Remove same-key limitation for CSR generation using PKCS11

Bravo555 · Bravo555 · commit c44ca53ceccf · 2025-08-14T11:57:54.000Z
This PR removes a limitation for generating CSRs using PKCS11 private
keys that they can only be generated for the same certificate that is
already present.

This unlocks two usecases that were previously impossible:
- using `tedge cert renew` to install a new certificate when we already
  have a certificate but a different keypair is used (previously
  SubjectPublicKeyInfo was reused from previous cert so using different
  key didn't work)
- using `tedge cert download c8y` when we don't yet have a certificate
  and register the device to C8y CA and download the initial certificate
  (previously some fields of CSR were reused from older cert so had no
  way to fill these fields without some certificate already being
  present)

Signed-off-by: Marcel Guzik &lt;marcel.guzik@cumulocity.com&gt;
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/common/certificate/Cargo.toml b/crates/common/certificate/Cargo.toml
@@ -17,6 +17,7 @@ anyhow = { workspace = true }
 asn1-rs = { workspace = true }
 base64 = { workspace = true }
 camino = { workspace = true }
+pem.workspace = true
 rcgen = { workspace = true }
 reqwest = { workspace = true, optional = true, features = [
     "rustls-tls-native-roots",
diff --git a/crates/common/certificate/src/lib.rs b/crates/common/certificate/src/lib.rs
@@ -7,6 +7,7 @@ use sha1::Digest;
 use sha1::Sha1;
 use std::path::Path;
 use std::path::PathBuf;
+use tedge_p11_server::service::ChooseSchemeRequest;
 use tedge_p11_server::CryptokiConfig;
 use time::Duration;
 use time::OffsetDateTime;
@@ -191,6 +192,45 @@ impl KeyKind {
             algorithm,
         }))
     }
+
+    pub fn from_cryptoki(cryptoki_config: CryptokiConfig) -> Result<Self, CertificateError> {
+        let cryptoki = tedge_p11_server::tedge_p11_service(cryptoki_config.clone())?;
+        let pubkey_pem = cryptoki.get_public_key_pem(None)?;
+        let public_key = pem::parse(&pubkey_pem).unwrap();
+        let public_key_raw = public_key.into_contents();
+
+        let signature_algorithm = cryptoki.choose_scheme(ChooseSchemeRequest {
+            offered: vec![
+                tedge_p11_server::service::SignatureScheme(
+                    rustls::SignatureScheme::ECDSA_NISTP256_SHA256,
+                ),
+                tedge_p11_server::service::SignatureScheme(
+                    rustls::SignatureScheme::ECDSA_NISTP384_SHA384,
+                ),
+                tedge_p11_server::service::SignatureScheme(
+                    rustls::SignatureScheme::RSA_PKCS1_SHA256,
+                ),
+            ],
+            uri: None,
+        })?;
+        let signature_algorithm = signature_algorithm
+            .scheme
+            .context("No supported scheme found")?
+            .0;
+
+        let algorithm = match signature_algorithm {
+            rustls::SignatureScheme::ECDSA_NISTP256_SHA256 => SignatureAlgorithm::EcdsaP256Sha256,
+            rustls::SignatureScheme::ECDSA_NISTP384_SHA384 => SignatureAlgorithm::EcdsaP384Sha384,
+            rustls::SignatureScheme::RSA_PKCS1_SHA256 => SignatureAlgorithm::RsaPkcs1Sha256,
+            _ => return Err(anyhow::anyhow!("Unsupported signature scheme").into()),
+        };
+
+        Ok(Self::ReuseRemote(RemoteKeyPair {
+            cryptoki_config,
+            public_key_raw,
+            algorithm,
+        }))
+    }
 }
 
