Add x509 utils
This change moves some existing static functions in the Certificate
class and x509 related routines into a separate library. These functions
will be used in future Authorities List related functions.
This change also reduces the number of times the Certificate class reads PEM
files by passing certificates as X509 pointers rather than as certificate file paths.
Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: Ieb268ee051c3597f2add732902eb0461375a4c3f
diff --git a/x509_utils.hpp b/x509_utils.hpp
new file mode 100644
index 0000000..e439aad
--- /dev/null
+++ b/x509_utils.hpp
@@ -0,0 +1,61 @@
+#include <openssl/ossl_typ.h>
+#include <openssl/x509.h>
+#include <openssl/x509_vfy.h>
+
+#include <memory>
+#include <string>
+
+namespace phosphor::certs
+{
+
+/** @brief Creates an X509 Store from the given certSrcPath
+ * Creates an X509 Store, adds a lookup file to the store from the given source
+ * certificate, and returns it
+ * @param[in] certSrcPath - the file path to a list of trusted certificates
+ *
+ */
+std::unique_ptr<X509_STORE, decltype(&::X509_STORE_free)>
+ getX509Store(const std::string& certSrcPath);
+
+/** @brief Loads Certificate file into the X509 structure.
+ * @param[in] filePath - Certificate and key full file path.
+ * @return pointer to the X509 structure.
+ */
+std::unique_ptr<X509, decltype(&::X509_free)>
+ loadCert(const std::string& filePath);
+
+/**
+ * @brief Parses the certificate and throws error if certificate NotBefore date
+ * is lt 1970
+ * @param[in] cert Reference to certificate object uploaded
+ * @return void
+ */
+void validateCertificateStartDate(X509& cert);
+
+/**
+ * @brief Validates the certificate against the trusted certificates store and
+ * throws error if certificate is not valid
+ * @param[in] x509Store Reference to trusted certificates store
+ * @param[in] cert Reference to certificate to be validated
+ * @return void
+ */
+void validateCertificateAgainstStore(X509_STORE& x509Store, X509& cert);
+
+/**
+ * @brief Validates the certificate can be used in an SSL context, otherwise,
+ * throws errors
+ * @param[in] cert Reference to certificate to be validated
+ * @return void
+ */
+void validateCertificateInSSLContext(X509& cert);
+
+/**
+ * @brief Generates certificate ID based on provided certificate file.
+ *
+ * @param[in] cert - Certificate object.
+ *
+ * @return Certificate ID as formatted string.
+ */
+std::string generateCertId(X509& cert);
+
+} // namespace phosphor::certs
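Review bot: The new header has no include guard — the first line of the hunk is `#include <openssl/ossl_typ.h>` with nothing above it — so a translation unit that includes x509_utils.hpp twice (directly and via another header) will fail on redefinition of the non-inline declarations' documentation-less duplicates only by luck of ODR rules for declarations; add `#pragma once` as the first line to match the project's other headers. The Doxygen blocks also leave the error contract unstated: each of the `validateCertificate*` functions and `loadCert`/`getX509Store` "throws error" without naming the exception type, and `getX509Store` has no `@return` at all; since callers will catch these to report a rejected upload, I would add `@throws` lines naming the exception type the implementations use (the implementation file is not in this hunk, so I cannot name it here) and `@return the store wrapped in a unique_ptr that frees it with X509_STORE_free`. Finally, the `loadCert` comment reads `@param[in] filePath - Certificate and key full file path.` but the function returns only an `X509`; the doc should say `@param[in] filePath - full path of the PEM certificate file to load.` so a reader does not expect the private key to be parsed.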