weixin_39758048
2020-12-28 22:13

X509 device provisioning with group enrollment

Hey guys,

I'm trying to provision an X509 device to IoT Hub DPS using the IoT C SDK and group enrollment. I used some information from this doc. For the group enrollment, as I'm using the C SDK, I need to use a custom HSM (the Java, C# and Python SDKs provide APIs to add custom certificates).

Workflow:

1) I generated the cert chain (root, intermediate and device certificates), using as deviceId the id of the device that I want to see in the IoT hub after registration. It was done using the script provided in the C SDK (certGen.sh) with these instructions.
2) Upload and verification of the root certificate to the DPS linked to the right IoT hub.
3) I created in DPS the group enrollment with the following params:

IoT edge device : false
Certificate type : CA certificate
Primary certificate : the root certificate uploaded just before
IoT hub : the correct one

4) On the device I want to provision, build the custom HSM by updating the following fields:


static const char* const COMMON_NAME = "custom-hsm-example";
static const char* const CERTIFICATE = "-----BEGIN CERTIFICATE-----""\n"
"BASE64 Encoded certificate Here""\n"
"-----END CERTIFICATE-----";
static const char* const PRIVATE_KEY = "-----BEGIN PRIVATE KEY-----""\n"
"BASE64 Encoded certificate Here""\n"
"-----END PRIVATE KEY-----";

where:
- COMMON_NAME : the deviceId used in step 1)
- CERTIFICATE : content of ./certs/new-device.cert.pem
- PRIVATE_KEY : content of ./private/new-device.key.pem

5) Update in prov_dev_client_sample the id scope using the value from "overview" in DPS.
6) Rebuild the SDK and link with the custom HSM lib.
7) Run the provisioning sample (the custom HSM is correctly called according to the custom logs I added, see below).

Output :


run the provisioning sample...
Provisioning API Version: 1.3.5
Not using proxy
custom_hsm_get_common_name
custom_hsm_get_certificate
custom_hsm_get_key

Registering Device

-> 10:26:25 CONNECT | VER: 4 | KEEPALIVE: 0 | FLAGS: 130 | USERNAME: SCOPE_ID/registrations/REGISTRATION_ID/api-version=2019-03-31&ClientVersion=1.3.5 | CLEAN: 1

Additional information:
- For testing purposes, the device is an Ubuntu 16.04 VM using the latest version of the SDK.
- I did try to use the intermediate certificate instead of the root on the custom HSM side as suggested here (is there support for validation using the root CA in DPS?).
- IoT C SDK release 2019-07-01

Actual result: device not provisioned
Expected result: device correctly provisioned and registered

Thank you !

This question comes from the open-source project: Azure/azure-iot-sdk-c


9 replies

  • weixin_39599342, 3 months ago

    Yea I've been looking into this since yesterday and noticed that the PowerShell script signs the device cert with the root while the bash script signs with the intermediate. I believe the intention of these scripts should be to keep things as simple as possible for users, since certs themselves can be complicated. I'm getting together a fix which signs the device cert as the PowerShell script does, which is with the root. That way you can upload the root, generate the device cert, and therefore only have one cert to compile in your code.

    Great find though on the use of the intermediate! Feel free to use either scenario for testing purposes. Just know that as we label everywhere in and around the cert gen scripts, this is not to be used for production.

  • weixin_39758048, 3 months ago

    OK cool! Yes, absolutely, it's for testing purposes only, I'm just trying to build a more complex scenario.

    For now I was trying this "direct" provisioning, while my end goal is to provision a downstream device behind an edge device in transparent mode. I'm just working step by step.

    I'll let you close this ticket when you merge your fix I guess, the workaround with the usage of the intermediate cert is acceptable for me in the meantime.

    Thank you for the support!

  • weixin_39599342, 3 months ago

    PR has been opened https://github.com/Azure/azure-iot-sdk-c/pull/1230

  • weixin_39599342, 3 months ago

    PR merged to master

  • weixin_39710361, 3 months ago

    , , thank you for your contribution to our open-sourced project! Please help us improve by filling out this 2-minute customer satisfaction survey

  • weixin_39758048, 3 months ago

    https://github.com/Azure/azure-iot-sdk-c/issues/1055 might be useful; it seems this scenario is not working either and is generating the same output.

  • weixin_39599342, 3 months ago

    Hi, we have a bug in certGen.sh as brought up here. Is there any way you can run the PowerShell version of the cert generation for now to unblock yourself?

  • weixin_39758048, 3 months ago

    Hi, thank you for your quick reply. It seems indeed to be the same issue. I'll try it and let you know.

  • weixin_39758048, 3 months ago

    Hey

    I was just reading the example with the C# SDK, and in the provisioning sample we have to provide the intermediate cert which signed the device certs (public and private keys) through the APIs (using this).

    By adding to prov_dev_sample.c the content of the intermediate cert (./certs/azure-iot-test-only.intermediate.cert.pem) with:

    Prov_Device_SetOption(prov_device_handle, OPTION_TRUSTED_CERT, CERTIFICATE);

    and by changing in the group enrollment the "Certificate type :" property to use the intermediate cert instead of the root CA, it seems to provision correctly:
    
    run the provisioning sample...
    Provisioning API Version: 1.3.5
    Not using proxy
    custom_hsm_get_common_name
    custom_hsm_get_certificate
    custom_hsm_get_key
    
    Registering Device
    
    -> 11:12:36 CONNECT | VER: 4 | KEEPALIVE: 0 | FLAGS: 130 | USERNAME: SCOPE_ID/registrations/REGISTRATION_ID/api-version=2019-03-31&ClientVersion=1.3.5 | CLEAN: 1
     11:12:36 SUBSCRIBE | PACKET_ID: 1 | TOPIC_NAME: $dps/registrations/res/# | QOS: 1
    Provisioning Status: PROV_DEVICE_REG_STATUS_INVALID
     11:12:36 PUBLISH | IS_DUP: false | RETAIN: 0 | QOS: DELIVER_AT_MOST_ONCE | TOPIC_NAME: $dps/registrations/PUT/iotdps-register/?$rid=1 | PAYLOAD_LEN: 29
     11:12:36 PUBLISH | IS_DUP: false | RETAIN: 0 | QOS: DELIVER_AT_MOST_ONCE | TOPIC_NAME: $dps/registrations/GET/iotdps-get-operationstatus/?$rid=2&operationId=4.5fdbf7a9b6727138.b3830166-57e6-4db0-bece-4277323451fc | PAYLOAD_LEN: 29
     11:12:39 PUBLISH | IS_DUP: false | RETAIN: 0 | QOS: DELIVER_AT_MOST_ONCE | TOPIC_NAME: $dps/registrations/GET/iotdps-get-operationstatus/?$rid=3&operationId=4.5fdbf7a9b6727138.b3830166-57e6-4db0-bece-4277323451fc | PAYLOAD_LEN: 29
     11:12:39 DISCONNECT
    Press enter key to exit: 
    

    What do you think?

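The chain question behind this thread, as an added example that is not from the thread or the SDK: it rebuilds the certGen.sh chain shape offline with openssl (assumed on PATH, 1.1.1 or newer) and shows which CA certificate an enrollment group must hold for a device that presents only its own leaf, which is the situation of the custom HSM above. All file names, CNs and the device id are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the SDK; assumes openssl 1.1.1+ is on PATH.
# Rebuilds offline the chain shape certGen.sh produced (root -> intermediate -> device,
# device CN = deviceId) and checks which CA cert an enrollment group would need to hold.
set -eu

# sign_csr DIR NAME ISSUER EXTFILE: issue DIR/NAME.pem from DIR/NAME.csr with DIR/ISSUER.{pem,key}.
sign_csr() {
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" -CAcreateserial \
        -days 2 -sha256 -extfile "$1/$4" -out "$1/$2.pem" 2>/dev/null
}

# make_test_chain DIR DEVICE_ID: throwaway root, intermediate and device certs (plus keys) in DIR.
# device.pem is signed by the intermediate (what certGen.sh did when the thread was opened);
# device-direct.pem is signed by the root (what the PowerShell script and the merged fix do).
make_test_chain() {
    mkdir -p "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$1/leaf.ext"
    for name in root intermediate device device-direct; do
        case $name in root) cn="Test Root CA";; intermediate) cn="Test Intermediate CA";; *) cn=$2;; esac
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
            -subj "/CN=$cn" -keyout "$1/$name.key" -out "$1/$name.csr" 2>/dev/null
    done
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 -sha256 \
        -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null
    sign_csr "$1" intermediate root ca.ext
    sign_csr "$1" device intermediate leaf.ext
    sign_csr "$1" device-direct root leaf.ext
}

# issuer_cn PEM / subject_cn PEM: CN of the certificate that signed PEM / of PEM itself.
issuer_cn() { openssl x509 -noout -issuer -in "$1" | sed 's/.*CN *= *//'; }
subject_cn() { openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'; }
# chains_to CA_PEM LEAF_PEM [CHAIN_PEM]: true when LEAF validates with CA_PEM as the trust anchor.
# -partial_chain lets a non-self-signed CA (the intermediate) be the anchor, as an enrollment
# group's CA certificate is; CHAIN_PEM models extra certificates the device presents with its leaf.
chains_to() {
    if [ $# -ge 3 ]; then set -- -untrusted "$3" -CAfile "$1" "$2"; else set -- -CAfile "$1" "$2"; fi
    openssl verify -partial_chain "$@" 2>/dev/null | grep -q ': OK$'
}
# report DIR: the four cases discussed in the thread, one line each.
report() {
    echo "device.pem: CN=$(subject_cn "$1/device.pem"), signed by: $(issuer_cn "$1/device.pem")"
    echo "group CA = root, device sends its leaf only (the reported failure): $(chains_to "$1/root.pem" "$1/device.pem" && echo OK || echo FAIL)"
    echo "group CA = root, device also presents the intermediate: $(chains_to "$1/root.pem" "$1/device.pem" "$1/intermediate.pem" && echo OK || echo FAIL)"
    echo "group CA = intermediate (the workaround in the thread): $(chains_to "$1/intermediate.pem" "$1/device.pem" && echo OK || echo FAIL)"
    echo "group CA = root, device cert signed directly by the root (the fix): $(chains_to "$1/root.pem" "$1/device-direct.pem" && echo OK || echo FAIL)"
}
d=$(mktemp -d); make_test_chain "$d" my-device-01; report "$d"; rm -rf "$d"
```

The same `issuer_cn` check on the real ./certs/new-device.cert.pem tells you before uploading anything which CA the enrollment group has to trust, or whether the intermediate must be presented alongside the leaf.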