RDK-57883 [PoC] Access TEE Cert Abstracted By CertSelector

source/protocol/http/Makefile.am

@@ -24,7 +24,7 @@ libhttp_la_SOURCES = curlinterface.c
 libhttp_la_LDFLAGS = -shared -fPIC -lcurl
 if IS_LIBRDKCERTSEL_ENABLED
 libhttp_la_CFLAGS = $(LIBRDKCERTSEL_FLAG)
-libhttp_la_LDFLAGS += -lRdkCertSelector
+libhttp_la_LDFLAGS += -lRdkCertSelector -lsetTlsCert
 endif
 libhttp_la_CPPFLAGS = -fPIC -I${PKG_CONFIG_SYSROOT_DIR}$(includedir)/dbus-1.0 \
                                 -I${PKG_CONFIG_SYSROOT_DIR}$(libdir)/dbus-1.0/include \

source/protocol/http/curlinterface.c

@@ -39,7 +39,7 @@
 #include "busInterface.h"
 #ifdef LIBRDKCERTSEL_BUILD
 #include "rdkcertselector.h"
-#define FILESCHEME "file://"
+#include "rdkSetTlsCert.h"
 #endif
 #ifdef LIBRDKCONFIG_BUILD
 #include "rdkconfig.h"
@@ -177,6 +177,7 @@ static T2ERROR setHeader(CURL *curl, const char* destURL, struct curl_slist **he
     return T2ERROR_SUCCESS;
 }
 
+#ifndef LIBRDKCERTSEL_BUILD
 static T2ERROR setMtlsHeaders(CURL *curl, const char* certFile, const char* pPasswd, childResponse *childCurlResponse)
 {
     if(curl == NULL || certFile == NULL || pPasswd == NULL)
@@ -185,15 +186,13 @@ static T2ERROR setMtlsHeaders(CURL *curl, const char* certFile, const char* pPas
         return T2ERROR_FAILURE;
     }
     CURLcode code = CURLE_OK;
-#ifndef LIBRDKCERTSEL_BUILD
     code = curl_easy_setopt(curl, CURLOPT_SSLENGINE_DEFAULT, 1L);
     if(code != CURLE_OK)
     {
         childCurlResponse->curlSetopCode = code;
         childCurlResponse->lineNumber = __LINE__;
         return T2ERROR_FAILURE;
     }
-#endif
     code = curl_easy_setopt(curl, CURLOPT_SSLCERTTYPE, "P12");
     if(code != CURLE_OK)
     {
@@ -228,7 +227,7 @@ static T2ERROR setMtlsHeaders(CURL *curl, const char* certFile, const char* pPas
     childCurlResponse->lineNumber = __LINE__;
     return T2ERROR_SUCCESS;
 }
-
+#endif
 static T2ERROR setPayload(CURL *curl, const char* payload, childResponse *childCurlResponse)
 {
     if(curl == NULL || payload == NULL)
@@ -318,17 +317,15 @@ T2ERROR sendReportOverHTTP(char *httpUrl, char *payload, pid_t* outForkedPid)
 #ifdef LIBRDKCERTSEL_BUILD
     rdkcertselector_h thisCertSel = NULL;
     rdkcertselectorStatus_t curlGetCertStatus;
-    char *pCertURI = NULL;
-    char *pEngine = NULL;
     bool state_red_enable = false;
 #endif
-    char *pCertFile = NULL;
-    char *pCertPC = NULL;
 #ifdef LIBRDKCONFIG_BUILD
     size_t sKey = 0;
 #endif
     long http_code;
+#ifndef LIBRDKCERTSEL_BUILD
     bool mtls_enable = false;
+#endif
     pid_t childPid;
     int sharedPipeFds[2];
 
