Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / ec8faf9243b6f6320daeb3ba6a94d1f257034506 / . / include / ssl_key_handler.hpp
blob: ce6d9fa2f1a6d82e412f2b2dca805d57afc9582d [file] [log] [blame]
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]1#pragma once
Ed Tanous55c7b7a2018-05-22 15:27:24 -0700[diff] [blame]2#ifdef BMCWEB_ENABLE_SSL
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]3
4#include <openssl/bio.h>
5#include <openssl/dh.h>
6#include <openssl/dsa.h>
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]7#include <openssl/err.h>
8#include <openssl/evp.h>
9#include <openssl/pem.h>
10#include <openssl/rand.h>
11#include <openssl/rsa.h>
12#include <openssl/ssl.h>
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]13
Ed Tanous3112a142018-11-29 15:45:10 -0800[diff] [blame]14#include <boost/asio/ssl/context.hpp>
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]15#include <random>
16
17namespace ensuressl
18{
Ed Tanous55c7b7a2018-05-22 15:27:24 -0700[diff] [blame]19static void initOpenssl();
Ed Tanousb01bf292019-03-25 19:25:26 +0000[diff] [blame]20static void cleanupOpenssl();
21static EVP_PKEY *createRsaKey();
22static EVP_PKEY *createEcKey();
Ed Tanous55c7b7a2018-05-22 15:27:24 -0700[diff] [blame]23static void handleOpensslError();
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]24
Ramesh Iyyar082f28f2019-06-22 03:31:55 -0500[diff] [blame]25// Trust chain related errors.`
26inline bool isTrustChainError(int errnum)
27{
28 if ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ||
29 (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) ||
30 (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) ||
31 (errnum == X509_V_ERR_CERT_UNTRUSTED) ||
32 (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
33 {
34 return true;
35 }
36 else
37 {
38 return false;
39 }
40}
41
42inline bool validateCertificate(X509 *const cert)
43{
44 // Create an empty X509_STORE structure for certificate validation.
45 X509_STORE *x509Store = X509_STORE_new();
46 if (!x509Store)
47 {
48 BMCWEB_LOG_ERROR << "Error occured during X509_STORE_new call";
49 return false;
50 }
51
52 // Load Certificate file into the X509 structure.
53 X509_STORE_CTX *storeCtx = X509_STORE_CTX_new();
54 if (!storeCtx)
55 {
56 BMCWEB_LOG_ERROR << "Error occured during X509_STORE_CTX_new call";
57 X509_STORE_free(x509Store);
58 return false;
59 }
60
61 int errCode = X509_STORE_CTX_init(storeCtx, x509Store, cert, NULL);
62 if (errCode != 1)
63 {
64 BMCWEB_LOG_ERROR << "Error occured during X509_STORE_CTX_init call";
65 X509_STORE_CTX_free(storeCtx);
66 X509_STORE_free(x509Store);
67 return false;
68 }
69
70 errCode = X509_verify_cert(storeCtx);
71 if (errCode == 1)
72 {
73 BMCWEB_LOG_INFO << "Certificate verification is success";
74 X509_STORE_CTX_free(storeCtx);
75 X509_STORE_free(x509Store);
76 return true;
77 }
78 if (errCode == 0)
79 {
80 errCode = X509_STORE_CTX_get_error(storeCtx);
81 X509_STORE_CTX_free(storeCtx);
82 X509_STORE_free(x509Store);
83 if (isTrustChainError(errCode))
84 {
85 BMCWEB_LOG_DEBUG << "Ignoring Trust Chain error. Reason: "
86 << X509_verify_cert_error_string(errCode);
87 return true;
88 }
89 else
90 {
91 BMCWEB_LOG_ERROR << "Certificate verification failed. Reason: "
92 << X509_verify_cert_error_string(errCode);
93 return false;
94 }
95 }
96
97 BMCWEB_LOG_ERROR
98 << "Error occured during X509_verify_cert call. ErrorCode: " << errCode;
99 X509_STORE_CTX_free(storeCtx);
100 X509_STORE_free(x509Store);
101 return false;
102}
103
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]104inline bool verifyOpensslKeyCert(const std::string &filepath)
105{
106 bool privateKeyValid = false;
107 bool certValid = false;
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]108
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]109 std::cout << "Checking certs in file " << filepath << "\n";
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]110
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]111 FILE *file = fopen(filepath.c_str(), "r");
112 if (file != NULL)
113 {
114 EVP_PKEY *pkey = PEM_read_PrivateKey(file, NULL, NULL, NULL);
115 int rc;
116 if (pkey != nullptr)
117 {
118 RSA *rsa = EVP_PKEY_get1_RSA(pkey);
119 if (rsa != nullptr)
120 {
121 std::cout << "Found an RSA key\n";
122 if (RSA_check_key(rsa) == 1)
123 {
Jayanth Othayoth4d2849a2019-05-13 01:46:34 -0500[diff] [blame]124 privateKeyValid = true;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]125 }
126 else
127 {
128 std::cerr << "Key not valid error number "
129 << ERR_get_error() << "\n";
130 }
131 RSA_free(rsa);
132 }
133 else
134 {
135 EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
136 if (ec != nullptr)
137 {
138 std::cout << "Found an EC key\n";
139 if (EC_KEY_check_key(ec) == 1)
140 {
141 privateKeyValid = true;
142 }
143 else
144 {
145 std::cerr << "Key not valid error number "
146 << ERR_get_error() << "\n";
147 }
148 EC_KEY_free(ec);
149 }
150 }
151
152 if (privateKeyValid)
153 {
Ramesh Iyyarc0bf8932019-06-22 00:23:29 -0500[diff] [blame]154 // If the order is certificate followed by key in input file
155 // then, certificate read will fail. So, setting the file
156 // pointer to point beginning of file to avoid certificate and
157 // key order issue.
