Azure · Feb 1, 2022
diff --git a/‎edge-agent/src/Microsoft.Azure.Devices.Edge.Agent.Core/planners/HealthRestartPlanner.cs
-3 b/‎edge-agent/src/Microsoft.Azure.Devices.Edge.Agent.Core/planners/HealthRestartPlanner.cs
-3
diff --git a/‎edge-hub/core/src/Microsoft.Azure.Devices.Edge.Hub.Http/EdgeHubScopeResultHelpers.cs
+5-8 b/‎edge-hub/core/src/Microsoft.Azure.Devices.Edge.Hub.Http/EdgeHubScopeResultHelpers.cs
+5-8
diff --git a/‎edge-hub/core/test/Microsoft.Azure.Devices.Edge.Hub.CloudProxy.Test/DeviceScopeCertificateAuthenticatorTest.cs
+19-19 b/‎edge-hub/core/test/Microsoft.Azure.Devices.Edge.Hub.CloudProxy.Test/DeviceScopeCertificateAuthenticatorTest.cs
+19-19
diff --git a/‎edge-util/src/Microsoft.Azure.Devices.Edge.Util/CertificateHelper.cs
+93-52 b/‎edge-util/src/Microsoft.Azure.Devices.Edge.Util/CertificateHelper.cs
+93-52
@@ -4,17 +4,14 @@ namespace Microsoft.Azure.Devices.Edge.Agent.Core.Planners
     using System;
     using System.Collections.Generic;
     using System.Collections.Immutable;
-    using System.Diagnostics;
     using System.Linq;
-    using System.Runtime.CompilerServices;
     using System.Threading.Tasks;
     using Microsoft.Azure.Devices.Edge.Agent.Core.Commands;
     using Microsoft.Azure.Devices.Edge.Storage;
     using Microsoft.Azure.Devices.Edge.Util;
     using Microsoft.Extensions.Logging;
     using Newtonsoft.Json;
     using Nito.AsyncEx;
-    using Org.BouncyCastle.Math.EC.Rfc7748;
     using DiffState = System.ValueTuple<
         // added modules
         System.Collections.Generic.IList<Microsoft.Azure.Devices.Edge.Agent.Core.IModule>,
 
@@ -1,13 +1,10 @@
 // Copyright (c) Microsoft. All rights reserved.
 namespace Microsoft.Azure.Devices.Edge.Hub.Http.Controllers
 {
-    using System.Collections.Generic;
-    using System.Linq;
-    using Microsoft.Azure.Devices.Edge.Hub.Core;
+    using System;
     using Microsoft.Azure.Devices.Edge.Hub.Core.Identity.Service;
     using Microsoft.Azure.Devices.Edge.Util;
     using Microsoft.Azure.Devices.Shared;
-    using Org.BouncyCastle.Security;
 
     public static class EdgeHubScopeResultHelpers
     {
@@ -30,7 +27,7 @@ public static EdgeHubScopeModule ToEdgeHubScopeModule(this ServiceIdentity ident
         {
             Preconditions.CheckNotNull(identity);
             Preconditions.CheckArgument(identity.IsModule);
-            string moduleId = identity.ModuleId.Expect(() => new InvalidParameterException($"ModuleId shouldn't be empty when ServiceIdentity is a module: {identity.Id}"));
+            string moduleId = identity.ModuleId.Expect(() => new InvalidOperationException($"ModuleId shouldn't be empty when ServiceIdentity is a module: {identity.Id}"));
 
             return new EdgeHubScopeModule(
                 Preconditions.CheckNonWhiteSpace(moduleId, nameof(moduleId)),
@@ -53,13 +50,13 @@ static AuthenticationMechanism GetAuthenticationMechanism(ServiceAuthentication
             {
                 case ServiceAuthenticationType.SymmetricKey:
                     authentication.Type = AuthenticationType.Sas;
-                    var sasKey = serviceAuth.SymmetricKey.Expect(() => new InvalidParameterException("SAS key shouldn't be empty when auth type is SymmetricKey"));
+                    var sasKey = serviceAuth.SymmetricKey.Expect(() => new InvalidOperationException("SAS key shouldn't be empty when auth type is SymmetricKey"));
                     authentication.SymmetricKey = new SymmetricKey() { PrimaryKey = sasKey.PrimaryKey, SecondaryKey = sasKey.SecondaryKey };
                     break;
 
