Merge branch 'main' into feat/crypto-allow-setting-absolute-not_after

CHANGELOG.md

@@ -18,7 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   It can be set to `"99991231235959Z"` for a
   [long-lived pledge certificate][rfc8995#2.6.2].
 
-[rfc8995#2.6.2]: https://www.rfc-editor.org/rfc/rfc8995.html#name-infinite-lifetime-of-idevid
+* add `init_binary_array()`, which initializes a new empty `struct BinaryArray`.
 
 #### Build
 

src/brski/brski.cpp

@@ -44,7 +44,8 @@ const std::array<struct command_config, 4> command_list = {{
     {"epvr", CommandId::COMMAND_EXPORT_PVR,
      "\tepvr\t\tExport the pledge voucher request as base64 CMS file"},
     {"preq", CommandId::COMMAND_PLEDGE_REQUEST,
-     "\tpreq\t\tSend a pledge-voucher request to the registrar"},
+     "\tpreq\t\tSend a pledge-voucher request to the registrar and\n"
+     "\t\t\t return the pinned-domain-cert."},
     {"registrar", CommandId::COMMAND_START_REGISTRAR,
      "\tregistrar\tStarts the registrar"},
     {"masa", CommandId::COMMAND_START_MASA, "\tmasa\t\tStarts the MASA"},
@@ -217,7 +218,6 @@ int main(int argc, char *argv[]) {
 
   struct RegistrarContext *rcontext = NULL;
   struct MasaContext *mcontext = NULL;
-  std::string response;
   switch (command_id) {
     case CommandId::COMMAND_EXPORT_PVR:
       std::fprintf(stdout, "Exporting pledge voucher request to %s",
@@ -229,16 +229,18 @@ int main(int argc, char *argv[]) {
         return EXIT_FAILURE;
       }
       break;
-    case CommandId::COMMAND_PLEDGE_REQUEST:
+    case CommandId::COMMAND_PLEDGE_REQUEST: {
       std::fprintf(stdout, "Pledge voucher request to %s:%d\n",
                    config.rconf.bind_address, config.rconf.port);
+      std::string response;
       if (post_voucher_pledge_request(&config.pconf, &config.rconf,
                                       &config.mconf, response) < 0) {
         std::fprintf(stderr, "post_voucher_pledge_request fail");
         return EXIT_FAILURE;
       }
       std::fprintf(stdout, "%s\n", response.c_str());
       break;
+    }
     case CommandId::COMMAND_START_REGISTRAR:
       if (registrar_start(&config.rconf, &config.mconf, &config.pconf,
                           &rcontext) < 0) {

src/brski/http/httplib_wrapper.cpp

@@ -160,9 +160,11 @@ int httplib_register_routes(httplib::SSLServer *server,
 void set_error_handler(httplib::SSLServer *server) {
   server->set_error_handler(
       [](const httplib::Request &req, httplib::Response &res) {
-        char buf[BUFSIZ];
-        snprintf(buf, sizeof(buf), HTTP_ERROR_REPLY);
-        res.set_content(buf, "text/plain");
+        if (res.body == "") {
+          res.body = HTTP_ERROR_REPLY; // set default error response
+        }
+        // according to BRSKI spec, all errors must be plain text
+        res.set_header("Content-Type", "text/plain");
       });
 }
 

src/brski/pledge/pledge_request.cpp

@@ -75,8 +75,12 @@ int post_voucher_pledge_request(struct pledge_config *pconf,
     log_error("https_post_request fail");
     return -1;
   }
-
-  log_debug("post_voucher_pledge_request status %d", status);
+  if (status >= 400) {
+    log_error("post_voucher_pledge_request failed with HTTP code %d and "
+              "response: '%s'",
+              status, response.c_str());
+    return -1;
+  }
 
   const char *masa_pledge_voucher_str = response.c_str();
   struct BinaryArray masa_pledge_voucher_cms = {};
@@ -100,9 +104,8 @@ int post_voucher_pledge_request(struct pledge_config *pconf,
   }
 
   if (pconf->nonce != NULL) {
-    if ((nonce = (struct BinaryArray *)sys_zalloc(
-             sizeof(struct BinaryArray))) == NULL) {
-      log_errno("sys_zalloc");
+    if ((nonce = init_binary_array()) == NULL) {
+      log_errno("init_binary_array");
       goto post_voucher_pledge_request_fail;
     }
     ssize_t length;

