Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 9b65f1fdcfcaaa22719a83be26dbcb5dbe855b0c / . / include / ssl_key_handler.hpp
blob: 69987b98fa3d79cae14ae9db4889312910bf544c [file] [log] [blame]
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]1#pragma once
2
3#include <openssl/bio.h>
4#include <openssl/dh.h>
5#include <openssl/dsa.h>
6#include <openssl/dsa.h>
7#include <openssl/err.h>
8#include <openssl/evp.h>
9#include <openssl/pem.h>
10#include <openssl/rand.h>
11#include <openssl/rsa.h>
12#include <openssl/ssl.h>
13
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]14#include <g3log/g3log.hpp>
15
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]16namespace ensuressl {
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]17static void init_openssl(void);
18static void cleanup_openssl(void);
19static EVP_PKEY *create_rsa_key(void);
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]20static EVP_PKEY *create_ec_key(void);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]21static void handle_openssl_error(void);
22
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]23
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]24inline bool verify_openssl_key_cert(const std::string &filepath) {
25 bool private_key_valid = false;
26 bool cert_valid = false;
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]27
28 LOG(DEBUG) << "Checking certs in file " << filepath;
29
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]30 FILE *file = fopen(filepath.c_str(), "r");
31 if (file != NULL) {
32 EVP_PKEY *pkey = PEM_read_PrivateKey(file, NULL, NULL, NULL);
33 int rc;
34 if (pkey) {
35 int type = EVP_PKEY_type(pkey->type);
36 switch (type) {
37 case EVP_PKEY_RSA:
38 case EVP_PKEY_RSA2: {
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]39 LOG(DEBUG) << "Found an RSA key";
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]40 RSA *rsa = EVP_PKEY_get1_RSA(pkey);
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]41 if (rsa){
42 if (RSA_check_key(rsa) == 1) {
43 private_key_valid = true;
44 } else {
45 LOG(WARNING) << "Key not valid error number " << ERR_get_error();
46 }
47 RSA_free(rsa);
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]48 }
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]49 break;
50 }
51 case EVP_PKEY_EC:{
52 LOG(DEBUG) << "Found an EC key";
53 EC_KEY* ec = EVP_PKEY_get1_EC_KEY(pkey);
54 if (ec){
55 if (EC_KEY_check_key(ec) == 1) {
56 //private_key_valid = true;
57 } else {
58 LOG(WARNING) << "Key not valid error number " << ERR_get_error();
59 }
60 EC_KEY_free(ec);
61 }
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]62 break;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]63 }
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]64 default:
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]65 LOG(WARNING) << "Found an unrecognized key type " << type;
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]66 break;
67 }
68
69 if (private_key_valid) {
70 X509 *x509 = PEM_read_X509(file, NULL, NULL, NULL);
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]71 if (!x509){
72 LOG(DEBUG) << "error getting x509 cert " << ERR_get_error();
73 } else {
74 rc = X509_verify(x509, pkey);
75 if (rc == 1) {
76 cert_valid = true;
77 } else {
78 LOG(WARNING) << "Error in verifying private key signature " << ERR_get_error();
79 }
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]80 }
81 }
82
83 EVP_PKEY_free(pkey);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]84 }
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]85 fclose(file);
86 }
87 return cert_valid;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]88}
89
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]90inline void generate_ssl_certificate(const std::string &filepath) {
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]91 FILE *pFile = NULL;
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]92 LOG(WARNING) << "Generating new keys";
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]93 init_openssl();
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]94
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]95 LOG(WARNING) << "Generating RSA key";
96 EVP_PKEY *pRsaPrivKey = create_rsa_key();
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]97
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]98 //LOG(WARNING) << "Generating EC key";
99 //EVP_PKEY *pRsaPrivKey = create_ec_key();
100
101 LOG(WARNING) << "Generating x509 Certificate";
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]102 // Use this code to directly generate a certificate
103 X509 *x509;
104 x509 = X509_new();
105 if (x509) {
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]106
107 // Get a random number from the RNG for the certificate serial number
108 // If this is not random, regenerating certs throws broswer errors
109 std::random_device rd;
110 int serial = rd();
111
112 ASN1_INTEGER_set(X509_get_serialNumber(x509), serial);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]113
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]114 // not before this moment
115 X509_gmtime_adj(X509_get_notBefore(x509), 0);
116 // Cert is valid for 10 years
117 X509_gmtime_adj(X509_get_notAfter(x509), 60L * 60L * 24L * 365L * 10L);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]118
