TLS based user auth implementation
Implemented TLS based user auth. It utilizes certificates stored by
Phosphor Certificate Manager in storage mode, to verify that user
that tries to log in, has a certificate signed by a trusted CA.
More about this can be read in redfish-tls-user-authentication.md design
document.
Tested that it does not break current authentication methods, when not
using TLS Auth - user should not see difference between versions. TLS Auth
itself allows user in when certificate is signed by trusted CA and valid, and
stops working immediatley after it is removed. User is not let in when provided
certificate is not between notBefore and notAfter dates. Session is tested to
not be created when user does not exist in the system (courtesy of earlier
UserManagement usage commits).
Signed-off-by: Kowalski, Kamil <kamil.kowalski@intel.com>
Change-Id: I6bcaff018fe3105f77d3c10f69765e0011af8dab
Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index d634d63..2bd1f59 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -16,6 +16,7 @@
namespace ensuressl
{
+constexpr char const *trustStorePath = "/etc/ssl/certs/authority";
static void initOpenssl();
static EVP_PKEY *createEcKey();
@@ -312,7 +313,11 @@
boost::asio::ssl::context::no_tlsv1 |
boost::asio::ssl::context::no_tlsv1_1);
- // m_ssl_context.set_verify_mode(boost::asio::ssl::verify_peer);
+ mSslContext->set_verify_mode(boost::asio::ssl::verify_peer);
+
+ BMCWEB_LOG_DEBUG << "Using default TrustStore location: " << trustStorePath;
+ mSslContext->add_verify_path(trustStorePath);
+
mSslContext->use_certificate_file(ssl_pem_file,
boost::asio::ssl::context::pem);
mSslContext->use_private_key_file(ssl_pem_file,