History log of /openbmc/phosphor-certificate-manager/config.h.in (Results 1 – 4 of 4)
Revision Date Author Comments
# 3c478144 27-Jun-2022 Lei YU <yulei.sh@bytedance.com>

Allow for expired certificate

The code throws for an expired certificate, which results in the below
behavior:

1. If the BMC starts when the time is invalid (e.g. the date is in 1970),
bmcweb will create a default certificate with hostname `testhost`;

2. In later reboots, when the BMC gets a valid time, bmcweb loads the
certificate as before. But phosphor-certificate-manager will throw on
this certificate. Then there is no DBus object created for this
certificate (`/xyz/openbmc_project/certs/server/https/1`)

3. Due to the missing DBus object:
* We will not be able to replace the certificate, e.g. by below
Redfish URI:
```
/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate
```
* When the BMC gets the hostname, bmcweb will generate a new
self-signed certificate with the hostname and replace it, the
replacement fails as well.

This commit adds a config option, enabled by default, that allows the
expired certificate to be created on DBus, which fixes the above issues.

Signed-off-by: Lei YU <yulei.sh@bytedance.com>
Change-Id: Ib02bd686c9bfeb6401b269af20856824647f54c5
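The failure chain above comes down to one policy question: when a certificate's validity window does not contain "now", should the manager still publish it on D-Bus so it can be replaced? The following is an added example, not code from phosphor-certificate-manager or bmcweb. It extracts the Validity of a certificate with a minimal standard-library DER walker, using the truststore certificate printed in the InstallAll log further down this page as real input (its notBefore is 1970-01-01, the date a BMC without a valid clock reports), plus a constructed, unsigned certificate skeleton standing in for the default certificate bmcweb generated under a 1970 clock. The `allow_expired` flag of `should_publish` is my stand-in for the config option; the option's real name and exact semantics are not given on this page beyond what the commit message says.

```python
import base64
import datetime

# Certificate copied verbatim from the Redfish output later on this page
# (/redfish/v1/Managers/bmc/Truststore/Certificates/1); notBefore is 1970-01-01.
PAGE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIICZTCCAgugAwIBAgIUANIf0jvaRNq1MdwxrXPnk25VrmYwCgYIKoZIzj0EAwIw\n"
    "VTETMBEGA1UEChMKY2FtcHVzLWFzaDENMAsGA1UECxMEcm9vdDEvMC0GA1UEAwwm\n"
    "e2QyZWQ1MGJkLTczMTQtNDgxZC04OWE0LTVkMjkxMmYyMGQ5NH0wIBcNNzAwMTAx\n"
    "MDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMFUxEzARBgNVBAoTCmNhbXB1cy1hc2gx\n"
    "DTALBgNVBAsTBHJvb3QxLzAtBgNVBAMMJntkMmVkNTBiZC03MzE0LTQ4MWQtODlh\n"
    "NC01ZDI5MTJmMjBkOTR9MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lp/J3Gj\n"
    "c4TKubuYtzpxu2D3STlwTwEjgFbTaLZnQ0KXt7pBrcYc3yY1t74WBluvzM9iok6Q\n"
    "DcEFX5aIYcoaAKOBtjCBszAOBgNVHQ8BAf8EBAMCAQYwKQYDVR0lBCIwIAYIKwYB\n"
    "BQUHAwEGCCsGAQUFBwMCBgorBgEEAdZ5AgcBMA8GA1UdEwEB/wQFMAMBAf8wHQYD\n"
    "VR0OBBYEFIPrX7lbeJhvHHcQ7iYOry50aYKYMBcGA1UdIAQQMA4wDAYKKwYBBAHW\n"
    "eQIFBDAtBgNVHR4BAf8EIzAhoB8wHYYbLmNhbXB1cy1hc2gucHJvZC5nb29nbGUu\n"
    "Y29tMAoGCCqGSM49BAMCA0gAMEUCIAS/ZrMPBj992vVVplwzH9DWDCSMu1rCgvqw\n"
    "am3byOT1AiEAyrr3FAP+7js7z+h8d94hTyy1kTn+4NOvUWrVzHUmJI8=\n"
    "-----END CERTIFICATE-----\n")

UTC = datetime.timezone.utc

def at(ymd):
    """Aware UTC timestamp for a YYYY-MM-DD string; stands in for the BMC clock."""
    return datetime.datetime.strptime(ymd, "%Y-%m-%d").replace(tzinfo=UTC)

def _tlv(buf, pos):
    """Read one DER TLV at `pos`: returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ, RFC 5280 pivot at 50) or GeneralizedTime (0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = "%04d%s" % (1900 + yy if yy >= 50 else 2000 + yy, s[2:])
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def validity(cert):
    """(notBefore, notAfter) of a certificate given as PEM text or DER bytes."""
    if isinstance(cert, str):
        cert = base64.b64decode("".join(l for l in cert.splitlines() if "-----" not in l))
    _, body, _ = _tlv(cert, 0)              # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _tlv(body, 0)               # TBSCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # EXPLICIT [0] version, present for v3
        fields = fields[1:]
    (nb_tag, nb), (na_tag, na) = _children(fields[3][1])  # serial, sigAlg, issuer, validity
    return _parse_time(nb_tag, nb), _parse_time(na_tag, na)

def classify(cert, now):
    not_before, not_after = validity(cert)
    return "not_yet_valid" if now < not_before else "expired" if now > not_after else "valid"

def should_publish(cert, now, allow_expired=True):
    """Whether to create the D-Bus object. allow_expired=True is my stand-in for the
    option the commit enables by default: an out-of-window certificate is published
    anyway so ReplaceCertificate has an object to act on. False is the old behaviour."""
    state = classify(cert, now)
    return (state == "valid" or allow_expired), state

def _der(tag, payload):                     # short-form lengths only (< 128 bytes)
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload

def fake_cert(not_before, not_after):
    """Constructed, unsigned certificate skeleton (NOT a real X.509 object):
    just enough TBSCertificate structure for validity() to walk."""
    tbs = b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                # [0] version v3
        _der(0x02, b"\x01"),                                            # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02")),    # ecdsa-with-SHA256
        _der(0x30, b""),                                                # empty issuer Name
        _der(0x30, _der(0x17, not_before) + _der(0x17, not_after)),     # validity
    ])
    return _der(0x30, _der(0x30, tbs))

# The commit's scenario: bmcweb minted its default cert while the clock read 1970.
CERT_FROM_1970_CLOCK = fake_cert(b"700101000000Z", b"800101000000Z")
```

Run with a 2022 clock, the 1970-minted certificate classifies as `expired`: `should_publish(..., allow_expired=False)` drops it, which is the missing `/xyz/openbmc_project/certs/server/https/1` object the commit describes, while the default keeps it. The same walker shows the mirror-image failure: a correctly dated certificate looked at while the clock still reads 1970 is `not_yet_valid`, so a validity check that throws is wrong in both directions when the BMC clock cannot be trusted.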



# 6ec13c8f 30-Dec-2021 Nan Zhou <nanzhoumails@gmail.com>

Authorities list: implement InstallAll & ReplaceAll

This change implements the design in
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/49317.

InstallAll: enumerate all certs in the input file and install all of
them;
ReplaceAll: replace all certs with the new authorities list
Atomic: implemented by creating a temporary folder and issuing a swap.

Added ability to unit test service reload as well.

Tested:
1. Unit tests
2. Tested loading/deleting authorities list in QEMU.

```
root@xxx:~# busctl call xyz.openbmc_project.Certs.Manager.Authority.Ldap \
> /xyz/openbmc_project/certs/authority/ldap \
> xyz.openbmc_project.Certs.InstallAll \
> InstallAll s /tmp/trust_bundle.pem
as 3 "/xyz/openbmc_project/certs/authority/ldap/1"
"/xyz/openbmc_project/certs/authority/ldap/2"
"/xyz/openbmc_project/certs/authority/ldap/3"
root@xxx:~# ls /etc/ssl/certs/authority/
10a5d8b0.0 5b49ceaa.0 f3ddaa86.0 file0qmgPV fileDbjTzW fileR4TtjO
trust_bundle
root@xxx:~# busctl call xyz.openbmc_project.Certs.Manager.Authority.Ldap \
> /xyz/openbmc_project/certs/authority/ldap \
> xyz.openbmc_project.Certs.ReplaceAll \
> ReplaceAll s /tmp/trust_bundle.pem
root@xxx:~# ls /etc/ssl/certs/authority/
10a5d8b0.0 5b49ceaa.0 f3ddaa86.0 file1obsEZ fileOqVoaC filerUBZCj
trust_bundle

root@xxx:~# wget -qO- http://localhost/redfish/v1/Managers/bmc/Truststore/Certificates/
{
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/",
"@odata.type": "#CertificateCollection.CertificateCollection",
"Description": "A Collection of TrustStore certificate instances",
"Members": [
{
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/1"
},
{
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/2"
},
{
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/3"
}
],
"Members@odata.count": 3,
"Name": "TrustStore Certificates Collection"
}
root@xxx:~# wget -qO- http://localhost/redfish/v1/Managers/bmc/Truststore/Certificates/1
{
"@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/1",
"@odata.type": "#Certificate.v1_0_0.Certificate",
"CertificateString": "-----BEGIN CERTIFICATE-----\nMIICZTCCAgugAwIBAgIUANIf0jvaRNq1MdwxrXPnk25VrmYwCgYIKoZIzj0EAwIw\nVTETMBEGA1UEChMKY2FtcHVzLWFzaDENMAsGA1UECxMEcm9vdDEvMC0GA1UEAwwm\ne2QyZWQ1MGJkLTczMTQtNDgxZC04OWE0LTVkMjkxMmYyMGQ5NH0wIBcNNzAwMTAx\nMDAwMDAwWhgPOTk5OTEyMzEyMzU5NTlaMFUxEzARBgNVBAoTCmNhbXB1cy1hc2gx\nDTALBgNVBAsTBHJvb3QxLzAtBgNVBAMMJntkMmVkNTBiZC03MzE0LTQ4MWQtODlh\nNC01ZDI5MTJmMjBkOTR9MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lp/J3Gj\nc4TKubuYtzpxu2D3STlwTwEjgFbTaLZnQ0KXt7pBrcYc3yY1t74WBluvzM9iok6Q\nDcEFX5aIYcoaAKOBtjCBszAOBgNVHQ8BAf8EBAMCAQYwKQYDVR0lBCIwIAYIKwYB\nBQUHAwEGCCsGAQUFBwMCBgorBgEEAdZ5AgcBMA8GA1UdEwEB/wQFMAMBAf8wHQYD\nVR0OBBYEFIPrX7lbeJhvHHcQ7iYOry50aYKYMBcGA1UdIAQQMA4wDAYKKwYBBAHW\neQIFBDAtBgNVHR4BAf8EIzAhoB8wHYYbLmNhbXB1cy1hc2gucHJvZC5nb29nbGUu\nY29tMAoGCCqGSM49BAMCA0gAMEUCIAS/ZrMPBj992vVVplwzH9DWDCSMu1rCgvqw\nam3byOT1AiEAyrr3FAP+7js7z+h8d94hTyy1kTn+4NOvUWrVzHUmJI8=\n-----END CERTIFICATE-----\n",
"Description": "TrustStore Certificate",
"Id": "1",
"Issuer": {
"CommonName": "{d2ed50bd-7314-481d-89a4-5d2912f20d94}",
"Organization": "campus-ash",
"OrganizationalUnit": "root"
},
"KeyUsage": [
"CRLSigning",
"ServerAuthentication",
"ClientAuthentication",
""
],
"Name": "TrustStore Certificate",
"Subject": {
"CommonName": "{d2ed50bd-7314-481d-89a4-5d2912f20d94}",
"Organization": "campus-ash",
"OrganizationalUnit": "root"
},
"ValidNotAfter": "9999-12-31T23:59:59+00:00",
"ValidNotBefore": "1970-01-01T00:00:00+00:00"
}
```

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I495f5c1c1c4a2ac880dd3233be31b84a78d79a43
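The two operations above, as an added example that is not the project's code: a standard-library Python sketch of InstallAll (enumerate every certificate in a bundle and add each one) and ReplaceAll (the store ends up holding exactly the bundle's certificates), with the "temporary folder and swap" done as a freshly staged versioned directory and a symlink flipped by a single rename(). Assumptions that differ from the real service: the functions take the bundle as text rather than a file path; files are named by a SHA-256 prefix instead of the OpenSSL subject-hash names visible in the `ls` output, since that needs an X.509 parser; and the store path is a symlink rather than the plain `/etc/ssl/certs/authority/` directory. The sample bundles are constructed PEM framing over arbitrary bytes, not real certificates.

```python
import base64
import binascii
import hashlib
import os
import re
import shutil
import tempfile

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)

class BundleError(ValueError):
    """Raised for a malformed bundle; nothing is installed when this fires."""

def split_pem_bundle(text):
    """Return (pem, der) for every certificate block in `text`. Text between blocks
    (comments, `subject=` lines) is ignored; a block whose body is not base64 aborts
    the whole call, so a corrupt bundle never half-installs."""
    certs = []
    for m in _PEM_RE.finditer(text):
        body = "".join(m.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise BundleError("malformed certificate block") from exc
        if not der:
            raise BundleError("empty certificate block")
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        certs.append(("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % wrapped, der))
    if not certs:
        raise BundleError("no certificates in bundle")
    return certs

def cert_filename(der):
    """Content-addressed name (assumption; the real store uses subject-hash names like 10a5d8b0.0)."""
    return hashlib.sha256(der).hexdigest()[:16] + ".pem"

def _write_atomic(path, text):
    """Temp file + rename in the same directory: a reader sees the whole file or no file."""
    fd, tmp = tempfile.mkstemp(prefix=".tmp-", dir=os.path.dirname(path))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)

def _new_version_dir(store_link):
    d = tempfile.mkdtemp(prefix=".authority-", dir=os.path.dirname(os.path.abspath(store_link)))
    os.chmod(d, 0o755)
    return d

def _point_link(store_link, version_dir):
    """Flip `store_link` to `version_dir` with one rename(): atomic on POSIX."""
    tmp = store_link + ".%d.tmp" % os.getpid()
    os.symlink(os.path.basename(version_dir), tmp)
    os.replace(tmp, store_link)

def _current_dir(store_link):
    """Directory behind the store symlink, creating an empty store if absent."""
    if os.path.islink(store_link):
        return os.path.realpath(store_link)
    if os.path.lexists(store_link):
        raise RuntimeError("%s exists and is not a symlink" % store_link)
    _point_link(store_link, _new_version_dir(store_link))
    return os.path.realpath(store_link)

def install_all(bundle_text, store_link):
    """InstallAll: add every certificate in the bundle to the live store.
    Returns the file names added; certificates already present are skipped."""
    certs = split_pem_bundle(bundle_text)          # validate before touching the store
    store_dir, added = _current_dir(store_link), []
    for pem, der in certs:
        name = cert_filename(der)
        if not os.path.exists(os.path.join(store_dir, name)):
            _write_atomic(os.path.join(store_dir, name), pem)
            added.append(name)
    return added

def replace_all(bundle_text, store_link):
    """ReplaceAll: stage the new set in a fresh directory, flip the symlink, then
    drop the old directory. A reader sees the old set or the new, never a mix."""
    certs = split_pem_bundle(bundle_text)
    previous = _current_dir(store_link)
    staging = _new_version_dir(store_link)
    for pem, der in certs:
        _write_atomic(os.path.join(staging, cert_filename(der)), pem)
    _point_link(store_link, staging)
    shutil.rmtree(previous, ignore_errors=True)
    return sorted(os.listdir(store_link))

# Constructed bundles: well-formed PEM framing over arbitrary bytes, NOT real certificates.
SAMPLE_BUNDLE = """# constructed trust bundle A
-----BEGIN CERTIFICATE-----
MIIBxzCCAW2gAwIBAgIUAAECAwQ=
-----END CERTIFICATE-----
subject=CN=second
-----BEGIN CERTIFICATE-----
MIIBxzCCAW2gAwIBAgIUBQYHCAk=
-----END CERTIFICATE-----
"""
SAMPLE_BUNDLE_B = "-----BEGIN CERTIFICATE-----\nMIIBxzCCAW2gAwIBAgIUCgsMDQ4=\n-----END CERTIFICATE-----\n"

def demo():
    """Run both operations in a scratch directory and report what happened."""
    root = tempfile.mkdtemp(prefix="certstore-demo-")
    try:
        store = os.path.join(root, "authority")
        first = install_all(SAMPLE_BUNDLE, store)          # two files added
        again = install_all(SAMPLE_BUNDLE, store)          # idempotent: nothing added
        old_dir = os.path.realpath(store)
        replaced = replace_all(SAMPLE_BUNDLE_B, store)     # store now holds exactly one
        return {"installed": first, "reinstalled": again, "replaced": replaced,
                "old_dir_removed": not os.path.exists(old_dir)}
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Two properties worth checking in any implementation of this interface: the bundle is parsed and validated completely before the store is touched, so a bad input cannot leave a partially installed set, and the swap itself is one rename(), so a TLS client that opens the directory mid-ReplaceAll still gets a consistent trust set.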



# 718eef37 28-Dec-2021 Nan Zhou <nanzhoumails@gmail.com>

config.h.in: use const variables instead of macros

Most style guides try to avoid preprocessor macros, especially the use
case here: const objects. This change replaced them with const
variables. Their names are also changed according to the OpenBMC style
guide.

Reference:
https://google.github.io/styleguide/cppguide.html#Preprocessor_Macros

Signed-off-by: Nan Zhou <nanzhoumails@gmail.com>
Change-Id: I0786c7c83f3a0d892c14f1cb813d0aa16d627b3e



# e0e2cce9 13-Dec-2021 Patrick Williams <patrick@stwcx.xyz>

build: rename config.h source

The meson-generated config.h template was previously named as
'config.h.meson' to avoid collisions with the autotools-generated
'config.h.in'. Switch the source template to '.in' to follow typical
file naming patterns now that autotools is removed.

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Ie59d429732ab704ff7670a5ab5d2f5d4c6f09d21
