clang-format: re-format for clang-18

clang-format-18 isn't compatible with the clang-format-17 output, so we
need to reformat the code with the latest version. The way clang-18
handles lambda forma

clang-format: re-format for clang-18

clang-format-18 isn't compatible with the clang-format-17 output, so we
need to reformat the code with the latest version. The way clang-18
handles lambda formatting also changed, so we have made changes to the
organization default style format to better handle lambda formatting.

See I5e08687e696dd240402a2780158664b7113def0e for updated style.
See Iea0776aaa7edd483fa395e23de25ebf5a6288f71 for clang-18 enablement.

Change-Id: Ic1ad64722b2368169dfb0e62c37f7f3c1ff20fe8
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

show more ...

GenerateCSR: Avoid setting CSR version

Latest openssl displays as unknown version while parsing BMC generated
CSRs over openssl command line

As per openssl discussion in this issue, by default CSR

GenerateCSR: Avoid setting CSR version

Latest openssl displays as unknown version while parsing BMC generated
CSRs over openssl command line

As per openssl discussion in this issue, by default CSR version set to 1
https://github.com/openssl/openssl/issues/20663
The only defined CSR version is X509_REQ_VERSION_1, so there is no need
to call X509_REQ_set_version() to set version explicitly

This commit avoids calling X509_REQ_set_version() to set CSR version

Tested By:
1.Generate CSR using redfish interface
2.Parse csr using openssl and check version
openssl req -in csr.txt -noout -text
Certificate Request:
Data:
Version: 1 (0x0)

Change-Id: I29dfc50e661d39fe7930d65079abfee924745d21
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>

show more ...

certs_manager: log all OpenSSL errors on failure

I've been hitting intermittent fails in this code running simulation
with my system1 machine.

```
Sep 20 11:23:29 system1 phosphor-certificate-manag

certs_manager: log all OpenSSL errors on failure

I've been hitting intermittent fails in this code running simulation
with my system1 machine.

```
Sep 20 11:23:29 system1 phosphor-certificate-manager[237]: Error occurred during generate EC key
Sep 20 11:23:29 system1 phosphor-certificate-manager[237]: The operation failed internally.
Sep 20 11:23:29 system1 phosphor-certificate-manager[237]: The operation failed internally.
```

This code path logs an InternalError, which causes a BMC dump to get
generated. That dump causes the automated CI tests to fail.

The fail only occurs 1 out of every 10 runs and there's not currently
enough info to debug the cause of the fail. I think it may have to do
with the network or time being reconfigured during the same time the
certificate code is running but I have no evidence.

Doing some internet searching, it seems this ERR_print_errors_fp() call
is the recommended way to collect any debug info from OpenSSL libraries.
https://www.openssl.org/docs/man1.1.1/man3/ERR_print_errors_fp.html

Tested:
- Unfortunately I can not recreate this issue manually so all I've been
able to test is that this builds and does not affect the good path.

Change-Id: I373b8f481f393b3e783c1a0270c8f6f729c426a5
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>

show more ...

clang-format: copy latest and re-format

clang-format-17 has some backwards incompatible changes that require
additional settings for best compatibility and re-running the formatter.
Copy the latest

clang-format: copy latest and re-format

clang-format-17 has some backwards incompatible changes that require
additional settings for best compatibility and re-running the formatter.
Copy the latest .clang-format from the docs repository and reformat the
repository.

Change-Id: Iecd47831c4a1defc81f3e54332101dc48b0cb6ff
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

show more ...

Remove irrelevant TODO section

Issue#6 is no longer valid as per openssl issue
https://github.com/openssl/openssl/issues/20663

Change-Id: I01c5a61205756c1adda007408bf80a8c1aa1820d
Signed-off-by: Ra

Remove irrelevant TODO section

Issue#6 is no longer valid as per openssl issue
https://github.com/openssl/openssl/issues/20663

Change-Id: I01c5a61205756c1adda007408bf80a8c1aa1820d
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>

show more ...

logging: switch to lg2

It is recommended to use `phosphor::lg2` to format log,
and the correct `CODE_LINE` and `CODE_FUNC` values
can be used in log tracking.

Tested By: Built CertificateManager su

logging: switch to lg2

It is recommended to use `phosphor::lg2` to format log,
and the correct `CODE_LINE` and `CODE_FUNC` values
can be used in log tracking.

Tested By: Built CertificateManager successfully and Unit Test passes.

Change-Id: Ib2ff946febfe0335d4ecf5fa932683d3a0f117bb
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>

show more ...

clang-format: copy latest and re-format

clang-format-16 has some backwards incompatible changes that require
additional settings for best compatibility and re-running the formatter.
Copy the latest

clang-format: copy latest and re-format

clang-format-16 has some backwards incompatible changes that require
additional settings for best compatibility and re-running the formatter.
Copy the latest .clang-format from the docs repository and reformat the
repository.

Change-Id: Ie4138afe359d52b9f1a32fdff6890a90dd31efa8
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

show more ...

Move Certificate install in resotre path to DEBUG

We are seeing 387+ `Certificate install` messages for a single boot in
the journal log.

Moved the `Certifacte install` log for the restore path to

Move Certificate install in resotre path to DEBUG

We are seeing 387+ `Certificate install` messages for a single boot in
the journal log.

Moved the `Certifacte install` log for the restore path to DEBUG instead
of INFO to remove it on the normal jorunal logs.

Tested:
```
systemctl status phosphor-certificate-manager@bmcweb.service
* phosphor-certificate-manager@bmcweb.service - Phosphor certificate manager for bmcweb
Loaded: loaded (/lib/systemd/system/phosphor-certificate-manager@.service; static)
Active: active (running) since Fri 2018-03-09 19:19:02 UTC; 24s ago
Main PID: 25773 (phosphor-certif)
CGroup: /system.slice/system-phosphor\x2dcertificate\x2dmanager.slice/phosphor-certificate-manager@bmcweb.service
`-25773 /usr/bin/phosphor-certificate-manager --endpoint https --path /path/server.pem --type server --unit server_creds.target

