author | Kowalski, Kamil <kamil.kowalski@intel.com> | 2019-07-10 14:12:57 +0300 |
---|---|---|
committer | James Feist <james.feist@linux.intel.com> | 2019-11-08 19:52:06 +0300 |
commit | 55e43f69db10c3320430c190853bff8a5a272965 (patch) | |
tree | a54e098c8702af8d083a48de0aaf576a8cc84b93 /include/ssl_key_handler.hpp | |
parent | 8ae37025d83533889be862d73d8ec701a818275a (diff) | |
download | bmcweb-55e43f69db10c3320430c190853bff8a5a272965.tar.xz |
TLS based user auth implementation
Implemented TLS based user auth. It utilizes certificates stored by
Phosphor Certificate Manager in storage mode, to verify that user
that tries to log in, has a certificate signed by a trusted CA.
More about this can be read in redfish-tls-user-authentication.md design
document.
Tested that it does not break current authentication methods, when not
using TLS Auth - user should not see difference between versions. TLS Auth
itself allows user in when certificate is signed by trusted CA and valid, and
stops working immediately after it is removed. User is not let in when provided
certificate is not between notBefore and notAfter dates. Session is tested to
not be created when user does not exist in the system (courtesy of earlier
UserManagement usage commits).
Signed-off-by: Kowalski, Kamil <kamil.kowalski@intel.com>
Change-Id: I6bcaff018fe3105f77d3c10f69765e0011af8dab
Signed-off-by: Zbigniew Kurzynski <zbigniew.kurzynski@intel.com>
Diffstat (limited to 'include/ssl_key_handler.hpp')
-rw-r--r-- | include/ssl_key_handler.hpp | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp index d634d6375e..2bd1f59da3 100644 --- a/include/ssl_key_handler.hpp +++ b/include/ssl_key_handler.hpp @@ -16,6 +16,7 @@ namespace ensuressl { +constexpr char const *trustStorePath = "/etc/ssl/certs/authority"; static void initOpenssl(); static EVP_PKEY *createEcKey(); @@ -312,7 +313,11 @@ inline std::shared_ptr<boost::asio::ssl::context> boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1); - // m_ssl_context.set_verify_mode(boost::asio::ssl::verify_peer); + mSslContext->set_verify_mode(boost::asio::ssl::verify_peer); + + BMCWEB_LOG_DEBUG << "Using default TrustStore location: " << trustStorePath; + mSslContext->add_verify_path(trustStorePath); + mSslContext->use_certificate_file(ssl_pem_file, boost::asio::ssl::context::pem); mSslContext->use_private_key_file(ssl_pem_file, |
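Review bot: In the first hunk (@@ -16,6 +16,7 @@), trustStorePath is a hard-coded constant with no comment saying what populates /etc/ssl/certs/authority or what layout the directory must have. Since the second hunk passes it to add_verify_path, which takes an OpenSSL CA directory (certificates are looked up by subject-name hash file names), please add a comment next to the constant stating that requirement and naming the component that maintains the directory (the commit message says it is Phosphor Certificate Manager). The debug message calls this the "default" TrustStore location although nothing in the visible lines lets it be overridden; either drop "default" or make the path configurable.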
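Review bot: In the second hunk (@@ -312,7 +313,11 @@), set_verify_mode(boost::asio::ssl::verify_peer) is now applied unconditionally and no verify callback is installed in the visible lines, so a client that presents a certificate the trust store cannot validate will fail the handshake instead of falling back to the existing authentication methods. If that fallback is intended (the commit message says other methods must keep working), confirm a set_verify_callback is registered elsewhere in the series and mention it in a comment here; verify_fail_if_no_peer_cert is correctly left out so clients without a certificate can still connect. Also note that add_verify_path is called in its throwing form (no error_code argument), so please state what should happen when the trust store directory is missing or empty on a freshly provisioned system, and handle or log that case explicitly rather than relying on the exception path.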