diff --git a/edgelet/contrib/config/linux/config.yaml b/edgelet/contrib/config/linux/config.yaml index b68a4d80b31..ed37a2fe0dd 100644 --- a/edgelet/contrib/config/linux/config.yaml +++ b/edgelet/contrib/config/linux/config.yaml @@ -107,6 +107,10 @@ provisioning: # trusted_ca_certs - URI containing all the trusted CA # certificates required for Edge module communication # Optionally can be specified as a file path. +# auto_generated_ca_lifetime_days - The lifetime of the auto-generated workload CA certificate. +# If device_ca_cert and device_ca_pk have not been set, +# then this also applies to the auto-generated device CA certificate. +# Defaults to 90 days. # # Note: # The values of all of these fields can be specified either as a @@ -118,6 +122,7 @@ provisioning: # device_ca_cert: "" # device_ca_pk: "" # trusted_ca_certs: "" +# auto_generated_ca_lifetime_days: ############################################################################### # Edge Agent module spec diff --git a/edgelet/contrib/config/windows/config.yaml b/edgelet/contrib/config/windows/config.yaml index 449357e17e4..8f0c994a4eb 100644 --- a/edgelet/contrib/config/windows/config.yaml +++ b/edgelet/contrib/config/windows/config.yaml @@ -107,6 +107,10 @@ provisioning: # trusted_ca_certs - URI containing all the trusted CA # certificates required for Edge module communication # Optionally can be specified as a file path. +# auto_generated_ca_lifetime_days - The lifetime of the auto-generated workload CA certificate. +# If device_ca_cert and device_ca_pk have not been set, +# then this also applies to the auto-generated device CA certificate. +# Defaults to 90 days. # # Note: # The values of all of these fields can be specified either as a @@ -118,6 +122,7 @@ provisioning: # device_ca_cert: "" # device_ca_pk: "" # trusted_ca_certs: "" +# auto_generated_ca_lifetime_days: ############################################################################### # Edge Agent module spec diff --git a/edgelet/edgelet-core/src/lib.rs b/edgelet/edgelet-core/src/lib.rs index 163f9082518..cabee8bc4c8 100644 --- a/edgelet/edgelet-core/src/lib.rs +++ b/edgelet/edgelet-core/src/lib.rs @@ -48,6 +48,9 @@ pub use settings::{ }; pub use workload::WorkloadConfig; +/// This is the default auto generated certificate life +pub const DEFAULT_AUTO_GENERATED_CA_LIFETIME_DAYS: u16 = 90; + lazy_static! { static ref VERSION: &'static str = option_env!("VERSION").unwrap_or_else(|| include_str!("../../version.txt").trim()); diff --git a/edgelet/edgelet-core/src/settings.rs b/edgelet/edgelet-core/src/settings.rs index 9106348e6aa..ca0df0f64ec 100644 --- a/edgelet/edgelet-core/src/settings.rs +++ b/edgelet/edgelet-core/src/settings.rs @@ -11,6 +11,7 @@ use url_serde; use crate::crypto::MemoryKey; use crate::error::{Error, ErrorKind}; use crate::module::ModuleSpec; +use crate::DEFAULT_AUTO_GENERATED_CA_LIFETIME_DAYS; const DEVICEID_KEY: &str = "DeviceId"; const HOSTNAME_KEY: &str = "HostName"; @@ -320,6 +321,13 @@ impl Listen { #[derive(Clone, Debug, serde_derive::Deserialize, serde_derive::Serialize)] pub struct Certificates { + #[serde(flatten)] + device_cert: Option, + auto_generated_ca_lifetime_days: u16, +} + +#[derive(Clone, Debug, serde_derive::Deserialize, serde_derive::Serialize)] +pub struct DeviceCertificate { device_ca_cert: String, device_ca_pk: String, trusted_ca_certs: String, @@ -392,6 +400,17 @@ fn convert_to_uri(maybe_uri: &str, setting_name: &'static str) -> Result Option<&DeviceCertificate> { + self.device_cert.as_ref() + } + + pub fn auto_generated_ca_lifetime_seconds(&self) -> u64 { + // Convert days to seconds (86,400 seconds per day) + u64::from(self.auto_generated_ca_lifetime_days) * 86_400 + } +} + +impl DeviceCertificate { pub fn device_ca_cert(&self) -> Result { convert_to_path(&self.device_ca_cert, "certificates.device_ca_cert") } @@ -478,7 +497,7 @@ pub trait RuntimeSettings { fn connect(&self) -> &Connect; fn listen(&self) -> &Listen; fn homedir(&self) -> &Path; - fn certificates(&self) -> Option<&Certificates>; + fn certificates(&self) -> &Certificates; fn watchdog(&self) -> &WatchdogSettings; } @@ -529,8 +548,15 @@ where &self.homedir } - fn certificates(&self) -> Option<&Certificates> { - self.certificates.as_ref() + // Certificates is left as an option for backward compat + fn certificates(&self) -> &Certificates { + match &self.certificates { + None => &Certificates { + device_cert: None, + auto_generated_ca_lifetime_days: DEFAULT_AUTO_GENERATED_CA_LIFETIME_DAYS, + }, + Some(c) => c, + } } fn watchdog(&self) -> &WatchdogSettings { diff --git a/edgelet/edgelet-docker/config/unix/default.yaml b/edgelet/edgelet-docker/config/unix/default.yaml index b5dabaa0025..c7dd41eef29 100644 --- a/edgelet/edgelet-docker/config/unix/default.yaml +++ b/edgelet/edgelet-docker/config/unix/default.yaml @@ -25,3 +25,6 @@ homedir: "/var/lib/iotedge" moby_runtime: uri: "unix:///var/run/docker.sock" network: "azure-iot-edge" + +certificates: + auto_generated_ca_lifetime_days: 90 diff --git a/edgelet/edgelet-docker/config/windows/default.yaml b/edgelet/edgelet-docker/config/windows/default.yaml index 5e01d592304..a50dcdab612 100644 --- a/edgelet/edgelet-docker/config/windows/default.yaml +++ b/edgelet/edgelet-docker/config/windows/default.yaml @@ -25,3 +25,6 @@ homedir: "C:\\ProgramData\\iotedge" moby_runtime: uri: "npipe://./pipe/iotedge_moby_engine" network: "nat" + +certificates: + auto_generated_ca_lifetime_days: 90 diff --git a/edgelet/edgelet-docker/src/runtime.rs b/edgelet/edgelet-docker/src/runtime.rs index e5f75b83353..c7fd86f46bc 100644 --- a/edgelet/edgelet-docker/src/runtime.rs +++ b/edgelet/edgelet-docker/src/runtime.rs @@ -1216,7 +1216,7 @@ mod tests { unimplemented!() } - fn certificates(&self) -> Option<&Certificates> { + fn certificates(&self) -> &Certificates { unimplemented!() } diff --git a/edgelet/edgelet-docker/src/settings.rs b/edgelet/edgelet-docker/src/settings.rs index 127a74facdd..e0a6fcdf5ae 100644 --- a/edgelet/edgelet-docker/src/settings.rs +++ b/edgelet/edgelet-docker/src/settings.rs @@ -116,7 +116,7 @@ impl RuntimeSettings for Settings { self.base.homedir() } - fn certificates(&self) -> Option<&Certificates> { + fn certificates(&self) -> &Certificates { self.base.certificates() } @@ -501,7 +501,7 @@ mod tests { ); let settings = Settings::new(Some(&settings_path)).expect("Settings create failed"); println!("{:?}", settings); - let certificates = settings.certificates(); + let certificates = settings.certificates().device_cert(); certificates .map(|c| { let path = c.device_ca_cert().expect("Did not obtain device CA cert"); @@ -532,7 +532,7 @@ mod tests { ); let settings = Settings::new(Some(&settings_path)).unwrap(); println!("{:?}", settings); - let certificates = settings.certificates(); + let certificates = settings.certificates().device_cert(); certificates .map(|c| { let path = c.device_ca_cert().expect("Did not obtain device CA cert"); diff --git a/edgelet/edgelet-docker/test/linux/sample_settings.yaml b/edgelet/edgelet-docker/test/linux/sample_settings.yaml index f51d1985c78..c1eefc16782 100644 --- a/edgelet/edgelet-docker/test/linux/sample_settings.yaml +++ b/edgelet/edgelet-docker/test/linux/sample_settings.yaml @@ -17,6 +17,9 @@ hostname: "localhost" watchdog: max_retries: 3 +certificates: + auto_generated_ca_lifetime_days: 1 + # Sets the connection uris for clients connect: workload_uri: "http://localhost:8081" diff --git a/edgelet/edgelet-docker/test/windows/sample_settings.yaml b/edgelet/edgelet-docker/test/windows/sample_settings.yaml index 35a21df0ba2..de2bbc79382 100644 --- a/edgelet/edgelet-docker/test/windows/sample_settings.yaml +++ b/edgelet/edgelet-docker/test/windows/sample_settings.yaml @@ -17,6 +17,9 @@ hostname: "localhost" watchdog: max_retries: 3 +certificates: + auto_generated_ca_lifetime_days: 1 + # Sets the connection uris for clients connect: workload_uri: "http://localhost:8081" diff --git a/edgelet/edgelet-hsm/src/crypto.rs b/edgelet/edgelet-hsm/src/crypto.rs index e32ae2904d0..8f5b77190eb 100644 --- a/edgelet/edgelet-hsm/src/crypto.rs +++ b/edgelet/edgelet-hsm/src/crypto.rs @@ -44,8 +44,11 @@ unsafe impl Send for Crypto {} unsafe impl Sync for Crypto {} impl Crypto { - pub fn new(hsm_lock: Arc) -> Result { - let hsm = HsmCrypto::new()?; + pub fn new( + hsm_lock: Arc, + auto_generated_ca_lifetime_seconds: u64, + ) -> Result { + let hsm = HsmCrypto::new(auto_generated_ca_lifetime_seconds)?; Crypto::from_hsm(hsm, hsm_lock) } diff --git a/edgelet/edgelet-hsm/src/x509.rs b/edgelet/edgelet-hsm/src/x509.rs index daaf8231f28..6d75d66b63d 100644 --- a/edgelet/edgelet-hsm/src/x509.rs +++ b/edgelet/edgelet-hsm/src/x509.rs @@ -33,8 +33,8 @@ unsafe impl Send for X509 {} unsafe impl Sync for X509 {} impl X509 { - pub fn new(hsm_lock: Arc) -> Result { - let hsm = HsmX509::new()?; + pub fn new(hsm_lock: Arc, auto_generated_ca_validity: u64) -> Result { + let hsm = HsmX509::new(auto_generated_ca_validity)?; X509::from_hsm(hsm, hsm_lock) } diff --git a/edgelet/edgelet-hsm/tests/crypto_create_cert_input_fail.rs b/edgelet/edgelet-hsm/tests/crypto_create_cert_input_fail.rs index 66e99b86f4e..d4660a42381 100644 --- a/edgelet/edgelet-hsm/tests/crypto_create_cert_input_fail.rs +++ b/edgelet/edgelet-hsm/tests/crypto_create_cert_input_fail.rs @@ -23,7 +23,7 @@ fn crypto_create_cert_input_fail() { let _setup_home_dir = TestHSMEnvSetup::new(&LOCK, None); let hsm_lock = HsmLock::new(); - let crypto = Crypto::new(hsm_lock).unwrap(); + let crypto = Crypto::new(hsm_lock, 1000).unwrap(); let edgelet_ca_props = CertificateProperties::new( 3600, diff --git a/edgelet/edgelet-hsm/tests/crypto_create_cert_success.rs b/edgelet/edgelet-hsm/tests/crypto_create_cert_success.rs index 8c0c40a6ae7..952db630e93 100644 --- a/edgelet/edgelet-hsm/tests/crypto_create_cert_success.rs +++ b/edgelet/edgelet-hsm/tests/crypto_create_cert_success.rs @@ -25,7 +25,7 @@ fn crypto_create_cert_success() { let _setup_home_dir = TestHSMEnvSetup::new(&LOCK, None); let hsm_lock = HsmLock::new(); - let crypto = Crypto::new(hsm_lock).unwrap(); + let crypto = Crypto::new(hsm_lock, 1000).unwrap(); // tests to ensure that the Device CA alias exists and is valid assert!(crypto diff --git a/edgelet/edgelet-hsm/tests/crypto_encrypt_decrypt_success.rs b/edgelet/edgelet-hsm/tests/crypto_encrypt_decrypt_success.rs index eeee8d012e5..c55af764d0c 100644 --- a/edgelet/edgelet-hsm/tests/crypto_encrypt_decrypt_success.rs +++ b/edgelet/edgelet-hsm/tests/crypto_encrypt_decrypt_success.rs @@ -22,7 +22,7 @@ fn crypto_encrypt_decypt_success() { let _setup_home_dir = TestHSMEnvSetup::new(&LOCK, None); let hsm_lock = HsmLock::new(); - let crypto = Crypto::new(hsm_lock).unwrap(); + let crypto = Crypto::new(hsm_lock, 1000).unwrap(); let client_id = b"module1"; let plaintext = b"plaintext"; diff --git a/edgelet/edgelet-hsm/tests/crypto_get_random.rs b/edgelet/edgelet-hsm/tests/crypto_get_random.rs index d2af17dab5f..79508da6982 100644 --- a/edgelet/edgelet-hsm/tests/crypto_get_random.rs +++ b/edgelet/edgelet-hsm/tests/crypto_get_random.rs @@ -21,7 +21,7 @@ fn crypto_random_bytes() { let _setup_home_dir = TestHSMEnvSetup::new(&LOCK, None); let hsm_lock = HsmLock::new(); - let crypto = Crypto::new(hsm_lock).unwrap(); + let crypto = Crypto::new(hsm_lock, 1000).unwrap(); // act let smz: [u8; 16] = [0; 16]; diff --git a/edgelet/edgelet-hsm/tests/crypto_get_trust_bundle.rs b/edgelet/edgelet-hsm/tests/crypto_get_trust_bundle.rs index 153f0208788..2462a764372 100644 --- a/edgelet/edgelet-hsm/tests/crypto_get_trust_bundle.rs +++ b/edgelet/edgelet-hsm/tests/crypto_get_trust_bundle.rs @@ -21,7 +21,7 @@ fn crypto_get_trust_bundle() { let _setup_home_dir = TestHSMEnvSetup::new(&LOCK, None); let hsm_lock = HsmLock::new(); - let crypto = Crypto::new(hsm_lock).unwrap(); + let crypto = Crypto::new(hsm_lock, 1000).unwrap(); // act let cert_info = crypto.get_trust_bundle().unwrap(); diff --git a/edgelet/edgelet-hsm/tests/crypto_master_key_success.rs b/edgelet/edgelet-hsm/tests/crypto_master_key_success.rs index cf9be94eaaa..e78ddfac62c 100644 --- a/edgelet/edgelet-hsm/tests/crypto_master_key_success.rs +++ b/edgelet/edgelet-hsm/tests/crypto_master_key_success.rs @@ -22,7 +22,7 @@ fn crypto_master_key_success() { let _setup_home_dir = TestHSMEnvSetup::new(&LOCK, None); let hsm_lock = HsmLock::new(); - let crypto = Crypto::new(hsm_lock).unwrap(); + let crypto = Crypto::new(hsm_lock, 1000).unwrap(); crypto .destroy_key() diff --git a/edgelet/edgelet-hsm/tests/x509_get_configured_identity_cert_success.rs b/edgelet/edgelet-hsm/tests/x509_get_configured_identity_cert_success.rs index 29837524957..7719347bc3c 100644 --- a/edgelet/edgelet-hsm/tests/x509_get_configured_identity_cert_success.rs +++ b/edgelet/edgelet-hsm/tests/x509_get_configured_identity_cert_success.rs @@ -51,7 +51,7 @@ fn x509_get_conf_identity_cert_success() { setup_configured_id_cert(home_dir.get_path()); let hsm_lock = HsmLock::new(); - let x509 = X509::new(hsm_lock).unwrap(); + let x509 = X509::new(hsm_lock, 1000).unwrap(); let cert_info = x509.get().unwrap(); diff --git a/edgelet/edgelet-hsm/tests/x509_get_identity_cert_fails_when_env_vars_not_set.rs b/edgelet/edgelet-hsm/tests/x509_get_identity_cert_fails_when_env_vars_not_set.rs index b9dcaf6c7a3..40ba86052bc 100644 --- a/edgelet/edgelet-hsm/tests/x509_get_identity_cert_fails_when_env_vars_not_set.rs +++ b/edgelet/edgelet-hsm/tests/x509_get_identity_cert_fails_when_env_vars_not_set.rs @@ -20,6 +20,6 @@ fn x509_get_identity_cert_fails() { let _setup_home_dir = TestHSMEnvSetup::new(&LOCK, None); let hsm_lock = HsmLock::new(); - let x509 = X509::new(hsm_lock).unwrap(); + let x509 = X509::new(hsm_lock, 1000).unwrap(); assert!(x509.get().is_err()); } diff --git a/edgelet/edgelet-hsm/tests/x509_get_identity_cert_fails_when_id_cert_env_is_missing.rs b/edgelet/edgelet-hsm/tests/x509_get_identity_cert_fails_when_id_cert_env_is_missing.rs index bd252064589..7e9bbfca122 100644 --- a/edgelet/edgelet-hsm/tests/x509_get_identity_cert_fails_when_id_cert_env_is_missing.rs +++ b/edgelet/edgelet-hsm/tests/x509_get_identity_cert_fails_when_id_cert_env_is_missing.rs @@ -37,5 +37,5 @@ fn x509_get_conf_x509_identity_missing_cert_env_fails() { setup_configured_id_cert(home_dir.get_path()); let hsm_lock = HsmLock::new(); - assert!(X509::new(hsm_lock).is_err()); + assert!(X509::new(hsm_lock, 1000).is_err()); } diff --git a/edgelet/edgelet-hsm/tests/x509_get_identity_cert_fails_when_id_pk_env_is_missing.rs b/edgelet/edgelet-hsm/tests/x509_get_identity_cert_fails_when_id_pk_env_is_missing.rs index 7ee1fe5df92..813a8fa76d5 100644 --- a/edgelet/edgelet-hsm/tests/x509_get_identity_cert_fails_when_id_pk_env_is_missing.rs +++ b/edgelet/edgelet-hsm/tests/x509_get_identity_cert_fails_when_id_pk_env_is_missing.rs @@ -42,5 +42,5 @@ fn x509_get_conf_x509_identity_missing_pk_env_fails() { setup_configured_id_cert(home_dir.get_path()); let hsm_lock = HsmLock::new(); - assert!(X509::new(hsm_lock).is_err()); + assert!(X509::new(hsm_lock, 1000).is_err()); } diff --git a/edgelet/edgelet-http-workload/tests/dns-san.rs b/edgelet/edgelet-http-workload/tests/dns-san.rs index ddac5fc6f2e..6ea00d9974e 100755 --- a/edgelet/edgelet-http-workload/tests/dns-san.rs +++ b/edgelet/edgelet-http-workload/tests/dns-san.rs @@ -85,7 +85,7 @@ impl WorkloadConfig for Config { } fn init_crypto() -> Crypto { - let crypto = Crypto::new(HsmLock::new()).unwrap(); + let crypto = Crypto::new(HsmLock::new(), 1000).unwrap(); // create the default issuing CA cert let edgelet_ca_props = CertificateProperties::new( diff --git a/edgelet/edgelet-http/tests/tls.rs b/edgelet/edgelet-http/tests/tls.rs index 67f587dd511..4d67bde7a35 100644 --- a/edgelet/edgelet-http/tests/tls.rs +++ b/edgelet/edgelet-http/tests/tls.rs @@ -64,7 +64,7 @@ pub fn configure_test(address: &str) -> Run { println!("IOTEDGE_HOMEDIR set to {:#?}", home_dir.path()); let hsm_lock = HsmLock::new(); - let crypto = Crypto::new(hsm_lock).unwrap(); + let crypto = Crypto::new(hsm_lock, 1000).unwrap(); // create the default issuing CA cert properties let edgelet_ca_props = CertificateProperties::new( diff --git a/edgelet/edgelet-kube/src/settings.rs b/edgelet/edgelet-kube/src/settings.rs index 69a01b6cad5..85844ef7d55 100644 --- a/edgelet/edgelet-kube/src/settings.rs +++ b/edgelet/edgelet-kube/src/settings.rs @@ -141,7 +141,7 @@ impl RuntimeSettings for Settings { self.base.homedir() } - fn certificates(&self) -> Option<&Certificates> { + fn certificates(&self) -> &Certificates { self.base.certificates() } diff --git a/edgelet/edgelet-kube/tests/runtime.rs b/edgelet/edgelet-kube/tests/runtime.rs index 2beaab0bf98..450890684f4 100644 --- a/edgelet/edgelet-kube/tests/runtime.rs +++ b/edgelet/edgelet-kube/tests/runtime.rs @@ -376,7 +376,7 @@ impl RuntimeSettings for TestKubeSettings { self.kube_settings.homedir() } - fn certificates(&self) -> Option<&Certificates> { + fn certificates(&self) -> &Certificates { self.kube_settings.certificates() } diff --git a/edgelet/edgelet-test-utils/src/module.rs b/edgelet/edgelet-test-utils/src/module.rs index 11278a4f53c..f3019b9d331 100644 --- a/edgelet/edgelet-test-utils/src/module.rs +++ b/edgelet/edgelet-test-utils/src/module.rs @@ -106,7 +106,7 @@ impl RuntimeSettings for TestSettings { unimplemented!