History log of /openbmc/phosphor-certificate-manager/ (Results 101 – 125 of 162)
Revision Date Author Comments
ea7c3f0c 15-Sep-2020 Ravi Teja <raviteja28031990@gmail.com>

Add unit testcases for CA certificate authority manager

These test cases can be enabled by using the below feature flag
"--enable-ca-cert-extension"

Testcases:
testObjectCreation
testInvalidArgument
DeleteAllCSRObjects
DeleteObjectEntry

Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>
Change-Id: I9e30f28ef73ecdc377ae357e9c73c42063f85137

a49895ee 16-Jun-2020 Ravi Teja <raviteja28031990@gmail.com>

Implementation of BMC VMI certificate manager

This manager is to create and manage entries
for each host CSR request which needs to be shared
with host.

This commit implements dbus interfaces
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-dbus-interfaces/+/31808

This feature can be enabled by using below feature flag
"--enable-ca-cert-extension"

Tested by:
Creating CSR entries
Deleting entries
Setting properties

Signed-off-by: Ravi Teja <raviteja28031990@gmail.com>
Change-Id: I24829b839feac6264f32053b9be63daef6599379

5c515c21 10-Jun-2020 Zhenfei Tai <ztai@google.com>

Add documentation of how to use the program in README

I spent some time to understand this process while testing mTLS on
bmcweb.

Having some extra documentation should help people new to the community.

Signed-off-by: Zhenfei Tai <ztai@google.com>
Change-Id: I636c189b5ab5886726af5ce7ce6d2b19ab68f741

480f30d6 21-May-2020 Lakshminarayana R. Kammath <lkammath@in.ibm.com>

unit-test: Enable unit test coverage for certificate manager

Signed-off-by: Lakshminarayana R. Kammath <lkammath@in.ibm.com>
Change-Id: I198c7b98c394039da974574856a9318019de7f91

c4522d2e 12-Mar-2020 Marri Devender Rao <devenrao@in.ibm.com>

Return error if certificate expiry date is beyond year 2038

Any certificate which is uploaded with expiry year greater than 2038
causes the expiry date to be set to time before 1970.

time_t is used in calculation of expiry date based on seconds from
epoch. As time_t is defined as int32 any time beyond 2038 causes
integer overflow and generates a negative number. When the negative
number is used in time calculation it generates year before 1970.

Modified to return error if the seconds computed for expiry date
is beyond INT_MAX.

This change is required till kernel changes time_t to use 64 bit value.

Tested:
Mar 12 11:14:38 xx phosphor-certificate-manager[520]: Certificate install
Mar 12 11:14:38 xx phosphor-certificate-manager[520]: Certificate expiry date is
beyond year 2038
Mar 12 11:14:38 xx phosphor-certificate-manager[520]: Invalid certificate file.
"MESSAGE" : "Certificate expiry date is beyond year 2038",
"PRIORITY" : "3",
"SECONDS" : "2366947077",

Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
Change-Id: Icb926fe6eebb2ce896ccde2527b7494896653f58

db5c6fc8 10-Mar-2020 Marri Devender Rao <devenrao@in.ibm.com>

Fix application crash issue with uncaught exception

This change is to not let the certificate manager crash
with uncaught exception in the constructor.

Due to uncaught exception during code update application was crashing
as shown in below traces
phosphor-certificate-manager[804]: Legacy certificate detected, will be
installed from:
phosphor-certificate-manager[804]: The operation is not allowed
hosphor-certificate-manager[804]: terminate called after throwing an instance of
'sdbusplus::xyz::openbmc_project::Common::Error::NotAllowed'

Also caters to fix
https://github.com/openbmc/phosphor-certificate-manager/issues/12

could not reproduce issue12 but this fix should help

Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
Change-Id: If0156c35dcc8b44659c4846215b6f45a81685c3e

bddee63b 10-Feb-2020 Marri Devender Rao <devenrao@in.ibm.com>

Remove some traces logged as part of application load.

During reboot, existing certificates are loaded to create
certificate objects causing too many log statements.

Removing some of the log statements not critical for debugging
purpose to minimise the log statements.

Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
Change-Id: Id68298ee95f35c3f8a24178699dfd84a225ddf3a

15cbbec2 16-Jan-2020 Zbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>

Change InternalFailure to NotAllowed for replace

This patch is about using NotAllowed instead of InternalFailure for
certificate replacement routine. Currently there is a check to prevent
replacing current certificate with certificate with subject/issuer
already existing on the certificate list (currently replacing
certificate is not taken into account). And for that case it makes
sense to use NotAllowed error instead of InternalFailure.

Tested by replacing one of the currently available certificates with
new one with subject/issuer the same as one of the currently available
certificate.

