Update copyCertificate function to preserve file metadata

Cert Manager currently creates a new file with the same content
during Certificate::copyCertificate function but doesn’t
preserve the file m

Update copyCertificate function to preserve file metadata

Cert Manager currently creates a new file with the same content
during Certificate::copyCertificate function but doesn’t
preserve the file metadata(uid,gid,rwx etc.) from the original
file. It's a nice to have feature if both content and file
metadata are preserved during the copy. This would be useful for
security software running later on to validate the file's
integrity and authenticity.

This is achievable by utilizing the cp command. PCM will issue a
std::system call to ask the underlying host environment's command
processor to execute the cp -fp call.

This PR doesn't change any current business logic to any existing
code that depends on PCM.

Change-Id: I53907253857b04629914290a77b140c338344d05
Signed-off-by: Zac Tang <zactang1024@gmail.com>

show more ...

clang-format: re-format for clang-18

clang-format-18 isn't compatible with the clang-format-17 output, so we
need to reformat the code with the latest version. The way clang-18
handles lambda forma

clang-format: re-format for clang-18

clang-format-18 isn't compatible with the clang-format-17 output, so we
need to reformat the code with the latest version. The way clang-18
handles lambda formatting also changed, so we have made changes to the
organization default style format to better handle lambda formatting.

See I5e08687e696dd240402a2780158664b7113def0e for updated style.
See Iea0776aaa7edd483fa395e23de25ebf5a6288f71 for clang-18 enablement.

Change-Id: Ic1ad64722b2368169dfb0e62c37f7f3c1ff20fe8
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

show more ...

Fix spelling mistakes using codespell

This commit corrects various spelling mistakes throughout the
repository. The corrections were made automatically using `codespell`[1]
tool.

[1]: https://githu

Fix spelling mistakes using codespell

This commit corrects various spelling mistakes throughout the
repository. The corrections were made automatically using `codespell`[1]
tool.

[1]: https://github.com/codespell-project/codespell

Change-Id: I49a1a13821bbc966768d4db048886e78e8e77d9f
Signed-off-by: Manojkiran Eda <manojkiran.eda@gmail.com>

show more ...

Test: Fix CI failure

Currently CI fails with --wrapper 'valgrind --error-exitcode=1'

This commit fixes few variables initialization in test code and increase
timeout to generate certs to 500 second

Test: Fix CI failure

Currently CI fails with --wrapper 'valgrind --error-exitcode=1'

This commit fixes few variables initialization in test code and increase
timeout to generate certs to 500 seconds considering valgrind enabled.

Tested by:
CI passed with --wrapper 'valgrind --error-exitcode=1'

Change-Id: I1bf26fb2fafbf68bcb128eb77083a99867dd21c8
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>

show more ...

GenerateCSR: Avoid setting CSR version

Latest openssl displays as unknown version while parsing BMC generated
CSRs over openssl command line

As per openssl discussion in this issue, by default CSR

GenerateCSR: Avoid setting CSR version

Latest openssl displays as unknown version while parsing BMC generated
CSRs over openssl command line

As per openssl discussion in this issue, by default CSR version set to 1
https://github.com/openssl/openssl/issues/20663
The only defined CSR version is X509_REQ_VERSION_1, so there is no need
to call X509_REQ_set_version() to set version explicitly

This commit avoids calling X509_REQ_set_version() to set CSR version

Tested By:
1.Generate CSR using redfish interface
2.Parse csr using openssl and check version
openssl req -in csr.txt -noout -text
Certificate Request:
Data:
Version: 1 (0x0)

Change-Id: I29dfc50e661d39fe7930d65079abfee924745d21
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>

show more ...

certs_manager: log all OpenSSL errors on failure

I've been hitting intermittent fails in this code running simulation
with my system1 machine.

```
Sep 20 11:23:29 system1 phosphor-certificate-manag

certs_manager: log all OpenSSL errors on failure

I've been hitting intermittent fails in this code running simulation
with my system1 machine.

