platform: keep authentication keys inside the tls module
joelguittet committed Oct 10, 2023
1 parent 1f2957f commit 6e498a5
Showing 5 changed files with 305 additions and 248 deletions.
19 changes: 5 additions & 14 deletions core/src/mender-api.c
Expand Up @@ -127,10 +127,8 @@ mender_api_init(mender_api_config_t *config) {
}

mender_err_t
mender_api_perform_authentication(unsigned char *private_key, size_t private_key_length, unsigned char *public_key, size_t public_key_length) {
mender_api_perform_authentication(void) {

assert(NULL != private_key);
assert(NULL != public_key);
mender_err_t ret;
char * public_key_pem = NULL;
char * payload = NULL;
Expand All @@ -139,16 +137,9 @@ mender_api_perform_authentication(unsigned char *private_key, size_t private_key
size_t signature_length = 0;
int status = 0;

/* Convert public key to PEM format */
size_t olen = 0;
mender_tls_pem_write_buffer(public_key, public_key_length, NULL, 0, &olen);
if (NULL == (public_key_pem = (char *)malloc(olen))) {
mender_log_error("Unable to allocate memory");
ret = MENDER_FAIL;
goto END;
}
if (MENDER_OK != (ret = mender_tls_pem_write_buffer(public_key, public_key_length, public_key_pem, olen, &olen))) {
mender_log_error("Unable to convert public key");
/* Get public key in PEM format */
if (MENDER_OK != (ret = mender_tls_get_public_key_pem(&public_key_pem))) {
mender_log_error("Unable to get public key");
goto END;
}

Expand Down Expand Up @@ -178,7 +169,7 @@ mender_api_perform_authentication(unsigned char *private_key, size_t private_key
}

/* Sign payload */
if (MENDER_OK != (ret = mender_tls_sign_payload(private_key, private_key_length, payload, &signature, &signature_length))) {
if (MENDER_OK != (ret = mender_tls_sign_payload(payload, &signature, &signature_length))) {
mender_log_error("Unable to sign payload");
goto END;
}
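Review bot: The new call to mender_tls_get_public_key_pem() at L43 hands back a buffer whose ownership is not stated anywhere in this change, while the function's END cleanup (outside the hunk) presumably still free()s public_key_pem as it did when the PEM was malloc'd locally at L35; if the platform implementation returns a pointer to storage it keeps, that free is invalid, and if it allocates, the contract should say so. Once confirmed against the platform implementation (not on this page), add a line above the call, `/* PEM buffer is allocated by the TLS module; released at END */`. The removed asserts at L23–L24 also mean the function now depends silently on mender_tls_init_authentication_keys() having succeeded; a failed sign at L53 is the only symptom of a missing key, so that precondition belongs in the doc comment. The body of mender_api_perform_authentication ends outside the hunk.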
57 changes: 5 additions & 52 deletions core/src/mender-client.c
Expand Up @@ -84,14 +84,6 @@ typedef enum {
*/
static mender_client_state_t mender_client_state = MENDER_CLIENT_STATE_INITIALIZATION;

/**
* @brief Authentication keys
*/
static unsigned char *mender_client_private_key = NULL;
static size_t mender_client_private_key_length = 0;
static unsigned char *mender_client_public_key = NULL;
static size_t mender_client_public_key_length = 0;

/**
* @brief OTA ID and artifact name, used to report OTA status after rebooting
*/
mender_client_config.tenant_token = NULL;
mender_client_config.authentication_poll_interval = 0;
mender_client_config.update_poll_interval = 0;
if (NULL != mender_client_private_key) {
free(mender_client_private_key);
mender_client_private_key = NULL;
}
mender_client_private_key_length = 0;
if (NULL != mender_client_public_key) {
free(mender_client_public_key);
mender_client_public_key = NULL;
}
mender_client_public_key_length = 0;
if (NULL != mender_client_ota_id) {
free(mender_client_ota_id);
mender_client_ota_id = NULL;

mender_err_t ret;

/* Check if recommissioning is forced */
if (true == mender_client_config.recommissioning) {

/* Erase authentication keys */
mender_log_info("Delete authentication keys...");
if (MENDER_OK != mender_storage_delete_authentication_keys()) {
mender_log_warning("Unable to delete authentication keys");
}
}

/* Retrieve or generate authentication keys if not allready done */
if (MENDER_OK
!= mender_storage_get_authentication_keys(
&mender_client_private_key, &mender_client_private_key_length, &mender_client_public_key, &mender_client_public_key_length)) {

/* Generate authentication keys */
mender_log_info("Generating authentication keys...");
if (MENDER_OK
!= (ret = mender_tls_generate_authentication_keys(
&mender_client_private_key, &mender_client_private_key_length, &mender_client_public_key, &mender_client_public_key_length))) {
mender_log_error("Unable to generate authentication keys");
return ret;
}

/* Record keys */
if (MENDER_OK
!= (ret = mender_storage_set_authentication_keys(
mender_client_private_key, mender_client_private_key_length, mender_client_public_key, mender_client_public_key_length))) {
mender_log_error("Unable to record authentication keys");
return ret;
}
/* Retrieve or generate authentication keys */
if (MENDER_OK != (ret = mender_tls_init_authentication_keys(mender_client_config.recommissioning))) {
mender_log_error("Unable to retrieve or generate authentication keys");
return ret;
}

/* Retrieve OTA ID if it is found (following an update) */
Expand All @@ -402,9 +357,7 @@ mender_client_authentication_work_function(void) {
mender_err_t ret;

/* Perform authentication with the mender server */
if (MENDER_OK
!= (ret = mender_api_perform_authentication(
mender_client_private_key, mender_client_private_key_length, mender_client_public_key, mender_client_public_key_length))) {
if (MENDER_OK != (ret = mender_api_perform_authentication())) {

/* Invoke authentication error callback */
if (NULL != mender_client_callbacks.authentication_failure) {
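Review bot: mender_client_exit() at L76–L78 no longer releases the private key, so that now has to happen in the TLS module's exit path, which this page does not show; the removed code at L79–L83 freed the key with a plain free() and never wiped it, and the replacement should not inherit that — clear the private-key buffer before freeing it with a volatile-qualified memset loop or the platform's explicit-zeroing primitive, since an ordinary memset before free may be optimized away. Separately, the old initialization path at L101–L103 only warned when erasing keys during recommissioning failed and then reused whatever storage still held; the single return value of mender_tls_init_authentication_keys() at L128 does not tell the caller whether a failed erase is fatal or whether stale keys were kept, which decides whether recommissioning is a real rekey. Worth a comment above L127 such as `/* On recommissioning the TLS module must not fall back to keys it failed to erase */` once the platform behaviour is confirmed. mender_client_initialization_work_function continues past the hunk.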
6 changes: 1 addition & 5 deletions include/mender-api.h
Expand Up @@ -54,13 +54,9 @@ mender_err_t mender_api_init(mender_api_config_t *config);

/**
* @brief Perform authentication of the device, retrieve token from mender-server used for the next requests
* @param private_key Client private key used for authentication
* @param private_key_length Private key length
* @param public_key Client public key used for authentication
* @param public_key_length Public key length
* @return MENDER_OK if the function succeeds, error code otherwise
*/
mender_err_t mender_api_perform_authentication(unsigned char *private_key, size_t private_key_length, unsigned char *public_key, size_t public_key_length);
mender_err_t mender_api_perform_authentication(void);

/**
* @brief Check for deployments for the device from the mender-server
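Review bot: The doc comment at L150–L157 drops the key parameters but does not record the precondition that replaces them: mender_api_perform_authentication() at L159 now reads keys held by the TLS module, so it only works after mender_tls_init_authentication_keys() has succeeded, and nothing in the signature conveys that. Add `* @note Requires mender_tls_init_authentication_keys() to have succeeded; the keys are owned by the TLS module` to the comment.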
27 changes: 7 additions & 20 deletions include/mender-tls.h
Expand Up @@ -41,40 +41,27 @@ extern "C" {
mender_err_t mender_tls_init(void);

/**
* @brief Generate authentication keys
* @param private_key Private key generated
* @param private_key_length Private key lenght
* @param public_key Public key generated
* @param public_key_length Public key lenght
* @brief Initialize mender TLS authentication keys
* @param recommissioning perform recommisioning (if supported by the platform)
* @return MENDER_OK if the function succeeds, error code otherwise
*/
mender_err_t mender_tls_generate_authentication_keys(unsigned char **private_key,
size_t * private_key_length,
unsigned char **public_key,
size_t * public_key_length);
mender_err_t mender_tls_init_authentication_keys(bool recommissioning);

/**
* @brief Write a buffer of PEM information from a DER encoded buffer
* @note This function is derived from mbedtls_pem_write_buffer with const header and footer, and line feed is "\\n"
* @param der_data The DER data to encode
* @param der_len The length of the DER data
* @param buf The buffer to write to
* @param buf_len The length of the output buffer
* @param olen The address at which to store the total length written or required output buffer length is not enough
* @brief Get public key (PEM format suitable to be integrated in mender authentication request)
* @param public_key Public key, NULL if an error occured
* @return MENDER_OK if the function succeeds, error code otherwise
*/
mender_err_t mender_tls_pem_write_buffer(const unsigned char *der_data, size_t der_len, char *buf, size_t buf_len, size_t *olen);
mender_err_t mender_tls_get_public_key_pem(char **public_key);

/**
* @brief Sign payload
* @param private_key Private key
* @param private_key_length Private key length
* @param payload Payload to sign
* @param signature Signature of the payload
* @param signature_length Length of the signature buffer, updated to the length of the signature
* @return MENDER_OK if the function succeeds, error code otherwise
*/
mender_err_t mender_tls_sign_payload(unsigned char *private_key, size_t private_key_length, char *payload, char **signature, size_t *signature_length);
mender_err_t mender_tls_sign_payload(char *payload, char **signature, size_t *signature_length);

/**
* @brief Release mender TLS
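Review bot: mender_tls_get_public_key_pem() at L198 returns a buffer through `public_key` but its comment at L193–L195 does not say who frees it; since the old code malloc'd the PEM locally and the platform implementation is not on this page, a caller cannot tell whether to free() the result or whether it points at storage the TLS module keeps. Suggest `* @param public_key NUL-terminated PEM public key, allocated by the function and to be released by the caller with free(); NULL on error` — or the opposite wording if the implementation returns an internal buffer. Likewise mender_tls_init_authentication_keys() at L183 should state what `recommissioning` does on a platform that does not support it (ignored vs. error) and whether a failure to erase the previous keys is fatal, because the client now relies solely on its return value. The new doc text also carries two typos, "recommisioning" at L176 and "occured" at L194.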
