Add tedge cert create-key command

The command uses TedgeP11Client to create a new RSA keypair on the
PKCS11 token.

Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>

Author: Bravo555

Cargo.lock

@@ -50,6 +50,7 @@ tar = { workspace = true }
 tedge-agent = { workspace = true }
 tedge-apt-plugin = { workspace = true }
 tedge-mapper = { workspace = true, default-features = false }
+tedge-p11-server = { workspace = true }
 tedge-watchdog = { workspace = true }
 tedge-write = { workspace = true }
 tedge_api = { workspace = true }

crates/core/tedge/Cargo.toml

@@ -5,6 +5,7 @@ use super::renew::RenewCertCmd;
 use super::show::ShowCertCmd;
 use crate::certificate_is_self_signed;
 use crate::cli::certificate::c8y;
+use crate::cli::certificate::create_key::CreateKeyCmd;
 use crate::cli::common::Cloud;
 use crate::cli::common::CloudArg;
 use crate::command::BuildCommand;
@@ -49,6 +50,9 @@ pub enum TEdgeCertCli {
         cloud: Option<CloudArg>,
     },
 
+    /// Create a new keypair
+    CreateKey,
+
     /// Renew the device certificate
     ///
     /// The current certificate is left unchanged and a new certificate file is created,
@@ -200,6 +204,8 @@ impl BuildCommand for TEdgeCertCli {
                 cmd.into_boxed()
             }
 
+            TEdgeCertCli::CreateKey => CreateKeyCmd.into_boxed(),
+
             TEdgeCertCli::Show {
                 cloud,
                 cert_path,

crates/core/tedge/src/cli/certificate/cli.rs

@@ -0,0 +1,23 @@
+use tedge_config::TEdgeConfig;
+
+use crate::command::Command;
+use crate::log::MaybeFancy;
+
+pub struct CreateKeyCmd;
+
+#[async_trait::async_trait]
+impl Command for CreateKeyCmd {
+    fn description(&self) -> String {
+        "Generate a keypair.".into()
+    }
+
+    async fn execute(&self, config: TEdgeConfig) -> Result<(), MaybeFancy<anyhow::Error>> {
+        let socket_path = &config.device.cryptoki.socket_path;
+        let pkcs11client = tedge_p11_server::client::TedgeP11Client::with_ready_check(
+            socket_path.as_std_path().into(),
+        );
+        pkcs11client.create_key(None)?;
+        eprintln!("New keypair was successfully created.");
+        Ok(())
+    }
+}

crates/core/tedge/src/cli/certificate/create_key.rs

@@ -6,6 +6,7 @@ mod c8y;
 mod cli;
 mod create;
 mod create_csr;
+mod create_key;
 mod error;
 mod remove;
 mod renew;

crates/core/tedge/src/cli/certificate/mod.rs

@@ -149,4 +149,29 @@ impl TedgeP11Client {
 
         Ok(response.0)
     }
+
+    pub fn create_key(&self, uri: Option<String>) -> anyhow::Result<()> {
+        let stream = UnixStream::connect(&self.socket_path).with_context(|| {
+            format!(
+                "Failed to connect to tedge-p11-server UNIX socket at '{}'",
+                self.socket_path.display()
+            )
+        })?;
+        let mut connection = crate::connection::Connection::new(stream);
+        debug!("Connected to socket");
+
+        let request = Frame1::CreateKeyRequest(uri);
+        trace!(?request);
+        connection.write_frame(&request)?;
+
+        let response = connection.read_frame()?;
+
+        let Frame1::CreateKeyResponse = response else {
+            bail!("protocol error: bad response, expected sign, received: {response:?}");
+        };
+
+        debug!("Sign complete");
+
+        Ok(())
+    }
 }

crates/extensions/tedge-p11-server/src/client.rs

@@ -89,6 +89,8 @@ pub enum Frame1 {
     SignRequest(SignRequest),
     ChooseSchemeResponse(ChooseSchemeResponse),
     SignResponse(SignResponse),
+    CreateKeyRequest(Option<String>),
+    CreateKeyResponse,
 }
 
 /// An error that can be returned to the client by the server.

crates/extensions/tedge-p11-server/src/connection.rs

@@ -92,23 +92,7 @@ impl Cryptoki {
         })
     }
 
-    pub fn signing_key(&self, uri: Option<&str>) -> anyhow::Result<Pkcs11SigningKey> {
-        let mut config_uri = self
-            .config
-            .uri
-            .as_deref()
-            .map(|u| uri::Pkcs11Uri::parse(u).context("Failed to parse config PKCS#11 URI"))
-            .transpose()?
-            .unwrap_or_default();
-
-        let request_uri = uri
-            .map(|uri| uri::Pkcs11Uri::parse(uri).context("Failed to parse PKCS #11 URI"))
-            .transpose()?
-            .unwrap_or_default();
-
-        config_uri.append_attributes(request_uri);
-        let uri_attributes = config_uri;
-
+    fn open_session(&self, uri_attributes: &uri::Pkcs11Uri) -> anyhow::Result<Session> {
         let wanted_label = uri_attributes.token.as_ref();
         let wanted_serial = uri_attributes.serial.as_ref();
 
@@ -139,11 +123,19 @@ impl Cryptoki {
         let token_info = self.context.get_token_info(slot)?;
         debug!(?slot_info, ?token_info, "Selected slot");
 
