blob: 51c8ec694c1f14ada4c6a17400ce71b7e1036dc7 [file] [log] [blame]
Marri Devender Raocd30c492019-06-12 01:40:17 -05001#include "config.h"
2
Marri Devender Rao6ceec402019-02-01 03:15:19 -06003#include "certificate.hpp"
4
5#include <openssl/bio.h>
6#include <openssl/crypto.h>
7#include <openssl/err.h>
8#include <openssl/evp.h>
9#include <openssl/pem.h>
10#include <openssl/x509v3.h>
11
12#include <fstream>
13#include <phosphor-logging/elog-errors.hpp>
Marri Devender Rao13bf74e2019-03-26 01:52:17 -050014#include <xyz/openbmc_project/Certs/error.hpp>
Marri Devender Rao6ceec402019-02-01 03:15:19 -060015#include <xyz/openbmc_project/Common/error.hpp>
Marri Devender Rao13bf74e2019-03-26 01:52:17 -050016
Marri Devender Rao6ceec402019-02-01 03:15:19 -060017namespace phosphor
18{
19namespace certs
20{
21// RAII support for openSSL functions.
22using BIO_MEM_Ptr = std::unique_ptr<BIO, decltype(&::BIO_free)>;
23using X509_STORE_CTX_Ptr =
24 std::unique_ptr<X509_STORE_CTX, decltype(&::X509_STORE_CTX_free)>;
25using X509_LOOKUP_Ptr =
26 std::unique_ptr<X509_LOOKUP, decltype(&::X509_LOOKUP_free)>;
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -060027using ASN1_TIME_ptr = std::unique_ptr<ASN1_TIME, decltype(&ASN1_STRING_free)>;
Marri Devender Rao6ceec402019-02-01 03:15:19 -060028using EVP_PKEY_Ptr = std::unique_ptr<EVP_PKEY, decltype(&::EVP_PKEY_free)>;
29using BUF_MEM_Ptr = std::unique_ptr<BUF_MEM, decltype(&::BUF_MEM_free)>;
30using InternalFailure =
31 sdbusplus::xyz::openbmc_project::Common::Error::InternalFailure;
32using InvalidCertificate =
Marri Devender Rao13bf74e2019-03-26 01:52:17 -050033 sdbusplus::xyz::openbmc_project::Certs::Error::InvalidCertificate;
34using Reason = xyz::openbmc_project::Certs::InvalidCertificate::REASON;
Marri Devender Rao6ceec402019-02-01 03:15:19 -060035
36// Trust chain related errors.`
37#define TRUST_CHAIN_ERR(errnum) \
38 ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) || \
39 (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) || \
40 (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) || \
41 (errnum == X509_V_ERR_CERT_UNTRUSTED) || \
42 (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
43
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -060044// Refer to schema 2018.3
45// http://redfish.dmtf.org/schemas/v1/Certificate.json#/definitions/KeyUsage for
46// supported KeyUsage types in redfish
47// Refer to
48// https://github.com/openssl/openssl/blob/master/include/openssl/x509v3.h for
49// key usage bit fields
50std::map<uint8_t, std::string> keyUsageToRfStr = {
51 {KU_DIGITAL_SIGNATURE, "DigitalSignature"},
52 {KU_NON_REPUDIATION, "NonRepudiation"},
53 {KU_KEY_ENCIPHERMENT, "KeyEncipherment"},
54 {KU_DATA_ENCIPHERMENT, "DataEncipherment"},
55 {KU_KEY_AGREEMENT, "KeyAgreement"},
56 {KU_KEY_CERT_SIGN, "KeyCertSign"},
57 {KU_CRL_SIGN, "CRLSigning"},
58 {KU_ENCIPHER_ONLY, "EncipherOnly"},
59 {KU_DECIPHER_ONLY, "DecipherOnly"}};
60
61// Refer to schema 2018.3
62// http://redfish.dmtf.org/schemas/v1/Certificate.json#/definitions/KeyUsage for
63// supported Extended KeyUsage types in redfish
64std::map<uint8_t, std::string> extendedKeyUsageToRfStr = {
65 {NID_server_auth, "ServerAuthentication"},
66 {NID_client_auth, "ClientAuthentication"},
67 {NID_email_protect, "EmailProtection"},
68 {NID_OCSP_sign, "OCSPSigning"},
69 {NID_ad_timeStamping, "Timestamping"},
70 {NID_code_sign, "CodeSigning"}};
71
Marri Devender Rao6ceec402019-02-01 03:15:19 -060072Certificate::Certificate(sdbusplus::bus::bus& bus, const std::string& objPath,
73 const CertificateType& type,
74 const UnitsToRestart& unit,
75 const CertInstallPath& installPath,
