History log of /openbmc/phosphor-certificate-manager/ (Results 1 – 25 of 136)
Revision Date Author Comments
798dca54 24-Mar-2024 Ravi Teja <raviteja28031990@gmail.com>

GenerateCSR: Avoid setting CSR version

Latest openssl displays as unknown version while parsing BMC generated
CSRs over openssl command line

As per openssl discussion in this issue, by default CSR version set to 1
https://github.com/openssl/openssl/issues/20663
The only defined CSR version is X509_REQ_VERSION_1, so there is no need
to call X509_REQ_set_version() to set version explicitly

This commit avoids calling X509_REQ_set_version() to set CSR version

Tested By:
1.Generate CSR using redfish interface
2.Parse csr using openssl and check version
openssl req -in csr.txt -noout -text
Certificate Request:
Data:
Version: 1 (0x0)

Change-Id: I29dfc50e661d39fe7930d65079abfee924745d21
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>

8dbcc72d 08-Dec-2023 Andrew Geissler <geissonator@yahoo.com>

certs_manager: log all OpenSSL errors on failure

I've been hitting intermittent fails in this code running simulation
with my system1 machine.

```
Sep 20 11:23:29 system1 phosphor-certificate-manager[237]: Error occurred during generate EC key
Sep 20 11:23:29 system1 phosphor-certificate-manager[237]: The operation failed internally.
Sep 20 11:23:29 system1 phosphor-certificate-manager[237]: The operation failed internally.
```

This code path logs an InternalError, which causes a BMC dump to get
generated. That dump causes the automated CI tests to fail.

The fail only occurs 1 out of every 10 runs and there's not currently
enough info to debug the cause of the fail. I think it may have to do
with the network or time being reconfigured during the same time the
certificate code is running but I have no evidence.

Doing some internet searching, it seems this ERR_print_errors_fp() call
is the recommended way to collect any debug info from OpenSSL libraries.
https://www.openssl.org/docs/man1.1.1/man3/ERR_print_errors_fp.html

Tested:
- Unfortunately I can not recreate this issue manually so all I've been
able to test is that this builds and does not affect the good path.

Change-Id: I373b8f481f393b3e783c1a0270c8f6f729c426a5
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>

50b5009a 30-Nov-2023 Jayanth Othayoth <ojayanth@gmail.com>

owners: updated Jayanth email

Change-Id: I0b4303591cf2dd95aaf02de578b9ffc8faedbdbe
Signed-off-by: Jayanth Othayoth <ojayanth@gmail.com>

a8de1b5a 25-Oct-2023 Ravi Teja <raviteja28031990@gmail.com>

Add Ravi Teja as a reviewer

I have thorough understanding of certificate-manager

Here is my contribution in this repository
https://github.com/openbmc/phosphor-certificate-manager/commits?author=raviteja-b

Thus, I apply to be a reviewer of this repo. Hope I can contribute
more and help the OpenBMC community.

Change-Id: Idc54cf25851d6b17ec27a376fc4ed3711c177b57
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>

d96b81ca 20-Oct-2023 Patrick Williams <patrick@stwcx.xyz>

clang-format: copy latest and re-format

clang-format-17 has some backwards incompatible changes that require
additional settings for best compatibility and re-running the formatter.
Copy the latest .clang-format from the docs repository and reformat the
repository.

Change-Id: Iecd47831c4a1defc81f3e54332101dc48b0cb6ff
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

4fea9c62 17-Oct-2023 Ravi Teja <raviteja28031990@gmail.com>

Remove irrelevant TODO section

Issue#6 is no longer valid as per openssl issue
https://github.com/openssl/openssl/issues/20663

Change-Id: I01c5a61205756c1adda007408bf80a8c1aa1820d
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>

f2646271 30-Sep-2023 Ravi Teja <raviteja28031990@gmail.com>

logging: switch to lg2

It is recommended to use `phosphor::lg2` to format log,
and the correct `CODE_LINE` and `CODE_FUNC` values
can be used in log tracking.

