copilot review feedback

Author: bigbrett

docs/draft/wrapped-certs.md

@@ -4,7 +4,7 @@
 
 This documents the "wrapped certificate" use case, showing how to leverage the
 certificate manager to use trusted root certificates that live in the server's
-**keystore cache** (RAM) after being unwrapped via keywrap funcitonality,
+**keystore cache** (RAM) after being unwrapped via keywrap functionality,
 rather than exclusively in **NVM** (flash). A root certificate is wrapped
 (AES-GCM encrypted) by the server, handed back to the client as an opaque blob,
 and later unwrapped into the server's key cache on demand. Once cached, it can
@@ -196,7 +196,7 @@ updated with the same pattern:
 
 1. **Translate the client ID**: If the incoming `req.id` (or
    `req.trustedRootNvmId`) has `WH_KEYID_CLIENT_WRAPPED_FLAG` set, call
-   `wh_KeyId_TranslateFromClient(WH_KEYTYPE_NVM, server->comm->client_id, req.id)`
+   `wh_KeyId_TranslateFromClient(WH_KEYTYPE_WRAPPED, server->comm->client_id, req.id)`
    to produce a full server-internal key ID with `TYPE=WH_KEYTYPE_WRAPPED`,
    `USER=client_id`, and the bare key `ID` in the low byte.
 

src/wh_client_cert.c

@@ -1035,7 +1035,8 @@ int wh_Client_CertUnwrapAndExportResponse(whClientContext*   ctx,
                                           uint8_t*           certOut,
                                           uint16_t*          inout_certSz)
 {
-    if ((ctx == NULL) || (certOut == NULL) || (inout_certSz == NULL)) {
+    if ((ctx == NULL) || (metadataOut == NULL) || (certOut == NULL) ||
+        (inout_certSz == NULL)) {
         return WH_ERROR_BADARGS;
     }
 
@@ -1051,7 +1052,7 @@ int wh_Client_CertUnwrapAndExport(
     int rc;
 
     if ((ctx == NULL) || (wrappedCert == NULL) || (wrappedCertSz == 0) ||
-        (certOut == NULL) || (inout_certSz == NULL)) {
+        (metadataOut == NULL) || (certOut == NULL) || (inout_certSz == NULL)) {
         return WH_ERROR_BADARGS;
     }
 

src/wh_server_cert.c

@@ -245,6 +245,12 @@ int wh_Server_CertReadTrusted(whServerContext* server, whKeyId id,
         if (rc == WH_ERROR_OK) {
             *inout_cert_len = sz;
         }
+        else if (rc == WH_ERROR_NOSPACE) {
+            /* Map keystore error to cert API's documented error and report the
+             * required size so the caller can retry with a larger buffer */
+            *inout_cert_len = meta.len;
+            rc              = WH_ERROR_BUFFER_SIZE;
+        }
         return rc;
     }
 
@@ -256,11 +262,11 @@ int wh_Server_CertReadTrusted(whServerContext* server, whKeyId id,
 
     /* Check if the provided buffer is large enough */
     if (meta.len > *inout_cert_len) {
+        *inout_cert_len = meta.len;
         return WH_ERROR_BUFFER_SIZE;
     }
 
-    /* Clamp the input length to the actual length of the certificate. This will
-     * be reflected back to the user on length mismatch failure */
+    /* Clamp the input length to the actual length of the certificate */
     *inout_cert_len = meta.len;
 
     return wh_Nvm_Read(server->nvm, id, 0, meta.len, cert);