【问题标题】:Unauthorized exception when using Azure IoT Hub Device Provisioning Service (DPS)使用 Azure IoT 中心设备预配服务 (DPS) 时出现未经授权的异常
【发布时间】:2021-08-09 19:37:27
【问题描述】:

我正在尝试使用 Azure IoT Hub 迁移现有解决方案以使用 Azure IoT Hub 设备预配服务 (DPS)。

设备使用 X.509 自签名证书进行身份验证。

出于测试目的,我可以使用生成证书

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
  • 公用名设置为mything1
  • 所有其他字段为空白

然后我可以使用将这些文件合并到一个文件中

openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12

选择password作为密码。

然后我有 3 个文件。

  • certificate.p12 包含证书和私钥
  • certificate.pem 包含证书
  • key.pem 包含私钥

然后我可以使用

直接在 IoT 中心注册此设备
string ThingId = "mything1";

// Register device directly in IoT hub.
{
    var certificate = new X509Certificate2(File.ReadAllBytes("certificate.pem"));
    string thumb1 = certificate.Thumbprint;

    using (var hasher = SHA256.Create())
    {
        using (var registryManager = RegistryManager.CreateFromConnectionString(iotHubConnectionString))
        {
            await registryManager.AddDeviceAsync(new Device(ThingId)
            {
                Authentication = new AuthenticationMechanism()
                {
                    X509Thumbprint = new X509Thumbprint()
                    {
                        PrimaryThumbprint = thumb1,
                        SecondaryThumbprint = thumb1,
                    }
                },
            });
        }
    }
}

然后在设备注册后,我可以使用证书作为设备身份验证连接到 IoT Hub。

// Vertifying that certificate is ok etc
// by connecting to an IoT Hub
{
    var auth = new DeviceAuthenticationWithX509Certificate(ThingId, new X509Certificate2(File.ReadAllBytes("certificate.p12"), "password"));

    var client = DeviceClient.Create(iotHubHostname, auth,
        new ITransportSettings[] { new AmqpTransportSettings(Microsoft.Azure.Devices.Client.TransportType.Amqp_WebSocket_Only) });

    // Report a value just to make sure it works.
    TwinCollection props = new TwinCollection();
    props["Hello"] = "World";
    await client.UpdateReportedPropertiesAsync(props, new CancellationTokenSource(1000 * 30).Token);
}

这是有效的,也是我今天的解决方案。现在尝试做同样的事情,但使用 DPS。

首先为设备创建一个单独的注册:

// Create an individual enrollment for device
using (var provisioningServiceClient = 
    ProvisioningServiceClient.CreateFromConnectionString(provisioningServiceConnectionString))
{
    var attestation = X509Attestation.CreateFromClientCertificates(new X509Certificate2(File.ReadAllBytes("certificate.pem")));

    IndividualEnrollment individualEnrollment =
        new IndividualEnrollment(
                ThingId,
                attestation);

    IndividualEnrollment individualEnrollmentResult =
        await provisioningServiceClient.CreateOrUpdateIndividualEnrollmentAsync(individualEnrollment);
}

然后在创建注册后,我应该能够将自己设置为设备。

string globalDeviceEndpoint = "global.azure-devices-provisioning.net";
            
using (var security = new SecurityProviderX509Certificate(new X509Certificate2(File.ReadAllBytes("certificate.p12"), "password")))
{
    ProvisioningDeviceClient provClient = ProvisioningDeviceClient.Create(globalDeviceEndpoint, 
        s_idScope, 
        security, 
        new ProvisioningTransportHandlerHttp());
    
    DeviceRegistrationResult result = await provClient.RegisterAsync(); // Throws exception

    Console.WriteLine($"ProvisioningClient AssignedHub: {result.AssignedHub}; DeviceId: {result.DeviceId}");
}

但这会引发未经授权的异常:

Unhandled exception. Microsoft.Azure.Devices.Provisioning.Client.ProvisioningTransportException: {"errorCode":401002,"trackingId":"f7ec27c8-dbad-4600-8b47-f46aaa0160de","message":"Unauthorized","timestampUtc":"2021-05-20T14:09:00.8491407Z"}
 ---> Microsoft.Rest.HttpOperationException: Operation returned an invalid status code 'Unauthorized'
   at Microsoft.Azure.Devices.Provisioning.Client.Transport.RuntimeRegistration.RegisterDeviceWithHttpMessagesAsync(String registrationId, String idScope, DeviceRegistration deviceRegistration, Nullable`1 forceRegistration, Dictionary`2 customHeaders, CancellationToken cancellationToken)
   at Microsoft.Azure.Devices.Provisioning.Client.Transport.RuntimeRegistrationExtensions.RegisterDeviceAsync(IRuntimeRegistration operations, String registrationId, String idScope, DeviceRegistration deviceRegistration, Nullable`1 forceRegistration, CancellationToken cancellationToken)
   at Microsoft.Azure.Devices.Provisioning.Client.Transport.ProvisioningTransportHandlerHttp.RegisterAsync(ProvisioningTransportRegisterMessage message, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at Microsoft.Azure.Devices.Provisioning.Client.Transport.ProvisioningTransportHandlerHttp.RegisterAsync(ProvisioningTransportRegisterMessage message, CancellationToken cancellationToken)
   at DPSWorkShop.Program.Main(String[] args) in C:\Work\Elux\DPSWorkShop\DPSWorkShop\Program.cs:line 91
   at DPSWorkShop.Program.<Main>(String[] args)

我在这里做错了什么?

编辑: 正如 Rajeev 在这里回答的那样:https://stackoverflow.com/a/67641996/6877590 问题是基本约束:CA:true。

解决这个问题(用于测试)

  1. 编辑文件/usr/lib/ssl/openssl.cnf
  2. 查找[ v3_ca ]
  3. 将 CA:true 更改为 CA:false

【问题讨论】:

    标签: c# azure azure-iot-hub azure-iot-sdk azure-iot-hub-device-management


    【解决方案1】:

    设备提供的叶证书不应包含“CA”基本约束。见RFC 5280。这就是 DPS 引发“未经授权”异常的原因。

    【讨论】:

    • @johnor 请将此标记为帮助他人的答案。
    猜你喜欢
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2020-04-05
    • 1970-01-01
    • 2018-08-29
    • 2017-11-07
    • 1970-01-01
    • 2019-11-11
    相关资源
    最近更新 更多