() } - fn certificates(&self) -> Option<&Certificates> { + fn certificates(&self) -> &Certificates { unimplemented!() } diff --git a/edgelet/hsm-rs/examples/x509_example.rs b/edgelet/hsm-rs/examples/x509_example.rs index f05ac0f41e2..f0a06db40c7 100644 --- a/edgelet/hsm-rs/examples/x509_example.rs +++ b/edgelet/hsm-rs/examples/x509_example.rs @@ -6,6 +6,6 @@ use hsm::{GetDeviceIdentityCertificate, X509}; fn main() { - let hsm_x509 = X509::new().unwrap(); + let hsm_x509 = X509::new(1000).unwrap(); println!("common name = {}", hsm_x509.get_common_name().unwrap()); } diff --git a/edgelet/hsm-rs/src/crypto.rs b/edgelet/hsm-rs/src/crypto.rs index f21d0cbed41..d9d6362a47a 100644 --- a/edgelet/hsm-rs/src/crypto.rs +++ b/edgelet/hsm-rs/src/crypto.rs @@ -53,8 +53,8 @@ impl Drop for Crypto { impl Crypto { /// Create a new Cryptography implementation for the HSM API. - pub fn new() -> Result { - let result = unsafe { hsm_client_crypto_init() as isize }; + pub fn new(auto_generated_ca_lifetime_seconds: u64) -> Result { + let result = unsafe { hsm_client_crypto_init(auto_generated_ca_lifetime_seconds) as isize }; if result != 0 { return Err(result.into()); } diff --git a/edgelet/hsm-rs/src/x509.rs b/edgelet/hsm-rs/src/x509.rs index b2224869acc..a3cc2ab6152 100644 --- a/edgelet/hsm-rs/src/x509.rs +++ b/edgelet/hsm-rs/src/x509.rs @@ -37,8 +37,8 @@ impl Drop for X509 { impl X509 { /// Create a new x509 implementation for the HSM API. - pub fn new() -> Result { - let result = unsafe { hsm_client_x509_init() as isize }; + pub fn new(auto_generated_cert_lifetime: u64) -> Result { + let result = unsafe { hsm_client_x509_init(auto_generated_cert_lifetime) as isize }; if result != 0 { return Err(result.into()); } diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/inc/hsm_client_data.h b/edgelet/hsm-sys/azure-iot-hsm-c/inc/hsm_client_data.h index 24604e97c22..568350aa103 100644 --- a/edgelet/hsm-sys/azure-iot-hsm-c/inc/hsm_client_data.h +++ b/edgelet/hsm-sys/azure-iot-hsm-c/inc/hsm_client_data.h @@ -18,7 +18,7 @@ extern "C" { /** @file */ -#define AZURE_IOT_HSM_VERSION "1.0.2" +#define AZURE_IOT_HSM_VERSION "1.0.3" typedef void* HSM_CLIENT_HANDLE; @@ -358,11 +358,11 @@ extern const HSM_CLIENT_TPM_INTERFACE* hsm_client_tpm_interface(); extern const HSM_CLIENT_X509_INTERFACE* hsm_client_x509_interface(); extern const HSM_CLIENT_CRYPTO_INTERFACE* hsm_client_crypto_interface(); -extern int hsm_client_x509_init(); +extern int hsm_client_x509_init(uint64_t); extern void hsm_client_x509_deinit(); extern int hsm_client_tpm_init(); extern void hsm_client_tpm_deinit(); -extern int hsm_client_crypto_init(); +extern int hsm_client_crypto_init(uint64_t); extern void hsm_client_crypto_deinit(); extern const char* hsm_get_device_ca_alias(void); extern const char* hsm_get_version(void); diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/src/edge_hsm_client_crypto.c b/edgelet/hsm-sys/azure-iot-hsm-c/src/edge_hsm_client_crypto.c index 25340244308..24d0b42f9e0 100644 --- a/edgelet/hsm-sys/azure-iot-hsm-c/src/edge_hsm_client_crypto.c +++ b/edgelet/hsm-sys/azure-iot-hsm-c/src/edge_hsm_client_crypto.c @@ -23,7 +23,7 @@ static const HSM_CLIENT_KEY_INTERFACE* g_hsm_key_if = NULL; static bool g_is_crypto_initialized = false; static unsigned int g_crypto_ref = 0; -int hsm_client_crypto_init(void) +int hsm_client_crypto_init(uint64_t auto_generated_ca_lifetime) { int result; @@ -42,7 +42,7 @@ int hsm_client_crypto_init(void) LOG_ERROR("HSM key interface not available"); result = __FAILURE__; } - else if ((status = store_if->hsm_client_store_create(EDGE_STORE_NAME)) != 0) + else if ((status = store_if->hsm_client_store_create(EDGE_STORE_NAME, auto_generated_ca_lifetime)) != 0) { LOG_ERROR("Could not create store. Error code %d", status); result = __FAILURE__; diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/src/edge_hsm_client_store.c b/edgelet/hsm-sys/azure-iot-hsm-c/src/edge_hsm_client_store.c index efea5f24336..09f96708f63 100644 --- a/edgelet/hsm-sys/azure-iot-hsm-c/src/edge_hsm_client_store.c +++ b/edgelet/hsm-sys/azure-iot-hsm-c/src/edge_hsm_client_store.c @@ -1556,12 +1556,12 @@ static int load_if_cert_and_key_exist_by_alias return result; } -static int create_owner_ca_cert(void) +static int create_owner_ca_cert(uint64_t validity) { int result; CERT_PROPS_HANDLE ca_props; ca_props = create_ca_certificate_properties(OWNER_CA_COMMON_NAME, - CA_VALIDITY, + validity, OWNER_CA_ALIAS, OWNER_CA_ALIAS, CERTIFICATE_TYPE_CA); @@ -1580,12 +1580,12 @@ static int create_owner_ca_cert(void) return result; } -static int create_device_ca_cert(void) +static int create_device_ca_cert(uint64_t validity) { int result; CERT_PROPS_HANDLE ca_props; ca_props = create_ca_certificate_properties(DEVICE_CA_COMMON_NAME, - CA_VALIDITY, + validity, hsm_get_device_ca_alias(), OWNER_CA_ALIAS, CERTIFICATE_TYPE_CA); @@ -1610,7 +1610,7 @@ static int create_device_ca_cert(void) * Validate each certificate since it might have expired or the issuer certificate has been * modified. */ -static int generate_edge_hsm_certificates_if_needed(void) +static int generate_edge_hsm_certificates_if_needed(uint64_t auto_generated_ca_lifetime) { int result; @@ -1627,11 +1627,11 @@ static int generate_edge_hsm_certificates_if_needed(void) (load_status == LOAD_ERR_NOT_FOUND)) { LOG_INFO("Load status %d. Regenerating owner and device CA certs and keys", load_status); - if (create_owner_ca_cert() != 0) + if (create_owner_ca_cert(auto_generated_ca_lifetime) != 0) { result = __FAILURE__; } - else if (create_device_ca_cert() != 0) + else if (create_device_ca_cert(auto_generated_ca_lifetime) != 0) { result = __FAILURE__; } @@ -1655,7 +1655,7 @@ static int generate_edge_hsm_certificates_if_needed(void) (load_status == LOAD_ERR_NOT_FOUND)) { LOG_DEBUG("Load status %d. Generating device CA cert and key", load_status); - if (create_device_ca_cert() != 0) + if (create_device_ca_cert(auto_generated_ca_lifetime) != 0) { result = __FAILURE__; } @@ -1828,7 +1828,7 @@ static int hsm_provision_edge_id_certificate(void) return result; } -static int hsm_provision_edge_ca_certificates(void) +static int hsm_provision_edge_ca_certificates(uint64_t auto_generated_ca_lifetime) { int result; unsigned int mask = 0, i = 0; @@ -1912,7 +1912,7 @@ static int hsm_provision_edge_ca_certificates(void) result = __FAILURE__; } // none of the certificate files were provided so generate them if needed - else if (!env_set && (generate_edge_hsm_certificates_if_needed() != 0)) + else if (!env_set && (generate_edge_hsm_certificates_if_needed(auto_generated_ca_lifetime) != 0)) { LOG_ERROR("Failure generating required HSM certificates"); result = __FAILURE__; @@ -1968,7 +1968,7 @@ static int hsm_provision_edge_ca_certificates(void) return result; } -static int hsm_provision(void) +static int hsm_provision(uint64_t auto_generated_ca_lifetime) { int result; @@ -1978,7 +1978,7 @@ static int hsm_provision(void) "Set environment variable IOTEDGE_HOMEDIR to a valid path."); result = __FAILURE__; } - else if (hsm_provision_edge_ca_certificates() != 0) + else if (hsm_provision_edge_ca_certificates(auto_generated_ca_lifetime) != 0) { result = __FAILURE__; } @@ -1998,7 +1998,7 @@ static int hsm_deprovision(void) //############################################################################## // Store interface implementation //############################################################################## -static int edge_hsm_client_store_create(const char* store_name) +static int edge_hsm_client_store_create(const char* store_name, uint64_t auto_generated_ca_lifetime) { int result; @@ -2017,7 +2017,7 @@ static int edge_hsm_client_store_create(const char* store_name) } else { - if (hsm_provision() != 0) + if (hsm_provision(auto_generated_ca_lifetime) != 0) { destroy_store(g_crypto_store); g_crypto_store = NULL; diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/src/edge_hsm_client_x509.c b/edgelet/hsm-sys/azure-iot-hsm-c/src/edge_hsm_client_x509.c index 2cc204395af..a9811a55b53 100644 --- a/edgelet/hsm-sys/azure-iot-hsm-c/src/edge_hsm_client_x509.c +++ b/edgelet/hsm-sys/azure-iot-hsm-c/src/edge_hsm_client_x509.c @@ -30,13 +30,13 @@ static CERT_INFO_HANDLE edge_x509_hsm_get_cert_info(HSM_CLIENT_HANDLE hsm_handle //############################################################################## // Interface implementation //############################################################################## -int hsm_client_x509_init() +int hsm_client_x509_init(uint64_t auto_generated_cert_lifetime) { int result; if (!g_is_x509_initialized) { - result = hsm_client_crypto_init(); + result = hsm_client_crypto_init(auto_generated_cert_lifetime); if (result == 0) { g_is_x509_initialized = true; diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/src/hsm_client_store.h b/edgelet/hsm-sys/azure-iot-hsm-c/src/hsm_client_store.h index d6ea0b85b67..aed345eed6f 100644 --- a/edgelet/hsm-sys/azure-iot-hsm-c/src/hsm_client_store.h +++ b/edgelet/hsm-sys/azure-iot-hsm-c/src/hsm_client_store.h @@ -16,7 +16,7 @@ extern "C" { #include "hsm_key_interface.h" typedef void* HSM_CLIENT_STORE_HANDLE; -typedef int (*HSM_CLIENT_STORE_CREATE)(const char* store_name); +typedef int (*HSM_CLIENT_STORE_CREATE)(const char* store_name, uint64_t auto_generated_ca_lifetime); typedef int (*HSM_CLIENT_STORE_DESTROY)(const char* store_name); typedef HSM_CLIENT_STORE_HANDLE (*HSM_CLIENT_STORE_OPEN)(const char* store_name); typedef int (*HSM_CLIENT_STORE_CLOSE)(HSM_CLIENT_STORE_HANDLE handle); diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/src/hsm_client_tpm_in_mem.c b/edgelet/hsm-sys/azure-iot-hsm-c/src/hsm_client_tpm_in_mem.c index 7ba6131a674..da35c4bcc89 100644 --- a/edgelet/hsm-sys/azure-iot-hsm-c/src/hsm_client_tpm_in_mem.c +++ b/edgelet/hsm-sys/azure-iot-hsm-c/src/hsm_client_tpm_in_mem.c @@ -40,7 +40,7 @@ int hsm_client_tpm_store_init(void) LOG_ERROR("HSM key interface not available"); result = __FAILURE__; } - else if ((status = store_if->hsm_client_store_create(EDGE_STORE_NAME)) != 0) + else if ((status = store_if->hsm_client_store_create(EDGE_STORE_NAME, CA_VALIDITY)) != 0) { LOG_ERROR("Could not create store. Error code %d", status); result = __FAILURE__; diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_client_x509_int/edge_hsm_client_x509_int.c b/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_client_x509_int/edge_hsm_client_x509_int.c index 45b2a821274..b18b7f0f98c 100644 --- a/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_client_x509_int/edge_hsm_client_x509_int.c +++ b/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_client_x509_int/edge_hsm_client_x509_int.c @@ -222,7 +222,7 @@ BEGIN_TEST_SUITE(edge_hsm_client_x509_int) //arrange // act - hsm_client_x509_init(); + hsm_client_x509_init(TEST_VALIDITY); // assert @@ -236,7 +236,7 @@ BEGIN_TEST_SUITE(edge_hsm_client_x509_int) hsm_test_util_setenv(ENV_DEVICE_ID_CERTIFICATE_PATH, TEST_DEVICE_ID_CERT_RSA_FILE); hsm_test_util_setenv(ENV_DEVICE_ID_PRIVATE_KEY_PATH, TEST_DEVICE_ID_PK_RSA_FILE); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); - hsm_client_x509_init(); + hsm_client_x509_init(TEST_VALIDITY); HSM_CLIENT_CREATE hsm_handle = interface->hsm_client_x509_create(); ASSERT_IS_NOT_NULL(hsm_handle, "Line:" TOSTRING(__LINE__)); @@ -259,7 +259,7 @@ BEGIN_TEST_SUITE(edge_hsm_client_x509_int) hsm_test_util_setenv(ENV_DEVICE_ID_CERTIFICATE_PATH, TEST_DEVICE_ID_CERT_RSA_FILE); hsm_test_util_setenv(ENV_DEVICE_ID_PRIVATE_KEY_PATH, TEST_DEVICE_ID_PK_RSA_FILE); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); - hsm_client_x509_init(); + hsm_client_x509_init(TEST_VALIDITY); HSM_CLIENT_CREATE hsm_handle = interface->hsm_client_x509_create(); ASSERT_IS_NOT_NULL(hsm_handle, "Line:" TOSTRING(__LINE__)); @@ -282,7 +282,7 @@ BEGIN_TEST_SUITE(edge_hsm_client_x509_int) hsm_test_util_setenv(ENV_DEVICE_ID_CERTIFICATE_PATH, TEST_DEVICE_ID_CERT_RSA_FILE); hsm_test_util_setenv(ENV_DEVICE_ID_PRIVATE_KEY_PATH, TEST_DEVICE_ID_PK_RSA_FILE); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); - hsm_client_x509_init(); + hsm_client_x509_init(TEST_VALIDITY); HSM_CLIENT_CREATE hsm_handle = interface->hsm_client_x509_create(); ASSERT_IS_NOT_NULL(hsm_handle, "Line:" TOSTRING(__LINE__)); @@ -303,7 +303,7 @@ BEGIN_TEST_SUITE(edge_hsm_client_x509_int) { //arrange const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); - hsm_client_x509_init(); + hsm_client_x509_init(TEST_VALIDITY); HSM_CLIENT_CREATE hsm_handle = interface->hsm_client_x509_create(); ASSERT_IS_NOT_NULL(hsm_handle, "Line:" TOSTRING(__LINE__)); @@ -326,7 +326,7 @@ BEGIN_TEST_SUITE(edge_hsm_client_x509_int) hsm_test_util_setenv(ENV_DEVICE_ID_CERTIFICATE_PATH, TEST_DEVICE_ID_CERT_RSA_FILE); hsm_test_util_setenv(ENV_DEVICE_ID_PRIVATE_KEY_PATH, TEST_DEVICE_ID_PK_RSA_FILE); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); - hsm_client_x509_init(); + hsm_client_x509_init(TEST_VALIDITY); HSM_CLIENT_CREATE hsm_handle = interface->hsm_client_x509_create(); // act @@ -356,7 +356,7 @@ BEGIN_TEST_SUITE(edge_hsm_client_x509_int) hsm_test_util_setenv(ENV_DEVICE_ID_CERTIFICATE_PATH, "blah.txt"); hsm_test_util_setenv(ENV_DEVICE_ID_PRIVATE_KEY_PATH, TEST_DEVICE_ID_PK_RSA_FILE); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); - hsm_client_x509_init(); + hsm_client_x509_init(TEST_VALIDITY); HSM_CLIENT_CREATE hsm_handle = interface->hsm_client_x509_create(); // act @@ -378,7 +378,7 @@ BEGIN_TEST_SUITE(edge_hsm_client_x509_int) //arrange hsm_test_util_setenv(ENV_DEVICE_ID_PRIVATE_KEY_PATH, TEST_DEVICE_ID_PK_RSA_FILE); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); - hsm_client_x509_init(); + hsm_client_x509_init(TEST_VALIDITY); HSM_CLIENT_CREATE hsm_handle = interface->hsm_client_x509_create(); // act @@ -400,7 +400,7 @@ BEGIN_TEST_SUITE(edge_hsm_client_x509_int) hsm_test_util_setenv(ENV_DEVICE_ID_CERTIFICATE_PATH, TEST_DEVICE_ID_CERT_RSA_FILE); hsm_test_util_setenv(ENV_DEVICE_ID_PRIVATE_KEY_PATH, "blah.txt"); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); - hsm_client_x509_init(); + hsm_client_x509_init(TEST_VALIDITY); HSM_CLIENT_CREATE hsm_handle = interface->hsm_client_x509_create(); // act @@ -422,7 +422,7 @@ BEGIN_TEST_SUITE(edge_hsm_client_x509_int) //arrange hsm_test_util_setenv(ENV_DEVICE_ID_CERTIFICATE_PATH, TEST_DEVICE_ID_CERT_RSA_FILE); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); - hsm_client_x509_init(); + hsm_client_x509_init(TEST_VALIDITY); HSM_CLIENT_CREATE hsm_handle = interface->hsm_client_x509_create(); // act diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_crypto_int/edge_hsm_crypto_int.c b/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_crypto_int/edge_hsm_crypto_int.c index 031f65dded3..ff85397473e 100644 --- a/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_crypto_int/edge_hsm_crypto_int.c +++ b/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_crypto_int/edge_hsm_crypto_int.c @@ -352,7 +352,7 @@ static void test_helper_teardown_homedir(void) static HSM_CLIENT_HANDLE test_helper_crypto_init(void) { int status; - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_HANDLE result = interface->hsm_client_crypto_create(); @@ -1009,43 +1009,43 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_int_tests) hsm_test_util_setenv(ENV_DEVICE_CA_PATH, device_ca_path); hsm_test_util_unsetenv(ENV_DEVICE_PK_PATH); hsm_test_util_unsetenv(ENV_TRUSTED_CA_CERTS_PATH); - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(CA_VALIDITY); ASSERT_ARE_NOT_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); hsm_test_util_unsetenv(ENV_DEVICE_CA_PATH); hsm_test_util_setenv(ENV_DEVICE_PK_PATH, device_pk_path); hsm_test_util_unsetenv(ENV_TRUSTED_CA_CERTS_PATH); - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(CA_VALIDITY); ASSERT_ARE_NOT_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); hsm_test_util_setenv(ENV_DEVICE_CA_PATH, device_ca_path); hsm_test_util_setenv(ENV_DEVICE_PK_PATH, device_pk_path); hsm_test_util_unsetenv(ENV_TRUSTED_CA_CERTS_PATH); - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(CA_VALIDITY); ASSERT_ARE_NOT_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); hsm_test_util_unsetenv(ENV_DEVICE_CA_PATH); hsm_test_util_unsetenv(ENV_DEVICE_PK_PATH); hsm_test_util_setenv(ENV_TRUSTED_CA_CERTS_PATH, trusted_ca_path); - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(CA_VALIDITY); ASSERT_ARE_NOT_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); hsm_test_util_setenv(ENV_DEVICE_CA_PATH, device_ca_path); hsm_test_util_unsetenv(ENV_DEVICE_PK_PATH); hsm_test_util_setenv(ENV_TRUSTED_CA_CERTS_PATH, trusted_ca_path); - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(CA_VALIDITY); ASSERT_ARE_NOT_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); hsm_test_util_unsetenv(ENV_DEVICE_CA_PATH); hsm_test_util_setenv(ENV_DEVICE_PK_PATH, device_pk_path); hsm_test_util_setenv(ENV_TRUSTED_CA_CERTS_PATH, trusted_ca_path); - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(CA_VALIDITY); ASSERT_ARE_NOT_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); hsm_test_util_setenv(ENV_DEVICE_CA_PATH, INVALID_PATH); hsm_test_util_setenv(ENV_DEVICE_PK_PATH, INVALID_PATH); hsm_test_util_setenv(ENV_TRUSTED_CA_CERTS_PATH, INVALID_PATH); - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(CA_VALIDITY); ASSERT_ARE_NOT_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); // cleanup diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_crypto_ut/edge_hsm_crypto_ut.c b/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_crypto_ut/edge_hsm_crypto_ut.c index 175fc9bd458..219342b70ea 100644 --- a/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_crypto_ut/edge_hsm_crypto_ut.c +++ b/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_crypto_ut/edge_hsm_crypto_ut.c @@ -31,6 +31,7 @@ static void test_hook_gballoc_free(void* ptr) #include "testrunnerswitcher.h" #include "umock_c/umock_c.h" +#include "umock_c/umocktypes_stdint.h" #include "umock_c/umock_c_negative_tests.h" #include "umock_c/umocktypes_charptr.h" @@ -43,7 +44,7 @@ static void test_hook_gballoc_free(void* ptr) #include "azure_c_shared_utility/gballoc.h" // store mocks -MOCKABLE_FUNCTION(, int, mocked_hsm_client_store_create, const char*, store_name); +MOCKABLE_FUNCTION(, int, mocked_hsm_client_store_create, const char*, store_name, uint64_t, auto_generated_ca_lifetime); MOCKABLE_FUNCTION(, int, mocked_hsm_client_store_destroy, const char*, store_name); MOCKABLE_FUNCTION(, HSM_CLIENT_STORE_HANDLE, mocked_hsm_client_store_open, const char*, store_name); MOCKABLE_FUNCTION(, int, mocked_hsm_client_store_close, HSM_CLIENT_STORE_HANDLE, handle); @@ -110,6 +111,9 @@ static TEST_MUTEX_HANDLE g_dllByDll; static const char* TEST_ALIAS_STRING = "test_alias"; static const char* TEST_ISSUER_ALIAS_STRING = "test_issuer_alias"; +// 90 days. +static const uint64_t TEST_CA_VALIDITY = 90 * 24 * 3600; + static const unsigned char TEST_TBS[] = { 't', 'e', 's', 't' }; static const size_t TEST_TBS_SIZE = sizeof(TEST_TBS); @@ -166,8 +170,9 @@ const HSM_CLIENT_KEY_INTERFACE* test_hook_hsm_client_key_interface(void) return &mocked_hsm_client_key_interface; } -static int test_hook_hsm_client_store_create(const char* store_name) +static int test_hook_hsm_client_store_create(const char* store_name, uint64_t auto_generated_ca_lifetime) { + (void)auto_generated_ca_lifetime; (void)store_name; return 0; } @@ -514,6 +519,8 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) REGISTER_GLOBAL_MOCK_HOOK(generate_rand_buffer, test_hook_generate_rand_buffer); REGISTER_GLOBAL_MOCK_FAIL_RETURN(generate_rand_buffer, 1); + + (void)umocktypes_stdint_register_types(); } TEST_SUITE_CLEANUP(TestClassCleanup) @@ -549,10 +556,10 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) int status; EXPECTED_CALL(hsm_client_store_interface()); EXPECTED_CALL(hsm_client_key_interface()); - STRICT_EXPECTED_CALL(mocked_hsm_client_store_create(TEST_EDGE_STORE_NAME)); + STRICT_EXPECTED_CALL(mocked_hsm_client_store_create(TEST_EDGE_STORE_NAME, TEST_CA_VALIDITY)); // act - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); // assert ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); @@ -570,12 +577,12 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) { //arrange int status; - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); umock_c_reset_all_calls(); // act - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); // assert ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); @@ -598,7 +605,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) EXPECTED_CALL(hsm_client_store_interface()); EXPECTED_CALL(hsm_client_key_interface()); - STRICT_EXPECTED_CALL(mocked_hsm_client_store_create(TEST_EDGE_STORE_NAME)); + STRICT_EXPECTED_CALL(mocked_hsm_client_store_create(TEST_EDGE_STORE_NAME, TEST_CA_VALIDITY)); umock_c_negative_tests_snapshot(); @@ -609,7 +616,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) umock_c_negative_tests_fail_call(i); // act - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); // assert ASSERT_ARE_NOT_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); @@ -626,7 +633,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) TEST_FUNCTION(hsm_client_crypto_deinit_success) { //arrange - (void)hsm_client_crypto_init(); + (void)hsm_client_crypto_init(TEST_CA_VALIDITY); umock_c_reset_all_calls(); STRICT_EXPECTED_CALL(mocked_hsm_client_store_destroy(TEST_EDGE_STORE_NAME)); @@ -648,16 +655,16 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) { //arrange int status; - hsm_client_crypto_init(); + hsm_client_crypto_init(TEST_CA_VALIDITY); hsm_client_crypto_deinit(); umock_c_reset_all_calls(); EXPECTED_CALL(hsm_client_store_interface()); EXPECTED_CALL(hsm_client_key_interface()); - STRICT_EXPECTED_CALL(mocked_hsm_client_store_create(TEST_EDGE_STORE_NAME)); + STRICT_EXPECTED_CALL(mocked_hsm_client_store_create(TEST_EDGE_STORE_NAME, TEST_CA_VALIDITY)); // act - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); // assert ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); @@ -724,7 +731,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) { //arrange int status; - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE hsm_client_crypto_create = interface->hsm_client_crypto_create; @@ -757,7 +764,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) int test_result = umock_c_negative_tests_init(); ASSERT_ARE_EQUAL(int, 0, test_result); - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE hsm_client_crypto_create = interface->hsm_client_crypto_create; @@ -832,7 +839,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) { //arrange int status; - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE hsm_client_crypto_create = interface->hsm_client_crypto_create; @@ -888,7 +895,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) TEST_FUNCTION(edge_hsm_client_get_random_bytes_invalid_param_validation) { //arrange - int status = hsm_client_crypto_init(); + int status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE hsm_client_crypto_create = interface->hsm_client_crypto_create; @@ -925,7 +932,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) { //arrange int status; - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE hsm_client_crypto_create = interface->hsm_client_crypto_create; @@ -958,7 +965,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) int test_result = umock_c_negative_tests_init(); ASSERT_ARE_EQUAL(int, 0, test_result); int status; - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE hsm_client_crypto_create = interface->hsm_client_crypto_create; @@ -1018,7 +1025,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) TEST_FUNCTION(edge_hsm_client_create_master_encryption_key_invalid_param_validation) { //arrange - int status = hsm_client_crypto_init(); + int status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE_MASTER_ENCRYPTION_KEY hsm_client_create_master_encryption_key; @@ -1039,7 +1046,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) TEST_FUNCTION(edge_hsm_client_create_master_encryption_key_success) { //arrange - int status = hsm_client_crypto_init(); + int status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE hsm_client_crypto_create = interface->hsm_client_crypto_create; @@ -1087,7 +1094,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) TEST_FUNCTION(edge_hsm_client_destroy_master_encryption_key_invalid_param_validation) { //arrange - int status = hsm_client_crypto_init(); + int status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_DESTROY_MASTER_ENCRYPTION_KEY hsm_client_destroy_master_encryption_key; @@ -1108,7 +1115,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) TEST_FUNCTION(edge_hsm_client_destroy_master_encryption_key_success) { //arrange - int status = hsm_client_crypto_init(); + int status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE hsm_client_crypto_create = interface->hsm_client_crypto_create; @@ -1154,7 +1161,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) TEST_FUNCTION(edge_hsm_client_create_certificate_invalid_param_validation) { //arrange - int status = hsm_client_crypto_init(); + int status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE_CERTIFICATE hsm_client_create_certificate = interface->hsm_client_create_certificate; @@ -1181,7 +1188,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) { //arrange int status; - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE hsm_client_crypto_create = interface->hsm_client_crypto_create; @@ -1218,7 +1225,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) int test_result = umock_c_negative_tests_init(); ASSERT_ARE_EQUAL(int, 0, test_result); int status; - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE hsm_client_crypto_create = interface->hsm_client_crypto_create; @@ -1281,7 +1288,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) TEST_FUNCTION(edge_hsm_client_get_trust_bundle_invalid_param_validation) { //arrange - int status = hsm_client_crypto_init(); + int status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_GET_TRUST_BUNDLE hsm_client_get_trust_bundle = interface->hsm_client_get_trust_bundle; @@ -1304,7 +1311,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) { //arrange int status; - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE hsm_client_crypto_create = interface->hsm_client_crypto_create; @@ -1338,7 +1345,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) int test_result = umock_c_negative_tests_init(); ASSERT_ARE_EQUAL(int, 0, test_result); int status; - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE hsm_client_crypto_create = interface->hsm_client_crypto_create; @@ -1396,7 +1403,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) TEST_FUNCTION(edge_hsm_client_destroy_certificate_invalid_param_1_validation) { //arrange - int status = hsm_client_crypto_init(); + int status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_DESTROY_CERTIFICATE hsm_client_destroy_certificate = interface->hsm_client_destroy_certificate; @@ -1417,7 +1424,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) TEST_FUNCTION(edge_hsm_client_destroy_certificate_invalid_param_2_validation) { //arrange - int status = hsm_client_crypto_init(); + int status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_DESTROY_CERTIFICATE hsm_client_destroy_certificate = interface->hsm_client_destroy_certificate; @@ -1439,7 +1446,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) { //arrange int status; - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE hsm_client_crypto_create = interface->hsm_client_crypto_create; @@ -1471,7 +1478,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) int test_result = umock_c_negative_tests_init(); ASSERT_ARE_EQUAL(int, 0, test_result); int status; - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE hsm_client_crypto_create = interface->hsm_client_crypto_create; @@ -1530,7 +1537,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) TEST_FUNCTION(edge_hsm_client_crypto_get_certificate_invalid_param_validation) { //arrange - int status = hsm_client_crypto_init(); + int status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CRYPTO_GET_CERTIFICATE hsm_client_crypto_get_certificate = interface->hsm_client_crypto_get_certificate; @@ -1557,7 +1564,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) { //arrange int status; - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE hsm_client_crypto_create = interface->hsm_client_crypto_create; @@ -1591,7 +1598,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) int test_result = umock_c_negative_tests_init(); ASSERT_ARE_EQUAL(int, 0, test_result); int status; - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE hsm_client_crypto_create = interface->hsm_client_crypto_create; @@ -1697,7 +1704,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) { //arrange int status; - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE hsm_client_crypto_create = interface->hsm_client_crypto_create; @@ -1736,7 +1743,7 @@ BEGIN_TEST_SUITE(edge_hsm_crypto_unittests) int test_result = umock_c_negative_tests_init(); ASSERT_ARE_EQUAL(int, 0, test_result); int status; - status = hsm_client_crypto_init(); + status = hsm_client_crypto_init(TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_CRYPTO_INTERFACE* interface = hsm_client_crypto_interface(); HSM_CLIENT_CREATE hsm_client_crypto_create = interface->hsm_client_crypto_create; diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_store_int/edge_hsm_store_int.c b/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_store_int/edge_hsm_store_int.c index adb8008f86f..8ff6568e27a 100644 --- a/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_store_int/edge_hsm_store_int.c +++ b/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_store_int/edge_hsm_store_int.c @@ -40,6 +40,9 @@ static char* TEST_IOTEDGE_HOMEDIR_GUID = NULL; static TEST_MUTEX_HANDLE g_testByTest; static TEST_MUTEX_HANDLE g_dllByDll; +// 90 days. +static const uint64_t TEST_CA_VALIDITY = 90 * 24 * 3600; + //############################################################################# // Test helpers //############################################################################# @@ -233,7 +236,7 @@ BEGIN_TEST_SUITE(edge_hsm_store_int_tests) int result; const HSM_CLIENT_STORE_INTERFACE *store_if = hsm_client_store_interface(); ASSERT_IS_NOT_NULL(store_if, "Line:" TOSTRING(__LINE__)); - result = store_if->hsm_client_store_create(EDGE_STORE_NAME); + result = store_if->hsm_client_store_create(EDGE_STORE_NAME, TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, result, "Line:" TOSTRING(__LINE__)); result = store_if->hsm_client_store_destroy(EDGE_STORE_NAME); @@ -246,7 +249,7 @@ BEGIN_TEST_SUITE(edge_hsm_store_int_tests) const HSM_CLIENT_STORE_INTERFACE *store_if = hsm_client_store_interface(); ASSERT_IS_NOT_NULL(store_if, "Line:" TOSTRING(__LINE__)); - result = store_if->hsm_client_store_create(EDGE_STORE_NAME); + result = store_if->hsm_client_store_create(EDGE_STORE_NAME, TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, result, "Line:" TOSTRING(__LINE__)); HSM_CLIENT_STORE_HANDLE store_handle = store_if->hsm_client_store_open(EDGE_STORE_NAME); @@ -271,7 +274,7 @@ BEGIN_TEST_SUITE(edge_hsm_store_int_tests) const HSM_CLIENT_STORE_INTERFACE *store_if = hsm_client_store_interface(); ASSERT_IS_NOT_NULL(store_if, "Line:" TOSTRING(__LINE__)); - result = store_if->hsm_client_store_create(EDGE_STORE_NAME); + result = store_if->hsm_client_store_create(EDGE_STORE_NAME, TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, result, "Line:" TOSTRING(__LINE__)); HSM_CLIENT_STORE_HANDLE store_handle = store_if->hsm_client_store_open(EDGE_STORE_NAME); @@ -313,7 +316,7 @@ BEGIN_TEST_SUITE(edge_hsm_store_int_tests) const HSM_CLIENT_STORE_INTERFACE *store_if = hsm_client_store_interface(); ASSERT_IS_NOT_NULL(store_if, "Line:" TOSTRING(__LINE__)); - result = store_if->hsm_client_store_create(EDGE_STORE_NAME); + result = store_if->hsm_client_store_create(EDGE_STORE_NAME, TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, result, "Line:" TOSTRING(__LINE__)); HSM_CLIENT_STORE_HANDLE store_handle = store_if->hsm_client_store_open(EDGE_STORE_NAME); @@ -362,7 +365,7 @@ BEGIN_TEST_SUITE(edge_hsm_store_int_tests) const HSM_CLIENT_STORE_INTERFACE *store_if = hsm_client_store_interface(); ASSERT_IS_NOT_NULL(store_if, "Line:" TOSTRING(__LINE__)); - result = store_if->hsm_client_store_create(EDGE_STORE_NAME); + result = store_if->hsm_client_store_create(EDGE_STORE_NAME, TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, result, "Line:" TOSTRING(__LINE__)); HSM_CLIENT_STORE_HANDLE store_handle = store_if->hsm_client_store_open(EDGE_STORE_NAME); @@ -390,7 +393,7 @@ BEGIN_TEST_SUITE(edge_hsm_store_int_tests) const HSM_CLIENT_STORE_INTERFACE *store_if = hsm_client_store_interface(); ASSERT_IS_NOT_NULL(store_if, "Line:" TOSTRING(__LINE__)); - result = store_if->hsm_client_store_create(EDGE_STORE_NAME); + result = store_if->hsm_client_store_create(EDGE_STORE_NAME, TEST_CA_VALIDITY); ASSERT_ARE_EQUAL(int, 0, result, "Line:" TOSTRING(__LINE__)); HSM_CLIENT_STORE_HANDLE store_handle = store_if->hsm_client_store_open(EDGE_STORE_NAME); diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_tpm_ut/edge_hsm_tpm_ut.c b/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_tpm_ut/edge_hsm_tpm_ut.c index 47a49efa432..6e0fcc902cb 100644 --- a/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_tpm_ut/edge_hsm_tpm_ut.c +++ b/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_tpm_ut/edge_hsm_tpm_ut.c @@ -33,6 +33,7 @@ static void test_hook_gballoc_free(void* ptr) #include "umock_c/umock_c.h" #include "umock_c/umock_c_negative_tests.h" #include "umock_c/umocktypes_charptr.h" +#include "umock_c/umocktypes_stdint.h" //############################################################################# // Declare and enable MOCK definitions @@ -43,7 +44,7 @@ static void test_hook_gballoc_free(void* ptr) #include "azure_c_shared_utility/gballoc.h" // store mocks -MOCKABLE_FUNCTION(, int, mocked_hsm_client_store_create, const char*, store_name); +MOCKABLE_FUNCTION(, int, mocked_hsm_client_store_create, const char*, store_name, uint64_t, auto_generated_ca_lifetime); MOCKABLE_FUNCTION(, int, mocked_hsm_client_store_destroy, const char*, store_name); MOCKABLE_FUNCTION(, HSM_CLIENT_STORE_HANDLE, mocked_hsm_client_store_open, const char*, store_name); MOCKABLE_FUNCTION(, int, mocked_hsm_client_store_close, HSM_CLIENT_STORE_HANDLE, handle); @@ -100,6 +101,9 @@ static TEST_MUTEX_HANDLE g_testByTest; static TEST_MUTEX_HANDLE g_dllByDll; static unsigned char TEST_EDGE_MODULE_IDENTITY[] = {'s', 'a', 'm', 'p', 'l', 'e'}; +// 90 days. +static const uint64_t TEST_CA_VALIDITY = 90 * 24 * 3600; + static const HSM_CLIENT_STORE_INTERFACE mocked_hsm_client_store_interface = { mocked_hsm_client_store_create, @@ -150,9 +154,10 @@ const HSM_CLIENT_KEY_INTERFACE* test_hook_hsm_client_key_interface(void) return &mocked_hsm_client_key_interface; } -static int test_hook_hsm_client_store_create(const char* store_name) +static int test_hook_hsm_client_store_create(const char* store_name, uint64_t auto_generated_ca_lifetime) { (void)store_name; + (void)auto_generated_ca_lifetime; return 0; } @@ -441,6 +446,8 @@ BEGIN_TEST_SUITE(edge_hsm_tpm_unittests) REGISTER_GLOBAL_MOCK_HOOK(mocked_hsm_client_key_decrypt, test_hook_hsm_client_key_decrypt); REGISTER_GLOBAL_MOCK_FAIL_RETURN(mocked_hsm_client_key_decrypt, 1); + + (void)umocktypes_stdint_register_types(); } TEST_SUITE_CLEANUP(TestClassCleanup) @@ -476,7 +483,7 @@ BEGIN_TEST_SUITE(edge_hsm_tpm_unittests) int status; EXPECTED_CALL(hsm_client_store_interface()); EXPECTED_CALL(hsm_client_key_interface()); - STRICT_EXPECTED_CALL(mocked_hsm_client_store_create(TEST_EDGE_STORE_NAME)); + STRICT_EXPECTED_CALL(mocked_hsm_client_store_create(TEST_EDGE_STORE_NAME, TEST_CA_VALIDITY)); // act status = hsm_client_tpm_store_init(); @@ -501,7 +508,7 @@ BEGIN_TEST_SUITE(edge_hsm_tpm_unittests) EXPECTED_CALL(hsm_client_store_interface()); EXPECTED_CALL(hsm_client_key_interface()); - STRICT_EXPECTED_CALL(mocked_hsm_client_store_create(TEST_EDGE_STORE_NAME)); + STRICT_EXPECTED_CALL(mocked_hsm_client_store_create(TEST_EDGE_STORE_NAME, TEST_CA_VALIDITY)); umock_c_negative_tests_snapshot(); @@ -578,7 +585,7 @@ BEGIN_TEST_SUITE(edge_hsm_tpm_unittests) EXPECTED_CALL(hsm_client_store_interface()); EXPECTED_CALL(hsm_client_key_interface()); - STRICT_EXPECTED_CALL(mocked_hsm_client_store_create(TEST_EDGE_STORE_NAME)); + STRICT_EXPECTED_CALL(mocked_hsm_client_store_create(TEST_EDGE_STORE_NAME, TEST_CA_VALIDITY)); // act status = hsm_client_tpm_store_init(); diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_x509_ut/edge_hsm_x509_ut.c b/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_x509_ut/edge_hsm_x509_ut.c index acb353b4be2..83967910877 100644 --- a/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_x509_ut/edge_hsm_x509_ut.c +++ b/edgelet/hsm-sys/azure-iot-hsm-c/tests/edge_hsm_x509_ut/edge_hsm_x509_ut.c @@ -33,6 +33,7 @@ static void test_hook_gballoc_free(void* ptr) #include "umock_c/umock_c.h" #include "umock_c/umock_c_negative_tests.h" #include "umock_c/umocktypes_charptr.h" +#include "umock_c/umocktypes_stdint.h" //############################################################################# // Declare and enable MOCK definitions @@ -48,7 +49,7 @@ static void test_hook_gballoc_free(void* ptr) #include "hsm_utils.h" // interface mocks -MOCKABLE_FUNCTION(, int, hsm_client_crypto_init); +MOCKABLE_FUNCTION(, int, hsm_client_crypto_init, uint64_t, auto_generated_ca_lifetime); MOCKABLE_FUNCTION(, void, hsm_client_crypto_deinit); MOCKABLE_FUNCTION(, const HSM_CLIENT_CRYPTO_INTERFACE*, hsm_client_crypto_interface); MOCKABLE_FUNCTION(, const char*, hsm_get_device_ca_alias); @@ -130,6 +131,8 @@ static const char *TEST_ENV_DATA = "test_env"; #define TEST_ENV_DATA_SIZE (strlen(TEST_ENV_DATA) + 1) #define MAX_FAILED_FUNCTION_LIST_SIZE 16 +#define TEST_CERT_VALIDITY 7776000 +#define TEST_VALIDITY 10000 //############################################################################# // Mocked functions test hooks @@ -148,8 +151,9 @@ static const HSM_CLIENT_CRYPTO_INTERFACE* test_hook_hsm_client_crypto_interface( return &mocked_hsm_client_crypto_interface; } -static int test_hook_hsm_client_crypto_init() +static int test_hook_hsm_client_crypto_init(uint64_t auto_generated_ca_lifetime) { + (void)auto_generated_ca_lifetime; return 0; } @@ -441,6 +445,8 @@ BEGIN_TEST_SUITE(edge_hsm_x509_unittests) REGISTER_GLOBAL_MOCK_HOOK(hsm_get_env, test_hook_hsm_get_env); REGISTER_GLOBAL_MOCK_FAIL_RETURN(hsm_get_env, 1); + + (void)umocktypes_stdint_register_types(); } TEST_SUITE_CLEANUP(TestClassCleanup) @@ -474,10 +480,10 @@ BEGIN_TEST_SUITE(edge_hsm_x509_unittests) { //arrange int status; - EXPECTED_CALL(hsm_client_crypto_init()); + EXPECTED_CALL(hsm_client_crypto_init(TEST_CERT_VALIDITY)); // act - status = hsm_client_x509_init(); + status = hsm_client_x509_init(TEST_VALIDITY); // assert ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); @@ -495,12 +501,12 @@ BEGIN_TEST_SUITE(edge_hsm_x509_unittests) { //arrange int status; - status = hsm_client_x509_init(); + status = hsm_client_x509_init(TEST_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); umock_c_reset_all_calls(); // act - status = hsm_client_x509_init(); + status = hsm_client_x509_init(TEST_VALIDITY); // assert ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); @@ -521,7 +527,7 @@ BEGIN_TEST_SUITE(edge_hsm_x509_unittests) int test_result = umock_c_negative_tests_init(); ASSERT_ARE_EQUAL(int, 0, test_result); - EXPECTED_CALL(hsm_client_crypto_init()); + EXPECTED_CALL(hsm_client_crypto_init(TEST_CERT_VALIDITY)); umock_c_negative_tests_snapshot(); for (size_t i = 0; i < umock_c_negative_tests_call_count(); i++) @@ -531,7 +537,7 @@ BEGIN_TEST_SUITE(edge_hsm_x509_unittests) umock_c_negative_tests_fail_call(i); // act - status = hsm_client_x509_init(); + status = hsm_client_x509_init(TEST_VALIDITY); // assert ASSERT_ARE_NOT_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); @@ -574,7 +580,7 @@ BEGIN_TEST_SUITE(edge_hsm_x509_unittests) { //arrange int status; - status = hsm_client_x509_init(); + status = hsm_client_x509_init(TEST_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); umock_c_reset_all_calls(); @@ -623,7 +629,7 @@ BEGIN_TEST_SUITE(edge_hsm_x509_unittests) ASSERT_ARE_EQUAL(int, 0, test_result); int status; - status = hsm_client_x509_init(); + status = hsm_client_x509_init(TEST_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); umock_c_reset_all_calls(); @@ -657,7 +663,7 @@ BEGIN_TEST_SUITE(edge_hsm_x509_unittests) { //arrange int status; - status = hsm_client_x509_init(); + status = hsm_client_x509_init(TEST_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); umock_c_reset_all_calls(); @@ -680,7 +686,7 @@ BEGIN_TEST_SUITE(edge_hsm_x509_unittests) { //arrange int status; - status = hsm_client_x509_init(); + status = hsm_client_x509_init(TEST_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); CERT_INFO_HANDLE handle = interface->hsm_client_x509_create(); @@ -727,7 +733,7 @@ BEGIN_TEST_SUITE(edge_hsm_x509_unittests) { //arrange int status; - status = hsm_client_x509_init(); + status = hsm_client_x509_init(TEST_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); umock_c_reset_all_calls(); @@ -774,7 +780,7 @@ BEGIN_TEST_SUITE(edge_hsm_x509_unittests) { //arrange int status; - status = hsm_client_x509_init(); + status = hsm_client_x509_init(TEST_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); HSM_CLIENT_CREATE handle = interface->hsm_client_x509_create(); @@ -806,7 +812,7 @@ BEGIN_TEST_SUITE(edge_hsm_x509_unittests) ASSERT_ARE_EQUAL(int, 0, test_result); int status; - status = hsm_client_x509_init(); + status = hsm_client_x509_init(TEST_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); HSM_CLIENT_CREATE handle = interface->hsm_client_x509_create(); @@ -845,7 +851,7 @@ BEGIN_TEST_SUITE(edge_hsm_x509_unittests) { //arrange int status; - status = hsm_client_x509_init(); + status = hsm_client_x509_init(TEST_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); HSM_CLIENT_CREATE handle = interface->hsm_client_x509_create(); @@ -871,7 +877,7 @@ BEGIN_TEST_SUITE(edge_hsm_x509_unittests) { //arrange int status; - status = hsm_client_x509_init(); + status = hsm_client_x509_init(TEST_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); HSM_CLIENT_CREATE handle = interface->hsm_client_x509_create(); @@ -897,7 +903,7 @@ BEGIN_TEST_SUITE(edge_hsm_x509_unittests) { //arrange int status; - status = hsm_client_x509_init(); + status = hsm_client_x509_init(TEST_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); HSM_CLIENT_CREATE handle = interface->hsm_client_x509_create(); @@ -951,7 +957,7 @@ BEGIN_TEST_SUITE(edge_hsm_x509_unittests) { //arrange int status; - status = hsm_client_x509_init(); + status = hsm_client_x509_init(TEST_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); HSM_CLIENT_CREATE handle = interface->hsm_client_x509_create(); @@ -991,7 +997,7 @@ BEGIN_TEST_SUITE(edge_hsm_x509_unittests) ASSERT_ARE_EQUAL(int, 0, test_result); int status; - status = hsm_client_x509_init(); + status = hsm_client_x509_init(TEST_VALIDITY); ASSERT_ARE_EQUAL(int, 0, status, "Line:" TOSTRING(__LINE__)); const HSM_CLIENT_X509_INTERFACE* interface = hsm_client_x509_interface(); HSM_CLIENT_CREATE handle = interface->hsm_client_x509_create(); diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/tools/hsm_validator/v0_0_1/hsm_v0_0_1_validation.c b/edgelet/hsm-sys/azure-iot-hsm-c/tools/hsm_validator/v0_0_1/hsm_v0_0_1_validation.c index 0bbd7f45762..7e873c206aa 100644 --- a/edgelet/hsm-sys/azure-iot-hsm-c/tools/hsm_validator/v0_0_1/hsm_v0_0_1_validation.c +++ b/edgelet/hsm-sys/azure-iot-hsm-c/tools/hsm_validator/v0_0_1/hsm_v0_0_1_validation.c @@ -10,7 +10,7 @@ static int validate_hsm_init_library(void) { int result = 0; #ifdef USE_X509_INTERFACE - if (hsm_client_x509_init() != 0) + if (hsm_client_x509_init(1000) != 0) { (void)printf("Failure calling hsm_client_x509_init\r\n"); result = __LINE__; diff --git a/edgelet/hsm-sys/azure-iot-hsm-c/tools/hsm_validator/v0_0_2/validate_x509.c b/edgelet/hsm-sys/azure-iot-hsm-c/tools/hsm_validator/v0_0_2/validate_x509.c index 122ed6a9ef2..499ded92195 100644 --- a/edgelet/hsm-sys/azure-iot-hsm-c/tools/hsm_validator/v0_0_2/validate_x509.c +++ b/edgelet/hsm-sys/azure-iot-hsm-c/tools/hsm_validator/v0_0_2/validate_x509.c @@ -5,18 +5,20 @@ #include "test_utils.h" #include "hsm_client_data.h" +#define TEST_VALIDITY 1000 + static int x509_init_succeeds_when_called_after_deinit(void) { - ASSERT(hsm_client_x509_init() == 0); + ASSERT(hsm_client_x509_init(TEST_VALIDITY) == 0); hsm_client_x509_deinit(); - ASSERT(hsm_client_x509_init() == 0); + ASSERT(hsm_client_x509_init(TEST_VALIDITY) == 0); hsm_client_x509_deinit(); return 0; } static int x509_interface_pointer_is_always_the_same_after_init(void) { - ASSERT(hsm_client_x509_init() == 0); + ASSERT(hsm_client_x509_init(TEST_VALIDITY) == 0); const HSM_CLIENT_X509_INTERFACE* if1 = hsm_client_x509_interface(); const HSM_CLIENT_X509_INTERFACE* if2 = hsm_client_x509_interface(); @@ -44,7 +46,7 @@ static int x509_interface_implements_all_functions(void) static int get_cert_returns_a_non_null_value(void) { - ASSERT(hsm_client_x509_init() == 0); + ASSERT(hsm_client_x509_init(TEST_VALIDITY) == 0); const HSM_CLIENT_X509_INTERFACE* x509 = hsm_client_x509_interface(); ASSERT(x509 != NULL); @@ -65,7 +67,7 @@ static int get_cert_returns_a_non_null_value(void) static int get_key_returns_a_non_null_value(void) { - ASSERT(hsm_client_x509_init() == 0); + ASSERT(hsm_client_x509_init(TEST_VALIDITY) == 0); const HSM_CLIENT_X509_INTERFACE* x509 = hsm_client_x509_interface(); ASSERT(x509 != NULL); @@ -86,7 +88,7 @@ static int get_key_returns_a_non_null_value(void) static int get_common_name_returns_a_non_null_value(void) { - ASSERT(hsm_client_x509_init() == 0); + ASSERT(hsm_client_x509_init(TEST_VALIDITY) == 0); const HSM_CLIENT_X509_INTERFACE* x509 = hsm_client_x509_interface(); ASSERT(x509 != NULL); diff --git a/edgelet/hsm-sys/src/lib.rs b/edgelet/hsm-sys/src/lib.rs index d27fa1b6b12..d32520b3a49 100644 --- a/edgelet/hsm-sys/src/lib.rs +++ b/edgelet/hsm-sys/src/lib.rs @@ -39,7 +39,7 @@ fn bindgen_test_supported_hsm_version() { .to_string_lossy() .into_owned() }; - assert_eq!(String::from("1.0.2"), result); + assert_eq!(String::from("1.0.3"), result); } pub type HSM_CLIENT_HANDLE = *mut c_void; @@ -1051,7 +1051,7 @@ extern "C" { pub fn hsm_client_crypto_interface() -> *const HSM_CLIENT_CRYPTO_INTERFACE; } extern "C" { - pub fn hsm_client_x509_init() -> c_int; + pub fn hsm_client_x509_init(auto_generated_cert_lifetime: u64) -> c_int; } extern "C" { pub fn hsm_client_x509_deinit(); @@ -1063,7 +1063,7 @@ extern "C" { pub fn hsm_client_tpm_deinit(); } extern "C" { - pub fn hsm_client_crypto_init() -> c_int; + pub fn hsm_client_crypto_init(auto_generated_cert_lifetime: u64) -> c_int; } extern "C" { pub fn hsm_client_crypto_deinit(); diff --git a/edgelet/iotedge/src/check/mod.rs b/edgelet/iotedge/src/check/mod.rs index 8592684c0be..930b3a0c2d8 100644 --- a/edgelet/iotedge/src/check/mod.rs +++ b/edgelet/iotedge/src/check/mod.rs @@ -1303,7 +1303,7 @@ fn settings_certificates(check: &mut Check) -> Result Result { info!("Transparent gateway certificates not found, operating in quick start mode...") } @@ -630,14 +634,15 @@ where fn prepare_httpclient_and_identity_data( hsm_lock: Arc, settings: &S, + auto_generated_ca_lifetime_seconds: u64, ) -> Result<(MaybeProxyClient, Option), Error> where S: RuntimeSettings, { if get_provisioning_auth_method(settings) == ProvisioningAuthMethod::X509 { info!("Initializing hsm X509 interface..."); - let x509 = - X509::new(hsm_lock).context(ErrorKind::Initialize(InitializeErrorReason::Hsm))?; + let x509 = X509::new(hsm_lock, auto_generated_ca_lifetime_seconds) + .context(ErrorKind::Initialize(InitializeErrorReason::Hsm))?; let hsm_version = x509 .get_version() @@ -1160,7 +1165,7 @@ where let (work_tx, work_rx) = oneshot::channel(); let edgelet_cert_props = CertificateProperties::new( - IOTEDGED_VALIDITY, + settings.certificates().auto_generated_ca_lifetime_seconds(), IOTEDGED_TLS_COMMONNAME.to_string(), CertificateType::Server, "iotedge-tls".to_string(), @@ -1738,7 +1743,7 @@ mod tests { use tempdir::TempDir; use edgelet_core::ModuleRuntimeState; - use edgelet_core::{KeyBytes, PrivateKey}; + use edgelet_core::{KeyBytes, PrivateKey, DEFAULT_AUTO_GENERATED_CA_LIFETIME_DAYS}; use edgelet_docker::{DockerConfig, DockerModuleRuntime, Settings}; use edgelet_test_utils::cert::TestCert; use edgelet_test_utils::crypto::TestHsm; @@ -1906,6 +1911,25 @@ mod tests { } } + #[test] + fn settings_without_cert_life_uses_default() { + let settings = Settings::new(Some(Path::new(GOOD_SETTINGS1))).unwrap(); + assert_eq!( + u64::from(DEFAULT_AUTO_GENERATED_CA_LIFETIME_DAYS) * 86_400, + settings.certificates().auto_generated_ca_lifetime_seconds() + ); + } + + #[test] + fn settings_with_cert_life_uses_value() { + let settings = Settings::new(Some(Path::new(GOOD_SETTINGS2))).unwrap(); + // Provided value is 1 day so check for that in seconds + assert_eq!( + 86_400, + settings.certificates().auto_generated_ca_lifetime_seconds() + ); + } + #[test] fn settings_with_invalid_issuer_ca_fails() { let tmp_dir = TempDir::new("blah").unwrap(); diff --git a/edgelet/iotedged/test/linux/sample_settings2.yaml b/edgelet/iotedged/test/linux/sample_settings2.yaml index 3530a4d4109..cc9243c27fa 100644 --- a/edgelet/iotedged/test/linux/sample_settings2.yaml +++ b/edgelet/iotedged/test/linux/sample_settings2.yaml @@ -17,6 +17,9 @@ hostname: "localhost" watchdog: max_retries: 3 +certificates: + auto_generated_ca_lifetime_days: 1 + # Sets the connection uris for clients connect: workload_uri: "http://localhost:8081" diff --git a/edgelet/iotedged/test/windows/sample_settings2.yaml b/edgelet/iotedged/test/windows/sample_settings2.yaml index 9e381d145c5..abc27d76de9 100644 --- a/edgelet/iotedged/test/windows/sample_settings2.yaml +++ b/edgelet/iotedged/test/windows/sample_settings2.yaml @@ -17,6 +17,9 @@ hostname: "localhost" watchdog: max_retries: 3 +certificates: + auto_generated_ca_lifetime_days: 1 + # Sets the connection uris for clients connect: workload_uri: "http://localhost:8081"