Tested By: Built CertificateManager successfully and Unit Test passes.

Change-Id: Ib2ff946febfe0335d4ecf5fa932683d3a0f117bb
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>

2e8fa88e 27-Jul-2023 Michal Orzel <michalx.orzel@intel.com>

config: Change authority D-Bus names

Initially CA certificate management service was intended to support only
LDAP usecases. However since some time this has become outdated, as
certificates stored there might serve more purposes, such as SSL
handshakes or mTLS connections. Therefore, I'm proposing to change
service endpoint name from 'ldap' to something more generic, in order to
avoid any confusion, that could come up when developing applications
would like to utilize this feature.

Tested:
Service present on DBus under new name, along with proper object paths.

root@bmc-maca4bf018cd442:~# busctl list | grep phosphor-cert
...
xyz.openbmc_project.Certs.Manager.Authority.Truststore 256 phosphor-certif root :1.15 phosphor-certificate-manager@authority.service - -
...

root@bmc-maca4bf018cd442:~# busctl tree xyz.openbmc_project.Certs.Manager.Authority.Truststore
`-/xyz
`-/xyz/openbmc_project
`-/xyz/openbmc_project/certs
`-/xyz/openbmc_project/certs/authority
`-/xyz/openbmc_project/certs/authority/truststore

Change-Id: I1d2c4ef9e7b4846951ce4dd52f869d7c64f3902d
Signed-off-by: Michal Orzel <michalx.orzel@intel.com>

2e8ef4ce 15-Aug-2023 George Liu <liuxiwei@inspur.com>

meson_options.txt: Support for reading options from meson.options

Support has been added for reading options from meson.options instead
of meson_options.txt[1]. These are equivalent, but not using the .txt
extension for a build file has a few advantages, chief among them
many tools and text editors expect a file with the .txt extension to
be plain text files, not build scripts.

[1] https://mesonbuild.com/Release-notes-for-1-1-0.html#support-for-reading-options-from-mesonoptions

Signed-off-by: George Liu <liuxiwei@inspur.com>
Change-Id: I9c44f30404cd5437429845d22a8062a984ea9905

23778dd4 17-Jul-2023 Patrick Williams <patrick@stwcx.xyz>

build: upgrade to C++23

Meson 1.1.1 and GCC-13 both support C++23 and a sufficient portion of
the standard has been implemented. Upgrade the build to leverage it.

Change-Id: Ic01fe99067eede474be1861d3986a198c4ef765d
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

223e4604 10-May-2023 Patrick Williams <patrick@stwcx.xyz>

clang-format: copy latest and re-format

clang-format-16 has some backwards incompatible changes that require
additional settings for best compatibility and re-running the formatter.
Copy the latest .clang-format from the docs repository and reformat the
repository.

Change-Id: Ie4138afe359d52b9f1a32fdff6890a90dd31efa8
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

3c478144 27-Jun-2022 Lei YU <yulei.sh@bytedance.com>

Allow for expired certificate

The code throws for an expired certificate, which results in the below
behavior:

1. If BMC starts when the time is invalid (e.g. the date is in 1970),
bmcweb will create a default certificate with hostname `testhost`;

2. In later reboots when BMC get a valid time, the bmcweb loads the
certificate as before. But phosphor-certificate-manager will throw on
this certificate. Then there is no DBus object created for this
certificate (`/xyz/openbmc_project/certs/server/https/1`)

3. Due to the missing DBus object:
* We will not be able to replace the certificate, e.g. by below
Redfish URI:
```
/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
```
* When the BMC gets the hostname, bmcweb will generate a new
self-signed certificate with the hostname and replace it, the
replacement fails as well.

This commit adds a config option that allows the expired certificate to
be created on DBus and fixes the above issues and it is enabled by
default.

