fix cert renew incompat for tedge-p11-server 1.6.1

If tedge-p11-server is too old, use previous method to renew only
existing certificates.

With tedge-p11-server 1.6.1, we could only renew existing certificates.
In later versions, where an ability to export the PEM of public keys was
added and we could use this to generate CSRs without existing
certificate, this new method replaced the previous approach, but this
introduced the incompatibility (since tedge-p11-server 1.6.1 didn't
support it). So now we revert to the older method if server is too old.

Signed-off-by: Marcel Guzik <[email protected]>

Author: Bravo555

crates/common/certificate/src/lib.rs

@@ -155,7 +155,7 @@ pub enum KeyKind {
 }
 
 impl KeyKind {
-    pub fn from_cryptoki_and_existing_cert(
+    fn from_cryptoki_and_existing_cert(
         cryptoki_config: CryptokiConfig,
         current_cert: &Utf8Path,
     ) -> Result<Self, CertificateError> {
@@ -193,9 +193,29 @@ impl KeyKind {
         }))
     }
 
-    pub fn from_cryptoki(cryptoki_config: CryptokiConfig) -> Result<Self, CertificateError> {
+    pub fn from_cryptoki(
+        cryptoki_config: CryptokiConfig,
+        current_cert: Option<&Utf8Path>,
+    ) -> Result<Self, CertificateError> {
         let cryptoki = tedge_p11_server::tedge_p11_service(cryptoki_config.clone())?;
-        let pubkey_pem = cryptoki.get_public_key_pem(None)?;
+
+        let pubkey_pem = cryptoki.get_public_key_pem(None);
+        let pubkey_pem = match pubkey_pem {
+            Ok(p) => p,
+            Err(err) => {
+                let e = format!("{err:#}");
+                if e.contains("Failed to parse the received frame") {
+                    // server doesn't understand the request, too old, fallback to the older method of just resigning existing certificate
+                    let Some(current_cert) = current_cert else {
+                        return Err(CertificateError::Other(
+                            anyhow::anyhow!("tedge-p11-server can only renew existing certificates but there's no existing certificate; upgrade tedge-p11-server or generate a self-signed certificate first")));
+                    };
+                    return Self::from_cryptoki_and_existing_cert(cryptoki_config, current_cert);
+                }
+                return Err(err.into());
+            }
+        };
+
         let public_key = pem::parse(&pubkey_pem).unwrap();
         let public_key_raw = public_key.into_contents();
 

crates/core/tedge/src/cli/certificate/c8y/download.rs

@@ -85,6 +85,7 @@ impl DownloadCertCmd {
             create_device_csr(
                 common_name.clone(),
                 self.key.clone(),
+                None,
                 self.csr_path.clone(),
                 self.csr_template.clone(),
             )

crates/core/tedge/src/cli/certificate/c8y/mod.rs

@@ -18,13 +18,15 @@ pub use upload::UploadCertCmd;
 async fn create_device_csr(
     common_name: String,
     key: super::create_csr::Key,
+    current_cert: Option<Utf8PathBuf>,
     csr_path: Utf8PathBuf,
     csr_template: CsrTemplate,
 ) -> Result<(), CertError> {
     let create_cmd = CreateCsrCmd {
         id: common_name,
         csr_path: csr_path.clone(),
         key,
+        current_cert,
         user: "tedge".to_string(),
         group: "tedge".to_string(),
         csr_template,

crates/core/tedge/src/cli/certificate/c8y/renew.rs

@@ -84,6 +84,7 @@ impl RenewCertCmd {
             create_device_csr(
                 common_name,
                 self.key.clone(),
+                Some(self.cert_path.clone()),
                 self.csr_path.clone(),
                 self.csr_template.clone(),
             )

crates/core/tedge/src/cli/certificate/cli.rs

@@ -197,6 +197,11 @@ impl BuildCommand for TEdgeCertCli {
                         config.device_key_path(cloud.as_ref())?.to_owned(),
                     ));
                 debug!(?key);
+                let current_cert = config
+                    .device_cert_path(cloud.as_ref())
+                    .map(|c| c.to_owned())
+                    .ok();
+                debug!(?current_cert);
 
                 let cmd = CreateCsrCmd {
                     id: get_device_id(id, config, &cloud)?,
@@ -207,6 +212,7 @@ impl BuildCommand for TEdgeCertCli {
                     } else {
                         config.device_csr_path(cloud.as_ref())?.to_owned()
                     },
+                    current_cert,
                     user: user.to_owned(),
                     group: group.to_owned(),
                     csr_template,

crates/core/tedge/src/cli/certificate/create_csr.rs

@@ -24,6 +24,9 @@ pub struct CreateCsrCmd {
     /// The path where the device CSR will be stored
     pub csr_path: Utf8PathBuf,
 
+    /// Path to current certificate, if it exists
+    pub current_cert: Option<Utf8PathBuf>,
+
     /// The owner of the private key
     pub user: String,
     pub group: String,
@@ -63,7 +66,10 @@ impl CreateCsrCmd {
                 .await
                 .map_err(|e| CertError::IoError(e).key_context(key_path.clone()))?,
 
-            Key::Cryptoki(config) => KeyKind::from_cryptoki(config.clone())?,
+            Key::Cryptoki(config) => KeyKind::from_cryptoki(
+                config.clone(),
+                self.current_cert.as_ref().map(|p| p.as_path()),
+            )?,
         };
         debug!(?previous_key);
 
@@ -111,6 +117,7 @@ mod tests {
             user: "mosquitto".to_string(),
             group: "mosquitto".to_string(),
             csr_template: CsrTemplate::default(),
+            current_cert: None,
         };
 
         assert_matches!(cmd.create_certificate_signing_request().await, Ok(()));
@@ -154,6 +161,7 @@ mod tests {
             user: "mosquitto".to_string(),
             group: "mosquitto".to_string(),
             csr_template: CsrTemplate::default(),
+            current_cert: None,
         };
 
         // create csr using existing private key and device_id from public cert