                 case ServiceAuthenticationType.CertificateThumbprint:
                     authentication.Type = AuthenticationType.SelfSigned;
-                    var x509Thumbprint = serviceAuth.X509Thumbprint.Expect(() => new InvalidParameterException("X509 thumbprint shouldn't be empty when auth type is CertificateThumbPrint"));
+                    var x509Thumbprint = serviceAuth.X509Thumbprint.Expect(() => new InvalidOperationException("X509 thumbprint shouldn't be empty when auth type is CertificateThumbPrint"));
                     authentication.X509Thumbprint = new X509Thumbprint() { PrimaryThumbprint = x509Thumbprint.PrimaryThumbprint, SecondaryThumbprint = x509Thumbprint.SecondaryThumbprint };
                     break;
 
@@ -72,7 +69,7 @@ static AuthenticationMechanism GetAuthenticationMechanism(ServiceAuthentication
                     break;
 
                 default:
-                    throw new InvalidParameterException($"Unexpected ServiceAuthenticationType: {serviceAuth.Type}");
+                    throw new InvalidOperationException($"Unexpected ServiceAuthenticationType: {serviceAuth.Type}");
             }
 
             return authentication;
 
@@ -238,8 +238,8 @@ public async Task AuthenticateAsyncWithDeviceCAX509InScopeCacheSucceeds()
         {
             var notBefore = DateTime.Now.Subtract(TimeSpan.FromDays(2));
             var notAfter = DateTime.Now.AddYears(1);
-            var (caCert, caKeyPair) = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", notBefore, notAfter, true);
-            var (issuedClientCert, issuedClientKeyPair) = TestCertificateHelper.GenerateCertificate("MyIssuedTestClient", notBefore, notAfter, caCert, caKeyPair, false, null, null);
+            var caCert = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", notBefore, notAfter, true);
+            var issuedClientCert = TestCertificateHelper.GenerateCertificate("MyIssuedTestClient", notBefore, notAfter, caCert, false, null, null);
             IList<X509Certificate2> issuedClientCertChain = new List<X509Certificate2>() { caCert };
             IList<X509Certificate2> trustBundle = new List<X509Certificate2>() { caCert };
             string deviceId = "MyIssuedTestClient";
@@ -269,8 +269,8 @@ public async Task AuthenticateAsyncWithDeviceCAX509NotInScopeCacheFails()
         {
             var notBefore = DateTime.Now.Subtract(TimeSpan.FromDays(2));
             var notAfter = DateTime.Now.AddYears(1);
-            var (caCert, caKeyPair) = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", notBefore, notAfter, true);
-            var (issuedClientCert, issuedClientKeyPair) = TestCertificateHelper.GenerateCertificate("MyIssuedTestClient", notBefore, notAfter, caCert, caKeyPair, false, null, null);
+            var caCert = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", notBefore, notAfter, true);
+            var issuedClientCert = TestCertificateHelper.GenerateCertificate("MyIssuedTestClient", notBefore, notAfter, caCert, false, null, null);
             IList<X509Certificate2> issuedClientCertChain = new List<X509Certificate2>() { caCert };
             IList<X509Certificate2> trustBundle = new List<X509Certificate2>() { caCert };
             string deviceId = "MyIssuedTestClient";
@@ -300,8 +300,8 @@ public async Task AuthenticateAsyncWithDeviceCAX509ExpiredCertInScopeCacheFails(
         {
             var notBefore = DateTime.Now.Subtract(TimeSpan.FromDays(2));
             var notAfter = DateTime.Now.Subtract(TimeSpan.FromDays(1));
-            var (caCert, caKeyPair) = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", notBefore, notAfter, true);
-            var (issuedClientCert, issuedClientKeyPair) = TestCertificateHelper.GenerateCertificate("MyIssuedTestClient", notBefore, notAfter, caCert, caKeyPair, false, null, null);
+            var caCert = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", notBefore, notAfter, true);
+            var issuedClientCert = TestCertificateHelper.GenerateCertificate("MyIssuedTestClient", notBefore, notAfter, caCert, false, null, null);
             IList<X509Certificate2> issuedClientCertChain = new List<X509Certificate2>() { caCert };
             IList<X509Certificate2> trustBundle = new List<X509Certificate2>() { caCert };
             string deviceId = "MyIssuedTestClient";
@@ -331,8 +331,8 @@ public async Task AuthenticateAsyncWithDeviceCAX509FutureValidCertInScopeCacheFa
             var notBefore = DateTime.Now.AddYears(1);
             var notAfter = DateTime.Now.AddYears(2);
 
