Pass the key ID to ic-admin (and therefore to pkcs11-tool) as an inte…

…ger. (#1112)

Cargo.Bazel.lock

@@ -1,5 +1,5 @@
 {
-  "checksum": "1dd74cd583c623172e2fd7871212a0fcdd087546bfb876e666e7523fb3fd2523",
+  "checksum": "b0ec2b8c25823c3cf45f0fc88d6e89efed82effa3649f89645909fb47a732ecb",
   "crates": {
     "actix-codec 0.5.2": {
       "name": "actix-codec",
@@ -15263,6 +15263,10 @@
               "id": "backoff 0.4.0",
               "target": "backoff"
             },
+            {
+              "id": "byteorder 1.5.0",
+              "target": "byteorder"
+            },
             {
               "id": "candid 0.10.10",
               "target": "candid"

rs/cli/src/auth.rs

@@ -3,7 +3,7 @@ use std::path::PathBuf;
 use anyhow::anyhow;
 use dialoguer::{console::Term, theme::ColorfulTheme, Password, Select};
 use ic_canisters::governance::GovernanceCanisterWrapper;
-use ic_canisters::parallel_hardware_identity::{hsm_key_id_to_string, KeyIdVec, ParallelHardwareIdentity};
+use ic_canisters::parallel_hardware_identity::{hsm_key_id_to_int, KeyIdVec, ParallelHardwareIdentity};
 use ic_canisters::IcAgentCanisterClient;
 use ic_icrc1_test_utils::KeyPairGenerator;
 use ic_management_types::Network;
@@ -183,7 +183,7 @@ impl Auth {
                 "--slot".to_string(),
                 identity.slot.to_string(),
                 "--key-id".to_string(),
-                hsm_key_id_to_string(&identity.key_id),
+                hsm_key_id_to_int(&identity.key_id),
             ],
             Auth::Keyfile { path } => vec!["--secret-key-pem".to_string(), path.to_string_lossy().to_string()],
             Auth::Anonymous => vec![],

rs/ic-canisters/Cargo.toml

@@ -9,6 +9,7 @@ license.workspace = true
 
 [dependencies]
 anyhow = { workspace = true }
+byteorder = "1.5.0"
 backoff = { workspace = true }
 candid = { workspace = true }
 hex = { workspace = true }

rs/ic-canisters/src/parallel_hardware_identity.rs

@@ -1,5 +1,4 @@
-use ic_agent::{agent::EnvelopeContent, export::Principal, identity::Delegation, Identity, Signature};
-
+use byteorder::{BigEndian, ReadBytesExt};
 use cryptoki::{
     context::{CInitializeArgs, Pkcs11 as CryptokiPkcs11},
     error::{Error as CryptokiError, RvError},
@@ -8,6 +7,7 @@ use cryptoki::{
     session::UserType,
     slot::{Slot, SlotInfo, TokenInfo},
 };
+use ic_agent::{agent::EnvelopeContent, export::Principal, identity::Delegation, Identity, Signature};
 use log::error;
 use log::info;
 use log::{debug, warn};
@@ -20,6 +20,7 @@ use simple_asn1::{
     ASN1Block::{BitString, ObjectIdentifier, OctetString, Sequence},
     ASN1DecodeErr, ASN1EncodeErr,
 };
+use std::io::Cursor;
 use std::{error::Error, sync::Mutex};
 use std::{marker::PhantomData, path::Path, str::FromStr, sync::Arc};
 use thiserror::Error;
@@ -46,11 +47,21 @@ const EXPECTED_EC_PARAMS: &[u8; 10] = b"\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07
 
 // The key ID stored in the HSM is referenced by a sixteen-bit unsigned number.
 //  We represent this internally as an array of two bytes.
-// The following function produces the key ID in the format that ic-admin wants.
 pub fn hsm_key_id_to_string(s: &KeyIdVec) -> String {
     format!("0x{}", hex::encode(s))
 }
 
+// When ic-admin wants the key ID, it is usually to pass to pkcs11-tool's
+// --id argument.  That wants the key ID as an integer.
+// FIXME: there should be no need to unwrap() here.  The fix is that KeyIdVec
+// should simply be a type that contains an u16, and then we don't need to use
+// read_uint() here at all.  Will fix in a later PR.
+pub fn hsm_key_id_to_int(s: &KeyIdVec) -> String {
+    let mut rdr = Cursor::new(s);
+    let i = rdr.read_uint::<BigEndian>(s.len()).unwrap();
+    format!("{}", i)
+}
+
 /// An error happened related to a HardwareIdentity.
 #[derive(Error, Debug)]
 pub enum HardwareIdentityError {