Signed-off-by: Lei YU <yulei.sh@bytedance.com>
Change-Id: Ib02bd686c9bfeb6401b269af20856824647f54c5

75111af1 12-Apr-2023 Patrick Williams <patrick@stwcx.xyz>

meson: remove deprecated get_pkgconfig_variable

Since meson 0.56, the `get_pkgconfig_variable` has been deprecated. In
meson 0.58 the `get_variable` was enhanced to no longer require the
`pkgconfig` keyword argument. Ensure meson 0.58 is required and update
the usage of all `get_pkgconfig_variable` and `get_variable` to be the
modern variant.

Change-Id: I02322901951608cb3348060f076be10a2a52d022
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

16b6c358 08-Dec-2022 Patrick Williams <patrick@stwcx.xyz>

markdownlint: fix all warnings

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I0f8f7fbc23cb0113c093cad8a7d722054eac960a

0aea2169 08-Dec-2022 Patrick Williams <patrick@stwcx.xyz>

prettier: re-format

Prettier is enabled in openbmc-build-scripts on Markdown, JSON, and YAML
files to have consistent formatting for these file types. Re-run the
formatter on the whole repository.

Change-Id: I29cc1a8c9003e1262aac7d27544f54599b3b1649
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

8dd31c80 29-Nov-2022 Adriana Kobylak <anoo@us.ibm.com>

bmc-vmi-ca: Fix executable name

The executable name expected by the bmc-vmi-ca-manager.service file is
bmc-vmi-ca, but when the repo was updated to use meson, the file name
was mistakenly set to bmc_vmi_ca.

Tested: Verified the service started successfully in p10bmc:
```
root@p10bmc:~# systemctl status bmc-vmi-ca-manager
* bmc-vmi-ca-manager.service - BMC VMI CA authority manager
Loaded: loaded
(/lib/systemd/system/bmc-vmi-ca-manager.service;
enabled; preset: enabled)
Active: active (running) since Thu 2022-12-01 20:45:46 UTC; 1min
44s ago
Main PID: 236 (bmc-vmi-ca)
CPU: 6ms
CGroup: /system.slice/bmc-vmi-ca-manager.service
`-236 /usr/bin/bmc-vmi-ca

Dec 01 20:45:45 p10bmc systemd[1]: Starting BMC VMI CA authority
manager...
Dec 01 20:45:46 p10bmc systemd[1]: Started BMC VMI CA authority manager.
```

Change-Id: Id32c79a470255e6818d46e27cab82e17fc10c4f4
Signed-off-by: Adriana Kobylak <anoo@us.ibm.com>

698a5743 23-Sep-2022 Willy Tu <wltu@google.com>

Move Certificate install in restore path to DEBUG

We are seeing 387+ `Certificate install` messages for a single boot in
the journal log.

Moved the `Certificate install` log for the restore path to DEBUG instead
of INFO to remove it on the normal journal logs.

Tested:
```
systemctl status phosphor-certificate-manager@bmcweb.service
* phosphor-certificate-manager@bmcweb.service - Phosphor certificate manager for bmcweb
Loaded: loaded (/lib/systemd/system/phosphor-certificate-manager@.service; static)
Active: active (running) since Fri 2018-03-09 19:19:02 UTC; 24s ago
Main PID: 25773 (phosphor-certif)
CGroup: /system.slice/system-phosphor\x2dcertificate\x2dmanager.slice/phosphor-certificate-manager@bmcweb.service
`-25773 /usr/bin/phosphor-certificate-manager --endpoint https --path /path/server.pem --type server --unit server_creds.target

Mar 09 19:19:02 [hostname] systemd[1]: Started Phosphor certificate manager for bmcweb.
Mar 09 19:19:03 [hostname] phosphor-certificate-manager[25773]: Error occurred during X509_verify_cert call, checking for known error
Mar 09 19:19:03 [hostname] phosphor-certificate-manager[25773]: Certificate compareKeys
Mar 09 19:19:03 [hostname] phosphor-certificate-manager[25773]: Certificate install
...
```