src/brski/pledge/pledge_request.h

@@ -23,7 +23,8 @@
  * @param[in] pconf The pledge configuration structure
  * @param[in] rconf The registrar configuration structure
  * @param[in] mconf The masa configuration structure
- * @param[out] response The response from the POST request
+ * @param[out] response The pinned domain certificate in DER format, encoded as
+ * base64.
  * @return int 0 on success, -1 on failure
  */
 int post_voucher_pledge_request(struct pledge_config *pconf,

src/brski/pledge/pledge_utils.c

@@ -48,9 +48,9 @@ voucher_pledge_request_to_array(const struct pledge_config *pconf,
 
   struct BinaryArray *nonce = NULL;
   if (pconf->nonce != NULL) {
-    if ((nonce = (struct BinaryArray *)sys_zalloc(
-             sizeof(struct BinaryArray))) == NULL) {
-      log_errno("sys_zalloc");
+    nonce = init_binary_array();
+    if (nonce == NULL) {
+      log_errno("init_binary_array");
       return NULL;
     }
     ssize_t length;

src/brski/registrar/registrar_api.cpp

@@ -7,6 +7,9 @@
  * SPDX-License-Identifier: MIT
  * @brief File containing the implementation of the registrar routes.
  */
+#include <functional>
+#include <memory>
+#include <new>
 #include <string>
 
 #include "../http/http.h"
@@ -80,124 +83,158 @@ int registrar_requestvoucher(const RequestHeader &request_header,
   struct registrar_config *rconf = context->rconf;
   struct masa_config *mconf = context->mconf;
 
-  struct BinaryArray pledge_voucher_request_cms = {};
-  struct BinaryArray *idevid_issuer = NULL;
-  struct BinaryArray *registrar_tls_cert = NULL;
-  struct BinaryArray *registrar_sign_cert = NULL;
-  struct BinaryArray *registrar_sign_key = NULL;
-  struct BinaryArrayList *pledge_verify_certs = NULL;
-  struct BinaryArrayList *pledge_store_certs = NULL;
-  struct BinaryArrayList *additional_registrar_certs = NULL;
-  struct BinaryArray *voucher_request_cms = NULL;
   struct tm created_on = {0};
   char *serial_number = NULL;
   const char *cms_str = request_body.c_str();
 
   log_trace("registrar_requestvoucher:");
   response_header["Content-Type"] = "application/voucher-cms+json";
 
-  struct crypto_cert_meta idev_meta = {};
-  idev_meta.issuer = init_keyvalue_list();
-  idev_meta.subject = init_keyvalue_list();
+  struct CrypoCertMeta : public crypto_cert_meta {
+    CrypoCertMeta() {
+      this->issuer = init_keyvalue_list();
+      this->subject = init_keyvalue_list();
+      if (this->issuer == nullptr || this->subject == nullptr) {
+        throw std::bad_alloc();
+      }
+    }
+    ~CrypoCertMeta() {
+      free_keyvalue_list(this->issuer);
+      free_keyvalue_list(this->subject);
+    }
+  } idev_meta;
 
   if (crypto_getcert_meta(peer_certificate, &idev_meta) < 0) {
     log_error("crypto_getcert_meta");
-    goto registrar_requestvoucher_fail;
+    return 400;
   }
 
   serial_number = get_cert_serial(&idev_meta);
 
-  if ((idevid_issuer = crypto_getcert_issuer(peer_certificate)) == NULL) {
+  auto idevid_issuer = std::unique_ptr<BinaryArray, void (*)(BinaryArray *)>{
+      crypto_getcert_issuer(peer_certificate),
+      [](BinaryArray *b) { free_binary_array(b); },
+  };
+  if (idevid_issuer == nullptr) {
     log_error("crypto_getcert_issuer fail");
-    goto registrar_requestvoucher_fail;
+    return 400;
   }
 
-  if ((pledge_voucher_request_cms.length =
+  auto pledge_voucher_request_cms =
+      std::unique_ptr<BinaryArray, void (*)(BinaryArray *)>{
+          static_cast<BinaryArray *>(std::malloc(sizeof(BinaryArray))),
+          [](BinaryArray *b) { free_binary_array(b); },
+      };
+  if ((pledge_voucher_request_cms->length =
            serialize_base64str2array((const uint8_t *)cms_str, strlen(cms_str),
-                                     &pledge_voucher_request_cms.array)) < 0) {
+                                     &pledge_voucher_request_cms->array)) < 0) {
     log_errno("serialize_base64str2array fail");
-    goto registrar_requestvoucher_fail;
+    return 400;
   }
 
   if (get_localtime(&created_on) < 0) {
     log_error("get_localtime fail");
-    goto registrar_requestvoucher_fail;
+    return 500;
   }
 
