Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / phosphor-certificate-manager / 73d1fbf3047e24c57cf74a341d6ffdf9c7cbc548 / . / certificate.cpp
blob: 24901594ad86437cd59093315c64e8f84c6c0ab3 [file] [log] [blame]
Marri Devender Raocd30c492019-06-12 01:40:17 -0500[diff] [blame]1#include "config.h"
2
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]3#include "certificate.hpp"
4
Zbigniew Kurzynskia3bb38f2019-09-17 13:34:25 +0200[diff] [blame]5#include "certs_manager.hpp"
6
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]7#include <openssl/bio.h>
8#include <openssl/crypto.h>
9#include <openssl/err.h>
10#include <openssl/evp.h>
11#include <openssl/pem.h>
12#include <openssl/x509v3.h>
13
14#include <fstream>
15#include <phosphor-logging/elog-errors.hpp>
Marri Devender Rao13bf74e2019-03-26 01:52:17 -0500[diff] [blame]16#include <xyz/openbmc_project/Certs/error.hpp>
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]17#include <xyz/openbmc_project/Common/error.hpp>
Marri Devender Rao13bf74e2019-03-26 01:52:17 -0500[diff] [blame]18
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]19namespace phosphor
20{
21namespace certs
22{
23// RAII support for openSSL functions.
24using BIO_MEM_Ptr = std::unique_ptr<BIO, decltype(&::BIO_free)>;
25using X509_STORE_CTX_Ptr =
26 std::unique_ptr<X509_STORE_CTX, decltype(&::X509_STORE_CTX_free)>;
27using X509_LOOKUP_Ptr =
28 std::unique_ptr<X509_LOOKUP, decltype(&::X509_LOOKUP_free)>;
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -0600[diff] [blame]29using ASN1_TIME_ptr = std::unique_ptr<ASN1_TIME, decltype(&ASN1_STRING_free)>;
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]30using EVP_PKEY_Ptr = std::unique_ptr<EVP_PKEY, decltype(&::EVP_PKEY_free)>;
31using BUF_MEM_Ptr = std::unique_ptr<BUF_MEM, decltype(&::BUF_MEM_free)>;
32using InternalFailure =
33 sdbusplus::xyz::openbmc_project::Common::Error::InternalFailure;
34using InvalidCertificate =
Marri Devender Rao13bf74e2019-03-26 01:52:17 -0500[diff] [blame]35 sdbusplus::xyz::openbmc_project::Certs::Error::InvalidCertificate;
36using Reason = xyz::openbmc_project::Certs::InvalidCertificate::REASON;
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]37
38// Trust chain related errors.`
39#define TRUST_CHAIN_ERR(errnum) \
40 ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) || \
41 (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) || \
42 (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) || \
43 (errnum == X509_V_ERR_CERT_UNTRUSTED) || \
44 (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
45
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -0600[diff] [blame]46// Refer to schema 2018.3
47// http://redfish.dmtf.org/schemas/v1/Certificate.json#/definitions/KeyUsage for
48// supported KeyUsage types in redfish
49// Refer to
50// https://github.com/openssl/openssl/blob/master/include/openssl/x509v3.h for
51// key usage bit fields
52std::map<uint8_t, std::string> keyUsageToRfStr = {
53 {KU_DIGITAL_SIGNATURE, "DigitalSignature"},
54 {KU_NON_REPUDIATION, "NonRepudiation"},
55 {KU_KEY_ENCIPHERMENT, "KeyEncipherment"},
56 {KU_DATA_ENCIPHERMENT, "DataEncipherment"},
57 {KU_KEY_AGREEMENT, "KeyAgreement"},
58 {KU_KEY_CERT_SIGN, "KeyCertSign"},
59 {KU_CRL_SIGN, "CRLSigning"},
60 {KU_ENCIPHER_ONLY, "EncipherOnly"},
61 {KU_DECIPHER_ONLY, "DecipherOnly"}};
62
63// Refer to schema 2018.3
64// http://redfish.dmtf.org/schemas/v1/Certificate.json#/definitions/KeyUsage for
65// supported Extended KeyUsage types in redfish
66std::map<uint8_t, std::string> extendedKeyUsageToRfStr = {
67 {NID_server_auth, "ServerAuthentication"},
68 {NID_client_auth, "ClientAuthentication"},
69 {NID_email_protect, "EmailProtection"},
70 {NID_OCSP_sign, "OCSPSigning"},
71 {NID_ad_timeStamping, "Timestamping"},
72 {NID_code_sign, "CodeSigning"}};
73
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]74std::string Certificate::generateCertId(const std::string& certPath)
Kowalski, Kamildb029c92019-07-08 17:09:39 +0200[diff] [blame]75{
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]76 const X509_Ptr cert = loadCert(certPath);
77 unsigned long subjectNameHash = X509_subject_name_hash(cert.get());