-            var (caCert, caKeyPair) = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", notBefore, notAfter, true);
-            var (issuedClientCert, issuedClientKeyPair) = TestCertificateHelper.GenerateCertificate("MyIssuedTestClient", notBefore, notAfter, caCert, caKeyPair, false, null, null);
+            var caCert = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", notBefore, notAfter, true);
+            var issuedClientCert = TestCertificateHelper.GenerateCertificate("MyIssuedTestClient", notBefore, notAfter, caCert, false, null, null);
             IList<X509Certificate2> issuedClientCertChain = new List<X509Certificate2>() { caCert };
             IList<X509Certificate2> trustBundle = new List<X509Certificate2>() { caCert };
             string deviceId = "MyIssuedTestClient";
@@ -362,8 +362,8 @@ public async Task AuthenticateAsyncWithDeviceCAX509CATrueInScopeCacheFails()
             var notBefore = DateTime.Now.Subtract(TimeSpan.FromDays(2));
             var notAfter = DateTime.Now.AddYears(1);
 
-            var (caCert, caKeyPair) = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", notBefore, notAfter, true);
-            var (issuedClientCert, issuedClientKeyPair) = TestCertificateHelper.GenerateCertificate("MyIssuedTestClient", notBefore, notAfter, caCert, caKeyPair, true, null, null);
+            var caCert = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", notBefore, notAfter, true);
+            var issuedClientCert = TestCertificateHelper.GenerateCertificate("MyIssuedTestClient", notBefore, notAfter, caCert, true, null, null);
             IList<X509Certificate2> issuedClientCertChain = new List<X509Certificate2>() { caCert };
             IList<X509Certificate2> trustBundle = new List<X509Certificate2>() { caCert };
             string deviceId = "MyIssuedTestClient";
@@ -392,8 +392,8 @@ public async Task AuthenticateAsyncWithMismatchDeviceIDCAX509InScopeCacheFails()
         {
             var notBefore = DateTime.Now.Subtract(TimeSpan.FromDays(2));
             var notAfter = DateTime.Now.AddYears(1);
-            var (caCert, caKeyPair) = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", notBefore, notAfter, true);
-            var (issuedClientCert, issuedClientKeyPair) = TestCertificateHelper.GenerateCertificate("MyIssuedTestClient", notBefore, notAfter, caCert, caKeyPair, false, null, null);
+            var caCert = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", notBefore, notAfter, true);
+            var issuedClientCert = TestCertificateHelper.GenerateCertificate("MyIssuedTestClient", notBefore, notAfter, caCert, false, null, null);
             IList<X509Certificate2> issuedClientCertChain = new List<X509Certificate2>() { caCert };
             IList<X509Certificate2> trustBundle = new List<X509Certificate2>() { caCert };
             string deviceId = "different from CN";
@@ -422,8 +422,8 @@ public async Task AuthenticateAsyncWithEmptyChainDeviceCAX509InScopeCacheFails()
         {
             var notBefore = DateTime.Now.Subtract(TimeSpan.FromDays(2));
             var notAfter = DateTime.Now.AddYears(1);
-            var (caCert, caKeyPair) = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", notBefore, notAfter, true);
-            var (issuedClientCert, issuedClientKeyPair) = TestCertificateHelper.GenerateCertificate("MyIssuedTestClient", notBefore, notAfter, caCert, caKeyPair, false, null, null);
+            var caCert = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", notBefore, notAfter, true);
+            var issuedClientCert = TestCertificateHelper.GenerateCertificate("MyIssuedTestClient", notBefore, notAfter, caCert, false, null, null);
             IList<X509Certificate2> issuedClientCertChain = new List<X509Certificate2>() { }; // empty chain supplied
             IList<X509Certificate2> trustBundle = new List<X509Certificate2>() { caCert };
             string deviceId = "different from CN";
@@ -452,9 +452,9 @@ public async Task AuthenticateAsyncWithInvalidChainDeviceCAX509InScopeCacheFails
         {
             var notBefore = DateTime.Now.Subtract(TimeSpan.FromDays(2));
             var notAfter = DateTime.Now.AddYears(1);
-            var (caCert, caKeyPair) = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", notBefore, notAfter, true);
-            var (otherCaCert, otherCaKeyPair) = TestCertificateHelper.GenerateSelfSignedCert("MyOtherTestCA", notBefore, notAfter, true);
-            var (issuedClientCert, issuedClientKeyPair) = TestCertificateHelper.GenerateCertificate("MyIssuedTestClient", notBefore, notAfter, caCert, caKeyPair, false, null, null);
+            var caCert = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", notBefore, notAfter, true);
+            var otherCaCert = TestCertificateHelper.GenerateSelfSignedCert("MyOtherTestCA", notBefore, notAfter, true);
+            var issuedClientCert = TestCertificateHelper.GenerateCertificate("MyIssuedTestClient", notBefore, notAfter, caCert, false, null, null);
             IList<X509Certificate2> issuedClientCertChain = new List<X509Certificate2>() { otherCaCert }; // invalid chain supplied
             IList<X509Certificate2> trustBundle = new List<X509Certificate2>() { caCert };
             string deviceId = "different from CN";
@@ -529,8 +529,8 @@ public async Task AuthenticateAsyncWithModuleCAX509InScopeCacheFails()
         {
             var notBefore = DateTime.Now.Subtract(TimeSpan.FromDays(2));
             var notAfter = DateTime.Now.AddYears(1);
-            var (caCert, caKeyPair) = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", notBefore, notAfter, true);
-            var (issuedClientCert, issuedClientKeyPair) = TestCertificateHelper.GenerateCertificate("MyIssuedTestClient", notBefore, notAfter, caCert, caKeyPair, false, null, null);
+            var caCert = TestCertificateHelper.GenerateSelfSignedCert("MyTestCA", notBefore, notAfter, true);
+            var issuedClientCert = TestCertificateHelper.GenerateCertificate("MyIssuedTestClient", notBefore, notAfter, caCert, false, null, null);
             IList<X509Certificate2> issuedClientCertChain = new List<X509Certificate2>() { caCert };
             IList<X509Certificate2> trustBundle = new List<X509Certificate2>() { caCert };
             string deviceId = "d1";
 