 /// A key pair using a remote private key.
diff --git a/crates/core/tedge/src/cli/certificate/c8y/download.rs b/crates/core/tedge/src/cli/certificate/c8y/download.rs
@@ -85,7 +85,6 @@ impl DownloadCertCmd {
             create_device_csr(
                 common_name.clone(),
                 self.key.clone(),
-                None,
                 self.csr_path.clone(),
                 self.csr_template.clone(),
             )
diff --git a/crates/core/tedge/src/cli/certificate/c8y/mod.rs b/crates/core/tedge/src/cli/certificate/c8y/mod.rs
@@ -18,15 +18,13 @@ pub use upload::UploadCertCmd;
 async fn create_device_csr(
     common_name: String,
     key: super::create_csr::Key,
-    current_cert: Option<Utf8PathBuf>,
     csr_path: Utf8PathBuf,
     csr_template: CsrTemplate,
 ) -> Result<(), CertError> {
     let create_cmd = CreateCsrCmd {
         id: common_name,
         csr_path: csr_path.clone(),
         key,
-        current_cert,
         user: "tedge".to_string(),
         group: "tedge".to_string(),
         csr_template,
diff --git a/crates/core/tedge/src/cli/certificate/c8y/renew.rs b/crates/core/tedge/src/cli/certificate/c8y/renew.rs
@@ -84,7 +84,6 @@ impl RenewCertCmd {
             create_device_csr(
                 common_name,
                 self.key.clone(),
-                Some(self.cert_path.clone()),
                 self.csr_path.clone(),
                 self.csr_template.clone(),
             )
diff --git a/crates/core/tedge/src/cli/certificate/cli.rs b/crates/core/tedge/src/cli/certificate/cli.rs
@@ -198,15 +198,9 @@ impl BuildCommand for TEdgeCertCli {
                     ));
                 debug!(?key);
 
-                let current_cert = config
-                    .device_cert_path(cloud.as_ref())
-                    .map(|c| c.to_owned())
-                    .ok();
-                debug!(?current_cert);
                 let cmd = CreateCsrCmd {
                     id: get_device_id(id, config, &cloud)?,
                     key,
-                    current_cert,
                     // Use output file instead of csr_path from tedge config if provided
                     csr_path: if let Some(output_path) = output_path {
                         output_path
diff --git a/crates/core/tedge/src/cli/certificate/create_csr.rs b/crates/core/tedge/src/cli/certificate/create_csr.rs
@@ -4,7 +4,6 @@ use crate::log::MaybeFancy;
 use crate::override_public_key;
 use crate::persist_new_private_key;
 use crate::reuse_private_key;
-use anyhow::Context;
 use camino::Utf8PathBuf;
 use certificate::parse_root_certificate::CryptokiConfig;
 use certificate::CsrTemplate;
@@ -22,9 +21,6 @@ pub struct CreateCsrCmd {
     /// The path where the device private key will be stored
     pub key: Key,
 
-    /// Path to current certificate
-    pub current_cert: Option<Utf8PathBuf>,
-
     /// The path where the device CSR will be stored
     pub csr_path: Utf8PathBuf,
 
@@ -67,13 +63,7 @@ impl CreateCsrCmd {
                 .await
                 .map_err(|e| CertError::IoError(e).key_context(key_path.clone()))?,
 
-            Key::Cryptoki(cryptoki) => {
-                let current_cert = self
-                    .current_cert
-                    .clone()
-                    .context("Need an existing cert when using an HSM")?;
-                KeyKind::from_cryptoki_and_existing_cert(cryptoki.clone(), &current_cert)?
-            }
+            Key::Cryptoki(config) => KeyKind::from_cryptoki(config.clone())?,
         };
         debug!(?previous_key);
 
@@ -117,7 +107,6 @@ mod tests {
         let cmd = CreateCsrCmd {
             id: id.to_string(),
             key: Key::Local(key_path.clone()),
-            current_cert: None,
             csr_path: csr_path.clone(),
             user: "mosquitto".to_string(),
             group: "mosquitto".to_string(),
@@ -161,7 +150,6 @@ mod tests {
         let cmd = CreateCsrCmd {
             id: id.to_string(),
             key: Key::Local(key_path.clone()),
-            current_cert: None,
             csr_path: csr_path.clone(),
             user: "mosquitto".to_string(),
             group: "mosquitto".to_string(),
diff --git a/crates/extensions/tedge-p11-server/src/pkcs11/mod.rs b/crates/extensions/tedge-p11-server/src/pkcs11/mod.rs
@@ -21,6 +21,7 @@ use cryptoki::mechanism::MechanismType;
 use cryptoki::object::Attribute;
 use cryptoki::object::AttributeType;
 use cryptoki::object::KeyType;
+use cryptoki::object::ObjectClass;
 use cryptoki::object::ObjectHandle;
 use cryptoki::session::Session;
 use cryptoki::session::UserType;
@@ -175,7 +176,8 @@ impl Cryptoki {
         let session = self.open_session(&uri_attributes)?;
 
