working tedge cert download with CSR signed by PCKS 11 token

Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>

Author: Bravo555

Cargo.lock

@@ -17,6 +17,7 @@ anyhow = { workspace = true }
 asn1-rs = { workspace = true }
 base64 = { workspace = true }
 camino = { workspace = true }
+pem.workspace = true
 rcgen = { workspace = true }
 reqwest = { workspace = true, optional = true, features = [
     "rustls-tls-native-roots",

crates/common/certificate/Cargo.toml

@@ -1,4 +1,5 @@
 use anyhow::Context;
+use asn1_rs::nom::HexDisplay;
 use camino::Utf8Path;
 use device_id::DeviceIdError;
 use rcgen::Certificate;
@@ -9,8 +10,12 @@ use sha1::Sha1;
 use std::path::Path;
 use std::path::PathBuf;
 use tedge_p11_server::CryptokiConfig;
+use tedge_p11_server::CryptokiConfigDirect;
 use time::Duration;
 use time::OffsetDateTime;
+use tracing::debug;
+use tracing::instrument;
+use tracing::trace;
 use x509_parser::oid_registry;
 use x509_parser::public_key::PublicKey;
 pub use zeroize::Zeroizing;
@@ -198,6 +203,49 @@ impl KeyKind {
             algorithm,
         }))
     }
+
+    #[instrument]
+    pub fn from_cryptoki_and_public_key_pem(
+        cryptoki_config: CryptokiConfig,
+        private_key_label: String,
+        public_key_pem: String,
+    ) -> Result<Self, CertificateError> {
+        let public_key = pem::parse(public_key_pem).unwrap();
+        let public_key_raw = public_key.into_contents();
+        trace!("pubkey raw: {public_key_raw:x?}");
+
+        // TODO: implement other algs
+        let algorithm = &rcgen::PKCS_RSA_SHA256;
+
+        // construct a URI that uses private key we just created to sign
+        let mut cryptoki_config = cryptoki_config;
+        let uri = match cryptoki_config {
+            CryptokiConfig::Direct(CryptokiConfigDirect { ref mut uri, .. }) => uri,
+            CryptokiConfig::SocketService { ref mut uri, .. } => uri,
+        };
+        let private_key_uri = match uri {
+            Some(uri) if uri.contains("object=") => {
+                let mut uri: String = uri
+                    .strip_prefix("pkcs11:")
+                    .unwrap_or("")
+                    .split(';')
+                    .filter(|a| !a.contains("object="))
+                    .collect();
+
+                format!("pkcs11:{uri};object={private_key_label}")
+            }
+            Some(uri) => format!("{uri};object={private_key_label}"),
+            None => format!("pkcs11:object={private_key_label}"),
+        };
+        *uri = Some(private_key_uri.into());
+        debug!(?uri);
+
+        Ok(Self::ReuseRemote(RemoteKeyPair {
+            cryptoki_config,
+            public_key_raw,
+            algorithm,
+        }))
+    }
 }
 
 /// A key pair using a remote private key.
@@ -252,6 +300,7 @@ impl rcgen::RemoteKeyPair for RemoteKeyPair {
         // the error here is not PEM-related, but we need to return a foreign error type, and there
         // are no other better variants that could let us return context, so we'll have to use this
         // until `rcgen::Error::RemoteKeyError` can take a parameter
+        trace!(?self.cryptoki_config, msg = %String::from_utf8_lossy(msg), "sign");
         let signer = tedge_p11_server::signing_key(self.cryptoki_config.clone())
             .map_err(|e| rcgen::Error::PemError(e.to_string()))?;
         signer

crates/common/certificate/src/lib.rs

@@ -1,7 +1,7 @@
-use crate::cli::certificate::c8y::create_device_csr;
 use crate::cli::certificate::c8y::read_csr_from_file;
 use crate::cli::certificate::c8y::store_device_cert;
 use crate::cli::certificate::create_csr::Key;
+use crate::cli::certificate::create_device_csr;
 use crate::cli::certificate::show::ShowCertCmd;
 use crate::command::Command;
 use crate::error;
@@ -113,6 +113,7 @@ impl DownloadCertCmd {
                     error!("Fail to extract a certificate from the response returned by {c8y_url}");
                 }
                 Ok(response) => {
+                    tracing::error!(?response);
                     let error = Self::c8y_error_message(response).await;
                     error!("The device {common_name} is not registered yet on {c8y_url}: {error}");
                 }
@@ -182,7 +183,7 @@ impl DownloadCertCmd {
 
     async fn c8y_error_message(response: Response) -> String {
         let status = response.status().to_string();
-        if let Ok(C8yAPIError { message, .. }) = response.json().await {
+        if let Ok(C8yAPIError { message, .. }) = dbg!(response.json().await) {
             format!("{status}: {}", message)
         } else {
             status

crates/core/tedge/src/cli/certificate/c8y/download.rs

@@ -12,29 +12,6 @@ pub use download::DownloadCertCmd;
 pub use renew::RenewCertCmd;
 pub use upload::UploadCertCmd;
 
