added edge_ca validation for identity config (x509 DPS and TPM DPS)

JoergZeidler · JoergZeidler · commit 7ba7baafc203 · 2025-03-25T13:15:39.000+01:00
Signed-off-by: Joerg Zeidler &lt;62105035+JoergZeidler@users.noreply.github.com&gt;
diff --git a/src/validators/identity.rs b/src/validators/identity.rs
@@ -121,8 +121,12 @@ struct Tpm {
 #[serde(deny_unknown_fields)]
 #[allow(dead_code)]
 struct EdgeCA {
-    cert: String,
-    pk: String,
+    method: String,
+    common_name: String,
+    url: String,
+    bootstrap_identity_cert: String,
+    bootstrap_identity_pk: String,
+    auto_renew: Option<CertAutoRenew>,
 }
 
 #[derive(Debug, Deserialize)]
@@ -144,8 +148,8 @@ struct Urls {
 #[serde(deny_unknown_fields)]
 #[allow(dead_code, clippy::upper_case_acronyms)]
 struct EST {
-    auth: Auth,
-    urls: Urls,
+    auth: Option<Auth>,
+    urls: Option<Urls>,
     trusted_certs: Vec<String>,
 }
 
@@ -307,14 +311,9 @@ pub fn validate_identity(
             .as_ref()
             .and_then(|ci| ci.est.as_ref())
             .map(|est| {
-                est.auth.bootstrap_identity_cert.as_str()
-                    == "file:///mnt/cert/priv/device_id_cert.pem"
-                    && est.auth.bootstrap_identity_cert.as_str()
-                        == "file:///mnt/cert/priv/device_id_cert.pem"
-                    && est
-                        .trusted_certs
-                        .iter()
-                        .any(|e| e == "file:///mnt/cert/ca/ca.crt")
+                est.trusted_certs.iter().any(|e| {
+                    e == "file:///mnt/cert/ca/ca.crt" || e == "file:///mnt/cert/ca/edge_ca.crt"
+                })
             })
     {
         out.push(WARN_UNEXPECTED_PATH)
diff --git a/testfiles/identity_config_dps_tpm.toml b/testfiles/identity_config_dps_tpm.toml
@@ -6,4 +6,21 @@ global_endpoint = "https://global.azure-devices-provisioning.net"
 id_scope = "my-scope-id"
 
 [provisioning.attestation]
-method = "tpm"
+method = "tpm"
+
+[cert_issuance.est]
+trusted_certs = [
+     "file:///mnt/cert/ca/edge_ca.crt",
+]
+
+[edge_ca]
+method = "est"
+common_name = "test"
+url = "my-est-url"
+bootstrap_identity_cert = "file:///mnt/cert/priv/edge_ca_cert.pem"
+bootstrap_identity_pk = "file:///mnt/cert/priv/edge_ca_cert_key.pem"
+
+[edge_ca.auto_renew]
+rotate_key = true
+threshold = "80%"
+retry = "4%"
diff --git a/testfiles/identity_config_dps_x509_est.toml b/testfiles/identity_config_dps_x509_est.toml
@@ -21,6 +21,7 @@ retry = "4%"
 [cert_issuance.est]
 trusted_certs = [
      "file:///mnt/cert/ca/ca.crt",
+     "file:///mnt/cert/ca/edge_ca.crt",
 ]
 
 [cert_issuance.est.auth]
@@ -29,3 +30,15 @@ bootstrap_identity_pk = "file:///mnt/cert/priv/device_id_cert_key.pem"
 
 [cert_issuance.est.urls]
 default = "my-est-url"
+
+[edge_ca]
+method = "est"
+common_name = "test-omnect-est"
+url = "my-est-url"
+bootstrap_identity_cert = "file:///mnt/cert/priv/edge_ca_cert.pem"
+bootstrap_identity_pk = "file:///mnt/cert/priv/edge_ca_cert_key.pem"
+
+[edge_ca.auto_renew]
+rotate_key = true
+threshold = "80%"
+retry = "4%"
