[DPS] Unable to employ custom HSM for x509 Individual Enrollment

[maxbeckmann]

Hey team,

I am about to implement a custom HSM interface for evaluation purposes. As a first step, my goal was to use a hardcoded certificate. To do this I attempted to follow the instructions at Implementing A Custom HSM from the Azure C SDK repo and implemented a custom DPS client:

int CustomDPSClientStart(const char* global_prov_uri, const char* id_scope, const char* registration_id) {
    int result = 0;

    result = platform_init();
    if (0 != result)
    {
        LogError("Failed to initialize the platform.");
        result = -1;
    }

    result = prov_dev_security_init(SECURE_DEVICE_TYPE_X509);
    if(0 != result) {
        LogError("Failed to initialize security subsystem");
        return -1;
    }

    PROV_DEVICE_LL_HANDLE handle = NULL;
    handle = Prov_Device_LL_Create(global_prov_uri, id_scope, Prov_Device_HTTP_Protocol);
    if(handle == NULL) {
      LogError("Failed to create prov_device handle");
      return -2;
    }

    memset(&user_ctx, 0, sizeof(CLIENT_SAMPLE_INFO));
    // Initialize user context
    user_ctx.registration_complete = 0;
    user_ctx.sleep_time = 10;

    LogInfo("   DPS Version: %s\r\n", Prov_Device_GetVersionString());
    LogInfo("Iothub Version: %s\r\n", IoTHubClient_GetVersionString());

    Prov_Device_LL_SetOption(handle, "logtrace", &g_trace_on);
    result = Prov_Device_LL_SetOption(handle, "TrustedCerts", certificates);
    if (result != PROV_DEVICE_RESULT_OK) {
      LogError("Failed to set option \"TrustedCerts\"");
      result = false;
    }

    result = Prov_Device_LL_Register_Device(handle, register_device_callback, &user_ctx, registation_status_callback, &user_ctx);
    if(PROV_DEVICE_RESULT_OK != result) {
      return -3;
    }

    do
    {
      Prov_Device_LL_DoWork(handle);
      ThreadAPI_Sleep(user_ctx.sleep_time);
    } while (user_ctx.registration_complete == 0);

    if (user_ctx.registration_complete == 1) {
      result = 0;
    }
    else {
      result = -4;
    }

    Prov_Device_LL_Destroy(handle);
    return result;
}

As you might guess, this did not work - though the client is trying to connect to the Azure DPS Server. I was able to narrow down the problem to the TLS handshake. It appears the DPS server is aborting the connection after receiving the certificate verify. I am now wondering: Why does this happen? Performing the TLS handshake manually was successfull using the following command:

$ openssl s_client -debug -connect global.azure-devices-provisioning.net:443 -cert new-device.key.pem -key new-device.key.pem

Do you have any further suggestion where I might continue my investigations? Do you spot any obvious missconfigurations?

This is the section of my custom_hsm_data.c, where the CERTIFICATE variable is set with the contents of new-device.key.pem. The private key is formatted likewise.

