Implement hybrid X509 auth for Iot Edge (#1364)

Changes here implement X509 provisioning via DPS for IoT Edge devices. The hybrid auth stems from the fact that the device identity credential is an X509 certificate and the modules are symmetric key based. The symmetric keys for modules are derived from the X509 identity of the device and will change if the device id, hub name, or certificate/private key change. Thus modules creds are anchored to the Edge device's creds.
Azure · Jul 19, 2019 · f012c28 · f012c28
1 parent c8b4d00
commit f012c28
Show file tree

Hide file tree

Showing 7 changed files with 1,451 additions and 108 deletions.
diff --git a/edgelet/Cargo.lock b/edgelet/Cargo.lock
diff --git a/edgelet/contrib/config/linux/config.yaml b/edgelet/contrib/config/linux/config.yaml
@@ -161,7 +161,7 @@ hostname: "<ADD HOSTNAME HERE>"
 #
 #               If this configuration is not specified, the daemon keeps retrying
 #               on errors and doesn't fail fatally.
-# 
+#
 #               On a fatal failure, the daemon returns an exit code which
 #               signifies the kind of error encountered. Currently, the following
 #               error codes are returned by the daemon -

diff --git a/edgelet/iotedged/Cargo.toml b/edgelet/iotedged/Cargo.toml
@@ -46,6 +46,7 @@ winapi = { version = "0.3.5", features = ["shellapi"] }
 win-logger = { path = "../win-logger" }
 
 [dev_dependencies]
+rand = "0.5"
 tempdir = "0.3.7"
 
 edgelet-test-utils = { path = "../edgelet-test-utils" }
diff --git a/edgelet/iotedged/src/error.rs b/edgelet/iotedged/src/error.rs
@@ -164,6 +164,11 @@ pub enum InitializeErrorReason {
     ExternalProvisioningClient(ExternalProvisioningErrorReason),
     Hsm,
     HttpClient,
+    HybridAuthDirCreate,
+    HybridAuthKeyCreate,
+    HybridAuthKeyLoad,
+    HybridAuthKeyInvalid,
+    InvalidDeviceCertCredentials,
     InvalidDeviceConfig,
     InvalidHubConfig,
     InvalidProxyUri,
@@ -239,6 +244,26 @@ impl fmt::Display for InitializeErrorReason {
 
             InitializeErrorReason::HttpClient => write!(f, "Could not initialize HTTP client"),
 
+            InitializeErrorReason::HybridAuthDirCreate => {
+                write!(f, "Could not create the hybrid identity key directory")
+            }
+
+            InitializeErrorReason::HybridAuthKeyCreate => {
+                write!(f, "Could not create the hybrid identity key")
+            }
+
+            InitializeErrorReason::HybridAuthKeyLoad => {
+                write!(f, "Could not load the hybrid identity key")
+            }
+
+            InitializeErrorReason::HybridAuthKeyInvalid => {
+                write!(f, "The loaded hybrid identity key was invalid")
+            }
+
+            InitializeErrorReason::InvalidDeviceCertCredentials => {
+                write!(f, "Invalid identity certificate")
+            }
+
             InitializeErrorReason::InvalidDeviceConfig => {
                 write!(f, "Invalid device configuration was provided")
             }