Merge pull request #40 from nqminds/feat/ldevdid

Feat/ldevdid

src/brski/config.c

@@ -95,11 +95,6 @@ void free_masa_config_content(struct masa_config *mconf) {
       mconf->ldevid_ca_cert_path = NULL;
     }
 
-    if (mconf->ldevid_ca_key_path != NULL) {
-      sys_free(mconf->ldevid_ca_key_path);
-      mconf->ldevid_ca_key_path = NULL;
-    }
-
     if (mconf->tls_key_path != NULL) {
       sys_free(mconf->tls_key_path);
       mconf->tls_key_path = NULL;
@@ -191,20 +186,6 @@ int load_masa_config(const char *filename, struct masa_config *const mconf) {
     return -1;
   }
 
-  ini_gets("masa", "ldevidCAKeyPath", "", value, MAX_CONFIG_VALUE_SIZE,
-           filename);
-  mconf->ldevid_ca_key_path = value;
-  if (!strlen(mconf->ldevid_ca_key_path)) {
-    mconf->ldevid_ca_key_path = NULL;
-    sys_free(value);
-  }
-
-  if ((value = sys_zalloc(MAX_CONFIG_VALUE_SIZE)) == NULL) {
-    log_errno("sys_zalloc");
-    free_masa_config_content(mconf);
-    return -1;
-  }
-
   ini_gets("masa", "tlsCertPath", "", value, MAX_CONFIG_VALUE_SIZE, filename);
   mconf->tls_cert_path = value;
   if (!strlen(mconf->tls_cert_path)) {
@@ -307,6 +288,11 @@ void free_registrar_config_content(struct registrar_config *rconf) {
       rconf->tls_key_path = NULL;
     }
 
+    if (rconf->tls_ca_key_path != NULL) {
+      sys_free(rconf->tls_ca_key_path);
+      rconf->tls_ca_key_path = NULL;
+    }
+
     if (rconf->tls_ca_cert_path != NULL) {
       sys_free(rconf->tls_ca_cert_path);
       rconf->tls_ca_cert_path = NULL;
@@ -385,6 +371,20 @@ int load_registrar_config(const char *filename,
     return -1;
   }
 
+  ini_gets("registrar", "tlsCAKeyPath", "", value, MAX_CONFIG_VALUE_SIZE,
+           filename);
+  rconf->tls_ca_key_path = value;
+  if (!strlen(rconf->tls_ca_key_path)) {
+    rconf->tls_ca_key_path = NULL;
+    sys_free(value);
+  }
+
+  if ((value = sys_zalloc(MAX_CONFIG_VALUE_SIZE)) == NULL) {
+    log_errno("sys_zalloc");
+    free_registrar_config_content(rconf);
+    return -1;
+  }
+
   ini_gets("registrar", "tlsCACertPath", "", value, MAX_CONFIG_VALUE_SIZE,
            filename);
   rconf->tls_ca_cert_path = value;

src/brski/config.ini.in

@@ -19,6 +19,7 @@ bindAddress = "0.0.0.0"
 port = 12345
 tlsKeyPath = ""
 tlsCertPath = ""
+tlsCAKeyPath = ""
 tlsCACertPath = ""
 cmsSignKeyPath = ""
 cmsSignCertPath = ""
@@ -29,9 +30,7 @@ cmsVerifyStorePath = ""
 [masa]
 bindAddress = "0.0.0.0"
 expiresOn = ""
-expiresOn = ""
 port = 12346
-ldevidCAKeyPath = ""
 ldevidCACertPath = ""
 tlsKeyPath = ""
 tlsCertPath = ""

src/brski/dev-config.ini.in

@@ -19,6 +19,7 @@ bindAddress = "0.0.0.0"
 port = 12345
 tlsKeyPath = ""
 tlsCertPath = ""
+tlsCAKeyPath = ""
 tlsCACertPath = ""
 cmsSignKeyPath = ""
 cmsSignCertPath = ""
@@ -30,7 +31,6 @@ cmsVerifyStorePath = ""
 bindAddress = "0.0.0.0"
 expiresOn = ""
 port = 12346
-ldevidCAKeyPath = ""
 ldevidCACertPath = ""
 tlsKeyPath = ""
 tlsCertPath = ""

src/brski/masa/masa_api.cpp

@@ -29,11 +29,6 @@ int voucher_req_cb(const char *serial_number,
                    void *user_ctx, struct BinaryArray *pinned_domain_cert) {
   struct MasaContext *context = static_cast<struct MasaContext *>(user_ctx);
 
