DPS Simulation with x.509 / prov_dev_client_sample doesn't work

[geebinge]

I have an issue with the demo you provided at https://learn.microsoft.com/en-us/azure/iot-dps/quick-create-simulated-device-x509?tabs=linux&pivots=programming-language-ansi-c

I have installed Ubuntu 20.04 and try it now 2 times (1st with main and 2nd time with lts_03_2024), always with the same issue. Everything works fine until I run the sample.

gerhard@fme-geb-scb-dev:~/azure-iot-sdk-c/cmake$ provisioning_client/samples/prov_dev_client_sample/prov_dev_client_sample
Provisioning API Version: 1.12.1

Registering Device

Error: Time:Tue Jun 25 19:39:28 2024 File:/home/gerhard/azure-iot-sdk-c/c-utility/adapters/x509_openssl.c Func:log_ERR_get_error Line:33 failure creating private key evp_key
Error: Time:Tue Jun 25 19:39:28 2024 File:/home/gerhard/azure-iot-sdk-c/c-utility/adapters/x509_openssl.c Func:log_ERR_get_error Line:40   [0] error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
Error: Time:Tue Jun 25 19:39:28 2024 File:/home/gerhard/azure-iot-sdk-c/c-utility/adapters/x509_openssl.c Func:log_ERR_get_error Line:40   [1] error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
Error: Time:Tue Jun 25 19:39:28 2024 File:/home/gerhard/azure-iot-sdk-c/c-utility/adapters/x509_openssl.c Func:log_ERR_get_error Line:40   [2] error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
Error: Time:Tue Jun 25 19:39:28 2024 File:/home/gerhard/azure-iot-sdk-c/c-utility/adapters/x509_openssl.c Func:log_ERR_get_error Line:40   [3] error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib
Error: Time:Tue Jun 25 19:39:28 2024 File:/home/gerhard/azure-iot-sdk-c/c-utility/adapters/tlsio_openssl.c Func:log_ERR_get_error Line:490 unable to use x509 authentication
Error: Time:Tue Jun 25 19:39:28 2024 File:/home/gerhard/azure-iot-sdk-c/c-utility/adapters/tlsio_openssl.c Func:tlsio_openssl_open Line:1449 Failed creating the OpenSSL instance.
Error: Time:Tue Jun 25 19:39:28 2024 File:/home/gerhard/azure-iot-sdk-c/umqtt/src/mqtt_client.c Func:mqtt_client_connect Line:1124 Error: io_open failed
Error: Time:Tue Jun 25 19:39:28 2024 File:/home/gerhard/azure-iot-sdk-c/provisioning_client/src/prov_transport_mqtt_common.c Func:create_connection Line:645 Failure connecting to mqtt server
Error: Time:Tue Jun 25 19:39:28 2024 File:/home/gerhard/azure-iot-sdk-c/provisioning_client/src/prov_transport_mqtt_common.c Func:prov_transport_common_mqtt_dowork Line:919 unable to create mqtt connection
Error: Time:Tue Jun 25 19:39:28 2024 File:/home/gerhard/azure-iot-sdk-c/provisioning_client/src/prov_device_ll_client.c Func:on_transport_registration_data Line:762 Failure retrieving data from the provisioning service

Failure registering device: PROV_DEVICE_RESULT_TRANSPORT
Press enter key to exit:

I use
OpenSSL 1.1.1f 31 Mar 2020.
lts_03_2024 https://github.com/Azure/azure-iot-sdk-c.git
Ubuntu 20.04.6 LTS

The build I did in that way.

cmake -Duse_prov_client=ON ..
cmake --build .
cmake -Duse_prov_client:BOOL=ON -Dhsm_type_custom=ON -Dhsm_custom_lib="~/azure-iot-sdk-c/cmake/provisioning_client/samples/custom_hsm_example/libcustom_hsm_example.a" .
cmake --build .

[comorris2]

It appears from your comment that you are leveraging the relative path to the -Dhsm_custom_lib. Instead, could you attempt to follow the scenario using the absolute path and verify the outcome?

The documentation states:

When specifying the path used with -Dhsm_custom_lib in the following command, make sure to use the absolute path to the library in the cmake directory you previously created.

[geebinge]

if I do it with the absolute path, the result stays the same.

cmake -Duse_prov_client=ON ..
cmake --build .
cmake -Duse_prov_client:BOOL=ON -Dhsm_type_custom=ON -Dhsm_custom_lib="/home/$USER/azure-iot-sdk-c/cmake/provisioning_client/samples/custom_hsm_example/libcustom_hsm_example.a" .
cmake --build .

[geebinge]

We found the issue on our own. The way we add the certs into the code was the wrong one. The whole cert chain must be part of static const char* const CERTIFICATE = "-----BEGIN CERTIFICATE-----""\n" in the custom hsm example.

/usr/share/ca-certificates/ does not work, at least not in our case.