Zbigniew Lukwinski73d1fbf2020-01-15 15:31:12 +0100[diff] [blame^]78 unsigned long issuerSerialHash = X509_issuer_and_serial_hash(cert.get());
79 static constexpr auto CERT_ID_LENGTH = 17;
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]80 char idBuff[CERT_ID_LENGTH];
81
Zbigniew Lukwinski73d1fbf2020-01-15 15:31:12 +0100[diff] [blame^]82 snprintf(idBuff, CERT_ID_LENGTH, "%08lx%08lx", subjectNameHash,
83 issuerSerialHash);
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]84
85 return std::string(idBuff);
86}
87
88std::string
89 Certificate::generateUniqueFilePath(const std::string& directoryPath)
90{
91 char* filePath = tempnam(directoryPath.c_str(), NULL);
92 if (filePath == NULL)
93 {
94 log<level::ERR>(
95 "Error occured while creating random certificate file path",
96 entry("DIR=%s", directoryPath.c_str()));
97 elog<InternalFailure>();
98 }
99 std::string filePathStr(filePath);
100 free(filePath);
101 return filePathStr;
102}
103
104std::string Certificate::generateAuthCertFileX509Path(
105 const std::string& certSrcFilePath, const std::string& certDstDirPath)
106{
107 const X509_Ptr cert = loadCert(certSrcFilePath);
Kowalski, Kamildb029c92019-07-08 17:09:39 +0200[diff] [blame]108 unsigned long hash = X509_subject_name_hash(cert.get());
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]109 static constexpr auto CERT_HASH_LENGTH = 9;
110 char hashBuf[CERT_HASH_LENGTH];
Kowalski, Kamildb029c92019-07-08 17:09:39 +0200[diff] [blame]111
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]112 snprintf(hashBuf, CERT_HASH_LENGTH, "%08lx", hash);
Kowalski, Kamildb029c92019-07-08 17:09:39 +0200[diff] [blame]113
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]114 const std::string certHash(hashBuf);
Zbigniew Lukwinski73d1fbf2020-01-15 15:31:12 +0100[diff] [blame^]115 for (int i = 0; i < AUTHORITY_CERTIFICATES_LIMIT; ++i)
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]116 {
Zbigniew Lukwinski73d1fbf2020-01-15 15:31:12 +0100[diff] [blame^]117 const std::string certDstFileX509Path =
118 certDstDirPath + "/" + certHash + "." + std::to_string(i);
119 if (!fs::exists(certDstFileX509Path))
120 {
121 return certDstFileX509Path;
122 }
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]123 }
Kowalski, Kamildb029c92019-07-08 17:09:39 +0200[diff] [blame]124
Zbigniew Lukwinski73d1fbf2020-01-15 15:31:12 +0100[diff] [blame^]125 log<level::ERR>("Authority certificate x509 file path already used",
126 entry("DIR=%s", certDstDirPath.c_str()));
127 elog<InternalFailure>();
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]128}
129
130std::string
131 Certificate::generateAuthCertFilePath(const std::string& certSrcFilePath)
132{
133 // If there is a certificate file path (which means certificate replacement
134 // is doing) use it (do not create new one)
135 if (!certFilePath.empty())
136 {
137 return certFilePath;
138 }
139 // If source certificate file is located in the certificates directory use
140 // it (do not create new one)
141 else if (fs::path(certSrcFilePath).parent_path().string() ==
142 certInstallPath)
143 {
144 return certSrcFilePath;
145 }
146 // Otherwise generate new file name/path
147 else
148 {
149 return generateUniqueFilePath(certInstallPath);
150 }
151}
152
153std::string
154 Certificate::generateCertFilePath(const std::string& certSrcFilePath)
155{
156 if (certType == phosphor::certs::AUTHORITY)
157 {
158 return generateAuthCertFilePath(certSrcFilePath);
159 }
160 else
161 {
162 return certInstallPath;
163 }
Kowalski, Kamildb029c92019-07-08 17:09:39 +0200[diff] [blame]164}
165
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]166Certificate::Certificate(sdbusplus::bus::bus& bus, const std::string& objPath,
167 const CertificateType& type,
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]168 const CertInstallPath& installPath,
Marri Devender Rao8f80c352019-05-13 00:53:01 -0500[diff] [blame]169 const CertUploadPath& uploadPath,
Zbigniew Kurzynskia3bb38f2019-09-17 13:34:25 +0200[diff] [blame]170 const CertWatchPtr& certWatchPtr, Manager& parent) :