@@ -381,8 +378,9 @@ T2ERROR sendReportOverHTTP(char *httpUrl, char *payload, pid_t* outForkedPid)
     }
 #endif
 #endif
-    mtls_enable = isMtlsEnabled();
 #ifndef LIBRDKCERTSEL_BUILD
+    mtls_enable = isMtlsEnabled();
+    char *pCertFile = NULL;
     if(mtls_enable == true && T2ERROR_SUCCESS != getMtlsCerts(&pCertFile, &pCertPC))
     {
         T2Error("mTLS_cert get failed\n");
@@ -456,26 +454,9 @@ T2ERROR sendReportOverHTTP(char *httpUrl, char *payload, pid_t* outForkedPid)
                 goto child_cleanReturn;
             }
 #ifdef LIBRDKCERTSEL_BUILD
-            pEngine = rdkcertselector_getEngine(thisCertSel);
-            if(pEngine != NULL)
-            {
-                code = curl_easy_setopt(curl, CURLOPT_SSLENGINE, pEngine);
-            }
-            else
-            {
-                code = curl_easy_setopt(curl, CURLOPT_SSLENGINE_DEFAULT, 1L);
-            }
-            if(code != CURLE_OK)
-            {
-                curl_easy_cleanup(curl);
-                goto child_cleanReturn;
-            }
             do
             {
-                pCertFile = NULL;
-                pCertPC = NULL;
-                pCertURI = NULL;
-                curlGetCertStatus = rdkcertselector_getCert(thisCertSel, &pCertURI, &pCertPC);
+                curlGetCertStatus = rdkcertselector_getCertForCurl( curl, curlCertSelector);
                 if(curlGetCertStatus != certselectorOk)
                 {
                     T2Error("%s, T2:Failed to retrieve the certificate.\n", __func__);
@@ -485,18 +466,14 @@ T2ERROR sendReportOverHTTP(char *httpUrl, char *payload, pid_t* outForkedPid)
                 }
                 else
                 {
-                    // skip past file scheme in URI
-                    pCertFile = pCertURI;
-                    if ( strncmp( pCertFile, FILESCHEME, sizeof(FILESCHEME) - 1 ) == 0 )
-                    {
-                        pCertFile += (sizeof(FILESCHEME) - 1);
-                    }
 #endif
+#ifndef LIBRDKCERTSEL_BUILD
                     if((mtls_enable == true) && (setMtlsHeaders(curl, pCertFile, pCertPC, &childCurlResponse) != T2ERROR_SUCCESS))
                     {
                         curl_easy_cleanup(curl); // CID 189985: Resource leak
                         goto child_cleanReturn;
                     }
+#endif
                     pthread_once(&curlFileMutexOnce, sendOverHTTPInit);
                     pthread_mutex_lock(&curlFileMutex);
 
@@ -515,7 +492,7 @@ T2ERROR sendReportOverHTTP(char *httpUrl, char *payload, pid_t* outForkedPid)
                         if(curl_code != CURLE_OK || http_code != 200)
                         {
 #ifdef LIBRDKCERTSEL_BUILD
-                            T2Info("%s: Using xpki Certs connection certname: %s\n", __func__, pCertFile);
+                            T2Info("%s: Using xpki Certs connection\n", __func__);
 #endif
                             fprintf(stderr, "curl failed: %s\n", curl_easy_strerror(curl_code));
                             childCurlResponse.lineNumber = __LINE__;