Signed-off-by: Zbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>
Change-Id: Ia480e8fe9b70ba7f0291541f47e78680f48a3646

73d1fbf3 15-Jan-2020 Zbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>

Installing certificates with the same subject name.

This patch enables the way for installing different CA certificates with
the same subject name which could be the use case. The problem is OpenSSL
requires the certificate file name to consist of the certificate
subject name hash (as name base) and integer number (as name extension),
e.g. "9d66eef0.0":
https://www.boost.org/doc/libs/1_69_0/doc/html/boost_asio/reference/ssl__context/add_verify_path.html
https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html
But finally OpenSSL allows to use many CA certificates with the same subject
name but handling certificate file name extension (e.g. must be
consecutive integer numbers) is needed. Current implementation
hardcodes name extension to 0. So this patch is about handling
certificate file name extension properly.

Tested by installing, deleting and replacing a few CA certificates
with the same subject name and checking whether authentication based
on them works:
- install a few CA certificates and check whether authentication based
on them works,
- delete single CA certificate and check whether authentication based
on the rest works and based on the deleted one does not work,
- replace single CA certificate and check whether authentication based
on the rest and the new one works and based on the replaced one does not
work.

Signed-off-by: Zbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>
Change-Id: I95b8e77559a9e64f0e6cb95dac60dbad32fbcb86

2f3563cc 08-Jan-2020 Zbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>

Refactoring of certificates managing and storing

This commit is about third stage code refactoring proposed by Zbigniew
Kurzynski (zbigniew.kurzynski@intel.com) on the mailing list
("phosphor-certificate-manager refactoring"): "Changing the way of
managing and storing TrustStore certificates".

Following changes are being implemented:
- each certificate has its own and unique ID,
- authority certificates are kept in files with random names under
/etc/ssl/certs/authority and symlinks (based on subject name hash) are
created to satisfy OpenSSL library,
- restarting bmcweb was moved from certificate class to certs_manager
class
- certificate uniqueness is based on certificate ID and checked while
installing and replacing operation in certs_manager class.

Tested by doing installing/replacing/removing operations on certificate
storage using RedFish API.

Signed-off-by: Zbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>
Change-Id: I0b02a10b940279c46ad9ee07925794262133b1b0

fe590c4e 10-Dec-2019 Zbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>

Limit access permissions for authority cert directory.

This patch is about limiting access permissions for authority certificates
directory. Additionally this patch fixes UTs issues caught here:
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/26835
and discussed here:
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/27810

Tested:
1) All UTs passed.
2) Manually checked access permissions:
root@intel-obmc:~# ls -al /etc/ssl/certs
drwx------ 4 root root 80 Dec 10 12:31 .
drwxr-xr-x 3 root root 80 Dec 10 12:31 ..
drwx------ 2 root root 40 Dec 10 12:31 authority
drwx------ 2 root root 60 Dec 10 12:31 https

Signed-off-by: Zbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>
Change-Id: I63c698fa776aec01eed44e91ebbae956e707d52d
Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>

667286e4 29-Oct-2019 Marri Devender Rao <devenrao@in.ibm.com>

Allow only root user to access certificates

This change is to cater allowing only root user to read/write
certificates.

Users with ReadOnly and Callback privilege will not be allowed to
access the certificate folder

At present setting 700 permission for the certificate folder.

Tested:
1) Verified ldap certificate at /etc/nslcd/certs is not accessible
to read only users.
2) Verified https certificate at /etc/ssl/certs/https is not
accessible to read only users
3) Verified authority certificate at /etc/ssl/certs/ is not accessible
to read only users.

Change-Id: I20acb1bf449f64282c6b692bd7063dcdedbd311d
Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>

a3bb38fb 17-Sep-2019 Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>

Certificate delete API – backend.

Till now the Certificate Manager has one-to-one relation with a
Certificate class. And the DELETE API provided by the
Certificate Manager was enough to delete the certificate managed by it.

With introducing Mutual-TLS the relation is changing to one-to-many
and current delete API is not sufficient. This commit adds DELETE
interface to Certificate class, so each of them can be removed
individually. This implementation was done on base of current user
account management implementation. The Certificate class exposes the
delete interface on DBus. When the API is called the Certificate
instance calls proper operation on Certificate Manager which
removes it from its internal collection. The rest of the removing
certificate process, including service reset remains as it was.

Tested with uploaded multiple TLS certificates.
Each Certificate exposes Delete interface on dbus and user is able
to delete each of them. The delete API on Certificate Manager object
was replaced with DeleteAll interface and results in deleting all
loaded certificates.

Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
Change-Id: I9dd6fa998e8bd8081fbd13549831bc94a4a7aa54

3b07b77a 09-Oct-2019 Zbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>

Enable limiting authority certificates amount.

