Skip to content

fix: pkcs11 generate correct CSR signature#3737

Merged
Bravo555 merged 3 commits intothin-edge:mainfrom
Bravo555:fix/pkcs11-cert-renew-invalid-csr
Jul 22, 2025
Merged

fix: pkcs11 generate correct CSR signature#3737
Bravo555 merged 3 commits intothin-edge:mainfrom
Bravo555:fix/pkcs11-cert-renew-invalid-csr

Conversation

@Bravo555
Copy link
Copy Markdown
Member

@Bravo555 Bravo555 commented Jul 21, 2025

Proposed changes

Make the signer use a PKCS 1.5 signature when signing CSRs instead of currently used RSA-PSS.

The signature generated so far was invalid because, when generating a CSR with a private key on a PKCS11 token, and if that key was an RSA key, the signer signed the CSR using RSA-PSS signature scheme, but the SignatureAlgorithm identifier in the CSR indicated that the signature was a PKCS 1.5 signature.

This was previously unnoticed because Cumulocity did not verify CSR signature is correct when renewing, but as of time of making this fix, Cumulocity now correctly verifies the signatures.

Types of changes

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Improvement (general improvements like code refactoring that doesn't explicitly fix a bug or add any new functionality)
  • Documentation Update (if none of the other choices apply)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Paste Link to the issue


Checklist

  • I have read the CONTRIBUTING doc
  • I have signed the CLA (in all commits with git commit -s. You can activate automatic signing by running just prepare-dev once)
  • I ran just format as mentioned in CODING_GUIDELINES
  • I used just check as mentioned in CODING_GUIDELINES
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Further comments

@Bravo555
refactor: TedgeP11Client extract request submission
6dcd293 
Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>
@Bravo555 Bravo555 temporarily deployed to Test Pull Request July 21, 2025 09:01 — with GitHub Actions Inactive
@reubenmiller reubenmiller added the theme:hsm Hardware Security Module related topics label Jul 21, 2025
@codecov
Copy link
Copy Markdown

codecov bot commented Jul 21, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 24.48980% with 74 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
crates/common/certificate/src/lib.rs 0.00% 18 Missing ⚠️
...ates/extensions/tedge-p11-server/src/pkcs11/mod.rs 0.00% 18 Missing ⚠️
crates/extensions/tedge-p11-server/src/client.rs 51.61% 12 Missing and 3 partials ⚠️
crates/extensions/tedge-p11-server/src/server.rs 36.36% 14 Missing ⚠️
crates/extensions/tedge-p11-server/src/signer.rs 0.00% 8 Missing ⚠️
crates/extensions/tedge-p11-server/src/service.rs 0.00% 1 Missing ⚠️

📢 Thoughts on this report? Let us know!

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Jul 21, 2025
edited
Loading

Robot Results

✅ Passed ❌ Failed ⏭️ Skipped Total Pass % ⏱️ Duration
666 0 3 666 100 1h48m34.401882999s

@Bravo555
pkcs11: Allow selecting a signature scheme when signing
72c9b88 
Add a `sign2` function that allows the caller to select a signature
scheme to use when signing.

This was previously thought unnecessary because EC keys each only
support a single signature scheme and for RSA keys using RSA-PSS
signatures is recommended so when only using RSA-PSS each RSA key also
would have only a single signature scheme, but when generating CSRs, we
actually need to use PKCS 1.5 signatures because rcgen doesn't support
RSA-PSS yet.

Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>
@Bravo555 Bravo555 force-pushed the fix/pkcs11-cert-renew-invalid-csr branch from 3c70db2 to c6000b0 Compare July 21, 2025 09:27
@Bravo555 Bravo555 temporarily deployed to Test Pull Request July 21, 2025 09:27 — with GitHub Actions Inactive
@Bravo555 Bravo555 marked this pull request as ready for review July 21, 2025 09:27
jarhodes314
jarhodes314 reviewed Jul 21, 2025
View reviewed changes
crates/extensions/tedge-p11-server/src/pkcs11/mod.rs Outdated
rustls::SignatureScheme::ECDSA_NISTP521_SHA512 => SigScheme::EcdsaNistp521Sha512,
rustls::SignatureScheme::RSA_PSS_SHA256 => SigScheme::RsaPssSha256,
rustls::SignatureScheme::RSA_PKCS1_SHA256 => SigScheme::RsaPkcs1Sha256,
_ => todo!(),
Copy link
Copy Markdown
Contributor

@jarhodes314 jarhodes314 Jul 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we can't map all possible source values to a valid target value here, this should probably be a TryFrom

Copy link
Copy Markdown
Member Author

@Bravo555 Bravo555 Jul 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed in 08af0dc by directly using SigScheme instead of rustls::SignatureScheme and converting to SigScheme, so the partial From implementation was entirely removed

@Bravo555 Bravo555 had a problem deploying to Test Pull Request July 22, 2025 08:10 — with GitHub Actions Failure
@Bravo555 Bravo555 temporarily deployed to Test Pull Request July 22, 2025 09:04 — with GitHub Actions Inactive
@jarhodes314 jarhodes314 enabled auto-merge July 22, 2025 10:23
@jarhodes314 jarhodes314 disabled auto-merge July 22, 2025 10:23
@Bravo555
fix: pkcs11 generate correct CSR signature
3f1ef44 
Make the signer use a PKCS 1.5 signature when signing CSRs instead of
currently used RSA-PSS.

The signature generated so far was invalid because, when generating a
CSR with a private key on a PKCS11 token, and if that key was an RSA
key, the signer signed the CSR using RSA-PSS signature scheme, but the
SignatureAlgorithm identifier in the CSR indicated that the signature
was a PKCS 1.5 signature.

This was previously unnoticed because Cumulocity did not verify CSR
signature is correct when renewing, but as of time of making this fix,
Cumulocity now correctly verifies the signatures.

Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>
@Bravo555 Bravo555 force-pushed the fix/pkcs11-cert-renew-invalid-csr branch from 1c23b1a to 3f1ef44 Compare July 22, 2025 10:27
@Bravo555 Bravo555 temporarily deployed to Test Pull Request July 22, 2025 10:27 — with GitHub Actions Inactive
@Bravo555 Bravo555 enabled auto-merge July 22, 2025 10:27
@Bravo555 Bravo555 added this pull request to the merge queue Jul 22, 2025
Merged via the queue into thin-edge:main with commit 913a134 Jul 22, 2025
34 checks passed
@Bravo555 Bravo555 deleted the fix/pkcs11-cert-renew-invalid-csr branch July 22, 2025 12:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jarhodes314 jarhodes314 jarhodes314 approved these changes

@didier-wenzek didier-wenzek Awaiting requested review from didier-wenzek didier-wenzek is a code owner

@albinsuresh albinsuresh Awaiting requested review from albinsuresh albinsuresh is a code owner

@rina23q rina23q Awaiting requested review from rina23q rina23q is a code owner

Assignees

No one assigned

Labels

theme:hsm Hardware Security Module related topics

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Bravo555 @jarhodes314 @reubenmiller