tls: use der format certificate

Author: joelguittet

core/src/mender-api.c

@@ -116,44 +116,58 @@ mender_api_init(mender_api_config_t *config, mender_api_callbacks_t *callbacks)
 }
 
 mender_err_t
-mender_api_perform_authentication(char *private_key, char *public_key) {
+mender_api_perform_authentication(unsigned char *private_key, size_t private_key_length, unsigned char *public_key, size_t public_key_length) {
 
     assert(NULL != private_key);
     assert(NULL != public_key);
     mender_err_t ret;
+    char *       public_key_pem   = NULL;
     char *       payload          = NULL;
     char *       response         = NULL;
     char *       signature        = NULL;
     size_t       signature_length = 0;
     int          status           = 0;
 
+    /* Convert public key to PEM format */
+    size_t olen = 0;
+    mender_tls_pem_write_buffer(public_key, public_key_length, NULL, 0, &olen);
+    if (NULL == (public_key_pem = (char *)malloc(olen))) {
+        mender_log_error("Unable to allocate memory");
+        ret = MENDER_FAIL;
+        goto END;
+    }
+    if (MENDER_OK != (ret = mender_tls_pem_write_buffer(public_key, public_key_length, public_key_pem, olen, &olen))) {
+        mender_log_error("Unable to convert public key");
+        goto END;
+    }
+
     /* Format payload */
     if (NULL != mender_api_config.tenant_token) {
         if (NULL
             == (payload = malloc(strlen("{ \"id_data\": \"{ \\\"mac\\\": \\\"\\\"}\", \"pubkey\": \"\", \"tenant_token\": \"\" }")
-                                 + strlen(mender_api_config.mac_address) + strlen(public_key) + strlen(mender_api_config.tenant_token) + 1))) {
+                                 + strlen(mender_api_config.mac_address) + strlen(public_key_pem) + strlen(mender_api_config.tenant_token) + 1))) {
             mender_log_error("Unable to allocate memory");
             ret = MENDER_FAIL;
             goto END;
         }
         sprintf(payload,
                 "{ \"id_data\": \"{ \\\"mac\\\": \\\"%s\\\"}\", \"pubkey\": \"%s\", \"tenant_token\": \"%s\" }",
                 mender_api_config.mac_address,
-                public_key,
+                public_key_pem,
                 mender_api_config.tenant_token);
     } else {
         if (NULL
             == (payload = malloc(strlen("{ \"id_data\": \"{ \\\"mac\\\": \\\"\\\"}\", \"pubkey\": \"\" }") + strlen(mender_api_config.mac_address)
-                                 + strlen(public_key) + 1))) {
+                                 + strlen(public_key_pem) + 1))) {
             mender_log_error("Unable to allocate memory");
             ret = MENDER_FAIL;
             goto END;
         }
-        sprintf(payload, "{ \"id_data\": \"{ \\\"mac\\\": \\\"%s\\\"}\", \"pubkey\": \"%s\" }", mender_api_config.mac_address, public_key);
+        sprintf(payload, "{ \"id_data\": \"{ \\\"mac\\\": \\\"%s\\\"}\", \"pubkey\": \"%s\" }", mender_api_config.mac_address, public_key_pem);
     }
 
     /* Sign payload */
-    if (MENDER_OK != (ret = mender_tls_sign_payload(private_key, payload, &signature, &signature_length))) {
+    if (MENDER_OK != (ret = mender_tls_sign_payload(private_key, private_key_length, payload, &signature, &signature_length))) {
         mender_log_error("Unable to sign payload");
         goto END;
     }
@@ -205,6 +219,9 @@ mender_api_perform_authentication(char *private_key, char *public_key) {
     if (NULL != payload) {
         free(payload);
     }
+    if (NULL != public_key_pem) {
+        free(public_key_pem);
+    }
 
     return ret;
 }

core/src/mender-client.c

@@ -85,8 +85,10 @@ static mender_client_callbacks_t mender_client_callbacks;
 /**
  * @brief Authentication keys
  */
-static char *mender_client_private_key = NULL;
-static char *mender_client_public_key  = NULL;
+static unsigned char *mender_client_private_key        = NULL;
+static size_t         mender_client_private_key_length = 0;
+static unsigned char *mender_client_public_key         = NULL;
+static size_t         mender_client_public_key_length  = 0;
 
