make tedge cert create use HSM

Bravo555 · Bravo555 · commit 66b13b98f84e · 2025-12-09T20:51:10.000Z
Signed-off-by: Marcel Guzik &lt;marcel.guzik@cumulocity.com&gt;
diff --git a/crates/core/tedge/src/cli/certificate/cli.rs b/crates/core/tedge/src/cli/certificate/cli.rs
@@ -34,7 +34,10 @@ use tracing::debug;
 
 #[derive(clap::Subcommand, Debug)]
 pub enum TEdgeCertCli {
-    /// Create a self-signed device certificate
+    /// Create a self-signed device certificate.
+    ///
+    /// This command creates the device certificate and private key, and persists them, if they
+    /// don't already exist.
     Create {
         /// The device identifier to be used as the common name for the certificate
         #[clap(long = "device-id", global = true)]
diff --git a/crates/core/tedge/src/cli/certificate/create.rs b/crates/core/tedge/src/cli/certificate/create.rs
@@ -2,6 +2,7 @@ use super::error::CertError;
 use crate::cli::certificate::show::ShowCertCmd;
 use crate::command::Command;
 use crate::log::MaybeFancy;
+use anyhow::Context;
 use camino::Utf8Path;
 use camino::Utf8PathBuf;
 use certificate::CsrTemplate;
@@ -12,6 +13,7 @@ use std::fs::Permissions;
 use std::os::unix::fs::PermissionsExt;
 use std::path::Path;
 use tedge_config::TEdgeConfig;
+use tedge_p11_server::CryptokiConfig;
 use tokio::fs::File;
 use tokio::fs::OpenOptions;
 use tokio::io::AsyncWriteExt;
@@ -42,8 +44,10 @@ impl Command for CreateCertCmd {
         format!("create a test certificate for the device {}.", self.id)
     }
 
-    async fn execute(&self, _: TEdgeConfig) -> Result<(), MaybeFancy<anyhow::Error>> {
-        self.create_test_certificate(&self.csr_template).await?;
+    async fn execute(&self, config: TEdgeConfig) -> Result<(), MaybeFancy<anyhow::Error>> {
+        let cryptoki = config.device.cryptoki_config(None)?;
+        self.create_test_certificate(&self.csr_template, cryptoki)
+            .await?;
         eprintln!("Certificate created successfully");
         eprintln!("    => the certificate has to be uploaded to the cloud");
         eprintln!("    => before the device can be connected\n");
@@ -53,8 +57,23 @@ impl Command for CreateCertCmd {
 }
 
 impl CreateCertCmd {
-    pub async fn create_test_certificate(&self, config: &CsrTemplate) -> Result<(), CertError> {
-        let cert = KeyCertPair::new_selfsigned_certificate(config, &self.id, &KeyKind::New)?;
+    // test certificate here means it's not yet permanent - establishing the connection using this
+    // new certificate will be tested during `tedge connect` and if an error happens, we will revert
+    // to the previous certificate. If not, the certificate will be set as a permanent active
+    // certificate and will not be tested on further connections.
+    pub async fn create_test_certificate(
+        &self,
+        template: &CsrTemplate,
+        cryptoki: Option<CryptokiConfig>,
+    ) -> Result<(), CertError> {
+        let key_kind = if let Some(cryptoki) = cryptoki {
+            KeyKind::from_cryptoki(cryptoki.clone(), None)
+                .context("failed to create a remote keykind")?
+        } else {
+            KeyKind::New
+        };
+
+        let cert = KeyCertPair::new_selfsigned_certificate(template, &self.id, &key_kind)?;
 
         let cert_path = &self.cert_path;
         persist_new_public_key(
@@ -66,15 +85,18 @@ impl CreateCertCmd {
         .await
         .map_err(|err| err.cert_context(cert_path.clone()))?;
 
