Ejemplo n.º 1
0
        public void SetDpsX509(string idScope, string registrationId, IdCertificates cert, string trustBundle)
        {
            if (!File.Exists(cert.CertificatePath))
            {
                throw new InvalidOperationException($"{cert.CertificatePath} does not exist");
            }

            if (!File.Exists(cert.KeyPath))
            {
                throw new InvalidOperationException($"{cert.KeyPath} does not exist");
            }

            if (!File.Exists(trustBundle))
            {
                throw new InvalidOperationException($"{trustBundle} does not exist");
            }

            this.SetBasicDpsParam(idScope);
            this.config[Service.Identityd].Document.ReplaceOrAdd("provisioning.attestation.method", "x509");
            this.config[Service.Identityd].Document.ReplaceOrAdd("provisioning.attestation.registration_id", registrationId);

            string certFileName = Path.GetFileName(cert.CertificatePath);
            string certName     = DaemonConfiguration.SanitizeName(certFileName);

            this.config[Service.Identityd].Document.ReplaceOrAdd("provisioning.attestation.identity_cert", certName);
            this.config[Service.Certd].Document.ReplaceOrAdd($"preloaded_certs.{certName}", "file://" + cert.CertificatePath);

            string keyFileName = Path.GetFileName(cert.KeyPath);
            string keyName     = DaemonConfiguration.SanitizeName(keyFileName);

            this.config[Service.Identityd].Document.ReplaceOrAdd("provisioning.attestation.identity_pk", keyName);
            this.config[Service.Keyd].Document.ReplaceOrAdd($"preloaded_keys.{keyName}", "file://" + cert.KeyPath);

            this.config[Service.Certd].Document.ReplaceOrAdd("preloaded_certs.iotedge-trust-bundle", "file://" + trustBundle);
        }
Ejemplo n.º 2
0
        public async Task DpsX509()
        {
            (string, string, string)rootCa =
                Context.Current.RootCaKeys.Expect(() => new InvalidOperationException("Missing root CA keys"));
            string caCertScriptPath =
                Context.Current.CaCertScriptPath.Expect(() => new InvalidOperationException("Missing CA cert script path"));
            string idScope        = Context.Current.DpsIdScope.Expect(() => new InvalidOperationException("Missing DPS ID scope"));
            string registrationId = DeviceId.Current.Generate();

            CancellationToken token = this.TestToken;

            CertificateAuthority ca = await CertificateAuthority.CreateAsync(
                registrationId,
                rootCa,
                caCertScriptPath,
                token);

            IdCertificates idCert = await ca.GenerateIdentityCertificatesAsync(registrationId, token);

            // The trust bundle for this test isn't used. It can be any arbitrary existing certificate.
            string trustBundle = Path.Combine(
                caCertScriptPath,
                "certs",
                "azure-iot-test-only.intermediate-full-chain.cert.pem");

            await this.daemon.ConfigureAsync(
                config =>
            {
                config.SetDpsX509(idScope, registrationId, idCert, trustBundle);
                config.Update();
                return(Task.FromResult((
                                           "with DPS X509 attestation for '{Identity}'",
                                           new object[] { registrationId })));
            },
                token);

            await this.daemon.WaitForStatusAsync(EdgeDaemonStatus.Running, token);

            var agent = new EdgeAgent(registrationId, this.iotHub);
            await agent.WaitForStatusAsync(EdgeModuleStatus.Running, token);

            await agent.PingAsync(token);

            Option <EdgeDevice> device = await EdgeDevice.GetIdentityAsync(
                registrationId,
                Context.Current.ParentDeviceId,
                this.iotHub,
                token,
                takeOwnership : true);

            Context.Current.DeleteList.TryAdd(
                registrationId,
                device.Expect(() => new InvalidOperationException(
                                  $"Device '{registrationId}' should have been created by DPS, but was not found in '{this.iotHub.Hostname}'")));
        }
Ejemplo n.º 3
0
        public void SetDpsX509(string idScope, string registrationId, IdCertificates cert)
        {
            Uri certUri = new Uri(cert.CertificatePath, UriKind.Absolute);
            Uri pKeyUri = new Uri(cert.KeyPath, UriKind.Absolute);

            this.SetBasicDpsParam(idScope);
            this.config.ReplaceOrAdd("provisioning.attestation.method", "x509");
            this.config.ReplaceOrAdd("provisioning.attestation.identity_cert", certUri.ToString());
            this.config.ReplaceOrAdd("provisioning.attestation.identity_pk", pKeyUri.ToString());
            this.config.ReplaceOrAdd("provisioning.attestation.registration_id", registrationId);
        }
Ejemplo n.º 4
0
        static async Task <LeafDevice> CreateWithCaCertAsync(
            string leafDeviceId,
            string parentId,
            CertificateAuthority ca,
            IotHub iotHub,
            ITransportSettings transport,
            string edgeHostname,
            CancellationToken token,
            ClientOptions options)
        {
            Device edge = await GetEdgeDeviceIdentityAsync(parentId, iotHub, token);

