ECC fix (#3428)

When ECC certificates are set as device CA on an Edge device, the resultant server certificates will also be ECC certificates. The edgeHub certificate parsing logic is now enlightened to parse such certificates and keys out from the workload API response.

Fix for #3371

Cherry-pick from master 49f25b5

edge-util/src/Microsoft.Azure.Devices.Edge.Util/CertificateHelper.cs

@@ -356,7 +356,7 @@ internal static (X509Certificate2, IEnumerable<X509Certificate2>) ParseCertifica
             var sr = new StringReader(pemCerts.First() + "\r\n" + privateKey);
             var pemReader = new PemReader(sr);
 
-            RsaPrivateCrtKeyParameters keyParams = null;
+            AsymmetricKeyParameter keyParams = null;
             object certObject = pemReader.ReadObject();
             while (certObject != null)
             {
@@ -366,14 +366,18 @@ internal static (X509Certificate2, IEnumerable<X509Certificate2>) ParseCertifica
                 }
 
                 // when processing certificates generated via openssl certObject type is of AsymmetricCipherKeyPair
-                if (certObject is AsymmetricCipherKeyPair)
+                if (certObject is AsymmetricCipherKeyPair keyPair)
                 {
-                    certObject = ((AsymmetricCipherKeyPair)certObject).Private;
+                    certObject = keyPair.Private;
                 }
 
-                if (certObject is RsaPrivateCrtKeyParameters)
+                if (certObject is RsaPrivateCrtKeyParameters rsaParameters)
                 {
-                    keyParams = (RsaPrivateCrtKeyParameters)certObject;
+                    keyParams = rsaParameters;
+                }
+                else if (certObject is ECPrivateKeyParameters ecParameters)
+                {
+                    keyParams = ecParameters;
                 }
 
                 certObject = pemReader.ReadObject();

edge-util/test/Microsoft.Azure.Devices.Edge.Util.Test.Common/CertificateHelper.cs

@@ -99,6 +99,25 @@ public static class CertificateHelper
 dfjGFy1v/NqzATNcHpZVmqDT9CsZutBEwjdJyA+BcTfqkmb+alItJU8OsZu6c9nO
 U7JoTvzy0x7VG98T0+y68IcyjsSIPQ==
 -----END PRIVATE KEY-----
+";
+
+        public const string ECCCertificatePem = @"-----BEGIN CERTIFICATE-----
+MIIBejCCASACCQD758oFRTpGozAKBggqhkjOPQQDAjBFMQswCQYDVQQGEwJBVTET
+MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMB4XDTIwMDgxODIyMDIzMFoXDTIxMDgxODIyMDIzMFowRTELMAkGA1UE
+BhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdp
+ZGdpdHMgUHR5IEx0ZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL8DMFmDTOmF
+pcCzDqRMWBaG8VVEFXZoBFwO752RBXb8yr6zXoHPh0ET08t0PZasT4jiWci5Pc6F
++u3Gdb65PYAwCgYIKoZIzj0EAwIDSAAwRQIgIMsSviG0HTcQtz0EC5/2+mKoUn+d
+x0DnmhDakf0O/kICIQC0DzYCSXsk0Yce1+Bi7zmwjp320U7o0sCs7O8ZhUgy+g==
+-----END CERTIFICATE-----
+";
+
+        public const string ECCPrivateKeyPem = @"-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIP+wX2mlEdZCqURmTFq05cV0XE6VefkqCshhc88q8mxMoAoGCCqGSM49
+AwEHoUQDQgAEvwMwWYNM6YWlwLMOpExYFobxVUQVdmgEXA7vnZEFdvzKvrNegc+H
+QRPTy3Q9lqxPiOJZyLk9zoX67cZ1vrk9gB==
+-----END EC PRIVATE KEY-----
 ";
 
         public enum ExtKeyUsage

edge-util/test/Microsoft.Azure.Devices.Edge.Util.Test/certificate/CertificateHelperTest.cs

@@ -229,7 +229,7 @@ public void ParseCertificatesResponseShouldReturnCert()
         }
 
         [Fact]
-        public void ParseCertificateAndKeyShouldReturnCertAndKey()
+        public void ParseRSACertificateAndKeyShouldReturnCertAndKey()
         {
             TestCertificateHelper.GenerateSelfSignedCert("top secret").Export(X509ContentType.Cert);
             (X509Certificate2 cert, IEnumerable<X509Certificate2> chain) = CertificateHelper.ParseCertificateAndKey(TestCertificateHelper.CertificatePem, TestCertificateHelper.PrivateKeyPem);
@@ -240,6 +240,16 @@ public void ParseCertificateAndKeyShouldReturnCertAndKey()
             Assert.Empty(chain);
         }
 
+        [Fact]
+        public void ParseECCCertificateAndKeyShouldReturnCertAndKey()
+        {
+            (X509Certificate2 cert, IEnumerable<X509Certificate2> chain) = CertificateHelper.ParseCertificateAndKey(TestCertificateHelper.ECCCertificatePem, TestCertificateHelper.ECCPrivateKeyPem);
+
+            var expected = new X509Certificate2(Encoding.UTF8.GetBytes(TestCertificateHelper.CertificatePem));
+            Assert.True(cert.HasPrivateKey);
+            Assert.Empty(chain);
+        }
+
         [Fact]
         public void ParseMultipleCertificateAndKeyShouldReturnCertAndKey()
         {

samples/dotnet/EdgeX509AuthDownstreamDevice/Program.cs

@@ -99,7 +99,7 @@ internal static (X509Certificate2, IEnumerable<X509Certificate2>) ParseCertifica
             var sr = new StringReader(pemCerts.First() + "\r\n" + privateKey);
             var pemReader = new PemReader(sr);
 
-            RsaPrivateCrtKeyParameters keyParams = null;
+            AsymmetricKeyParameter keyParams = null;
             object certObject = pemReader.ReadObject();
             while (certObject != null)
             {
@@ -109,14 +109,18 @@ internal static (X509Certificate2, IEnumerable<X509Certificate2>) ParseCertifica
                 }
 
                 // when processing certificates generated via openssl certObject type is of AsymmetricCipherKeyPair
-                if (certObject is AsymmetricCipherKeyPair)
+                if (certObject is AsymmetricCipherKeyPair keyPair)
                 {
-                    certObject = ((AsymmetricCipherKeyPair)certObject).Private;
+                    certObject = keyPair.Private;
                 }
 
-                if (certObject is RsaPrivateCrtKeyParameters)
+                if (certObject is RsaPrivateCrtKeyParameters rsaParameters)
                 {
-                    keyParams = (RsaPrivateCrtKeyParameters)certObject;
+                    keyParams = rsaParameters;
+                }
+                else if (certObject is ECPrivateKeyParameters ecParameters)
+                {
+                    keyParams = ecParameters;
                 }
 
                 certObject = pemReader.ReadObject();