158 fseek(file, 0, SEEK_SET);
159
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]160 X509 *x509 = PEM_read_X509(file, NULL, NULL, NULL);
161 if (x509 == nullptr)
162 {
163 std::cout << "error getting x509 cert " << ERR_get_error()
164 << "\n";
165 }
166 else
167 {
Ramesh Iyyar082f28f2019-06-22 03:31:55 -0500[diff] [blame]168 certValid = validateCertificate(x509);
169 X509_free(x509);
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]170 }
171 }
172
173 EVP_PKEY_free(pkey);
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]174 }
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]175 fclose(file);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]176 }
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]177 return certValid;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]178}
179
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]180inline void generateSslCertificate(const std::string &filepath)
181{
182 FILE *pFile = NULL;
183 std::cout << "Generating new keys\n";
184 initOpenssl();
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]185
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]186 // std::cerr << "Generating RSA key";
187 // EVP_PKEY *pRsaPrivKey = create_rsa_key();
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]188
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]189 std::cerr << "Generating EC key\n";
Ed Tanousb01bf292019-03-25 19:25:26 +0000[diff] [blame]190 EVP_PKEY *pRsaPrivKey = createEcKey();
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]191 if (pRsaPrivKey != nullptr)
192 {
193 std::cerr << "Generating x509 Certificate\n";
194 // Use this code to directly generate a certificate
195 X509 *x509;
196 x509 = X509_new();
197 if (x509 != nullptr)
198 {
199 // get a random number from the RNG for the certificate serial
200 // number If this is not random, regenerating certs throws broswer
201 // errors
202 std::random_device rd;
203 int serial = rd();
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]204
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]205 ASN1_INTEGER_set(X509_get_serialNumber(x509), serial);
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]206
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]207 // not before this moment
208 X509_gmtime_adj(X509_get_notBefore(x509), 0);
209 // Cert is valid for 10 years
210 X509_gmtime_adj(X509_get_notAfter(x509),
211 60L * 60L * 24L * 365L * 10L);
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]212
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]213 // set the public key to the key we just generated
214 X509_set_pubkey(x509, pRsaPrivKey);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]215
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]216 // get the subject name
217 X509_NAME *name;
218 name = X509_get_subject_name(x509);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]219
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]220 X509_NAME_add_entry_by_txt(
221 name, "C", MBSTRING_ASC,
222 reinterpret_cast<const unsigned char *>("US"), -1, -1, 0);
223 X509_NAME_add_entry_by_txt(
224 name, "O", MBSTRING_ASC,
Brad Bishop85d2bb52019-04-05 08:31:14 -0400[diff] [blame]225 reinterpret_cast<const unsigned char *>("OpenBMC"), -1, -1, 0);
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]226 X509_NAME_add_entry_by_txt(
227 name, "CN", MBSTRING_ASC,
228 reinterpret_cast<const unsigned char *>("testhost"), -1, -1, 0);
229 // set the CSR options
230 X509_set_issuer_name(x509, name);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]231
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]232 // Sign the certificate with our private key
233 X509_sign(x509, pRsaPrivKey, EVP_sha256());
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]234
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]235 pFile = fopen(filepath.c_str(), "wt");
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]236
