Redfish: Add certificate service to manage HTTPS certificates

Implements CertificateService schema to list the actions available. Implements CertificateLocations schema to list the certificates present in the system. Implements CertificateCollection schema to upload/list existing HTTPS certificates Implements Certificate schema to view existing HTTPS certificate Cater for reloading the SSL context after a certificate is uploaded. Fix Certificate signature validation failure At present bmcweb uses the certificate from "/home/root/server.pem" the same is modified to "/etc/ssl/certs/https/server.pem" as phosphor-certificate-manager uses the specified path to install/replace certificates. Bmcweb creates a self-signed certificate when certificate is not present. Catered for creating "/etc/ssl/certs/https/" direcotry structure so that self signed certificate is created in the path. Implements ReplaceCertificate action of Certificate Service for replacing existing HTTPS certificates Cleanup of older self-signed certificate at /home/root/server.pem 1. Tested schema with validator and no issues 2. Privilege map for certificate service is not yet pubished 2. GET on /redfish/v1/CertificateService/ "CertificateService": { "@odata.id": "/redfish/v1/CertificateService" }, 3. GET on /redfish/v1/CertificateService/CertificateLocations/ "@odata.context": "/redfish/v1/$metadata#CertificateLocations.CertificateLocations", "@odata.id": "/redfish/v1/CertificateService/CertificateLocations", "@odata.type": "#CertificateLocations.v1_0_0.CertificateLocations", "Description": "Defines a resource that an administrator can use in order to locate all certificates installed on a given service", "Id": "CertificateLocations", "Name": "Certificate Locations" 4.POST on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates { Returns contents of certificate "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate", "@odata.id": "/redfish/v1/AccountService/LDAP/Certificates/1", "@odata.type": "#Certificate.v1A_0_0.Certificate", "Id": "1", "Issuer": { ... ... } 5.GET on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/ { "@odata.context": "/redfish/v1/$metadata#CertificateCollection.CertificateCollection", "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates", "@odata.type": "#CertificateCollection.CertificatesCollection", "Description": "A Collection of HTTPS certificate instances", "Members": [ { "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1" } ], "Members@odata.count": 1, "Name": "HTTPS Certificate Collection" } 6.GET on /redfish/v1/CertificateService/CertificateLocations/ { "@odata.context": "/redfish/v1/$metadata#CertificateLocations.CertificateLocations", "@odata.id": "/redfish/v1/CertificateService/CertificateLocations", "@odata.type": "#CertificateLocations.v1_0_0.CertificateLocations", "Description": "Defines a resource that an administrator can use in order to locate all certificates installed on a given service", "Id": "CertificateLocations", "Links": { "Certificates": [ { "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1" } ], "Certificates@odata.count": 1 }, "Name": "Certificate Locations" } 7.GET on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1 { "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate", "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1", "@odata.type": "#Certificate.v1_0_0.Certificate", "CertificateString": "-----BEGINCERTIFICATE-----\n....\n-----ENDCERTIFICATE-----\n", "CertificateType": "PEM", "Description": "HTTPS Certificate", "Id": "1", "Issuer": { } 8. Verified SSL context is reloaded after a certificate is installed. 