-/// Create a device private key and CSR
-///
-/// Return the CSR in the format expected by c8y CA
-async fn create_device_csr(
-    common_name: String,
-    key: super::create_csr::Key,
-    current_cert: Option<Utf8PathBuf>,
-    csr_path: Utf8PathBuf,
-    csr_template: CsrTemplate,
-) -> Result<(), CertError> {
-    let create_cmd = CreateCsrCmd {
-        id: common_name,
-        csr_path: csr_path.clone(),
-        key,
-        current_cert,
-        user: "tedge".to_string(),
-        group: "tedge".to_string(),
-        csr_template,
-    };
-    create_cmd.create_certificate_signing_request().await?;
-    Ok(())
-}
-
 /// Return the CSR in the format expected by c8y CA
 async fn read_csr_from_file(csr_path: &Utf8PathBuf) -> Result<String, CertError> {
     let csr = read_cert_to_string(csr_path).await?;

crates/core/tedge/src/cli/certificate/c8y/mod.rs

@@ -1,8 +1,8 @@
 use crate::certificate_cn;
-use crate::cli::certificate::c8y::create_device_csr;
 use crate::cli::certificate::c8y::read_csr_from_file;
 use crate::cli::certificate::c8y::store_device_cert;
 use crate::cli::certificate::create_csr::Key;
+use crate::cli::certificate::create_device_csr;
 use crate::cli::certificate::show::ShowCertCmd;
 use crate::command::Command;
 use crate::get_webpki_error_from_reqwest;

crates/core/tedge/src/cli/certificate/c8y/renew.rs

@@ -66,6 +66,13 @@ pub enum TEdgeCertCli {
 
         #[arg(long, default_value = "256")]
         curve: u16,
+
+        /// The device identifier to be used as the common name for the certificate
+        #[clap(long = "device-id", global = true)]
+        id: Option<String>,
+
+        #[clap(subcommand)]
+        cloud: Option<CloudArg>,
     },
 
     /// Renew the device certificate
@@ -209,7 +216,11 @@ impl BuildCommand for TEdgeCertCli {
                     .transpose()?;
                 let cryptoki = config.device.cryptoki_config(cloud_config)?;
                 let key = cryptoki
-                    .map(super::create_csr::Key::Cryptoki)
+                    .map(|config| super::create_csr::Key::Cryptoki {
+                        config,
+                        privkey_label: None,
+                        pubkey_pem: None,
+                    })
                     .unwrap_or(Key::Local(
                         config.device_key_path(cloud.as_ref())?.to_owned(),
                     ));
@@ -242,14 +253,24 @@ impl BuildCommand for TEdgeCertCli {
                 label,
                 r#type,
                 curve,
-            } => CreateKeyCmd {
-                bits,
-                label,
-                r#type,
-                curve,
-            }
-            .into_boxed(),
 
+                id,
+                cloud,
+            } => {
+                let cloud: Option<Cloud> = cloud.map(<_>::try_into).transpose()?;
+
+                CreateKeyCmd {
+                    bits,
+                    label,
+                    r#type,
+                    curve,
+
+                    device_id: get_device_id(id, config, &cloud)?,
+                    csr_template,
+                    csr_path: config.device_csr_path(cloud.as_ref())?.to_owned(),
+                }
+                .into_boxed()
+            }
             TEdgeCertCli::Show {
                 cloud,
                 cert_path,
@@ -331,7 +352,11 @@ impl BuildCommand for TEdgeCertCli {
 
