Direct connection to c8y authorizing using HSM

Signed-off-by: Marcel Guzik <marcel.guzik@cumulocity.com>
thin-edge · Jan 28, 2025 · 649a5f7 · 649a5f7
1 parent 09a9edb
commit 649a5f7
Show file tree

Hide file tree

Showing 8 changed files with 665 additions and 83 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -72,6 +72,7 @@ upload = { path = "crates/common/upload" }
 
 anstyle = "1.0"
 anyhow = "1.0"
+asn1-rs = { version = "0.7.0", features = ["bigint"] }
 assert-json-diff = "2.0"
 assert_cmd = "2.0"
 assert_matches = "1.5"
@@ -97,6 +98,7 @@ clap = { version = "4.5", features = [
     "unstable-styles",
 ] }
 clap_complete = { version = "4.5", features = ["unstable-dynamic"] }
+cryptoki = "0.8.0"
 csv = "1.1"
 darling = "0.20"
 doku = "0.21"

diff --git a/crates/common/certificate/Cargo.toml b/crates/common/certificate/Cargo.toml
@@ -15,7 +15,10 @@ reqwest = ["dep:reqwest"]
 
 [dependencies]
 anyhow = { workspace = true }
+asn1-rs = { workspace = true }
+base64 = "0.22"
 camino = { workspace = true }
+cryptoki = { workspace = true }
 rcgen = { workspace = true }
 reqwest = { workspace = true, optional = true }
 
@@ -37,7 +40,6 @@ zeroize = { workspace = true }
 
 [dev-dependencies]
 assert_matches = { workspace = true }
-base64 = { workspace = true }
 tempfile = { workspace = true }
 time = { workspace = true, features = ["macros"] }
 

diff --git a/crates/common/certificate/src/rustls022/parse_root_certificate.rs b/crates/common/certificate/src/rustls022/parse_root_certificate.rs
@@ -9,9 +9,13 @@ use std::fs;
 use std::fs::File;
 use std::io::BufReader;
 use std::path::Path;
+use std::sync::Arc;
 
 use super::CertificateError;
 
+mod pkcs11;
+use pkcs11::Pkcs11Resolver;
+
 pub fn create_tls_config(
     root_certificates: impl AsRef<Path>,
     client_private_key: impl AsRef<Path>,
@@ -26,6 +30,21 @@ pub fn create_tls_config(
         .with_client_auth_cert(cert_chain, pvt_key)?)
 }
 
+pub fn create_tls_config_piv(
+    root_certificates: impl AsRef<Path>,
+    piv_serial: Arc<str>,
+) -> Result<ClientConfig, CertificateError> {
+    let root_cert_store = new_root_store(root_certificates.as_ref())?;
+
+    let resolver = Pkcs11Resolver::from_piv_serial(&piv_serial).expect("failed to create resolver");
+
+    let config = ClientConfig::builder()
+        .with_root_certificates(root_cert_store)
+        .with_client_cert_resolver(resolver);
+
+    Ok(config)
+}
+
 pub fn client_config_for_ca_certificates<P>(
     root_certificates: impl IntoIterator<Item = P>,
 ) -> Result<ClientConfig, std::io::Error>