Use CBOR wrappers in COSE auth (#7574)

maxtropets · web-flow · commit db100b5dff4c · 2026-01-16T13:17:19.000Z
diff --git a/src/crypto/cbor.cpp b/src/crypto/cbor.cpp
@@ -34,7 +34,8 @@ namespace
     Signed value{0};
     if (!cbor_nondet_read_int64(cbor, &value))
     {
-      throw CBORDecodeError("Failed to decode signed value");
+      throw CBORDecodeError(
+        Error::DECODE_FAILED, "Failed to decode signed value");
     }
     return std::make_unique<ValueImpl>(value);
   }
@@ -45,7 +46,8 @@ namespace
     uint64_t length = 0;
     if (!cbor_nondet_get_byte_string(cbor, &data, &length))
     {
-      throw CBORDecodeError("Failed to decode byte string");
+      throw CBORDecodeError(
+        Error::DECODE_FAILED, "Failed to decode byte string");
     }
     Bytes value{data, static_cast<size_t>(length)};
     return std::make_unique<ValueImpl>(value);
@@ -57,7 +59,8 @@ namespace
     uint64_t length = 0;
     if (!cbor_nondet_get_text_string(cbor, &data, &length))
     {
-      throw CBORDecodeError("Failed to decode text string");
+      throw CBORDecodeError(
+        Error::DECODE_FAILED, "Failed to decode text string");
     }
     String value{
       reinterpret_cast<const char*>(data), static_cast<size_t>(length)};
@@ -69,7 +72,8 @@ namespace
     cbor_nondet_array_iterator_t iter;
     if (!cbor_nondet_array_iterator_start(cbor, &iter))
     {
-      throw CBORDecodeError("Failed to start array iterator");
+      throw CBORDecodeError(
+        Error::DECODE_FAILED, "Failed to start array iterator");
     }
 
     Array array;
@@ -78,7 +82,8 @@ namespace
       cbor_nondet_t item;
       if (!cbor_nondet_array_iterator_next(&iter, &item))
       {
-        throw CBORDecodeError("Failed to get next array item");
+        throw CBORDecodeError(
+          Error::DECODE_FAILED, "Failed to get next array item");
       }
       array.items.push_back(consume(item));
     }
@@ -90,7 +95,8 @@ namespace
     cbor_map_iterator iter;
     if (!cbor_nondet_map_iterator_start(cbor, &iter))
     {
-      throw CBORDecodeError("Failed to start map iterator");
+      throw CBORDecodeError(
+        Error::DECODE_FAILED, "Failed to start map iterator");
     }
 
     Map map;
@@ -100,7 +106,8 @@ namespace
       cbor_raw value_raw;
       if (!cbor_nondet_map_iterator_next(&iter, &key_raw, &value_raw))
       {
-        throw CBORDecodeError("Failed to get next map entry");
+        throw CBORDecodeError(
+          Error::DECODE_FAILED, "Failed to get next map entry");
       }
       map.items.emplace_back(consume(key_raw), consume(value_raw));
     }
@@ -113,7 +120,8 @@ namespace
     cbor_nondet_t payload;
     if (!cbor_nondet_get_tagged(cbor, &payload, &tag))
     {
-      throw CBORDecodeError("Failed to decode tagged value");
+      throw CBORDecodeError(
+        Error::DECODE_FAILED, "Failed to decode tagged value");
     }
 
     Tagged tagged;
@@ -130,7 +138,8 @@ namespace
     Simple value{0};
     if (!cbor_nondet_read_simple_value(cbor, &value))
     {
-      throw CBORDecodeError("Failed to decode simple value");
+      throw CBORDecodeError(
+        Error::DECODE_FAILED, "Failed to decode simple value");
     }
     return std::make_unique<ValueImpl>(value);
   }
@@ -156,7 +165,7 @@ namespace
       case CBOR_MAJOR_TYPE_SIMPLE_VALUE:
         return consume_simple(cbor);
       default:
-        throw CBORDecodeError("Unknown CBOR major type");
+        throw CBORDecodeError(Error::DECODE_FAILED, "Unknown CBOR major type");
     }
   }
 