         // get the signing key
-        let key = Self::find_key_by_attributes(&uri_attributes, &session)?;
+        let key =
+            Self::find_key_by_attributes(&uri_attributes, &session, ObjectClass::PRIVATE_KEY)?;
         let key_type = session
             .get_attributes(key, &[AttributeType::KeyType])?
             .into_iter()
@@ -214,12 +216,14 @@ impl Cryptoki {
                     session,
                     key,
                     sigscheme,
+                    secondary_schemes: Vec::new(),
                 }
             }
             KeyType::RSA => Pkcs11Signer {
                 session,
                 key,
                 sigscheme: SigScheme::RsaPssSha256,
+                secondary_schemes: vec![SigScheme::RsaPkcs1Sha256],
             },
             _ => anyhow::bail!("unsupported key type"),
         };
@@ -231,36 +235,32 @@ impl Cryptoki {
         let uri_attributes = self.request_uri(uri)?;
         let session = self.open_session(&uri_attributes)?;
 
-        let key =
-            Self::find_key_by_attributes(&uri_attributes, &session).context("object not found")?;
+        let key = Self::find_key_by_attributes(&uri_attributes, &session, ObjectClass::PUBLIC_KEY)?;
 
         export_public_key_pem(&session, key)
     }
 
     fn find_key_by_attributes(
         uri: &uri::Pkcs11Uri,
         session: &Session,
+        class: ObjectClass,
     ) -> anyhow::Result<ObjectHandle> {
-        let mut key_template = vec![
-            Attribute::Token(true),
-            Attribute::Private(true),
-            Attribute::Sign(true),
-        ];
+        let mut key_template = vec![Attribute::Token(true), Attribute::Class(class)];
         if let Some(object) = &uri.object {
             key_template.push(Attribute::Label(object.as_bytes().to_vec()));
         }
         if let Some(id) = &uri.id {
             key_template.push(Attribute::Id(id.clone()));
         }
 
-        trace!(?key_template, "Finding a key");
+        trace!(?key_template, ?uri.object, "Finding a key");
 
         let mut keys = session
             .find_objects(&key_template)
             .context("Failed to find private key objects")?
             .into_iter();
 
-        let key = keys.next().context("Failed to find a private key")?;
+        let key = keys.next().context("Failed to find a key")?;
         if keys.len() > 0 {
             warn!(
                 "Multiple keys were found. If the wrong one was chosen, please use a URI that uniquely identifies a key."
@@ -364,6 +364,7 @@ pub struct Pkcs11Signer {
     session: Pkcs11Session,
     key: ObjectHandle,
     pub sigscheme: SigScheme,
+    pub secondary_schemes: Vec<SigScheme>,
 }
 
 impl Pkcs11Signer {
@@ -498,10 +499,20 @@ impl SigningKey for Pkcs11Signer {
         let key_scheme = self.sigscheme.into();
         if offered.contains(&key_scheme) {
             debug!("Matching scheme: {key_scheme:?}");
-            Some(Box::new(self.clone()))
-        } else {
-            None
+            return Some(Box::new(self.clone()));
         }
+
+        for scheme in &self.secondary_schemes {
+            let key_scheme = (*scheme).into();
+            if offered.contains(&key_scheme) {
+                debug!("Matching scheme: {key_scheme:?}");
+                let mut signer = self.clone();
+                signer.sigscheme = *scheme;
+                return Some(Box::new(signer));
+            }
+        }
+
+        None
     }
 
     fn algorithm(&self) -> SignatureAlgorithm {
diff --git a/crates/extensions/tedge-p11-server/src/proxy/client.rs b/crates/extensions/tedge-p11-server/src/proxy/client.rs
@@ -29,24 +29,35 @@ impl TedgeP11Service for TedgeP11Client {
         &self,
         request: ChooseSchemeRequest,
     ) -> anyhow::Result<crate::service::ChooseSchemeResponse> {
+        let uri = request
+            .uri
+            .as_deref()
+            .or(self.uri.as_deref())
+            .map(ToString::to_string);
         let offered: Vec<_> = request.offered.iter().map(|s| s.0).collect();
-        self.choose_scheme(&offered, request.uri)
+        self.choose_scheme(&offered, uri)
     }
 
