Merge pull request #3709 from Bravo555/feat/pkcs11-create-key

feat: `tedge cert create-key` command

Author: Bravo555

Cargo.lock

@@ -11,6 +11,7 @@ use tedge_p11_server::service::ChooseSchemeRequest;
 use tedge_p11_server::CryptokiConfig;
 use time::Duration;
 use time::OffsetDateTime;
+use tracing::trace;
 use x509_parser::public_key::PublicKey;
 pub use zeroize::Zeroizing;
 #[cfg(feature = "reqwest")]
@@ -294,6 +295,7 @@ impl rcgen::SigningKey for RemoteKeyPair {
         // the error here is not PEM-related, but we need to return a foreign error type, and there
         // are no other better variants that could let us return context, so we'll have to use this
         // until `rcgen::Error::RemoteKeyError` can take a parameter
+        trace!(?self.cryptoki_config, msg = %String::from_utf8_lossy(msg), "sign");
         let signer = tedge_p11_server::signing_key(self.cryptoki_config.clone())
             .map_err(|e| rcgen::Error::PemError(e.to_string()))?;
         signer
@@ -304,7 +306,7 @@ impl rcgen::SigningKey for RemoteKeyPair {
 
 /// Signature algorithms that can be used for generating a CSR
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
-enum SignatureAlgorithm {
+pub enum SignatureAlgorithm {
     RsaPkcs1Sha256,
     EcdsaP256Sha256,
     EcdsaP384Sha384,

crates/common/certificate/src/lib.rs

@@ -14,6 +14,7 @@ default-run = "tedge"
 [dependencies]
 anstyle = { workspace = true }
 anyhow = { workspace = true }
+asn1-rs.workspace = true
 async-trait = { workspace = true }
 base64 = { workspace = true }
 c8y-firmware-plugin = { workspace = true }
@@ -32,7 +33,7 @@ mime_guess = { workspace = true }
 mqtt_channel = { workspace = true }
 nix = { workspace = true }
 pad = { workspace = true }
-pem = { workspace = true }
+pem.workspace = true
 rasn = { workspace = true }
 rasn-cms = { workspace = true }
 reqwest = { workspace = true, features = [
@@ -51,6 +52,7 @@ tedge-agent = { workspace = true }
 tedge-apt-plugin = { workspace = true }
 tedge-file-log-plugin = { workspace = true }
 tedge-mapper = { workspace = true, default-features = false }
+tedge-p11-server = { workspace = true }
 tedge-watchdog = { workspace = true }
 tedge-write = { workspace = true }
 tedge_api = { workspace = true }

crates/core/tedge/Cargo.toml

@@ -6,14 +6,20 @@ use super::show::ShowCertCmd;
 use crate::certificate_is_self_signed;
 use crate::cli::certificate::c8y;
 use crate::cli::certificate::create_csr::Key;
+use crate::cli::certificate::create_key::CreateKeyHsmCmd;
+use crate::cli::certificate::create_key::EcCurve;
+use crate::cli::certificate::create_key::KeyType;
+use crate::cli::certificate::create_key::RsaBits;
 use crate::cli::common::Cloud;
 use crate::cli::common::CloudArg;
 use crate::command::BuildCommand;
 use crate::command::Command;
 use crate::CertificateShift;
 use crate::ConfigError;
 use anyhow::anyhow;
+use anyhow::Context;
 use c8y_api::http_proxy::C8yEndPoint;
+use camino::Utf8Path;
 use camino::Utf8PathBuf;
 use certificate::CsrTemplate;
 use clap::ValueHint;
@@ -51,6 +57,73 @@ pub enum TEdgeCertCli {
         cloud: Option<CloudArg>,
     },
 
