History log of /openbmc/phosphor-certificate-manager/test/ (Results 1 – 25 of 48)
Revision Date Author Comments
887ba5bf 19-Jun-2024 Ravi Teja <raviteja28031990@gmail.com>

Test: Fix CI failure

Currently CI fails with --wrapper 'valgrind --error-exitcode=1'

This commit fixes few variables initialization in test code and increase
timeout to generate certs to 500 seconds considering valgrind enabled.

Tested by:
CI passed with --wrapper 'valgrind --error-exitcode=1'

Change-Id: I1bf26fb2fafbf68bcb128eb77083a99867dd21c8
Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>

2e8fa88e 27-Jul-2023 Michal Orzel <michalx.orzel@intel.com>

config: Change authority D-Bus names

Initially CA certificate management service was intended to support only
LDAP usecases. However since some time this has become outdated, as
certificates stored there might serve more purposes, such as SSL
handshakes or mTLS connections. Therefore, I'm proposing to change
service endpoint name from 'ldap' to something more generic, in order to
avoid any confusion, that could come up when developing applications
would like to utilize this feature.

Tested:
Service present on DBus under new name, along with proper object paths.

root@bmc-maca4bf018cd442:~# busctl list | grep phosphor-cert
...
xyz.openbmc_project.Certs.Manager.Authority.Truststore 256 phosphor-certif root :1.15 phosphor-certificate-manager@authority.service - -
...

root@bmc-maca4bf018cd442:~# busctl tree xyz.openbmc_project.Certs.Manager.Authority.Truststore
`-/xyz
`-/xyz/openbmc_project
`-/xyz/openbmc_project/certs
`-/xyz/openbmc_project/certs/authority
`-/xyz/openbmc_project/certs/authority/truststore

Change-Id: I1d2c4ef9e7b4846951ce4dd52f869d7c64f3902d
Signed-off-by: Michal Orzel <michalx.orzel@intel.com>

223e4604 10-May-2023 Patrick Williams <patrick@stwcx.xyz>

clang-format: copy latest and re-format

clang-format-16 has some backwards incompatible changes that require
additional settings for best compatibility and re-running the formatter.
Copy the latest .clang-format from the docs repository and reformat the
repository.

Change-Id: Ie4138afe359d52b9f1a32fdff6890a90dd31efa8
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>

6f45ce04 19-Sep-2022 Nan Zhou <nanzhoumails@gmail.com>

bmc-vmi-ca: use processs_loop

In reference [1], sdbusplus introduces its own process loop. This patch
removed the unnecessary sdeventplus dependency from bmc-vmi-ca, and uses
the sdbusplus built-in process loop instead.

[1] https://gerrit.openbmc.org/c/openbmc/sdbusplus/+/56891

Tested:
1. The daemon starts correctly
2. Tested several dbus commands via busctl (introspect, DeleteAll, etc)

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I802f18f077e7b0bd3bf0b910c56b1f560fe342e7

e3d47cd4 15-Sep-2022 Nan Zhou <nanzhoumails@gmail.com>

clang-tidy: enable clang-tidy

Enable the first check: readability-identifier-naming

Also fixed all check failures. The renaming is done by clang-tidy
automatically.

Tested:
1. compiles, no clang-tidy failures
2. tested on QEMU, Redfish is working correctly
3. tested on s7106, Redfish is working correctly; certificates can be
retrieved.

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I3c5c9ca734146a94f4e0433ed8c1ae84173288c5

2a3a9fcb 20-Sep-2022 Nan Zhou <nanzhoumails@gmail.com>

certs manager test: remove unused codes

The "delete_" function is unused. It doesn't follow the naming
convention as well, which prevents us enable clang-tidy. See the child
patch.

This commit just removed it.

Tested: unit test passed.