9.curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST https://${bmc}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/ -d @data_https.json { "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate", "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1", "@odata.type": "#Certificate.v1_0_0.Certificate", "CertificateString": "-----BEGIN CERTIFICATE----END CERTIFICATE-----\n", "Description": "HTTPS certificate", "Id": "1", "Issuer": { } 4. data_https.json file contents { "CertificateString": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDClW1COSab2O0W\nW0SgTzLxQ1Igl4EpbEmTK8CAQ+wI7loTDZ7sZwYdf6yc9TAs/yNKjlJljgedGszv\nbC7sPNpH4FA63kaM6TbBBKTRshwZ3myXiBOOkOBs6w6V7+c7uEPcMFge6/4W1VXD\nReMi016cnPWZsmQyGzpmPM49YNEDZBfdKZ/pLuCYc9L9t706U7FrUSGfM7swB+mC\n8NH9qMixMuWAV9SBvzUWI6p4OCmN8a/F+4lOdbPMVEUqQ0hCBCjGM4qmiy/5Ng6y\n6rKeJlUdmOSTk8ojrNGcOXKh0nRafNEQFkIuoPHt8k5B/Yw2CX6s2BoGwvF+hS03\n+z3qVSw3AgMBAAECggEBAKpe92kybRGr3/rhMrdCYRJJpZEP1nGUdN89QbGMxxAS\n0h84n9vRYNNXRKWxMNtVEWtoLdDpiNUP8Dv59yO1LFIen2DL2e3rDJv4Gu/YCS7F\nR0NuS+FaDIaRURYLFeV+MzyJv75jVvhbFlqByJxngcGS1KAcSApvOLTnrJSlPpy9\n8ec5gnDhdOUND9PaQt8xCqMs1RPpjqvrgRzMEodZoqT5v+b0K1GmsAdbSHNP2mLM\nrqtpFDefiM1YfsTHUtxQykxG2Ipd2jzJ0a8O0qmVqdXcP9J9aqLcmD/2/r96GEV6\n/5qvIBj3SRFobxCiCwfys2XOXfjz2J+BUZzGoZvKeRECgYEA518hT6mn46LhwrTI\nW+Qpi7iTJgOfeLC+Ng855VHVQFED1P3T2lfyfGDyqKI/wV1DJIJmO8iOXerSPnhi\nb7reQkyHj6ERUtuE+6BQ9oTw2QD3EEvzOK2PEH5UipbhVTDnC3fT62Vz2yb3tR8D\n2h0XVJkj/dng9p1Td5aDGMriRRMCgYEA10vTyYqBPjDIEYw/Sc9aQk2kT6x3hrRQ\ngR4xyuI31RTCRD/KpLh/7z4s11Wkr+F9CyASeLbqu6zymlLOlS5p7IUkJ/x2X027\nJWVY1SR+oF3iF3SHiP4XkOVvWOKwIVUhgTjK1+Di6i3AlwIeAOS7VCCP6W0gbnwJ\nyyAAHZ30NM0CgYAqTur4dj2NEqvVvtkkdIRkWEwQF3mByE//8qjTljM4n5fjysaC\nlrJwrAmzbHfcFAHDG1U2eWYPJnFrmvflFnauCPCBAyL308xtdtNXQNgJ1nNXN4wy\nQQp4KaGr9gseWOLm5fKKiPK2kFmbdSBvMgKiJZ6/PKg2cG5i39L5JaBaoQKBgApw\nqOJ7Du1fHDSNonwHzA6vCSq76Efl8olwV2XJNn/ks87vcPov4DRPxYjjpErLGm8x\nrPOhmxxitJj7Lv1Y9NX9VtWBjpPshwi3M2mSjXllVBNjGTdxat8h4RZkV7omEKvd\nfyicxSQp987a0W2lqdfYhGIDYrE43pi1AoxtHmx5AoGBAJSoRy62oZbW6vjfdkuf\nvVnjNfFZwuiPV/X2NT+BhNPe5ZKFtC6gGedHLaIBBD3ItRhGuHZxgWXccPjGHofi\n6DlPdp2NePJgDT2maSjGSiAcHxyXdmW+Ev27NblvAxktoTUcVqSENrKFb+Fh4FXN\nlXiJzOEwAXiP2ZFbMRyNF/MI\n-----END PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\nMIIDNzCCAh+gAwIBAgIJAI1Wr/fK5F0GMA0GCSqGSIb3DQEBCwUAMDIxHDAaBgNV\nBAoME29wZW5ibWMtcHJvamVjdC54eXoxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0x\nOTAyMDExMzIyMDhaFw0yOTAxMjkxMzIyMDhaMDIxHDAaBgNVBAoME29wZW5ibWMt\ncHJvamVjdC54eXoxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\nBQADggEPADCCAQoCggEBAMKVbUI5JpvY7RZbRKBPMvFDUiCXgSlsSZMrwIBD7Aju\nWhMNnuxnBh1/rJz1MCz/I0qOUmWOB50azO9sLuw82kfgUDreRozpNsEEpNGyHBne\nbJeIE46Q4GzrDpXv5zu4Q9wwWB7r/hbVVcNF4yLTXpyc9ZmyZDIbOmY8zj1g0QNk\nF90pn+ku4Jhz0v23vTpTsWtRIZ8zuzAH6YLw0f2oyLEy5YBX1IG/NRYjqng4KY3x\nr8X7iU51s8xURSpDSEIEKMYziqaLL/k2DrLqsp4mVR2Y5JOTyiOs0Zw5cqHSdFp8\n0RAWQi6g8e3yTkH9jDYJfqzYGgbC8X6FLTf7PepVLDcCAwEAAaNQME4wHQYDVR0O\nBBYEFDDohRZ1+QlC3WdIkOAdBHXVyW/SMB8GA1UdIwQYMBaAFDDohRZ1+QlC3WdI\nkOAdBHXVyW/SMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFN0DWy6\nYPXHzidWMKKyQiJ5diqUv6LbujKOHUk+/LGSoCqcUp8NvmFDKWYP9MxjOAi9TVbs\nRGlIHBl38oSwKUayXBTY/vVeSLls90giUAOjswoRbBBQZvKyfEuFpc1zUsrhGLDC\n/6DuRt9l0DWcMcmP6Yh3jePIIwTr3bpxBGrwNLly8fPf16q4bWRIAcI3ZgLOhsrN\nLfD2kf56oYViM44d54Wa0qjuCfeTnJ46x/lo6w2kB9IzF7lwpipMU7+AG8ijDdaQ\nn8t0nADpv6tNNargLcOTTfJ0/P2PaKxwA1B88NhjlymBnNbz4epIn4T3KyysgS62\nzwqs66LPWoDerzc=\n-----END CERTIFICATE-----", "CertificateType": "PEM", "CertificateUri": { "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1" } } Change-Id: I2acbf8afa06bbf7d029d4971f7ab3b3988f5f060 Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com> Signed-off-by: Ed Tanous <ed.tanous@intel.com>
author: Marri Devender Rao <devenrao@in.ibm.com> 2019-01-21 19:27:12 +0300
committer: Ed Tanous <ed.tanous@intel.com> 2019-06-13 01:53:05 +0300
commit: 5968caee7ccf978755a9a63d225965101a0c0378 (patch)
tree: 81f7298459cc19487bcbc4774d5e84764c1d5283 /include/ssl_key_handler.hpp
parent: d22c8396f0bcec4488d0c98eae3092384b3a5929 (diff)
download: bmcweb-5968caee7ccf978755a9a63d225965101a0c0378.tar.xz
1 files changed, 17 insertions, 15 deletions
diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index e309d70a30..2b67661d62 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -279,28 +279,30 @@ inline void ensureOpensslKeyPresentAndValid(const std::string &filepath)
     }
 }
 
