Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / c4771fb4cecd77272a72f3265d19096c83e5e8e9 / . / include / ssl_key_handler.hpp
blob: 6e09cbe20182042b72db993a4c549ec2d7faff04 [file] [log] [blame]
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]1#pragma once
2
3#include <openssl/bio.h>
4#include <openssl/dh.h>
5#include <openssl/dsa.h>
6#include <openssl/dsa.h>
7#include <openssl/err.h>
8#include <openssl/evp.h>
9#include <openssl/pem.h>
10#include <openssl/rand.h>
11#include <openssl/rsa.h>
12#include <openssl/ssl.h>
13
Ed Tanousc4771fb2017-03-13 13:39:49 -0700[diff] [blame^]14#include <boost/asio.hpp>
15
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]16#include <g3log/g3log.hpp>
17
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]18namespace ensuressl {
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]19static void init_openssl(void);
20static void cleanup_openssl(void);
21static EVP_PKEY *create_rsa_key(void);
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]22static EVP_PKEY *create_ec_key(void);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]23static void handle_openssl_error(void);
24
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]25
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]26inline bool verify_openssl_key_cert(const std::string &filepath) {
27 bool private_key_valid = false;
28 bool cert_valid = false;
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]29
30 LOG(DEBUG) << "Checking certs in file " << filepath;
31
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]32 FILE *file = fopen(filepath.c_str(), "r");
33 if (file != NULL) {
34 EVP_PKEY *pkey = PEM_read_PrivateKey(file, NULL, NULL, NULL);
35 int rc;
36 if (pkey) {
37 int type = EVP_PKEY_type(pkey->type);
38 switch (type) {
39 case EVP_PKEY_RSA:
40 case EVP_PKEY_RSA2: {
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]41 LOG(DEBUG) << "Found an RSA key";
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]42 RSA *rsa = EVP_PKEY_get1_RSA(pkey);
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]43 if (rsa){
44 if (RSA_check_key(rsa) == 1) {
Ed Tanousc4771fb2017-03-13 13:39:49 -0700[diff] [blame^]45 //private_key_valid = true;
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]46 } else {
47 LOG(WARNING) << "Key not valid error number " << ERR_get_error();
48 }
49 RSA_free(rsa);
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]50 }
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]51 break;
52 }
53 case EVP_PKEY_EC:{
54 LOG(DEBUG) << "Found an EC key";
55 EC_KEY* ec = EVP_PKEY_get1_EC_KEY(pkey);
56 if (ec){
57 if (EC_KEY_check_key(ec) == 1) {
Ed Tanousc4771fb2017-03-13 13:39:49 -0700[diff] [blame^]58 private_key_valid = true;
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]59 } else {
60 LOG(WARNING) << "Key not valid error number " << ERR_get_error();
61 }
62 EC_KEY_free(ec);
63 }
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]64 break;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]65 }
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]66 default:
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]67 LOG(WARNING) << "Found an unrecognized key type " << type;
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]68 break;
69 }
70
71 if (private_key_valid) {
72 X509 *x509 = PEM_read_X509(file, NULL, NULL, NULL);
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]73 if (!x509){
74 LOG(DEBUG) << "error getting x509 cert " << ERR_get_error();
75 } else {
76 rc = X509_verify(x509, pkey);
77 if (rc == 1) {
78 cert_valid = true;
79 } else {
80 LOG(WARNING) << "Error in verifying private key signature " << ERR_get_error();
81 }
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]82 }
83 }
84
85 EVP_PKEY_free(pkey);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]86 }
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]87 fclose(file);
88 }
89 return cert_valid;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]90}
91
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]92inline void generate_ssl_certificate(const std::string &filepath) {
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]93 FILE *pFile = NULL;
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]94 LOG(WARNING) << "Generating new keys";
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]95 init_openssl();
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]96
Ed Tanousc4771fb2017-03-13 13:39:49 -0700[diff] [blame^]97 //LOG(WARNING) << "Generating RSA key";
98 //EVP_PKEY *pRsaPrivKey = create_rsa_key();
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]99