This patch enables check about authority certificates amount limit
and disallows to install new certificate in case limit violation.

Tested: Tests were performed manually by trying to install dozen
authority certificates over RedFish.

Signed-off-by: Zbigniew Lukwinski <zbigniew.lukwinski@linux.intel.com>
Change-Id: Iea83f05e7b6b0ad3e32bc3f2aba710de863b6d34

db029c95 08-Jul-2019 Kowalski, Kamil <kamil.kowalski@intel.com>

Support uploading multiple certificates per authority service.

This request is a proposition of extending current mode=authority
with support for multiple certificates instead of single one.

This review addresses also this issue:
https://github.com/openbmc/phosphor-certificate-manager/issues/3
but with a restriction to mode=authority. Other modes still operate
on a single certification file.

New mode requires that user provides directory path instead of certificate path
as --path argument if using --type=authority.

Tested:
- Manually tested Install, Remove and Replace paths for existing modes
to confirm no change of behavior occurs (authority, client, server)
- Manually tested Install, Remove and Replace paths for authority mode
to confirm that it behaves as expected i.e. filename is changed on certificate
replacement that mirrors change in certificate hash
- Confirmed no regression in unit tests

Change-Id: Icd33723c1fc2580679aaaf54b3e99dfb09342402
Signed-off-by: Kowalski, Kamil <kamil.kowalski@intel.com>
Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>

06a69d7b 27-Sep-2019 Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>

Support uploading multiple certificates [install-backend]

To enable multiple certificates support in certificate manager,
and resolve following issues :

openbmc/phosphor-certificate-manager#3,
openbmc/bmcweb#84

the Install method should return a string with dbus path to just
created certificate. It will allow to recognize a new certificate
and return proper values in redfish response to certificate POST
method.

This change depends on interface change available under this review:
https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-dbus-interfaces/+/25632

Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
Depends-On: I58bfb8a86f56923e7f7aca0d10ed7838537d7c14
Change-Id: Ic8ab545c931d89a022acdabd5a755e3bf39e5a79

2e8c3a50 09-Aug-2019 Marri Devender Rao <devenrao@in.ibm.com>

Fixed error message logged for certificate verification

Return value of certificate verification failure is validated
for any known errors like certificate not yet valid, self
signed certificate before returning error.

As the message logged before comparing with known errors is
misleading changed the error message and also level of the
log message to INFO.

Tested:
phosphor-certificate-manager[556]: Certificate install
phosphor-certificate-manager[556]: Certificate loadCert
phosphor-certificate-manager[556]: Error occured during X509_verify_cert call,
checking for known error
phosphor-certificate-manager[556]: Certificate compareKeys
phosphor-certificate-manager[556]: Certificate loadCert

"ERROR_STR" : "unable to get local issuer certificate",
"ERRCODE" : "20",

Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
Change-Id: I2df9abc766086a9d80063c32ccc8e44b62c48fc1

7641105d 07-Aug-2019 Marri Devender Rao <devenrao@in.ibm.com>

Fix extended key usage value while generating CSR

At present extended key usage values are added as
key usage values while generating CSR fixed the same.

Tested:
Verified that key usage and extended key usage values are
displayed properly

[devenrao]$ openssl req -text -in n1.csr
Certificate Request:
Data:
Version: 1 (0x1)
Subject: subjectAltName=an.com/subjectAltName=bm.com, L=NJ,
CN=w3.ibm.com/name=cp, C=US/emailAddress=abc.com,
GN=gn/initials=in/algorithm=EC/extendedKeyUsage=ServerAuthentication/keyUsage=KeyCertSign/keyUsage=DigitalSignature,
O=IBM, ST=NY, SN=sn/unstructuredName=un
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey

Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
Change-Id: I80e2f82696a695ea551cbb01f6a0fd5a2a416663

b57d75e2 25-Jul-2019 Marri Devender Rao <devenrao@in.ibm.com>

Fix certificate manager failure after factory reset

Private key file is pre-generated during startup of service
for CSR generation as it is time consuming operation.

Noticed after factory reset when writing private key it is
trying to create file to non existing directory.

Modified to create parent directory structure before creating
private key file

Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
Change-Id: Ida296a0ed139aee0d594870b7d71e376f5b5f7c8

18e51c92 15-Jul-2019 Marri Devender Rao <devenrao@in.ibm.com>

Fix upload signed certificate error through GUI

Noticed signed certificate uploaded fails certificate
validation.

Back-end appends the private key to the uploaded certificate
file and initiates certificate validation.

As end of line character is missing at the end of the uploaded
certificate private key is added on the same line.

Inserting end of line character before appending private key.

