Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / phosphor-certificate-manager / 8a09b52a767bebdc510914d3b4bb63313dae2196^! / . / certs_manager.hpp
commit8a09b52a767bebdc510914d3b4bb63313dae2196[log] [tgz]
authorRamesh Iyyar <rameshi1@in.ibm.com>Fri Jun 07 05:23:29 2019 -0500
committerRamesh Iyyar <rameshi1@in.ibm.com>Fri Jun 21 01:22:41 2019 -0500
treee24340cd8e655180c627480692034e6f65463fbb
parentdec5877c7e1219299042671cdf82589a081d583f [diff] [blame]
Added support to generate CSR based on ECC approach

In existing, phosphor-certificate-manager is supported RSA approach to
generate CSR. As per Redfish certificate schema, CSR can generate either
RSA or ECC by passing KeyPairAlgorithm. So, In this commit ECC based CSR
generation is added.

Openssl API are used for generating ECC key pair.

User Input Validation:
- ECC approach is used as default if user does not give algorithm type.
- Default KeyBitLength and CurveId used as "2048" and "secp224r1"
  respectively if user does not give.
- Error will be thrown if algorithm given other than RSA and ECC.

In this commit refactor also done by splitting RSA key generation from
writePrivateKey().

Tested by:
- Added unit test cases to verify unsupported KeyPairAlgorithm and
  KeyPairCurveID, ECC Key generation.

- Tested by BMC-web(Redfish) to generate CSR based on ECC.
  curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST
  https://${bmc}/redfish/v1/CertificateService/Actions/
  CertificateService.GenerateCSR/ -d @generate_https.json

Change-Id: I523293ee2ff6da2964e8c3d4380eefc96bf1f36b
Signed-off-by: Ramesh Iyyar <rameshi1@in.ibm.com>

diff --git a/certs_manager.hpp b/certs_manager.hpp
index 0c8f4e6..236f6f1 100644
--- a/certs_manager.hpp
+++ b/certs_manager.hpp

@@ -162,13 +162,23 @@
                            std::string organizationalUnit, std::string state,
                            std::string surname, std::string unstructuredName);
 
+    /** @brief Generate RSA Key pair and get private key from key pair
+     *  @param[in]  keyBitLength - KeyBit length.
+     *  @return     Pointer to RSA private key
+     */
+    EVP_PKEY_Ptr generateRSAKeyPair(const int64_t keyBitLength);
+
+    /** @brief Generate EC Key pair and get private key from key pair
+     *  @param[in]  p_KeyCurveId - Curve ID
+     *  @return     Pointer to EC private key
+     */
+    EVP_PKEY_Ptr generateECKeyPair(const std::string& p_KeyCurveId);
+
     /** @brief Write private key data to file
      *
-     *  @param[in] keyBitLength - KeyBit length.
-     *  @param[in] x509Req - pointer to X509 request.
-     *  @return pointer to private key
+     *  @param[in] pKey     - pointer to private key
      */
-    EVP_PKEY_Ptr writePrivateKey(int64_t keyBitLength, X509_REQ_Ptr& x509Req);
+    void writePrivateKey(const EVP_PKEY_Ptr& pKey);
 
     /** @brief Add the specified CSR field with the data
      *  @param[in] x509Name - Structure used in setting certificate properties