fix wrong csr

Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>

Author: Bravo555

crates/common/certificate/src/lib.rs

@@ -224,6 +224,19 @@ pub struct RemoteKeyPair {
     algorithm: &'static rcgen::SignatureAlgorithm,
 }
 
+fn shit(value: &rcgen::SignatureAlgorithm) -> tedge_p11_server::pkcs11::SigScheme {
+    if *value == rcgen::PKCS_RSA_SHA256 {
+        return tedge_p11_server::pkcs11::SigScheme::RsaPkcs1Sha256;
+    }
+    if *value == rcgen::PKCS_ECDSA_P256_SHA256 {
+        return tedge_p11_server::pkcs11::SigScheme::EcdsaNistp256Sha256;
+    }
+    if *value == rcgen::PKCS_ECDSA_P384_SHA384 {
+        return tedge_p11_server::pkcs11::SigScheme::EcdsaNistp384Sha384;
+    }
+    todo!()
+}
+
 impl RemoteKeyPair {
     pub fn to_key_pair(&self) -> Result<KeyPair, CertificateError> {
         Ok(KeyPair::from_remote(Box::new(self.clone()))?)
@@ -242,7 +255,7 @@ impl rcgen::RemoteKeyPair for RemoteKeyPair {
         let signer = tedge_p11_server::signing_key(self.cryptoki_config.clone())
             .map_err(|e| rcgen::Error::PemError(e.to_string()))?;
         signer
-            .sign(msg)
+            .sign(msg, shit(self.algorithm))
             .map_err(|e| rcgen::Error::PemError(e.to_string()))
     }
 

crates/extensions/tedge-p11-server/src/client.rs

@@ -7,6 +7,8 @@ use anyhow::Context;
 use tracing::debug;
 use tracing::trace;
 
+use crate::pkcs11::SigScheme;
+
 use super::connection::Frame1;
 use super::service::ChooseSchemeRequest;
 use super::service::SignRequest;
@@ -122,7 +124,12 @@ impl TedgeP11Client {
         Ok(response.algorithm.0)
     }
 
-    pub fn sign(&self, message: &[u8], uri: Option<String>) -> anyhow::Result<Vec<u8>> {
+    pub fn sign(
+        &self,
+        message: &[u8],
+        sigscheme: SigScheme,
+        uri: Option<String>,
+    ) -> anyhow::Result<Vec<u8>> {
         let stream = UnixStream::connect(&self.socket_path).with_context(|| {
             format!(
                 "Failed to connect to tedge-p11-server UNIX socket at '{}'",
@@ -134,6 +141,7 @@ impl TedgeP11Client {
 
         let request = Frame1::SignRequest(SignRequest {
             to_sign: message.to_vec(),
+            sigscheme,
             uri,
         });
         trace!(?request);

crates/extensions/tedge-p11-server/src/pkcs11/mod.rs

@@ -28,6 +28,8 @@ use rustls::sign::Signer;
 use rustls::sign::SigningKey;
 use rustls::SignatureAlgorithm;
 use rustls::SignatureScheme;
+use serde::Deserialize;
+use serde::Serialize;
 use tracing::debug;
 use tracing::trace;
 use tracing::warn;
@@ -139,6 +141,9 @@ impl Cryptoki {
         let token_info = self.context.get_token_info(slot)?;
         debug!(?slot_info, ?token_info, "Selected slot");
 
+        // let supported_mechs = self.context.get_mechanism_list(slot)?;
+        // info!(?supported_mechs);
+
         let session = self.context.open_ro_session(slot)?;
         session.login(UserType::User, Some(&self.config.pin))?;
         let session_info = session.get_session_info()?;
@@ -238,22 +243,21 @@ pub struct Pkcs11Session {
 pub struct Pkcs11Signer {
     session: Pkcs11Session,
     key: ObjectHandle,
-    sigscheme: SigScheme,
+    pub sigscheme: SigScheme,
 }
 
 impl Pkcs11Signer {
-    pub fn sign(&self, message: &[u8]) -> Result<Vec<u8>, anyhow::Error> {
+    pub fn sign(&self, message: &[u8], sigscheme: SigScheme) -> Result<Vec<u8>, anyhow::Error> {
         let session = self.session.session.lock().unwrap();
 
