Remove same-key limitation for CSR generation using PKCS11

This PR removes a limitation for generating CSRs using PKCS11 private
keys that they can only be generated for the same certificate that is
already present.

This unlocks two usecases that were previously impossible:
- using `tedge cert renew` to install a new certificate when we already
  have a certificate but a different keypair is used (previously
  SubjectPublicKeyInfo was reused from previous cert so using different
  key didn't work)
- using `tedge cert download c8y` when we don't yet have a certificate
  and register the device to C8y CA and download the initial certificate
  (previously some fields of CSR were reused from older cert so had no
  way to fill these fields without some certificate already being
  present)

Signed-off-by: Marcel Guzik <[email protected]>

Author: Bravo555

crates/common/certificate/src/lib.rs

@@ -7,6 +7,7 @@ use sha1::Digest;
 use sha1::Sha1;
 use std::path::Path;
 use std::path::PathBuf;
+use tedge_p11_server::service::ChooseSchemeRequest;
 use tedge_p11_server::CryptokiConfig;
 use tedge_p11_server::CryptokiConfigDirect;
 use time::Duration;
@@ -199,44 +200,112 @@ impl KeyKind {
     #[instrument]
     pub fn from_cryptoki_and_public_key_pem(
         cryptoki_config: CryptokiConfig,
-        private_key_label: String,
-        public_key_pem: String,
-        algorithm: SignatureAlgorithm,
     ) -> Result<Self, CertificateError> {
-        let public_key = pem::parse(public_key_pem).unwrap();
+        let cryptoki = tedge_p11_server::tedge_p11_service(cryptoki_config.clone())?;
+        let pubkey_pem = cryptoki.get_public_key_pem(None)?;
+        let public_key = pem::parse(&pubkey_pem).unwrap();
         let public_key_raw = public_key.into_contents();
-        trace!("pubkey raw: {public_key_raw:x?}");
 
-        // construct a URI that uses private key we just created to sign
-        let mut cryptoki_config = cryptoki_config;
-        let uri = match cryptoki_config {
-            CryptokiConfig::Direct(CryptokiConfigDirect { ref mut uri, .. }) => uri,
-            CryptokiConfig::SocketService { ref mut uri, .. } => uri,
-        };
-        // TODO: cleanup manual URI parsing
-        let private_key_uri = match uri {
-            Some(uri) if uri.contains("object=") => {
-                let uri: String = uri
-                    .strip_prefix("pkcs11:")
-                    .unwrap_or("")
-                    .split(';')
-                    .filter(|a| !a.contains("object="))
-                    .collect();
-
-                format!("pkcs11:{uri};object={private_key_label}")
-            }
-            Some(uri) => format!("{uri};object={private_key_label}"),
-            None => format!("pkcs11:object={private_key_label}"),
+        let signature_algorithm = cryptoki.choose_scheme(ChooseSchemeRequest {
+            offered: vec![
+                tedge_p11_server::service::SignatureScheme(
+                    rustls::SignatureScheme::ECDSA_NISTP256_SHA256,
+                ),
+                tedge_p11_server::service::SignatureScheme(
+                    rustls::SignatureScheme::ECDSA_NISTP384_SHA384,
+                ),
+                tedge_p11_server::service::SignatureScheme(
+                    rustls::SignatureScheme::RSA_PKCS1_SHA256,
+                ),
+            ],
+            uri: None,
+        })?;
+        let signature_algorithm = signature_algorithm
+            .scheme
+            .context("No supported scheme found")?
+            .0;
+
+        let algorithm = match signature_algorithm {
+            rustls::SignatureScheme::ECDSA_NISTP256_SHA256 => SignatureAlgorithm::EcdsaP256Sha256,
+            rustls::SignatureScheme::ECDSA_NISTP384_SHA384 => SignatureAlgorithm::EcdsaP384Sha384,
+            rustls::SignatureScheme::RSA_PKCS1_SHA256 => SignatureAlgorithm::RsaPkcs1Sha256,
+            _ => return Err(anyhow::anyhow!("Unsupported signature scheme").into()),
         };
-        *uri = Some(private_key_uri.into());
-        debug!(?uri);
+        trace!(?pubkey_pem, ?algorithm);
+        // trace!("pubkey raw: {public_key_raw:x?}");
+
+        // // construct a URI that uses private key we just created to sign
+        // let mut cryptoki_config = cryptoki_config;
+        // let uri = match cryptoki_config {
+        //     CryptokiConfig::Direct(CryptokiConfigDirect { ref mut uri, .. }) => uri,
+        //     CryptokiConfig::SocketService { ref mut uri, .. } => uri,
+        // };
+        // // TODO: cleanup manual URI parsing
+        // let private_key_uri = match uri {
+        //     Some(uri) if uri.contains("object=") => {
+        //         let uri: String = uri
+        //             .strip_prefix("pkcs11:")
+        //             .unwrap_or("")
+        //             .split(';')
+        //             .filter(|a| !a.contains("object="))
+        //             .collect();
+
+        //         format!("pkcs11:{uri};object={private_key_label}")
+        //     }
+        //     Some(uri) => format!("{uri};object={private_key_label}"),
+        //     None => format!("pkcs11:object={private_key_label}"),
+        // };
+        // *uri = Some(private_key_uri.into());
+        // debug!(?uri);
 
