refactor(pkcs11): Make crate::signing_key return a signer that can sign

Instead of returning a rustls::SigningKey, which can't immediately be
used for signing, make tedge_p11_server::signing_key return an object on
which one can call .sign() immediately.

rustls::SigningKey first requires calling `choose_scheme` to obtain a
signer that could be used for signing. So far
`tedge_p11_server::signing_key` was called by only one caller which
wanted a rustls::SigningKey, but now for CSR we want to call `.sign()`.

There were also some changes in the pkcs11 module to remove some
unnecessary structs that in practice were really duplicates - instead of
having a separate `Pkcs11SigningKey` and `Pkcs11Signer` structs, just
have `Pkcs11Signer` impl both `SigningKey` and `Signer`.

Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>

Author: Bravo555

crates/extensions/tedge-p11-server/src/pkcs11/mod.rs

@@ -92,7 +92,7 @@ impl Cryptoki {
         })
     }
 
-    pub fn signing_key(&self, uri: Option<&str>) -> anyhow::Result<Pkcs11SigningKey> {
+    pub fn signing_key(&self, uri: Option<&str>) -> anyhow::Result<Pkcs11Signer> {
         let mut config_uri = self
             .config
             .uri
@@ -156,7 +156,7 @@ impl Cryptoki {
             anyhow::bail!("can't get key type");
         };
 
-        let pkcs11 = PKCS11 {
+        let session = Pkcs11Session {
             session: Arc::new(Mutex::new(session)),
         };
 
@@ -177,18 +177,18 @@ impl Cryptoki {
 
         let key = match keytype {
             KeyType::EC => {
-                let sigscheme = get_ec_mechanism(&pkcs11.session.lock().unwrap(), key)
+                let sigscheme = get_ec_mechanism(&session.session.lock().unwrap(), key)
                     .unwrap_or(SigScheme::EcdsaNistp256Sha256);
 
-                Pkcs11SigningKey {
-                    session: pkcs11,
-                    handle: key,
+                Pkcs11Signer {
+                    session,
+                    key,
                     sigscheme,
                 }
             }
-            KeyType::RSA => Pkcs11SigningKey {
-                session: pkcs11,
-                handle: key,
+            KeyType::RSA => Pkcs11Signer {
+                session,
+                key,
                 sigscheme: SigScheme::RsaPssSha256,
             },
             _ => anyhow::bail!("unsupported key type"),
@@ -230,56 +230,20 @@ impl Cryptoki {
 }
 
 #[derive(Debug, Clone)]
-pub struct Pkcs11SigningKey {
-    session: PKCS11,
-    handle: ObjectHandle,
-    sigscheme: SigScheme,
-}
-
-impl SigningKey for Pkcs11SigningKey {
-    fn choose_scheme(&self, offered: &[SignatureScheme]) -> Option<Box<dyn Signer>> {
-        debug!("Offered signature schemes. offered={:?}", offered);
-        let key_scheme = self.sigscheme.into();
-        if offered.contains(&key_scheme) {
-            debug!("Matching scheme: {key_scheme:?}");
-            Some(Box::new(PkcsSigner {
-                pkcs11: self.session.clone(),
-                key: self.handle,
-                sigscheme: self.sigscheme,
-            }))
-        } else {
-            None
-        }
-    }
-
-    fn algorithm(&self) -> SignatureAlgorithm {
-        self.sigscheme.into()
-    }
-}
-
-#[derive(Debug, Clone)]
-pub struct PKCS11 {
+pub struct Pkcs11Session {
     pub session: Arc<Mutex<Session>>,
 }
 
-#[derive(Debug)]
-pub struct PkcsSigner {
-    pkcs11: PKCS11,
+#[derive(Debug, Clone)]
+pub struct Pkcs11Signer {
+    session: Pkcs11Session,
     key: ObjectHandle,
     sigscheme: SigScheme,
 }
 
-impl PkcsSigner {
-    pub fn from_key(key: Pkcs11SigningKey) -> Self {
-        Self {
-            pkcs11: key.session,
-            key: key.handle,
-            sigscheme: key.sigscheme,
-        }
-    }
-
+impl Pkcs11Signer {
     pub fn sign(&self, message: &[u8]) -> Result<Vec<u8>, anyhow::Error> {
-        let session = self.pkcs11.session.lock().unwrap();
+        let session = self.session.session.lock().unwrap();
 
         let mechanism = self.sigscheme.into();
         let (mechanism, digest_mechanism) = match mechanism {
@@ -390,7 +354,24 @@ impl From<SigScheme> for Mechanism<'_> {
     }
 }
 
