netio.c: Read certs using readFile before passing with mbedtls APIs

vikramdattu · vikramdattu · commit 93e33271fd0d · 2025-05-26T16:39:53.000+05:30
diff --git a/esp_port/components/api_call/netio.c b/esp_port/components/api_call/netio.c
@@ -22,10 +22,9 @@
 #include <sys/time.h>
 #include <sys/socket.h>
 
-/* Thirdparty headers */
-//#include "azure_c_shared_utility/xlogging.h"
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/entropy.h"
+#include "mbedtls/error.h"
 #if MBEDTLS_VERSION_NUMBER < 0x03000000
 #include "mbedtls/net.h"
 #endif
@@ -36,6 +35,7 @@
 #include "platform_utils.h"
 /* Internal headers */
 #include "netio.h"
+#include "fileio.h"
 
 /******************************************************************************
  * DEFINITIONS
@@ -95,6 +95,71 @@ static mbedtls_ctr_drbg_context ctr_drbg;
 static mbedtls_entropy_context entropy;
 #endif
 
+static int prvReadAndParseCertificate(mbedtls_x509_crt* pCert, const char* pcPath)
+{
+    STATUS retStatus = STATUS_SUCCESS;
+    UINT64 cert_len = 0;
+    PBYTE cert_buf = NULL;
+    CHAR errBuf[128];
+
+    if (readFile(pcPath, FALSE, NULL, &cert_len) != STATUS_SUCCESS) {
+        DLOGE("Failed to get cert file size");
+        retStatus = STATUS_NULL_ARG;
+        goto CleanUp;
+    }
+
+    cert_buf = (PBYTE) MEMCALLOC(1, cert_len + 1);
+    CHK(cert_buf != NULL, STATUS_NOT_ENOUGH_MEMORY);
+    CHK_STATUS(readFile(pcPath, FALSE, cert_buf, &cert_len));
+    int ret = mbedtls_x509_crt_parse(pCert, cert_buf, (size_t) (cert_len + 1));
+    if (ret != 0) {
+        mbedtls_strerror(ret, errBuf, SIZEOF(errBuf));
+        DLOGE("mbedtls_x509_crt_parse failed: %s", errBuf);
+    }
+    CHK(ret == 0, STATUS_INVALID_CA_CERT_PATH);
+
+CleanUp:
+    CHK_LOG_ERR(retStatus);
+    if (cert_buf != NULL) {
+        MEMFREE(cert_buf);
+    }
+    return retStatus;
+}
+
+static int prvReadAndParsePrivateKey(mbedtls_pk_context* pPrivKey, const char* pcPath)
+{
+    STATUS retStatus = STATUS_SUCCESS;
+    UINT64 key_len = 0;
+    PBYTE key_buf = NULL;
+    CHAR errBuf[128];
+
+    if (readFile(pcPath, FALSE, NULL, &key_len) != STATUS_SUCCESS) {
+        DLOGE("Failed to get private key file size");
+        retStatus = STATUS_NULL_ARG;
+        goto CleanUp;
+    }
+
+    key_buf = (PBYTE) MEMALLOC(key_len + 1);
+    CHK(key_buf != NULL, STATUS_NOT_ENOUGH_MEMORY);
+    CHK_STATUS(readFile(pcPath, FALSE, key_buf, &key_len));
+#if MBEDTLS_VERSION_NUMBER < 0x03000000
+    int ret = mbedtls_pk_parse_key(pPrivKey, key_buf, key_len + 1, NULL, 0);
+#else
+    int ret = mbedtls_pk_parse_key(pPrivKey, key_buf, key_len + 1, NULL, 0, &mbedtls_ctr_drbg_random, &ctr_drbg);
+#endif
+    if (ret != 0) {
+        mbedtls_strerror(ret, errBuf, SIZEOF(errBuf));
+        DLOGE("mbedtls_pk_parse_key failed: %s", errBuf);
+    }
+    CHK(ret == 0, STATUS_FILE_CREDENTIAL_PROVIDER_OPEN_FILE_FAILED);
+
+CleanUp:
+    if (key_buf != NULL) {
+        MEMFREE(key_buf);
+    }
+    return retStatus;
+}
+
 static int prvInitConfig(NetIo_t* pxNet, const char* pcRootCA, const char* pcCert, const char* pcPrivKey, bool bFilePath)
 {
     int xRes = STATUS_SUCCESS;
@@ -121,32 +186,36 @@ static int prvInitConfig(NetIo_t* pxNet, const char* pcRootCA, const char* pcCer
             NetIo_setSendTimeout(pxNet, pxNet->uSendTimeoutMs);
 