// This sample is provided for sample only.  Please do not use this in production
// For more information please see the devdoc using_custom_hsm.md
static const char* const COMMON_NAME = "devkit";
static const char* const CERTIFICATE = "-----BEGIN CERTIFICATE-----\n"
"MIIFrzCCA5egAwIBAgIBAjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDDClBenVy"
"ZSBJb1QgSHViIEludGVybWVkaWF0ZSBDZXJ0IFRlc3QgT25seTAeFw0xODExMTIx"
"MjAyNTFaFw0xODEyMTIxMjAyNTFaMBExDzANBgNVBAMMBmRldmtpdDCCAiIwDQYJ"
"KoZIhvcNAQEBBQADggIPADCCAgoCggIBAOLe2yKDY1hl7rVbfR2iBrEunInU7tXu"
"YVWXGrzmS/WZVwjS+taHB8dO2uPv9uRo27mtFXP+v5YIuy7uiPnv9G85UYKdX9+3"
"+3FOh+5xQqzX0ZbySv50aCBK02aGASwN+qNY6XTksETr6xcUnRflFlJHBTWRLsPA"
"T8b/zqTKeVBjrNdHHi1KRncg2WQIlOwJUnqczEmPHi4OqfmCjrKlMHaUOjyC7Mdd"
"MngQBuSYdJIhY/8VsxB2eoO5wYRzAv2JOx8xRBQjotgrxkMDX/VOgAx0gKThXsFX"
"vifqXZ485u2LiBfLuNgcN4HCGHtphYvMDT4QQrr0yL8TnwGxIBiYPctUtXwMCFy6"
"V+PUWt8Uh1t75rxrb+DKVm8LDWw+0zyuLaptavJft9NYtTJUbGBkaqD/KdqBkAxG"
"nCl0T8U3hPP40PPaSNVMFkqTERDCHoNR2QSzCYUlp19STtjFW0wnd8qoN99prS2F"
"I7ZR5GEB2JIV/mrMVmtdXsCSoAcFfhzIaE0F4UQvJfgv/WWAtIX6P/iWRXiSpwxf"
"ou1r+rK0k9SdMp+koGSG5bxOJjWk7x9BxgJ4SkrDaEv+rxCxdIy7+O/a72QZEzUi"
"8OfsqJbcGEH+DzBtSfpd9KzC2fZI4+4HE+y8mUIXR4qUCzTP1hr/XN8Cnah1H/Ja"
"Ylsg7L6b557pAgMBAAGjge4wgeswCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMC"
"BkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJhdGVkIFNlcnZlciBDZXJ0"
"aWZpY2F0ZTAdBgNVHQ4EFgQUdtLL7XLSzhZ5qT+NV/ISuCyQRRswUgYDVR0jBEsw"
"SYAUZ0Vdg8eWlbVbHoikDYO7tRQfHk2hLqQsMCoxKDAmBgNVBAMMH0F6dXJlIElv"
"VCBIdWIgQ0EgQ2VydCBUZXN0IE9ubHmCAQEwDgYDVR0PAQH/BAQDAgWgMBMGA1Ud"
"JQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQDmvDzQzTv8PRTtUbpS"
"fS0CrOpovN6C/R6dgILLB7AVbMQGUnqg3vTEiWoRK33Z/OQRRW46qcdMGltR6Gq3"
"QnAlfyUQ0d+AKHTtXxAAevZqLO5ZMKeHeFEARuMOd0S+zvuTBlx881Dzk4/fLDl3"
"z75hZhJZFbmDHdAGZmiAaUCJYYUiqDCtbVzpFfOEWSNTvVawhDnZqvR0Ozmp1XJF"
"9UtcFSLH1halB2BcKD+HHAbzDa57ZjHz+RckxVt42O82KEqfFLr6Mbh/kIFhLuCu"
"0oCSBp8iiftFWXu0irizR0av67tdBXO5uiFHlcSyagPLR+W67RgQaEQA2CZwwO8D"
"aVR975ISf8diCu038Y3MmClmuUZwqv/QA1AxUgYcR55XNyFZ9+qVy3yO7EpGtCfT"
"T18HXZAxSxGu2EtTA1mzmIpQnxtEtj5Shvu4zVkxIS5fHOMiGq71brnpcBmTCh5p"
"nxpyiKUFWr0pqFO/OyCjWiPwjaLzeBkw9OEdxHZY2I4GSUNyY2jvOqJ1iJeZ7Cah"
"NIjxwCiHlvTqNiyfbknx3vuhp8+MlzhTGDqoKmMp3fF5PkG7nKqdE+DRjaBPf9rl"
"D+xQ2aw7XRUKQivXPN/mRwQkRXWh071GahRrfLlLkFMpFP6i/8OeJ39uNrwBuF9w"
"e+hv/Iq1smZXTkVHuhaMOK1CUw=="
"-----END CERTIFICATE-----\n";

Thanks! Max

[ArthurMa1978]

x509 for DPS is too complex and highly depend on hw and underlying driver, not sure I can help you but will take time to investigate your case.

[github-actions[bot]]

This issue has no recent activities, please take a look and provide updates for it.

[github-actions[bot]]

This issue has no recent activities, please take a look and provide updates for it.

[github-actions[bot]]

This issue has been automatically marked as stale because it has no recent activities. It will be closed if no further activity occurs within 3 days. Thank you for your contributions.