private async Task TestInvalidServiceCertificate(ProvisioningTransportHandler transport) { string certificateSubject = $"E2E_{nameof(ProvisioningCertificateValidationE2ETest)}-{Guid.NewGuid()}"; X509Certificate2Helper.GenerateSelfSignedCertificateFiles(certificateSubject, s_x509CertificatesFolder, Logger); using X509Certificate2 cert = X509Certificate2Helper.CreateX509Certificate2FromPfxFile(certificateSubject, s_x509CertificatesFolder); using var security = new SecurityProviderX509Certificate(cert); var provisioningDeviceClient = ProvisioningDeviceClient.Create( TestConfiguration.Provisioning.GlobalDeviceEndpointInvalidServiceCertificate, "0ne00000001", security, transport); await provisioningDeviceClient.RegisterAsync().ConfigureAwait(false); }
private async Task<SecurityProvider> CreateSecurityProviderFromNameAsync( AttestationMechanismType attestationType, EnrollmentType? enrollmentType, string groupId, ReprovisionPolicy reprovisionPolicy, AllocationPolicy allocationPolicy, CustomAllocationDefinition customAllocationDefinition, ICollection<string> iothubs, DeviceCapabilities capabilities = null) { _verboseLog.WriteLine($"{nameof(CreateSecurityProviderFromNameAsync)}({attestationType})"); string registrationId = AttestationTypeToString(attestationType) + "-" + Guid.NewGuid(); using var provisioningServiceClient = ProvisioningServiceClient.CreateFromConnectionString(TestConfiguration.Provisioning.ConnectionString); switch (attestationType) { case AttestationMechanismType.Tpm: IndividualEnrollment tpmEnrollment = await CreateIndividualEnrollmentAsync( provisioningServiceClient, registrationId, AttestationMechanismType.Tpm, null, reprovisionPolicy, allocationPolicy, customAllocationDefinition, iothubs, capabilities, Logger).ConfigureAwait(false); return new SecurityProviderTpmSimulator(tpmEnrollment.RegistrationId); case AttestationMechanismType.X509: X509Certificate2 certificate = null; X509Certificate2Collection collection = null; switch (enrollmentType) { case EnrollmentType.Individual: X509Certificate2Helper.GenerateSelfSignedCertificateFiles(registrationId, s_x509CertificatesFolder, Logger); #pragma warning disable CA2000 // Dispose objects before losing scope // This certificate is used for authentication with IoT hub and is returned to the caller of this method. // It is disposed when the caller to this method is disposed, at the end of the test method. certificate = X509Certificate2Helper.CreateX509Certificate2FromPfxFile(registrationId, s_x509CertificatesFolder); #pragma warning restore CA2000 // Dispose objects before losing scope using (X509Certificate2 publicCertificate = X509Certificate2Helper.CreateX509Certificate2FromCerFile(registrationId, s_x509CertificatesFolder)) { IndividualEnrollment x509IndividualEnrollment = await CreateIndividualEnrollmentAsync( provisioningServiceClient, registrationId, AttestationMechanismType.X509, publicCertificate, reprovisionPolicy, allocationPolicy, customAllocationDefinition, iothubs, capabilities, Logger).ConfigureAwait(false); x509IndividualEnrollment.Attestation.Should().BeAssignableTo<X509Attestation>(); } break; case EnrollmentType.Group: // The X509 enrollment group has been hardcoded for the purpose of E2E tests and the root certificate has been verified on DPS. // Each device identity provisioning through the above enrollment group is created on-demand. X509Certificate2Helper.GenerateIntermediateCertificateSignedCertificateFiles( registrationId, s_intermediateCertificateSubject, s_x509CertificatesFolder, Logger); #pragma warning disable CA2000 // Dispose objects before losing scope // This certificate is used for authentication with IoT hub and is returned to the caller of this method. // It is disposed when the caller to this method is disposed, at the end of the test method. certificate = X509Certificate2Helper.CreateX509Certificate2FromPfxFile(registrationId, s_x509CertificatesFolder); #pragma warning restore CA2000 // Dispose objects before losing scope collection = new X509Certificate2Collection { TestConfiguration.CommonCertificates.GetRootCaCertificate(), TestConfiguration.CommonCertificates.GetIntermediate1Certificate(), TestConfiguration.CommonCertificates.GetIntermediate2Certificate(), X509Certificate2Helper.CreateX509Certificate2FromCerFile(registrationId, s_x509CertificatesFolder) }; break; default: throw new NotSupportedException($"Unknown X509 type: '{enrollmentType}'"); } return new SecurityProviderX509Certificate(certificate, collection); case AttestationMechanismType.SymmetricKey: switch (enrollmentType) { case EnrollmentType.Group: EnrollmentGroup symmetricKeyEnrollmentGroup = await CreateEnrollmentGroupAsync( provisioningServiceClient, AttestationMechanismType.SymmetricKey, groupId, reprovisionPolicy, allocationPolicy, customAllocationDefinition, iothubs, capabilities, Logger) .ConfigureAwait(false); Assert.IsTrue(symmetricKeyEnrollmentGroup.Attestation is SymmetricKeyAttestation); var symmetricKeyAttestation = (SymmetricKeyAttestation)symmetricKeyEnrollmentGroup.Attestation; string registrationIdSymmetricKey = _idPrefix + Guid.NewGuid(); string primaryKeyEnrollmentGroup = symmetricKeyAttestation.PrimaryKey; string secondaryKeyEnrollmentGroup = symmetricKeyAttestation.SecondaryKey; string primaryKeyIndividual = ComputeDerivedSymmetricKey(Convert.FromBase64String(primaryKeyEnrollmentGroup), registrationIdSymmetricKey); string secondaryKeyIndividual = ComputeDerivedSymmetricKey(Convert.FromBase64String(secondaryKeyEnrollmentGroup), registrationIdSymmetricKey); return new SecurityProviderSymmetricKey(registrationIdSymmetricKey, primaryKeyIndividual, secondaryKeyIndividual); case EnrollmentType.Individual: IndividualEnrollment symmetricKeyEnrollment = await CreateIndividualEnrollmentAsync( provisioningServiceClient, registrationId, AttestationMechanismType.SymmetricKey, null, reprovisionPolicy, allocationPolicy, customAllocationDefinition, iothubs, capabilities, Logger).ConfigureAwait(false); Assert.IsTrue(symmetricKeyEnrollment.Attestation is SymmetricKeyAttestation); symmetricKeyAttestation = (SymmetricKeyAttestation)symmetricKeyEnrollment.Attestation; registrationIdSymmetricKey = symmetricKeyEnrollment.RegistrationId; string primaryKey = symmetricKeyAttestation.PrimaryKey; string secondaryKey = symmetricKeyAttestation.SecondaryKey; return new SecurityProviderSymmetricKey(registrationIdSymmetricKey, primaryKey, secondaryKey); default: throw new NotSupportedException("Unrecognized enrollment type"); } default: throw new NotSupportedException("Unrecognized attestation type"); } throw new NotSupportedException($"Unknown security type: '{attestationType}'."); }