         Ok(Self::ReuseRemote(RemoteKeyPair {
             cryptoki_config,
             public_key_raw,
             algorithm,
         }))
     }
+
+    // #[instrument]
+    // pub fn from_cryptoki_and_public_key_pem(
+    //     cryptoki_config: CryptokiConfig,
+    //     private_key_label: String,
+    //     public_key_pem: String,
+    //     algorithm: SignatureAlgorithm,
+    // ) -> Result<Self, CertificateError> {
+    //     let public_key = pem::parse(public_key_pem).unwrap();
+    //     let public_key_raw = public_key.into_contents();
+    //     trace!("pubkey raw: {public_key_raw:x?}");
+
+    //     // construct a URI that uses private key we just created to sign
+    //     let mut cryptoki_config = cryptoki_config;
+    //     let uri = match cryptoki_config {
+    //         CryptokiConfig::Direct(CryptokiConfigDirect { ref mut uri, .. }) => uri,
+    //         CryptokiConfig::SocketService { ref mut uri, .. } => uri,
+    //     };
+    //     // TODO: cleanup manual URI parsing
+    //     let private_key_uri = match uri {
+    //         Some(uri) if uri.contains("object=") => {
+    //             let uri: String = uri
+    //                 .strip_prefix("pkcs11:")
+    //                 .unwrap_or("")
+    //                 .split(';')
+    //                 .filter(|a| !a.contains("object="))
+    //                 .collect();
+
+    //             format!("pkcs11:{uri};object={private_key_label}")
+    //         }
+    //         Some(uri) => format!("{uri};object={private_key_label}"),
+    //         None => format!("pkcs11:object={private_key_label}"),
+    //     };
+    //     *uri = Some(private_key_uri.into());
+    //     debug!(?uri);
+
+    //     Ok(Self::ReuseRemote(RemoteKeyPair {
+    //         cryptoki_config,
+    //         public_key_raw,
+    //         algorithm,
+    //     }))
+    // }
 }
 
 /// A key pair using a remote private key.

crates/common/tedge_config/src/tedge_toml/tedge_config/mqtt_config.rs

@@ -12,6 +12,7 @@ use camino::Utf8PathBuf;
 use certificate::parse_root_certificate::AuthPin;
 use certificate::CertificateError;
 use tedge_config_macros::all_or_nothing;
+use tracing::trace;
 
 use super::CloudConfig;
 use super::TEdgeConfigReaderDevice;
@@ -226,6 +227,7 @@ impl TEdgeConfigReaderDevice {
         let uri = cloud
             .and_then(|c| c.key_uri().or(self.key_uri.or_none().cloned()))
             .or(self.key_uri.or_none().cloned());
+        trace!(?uri);
         match cryptoki.mode {
             Cryptoki::Off => Ok(None),
             Cryptoki::Module => Ok(Some(CryptokiConfig::Direct(CryptokiConfigDirect {

