| Alan Kuo | a822070 | 2020-11-26 11:15:29 +0800 | [diff] [blame] | 1 | #pragma once |
| 2 | #ifdef BMCWEB_ENABLE_SSL |
| 3 | #include <boost/container/flat_map.hpp> |
| 4 | #include <dbus_singleton.hpp> |
| 5 | #include <sdbusplus/bus/match.hpp> |
| 6 | #include <sdbusplus/message/types.hpp> |
| 7 | #include <ssl_key_handler.hpp> |
| 8 | |
| 9 | namespace crow |
| 10 | { |
| 11 | namespace hostname_monitor |
| 12 | { |
| 13 | static std::unique_ptr<sdbusplus::bus::match::match> hostnameSignalMonitor; |
| 14 | |
| 15 | inline void installCertificate(const std::filesystem::path& certPath) |
| 16 | { |
| 17 | crow::connections::systemBus->async_method_call( |
| 18 | [certPath](boost::system::error_code ec) { |
| 19 | if (ec) |
| 20 | { |
| 21 | BMCWEB_LOG_ERROR << "Replace Certificate Fail.."; |
| 22 | return; |
| 23 | } |
| 24 | |
| 25 | BMCWEB_LOG_INFO << "Replace HTTPs Certificate Success, " |
| 26 | "remove temporary certificate file.."; |
| 27 | remove(certPath.c_str()); |
| 28 | }, |
| 29 | "xyz.openbmc_project.Certs.Manager.Server.Https", |
| 30 | "/xyz/openbmc_project/certs/server/https/1", |
| 31 | "xyz.openbmc_project.Certs.Replace", "Replace", certPath.string()); |
| 32 | } |
| 33 | |
| 34 | inline int onPropertyUpdate(sd_bus_message* m, void* /* userdata */, |
| Ed Tanous | 81ce609 | 2020-12-17 16:54:55 +0000 | [diff] [blame] | 35 | sd_bus_error* retError) |
| Alan Kuo | a822070 | 2020-11-26 11:15:29 +0800 | [diff] [blame] | 36 | { |
| Ed Tanous | 81ce609 | 2020-12-17 16:54:55 +0000 | [diff] [blame] | 37 | if (retError == nullptr || sd_bus_error_is_set(retError)) |
| Alan Kuo | a822070 | 2020-11-26 11:15:29 +0800 | [diff] [blame] | 38 | { |
| 39 | BMCWEB_LOG_ERROR << "Got sdbus error on match"; |
| 40 | return 0; |
| 41 | } |
| 42 | |
| 43 | sdbusplus::message::message message(m); |
| 44 | std::string iface; |
| 45 | boost::container::flat_map<std::string, std::variant<std::string>> |
| 46 | changedProperties; |
| 47 | |
| 48 | message.read(iface, changedProperties); |
| 49 | auto it = changedProperties.find("HostName"); |
| 50 | if (it == changedProperties.end()) |
| 51 | { |
| 52 | return 0; |
| 53 | } |
| 54 | |
| 55 | std::string* hostname = std::get_if<std::string>(&it->second); |
| 56 | if (hostname == nullptr) |
| 57 | { |
| 58 | BMCWEB_LOG_ERROR << "Unable to read hostname"; |
| 59 | return 0; |
| 60 | } |
| 61 | |
| 62 | BMCWEB_LOG_DEBUG << "Read hostname from signal: " << *hostname; |
| 63 | const std::string certFile = "/etc/ssl/certs/https/server.pem"; |
| 64 | |
| 65 | X509* cert = ensuressl::loadCert(certFile); |
| 66 | if (cert == nullptr) |
| 67 | { |
| 68 | BMCWEB_LOG_ERROR << "Failed to read cert"; |
| 69 | return 0; |
| 70 | } |
| 71 | |
| 72 | const int maxKeySize = 256; |
| 73 | std::array<char, maxKeySize> cnBuffer{}; |
| 74 | |
| 75 | int cnLength = |
| 76 | X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, |
| 77 | cnBuffer.data(), cnBuffer.size()); |
| 78 | if (cnLength == -1) |
| 79 | { |
| 80 | BMCWEB_LOG_ERROR << "Failed to read NID_commonName"; |
| 81 | X509_free(cert); |
| 82 | return 0; |
| 83 | } |
| 84 | std::string_view cnValue(std::begin(cnBuffer), |
| 85 | static_cast<size_t>(cnLength)); |
| 86 | |
| 87 | EVP_PKEY* pPubKey = X509_get_pubkey(cert); |
| 88 | if (pPubKey == nullptr) |
| 89 | { |
| 90 | BMCWEB_LOG_ERROR << "Failed to get public key"; |
| 91 | X509_free(cert); |
| 92 | return 0; |
| 93 | } |
| 94 | int isSelfSigned = X509_verify(cert, pPubKey); |
| 95 | EVP_PKEY_free(pPubKey); |
| 96 | |
| 97 | BMCWEB_LOG_DEBUG << "Current HTTPs Certificate Subject CN: " << cnValue |
| 98 | << ", New HostName: " << *hostname |
| 99 | << ", isSelfSigned: " << isSelfSigned; |
| 100 | |
| 101 | ASN1_IA5STRING* asn1 = static_cast<ASN1_IA5STRING*>( |
| 102 | X509_get_ext_d2i(cert, NID_netscape_comment, nullptr, nullptr)); |
| 103 | if (asn1) |
| 104 | { |
| 105 | std::string_view comment(reinterpret_cast<const char*>(asn1->data), |
| 106 | static_cast<size_t>(asn1->length)); |
| 107 | BMCWEB_LOG_DEBUG << "x509Comment: " << comment; |
| 108 | |
| 109 | if (ensuressl::x509Comment == comment && isSelfSigned == 1 && |
| 110 | cnValue != *hostname) |
| 111 | { |
| 112 | BMCWEB_LOG_INFO << "Ready to generate new HTTPs " |
| 113 | << "certificate with subject cn: " << *hostname; |
| 114 | |
| 115 | ensuressl::generateSslCertificate("/tmp/hostname_cert.tmp", |
| 116 | *hostname); |
| 117 | installCertificate("/tmp/hostname_cert.tmp"); |
| 118 | } |
| 119 | ASN1_STRING_free(asn1); |
| 120 | } |
| 121 | X509_free(cert); |
| 122 | return 0; |
| 123 | } |
| 124 | |
| 125 | inline void registerHostnameSignal() |
| 126 | { |
| 127 | BMCWEB_LOG_INFO << "Register HostName PropertiesChanged Signal"; |
| 128 | std::string propertiesMatchString = |
| 129 | ("type='signal'," |
| 130 | "interface='org.freedesktop.DBus.Properties'," |
| 131 | "path='/xyz/openbmc_project/network/config'," |
| 132 | "arg0='xyz.openbmc_project.Network.SystemConfiguration'," |
| 133 | "member='PropertiesChanged'"); |
| 134 | |
| 135 | hostnameSignalMonitor = std::make_unique<sdbusplus::bus::match::match>( |
| 136 | *crow::connections::systemBus, propertiesMatchString, onPropertyUpdate, |
| 137 | nullptr); |
| 138 | } |
| 139 | } // namespace hostname_monitor |
| 140 | } // namespace crow |
| 141 | #endif |