feat: Integration with Cumulocity CA

[didier-wenzek]

Proposed changes

• Impl tedge cert download c8y
• Impl tedge cert renew c8y
• Enhance tedge config with setting for certificate validity period.
• Enhance tedge cert show to display number of days before expiration.
• Make sure the current certificate is not erased on renewal

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Improvement (general improvements like code refactoring that doesn't explicitly fix a bug or add any new functionality)
• Documentation Update (if none of the other choices apply)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Paste Link to the issue

#3248

Checklist

• I have read the CONTRIBUTING doc
• I have signed the CLA (in all commits with git commit -s)
• I ran cargo fmt as mentioned in CODING_GUIDELINES
• I used cargo clippy as mentioned in CODING_GUIDELINES
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Further comments

[codecov]

Codecov Report

Attention: Patch coverage is 25.61728% with 241 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
...tes/core/tedge/src/cli/certificate/c8y/download.rs	0.00%	81 Missing ⚠️
crates/core/tedge/src/cli/certificate/c8y/renew.rs	0.00%	53 Missing ⚠️
crates/core/tedge/src/cli/certificate/cli.rs	0.00%	42 Missing ⚠️
crates/core/tedge/src/cli/certificate/c8y/mod.rs	68.26%	30 Missing and 3 partials ⚠️
.../tedge_config/src/tedge_config_cli/tedge_config.rs	32.00%	10 Missing and 7 partials ⚠️
crates/core/tedge/src/cli/certificate/mod.rs	0.00%	9 Missing ⚠️
crates/core/tedge/src/cli/certificate/create.rs	44.44%	3 Missing and 2 partials ⚠️
crates/core/c8y_api/src/json_c8y_deserializer.rs	0.00%	1 Missing ⚠️

Additional details and impacted files

📢 Thoughts on this report? Let us know!

[didier-wenzek]

One needs to loop only when it makes senses to retry: i.e. the c8y endpoint has been reached but the device has not been registered yet.

Question: does Cumulocity return a specific HTTP status when the device is not registered?

[reubenmiller]

No I don't think any other response is returned as it would give away information.

Sorry I didn't see that this comment was from last year!

[github-actions]

Robot Results

✅ Passed	❌ Failed	⏭️ Skipped	Total	Pass %	⏱️ Duration
570	0	3	570	100	1h35m28.294394s

[didier-wenzek]

Can this be the root cause preventing c8y to accept the extracted certificate?

[reubenmiller]

After doing a deep dive into the differences in the certificates I've found exactly where the difference is coming from:

I have a working example with refactored code (using rasn/rasm-csm over the higher level cryptographic-message-syntax crate) where the thumbprint is the same as the one computed by openssl. The code can be found on my temp branch which uses a fork of the x509-certificate crate to avoid the "problem".

The problem originates from this part in the x509-certificate where it does the PEM encoding of the Der formatted value when handing the AlgorithmIdentifier and its handling of the optional parameters. The cryptographic-message-syntax crate suffers from the same problem as it uses the same x509-certificate crate.

The x509-certificate crate purposefully uses the ASN.1 NULL value when an AlgorithmIdentifier object does not have any parameters associated with it.

There is a comment in the code of x509-certificate explaining the motivation of using a ASN.1 NULL tag for (despite the ASN.1 spec clearly stating that the AlgorithmIdentifier parameter object is OPTIONAL).

fn encoded_values(&self, mode: Mode) -> impl Values + '_ {
    // parameters is strictly OPTIONAL, which means we can omit it completely.
    // However, it is common to see this field encoded as NULL and some
    // parsers seem to insist the NULL be there or else they refuse to
    // parse the ASN.1. So we ensure this field is always set.
    let captured = if let Some(params) = self.parameters.as_ref() {
        params.clone()
    } else {
        AlgorithmParameter(Captured::from_values(mode, ().encode_as(Tag::NULL)))
    };

    encode::sequence((self.algorithm.clone().encode(), captured))
}

Other libraries like openssl, and golang x509 libraries do not use ASN.1 NULL values if the AlgorithmIdentifier Parameters are empty, so this results in the PEM encoded x509 certificates having a different thumbprint when compared to the any Rust code which uses the 509-certificate crate.

Whilst this may not be a bug as the certificate should still be functionally equal, the difference in
thumbprints can give the impression that the cert is functionality different, and maybe this is causing the connection problem to Cumulocity (like you said), but I haven't verified this just yet.

[reubenmiller]

And I've found an easier solution for encoding the x509 cert from DER into the PEM format by using the existing dependency to the pem crate. Now no custom forks are needed and it adds very little crate dependencies (in comparison with the x509-certificate and cryptographic-message-syntax crates.