@@ -256,6 +265,16 @@ namespace
 
 namespace ccf::cbor
 {
+  CBORDecodeError::CBORDecodeError(Error err, const std::string& what) :
+    std::runtime_error(what),
+    error(err)
+  {}
+
+  Error CBORDecodeError::error_code() const
+  {
+    return error;
+  }
+
   Value make_signed(int64_t value)
   {
     return std::make_unique<ValueImpl>(value);
@@ -285,7 +304,8 @@ namespace ccf::cbor
           &cbor_parse_size,
           &cbor))
     {
-      throw CBORDecodeError("Failed to parse top-level cbor");
+      throw CBORDecodeError(
+        Error::DECODE_FAILED, "Failed to parse top-level cbor");
     }
 
     return consume(cbor);
@@ -313,21 +333,22 @@ namespace ccf::cbor
       case SimpleValue::True:
         return true;
       default:
-        throw CBORDecodeError("Simple value cannot be matched to boolean");
+        throw CBORDecodeError(
+          Error::TYPE_MISMATCH, "Simple value cannot be matched to boolean");
     }
   }
 
   const Value& ValueImpl::array_at(size_t index) const
   {
     if (!std::holds_alternative<Array>(value))
     {
-      throw CBORDecodeError("Not an array");
+      throw CBORDecodeError(Error::TYPE_MISMATCH, "Not an array");
     }
 
     const auto& arr = std::get<Array>(value);
     if (index >= arr.items.size())
     {
-      throw CBORDecodeError("Array index out of bounds");
+      throw CBORDecodeError(Error::OUT_OF_BOUND, "Array index out of bounds");
     }
 
     return arr.items[index];
@@ -337,7 +358,7 @@ namespace ccf::cbor
   {
     if (!std::holds_alternative<Map>(value))
     {
-      throw CBORDecodeError("Not a map");
+      throw CBORDecodeError(Error::TYPE_MISMATCH, "Not a map");
     }
 
     // Fail fast: Array, Map, Tagged are not supported as map keys in this
@@ -350,6 +371,7 @@ namespace ccf::cbor
           std::is_same_v<T, Tagged>)
         {
           throw CBORDecodeError(
+            Error::TYPE_MISMATCH,
             "Array, Map, and Tagged values cannot be used as map keys");
         }
       },
@@ -390,7 +412,7 @@ namespace ccf::cbor
       }
     }
 
-    throw CBORDecodeError("Key not found in map");
+    throw CBORDecodeError(Error::KEY_NOT_FOUND, "Key not found in map");
   }
 
   size_t ValueImpl::size() const
@@ -405,20 +427,20 @@ namespace ccf::cbor
       const auto& map = std::get<Map>(value);
       return map.items.size();
     }
-    throw CBORDecodeError("Not a collection");
+    throw CBORDecodeError(Error::TYPE_MISMATCH, "Not a collection");
   }
 
   const Value& ValueImpl::tag_at(uint64_t tag) const
   {
     if (!std::holds_alternative<Tagged>(value))
     {
-      throw CBORDecodeError("Not a tagged value");
+      throw CBORDecodeError(Error::TYPE_MISMATCH, "Not a tagged value");
     }
 
     const auto& tagged = std::get<Tagged>(value);
     if (tagged.tag != tag)
     {
-      throw CBORDecodeError("Tag does not match");
+      throw CBORDecodeError(Error::KEY_NOT_FOUND, "Tag does not match");
     }
 
