http/mutual_tls.cpp - openbmc/bmcweb - Gitiles

 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: Copyright OpenBMC Authors
 #include "mutual_tls.hpp"

 #include "bmcweb_config.h"

 #include "identity.hpp"
 #include "mutual_tls_private.hpp"
 #include "sessions.hpp"

 #include <bit>
 #include <cstddef>
 #include <cstdint>
 #include <optional>
 #include <string>

 extern "C"
 {
 #include <openssl/asn1.h>
 #include <openssl/obj_mac.h>
 #include <openssl/objects.h>
 #include <openssl/types.h>
 #include <openssl/x509.h>
 #include <openssl/x509_vfy.h>
 #include <openssl/x509v3.h>
 }

 #include "logging.hpp"
 #include "mutual_tls_meta.hpp"

 #include <boost/asio/ip/address.hpp>
 #include <boost/asio/ssl/verify_context.hpp>

 #include <memory>
 #include <string_view>

 std::string getCommonNameFromCert(X509* cert)
 {
     std::string commonName;
     // Extract username contained in CommonName
     commonName.resize(256, '\0');
     int length = X509_NAME_get_text_by_NID(
         X509_get_subject_name(cert), NID_commonName, commonName.data(),
         static_cast<int>(commonName.size()));
     if (length <= 0)
     {
         BMCWEB_LOG_DEBUG("TLS cannot get common name to create session");
         return "";
     }
     commonName.resize(static_cast<size_t>(length));
     return commonName;
 }

 bool isUPNMatch(std::string_view upn, std::string_view hostname)
 {
     // UPN format: <username>@<domain> (e.g. user@domain.com)
     // https://learn.microsoft.com/en-us/windows/win32/ad/naming-properties#userprincipalname
     size_t upnDomainPos = upn.find('@');
     if (upnDomainPos == std::string_view::npos)
     {
         return false;
     }

     // The hostname should match the domain part of the UPN
     std::string_view upnDomain = upn.substr(upnDomainPos + 1);
     while (true)
     {
         std::string_view upnDomainMatching = upnDomain;
         size_t dotUPNPos = upnDomain.find_last_of('.');
         if (dotUPNPos != std::string_view::npos)
         {
             upnDomainMatching = upnDomain.substr(dotUPNPos + 1);
         }

         std::string_view hostDomainMatching = hostname;
         size_t dotHostPos = hostname.find_last_of('.');
         if (dotHostPos != std::string_view::npos)
         {
             hostDomainMatching = hostname.substr(dotHostPos + 1);
         }

         if (upnDomainMatching != hostDomainMatching)
         {
             return false;
         }

         if (dotUPNPos == std::string_view::npos)
         {
             return true;
         }

         upnDomain = upnDomain.substr(0, dotUPNPos);
         hostname = hostname.substr(0, dotHostPos);
     }
 }

 std::string getUPNFromCert(X509* peerCert, std::string_view hostname)
 {
     GENERAL_NAMES* gs = static_cast<GENERAL_NAMES*>(
         X509_get_ext_d2i(peerCert, NID_subject_alt_name, nullptr, nullptr));
     if (gs == nullptr)
     {
         return "";
     }

     std::string ret;
     for (int i = 0; i < sk_GENERAL_NAME_num(gs); i++)
     {
         GENERAL_NAME* g = sk_GENERAL_NAME_value(gs, i);
         if (g->type != GEN_OTHERNAME)
         {
             continue;
         }

         // NOLINTBEGIN(cppcoreguidelines-pro-type-union-access)
         int nid = OBJ_obj2nid(g->d.otherName->type_id);
         if (nid != NID_ms_upn)
         {
             continue;
         }

         int type = g->d.otherName->value->type;
         if (type != V_ASN1_UTF8STRING)
         {
             continue;
         }

         char* upnChar =
             std::bit_cast<char*>(g->d.otherName->value->value.utf8string->data);
         unsigned int upnLen = static_cast<unsigned int>(
             g->d.otherName->value->value.utf8string->length);
         // NOLINTEND(cppcoreguidelines-pro-type-union-access)

