
Conversation

@Bravo555 Bravo555 commented Jun 26, 2025

TODO

  • handle all supported keys (EC 256/384, RSA 2048/3072/4096)
  • allow selecting token, key label, key type and size using command line arguments
  • write a test to maintain compatibility with 1.5.1
  • figure out why p11tool sometimes doesn't print curve ids of EC keys added to module documentation
  • see if we can remove added dependencies
  • generate URI for the new key so the user can replace the entire URI instead of tweaking parts
  • don't generate CSR in create-key, do it in tedge cert download
  • cleanup
  • naming?

Follow-up

  • show more information after key is created
  • test failure modes

Proposed changes

Implements a tedge cert create-key command that can be used to create a private key on a PKCS11 token without additional tools.

tedge cert create-key generates the new keypair on the PKCS11 token and prints the URI of the newly created keypair. The user then needs to put this URI as their device.key_uri setting to use the key:

New keypair was successfully created.
Key URI: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=a30ed1ca6244fc5f;token=test-token;id=%51%05%87%75%6F%B7%28%EC%5E%5D%1F%B8%EB%CF%FD%96%B7%E4%28%B6;object=my-key
Public key:
-----BEGIN PUBLIC KEY-----
BEsjmiXDdko90IDdjlAb/bWyTf6kd6S+/KPlj2Yd3zjHZe54evLyHJ1e8dSDhpy7
2Tcml9ZcHWBHA+MM0NFAbaw=
-----END PUBLIC KEY-----


Value of `device.key_uri` was updated to point to the new key

Types of changes

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Improvement (general improvements like code refactoring that doesn't explicitly fix a bug or add any new functionality)
  • Documentation Update (if none of the other choices apply)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Paste Link to the issue

#3665

Checklist

  • I have read the CONTRIBUTING doc
  • I have signed the CLA (in all commits with git commit -s. You can activate automatic signing by running just prepare-dev once)
  • I ran just format as mentioned in CODING_GUIDELINES
  • I used just check as mentioned in CODING_GUIDELINES
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Further comments

@Bravo555 Bravo555 self-assigned this Jun 26, 2025

@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from 7d44718 to c2e2aa1 Compare June 27, 2025 07:55
@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from c2e2aa1 to 993fd82 Compare June 27, 2025 17:57
@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from 993fd82 to 64f3a6b Compare June 30, 2025 17:06
@reubenmiller reubenmiller added the theme:hsm Hardware Security Module related topics label Jul 3, 2025
@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from 64f3a6b to 525651b Compare July 4, 2025 13:10
@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from 3025528 to c638b40 Compare July 10, 2025 07:52

github-actions bot commented Jul 10, 2025

Robot Results

Passed: 693   Failed: 0   Skipped: 3   Total: 693   Pass %: 100   Duration: 2h4m14.608767999s

@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from c638b40 to c3959cd Compare July 11, 2025 08:49
@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from c3959cd to e099533 Compare July 14, 2025 14:31
@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from e099533 to fef773e Compare July 14, 2025 14:36
@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from 25fe73f to 629ccbe Compare July 14, 2025 15:16
Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>
@Bravo555 Bravo555 force-pushed the feat/pkcs11-create-key branch from 799e0c1 to 1e2357f Compare September 15, 2025 21:24
@Bravo555 Bravo555 marked this pull request as ready for review September 15, 2025 21:24
Comment on lines +262 to +264
c8y
az
aws
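Review bot: the three profile variants at +262 to +264 carry no help text, so nothing tells a reader that `create-key c8y` only selects which of the `[c8y]`/`[az]`/`[aws]` tables supplies `device.key_uri` and involves no cloud interaction; add a one-line doc comment per variant saying exactly that, as the author's reply below describes.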
Contributor

I don't understand the purpose of this sub-command. To create a key, one only needs to interact with the HSM not the cloud. Am I missing something?

Member Author

Analogous to tedge cert create c8y/az/aws which changes the path of the certificate (if default settings are changed), these subcommands just read device.key_uri from under [c8y]/[az]/[aws] tables. Will add help text to make it more clear.


The command also creates a CSR at `device.csr_path`, which should be used when requesting a new certificate.

4. Change the `device.key_uri` setting to point to the new private key. This is most easily done by
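Review bot: the sentence stating that the command also writes a CSR to `device.csr_path` contradicts the PR's own TODO item "don't generate CSR in create-key, do it in tedge cert download"; whichever behaviour ships, the docs and the command must agree. Step 4 should also say whether `create-key` updates `device.key_uri` itself or whether the user has to, since the description's sample output claims the value "was updated" automatically.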
Contributor

Do we really have to set device.key_uri twice? First before creating a key and then once created?

This sounds like two independent settings conflated into one.

Options:
--config-dir <CONFIG_DIR> [env: TEDGE_CONFIG_DIR, default: /etc/tedge]
--label <LABEL>
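Review bot: `--label <LABEL>` is the only option shown without a description, while `--config-dir` documents both its env var and its default; add a doc comment saying what the label is used for (presumably the `object=` attribute of the new key, as the sample URI's `object=my-key` suggests) and what value is used when it is omitted.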
Contributor

What is this?

Comment on lines 308 to 316
Example:

```title="Previous URI"
pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=83f9cf49039c051a;token=c8y%20token;id=%02;object=azure%20keypair;type=private
```

```title="New URI"
pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=83f9cf49039c051a;token=c8y%20token;object=my-key
```
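Review bot: the Previous/New URI example never says what the reader is supposed to do with the two values. The new URI drops `id=` and `type=private` and changes `object=`, and the PR's TODO says the command prints a complete URI so the user can replace the whole value; state that explicitly ("replace the entire `device.key_uri` with the printed URI") rather than leaving the reader to work out which attributes to splice over from the old one.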
Contributor

I don't understand what I have to do here.
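To make the docs example concrete, here is an added example (not code from thin-edge.io or from this PR) that parses the two PKCS#11 URIs quoted above as RFC 7512 path attributes, percent-decodes their values, and reports what the new URI keeps from the old one (the four token attributes), what it drops (`id`, `type`) and what it changes (`object`). The parser and the attribute classification are this example's own; it assumes only the URI syntax from RFC 7512, not anything about how tedge resolves `device.key_uri`.

```rust
// Added example, not code from thin-edge.io or from this PR: parse the two
// PKCS#11 URIs quoted in the docs example (RFC 7512 path attributes with
// percent-encoded values) and report which attributes the new URI keeps,
// which it drops, and whether both still point at the same token.
use std::collections::BTreeMap;

/// Decoded attribute map: attribute name -> raw bytes of the value.
type Attrs = BTreeMap<String, Vec<u8>>;

/// The URIs from the docs example on this page (previous key, then the key
/// created by `tedge cert create-key`).
const PREVIOUS_URI: &str = "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=83f9cf49039c051a;token=c8y%20token;id=%02;object=azure%20keypair;type=private";
const NEW_URI: &str = "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=83f9cf49039c051a;token=c8y%20token;object=my-key";

/// Attributes that identify the token itself rather than an object on it.
const TOKEN_ATTRS: [&str; 4] = ["model", "manufacturer", "serial", "token"];

/// Percent-decode one attribute value (`%XX` escapes as in RFC 3986).
/// A truncated or non-hex escape is an error, not silently dropped.
fn pct_decode(s: &str) -> Result<Vec<u8>, String> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            let hex = s
                .get(i + 1..i + 3)
                .ok_or_else(|| format!("truncated escape in {:?}", s))?;
            let v = u8::from_str_radix(hex, 16)
                .map_err(|e| format!("bad escape {:?} in {:?}: {}", hex, s, e))?;
            out.push(v);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    Ok(out)
}

/// Parse `pkcs11:name=value;name=value[?query]` into decoded attributes.
/// The `?query` part (pin-value, module-path, ...) is split off and ignored
/// in this example; duplicate path attributes are rejected.
fn parse_pkcs11_uri(uri: &str) -> Result<Attrs, String> {
    let path = uri
        .strip_prefix("pkcs11:")
        .ok_or_else(|| format!("not a pkcs11: URI: {:?}", uri))?;
    let path = path.split('?').next().unwrap_or("");
    let mut attrs = Attrs::new();
    for pair in path.split(';').filter(|p| !p.is_empty()) {
        let (name, value) = pair
            .split_once('=')
            .ok_or_else(|| format!("attribute without '=': {:?}", pair))?;
        if attrs.insert(name.to_string(), pct_decode(value)?).is_some() {
            return Err(format!("duplicate attribute {:?}", name));
        }
    }
    Ok(attrs)
}

/// Attribute value as text (lossy for non-UTF-8 bytes such as a binary `id`).
fn attr_str(attrs: &Attrs, name: &str) -> Option<String> {
    attrs.get(name).map(|v| String::from_utf8_lossy(v).into_owned())
}

/// True if both URIs select the same token (all token attributes equal).
fn same_token(old: &Attrs, new: &Attrs) -> bool {
    TOKEN_ATTRS.iter().all(|k| old.get(*k) == new.get(*k))
}

/// Attributes present in the old URI that the new one no longer carries.
fn dropped_attributes(old: &Attrs, new: &Attrs) -> Vec<String> {
    old.keys().filter(|k| !new.contains_key(*k)).cloned().collect()
}

fn main() {
    let old = parse_pkcs11_uri(PREVIOUS_URI).expect("previous URI parses");
    let new = parse_pkcs11_uri(NEW_URI).expect("new URI parses");
    println!("same token:         {}", same_token(&old, &new));
    println!("dropped attributes: {:?}", dropped_attributes(&old, &new));
    println!("old object: {:?}, old id bytes: {:?}", attr_str(&old, "object"), old.get("id"));
    println!("new object: {:?}, new id bytes: {:?}", attr_str(&new, "object"), new.get("id"));
}
```

Running it shows that the new URI still selects the same token (`model`, `manufacturer`, `serial`, `token` are identical), that `id=%02` in the old URI was a one-byte CKA_ID the new URI no longer uses, and that the new key is addressed by its `object=` label alone. One caveat worth keeping in mind when `type=private` is dropped: an RFC 7512 URI without `type` can match every object carrying that label, such as both halves of a keypair, so whether the shorter form is unambiguous depends on how the consumer of `device.key_uri` resolves it.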

Comment on lines -110 to -121
Execute Command systemctl stop tedge-p11-server tedge-p11-server.socket
Command Should Fail With
... tedge cert renew c8y
... error=Failed to connect to tedge-p11-server UNIX socket at '/run/tedge-p11-server/tedge-p11-server.sock'

Execute Command systemctl start tedge-p11-server.socket

Execute Command cmd=tedge config set c8y.device.key_uri pkcs11:object=nonexistent_key
Command Should Fail With
... tedge cert renew c8y
... error=PKCS #11 service failed: Failed to find a key
Execute Command cmd=tedge config unset c8y.device.key_uri
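Review bot: the removed assertions cover the two failure modes a user of the new command is just as likely to hit (tedge-p11-server socket down, `key_uri` pointing at an object that does not exist), and the PR's follow-up list still has "test failure modes" open; if the expected error strings changed, update the `Command Should Fail With` messages instead of deleting the checks, and consider running the same two cases against `tedge cert create-key c8y` as well.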
Contributor

Why have these checks been removed? They still sound meaningful.

Comment on lines 89 to 90
eprintln!("Insert this as a new value of device.key_uri:");
eprintln!("{}", key.uri);
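Review bot: the message printed here ("Insert this as a new value of device.key_uri") tells the user to edit the configuration by hand, while the sample output in the PR description ends with "Value of `device.key_uri` was updated to point to the new key"; one of the two is stale and should be aligned with the other. Separately, the URI is the command's primary result, so it belongs on stdout via `println!` rather than `eprintln!`; as written, a script that wants to capture the URI has to read stderr.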
Contributor

Is there a reason not to set device.key_uri on behalf of the user?

Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>
Labels
theme:hsm Hardware Security Module related topics
Development

Successfully merging this pull request may close these issues.

tedge cert create should support creating a key via the tedge-p11-server
3 participants