     return tagged.item;
@@ -428,7 +450,7 @@ namespace ccf::cbor
   {
     if (!std::holds_alternative<Signed>(value))
     {
-      throw CBORDecodeError("Not a signed value");
+      throw CBORDecodeError(Error::TYPE_MISMATCH, "Not a signed value");
     }
     return std::get<Signed>(value);
   }
@@ -437,7 +459,7 @@ namespace ccf::cbor
   {
     if (!std::holds_alternative<Bytes>(value))
     {
-      throw CBORDecodeError("Not a bytes value");
+      throw CBORDecodeError(Error::TYPE_MISMATCH, "Not a bytes value");
     }
     return std::get<Bytes>(value);
   }
@@ -446,7 +468,7 @@ namespace ccf::cbor
   {
     if (!std::holds_alternative<String>(value))
     {
-      throw CBORDecodeError("Not a string value");
+      throw CBORDecodeError(Error::TYPE_MISMATCH, "Not a string value");
     }
     return std::get<String>(value);
   }
@@ -455,7 +477,7 @@ namespace ccf::cbor
   {
     if (!std::holds_alternative<Simple>(value))
     {
-      throw CBORDecodeError("Not a simple value");
+      throw CBORDecodeError(Error::TYPE_MISMATCH, "Not a simple value");
     }
     return std::get<Simple>(value);
   }
diff --git a/src/crypto/cbor.h b/src/crypto/cbor.h
@@ -53,7 +53,24 @@ namespace ccf::cbor
 
   using Type = std::variant<Signed, Bytes, String, Array, Map, Tagged, Simple>;
 
-  using CBORDecodeError = std::runtime_error;
+  enum class Error : uint8_t
+  {
+    UNDEFINED = 0,
+    DECODE_FAILED = 1,
+    KEY_NOT_FOUND = 2,
+    OUT_OF_BOUND = 3,
+    TYPE_MISMATCH = 4,
+  };
+
+  class CBORDecodeError : public std::runtime_error
+  {
+  public:
+    explicit CBORDecodeError(Error err, const std::string& what);
+    [[nodiscard]] Error error_code() const;
+
+  private:
+    Error error{Error::UNDEFINED};
+  };
 
   struct ValueImpl
   {
@@ -88,7 +105,8 @@ namespace ccf::cbor
     {
       if (!msg.empty())
       {
-        throw CBORDecodeError(fmt::format("{}: {}", msg, err.what()));
+        throw CBORDecodeError(
+          err.error_code(), fmt::format("{}: {}", msg, err.what()));
       }
       throw err;
     }
diff --git a/src/endpoints/authentication/cose_auth.cpp b/src/endpoints/authentication/cose_auth.cpp