Tested:
1) Uploading signed certificate through GUI
2) Uploading signed certificate through command line

Change-Id: Iee944912a748a81e34ccad012707b925c451433e
Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>

c6e58c7e 16-Jul-2019 Ramesh Iyyar <rameshi1@in.ibm.com>

Generate RSA Private Key file during application startup

Generating RSA private key file during application startup if rsa key
file is not found. Here, the rsa private key file is a hidden file
(.rsaprivkey.pem) and placed in certificate file install path which is
given during application startup.

This generated rsa private key file will be used to create private key
and csr files if certificate manager received the generateCSR request
with key pair algorithm as RSA. So, the every time rsa key generation
is avoided, because rsa key is generated with keybitlength as 2048
during application startup.

From this change, certificate manager will support only 2048 as key
bit length to generated rsa key pair. If user given other than 2048,
application will throw error.

Tested By:
- Added below unit test case
* To check rsa private key file is generated during application
startup.
* To validate unsupported key bit length.
* To check rsa private key file is present or not.
* To check rsa private key is picked from rsa private key file
while receive the generateCSR request.
- Manual test case
* Restarted certificate manager application to check rsa private
key file is generated.
systemctl restart phosphor-certificate-manager@bmcweb.service

* Invoked generateCSR request by using curl command to check
generated rsa private key file is used to create private key
and csr file.
curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST
https://${bmc}/redfish/v1/CertificateService/Actions/
CertificateService.GenerateCSR/ -d @generate_https.json

Change-Id: I876779f1ab36f52774c52041d68304a610ea261b
Signed-off-by: Ramesh Iyyar <rameshi1@in.ibm.com>

cd30c496 12-Jun-2019 Marri Devender Rao <devenrao@in.ibm.com>

Append private key from the system to CA signed certificate

A CSR request is initiated which creates a private key file
and CSR file in the system.

CSR file is passed onto the CA to sign the certificate.

If the CA signed certificate file does not have private key
use the private key generated as part of the CSR request
from the system.

After successful validation append the private key with the
CA signed file and store in the system.

Tested:
1) Verified when uploading a certificate file without private
key system is using the private key file from the system.

Change-Id: I9a5313af64f87fdb1d9189558c95ab75ce317a73
Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>

ffad1ef1 03-Jun-2019 Marri Devender Rao <devenrao@in.ibm.com>

Manage certificates created by applications

Added watch on certificate path to watch on certificates
created/updated by apps.

As part of watch notification, create new D-Bus new certificate
and for existing D-Bus object update the properties.

Tested:
Test case 1
1) Ensure no certificate is present
2) Restart certificate service
3) Restart bmcweb service
4) Verified that certificate object is created for the
self-signed certificate created by bmcweb.

Test case 2
1) After a certificate is present
2) Modify the bmcweb certificate by replacing it
with a valid certificate manually.
3) Verified that certificate manager is notified
and certificate objects properties are updated.

Test case 3
1) Upload CSR based certificate file
2) Verified that private key is appended to the file

Test case 4
1) Create a dummy file in certificate folder
2) Verified that notification is received and file is ignored

Test case 5
1) Verified install, replace, generate csr.

Change-Id: I7d1e3624958e4b68e5ba7bc6150c19b11fca501a
Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>

8a09b52a 07-Jun-2019 Ramesh Iyyar <rameshi1@in.ibm.com>

Added support to generate CSR based on ECC approach

In existing, phosphor-certificate-manager is supported RSA approach to
generate CSR. As per Redfish certificate schema, CSR can generate either
RSA or ECC by passing KeyPairAlgorithm. So, In this commit ECC based CSR
generation is added.

Openssl API are used for generating ECC key pair.

User Input Validation:
- ECC approach is used as default if user does not give algorithm type.
- Default KeyBitLength and CurveId used as "2048" and "secp224r1"
respectively if user does not give.
- Error will be thrown if algorithm given other than RSA and ECC.

In this commit refactor also done by splitting RSA key generation from
writePrivateKey().

Tested by:
- Added unit test cases to verify unsupported KeyPairAlgorithm and
KeyPairCurveID, ECC Key generation.

- Tested by BMC-web(Redfish) to generate CSR based on ECC.
curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST
https://${bmc}/redfish/v1/CertificateService/Actions/
CertificateService.GenerateCSR/ -d @generate_https.json

Change-Id: I523293ee2ff6da2964e8c3d4380eefc96bf1f36b
Signed-off-by: Ramesh Iyyar <rameshi1@in.ibm.com>

dec5877c 11-Jun-2019 Marri Devender Rao <devenrao@in.ibm.com>

Fix subject property value is set with certificate string

Noticed subject property value is set with certificate string
value and subject value.

Change-Id: Ie8c6420e607550f6d8c573b2ebcf723494fdd8f8
Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
