Connecting to Azure Iot Hub using TPM


Problem description

I have successfully provisioned a device in Azure IoT using TPM authentication by following this sample and the following guide: https://docs.microsoft.com/en-us/azure/iot-dps/quick-enroll-device-tpm-java

Now that my device is provisioned I'm trying to figure out the simplest way to connect to the IoT Hub using the keys stored on the TPM chip. I've tried the following code snippet:

// A fresh provider instance: nothing has called activateIdentityKey() on it yet.
SecurityProviderTpm securityClientTPM = new SecurityProviderTPMHsm();
DeviceClient client = DeviceClient.createFromSecurityProvider("myhub.azure-devices.net", "my-device", securityClientTPM, IotHubClientProtocol.HTTPS);

But this fails:

Exception in thread "main" java.io.IOException: com.microsoft.azure.sdk.iot.provisioning.security.exceptions.SecurityProviderException: activateIdentityKey first before signing
        at com.microsoft.azure.sdk.iot.device.auth.IotHubSasTokenHardwareAuthenticationProvider.generateSasTokenSignatureFromSecurityProvider(IotHubSasTokenHardwareAuthenticationProvider.java:169)
        at com.microsoft.azure.sdk.iot.device.auth.IotHubSasTokenHardwareAuthenticationProvider.<init>(IotHubSasTokenHardwareAuthenticationProvider.java:51)
        at com.microsoft.azure.sdk.iot.device.DeviceClientConfig.<init>(DeviceClientConfig.java:192)
        at com.microsoft.azure.sdk.iot.device.InternalClient.<init>(InternalClient.java:109)
        at com.microsoft.azure.sdk.iot.device.DeviceClient.<init>(DeviceClient.java:284)
        at com.microsoft.azure.sdk.iot.device.DeviceClient.createFromSecurityProvider(DeviceClient.java:250)
        at samples.com.microsoft.azure.sdk.iot.SendEvent.main(SendEvent.java:88)
Caused by: com.microsoft.azure.sdk.iot.provisioning.security.exceptions.SecurityProviderException: activateIdentityKey first before signing
        at com.microsoft.azure.sdk.iot.provisioning.security.hsm.SecurityProviderTPMHsm.signWithIdentity(SecurityProviderTPMHsm.java:371)
        at com.microsoft.azure.sdk.iot.device.auth.IotHubSasTokenHardwareAuthenticationProvider.generateSasTokenSignatureFromSecurityProvider(IotHubSasTokenHardwareAuthenticationProvider.java:155)
        ... 6 more

Searching the SDK code shows that activateIdentityKey is only called during the provisioning process though.

Re-invoking the provisioning procedure every time I want to connect the client doesn't seem right. Is there a better way to connect the device to the IoT Hub once it's been provisioned?
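For reference, the provision-then-connect flow that the Azure IoT Java SDK's own TPM provisioning sample follows, written here as an added example (it is not code from the question or from Microsoft). It registers with DPS and then opens the IoT Hub connection with the same SecurityProviderTpm instance: DPS registration calls activateIdentityKey() on that instance, and DeviceClient later calls signWithIdentity() on it, which is exactly the check that throws "activateIdentityKey first before signing" when a never-activated instance is used. The ID scope is a placeholder you must replace; the device is assumed to be enrolled already; MQTT instead of HTTPS is a choice, not a requirement. It does not remove the need to register again after a process restart, which is what the question asks about.

```java
import com.microsoft.azure.sdk.iot.device.DeviceClient;
import com.microsoft.azure.sdk.iot.device.IotHubClientProtocol;
import com.microsoft.azure.sdk.iot.device.IotHubStatusCode;
import com.microsoft.azure.sdk.iot.device.Message;
import com.microsoft.azure.sdk.iot.provisioning.device.ProvisioningDeviceClient;
import com.microsoft.azure.sdk.iot.provisioning.device.ProvisioningDeviceClientRegistrationResult;
import com.microsoft.azure.sdk.iot.provisioning.device.ProvisioningDeviceClientStatus;
import com.microsoft.azure.sdk.iot.provisioning.device.ProvisioningDeviceClientTransportProtocol;
import com.microsoft.azure.sdk.iot.provisioning.security.SecurityProviderTpm;
import com.microsoft.azure.sdk.iot.provisioning.security.hsm.SecurityProviderTPMHsm;

import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;

/**
 * Provision through DPS, then open the IoT Hub connection with the SAME
 * SecurityProviderTpm instance that DPS activated the identity key on.
 */
public class ProvisionThenConnect {
    // Real DPS global endpoint.
    private static final String GLOBAL_ENDPOINT = "global.azure-devices-provisioning.net";
    // Assumed placeholder: replace with the ID scope of your DPS instance.
    private static final String ID_SCOPE = "0ne00000000";

    /** What the asynchronous DPS registration callback hands back. */
    private static final class RegistrationOutcome {
        volatile ProvisioningDeviceClientRegistrationResult result;
        volatile Exception error;
        final CountDownLatch done = new CountDownLatch(1);
    }

    private static boolean isTerminal(ProvisioningDeviceClientStatus s) {
        return s == ProvisioningDeviceClientStatus.PROVISIONING_DEVICE_STATUS_ASSIGNED
            || s == ProvisioningDeviceClientStatus.PROVISIONING_DEVICE_STATUS_ERROR
            || s == ProvisioningDeviceClientStatus.PROVISIONING_DEVICE_STATUS_DISABLED
            || s == ProvisioningDeviceClientStatus.PROVISIONING_DEVICE_STATUS_FAILED;
    }

    /** Registers with DPS; on success the identity key is now active inside `provider`. */
    static ProvisioningDeviceClientRegistrationResult register(SecurityProviderTpm provider)
            throws Exception {
        RegistrationOutcome outcome = new RegistrationOutcome();
        ProvisioningDeviceClient dps = ProvisioningDeviceClient.create(
                GLOBAL_ENDPOINT, ID_SCOPE,
                ProvisioningDeviceClientTransportProtocol.HTTPS, provider);
        try {
            dps.registerDevice((result, e, context) -> {
                outcome.result = result;
                outcome.error = e;
                // Only release the waiter on a final status or an error.
                if (e != null || result == null
                        || isTerminal(result.getProvisioningDeviceClientStatus())) {
                    outcome.done.countDown();
                }
            }, null);
            if (!outcome.done.await(2, TimeUnit.MINUTES)) {
                throw new IllegalStateException("DPS registration timed out");
            }
        } finally {
            dps.closeNow();
        }
        if (outcome.error != null) {
            throw outcome.error;
        }
        ProvisioningDeviceClientRegistrationResult reg = outcome.result;
        if (reg == null || reg.getProvisioningDeviceClientStatus()
                != ProvisioningDeviceClientStatus.PROVISIONING_DEVICE_STATUS_ASSIGNED) {
            throw new IllegalStateException("DPS did not assign the device: "
                    + (reg == null ? "no result" : reg.getProvisioningDeviceClientStatus()));
        }
        return reg;
    }

    public static void main(String[] args) throws Exception {
        // One provider for the whole session: DPS activates the identity key on it,
        // and DeviceClient signs SAS tokens with that same activated key.
        SecurityProviderTpm provider = new SecurityProviderTPMHsm();

        // Hub URI and device id come back from DPS; do not hardcode them.
        ProvisioningDeviceClientRegistrationResult reg = register(provider);

        DeviceClient client = DeviceClient.createFromSecurityProvider(
                reg.getIothubUri(), reg.getDeviceId(), provider, IotHubClientProtocol.MQTT);
        client.open();
        try {
            CountDownLatch acked = new CountDownLatch(1);
            Message msg = new Message("{\"source\":\"tpm-example\"}"); // constructed payload
            client.sendEventAsync(msg, (IotHubStatusCode status, Object ctx) -> {
                System.out.println("IoT Hub responded: " + status);
                acked.countDown();
            }, null);
            if (!acked.await(30, TimeUnit.SECONDS)) {
                System.err.println("no acknowledgement from IoT Hub within 30s");
            }
        } finally {
            client.closeNow();
        }
    }
}
```

The point to take from this is where the state lives: the "activateIdentityKey first" guard is per provider object, so a DeviceClient built from a brand-new SecurityProviderTPMHsm, as in the question's snippet, can never pass it, no matter what is persisted in the TPM. Whether a later SDK version reloads a previously activated key from the TPM on construction is not something this page establishes, so treat that as something to verify against the SDK version you run.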

Recommended answer

I was able to work around this by removing the check in the signWithIdentity function and removing the need to pass the publicArea to the signData function.

The publicArea is only used to derive the hash algorithm which can be set to a constant given that we know how the key was created.

My updated signData function is as follows:

private byte[] signData(Tpm tpm, byte[] tokenData) throws SecurityProviderException {
    // Hash algorithm fixed to SHA256 instead of being derived from the key's publicArea.
    TPM_ALG_ID idKeyHashAlg = TPM_ALG_ID.SHA256;
    ...

This has been working well for us so far, but it would be nice to get some feedback from the library authors :)