Marri Devender Raoedd11312019-02-27 08:45:10 -0600[diff] [blame]171 CertIfaces(bus, objPath.c_str(), true),
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]172 bus(bus), objectPath(objPath), certType(type), certInstallPath(installPath),
173 certWatchPtr(certWatchPtr), manager(parent)
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]174{
175 auto installHelper = [this](const auto& filePath) {
176 if (!compareKeys(filePath))
177 {
178 elog<InvalidCertificate>(
179 Reason("Private key does not match the Certificate"));
180 };
181 };
182 typeFuncMap[SERVER] = installHelper;
183 typeFuncMap[CLIENT] = installHelper;
184 typeFuncMap[AUTHORITY] = [](auto filePath) {};
Marri Devender Raocd30c492019-06-12 01:40:17 -0500[diff] [blame]185
186 auto appendPrivateKey = [this](const std::string& filePath) {
187 checkAndAppendPrivateKey(filePath);
188 };
189
190 appendKeyMap[SERVER] = appendPrivateKey;
191 appendKeyMap[CLIENT] = appendPrivateKey;
192 appendKeyMap[AUTHORITY] = [](const std::string& filePath) {};
193
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]194 // Generate certificate file path
195 certFilePath = generateCertFilePath(uploadPath);
196
Marri Devender Raocd30c492019-06-12 01:40:17 -0500[diff] [blame]197 // install the certificate
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]198 install(uploadPath);
Marri Devender Raocd30c492019-06-12 01:40:17 -0500[diff] [blame]199
Marri Devender Raoedd11312019-02-27 08:45:10 -0600[diff] [blame]200 this->emit_object_added();
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]201}
202
203Certificate::~Certificate()
204{
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]205 if (!fs::remove(certFilePath))
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]206 {
207 log<level::INFO>("Certificate file not found!",
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]208 entry("PATH=%s", certFilePath.c_str()));
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]209 }
210}
211
Marri Devender Rao13bf74e2019-03-26 01:52:17 -0500[diff] [blame]212void Certificate::replace(const std::string filePath)
213{
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]214 manager.replaceCertificate(this, filePath);
Marri Devender Rao13bf74e2019-03-26 01:52:17 -0500[diff] [blame]215}
216
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]217void Certificate::install(const std::string& certSrcFilePath)
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]218{
219 log<level::INFO>("Certificate install ",
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]220 entry("FILEPATH=%s", certSrcFilePath.c_str()));
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]221 auto errCode = X509_V_OK;
222
Marri Devender Raoffad1ef2019-06-03 04:54:12 -0500[diff] [blame]223 // stop watch for user initiated certificate install
224 if (certWatchPtr)
225 {
226 certWatchPtr->stopWatch();
227 }
228
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]229 // Verify the certificate file
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]230 fs::path file(certSrcFilePath);
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]231 if (!fs::exists(file))
232 {
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]233 log<level::ERR>("File is Missing",
234 entry("FILE=%s", certSrcFilePath.c_str()));
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]235 elog<InternalFailure>();
236 }
237
238 try
239 {
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]240 if (fs::file_size(certSrcFilePath) == 0)
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]241 {
242 // file is empty
243 log<level::ERR>("File is empty",
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]244 entry("FILE=%s", certSrcFilePath.c_str()));
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]245 elog<InvalidCertificate>(Reason("File is empty"));
246 }
247 }
248 catch (const fs::filesystem_error& e)
249 {
250 // Log Error message
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]251 log<level::ERR>(e.what(), entry("FILE=%s", certSrcFilePath.c_str()));
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]252 elog<InternalFailure>();
253 }
254
255 // Defining store object as RAW to avoid double free.