@@ -9,18 +9,16 @@ namespace Microsoft.Azure.Devices.Edge.Util
     using System.Security.Cryptography;
     using System.Security.Cryptography.X509Certificates;
     using System.Text;
+    using System.Threading;
     using System.Threading.Tasks;
     using Microsoft.Azure.Devices.Edge.Util.Edged;
     using Microsoft.Extensions.Logging;
-    using Org.BouncyCastle.Crypto;
-    using Org.BouncyCastle.Crypto.Parameters;
-    using Org.BouncyCastle.OpenSsl;
-    using Org.BouncyCastle.Pkcs;
-    using Org.BouncyCastle.Security;
-    using X509Certificate = Org.BouncyCastle.X509.X509Certificate;
 
     public static class CertificateHelper
     {
+        static Oid oidRsaEncryption = Oid.FromFriendlyName("RSA", OidGroup.All);
+        static Oid oidEcPublicKey = Oid.FromFriendlyName("ECC", OidGroup.All);
+
         public static string GetSha256Thumbprint(X509Certificate2 cert)
         {
             Preconditions.CheckNotNull(cert);
@@ -387,53 +385,10 @@ internal static (X509Certificate2, IEnumerable<X509Certificate2>) ParseCertifica
 
             IEnumerable<X509Certificate2> certsChain = GetCertificatesFromPem(pemCerts.Skip(1));
 
-            Pkcs12Store store = new Pkcs12StoreBuilder().Build();
-            IList<X509CertificateEntry> chain = new List<X509CertificateEntry>();
-
-            // note: the seperator between the certificate and private key is added for safety to delinate the cert and key boundary
-            var sr = new StringReader(pemCerts.First() + "\r\n" + privateKey);
-            var pemReader = new PemReader(sr);
-
-            AsymmetricKeyParameter keyParams = null;
-            object certObject = pemReader.ReadObject();
-            while (certObject != null)
-            {
-                if (certObject is X509Certificate x509Cert)
-                {
-                    chain.Add(new X509CertificateEntry(x509Cert));
-                }
-
-                // when processing certificates generated via openssl certObject type is of AsymmetricCipherKeyPair
-                if (certObject is AsymmetricCipherKeyPair keyPair)
-                {
-                    certObject = keyPair.Private;
-                }
-
-                if (certObject is RsaPrivateCrtKeyParameters rsaParameters)
-                {
-                    keyParams = rsaParameters;
-                }
-                else if (certObject is ECPrivateKeyParameters ecParameters)
-                {
-                    keyParams = ecParameters;
-                }
-
-                certObject = pemReader.ReadObject();
-            }
-
-            if (keyParams == null)
-            {
-                throw new InvalidOperationException("Private key is required");
-            }
+            var certWithNoKey = new X509Certificate2(Encoding.UTF8.GetBytes(pemCerts.First()));
+            var certWithPrivateKey = AttachPrivateKey(certWithNoKey, privateKey);
 
