async Task <(X509Thumbprint, IdCertificates)> CreateIdentityCertAsync(string deviceId, CancellationToken token)
{
(string, string, string)rootCa =
Context.Current.RootCaKeys.Expect(() => new InvalidOperationException("Missing root CA keys"));
string caCertScriptPath = Context.Current.CaCertScriptPath.Expect(
() => new InvalidOperationException("Missing CA cert script path"));
string idScope = Context.Current.DpsIdScope.Expect(
() => new InvalidOperationException("Missing DPS ID scope"));
CertificateAuthority ca = await CertificateAuthority.CreateAsync(
deviceId,
rootCa,
caCertScriptPath,
token);
var identityCerts = await ca.GenerateIdentityCertificatesAsync(deviceId, token);
X509Certificate2 deviceCert = new X509Certificate2(identityCerts.CertificatePath);
return(new X509Thumbprint()
{
PrimaryThumbprint = deviceCert.Thumbprint,
SecondaryThumbprint = deviceCert.Thumbprint
},
identityCerts);
}
public async Task DpsX509()
{
(string, string, string)rootCa =
Context.Current.RootCaKeys.Expect(() => new InvalidOperationException("Missing root CA keys"));
string caCertScriptPath =
Context.Current.CaCertScriptPath.Expect(() => new InvalidOperationException("Missing CA cert script path"));
string idScope = Context.Current.DpsIdScope.Expect(() => new InvalidOperationException("Missing DPS ID scope"));
string registrationId = DeviceId.Current.Generate();
CancellationToken token = this.TestToken;
CertificateAuthority ca = await CertificateAuthority.CreateAsync(
registrationId,
rootCa,
caCertScriptPath,
token);
IdCertificates idCert = await ca.GenerateIdentityCertificatesAsync(registrationId, token);
// The trust bundle for this test isn't used. It can be any arbitrary existing certificate.
string trustBundle = Path.Combine(
caCertScriptPath,
"certs",
"azure-iot-test-only.intermediate-full-chain.cert.pem");
await this.daemon.ConfigureAsync(
config =>
{
config.SetDpsX509(idScope, registrationId, idCert, trustBundle);
config.Update();
return(Task.FromResult((
"with DPS X509 attestation for '{Identity}'",
new object[] { registrationId })));
},
token);
await this.daemon.WaitForStatusAsync(EdgeDaemonStatus.Running, token);
var agent = new EdgeAgent(registrationId, this.iotHub);
await agent.WaitForStatusAsync(EdgeModuleStatus.Running, token);
await agent.PingAsync(token);
Option <EdgeDevice> device = await EdgeDevice.GetIdentityAsync(
registrationId,
Context.Current.ParentDeviceId,
this.iotHub,
token,
takeOwnership : true);
Context.Current.DeleteList.TryAdd(
registrationId,
device.Expect(() => new InvalidOperationException(
$"Device '{registrationId}' should have been created by DPS, but was not found in '{this.iotHub.Hostname}'")));
}
static async Task <LeafDevice> CreateWithCaCertAsync(
string leafDeviceId,
string parentId,
CertificateAuthority ca,
IotHub iotHub,
ITransportSettings transport,
string edgeHostname,
CancellationToken token,
ClientOptions options)
{
Device edge = await GetEdgeDeviceIdentityAsync(parentId, iotHub, token);
Device leaf = new Device(leafDeviceId)
{
Authentication = new AuthenticationMechanism
{
Type = AuthenticationType.CertificateAuthority
},
Scope = edge.Scope
};
leaf = await iotHub.CreateDeviceIdentityAsync(leaf, token);
return(await DeleteIdentityIfFailedAsync(
leaf,
iotHub,
token,
async() =>
{
IdCertificates certFiles = await ca.GenerateIdentityCertificatesAsync(leafDeviceId, token);
(X509Certificate2 leafCert, IEnumerable <X509Certificate2> trustedCerts) =
CertificateHelper.GetServerCertificateAndChainFromFile(certFiles.CertificatePath, certFiles.KeyPath);
// .NET runtime requires that we install the chain of CA certs, otherwise it can't
// provide them to a server during authentication.
