICATE; #if defined (BOARD_HAS_SECRET_KEY) /* If board supports and sketch is configured for username and password login */ if(_password.length()) { - _authMode = ArduinoIoTAuthenticationMode::PASSWORD; + authMode = ArduinoIoTAuthenticationMode::PASSWORD; } #endif /* Setup broker TLS client */ - _brokerClient.begin(connection, _authMode); + _brokerClient.begin(connection, authMode); #if OTA_ENABLED /* Setup OTA TLS client */ @@ -101,7 +101,7 @@ int ArduinoIoTCloudTCP::begin(ConnectionHandler & connection, bool const enable_ #endif /* If board is configured for certificate authentication and mTLS */ - if(_authMode == ArduinoIoTAuthenticationMode::CERTIFICATE) + if(authMode == ArduinoIoTAuthenticationMode::CERTIFICATE) { #if defined(BOARD_HAS_SECURE_ELEMENT) if (!_selement.begin()) diff --git a/src/ArduinoIoTCloudTCP.h b/src/ArduinoIoTCloudTCP.h index 810e633e9..7456a264d 100644 --- a/src/ArduinoIoTCloudTCP.h +++ b/src/ArduinoIoTCloudTCP.h 
@@ -162,8 +162,6 @@ class ArduinoIoTCloudTCP: public ArduinoIoTCloudClass String _dataTopicOut; String _dataTopicIn; - ArduinoIoTAuthenticationMode _authMode; - #if OTA_ENABLED TLSClientOta _otaClient; ArduinoCloudOTA _ota;