feat: removed the depenedncy on the idevid CA cert

nqminds · Jan 23, 2024 · ee15111 · ee15111
1 parent 7568296
commit ee15111
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 8 deletions.
diff --git a/src/brski/brski.cpp b/src/brski/brski.cpp
@@ -368,8 +368,7 @@ int main(int argc, char *argv[]) {
     }
 
     case CommandId::COMMAND_START_REGISTRAR:
-      if (registrar_start(&config.rconf, &config.mconf, &config.pconf,
-                          &rcontext) < 0) {
+      if (registrar_start(&config.rconf, &config.mconf, &rcontext) < 0) {
         log_error("https_start fail");
         return EXIT_FAILURE;
       }

diff --git a/src/brski/http/httplib.h b/src/brski/http/httplib.h
@@ -8872,6 +8872,13 @@ static SSLInit sslinit_;
 
 } // namespace detail
 
+// Accepty the client certificate as it is, vrefication not needed
+int SSL_verify_fn(int preverify_ok, X509_STORE_CTX *x509_ctx) {
+  (void) preverify_ok;
+  (void) x509_ctx;
+  return 1;
+}
+
 // SSL HTTP server implementation
 inline SSLServer::SSLServer(const char *cert_path, const char *private_key_path,
                             const char *client_ca_cert_file_path,
@@ -8905,6 +8912,10 @@ inline SSLServer::SSLServer(const char *cert_path, const char *private_key_path,
       SSL_CTX_set_verify(
           ctx_, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
     }
+
+    if (client_ca_cert_file_path == nullptr && client_ca_cert_dir_path == nullptr) {
+      SSL_CTX_set_verify(ctx_, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSL_verify_fn);
+    }
   }
 }
 

diff --git a/src/brski/registrar/registrar_api.cpp b/src/brski/registrar/registrar_api.cpp
@@ -99,7 +99,7 @@ int registrar_requestvoucher(const RequestHeader &request_header,
   char *serial_number = NULL;
   const char *cms_str = request_body.c_str();
 
-  log_trace("registrar_requestvoucher:");
+  log_trace("registrar_requestvoucher: %p", peer_certificate);
   response_header["Content-Type"] = "application/voucher-cms+json";
 
   struct CrypoCertMeta : public crypto_cert_meta {

diff --git a/src/brski/registrar/registrar_server.cpp b/src/brski/registrar/registrar_server.cpp
@@ -44,7 +44,6 @@ void setup_registrar_routes(std::vector<struct RouteTuple> &routes) {
 }
 
 int registrar_start(struct registrar_config *rconf, struct masa_config *mconf,
-                    struct pledge_config *pconf,
                     struct RegistrarContext **context) {
   std::vector<struct RouteTuple> routes;
 
@@ -64,8 +63,7 @@ int registrar_start(struct registrar_config *rconf, struct masa_config *mconf,
                               .port = rconf->port,
                               .tls_cert_path = rconf->tls_cert_path,
                               .tls_key_path = rconf->tls_key_path,
-                              .client_ca_cert_path =
-                                  pconf->idevid_ca_cert_path};
+                              .client_ca_cert_path = nullptr};
 
   return https_start(&hconf, routes, static_cast<void *>(*context),
                      &(*context)->srv_ctx);

diff --git a/src/brski/registrar/registrar_server.hpp b/src/brski/registrar/registrar_server.hpp
@@ -19,12 +19,10 @@
  *
  * @param[in] rconf The registrar config
  * @param[in] mconf The masa config
- * @param[in] pconf The pledge config
  * @param[out] context The registrar context
  * @return int 0 on success, -1 on failure
  */
 int registrar_start(struct registrar_config *rconf, struct masa_config *mconf,
-                    struct pledge_config *pconf,
                     struct RegistrarContext **context);
 
 /**