
Conversation

Bravo555
Member

@Bravo555 Bravo555 commented Jun 26, 2025

TODO

  • handle all supported keys (EC 256/384, RSA 2048/3072/4096)
  • allow selecting token, key label, key type and size using command line arguments
  • write a test to maintain compatibility with 1.5.1
  • figure out why p11tool sometimes doesn't print curve ids of EC keys added to module documentation
  • see if we can remove added dependencies
  • generate URI for the new key so the user can replace the entire URI instead of tweaking parts
  • don't generate CSR in create-key, do it in tedge cert download
  • cleanup

Follow-up

  • show more information after key is created
  • test failure modes

Proposed changes

Implements a tedge cert create-key command that can be used to create a private key on a PKCS11 token without additional tools.

Types of changes

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Improvement (general improvements like code refactoring that doesn't explicitly fix a bug or add any new functionality)
  • Documentation Update (if none of the other choices apply)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Paste Link to the issue

#3665

Checklist

  • I have read the CONTRIBUTING doc
  • I have signed the CLA (in all commits with git commit -s. You can activate automatic signing by running just prepare-dev once)
  • I ran just format as mentioned in CODING_GUIDELINES
  • I used just check as mentioned in CODING_GUIDELINES
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Further comments
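As an added illustration of two items on the TODO list above (mapping the supported key types to the PKCS#11 attribute values a key-generation call needs, and generating a PKCS#11 URI for the new key so the user can replace the whole URI rather than tweaking parts of it), here is a small Rust example. It is not code from this PR or from thin-edge.io: the `KeyType` enum, the command-line spellings it parses, `pkcs11_uri` and the sample token and label values are this example's own assumptions. The URI encoding follows RFC 7512; the curve OIDs are the standard DER encodings for secp256r1 and secp384r1, which is what PKCS#11 expects in CKA_EC_PARAMS and what tools such as p11tool read to name a key's curve (whether that relates to the p11tool display issue noted in the TODO is not something this page states).

```rust
// Added example, not thin-edge.io code. Maps the key types listed in the PR's
// TODO to PKCS#11 attribute values, and builds an RFC 7512 URI for the created
// key. All names below are this example's own assumptions.

/// Key types from the TODO: EC 256/384 and RSA 2048/3072/4096.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum KeyType {
    Ec256,
    Ec384,
    Rsa2048,
    Rsa3072,
    Rsa4096,
}

// DER-encoded named-curve OIDs: secp256r1 = 1.2.840.10045.3.1.7,
// secp384r1 = 1.3.132.0.34. These are the CKA_EC_PARAMS values.
const SECP256R1_OID_DER: &[u8] = &[0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07];
const SECP384R1_OID_DER: &[u8] = &[0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22];

impl KeyType {
    /// Parse a constructed command-line spelling such as "ec256" or "rsa4096".
    /// Anything outside the supported set is rejected rather than guessed.
    pub fn parse(s: &str) -> Option<KeyType> {
        match s.to_ascii_lowercase().as_str() {
            "ec256" => Some(KeyType::Ec256),
            "ec384" => Some(KeyType::Ec384),
            "rsa2048" => Some(KeyType::Rsa2048),
            "rsa3072" => Some(KeyType::Rsa3072),
            "rsa4096" => Some(KeyType::Rsa4096),
            _ => None,
        }
    }

    /// CKA_EC_PARAMS for EC keys, None for RSA.
    pub fn ec_params_der(self) -> Option<&'static [u8]> {
        match self {
            KeyType::Ec256 => Some(SECP256R1_OID_DER),
            KeyType::Ec384 => Some(SECP384R1_OID_DER),
            _ => None,
        }
    }

    /// CKA_MODULUS_BITS for RSA keys, None for EC.
    pub fn rsa_modulus_bits(self) -> Option<u64> {
        match self {
            KeyType::Rsa2048 => Some(2048),
            KeyType::Rsa3072 => Some(3072),
            KeyType::Rsa4096 => Some(4096),
            _ => None,
        }
    }
}

// RFC 7512: characters allowed unescaped in path and query attribute values,
// on top of the unreserved set (ALPHA / DIGIT / "-" / "." / "_" / "~").
const PATH_RES_AVAIL: &[u8] = b":[]@!$'()*+,=&";
const QUERY_RES_AVAIL: &[u8] = b":[]@!$'()*+,=/?|";

/// Percent-encode every byte that is neither unreserved nor in `extra_allowed`.
/// ";" (the path separator) and "%" are always encoded, so a token or label
/// containing them cannot split or corrupt the URI.
fn pct_encode(s: &str, extra_allowed: &[u8]) -> String {
    let mut out = String::with_capacity(s.len());
    for b in s.bytes() {
        let unreserved = b.is_ascii_alphanumeric() || b"-._~".contains(&b);
        if unreserved || extra_allowed.contains(&b) {
            out.push(b as char);
        } else {
            out.push_str(&format!("%{:02X}", b));
        }
    }
    out
}

/// Build `pkcs11:token=...;object=...;id=...;type=private?module-path=...`.
/// `id` is CKA_ID, a binary attribute, so it is emitted as percent-encoded octets.
pub fn pkcs11_uri(token: &str, label: &str, id: Option<&[u8]>, module_path: Option<&str>) -> String {
    let mut path = vec![
        format!("token={}", pct_encode(token, PATH_RES_AVAIL)),
        format!("object={}", pct_encode(label, PATH_RES_AVAIL)),
    ];
    if let Some(id) = id {
        let hex: String = id.iter().map(|b| format!("%{:02X}", b)).collect();
        path.push(format!("id={}", hex));
    }
    path.push("type=private".to_string());
    let mut uri = format!("pkcs11:{}", path.join(";"));
    if let Some(m) = module_path {
        uri.push_str("?module-path=");
        uri.push_str(&pct_encode(m, QUERY_RES_AVAIL));
    }
    uri
}

fn main() {
    // Constructed sample values; the module path is SoftHSM's usual location.
    let key = KeyType::parse("ec256").expect("supported key type");
    println!("{:?} -> CKA_EC_PARAMS {:02x?}", key, key.ec_params_der());
    println!("{}", pkcs11_uri("My Token", "tedge key", Some(&[0x01, 0x02]), Some("/usr/lib/softhsm/libsofthsm2.so")));
}
```

The point of rejecting unknown key types in `parse` and of always encoding `;` and `%` is the same: the values end up in a device's TLS identity configuration, so a typo or an unusual label should produce an error or a correctly escaped URI, never a URI that silently points at a different object.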

@Bravo555 Bravo555 had a problem deploying to Test Pull Request June 26, 2025 08:58 — with GitHub Actions Failure
@Bravo555 Bravo555 self-assigned this Jun 26, 2025
@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from 7d44718 to c2e2aa1 June 27, 2025 07:55
@Bravo555 Bravo555 had a problem deploying to Test Pull Request June 27, 2025 07:56 — with GitHub Actions Failure
@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from c2e2aa1 to 993fd82 June 27, 2025 17:57
@Bravo555 Bravo555 had a problem deploying to Test Pull Request June 27, 2025 17:57 — with GitHub Actions Failure
@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from 993fd82 to 64f3a6b June 30, 2025 17:06
@Bravo555 Bravo555 had a problem deploying to Test Pull Request June 30, 2025 17:06 — with GitHub Actions Failure
@reubenmiller reubenmiller added the theme:hsm Hardware Security Module related topics label Jul 3, 2025
@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from 64f3a6b to 525651b July 4, 2025 13:10
@Bravo555 Bravo555 had a problem deploying to Test Pull Request July 4, 2025 13:10 — with GitHub Actions Failure
@Bravo555 Bravo555 temporarily deployed to Test Pull Request July 9, 2025 16:23 — with GitHub Actions Inactive
@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from 3025528 to c638b40 July 10, 2025 07:52
@Bravo555 Bravo555 temporarily deployed to Test Pull Request July 10, 2025 07:52 — with GitHub Actions Inactive
Contributor

github-actions bot commented Jul 10, 2025

Robot Results

  ✅ Passed   ❌ Failed   ⏭️ Skipped   Total   Pass %   ⏱️ Duration
  670         0           3            670     100      1h48m51.053583999s

@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from c638b40 to c3959cd July 11, 2025 08:49
@Bravo555 Bravo555 temporarily deployed to Test Pull Request July 11, 2025 08:49 — with GitHub Actions Inactive
@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from c3959cd to e099533 July 14, 2025 14:31
@Bravo555 Bravo555 temporarily deployed to Test Pull Request July 14, 2025 14:31 — with GitHub Actions Inactive
@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from e099533 to fef773e July 14, 2025 14:36
@Bravo555 Bravo555 temporarily deployed to Test Pull Request July 14, 2025 14:36 — with GitHub Actions Inactive
@Bravo555 Bravo555 had a problem deploying to Test Pull Request July 14, 2025 15:13 — with GitHub Actions Failure
@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from 25fe73f to 629ccbe July 14, 2025 15:16
@Bravo555 Bravo555 temporarily deployed to Test Pull Request July 14, 2025 15:16 — with GitHub Actions Inactive
@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from 0b2fc72 to 04abd57 July 31, 2025 13:43
@Bravo555 Bravo555 temporarily deployed to Test Pull Request July 31, 2025 13:43 — with GitHub Actions Inactive
@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from 04abd57 to 2ea7d45 July 31, 2025 17:12
@Bravo555 Bravo555 had a problem deploying to Test Pull Request July 31, 2025 17:12 — with GitHub Actions Failure
Bravo555 added 20 commits August 8, 2025 08:05
The command uses TedgeP11Client to create a new RSA keypair on the
PKCS11 token.

Signed-off-by: Marcel Guzik <[email protected]>
Signed-off-by: Marcel Guzik <[email protected]>
Added options to create EC keys; however, there remains a problem that
p11tool doesn't display curve names as it does with keys generated with
`p11tool --generate-privkey`.

Signed-off-by: Marcel Guzik <[email protected]>
Signed-off-by: Marcel Guzik <[email protected]>
Signed-off-by: Marcel Guzik <[email protected]>
Signed-off-by: Marcel Guzik <[email protected]>
Signed-off-by: Marcel Guzik <[email protected]>
Signed-off-by: Marcel Guzik <[email protected]>
Signed-off-by: Marcel Guzik <[email protected]>
This PR removes a limitation on generating CSRs using PKCS11 private
keys: that they could only be generated for the same certificate that is
already present.

This unlocks two use cases that were previously impossible:
- using `tedge cert renew` to install a new certificate when we already
  have a certificate but a different keypair is used (previously the
  SubjectPublicKeyInfo was reused from the previous cert, so using a
  different key didn't work)
- using `tedge cert download c8y` when we don't yet have a certificate,
  registering the device to the C8y CA and downloading the initial
  certificate (previously some fields of the CSR were reused from the
  older cert, so there was no way to fill these fields without some
  certificate already being present)

Signed-off-by: Marcel Guzik <[email protected]>
Labels
theme:hsm Hardware Security Module related topics
Projects
None yet
Development

Successfully merging this pull request may close these issues.

tedge cert create should support creating a key via the tedge-p11-server
2 participants