256 // X509_LOOKUP_free free up store object.
257 // Create an empty X509_STORE structure for certificate validation.
258 auto x509Store = X509_STORE_new();
259 if (!x509Store)
260 {
261 log<level::ERR>("Error occured during X509_STORE_new call");
262 elog<InternalFailure>();
263 }
264
265 OpenSSL_add_all_algorithms();
266
267 // ADD Certificate Lookup method.
268 X509_LOOKUP_Ptr lookup(X509_STORE_add_lookup(x509Store, X509_LOOKUP_file()),
269 ::X509_LOOKUP_free);
270 if (!lookup)
271 {
272 // Normally lookup cleanup function interanlly does X509Store cleanup
273 // Free up the X509Store.
274 X509_STORE_free(x509Store);
275 log<level::ERR>("Error occured during X509_STORE_add_lookup call");
276 elog<InternalFailure>();
277 }
278 // Load Certificate file.
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]279 errCode = X509_LOOKUP_load_file(lookup.get(), certSrcFilePath.c_str(),
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]280 X509_FILETYPE_PEM);
281 if (errCode != 1)
282 {
283 log<level::ERR>("Error occured during X509_LOOKUP_load_file call",
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]284 entry("FILE=%s", certSrcFilePath.c_str()));
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]285 elog<InvalidCertificate>(Reason("Invalid certificate file format"));
286 }
287
288 // Load Certificate file into the X509 structre.
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]289 X509_Ptr cert = loadCert(certSrcFilePath);
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]290 X509_STORE_CTX_Ptr storeCtx(X509_STORE_CTX_new(), ::X509_STORE_CTX_free);
291 if (!storeCtx)
292 {
293 log<level::ERR>("Error occured during X509_STORE_CTX_new call",
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]294 entry("FILE=%s", certSrcFilePath.c_str()));
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]295 elog<InternalFailure>();
296 }
297
298 errCode = X509_STORE_CTX_init(storeCtx.get(), x509Store, cert.get(), NULL);
299 if (errCode != 1)
300 {
301 log<level::ERR>("Error occured during X509_STORE_CTX_init call",
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]302 entry("FILE=%s", certSrcFilePath.c_str()));
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]303 elog<InternalFailure>();
304 }
305
306 // Set time to current time.
307 auto locTime = time(nullptr);
308
309 X509_STORE_CTX_set_time(storeCtx.get(), X509_V_FLAG_USE_CHECK_TIME,
310 locTime);
311
312 errCode = X509_verify_cert(storeCtx.get());
313 if (errCode == 1)
314 {
315 errCode = X509_V_OK;
316 }
317 else if (errCode == 0)
318 {
319 errCode = X509_STORE_CTX_get_error(storeCtx.get());
Marri Devender Rao2e8c3a52019-08-09 01:26:35 -0500[diff] [blame]320 log<level::INFO>(
321 "Error occured during X509_verify_cert call, checking for known "
322 "error",
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]323 entry("FILE=%s", certSrcFilePath.c_str()),
324 entry("ERRCODE=%d", errCode),
Marri Devender Rao2e8c3a52019-08-09 01:26:35 -0500[diff] [blame]325 entry("ERROR_STR=%s", X509_verify_cert_error_string(errCode)));
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]326 }
327 else
328 {
329 log<level::ERR>("Error occured during X509_verify_cert call",
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]330 entry("FILE=%s", certSrcFilePath.c_str()));
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]331 elog<InternalFailure>();
332 }
333
334 // Allow certificate upload, for "certificate is not yet valid" and
335 // trust chain related errors.
336 if (!((errCode == X509_V_OK) ||
337 (errCode == X509_V_ERR_CERT_NOT_YET_VALID) ||
338 TRUST_CHAIN_ERR(errCode)))
339 {
340 if (errCode == X509_V_ERR_CERT_HAS_EXPIRED)
341 {
342 elog<InvalidCertificate>(Reason("Expired Certificate"));
343 }
344 // Loging general error here.
