
Commit e38e1a3

c-ryan-kVeryEarly
andauthored
[DPS] Add attestation mechanism updates to device enrollment and enrollment group commands (#14219)
* Added attestation mechanism updates to device enrollment and enrollment group commands * Updated changelog * Update ChangeLog.md Co-authored-by: Yabo Hu <[email protected]>
1 parent 566fea4 commit e38e1a3


11 files changed

+3362
-1791
lines changed


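--- a/src/DeviceProvisioningServices/DeviceProvisioningServices.Test/ScenarioTests/IotDpsEnrollmentGroupTests.ps1
+++ b/src/DeviceProvisioningServices/DeviceProvisioningServices.Test/ScenarioTests/IotDpsEnrollmentGroupTests.ps1
@@ -29,7 +29,8 @@ function Test-AzIotDpsEnrollmentGroupLifeCycle
 $ResourceGroupName = getAssetName
 $IotHubName = getAssetName
 $hubKeyName = "ServiceKey"
-$CertificateKey = "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"
+$PrimaryCertificateKey = "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"
+$SecondaryCertificateKey = "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"
 $Sku = "S1"
 $symEnroll = getAssetName
 $x509Enroll = getAssetName
@@ -115,7 +116,7 @@ function Test-AzIotDpsEnrollmentGroupLifeCycle
 Assert-True { $symEnrollment.ReprovisionPolicy.MigrateDeviceData }
 
 # Create enrollment group with X509 attestation
-$x509Enrollment = Add-AzIoTDeviceProvisioningServiceEnrollmentGroup -ResourceGroupName $ResourceGroupName -DpsName $IotDpsName -Name $x509Enroll -AttestationType X509 -PrimaryCertificate $CertificateKey -RootCertificate -IotHubHostName $LinkedHubName -ReprovisionPolicy reprovisionandresetdata -ProvisioningStatus "Disabled"
+$x509Enrollment = Add-AzIoTDeviceProvisioningServiceEnrollmentGroup -ResourceGroupName $ResourceGroupName -DpsName $IotDpsName -Name $x509Enroll -AttestationType X509 -PrimaryCertificate $PrimaryCertificateKey -RootCertificate -IotHubHostName $LinkedHubName -ReprovisionPolicy reprovisionandresetdata -ProvisioningStatus "Disabled"
 Assert-True { $x509Enrollment.EnrollmentGroupId -eq $x509Enroll }
 Assert-True { $x509Enrollment.IotHubHostName -eq $LinkedHubName }
 Assert-False { $x509Enrollment.Capabilities.IotEdge }
@@ -154,6 +155,16 @@ function Test-AzIotDpsEnrollmentGroupLifeCycle
 Assert-True { $x509EnrollmentUpdated.ReprovisionPolicy.UpdateHubAssignment }
 Assert-False { $x509EnrollmentUpdated.ReprovisionPolicy.MigrateDeviceData }
 
+# Update Enrollment attestation values
+
+# SymmetricKey (swap keys)
+$symEnrollmentUpdated = Set-AzIoTDeviceProvisioningServiceEnrollmentGroup -ResourceGroupName $ResourceGroupName -DpsName $IotDpsName -Name $symEnroll -PrimaryKey $symEnrollment.Attestation.SymmetricKey.SecondaryKey -SecondaryKey $symEnrollment.Attestation.SymmetricKey.PrimaryKey
+Assert-True { $symEnrollmentUpdated.Attestation.Type -eq "SymmetricKey" }
+Assert-True { $symEnrollmentUpdated.Attestation.PrimaryKey -eq $symEnrollment.Attestation.SecondaryKey }
+Assert-True { $symEnrollmentUpdated.Attestation.SecondaryKey -eq $symEnrollment.Attestation.PrimaryKey }
+
+# X509 (change certs)
+$x509EnrollmentUpdated = Set-AzIoTDeviceProvisioningServiceEnrollmentGroup -ResourceGroupName $ResourceGroupName -DpsName $IotDpsName -Name $x509Enroll -PrimaryCertificate $SecondaryCertificateKey -SecondaryCertificate $PrimaryCertificateKey -RootCertificate
 # Remove enrollment group
 $result = Remove-AzIoTDPSEnrollmentGroup -ResourceGroupName $ResourceGroupName -DpsName $IotDpsName -Name $symEnroll -PassThru
 Assert-True { $result }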
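Review bot: The two key-swap assertions at new lines 163-164 compare `$symEnrollmentUpdated.Attestation.PrimaryKey` with `$symEnrollment.Attestation.SecondaryKey`, but the `Set-` call on line 161 reads the keys from `Attestation.SymmetricKey.PrimaryKey`/`SecondaryKey`; if the keys live under `SymmetricKey` as that call assumes, both sides of each `-eq` resolve to `$null` and the assertions pass vacuously, so a rotation that silently kept the old keys would go undetected. The property paths should agree, e.g. `Assert-True { $symEnrollmentUpdated.Attestation.SymmetricKey.PrimaryKey -eq $symEnrollment.Attestation.SymmetricKey.SecondaryKey }` and the mirror check for `SecondaryKey`. The X509 update on line 167 is assigned to `$x509EnrollmentUpdated` but nothing is asserted about it afterwards, unlike the symmetric-key case; at minimum `Assert-True { $x509EnrollmentUpdated.Attestation.Type -eq "X509" }` plus a check that the returned primary certificate differs from the one originally enrolled would make the certificate rotation observable (the exact property path for the certificate is not visible here and should be confirmed against the cmdlet's output type). The body of Test-AzIotDpsEnrollmentGroupLifeCycle starts and ends outside this hunk.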

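--- a/src/DeviceProvisioningServices/DeviceProvisioningServices.Test/ScenarioTests/IotDpsEnrollmentTests.ps1
+++ b/src/DeviceProvisioningServices/DeviceProvisioningServices.Test/ScenarioTests/IotDpsEnrollmentTests.ps1
@@ -30,7 +30,9 @@ function Test-AzIotDpsEnrollmentLifeCycle
 $IotHubName = getAssetName
 $hubKeyName = "ServiceKey"
 $EndorsementKey = "AToAAQALAAMAsgAgg3GXZ0SEs/gakMyNRqXXJP1S124GUgtk8qHaGzMUaaoABgCAAEMAEAgAAAAAAAEAibym9HQP9vxCGF5dVc1QQsAGe021aUGJzNol1/gycBx3jFsTpwmWbISRwnFvflWd0w2Mc44FAAZNaJOAAxwZvG8GvyLlHh6fGKdh+mSBL4iLH2bZ4Ry22cB3CJVjXmdGoz9Y/j3/NwLndBxQC+baNvzvyVQZ4/A2YL7vzIIj2ik4y+ve9ir7U0GbNdnxskqK1KFIITVVtkTIYyyFTIR0BySjPrRIDj7r7Mh5uF9HBppGKQCBoVSVV8dI91lNazmSdpGWyqCkO7iM4VvUMv2HT/ym53aYlUrau+Qq87Tu+uQipWYgRdF11KDfcpMHqqzBQQ1NpOJVhrsTrhyJzO7KNw=="
-$CertificateKey = "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"
+$EndorsementKeyUpdated = "BToAAQALAAMAsgAgg3GXZ0SEs/gakMyNRqXXJP1S124GUgtk8qHaGzMUaaoABgCAAEMAEAgAAAAAAAEAibym9HQP9vxCGF5dVc1QQsAGe021aUGJzNol1/gycBx3jFsTpwmWbISRwnFvflWd0w2Mc44FAAZNaJOAAxwZvG8GvyLlHh6fGKdh+mSBL4iLH2bZ4Ry22cB3CJVjXmdGoz9Y/j3/NwLndBxQC+baNvzvyVQZ4/A2YL7vzIIj2ik4y+ve9ir7U0GbNdnxskqK1KFIITVVtkTIYyyFTIR0BySjPrRIDj7r7Mh5uF9HBppGKQCBoVSVV8dI91lNazmSdpGWyqCkO7iM4VvUMv2HT/ym53aYlUrau+Qq87Tu+uQipWYgRdF11KDfcpMHqqzBQQ1NpOJVhrsTrhyJzO7KNw=="
+$PrimaryCertificateKey = "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"
+$SecondaryCertificateKey = "MIIBiDCCAS2gAwIBAgIFWks8LR4wCgYIKoZIzj0EAwIwNjEUMBIGA1UEAwwLcmlvdGNvcmVuZXcxETAPBgNVBAoMCE1TUl9URVNUMQswCQYDVQQGEwJVUzAgFw0xNzAxMDEwMDAwMDBaGA8zNzAxMDEzMTIzNTk1OVowNjEUMBIGA1UEAwwLcmlvdGNvcmVuZXcxETAPBgNVBAoMCE1TUl9URVNUMQswCQYDVQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLVS6bK+QMm+HZ0247Nm+JmnERuickBXTj6rydcP3WzVQNBNpvcQ/4YVrPp60oiYRxZbsPyBtHt2UCAC00vEXy+jJjAkMA4GA1UdDwEB/wQEAwIHgDASBgNVHRMBAf8ECDAGAQH/AgECMAoGCCqGSM49BAMCA0kAMEYCIQDEjs2PoZEi/yAQNj2Vji9RthQ33HG/QdL12b1ABU5UXgIhAPJujG/c/S+7vcREWI7bQcCb31JIBDhWZbt4eyCvXZZt"
 $Sku = "S1"
 $symEnroll = getAssetName
 $tpmEnroll = getAssetName
@@ -129,7 +131,7 @@ function Test-AzIotDpsEnrollmentLifeCycle
 Assert-True { $tpmEnrollment.Attestation.Tpm.EndorsementKey -eq $EndorsementKey }
 
 # Create enrollment with X509 attestation
-$x509Enrollment = Add-AzIoTDeviceProvisioningServiceEnrollment -ResourceGroupName $ResourceGroupName -DpsName $IotDpsName -RegistrationId $x509Enroll -AttestationType X509 -PrimaryCertificate $CertificateKey -IotHubHostName $LinkedHubName -ReprovisionPolicy reprovisionandresetdata -ProvisioningStatus "Disabled"
+$x509Enrollment = Add-AzIoTDeviceProvisioningServiceEnrollment -ResourceGroupName $ResourceGroupName -DpsName $IotDpsName -RegistrationId $x509Enroll -AttestationType X509 -PrimaryCertificate $PrimaryCertificateKey -IotHubHostName $LinkedHubName -ReprovisionPolicy reprovisionandresetdata -ProvisioningStatus "Disabled"
 Assert-True { $x509Enrollment.RegistrationId -eq $x509Enroll }
 Assert-True { $x509Enrollment.IotHubHostName -eq $LinkedHubName }
 Assert-False { $x509Enrollment.Capabilities.IotEdge }
@@ -168,6 +170,21 @@ function Test-AzIotDpsEnrollmentLifeCycle
 Assert-True { $tpmEnrollmentUpdated.Attestation.Type -eq "Tpm" }
 Assert-True { $tpmEnrollmentUpdated.Attestation.Tpm.EndorsementKey -eq $EndorsementKey }
 
+# Update Enrollment attestation values
+
+# SymmetricKey (swap keys)
+$symEnrollmentUpdated = Set-AzIoTDeviceProvisioningServiceEnrollment -ResourceGroupName $ResourceGroupName -DpsName $IotDpsName -RegistrationId $symEnroll -PrimaryKey $symEnrollment.Attestation.SymmetricKey.SecondaryKey -SecondaryKey $symEnrollment.Attestation.SymmetricKey.PrimaryKey
+Assert-True { $symEnrollmentUpdated.Attestation.Type -eq "SymmetricKey" }
+Assert-True { $symEnrollmentUpdated.Attestation.PrimaryKey -eq $symEnrollment.Attestation.SecondaryKey }
+Assert-True { $symEnrollmentUpdated.Attestation.SecondaryKey -eq $symEnrollment.Attestation.PrimaryKey }
+
+# X509 (change certs)
+$x509EnrollmentUpdated = Set-AzIoTDeviceProvisioningServiceEnrollment -ResourceGroupName $ResourceGroupName -DpsName $IotDpsName -RegistrationId $x509Enroll -PrimaryCertificate $SecondaryCertificateKey -SecondaryCertificate $PrimaryCertificateKey
+
+# TPM (new endorsement key)
+$tpmEnrollmentUpdated = Set-AzIoTDeviceProvisioningServiceEnrollment -ResourceGroupName $ResourceGroupName -DpsName $IotDpsName -RegistrationId $tpmEnroll -IotHubHostName $LinkedHubName -EndorsementKey $EndorsementKeyUpdated
+Assert-True { $tpmEnrollmentUpdated.Attestation.Tpm.EndorsementKey -eq $EndorsementKeyUpdated }
+
 # Remove Enrollment
 $result = Remove-AzIoTDeviceProvisioningServiceEnrollment -ResourceGroupName $ResourceGroupName -DpsName $IotDpsName -RegistrationId $tpmEnroll -PassThru
 Assert-True { $result }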
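Review bot: The symmetric-key assertions at new lines 178-179 use `Attestation.PrimaryKey`/`Attestation.SecondaryKey`, while the `Set-` call on line 176 and the TPM assertions on lines 171 and 186 address attestation material through a typed sub-object (`Attestation.SymmetricKey.*`, `Attestation.Tpm.*`); if `Attestation.PrimaryKey` does not exist on the returned object, each comparison becomes `$null -eq $null` and passes without verifying that the rotation happened. Bringing them in line with the call above, `Assert-True { $symEnrollmentUpdated.Attestation.SymmetricKey.PrimaryKey -eq $symEnrollment.Attestation.SymmetricKey.SecondaryKey }` and the mirror for `SecondaryKey`, makes the swap falsifiable. The X509 update on line 182 gets no assertion at all, whereas the TPM update on line 186 does; a `Type -eq "X509"` check and a comparison of the returned primary certificate against `$SecondaryCertificateKey` would close that gap (confirm the certificate property path against the cmdlet's output type, which is not visible here). Note also that `$EndorsementKeyUpdated` appears to be `$EndorsementKey` with only its first base64 character changed, so the TPM assertion proves the string round-trips but not that the service accepts a structurally valid replacement EK; a comment saying this is a synthetic value would help the next maintainer. The body of Test-AzIotDpsEnrollmentLifeCycle starts and ends outside this hunk.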
