public void SetDpsX509(string idScope, string registrationId, IdCertificates cert, string trustBundle)
{
if (!File.Exists(cert.CertificatePath))
{
throw new InvalidOperationException($"{cert.CertificatePath} does not exist");
}
if (!File.Exists(cert.KeyPath))
{
throw new InvalidOperationException($"{cert.KeyPath} does not exist");
}
if (!File.Exists(trustBundle))
{
throw new InvalidOperationException($"{trustBundle} does not exist");
}
this.SetBasicDpsParam(idScope);
this.config[Service.Identityd].Document.ReplaceOrAdd("provisioning.attestation.method", "x509");
this.config[Service.Identityd].Document.ReplaceOrAdd("provisioning.attestation.registration_id", registrationId);
string certFileName = Path.GetFileName(cert.CertificatePath);
string certName = DaemonConfiguration.SanitizeName(certFileName);
this.config[Service.Identityd].Document.ReplaceOrAdd("provisioning.attestation.identity_cert", certName);
this.config[Service.Certd].Document.ReplaceOrAdd($"preloaded_certs.{certName}", "file://" + cert.CertificatePath);
string keyFileName = Path.GetFileName(cert.KeyPath);
string keyName = DaemonConfiguration.SanitizeName(keyFileName);
this.config[Service.Identityd].Document.ReplaceOrAdd("provisioning.attestation.identity_pk", keyName);
this.config[Service.Keyd].Document.ReplaceOrAdd($"preloaded_keys.{keyName}", "file://" + cert.KeyPath);
this.config[Service.Certd].Document.ReplaceOrAdd("preloaded_certs.iotedge-trust-bundle", "file://" + trustBundle);
}
public async Task DpsX509()
{
(string, string, string)rootCa =
Context.Current.RootCaKeys.Expect(() => new InvalidOperationException("Missing root CA keys"));
string caCertScriptPath =
Context.Current.CaCertScriptPath.Expect(() => new InvalidOperationException("Missing CA cert script path"));
string idScope = Context.Current.DpsIdScope.Expect(() => new InvalidOperationException("Missing DPS ID scope"));
string registrationId = DeviceId.Current.Generate();
CancellationToken token = this.TestToken;
CertificateAuthority ca = await CertificateAuthority.CreateAsync(
registrationId,
rootCa,
caCertScriptPath,
token);
IdCertificates idCert = await ca.GenerateIdentityCertificatesAsync(registrationId, token);
// The trust bundle for this test isn't used. It can be any arbitrary existing certificate.
string trustBundle = Path.Combine(
caCertScriptPath,
"certs",
"azure-iot-test-only.intermediate-full-chain.cert.pem");
await this.daemon.ConfigureAsync(
config =>
{
config.SetDpsX509(idScope, registrationId, idCert, trustBundle);
config.Update();
return(Task.FromResult((
"with DPS X509 attestation for '{Identity}'",
new object[] { registrationId })));
},
token);
await this.daemon.WaitForStatusAsync(EdgeDaemonStatus.Running, token);
var agent = new EdgeAgent(registrationId, this.iotHub);
await agent.WaitForStatusAsync(EdgeModuleStatus.Running, token);
await agent.PingAsync(token);
Option <EdgeDevice> device = await EdgeDevice.GetIdentityAsync(
registrationId,
Context.Current.ParentDeviceId,
this.iotHub,
token,
takeOwnership : true);
Context.Current.DeleteList.TryAdd(
registrationId,
device.Expect(() => new InvalidOperationException(
$"Device '{registrationId}' should have been created by DPS, but was not found in '{this.iotHub.Hostname}'")));
}
public void SetDpsX509(string idScope, string registrationId, IdCertificates cert)
{
Uri certUri = new Uri(cert.CertificatePath, UriKind.Absolute);
Uri pKeyUri = new Uri(cert.KeyPath, UriKind.Absolute);
this.SetBasicDpsParam(idScope);
this.config.ReplaceOrAdd("provisioning.attestation.method", "x509");
this.config.ReplaceOrAdd("provisioning.attestation.identity_cert", certUri.ToString());
this.config.ReplaceOrAdd("provisioning.attestation.identity_pk", pKeyUri.ToString());