345 elog<InvalidCertificate>(Reason("Certificate validation failed"));
346 }
347
Marri Devender Raocd30c492019-06-12 01:40:17 -0500[diff] [blame]348 // Invoke type specific append private key function.
349 auto appendIter = appendKeyMap.find(certType);
350 if (appendIter == appendKeyMap.end())
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]351 {
352 log<level::ERR>("Unsupported Type", entry("TYPE=%s", certType.c_str()));
353 elog<InternalFailure>();
354 }
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]355 appendIter->second(certSrcFilePath);
Marri Devender Raocd30c492019-06-12 01:40:17 -0500[diff] [blame]356
357 // Invoke type specific compare keys function.
358 auto compIter = typeFuncMap.find(certType);
359 if (compIter == typeFuncMap.end())
360 {
361 log<level::ERR>("Unsupported Type", entry("TYPE=%s", certType.c_str()));
362 elog<InternalFailure>();
363 }
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]364 compIter->second(certSrcFilePath);
Kowalski, Kamildb029c92019-07-08 17:09:39 +0200[diff] [blame]365
Marri Devender Raoffad1ef2019-06-03 04:54:12 -0500[diff] [blame]366 // Copy the certificate to the installation path
367 // During bootup will be parsing existing file so no need to
368 // copy it.
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]369 if (certSrcFilePath != certFilePath)
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]370 {
Marri Devender Raoffad1ef2019-06-03 04:54:12 -0500[diff] [blame]371 std::ifstream inputCertFileStream;
372 std::ofstream outputCertFileStream;
373 inputCertFileStream.exceptions(std::ifstream::failbit |
374 std::ifstream::badbit |
375 std::ifstream::eofbit);
376 outputCertFileStream.exceptions(std::ofstream::failbit |
377 std::ofstream::badbit |
378 std::ofstream::eofbit);
Kowalski, Kamildb029c92019-07-08 17:09:39 +0200[diff] [blame]379
Marri Devender Raoffad1ef2019-06-03 04:54:12 -0500[diff] [blame]380 try
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]381 {
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]382 inputCertFileStream.open(certSrcFilePath);
383 outputCertFileStream.open(certFilePath, std::ios::out);
Marri Devender Raoffad1ef2019-06-03 04:54:12 -0500[diff] [blame]384 outputCertFileStream << inputCertFileStream.rdbuf() << std::flush;
385 inputCertFileStream.close();
386 outputCertFileStream.close();
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]387 }
Marri Devender Raoffad1ef2019-06-03 04:54:12 -0500[diff] [blame]388 catch (const std::exception& e)
389 {
390 log<level::ERR>("Failed to copy certificate",
391 entry("ERR=%s", e.what()),
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]392 entry("SRC=%s", certSrcFilePath.c_str()),
393 entry("DST=%s", certFilePath.c_str()));
Marri Devender Raoffad1ef2019-06-03 04:54:12 -0500[diff] [blame]394 elog<InternalFailure>();
395 }
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]396 }
Marri Devender Rao8f80c352019-05-13 00:53:01 -0500[diff] [blame]397
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]398 storageUpdate();
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -0600[diff] [blame]399
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]400 // Keep certificate ID
401 certId = generateCertId(certFilePath);
Kowalski, Kamildb029c92019-07-08 17:09:39 +0200[diff] [blame]402
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -0600[diff] [blame]403 // Parse the certificate file and populate properties
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]404 populateProperties(certFilePath);