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I1f587c7b5e1af0eeedc9aac882be285e322bc23b

56bfa731 15-Sep-2022 Nan Zhou <nanzhoumails@gmail.com>

fix HEAD

The HEAD doesn't build now because of a typo

Tested: unit test passed

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I03339ca0f4b251154a5297cad041d93f09be9538

b3dbfb37 22-Jul-2022 Patrick Williams <patrick@stwcx.xyz>

sdbusplus: use shorter type aliases

The sdbusplus headers provide shortened aliases for many types.
Switch to using them to provide better code clarity and shorter
lines. Possible replacements are for:
* bus_t
* exception_t
* manager_t
* match_t
* message_t
* object_t
* slot_t

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I9bb7b9a430d029ddaf2a08ea26acb775b9b2b152

7047be67 10-Mar-2022 Nan Zhou <nanzhoumails@gmail.com>

argument parser: use CLI11 and add unit tests

CLI11 is one of the most commonly used argument parsers in OpenBMC. It can
save ~150 lines of code in this project.

We are hitting argument-related bugs that are not covered in unit tests.
This test adds a test for argument parsing.

Tested: QEMU IPMI/Redfish worked.

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: Ib409c7e6a82ad31049f2da3e32727ebdf185f0fc

6ec13c8f 30-Dec-2021 Nan Zhou <nanzhoumails@gmail.com>

Authorities list: implement InstallAll & ReplaceAll

This change implements the design in
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/49317.

InstallAll: enumerate all certs in the input file and install all of
them;
ReplaceAll: replace all certs with the new authorities list
Atomic: implemented via creating temporary folder and issuing swap.

Added ability to unit test service reload as well.

Tested:
1. Unit tests
2. Tested loading/deleting authorities list in QEMU.

```
root@xxx:~# busctl call xyz.openbmc_project.Certs.Manager.Authority.Ldap \
> /xyz/openbmc_project/certs/authority/ldap \
> xyz.openbmc_project.Certs.InstallAll \
> InstallAll s /tmp/trust_bundle.pem
as 3 "/xyz/openbmc_project/certs/authority/ldap/1"
"/xyz/openbmc_project/certs/authority/ldap/2"
"/xyz/openbmc_project/certs/authority/ldap/3"
root@xxx:~# ls /etc/ssl/certs/authority/
10a5d8b0.0 5b49ceaa.0 f3ddaa86.0 file0qmgPV fileDbjTzW fileR4TtjO
trust_bundle
root@xxx:~# busctl call
xyz.openbmc_project.Certs.Manager.Authority.Ldap
/xyz/openbmc_project/certs/authority/ldap
xyz.openbmc_project.Certs.ReplaceAll ReplaceAll s /tmp/trust_bundle.pem
root@xxx:~# ls /etc/ssl/certs/authority/
10a5d8b0.0 5b49ceaa.0 f3ddaa86.0 file1obsEZ fileOqVoaC filerUBZCj
trust_bundle

root@xxx:~# wget -qO- http://localhost/redfish/v1/Managers/bmc/Truststore/Certificates/
{
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/",
"@odata.type": "#CertificateCollection.CertificateCollection",
"Description": "A Collection of TrustStore certificate instances",
"Members": [
{
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/1"
},
{
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/2"
},
{
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/3"
}
],
"Members@odata.count": 3,
"Name": "TrustStore Certificates Collection"
}
root@xxx:~# wget -qO- http://localhost/redfish/v1/Managers/bmc/Truststore/Certificates/1
{
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/1",
"@odata.type": "#Certificate.v1_0_0.Certificate",
"CertificateString": "-----BEGIN CERTIFICATE-----\nMIICZTCCAgugAwIBAgIUANIf0jvaRNq1MdwxrXPnk25VrmYwCgYIKoZIzj0EAwIw\nVTETMBEGA1UEChMKY2FtcHVzLWFzaDENMAsGA1UECxMEcm9vdDEvMC0GA1UEAwwm\ne2QyZWQ1MGJkLTczMTQtNDgxZC04OWE0LTVkMjkxMmYyMGQ5NH0wIBcNNzAwMTAx\nMDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMFUxEzARBgNVBAoTCmNhbXB1cy1hc2gx\nDTALBgNVBAsTBHJvb3QxLzAtBgNVBAMMJntkMmVkNTBiZC03MzE0LTQ4MWQtODlh\nNC01ZDI5MTJmMjBkOTR9MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lp/J3Gj\nc4TKubuYtzpxu2D3STlwTwEjgFbTaLZnQ0KXt7pBrcYc3yY1t74WBluvzM9iok6Q\nDcEFX5aIYcoaAKOBtjCBszAOBgNVHQ8BAf8EBAMCAQYwKQYDVR0lBCIwIAYIKwYB\nBQUHAwEGCCsGAQUFBwMCBgorBgEEAdZ5AgcBMA8GA1UdEwEB/wQFMAMBAf8wHQYD\nVR0OBBYEFIPrX7lbeJhvHHcQ7iYOry50aYKYMBcGA1UdIAQQMA4wDAYKKwYBBAHW\neQIFBDAtBgNVHR4BAf8EIzAhoB8wHYYbLmNhbXB1cy1hc2gucHJvZC5nb29nbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIAS/ZrMPBj992vVVplwzH9DWDCSMu1rCgvqw\nam3byOT1AiEAyrr3FAP+7js7z+h8d94hTyy1kTn+4NOvUWrVzHUmJI8=\n-----END CERTIFICATE-----\n",
"Description": "TrustStore Certificate",
"Id": "1",
"Issuer": {
"CommonName": "{d2ed50bd-7314-481d-89a4-5d2912f20d94}",
"Organization": "campus-ash",
"OrganizationalUnit": "root"
},
"KeyUsage": [
"CRLSigning",
"ServerAuthentication",
"ClientAuthentication",
""
],
"Name": "TrustStore Certificate",
"Subject": {
"CommonName": "{d2ed50bd-7314-481d-89a4-5d2912f20d94}",
"Organization": "campus-ash",
"OrganizationalUnit": "root"
},
"ValidNotAfter": "9999-12-31T23:59:59+00:00",
"ValidNotBefore": "1970-01-01T00:00:00+00:00"
}
```

