X509 对象不检查我在 Azure IoT 中心设备中创建自己的 CA 签名证书时设置的密码

Question

Initially, I generate my own X509 Certificate that is CA-signed by following this tutorial (Powershell variant) - https://docs.microsoft.com/en-us/azure/iot-hub/tutorial-x509-scripts

Then, I made the following two scenarios:

1. Communication from my own laptop (Windows 10) to Azure IoT Hub Device using a .NET Framework app. Here is my simple code:

static void Main(string[] args)
        {
            try
            {
                // Create an X.509 certificate object.
                var cert = new X509Certificate2(@"..\test-device-auth\test-device-auth.pfx", "pass", X509KeyStorageFlags.UserKeySet);
                Console.WriteLine("cert: ");
                Console.WriteLine(cert);

                // Create an authentication object using your X.509 certificate. 
                var auth = new DeviceAuthenticationWithX509Certificate(deviceId, cert);

                // Create the device client.
                var deviceClient = DeviceClient.Create("Arduino-IoT-Hub-Temperature.azure-devices.net", auth, TransportType.Mqtt);

                if (deviceClient == null)
                {
                    Console.WriteLine("Failed to create DeviceClient!");
                }
                else
                {
                    Console.WriteLine("Successfully created DeviceClient!");
                    SendEvent(deviceClient).Wait();
                }

                Console.WriteLine("Exiting...\n");
            }
            catch (Exception ex)
            {
                Console.WriteLine("Error in sample: {0}", ex.Message);
            }
        }

In this case, the program works fine when passing the correct pfx and the correct pass phrase. Additionally, when I pass incorrect pass phrase or incorrect pfx, it fails - this is perfectly fine.

2. Communication directly from my Raspberry Pi 3B to the Azure IoT Hub Device using a python script. Here is the code:

# -------------------------------------------------------------------------
# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License. See License.txt in the project root for
# license information.
# --------------------------------------------------------------------------
import os
import uuid
from azure.iot.device.aio import IoTHubDeviceClient
from azure.iot.device import Message, X509
import asyncio

messages_to_send = 10

async def main():
    hostname = "Arduino-IoT-Hub-Temperature.azure-devices.net"
    # The device that has been created on the portal using X509 CA signing or Self signing capabilities
    device_id = "test-device-auth"

    x509 = X509(
        cert_file="../test-device-auth/test-device-auth-public.pem",
        key_file="../test-device-auth/test-device-auth-private.pem",
        pass_phrase="pass",
    )

    # The client object is used to interact with your Azure IoT hub.
    device_client = IoTHubDeviceClient.create_from_x509_certificate(
        hostname=hostname, device_id=device_id, x509=x509
    )

    # Connect the client.
    await device_client.connect()

    async def send_test_message(i):
        print("sending message #" + str(i))
        msg = Message("test wind speed " + str(i))
        msg.message_id = uuid.uuid4()
        msg.correlation_id = "correlation-1234"
        # msg.custom_properties["tornado-warning"] = "yes"
        msg.content_encoding = "utf-8"
        msg.content_type = "application/json"
        await device_client.send_message(msg)
        print("done sending message #" + str(i))

    # send `messages_to_send` messages in parallel
    await asyncio.gather(*[send_test_message(i) for i in range(1, messages_to_send + 1)])

    # Finally, shut down the client
    await device_client.shutdown()

if __name__ == "__main__":
    asyncio.run(main())

    # If using Python 3.6 use the following code instead of asyncio.run(main()):
    # loop = asyncio.get_event_loop()
    # loop.run_until_complete(main())
    # loop.close()

In this case, the .pem files are not secured with the pass_phrase and it does not matter if I will set correct, incorrect or no pass_phrase at all.

Does anyone know why it is like this and how it can be still secured with the pass_phrase?

Answer 1

When test-device-auth-private.pem was created it wasn't created as an encrypted key blob, so no passphrase is needed. You can encrypt it via something like openssl pkcs8 -in test-device-auth-private.pem -out test-device-auth-private-enc.pem -topk8 and give a password at the prompt.