 /// <summary>
 /// Initializes a new instance of the <see cref="DeviceAuthenticationWithTpm"/> class using the default
 /// token time to live of 1 hour and the default renewal buffer of 15 percent.
 /// </summary>
 /// <remarks>
 /// The instance created here is disposed together with the device client it is attached to.
 /// To keep one authentication method alive across several client lifetimes, call
 /// <see cref="DeviceAuthenticationWithTpm(string, SecurityProviderTpm, int, int, bool)"/> with <c>disposeWithClient</c> set to <c>false</c>.
 /// </remarks>
 /// <param name="deviceId">Device identifier.</param>
 /// <param name="securityProvider">Security provider backed by a TPM hardware security module.</param>
 /// <exception cref="ArgumentNullException"><paramref name="securityProvider"/> is <c>null</c>.</exception>
 public DeviceAuthenticationWithTpm(
     string deviceId,
     SecurityProviderTpm securityProvider)
     : base(deviceId)
 {
     // Reject a missing provider up front: without it no token can ever be signed.
     if (securityProvider is null)
     {
         throw new ArgumentNullException(nameof(securityProvider));
     }

     _securityProvider = securityProvider;
 }
 /// <summary>
 /// Initializes a new instance of the <see cref="DeviceAuthenticationWithTpm"/> class with an explicit
 /// token time to live and renewal buffer.
 /// </summary>
 /// <param name="deviceId">Device identifier.</param>
 /// <param name="securityProvider">Security provider backed by a TPM hardware security module.</param>
 /// <param name="suggestedTimeToLiveSeconds">Suggested token time to live, in seconds.</param>
 /// <param name="timeBufferPercentage">Share of the time to live, as a percentage, reserved for proactive renewal before the token expires.</param>
 /// <exception cref="ArgumentNullException"><paramref name="securityProvider"/> is <c>null</c>.</exception>
 public DeviceAuthenticationWithTpm(
     string deviceId,
     SecurityProviderTpm securityProvider,
     int suggestedTimeToLiveSeconds,
     int timeBufferPercentage)
     : base(deviceId, suggestedTimeToLiveSeconds, timeBufferPercentage)
 {
     // Reject a missing provider up front: without it no token can ever be signed.
     if (securityProvider is null)
     {
         throw new ArgumentNullException(nameof(securityProvider));
     }

     _securityProvider = securityProvider;
 }
 /// <summary>
 /// Initializes a new instance of the <see cref="DeviceAuthenticationWithTpm"/> class.
 /// </summary>
 /// <remarks>
 /// Forwards to <see cref="DeviceAuthenticationWithTpm(string, SecurityProviderTpm, int, int, bool)"/> with
 /// <c>disposeWithClient</c> set to <c>true</c>, so the instance is disposed together with its device client.
 /// </remarks>
 /// <param name="deviceId">Device identifier.</param>
 /// <param name="securityProvider">Security provider backed by a TPM hardware security module.</param>
 /// <param name="suggestedTimeToLiveSeconds">Suggested token time to live, in seconds.</param>
 /// <param name="timeBufferPercentage">Share of the time to live, as a percentage, reserved for proactive renewal before the token expires.
 /// For example, a value of 15 renews the SAS token once 85% of its lifetime has elapsed.</param>
 public DeviceAuthenticationWithTpm(
     string deviceId,
     SecurityProviderTpm securityProvider,
     int suggestedTimeToLiveSeconds,
     int timeBufferPercentage) : this(
         deviceId,
         securityProvider,
         suggestedTimeToLiveSeconds,
         timeBufferPercentage,
         true) // disposeWithClient
 {
 }
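        /// <summary>
        /// Initializes a new instance of the <see cref="SaslTpmHandler"/> class and selects the TPM SASL mechanism.
        /// </summary>
        /// <param name="endorsementKey">Endorsement key bytes of the TPM.</param>
        /// <param name="storageRootKey">Storage root key bytes of the TPM.</param>
        /// <param name="idScope">Provisioning ID scope; must not be empty or whitespace.</param>
        /// <param name="security">TPM-backed security provider used by this handler.</param>
        /// <exception cref="ArgumentNullException">
        /// <paramref name="endorsementKey"/>, <paramref name="storageRootKey"/> or <paramref name="security"/> is <c>null</c>.
        /// </exception>
        /// <exception cref="ArgumentException"><paramref name="idScope"/> is <c>null</c>, empty or whitespace.</exception>
        public SaslTpmHandler(
            byte[] endorsementKey,
            byte[] storageRootKey,
            string idScope,
            SecurityProviderTpm security)
        {
            // Debug.Assert is compiled out of Release builds, so validate with exceptions instead;
            // otherwise a null key or provider would be stored silently and only fail later in the handshake.
            if (endorsementKey is null)
            {
                throw new ArgumentNullException(nameof(endorsementKey));
            }

            if (storageRootKey is null)
            {
                throw new ArgumentNullException(nameof(storageRootKey));
            }

            if (string.IsNullOrWhiteSpace(idScope))
            {
                throw new ArgumentException("The ID scope must not be null, empty or whitespace.", nameof(idScope));
            }

            if (security is null)
            {
                throw new ArgumentNullException(nameof(security));
            }

            Mechanism       = MechanismName;
            _endorsementKey = endorsementKey;
            _storageRootKey = storageRootKey;
            _idScope        = idScope;
            _security       = security;
        }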
        /// <summary>
        /// Builds a shared access signature whose signature is produced by the TPM-backed security provider.
        /// </summary>
        /// <param name="securityProvider">Provider that signs the string-to-sign; the signing key never has to leave it.</param>
        /// <param name="keyName">Optional key name appended as <c>skn</c>; omitted when null or empty.</param>
        /// <param name="target">Audience of the token (URL-encoded into <c>sr</c>).</param>
        /// <param name="timeToLive">How long the token should remain valid.</param>
        /// <returns>The <c>SharedAccessSignature sr=...&amp;sig=...&amp;se=...[&amp;skn=...]</c> string.</returns>
        private static string BuildSasSignature(SecurityProviderTpm securityProvider, string keyName, string target, TimeSpan timeToLive)
        {
            string expiresOn = BuildExpiresOn(timeToLive);
            string audience  = WebUtility.UrlEncode(target);

            // String to be signed is "<encoded audience>\n<expiresOn>", for example:
            // dh://myiothub.azure-devices-provisioning.net/a/b/c?myvalue1=a
            // <Value for ExpiresOn>
            string stringToSign = audience + "\n" + expiresOn;
            byte[] rawSignature = securityProvider.Sign(Encoding.UTF8.GetBytes(stringToSign));
            string signature    = Convert.ToBase64String(rawSignature);

            // Resulting token, for example:
            // SharedAccessSignature sr=ENCODED(dh://myiothub.azure-devices.net/a/b/c?myvalue1=a)&sig=<Signature>&se=<ExpiresOnValue>[&skn=<KeyName>]
            var token = new StringBuilder("SharedAccessSignature ");
            token.Append("sr=").Append(audience)
                 .Append("&sig=").Append(WebUtility.UrlEncode(signature))
                 .Append("&se=").Append(WebUtility.UrlEncode(expiresOn));

            // The key name is optional; only emit the skn field when one was supplied.
            if (!string.IsNullOrEmpty(keyName))
            {
                token.Append("&skn=").Append(WebUtility.UrlEncode(keyName));
            }

            return token.ToString();
        }
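 /// <summary>
 /// Initializes a new instance of the <see cref="TpmSharedAccessSignatureBuilder"/> class.
 /// </summary>
 /// <param name="securityProvider">TPM-backed security provider used to sign the tokens this builder produces.</param>
 /// <exception cref="ArgumentNullException"><paramref name="securityProvider"/> is <c>null</c>.</exception>
 public TpmSharedAccessSignatureBuilder(SecurityProviderTpm securityProvider)
 {
     // Fail at construction rather than with a NullReferenceException on the first signing call.
     _securityProvider = securityProvider ?? throw new ArgumentNullException(nameof(securityProvider));
 }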
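 /// <summary>
 /// Initializes a new instance of the <see cref="AmqpAuthStrategyTpm"/> class.
 /// </summary>
 /// <param name="security">TPM-backed security provider this strategy authenticates with.</param>
 /// <exception cref="ArgumentNullException"><paramref name="security"/> is <c>null</c>.</exception>
 public AmqpAuthStrategyTpm(SecurityProviderTpm security)
 {
     // Fail at construction rather than with a NullReferenceException during the AMQP handshake.
     _security = security ?? throw new ArgumentNullException(nameof(security));
 }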
 /// <summary>
 /// Applies the identity key activation to the TPM provider and then builds the SAS token for the given host.
 /// </summary>
 /// <param name="securityProvider">TPM-backed security provider that signs the token.</param>
 /// <param name="hostName">Host name used as the signature target (token audience).</param>
 /// <param name="activation">Activation blob to apply to the TPM identity key before signing.</param>
 /// <returns>A shared access signature string for <paramref name="hostName"/>.</returns>
 internal static string ExtractServiceAuthKey(SecurityProviderTpm securityProvider, string hostName, byte[] activation)
 {
     // The activation must be applied first; the token below is signed with the activated identity key.
     securityProvider.ActivateIdentityKey(activation);

     string sasToken = BuildSasSignature(securityProvider, KeyName, hostName, TimeToLive);
     return sasToken;
 }
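 /// <summary>
 /// Initializes a new instance of the <see cref="TpmDelegatingHandler"/> class.
 /// </summary>
 /// <param name="securityProvider">TPM-backed security provider used by this handler.</param>
 /// <exception cref="ArgumentNullException"><paramref name="securityProvider"/> is <c>null</c>.</exception>
 public TpmDelegatingHandler(SecurityProviderTpm securityProvider)
 {
     // Fail at construction rather than with a NullReferenceException on the first request.
     _securityProvider = securityProvider ?? throw new ArgumentNullException(nameof(securityProvider));
 }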
        /// <summary>
        /// Runs the sample end to end: creates a TPM security provider (simulator or local TPM), registers the
        /// device with the provisioning service, then authenticates to the assigned hub and sends one message.
        /// </summary>
        /// <returns>A task that completes when the sample has finished or exited early.</returns>
        public async Task RunSampleAsync()
        {
            SecurityProviderTpm security = null;

            try
            {
                security = CreateSecurityProvider();

                Console.WriteLine("Initializing the device provisioning client...");

                using var transport = GetTransportHandler();
                var provClient = ProvisioningDeviceClient.Create(
                    _parameters.GlobalDeviceEndpoint,
                    _parameters.IdScope,
                    security,
                    transport);

                Console.WriteLine($"Initialized for registration Id {security.GetRegistrationID()}.");

                Console.WriteLine("Registering with the device provisioning service... ");
                DeviceRegistrationResult result = await provClient.RegisterAsync();

                Console.WriteLine($"Registration status: {result.Status}.");
                if (result.Status != ProvisioningRegistrationStatusType.Assigned)
                {
                    // Nothing to talk to; the finally block still releases the provider and simulator.
                    Console.WriteLine("Registration status did not assign a hub, so exiting this sample.");
                    return;
                }

                Console.WriteLine($"Device {result.DeviceId} registered to {result.AssignedHub}.");

                Console.WriteLine("Creating TPM authentication for IoT Hub...");
                IAuthenticationMethod auth = new DeviceAuthenticationWithTpm(result.DeviceId, security);

                Console.WriteLine("Testing the provisioned device with IoT Hub...");
                using DeviceClient iotClient = DeviceClient.Create(result.AssignedHub, auth, _parameters.TransportType);

                Console.WriteLine("Sending a telemetry message...");
                using var message = new Message(Encoding.UTF8.GetBytes("TestMessage"));
                await iotClient.SendEventAsync(message);
            }
            finally
            {
                // Always tear down the simulator process and release the provider, even on an early return or failure.
                if (_parameters.UseTpmSimulator)
                {
                    SecurityProviderTpmSimulator.StopSimulatorProcess();
                }

                security?.Dispose();
            }

            Console.WriteLine("Finished.");

            // Chooses between the TPM simulator and the local TPM HSM based on the sample parameters.
            SecurityProviderTpm CreateSecurityProvider()
            {
                if (_parameters.UseTpmSimulator)
                {
                    Console.WriteLine("Starting TPM simulator...");
                    SecurityProviderTpmSimulator.StartSimulatorProcess();
                    return new SecurityProviderTpmSimulator(_parameters.RegistrationId);
                }

                Console.WriteLine("Initializing security using the local TPM...");
                return new SecurityProviderTpmHsm(_parameters.RegistrationId);
            }
        }