thin-edge
diff --git a/‎Cargo.lock
Lines changed: 155 additions & 0 deletions b/‎Cargo.lock
Lines changed: 155 additions & 0 deletions
diff --git a/‎crates/common/certificate/Cargo.toml
Lines changed: 1 addition & 0 deletions b/‎crates/common/certificate/Cargo.toml
Lines changed: 1 addition & 0 deletions
diff --git a/‎crates/common/certificate/src/lib.rs
Lines changed: 20 additions & 2 deletions b/‎crates/common/certificate/src/lib.rs
Lines changed: 20 additions & 2 deletions
diff --git a/‎crates/core/tedge/Cargo.toml
Lines changed: 7 additions & 0 deletions b/‎crates/core/tedge/Cargo.toml
Lines changed: 7 additions & 0 deletions
diff --git a/‎crates/core/tedge/src/cli/certificate/cli.rs
Lines changed: 3 additions & 0 deletions b/‎crates/core/tedge/src/cli/certificate/cli.rs
Lines changed: 3 additions & 0 deletions
diff --git a/‎crates/core/tedge/src/cli/certificate/create_csr.rs
Lines changed: 4 additions & 0 deletions b/‎crates/core/tedge/src/cli/certificate/create_csr.rs
Lines changed: 4 additions & 0 deletions
@@ -17,6 +17,7 @@ anyhow = { workspace = true }
 asn1-rs = { workspace = true }
 base64 = { workspace = true }
 camino = { workspace = true }
+elliptic-curve = "0.13.8"
 pem.workspace = true
 rcgen = { workspace = true }
 reqwest = { workspace = true, optional = true, features = [
 
@@ -208,13 +208,14 @@ impl KeyKind {
         cryptoki_config: CryptokiConfig,
         private_key_label: String,
         public_key_pem: String,
+        sigalg: SigAlg,
     ) -> Result<Self, CertificateError> {
         let public_key = pem::parse(public_key_pem).unwrap();
         let public_key_raw = public_key.into_contents();
         trace!("pubkey raw: {public_key_raw:x?}");
 
         // TODO: implement other algs
-        let algorithm = &rcgen::PKCS_RSA_SHA256;
+        let algorithm = sigalg.into();
 
         // construct a URI that uses private key we just created to sign
         let mut cryptoki_config = cryptoki_config;
@@ -224,7 +225,7 @@ impl KeyKind {
         };
         let private_key_uri = match uri {
             Some(uri) if uri.contains("object=") => {
-                let mut uri: String = uri
+                let uri: String = uri
                     .strip_prefix("pkcs11:")
                     .unwrap_or("")
                     .split(';')
@@ -247,6 +248,23 @@ impl KeyKind {
     }
 }
 
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum SigAlg {
+    PkcsRsaSha256,
+    PkcsEcdsaP256Sha256,
+    PkcsEcdsaP384Sha384,
+}
+
+impl From<SigAlg> for &'static rcgen::SignatureAlgorithm {
+    fn from(value: SigAlg) -> Self {
+        match value {
+            SigAlg::PkcsRsaSha256 => &rcgen::PKCS_RSA_SHA256,
+            SigAlg::PkcsEcdsaP256Sha256 => &rcgen::PKCS_ECDSA_P256_SHA256,
+            SigAlg::PkcsEcdsaP384Sha384 => &rcgen::PKCS_ECDSA_P384_SHA384,
+        }
+    }
+}
+
 /// A key pair using a remote private key.
 ///
 /// To generate a CSR we need:
 
@@ -25,12 +25,19 @@ certificate = { workspace = true }
 clap = { workspace = true }
 clap_complete = { version = "4.5.42", features = ["unstable-dynamic"] }
 doku = { workspace = true }
+elliptic-curve = { version = "0.13.8", features = [
+    "arithmetic",
+    "sec1",
+    "std",
+] }
 flate2 = { workspace = true }
 humantime = { workspace = true }
 hyper = { workspace = true, default-features = false }
 mime_guess = { workspace = true }
 mqtt_channel = { workspace = true }
 nix = { workspace = true }
+p256 = "0.13.2"
+p384 = "0.13.1"
 pad = { workspace = true }
 pem.workspace = true
 rasn = { workspace = true }
 
@@ -220,6 +220,7 @@ impl BuildCommand for TEdgeCertCli {
                         config,
                         privkey_label: None,
                         pubkey_pem: None,
+                        sigalg: None,
                     })
                     .unwrap_or(Key::Local(
                         config.device_key_path(cloud.as_ref())?.to_owned(),
@@ -356,6 +357,7 @@ impl BuildCommand for TEdgeCertCli {
                         config,
                         privkey_label: None,
                         pubkey_pem: None,
+                        sigalg: None,
                     })
                     .unwrap_or(Key::Local(
                         config
@@ -448,6 +450,7 @@ impl BuildCommand for TEdgeCertCli {
                             config,
                             privkey_label: None,
                             pubkey_pem: None,
+                            sigalg: None,
                         })
                         .unwrap_or(Key::Local(
                             config.device_key_path(cloud.as_ref())?.to_owned(),
 
@@ -44,6 +44,8 @@ pub enum Key {
         // TODO: move it where it makes sense
         privkey_label: Option<String>,
         pubkey_pem: Option<String>,
+        // TODO: hack to pass sigalg
+        sigalg: Option<certificate::SigAlg>,
     },
 }
 
@@ -76,6 +78,7 @@ impl CreateCsrCmd {
                 config,
                 privkey_label,
                 pubkey_pem,
+                sigalg,
             } => {
                 let current_cert = self.current_cert.clone();
                 match current_cert {
@@ -86,6 +89,7 @@ impl CreateCsrCmd {
                         config.clone(),
                         privkey_label.clone().unwrap(),
                         pubkey_pem.as_ref().unwrap().clone(),
+                        sigalg.expect("sigalg should be set when generating a new key"),
                     )?,
                 }
             }