Marri Devender Raoffad1ef2019-06-03 04:54:12 -0500[diff] [blame]405
406 // restart watch
407 if (certWatchPtr)
408 {
409 certWatchPtr->startWatch();
410 }
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -0600[diff] [blame]411}
412
413void Certificate::populateProperties()
414{
Kowalski, Kamildb029c92019-07-08 17:09:39 +0200[diff] [blame]415 populateProperties(certInstallPath);
416}
417
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]418std::string Certificate::getCertId() const
Kowalski, Kamildb029c92019-07-08 17:09:39 +0200[diff] [blame]419{
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]420 return certId;
421}
422
423bool Certificate::isSame(const std::string& certPath)
424{
425 return getCertId() == generateCertId(certPath);
426}
427
428void Certificate::storageUpdate()
429{
430 if (certType == phosphor::certs::AUTHORITY)
431 {
432 // Create symbolic link in the certificate directory
433 std::string certFileX509Path;
434 try
435 {
436 if (!certFilePath.empty() &&
437 fs::is_regular_file(fs::path(certFilePath)))
438 {
439 certFileX509Path =
440 generateAuthCertFileX509Path(certFilePath, certInstallPath);
441 fs::create_symlink(fs::path(certFilePath),
442 fs::path(certFileX509Path));
443 }
444 }
445 catch (const std::exception& e)
446 {
447 log<level::ERR>("Failed to create symlink for certificate",
448 entry("ERR=%s", e.what()),
449 entry("FILE=%s", certFilePath.c_str()),
450 entry("SYMLINK=%s", certFileX509Path.c_str()));
451 elog<InternalFailure>();
452 }
453 }
Kowalski, Kamildb029c92019-07-08 17:09:39 +0200[diff] [blame]454}
455
456void Certificate::populateProperties(const std::string& certPath)
457{
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]458 X509_Ptr cert = loadCert(certPath);
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -0600[diff] [blame]459 // Update properties if no error thrown
460 BIO_MEM_Ptr certBio(BIO_new(BIO_s_mem()), BIO_free);
461 PEM_write_bio_X509(certBio.get(), cert.get());
462 BUF_MEM_Ptr certBuf(BUF_MEM_new(), BUF_MEM_free);
463 BUF_MEM* buf = certBuf.get();
464 BIO_get_mem_ptr(certBio.get(), &buf);
465 std::string certStr(buf->data, buf->length);
466 CertificateIface::certificateString(certStr);
467
468 static const int maxKeySize = 4096;
469 char subBuffer[maxKeySize] = {0};
Marri Devender Raodec58772019-06-11 03:10:00 -0500[diff] [blame]470 BIO_MEM_Ptr subBio(BIO_new(BIO_s_mem()), BIO_free);
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -0600[diff] [blame]471 // This pointer cannot be freed independantly.
472 X509_NAME* sub = X509_get_subject_name(cert.get());
Marri Devender Raodec58772019-06-11 03:10:00 -0500[diff] [blame]473 X509_NAME_print_ex(subBio.get(), sub, 0, XN_FLAG_SEP_COMMA_PLUS);
474 BIO_read(subBio.get(), subBuffer, maxKeySize);
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -0600[diff] [blame]475 CertificateIface::subject(subBuffer);
476
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -0600[diff] [blame]477 char issuerBuffer[maxKeySize] = {0};
Marri Devender Raodec58772019-06-11 03:10:00 -0500[diff] [blame]478 BIO_MEM_Ptr issuerBio(BIO_new(BIO_s_mem()), BIO_free);
479 // This pointer cannot be freed independantly.
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -0600[diff] [blame]480 X509_NAME* issuer_name = X509_get_issuer_name(cert.get());
Marri Devender Raodec58772019-06-11 03:10:00 -0500[diff] [blame]481 X509_NAME_print_ex(issuerBio.get(), issuer_name, 0, XN_FLAG_SEP_COMMA_PLUS);
482 BIO_read(issuerBio.get(), issuerBuffer, maxKeySize);