this.config.ReplaceOrAdd("provisioning.attestation.registration_id", registrationId);
}
static async Task <LeafDevice> CreateWithCaCertAsync(
string leafDeviceId,
string parentId,
CertificateAuthority ca,
IotHub iotHub,
ITransportSettings transport,
string edgeHostname,
CancellationToken token,
ClientOptions options)
{
Device edge = await GetEdgeDeviceIdentityAsync(parentId, iotHub, token);
Device leaf = new Device(leafDeviceId)
{
Authentication = new AuthenticationMechanism
{
Type = AuthenticationType.CertificateAuthority
},
Scope = edge.Scope
};
leaf = await iotHub.CreateDeviceIdentityAsync(leaf, token);
return(await DeleteIdentityIfFailedAsync(
leaf,
iotHub,
token,
async() =>
{
IdCertificates certFiles = await ca.GenerateIdentityCertificatesAsync(leafDeviceId, token);
(X509Certificate2 leafCert, IEnumerable <X509Certificate2> trustedCerts) =
CertificateHelper.GetServerCertificateAndChainFromFile(certFiles.CertificatePath, certFiles.KeyPath);
// .NET runtime requires that we install the chain of CA certs, otherwise it can't
// provide them to a server during authentication.
OsPlatform.Current.InstallTrustedCertificates(trustedCerts);
return await CreateLeafDeviceAsync(
leaf,
() => DeviceClient.Create(
iotHub.Hostname,
edgeHostname,
new DeviceAuthenticationWithX509Certificate(leaf.Id, leafCert),
new[] { transport },
options),
iotHub,
token);
}));
public async Task DpsX509()
{
(string, string, string)rootCa =
Context.Current.RootCaKeys.Expect(() => new InvalidOperationException("Missing DPS ID scope (check rootCaPrivateKeyPath in context.json)"));
string caCertScriptPath =
Context.Current.CaCertScriptPath.Expect(() => new InvalidOperationException("Missing CA cert script path (check caCertScriptPath in context.json)"));
string idScope = Context.Current.DpsIdScope.Expect(() => new InvalidOperationException("Missing DPS ID scope (check dpsIdScope in context.json)"));
string registrationId = DeviceId.Current.Generate();
CancellationToken token = this.TestToken;
CertificateAuthority ca = await CertificateAuthority.CreateAsync(
registrationId,
rootCa,
caCertScriptPath,
token);
IdCertificates idCert = await ca.GenerateIdentityCertificatesAsync(registrationId, token);
(TestCertificates testCerts, _) = await TestCertificates.GenerateCertsAsync(registrationId, token);
// Generated credentials need to be copied out of the script path because future runs
// of the script will overwrite them.
string path = Path.Combine(FixedPaths.E2E_TEST_DIR, registrationId);
string certPath = Path.Combine(path, "device_id_cert.pem");
string keyPath = Path.Combine(path, "device_id_cert_key.pem");
Directory.CreateDirectory(path);
File.Copy(idCert.CertificatePath, certPath);
OsPlatform.Current.SetOwner(certPath, "aziotcs", "644");
File.Copy(idCert.KeyPath, keyPath);
OsPlatform.Current.SetOwner(keyPath, "aziotks", "600");
await this.daemon.ConfigureAsync(
config =>
{
testCerts.AddCertsToConfig(config);
config.SetDpsX509(idScope, registrationId, certPath, keyPath);
config.Update();
return(Task.FromResult((
"with DPS X509 attestation for '{Identity}'",
new object[] { registrationId })));
},
token);
await this.daemon.WaitForStatusAsync(EdgeDaemonStatus.Running, token);
var agent = new EdgeAgent(registrationId, this.iotHub);
await agent.WaitForStatusAsync(EdgeModuleStatus.Running, token);
await agent.PingAsync(token);
Option <EdgeDevice> device = await EdgeDevice.GetIdentityAsync(
registrationId,
this.iotHub,
token,
takeOwnership : true);
Context.Current.DeleteList.TryAdd(
registrationId,
device.Expect(() => new InvalidOperationException(
$"Device '{registrationId}' should have been created by DPS, but was not found in '{this.iotHub.Hostname}'")));
}