source/xconf-client/xconfclient.c

@@ -42,8 +42,7 @@
 #include "telemetry2_0.h"
 #include "busInterface.h"
 #ifdef LIBRDKCERTSEL_BUILD
-#include "rdkcertselector.h"
-#define FILESCHEME "file://"
+#include "rdkSetTlsCert.h"
 #endif
 #ifdef LIBRDKCONFIG_BUILD
 #include "rdkconfig.h"
@@ -588,12 +587,10 @@ T2ERROR doHttpGet(char* httpsUrl, char **data)
     CURLcode curl_code = CURLE_OK;
 #ifdef LIBRDKCERTSEL_BUILD
     rdkcertselectorStatus_t xcGetCertStatus;
-    char *pCertURI = NULL;
-    char *pEngine = NULL;
 #endif
+#ifdef LIBRDKCONFIG_BUILD
     char *pCertFile = NULL;
     char *pPasswd = NULL;
-#ifdef LIBRDKCONFIG_BUILD
     size_t sPasswdSize = 0;
 #endif
     // char *pKeyType = "PEM" ;
@@ -727,25 +724,9 @@ T2ERROR doHttpGet(char* httpsUrl, char **data)
             if(mtls_enable == true)
             {
 #ifdef LIBRDKCERTSEL_BUILD
-                pEngine = rdkcertselector_getEngine(xcCertSelector);
-                if(pEngine != NULL)
-                {
-                    code = curl_easy_setopt(curl, CURLOPT_SSLENGINE, pEngine);
-                }
-                else
-                {
-                    code = curl_easy_setopt(curl, CURLOPT_SSLENGINE_DEFAULT, 1L);
-                }
-                if(code != CURLE_OK)
-                {
-                    T2Error("%s : Curl set opts failed with error %s \n", __FUNCTION__, curl_easy_strerror(code));
-                }
                 do
                 {
-                    pCertFile = NULL;
-                    pPasswd = NULL;
-                    pCertURI = NULL;
-                    xcGetCertStatus = rdkcertselector_getCert(xcCertSelector, &pCertURI, &pPasswd);
+                    xcGetCertStatus = rdkcertselector_getCertForCurl( curl, xcCertSelector);
                     if(xcGetCertStatus != certselectorOk)
                     {
                         T2Error("%s, T2:Failed to retrieve the certificate.\n", __func__);
@@ -757,47 +738,21 @@ T2ERROR doHttpGet(char* httpsUrl, char **data)
                         goto status_return;
                     }
                     else
-                    {
-                        // skip past file scheme in URI
-                        pCertFile = pCertURI;
-                        if ( strncmp( pCertFile, FILESCHEME, sizeof(FILESCHEME) - 1 ) == 0 )
-                        {
-                            pCertFile += (sizeof(FILESCHEME) - 1);
-                        }
+                    { 
+
 #else
                 if(T2ERROR_SUCCESS == getMtlsCerts(&pCertFile, &pPasswd))
                 {
 #endif
-                        code = curl_easy_setopt(curl, CURLOPT_SSLCERTTYPE, "P12");
-                        if(code != CURLE_OK)
-                        {
-                            T2Error("%s : Curl set opts failed with error %s \n", __FUNCTION__, curl_easy_strerror(code));
-                        }
-                        code = curl_easy_setopt(curl, CURLOPT_SSLCERT, pCertFile);
-                        if(code != CURLE_OK)
-                        {
-                            T2Error("%s : Curl set opts failed with error %s \n", __FUNCTION__, curl_easy_strerror(code));
-                        }
-                        code = curl_easy_setopt(curl, CURLOPT_KEYPASSWD, pPasswd);
-                        if(code != CURLE_OK)
-                        {
-                            T2Error("%s : Curl set opts failed with error %s \n", __FUNCTION__, curl_easy_strerror(code));
-                        }
-                        /* disconnect if authentication fails */
-                        code = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
-                        if(code != CURLE_OK)
-                        {
-                            T2Error("%s : Curl set opts failed with error %s \n", __FUNCTION__, curl_easy_strerror(code));
-                        }
-                        curl_code = curl_easy_perform(curl);
+                curl_code = curl_easy_perform(curl);
 #ifdef LIBRDKCERTSEL_BUILD
                         if(curl_code != CURLE_OK)
                         {
-                            T2Info("%s: Using xpki Certs connection certname : %s \n", __FUNCTION__, pCertFile);
+                            T2Info("%s: Using xpki Certs connection \n", __FUNCTION__);
                             T2Error("Curl failed : %d \n", curl_code);
                         }
                     }
-                }
+                   }
                 while(rdkcertselector_setCurlStatus(xcCertSelector, curl_code, (const char*)httpsUrl) == TRY_ANOTHER);
 #else
                     }