Azure / iot-identity-service

Source of the Azure IoT Identity Service and related services.
MIT License

[identityd] Fix certificate subject propagation #475

Closed onalante-msft closed 1 year ago

onalante-msft commented 1 year ago

Certificate subject configuration options for EST-issued certificates were not being propagated to identityd, which meant that CSRs to issue a certificate would not be generated with the configured certificate subject. Add additional configuration options to identityd to receive a CSR subject configuration and adjust aziotctl config apply to hydrate these options with the certificate issuance options extracted for certd.

onalante-msft commented 1 year ago

Testing done by inspecting generated CSR with this patch:

diff --git a/identity/aziot-identityd/src/lib.rs b/identity/aziot-identityd/src/lib.rs
index 4ec2a7d..df7169c 100644
--- a/identity/aziot-identityd/src/lib.rs
+++ b/identity/aziot-identityd/src/lib.rs
@@ -838,7 +838,9 @@ pub(crate) fn create_csr(
     csr.set_pubkey(public_key)?;
     csr.sign(private_key, openssl::hash::MessageDigest::sha256())?;

-    csr.build().to_pem()
+    let pem = csr.build().to_pem()?;
+    std::fs::write("/var/lib/aziot/identityd/csr.pem", &pem).unwrap();
+    Ok(pem)
 }

 pub struct SettingsAuthenticator {
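Review bot: the `std::fs::write("/var/lib/aziot/identityd/csr.pem", &pem).unwrap();` line is a local test hook and should not be merged as part of the subject-propagation fix: `unwrap()` turns any I/O failure (directory missing, permission denied, read-only filesystem) into a panic inside `create_csr`, so identity provisioning would abort instead of returning an error, and the hardcoded path is written on every CSR generation with no way to disable it. If a CSR dump is useful for debugging, gate it behind a configuration option and propagate the error with `?` rather than panicking; otherwise keep `csr.build().to_pem()` as it was and leave the inspection patch out of the PR.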

End-to-end DPS+EST testing done with https://github.com/globalsign/est.