Set RSA key size and label

Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>

Author: Bravo555

crates/core/tedge/src/cli/certificate/cli.rs

@@ -51,7 +51,13 @@ pub enum TEdgeCertCli {
     },
 
     /// Create a new keypair
-    CreateKey,
+    CreateKey {
+        #[arg(long, default_value = "2048")]
+        bits: u16,
+
+        #[arg(long)]
+        label: String,
+    },
 
     /// Renew the device certificate
     ///
@@ -204,7 +210,7 @@ impl BuildCommand for TEdgeCertCli {
                 cmd.into_boxed()
             }
 
-            TEdgeCertCli::CreateKey => CreateKeyCmd.into_boxed(),
+            TEdgeCertCli::CreateKey { bits, label } => CreateKeyCmd { bits, label }.into_boxed(),
 
             TEdgeCertCli::Show {
                 cloud,

crates/core/tedge/src/cli/certificate/create_key.rs

@@ -1,9 +1,13 @@
 use tedge_config::TEdgeConfig;
+use tedge_p11_server::pkcs11::{CreateKeyParams, KeyTypeParams};
 
 use crate::command::Command;
 use crate::log::MaybeFancy;
 
-pub struct CreateKeyCmd;
+pub struct CreateKeyCmd {
+    pub bits: u16,
+    pub label: String,
+}
 
 #[async_trait::async_trait]
 impl Command for CreateKeyCmd {
@@ -16,7 +20,12 @@ impl Command for CreateKeyCmd {
         let pkcs11client = tedge_p11_server::client::TedgeP11Client::with_ready_check(
             socket_path.as_std_path().into(),
         );
-        pkcs11client.create_key(None)?;
+        let params = CreateKeyParams {
+            key: KeyTypeParams::Rsa { bits: self.bits },
+            token: None,
+            label: self.label.clone(),
+        };
+        pkcs11client.create_key(None, params)?;
         eprintln!("New keypair was successfully created.");
         Ok(())
     }

crates/extensions/tedge-p11-server/src/client.rs

@@ -7,6 +7,9 @@ use anyhow::Context;
 use tracing::debug;
 use tracing::trace;
 
+use crate::pkcs11::CreateKeyParams;
+use crate::service::CreateKeyRequest;
+
 use super::connection::Frame1;
 use super::service::ChooseSchemeRequest;
 use super::service::SignRequest;
@@ -111,7 +114,7 @@ impl TedgeP11Client {
         Ok(response.0)
     }
 
-    pub fn create_key(&self, uri: Option<String>) -> anyhow::Result<()> {
+    pub fn create_key(&self, uri: Option<String>, params: CreateKeyParams) -> anyhow::Result<()> {
         let stream = UnixStream::connect(&self.socket_path).with_context(|| {
             format!(
                 "Failed to connect to tedge-p11-server UNIX socket at '{}'",
@@ -121,7 +124,7 @@ impl TedgeP11Client {
         let mut connection = crate::connection::Connection::new(stream);
         debug!("Connected to socket");
 
-        let request = Frame1::CreateKeyRequest(uri);
+        let request = Frame1::CreateKeyRequest(CreateKeyRequest { uri, params });
         trace!(?request);
         connection.write_frame(&request)?;
 

crates/extensions/tedge-p11-server/src/connection.rs

@@ -15,6 +15,7 @@ use tracing::warn;
 
 use crate::service::ChooseSchemeRequest;
 use crate::service::ChooseSchemeResponse;
+use crate::service::CreateKeyRequest;
 use crate::service::SignRequest;
 use crate::service::SignResponse;
 
@@ -89,7 +90,7 @@ pub enum Frame1 {
     SignRequest(SignRequest),
     ChooseSchemeResponse(ChooseSchemeResponse),
     SignResponse(SignResponse),
-    CreateKeyRequest(Option<String>),
+    CreateKeyRequest(CreateKeyRequest),
     CreateKeyResponse,
 }
 

crates/extensions/tedge-p11-server/src/pkcs11/mod.rs

@@ -28,6 +28,8 @@ use rustls::sign::Signer;
 use rustls::sign::SigningKey;
 use rustls::SignatureAlgorithm;
 use rustls::SignatureScheme;
+use serde::Deserialize;
+use serde::Serialize;
 use tracing::debug;
 use tracing::trace;
 use tracing::warn;
@@ -189,11 +191,11 @@ impl Cryptoki {
         Ok(key)
     }
 
-    pub fn create_key(&self, uri: Option<&str>) -> anyhow::Result<()> {
+    pub fn create_key(&self, uri: Option<&str>, params: CreateKeyParams) -> anyhow::Result<()> {
         let uri_attributes = self.request_uri(uri)?;
         let session = self.open_session(&uri_attributes)?;
 
-        create_key(&session).context("Failed to create a new private key")?;
+        create_key(&session, params).context("Failed to create a new private key")?;
 