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,8 @@ namespace`
`34`	`34`	`Signed value{0};`
`35`	`35`	`if (!cbor_nondet_read_int64(cbor, &value))`
`36`	`36`	`{`
`37`		`- throw CBORDecodeError("Failed to decode signed value");`
	`37`	`+ throw CBORDecodeError(`
	`38`	`+ Error::DECODE_FAILED, "Failed to decode signed value");`
`38`	`39`	`}`
`39`	`40`	`return std::make_unique<ValueImpl>(value);`
`40`	`41`	`}`
`@@ -45,7 +46,8 @@ namespace`
`45`	`46`	`uint64_t length = 0;`
`46`	`47`	`if (!cbor_nondet_get_byte_string(cbor, &data, &length))`
`47`	`48`	`{`
`48`		`- throw CBORDecodeError("Failed to decode byte string");`
	`49`	`+ throw CBORDecodeError(`
	`50`	`+ Error::DECODE_FAILED, "Failed to decode byte string");`
`49`	`51`	`}`
`50`	`52`	`Bytes value{data, static_cast<size_t>(length)};`
`51`	`53`	`return std::make_unique<ValueImpl>(value);`
`@@ -57,7 +59,8 @@ namespace`
`57`	`59`	`uint64_t length = 0;`
`58`	`60`	`if (!cbor_nondet_get_text_string(cbor, &data, &length))`
`59`	`61`	`{`
`60`		`- throw CBORDecodeError("Failed to decode text string");`
	`62`	`+ throw CBORDecodeError(`
	`63`	`+ Error::DECODE_FAILED, "Failed to decode text string");`
`61`	`64`	`}`
`62`	`65`	`String value{`
`63`	`66`	`reinterpret_cast<const char*>(data), static_cast<size_t>(length)};`
`@@ -69,7 +72,8 @@ namespace`
`69`	`72`	`cbor_nondet_array_iterator_t iter;`
`70`	`73`	`if (!cbor_nondet_array_iterator_start(cbor, &iter))`
`71`	`74`	`{`
`72`		`- throw CBORDecodeError("Failed to start array iterator");`
	`75`	`+ throw CBORDecodeError(`
	`76`	`+ Error::DECODE_FAILED, "Failed to start array iterator");`
`73`	`77`	`}`
`74`	`78`
`75`	`79`	`Array array;`
`@@ -78,7 +82,8 @@ namespace`
`78`	`82`	`cbor_nondet_t item;`
`79`	`83`	`if (!cbor_nondet_array_iterator_next(&iter, &item))`
`80`	`84`	`{`
`81`		`- throw CBORDecodeError("Failed to get next array item");`
	`85`	`+ throw CBORDecodeError(`
	`86`	`+ Error::DECODE_FAILED, "Failed to get next array item");`
`82`	`87`	`}`
`83`	`88`	`array.items.push_back(consume(item));`
`84`	`89`	`}`
`@@ -90,7 +95,8 @@ namespace`
`90`	`95`	`cbor_map_iterator iter;`
`91`	`96`	`if (!cbor_nondet_map_iterator_start(cbor, &iter))`
`92`	`97`	`{`
`93`		`- throw CBORDecodeError("Failed to start map iterator");`
	`98`	`+ throw CBORDecodeError(`
	`99`	`+ Error::DECODE_FAILED, "Failed to start map iterator");`
`94`	`100`	`}`
`95`	`101`
`96`	`102`	`Map map;`
`@@ -100,7 +106,8 @@ namespace`
`100`	`106`	`cbor_raw value_raw;`
`101`	`107`	`if (!cbor_nondet_map_iterator_next(&iter, &key_raw, &value_raw))`
`102`	`108`	`{`
`103`		`- throw CBORDecodeError("Failed to get next map entry");`
	`109`	`+ throw CBORDecodeError(`
	`110`	`+ Error::DECODE_FAILED, "Failed to get next map entry");`
`104`	`111`	`}`
`105`	`112`	`map.items.emplace_back(consume(key_raw), consume(value_raw));`
`106`	`113`	`}`
`@@ -113,7 +120,8 @@ namespace`
`113`	`120`	`cbor_nondet_t payload;`
`114`	`121`	`if (!cbor_nondet_get_tagged(cbor, &payload, &tag))`
`115`	`122`	`{`
`116`		`- throw CBORDecodeError("Failed to decode tagged value");`