 /**
  * @brief OTA ID and artifact name, used to report OTA status after rebooting
@@ -319,10 +321,12 @@ mender_client_exit(void) {
         free(mender_client_private_key);
         mender_client_private_key = NULL;
     }
+    mender_client_private_key_length = 0;
     if (NULL != mender_client_public_key) {
         free(mender_client_public_key);
         mender_client_public_key = NULL;
     }
+    mender_client_public_key_length = 0;
     if (NULL != mender_client_ota_id) {
         free(mender_client_ota_id);
         mender_client_ota_id = NULL;
@@ -365,34 +369,28 @@ mender_client_task(void *arg) {
     }
 
     /* Retrieve or generate authentication keys if not allready done */
-    size_t private_key_length = 0;
-    size_t public_key_length  = 0;
-    if (MENDER_OK != mender_storage_get_authentication_keys(&mender_client_private_key, &private_key_length, &mender_client_public_key, &public_key_length)) {
+    if (MENDER_OK
+        != mender_storage_get_authentication_keys(
+            &mender_client_private_key, &mender_client_private_key_length, &mender_client_public_key, &mender_client_public_key_length)) {
 
         /* Generate authentication keys */
         mender_log_info("Generating authentication keys...");
         if (MENDER_OK
-            != mender_tls_generate_authentication_keys(&mender_client_private_key, &private_key_length, &mender_client_public_key, &public_key_length)) {
+            != mender_tls_generate_authentication_keys(
+                &mender_client_private_key, &mender_client_private_key_length, &mender_client_public_key, &mender_client_public_key_length)) {
             mender_log_error("Unable to generate authentication keys");
             goto END;
         }
 
         /* Record keys */
-        if (MENDER_OK != mender_storage_set_authentication_keys(mender_client_private_key, mender_client_public_key)) {
+        if (MENDER_OK
+            != mender_storage_set_authentication_keys(
+                mender_client_private_key, mender_client_private_key_length, mender_client_public_key, mender_client_public_key_length)) {
             mender_log_error("Unable to record authentication keys");
             goto END;
         }
     }
 
-    /* Convert public key for usage with mender HTTP API */
-    char *tmp = mender_utils_str_replace(mender_client_public_key, "\n", "\\n");
-    if (NULL == tmp) {
-        mender_log_error("Unable to convert public key");
-        goto END;
-    }
-    free(mender_client_public_key);
-    mender_client_public_key = tmp;
-
     /* Retrieve OTA ID if it is found (following an update) */
     mender_err_t ret;
     size_t       ota_id_length            = 0;
@@ -411,7 +409,9 @@ mender_client_task(void *arg) {
     while (true) {
 
         /* Perform authentication with the mender server */
-        if (MENDER_OK != mender_api_perform_authentication(mender_client_private_key, mender_client_public_key)) {
+        if (MENDER_OK
+            != mender_api_perform_authentication(
+                mender_client_private_key, mender_client_private_key_length, mender_client_public_key, mender_client_public_key_length)) {
 
             /* Invoke authentication error callback */
             if (NULL != mender_client_callbacks.authentication_failure) {

core/src/mender-utils.c

@@ -25,106 +25,9 @@
  * SOFTWARE.
  */
 
-#include <sys/types.h>
-#include <regex.h>
 #include "mender-log.h"
 #include "mender-utils.h"
 
