platform: keep authentication keys inside the tls module

core/src/mender-api.c

@@ -127,10 +127,8 @@ mender_api_init(mender_api_config_t *config) {
 }
 
 mender_err_t
-mender_api_perform_authentication(unsigned char *private_key, size_t private_key_length, unsigned char *public_key, size_t public_key_length) {
+mender_api_perform_authentication(void) {
 
-    assert(NULL != private_key);
-    assert(NULL != public_key);
     mender_err_t ret;
     char *       public_key_pem   = NULL;
     char *       payload          = NULL;
@@ -139,16 +137,9 @@ mender_api_perform_authentication(unsigned char *private_key, size_t private_key
     size_t       signature_length = 0;
     int          status           = 0;
 
-    /* Convert public key to PEM format */
-    size_t olen = 0;
-    mender_tls_pem_write_buffer(public_key, public_key_length, NULL, 0, &olen);
-    if (NULL == (public_key_pem = (char *)malloc(olen))) {
-        mender_log_error("Unable to allocate memory");
-        ret = MENDER_FAIL;
-        goto END;
-    }
-    if (MENDER_OK != (ret = mender_tls_pem_write_buffer(public_key, public_key_length, public_key_pem, olen, &olen))) {
-        mender_log_error("Unable to convert public key");
+    /* Get public key in PEM format */
+    if (MENDER_OK != (ret = mender_tls_get_public_key_pem(&public_key_pem))) {
+        mender_log_error("Unable to get public key");
         goto END;
     }
 
@@ -178,7 +169,7 @@ mender_api_perform_authentication(unsigned char *private_key, size_t private_key
     }
 
     /* Sign payload */
-    if (MENDER_OK != (ret = mender_tls_sign_payload(private_key, private_key_length, payload, &signature, &signature_length))) {
+    if (MENDER_OK != (ret = mender_tls_sign_payload(payload, &signature, &signature_length))) {
         mender_log_error("Unable to sign payload");
         goto END;
     }

core/src/mender-client.c

@@ -84,14 +84,6 @@ typedef enum {
  */
 static mender_client_state_t mender_client_state = MENDER_CLIENT_STATE_INITIALIZATION;
 
-/**
- * @brief Authentication keys
- */
-static unsigned char *mender_client_private_key        = NULL;
-static size_t         mender_client_private_key_length = 0;
-static unsigned char *mender_client_public_key         = NULL;
-static size_t         mender_client_public_key_length  = 0;
-
 /**
  * @brief OTA ID and artifact name, used to report OTA status after rebooting
  */
@@ -286,16 +278,6 @@ mender_client_exit(void) {
     mender_client_config.tenant_token                 = NULL;
     mender_client_config.authentication_poll_interval = 0;
     mender_client_config.update_poll_interval         = 0;
-    if (NULL != mender_client_private_key) {
-        free(mender_client_private_key);
-        mender_client_private_key = NULL;
-    }
-    mender_client_private_key_length = 0;
-    if (NULL != mender_client_public_key) {
-        free(mender_client_public_key);
-        mender_client_public_key = NULL;
-    }
-    mender_client_public_key_length = 0;
     if (NULL != mender_client_ota_id) {
         free(mender_client_ota_id);
         mender_client_ota_id = NULL;
@@ -352,37 +334,10 @@ mender_client_initialization_work_function(void) {
 
     mender_err_t ret;
 
-    /* Check if recommissioning is forced */
-    if (true == mender_client_config.recommissioning) {
-
-        /* Erase authentication keys */
-        mender_log_info("Delete authentication keys...");
-        if (MENDER_OK != mender_storage_delete_authentication_keys()) {
-            mender_log_warning("Unable to delete authentication keys");
-        }
-    }
-
-    /* Retrieve or generate authentication keys if not allready done */
-    if (MENDER_OK
-        != mender_storage_get_authentication_keys(
-            &mender_client_private_key, &mender_client_private_key_length, &mender_client_public_key, &mender_client_public_key_length)) {
-
-        /* Generate authentication keys */
-        mender_log_info("Generating authentication keys...");
-        if (MENDER_OK
-            != (ret = mender_tls_generate_authentication_keys(
-                    &mender_client_private_key, &mender_client_private_key_length, &mender_client_public_key, &mender_client_public_key_length))) {
-            mender_log_error("Unable to generate authentication keys");
-            return ret;
-        }
-
-        /* Record keys */
-        if (MENDER_OK
-            != (ret = mender_storage_set_authentication_keys(
-                    mender_client_private_key, mender_client_private_key_length, mender_client_public_key, mender_client_public_key_length))) {
-            mender_log_error("Unable to record authentication keys");
-            return ret;
-        }
+    /* Retrieve or generate authentication keys */
+    if (MENDER_OK != (ret = mender_tls_init_authentication_keys(mender_client_config.recommissioning))) {
+        mender_log_error("Unable to retrieve or generate authentication keys");
+        return ret;
     }
 