	`123`	`+ throw CBORDecodeError(`
	`124`	`+ Error::DECODE_FAILED, "Failed to decode tagged value");`
`117`	`125`	`}`
`118`	`126`
`119`	`127`	`Tagged tagged;`
`@@ -130,7 +138,8 @@ namespace`
`130`	`138`	`Simple value{0};`
`131`	`139`	`if (!cbor_nondet_read_simple_value(cbor, &value))`
`132`	`140`	`{`
`133`		`- throw CBORDecodeError("Failed to decode simple value");`
	`141`	`+ throw CBORDecodeError(`
	`142`	`+ Error::DECODE_FAILED, "Failed to decode simple value");`
`134`	`143`	`}`
`135`	`144`	`return std::make_unique<ValueImpl>(value);`
`136`	`145`	`}`
`@@ -156,7 +165,7 @@ namespace`
`156`	`165`	`case CBOR_MAJOR_TYPE_SIMPLE_VALUE:`
`157`	`166`	`return consume_simple(cbor);`
`158`	`167`	`default:`
`159`		`- throw CBORDecodeError("Unknown CBOR major type");`
	`168`	`+ throw CBORDecodeError(Error::DECODE_FAILED, "Unknown CBOR major type");`
`160`	`169`	`}`
`161`	`170`	`}`
`162`	`171`
`@@ -256,6 +265,16 @@ namespace`
`256`	`265`
`257`	`266`	`namespace ccf::cbor`
`258`	`267`	`{`
	`268`	`+ CBORDecodeError::CBORDecodeError(Error err, const std::string& what) :`
	`269`	`+ std::runtime_error(what),`
	`270`	`+ error(err)`
	`271`	`+ {}`
	`272`	`+`
	`273`	`+ Error CBORDecodeError::error_code() const`
	`274`	`+ {`
	`275`	`+ return error;`
	`276`	`+ }`
	`277`	`+`
`259`	`278`	`Value make_signed(int64_t value)`
`260`	`279`	`{`
`261`	`280`	`return std::make_unique<ValueImpl>(value);`
`@@ -285,7 +304,8 @@ namespace ccf::cbor`
`285`	`304`	`&cbor_parse_size,`
`286`	`305`	`&cbor))`
`287`	`306`	`{`
`288`		`- throw CBORDecodeError("Failed to parse top-level cbor");`
	`307`	`+ throw CBORDecodeError(`
	`308`	`+ Error::DECODE_FAILED, "Failed to parse top-level cbor");`
`289`	`309`	`}`
`290`	`310`
`291`	`311`	`return consume(cbor);`
`@@ -313,21 +333,22 @@ namespace ccf::cbor`
`313`	`333`	`case SimpleValue::True:`
`314`	`334`	`return true;`
`315`	`335`	`default:`
`316`		`- throw CBORDecodeError("Simple value cannot be matched to boolean");`
	`336`	`+ throw CBORDecodeError(`
	`337`	`+ Error::TYPE_MISMATCH, "Simple value cannot be matched to boolean");`
`317`	`338`	`}`
`318`	`339`	`}`
`319`	`340`
`320`	`341`	`const Value& ValueImpl::array_at(size_t index) const`
`321`	`342`	`{`
`322`	`343`	`if (!std::holds_alternative<Array>(value))`
`323`	`344`	`{`
`324`		`- throw CBORDecodeError("Not an array");`
	`345`	`+ throw CBORDecodeError(Error::TYPE_MISMATCH, "Not an array");`
`325`	`346`	`}`
`326`	`347`
`327`	`348`	`const auto& arr = std::get<Array>(value);`
`328`	`349`	`if (index >= arr.items.size())`
`329`	`350`	`{`
`330`		`- throw CBORDecodeError("Array index out of bounds");`
	`351`	`+ throw CBORDecodeError(Error::OUT_OF_BOUND, "Array index out of bounds");`
`331`	`352`	`}`
`332`	`353`
`333`	`354`	`return arr.items[index];`
`@@ -337,7 +358,7 @@ namespace ccf::cbor`
`337`	`358`	`{`
`338`	`359`	`if (!std::holds_alternative<Map>(value))`
`339`	`360`	`{`
`340`		`- throw CBORDecodeError("Not a map");`
	`361`	`+ throw CBORDecodeError(Error::TYPE_MISMATCH, "Not a map");`