```
Sep 20 11:23:29 system1 phosphor-certificate-manager[237]: Error occurred during generate EC key
Sep 20 11:23:29 system1 phosphor-certificate-manager[237]: The operation failed internally.
Sep 20 11:23:29 system1 phosphor-certificate-manager[237]: The operation failed internally.
```

This code path logs an InternalError, which causes a BMC dump to get
generated. That dump causes the automated CI tests to fail.

The fail only occurs 1 out of every 10 runs and there's not currently
enough info to debug the cause of the fail. I think it may have to do
with the network or time being reconfigured during the same time the
certificate code is running but I have no evidence.

Doing some internet searching, it seems this ERR_print_errors_fp() call
is the recommended way to collect any debug info from OpenSSL libraries.
https://www.openssl.org/docs/man1.1.1/man3/ERR_print_errors_fp.html

Tested:
- Unfortunately I can not recreate this issue manually so all I've been
able to test is that this builds and does not affect the good path.

Change-Id: I373b8f481f393b3e783c1a0270c8f6f729c426a5
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>

show more ...

owners: updated Jayanth email

Change-Id: I0b4303591cf2dd95aaf02de578b9ffc8faedbdbe
Signed-off-by: Jayanth Othayoth <ojayanth@gmail.com>

Add Ravi Teja as a reviewer

I have thorough understanding of certificate-manager

Here is my contribution in this repository
https://github.com/openbmc/phosphor-certificate-manager/commits?author=ra

Add Ravi Teja as a reviewer

I have thorough understanding of certificate-manager

Here is my contribution in this repository
https://github.com/openbmc/phosphor-certificate-manager/commits?author=raviteja-b

Thus, I apply to be a reviewer of this repo. Hope I can contribute
more and help the OpenBMC community.

Change-Id: Idc54cf25851d6b17ec27a376fc4ed3711c177b57
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>

show more ...

clang-format: copy latest and re-format

clang-format-17 has some backwards incompatible changes that require
additional settings for best compatibility and re-running the formatter.
Copy the latest

clang-format: copy latest and re-format

clang-format-17 has some backwards incompatible changes that require
additional settings for best compatibility and re-running the formatter.
Copy the latest .clang-format from the docs repository and reformat the
repository.

Change-Id: Iecd47831c4a1defc81f3e54332101dc48b0cb6ff
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

show more ...

Remove irrelevant TODO section

Issue#6 is no longer valid as per openssl issue
https://github.com/openssl/openssl/issues/20663

Change-Id: I01c5a61205756c1adda007408bf80a8c1aa1820d
Signed-off-by: Ra

Remove irrelevant TODO section

Issue#6 is no longer valid as per openssl issue
https://github.com/openssl/openssl/issues/20663

Change-Id: I01c5a61205756c1adda007408bf80a8c1aa1820d
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>

show more ...

logging: switch to lg2

It is recommended to use `phosphor::lg2` to format log,
and the correct `CODE_LINE` and `CODE_FUNC` values
can be used in log tracking.

Tested By: Built CertificateManager su

logging: switch to lg2

It is recommended to use `phosphor::lg2` to format log,
and the correct `CODE_LINE` and `CODE_FUNC` values
can be used in log tracking.

Tested By: Built CertificateManager successfully and Unit Test passes.

Change-Id: Ib2ff946febfe0335d4ecf5fa932683d3a0f117bb
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>

show more ...

config: Change authority D-Bus names

Initially CA certificate management service was intended to support only
LDAP usecases. However since some time this has become outdated, as
certificates stored

config: Change authority D-Bus names

Initially CA certificate management service was intended to support only
LDAP usecases. However since some time this has become outdated, as
certificates stored there might serve more purposes, such as SSL
handshakes or mTLS connections. Therefore, I'm proposing to change
service endpoint name from 'ldap' to something more generic, in order to
avoid any confusion, that could come up when developing applications
would like to utilize this feature.

Tested:
Service present on DBus under new name, along with proper object paths.

root@bmc-maca4bf018cd442:~# busctl list | grep phosphor-cert
...
xyz.openbmc_project.Certs.Manager.Authority.Truststore 256 phosphor-certif root :1.15 phosphor-certificate-manager@authority.service - -
...

root@bmc-maca4bf018cd442:~# busctl tree xyz.openbmc_project.Certs.Manager.Authority.Truststore
`-/xyz
`-/xyz/openbmc_project
`-/xyz/openbmc_project/certs
`-/xyz/openbmc_project/certs/authority
`-/xyz/openbmc_project/certs/authority/truststore

Change-Id: I1d2c4ef9e7b4846951ce4dd52f869d7c64f3902d
Signed-off-by: Michal Orzel <michalx.orzel@intel.com>

show more ...

meson_options.txt: Support for reading options from meson.options

Support has been added for reading options from meson.options instead
of meson_options.txt[1]. These are equivalent, but not using t

meson_options.txt: Support for reading options from meson.options

Support has been added for reading options from meson.options instead
of meson_options.txt[1]. These are equivalent, but not using the .txt
extension for a build file has a few advantages, chief among them
many tools and text editors expect a file with the .txt extension to
be plain text files, not build scripts.

[1] https://mesonbuild.com/Release-notes-for-1-1-0.html#support-for-reading-options-from-mesonoptions

Signed-off-by: George Liu <liuxiwei@inspur.com>
Change-Id: I9c44f30404cd5437429845d22a8062a984ea9905

show more ...

build: upgrade to C++23

Meson 1.1.1 and GCC-13 both support C++23 and a sufficient portion of
the standard has been implemented. Upgrade the build to leverage it.

Change-Id: Ic01fe99067eede474be18

build: upgrade to C++23

Meson 1.1.1 and GCC-13 both support C++23 and a sufficient portion of
the standard has been implemented. Upgrade the build to leverage it.

Change-Id: Ic01fe99067eede474be1861d3986a198c4ef765d
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

show more ...

clang-format: copy latest and re-format

clang-format-16 has some backwards incompatible changes that require
additional settings for best compatibility and re-running the formatter.
Copy the latest

clang-format: copy latest and re-format

clang-format-16 has some backwards incompatible changes that require
additional settings for best compatibility and re-running the formatter.
Copy the latest .clang-format from the docs repository and reformat the
repository.

Change-Id: Ie4138afe359d52b9f1a32fdff6890a90dd31efa8
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

show more ...

Allow for expired certificate

The code throws for an expired certificate, which results in the below
behavior:

1. If BMC starts when the time is invalid (e.g. the date is in 1970),
bmcweb will crea

Allow for expired certificate

The code throws for an expired certificate, which results in the below
behavior:

1. If BMC starts when the time is invalid (e.g. the date is in 1970),
bmcweb will create a default certificate with hostname `testhost`;

2. In later reboots when BMC get a valid time, the bmcweb loads the
certificate as before. But phosphor-certificate-manager will throw on
this certificate. Then there is no DBus object created for this
certificate (`/xyz/openbmc_project/certs/server/https/1`)

3. Due to the missing DBus object:
* We will not be able to replace the certificate, e.g. by below
Redfish URI:
```
/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
```
* When the BMC gets the hostname, bmcweb will generate a new
self-signed certificate with the hostname and replace it, the
replacement fails as well.

This commit adds a config option that allows the expired certificate to
be created on DBus and fixes the above issues and it is enabled by
default.

Signed-off-by: Lei YU <yulei.sh@bytedance.com>
Change-Id: Ib02bd686c9bfeb6401b269af20856824647f54c5

show more ...

meson: remove deprecated get_pkgconfig_variable

Since meson 0.56, the `get_pkgconfig_variable` has been deprecated. In
meson 0.58 the `get_variable` was enhanced to no longer require the
`pkgconfig

meson: remove deprecated get_pkgconfig_variable

Since meson 0.56, the `get_pkgconfig_variable` has been deprecated. In
meson 0.58 the `get_variable` was enhanced to no longer require the
`pkgconfig` keyword argument. Ensure meson 0.58 is required and update
the usage of all `get_pkgconfig_variable` and `get_variable` to be the
modern variant.

Change-Id: I02322901951608cb3348060f076be10a2a52d022
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

show more ...

markdownlint: fix all warnings

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I0f8f7fbc23cb0113c093cad8a7d722054eac960a

prettier: re-format

Prettier is enabled in openbmc-build-scripts on Markdown, JSON, and YAML
files to have consistent formatting for these file types. Re-run the
formatter on the whole repository.

prettier: re-format

Prettier is enabled in openbmc-build-scripts on Markdown, JSON, and YAML
files to have consistent formatting for these file types. Re-run the
formatter on the whole repository.

Change-Id: I29cc1a8c9003e1262aac7d27544f54599b3b1649
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

show more ...

bmc-vmi-ca: Fix executable name

The executable name expected by the bmc-vmi-ca-manager.service file is
bmc-vmi-ca, but when the repo was updated to use meson, the file name
was mistakenly set to bmc

bmc-vmi-ca: Fix executable name

The executable name expected by the bmc-vmi-ca-manager.service file is
bmc-vmi-ca, but when the repo was updated to use meson, the file name
was mistakenly set to bmc_vmi_ca.

Tested: Verified the service started successfully in p10bmc:
```
root@p10bmc:~# systemctl status bmc-vmi-ca-manager
* bmc-vmi-ca-manager.service - BMC VMI CA authority manager
Loaded: loaded
(8;;file://p10bmc/lib/systemd/system/bmc-vmi-ca-manager.service/lib/systemd/system/bmc-vmi-ca-manager.service8;;;
enabled; preset: enabled)
Active: active (running) since Thu 2022-12-01 20:45:46 UTC; 1min
44s ago
Main PID: 236 (bmc-vmi-ca)
CPU: 6ms
CGroup: /system.slice/bmc-vmi-ca-manager.service
`-236 /usr/bin/bmc-vmi-ca