             if (pcRootCA != NULL && pcCert != NULL && pcPrivKey != NULL) {
-                if (bFilePath == false &&
-                    (mbedtls_x509_crt_parse(pxNet->pRootCA, (void*) pcRootCA, strlen(pcRootCA) + 1) != 0 ||
-                     mbedtls_x509_crt_parse(pxNet->pCert, (void*) pcCert, strlen(pcCert) + 1) != 0 ||
-#if MBEDTLS_VERSION_NUMBER < 0x03000000
-                     mbedtls_pk_parse_key(pxNet->pPrivKey, (void*) pcPrivKey, strlen(pcPrivKey) + 1, NULL, 0) != 0)) {
-#else
-                     mbedtls_pk_parse_key(pxNet->pPrivKey, (void*) pcPrivKey, strlen(pcPrivKey) + 1, NULL, 0, &mbedtls_ctr_drbg_random, &ctr_drbg) != 0)) {
-#endif
-                    DLOGE("Failed to parse x509");
-                    xRes = STATUS_NULL_ARG;
-                } else if (mbedtls_x509_crt_parse_file(pxNet->pRootCA, (void*) pcRootCA) != 0 ||
-                           mbedtls_x509_crt_parse_file(pxNet->pCert, (void*) pcCert) != 0 ||
+                if (bFilePath) {
+                    // Read and parse certificates from files
+                    if (prvReadAndParseCertificate(pxNet->pRootCA, pcRootCA) != STATUS_SUCCESS ||
+                        prvReadAndParseCertificate(pxNet->pCert, pcCert) != STATUS_SUCCESS ||
+                        prvReadAndParsePrivateKey(pxNet->pPrivKey, pcPrivKey) != STATUS_SUCCESS) {
+                        xRes = STATUS_NULL_ARG;
+                        goto CleanUp;
+                    }
+                } else {
+                    // Parse certificates from memory buffers
+                    if (mbedtls_x509_crt_parse(pxNet->pRootCA, (void*) pcRootCA, strlen(pcRootCA) + 1) != 0 ||
+                        mbedtls_x509_crt_parse(pxNet->pCert, (void*) pcCert, strlen(pcCert) + 1) != 0 ||
 #if MBEDTLS_VERSION_NUMBER < 0x03000000
-                            mbedtls_pk_parse_keyfile(pxNet->pPrivKey, (void*) pcPrivKey, NULL) != 0) {
+                        mbedtls_pk_parse_key(pxNet->pPrivKey, (void*) pcPrivKey, strlen(pcPrivKey) + 1, NULL, 0) != 0) {
 #else
-                            mbedtls_pk_parse_keyfile(pxNet->pPrivKey, (void*) pcPrivKey, NULL, &mbedtls_ctr_drbg_random, &ctr_drbg) != 0) {
+                        mbedtls_pk_parse_key(pxNet->pPrivKey, (void*) pcPrivKey, strlen(pcPrivKey) + 1, NULL, 0, &mbedtls_ctr_drbg_random, &ctr_drbg) != 0) {
 #endif
-                } else {
-                    mbedtls_ssl_conf_authmode(&(pxNet->xConf), MBEDTLS_SSL_VERIFY_REQUIRED);
-                    mbedtls_ssl_conf_ca_chain(&(pxNet->xConf), pxNet->pRootCA, NULL);
-
-                    if (mbedtls_ssl_conf_own_cert(&(pxNet->xConf), pxNet->pCert, pxNet->pPrivKey) != 0) {
-                        DLOGE("Failed to conf own cert");
+                        DLOGE("Failed to parse x509");
                         xRes = STATUS_NULL_ARG;
+                        goto CleanUp;
                     }
                 }
+
+                mbedtls_ssl_conf_authmode(&(pxNet->xConf), MBEDTLS_SSL_VERIFY_REQUIRED);
+                mbedtls_ssl_conf_ca_chain(&(pxNet->xConf), pxNet->pRootCA, NULL);
+
+                if (mbedtls_ssl_conf_own_cert(&(pxNet->xConf), pxNet->pCert, pxNet->pPrivKey) != 0) {
+                    DLOGE("Failed to conf own cert");
+                    xRes = STATUS_NULL_ARG;
+                }
             } else {
                 mbedtls_ssl_conf_authmode(&(pxNet->xConf), MBEDTLS_SSL_VERIFY_OPTIONAL);
             }
@@ -160,6 +229,7 @@ static int prvInitConfig(NetIo_t* pxNet, const char* pcRootCA, const char* pcCer
         }
     }
 
+CleanUp:
     return xRes;
 }
 
@@ -257,9 +327,9 @@ void NetIo_terminate(NetIoHandle xNetIoHandle)
 int NetIo_connect(NetIoHandle xNetIoHandle, const char* pcHost, const char* pcPort)
 {
     DLOGD("Reached here: %s %d", __func__, __LINE__);
-    if (heap_caps_check_integrity_all(true) == false) {
-        DLOGE("Heap integrity check failed, line %d", __LINE__);
-    }
+    // if (heap_caps_check_integrity_all(true) == false) {
+    //     DLOGE("Heap integrity check failed, line %d", __LINE__);
+    // }
 
     return prvConnect(xNetIoHandle, pcHost, pcPort, NULL, NULL, NULL, false);
 }
@@ -336,16 +406,13 @@ int NetIo_recv(NetIoHandle xNetIoHandle, unsigned char* pBuffer, size_t uBufferS
 
 bool NetIo_isDataAvailable(NetIoHandle xNetIoHandle)
 {
-    int xRes = STATUS_SUCCESS;
     NetIo_t* pxNet = (NetIo_t*) xNetIoHandle;
     bool bDataAvailable = false;
     struct timeval tv = {0};
     fd_set read_fds = {0};
     int fd = 0;
 
-    if (pxNet == NULL) {
-        xRes = STATUS_NULL_ARG;
-    } else {
+    if (pxNet) {
         fd = pxNet->xFd.fd;
         if (fd >= 0) {
             FD_ZERO(&read_fds);