-        let mechanism = self.sigscheme.into();
+        let mechanism = sigscheme.into();
         let (mechanism, digest_mechanism) = match mechanism {
             Mechanism::EcdsaSha256 => (Mechanism::Ecdsa, Some(Mechanism::Sha256)),
             Mechanism::EcdsaSha384 => (Mechanism::Ecdsa, Some(Mechanism::Sha384)),
             Mechanism::EcdsaSha512 => (Mechanism::Ecdsa, Some(Mechanism::Sha512)),
-            Mechanism::Sha1RsaPkcs => (Mechanism::RsaPkcs, Some(Mechanism::Sha1)),
-            Mechanism::Sha256RsaPkcs => (Mechanism::RsaPkcs, Some(Mechanism::Sha256)),
-            Mechanism::Sha384RsaPkcs => (Mechanism::RsaPkcs, Some(Mechanism::Sha384)),
-            Mechanism::Sha512RsaPkcs => (Mechanism::RsaPkcs, Some(Mechanism::Sha512)),
+            Mechanism::Sha256RsaPkcs => (Mechanism::Sha256RsaPkcs, None),
+            Mechanism::Sha384RsaPkcs => (Mechanism::Sha384RsaPkcs, None),
+            Mechanism::Sha512RsaPkcs => (Mechanism::Sha512RsaPkcs, None),
             Mechanism::Sha256RsaPkcsPss(p) => (Mechanism::Sha256RsaPkcsPss(p), None),
             Mechanism::Sha384RsaPkcsPss(p) => (Mechanism::Sha384RsaPkcsPss(p), None),
             Mechanism::Sha512RsaPkcsPss(p) => (Mechanism::Sha512RsaPkcsPss(p), None),
@@ -306,12 +310,13 @@ impl Pkcs11Signer {
 }
 
 /// Currently supported signature schemes.
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-enum SigScheme {
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
+pub enum SigScheme {
     EcdsaNistp256Sha256,
     EcdsaNistp384Sha384,
     EcdsaNistp521Sha512,
     RsaPssSha256,
+    RsaPkcs1Sha256,
 }
 
 impl From<SigScheme> for rustls::SignatureScheme {
@@ -321,6 +326,7 @@ impl From<SigScheme> for rustls::SignatureScheme {
             SigScheme::EcdsaNistp384Sha384 => Self::ECDSA_NISTP384_SHA384,
             SigScheme::EcdsaNistp521Sha512 => Self::ECDSA_NISTP521_SHA512,
             SigScheme::RsaPssSha256 => Self::RSA_PSS_SHA256,
+            SigScheme::RsaPkcs1Sha256 => Self::RSA_PKCS1_SHA256,
         }
     }
 }
@@ -331,7 +337,20 @@ impl From<SigScheme> for rustls::SignatureAlgorithm {
             SigScheme::EcdsaNistp256Sha256
             | SigScheme::EcdsaNistp384Sha384
             | SigScheme::EcdsaNistp521Sha512 => Self::ECDSA,
-            SigScheme::RsaPssSha256 => Self::RSA,
+            SigScheme::RsaPssSha256 | SigScheme::RsaPkcs1Sha256 => Self::RSA,
+        }
+    }
+}
+
+impl From<rustls::SignatureScheme> for SigScheme {
+    fn from(value: rustls::SignatureScheme) -> Self {
+        match value {
+            rustls::SignatureScheme::ECDSA_NISTP256_SHA256 => SigScheme::EcdsaNistp256Sha256,
+            rustls::SignatureScheme::ECDSA_NISTP384_SHA384 => SigScheme::EcdsaNistp384Sha384,
+            rustls::SignatureScheme::ECDSA_NISTP521_SHA512 => SigScheme::EcdsaNistp521Sha512,
+            rustls::SignatureScheme::RSA_PSS_SHA256 => SigScheme::RsaPssSha256,
+            rustls::SignatureScheme::RSA_PKCS1_SHA256 => SigScheme::RsaPkcs1Sha256,
+            _ => todo!(),
         }
     }
 }
@@ -342,6 +361,7 @@ impl From<SigScheme> for Mechanism<'_> {
             SigScheme::EcdsaNistp256Sha256 => Self::EcdsaSha256,
             SigScheme::EcdsaNistp384Sha384 => Self::EcdsaSha384,
             SigScheme::EcdsaNistp521Sha512 => Self::EcdsaSha512,
+            SigScheme::RsaPkcs1Sha256 => Self::Sha256RsaPkcs,
             SigScheme::RsaPssSha256 => Mechanism::Sha256RsaPkcsPss(PkcsPssParams {
                 hash_alg: MechanismType::SHA256,
                 mgf: PkcsMgfType::MGF1_SHA256,
@@ -373,7 +393,7 @@ impl SigningKey for Pkcs11Signer {
 