Marri Devender Rao8f80c352019-05-13 00:53:01 -050076 const CertUploadPath& uploadPath,
Marri Devender Raoffad1ef2019-06-03 04:54:12 -050077 bool isSkipUnitReload,
78 const CertWatchPtr& certWatchPtr) :
Marri Devender Raoedd11312019-02-27 08:45:10 -060079 CertIfaces(bus, objPath.c_str(), true),
80 bus(bus), objectPath(objPath), certType(type), unitToRestart(unit),
Marri Devender Raoffad1ef2019-06-03 04:54:12 -050081 certInstallPath(installPath), certWatchPtr(certWatchPtr)
Marri Devender Rao6ceec402019-02-01 03:15:19 -060082{
83 auto installHelper = [this](const auto& filePath) {
84 if (!compareKeys(filePath))
85 {
86 elog<InvalidCertificate>(
87 Reason("Private key does not match the Certificate"));
88 };
89 };
90 typeFuncMap[SERVER] = installHelper;
91 typeFuncMap[CLIENT] = installHelper;
92 typeFuncMap[AUTHORITY] = [](auto filePath) {};
Marri Devender Raocd30c492019-06-12 01:40:17 -050093
94 auto appendPrivateKey = [this](const std::string& filePath) {
95 checkAndAppendPrivateKey(filePath);
96 };
97
98 appendKeyMap[SERVER] = appendPrivateKey;
99 appendKeyMap[CLIENT] = appendPrivateKey;
100 appendKeyMap[AUTHORITY] = [](const std::string& filePath) {};
101
102 // install the certificate
Marri Devender Rao8f80c352019-05-13 00:53:01 -0500103 install(uploadPath, isSkipUnitReload);
Marri Devender Raocd30c492019-06-12 01:40:17 -0500104
Marri Devender Raoedd11312019-02-27 08:45:10 -0600105 this->emit_object_added();
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600106}
107
108Certificate::~Certificate()
109{
110 if (!fs::remove(certInstallPath))
111 {
112 log<level::INFO>("Certificate file not found!",
113 entry("PATH=%s", certInstallPath.c_str()));
114 }
115 else if (!unitToRestart.empty())
116 {
117 reloadOrReset(unitToRestart);
118 }
119}
120
Marri Devender Rao13bf74e2019-03-26 01:52:17 -0500121void Certificate::replace(const std::string filePath)
122{
Marri Devender Rao8f80c352019-05-13 00:53:01 -0500123 install(filePath, false);
Marri Devender Rao13bf74e2019-03-26 01:52:17 -0500124}
125
Marri Devender Rao8f80c352019-05-13 00:53:01 -0500126void Certificate::install(const std::string& filePath, bool isSkipUnitReload)
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600127{
128 log<level::INFO>("Certificate install ",
129 entry("FILEPATH=%s", filePath.c_str()));
130 auto errCode = X509_V_OK;
131
Marri Devender Raoffad1ef2019-06-03 04:54:12 -0500132 // stop watch for user initiated certificate install
133 if (certWatchPtr)
134 {
135 certWatchPtr->stopWatch();
136 }
137
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600138 // Verify the certificate file
139 fs::path file(filePath);
140 if (!fs::exists(file))
141 {
142 log<level::ERR>("File is Missing", entry("FILE=%s", filePath.c_str()));
143 elog<InternalFailure>();
144 }
145
146 try
147 {
148 if (fs::file_size(filePath) == 0)
149 {
150 // file is empty
151 log<level::ERR>("File is empty",
152 entry("FILE=%s", filePath.c_str()));
153 elog<InvalidCertificate>(Reason("File is empty"));
154 }
155 }
156 catch (const fs::filesystem_error& e)
157 {
158 // Log Error message
159 log<level::ERR>(e.what(), entry("FILE=%s", filePath.c_str()));
160 elog<InternalFailure>();
161 }
162
163 // Defining store object as RAW to avoid double free.
164 // X509_LOOKUP_free free up store object.
165 // Create an empty X509_STORE structure for certificate validation.
166 auto x509Store = X509_STORE_new();
167 if (!x509Store)
168 {
169 log<level::ERR>("Error occured during X509_STORE_new call");
170 elog<InternalFailure>();
171 }
172
173 OpenSSL_add_all_algorithms();
174
175 // ADD Certificate Lookup method.