Change-Id: I907afd6ce4522e5c54348d16c1ace0a770f3b8f1
Signed-off-by: Willy Tu <wltu@google.com>

6f45ce04 19-Sep-2022 Nan Zhou <nanzhoumails@gmail.com>

bmc-vmi-ca: use processs_loop

In reference [1], sdbusplus introduces its own process loop. This patch
removed the unnecessary sdeventplus dependency from bmc-vmi-ca, and uses
the sdbusplus built-in process loop instead.

[1] https://gerrit.openbmc.org/c/openbmc/sdbusplus/+/56891

Tested:
1. The daemon starts correctly
2. Tested several dbus commands via busctl (introspect, DeleteAll, etc)

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I802f18f077e7b0bd3bf0b910c56b1f560fe342e7

e3d47cd4 15-Sep-2022 Nan Zhou <nanzhoumails@gmail.com>

clang-tidy: enable clang-tidy

Enable the first check: readability-identifier-naming

Also fixed all check failures. The renaming is done by clang-tidy
automatically.

Tested:
1. compiles, no clang-tidy failures
2. tested on QEMU, Redfish is working correctly
3. tested on s7106, Redfish is working correctly; certificates can be
retrieved.

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I3c5c9ca734146a94f4e0433ed8c1ae84173288c5

2a3a9fcb 20-Sep-2022 Nan Zhou <nanzhoumails@gmail.com>

certs manager test: remove unused codes

The "delete_" function is unused. It doesn't follow the naming
convention as well, which prevents us enable clang-tidy. See the child
patch.

This commit just removed it.

Tested: unit test passed.

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I1f587c7b5e1af0eeedc9aac882be285e322bc23b

fd3ad1b0 15-Sep-2022 Nan Zhou <nanzhoumails@gmail.com>

lcov: remove the configure file

The file was created when this repo is using autotools. In meson repos,
I don't see this file in other repos.

I also searched the default lcov configurations [1]; the values in this
file are default values. I don't see it's necessary to keep this file
in this project.

[1] https://www.systutorials.com/docs/linux/man/5-lcovrc/

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: Ife2fa3f01337db7ce11ac582fcd9fd6b40fe29a6

49841d6e 15-Sep-2022 Nan Zhou <nanzhoumails@gmail.com>

gitlint: check commit message

Check commit message when running CI for this project.

Reference:
[1] https://github.com/openbmc/openbmc-build-scripts/blob/fb9948a3a859500188e468d4f247b13687f3fefb/scripts/format-code.sh#L30

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I289707de2114a9ee399eafd8875ae5f2b7cfeaac

b3ed3ece 15-Sep-2022 Nan Zhou <nanzhoumails@gmail.com>

remove Ed from owners

The previous commit [1] didn't remove Ed from the owner list but only
from the openbmc list. This patch fixed that. See the original commit
about why Ed removes himself.

[1] https://github.com/openbmc/phosphor-certificate-manager/commit/8135881590a78b7d101933dce1a1bce66aa1f8d1

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I3dbda0b03043a910cd2c263115bde3def9d19dce

56bfa731 15-Sep-2022 Nan Zhou <nanzhoumails@gmail.com>

fix HEAD

The HEAD doesn't build now because of a typo

Tested: unit test passed

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I03339ca0f4b251154a5297cad041d93f09be9538

b3dbfb37 22-Jul-2022 Patrick Williams <patrick@stwcx.xyz>

sdbusplus: use shorter type aliases

The sdbusplus headers provide shortened aliases for many types.
Switch to using them to provide better code clarity and shorter
lines. Possible replacements are for:
* bus_t
* exception_t
* manager_t
* match_t
* message_t
* object_t
* slot_t

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I9bb7b9a430d029ddaf2a08ea26acb775b9b2b152