crates/core/tedge/src/cli/certificate/create_csr.rs

@@ -78,20 +78,7 @@ impl CreateCsrCmd {
                 privkey_label,
                 pubkey_pem,
                 sigalg,
-            } => {
-                let current_cert = self.current_cert.clone();
-                match current_cert {
-                    Some(current_cert) => {
-                        KeyKind::from_cryptoki_and_existing_cert(config.clone(), &current_cert)?
-                    }
-                    None => KeyKind::from_cryptoki_and_public_key_pem(
-                        config.clone(),
-                        privkey_label.clone().unwrap(),
-                        pubkey_pem.as_ref().unwrap().clone(),
-                        sigalg.expect("sigalg should be set when generating a new key"),
-                    )?,
-                }
-            }
+            } => KeyKind::from_cryptoki_and_public_key_pem(config.clone())?,
         };
         debug!(?previous_key);
 

crates/core/tedge/src/cli/certificate/create_key.rs

@@ -90,28 +90,28 @@ impl Command for CreateKeyCmd {
 
         eprintln!("New keypair was successfully created.");
 
-        // use returned public key to create a CSR
-        let sigalg = match (self.r#type, self.curve) {
-            (KeyType::Rsa, _) => certificate::SignatureAlgorithm::RsaPkcs1Sha256,
-            (KeyType::Ec, EcCurve::P256) => certificate::SignatureAlgorithm::EcdsaP256Sha256,
-            (KeyType::Ec, EcCurve::P384) => certificate::SignatureAlgorithm::EcdsaP384Sha384,
-        };
-
-        let key = super::create_csr::Key::Cryptoki {
-            config: self.cryptoki_config.clone(),
-            privkey_label: Some(self.label.clone()),
-            pubkey_pem: Some(pubkey_pem.clone()),
-            sigalg: Some(sigalg),
-        };
-
-        super::create_device_csr(
-            self.device_id.clone(),
-            key,
-            None,
-            self.csr_path.clone(),
-            self.csr_template.clone(),
-        )
-        .await?;
+        // // use returned public key to create a CSR
+        // let sigalg = match (self.r#type, self.curve) {
+        //     (KeyType::Rsa, _) => certificate::SignatureAlgorithm::RsaPkcs1Sha256,
+        //     (KeyType::Ec, EcCurve::P256) => certificate::SignatureAlgorithm::EcdsaP256Sha256,
+        //     (KeyType::Ec, EcCurve::P384) => certificate::SignatureAlgorithm::EcdsaP384Sha384,
+        // };
+
+        // let key = super::create_csr::Key::Cryptoki {
+        //     config: self.cryptoki_config.clone(),
+        //     privkey_label: Some(self.label.clone()),
+        //     pubkey_pem: Some(pubkey_pem.clone()),
+        //     sigalg: Some(sigalg),
+        // };
+
+        // super::create_device_csr(
+        //     self.device_id.clone(),
+        //     key,
+        //     None,
+        //     self.csr_path.clone(),
+        //     self.csr_template.clone(),
+        // )
+        // .await?;
 
         eprintln!("Public key:\n{pubkey_pem}\n");
 

crates/core/tedge/src/main.rs

@@ -69,11 +69,7 @@ async fn main() -> anyhow::Result<()> {
                 .context("failed to run tedge apt plugin")?
         }
         TEdgeOptMulticall::Tedge(TEdgeCli { cmd, common }) => {
-            log_init(
-                "tedge",
-                &common.log_args.with_default_level(tracing::Level::WARN),
-                &common.config_dir,
-            )?;
+            log_init("tedge", &common.log_args, &common.config_dir)?;
 
             let tedge_config = tedge_config::TEdgeConfig::load(&common.config_dir).await?;
 

crates/extensions/tedge-p11-server/src/pkcs11/mod.rs

@@ -79,6 +79,7 @@ use cryptoki::mechanism::MechanismType;
 use cryptoki::object::Attribute;
 use cryptoki::object::AttributeType;
 use cryptoki::object::KeyType;
+use cryptoki::object::ObjectClass;
 use cryptoki::object::ObjectHandle;
 use cryptoki::session::Session;
 use cryptoki::session::UserType;
@@ -239,7 +240,8 @@ impl Cryptoki {
         let session = self.open_session(&uri_attributes)?;
 