 impl Signer for Pkcs11Signer {
     fn sign(&self, message: &[u8]) -> Result<Vec<u8>, rustls::Error> {
-        Self::sign(self, message).map_err(|e| rustls::Error::General(e.to_string()))
+        Self::sign(self, message, self.sigscheme).map_err(|e| rustls::Error::General(e.to_string()))
     }
 
     fn scheme(&self) -> SignatureScheme {

crates/extensions/tedge-p11-server/src/server.rs

@@ -138,7 +138,10 @@ mod tests {
         tokio::task::spawn_blocking(move || {
             let client = TedgeP11Client::with_ready_check(socket_path.into());
             assert_eq!(client.choose_scheme(&[], None).unwrap().unwrap(), SCHEME);
-            assert_eq!(&client.sign(&[], None).unwrap(), &SIGNATURE[..]);
+            assert_eq!(
+                &client.sign(&[], SCHEME.into(), None).unwrap(),
+                &SIGNATURE[..]
+            );
         })
         .await
         .unwrap();

crates/extensions/tedge-p11-server/src/service.rs

@@ -1,5 +1,6 @@
 use crate::pkcs11::Cryptoki;
 use crate::pkcs11::CryptokiConfigDirect;
+use crate::pkcs11::SigScheme;
 
 use anyhow::Context;
 use rustls::sign::SigningKey;
@@ -71,7 +72,7 @@ impl SigningService for TedgeP11Service {
             .context("Failed to find a signing key")?;
 
         let signature = signer
-            .sign(&request.to_sign)
+            .sign(&request.to_sign, request.sigscheme)
             .context("Failed to sign using PKCS #11")?;
         Ok(SignResponse(signature))
     }
@@ -92,6 +93,7 @@ pub struct ChooseSchemeResponse {
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
 pub struct SignRequest {
     pub to_sign: Vec<u8>,
+    pub sigscheme: SigScheme,
     pub uri: Option<String>,
 }
 

crates/extensions/tedge-p11-server/src/signer.rs

@@ -11,6 +11,7 @@ use crate::client::TedgeP11Client;
 use crate::pkcs11::Cryptoki;
 use crate::pkcs11::CryptokiConfigDirect;
 use crate::pkcs11::Pkcs11Signer;
+use crate::pkcs11::SigScheme;
 
 #[derive(Debug, Clone)]
 pub enum CryptokiConfig {
@@ -28,13 +29,13 @@ pub enum CryptokiConfig {
 /// Contains a handle to Pkcs11-backed private key that will be used for signing, selected at construction time.
 pub trait TedgeP11Signer: SigningKey {
     /// Signs the message using the selected private key.
-    fn sign(&self, msg: &[u8]) -> anyhow::Result<Vec<u8>>;
+    fn sign(&self, msg: &[u8], sigscheme: SigScheme) -> anyhow::Result<Vec<u8>>;
     fn to_rustls_signing_key(self: Arc<Self>) -> Arc<dyn rustls::sign::SigningKey>;
 }
 
 impl TedgeP11Signer for Pkcs11Signer {
-    fn sign(&self, msg: &[u8]) -> anyhow::Result<Vec<u8>> {
-        Pkcs11Signer::sign(self, msg)
+    fn sign(&self, msg: &[u8], sigscheme: SigScheme) -> anyhow::Result<Vec<u8>> {
+        Pkcs11Signer::sign(self, msg, sigscheme)
     }
 
     fn to_rustls_signing_key(self: Arc<Self>) -> Arc<dyn rustls::sign::SigningKey> {
@@ -72,9 +73,9 @@ pub struct TedgeP11ClientSigningKey {
 }
 
 impl TedgeP11Signer for TedgeP11ClientSigningKey {
-    fn sign(&self, msg: &[u8]) -> anyhow::Result<Vec<u8>> {
+    fn sign(&self, msg: &[u8], sigscheme: SigScheme) -> anyhow::Result<Vec<u8>> {
         self.client
-            .sign(msg, self.uri.as_ref().map(|s| s.to_string()))
+            .sign(msg, sigscheme, self.uri.as_ref().map(|s| s.to_string()))
     }
     fn to_rustls_signing_key(self: Arc<Self>) -> Arc<dyn rustls::sign::SigningKey> {
         self
@@ -120,10 +121,11 @@ pub struct TedgeP11ClientSigner {
 