176 X509_LOOKUP_Ptr lookup(X509_STORE_add_lookup(x509Store, X509_LOOKUP_file()),
177 ::X509_LOOKUP_free);
178 if (!lookup)
179 {
180 // Normally lookup cleanup function interanlly does X509Store cleanup
181 // Free up the X509Store.
182 X509_STORE_free(x509Store);
183 log<level::ERR>("Error occured during X509_STORE_add_lookup call");
184 elog<InternalFailure>();
185 }
186 // Load Certificate file.
187 errCode = X509_LOOKUP_load_file(lookup.get(), filePath.c_str(),
188 X509_FILETYPE_PEM);
189 if (errCode != 1)
190 {
191 log<level::ERR>("Error occured during X509_LOOKUP_load_file call",
192 entry("FILE=%s", filePath.c_str()));
193 elog<InvalidCertificate>(Reason("Invalid certificate file format"));
194 }
195
196 // Load Certificate file into the X509 structre.
197 X509_Ptr cert = std::move(loadCert(filePath));
198 X509_STORE_CTX_Ptr storeCtx(X509_STORE_CTX_new(), ::X509_STORE_CTX_free);
199 if (!storeCtx)
200 {
201 log<level::ERR>("Error occured during X509_STORE_CTX_new call",
202 entry("FILE=%s", filePath.c_str()));
203 elog<InternalFailure>();
204 }
205
206 errCode = X509_STORE_CTX_init(storeCtx.get(), x509Store, cert.get(), NULL);
207 if (errCode != 1)
208 {
209 log<level::ERR>("Error occured during X509_STORE_CTX_init call",
210 entry("FILE=%s", filePath.c_str()));
211 elog<InternalFailure>();
212 }
213
214 // Set time to current time.
215 auto locTime = time(nullptr);
216
217 X509_STORE_CTX_set_time(storeCtx.get(), X509_V_FLAG_USE_CHECK_TIME,
218 locTime);
219
220 errCode = X509_verify_cert(storeCtx.get());
221 if (errCode == 1)
222 {
223 errCode = X509_V_OK;
224 }
225 else if (errCode == 0)
226 {
227 errCode = X509_STORE_CTX_get_error(storeCtx.get());
228 log<level::ERR>("Certificate verification failed",
229 entry("FILE=%s", filePath.c_str()),
230 entry("ERRCODE=%d", errCode));
231 }
232 else
233 {
234 log<level::ERR>("Error occured during X509_verify_cert call",
235 entry("FILE=%s", filePath.c_str()));
236 elog<InternalFailure>();
237 }
238
239 // Allow certificate upload, for "certificate is not yet valid" and
240 // trust chain related errors.
241 if (!((errCode == X509_V_OK) ||
242 (errCode == X509_V_ERR_CERT_NOT_YET_VALID) ||
243 TRUST_CHAIN_ERR(errCode)))
244 {
245 if (errCode == X509_V_ERR_CERT_HAS_EXPIRED)
246 {
247 elog<InvalidCertificate>(Reason("Expired Certificate"));
248 }
249 // Loging general error here.
250 elog<InvalidCertificate>(Reason("Certificate validation failed"));
251 }
252
Marri Devender Raocd30c492019-06-12 01:40:17 -0500253 // Invoke type specific append private key function.
254 auto appendIter = appendKeyMap.find(certType);
255 if (appendIter == appendKeyMap.end())
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600256 {
257 log<level::ERR>("Unsupported Type", entry("TYPE=%s", certType.c_str()));
258 elog<InternalFailure>();
259 }
Marri Devender Raocd30c492019-06-12 01:40:17 -0500260 appendIter->second(filePath);
261
262 // Invoke type specific compare keys function.
263 auto compIter = typeFuncMap.find(certType);
264 if (compIter == typeFuncMap.end())
265 {
266 log<level::ERR>("Unsupported Type", entry("TYPE=%s", certType.c_str()));
267 elog<InternalFailure>();
268 }
269 compIter->second(filePath);
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600270
Marri Devender Raoffad1ef2019-06-03 04:54:12 -0500271 // Copy the certificate to the installation path
272 // During bootup will be parsing existing file so no need to
273 // copy it.