         // get the signing key
-        let key = Self::find_key_by_attributes(&uri_attributes, &session)?;
+        let key =
+            Self::find_key_by_attributes(&uri_attributes, &session, ObjectClass::PRIVATE_KEY)?;
         let key_type = session
             .get_attributes(key, &[AttributeType::KeyType])?
             .into_iter()
@@ -278,12 +280,14 @@ impl Cryptoki {
                     session,
                     key,
                     sigscheme,
+                    secondary_schemes: Vec::new(),
                 }
             }
             KeyType::RSA => Pkcs11Signer {
                 session,
                 key,
                 sigscheme: SigScheme::RsaPssSha256,
+                secondary_schemes: vec![SigScheme::RsaPkcs1Sha256],
             },
             _ => anyhow::bail!("unsupported key type"),
         };
@@ -305,20 +309,20 @@ impl Cryptoki {
         let uri_attributes = self.request_uri(uri)?;
         let session = self.open_session(&uri_attributes)?;
 
-        let key =
-            Self::find_key_by_attributes(&uri_attributes, &session).context("object not found")?;
+        let key = Self::find_key_by_attributes(&uri_attributes, &session, ObjectClass::PUBLIC_KEY)?;
 
         export_public_key_pem(&session, key)
     }
 
     fn find_key_by_attributes(
         uri: &uri::Pkcs11Uri,
         session: &Session,
+        class: ObjectClass,
     ) -> anyhow::Result<ObjectHandle> {
         let mut key_template = vec![
             Attribute::Token(true),
-            Attribute::Private(true),
-            Attribute::Sign(true),
+            // Attribute::Sign(true),
+            Attribute::Class(class),
         ];
         if let Some(object) = &uri.object {
             key_template.push(Attribute::Label(object.as_bytes().to_vec()));
@@ -327,14 +331,14 @@ impl Cryptoki {
             key_template.push(Attribute::Id(id.clone()));
         }
 
-        trace!(?key_template, "Finding a key");
+        trace!(?key_template, ?uri.object, "Finding a key");
 
         let mut keys = session
             .find_objects(&key_template)
             .context("Failed to find private key objects")?
             .into_iter();
 
-        let key = keys.next().context("Failed to find a private key")?;
+        let key = keys.next().context("Failed to find a key")?;
         if keys.len() > 0 {
             warn!(
                 "Multiple keys were found. If the wrong one was chosen, please use a URI that uniquely identifies a key."
@@ -636,6 +640,8 @@ fn export_public_key_pem(session: &Session, key: ObjectHandle) -> anyhow::Result
             }
 
             debug!("Can't use PublicKeyInfo, reconstructing pubkey from components");
+            let attrs = session.get_attributes(key, &[AttributeType::EcPoint])?;
+            let mut attrs = attrs.into_iter();
 
             // Elliptic-Curve-Point-to-Octet-String from SEC 1: Elliptic Curve Cryptography (Version 2.0) section 2.3.3 (page 10)
             let ec_point = attrs.next().context("Failed to get pubkey EcPoint")?;
@@ -678,6 +684,7 @@ pub struct Pkcs11Signer {
     session: Pkcs11Session,
     key: ObjectHandle,
     pub sigscheme: SigScheme,
+    pub secondary_schemes: Vec<SigScheme>,
 }
 
 impl Pkcs11Signer {
@@ -812,10 +819,20 @@ impl SigningKey for Pkcs11Signer {
         let key_scheme = self.sigscheme.into();
         if offered.contains(&key_scheme) {
             debug!("Matching scheme: {key_scheme:?}");
-            Some(Box::new(self.clone()))
-        } else {
-            None
+            return Some(Box::new(self.clone()));
         }
+
+        for scheme in &self.secondary_schemes {
+            let key_scheme = (*scheme).into();
+            if offered.contains(&key_scheme) {
+                debug!("Matching scheme: {key_scheme:?}");
+                let mut signer = self.clone();
+                signer.sigscheme = *scheme;
+                return Some(Box::new(signer));
+            }
+        }
+
+        None
     }
 
     fn algorithm(&self) -> SignatureAlgorithm {