Mar 09 19:19:02 [hostname] systemd[1]: Started Phosphor certificate manager for bmcweb.
Mar 09 19:19:03 [hostname] phosphor-certificate-manager[25773]: Error occurred during X509_verify_cert call, checking for known error
Mar 09 19:19:03 [hostname] phosphor-certificate-manager[25773]: Certificate compareKeys
Mar 09 19:19:03 [hostname] phosphor-certificate-manager[25773]: Certificate install
...
```

Change-Id: I907afd6ce4522e5c54348d16c1ace0a770f3b8f1
Signed-off-by: Willy Tu <wltu@google.com>

show more ...

clang-tidy: enable clang-tidy

Enable the first check: readability-identifier-naming

Also fixed all check failures. The renaming is done by clang-tidy
automatically.

Tested:
1. compiles, no clang-t

clang-tidy: enable clang-tidy

Enable the first check: readability-identifier-naming

Also fixed all check failures. The renaming is done by clang-tidy
automatically.

Tested:
1. compiles, no clang-tidy failures
2. tested on QEMU, Redfish is working correctly
3. tested on s7106, Redfish is working correctly; certificates can be
retrieved.

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I3c5c9ca734146a94f4e0433ed8c1ae84173288c5

show more ...

sdbusplus: use shorter type aliases

The sdbusplus headers provide shortened aliases for many types.
Switch to using them to provide better code clarity and shorter
lines. Possible replacements are

sdbusplus: use shorter type aliases

The sdbusplus headers provide shortened aliases for many types.
Switch to using them to provide better code clarity and shorter
lines. Possible replacements are for:
* bus_t
* exception_t
* manager_t
* match_t
* message_t
* object_t
* slot_t

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I9bb7b9a430d029ddaf2a08ea26acb775b9b2b152

show more ...

InstallAll: add logs before and after installation

We have some issues internally about authority list installation. We
found these logs could help debug in the future.

Signed-off-by: Nan Zhou <nan

InstallAll: add logs before and after installation

We have some issues internally about authority list installation. We
found these logs could help debug in the future.

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I99cb0c1bcd73d65207fb72c597e32a0ec4f8cd92

show more ...

Authorities list: implement InstallAll & ReplaceAll

This change implements the design in
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/49317.

InstallAll: enumerate all certs in the input file

Authorities list: implement InstallAll & ReplaceAll

This change implements the design in
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/49317.

InstallAll: enumerate all certs in the input file and install all of
them;
ReplaceAll: replace all certs with the new authorities list
Atomic: implemented via creating temporary folder and issuing swap.

Added ability to unit test service reload as well.

Tested:
1. Unit tests
2. Tested loading/deleting authorities list in QEMU.

