Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 23f1c96e6bc9060b54ff08a6b4d6cf8b8e0c3b23 / . / http / mutual_tls.hpp
blob: 64bcd490d4de513fe0858cf2787b3180981998fc [file] [log] [blame]
Ed Tanous7c8e0642022-02-21 12:11:14 -0800[diff] [blame]1#pragma once
2
3#include "logging.hpp"
4#include "persistent_data.hpp"
5
6#include <openssl/crypto.h>
7#include <openssl/ssl.h>
8
9#include <boost/asio/ip/address.hpp>
10#include <boost/asio/ssl/verify_context.hpp>
11
12#include <memory>
Patrick Williams3d7fc712023-05-10 20:03:19 -0500[diff] [blame]13#include <span>
Ed Tanous7c8e0642022-02-21 12:11:14 -0800[diff] [blame]14
15inline std::shared_ptr<persistent_data::UserSession>
16 verifyMtlsUser(const boost::asio::ip::address& clientIp,
17 boost::asio::ssl::verify_context& ctx)
18{
19 // do nothing if TLS is disabled
20 if (!persistent_data::SessionStore::getInstance()
21 .getAuthMethodsConfig()
22 .tls)
23 {
Ed Tanous62598e32023-07-17 17:06:25 -0700[diff] [blame]24 BMCWEB_LOG_DEBUG("TLS auth_config is disabled");
Ed Tanous7c8e0642022-02-21 12:11:14 -0800[diff] [blame]25 return nullptr;
26 }
27
28 X509_STORE_CTX* cts = ctx.native_handle();
29 if (cts == nullptr)
30 {
Ed Tanous62598e32023-07-17 17:06:25 -0700[diff] [blame]31 BMCWEB_LOG_DEBUG("Cannot get native TLS handle.");
Ed Tanous7c8e0642022-02-21 12:11:14 -0800[diff] [blame]32 return nullptr;
33 }
34
35 // Get certificate
36 X509* peerCert = X509_STORE_CTX_get_current_cert(ctx.native_handle());
37 if (peerCert == nullptr)
38 {
Ed Tanous62598e32023-07-17 17:06:25 -0700[diff] [blame]39 BMCWEB_LOG_DEBUG("Cannot get current TLS certificate.");
Ed Tanous7c8e0642022-02-21 12:11:14 -0800[diff] [blame]40 return nullptr;
41 }
42
43 // Check if certificate is OK
44 int ctxError = X509_STORE_CTX_get_error(cts);
45 if (ctxError != X509_V_OK)
46 {
Ed Tanous62598e32023-07-17 17:06:25 -0700[diff] [blame]47 BMCWEB_LOG_INFO("Last TLS error is: {}", ctxError);
Ed Tanous7c8e0642022-02-21 12:11:14 -0800[diff] [blame]48 return nullptr;
49 }
Ed Tanous23f1c962023-12-05 15:57:46 -0800[diff] [blame^]50
Ed Tanous7c8e0642022-02-21 12:11:14 -0800[diff] [blame]51 // Check that we have reached final certificate in chain
52 int32_t depth = X509_STORE_CTX_get_error_depth(cts);
53 if (depth != 0)
Ed Tanous7c8e0642022-02-21 12:11:14 -0800[diff] [blame]54 {
Ed Tanous62598e32023-07-17 17:06:25 -0700[diff] [blame]55 BMCWEB_LOG_DEBUG(
56 "Certificate verification in progress (depth {}), waiting to reach final depth",
57 depth);
Ed Tanous7c8e0642022-02-21 12:11:14 -0800[diff] [blame]58 return nullptr;
59 }
60
Ed Tanous62598e32023-07-17 17:06:25 -0700[diff] [blame]61 BMCWEB_LOG_DEBUG("Certificate verification of final depth");
Ed Tanous7c8e0642022-02-21 12:11:14 -0800[diff] [blame]62
Ed Tanous23f1c962023-12-05 15:57:46 -0800[diff] [blame^]63 if (X509_check_purpose(peerCert, X509_PURPOSE_SSL_CLIENT, 0) != 1)
Ed Tanous7c8e0642022-02-21 12:11:14 -0800[diff] [blame]64 {
Ed Tanous23f1c962023-12-05 15:57:46 -0800[diff] [blame^]65 BMCWEB_LOG_DEBUG(
66 "Chain does not allow certificate to be used for SSL client authentication");
Ed Tanous7c8e0642022-02-21 12:11:14 -0800[diff] [blame]67 return nullptr;
68 }
69
Ed Tanous7c8e0642022-02-21 12:11:14 -0800[diff] [blame]70 std::string sslUser;
71 // Extract username contained in CommonName
72 sslUser.resize(256, '\0');
73
74 int status = X509_NAME_get_text_by_NID(X509_get_subject_name(peerCert),
75 NID_commonName, sslUser.data(),
76 static_cast<int>(sslUser.size()));
77
78 if (status == -1)
79 {
Ed Tanous62598e32023-07-17 17:06:25 -0700[diff] [blame]80 BMCWEB_LOG_DEBUG("TLS cannot get username to create session");
Ed Tanous7c8e0642022-02-21 12:11:14 -0800[diff] [blame]81 return nullptr;
82 }
83
84 size_t lastChar = sslUser.find('\0');
85 if (lastChar == std::string::npos || lastChar == 0)
86 {
Ed Tanous62598e32023-07-17 17:06:25 -0700[diff] [blame]87 BMCWEB_LOG_DEBUG("Invalid TLS user name");
Ed Tanous7c8e0642022-02-21 12:11:14 -0800[diff] [blame]88 return nullptr;
89 }
90 sslUser.resize(lastChar);
91 std::string unsupportedClientId;
92 return persistent_data::SessionStore::getInstance().generateUserSession(
93 sslUser, clientIp, unsupportedClientId,
94 persistent_data::PersistenceType::TIMEOUT);
95}