-char *
-mender_utils_str_replace(char *input, char *search, char *replace) {
-
-    assert(NULL != input);
-    assert(NULL != search);
-    assert(NULL != replace);
-
-    regex_t    regex;
-    regmatch_t match;
-    char *     str                   = input;
-    char *     output                = NULL;
-    size_t     index                 = 0;
-    int        previous_match_finish = 0;
-
-    /* Compile expression */
-    if (0 != regcomp(&regex, search, REG_EXTENDED)) {
-        /* Unable to compile expression */
-        mender_log_error("Unable to compile expression '%s'", search);
-        return NULL;
-    }
-
-    /* Loop until all search string are replaced */
-    bool loop = true;
-    while (true == loop) {
-
-        /* Search wanted string */
-        if (0 != regexec(&regex, str, 1, &match, 0)) {
-            /* No more string to be replaced */
-            loop = false;
-        } else {
-            if (match.rm_so != -1) {
-
-                /* Beginning and ending offset of the match */
-                int current_match_start  = (int)(match.rm_so + (str - input));
-                int current_match_finish = (int)(match.rm_eo + (str - input));
-
-                /* Reallocate output memory */
-                char *tmp = (char *)realloc(output, index + (current_match_start - previous_match_finish) + 1);
-                if (NULL == tmp) {
-                    /* Unable to allocate memory */
-                    regfree(&regex);
-                    free(output);
-                    mender_log_error("Unable to allocate memory");
-                    return NULL;
-                }
-                output = tmp;
-
-                /* Copy string from previous match to the beginning of the current match */
-                memcpy(&output[index], &input[previous_match_finish], current_match_start - previous_match_finish);
-                index += (current_match_start - previous_match_finish);
-                output[index] = 0;
-
-                /* Reallocate output memory */
-                if (NULL == (tmp = (char *)realloc(output, index + strlen(replace) + 1))) {
-                    /* Unable to allocate memory */
-                    regfree(&regex);
-                    free(output);
-                    mender_log_error(NULL, "Unable to allocate memory");
-                    return NULL;
-                }
-                output = tmp;
-
-                /* Copy replace string to the output */
-                strcat(output, replace);
-                index += strlen(replace);
-
-                /* Update previous match ending value */
-                previous_match_finish = current_match_finish;
-            }
-            str += match.rm_eo;
-        }
-    }
-
-    /* Reallocate output memory */
-    char *tmp = (char *)realloc(output, index + (strlen(input) - previous_match_finish) + 1);
-    if (NULL == tmp) {
-        /* Unable to allocate memory */
-        regfree(&regex);
-        free(output);
-        mender_log_error(NULL, "Unable to allocate memory");
-        return NULL;
-    }
-    output = tmp;
-
-    /* Copy the end of the string after the latest match */
-    memcpy(&output[index], &input[previous_match_finish], strlen(input) - previous_match_finish);
-    index += (strlen(input) - previous_match_finish);
-    output[index] = 0;
-
-    /* Release regex */
-    regfree(&regex);
-
-    return output;
-}
-
 char *
 mender_utils_http_status_to_string(int status) {
 

include/mender-api.h

@@ -62,10 +62,12 @@ mender_err_t mender_api_init(mender_api_config_t *config, mender_api_callbacks_t
 /**
  * @brief Perform authentication of the device, retrieve token from mender-server used for the next requests
  * @param private_key Client private key used for authentication
+ * @param private_key_length Private key length
  * @param public_key Client public key used for authentication
+ * @param public_key_length Public key length
  * @return MENDER_OK if the function succeeds, error code otherwise
  */
-mender_err_t mender_api_perform_authentication(char *private_key, char *public_key);
+mender_err_t mender_api_perform_authentication(unsigned char *private_key, size_t private_key_length, unsigned char *public_key, size_t public_key_length);
 
 /**
  * @brief Publish inventory data of the device to the mender-server

include/mender-storage.h

@@ -38,7 +38,7 @@ mender_err_t mender_storage_init(void);
 