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]119 // set the public key to the key we just generated
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]120 X509_set_pubkey(x509, pRsaPrivKey);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]121
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]122 // Get the subject name
123 X509_NAME *name;
124 name = X509_get_subject_name(x509);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]125
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]126 X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, (unsigned char *)"US", -1, -1, 0);
127 X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, (unsigned char *)"Intel BMC", -1, -1, 0);
128 X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, (unsigned char *)"testhost", -1, -1, 0);
129 // set the CSR options
130 X509_set_issuer_name(x509, name);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]131
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]132 // Sign the certificate with our private key
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]133 X509_sign(x509, pRsaPrivKey, EVP_sha256());
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]134
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]135 pFile = fopen(filepath.c_str(), "wt");
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]136
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]137 if (pFile) {
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]138 PEM_write_PrivateKey(pFile, pRsaPrivKey, NULL, NULL, 0, 0, NULL);
139
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]140 PEM_write_X509(pFile, x509);
141 fclose(pFile);
142 pFile = NULL;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]143 }
144
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]145 X509_free(x509);
146 }
147
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]148 if (pRsaPrivKey) {
149 EVP_PKEY_free(pRsaPrivKey);
150 pRsaPrivKey = NULL;
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]151 }
152
153 // cleanup_openssl();
154}
155
156EVP_PKEY *create_rsa_key(void) {
157 RSA *pRSA = NULL;
158 EVP_PKEY *pKey = NULL;
159 pRSA = RSA_generate_key(2048, RSA_3, NULL, NULL);
160 pKey = EVP_PKEY_new();
161 if (pRSA && pKey && EVP_PKEY_assign_RSA(pKey, pRSA)) {
162 /* pKey owns pRSA from now */
163 if (RSA_check_key(pRSA) <= 0) {
164 fprintf(stderr, "RSA_check_key failed.\n");
165 handle_openssl_error();
166 EVP_PKEY_free(pKey);
167 pKey = NULL;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]168 }
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]169 } else {
170 handle_openssl_error();
171 if (pRSA) {
172 RSA_free(pRSA);
173 pRSA = NULL;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]174 }
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]175 if (pKey) {
176 EVP_PKEY_free(pKey);
177 pKey = NULL;
178 }
179 }
180 return pKey;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]181}
182
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]183EVP_PKEY *create_ec_key(void) {
184 EC_KEY *myecc = NULL;
185 EVP_PKEY *pKey = NULL;
186 int eccgrp = 0;
187 eccgrp = OBJ_txt2nid("prime256v1");
188
189 // TODO handle errors
190 myecc = EC_KEY_new_by_curve_name(eccgrp);
191 EC_KEY_set_asn1_flag(myecc, OPENSSL_EC_NAMED_CURVE);
192 EC_KEY_generate_key(myecc);
193 pKey = EVP_PKEY_new();
194
195 if (myecc && pKey && EVP_PKEY_assign_EC_KEY(pKey, myecc)) {
196 /* pKey owns pRSA from now */
197 if (EC_KEY_check_key(myecc) <= 0) {
198 fprintf(stderr, "EC_check_key failed.\n");
199 handle_openssl_error();
200 EVP_PKEY_free(pKey);
201 pKey = NULL;
202 }
203 } else {
204 handle_openssl_error();
205 if (myecc) {
206 EC_KEY_free(myecc);
207 myecc = NULL;
208 }
209 if (pKey) {
210 EVP_PKEY_free(pKey);
211 pKey = NULL;
212 }
213 }
214 return pKey;
215}
216
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]217void init_openssl(void) {
218 if (SSL_library_init()) {
219 SSL_load_error_strings();
220 OpenSSL_add_all_algorithms();
221 RAND_load_file("/dev/urandom", 1024);
222 } else
223 exit(EXIT_FAILURE);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]224}
225
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]226void cleanup_openssl(void) {
227 CRYPTO_cleanup_all_ex_data();
228 ERR_free_strings();
229 ERR_remove_thread_state(0);
230 EVP_cleanup();
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]231}
232
233void handle_openssl_error(void) { ERR_print_errors_fp(stderr); }
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]234inline void ensure_openssl_key_present_and_valid(const std::string &filepath) {
235 bool pem_file_valid = false;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]236
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]237 pem_file_valid = verify_openssl_key_cert(filepath);
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]238
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]239 if (!pem_file_valid) {
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame^]240 LOG(WARNING) << "Error in verifying signature, regenerating";
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]241 generate_ssl_certificate(filepath);
242 }
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]243}
244}