feat: Key selection using PKCS #11 URI

[Bravo555]

TODO

• PKCS11 URI scheme parsing
• selection of token by serial number and label and private key by label
• select private key by id (need to handle percent encoding correctly)
• tests
• require warn a user to provide a URI that uniquely identifies key to use if there are multiple tokens/keys and URI is either not provided or not sufficiently precise (feat: Key selection using PKCS #11 URI #3555 (comment))

Follow-up

• warn user if used URI points to an object that is not a private key but the private key exists in the token
• code cleanup

Proposed changes

Allows the user to denote private key that will be used by tedge-p11-server for signing by a new optional --uri parameter.

The PKCS #⁠11 URI is explained in RFC 7512. It can be used to identify any cryptoki resource by its properties. In our case it's used to select a key, but the URI given by the user doesn't have to identify a key, but can identify e.g a token which we can select and find its first if the token contains only one private key, use that key.

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Improvement (general improvements like code refactoring that doesn't explicitly fix a bug or add any new functionality)
• Documentation Update (if none of the other choices apply)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Paste Link to the issue

• allow users to specify which pkcs11 private key to use by setting a uri #3538

Checklist

• I have read the CONTRIBUTING doc
• I have signed the CLA (in all commits with git commit -s. You can activate automatic signing by running just prepare-dev once)
• I ran just format as mentioned in CODING_GUIDELINES
• I used just check as mentioned in CODING_GUIDELINES
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Further comments

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 86 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
crates/extensions/tedge-p11-server/src/pkcs11.rs	0.00%	74 Missing ⚠️
crates/extensions/tedge-p11-server/src/signer.rs	0.00%	6 Missing ⚠️
crates/extensions/tedge-p11-server/src/service.rs	0.00%	5 Missing ⚠️
crates/extensions/tedge-p11-server/src/main.rs	0.00%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

Robot Results

✅ Passed	❌ Failed	⏭️ Skipped	Total	Pass %	⏱️ Duration
616	0	3	616	100	1h47m33.714582999s

[didier-wenzek]

I will be happy to approve. There are small points still to address though.

[didier-wenzek]

I don't get the point of these fake tokens. The tests pass without those.

[Bravo555]

removed in a8a732e.

This is a leftover I forgot to remove from the previous approach which I abandoned because it was bad. Currently when there are many keys, we just use the first one returned to us by the PKCS#11 implementation. The idea was to create many new tokens, such that one of them would be picked up as "first" and used and later return an error because it does not contain a key.

But relying on an arbitrary implementation-specific order is bad. In situations where there are many tokens/keys to be used and we can't automatically select a good one, we should fail right there and require a user to provide a URI that uniquely identifies a key to be used.

So the test was changed to explicitly point to a token without the key and then to a token with the correct key. As for actually returning an error where a key cannot be uniquely identified, it will be implemented in the next commit.

EDIT: On a today's daily call it was deemed that a warning will be sufficient.

[Bravo555]

warning implemented in 7aa3921

[didier-wenzek]

Approved

Edited. A system test was failing for a silly error. Fixed: 4141e33