This repository has been archived by the owner on Apr 25, 2023. It is now read-only.
I am about to implement a custom HSM interface for evaluation purposes.
As a first step, my goal was to use a hardcoded certificate.
To do this I attempted to follow the instructions at Implementing A Custom HSM from the Azure C SDK repo and implemented a custom DPS client:
```c
#include <stdbool.h>
#include <string.h>

#include "azure_c_shared_utility/platform.h"
#include "azure_c_shared_utility/threadapi.h"
#include "azure_c_shared_utility/xlogging.h"
#include "azure_prov_client/prov_device_ll_client.h"
#include "azure_prov_client/prov_security_factory.h"
#include "azure_prov_client/prov_transport_http_client.h"
#include "iothub_client_version.h"

// Registration state shared with the callbacks; layout follows the SDK's
// prov_dev_client_ll_sample.c (only the fields used here are shown).
typedef struct CLIENT_SAMPLE_INFO_TAG
{
    unsigned int sleep_time;
    int registration_complete;  // 0 = pending, 1 = registered, 2 = failed
} CLIENT_SAMPLE_INFO;

// Defined elsewhere in the file, as in the SDK sample: the root CA bundle for the
// DPS endpoint, the log-trace switch, and the two callbacks that update user_ctx.
static CLIENT_SAMPLE_INFO user_ctx;
extern const char* certificates;
extern bool g_trace_on;
void register_device_callback(PROV_DEVICE_RESULT register_result, const char* iothub_uri, const char* device_id, void* user_context);
void registration_status_callback(PROV_DEVICE_REG_STATUS reg_status, void* user_context);

int CustomDPSClientStart(const char* global_prov_uri, const char* id_scope, const char* registration_id)
{
    // With SECURE_DEVICE_TYPE_X509 the SDK takes the registration id from the
    // common name the HSM reports, so this parameter is not used here.
    (void)registration_id;

    int result = platform_init();
    if (0 != result)
    {
        LogError("Failed to initialize the platform.");
        return -1;
    }

    result = prov_dev_security_init(SECURE_DEVICE_TYPE_X509);
    if (0 != result)
    {
        LogError("Failed to initialize security subsystem");
        platform_deinit();
        return -1;
    }

    PROV_DEVICE_LL_HANDLE handle = Prov_Device_LL_Create(global_prov_uri, id_scope, Prov_Device_HTTP_Protocol);
    if (handle == NULL)
    {
        LogError("Failed to create prov_device handle");
        prov_dev_security_deinit();
        platform_deinit();
        return -2;
    }

    // Initialize user context
    memset(&user_ctx, 0, sizeof(CLIENT_SAMPLE_INFO));
    user_ctx.registration_complete = 0;
    user_ctx.sleep_time = 10;

    LogInfo("   DPS Version: %s\r\n", Prov_Device_GetVersionString());
    LogInfo("Iothub Version: %s\r\n", IoTHubClient_GetVersionString());

    (void)Prov_Device_LL_SetOption(handle, "logtrace", &g_trace_on);
    if (Prov_Device_LL_SetOption(handle, "TrustedCerts", certificates) != PROV_DEVICE_RESULT_OK)
    {
        // Logged but not fatal; the registration below shows whether the server certificate validates.
        LogError("Failed to set option \"TrustedCerts\"");
    }

    result = Prov_Device_LL_Register_Device(handle, register_device_callback, &user_ctx, registration_status_callback, &user_ctx);
    if (PROV_DEVICE_RESULT_OK != result)
    {
        Prov_Device_LL_Destroy(handle);
        prov_dev_security_deinit();
        platform_deinit();
        return -3;
    }

    // Pump the client until register_device_callback marks the registration finished.
    do
    {
        Prov_Device_LL_DoWork(handle);
        ThreadAPI_Sleep(user_ctx.sleep_time);
    } while (user_ctx.registration_complete == 0);

    result = (user_ctx.registration_complete == 1) ? 0 : -4;

    Prov_Device_LL_Destroy(handle);
    prov_dev_security_deinit();
    platform_deinit();
    return result;
}
```
As you might guess, this did not work - though the client is trying to connect to the Azure DPS Server. I was able to narrow down the problem to the TLS handshake. It appears the DPS server is aborting the connection after receiving the certificate verify. I am now wondering: Why does this happen?
Performing the TLS handshake manually was successful using the following command:
Do you have any further suggestions where I might continue my investigations?
Do you spot any obvious misconfigurations?
This is the section of my custom_hsm_data.c, where the CERTIFICATE variable is set with the contents of new-device.key.pem. The private key is formatted likewise.
```c
// This sample is provided for sample only. Please do not use this in production
// For more information please see the devdoc using_custom_hsm.md
static const char* const COMMON_NAME = "devkit";
static const char* const CERTIFICATE = "-----BEGIN CERTIFICATE-----\n"
    "MIIFrzCCA5egAwIBAgIBAjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDDClBenVy"
    "ZSBJb1QgSHViIEludGVybWVkaWF0ZSBDZXJ0IFRlc3QgT25seTAeFw0xODExMTIx"
    "MjAyNTFaFw0xODEyMTIxMjAyNTFaMBExDzANBgNVBAMMBmRldmtpdDCCAiIwDQYJ"
    "KoZIhvcNAQEBBQADggIPADCCAgoCggIBAOLe2yKDY1hl7rVbfR2iBrEunInU7tXu"
    "YVWXGrzmS/WZVwjS+taHB8dO2uPv9uRo27mtFXP+v5YIuy7uiPnv9G85UYKdX9+3"
    "+3FOh+5xQqzX0ZbySv50aCBK02aGASwN+qNY6XTksETr6xcUnRflFlJHBTWRLsPA"
    "T8b/zqTKeVBjrNdHHi1KRncg2WQIlOwJUnqczEmPHi4OqfmCjrKlMHaUOjyC7Mdd"
    "MngQBuSYdJIhY/8VsxB2eoO5wYRzAv2JOx8xRBQjotgrxkMDX/VOgAx0gKThXsFX"
    "vifqXZ485u2LiBfLuNgcN4HCGHtphYvMDT4QQrr0yL8TnwGxIBiYPctUtXwMCFy6"
    "V+PUWt8Uh1t75rxrb+DKVm8LDWw+0zyuLaptavJft9NYtTJUbGBkaqD/KdqBkAxG"
    "nCl0T8U3hPP40PPaSNVMFkqTERDCHoNR2QSzCYUlp19STtjFW0wnd8qoN99prS2F"
    "I7ZR5GEB2JIV/mrMVmtdXsCSoAcFfhzIaE0F4UQvJfgv/WWAtIX6P/iWRXiSpwxf"
    "ou1r+rK0k9SdMp+koGSG5bxOJjWk7x9BxgJ4SkrDaEv+rxCxdIy7+O/a72QZEzUi"
    "8OfsqJbcGEH+DzBtSfpd9KzC2fZI4+4HE+y8mUIXR4qUCzTP1hr/XN8Cnah1H/Ja"
    "Ylsg7L6b557pAgMBAAGjge4wgeswCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMC"
    "BkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJhdGVkIFNlcnZlciBDZXJ0"
    "aWZpY2F0ZTAdBgNVHQ4EFgQUdtLL7XLSzhZ5qT+NV/ISuCyQRRswUgYDVR0jBEsw"
    "SYAUZ0Vdg8eWlbVbHoikDYO7tRQfHk2hLqQsMCoxKDAmBgNVBAMMH0F6dXJlIElv"
    "VCBIdWIgQ0EgQ2VydCBUZXN0IE9ubHmCAQEwDgYDVR0PAQH/BAQDAgWgMBMGA1Ud"
    "JQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQDmvDzQzTv8PRTtUbpS"
    "fS0CrOpovN6C/R6dgILLB7AVbMQGUnqg3vTEiWoRK33Z/OQRRW46qcdMGltR6Gq3"
    "QnAlfyUQ0d+AKHTtXxAAevZqLO5ZMKeHeFEARuMOd0S+zvuTBlx881Dzk4/fLDl3"
    "z75hZhJZFbmDHdAGZmiAaUCJYYUiqDCtbVzpFfOEWSNTvVawhDnZqvR0Ozmp1XJF"
    "9UtcFSLH1halB2BcKD+HHAbzDa57ZjHz+RckxVt42O82KEqfFLr6Mbh/kIFhLuCu"
    "0oCSBp8iiftFWXu0irizR0av67tdBXO5uiFHlcSyagPLR+W67RgQaEQA2CZwwO8D"
    "aVR975ISf8diCu038Y3MmClmuUZwqv/QA1AxUgYcR55XNyFZ9+qVy3yO7EpGtCfT"
    "T18HXZAxSxGu2EtTA1mzmIpQnxtEtj5Shvu4zVkxIS5fHOMiGq71brnpcBmTCh5p"
    "nxpyiKUFWr0pqFO/OyCjWiPwjaLzeBkw9OEdxHZY2I4GSUNyY2jvOqJ1iJeZ7Cah"
    "NIjxwCiHlvTqNiyfbknx3vuhp8+MlzhTGDqoKmMp3fF5PkG7nKqdE+DRjaBPf9rl"
    "D+xQ2aw7XRUKQivXPN/mRwQkRXWh071GahRrfLlLkFMpFP6i/8OeJ39uNrwBuF9w"
    "e+hv/Iq1smZXTkVHuhaMOK1CUw=="
    "-----END CERTIFICATE-----\n";
```
Thanks!
Max
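An added check, not part of Max's post or of the Azure SDK: a handshake the server drops right after CertificateVerify is one in which the client has already presented its certificate and signed with the matching private key, so the first thing worth confirming is what that certificate actually says. The Python below uses only the standard library, walks just enough DER to pull the issuer CN, subject CN and validity window out of the certificate from the post, and compares them with what DPS expects of an X.509 device: the registration id (which the SDK's X.509 path takes from the common name the custom HSM returns) must equal the leaf's subject CN, and the clock must fall inside notBefore..notAfter. The function names and the ISO-timestamp `now` argument are this example's own.

```python
# Stdlib-only X.509 field extraction for a hard-coded device certificate (added diagnostic).
import base64
import datetime
import re

# Device certificate from the issue text (same bytes, re-wrapped to 64 columns).
DEVICE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIFrzCCA5egAwIBAgIBAjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQDDClBenVy
ZSBJb1QgSHViIEludGVybWVkaWF0ZSBDZXJ0IFRlc3QgT25seTAeFw0xODExMTIx
MjAyNTFaFw0xODEyMTIxMjAyNTFaMBExDzANBgNVBAMMBmRldmtpdDCCAiIwDQYJ
KoZIhvcNAQEBBQADggIPADCCAgoCggIBAOLe2yKDY1hl7rVbfR2iBrEunInU7tXu
YVWXGrzmS/WZVwjS+taHB8dO2uPv9uRo27mtFXP+v5YIuy7uiPnv9G85UYKdX9+3
+3FOh+5xQqzX0ZbySv50aCBK02aGASwN+qNY6XTksETr6xcUnRflFlJHBTWRLsPA
T8b/zqTKeVBjrNdHHi1KRncg2WQIlOwJUnqczEmPHi4OqfmCjrKlMHaUOjyC7Mdd
MngQBuSYdJIhY/8VsxB2eoO5wYRzAv2JOx8xRBQjotgrxkMDX/VOgAx0gKThXsFX
vifqXZ485u2LiBfLuNgcN4HCGHtphYvMDT4QQrr0yL8TnwGxIBiYPctUtXwMCFy6
V+PUWt8Uh1t75rxrb+DKVm8LDWw+0zyuLaptavJft9NYtTJUbGBkaqD/KdqBkAxG
nCl0T8U3hPP40PPaSNVMFkqTERDCHoNR2QSzCYUlp19STtjFW0wnd8qoN99prS2F
I7ZR5GEB2JIV/mrMVmtdXsCSoAcFfhzIaE0F4UQvJfgv/WWAtIX6P/iWRXiSpwxf
ou1r+rK0k9SdMp+koGSG5bxOJjWk7x9BxgJ4SkrDaEv+rxCxdIy7+O/a72QZEzUi
8OfsqJbcGEH+DzBtSfpd9KzC2fZI4+4HE+y8mUIXR4qUCzTP1hr/XN8Cnah1H/Ja
Ylsg7L6b557pAgMBAAGjge4wgeswCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMC
BkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJhdGVkIFNlcnZlciBDZXJ0
aWZpY2F0ZTAdBgNVHQ4EFgQUdtLL7XLSzhZ5qT+NV/ISuCyQRRswUgYDVR0jBEsw
SYAUZ0Vdg8eWlbVbHoikDYO7tRQfHk2hLqQsMCoxKDAmBgNVBAMMH0F6dXJlIElv
VCBIdWIgQ0EgQ2VydCBUZXN0IE9ubHmCAQEwDgYDVR0PAQH/BAQDAgWgMBMGA1Ud
JQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQDmvDzQzTv8PRTtUbpS
fS0CrOpovN6C/R6dgILLB7AVbMQGUnqg3vTEiWoRK33Z/OQRRW46qcdMGltR6Gq3
QnAlfyUQ0d+AKHTtXxAAevZqLO5ZMKeHeFEARuMOd0S+zvuTBlx881Dzk4/fLDl3
z75hZhJZFbmDHdAGZmiAaUCJYYUiqDCtbVzpFfOEWSNTvVawhDnZqvR0Ozmp1XJF
9UtcFSLH1halB2BcKD+HHAbzDa57ZjHz+RckxVt42O82KEqfFLr6Mbh/kIFhLuCu
0oCSBp8iiftFWXu0irizR0av67tdBXO5uiFHlcSyagPLR+W67RgQaEQA2CZwwO8D
aVR975ISf8diCu038Y3MmClmuUZwqv/QA1AxUgYcR55XNyFZ9+qVy3yO7EpGtCfT
T18HXZAxSxGu2EtTA1mzmIpQnxtEtj5Shvu4zVkxIS5fHOMiGq71brnpcBmTCh5p
nxpyiKUFWr0pqFO/OyCjWiPwjaLzeBkw9OEdxHZY2I4GSUNyY2jvOqJ1iJeZ7Cah
NIjxwCiHlvTqNiyfbknx3vuhp8+MlzhTGDqoKmMp3fF5PkG7nKqdE+DRjaBPf9rl
D+xQ2aw7XRUKQivXPN/mRwQkRXWh071GahRrfLlLkFMpFP6i/8OeJ39uNrwBuF9w
e+hv/Iq1smZXTkVHuhaMOK1CUw==
-----END CERTIFICATE-----"""

OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)
UTC = datetime.timezone.utc

def tlv(buf, pos):  # one DER tag-length-value at pos -> (tag, value, end offset)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data (truncated PEM body?)")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # lazily yield (tag, value) for each element of a SEQUENCE/SET body
    pos = 0
    while pos < len(value):
        tag, inner, pos = tlv(value, pos)
        yield tag, inner

def common_name(name):  # CN of an X.501 Name: SEQUENCE of SET of SEQUENCE {oid, value}
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, val) = list(children(atv))
            if oid == OID_COMMON_NAME:
                return val.decode("utf-8")
    return None

def parse_cert(pem):
    """Issuer CN, subject CN and validity window of the first CERTIFICATE block in pem."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    _, cert, end = tlv(der, 0)
    if end != len(der):
        raise ValueError("outer SEQUENCE length disagrees with data: corrupted PEM body")
    _, tbs, _ = tlv(cert, 0)  # tbsCertificate; the signature after it is not needed here
    fields = children(tbs)
    tag, _ = next(fields)  # serial number, or the optional [0] EXPLICIT version before it
    if tag == 0xA0:
        next(fields)  # skip the serial number as well
    next(fields)  # signature AlgorithmIdentifier
    (_, issuer), (_, validity), (_, subject) = next(fields), next(fields), next(fields)
    # Validity holds two UTCTime (0x17, two-digit year) or GeneralizedTime (0x18) values in Zulu form
    nb, na = [datetime.datetime.strptime(v.decode("ascii"), "%y%m%d%H%M%SZ" if t == 0x17 else "%Y%m%d%H%M%SZ")
              .replace(tzinfo=UTC) for t, v in children(validity)]
    return {"issuer_cn": common_name(issuer), "subject_cn": common_name(subject),
            "not_before": nb, "not_after": na}

def check_device_cert(pem, registration_id, now=None):
    """Findings for an X.509 DPS device (empty = nothing obviously wrong); now: 'YYYY-MM-DDTHH:MM:SSZ' or None."""
    info = parse_cert(pem)
    when = (datetime.datetime.strptime(now, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
            if now else datetime.datetime.now(UTC))
    findings = []
    if info["subject_cn"] != registration_id:  # DPS X.509: registration id must equal the leaf CN
        findings.append(f"common name {info['subject_cn']!r} != registration id {registration_id!r}")
    if when < info["not_before"]:
        findings.append(f"not yet valid: notBefore {info['not_before'].isoformat()}")
    if when > info["not_after"]:
        findings.append(f"expired: notAfter {info['not_after'].isoformat()}")
    return findings
```

Call `check_device_cert(DEVICE_CERT_PEM, "devkit")` without `now` to check against the current clock. The certificate in the post decodes to subject CN `devkit`, issued by `Azure IoT Hub Intermediate Cert Test Only`, valid only from 2018-11-12 to 2018-12-12, so any run after that window reports it as expired. A `ValueError` out of `parse_cert` means the PEM body itself is damaged (the usual result of a dropped or duplicated line in a hard-coded string), which is a different failure from a well-formed certificate the server declines.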
This issue has been automatically marked as stale because it has no recent activities. It will be closed if no further activity occurs within 3 days. Thank you for your contributions.