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]237 if (pFile != nullptr)
238 {
239 PEM_write_PrivateKey(pFile, pRsaPrivKey, NULL, NULL, 0, 0,
240 NULL);
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]241
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]242 PEM_write_X509(pFile, x509);
243 fclose(pFile);
244 pFile = NULL;
245 }
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]246
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]247 X509_free(x509);
248 }
249
250 EVP_PKEY_free(pRsaPrivKey);
251 pRsaPrivKey = NULL;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]252 }
253
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]254 // cleanup_openssl();
Ed Tanous99923322017-03-03 14:21:24 -0800[diff] [blame]255}
Ed Tanousb01bf292019-03-25 19:25:26 +0000[diff] [blame]256
257EVP_PKEY *createRsaKey()
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]258{
259 RSA *pRSA = NULL;
Ed Tanousa1e077c2017-04-25 12:42:19 -0700[diff] [blame]260#if OPENSSL_VERSION_NUMBER < 0x00908000L
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]261 pRSA = RSA_generate_key(2048, RSA_3, NULL, NULL);
Ed Tanousa1e077c2017-04-25 12:42:19 -0700[diff] [blame]262#else
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]263 RSA_generate_key_ex(pRSA, 2048, NULL, NULL);
Ed Tanousa1e077c2017-04-25 12:42:19 -0700[diff] [blame]264#endif
265
Ed Tanousb01bf292019-03-25 19:25:26 +0000[diff] [blame]266 EVP_PKEY *pKey = EVP_PKEY_new();
267 if ((pRSA != nullptr) && (pKey != nullptr) &&
268 EVP_PKEY_assign_RSA(pKey, pRSA))
269 {
270 /* pKey owns pRSA from now */
271 if (RSA_check_key(pRSA) <= 0)
272 {
273 fprintf(stderr, "RSA_check_key failed.\n");
274 handleOpensslError();
275 EVP_PKEY_free(pKey);
276 pKey = NULL;
277 }
278 }
279 else
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]280 {
281 handleOpensslError();
282 if (pRSA != nullptr)
283 {
284 RSA_free(pRSA);
Ed Tanousb01bf292019-03-25 19:25:26 +0000[diff] [blame]285 pRSA = NULL;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]286 }
287 if (pKey != nullptr)
288 {
289 EVP_PKEY_free(pKey);
Ed Tanousb01bf292019-03-25 19:25:26 +0000[diff] [blame]290 pKey = NULL;
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]291 }
292 }
Ed Tanousb01bf292019-03-25 19:25:26 +0000[diff] [blame]293 return pKey;
294}
Ed Tanous9b65f1f2017-03-07 15:17:13 -0800[diff] [blame]295
Ed Tanousb01bf292019-03-25 19:25:26 +0000[diff] [blame]296EVP_PKEY *createEcKey()
297{
298 EVP_PKEY *pKey = NULL;
299 int eccgrp = 0;
300 eccgrp = OBJ_txt2nid("prime256v1");
Ed Tanous6ea007a2019-02-13 22:48:25 -0800[diff] [blame]301
Ed Tanous6ea007a2019-02-13 22:48:25 -0800[diff] [blame]302 EC_KEY *myecc = EC_KEY_new_by_curve_name(eccgrp);
Ed Tanousb01bf292019-03-25 19:25:26 +0000[diff] [blame]303 if (myecc != nullptr)
Ed Tanous6ea007a2019-02-13 22:48:25 -0800[diff] [blame]304 {
Ed Tanousb01bf292019-03-25 19:25:26 +0000[diff] [blame]305 EC_KEY_set_asn1_flag(myecc, OPENSSL_EC_NAMED_CURVE);
306 EC_KEY_generate_key(myecc);
307 pKey = EVP_PKEY_new();
308 if (pKey != nullptr)
309 {
310 if (EVP_PKEY_assign_EC_KEY(pKey, myecc))
311 {
312 /* pKey owns pRSA from now */
313 if (EC_KEY_check_key(myecc) <= 0)
314 {
315 fprintf(stderr, "EC_check_key failed.\n");
316 }
317 }
318 }
Ed Tanous6ea007a2019-02-13 22:48:25 -0800[diff] [blame]319 }
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]320 return pKey;
321}
322
323void initOpenssl()
324{
Ed Tanous911ac312017-08-15 09:37:42 -0700[diff] [blame]325#if OPENSSL_VERSION_NUMBER < 0x10100000L
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]326 SSL_load_error_strings();
327 OpenSSL_add_all_algorithms();
328 RAND_load_file("/dev/urandom", 1024);
Ed Tanousa1e077c2017-04-25 12:42:19 -0700[diff] [blame]329#endif
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]330}
331
Ed Tanousb01bf292019-03-25 19:25:26 +0000[diff] [blame]332void cleanupOpenssl()
333{
334 CRYPTO_cleanup_all_ex_data();
