Add Certificate verification support
Call X509_verify_cert to perform the following validations:
o Check trust settings on the root CA
o Validity of the certificate chain by enabling (X509_V_ERR_CERT_HAS_EXPIRED).
For details of the verification, refer to:
https://www.openssl.org/docs/manmaster/man1/verify.html
Change-Id: I5fcde5d34658e7b483de2715831107509f31b531
Signed-off-by: Jayanth Othayoth <ojayanth@in.ibm.com>
diff --git a/certs_manager.hpp b/certs_manager.hpp
index f001df7..76f64b4 100644
--- a/certs_manager.hpp
+++ b/certs_manager.hpp
@@ -1,4 +1,6 @@
#pragma once
+#include <openssl/x509.h>
+
#include <cstring>
#include <sdbusplus/bus.hpp>
#include <sdbusplus/server/object.hpp>
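Review bot: the include block gains `<openssl/x509.h>` but still relies on transitive includes for `std::unique_ptr` (used by `X509_Ptr` in the next hunk) and for `int32_t` (the return type of `verifyCert` in the third hunk); please add `#include <memory>` and `#include <cstdint>` next to the new OpenSSL include so the header compiles on its own rather than depending on what sdbusplus happens to pull in.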
@@ -9,6 +11,8 @@
{
namespace certs
{
+// RAII support for openSSL functions.
+using X509_Ptr = std::unique_ptr<X509, decltype(&::X509_free)>;
// Supported Types.
static constexpr auto SERVER = "server";
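Review bot: using `decltype(&::X509_free)` as the deleter makes `X509_Ptr` non-default-constructible, so every instance, including the null value `loadCert` has to return on a parse failure, must be written as `X509_Ptr(nullptr, ::X509_free)`, and each object carries a function pointer at runtime. A small stateless functor deleter (a struct whose `operator()` calls `X509_free`) avoids both issues; also the comment "RAII support for openSSL functions" overstates what the alias is, which is an owning pointer for a single `X509` object.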
@@ -84,6 +88,20 @@
*/
void copy(const std::string& src, const std::string& dst);
+ /** @brief Certificate verification function
+ * Certificate file specific validation using openssl
+ * verify function also includes expiry date check
+ * @param[in] fileName - Certificate and key full file path.
+ * @return error code from open ssl verify function.
+ */
+ int32_t verifyCert(const std::string& filePath);
+
+ /** @brief Load Certificate file into the X509 structre.
+ * @param[in] fileName - Certificate and key full file path.
+ * @return pointer to the X509 structure.
+ */
+ X509_Ptr loadCert(const std::string& filePath);
+
/** @brief sdbusplus handler */
sdbusplus::bus::bus& bus;
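Review bot: the `@return` of `verifyCert` needs to state which value it actually returns, because `X509_verify_cert` itself yields 1 on success and 0 (or a negative value) on failure, while the specific failure reason named in the commit message, `X509_V_ERR_CERT_HAS_EXPIRED`, comes from `X509_STORE_CTX_get_error`; a caller reading "error code from open ssl verify function" could take 0 to mean success and accept an invalid certificate. Please document the exact contract (for example, "returns X509_V_OK on success, otherwise the X509_STORE_CTX error code"), document that `loadCert` returns a null `X509_Ptr` when the file cannot be read, and fix the doc comments themselves: both `@param[in] fileName` entries name a parameter that is declared as `filePath`, and "structre" should be "structure".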