         std::string upn = std::string(upnChar, upnLen);
         if (!isUPNMatch(upn, hostname))
         {
             continue;
         }

         size_t upnDomainPos = upn.find('@');
         ret = upn.substr(0, upnDomainPos);
         break;
     }
     GENERAL_NAMES_free(gs);
     return ret;
 }

 std::string getMetaUserNameFromCert(X509* cert)
 {
     // Meta Inc. CommonName parsing
     std::optional<std::string_view> sslUserMeta =
         mtlsMetaParseSslUser(getCommonNameFromCert(cert));
     if (!sslUserMeta)
     {
         return "";
     }
     return std::string{*sslUserMeta};
 }

 std::string getUsernameFromCert(X509* cert)
 {
     const persistent_data::AuthConfigMethods& authMethodsConfig =
         persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
     switch (authMethodsConfig.mTLSCommonNameParsingMode)
     {
         case persistent_data::MTLSCommonNameParseMode::Invalid:
         case persistent_data::MTLSCommonNameParseMode::Whole:
         {
             // Not yet supported
             return "";
         }
         case persistent_data::MTLSCommonNameParseMode::UserPrincipalName:
         {
             std::string hostname = getHostName();
             if (hostname.empty())
             {
                 BMCWEB_LOG_WARNING("Failed to get hostname");
                 return "";
             }
             return getUPNFromCert(cert, hostname);
         }
         case persistent_data::MTLSCommonNameParseMode::CommonName:
         {
             return getCommonNameFromCert(cert);
         }
         case persistent_data::MTLSCommonNameParseMode::Meta:
         {
             if constexpr (BMCWEB_META_TLS_COMMON_NAME_PARSING)
             {
                 return getMetaUserNameFromCert(cert);
             }
         }
         default:
         {
             return "";
         }
     }
 }

 std::shared_ptr<persistent_data::UserSession> verifyMtlsUser(
     const boost::asio::ip::address& clientIp,
     boost::asio::ssl::verify_context& ctx)
 {
     // do nothing if TLS is disabled
     if (!persistent_data::SessionStore::getInstance()
              .getAuthMethodsConfig()
              .tls)
     {
         BMCWEB_LOG_DEBUG("TLS auth_config is disabled");
         return nullptr;
     }

     X509_STORE_CTX* cts = ctx.native_handle();
     if (cts == nullptr)
     {
         BMCWEB_LOG_DEBUG("Cannot get native TLS handle.");
         return nullptr;
     }

     // Get certificate
     X509* peerCert = X509_STORE_CTX_get_current_cert(ctx.native_handle());
     if (peerCert == nullptr)
     {
         BMCWEB_LOG_DEBUG("Cannot get current TLS certificate.");
         return nullptr;
     }

     // Check if certificate is OK
     int ctxError = X509_STORE_CTX_get_error(cts);
     if (ctxError != X509_V_OK)
     {
         BMCWEB_LOG_INFO("Last TLS error is: {}", ctxError);
         return nullptr;
     }

     // Check that we have reached final certificate in chain
     int32_t depth = X509_STORE_CTX_get_error_depth(cts);
     if (depth != 0)
     {
         BMCWEB_LOG_DEBUG(
             "Certificate verification in progress (depth {}), waiting to reach final depth",
             depth);
         return nullptr;
     }

     BMCWEB_LOG_DEBUG("Certificate verification of final depth");

     if (X509_check_purpose(peerCert, X509_PURPOSE_SSL_CLIENT, 0) != 1)
     {
         BMCWEB_LOG_DEBUG(
             "Chain does not allow certificate to be used for SSL client authentication");
         return nullptr;
     }

     std::string sslUser = getUsernameFromCert(peerCert);
     if (sslUser.empty())
     {
         BMCWEB_LOG_WARNING("Failed to get user from peer certificate");
         return nullptr;
     }

     std::string unsupportedClientId;
     return persistent_data::SessionStore::getInstance().generateUserSession(
         sslUser, clientIp, unsupportedClientId,
         persistent_data::SessionType::MutualTLS);
 }
	// SPDX-License-Identifier: Apache-2.0
	// SPDX-FileCopyrightText: Copyright OpenBMC Authors
	#include "mutual_tls.hpp"