```
root@xxx:~# busctl call xyz.openbmc_project.Certs.Manager.Authority.Ldap \
> /xyz/openbmc_project/certs/authority/ldap \
> xyz.openbmc_project.Certs.InstallAll \
> InstallAll s /tmp/trust_bundle.pem
as 3 "/xyz/openbmc_project/certs/authority/ldap/1"
"/xyz/openbmc_project/certs/authority/ldap/2"
"/xyz/openbmc_project/certs/authority/ldap/3"
root@xxx:~# ls /etc/ssl/certs/authority/
10a5d8b0.0 5b49ceaa.0 f3ddaa86.0 file0qmgPV fileDbjTzW fileR4TtjO
trust_bundle
root@xxx:~# busctl call
xyz.openbmc_project.Certs.Manager.Authority.Ldap
/xyz/openbmc_project/certs/authority/ldap
xyz.openbmc_project.Certs.ReplaceAll ReplaceAll s /tmp/trust_bundle.pem
root@xxx:~# ls /etc/ssl/certs/authority/
10a5d8b0.0 5b49ceaa.0 f3ddaa86.0 file1obsEZ fileOqVoaC filerUBZCj
trust_bundle

root@xxx:~# wget -qO- http://localhost/redfish/v1/Managers/bmc/Truststore/Certificates/
{
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/",
"@odata.type": "#CertificateCollection.CertificateCollection",
"Description": "A Collection of TrustStore certificate instances",
"Members": [
{
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/1"
},
{
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/2"
},
{
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/3"
}
],
"Members@odata.count": 3,
"Name": "TrustStore Certificates Collection"
}
root@xxx:~# wget -qO- http://localhost/redfish/v1/Managers/bmc/Truststore/Certificates/1
{
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/1",
"@odata.type": "#Certificate.v1_0_0.Certificate",
"CertificateString": "-----BEGIN CERTIFICATE-----\nMIICZTCCAgugAwIBAgIUANIf0jvaRNq1MdwxrXPnk25VrmYwCgYIKoZIzj0EAwIw\nVTETMBEGA1UEChMKY2FtcHVzLWFzaDENMAsGA1UECxMEcm9vdDEvMC0GA1UEAwwm\ne2QyZWQ1MGJkLTczMTQtNDgxZC04OWE0LTVkMjkxMmYyMGQ5NH0wIBcNNzAwMTAx\nMDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMFUxEzARBgNVBAoTCmNhbXB1cy1hc2gx\nDTALBgNVBAsTBHJvb3QxLzAtBgNVBAMMJntkMmVkNTBiZC03MzE0LTQ4MWQtODlh\nNC01ZDI5MTJmMjBkOTR9MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lp/J3Gj\nc4TKubuYtzpxu2D3STlwTwEjgFbTaLZnQ0KXt7pBrcYc3yY1t74WBluvzM9iok6Q\nDcEFX5aIYcoaAKOBtjCBszAOBgNVHQ8BAf8EBAMCAQYwKQYDVR0lBCIwIAYIKwYB\nBQUHAwEGCCsGAQUFBwMCBgorBgEEAdZ5AgcBMA8GA1UdEwEB/wQFMAMBAf8wHQYD\nVR0OBBYEFIPrX7lbeJhvHHcQ7iYOry50aYKYMBcGA1UdIAQQMA4wDAYKKwYBBAHW\neQIFBDAtBgNVHR4BAf8EIzAhoB8wHYYbLmNhbXB1cy1hc2gucHJvZC5nb29nbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIAS/ZrMPBj992vVVplwzH9DWDCSMu1rCgvqw\nam3byOT1AiEAyrr3FAP+7js7z+h8d94hTyy1kTn+4NOvUWrVzHUmJI8=\n-----END CERTIFICATE-----\n",
"Description": "TrustStore Certificate",
"Id": "1",
"Issuer": {
"CommonName": "{d2ed50bd-7314-481d-89a4-5d2912f20d94}",
"Organization": "campus-ash",
"OrganizationalUnit": "root"
},
"KeyUsage": [
"CRLSigning",
"ServerAuthentication",
"ClientAuthentication",
""
],
"Name": "TrustStore Certificate",
"Subject": {
"CommonName": "{d2ed50bd-7314-481d-89a4-5d2912f20d94}",
"Organization": "campus-ash",
"OrganizationalUnit": "root"
},
"ValidNotAfter": "9999-12-31T23:59:59+00:00",
"ValidNotBefore": "1970-01-01T00:00:00+00:00"
}
```

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I495f5c1c1c4a2ac880dd3233be31b84a78d79a43

show more ...

iwyu

This changes uses its best effort to clean up headers according to iwyu.

Reference:
https://include-what-you-use.org/

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: Ibd8bd8735238

iwyu

This changes uses its best effort to clean up headers according to iwyu.

Reference:
https://include-what-you-use.org/

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: Ibd8bd8735238d6ec101a2428241bb1727e3ac9a9

show more ...

clean up using directives and type alias