-inline boost::asio::ssl::context getSslContext(const std::string &ssl_pem_file)
+inline std::shared_ptr<boost::asio::ssl::context>
+    getSslContext(const std::string &ssl_pem_file)
 {
-    boost::asio::ssl::context mSslContext{
-        boost::asio::ssl::context::tls_server};
-    mSslContext.set_options(boost::asio::ssl::context::default_workarounds |
-                            boost::asio::ssl::context::no_sslv2 |
-                            boost::asio::ssl::context::no_sslv3 |
-                            boost::asio::ssl::context::single_dh_use |
-                            boost::asio::ssl::context::no_tlsv1 |
-                            boost::asio::ssl::context::no_tlsv1_1);
+    std::shared_ptr<boost::asio::ssl::context> mSslContext =
+        std::make_shared<boost::asio::ssl::context>(
+            boost::asio::ssl::context::tls_server);
+    mSslContext->set_options(boost::asio::ssl::context::default_workarounds |
+                             boost::asio::ssl::context::no_sslv2 |
+                             boost::asio::ssl::context::no_sslv3 |
+                             boost::asio::ssl::context::single_dh_use |
+                             boost::asio::ssl::context::no_tlsv1 |
+                             boost::asio::ssl::context::no_tlsv1_1);
 
     // m_ssl_context.set_verify_mode(boost::asio::ssl::verify_peer);
-    mSslContext.use_certificate_file(ssl_pem_file,
-                                     boost::asio::ssl::context::pem);
-    mSslContext.use_private_key_file(ssl_pem_file,
-                                     boost::asio::ssl::context::pem);
+    mSslContext->use_certificate_file(ssl_pem_file,
+                                      boost::asio::ssl::context::pem);
+    mSslContext->use_private_key_file(ssl_pem_file,
+                                      boost::asio::ssl::context::pem);
 
     // Set up EC curves to auto (boost asio doesn't have a method for this)
     // There is a pull request to add this.  Once this is included in an asio
     // drop, use the right way
     // http://stackoverflow.com/questions/18929049/boost-asio-with-ecdsa-certificate-issue
-    if (SSL_CTX_set_ecdh_auto(mSslContext.native_handle(), 1) != 1)
+    if (SSL_CTX_set_ecdh_auto(mSslContext->native_handle(), 1) != 1)
     {
         BMCWEB_LOG_ERROR << "Error setting tmp ecdh list\n";
     }
@@ -316,7 +318,7 @@ inline boost::asio::ssl::context getSslContext(const std::string &ssl_pem_file)
                                 "ECDHE-ECDSA-AES128-SHA256:"
                                 "ECDHE-RSA-AES128-SHA256";
 
-    if (SSL_CTX_set_cipher_list(mSslContext.native_handle(),
+    if (SSL_CTX_set_cipher_list(mSslContext->native_handle(),
                                 mozillaModern.c_str()) != 1)
     {
         BMCWEB_LOG_ERROR << "Error setting cipher list\n";
author	Marri Devender Rao <devenrao@in.ibm.com>	2019-01-21 19:27:12 +0300
committer	Ed Tanous <ed.tanous@intel.com>	2019-06-13 01:53:05 +0300
commit	5968caee7ccf978755a9a63d225965101a0c0378 (patch)
tree	81f7298459cc19487bcbc4774d5e84764c1d5283 /include/ssl_key_handler.hpp
parent	d22c8396f0bcec4488d0c98eae3092384b3a5929 (diff)
download	bmcweb-5968caee7ccf978755a9a63d225965101a0c0378.tar.xz