fix: handling non-json responses from signing backup service (#189)

not in all cases service returns valid json for non-200 responses and so we should not parse it assuming it has valid json which caused segfault
crashappsec · Feb 7, 2024 · 1d03aa9 · 1d03aa9
1 parent 910b8a3
commit 1d03aa9
Showing 1 changed file with 13 additions and 15 deletions.
diff --git a/src/attestation.nim b/src/attestation.nim
@@ -5,7 +5,7 @@
 ## (see https://crashoverride.com/docs/chalk)
 ##
 
-import base64, chalkjson, config, httpclient, net, os, selfextract, 
+import base64, chalkjson, config, httpclient, net, os, selfextract,
        sinks, uri, nimutils/sinks
 
 const
@@ -147,7 +147,7 @@ template callTheSigningKeyBackupService(base: string, prKey: string, bodytxt: un
                                  retries           = 2,
                                  firstRetryDelayMs = 100)
 
-  trace("Signing Key Backup Service URL: " & $uri)  
+  trace("Signing Key Backup Service URL: " & $uri)
   trace("Signing Key Backup Service HTTP headers: " & $authHeaders)
   trace("Signing Key Backup Service status code: " & response.status)
   trace("Signing Key Backup Service response: " & response.body)
@@ -196,15 +196,13 @@ proc restoreSigningKeyFromService*(prkey: string): bool =
 
   let response = callTheSigningKeyBackupService(base, prKey, "", HttpGet)
 
-  if not response.code.is2xx():
-    # authentication issue / token expiration - begin reauth
-    if response.code == Http401:
-      # parse json response and save / return values()
-      let jsonNodeReason = parseJson(response.body())
-      trace("JSON body of response from Signing key Backup Service: " & $jsonNodeReason)
-    else:
-      warn("Could not retrieve encrypted signing key: " & response.status & "\n" & "Will not be able to sign / verify.")
-      return false
+  if response.code == Http401:
+    # authentication issue / token expiration
+    trace("JSON body of response from Signing key Backup Service: " & response.body())
+    return false
+  elif not response.code.is2xx():
+    warn("Could not retrieve encrypted signing key: " & response.status & "\n" & "Will not be able to sign / verify.")
+    return false
 
   var
     body:    string
@@ -214,7 +212,7 @@ proc restoreSigningKeyFromService*(prkey: string): bool =
     hexBits = response.body()
     body    = parseHexStr($hexBits)
 
-    if len(body) != 40: 
+    if len(body) != 40:
       error("Encrypted key returned from server is incorrect size. Received" & $len(body) & "bytes, exected 40 bytes.")
       return false
 
@@ -351,7 +349,7 @@ proc acquirePassword(optfile = ""): bool {.discardable.} =
     if prikey == "":
       return false
 
-  # Use Chalk Data API key to retrieve previously saved encrypted secret 
+  # Use Chalk Data API key to retrieve previously saved encrypted secret
   #  from API, then use retrieved private key to decrypt
   if restoreSigningKeyFromService(prikey):
     return true
@@ -522,7 +520,7 @@ proc attemptToGenKeys*(): bool =
     return false
 
   let keyOutLoc = getKeyFileLoc()
-  
+
   if keyOutLoc == "":
     return false
 
@@ -546,7 +544,7 @@ proc attemptToGenKeys*(): bool =
     cosignLoaded = true
 
     result = saveSigningSetup(pubKey, priKey, true)
-    
+
 proc canAttest*(): bool =
   if getCosignLocation() == "":
     return false