Better key gen (#279)
* Generate cryptographically secure device key.
* Increment version.
digimaun authored Nov 19, 2020
1 parent bda9764 commit a5e3acc
Showing 9 changed files with 41 additions and 29 deletions.
10 changes: 10 additions & 0 deletions HISTORY.rst
Expand Up @@ -2,6 +2,15 @@
Release History
===============

0.10.7
+++++++++++++++

**IoT Hub updates**

* Change command name from az iot hub device-identity `regenerate-key` to `renew-key` to better align with az cli core verbs.


0.10.6
+++++++++++++++

Expand All @@ -24,6 +33,7 @@ Release History
* 'az iot hub device-identity remove-children' is deprecated use 'az iot hub device-identity children remove' instead. Deprecated command is planned to be removed by December 2021
* 'az iot hub device-identity list-children' is deprecated use 'az iot hub device-identity children list' instead. Deprecated command group is planned to be removed by December 2021


0.10.5
+++++++++++++++

10 changes: 5 additions & 5 deletions azext_iot/_help.py
Expand Up @@ -216,15 +216,15 @@
"""

helps[
"iot hub device-identity regenerate-key"
"iot hub device-identity renew-key"
] = """
type: command
short-summary: Regenerate target keys of an IoT Hub device with sas authentication.
short-summary: Renew target keys of an IoT Hub device with sas authentication.
examples:
- name: Regenerate the primary key.
text: az iot hub device-identity regenerate-key -d {device_id} -n {iothub_name} --kt primary
- name: Renew the primary key.
text: az iot hub device-identity renew-key -d {device_id} -n {iothub_name} --kt primary
- name: Swap the primary and secondary keys.
text: az iot hub device-identity regenerate-key -d {device_id} -n {iothub_name} --kt swap
text: az iot hub device-identity renew-key -d {device_id} -n {iothub_name} --kt swap
"""

helps[
8 changes: 4 additions & 4 deletions azext_iot/_params.py
Expand Up @@ -31,7 +31,7 @@
JobCreateType,
JobStatusType,
AuthenticationType,
RegenerateKeyType,
RenewKeyType,
)
from azext_iot._validators import mode2_iot_login_handler
from azext_iot.assets.user_messages import info_param_properties_device
Expand Down Expand Up @@ -416,11 +416,11 @@ def load_arguments(self, _):
deprecate_info=context.deprecate()
)

with self.argument_context('iot hub device-identity regenerate-key') as context:
with self.argument_context('iot hub device-identity renew-key') as context:
context.argument(
"regenerate_key",
"renew_key_type",
options_list=["--key-type", "--kt"],
arg_type=get_enum_type(RegenerateKeyType),
arg_type=get_enum_type(RenewKeyType),
help="Target key type to regenerate."
)

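Review bot: The argument help at `help="Target key type to regenerate."` still uses the old verb although the command, the parameter and the enum in this hunk were all renamed to renew; it should read `help="Target key type to renew."`. The same stale wording survives in the RenewKeyType docstring in azext_iot/common/shared.py (`Target key type for regeneration.`), which this commit renames without touching its text. The enclosing load_arguments body continues outside the hunk.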
2 changes: 1 addition & 1 deletion azext_iot/commands.py
Expand Up @@ -40,7 +40,7 @@ def load_command_table(self, _):
setter_name="iot_device_update",
custom_func_name="update_iot_device_custom"
)
cmd_group.command("regenerate-key", 'iot_device_key_regenerate')
cmd_group.command("renew-key", 'iot_device_key_regenerate')
cmd_group.command(
"show-connection-string",
"iot_get_device_connection_string",
2 changes: 1 addition & 1 deletion azext_iot/common/shared.py
Expand Up @@ -216,7 +216,7 @@ class AuthenticationType(Enum):
identityBased = "identity"


class RegenerateKeyType(Enum):
class RenewKeyType(Enum):
"""
Target key type for regeneration.
"""
13 changes: 7 additions & 6 deletions azext_iot/common/utility.py
Expand Up @@ -18,7 +18,6 @@
import re
import hmac
import hashlib
import random

from threading import Event, Thread
from datetime import datetime
Expand Down Expand Up @@ -519,8 +518,10 @@ def compute_device_key(primary_key, registration_id):


def generate_key(byte_length=32):
key = ""
while byte_length > 0:
key += chr(random.randrange(1, 128))
byte_length -= 1
return base64.b64encode(key.encode()).decode("utf-8")
"""
Generate cryptographically secure device key.
"""
import secrets

token_bytes = secrets.token_bytes(byte_length)
return base64.b64encode(token_bytes).decode("utf8")
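Review bot: `import secrets` sits inside generate_key's body although every other import in this module is at the top of the file, where this same hunk removes `import random`; replacing that removed line with a module-level `import secrets` and dropping the local import would match the file's convention. The docstring should also state the contract: byte_length is the number of random bytes drawn from secrets.token_bytes, and the return value is their base64 text, so the returned string is longer than byte_length characters. It is worth recording, in the docstring or the changelog, why the rewrite matters: the removed loop drew each byte from random.randrange(1, 128), a non-cryptographic PRNG restricted to 127 values, so keys produced by the old code carry far less entropy than their length suggests and callers may want to renew them.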
2 changes: 1 addition & 1 deletion azext_iot/constants.py
Expand Up @@ -7,7 +7,7 @@

import os

VERSION = "0.10.6"
VERSION = "0.10.7"
EXTENSION_NAME = "azure-iot"
EXTENSION_ROOT = os.path.dirname(os.path.abspath(__file__))
EXTENSION_CONFIG_ROOT_KEY = "iotext"
11 changes: 6 additions & 5 deletions azext_iot/operations/hub.py
Expand Up @@ -24,7 +24,7 @@
ConfigType,
KeyType,
SettleType,
RegenerateKeyType,
RenewKeyType,
IoTHubStateType
)
from azext_iot.iothub.providers.discovery import IotHubDiscovery
Expand Down Expand Up @@ -417,7 +417,7 @@ def _update_device_key(target, device, auth_method, pk, sk):
raise CLIError(err)


def iot_device_key_regenerate(cmd, hub_name, device_id, regenerate_key, resource_group_name=None, login=None):
def iot_device_key_regenerate(cmd, hub_name, device_id, renew_key_type, resource_group_name=None, login=None):
discovery = IotHubDiscovery(cmd)
target = discovery.get_target(
hub_name=hub_name, resource_group_name=resource_group_name, login=login
Expand All @@ -428,11 +428,12 @@ def iot_device_key_regenerate(cmd, hub_name, device_id, regenerate_key, resource

pk = device["authentication"]["symmetricKey"]["primaryKey"]
sk = device["authentication"]["symmetricKey"]["secondaryKey"]
if regenerate_key == RegenerateKeyType.primary.value:

if renew_key_type == RenewKeyType.primary.value:
pk = generate_key()
if regenerate_key == RegenerateKeyType.secondary.value:
if renew_key_type == RenewKeyType.secondary.value:
sk = generate_key()
if regenerate_key == RegenerateKeyType.swap.value:
if renew_key_type == RenewKeyType.swap.value:
temp = pk
pk = sk
sk = temp
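Review bot: The function is still named `iot_device_key_regenerate` although its parameter became `renew_key_type` and azext_iot/commands.py now registers `"renew-key"` against that old name; renaming it to `iot_device_key_renew` and updating the commands.py registration would complete the rename, assuming no other caller references the old name. Note also that the three `if` tests are independent and there is no fallback for an unrecognised value, so an unexpected renew_key_type would presumably fall through to the update with both keys unchanged; get_enum_type on the argument likely prevents that, but a closing `else: raise CLIError(...)` would make the contract explicit. The function body continues past the hunk.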
12 changes: 6 additions & 6 deletions azext_iot/tests/test_iot_ext_int.py
Expand Up @@ -518,9 +518,9 @@ def test_hub_devices(self):
],
)

# Test 'az iot hub device regenerate-key'
# Test 'az iot hub device renew-key'
device = self.cmd(
'''iot hub device-identity regenerate-key -d {} -n {} -g {} --kt primary
'''iot hub device-identity renew-key -d {} -n {} -g {} --kt primary
'''.format(
edge_device_ids[1], LIVE_HUB, LIVE_RG
),
Expand All @@ -529,9 +529,9 @@ def test_hub_devices(self):
]
).get_output_in_json()

# Test swap keys 'az iot hub device regenerate-key'
# Test swap keys 'az iot hub device renew-key'
self.cmd(
'''iot hub device-identity regenerate-key -d {} -n {} -g {} --kt swap
'''iot hub device-identity renew-key -d {} -n {} -g {} --kt swap
'''.format(
edge_device_ids[1], LIVE_HUB, LIVE_RG
),
Expand All @@ -541,8 +541,8 @@ def test_hub_devices(self):
],
)

# Test 'az iot hub device regenerate-key' with non sas authentication
self.cmd("iot hub device-identity regenerate-key -d {} -n {} -g {} --kt secondary"
# Test 'az iot hub device renew-key' with non sas authentication
self.cmd("iot hub device-identity renew-key -d {} -n {} -g {} --kt secondary"
.format(device_ids[0], LIVE_HUB, LIVE_RG),
expect_failure=True)