-  if (context->ldevid_ca_key == NULL) {
-    log_error("ldevid_ca_key is NULL");
-    return -1;
-  }
-
   if (context->ldevid_ca_cert == NULL) {
     log_error("ldevid_ca_cert is NULL");
     return -1;
@@ -102,12 +97,6 @@ int masa_requestvoucher(const RequestHeader &request_header,
     goto masa_requestvoucher_fail;
   }
 
-  if ((context->ldevid_ca_key = file_to_keybuf(mconf->ldevid_ca_key_path)) ==
-      NULL) {
-    log_error("file_to_keybuf fail");
-    goto masa_requestvoucher_fail;
-  }
-
   if ((masa_sign_cert = file_to_x509buf(mconf->cms_sign_cert_path)) == NULL) {
     log_error("file_to_x509buf fail");
     goto masa_requestvoucher_fail;
@@ -168,7 +157,6 @@ int masa_requestvoucher(const RequestHeader &request_header,
 
   sys_free(base64);
   free_binary_array(context->ldevid_ca_cert);
-  free_binary_array(context->ldevid_ca_key);
   free_binary_array(masa_sign_key);
   free_binary_array(masa_sign_cert);
   free_array_list(registrar_verify_certs);
@@ -182,7 +170,6 @@ int masa_requestvoucher(const RequestHeader &request_header,
 
 masa_requestvoucher_fail:
   free_binary_array(context->ldevid_ca_cert);
-  free_binary_array(context->ldevid_ca_key);
   free_binary_array(masa_sign_cert);
   free_binary_array(masa_sign_key);
   free_array_list(registrar_verify_certs);
@@ -338,73 +325,3 @@ int get_est_csrattrs(const RequestHeader &request_header,
   response_header["Content-Type"] = "text/plain";
   return 503;
 }
-
-int masa_signcert(const RequestHeader &request_header,
-                  const std::string &request_body, CRYPTO_CERT peer_certificate,
-                  ResponseHeader &response_header, std::string &response,
-                  void *user_ctx) {
-  struct MasaContext *context = static_cast<struct MasaContext *>(user_ctx);
-  struct registrar_config *rconf = context->rconf;
-  struct masa_config *mconf = context->mconf;
-
-  struct BinaryArray cert_to_sign = {};
-  struct BinaryArray *ldevid_ca_cert = NULL;
-  struct BinaryArray *ldevid_ca_key = NULL;
-  ssize_t length;
-
-  char *cert_str = (char *)request_body.c_str();
-
-  response_header["Content-Type"] = "text/plain";
-
-  log_trace("masa_signcert:");
-
-  if ((length = serialize_base64str2array((const uint8_t *)cert_str,
-                                          strlen(cert_str),
-                                          &cert_to_sign.array)) < 0) {
-    log_errno("serialize_base64str2array fail");
-    goto masa_signcert_err;
-  }
-  cert_to_sign.length = length;
-
-  /* Here check the registrar */
-
-  if ((ldevid_ca_cert = file_to_x509buf(mconf->ldevid_ca_cert_path)) == NULL) {
-    log_error("file_to_x509buf fail");
-    goto masa_signcert_err;
-  }
-
-  if ((ldevid_ca_key = file_to_keybuf(mconf->ldevid_ca_key_path)) == NULL) {
-    log_error("file_to_keybuf fail");
-    goto masa_signcert_err;
-  }
-
-  length = crypto_sign_cert(ldevid_ca_key->array, ldevid_ca_key->length,
-                            ldevid_ca_cert->array, ldevid_ca_cert->length,
-                            cert_to_sign.length, &cert_to_sign.array);
-  if (length < 0) {
-    log_error("file_to_x509buf fail");
-    goto masa_signcert_err;
-  }
-  cert_to_sign.length = length;
-  cert_str = NULL;
-
-  if (serialize_array2base64str(cert_to_sign.array, cert_to_sign.length,
-                                (uint8_t **)&cert_str) < 0) {
-    log_error("serialize_array2base64str fail");
-    goto masa_signcert_err;
-  }
-
-  response.assign((char *)cert_str);
-
-  sys_free(cert_str);
-  free_binary_array_content(&cert_to_sign);
-  free_binary_array(ldevid_ca_cert);
-  free_binary_array(ldevid_ca_key);
-  return 200;
-
-masa_signcert_err:
-  free_binary_array_content(&cert_to_sign);
-  free_binary_array(ldevid_ca_cert);
-  free_binary_array(ldevid_ca_key);
-  return 400;
-}

