IoT Hub + DPS CSR feature support

[timtay-microsoft]

DPS device client changes

• Add optional field for filling in client certificate signing request to the DPS provisioning message payload
• Add field for issuedClientCertificateChain to the DPS provisioning response payload object
• Add check to assert usage of MQTT/MQTT_WS protocol
• Bump service API version
• TODO are there any new DPS service errors?
  • I tried sending malformed CSRs to DPS when provisioning and got a 500 level error, so maybe the service folks don't have this pinned down yet?

IoT hub device client changes

• Add new API for sending certificate signing request
  • Since this feature involves multiple callbacks (on CSR accepted, on CSR completed), I have overloads with callback style notifications (which is in line with other async APIs in this SDK), but I also added a completable future overload since I found that style easier to write the sample with (so customers may as well)
• Add new exception type for reporting certificate signing errors sent by IoT hub
• Add check to assert usage of MQTT/MQTT_WS protocol
• Bump service API version

Samples changes

• Add new sample that shows the end-to-end flow of using DPS to provision a device with signed certificates that it uses to connect with IoT hub. The sample then shows that a device can use IoT hub to sign new certificates, and then that device can re-connect with those new certificates.

Misc changes

• Upgrade some bouncycastle dependencies repo-wide since the new CSR sample needs those versions

Notable design choices

Below are a few design choices I made that may conflict with implementations of this CSR feature in other languages so far. I singled these out so that it is easier for us to discuss their merits cross-language.

• The new IoT hub device client sendCertificateSigningRequest method notifies the user at each stage of the CSR process (CSR accepted, CSR complete and if/when a CSR error is reported by IoT hub)

  • This is as opposed to the method simply returning when the CSR has been completed
  • There is some value in users being aware of when a CSR has been accepted since the API allows for users to "replace" active requests.
  • Additionally, "CSR accepted" message contains some timestamp information that may be relevant to the user's application
  • Maybe there is still value in offering the simple sendCertificateSigningRequest API that just returns when signing completes or errors out, though (add it later if users ask?). It just shouldn't be the only way to do signing.

• The IoT hub SDK allows users to see what request Id is associated with their CSR

  • The IoT hub API allows users to "replace" an active certificate signing request by specifying the active certificate signing request's request Id, so users need to be aware of request Ids in general for this feature.

• Neither the IoT hub nor DPS SDKs added certificate "helper" methods

  • The CSR sample hosts all the required certificate signing request generator/parsing methods
  • This SDK is not a certificate signing request generation library
  • While these methods may be applicable to most users of this CSR feature, it would require taking a dependency on a security library like bouncy castle. Users are very sensitive to dependencies like these, so adding it may upset some users