 impl Signer for TedgeP11ClientSigner {
     fn sign(&self, message: &[u8]) -> Result<Vec<u8>, rustls::Error> {
-        let response = match self
-            .client
-            .sign(message, self.uri.as_ref().map(|s| s.to_string()))
-        {
+        let response = match self.client.sign(
+            message,
+            self.scheme.into(),
+            self.uri.as_ref().map(|s| s.to_string()),
+        ) {
             Ok(response) => response,
             Err(err) => {
                 return Err(rustls::Error::Other(rustls::OtherError(Arc::from(

tests/RobotFramework/tests/pkcs11/private_key_storage.robot

@@ -105,44 +105,15 @@ Can use PKCS11 key to renew the public certificate
     ...    can renew both a self-signed certificate and a certificate signed by C8y CA.
     [Setup]    Set tedge-p11-server Uri    value=${EMPTY}
 
-    Connect to C8y using new keypair    type=ecdsa    curve=secp256r1
-    Execute Command    tedge cert renew c8y
-    Tedge Reconnect Should Succeed
-    Execute Command    tedge cert renew c8y
-    Tedge Reconnect Should Succeed
-
-    Connect to C8y using new keypair    type=ecdsa    curve=secp384r1
-    Execute Command    tedge cert renew c8y
-    Tedge Reconnect Should Succeed
-    Execute Command    tedge cert renew c8y
-    Tedge Reconnect Should Succeed
+    Test tedge cert renew    type=ecdsa    curve=secp256r1
+    Test tedge cert renew    type=ecdsa    curve=secp384r1
 
-    # renewal isn't supported for P521 because rcgen doesn't support it
+    # renewal isn't supported for secp521r1 because rcgen doesn't support it
     # https://github.com/rustls/rcgen/issues/60
 
-    # Connect to C8y using new keypair    type=ecdsa    curve=secp521r1
-    # Execute Command    tedge cert renew c8y
-    # Tedge Reconnect Should Succeed
-    # Execute Command    tedge cert renew c8y
-    # Tedge Reconnect Should Succeed
-
-    Connect to C8y using new keypair    type=rsa    bits=2048
-    Execute Command    tedge cert renew c8y
-    Tedge Reconnect Should Succeed
-    Execute Command    tedge cert renew c8y
-    Tedge Reconnect Should Succeed
-
-    Connect to C8y using new keypair    type=rsa    bits=3072
-    Execute Command    tedge cert renew c8y
-    Tedge Reconnect Should Succeed
-    Execute Command    tedge cert renew c8y
-    Tedge Reconnect Should Succeed
-
-    Connect to C8y using new keypair    type=rsa    bits=4096
-    Execute Command    tedge cert renew c8y
-    Tedge Reconnect Should Succeed
-    Execute Command    tedge cert renew c8y
-    Tedge Reconnect Should Succeed
+    Test tedge cert renew    type=rsa    bits=2048
+    Test tedge cert renew    type=rsa    bits=3072
+    Test tedge cert renew    type=rsa    bits=4096
 
     Execute Command    systemctl stop tedge-p11-server tedge-p11-server.socket
     Command Should Fail With
@@ -222,6 +193,23 @@ Warn the user if tedge.toml cannot be parsed
 
 
 *** Keywords ***
+Test tedge cert renew
+    [Arguments]    ${type}    ${bits}=${EMPTY}    ${curve}=${EMPTY}
+
+    Connect to C8y using new keypair    type=${type}    curve=${curve}    bits=${bits}
+
+    Execute Command    tedge cert renew c8y
+    ${stderr}=    Execute Command    openssl req -text -noout -in /etc/tedge/device-certs/tedge.csr -verify    stdout=False    stderr=true
+    Should Contain    ${stderr}    Certificate request self-signature verify OK
+
+    Tedge Reconnect Should Succeed
+
+    Execute Command    tedge cert renew c8y
+    ${stderr}=    Execute Command    openssl req -text -noout -in /etc/tedge/device-certs/tedge.csr -verify    stdout=False    stderr=true
+    Should Contain    ${stderr}    Certificate request self-signature verify OK
+
+    Tedge Reconnect Should Succeed
+
 Connect to C8y using new keypair
     [Documentation]    Connects to C8y with a newly generated keypair and a self-signed certificate.
     ...    The private key is saved on the token, and the self-signed certificate is registered with c8y.