src/brski/masa/masa_api.hpp

@@ -21,9 +21,6 @@
 #define PATH_BRSKI_REQUESTAUDITLOG BRSKI_PREFIX_PATH "/requestauditlog"
 #define PATH_BRSKI_ENROLLSTATUS BRSKI_PREFIX_PATH "/enrollstatus"
 
-/* Not part of the standard */
-#define PATH_BRSKI_SIGNCERT BRSKI_PREFIX_PATH "/signcert"
-
 #define EST_PREFIX_PATH "/.well-known/est"
 #define PATH_EST_CACERTS EST_PREFIX_PATH "/cacerts"
 #define PATH_EST_SIMPLEENROLL EST_PREFIX_PATH "/simpleenroll"
@@ -76,21 +73,6 @@ int masa_enrollstatus(const RequestHeader &request_header,
                       ResponseHeader &response_header, std::string &response,
                       void *context);
 
-/**
- * @brief RMASA sign certificate
- * Not part of the specification.
- *
- * @return The HTTP status code.
- * @retval 200 OK.
- * @retval 400 Bad Request (malformed request).
- * @retval 500 Internal Server Error.
- * @retval 502 Bad Gateway
- */
-int masa_signcert(const RequestHeader &request_header,
-                  const std::string &request_body, CRYPTO_CERT peer_certificate,
-                  ResponseHeader &response_header, std::string &response,
-                  void *context);
-
 /**
  * @brief EST CA certs handler
  *

src/brski/masa/masa_config.h

@@ -18,7 +18,6 @@ struct masa_config {
   char *expires_on;
   unsigned int port;
   char *ldevid_ca_cert_path;
-  char *ldevid_ca_key_path;
   char *tls_cert_path;
   char *tls_key_path;
   char *tls_ca_cert_path;
@@ -33,7 +32,6 @@ struct MasaContext {
   struct registrar_config *rconf;
   struct masa_config *mconf;
   struct BinaryArray *ldevid_ca_cert;
-  struct BinaryArray *ldevid_ca_key;
   void *srv_ctx;
 };
 

src/brski/masa/masa_server.cpp

@@ -38,10 +38,6 @@ void setup_masa_routes(std::vector<struct RouteTuple> &routes) {
                     .method = HTTP_METHOD_POST,
                     .handle = masa_enrollstatus});
 
-  routes.push_back({.path = std::string(PATH_BRSKI_SIGNCERT),
-                    .method = HTTP_METHOD_POST,
-                    .handle = masa_signcert});
-
   routes.push_back({.path = std::string(PATH_EST_CACERTS),
                     .method = HTTP_METHOD_GET,
                     .handle = get_est_cacerts});

src/brski/pledge/pledge_request.cpp

@@ -258,7 +258,7 @@ int post_sign_cert(struct pledge_config *pconf, struct registrar_config *rconf,
   struct BinaryArray pinned_domain_cert = {};
   int status;
   char *pki_str = NULL;
-  std::string path = PATH_BRSKI_SIGNCERT;
+  std::string path = PATH_EST_SIMPLEENROLL;
   std::string content_type = "application/voucher-cms+json";
   std::string registrar_ca_cert;
   ssize_t length;

src/brski/registrar/registrar_api.cpp

@@ -304,45 +304,74 @@ int registrar_enrollstatus(const RequestHeader &request_header,
   return 200;
 }
 
