Add TLS support

.github/workflows/ci.yml

@@ -12,6 +12,9 @@ jobs:
       matrix:
         os: [macos-latest, ubuntu-latest]
     steps:
+    - uses: actions/setup-go@v3
+      with:
+        go-version: "1.19"
     - name: Checkout code
       uses: actions/checkout@v2
       with:

cocli/README.md

@@ -560,6 +560,15 @@ path (usually `~/.config/cocli/config.yaml` on XDG-compliant systems). Please
 see `./data/config/example-config.yaml` file for details of the configuration
 that needs to be provided.
 
+#### Note on TLS
+
+If the scheme in the API server URL is HTTPS, `cocli` will attempt to establish
+a TLS connection to the server, validating the server certificate using system CA
+certs. It is possible to disable server certificate validation with
+`-i`/`--insecure` flag. Alternatively, if the CA cert for the server is
+available but is not installed in the system, it may be specified using
+`-E`/`--ca-cert` flag.
+
 ## Visual Synopsis of the Available Commands
 
 ```mermaid

cocli/cmd/corimSubmit.go

@@ -1,4 +1,4 @@
-// Copyright 2021 Contributors to the Veraison project.
+// Copyright 2021-2024 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -7,17 +7,21 @@ import (
 	"errors"
 	"fmt"
 	"net/url"
+	"strings"
 
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
 	"github.com/veraison/apiclient/provisioning"
 )
 
 var (
-	corimFile *string
-	mediaType *string
-	apiServer string
+	corimFile  *string
+	mediaType  *string
+	apiServer  string
+	isInsecure bool
+	certPaths  []string
 )
 
 var (
@@ -72,21 +76,18 @@ func NewCorimSubmitCmd(submitter ISubmitter) *cobra.Command {
 	cmd.Flags().StringP("token-url", "T", "", "token URL of the OAuth2 service")
 	cmd.Flags().StringP("username", "U", "", "service username")
 	cmd.Flags().StringP("password", "P", "", "service password")
-
-	err := viper.BindPFlag("api_server", cmd.Flags().Lookup("api-server"))
-	cobra.CheckErr(err)
-	err = viper.BindPFlag("auth", cmd.Flags().Lookup("auth"))
-	cobra.CheckErr(err)
-	err = viper.BindPFlag("client_id", cmd.Flags().Lookup("client-id"))
-	cobra.CheckErr(err)
-	err = viper.BindPFlag("client_secret", cmd.Flags().Lookup("client-secret"))
-	cobra.CheckErr(err)
-	err = viper.BindPFlag("username", cmd.Flags().Lookup("username"))
-	cobra.CheckErr(err)
-	err = viper.BindPFlag("password", cmd.Flags().Lookup("password"))
-	cobra.CheckErr(err)
-	err = viper.BindPFlag("token_url", cmd.Flags().Lookup("token-url"))
-	cobra.CheckErr(err)
+	cmd.Flags().BoolP(
+		"insecure", "i", false, "Allow insecure connections (e.g. do not verify TLS certs)",
+	)
+	cmd.Flags().StringArrayP(
+		"ca-cert", "E", nil, "path to a CA cert that will be used in addition to system certs; may be specified multiple times",
+	)
+
+	cmd.Flags().VisitAll(func(flag *pflag.Flag) {
+		cfgName := strings.ReplaceAll(flag.Name, "-", "_")
+		err := viper.BindPFlag(cfgName, flag)
+		cobra.CheckErr(err)
+	})
 
 	return cmd
 }
@@ -109,6 +110,9 @@ func checkSubmitArgs() error {
 		return errors.New("no media type supplied")
 	}
 
+	isInsecure = viper.GetBool("insecure")
+	certPaths = viper.GetStringSlice("ca_cert")
+
 	return nil
 }
 
@@ -119,6 +123,9 @@ func provisionData(data []byte, submitter ISubmitter, uri string, mediaType stri