274 if (filePath != certInstallPath)
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600275 {
Marri Devender Raoffad1ef2019-06-03 04:54:12 -0500276 std::ifstream inputCertFileStream;
277 std::ofstream outputCertFileStream;
278 inputCertFileStream.exceptions(std::ifstream::failbit |
279 std::ifstream::badbit |
280 std::ifstream::eofbit);
281 outputCertFileStream.exceptions(std::ofstream::failbit |
282 std::ofstream::badbit |
283 std::ofstream::eofbit);
284 try
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600285 {
Marri Devender Raoffad1ef2019-06-03 04:54:12 -0500286 inputCertFileStream.open(filePath);
287 outputCertFileStream.open(certInstallPath, std::ios::out);
288 outputCertFileStream << inputCertFileStream.rdbuf() << std::flush;
289 inputCertFileStream.close();
290 outputCertFileStream.close();
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600291 }
Marri Devender Raoffad1ef2019-06-03 04:54:12 -0500292 catch (const std::exception& e)
293 {
294 log<level::ERR>("Failed to copy certificate",
295 entry("ERR=%s", e.what()),
296 entry("SRC=%s", filePath.c_str()),
297 entry("DST=%s", certInstallPath.c_str()));
298 elog<InternalFailure>();
299 }
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600300 }
Marri Devender Rao8f80c352019-05-13 00:53:01 -0500301
302 if (!isSkipUnitReload)
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600303 {
Marri Devender Rao8f80c352019-05-13 00:53:01 -0500304 // restart the units
305 if (!unitToRestart.empty())
306 {
307 reloadOrReset(unitToRestart);
308 }
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600309 }
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -0600310
311 // Parse the certificate file and populate properties
312 populateProperties();
Marri Devender Raoffad1ef2019-06-03 04:54:12 -0500313
314 // restart watch
315 if (certWatchPtr)
316 {
317 certWatchPtr->startWatch();
318 }
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -0600319}
320
321void Certificate::populateProperties()
322{
323 X509_Ptr cert = std::move(loadCert(certInstallPath));
324 // Update properties if no error thrown
325 BIO_MEM_Ptr certBio(BIO_new(BIO_s_mem()), BIO_free);
326 PEM_write_bio_X509(certBio.get(), cert.get());
327 BUF_MEM_Ptr certBuf(BUF_MEM_new(), BUF_MEM_free);
328 BUF_MEM* buf = certBuf.get();
329 BIO_get_mem_ptr(certBio.get(), &buf);
330 std::string certStr(buf->data, buf->length);
331 CertificateIface::certificateString(certStr);
332
333 static const int maxKeySize = 4096;
334 char subBuffer[maxKeySize] = {0};
Marri Devender Raodec58772019-06-11 03:10:00 -0500335 BIO_MEM_Ptr subBio(BIO_new(BIO_s_mem()), BIO_free);
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -0600336 // This pointer cannot be freed independantly.
337 X509_NAME* sub = X509_get_subject_name(cert.get());
Marri Devender Raodec58772019-06-11 03:10:00 -0500338 X509_NAME_print_ex(subBio.get(), sub, 0, XN_FLAG_SEP_COMMA_PLUS);
339 BIO_read(subBio.get(), subBuffer, maxKeySize);
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -0600340 CertificateIface::subject(subBuffer);
341
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -0600342 char issuerBuffer[maxKeySize] = {0};
Marri Devender Raodec58772019-06-11 03:10:00 -0500343 BIO_MEM_Ptr issuerBio(BIO_new(BIO_s_mem()), BIO_free);
344 // This pointer cannot be freed independantly.