-int registrar_signcert(const RequestHeader &request_header,
-                       const std::string &request_body,
-                       CRYPTO_CERT peer_certificate,
-                       ResponseHeader &response_header, std::string &response,
-                       void *user_ctx) {
+int registrar_est_simpleenroll(const RequestHeader &request_header,
+                               const std::string &request_body,
+                               CRYPTO_CERT peer_certificate,
+                               ResponseHeader &response_header,
+                               std::string &response, void *user_ctx) {
   struct RegistrarContext *context =
       static_cast<struct RegistrarContext *>(user_ctx);
   struct registrar_config *rconf = context->rconf;
   struct masa_config *mconf = context->mconf;
 
-  log_trace("registrar_signcert:");
+  struct BinaryArray cert_to_sign = {};
+  struct BinaryArray *tls_ca_key = NULL;
+  struct BinaryArray *tls_ca_cert = NULL;
+  ssize_t length;
 
-  std::string path = PATH_BRSKI_SIGNCERT;
-  std::string content_type = "text/plain";
-  std::string body = request_body;
+  log_trace("registrar_est_simpleenroll:");
 
-  log_info("Request sign cert from MASA %s", path.c_str());
+  char *cert_str = (char *)request_body.c_str();
 
-  struct HttpResponse http_res;
-  int status = https_post_request(rconf->tls_key_path, rconf->tls_cert_path,
-                                  mconf->bind_address, mconf->port, path, false,
-                                  body, content_type, http_res);
+  response_header["Content-Type"] = "text/plain";
 
-  if (status < 0) {
-    log_error("https_post_request fail");
-    return 400;
+  if ((length = serialize_base64str2array((const uint8_t *)cert_str,
+                                          strlen(cert_str),
+                                          &cert_to_sign.array)) < 0) {
+    log_errno("serialize_base64str2array fail");
+    goto registrar_signcert_err;
   }
+  cert_to_sign.length = length;
 
-  if (status >= 400) {
-    log_error("https_post_request failed with HTTP code %d and "
-              "response: '%s'",
-              status, http_res.response.c_str());
-    crypto_free_certcontext(http_res.peer_certificate);
-    return 400;
+  /* Here check the idevid */
+
+  if ((tls_ca_cert = file_to_x509buf(rconf->tls_ca_cert_path)) == NULL) {
+    log_error("file_to_x509buf fail");
+    goto registrar_signcert_err;
   }
 
-  crypto_free_certcontext(http_res.peer_certificate);
-  response = http_res.response;
+  if ((tls_ca_key = file_to_keybuf(rconf->tls_ca_key_path)) == NULL) {
+    log_error("file_to_keybuf fail");
+    goto registrar_signcert_err;
+  }
+
+  length = crypto_sign_cert(tls_ca_key->array, tls_ca_key->length,
+                            tls_ca_cert->array, tls_ca_cert->length,
+                            cert_to_sign.length, &cert_to_sign.array);
+  if (length < 0) {
+    log_error("file_to_x509buf fail");
+    goto registrar_signcert_err;
+  }
+  cert_to_sign.length = length;
+  cert_str = NULL;
 
-  response_header["Content-Type"] = content_type;
+  if (serialize_array2base64str(cert_to_sign.array, cert_to_sign.length,
+                                (uint8_t **)&cert_str) < 0) {
+    log_error("serialize_array2base64str fail");
+    goto registrar_signcert_err;
+  }
+
+  response.assign((char *)cert_str);
+
+  sys_free(cert_str);
+  free_binary_array_content(&cert_to_sign);
+  free_binary_array(tls_ca_cert);
+  free_binary_array(tls_ca_key);
   return 200;
+
+registrar_signcert_err:
+  free_binary_array_content(&cert_to_sign);
+  free_binary_array(tls_ca_cert);
+  free_binary_array(tls_ca_key);
+  return 400;
 }

src/brski/registrar/registrar_api.hpp

@@ -76,9 +76,9 @@ int registrar_enrollstatus(const RequestHeader &request_header,
  * @retval 500 Internal Server Error.
  * @retval 502 Bad Gateway
  */
-int registrar_signcert(const RequestHeader &request_header,
-                       const std::string &request_body,
-                       CRYPTO_CERT peer_certificate,
-                       ResponseHeader &response_header, std::string &response,
-                       void *context);
+int registrar_est_simpleenroll(const RequestHeader &request_header,
+                               const std::string &request_body,
+                               CRYPTO_CERT peer_certificate,
+                               ResponseHeader &response_header,
+                               std::string &response, void *context);
 #endif