-  if ((registrar_tls_cert = file_to_x509buf(rconf->tls_cert_path)) == NULL) {
+  auto registrar_tls_cert =
+      std::unique_ptr<BinaryArray, void (*)(BinaryArray *)>{
+          file_to_x509buf(rconf->tls_cert_path),
+          [](BinaryArray *b) { free_binary_array(b); },
+      };
+  if (registrar_tls_cert == nullptr) {
     log_error("file_to_x509buf fail");
-    goto registrar_requestvoucher_fail;
+    return 500;
   }
 
-  if ((registrar_sign_cert = file_to_x509buf(rconf->cms_sign_cert_path)) ==
-      NULL) {
+  auto registrar_sign_cert =
+      std::unique_ptr<BinaryArray, void (*)(BinaryArray *)>{
+          file_to_x509buf(rconf->cms_sign_cert_path),
+          [](BinaryArray *b) { free_binary_array(b); },
+      };
+  if (registrar_sign_cert == nullptr) {
     log_error("file_to_x509buf fail");
-    goto registrar_requestvoucher_fail;
+    return 500;
   }
 
-  if ((registrar_sign_key = file_to_keybuf(rconf->cms_sign_key_path)) == NULL) {
+  auto registrar_sign_key =
+      std::unique_ptr<BinaryArray, void (*)(BinaryArray *)>{
+          file_to_keybuf(rconf->cms_sign_key_path),
+          [](BinaryArray *b) { free_binary_array(b); },
+      };
+  if (registrar_sign_key == nullptr) {
     log_error("file_to_keybuf fail");
-    goto registrar_requestvoucher_fail;
+    return 500;
   }
 
-  if (load_cert_files(rconf->cms_verify_certs_paths, &pledge_verify_certs) <
-      0) {
-    log_error("load_cert_files");
-    goto registrar_requestvoucher_fail;
+  auto pledge_verify_certs =
+      std::unique_ptr<BinaryArrayList, void (*)(BinaryArrayList *)>{
+          nullptr,
+          [](BinaryArrayList *list) { free_array_list(list); },
+      };
+  {
+    BinaryArrayList *ptr = nullptr;
+    if (load_cert_files(rconf->cms_verify_certs_paths, &ptr) < 0) {
+      log_error("load_cert_files");
+      return 500;
+    }
+    pledge_verify_certs.reset(ptr);
   }
 
-  if (load_cert_files(rconf->cms_verify_store_paths, &pledge_store_certs) < 0) {
-    log_error("load_cert_files");
-    goto registrar_requestvoucher_fail;
+  auto pledge_store_certs =
+      std::unique_ptr<BinaryArrayList, void (*)(BinaryArrayList *)>{
+          nullptr,
+          [](BinaryArrayList *list) { free_array_list(list); },
+      };
+  {
+    BinaryArrayList *ptr = nullptr;
+    if (load_cert_files(rconf->cms_verify_store_paths, &ptr) < 0) {
+      log_error("load_cert_files");
+      return 500;
+    }
+    pledge_store_certs.reset(ptr);
   }
 
-  if (load_cert_files(rconf->cms_add_certs_paths, &additional_registrar_certs) <
-      0) {
-    log_error("load_cert_files");
-    goto registrar_requestvoucher_fail;
+  auto additional_registrar_certs =
+      std::unique_ptr<BinaryArrayList, void (*)(BinaryArrayList *)>{
+          nullptr,
+          [](BinaryArrayList *list) { free_array_list(list); },
+      };
+  {
+    BinaryArrayList *ptr = nullptr;
+    if (load_cert_files(rconf->cms_add_certs_paths, &ptr) < 0) {
+      log_error("load_cert_files");
+      return 500;
+    }
+    additional_registrar_certs.reset(ptr);
   }
 
