[DPS] Unable to employ custom HSM for x509 Individual Enrollment
Hey team,
I am about to implement a custom HSM interface for evaluation purposes. As a first step, my goal was to use a hardcoded certificate. To do this I attempted to follow the instructions at Implementing A Custom HSM from the Azure C SDK repo and implemented a custom DPS client:
#include <string.h>
#include "azure_c_shared_utility/platform.h"
#include "azure_c_shared_utility/threadapi.h"
#include "azure_c_shared_utility/xlogging.h"
#include "azure_prov_client/prov_device_ll_client.h"
#include "azure_prov_client/prov_security_factory.h"
#include "azure_prov_client/prov_transport_http_client.h"
#include "iothub_client_version.h"

// Assumed to be defined elsewhere in the file, as in the SDK's prov_dev_client_ll_sample.c:
// CLIENT_SAMPLE_INFO user_ctx, const char* certificates, bool g_trace_on,
// register_device_callback() and registration_status_callback().

int CustomDPSClientStart(const char* global_prov_uri, const char* id_scope, const char* registration_id)
{
    int result = 0;
    result = platform_init();
    if (0 != result)
    {
        LogError("Failed to initialize the platform.");
        return -1;   // nothing below can work without the platform layer
    }
    result = prov_dev_security_init(SECURE_DEVICE_TYPE_X509);
    if (0 != result)
    {
        LogError("Failed to initialize security subsystem");
        return -1;
    }
    PROV_DEVICE_LL_HANDLE handle = NULL;
    handle = Prov_Device_LL_Create(global_prov_uri, id_scope, Prov_Device_HTTP_Protocol);
    if (handle == NULL)
    {
        LogError("Failed to create prov_device handle");
        return -2;
    }
    memset(&user_ctx, 0, sizeof(CLIENT_SAMPLE_INFO));
    // Initialize user context
    user_ctx.registration_complete = 0;
    user_ctx.sleep_time = 10;
    LogInfo(" DPS Version: %s\r\n", Prov_Device_GetVersionString());
    LogInfo("Iothub Version: %s\r\n", IoTHubClient_GetVersionString());
    Prov_Device_LL_SetOption(handle, "logtrace", &g_trace_on);
    result = Prov_Device_LL_SetOption(handle, "TrustedCerts", certificates);
    if (result != PROV_DEVICE_RESULT_OK)
    {
        LogError("Failed to set option \"TrustedCerts\"");
        Prov_Device_LL_Destroy(handle);   // without the trust anchors the TLS handshake cannot succeed
        return -5;
    }
    result = Prov_Device_LL_Register_Device(handle, register_device_callback, &user_ctx, registration_status_callback, &user_ctx);
    if (PROV_DEVICE_RESULT_OK != result)
    {
        Prov_Device_LL_Destroy(handle);   // do not leak the handle on failure
        return -3;
    }
    do
    {
        Prov_Device_LL_DoWork(handle);
        ThreadAPI_Sleep(user_ctx.sleep_time);
    } while (user_ctx.registration_complete == 0);
    if (user_ctx.registration_complete == 1)
    {
        result = 0;
    }
    else
    {
        result = -4;
    }
    Prov_Device_LL_Destroy(handle);
    return result;
}
As you might guess, this did not work - though the client is trying to connect to the Azure DPS Server. I was able to narrow down the problem to the TLS handshake. It appears the DPS server is aborting the connection after receiving the certificate verify. I am now wondering: Why does this happen?
Performing the TLS handshake manually was successful using the following command:
$ openssl s_client -debug -connect global.azure-devices-provisioning.net:443 -cert new-device.key.pem -key new-device.key.pem
Do you have any further suggestions as to where I might continue my investigation? Do you spot any obvious misconfigurations?
This is the section of my custom_hsm_data.c, where the CERTIFICATE variable is set with the contents of new-device.key.pem. The private key is formatted likewise.
// This sample is provided for sample only. Please do not use this in production
// For more information please see the devdoc using_custom_hsm.md
static const char* const COMMON_NAME = "devkit";
static const char* const CERTIFICATE = "-----BEGIN CERTIFICATE-----\n"
    "MIIFrzCCA5egAwIBAgIBAjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDDClBenVy\n"
    "ZSBJb1QgSHViIEludGVybWVkaWF0ZSBDZXJ0IFRlc3QgT25seTAeFw0xODExMTIx\n"
    "MjAyNTFaFw0xODEyMTIxMjAyNTFaMBExDzANBgNVBAMMBmRldmtpdDCCAiIwDQYJ\n"
    "KoZIhvcNAQEBBQADggIPADCCAgoCggIBAOLe2yKDY1hl7rVbfR2iBrEunInU7tXu\n"
    "YVWXGrzmS/WZVwjS+taHB8dO2uPv9uRo27mtFXP+v5YIuy7uiPnv9G85UYKdX9+3\n"
    "+3FOh+5xQqzX0ZbySv50aCBK02aGASwN+qNY6XTksETr6xcUnRflFlJHBTWRLsPA\n"
    "T8b/zqTKeVBjrNdHHi1KRncg2WQIlOwJUnqczEmPHi4OqfmCjrKlMHaUOjyC7Mdd\n"
    "MngQBuSYdJIhY/8VsxB2eoO5wYRzAv2JOx8xRBQjotgrxkMDX/VOgAx0gKThXsFX\n"
    "vifqXZ485u2LiBfLuNgcN4HCGHtphYvMDT4QQrr0yL8TnwGxIBiYPctUtXwMCFy6\n"
    "V+PUWt8Uh1t75rxrb+DKVm8LDWw+0zyuLaptavJft9NYtTJUbGBkaqD/KdqBkAxG\n"
    "nCl0T8U3hPP40PPaSNVMFkqTERDCHoNR2QSzCYUlp19STtjFW0wnd8qoN99prS2F\n"
    "I7ZR5GEB2JIV/mrMVmtdXsCSoAcFfhzIaE0F4UQvJfgv/WWAtIX6P/iWRXiSpwxf\n"
    "ou1r+rK0k9SdMp+koGSG5bxOJjWk7x9BxgJ4SkrDaEv+rxCxdIy7+O/a72QZEzUi\n"
    "8OfsqJbcGEH+DzBtSfpd9KzC2fZI4+4HE+y8mUIXR4qUCzTP1hr/XN8Cnah1H/Ja\n"
    "Ylsg7L6b557pAgMBAAGjge4wgeswCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMC\n"
    "BkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJhdGVkIFNlcnZlciBDZXJ0\n"
    "aWZpY2F0ZTAdBgNVHQ4EFgQUdtLL7XLSzhZ5qT+NV/ISuCyQRRswUgYDVR0jBEsw\n"
    "SYAUZ0Vdg8eWlbVbHoikDYO7tRQfHk2hLqQsMCoxKDAmBgNVBAMMH0F6dXJlIElv\n"
    "VCBIdWIgQ0EgQ2VydCBUZXN0IE9ubHmCAQEwDgYDVR0PAQH/BAQDAgWgMBMGA1Ud\n"
    "JQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQDmvDzQzTv8PRTtUbpS\n"
    "fS0CrOpovN6C/R6dgILLB7AVbMQGUnqg3vTEiWoRK33Z/OQRRW46qcdMGltR6Gq3\n"
    "QnAlfyUQ0d+AKHTtXxAAevZqLO5ZMKeHeFEARuMOd0S+zvuTBlx881Dzk4/fLDl3\n"
    "z75hZhJZFbmDHdAGZmiAaUCJYYUiqDCtbVzpFfOEWSNTvVawhDnZqvR0Ozmp1XJF\n"
    "9UtcFSLH1halB2BcKD+HHAbzDa57ZjHz+RckxVt42O82KEqfFLr6Mbh/kIFhLuCu\n"
    "0oCSBp8iiftFWXu0irizR0av67tdBXO5uiFHlcSyagPLR+W67RgQaEQA2CZwwO8D\n"
    "aVR975ISf8diCu038Y3MmClmuUZwqv/QA1AxUgYcR55XNyFZ9+qVy3yO7EpGtCfT\n"
    "T18HXZAxSxGu2EtTA1mzmIpQnxtEtj5Shvu4zVkxIS5fHOMiGq71brnpcBmTCh5p\n"
    "nxpyiKUFWr0pqFO/OyCjWiPwjaLzeBkw9OEdxHZY2I4GSUNyY2jvOqJ1iJeZ7Cah\n"
    "NIjxwCiHlvTqNiyfbknx3vuhp8+MlzhTGDqoKmMp3fF5PkG7nKqdE+DRjaBPf9rl\n"
    "D+xQ2aw7XRUKQivXPN/mRwQkRXWh071GahRrfLlLkFMpFP6i/8OeJ39uNrwBuF9w\n"
    "e+hv/Iq1smZXTkVHuhaMOK1CUw==\n"
    "-----END CERTIFICATE-----\n";
Thanks! Max
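An added sanity check, not from the SDK or the original post, that is worth running over a PEM string before it is pasted into a custom_hsm_data.c literal: using only the Python standard library it verifies that the BEGIN/END markers sit on their own lines, that no base64 line exceeds 64 columns (which is what results when the C string-literal lines are joined without a trailing \n), and that the decoded DER outer SEQUENCE length matches the bytes present. The DER stub and both PEM strings are constructed test data, not a real certificate.

```python
import base64
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_declared_length(der: bytes):
    """(header_len, content_len) of the outer DER SEQUENCE, or None if it is not one."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                    # short-form length
        return 2, first
    n = first & 0x7F                    # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def check_pem_cert(pem: str) -> list:
    """Return a list of framing problems; an empty list means the PEM looks sane."""
    problems = []
    begin_at, end_at = pem.find(BEGIN), pem.rfind(END)
    if begin_at < 0 or end_at < 0:
        return ["BEGIN or END CERTIFICATE marker is missing"]
    body_text = pem[begin_at + len(BEGIN):end_at]
    if not (body_text.startswith("\n") and body_text.endswith("\n")):
        problems.append("BEGIN/END markers are not on their own lines (missing newline)")
    if not pem.endswith(END + "\n"):
        problems.append("END line is not terminated by a newline")
    body = [line for line in body_text.split("\n") if line]
    for i, line in enumerate(body, start=2):       # line 1 is the BEGIN marker
        if len(line) > 64:
            problems.append(f"line {i} is {len(line)} chars; PEM lines are at most 64")
    try:
        der = base64.b64decode("".join(body), validate=True)   # rejects stray characters
    except ValueError as exc:
        return problems + [f"base64 decode failed: {exc}"]
    hdr = der_declared_length(der)
    if hdr is None:
        problems.append("decoded bytes do not start with a DER SEQUENCE")
    elif hdr[0] + hdr[1] != len(der):
        problems.append(f"DER length mismatch: {hdr[1]} declared, {len(der) - hdr[0]} present")
    return problems


DER_STUB = b"\x30\x3e\x04\x3c" + bytes(range(60))      # constructed: SEQUENCE { OCTET STRING, 60 bytes }
B64 = base64.b64encode(DER_STUB).decode()              # 88 base64 characters
GOOD_PEM = f"{BEGIN}\n{B64[:64]}\n{B64[64:]}\n{END}\n"  # wrapped at 64 columns
BAD_PEM = f"{BEGIN}\n{B64}{END}\n"                      # C-literal lines joined without "\n"
```

Running it against the real CERTIFICATE constant means passing the C string's runtime value, i.e. with the escape sequences already resolved.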
x509 for DPS is too complex and highly depends on hw and the underlying driver; not sure I can help you, but I will take time to investigate your case.
This issue has no recent activities, please take a look and provide updates for it.
This issue has been automatically marked as stale because it has no recent activities. It will be closed if no further activity occurs within 3 days. Thank you for your contributions.