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I495f5c1c1c4a2ac880dd3233be31b84a78d79a43

014be0bf 28-Dec-2021 Nan Zhou <nanzhoumails@gmail.com>

iwyu

This changes uses its best effort to clean up headers according to iwyu.

Reference:
https://include-what-you-use.org/

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: Ibd8bd8735238d6ec101a2428241bb1727e3ac9a9

cf06ccdc 28-Dec-2021 Nan Zhou <nanzhoumails@gmail.com>

clean up using directives and type alias

Most C++ style guides try to avoid using directives in headers and also
suggest using type alias carefully, according to which, this change does
the following clean up:

1. used Enum class to represent Certificate type
2. removed all using directives: e.g. the phosphor logging namespace;
instead, this change uses using declarations
3. removed unnecessary type alias; in existing codes, we only support
strings as types of UnitToRestart, InstallPath, UploadPath, etc; this
change uses std::string directly
4. moved all alias outside any class scope into source files or an
internal namespace
5. renamed types, constants, classes as per OpenBMC style guide
6. fixed all compilation errors and some warnings after the refactoring;
built with both Clang & GCC

Reference:
https://docs.microsoft.com/en-us/cpp/cpp/header-files-cpp?view=msvc-170#what-to-put-in-a-header-file
https://google.github.io/styleguide/cppguide.html#Namespaces

Tested:
Unit tests

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I58e026934a4e969f4d8877801c8f3c671990468a

718eef37 28-Dec-2021 Nan Zhou <nanzhoumails@gmail.com>

config.h.in: use const variables instead of macros

Most style guides try to avoid preprocessor macros, especially the use
case here: const objects. This change replaced them with const
variables. Their names are also changed according to the OpenBMC style
guide.