-            store.SetKeyEntry("Edge", new AsymmetricKeyEntry(keyParams), chain.ToArray());
-            using (var p12File = new MemoryStream())
-            {
-                store.Save(p12File, new char[] { }, new SecureRandom());
-
-                var cert = new X509Certificate2(p12File.ToArray());
-                return (cert, certsChain);
-            }
+            return (certWithPrivateKey, certsChain);
         }
 
         static string ToHexString(byte[] bytes)
@@ -462,5 +417,91 @@ static Option<string> GetCommonNameFromSubject(string subject)
 
             return commonName;
         }
+
+        static X509Certificate2 AttachPrivateKey(X509Certificate2 certificate, string pemEncodedKey)
+        {
+            var pkcs8Label = "PRIVATE KEY";
+            var rsaLabel = "RSA PRIVATE KEY";
+            var ecLabel = "EC PRIVATE KEY";
+            var keyAlgorithm = certificate.GetKeyAlgorithm();
+            var isPkcs8 = pemEncodedKey.IndexOf(Header(pkcs8Label)) >= 0;
+
+            X509Certificate2 result = null;
+
+            try
+            {
+                if (oidRsaEncryption.Value == keyAlgorithm)
+                {
+                    var decodedKey = UnwrapPrivateKey(pemEncodedKey, isPkcs8 ? pkcs8Label : rsaLabel);
+                    var key = RSA.Create();
+
+                    if (isPkcs8)
+                    {
+                        key.ImportPkcs8PrivateKey(decodedKey, out _);
+                    }
+                    else
+                    {
+                        key.ImportRSAPrivateKey(decodedKey, out _);
+                    }
+
+                    result = certificate.CopyWithPrivateKey(key);
+                }
+                else if (oidEcPublicKey.Value == keyAlgorithm)
+                {
+                    var decodedKey = UnwrapPrivateKey(pemEncodedKey, isPkcs8 ? pkcs8Label : ecLabel);
+                    var key = ECDsa.Create();
+
+                    if (isPkcs8)
+                    {
+                        key.ImportPkcs8PrivateKey(decodedKey, out _);
+                    }
+                    else
+                    {
+                        key.ImportECPrivateKey(decodedKey, out _);
+                    }
+
+                    result = certificate.CopyWithPrivateKey(key);
+                }
+            }
+            catch (Exception ex)
+            {
+                throw new InvalidOperationException("Cannot import private key", ex);
+            }
+
+            if (result == null)
+            {
+                throw new InvalidOperationException($"Cannot use certificate, not supported key algorithm: ${keyAlgorithm}");
+            }
+
+            return result;
+        }
+
+        static byte[] UnwrapPrivateKey(string pemEncodedKey, string algoLabel)
+        {
+            var headerIndex = pemEncodedKey.IndexOf(Header(algoLabel));
+            var footerIndex = pemEncodedKey.IndexOf(Footer(algoLabel));
+
+            if (headerIndex < 0 || footerIndex < 0)
+            {
+                throw new InvalidOperationException($"Certificate key algorithm indicates {algoLabel}, but cannot unwrap key - headers not found");
+            }
+
+            byte[] decodedKey;
+
+            try
+            {
+                var dataIndex = headerIndex + Header(algoLabel).Length;
+                decodedKey = Convert.FromBase64String(pemEncodedKey.Substring(dataIndex, footerIndex - dataIndex));
+            }
+            catch (Exception ex)
+            {
+                throw new InvalidOperationException("Cannot decode private key: base64 decoding failed after removing headers", ex);
+            }
+
+            return decodedKey;
+        }
+
+        static string Header(string label) => $"-----BEGIN {label}-----";
+        static string Footer(string label) => $"-----END {label}-----";
     }
 }