Dec 01 20:45:45 p10bmc systemd[1]: Starting BMC VMI CA authority
manager...
Dec 01 20:45:46 p10bmc systemd[1]: Started BMC VMI CA authority manager.
```

Change-Id: Id32c79a470255e6818d46e27cab82e17fc10c4f4
Signed-off-by: Adriana Kobylak <anoo@us.ibm.com>

show more ...

Move Certificate install in resotre path to DEBUG

We are seeing 387+ `Certificate install` messages for a single boot in
the journal log.

Moved the `Certifacte install` log for the restore path to

Move Certificate install in resotre path to DEBUG

We are seeing 387+ `Certificate install` messages for a single boot in
the journal log.

Moved the `Certifacte install` log for the restore path to DEBUG instead
of INFO to remove it on the normal jorunal logs.

Tested:
```
systemctl status phosphor-certificate-manager@bmcweb.service
* phosphor-certificate-manager@bmcweb.service - Phosphor certificate manager for bmcweb
Loaded: loaded (/lib/systemd/system/phosphor-certificate-manager@.service; static)
Active: active (running) since Fri 2018-03-09 19:19:02 UTC; 24s ago
Main PID: 25773 (phosphor-certif)
CGroup: /system.slice/system-phosphor\x2dcertificate\x2dmanager.slice/phosphor-certificate-manager@bmcweb.service
`-25773 /usr/bin/phosphor-certificate-manager --endpoint https --path /path/server.pem --type server --unit server_creds.target