Reference:
https://google.github.io/styleguide/cppguide.html#Preprocessor_Macros

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I0786c7c83f3a0d892c14f1cb813d0aa16d627b3e

e1289adf 28-Dec-2021 Nan Zhou <nanzhoumails@gmail.com>

Use nested namespace

Nested namespace is introduced in C++ 17. This saves nearly 50 lines.
This change also puts tests into a nested namespace, which saves
unnecessary using directives.

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I7c3e38588fd5c2cbd83ac13ee24327318e8c06a4

cfb5802a 28-Dec-2021 Nan Zhou <nanzhoumails@gmail.com>

Modernize use nullptr

NULL => nullptr as per modernize-use-nullptr.

After this change:
```
grep "NULL" -r */*.*pp *.*pp
None
```

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: Iecddab6fba06f959866048eff4496310453d0fde

bf3cf751 28-Dec-2021 Nan Zhou <nanzhoumails@gmail.com>

Fix typos

After this change:
```
codespell --builtin clear,rare,en-GB_to_en-US -d --count --skip
"./subprojects/*,./.git" .
0
```

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I7bc4c94facdd366dea91e456e7ef8a0b05532b99

cf811c43 02-Dec-2021 Nan Zhou <nanzhoumails@gmail.com>

remove year 2038 check

https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/49188 resolves
the year 2038 problem in BMCWeb. There's no need to check it in
cert-manager anymore. However, the current Cert interface can't take
certificate whose NotBefore is before the Unix Epoch given the
timestamp is uint64_t. So this change adds the check to return
errors in this case.

This change also fixed the existing issue of setting unix epoch.

TESTED: unit tests + QEMU
1. added a cert that's valid from 1970/01/01 to 9999/12/31 into
unit tests
2. tested the dbus properties in QEMU after installing the above
cert;

```
.ValidNotAfter property t 253402300799 emits-change writable
.ValidNotBefore property t 0 emits-change writable
```
This is expected.

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: Idc6b7721fc84b6b9022467e6b0c9e1984f682912

1f54ad17 13-Dec-2021 Patrick Williams <patrick@stwcx.xyz>

build: remove autotools

Build is switched to meson now, including in the meta-phosphor recipe,
so remove all autotools support.

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I05fb6c507369355757831891e3d990c3600b9d86

bb939ea4 03-Dec-2021 Patrick Williams <patrick@stwcx.xyz>

build: add meson support

Port the existing autotools build system to meson, add meson wrap files
for all openbmc dependencies, and add appropriate meson rules to
gitignore.

Tested:

Verified executables all build, test cases pass, and executables
install. Checked configuration files are all installed into the same
locations as a Yocto-built autotools version of the package. Manually
checked the symlinks for the systemd service files.

```
$ DESTDIR=/tmp/certificate_test ninja install
$ find /tmp/certificate_test/lib /tmp/certificate_test/usr/local/share/phosphor-certificate-manager/
/tmp/certificate_test/lib
/tmp/certificate_test/lib/systemd
/tmp/certificate_test/lib/systemd/system
/tmp/certificate_test/lib/systemd/system/multi-user.target.wants
/tmp/certificate_test/lib/systemd/system/multi-user.target.wants/phosphor-certificate-manager@authority.service
/tmp/certificate_test/lib/systemd/system/multi-user.target.wants/phosphor-certificate-manager@bmcweb.service
/tmp/certificate_test/lib/systemd/system/bmc-vmi-ca-manager.service
/tmp/certificate_test/lib/systemd/system/phosphor-certificate-manager@.service
/tmp/certificate_test/usr/local/share/phosphor-certificate-manager/
/tmp/certificate_test/usr/local/share/phosphor-certificate-manager/authority
/tmp/certificate_test/usr/local/share/phosphor-certificate-manager/bmcweb
$ ls -n /tmp/certificate_test/lib/systemd/system/multi-user.target.wants
total 0
lrwxrwxrwx 1 1000 1000 40 Dec 3 15:37 phosphor-certificate-manager@authority.service -> ../phosphor-certificate-manager@.service
lrwxrwxrwx 1 1000 1000 40 Dec 3 15:37 phosphor-certificate-manager@bmcweb.service -> ../phosphor-certificate-manager@.service
```

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Ib9700b5a3bb437ccc157a2d060067b8e2b777981

a7846b39 02-Sep-2021 Patrick Williams <patrick@stwcx.xyz>

cleanup sdbus CAMELCASE define

The transition from e129be3b566a187f42e4ab45bccfb10d35dc3d71 is
complete, so clean up the old defines.

