fix tedge-p11-server unhandled unwrap

Bravo555 · Bravo555 · commit 92046cc05c5b · 2025-04-09T13:11:11.000Z
Signed-off-by: Marcel Guzik &lt;marcel.guzik@cumulocity.com&gt;
diff --git a/crates/extensions/tedge-p11-server/src/client.rs b/crates/extensions/tedge-p11-server/src/client.rs
@@ -38,7 +38,7 @@ impl TedgeP11Client {
         let response = connection.read_frame()?;
 
         let Frame1::ChooseSchemeResponse(response) = response else {
-            bail!("protocol error: bad response, expected chose scheme");
+            bail!("protocol error: bad response, expected chose scheme, received: {response:?}");
         };
 
         debug!("Choose scheme complete");
@@ -66,7 +66,7 @@ impl TedgeP11Client {
         let response = connection.read_frame()?;
 
         let Frame1::ChooseSchemeResponse(response) = response else {
-            bail!("protocol error: bad response, expected chose scheme");
+            bail!("protocol error: bad response, expected chose scheme, received: {response:?}");
         };
 
         debug!("Choose scheme complete");
@@ -87,7 +87,7 @@ impl TedgeP11Client {
         let response = connection.read_frame()?;
 
         let Frame1::SignResponse(response) = response else {
-            bail!("protocol error: bad response, expected sign");
+            bail!("protocol error: bad response, expected sign, received: {response:?}");
         };
 
         debug!("Sign complete");
diff --git a/crates/extensions/tedge-p11-server/src/server.rs b/crates/extensions/tedge-p11-server/src/server.rs
@@ -31,6 +31,7 @@ impl TedgeP11Server {
                 .context("Failed to accept connection")?;
 
             let stream = stream.into_std()?;
+            stream.set_nonblocking(false)?;
             let connection = Connection::new(stream);
 
             match self.process(connection) {
@@ -52,9 +53,31 @@ impl TedgeP11Server {
                 anyhow::bail!("protocol error: invalid request")
             }
             Frame1::ChooseSchemeRequest(request) => {
-                Frame1::ChooseSchemeResponse(self.service.choose_scheme(request))
+                let response = self.service.choose_scheme(request);
+                match response {
+                    Ok(response) => Frame1::ChooseSchemeResponse(response),
+                    Err(err) => {
+                        let response = Frame1::Error(ProtocolError(format!(
+                            "PKCS #11 service failed: {err:#}"
+                        )));
+                        connection.write_frame(&response)?;
+                        anyhow::bail!(err);
+                    }
+                }
+            }
+            Frame1::SignRequest(request) => {
+                let response = self.service.sign(request);
+                match response {
+                    Ok(response) => Frame1::SignResponse(response),
+                    Err(err) => {
+                        let response = Frame1::Error(ProtocolError(format!(
+                            "PKCS #11 service failed: {err:#}"
+                        )));
+                        connection.write_frame(&response)?;
+                        anyhow::bail!(err);
+                    }
+                }
             }
-            Frame1::SignRequest(request) => Frame1::SignResponse(self.service.sign(request)),
         };
 
         connection.write_frame(&response)?;
diff --git a/crates/extensions/tedge-p11-server/src/service.rs b/crates/extensions/tedge-p11-server/src/service.rs
@@ -24,35 +24,40 @@ impl P11SignerService {
         Ok(Self { signing_key })
     }
 
-    #[instrument]
-    pub fn choose_scheme(&self, request: ChooseSchemeRequest) -> ChooseSchemeResponse {
+    #[instrument(skip_all)]
+    pub fn choose_scheme(
+        &self,
+        request: ChooseSchemeRequest,
+    ) -> anyhow::Result<ChooseSchemeResponse> {
         let offered = request.offered.into_iter().map(|s| s.0).collect::<Vec<_>>();
 
         let signer = self.signing_key.choose_scheme(&offered);
         let algorithm = SignatureAlgorithm(self.signing_key.algorithm());
 
         let Some(signer) = signer else {
-            return ChooseSchemeResponse {
+            return Ok(ChooseSchemeResponse {
                 scheme: None,
                 algorithm,
-            };
+            });
         };
 
-        ChooseSchemeResponse {
+        Ok(ChooseSchemeResponse {
             scheme: Some(SignatureScheme(signer.scheme())),
             algorithm,
-        }
+        })
     }
 
-    #[instrument]
-    pub fn sign(&self, request: SignRequest) -> SignResponse {
+    #[instrument(skip_all)]
+    pub fn sign(&self, request: SignRequest) -> anyhow::Result<SignResponse> {
         let session = match &self.signing_key {
             Pkcs11SigningKey::Ecdsa(key) => &key.pkcs11,
             Pkcs11SigningKey::Rsa(key) => &key.pkcs11,
         };
         let signer = PkcsSigner::from_session(session.clone());
-        let signature = signer.sign(&request.to_sign).unwrap();
-        SignResponse(signature)
+        let signature = signer
+            .sign(&request.to_sign)
+            .context("Failed to sign using PKCS #11")?;
+        Ok(SignResponse(signature))
     }
 }
 