335 ERR_free_strings();
336#if OPENSSL_VERSION_NUMBER < 0x10100000L
337 ERR_remove_thread_state(0);
338#endif
339 EVP_cleanup();
340}
341
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]342void handleOpensslError()
343{
344 ERR_print_errors_fp(stderr);
345}
346inline void ensureOpensslKeyPresentAndValid(const std::string &filepath)
347{
348 bool pemFileValid = false;
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]349
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]350 pemFileValid = verifyOpensslKeyCert(filepath);
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700[diff] [blame]351
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]352 if (!pemFileValid)
353 {
354 std::cerr << "Error in verifying signature, regenerating\n";
355 generateSslCertificate(filepath);
356 }
Ed Tanous0fdddb12017-02-28 11:06:34 -0800[diff] [blame]357}
Ed Tanousc4771fb2017-03-13 13:39:49 -0700[diff] [blame]358
Marri Devender Rao5968cae2019-01-21 10:27:12 -0600[diff] [blame]359inline std::shared_ptr<boost::asio::ssl::context>
360 getSslContext(const std::string &ssl_pem_file)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]361{
Marri Devender Rao5968cae2019-01-21 10:27:12 -0600[diff] [blame]362 std::shared_ptr<boost::asio::ssl::context> mSslContext =
363 std::make_shared<boost::asio::ssl::context>(
364 boost::asio::ssl::context::tls_server);
365 mSslContext->set_options(boost::asio::ssl::context::default_workarounds |
366 boost::asio::ssl::context::no_sslv2 |
367 boost::asio::ssl::context::no_sslv3 |
368 boost::asio::ssl::context::single_dh_use |
369 boost::asio::ssl::context::no_tlsv1 |
370 boost::asio::ssl::context::no_tlsv1_1);
Ed Tanousc4771fb2017-03-13 13:39:49 -0700[diff] [blame]371
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]372 // m_ssl_context.set_verify_mode(boost::asio::ssl::verify_peer);
Marri Devender Rao5968cae2019-01-21 10:27:12 -0600[diff] [blame]373 mSslContext->use_certificate_file(ssl_pem_file,
374 boost::asio::ssl::context::pem);
375 mSslContext->use_private_key_file(ssl_pem_file,
376 boost::asio::ssl::context::pem);
Ed Tanousc4771fb2017-03-13 13:39:49 -0700[diff] [blame]377
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]378 // Set up EC curves to auto (boost asio doesn't have a method for this)
379 // There is a pull request to add this. Once this is included in an asio
380 // drop, use the right way
381 // http://stackoverflow.com/questions/18929049/boost-asio-with-ecdsa-certificate-issue
Marri Devender Rao5968cae2019-01-21 10:27:12 -0600[diff] [blame]382 if (SSL_CTX_set_ecdh_auto(mSslContext->native_handle(), 1) != 1)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]383 {
384 BMCWEB_LOG_ERROR << "Error setting tmp ecdh list\n";
385 }
Ed Tanousc4771fb2017-03-13 13:39:49 -0700[diff] [blame]386
Ed Tanous457207f2019-02-07 15:27:14 -0800[diff] [blame]387 std::string mozillaModern = "ECDHE-ECDSA-AES256-GCM-SHA384:"
388 "ECDHE-RSA-AES256-GCM-SHA384:"
389 "ECDHE-ECDSA-CHACHA20-POLY1305:"
390 "ECDHE-RSA-CHACHA20-POLY1305:"
391 "ECDHE-ECDSA-AES128-GCM-SHA256:"
392 "ECDHE-RSA-AES128-GCM-SHA256:"
393 "ECDHE-ECDSA-AES256-SHA384:"
394 "ECDHE-RSA-AES256-SHA384:"
395 "ECDHE-ECDSA-AES128-SHA256:"
396 "ECDHE-RSA-AES128-SHA256";
Ed Tanousc4771fb2017-03-13 13:39:49 -0700[diff] [blame]397
Marri Devender Rao5968cae2019-01-21 10:27:12 -0600[diff] [blame]398 if (SSL_CTX_set_cipher_list(mSslContext->native_handle(),
Ed Tanous457207f2019-02-07 15:27:14 -0800[diff] [blame]399 mozillaModern.c_str()) != 1)
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]400 {
401 BMCWEB_LOG_ERROR << "Error setting cipher list\n";
402 }
403 return mSslContext;
Ed Tanousc4771fb2017-03-13 13:39:49 -0700[diff] [blame]404}
Ed Tanous1abe55e2018-09-05 08:30:59 -0700[diff] [blame]405} // namespace ensuressl
Ed Tanous01250f22017-04-18 17:49:51 -0700[diff] [blame]406
Brad Bishop85d2bb52019-04-05 08:31:14 -0400[diff] [blame]407#endif