Jayanth Othayothcfbc8dc2018-09-03 07:22:27 -05001#pragma once
Marri Devender Raof4682712019-03-19 05:00:28 -05002#include "config.h"
Jayanth Othayothdd74bd22018-09-28 06:13:35 -05003
Marri Devender Raof4682712019-03-19 05:00:28 -05004#include "certificate.hpp"
5#include "csr.hpp"
Marri Devender Raoffad1ef2019-06-03 04:54:12 -05006#include "watch.hpp"
Marri Devender Raof4682712019-03-19 05:00:28 -05007
8#include <sdeventplus/source/child.hpp>
9#include <sdeventplus/source/event.hpp>
10#include <xyz/openbmc_project/Certs/CSR/Create/server.hpp>
Jayanth Othayothcfbc8dc2018-09-03 07:22:27 -050011#include <xyz/openbmc_project/Certs/Install/server.hpp>
Deepak Kodihalliae70b3d2018-09-30 05:42:00 -050012#include <xyz/openbmc_project/Object/Delete/server.hpp>
Jayanth Othayothcfbc8dc2018-09-03 07:22:27 -050013
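namespace phosphor
{
namespace certs
{
/** @brief Generated sdbusplus server interfaces implemented by Manager. */
using Install = sdbusplus::xyz::openbmc_project::Certs::server::Install;
using Delete = sdbusplus::xyz::openbmc_project::Object::server::Delete;
using CSRCreate = sdbusplus::xyz::openbmc_project::Certs::CSR::server::Create;
using Ifaces = sdbusplus::server::object::object<Install, CSRCreate, Delete>;

/** @brief Owning handles for OpenSSL objects. The deleter is the matching
 *         OpenSSL free function, so the object is released when the handle
 *         goes out of scope (no manual X509_REQ_free / EVP_PKEY_free).
 */
using X509_REQ_Ptr = std::unique_ptr<X509_REQ, decltype(&::X509_REQ_free)>;
using EVP_PKEY_Ptr = std::unique_ptr<EVP_PKEY, decltype(&::EVP_PKEY_free)>;
using CertificatePtr = std::unique_ptr<Certificate>;

/** @brief D-Bus object managing the certificates of one certificate type.
 *
 *  Implements the Install, CSR.Create and Delete interfaces for the
 *  certificates it owns (installedCerts), generates private keys and CSRs,
 *  and watches the certificate file via certWatchPtr.
 *
 *  The instance stores references to the bus and the event loop it was
 *  constructed with; it must not outlive either of them.
 */
class Manager : public Ifaces
{
  public:
    /* Define all of the basic class operations:
     * Not allowed:
     *     - Default constructor is not possible due to member
     *       reference
     *     - Copy: the object owns std::unique_ptr members (csrPtr,
     *       childPtr, certWatchPtr), so a defaulted copy constructor
     *       would be defined as deleted anyway; it is deleted
     *       explicitly so the intent is visible in the declaration
     *       rather than surfacing as an error at a call site.
     *     - Move operations due to 'this' being registered as the
     *       'context' with sdbus.
     * Allowed:
     *     - Destructor.
     */
    Manager() = delete;
    Manager(const Manager&) = delete;
    Manager& operator=(const Manager&) = delete;
    Manager(Manager&&) = delete;
    Manager& operator=(Manager&&) = delete;
    virtual ~Manager() = default;

    /** @brief Constructor to put object onto bus at a dbus path.
     *  @param[in] bus - Bus to attach to. Held by reference.
     *  @param[in] event - sd event handler. Held by reference.
     *  @param[in] path - Path to attach at.
     *  @param[in] type - Type of the certificate.
     *  @param[in] unit - Unit consumed by this certificate.
     *  @param[in] installPath - Certificate installation path.
     */
    Manager(sdbusplus::bus::bus& bus, sdeventplus::Event& event,
            const char* path, const CertificateType& type,
            UnitsToRestart&& unit, CertInstallPath&& installPath);

    /** @brief Implementation for Install
     *  Replace the existing certificate key file with another
     *  (possibly CA signed) Certificate key file.
     *
     *  @param[in] filePath - Certificate key file path.
     *  @return Object path of the installed certificate (see the Install
     *          interface definition for the exact contract).
     */
    std::string install(const std::string filePath) override;

    /** @brief Delete the certificate (and possibly revert
     *         to a self-signed certificate).
     */
    void delete_() override;

    /** @brief Generate Private key and CSR file
     *  Generates the Private key file and CSR file based on the input
     *  parameters. Validation of the parameters is the caller's
     *  responsibility. At present supports only RSA algorithm type.
     *
     *  @param[in] alternativeNames - Additional hostnames of the component that
     *      is being secured.
     *  @param[in] challengePassword - The challenge password to be applied to
     *      the certificate for revocation requests.
     *  @param[in] city - The city or locality of the organization making the
     *      request. For Example Austin
     *  @param[in] commonName - The fully qualified domain name of the component
     *      that is being secured.
     *  @param[in] contactPerson - The name of the user making the request.
     *  @param[in] country - The country of the organization making the request.
     *  @param[in] email - The email address of the contact within the
     *      organization making the request.
     *  @param[in] givenName - The given name of the user making the request.
     *  @param[in] initials - The initials of the user making the request.
     *  @param[in] keyBitLength - The length of the key in bits, if needed based
     *      on the value of the KeyPairAlgorithm parameter.
     *  @param[in] keyCurveId - The curve ID to be used with the key, if needed
     *      based on the value of the KeyPairAlgorithm parameter.
     *  @param[in] keyPairAlgorithm - The type of key pair for use with signing
     *      algorithms. Valid built-in algorithm names for private key
     *      generation are: RSA, DSA, DH and EC.
     *  @param[in] keyUsage - Key usage extensions define the purpose of the
     *      public key contained in a certificate. Valid Key usage extensions
     *      and their usage description:
     *      - ClientAuthentication: The public key is used for TLS WWW client
     *        authentication.
     *      - CodeSigning: The public key is used for the signing of executable
     *        code
     *      - CRLSigning: The public key is used for verifying signatures on
     *        certificate revocation lists (CRLs).
     *      - DataEncipherment: The public key is used for directly enciphering
     *        raw user data without the use of an intermediate symmetric
     *        cipher.
     *      - DecipherOnly: The public key could be used for deciphering data
     *        while performing key agreement.
     *      - DigitalSignature: The public key is used for verifying digital
     *        signatures, other than signatures on certificates and CRLs.
     *      - EmailProtection: The public key is used for email protection.
     *      - EncipherOnly: The public key could be used for enciphering data
     *        while performing key agreement.
     *      - KeyCertSign: The public key is used for verifying signatures on
     *        public key certificates.
     *      - KeyEncipherment: The public key is used for enciphering private or
     *        secret keys.
     *      - NonRepudiation: The public key is used to verify digital
     *        signatures, other than signatures on certificates and CRLs, and
     *        used to provide a non-repudiation service that protects against
     *        the signing entity falsely denying some action.
     *      - OCSPSigning: The public key is used for signing OCSP responses.
     *      - ServerAuthentication: The public key is used for TLS WWW server
     *        authentication.
     *      - Timestamping: The public key is used for binding the hash of an
     *        object to a time.
     *  @param[in] organization - The legal name of the organization. This
     *      should not be abbreviated and should include suffixes such as Inc,
     *      Corp, or LLC. For example, IBM Corp.
     *  @param[in] organizationalUnit - The name of the unit or division of the
     *      organization making the request.
     *  @param[in] state - The state or province where the organization is
     *      located. This should not be abbreviated. For example, Texas.
     *  @param[in] surname - The surname of the user making the request.
     *  @param[in] unstructuredName - The unstructured name of the subject.
     *
     *  @return path[std::string] - The object path of the D-Bus object
     *      representing CSR string. Note: a new CSR request will overwrite
     *      the existing CSR in the system.
     */
    std::string generateCSR(
        std::vector<std::string> alternativeNames,
        std::string challengePassword, std::string city, std::string commonName,
        std::string contactPerson, std::string country, std::string email,
        std::string givenName, std::string initials, int64_t keyBitLength,
        std::string keyCurveId, std::string keyPairAlgorithm,
        std::vector<std::string> keyUsage, std::string organization,
        std::string organizationalUnit, std::string state, std::string surname,
        std::string unstructuredName) override;

    /** @brief Get reference to certificates' collection
     *
     *  The returned reference is to the Manager's own owning container
     *  (installedCerts); callers may read or modify it in place and must not
     *  keep the reference beyond the Manager's lifetime.
     *
     *  @return Reference to certificates' collection
     */
    [[nodiscard]] std::vector<std::unique_ptr<Certificate>>& getCertificates();

  private:
    /** @brief Worker for generateCSR; takes the same parameters.
     *  Parameter meanings are documented on generateCSR.
     */
    void generateCSRHelper(std::vector<std::string> alternativeNames,
                           std::string challengePassword, std::string city,
                           std::string commonName, std::string contactPerson,
                           std::string country, std::string email,
                           std::string givenName, std::string initials,
                           int64_t keyBitLength, std::string keyCurveId,
                           std::string keyPairAlgorithm,
                           std::vector<std::string> keyUsage,
                           std::string organization,
                           std::string organizationalUnit, std::string state,
                           std::string surname, std::string unstructuredName);

    /** @brief Generate RSA Key pair and get private key from key pair
     *  @param[in] keyBitLength - KeyBit length.
     *  @return Owning pointer to RSA private key
     */
    [[nodiscard]] EVP_PKEY_Ptr generateRSAKeyPair(const int64_t keyBitLength);

    /** @brief Generate EC Key pair and get private key from key pair
     *  @param[in] p_KeyCurveId - Curve ID
     *  @return Owning pointer to EC private key
     */
    [[nodiscard]] EVP_PKEY_Ptr generateECKeyPair(const std::string& p_KeyCurveId);

    /** @brief Write private key data to file
     *
     *  @param[in] pKey - pointer to private key
     *  @param[in] privKeyFileName - private key filename
     */
    void writePrivateKey(const EVP_PKEY_Ptr& pKey,
                         const std::string& privKeyFileName);

    /** @brief Add the specified CSR field with the data
     *  @param[in] x509Name - Structure used in setting certificate properties
     *  @param[in] field - field name
     *  @param[in] bytes - field value in bytes
     */
    void addEntry(X509_NAME* x509Name, const char* field,
                  const std::string& bytes);

    /** @brief Check if usage is extended key usage
     *  @param[in] usage - key usage value
     *  @return true if part of extended key usage
     */
    [[nodiscard]] bool isExtendedKeyUsage(const std::string& usage);

    /** @brief Create CSR D-Bus object by reading the data in the CSR file
     *  @param[in] status - SUCCESS/FAILURE in CSR generation.
     */
    void createCSRObject(const Status& status);

    /** @brief Write generated CSR data to file
     *
     *  @param[in] filePath - CSR file path.
     *  @param[in] x509Req - OpenSSL Request Pointer.
     */
    void writeCSR(const std::string& filePath, const X509_REQ_Ptr& x509Req);

    /** @brief Load certificate
     *  Load certificate and create certificate object
     */
    void createCertificates();

    /** @brief Create RSA private key file
     *  Create RSA private key file by generating rsa key if not created
     */
    void createRSAPrivateKeyFile();

    /** @brief Getting RSA private key
     *  Getting RSA private key from generated file
     *  @param[in] keyBitLength - Key bit length
     *  @return Owning pointer to RSA key
     */
    [[nodiscard]] EVP_PKEY_Ptr getRSAKeyPair(const int64_t keyBitLength);

    /** @brief sdbusplus handler (not owned; see constructor) */
    sdbusplus::bus::bus& bus;

    /** @brief sdevent Event handle (not owned; see constructor) */
    sdeventplus::Event& event;

    /** @brief object path */
    std::string objectPath;

    /** @brief Type of the certificate **/
    CertificateType certType;

    /** @brief Unit name associated to the service **/
    UnitsToRestart unitToRestart;

    /** @brief Certificate file installation path **/
    CertInstallPath certInstallPath;

    /** @brief Collection of pointers to certificate; this Manager owns them */
    std::vector<std::unique_ptr<Certificate>> installedCerts;

    /** @brief pointer to CSR */
    std::unique_ptr<CSR> csrPtr = nullptr;

    /** @brief SDEventPlus child pointer added to event loop */
    std::unique_ptr<sdeventplus::source::Child> childPtr = nullptr;

    /** @brief Watch on self signed certificates */
    std::unique_ptr<Watch> certWatchPtr = nullptr;

    /** @brief Parent path i.e certificate directory path */
    fs::path certParentInstallPath;

    /** @brief Certificate ID pool; next ID to hand out, starts at 1 */
    uint64_t certIdCounter = 1;
};
} // namespace certs
} // namespace phosphor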