                 let cryptoki = config.device.cryptoki_config(Some(c8y_config))?;
                 let key = cryptoki
-                    .map(super::create_csr::Key::Cryptoki)
+                    .map(|config| super::create_csr::Key::Cryptoki {
+                        config,
+                        privkey_label: None,
+                        pubkey_pem: None,
+                    })
                     .unwrap_or(Key::Local(
                         config
                             .device_key_path(Some(tedge_config::tedge_toml::Cloud::C8y(
@@ -419,7 +444,11 @@ impl BuildCommand for TEdgeCertCli {
                         .transpose()?;
                     let cryptoki = config.device.cryptoki_config(cloud_config)?;
                     let key = cryptoki
-                        .map(super::create_csr::Key::Cryptoki)
+                        .map(|config| super::create_csr::Key::Cryptoki {
+                            config,
+                            privkey_label: None,
+                            pubkey_pem: None,
+                        })
                         .unwrap_or(Key::Local(
                             config.device_key_path(cloud.as_ref())?.to_owned(),
                         ));

crates/core/tedge/src/cli/certificate/cli.rs

@@ -39,7 +39,12 @@ pub struct CreateCsrCmd {
 #[derive(Debug, Clone)]
 pub enum Key {
     Local(Utf8PathBuf),
-    Cryptoki(CryptokiConfig),
+    Cryptoki {
+        config: CryptokiConfig,
+        // TODO: move it where it makes sense
+        privkey_label: Option<String>,
+        pubkey_pem: Option<String>,
+    },
 }
 
 #[async_trait::async_trait]
@@ -67,12 +72,22 @@ impl CreateCsrCmd {
                 .await
                 .map_err(|e| CertError::IoError(e).key_context(key_path.clone()))?,
 
-            Key::Cryptoki(cryptoki) => {
-                let current_cert = self
-                    .current_cert
-                    .clone()
-                    .context("Need an existing cert when using an HSM")?;
-                KeyKind::from_cryptoki_and_existing_cert(cryptoki.clone(), &current_cert)?
+            Key::Cryptoki {
+                config,
+                privkey_label,
+                pubkey_pem,
+            } => {
+                let current_cert = self.current_cert.clone();
+                match current_cert {
+                    Some(current_cert) => {
+                        KeyKind::from_cryptoki_and_existing_cert(config.clone(), &current_cert)?
+                    }
+                    None => KeyKind::from_cryptoki_and_public_key_pem(
+                        config.clone(),
+                        privkey_label.clone().unwrap(),
+                        pubkey_pem.as_ref().unwrap().clone(),
+                    )?,
+                }
             }
         };
         debug!(?previous_key);

crates/core/tedge/src/cli/certificate/create_csr.rs

@@ -1,7 +1,11 @@
+use camino::Utf8PathBuf;
+use certificate::CsrTemplate;
 use clap::ValueEnum;
 use tedge_config::TEdgeConfig;
 use tedge_p11_server::pkcs11::{CreateKeyParams, KeyTypeParams};
+use tedge_p11_server::CryptokiConfig;
 
+use crate::cli::common::Cloud;
 use crate::command::Command;
 use crate::log::MaybeFancy;
 
@@ -10,6 +14,13 @@ pub struct CreateKeyCmd {
     pub curve: u16,
     pub label: String,
     pub r#type: KeyType,
+
+    /// The device identifier to be used as the common name for the certificate
+    pub device_id: String,
+
+    pub csr_template: CsrTemplate,
+
+    pub csr_path: Utf8PathBuf,
 }
 
 #[derive(Debug, Clone, PartialEq, Eq, ValueEnum)]
@@ -38,11 +49,40 @@ impl Command for CreateKeyCmd {
             token: None,
             label: self.label.clone(),
         };
+
+        // generate a keypair
+        // TODO: don't assume it's RSA
         let pubkey_der = pkcs11client.create_key(None, params)?;
         let pubkey_pem = pem::Pem::new("PUBLIC KEY", pubkey_der);
         let pubkey_pem = pem::encode(&pubkey_pem);
 
         eprintln!("New keypair was successfully created.");
+
+        // use returned private key to create a CSR
+
+        // isn't device_id the same as certificate_cn?
+        let common_name = crate::certificate_cn(
+            &config
+                .device_cert_path(None::<&Cloud>)
+                .unwrap()
+                .to_path_buf(),
+        )
+        .await?;
+
+        let cryptoki_config = config.device.cryptoki_config(None).unwrap().unwrap();
+        let key = super::create_csr::Key::Cryptoki {
+            config: cryptoki_config,
+            privkey_label: Some(self.label.clone()),
+            pubkey_pem: Some(pubkey_pem.clone()),
+        };
+        let csr_path = config
+            .device_csr_path(None::<&Cloud>)
+            .unwrap()
+            .to_path_buf();
+
+        super::create_device_csr(common_name, key, None, csr_path, self.csr_template.clone())
+            .await?;
+
         eprintln!("Public key:\n{pubkey_pem}\n");
 
         Ok(())