Ed Tanousc4771fb2017-03-13 13:39:49 -0700[diff] [blame^]100 LOG(WARNING) << "Generating EC key";
101 EVP_PKEY *pRsaPrivKey = create_ec_key();
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]102
103 LOG(WARNING) << "Generating x509 Certificate";
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]104 // Use this code to directly generate a certificate
105 X509 *x509;
106 x509 = X509_new();
107 if (x509) {
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]108
109 // Get a random number from the RNG for the certificate serial number
110 // If this is not random, regenerating certs throws broswer errors
111 std::random_device rd;
112 int serial = rd();
113
114 ASN1_INTEGER_set(X509_get_serialNumber(x509), serial);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]115
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]116 // not before this moment
117 X509_gmtime_adj(X509_get_notBefore(x509), 0);
118 // Cert is valid for 10 years
119 X509_gmtime_adj(X509_get_notAfter(x509), 60L * 60L * 24L * 365L * 10L);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]120
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]121 // set the public key to the key we just generated
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]122 X509_set_pubkey(x509, pRsaPrivKey);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]123
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]124 // Get the subject name
125 X509_NAME *name;
126 name = X509_get_subject_name(x509);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]127
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]128 X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (unsigned char *)"US", -1, -1, 0);
129 X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, (unsigned char *)"Intel BMC", -1, -1, 0);
130 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char *)"testhost", -1, -1, 0);
131 // set the CSR options
132 X509_set_issuer_name(x509, name);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]133
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]134 // Sign the certificate with our private key
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]135 X509_sign(x509, pRsaPrivKey, EVP_sha256());
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]136
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]137 pFile = fopen(filepath.c_str(), "wt");
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]138
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]139 if (pFile) {
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]140 PEM_write_PrivateKey(pFile, pRsaPrivKey, NULL, NULL, 0, 0, NULL);
141
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]142 PEM_write_X509(pFile, x509);
143 fclose(pFile);
144 pFile = NULL;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]145 }
146
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]147 X509_free(x509);
148 }
149
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]150 if (pRsaPrivKey) {
151 EVP_PKEY_free(pRsaPrivKey);
152 pRsaPrivKey = NULL;
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]153 }
Ed Tanousc4771fb2017-03-13 13:39:49 -0700[diff] [blame^]154
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]155 // cleanup_openssl();
156}
157
158EVP_PKEY *create_rsa_key(void) {
159 RSA *pRSA = NULL;
160 EVP_PKEY *pKey = NULL;
161 pRSA = RSA_generate_key(2048, RSA_3, NULL, NULL);
162 pKey = EVP_PKEY_new();
163 if (pRSA && pKey && EVP_PKEY_assign_RSA(pKey, pRSA)) {
164 /* pKey owns pRSA from now */
165 if (RSA_check_key(pRSA) <= 0) {
166 fprintf(stderr, "RSA_check_key failed.\n");
167 handle_openssl_error();
168 EVP_PKEY_free(pKey);
169 pKey = NULL;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]170 }
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]171 } else {
172 handle_openssl_error();
173 if (pRSA) {
174 RSA_free(pRSA);
175 pRSA = NULL;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]176 }
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]177 if (pKey) {
178 EVP_PKEY_free(pKey);
179 pKey = NULL;
180 }
181 }
182 return pKey;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]183}
184
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]185EVP_PKEY *create_ec_key(void) {
186 EC_KEY *myecc = NULL;
187 EVP_PKEY *pKey = NULL;
188 int eccgrp = 0;
189 eccgrp = OBJ_txt2nid("prime256v1");
190
191 // TODO handle errors
192 myecc = EC_KEY_new_by_curve_name(eccgrp);
193 EC_KEY_set_asn1_flag(myecc, OPENSSL_EC_NAMED_CURVE);
194 EC_KEY_generate_key(myecc);
195 pKey = EVP_PKEY_new();
196
197 if (myecc && pKey && EVP_PKEY_assign_EC_KEY(pKey, myecc)) {