 		return fmt.Errorf("unable to set submit URI: %w", err)
 	}
 
+	submitter.SetIsInsecure(isInsecure)
+	submitter.SetCerts(certPaths)
+
 	submitter.SetDeleteSession(true)
 	if err := submitter.Run(data, mediaType); err != nil {
 		return fmt.Errorf("run failed: %w", err)

cocli/cmd/corimSubmit_test.go

@@ -1,3 +1,6 @@
+// Copyright 2021-2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
 package cmd
 
 import (
@@ -133,6 +136,8 @@ func Test_CorimSubmitCmd_submit_ok(t *testing.T) {
 	require.NoError(t, err)
 	ms.EXPECT().SetAuth(gomock.Any())
 	ms.EXPECT().SetSubmitURI("http://veraison.example/endorsement-provisioning/v1/submit").Return(nil)
+	ms.EXPECT().SetIsInsecure(false)
+	ms.EXPECT().SetCerts([]string{})
 	ms.EXPECT().SetDeleteSession(true)
 	ms.EXPECT().Run(testSignedCorimValid, "application/corim-unsigned+cbor; profile=http://arm.com/psa/iot/1").Return(nil)
 	err = cmd.Execute()
@@ -158,6 +163,8 @@ func Test_CorimSubmitCmd_submit_not_ok(t *testing.T) {
 	require.NoError(t, err)
 	ms.EXPECT().SetAuth(gomock.Any())
 	ms.EXPECT().SetSubmitURI("http://veraison.example/endorsement-provisioning/v1/submit").Return(nil)
+	ms.EXPECT().SetIsInsecure(false)
+	ms.EXPECT().SetCerts([]string{})
 	ms.EXPECT().SetDeleteSession(true)
 	err = errors.New(`unexpected HTTP response code 404`)
 

cocli/cmd/isubmitter.go

@@ -1,3 +1,6 @@
+// Copyright 2021-2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
 package cmd
 
 import (
@@ -11,4 +14,6 @@ type ISubmitter interface {
 	SetAuth(a auth.IAuthenticator)
 	SetSubmitURI(uri string) error
 	SetDeleteSession(session bool)
+	SetIsInsecure(v bool)
+	SetCerts(paths []string)
 }

go.mod

@@ -10,9 +10,10 @@ require (
 	github.com/spf13/afero v1.9.2
 	github.com/spf13/cast v1.4.1
 	github.com/spf13/cobra v1.2.1
+	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.9.0
 	github.com/stretchr/testify v1.8.2
-	github.com/veraison/apiclient v0.2.0
+	github.com/veraison/apiclient v0.2.1-0.20240531100343-8a3a730a1e94
 	github.com/veraison/eat v0.0.0-20210331113810-3da8a4dd42ff
 	github.com/veraison/go-cose v1.1.1-0.20230825153510-da0f9a62ade7
 	github.com/veraison/swid v1.1.1-0.20230911094910-8ffdd07a22ca
@@ -37,7 +38,6 @@ require (
 	github.com/pelletier/go-toml v1.9.4 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/subosito/gotenv v1.2.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	golang.org/x/crypto v0.12.0 // indirect

go.sum

@@ -323,6 +323,8 @@ github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/veraison/apiclient v0.2.0 h1:QELvZ+eEfzh9v0ORe9B2UTMpiA7aONHpZIfwSfcRR6s=
 github.com/veraison/apiclient v0.2.0/go.mod h1:LCXFZ3D/tJ3HLAOHUg8bnAKGvgTl53e1ntwdwjVbQ5A=
+github.com/veraison/apiclient v0.2.1-0.20240531100343-8a3a730a1e94 h1:0d7vTs3K9Y4bskTtI3pvkFE0HiSHc4vWA3M6Fc0lWRM=
+github.com/veraison/apiclient v0.2.1-0.20240531100343-8a3a730a1e94/go.mod h1:LCXFZ3D/tJ3HLAOHUg8bnAKGvgTl53e1ntwdwjVbQ5A=
 github.com/veraison/eat v0.0.0-20210331113810-3da8a4dd42ff h1:r6I2eJL/z8dp5flsQIKHMeDjyV6UO8If3MaVBLvTjF4=
 github.com/veraison/eat v0.0.0-20210331113810-3da8a4dd42ff/go.mod h1:+kxt8iuFiVvKRs2VQ1Ho7bbAScXAB/kHFFuP5Biw19I=
 github.com/veraison/go-cose v1.1.1-0.20230825153510-da0f9a62ade7 h1:KcKzBthSrSZIUEWBjVvkuk/DE3PyYFbXZxhx5byGFtc=