-        let key_path = &self.key_path;
-        persist_new_private_key(
-            key_path,
-            cert.private_key_pem_string()?,
-            &self.user,
-            &self.group,
-        )
-        .await
-        .map_err(|err| err.key_context(key_path.clone()))?;
+        // only persist to filesystem if we just created a new key (not using HSM)
+        if let KeyKind::New = key_kind {
+            let key_path = &self.key_path;
+            persist_new_private_key(
+                key_path,
+                cert.private_key_pem_string()?,
+                &self.user,
+                &self.group,
+            )
+            .await
+            .map_err(|err| err.key_context(key_path.clone()))?;
+        }
         Ok(())
     }
 }
@@ -238,7 +260,8 @@ mod tests {
         };
 
         assert_matches!(
-            cmd.create_test_certificate(&CsrTemplate::default()).await,
+            cmd.create_test_certificate(&CsrTemplate::default(), None)
+                .await,
             Ok(())
         );
         assert_eq!(parse_pem_file(&cert_path).tag(), "CERTIFICATE");
@@ -268,7 +291,7 @@ mod tests {
         };
 
         assert!(cmd
-            .create_test_certificate(&CsrTemplate::default())
+            .create_test_certificate(&CsrTemplate::default(), None)
             .await
             .ok()
             .is_none());
@@ -293,7 +316,7 @@ mod tests {
         };
 
         let cert_error = cmd
-            .create_test_certificate(&CsrTemplate::default())
+            .create_test_certificate(&CsrTemplate::default(), None)
             .await
             .unwrap_err();
         assert_matches!(cert_error, CertError::CertificateNotFound { .. });
@@ -315,7 +338,7 @@ mod tests {
         };
 
         let cert_error = cmd
-            .create_test_certificate(&CsrTemplate::default())
+            .create_test_certificate(&CsrTemplate::default(), None)
             .await
             .unwrap_err();
         assert_matches!(cert_error, CertError::KeyNotFound { .. });
diff --git a/crates/core/tedge/src/cli/certificate/create_csr.rs b/crates/core/tedge/src/cli/certificate/create_csr.rs
@@ -145,7 +145,8 @@ mod tests {
 
         // create private key and public cert with standard command
         assert_matches!(
-            cmd.create_test_certificate(&CsrTemplate::default()).await,
+            cmd.create_test_certificate(&CsrTemplate::default(), None)
+                .await,
             Ok(())
         );
 
diff --git a/crates/core/tedge/src/cli/certificate/renew.rs b/crates/core/tedge/src/cli/certificate/renew.rs
@@ -89,7 +89,7 @@ mod tests {
         };
 
         // First create both cert and key
-        cmd.create_test_certificate(&CsrTemplate::default())
+        cmd.create_test_certificate(&CsrTemplate::default(), None)
             .await
             .unwrap();
 
diff --git a/tests/RobotFramework/tests/pkcs11/tedge_cert_create/current.robot b/tests/RobotFramework/tests/pkcs11/tedge_cert_create/current.robot
@@ -0,0 +1,13 @@
+*** Settings ***
+Resource        tedge_cert_create.resource
+
+Suite Setup     tedge-p11-server Setup    ${TEDGE_P11_SERVER_VERSION}
+
+
+*** Variables ***
+${TEDGE_P11_SERVER_VERSION}     ${EMPTY}
+
+
+*** Test Cases ***
+Tedge cert create should use HSM configuration
+    Test tedge cert create uses HSM configuration
diff --git a/tests/RobotFramework/tests/pkcs11/tedge_cert_create/initial.robot b/tests/RobotFramework/tests/pkcs11/tedge_cert_create/initial.robot
@@ -0,0 +1,13 @@
+*** Settings ***
+Resource        tedge_cert_create.resource
+
+Suite Setup     tedge-p11-server Setup    ${TEDGE_P11_SERVER_VERSION}
+
+
+*** Variables ***
+${TEDGE_P11_SERVER_VERSION}     ${EMPTY}
+
+
+*** Test Cases ***
+Tedge cert create should use HSM configuration
+    Test tedge cert create uses HSM configuration
diff --git a/tests/RobotFramework/tests/pkcs11/tedge_cert_create/tedge_cert_create.resource b/tests/RobotFramework/tests/pkcs11/tedge_cert_create/tedge_cert_create.resource
@@ -0,0 +1,13 @@
+*** Settings ***
+Resource    ../pkcs11_common.resource
+
+
+*** Keywords ***
+Test tedge cert create uses HSM configuration
+    # here assumed that we're configured to use PKCS11 private key
+    Execute Command    tedge cert remove
+    Execute Command    tedge cert create --device-id ${DEVICE_SN}
+
+    Execute Command
+    ...    cmd=C8Y_USER='${C8Y_CONFIG.username}' C8Y_PASSWORD='${C8Y_CONFIG.password}' tedge cert upload c8y
+    Tedge Reconnect Should Succeed