-impl Signer for PkcsSigner {
+impl SigningKey for Pkcs11Signer {
+    fn choose_scheme(&self, offered: &[SignatureScheme]) -> Option<Box<dyn Signer>> {
+        debug!("Offered signature schemes. offered={:?}", offered);
+        let key_scheme = self.sigscheme.into();
+        if offered.contains(&key_scheme) {
+            debug!("Matching scheme: {key_scheme:?}");
+            Some(Box::new(self.clone()))
+        } else {
+            None
+        }
+    }
+
+    fn algorithm(&self) -> SignatureAlgorithm {
+        self.sigscheme.into()
+    }
+}
+
+impl Signer for Pkcs11Signer {
     fn sign(&self, message: &[u8]) -> Result<Vec<u8>, rustls::Error> {
         Self::sign(self, message).map_err(|e| rustls::Error::General(e.to_string()))
     }

crates/extensions/tedge-p11-server/src/service.rs

@@ -1,6 +1,5 @@
 use crate::pkcs11::Cryptoki;
 use crate::pkcs11::CryptokiConfigDirect;
-use crate::pkcs11::PkcsSigner;
 
 use anyhow::Context;
 use rustls::sign::SigningKey;
@@ -66,12 +65,11 @@ impl SigningService for TedgeP11Service {
     fn sign(&self, request: SignRequest) -> anyhow::Result<SignResponse> {
         trace!(?request);
         let uri = request.uri;
-        let signing_key = self
+        let signer = self
             .cryptoki
             .signing_key(uri.as_deref())
             .context("Failed to find a signing key")?;
 
-        let signer = PkcsSigner::from_key(signing_key);
         let signature = signer
             .sign(&request.to_sign)
             .context("Failed to sign using PKCS #11")?;

crates/extensions/tedge-p11-server/src/signer.rs

@@ -10,6 +10,7 @@ use tracing::instrument;
 use crate::client::TedgeP11Client;
 use crate::pkcs11::Cryptoki;
 use crate::pkcs11::CryptokiConfigDirect;
+use crate::pkcs11::Pkcs11Signer;
 
 #[derive(Debug, Clone)]
 pub enum CryptokiConfig {
@@ -20,10 +21,26 @@ pub enum CryptokiConfig {
     },
 }
 
+/// A signer using a private key object located on the PKCS11 token.
+///
+/// Is backed by either direct cryptoki library usage or by tedge-p11-server client.
+///
+/// Contains a handle to Pkcs11-backed private key that will be used for signing, selected at construction time.
+pub trait TedgeP11Signer: SigningKey {
+    /// Signs the message using the selected private key.
+    fn sign(&self, msg: &[u8]) -> anyhow::Result<Vec<u8>>;
+}
+
+impl TedgeP11Signer for Pkcs11Signer {
+    fn sign(&self, msg: &[u8]) -> anyhow::Result<Vec<u8>> {
+        Pkcs11Signer::sign(self, msg)
+    }
+}
+
 /// Returns a rustls SigningKey that depending on the config, either connects to
 /// tedge-p11-server or calls cryptoki module directly.
-pub fn signing_key(config: CryptokiConfig) -> anyhow::Result<Arc<dyn SigningKey>> {
-    let signing_key: Arc<dyn SigningKey> = match config {
+pub fn signing_key(config: CryptokiConfig) -> anyhow::Result<Arc<dyn TedgeP11Signer>> {
+    let signing_key: Arc<dyn TedgeP11Signer> = match config {
         CryptokiConfig::Direct(config_direct) => {
             let uri = config_direct.uri.clone();
             let cryptoki =
@@ -49,6 +66,13 @@ pub struct TedgeP11ClientSigningKey {
     pub uri: Option<Arc<str>>,
 }
 
+impl TedgeP11Signer for TedgeP11ClientSigningKey {
+    fn sign(&self, msg: &[u8]) -> anyhow::Result<Vec<u8>> {
+        self.client
+            .sign(msg, self.uri.as_ref().map(|s| s.to_string()))
+    }
+}
+
 impl SigningKey for TedgeP11ClientSigningKey {
     #[instrument(skip_all)]
     fn choose_scheme(