	#include "bmcweb_config.h"

	#include "identity.hpp"
	#include "mutual_tls_private.hpp"
	#include "sessions.hpp"

	#include <bit>
	#include <cstddef>
	#include <cstdint>
	#include <optional>
	#include <string>

	extern "C"
	{
	#include <openssl/asn1.h>
	#include <openssl/obj_mac.h>
	#include <openssl/objects.h>
	#include <openssl/types.h>
	#include <openssl/x509.h>
	#include <openssl/x509_vfy.h>
	#include <openssl/x509v3.h>
	}

	#include "logging.hpp"
	#include "mutual_tls_meta.hpp"

	#include <boost/asio/ip/address.hpp>
	#include <boost/asio/ssl/verify_context.hpp>

	#include <memory>
	#include <string_view>

	std::string getCommonNameFromCert(X509* cert)
	{
	std::string commonName;
	// Extract username contained in CommonName
	commonName.resize(256, '\0');
	int length = X509_NAME_get_text_by_NID(
	X509_get_subject_name(cert), NID_commonName, commonName.data(),
	static_cast<int>(commonName.size()));
	if (length <= 0)
	{
	BMCWEB_LOG_DEBUG("TLS cannot get common name to create session");
	return "";
	}
	commonName.resize(static_cast<size_t>(length));
	return commonName;
	}

	bool isUPNMatch(std::string_view upn, std::string_view hostname)
	{
	// UPN format: <username>@<domain> (e.g. user@domain.com)
	// https://learn.microsoft.com/en-us/windows/win32/ad/naming-properties#userprincipalname
	size_t upnDomainPos = upn.find('@');
	if (upnDomainPos == std::string_view::npos)
	{
	return false;
	}

	// The hostname should match the domain part of the UPN
	std::string_view upnDomain = upn.substr(upnDomainPos + 1);
	while (true)
	{
	std::string_view upnDomainMatching = upnDomain;
	size_t dotUPNPos = upnDomain.find_last_of('.');
	if (dotUPNPos != std::string_view::npos)
	{
	upnDomainMatching = upnDomain.substr(dotUPNPos + 1);
	}

	std::string_view hostDomainMatching = hostname;
	size_t dotHostPos = hostname.find_last_of('.');
	if (dotHostPos != std::string_view::npos)
	{
	hostDomainMatching = hostname.substr(dotHostPos + 1);
	}

	if (upnDomainMatching != hostDomainMatching)
	{
	return false;
	}

	if (dotUPNPos == std::string_view::npos)
	{
	return true;
	}

	upnDomain = upnDomain.substr(0, dotUPNPos);
	hostname = hostname.substr(0, dotHostPos);
	}
	}

	std::string getUPNFromCert(X509* peerCert, std::string_view hostname)
	{
	GENERAL_NAMES* gs = static_cast<GENERAL_NAMES*>(
	X509_get_ext_d2i(peerCert, NID_subject_alt_name, nullptr, nullptr));
	if (gs == nullptr)
	{
	return "";
	}

	std::string ret;
	for (int i = 0; i < sk_GENERAL_NAME_num(gs); i++)
	{
	GENERAL_NAME* g = sk_GENERAL_NAME_value(gs, i);
	if (g->type != GEN_OTHERNAME)
	{
	continue;
	}

	// NOLINTBEGIN(cppcoreguidelines-pro-type-union-access)
	int nid = OBJ_obj2nid(g->d.otherName->type_id);
	if (nid != NID_ms_upn)
	{
	continue;
	}

	int type = g->d.otherName->value->type;
	if (type != V_ASN1_UTF8STRING)
	{
	continue;
	}

	char* upnChar =
	std::bit_cast<char*>(g->d.otherName->value->value.utf8string->data);
	unsigned int upnLen = static_cast<unsigned int>(
	g->d.otherName->value->value.utf8string->length);
	// NOLINTEND(cppcoreguidelines-pro-type-union-access)