Mar 09 19:19:02 [hostname] systemd[1]: Started Phosphor certificate manager for bmcweb.
Mar 09 19:19:03 [hostname] phosphor-certificate-manager[25773]: Error occurred during X509_verify_cert call, checking for known error
Mar 09 19:19:03 [hostname] phosphor-certificate-manager[25773]: Certificate compareKeys
Mar 09 19:19:03 [hostname] phosphor-certificate-manager[25773]: Certificate install
...
```

Change-Id: I907afd6ce4522e5c54348d16c1ace0a770f3b8f1
Signed-off-by: Willy Tu <wltu@google.com>

show more ...

bmc-vmi-ca: use processs_loop

In reference [1], sdbusplus introduces its own process loop. This patch
removed the unncesssary sdeventplus dependency from bmc-vmi-ca, and uses
the sdbusplus built-in

bmc-vmi-ca: use processs_loop

In reference [1], sdbusplus introduces its own process loop. This patch
removed the unncesssary sdeventplus dependency from bmc-vmi-ca, and uses
the sdbusplus built-in process loop instead.

[1] https://gerrit.openbmc.org/c/openbmc/sdbusplus/+/56891

Tested:
1. The daemon starts correctly
2. Tested several dbus commands via busctl (introspect, DeleteAll, etc)

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I802f18f077e7b0bd3bf0b910c56b1f560fe342e7

show more ...

clang-tidy: enable clang-tidy

Enable the first check: readability-identifier-naming

Also fixed all check failures. The renaming is done by clang-tidy
automatically.

Tested:
1. compiles, no clang-t

clang-tidy: enable clang-tidy

Enable the first check: readability-identifier-naming

Also fixed all check failures. The renaming is done by clang-tidy
automatically.

Tested:
1. compiles, no clang-tidy failures
2. tested on QEMU, Redfish is working correctly
3. tested on s7106, Redfish is working correctly; certificates can be
retrieved.

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I3c5c9ca734146a94f4e0433ed8c1ae84173288c5

show more ...

certs manager test: remove unused codes

The "delete_" function is unused. It doesn't follow the naming
convention as well, which prevents us enable clang-tidy. See the child
patch.

This commit just

certs manager test: remove unused codes

The "delete_" function is unused. It doesn't follow the naming
convention as well, which prevents us enable clang-tidy. See the child
patch.

This commit just removed it.

Tested: unit test passed.

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I1f587c7b5e1af0eeedc9aac882be285e322bc23b

show more ...

lcov: remove the configure file

The file was created when this repo is using autotools. In meson repos,
I don't see this file in other repos.

I also searched the default lcov configurations [1]; th

lcov: remove the configure file

The file was created when this repo is using autotools. In meson repos,
I don't see this file in other repos.

I also searched the default lcov configurations [1]; the values in this
file are default values. I don't see it's neccessary to keep this file
in this project.

[1] https://www.systutorials.com/docs/linux/man/5-lcovrc/

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: Ife2fa3f01337db7ce11ac582fcd9fd6b40fe29a6

show more ...