Merge pull request #3316 from rina23q/fix/3315/cert-create-csr-should-use-cloud-profile-cn

fix: tedge cert create-csr should use cloud profile's CN

Author: rina23q

crates/core/tedge/src/cli/certificate/cli.rs

@@ -3,6 +3,8 @@ use crate::cli::common::CloudArg;
 use camino::Utf8PathBuf;
 use tedge_config::OptionalConfigError;
 use tedge_config::ProfileName;
+use tedge_config::ReadError;
+use tedge_config::TEdgeConfig;
 
 use super::create::CreateCertCmd;
 use super::create_csr::CreateCsrCmd;
@@ -93,11 +95,14 @@ impl BuildCommand for TEdgeCertCli {
                 cloud,
             } => {
                 let cloud: Option<Cloud> = cloud.map(<_>::try_into).transpose()?;
+
                 // Use the current device id if no id is provided
-                let id = match id {
-                    Some(id) => id,
-                    None => config.device.id()?.clone(),
+                let id = if let Some(id) = id {
+                    id
+                } else {
+                    get_device_id_from_config(&config, &cloud)?
                 };
+
                 let cmd = CreateCsrCmd {
                     id,
                     key_path: config.device_key_path(cloud.as_ref())?.to_owned(),
@@ -186,3 +191,17 @@ pub enum UploadCertCli {
         profile: Option<ProfileName>,
     },
 }
+
+fn get_device_id_from_config(
+    config: &TEdgeConfig,
+    cloud: &Option<Cloud>,
+) -> Result<String, ReadError> {
+    let id = match cloud {
+        None => config.device.id(),
+        Some(Cloud::C8y(profile)) => config.c8y.try_get(profile.as_deref())?.device.id(),
+        Some(Cloud::Azure(profile)) => config.az.try_get(profile.as_deref())?.device.id(),
+        Some(Cloud::Aws(profile)) => config.aws.try_get(profile.as_deref())?.device.id(),
+    }?
+    .to_owned();
+    Ok(id)
+}

tests/RobotFramework/tests/tedge/certificate_signing_request.robot

@@ -52,6 +52,39 @@ Generate CSR without an existing certificate and private key
     ...    openssl req -in /etc/tedge/device-certs/tedge.csr -pubkey -noout | openssl md5
     Should Be Equal    ${output_private_key_md5}    ${output_csr_md5}
 
+Generate CSR using the device-id from an existing certificate and private key of cloud profile
+    [Tags]    \#3315
+    [Setup]    Setup With Self-Signed Certificate
+
+    ${second_device_sn}=    Catenate    SEPARATOR=_    ${DEVICE_SN}    second
+    Execute Command
+    ...    tedge config set c8y.device.cert_path --profile second /etc/tedge/device-certs/tedge@second-certificate.pem
+    Execute Command
+    ...    tedge config set c8y.device.key_path --profile second /etc/tedge/device-certs/tedge@second-key.pem
+    Execute Command    tedge cert create --device-id ${second_device_sn} c8y --profile second
+
+    ${hash_before_cert}=    Execute Command    md5sum /etc/tedge/device-certs/tedge@second-certificate.pem
+    ${hash_before_private_key}=    Execute Command    md5sum /etc/tedge/device-certs/tedge@second-key.pem
+
+    Execute Command    sudo tedge cert create-csr c8y --profile second
+
+    ${output_cert_subject}=    Execute Command
+    ...    openssl x509 -noout -subject -in /etc/tedge/device-certs/tedge@second-certificate.pem
+    ${output_csr_subject}=    Execute Command
+    ...    openssl req -noout -subject -in /etc/tedge/device-certs/tedge.csr
+    Should Be Equal    ${output_cert_subject}    ${output_csr_subject}
+
+    ${output_private_key_md5}=    Execute Command
+    ...    openssl pkey -in /etc/tedge/device-certs/tedge@second-key.pem -pubout | openssl md5
+    ${output_csr_md5}=    Execute Command
+    ...    openssl req -in /etc/tedge/device-certs/tedge.csr -pubkey -noout | openssl md5
+    Should Be Equal    ${output_private_key_md5}    ${output_csr_md5}
+
+    ${hash_after_cert}=    Execute Command    md5sum /etc/tedge/device-certs/tedge@second-certificate.pem
+    ${hash_after_private_key}=    Execute Command    md5sum /etc/tedge/device-certs/tedge@second-key.pem
+    Should Be Equal    ${hash_before_cert}    ${hash_after_cert}
+    Should Be Equal    ${hash_before_private_key}    ${hash_after_private_key}
+
 
 *** Keywords ***
 Setup With Self-Signed Certificate