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -0600345 X509_NAME* issuer_name = X509_get_issuer_name(cert.get());
Marri Devender Raodec58772019-06-11 03:10:00 -0500346 X509_NAME_print_ex(issuerBio.get(), issuer_name, 0, XN_FLAG_SEP_COMMA_PLUS);
347 BIO_read(issuerBio.get(), issuerBuffer, maxKeySize);
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -0600348 CertificateIface::issuer(issuerBuffer);
349
350 std::vector<std::string> keyUsageList;
351 ASN1_BIT_STRING* usage;
352
353 // Go through each usage in the bit string and convert to
354 // corresponding string value
355 if ((usage = static_cast<ASN1_BIT_STRING*>(
356 X509_get_ext_d2i(cert.get(), NID_key_usage, NULL, NULL))))
357 {
358 for (auto i = 0; i < usage->length; ++i)
359 {
360 for (auto& x : keyUsageToRfStr)
361 {
362 if (x.first & usage->data[i])
363 {
364 keyUsageList.push_back(x.second);
365 break;
366 }
367 }
368 }
369 }
370
371 EXTENDED_KEY_USAGE* extUsage;
372 if ((extUsage = static_cast<EXTENDED_KEY_USAGE*>(
373 X509_get_ext_d2i(cert.get(), NID_ext_key_usage, NULL, NULL))))
374 {
375 for (int i = 0; i < sk_ASN1_OBJECT_num(extUsage); i++)
376 {
377 keyUsageList.push_back(extendedKeyUsageToRfStr[OBJ_obj2nid(
378 sk_ASN1_OBJECT_value(extUsage, i))]);
379 }
380 }
381 CertificateIface::keyUsage(keyUsageList);
382
383 int days = 0;
384 int secs = 0;
385
386 ASN1_TIME_ptr epoch(ASN1_TIME_new(), ASN1_STRING_free);
387 // Set time to 12:00am GMT, Jan 1 1970
388 ASN1_TIME_set_string(epoch.get(), "700101120000Z");
389
390 static const int dayToSeconds = 24 * 60 * 60;
391 ASN1_TIME* notAfter = X509_get_notAfter(cert.get());
392 ASN1_TIME_diff(&days, &secs, epoch.get(), notAfter);
393 CertificateIface::validNotAfter((days * dayToSeconds) + secs);
394
395 ASN1_TIME* notBefore = X509_get_notBefore(cert.get());
396 ASN1_TIME_diff(&days, &secs, epoch.get(), notBefore);
397 CertificateIface::validNotBefore((days * dayToSeconds) + secs);
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600398}
399
400X509_Ptr Certificate::loadCert(const std::string& filePath)
401{
402 log<level::INFO>("Certificate loadCert",
403 entry("FILEPATH=%s", filePath.c_str()));
404 // Read Certificate file
405 X509_Ptr cert(X509_new(), ::X509_free);
406 if (!cert)
407 {
408 log<level::ERR>("Error occured during X509_new call",
409 entry("FILE=%s", filePath.c_str()),
410 entry("ERRCODE=%lu", ERR_get_error()));
411 elog<InternalFailure>();
412 }
413
414 BIO_MEM_Ptr bioCert(BIO_new_file(filePath.c_str(), "rb"), ::BIO_free);
415 if (!bioCert)
416 {
417 log<level::ERR>("Error occured during BIO_new_file call",
418 entry("FILE=%s", filePath.c_str()));
419 elog<InternalFailure>();
420 }
421
422 X509* x509 = cert.get();
423 if (!PEM_read_bio_X509(bioCert.get(), &x509, nullptr, nullptr))
424 {
425 log<level::ERR>("Error occured during PEM_read_bio_X509 call",
426 entry("FILE=%s", filePath.c_str()));
427 elog<InternalFailure>();
428 }
429 return cert;
430}
Marri Devender Raocd30c492019-06-12 01:40:17 -0500431
432void Certificate::checkAndAppendPrivateKey(const std::string& filePath)
433{
434 BIO_MEM_Ptr keyBio(BIO_new(BIO_s_file()), ::BIO_free);
435 if (!keyBio)
436 {
437 log<level::ERR>("Error occured during BIO_s_file call",
438 entry("FILE=%s", filePath.c_str()));
439 elog<InternalFailure>();
440 }
441 BIO_read_filename(keyBio.get(), filePath.c_str());
442
443 EVP_PKEY_Ptr priKey(
444 PEM_read_bio_PrivateKey(keyBio.get(), nullptr, nullptr, nullptr),
445 ::EVP_PKEY_free);
446 if (!priKey)
447 {
448 log<level::INFO>("Private key not present in file",
449 entry("FILE=%s", filePath.c_str()));
450 fs::path privateKeyFile = fs::path(certInstallPath).parent_path();
451 privateKeyFile = privateKeyFile / PRIV_KEY_FILE_NAME;
452 if (!fs::exists(privateKeyFile))
453 {
454 log<level::ERR>("Private key file is not found",