     /* Retrieve OTA ID if it is found (following an update) */
@@ -402,9 +357,7 @@ mender_client_authentication_work_function(void) {
     mender_err_t ret;
 
     /* Perform authentication with the mender server */
-    if (MENDER_OK
-        != (ret = mender_api_perform_authentication(
-                mender_client_private_key, mender_client_private_key_length, mender_client_public_key, mender_client_public_key_length))) {
+    if (MENDER_OK != (ret = mender_api_perform_authentication())) {
 
         /* Invoke authentication error callback */
         if (NULL != mender_client_callbacks.authentication_failure) {

include/mender-api.h

@@ -54,13 +54,9 @@ mender_err_t mender_api_init(mender_api_config_t *config);
 
 /**
  * @brief Perform authentication of the device, retrieve token from mender-server used for the next requests
- * @param private_key Client private key used for authentication
- * @param private_key_length Private key length
- * @param public_key Client public key used for authentication
- * @param public_key_length Public key length
  * @return MENDER_OK if the function succeeds, error code otherwise
  */
-mender_err_t mender_api_perform_authentication(unsigned char *private_key, size_t private_key_length, unsigned char *public_key, size_t public_key_length);
+mender_err_t mender_api_perform_authentication(void);
 
 /**
  * @brief Check for deployments for the device from the mender-server

include/mender-tls.h

@@ -41,40 +41,27 @@ extern "C" {
 mender_err_t mender_tls_init(void);
 
 /**
- * @brief Generate authentication keys
- * @param private_key Private key generated
- * @param private_key_length Private key lenght
- * @param public_key Public key generated
- * @param public_key_length Public key lenght
+ * @brief Initialize mender TLS authentication keys
+ * @param recommissioning perform recommisioning (if supported by the platform)
  * @return MENDER_OK if the function succeeds, error code otherwise
  */
-mender_err_t mender_tls_generate_authentication_keys(unsigned char **private_key,
-                                                     size_t *        private_key_length,
-                                                     unsigned char **public_key,
-                                                     size_t *        public_key_length);
+mender_err_t mender_tls_init_authentication_keys(bool recommissioning);
 
 /**
- * @brief Write a buffer of PEM information from a DER encoded buffer
- * @note This function is derived from mbedtls_pem_write_buffer with const header and footer, and line feed is "\\n"
- * @param der_data The DER data to encode
- * @param der_len The length of the DER data
- * @param buf The buffer to write to
- * @param buf_len The length of the output buffer
- * @param olen The address at which to store the total length written or required output buffer length is not enough
+ * @brief Get public key (PEM format suitable to be integrated in mender authentication request)
+ * @param public_key Public key, NULL if an error occured
  * @return MENDER_OK if the function succeeds, error code otherwise
  */
-mender_err_t mender_tls_pem_write_buffer(const unsigned char *der_data, size_t der_len, char *buf, size_t buf_len, size_t *olen);
+mender_err_t mender_tls_get_public_key_pem(char **public_key);
 
 /**
  * @brief Sign payload
- * @param private_key Private key
- * @param private_key_length Private key length
  * @param payload Payload to sign
  * @param signature Signature of the payload
  * @param signature_length Length of the signature buffer, updated to the length of the signature
  * @return MENDER_OK if the function succeeds, error code otherwise
  */
-mender_err_t mender_tls_sign_payload(unsigned char *private_key, size_t private_key_length, char *payload, char **signature, size_t *signature_length);
+mender_err_t mender_tls_sign_payload(char *payload, char **signature, size_t *signature_length);
 
 /**
  * @brief Release mender TLS