Initially, I generate my own X509 Certificate that is CA-signed by following this tutorial (Powershell variant) - https://learn.microsoft.com/en-us/azure/iot-hub/tutorial-x509-scripts
Then, I made the following two scenarios:
static void Main(string[] args)
{
try
{
// Create an X.509 certificate object.
var cert = new X509Certificate2(@"..\test-device-auth\test-device-auth.pfx", "pass", X509KeyStorageFlags.UserKeySet);
Console.WriteLine("cert: ");
Console.WriteLine(cert);
// Create an authentication object using your X.509 certificate.
var auth = new DeviceAuthenticationWithX509Certificate(deviceId, cert);
// Create the device client.
var deviceClient = DeviceClient.Create("Arduino-IoT-Hub-Temperature.azure-devices.net", auth, TransportType.Mqtt);
if (deviceClient == null)
{
Console.WriteLine("Failed to create DeviceClient!");
}
else
{
Console.WriteLine("Successfully created DeviceClient!");
SendEvent(deviceClient).Wait();
}
Console.WriteLine("Exiting...\n");
}
catch (Exception ex)
{
Console.WriteLine("Error in sample: {0}", ex.Message);
}
}
In this case, the program works fine when passing the correct pfx and the correct pass phrase. Additionally, when I pass incorrect pass phrase or incorrect pfx, it fails - this is perfectly fine.
# -------------------------------------------------------------------------
# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License. See License.txt in the project root for
# license information.
# --------------------------------------------------------------------------
import os
import uuid
from azure.iot.device.aio import IoTHubDeviceClient
from azure.iot.device import Message, X509
import asyncio
messages_to_send = 10
async def main():
hostname = "Arduino-IoT-Hub-Temperature.azure-devices.net"
# The device that has been created on the portal using X509 CA signing or Self signing capabilities
device_id = "test-device-auth"
x509 = X509(
cert_file="../test-device-auth/test-device-auth-public.pem",
key_file="../test-device-auth/test-device-auth-private.pem",
pass_phrase="pass",
)
# The client object is used to interact with your Azure IoT hub.
device_client = IoTHubDeviceClient.create_from_x509_certificate(
hostname=hostname, device_id=device_id, x509=x509
)
# Connect the client.
await device_client.connect()
async def send_test_message(i):
print("sending message #" + str(i))
msg = Message("test wind speed " + str(i))
msg.message_id = uuid.uuid4()
msg.correlation_id = "correlation-1234"
# msg.custom_properties["tornado-warning"] = "yes"
msg.content_encoding = "utf-8"
msg.content_type = "application/json"
await device_client.send_message(msg)
print("done sending message #" + str(i))
# send `messages_to_send` messages in parallel
await asyncio.gather(*[send_test_message(i) for i in range(1, messages_to_send + 1)])
# Finally, shut down the client
await device_client.shutdown()
if __name__ == "__main__":
asyncio.run(main())
# If using Python 3.6 use the following code instead of asyncio.run(main()):
# loop = asyncio.get_event_loop()
# loop.run_until_complete(main())
# loop.close()
In this case, the .pem files are not secured with the pass_phrase and it does not matter if I will set correct, incorrect or no pass_phrase at all.
Does anyone know why it is like this and how it can be still secured with the pass_phrase?
When test-device-auth-private.pem was created it wasn't created as an encrypted key blob, so no passphrase is needed. You can encrypt it via something like openssl pkcs8 -in test-device-auth-private.pem -out test-device-auth-private-enc.pem -topk8 and give a password at the prompt.