Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / phosphor-certificate-manager / 73d1fbf3047e24c57cf74a341d6ffdf9c7cbc548^! / . / certificate.cpp
commit73d1fbf3047e24c57cf74a341d6ffdf9c7cbc548[log] [tgz]
authorZbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>Wed Jan 15 15:31:12 2020 +0100
committerZbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>Wed Jan 15 15:35:47 2020 +0100
tree481ff70cfa7c9d69197d5e21800fd2364cc7c912
parent2f3563cc53a8f32c43b03d20b7219e52b1c1cf28 [diff] [blame]
Installing certificates with the same subject name.

This patch enables the way for installing different CA certificates with
the same subject name which could be the use case. The problem is OpenSSL
requires certificates file name to be consisted of the certificate
subject name hash (as name base) and integer number (as name extension),
e.g. "9d66eef0.0":
https://www.boost.org/doc/libs/1_69_0/doc/html/boost_asio/reference/ssl__context/add_verify_path.html
https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html
But finally OpenSSL allows to use many CA certificatates with the same subject
name but handling certificate file name extension (e.g. must be
consecutive integers numbers) is needed. Current implementation
hardcodes name extension to 0. So this patch is about handling
certificate file name extension properly.

Tested by installing, deleting and replacing a few CA certificates
with the same subject name and checking whether authentication based
on them works:
 - install a few CA certificates and check whether authentication based
on them works,
 - delete single CA certificate and check whether authentication based
on the rest works and based on the deleted one do not work,
 - replace single CA certificate and check whether authentication based
on the rest and the new one works and based on the replaced one do not
work.

Signed-off-by: Zbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>
Change-Id: I95b8e77559a9e64f0e6cb95dac60dbad32fbcb86

diff --git a/certificate.cpp b/certificate.cpp
index 1ac5426..2490159 100644
--- a/certificate.cpp
+++ b/certificate.cpp

@@ -75,10 +75,12 @@
 {
     const X509_Ptr cert = loadCert(certPath);
     unsigned long subjectNameHash = X509_subject_name_hash(cert.get());
-    static constexpr auto CERT_ID_LENGTH = 9;
+    unsigned long issuerSerialHash = X509_issuer_and_serial_hash(cert.get());
+    static constexpr auto CERT_ID_LENGTH = 17;
     char idBuff[CERT_ID_LENGTH];
 
-    snprintf(idBuff, CERT_ID_LENGTH, "%08lx", subjectNameHash);
+    snprintf(idBuff, CERT_ID_LENGTH, "%08lx%08lx", subjectNameHash,
+             issuerSerialHash);
 
     return std::string(idBuff);
 }
@@ -110,16 +112,19 @@
     snprintf(hashBuf, CERT_HASH_LENGTH, "%08lx", hash);
 
     const std::string certHash(hashBuf);
-    const std::string certDstFileX509Path =
-        certDstDirPath + "/" + certHash + ".0";
-    if (fs::exists(certDstFileX509Path))
+    for (int i = 0; i < AUTHORITY_CERTIFICATES_LIMIT; ++i)
     {
-        log<level::ERR>("Authority certificate x509 file path already used",
-                        entry("CERT=%s", certDstFileX509Path.c_str()));
-        elog<InternalFailure>();
+        const std::string certDstFileX509Path =
+            certDstDirPath + "/" + certHash + "." + std::to_string(i);
+        if (!fs::exists(certDstFileX509Path))
+        {
+            return certDstFileX509Path;
+        }
     }
 
-    return certDstFileX509Path;
+    log<level::ERR>("Authority certificate x509 file path already used",
+                    entry("DIR=%s", certDstDirPath.c_str()));
+    elog<InternalFailure>();
 }
 
 std::string