            Device leaf = new Device(leafDeviceId)
            {
                Authentication = new AuthenticationMechanism
                {
                    Type = AuthenticationType.CertificateAuthority
                },
                Scope = edge.Scope
            };

            leaf = await iotHub.CreateDeviceIdentityAsync(leaf, token);

            return(await DeleteIdentityIfFailedAsync(
                       leaf,
                       iotHub,
                       token,
                       async() =>
            {
                IdCertificates certFiles = await ca.GenerateIdentityCertificatesAsync(leafDeviceId, token);

                (X509Certificate2 leafCert, IEnumerable <X509Certificate2> trustedCerts) =
                    CertificateHelper.GetServerCertificateAndChainFromFile(certFiles.CertificatePath, certFiles.KeyPath);
                // .NET runtime requires that we install the chain of CA certs, otherwise it can't
                // provide them to a server during authentication.
                OsPlatform.Current.InstallTrustedCertificates(trustedCerts);

                return await CreateLeafDeviceAsync(
                    leaf,
                    () => DeviceClient.Create(
                        iotHub.Hostname,
                        edgeHostname,
                        new DeviceAuthenticationWithX509Certificate(leaf.Id, leafCert),
                        new[] { transport },
                        options),
                    iotHub,
                    token);
            }));
Ejemplo n.º 5
0
        public async Task DpsX509()
        {
            (string, string, string)rootCa =
                Context.Current.RootCaKeys.Expect(() => new InvalidOperationException("Missing DPS ID scope (check rootCaPrivateKeyPath in context.json)"));
            string caCertScriptPath =
                Context.Current.CaCertScriptPath.Expect(() => new InvalidOperationException("Missing CA cert script path (check caCertScriptPath in context.json)"));
            string idScope        = Context.Current.DpsIdScope.Expect(() => new InvalidOperationException("Missing DPS ID scope (check dpsIdScope in context.json)"));
            string registrationId = DeviceId.Current.Generate();

            CancellationToken token = this.TestToken;

            CertificateAuthority ca = await CertificateAuthority.CreateAsync(
                registrationId,
                rootCa,
                caCertScriptPath,
                token);

            IdCertificates idCert = await ca.GenerateIdentityCertificatesAsync(registrationId, token);

            (TestCertificates testCerts, _) = await TestCertificates.GenerateCertsAsync(registrationId, token);

            // Generated credentials need to be copied out of the script path because future runs
            // of the script will overwrite them.
            string path     = Path.Combine(FixedPaths.E2E_TEST_DIR, registrationId);
            string certPath = Path.Combine(path, "device_id_cert.pem");
            string keyPath  = Path.Combine(path, "device_id_cert_key.pem");

            Directory.CreateDirectory(path);
            File.Copy(idCert.CertificatePath, certPath);
            OsPlatform.Current.SetOwner(certPath, "aziotcs", "644");
            File.Copy(idCert.KeyPath, keyPath);
            OsPlatform.Current.SetOwner(keyPath, "aziotks", "600");

            await this.daemon.ConfigureAsync(
                config =>
            {
                testCerts.AddCertsToConfig(config);
                config.SetDpsX509(idScope, registrationId, certPath, keyPath);
                config.Update();
                return(Task.FromResult((
                                           "with DPS X509 attestation for '{Identity}'",
                                           new object[] { registrationId })));
            },
                token);

            await this.daemon.WaitForStatusAsync(EdgeDaemonStatus.Running, token);

            var agent = new EdgeAgent(registrationId, this.iotHub);
            await agent.WaitForStatusAsync(EdgeModuleStatus.Running, token);

            await agent.PingAsync(token);

            Option <EdgeDevice> device = await EdgeDevice.GetIdentityAsync(
                registrationId,
                this.iotHub,
                token,
                takeOwnership : true);

            Context.Current.DeleteList.TryAdd(
                registrationId,
                device.Expect(() => new InvalidOperationException(
                                  $"Device '{registrationId}' should have been created by DPS, but was not found in '{this.iotHub.Hostname}'")));
        }