+    /// Generate a new keypair on the PKCS #11 token and select it to be used.
+    ///
+    /// Can be used to generate a keypair on the TOKEN. If TOKEN argument is not provided, the
+    /// command prints the available tokens.
+    ///
+    /// If TOKEN is provided, the command generates an RSA or an ECDSA keypair on the token. When
+    /// using RSA, `--bits` is used to set the size of the key, when using ECDSA, `--curve` is used.
+    ///
+    /// After the key is generated, tedge config is updated to use the new key using
+    /// `device.key_uri` property. Depending on the selected cloud, we use `device.key_uri` setting
+    /// for that cloud, e.g. `create-key-hsm c8y` will write to `c8y.device.key_uri`.
+    CreateKeyHsm {
+        /// Human readable description (CKA_LABEL attribute) for the key.
+        #[arg(long, default_value = "tedge")]
+        label: String,
+
+        /// Key identifier for the keypair (CKA_ID attribute).
+        ///
+        /// If provided and no object exists on the token with the same ID, this will be the ID of
+        /// the new keypair. If an object with this ID already exists, the operation will return an
+        /// error. If not provided, a random ID will be generated and used by the keypair.
+        ///
+        /// The id shall be provided as a sequence of hex digits without `0x` prefix, optionally
+        /// separated by spaces, e.g. `--id 010203` or `--id "01 02 03"`.
+        #[arg(long)]
+        id: Option<String>,
+
+        /// The type of the key.
+        #[arg(long, default_value = "ecdsa")]
+        r#type: KeyType,
+
+        /// The size of the RSA keys in bits. Should only be used with --type rsa.
+        #[arg(long, default_value = "2048", group = "key_params")]
+        bits: RsaBits,
+
+        /// The curve (size) of the ECDSA key. Should only be used with --type ecdsa.
+        #[arg(long, default_value = "p256", group = "key_params")]
+        curve: EcCurve,
+
+        /// User PIN value for logging into the PKCS #11 token.
+        ///
+        /// This flag can be used to provide a PIN when creating a new key without needing to update
+        /// tedge-config, which can be helpful when initializing keys on new tokens.
+        ///
+        /// Note that in contrast to the URI of the key, which will be written to tedge-config
+        /// automatically when the keypair is created, PIN will not be written automatically and may
+        /// be needed to written manually using tedge config set (if not using tedge-p11-server with
+        /// the correct default PIN).
+        #[arg(long)]
+        pin: Option<String>,
+
+        /// Path where public key will be saved when a keypair is generated.
+        #[arg(long)]
+        outfile_pubkey: Option<Box<Utf8Path>>,
+
+        // can't document subcommands here because one would have to document variants of the enum
+        // but this type is used in other places
+        #[clap(subcommand)]
+        cloud: Option<CloudArg>,
+
+        /// The URI of the token where the keypair should be created.
+        ///
+        /// If this argument is missing, a list of available initialized tokens will be shown. The
+        /// token needs to be initialized to be able to generate keys.
+        token: Option<String>,
+    },
+
     /// Renew the device certificate
     ///
     /// The current certificate is left unchanged and a new certificate file is created,
@@ -220,6 +293,42 @@ impl BuildCommand for TEdgeCertCli {
                 cmd.into_boxed()
             }
 
+            TEdgeCertCli::CreateKeyHsm {
+                bits,
+                label,
+                r#type,
+                curve,
+                id,
+                pin,
+                outfile_pubkey,
+
+                cloud,
+                token,
+            } => {
+                let cloud: Option<Cloud> = cloud.map(<_>::try_into).transpose()?;
+                let cloud_config = cloud
+                    .as_ref()
+                    .map(|c| config.as_cloud_config((c).into()))
+                    .transpose()?;
+                let cryptoki_config = config
+                    .device
+                    .cryptoki_config(cloud_config)?
+                    .context("Cryptoki config is not enabled")?;
+
+                CreateKeyHsmCmd {
+                    cryptoki_config,
+                    label,
+                    r#type,
+                    bits,
+                    curve,
+                    id,
+                    pin,
+                    outfile_pubkey,
+                    cloud,
+                    token,
+                }
+                .into_boxed()
+            }
             TEdgeCertCli::Show {
                 cloud,
                 cert_path,