Most C++ style guides try to avoid using directives in headers and also
suggest using type alias carefully, according to which, this change does
the followin

clean up using directives and type alias

Most C++ style guides try to avoid using directives in headers and also
suggest using type alias carefully, according to which, this change does
the following clean up:

1. used Enum class to represent Certificate type
2. removed all using directives: e.g. the phosphor logging namespace;
instead, this change uses using declarations
3. removed unnecessary type alias; in existing codes, we only support
strings as types of UnitToRestart, InstallPath, UploadPath, etc; this
change uses std::string directly
4. moved all alias outside any class scope into source files or an
internal namespace
5. renamed types, constants, classes as per OpenBMC style guide
6. fixed all compilation errors and some warnings after the refactoring;
built with both Clang & GCC

Reference:
https://docs.microsoft.com/en-us/cpp/cpp/header-files-cpp?view=msvc-170#what-to-put-in-a-header-file
https://google.github.io/styleguide/cppguide.html#Namespaces

Tested:
Unit tests

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I58e026934a4e969f4d8877801c8f3c671990468a

show more ...

use RAII to manager RSA pointers

Tested:
unit tests.

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I8888f01e0f64836ca36f03c79307c1044d0dae44

config.h.in: use const variables instead of macros

Most style guides try to avoid preprocessor macros, especially the use
case here: const objects. This change replaced them with const
variables. Th

config.h.in: use const variables instead of macros

Most style guides try to avoid preprocessor macros, especially the use
case here: const objects. This change replaced them with const
variables. Their names are also changed according to the OpenBMC style
guide.

Reference:
https://google.github.io/styleguide/cppguide.html#Preprocessor_Macros

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I0786c7c83f3a0d892c14f1cb813d0aa16d627b3e

show more ...

Use nested namespace

Nested namespace is introduced in C++ 17. This saves nearly 50 lines.
This change also puts tests into a nested namespace, which saves
unnecessary using directives.

Signed-off-

Use nested namespace

Nested namespace is introduced in C++ 17. This saves nearly 50 lines.
This change also puts tests into a nested namespace, which saves
unnecessary using directives.

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I7c3e38588fd5c2cbd83ac13ee24327318e8c06a4

show more ...

Modernize use nullptr

NULL => nullptr as per modernize-use-nullptr.

After this change:
```
grep "NULL" -r */*.*pp *.*pp
None
```

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: Iecddab

Modernize use nullptr

NULL => nullptr as per modernize-use-nullptr.

After this change:
```
grep "NULL" -r */*.*pp *.*pp
None
```

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: Iecddab6fba06f959866048eff4496310453d0fde

show more ...

Fix typos

After this change:
```
codespell --builtin clear,rare,en-GB_to_en-US -d --count --skip
"./subprojects/*,./.git" .
0
```

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I7bc4c9

Fix typos

After this change:
```
codespell --builtin clear,rare,en-GB_to_en-US -d --count --skip
"./subprojects/*,./.git" .
0
```

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I7bc4c94facdd366dea91e456e7ef8a0b05532b99

show more ...

certs_manager: switch keygen to support openssl-3

Many of the functions currently used to generate key pairs are
deprecated in OpenSSL-3. Update keygen functions to use non-deprecated