-  voucher_request_cms = sign_voucher_request(
-      &pledge_voucher_request_cms, &created_on, serial_number, idevid_issuer,
-      registrar_tls_cert, registrar_sign_cert, registrar_sign_key,
-      pledge_verify_certs, pledge_store_certs, additional_registrar_certs);
-
-  if (voucher_request_cms == NULL) {
+  auto voucher_request_cms =
+      std::unique_ptr<BinaryArray, void (*)(BinaryArray *)>{
+          sign_voucher_request(
+              pledge_voucher_request_cms.get(), &created_on, serial_number,
+              idevid_issuer.get(), registrar_tls_cert.get(),
+              registrar_sign_cert.get(), registrar_sign_key.get(),
+              pledge_verify_certs.get(), pledge_store_certs.get(),
+              additional_registrar_certs.get()),
+          [](BinaryArray *b) { free_binary_array(b); },
+      };
+
+  if (voucher_request_cms == nullptr) {
     log_error("sign_voucher_request fail");
-    goto registrar_requestvoucher_fail;
+    return 400;
   }
 
-  if (post_voucher_request(voucher_request_cms, mconf, rconf, response) < 0) {
+  if (post_voucher_request(voucher_request_cms.get(), mconf, rconf, response) <
+      0) {
     log_error("post_voucher_request fail");
-    goto registrar_requestvoucher_fail;
+    response.assign(
+        "Voucher request to the MASA server failed. Please contact the "
+        "webmaster of the registrar server if this error persists.");
+    return 502;
   }
 
-  free_binary_array(registrar_tls_cert);
-  free_binary_array(registrar_sign_cert);
-  free_binary_array(registrar_sign_key);
-  free_array_list(pledge_verify_certs);
-  free_array_list(pledge_store_certs);
-  free_array_list(additional_registrar_certs);
-  free_binary_array(voucher_request_cms);
-  free_binary_array(idevid_issuer);
-  free_keyvalue_list(idev_meta.issuer);
-  free_keyvalue_list(idev_meta.subject);
-  free_binary_array_content(&pledge_voucher_request_cms);
   return 200;
-
-registrar_requestvoucher_fail:
-  free_binary_array(registrar_tls_cert);
-  free_binary_array(registrar_sign_cert);
-  free_binary_array(registrar_sign_key);
-  free_array_list(pledge_verify_certs);
-  free_array_list(pledge_store_certs);
-  free_array_list(additional_registrar_certs);
-  free_binary_array(voucher_request_cms);
-  free_binary_array(idevid_issuer);
-  free_keyvalue_list(idev_meta.issuer);
-  free_keyvalue_list(idev_meta.subject);
-  free_binary_array_content(&pledge_voucher_request_cms);
-  return 400;
 }
 
 int registrar_voucher_status(const RequestHeader &request_header,

src/brski/registrar/registrar_api.h

@@ -18,7 +18,11 @@
 /**
  * @brief Registrar request voucher handler
  *
- * @return int 0 on success, -1 on failure
+ * @return The HTTP status code.
+ * @retval 200 OK.
+ * @retval 400 Bad Request (malformed request).
+ * @retval 500 Internal Server Error (e.g. invalid config).
+ * @retval 502 Bad Gateway (e.g. could not send requests to MASA server)
  */
 int registrar_requestvoucher(const RequestHeader &request_header,
                              const std::string &request_body,
@@ -29,7 +33,8 @@ int registrar_requestvoucher(const RequestHeader &request_header,
 /**
  * @brief Registrar voucher status handler
  *
- * @return int 0 on success, -1 on failure
+ * @return The HTTP status code.
+ * @retval 200 OK.
  */
 int registrar_voucher_status(const RequestHeader &request_header,
                              const std::string &request_body,
@@ -40,7 +45,8 @@ int registrar_voucher_status(const RequestHeader &request_header,
 /**
  * @brief Registrar request audit log handler
  *
- * @return int 0 on success, -1 on failure
+ * @return The HTTP status code.
+ * @retval 200 OK.
  */
 int registrar_requestauditlog(const RequestHeader &request_header,
                               const std::string &request_body,
@@ -51,7 +57,8 @@ int registrar_requestauditlog(const RequestHeader &request_header,
 /**
  * @brief Registrar enroll status handler
  *
- * @return int 0 on success, -1 on failure
+ * @return The HTTP status code.
+ * @retval 200 OK.
  */
 int registrar_enrollstatus(const RequestHeader &request_header,
                            const std::string &request_body,