Dhruvaraj Subhashchandran36f25142019-02-14 05:06:26 -0600[diff] [blame]483 CertificateIface::issuer(issuerBuffer);
484
485 std::vector<std::string> keyUsageList;
486 ASN1_BIT_STRING* usage;
487
488 // Go through each usage in the bit string and convert to
489 // corresponding string value
490 if ((usage = static_cast<ASN1_BIT_STRING*>(
491 X509_get_ext_d2i(cert.get(), NID_key_usage, NULL, NULL))))
492 {
493 for (auto i = 0; i < usage->length; ++i)
494 {
495 for (auto& x : keyUsageToRfStr)
496 {
497 if (x.first & usage->data[i])
498 {
499 keyUsageList.push_back(x.second);
500 break;
501 }
502 }
503 }
504 }
505
506 EXTENDED_KEY_USAGE* extUsage;
507 if ((extUsage = static_cast<EXTENDED_KEY_USAGE*>(
508 X509_get_ext_d2i(cert.get(), NID_ext_key_usage, NULL, NULL))))
509 {
510 for (int i = 0; i < sk_ASN1_OBJECT_num(extUsage); i++)
511 {
512 keyUsageList.push_back(extendedKeyUsageToRfStr[OBJ_obj2nid(
513 sk_ASN1_OBJECT_value(extUsage, i))]);
514 }
515 }
516 CertificateIface::keyUsage(keyUsageList);
517
518 int days = 0;
519 int secs = 0;
520
521 ASN1_TIME_ptr epoch(ASN1_TIME_new(), ASN1_STRING_free);
522 // Set time to 12:00am GMT, Jan 1 1970
523 ASN1_TIME_set_string(epoch.get(), "700101120000Z");
524
525 static const int dayToSeconds = 24 * 60 * 60;
526 ASN1_TIME* notAfter = X509_get_notAfter(cert.get());
527 ASN1_TIME_diff(&days, &secs, epoch.get(), notAfter);
528 CertificateIface::validNotAfter((days * dayToSeconds) + secs);
529
530 ASN1_TIME* notBefore = X509_get_notBefore(cert.get());
531 ASN1_TIME_diff(&days, &secs, epoch.get(), notBefore);
532 CertificateIface::validNotBefore((days * dayToSeconds) + secs);
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]533}
534
535X509_Ptr Certificate::loadCert(const std::string& filePath)
536{
537 log<level::INFO>("Certificate loadCert",
538 entry("FILEPATH=%s", filePath.c_str()));
539 // Read Certificate file
540 X509_Ptr cert(X509_new(), ::X509_free);
541 if (!cert)
542 {
543 log<level::ERR>("Error occured during X509_new call",
544 entry("FILE=%s", filePath.c_str()),
545 entry("ERRCODE=%lu", ERR_get_error()));
546 elog<InternalFailure>();
547 }
548
549 BIO_MEM_Ptr bioCert(BIO_new_file(filePath.c_str(), "rb"), ::BIO_free);
550 if (!bioCert)
551 {
552 log<level::ERR>("Error occured during BIO_new_file call",
553 entry("FILE=%s", filePath.c_str()));
554 elog<InternalFailure>();
555 }
556
557 X509* x509 = cert.get();
558 if (!PEM_read_bio_X509(bioCert.get(), &x509, nullptr, nullptr))
559 {
560 log<level::ERR>("Error occured during PEM_read_bio_X509 call",
561 entry("FILE=%s", filePath.c_str()));
562 elog<InternalFailure>();
563 }
564 return cert;
565}
Marri Devender Raocd30c492019-06-12 01:40:17 -0500[diff] [blame]566
567void Certificate::checkAndAppendPrivateKey(const std::string& filePath)
568{
569 BIO_MEM_Ptr keyBio(BIO_new(BIO_s_file()), ::BIO_free);
570 if (!keyBio)
571 {
572 log<level::ERR>("Error occured during BIO_s_file call",
573 entry("FILE=%s", filePath.c_str()));
574 elog<InternalFailure>();
575 }
576 BIO_read_filename(keyBio.get(), filePath.c_str());
577
578 EVP_PKEY_Ptr priKey(
579 PEM_read_bio_PrivateKey(keyBio.get(), nullptr, nullptr, nullptr),
580 ::EVP_PKEY_free);
581 if (!priKey)
582 {
583 log<level::INFO>("Private key not present in file",
584 entry("FILE=%s", filePath.c_str()));
585 fs::path privateKeyFile = fs::path(certInstallPath).parent_path();
586 privateKeyFile = privateKeyFile / PRIV_KEY_FILE_NAME;
587 if (!fs::exists(privateKeyFile))
588 {
589 log<level::ERR>("Private key file is not found",