certs_manager: switch keygen to support openssl-3

Many of the functions currently used to generate key pairs are
deprecated in OpenSSL-3. Update keygen functions to use non-deprecated
functions.

Unfortunately, the replacement functions are not available in
OpenSSL-1, so we have to add an #ifdef block around the proper routines
for each version.

Tested: Ran test cases under both OpenSSL1 and OpenSSL3.

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I888a8a796cc97caf8c402cd546ab39b4931960ed

show more ...

catch exceptions as const

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I5dd93e951abc51abb78d3798d7ca2b32d333ee76

exception: switch to public sdbus exception

SdBusError was intended to be a private error type inside sdbusplus.
Switch all catch locations to use the general sdbusplus::exception type.

exception: switch to public sdbus exception

SdBusError was intended to be a private error type inside sdbusplus.
Switch all catch locations to use the general sdbusplus::exception type.

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I48d2dfbed5d63be184aa573ad2e12c653992baa6

show more ...

Add fix for Missing "OU" OrganizationalUnit CSR

generateCSR function missed to include the "OU" field
information during CSR generation. Fix is to add this
missing field in the CSR.

Add fix for Missing "OU" OrganizationalUnit CSR

generateCSR function missed to include the "OU" field
information during CSR generation. Fix is to add this
missing field in the CSR.

Details available in issue #phosphor-certificate-manager/18

Tested:
Created CSR string and verified "OU" field is present.

Signed-off-by: Jayanth Othayoth <ojayanth@in.ibm.com>
Change-Id: I70a7d53f85b01241b91e40e666539c194e217973

show more ...

genCSR: Fix to catch InvalidArgument exception

Currently unit test cases (TestGenerateCSRwithUnsupportedKeyPairAlgorithm and
TestRSAKeyWithUnsupportedKeyBitLength) are failed with below

genCSR: Fix to catch InvalidArgument exception

Currently unit test cases (TestGenerateCSRwithUnsupportedKeyPairAlgorithm and
TestRSAKeyWithUnsupportedKeyBitLength) are failed with below mentioned error when
using unsupported values to generate CSR. The problem is, did not catch the thrown
exception for handling unsupported values. So, In this patch added catch block to
capture the thrown exception.

Error:
C++ exception with description "xyz.openbmc_project.Common.Error.InvalidArgument:
Invalid argument was given." thrown in the test body.

TestedBy:
- Ran Unit Test cases.

Signed-off-by: Ramesh Iyyar <rameshi1@in.ibm.com>
Change-Id: I4ec0b8a926dacd4c3fb6751e48502776d5cc436b

show more ...

Fix application crash issue with uncaught exception

This change is to not to let the certificate manager crash
with uncaught exception in the constructor.

Due to uncaught except

Fix application crash issue with uncaught exception

This change is to not to let the certificate manager crash
with uncaught exception in the constructor.

Due to uncaught exception during code update application was crashing
as shown in below traces
phosphor-certificate-manager[804]: Legacy certificate detected, will be
installed from:
phosphor-certificate-manager[804]: The operation is not allowed
hosphor-certificate-manager[804]: terminate called after throwing an instance of
'sdbusplus::xyz::openbmc_project::Common::Error::NotAllowed'

Also caters to fix
https://github.com/openbmc/phosphor-certificate-manager/issues/12

could not reproduce issue12 but this fix should help

Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
Change-Id: If0156c35dcc8b44659c4846215b6f45a81685c3e

show more ...