198 /* pKey owns pRSA from now */
199 if (EC_KEY_check_key(myecc) <= 0) {
200 fprintf(stderr, "EC_check_key failed.\n");
201 handle_openssl_error();
202 EVP_PKEY_free(pKey);
203 pKey = NULL;
204 }
205 } else {
206 handle_openssl_error();
207 if (myecc) {
208 EC_KEY_free(myecc);
209 myecc = NULL;
210 }
211 if (pKey) {
212 EVP_PKEY_free(pKey);
213 pKey = NULL;
214 }
215 }
216 return pKey;
217}
218
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]219void init_openssl(void) {
220 if (SSL_library_init()) {
221 SSL_load_error_strings();
222 OpenSSL_add_all_algorithms();
223 RAND_load_file("/dev/urandom", 1024);
224 } else
225 exit(EXIT_FAILURE);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]226}
227
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]228void cleanup_openssl(void) {
229 CRYPTO_cleanup_all_ex_data();
230 ERR_free_strings();
231 ERR_remove_thread_state(0);
232 EVP_cleanup();
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]233}
234
235void handle_openssl_error(void) { ERR_print_errors_fp(stderr); }
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]236inline void ensure_openssl_key_present_and_valid(const std::string &filepath) {
237 bool pem_file_valid = false;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]238
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]239 pem_file_valid = verify_openssl_key_cert(filepath);
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]240
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]241 if (!pem_file_valid) {
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]242 LOG(WARNING) << "Error in verifying signature, regenerating";
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]243 generate_ssl_certificate(filepath);
244 }
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]245}
Ed Tanousc4771fb2017-03-13 13:39:49 -0700[diff] [blame^]246
247
248boost::asio::ssl::context get_ssl_context(std::string ssl_pem_file){
249 boost::asio::ssl::context m_ssl_context{boost::asio::ssl::context::sslv23};
250 m_ssl_context.set_options(boost::asio::ssl::context::default_workarounds | boost::asio::ssl::context::no_sslv2 | boost::asio::ssl::context::no_sslv3 |
251 boost::asio::ssl::context::single_dh_use | boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1);
252
253 // m_ssl_context.set_verify_mode(boost::asio::ssl::verify_peer);
254 m_ssl_context.use_certificate_file(ssl_pem_file, boost::asio::ssl::context::pem);
255 m_ssl_context.use_private_key_file(ssl_pem_file, boost::asio::ssl::context::pem);
256
257 // Set up EC curves to auto (boost asio doesn't have a method for this)
258 // There is a pull request to add this. Once this is included in an asio drop, use the right way
259 // http://stackoverflow.com/questions/18929049/boost-asio-with-ecdsa-certificate-issue
260 if (SSL_CTX_set_ecdh_auto(m_ssl_context.native_handle(), 1) != 1) {
261 CROW_LOG_ERROR << "Error setting tmp ecdh list\n";
262 }
263
264 // From mozilla "compatibility"
265 std::string ciphers =
266 "ECDHE-ECDSA-CHACHA20-POLY1305:"
267 "ECDHE-RSA-CHACHA20-POLY1305:"
268 "ECDHE-ECDSA-AES128-GCM-SHA256:"
269 "ECDHE-RSA-AES128-GCM-SHA256:"
270 "ECDHE-ECDSA-AES256-GCM-SHA384:"
271 "ECDHE-RSA-AES256-GCM-SHA384:"
272 "DHE-RSA-AES128-GCM-SHA256:"
273 "DHE-RSA-AES256-GCM-SHA384:"
274 "ECDHE-ECDSA-AES128-SHA256:"
275 "ECDHE-RSA-AES128-SHA256:"
276 "ECDHE-ECDSA-AES128-SHA:"
277 "ECDHE-RSA-AES256-SHA384:"
278 "ECDHE-RSA-AES128-SHA:"
279 "ECDHE-ECDSA-AES256-SHA384:"
280 "ECDHE-ECDSA-AES256-SHA:"
281 "ECDHE-RSA-AES256-SHA:"
282 "DHE-RSA-AES128-SHA256:"
283 "DHE-RSA-AES128-SHA:"
284 "DHE-RSA-AES256-SHA256:"
285 "DHE-RSA-AES256-SHA:"
286 "ECDHE-ECDSA-DES-CBC3-SHA:"
287 "ECDHE-RSA-DES-CBC3-SHA:"
288 "EDH-RSA-DES-CBC3-SHA:"
289 "AES128-GCM-SHA256:"
290 "AES256-GCM-SHA384:"
291 "AES128-SHA256:"
292 "AES256-SHA256:"
293 "AES128-SHA:"
294 "AES256-SHA:"
295 "DES-CBC3-SHA:"
296 "!DSS";
297
298 // From mozilla "modern"
299 std::string modern_ciphers =
300 "ECDHE-ECDSA-AES256-GCM-SHA384:"
301 "ECDHE-RSA-AES256-GCM-SHA384:"
302 "ECDHE-ECDSA-CHACHA20-POLY1305:"
303 "ECDHE-RSA-CHACHA20-POLY1305:"
304 "ECDHE-ECDSA-AES128-GCM-SHA256:"
305 "ECDHE-RSA-AES128-GCM-SHA256:"
306 "ECDHE-ECDSA-AES256-SHA384:"
307 "ECDHE-RSA-AES256-SHA384:"
308 "ECDHE-ECDSA-AES128-SHA256:"
309 "ECDHE-RSA-AES128-SHA256";
310
311 std::string lighttp_ciphers = "AES128+EECDH:AES128+EDH:!aNULL:!eNULL";
312
313 if (SSL_CTX_set_cipher_list(m_ssl_context.native_handle(), ciphers.c_str()) != 1) {
314 CROW_LOG_ERROR << "Error setting cipher list\n";
315 }
316 return m_ssl_context;
317}
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]318}