`341`	`362`	`}`
`342`	`363`
`343`	`364`	`// Fail fast: Array, Map, Tagged are not supported as map keys in this`
`@@ -350,6 +371,7 @@ namespace ccf::cbor`
`350`	`371`	`std::is_same_v<T, Tagged>)`
`351`	`372`	`{`
`352`	`373`	`throw CBORDecodeError(`
	`374`	`+ Error::TYPE_MISMATCH,`
`353`	`375`	`"Array, Map, and Tagged values cannot be used as map keys");`
`354`	`376`	`}`
`355`	`377`	`},`
`@@ -390,7 +412,7 @@ namespace ccf::cbor`
`390`	`412`	`}`
`391`	`413`	`}`
`392`	`414`
`393`		`- throw CBORDecodeError("Key not found in map");`
	`415`	`+ throw CBORDecodeError(Error::KEY_NOT_FOUND, "Key not found in map");`
`394`	`416`	`}`
`395`	`417`
`396`	`418`	`size_t ValueImpl::size() const`
`@@ -405,20 +427,20 @@ namespace ccf::cbor`
`405`	`427`	`const auto& map = std::get<Map>(value);`
`406`	`428`	`return map.items.size();`
`407`	`429`	`}`
`408`		`- throw CBORDecodeError("Not a collection");`
	`430`	`+ throw CBORDecodeError(Error::TYPE_MISMATCH, "Not a collection");`
`409`	`431`	`}`
`410`	`432`
`411`	`433`	`const Value& ValueImpl::tag_at(uint64_t tag) const`
`412`	`434`	`{`
`413`	`435`	`if (!std::holds_alternative<Tagged>(value))`
`414`	`436`	`{`
`415`		`- throw CBORDecodeError("Not a tagged value");`
	`437`	`+ throw CBORDecodeError(Error::TYPE_MISMATCH, "Not a tagged value");`
`416`	`438`	`}`
`417`	`439`
`418`	`440`	`const auto& tagged = std::get<Tagged>(value);`
`419`	`441`	`if (tagged.tag != tag)`
`420`	`442`	`{`
`421`		`- throw CBORDecodeError("Tag does not match");`
	`443`	`+ throw CBORDecodeError(Error::KEY_NOT_FOUND, "Tag does not match");`
`422`	`444`	`}`
`423`	`445`
`424`	`446`	`return tagged.item;`
`@@ -428,7 +450,7 @@ namespace ccf::cbor`
`428`	`450`	`{`
`429`	`451`	`if (!std::holds_alternative<Signed>(value))`
`430`	`452`	`{`
`431`		`- throw CBORDecodeError("Not a signed value");`
	`453`	`+ throw CBORDecodeError(Error::TYPE_MISMATCH, "Not a signed value");`
`432`	`454`	`}`
`433`	`455`	`return std::get<Signed>(value);`
`434`	`456`	`}`
`@@ -437,7 +459,7 @@ namespace ccf::cbor`
`437`	`459`	`{`
`438`	`460`	`if (!std::holds_alternative<Bytes>(value))`
`439`	`461`	`{`
`440`		`- throw CBORDecodeError("Not a bytes value");`
	`462`	`+ throw CBORDecodeError(Error::TYPE_MISMATCH, "Not a bytes value");`
`441`	`463`	`}`
`442`	`464`	`return std::get<Bytes>(value);`
`443`	`465`	`}`
`@@ -446,7 +468,7 @@ namespace ccf::cbor`
`446`	`468`	`{`
`447`	`469`	`if (!std::holds_alternative<String>(value))`
`448`	`470`	`{`
`449`		`- throw CBORDecodeError("Not a string value");`
	`471`	`+ throw CBORDecodeError(Error::TYPE_MISMATCH, "Not a string value");`
`450`	`472`	`}`
`451`	`473`	`return std::get<String>(value);`
`452`	`474`	`}`
`@@ -455,7 +477,7 @@ namespace ccf::cbor`
`455`	`477`	`{`
`456`	`478`	`if (!std::holds_alternative<Simple>(value))`
`457`	`479`	`{`
`458`		`- throw CBORDecodeError("Not a simple value");`
	`480`	`+ throw CBORDecodeError(Error::TYPE_MISMATCH, "Not a simple value");`
`459`	`481`	`}`
`460`	`482`	`return std::get<Simple>(value);`
`461`	`483`	`}`