         Ok(())
     }
@@ -251,28 +253,53 @@ impl Cryptoki {
     }
 }
 
-fn create_key(session: &Session) -> anyhow::Result<()> {
+fn create_key(session: &Session, params: CreateKeyParams) -> anyhow::Result<()> {
+    let KeyTypeParams::Rsa { bits } = params.key;
+    anyhow::ensure!(
+        bits == 2048 || bits == 3072 || bits == 4096,
+        "Invalid bits value: only 2048/3072/4096 key sizes are valid"
+    );
+
+    trace!(bits, "Generating keypair");
     session
         .generate_key_pair(
             &Mechanism::RsaPkcsKeyPairGen,
             &[
-                Attribute::Token(true),
+                // Attribute::Token(true),
+                Attribute::Private(false),
                 Attribute::Verify(true),
                 Attribute::Encrypt(true),
-                Attribute::ModulusBits(2048.into()),
+                Attribute::ModulusBits(u64::from(bits).into()),
+                // Attribute::Label("rsa_public".into()),
             ],
             &[
                 Attribute::Token(true),
+                Attribute::Private(true),
                 Attribute::Sensitive(true),
                 Attribute::Extractable(false),
                 Attribute::Sign(true),
                 Attribute::Decrypt(true),
+                Attribute::Label(params.label.into()),
+                // Attribute::ModulusBits(u64::from(bits).into()),
+                // Attribute::KeyType(KeyType::RSA),
             ],
         )
         .context("Failed to generate keypair")?;
     Ok(())
 }
 
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+pub struct CreateKeyParams {
+    pub key: KeyTypeParams,
+    pub token: Option<String>,
+    pub label: String,
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+pub enum KeyTypeParams {
+    Rsa { bits: u16 },
+}
+
 #[derive(Debug, Clone)]
 pub struct Pkcs11SigningKey {
     session: PKCS11,

crates/extensions/tedge-p11-server/src/server.rs

@@ -83,8 +83,10 @@ impl TedgeP11Server {
                     }
                 }
             }
-            Frame1::CreateKeyRequest(uri) => {
-                let response = self.service.create_key(uri.as_deref());
+            Frame1::CreateKeyRequest(request) => {
+                let response = self
+                    .service
+                    .create_key(request.uri.as_deref(), request.params);
                 match response {
                     Ok(_) => Frame1::CreateKeyResponse,
                     Err(err) => {
@@ -107,6 +109,7 @@ impl TedgeP11Server {
 #[cfg(test)]
 mod tests {
     use crate::client::TedgeP11Client;
+    use crate::pkcs11::CreateKeyParams;
     use crate::service::*;
     use std::io::Read;
     use std::os::unix::net::UnixStream;
@@ -134,7 +137,7 @@ mod tests {
             Ok(SignResponse(SIGNATURE.to_vec()))
         }
 
-        fn create_key(&self, _uri: Option<&str>) -> anyhow::Result<()> {
+        fn create_key(&self, _uri: Option<&str>, _params: CreateKeyParams) -> anyhow::Result<()> {
             todo!()
         }
     }

crates/extensions/tedge-p11-server/src/service.rs

@@ -1,3 +1,4 @@
+use crate::pkcs11::CreateKeyParams;
 use crate::pkcs11::Cryptoki;
 use crate::pkcs11::CryptokiConfigDirect;
 use crate::pkcs11::PkcsSigner;
@@ -13,7 +14,7 @@ use tracing::warn;
 pub trait SigningService {
     fn choose_scheme(&self, request: ChooseSchemeRequest) -> anyhow::Result<ChooseSchemeResponse>;
     fn sign(&self, request: SignRequest) -> anyhow::Result<SignResponse>;
-    fn create_key(&self, uri: Option<&str>) -> anyhow::Result<()>;
+    fn create_key(&self, uri: Option<&str>, params: CreateKeyParams) -> anyhow::Result<()>;
 }
 
 #[derive(Debug)]
@@ -79,8 +80,9 @@ impl SigningService for TedgeP11Service {
         Ok(SignResponse(signature))
     }
 
-    fn create_key(&self, uri: Option<&str>) -> anyhow::Result<()> {
-        self.cryptoki.create_key(uri)?;
+    #[instrument(skip_all)]
+    fn create_key(&self, uri: Option<&str>, params: CreateKeyParams) -> anyhow::Result<()> {
+        self.cryptoki.create_key(uri, params)?;
         Ok(())
     }
 }
@@ -106,6 +108,12 @@ pub struct SignRequest {
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
 pub struct SignResponse(pub Vec<u8>);
 
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+pub struct CreateKeyRequest {
+    pub uri: Option<String>,
+    pub params: CreateKeyParams,
+}
+
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub struct SignatureScheme(pub rustls::SignatureScheme);
 

tests/RobotFramework/tests/pkcs11/private_key_storage.robot

@@ -111,11 +111,24 @@ Creates a private key on the PKCS11 token
     Should Be Equal    ${output}    No matching objects found
 
     Set tedge-p11-server Uri    value=pkcs11:token=create-key-token
-    Execute Command    tedge cert create-key
 
+    Execute Command    tedge cert create-key --label rsa-2048
     ${output}=    Execute Command
     ...    cmd=p11tool --login --set-pin=123456 --list-privkeys "pkcs11:token=create-key-token"
     Should Contain    ${output}    Object 0:
+    Should Contain    ${output}    Type: Private key (RSA-2048)\n\tLabel: rsa-2048
+
+    Execute Command    tedge cert create-key --label rsa-3072 --bits 3072
+    ${output}=    Execute Command
+    ...    cmd=p11tool --login --set-pin=123456 --list-privkeys "pkcs11:token=create-key-token"
+    Should Contain    ${output}    Object 1:
+    Should Contain    ${output}    Type: Private key (RSA-3072)\n\tLabel: rsa-3072
+
+    Execute Command    tedge cert create-key --label rsa-4096 --bits 4096
+    ${output}=    Execute Command
+    ...    cmd=p11tool --login --set-pin=123456 --list-privkeys "pkcs11:token=create-key-token"
+    Should Contain    ${output}    Object 2:
+    Should Contain    ${output}    Type: Private key (RSA-4096)\n\tLabel: rsa-4096
 
     [Teardown]    Set tedge-p11-server Uri    value=