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Ia1570296370970999171cfa7c2c3aa7b16a8f32e

e129be3b 30-Apr-2021 Patrick Williams <patrick@stwcx.xyz>

use new sdbus++ camelcase for CSR.

Change I17a8d7479556596a3cf252b3f4eae9c8df547189 will change
how sdbus++ generates names which start with an acronym.
Prepare for this by keying off the SDBUSPP_NEW_CAMELCASE
define to use the new format.

Changes:
cSR() -> csr()

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I9adb628d7d064af9f65d37aebe99e06532690163

ea7c3f0c 15-Sep-2020 Ravi Teja <raviteja28031990@gmail.com>

Add unit testcases for CA certificate authority manager

This test cases can be enabled by using below feature flag
"--enable-ca-cert-extension"

Testcases:
testObjectCreation
testInvalidArgument
DeleteAllCSRObjects
DeleteObjectEntry

Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>
Change-Id: I9e30f28ef73ecdc377ae357e9c73c42063f85137

480f30d6 21-May-2020 Lakshminarayana R. Kammath <lkammath@in.ibm.com>

unit-test: Enable unit test coverage for certificate manager

Signed-off-by: Lakshminarayana R. Kammath <lkammath@in.ibm.com>
Change-Id: I198c7b98c394039da974574856a9318019de7f91

73d1fbf3 15-Jan-2020 Zbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>

Installing certificates with the same subject name.

This patch enables the way for installing different CA certificates with
the same subject name which could be the use case. The problem is OpenSSL
requires certificates file name to be consisted of the certificate
subject name hash (as name base) and integer number (as name extension),
e.g. "9d66eef0.0":
https://www.boost.org/doc/libs/1_69_0/doc/html/boost_asio/reference/ssl__context/add_verify_path.html
https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html
But finally OpenSSL allows to use many CA certificates with the same subject
name but handling certificate file name extension (e.g. must be
consecutive integers numbers) is needed. Current implementation
hardcodes name extension to 0. So this patch is about handling
certificate file name extension properly.

Tested by installing, deleting and replacing a few CA certificates
with the same subject name and checking whether authentication based
on them works:
- install a few CA certificates and check whether authentication based
on them works,
- delete single CA certificate and check whether authentication based
on the rest works and based on the deleted one do not work,
- replace single CA certificate and check whether authentication based
on the rest and the new one works and based on the replaced one do not
work.

Signed-off-by: Zbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>
Change-Id: I95b8e77559a9e64f0e6cb95dac60dbad32fbcb86

2f3563cc 08-Jan-2020 Zbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>

Refactoring of certificates managing and storing

This commit is about third stage code refactoring proposed by Zbigniew
Kurzynski (zbigniew.kurzynski@intel.com) on the mailing list
("phosphor-certificate-manager refactoring"): "Changing the way of
managing and storing TrustStore certificates".

Following changes are being implemented:
- each certificate has its own and unique ID,
- authority certificates are kept in files with random names under
/etc/ssl/certs/authority and symlinks (based on subject name hash) are
created to satisfy OpenSSL library,
- restarting bmcweb was moved from certificate class to certs_manager
class
- certificate uniqueness is based on certificate ID and checked while
installing and replacing operation in certs_manager class.

Tested by doing installing/replacing/removing operations on certificate
storage using RedFish API.

Signed-off-by: Zbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>
Change-Id: I0b02a10b940279c46ad9ee07925794262133b1b0