590 entry("FILE=%s", privateKeyFile.c_str()));
591 elog<InternalFailure>();
592 }
593
594 std::ifstream privKeyFileStream;
595 std::ofstream certFileStream;
596 privKeyFileStream.exceptions(std::ifstream::failbit |
597 std::ifstream::badbit |
598 std::ifstream::eofbit);
599 certFileStream.exceptions(std::ofstream::failbit |
600 std::ofstream::badbit |
601 std::ofstream::eofbit);
602 try
603 {
604 privKeyFileStream.open(privateKeyFile);
605 certFileStream.open(filePath, std::ios::app);
Marri Devender Rao18e51c92019-07-15 04:59:01 -0500[diff] [blame]606 certFileStream << std::endl; // insert line break
Marri Devender Raocd30c492019-06-12 01:40:17 -0500[diff] [blame]607 certFileStream << privKeyFileStream.rdbuf() << std::flush;
608 privKeyFileStream.close();
609 certFileStream.close();
610 }
611 catch (const std::exception& e)
612 {
613 log<level::ERR>("Failed to append private key",
614 entry("ERR=%s", e.what()),
615 entry("SRC=%s", privateKeyFile.c_str()),
616 entry("DST=%s", filePath.c_str()));
617 elog<InternalFailure>();
618 }
619 }
620}
621
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]622bool Certificate::compareKeys(const std::string& filePath)
623{
624 log<level::INFO>("Certificate compareKeys",
625 entry("FILEPATH=%s", filePath.c_str()));
626 X509_Ptr cert(X509_new(), ::X509_free);
627 if (!cert)
628 {
629 log<level::ERR>("Error occured during X509_new call",
630 entry("FILE=%s", filePath.c_str()),
631 entry("ERRCODE=%lu", ERR_get_error()));
632 elog<InternalFailure>();
633 }
634
635 BIO_MEM_Ptr bioCert(BIO_new_file(filePath.c_str(), "rb"), ::BIO_free);
636 if (!bioCert)
637 {
638 log<level::ERR>("Error occured during BIO_new_file call",
639 entry("FILE=%s", filePath.c_str()));
640 elog<InternalFailure>();
641 }
642
643 X509* x509 = cert.get();
644 PEM_read_bio_X509(bioCert.get(), &x509, nullptr, nullptr);
645
646 EVP_PKEY_Ptr pubKey(X509_get_pubkey(cert.get()), ::EVP_PKEY_free);
647 if (!pubKey)
648 {
649 log<level::ERR>("Error occurred during X509_get_pubkey",
650 entry("FILE=%s", filePath.c_str()),
651 entry("ERRCODE=%lu", ERR_get_error()));
652 elog<InvalidCertificate>(Reason("Failed to get public key info"));
653 }
654
655 BIO_MEM_Ptr keyBio(BIO_new(BIO_s_file()), ::BIO_free);
656 if (!keyBio)
657 {
658 log<level::ERR>("Error occured during BIO_s_file call",
659 entry("FILE=%s", filePath.c_str()));
660 elog<InternalFailure>();
661 }
662 BIO_read_filename(keyBio.get(), filePath.c_str());
663
664 EVP_PKEY_Ptr priKey(
665 PEM_read_bio_PrivateKey(keyBio.get(), nullptr, nullptr, nullptr),
666 ::EVP_PKEY_free);
667 if (!priKey)
668 {
669 log<level::ERR>("Error occurred during PEM_read_bio_PrivateKey",
670 entry("FILE=%s", filePath.c_str()),
671 entry("ERRCODE=%lu", ERR_get_error()));
672 elog<InvalidCertificate>(Reason("Failed to get private key info"));
673 }
674
675 int32_t rc = EVP_PKEY_cmp(priKey.get(), pubKey.get());
676 if (rc != 1)
677 {
678 log<level::ERR>("Private key is not matching with Certificate",
679 entry("FILE=%s", filePath.c_str()),
680 entry("ERRCODE=%d", rc));
681 return false;
682 }
683 return true;
684}
685
Zbigniew Kurzynskia3bb38f2019-09-17 13:34:25 +0200[diff] [blame]686void Certificate::delete_()
687{
Zbigniew Lukwinski2f3563c2020-01-08 12:35:23 +0100[diff] [blame]688 manager.deleteCertificate(this);
Zbigniew Kurzynskia3bb38f2019-09-17 13:34:25 +0200[diff] [blame]689}
Marri Devender Rao6ceec402019-02-01 03:15:19 -0600[diff] [blame]690} // namespace certs
691} // namespace phosphor