455 entry("FILE=%s", privateKeyFile.c_str()));
456 elog<InternalFailure>();
457 }
458
459 std::ifstream privKeyFileStream;
460 std::ofstream certFileStream;
461 privKeyFileStream.exceptions(std::ifstream::failbit |
462 std::ifstream::badbit |
463 std::ifstream::eofbit);
464 certFileStream.exceptions(std::ofstream::failbit |
465 std::ofstream::badbit |
466 std::ofstream::eofbit);
467 try
468 {
469 privKeyFileStream.open(privateKeyFile);
470 certFileStream.open(filePath, std::ios::app);
Marri Devender Rao18e51c92019-07-15 04:59:01 -0500471 certFileStream << std::endl; // insert line break
Marri Devender Raocd30c492019-06-12 01:40:17 -0500472 certFileStream << privKeyFileStream.rdbuf() << std::flush;
473 privKeyFileStream.close();
474 certFileStream.close();
475 }
476 catch (const std::exception& e)
477 {
478 log<level::ERR>("Failed to append private key",
479 entry("ERR=%s", e.what()),
480 entry("SRC=%s", privateKeyFile.c_str()),
481 entry("DST=%s", filePath.c_str()));
482 elog<InternalFailure>();
483 }
484 }
485}
486
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600487bool Certificate::compareKeys(const std::string& filePath)
488{
489 log<level::INFO>("Certificate compareKeys",
490 entry("FILEPATH=%s", filePath.c_str()));
491 X509_Ptr cert(X509_new(), ::X509_free);
492 if (!cert)
493 {
494 log<level::ERR>("Error occured during X509_new call",
495 entry("FILE=%s", filePath.c_str()),
496 entry("ERRCODE=%lu", ERR_get_error()));
497 elog<InternalFailure>();
498 }
499
500 BIO_MEM_Ptr bioCert(BIO_new_file(filePath.c_str(), "rb"), ::BIO_free);
501 if (!bioCert)
502 {
503 log<level::ERR>("Error occured during BIO_new_file call",
504 entry("FILE=%s", filePath.c_str()));
505 elog<InternalFailure>();
506 }
507
508 X509* x509 = cert.get();
509 PEM_read_bio_X509(bioCert.get(), &x509, nullptr, nullptr);
510
511 EVP_PKEY_Ptr pubKey(X509_get_pubkey(cert.get()), ::EVP_PKEY_free);
512 if (!pubKey)
513 {
514 log<level::ERR>("Error occurred during X509_get_pubkey",
515 entry("FILE=%s", filePath.c_str()),
516 entry("ERRCODE=%lu", ERR_get_error()));
517 elog<InvalidCertificate>(Reason("Failed to get public key info"));
518 }
519
520 BIO_MEM_Ptr keyBio(BIO_new(BIO_s_file()), ::BIO_free);
521 if (!keyBio)
522 {
523 log<level::ERR>("Error occured during BIO_s_file call",
524 entry("FILE=%s", filePath.c_str()));
525 elog<InternalFailure>();
526 }
527 BIO_read_filename(keyBio.get(), filePath.c_str());
528
529 EVP_PKEY_Ptr priKey(
530 PEM_read_bio_PrivateKey(keyBio.get(), nullptr, nullptr, nullptr),
531 ::EVP_PKEY_free);
532 if (!priKey)
533 {
534 log<level::ERR>("Error occurred during PEM_read_bio_PrivateKey",
535 entry("FILE=%s", filePath.c_str()),
536 entry("ERRCODE=%lu", ERR_get_error()));
537 elog<InvalidCertificate>(Reason("Failed to get private key info"));
538 }
539
540 int32_t rc = EVP_PKEY_cmp(priKey.get(), pubKey.get());
541 if (rc != 1)
542 {
543 log<level::ERR>("Private key is not matching with Certificate",
544 entry("FILE=%s", filePath.c_str()),
545 entry("ERRCODE=%d", rc));
546 return false;
547 }
548 return true;
549}
550
551void Certificate::reloadOrReset(const UnitsToRestart& unit)
552{
553 constexpr auto SYSTEMD_SERVICE = "org.freedesktop.systemd1";
554 constexpr auto SYSTEMD_OBJ_PATH = "/org/freedesktop/systemd1";
555 constexpr auto SYSTEMD_INTERFACE = "org.freedesktop.systemd1.Manager";
556 try
557 {
558 auto method =
559 bus.new_method_call(SYSTEMD_SERVICE, SYSTEMD_OBJ_PATH,
560 SYSTEMD_INTERFACE, "ReloadOrRestartUnit");
561 method.append(unit, "replace");
562 bus.call_noreply(method);
563 }
564 catch (const sdbusplus::exception::SdBusError& e)
565 {
566 log<level::ERR>("Failed to reload or restart service",
567 entry("ERR=%s", e.what()),
568 entry("UNIT=%s", unit.c_str()));
569 elog<InternalFailure>();
570 }
571}
572} // namespace certs
573} // namespace phosphor