-        let session = self.context.open_ro_session(slot)?;
+        // let session = self.context.open_ro_session(slot)?;
+        let session = self.context.open_rw_session(slot)?;
         session.login(UserType::User, Some(&self.config.pin))?;
         let session_info = session.get_session_info()?;
         debug!(?session_info, "Opened a readonly session");
 
+        Ok(session)
+    }
+
+    pub fn signing_key(&self, uri: Option<&str>) -> anyhow::Result<Pkcs11SigningKey> {
+        let uri_attributes = self.request_uri(uri)?;
+        let session = self.open_session(&uri_attributes)?;
+
         // get the signing key
         let key = Self::find_key_by_attributes(&uri_attributes, &session)?;
         let key_type = session
@@ -197,6 +189,15 @@ impl Cryptoki {
         Ok(key)
     }
 
+    pub fn create_key(&self, uri: Option<&str>) -> anyhow::Result<()> {
+        let uri_attributes = self.request_uri(uri)?;
+        let session = self.open_session(&uri_attributes)?;
+
+        create_key(&session).context("Failed to create a new private key")?;
+
+        Ok(())
+    }
+
     fn find_key_by_attributes(
         uri: &uri::Pkcs11Uri,
         session: &Session,
@@ -227,6 +228,49 @@ impl Cryptoki {
 
         Ok(key)
     }
+
+    fn request_uri<'a>(
+        &'a self,
+        request_uri: Option<&'a str>,
+    ) -> anyhow::Result<uri::Pkcs11Uri<'a>> {
+        let mut config_uri = self
+            .config
+            .uri
+            .as_deref()
+            .map(|u| uri::Pkcs11Uri::parse(u).context("Failed to parse config PKCS#11 URI"))
+            .transpose()?
+            .unwrap_or_default();
+
+        let request_uri = request_uri
+            .map(|uri| uri::Pkcs11Uri::parse(uri).context("Failed to parse PKCS #11 URI"))
+            .transpose()?
+            .unwrap_or_default();
+
+        config_uri.append_attributes(request_uri);
+        Ok(config_uri)
+    }
+}
+
+fn create_key(session: &Session) -> anyhow::Result<()> {
+    session
+        .generate_key_pair(
+            &Mechanism::RsaPkcsKeyPairGen,
+            &[
+                Attribute::Token(true),
+                Attribute::Verify(true),
+                Attribute::Encrypt(true),
+                Attribute::ModulusBits(2048.into()),
+            ],
+            &[
+                Attribute::Token(true),
+                Attribute::Sensitive(true),
+                Attribute::Extractable(false),
+                Attribute::Sign(true),
+                Attribute::Decrypt(true),
+            ],
+        )
+        .context("Failed to generate keypair")?;
+    Ok(())
 }
 
 #[derive(Debug, Clone)]

crates/extensions/tedge-p11-server/src/pkcs11/mod.rs

@@ -51,7 +51,8 @@ impl TedgeP11Server {
         let response = match request {
             Frame1::Error(_)
             | Frame1::ChooseSchemeResponse { .. }
-            | Frame1::SignResponse { .. } => {
+            | Frame1::SignResponse { .. }
+            | Frame1::CreateKeyResponse => {
                 let error = ProtocolError("invalid request".to_string());
                 let _ = connection.write_frame(&Frame1::Error(error));
                 anyhow::bail!("protocol error: invalid request")
@@ -82,6 +83,19 @@ impl TedgeP11Server {
                     }
                 }
             }
+            Frame1::CreateKeyRequest(uri) => {
+                let response = self.service.create_key(uri.as_deref());
+                match response {
+                    Ok(_) => Frame1::CreateKeyResponse,
+                    Err(err) => {
+                        let response = Frame1::Error(ProtocolError(format!(
+                            "PKCS #11 service failed: {err:#}"
+                        )));
+                        connection.write_frame(&response)?;
+                        anyhow::bail!(err);
+                    }
+                }
+            }
         };
 
         connection.write_frame(&response).context("write")?;
@@ -119,6 +133,10 @@ mod tests {
         fn sign(&self, _request: SignRequest) -> anyhow::Result<SignResponse> {
             Ok(SignResponse(SIGNATURE.to_vec()))
         }
+
+        fn create_key(&self, uri: Option<&str>) -> anyhow::Result<()> {
+            todo!()
+        }
     }
 
     /// Check that client successfully receives responses from the server about the requests. Tests the

crates/extensions/tedge-p11-server/src/server.rs

@@ -13,6 +13,7 @@ use tracing::warn;
 pub trait SigningService {
     fn choose_scheme(&self, request: ChooseSchemeRequest) -> anyhow::Result<ChooseSchemeResponse>;
     fn sign(&self, request: SignRequest) -> anyhow::Result<SignResponse>;
+    fn create_key(&self, uri: Option<&str>) -> anyhow::Result<()>;
 }
 
 #[derive(Debug)]
@@ -77,6 +78,11 @@ impl SigningService for TedgeP11Service {
             .context("Failed to sign using PKCS #11")?;
         Ok(SignResponse(signature))
     }
+
+    fn create_key(&self, uri: Option<&str>) -> anyhow::Result<()> {
+        self.cryptoki.create_key(uri)?;
+        Ok(())
+    }
 }
 
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]