	std::string upn = std::string(upnChar, upnLen);
	if (!isUPNMatch(upn, hostname))
	{
	continue;
	}

	size_t upnDomainPos = upn.find('@');
	ret = upn.substr(0, upnDomainPos);
	break;
	}
	GENERAL_NAMES_free(gs);
	return ret;
	}

	std::string getMetaUserNameFromCert(X509* cert)
	{
	// Meta Inc. CommonName parsing
	std::optional<std::string_view> sslUserMeta =
	mtlsMetaParseSslUser(getCommonNameFromCert(cert));
	if (!sslUserMeta)
	{
	return "";
	}
	return std::string{*sslUserMeta};
	}

	std::string getUsernameFromCert(X509* cert)
	{
	const persistent_data::AuthConfigMethods& authMethodsConfig =
	persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
	switch (authMethodsConfig.mTLSCommonNameParsingMode)
	{
	case persistent_data::MTLSCommonNameParseMode::Invalid:
	case persistent_data::MTLSCommonNameParseMode::Whole:
	{
	// Not yet supported
	return "";
	}
	case persistent_data::MTLSCommonNameParseMode::UserPrincipalName:
	{
	std::string hostname = getHostName();
	if (hostname.empty())
	{
	BMCWEB_LOG_WARNING("Failed to get hostname");
	return "";
	}
	return getUPNFromCert(cert, hostname);
	}
	case persistent_data::MTLSCommonNameParseMode::CommonName:
	{
	return getCommonNameFromCert(cert);
	}
	case persistent_data::MTLSCommonNameParseMode::Meta:
	{
	if constexpr (BMCWEB_META_TLS_COMMON_NAME_PARSING)
	{
	return getMetaUserNameFromCert(cert);
	}
	}
	default:
	{
	return "";
	}
	}
	}

	std::shared_ptr<persistent_data::UserSession> verifyMtlsUser(
	const boost::asio::ip::address& clientIp,
	boost::asio::ssl::verify_context& ctx)
	{
	// do nothing if TLS is disabled
	if (!persistent_data::SessionStore::getInstance()
	.getAuthMethodsConfig()
	.tls)
	{
	BMCWEB_LOG_DEBUG("TLS auth_config is disabled");
	return nullptr;
	}

	X509_STORE_CTX* cts = ctx.native_handle();
	if (cts == nullptr)
	{
	BMCWEB_LOG_DEBUG("Cannot get native TLS handle.");
	return nullptr;
	}

	// Get certificate
	X509* peerCert = X509_STORE_CTX_get_current_cert(ctx.native_handle());
	if (peerCert == nullptr)
	{
	BMCWEB_LOG_DEBUG("Cannot get current TLS certificate.");
	return nullptr;
	}

	// Check if certificate is OK
	int ctxError = X509_STORE_CTX_get_error(cts);
	if (ctxError != X509_V_OK)
	{
	BMCWEB_LOG_INFO("Last TLS error is: {}", ctxError);
	return nullptr;
	}

	// Check that we have reached final certificate in chain
	int32_t depth = X509_STORE_CTX_get_error_depth(cts);
	if (depth != 0)
	{
	BMCWEB_LOG_DEBUG(
	"Certificate verification in progress (depth {}), waiting to reach final depth",
	depth);
	return nullptr;
	}

	BMCWEB_LOG_DEBUG("Certificate verification of final depth");

	if (X509_check_purpose(peerCert, X509_PURPOSE_SSL_CLIENT, 0) != 1)
	{
	BMCWEB_LOG_DEBUG(
	"Chain does not allow certificate to be used for SSL client authentication");
	return nullptr;
	}

	std::string sslUser = getUsernameFromCert(peerCert);
	if (sslUser.empty())
	{
	BMCWEB_LOG_WARNING("Failed to get user from peer certificate");
	return nullptr;
	}

	std::string unsupportedClientId;
	return persistent_data::SessionStore::getInstance().generateUserSession(
	sslUser, clientIp, unsupportedClientId,
	persistent_data::SessionType::MutualTLS);
	}