 /**
  * @brief Erase authentication keys
- * @return ESP_OK if the function succeeds, error code otherwise
+ * @return MENDER_OK if the function succeeds, error code otherwise
  */
 mender_err_t mender_storage_erase_authentication_keys(void);
 
@@ -50,15 +50,20 @@ mender_err_t mender_storage_erase_authentication_keys(void);
  * @param public_key_lentgh Public key length from storage, 0 if not found
  * @return MENDER_OK if the function succeeds, error code otherwise
  */
-mender_err_t mender_storage_get_authentication_keys(char **private_key, size_t *private_key_length, char **public_key, size_t *public_key_length);
+mender_err_t mender_storage_get_authentication_keys(unsigned char **private_key,
+                                                    size_t *        private_key_length,
+                                                    unsigned char **public_key,
+                                                    size_t *        public_key_length);
 
 /**
  * @brief Set authentication keys
  * @param private_key Private key to store
+ * @param private_key_lentgh Private key length
  * @param public_key Public key to store
+ * @param public_key_lentgh Public key length
  * @return MENDER_OK if the function succeeds, error code otherwise
  */
-mender_err_t mender_storage_set_authentication_keys(char *private_key, char *public_key);
+mender_err_t mender_storage_set_authentication_keys(unsigned char *private_key, size_t private_key_length, unsigned char *public_key, size_t public_key_length);
 
 /**
  * @brief Get OTA deployment

include/mender-tls.h

@@ -42,19 +42,35 @@ mender_err_t mender_tls_init(void);
  * @param private_key_length Private key lenght
  * @param public_key Public key generated
  * @param public_key_length Public key lenght
- * @return ESP_OK if the function succeeds, error code otherwise
+ * @return MENDER_OK if the function succeeds, error code otherwise
+ */
+mender_err_t mender_tls_generate_authentication_keys(unsigned char **private_key,
+                                                     size_t *        private_key_length,
+                                                     unsigned char **public_key,
+                                                     size_t *        public_key_length);
+
+/**
+ * @brief Write a buffer of PEM information from a DER encoded buffer
+ * @note This function is derived from mbedtls_pem_write_buffer with const header and footer, and line feed is "\\n"
+ * @param der_data The DER data to encode
+ * @param der_len The length of the DER data
+ * @param buf The buffer to write to
+ * @param buf_len The length of the output buffer
+ * @param olen The address at which to store the total length written or required output buffer length is not enough
+ * @return MENDER_OK if the function succeeds, error code otherwise
  */
-mender_err_t mender_tls_generate_authentication_keys(char **private_key, size_t *private_key_length, char **public_key, size_t *public_key_length);
+mender_err_t mender_tls_pem_write_buffer(const unsigned char *der_data, size_t der_len, char *buf, size_t buf_len, size_t *olen);
 
 /**
  * @brief Sign payload
  * @param private_key Private key
+ * @param private_key_length Private key length
  * @param payload Payload to sign
  * @param signature Signature of the payload
  * @param signature_length Length of the signature buffer, updated to the length of the signature
- * @return ESP_OK if the function succeeds, error code otherwise
+ * @return MENDER_OK if the function succeeds, error code otherwise
  */
-mender_err_t mender_tls_sign_payload(char *private_key, char *payload, char **signature, size_t *signature_length);
+mender_err_t mender_tls_sign_payload(unsigned char *private_key, size_t private_key_length, char *payload, char **signature, size_t *signature_length);
 
 /**
  * @brief Release mender TLS

include/mender-utils.h

@@ -30,15 +30,6 @@
 
 #include "mender-common.h"
 
-/**
- * @brief Function used to replace a string in the input buffer
- * @param input Input buffer
- * @param search String to be replaced or regex expression
- * @param replace Replacement string
- * @return New string with replacements if the function succeeds, NULL otherwise
- */
-char *mender_utils_str_replace(char *input, char *search, char *replace);
-
 /**
  * @brief Function used to print HTTP status as string
  * @param status HTTP status code