0
votes

I have successfully provisioned a device in Azure IoT using TPM authentication by following this sample and the following guide: https://docs.microsoft.com/en-us/azure/iot-dps/quick-enroll-device-tpm-java

Now that my device is provisioned I'm trying to figure out the simplest way to connect to the IoT Hub using the keys stored on the TPM chip. I've tried the following code snippet:

SecurityProviderTpm securityClientTPM = new SecurityProviderTPMHsm();
DeviceClient client  = DeviceClient.createFromSecurityProvider("myhub.azure-devices.net", "my-device", securityClientTPM, IotHubClientProtocol.HTTPS);

but this fails with:

Exception in thread "main" java.io.IOException: com.microsoft.azure.sdk.iot.provisioning.security.exceptions.SecurityProviderException: activateIdentityKey first before signing
        at com.microsoft.azure.sdk.iot.device.auth.IotHubSasTokenHardwareAuthenticationProvider.generateSasTokenSignatureFromSecurityProvider(IotHubSasTokenHardwareAuthenticationProvider.java:169)
        at com.microsoft.azure.sdk.iot.device.auth.IotHubSasTokenHardwareAuthenticationProvider.<init>(IotHubSasTokenHardwareAuthenticationProvider.java:51)
        at com.microsoft.azure.sdk.iot.device.DeviceClientConfig.<init>(DeviceClientConfig.java:192)
        at com.microsoft.azure.sdk.iot.device.InternalClient.<init>(InternalClient.java:109)
        at com.microsoft.azure.sdk.iot.device.DeviceClient.<init>(DeviceClient.java:284)
        at com.microsoft.azure.sdk.iot.device.DeviceClient.createFromSecurityProvider(DeviceClient.java:250)
        at samples.com.microsoft.azure.sdk.iot.SendEvent.main(SendEvent.java:88)
Caused by: com.microsoft.azure.sdk.iot.provisioning.security.exceptions.SecurityProviderException: activateIdentityKey first before signing
        at com.microsoft.azure.sdk.iot.provisioning.security.hsm.SecurityProviderTPMHsm.signWithIdentity(SecurityProviderTPMHsm.java:371)
        at com.microsoft.azure.sdk.iot.device.auth.IotHubSasTokenHardwareAuthenticationProvider.generateSasTokenSignatureFromSecurityProvider(IotHubSasTokenHardwareAuthenticationProvider.java:155)
        ... 6 more

Searching the SDK code shows that activateIdentityKey is only called during the provisioning process though.

Re-invoking the provisioning procedure every time I want to connect the client doesn't seem right. Is there a better way to connect the device to the IoT Hub once it's been provisioned?

1
I am also facing the same issue. Someone please help. – Mohan Suresh Ramasamy
Did you get any clue? Were you able to instantiate the DeviceClient object using TPM? – Mohan Suresh Ramasamy

1 Answer

0
votes

I was able to work around this by removing the check in the signWithIdentity function and removing the need to pass the publicArea to the signData function.

The publicArea is only used to derive the hash algorithm which can be set to a constant given that we know how the key was created.

My updated signData function looks like:

private byte[] signData(Tpm tpm, byte[] tokenData) throws SecurityProviderException {
    TPM_ALG_ID  idKeyHashAlg = TPM_ALG_ID.SHA256;
    ...

This has been working well for us so far, but it would be nice to get some feedback from the library authors :)
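To make the failing step and the workaround concrete, here is an added example (not code from the question, the answer, or the Azure IoT SDK) that reproduces in Python what the SDK does when it builds a device SAS token: it forms the string-to-sign from the URL-encoded resource URI and the expiry, has the identity key sign it with HMAC-SHA256 (the SHA256 hash algorithm the answer hard-codes), and assembles the `SharedAccessSignature` string. The TPM is replaced by a software stand-in that keeps the same ordering rule the stack trace shows, so signing before `activate_identity_key()` raises, and a hub-side `verify_sas_token` recomputes the MAC. The device key, hub name and device ID are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote_plus, urlencode

# Constructed sample values (not from the page); the key is random-looking filler.
DEVICE_KEY_B64 = base64.b64encode(b"constructed-device-key-for-example").decode("ascii")
RESOURCE_URI = "myhub.azure-devices.net/devices/my-device"


class IdentityKeyNotActivated(Exception):
    """Raised when signing is requested before the identity key is activated."""


class SimulatedTpmSigner:
    """Software stand-in for the TPM-held identity key (assumption: a real TPM
    keeps the HMAC key inside the chip; here it is a plain bytes value).

    Mirrors the ordering rule seen in the SDK stack trace: the identity key
    must be activated (the provisioning step) before sign_with_identity() works.
    """

    def __init__(self, device_key_b64: str):
        self._key = base64.b64decode(device_key_b64)
        self._activated = False

    def activate_identity_key(self) -> None:
        # In the SDK this is done during DPS provisioning.
        self._activated = True

    def sign_with_identity(self, data: bytes) -> bytes:
        if not self._activated:
            raise IdentityKeyNotActivated("activateIdentityKey first before signing")
        # HMAC-SHA256 over the string-to-sign, the algorithm the answer fixes as SHA256.
        return hmac.new(self._key, data, hashlib.sha256).digest()


def string_to_sign(resource_uri: str, expiry_epoch: int) -> bytes:
    # Azure IoT Hub SAS format: URL-encoded resource URI, newline, expiry (Unix seconds).
    return f"{quote_plus(resource_uri)}\n{expiry_epoch}".encode("utf-8")


def build_sas_token(resource_uri: str, expiry_epoch: int, signer) -> str:
    """Device side: sign with the identity key and assemble the SAS token."""
    signature = base64.b64encode(signer.sign_with_identity(string_to_sign(resource_uri, expiry_epoch)))
    fields = {"sr": resource_uri, "sig": signature.decode("ascii"), "se": str(expiry_epoch)}
    return "SharedAccessSignature " + urlencode(fields)


def verify_sas_token(token: str, device_key_b64: str) -> bool:
    """Hub side: recompute the MAC from the token's own sr/se fields and compare."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        return False
    fields = parse_qs(token[len(prefix):])
    try:
        sr, sig, se = fields["sr"][0], fields["sig"][0], int(fields["se"][0])
    except (KeyError, ValueError):
        return False
    expected = hmac.new(base64.b64decode(device_key_b64), string_to_sign(sr, se), hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(sig))


def connect_flow(expiry_epoch: int = 1700000000) -> str:
    """Provision (activate) once, then build a token as a later connect would."""
    signer = SimulatedTpmSigner(DEVICE_KEY_B64)
    signer.activate_identity_key()
    return build_sas_token(RESOURCE_URI, expiry_epoch, signer)


if __name__ == "__main__":
    token = connect_flow()
    print(token)
    print("verifies:", verify_sas_token(token, DEVICE_KEY_B64))
```

The point of the stand-in is the ordering rule: the SDK's `signWithIdentity` refuses to sign until the key has been activated in the same process, which is why the question's `createFromSecurityProvider` call fails outside of provisioning. The answer's workaround removes that refusal and pins the hash algorithm to SHA256, which is exactly the `sign_with_identity` path here minus the `_activated` check.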