OsPlatform.Current.InstallTrustedCertificates(trustedCerts);
return await CreateLeafDeviceAsync(
leaf,
() => DeviceClient.Create(
iotHub.Hostname,
edgeHostname,
new DeviceAuthenticationWithX509Certificate(leaf.Id, leafCert),
new[] { transport },
options),
iotHub,
token);
}));
async Task <(X509Thumbprint, string, string)> CreateIdentityCertAsync(string deviceId, CancellationToken token)
{
(string, string, string)rootCa =
Context.Current.RootCaKeys.Expect(() => new InvalidOperationException("Missing root CA keys"));
string caCertScriptPath = Context.Current.CaCertScriptPath.Expect(
() => new InvalidOperationException("Missing CA cert script path"));
string idScope = Context.Current.DpsIdScope.Expect(
() => new InvalidOperationException("Missing DPS ID scope"));
CertificateAuthority ca = await CertificateAuthority.CreateAsync(
deviceId,
rootCa,
caCertScriptPath,
token);
var identityCerts = await ca.GenerateIdentityCertificatesAsync(deviceId, token);
// Generated credentials need to be copied out of the script path because future runs
// of the script will overwrite them.
string path = $"/etc/aziot/e2e_tests/{deviceId}";
string certPath = $"{path}/device_id_cert.pem";
string keyPath = $"{path}/device_id_cert_key.pem";
Directory.CreateDirectory(path);
File.Copy(identityCerts.CertificatePath, certPath);
OsPlatform.Current.SetOwner(certPath, "aziotcs", "644");
File.Copy(identityCerts.KeyPath, keyPath);
OsPlatform.Current.SetOwner(keyPath, "aziotks", "600");
X509Certificate2 deviceCert = new X509Certificate2(identityCerts.CertificatePath);
return(new X509Thumbprint()
{
PrimaryThumbprint = deviceCert.Thumbprint,
SecondaryThumbprint = deviceCert.Thumbprint
},
certPath,
keyPath);
}
public async Task DpsX509()
{
(string, string, string)rootCa =
Context.Current.RootCaKeys.Expect(() => new InvalidOperationException("Missing DPS ID scope (check rootCaPrivateKeyPath in context.json)"));
string caCertScriptPath =
Context.Current.CaCertScriptPath.Expect(() => new InvalidOperationException("Missing CA cert script path (check caCertScriptPath in context.json)"));
string idScope = Context.Current.DpsIdScope.Expect(() => new InvalidOperationException("Missing DPS ID scope (check dpsIdScope in context.json)"));
string registrationId = DeviceId.Current.Generate();
CancellationToken token = this.TestToken;
CertificateAuthority ca = await CertificateAuthority.CreateAsync(
registrationId,
rootCa,
caCertScriptPath,
token);
IdCertificates idCert = await ca.GenerateIdentityCertificatesAsync(registrationId, token);
(TestCertificates testCerts, _) = await TestCertificates.GenerateCertsAsync(registrationId, token);
// Generated credentials need to be copied out of the script path because future runs
// of the script will overwrite them.
string path = Path.Combine(FixedPaths.E2E_TEST_DIR, registrationId);
string certPath = Path.Combine(path, "device_id_cert.pem");
string keyPath = Path.Combine(path, "device_id_cert_key.pem");
Directory.CreateDirectory(path);
File.Copy(idCert.CertificatePath, certPath);
OsPlatform.Current.SetOwner(certPath, "aziotcs", "644");
File.Copy(idCert.KeyPath, keyPath);
OsPlatform.Current.SetOwner(keyPath, "aziotks", "600");
await this.daemon.ConfigureAsync(
config =>
{
testCerts.AddCertsToConfig(config);
config.SetDpsX509(idScope, registrationId, certPath, keyPath);
config.Update();
return(Task.FromResult((
"with DPS X509 attestation for '{Identity}'",
new object[] { registrationId })));
},
token);
await this.daemon.WaitForStatusAsync(EdgeDaemonStatus.Running, token);
var agent = new EdgeAgent(registrationId, this.iotHub);
await agent.WaitForStatusAsync(EdgeModuleStatus.Running, token);
await agent.PingAsync(token);
Option <EdgeDevice> device = await EdgeDevice.GetIdentityAsync(
registrationId,
this.iotHub,
token,
takeOwnership : true);
Context.Current.DeleteList.TryAdd(
registrationId,
device.Expect(() => new InvalidOperationException(
$"Device '{registrationId}' should have been created by DPS, but was not found in '{this.iotHub.Hostname}'")));
}