     fn sign(
         &self,
         request: SignRequestWithSigScheme,
     ) -> anyhow::Result<crate::service::SignResponse> {
+        let uri = request
+            .uri
+            .as_deref()
+            .or(self.uri.as_deref())
+            .map(ToString::to_string);
         let response = match request.sigscheme {
-            Some(sigscheme) => self.sign2(&request.to_sign, request.uri, sigscheme)?,
-            None => self.sign(&request.to_sign, request.uri)?,
+            Some(sigscheme) => self.sign2(&request.to_sign, uri, sigscheme)?,
+            None => self.sign(&request.to_sign, uri)?,
         };
 
         Ok(crate::service::SignResponse(response))
     }
 
     fn get_public_key_pem(&self, uri: Option<&str>) -> anyhow::Result<String> {
-        self.get_public_key_pem(uri.map(ToString::to_string))
+        let uri = uri.or(self.uri.as_deref()).map(ToString::to_string);
+        self.get_public_key_pem(uri)
     }
 }
 
diff --git a/tests/RobotFramework/tests/pkcs11/private_key_storage.robot b/tests/RobotFramework/tests/pkcs11/private_key_storage.robot
@@ -111,13 +111,34 @@ Can use PKCS11 key to renew the public certificate
     Execute Command    systemctl stop tedge-p11-server tedge-p11-server.socket
     Command Should Fail With
     ...    tedge cert renew c8y
-    ...    error=PEM error: Failed to connect to tedge-p11-server UNIX socket at '/run/tedge-p11-server/tedge-p11-server.sock'
+    ...    error=Failed to connect to tedge-p11-server UNIX socket at '/run/tedge-p11-server/tedge-p11-server.sock'
 
     Execute Command    systemctl start tedge-p11-server.socket
+
     Execute Command    cmd=tedge config set c8y.device.key_uri pkcs11:object=nonexistent_key
     Command Should Fail With
     ...    tedge cert renew c8y
-    ...    error=PEM error: protocol error: bad response, expected sign, received: Error(ProtocolError("PKCS #11 service failed: Failed to find a signing key: Failed to find a private key"))
+    ...    error=PKCS #11 service failed: Failed to find a key
+    Execute Command    cmd=tedge config unset c8y.device.key_uri
+
+Can use tedge cert download c8y to download a certificate
+    [Documentation]    Download a certificate using CSR generated with PKCS11 without a prior certificate.
+    # this new keypair doesn't have an associated certificate
+    Set up new PKCS11 keypair    type=ecdsa
+
+    ${credentials}=    Cumulocity.Bulk Register Device With Cumulocity CA    external_id=${DEVICE_SN}
+    Execute Command
+    ...    cmd=tedge cert download c8y --device-id "${DEVICE_SN}" --one-time-password '${credentials.one_time_password}' --retry-every 5s --max-timeout 60s
+
+    Tedge Reconnect Should Succeed
+
+Can renew the certificate using different keypair
+    [Documentation]    Starting with an initial trusted certificate, replace the keypair and renew the certificate.
+    Connect to C8y using new keypair    type=ecdsa
+    Set up new PKCS11 keypair    type=ecdsa
+    Execute Command    tedge cert renew c8y
+    ${stdout}=    Tedge Reconnect Should Succeed
+    Should Contain    ${stdout}    The new certificate is now the active certificate
 
 Ignore tedge.toml if missing
     Execute Command    rm -f ./tedge.toml

Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,6 @@ impl DownloadCertCmd {`
`85`	`85`	`create_device_csr(`
`86`	`86`	`common_name.clone(),`
`87`	`87`	`self.key.clone(),`
`88`		`- None,`
`89`	`88`	`self.csr_path.clone(),`
`90`	`89`	`self.csr_template.clone(),`
`91`	`90`	`)`
Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,6 @@ impl RenewCertCmd {`
`84`	`84`	`create_device_csr(`
`85`	`85`	`common_name,`
`86`	`86`	`self.key.clone(),`
`87`		`- Some(self.cert_path.clone()),`
`88`	`87`	`self.csr_path.clone(),`
`89`	`88`	`self.csr_template.clone(),`
`90`	`89`	`)`