From 5968caee7ccf978755a9a63d225965101a0c0378 Mon Sep 17 00:00:00 2001
From: Marri Devender Rao <devenrao@in.ibm.com>
Date: Mon, 21 Jan 2019 10:27:12 -0600
Subject: Redfish: Add certificate service to manage HTTPS certificates

Implements CertificateService schema to list the actions
available.

Implements CertificateLocations schema to list the
certificates present in the system.

Implements CertificateCollection schema to upload/list
existing HTTPS certificates

Implements Certificate schema to view existing HTTPS
certificate

Cater for reloading the SSL context after a certificate
is uploaded.

Fix Certificate signature validation failure

At present bmcweb uses the certificate from "/home/root/server.pem"
the same is modified to "/etc/ssl/certs/https/server.pem" as
phosphor-certificate-manager uses the specified path to
install/replace certificates.

Bmcweb creates a self-signed certificate when certificate is not
present. Catered for creating "/etc/ssl/certs/https/" direcotry
structure so that self signed certificate is created in the path.

Implements ReplaceCertificate action of Certificate
Service for replacing existing HTTPS certificates

Cleanup of older self-signed certificate at /home/root/server.pem

1. Tested schema with validator and no issues
2. Privilege map for certificate service is not yet pubished
2. GET on /redfish/v1/CertificateService/
  "CertificateService": {
    "@odata.id": "/redfish/v1/CertificateService"
  },

3. GET on /redfish/v1/CertificateService/CertificateLocations/
  "@odata.context":
"/redfish/v1/$metadata#CertificateLocations.CertificateLocations",
  "@odata.id": "/redfish/v1/CertificateService/CertificateLocations",
  "@odata.type": "#CertificateLocations.v1_0_0.CertificateLocations",
  "Description": "Defines a resource that an administrator can use in order to
locate all certificates installed on a given service",
  "Id": "CertificateLocations",
  "Name": "Certificate Locations"

4.POST on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates
{
  Returns contents of certificate
  "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
  "@odata.id": "/redfish/v1/AccountService/LDAP/Certificates/1",
  "@odata.type": "#Certificate.v1A_0_0.Certificate",
  "Id": "1",
  "Issuer": {
  ...
  ...
}

5.GET on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/
{
  "@odata.context":
"/redfish/v1/$metadata#CertificateCollection.CertificateCollection",
  "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates",
  "@odata.type": "#CertificateCollection.CertificatesCollection",
  "Description": "A Collection of HTTPS certificate instances",
  "Members": [
    {
      "@odata.id":
      "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
    }
  ],
  "Members@odata.count": 1,
  "Name": "HTTPS Certificate Collection"
}

6.GET on /redfish/v1/CertificateService/CertificateLocations/
{
  "@odata.context":
"/redfish/v1/$metadata#CertificateLocations.CertificateLocations",
  "@odata.id": "/redfish/v1/CertificateService/CertificateLocations",
  "@odata.type": "#CertificateLocations.v1_0_0.CertificateLocations",
  "Description": "Defines a resource that an administrator can use in order to
    locate all certificates installed on a given service",
  "Id": "CertificateLocations",
  "Links": {
    "Certificates": [
      {
        "@odata.id":
        "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
      }
    ],
    "Certificates@odata.count": 1
  },
  "Name": "Certificate Locations"
}

7.GET on /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1
{
  "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
  "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1",
  "@odata.type": "#Certificate.v1_0_0.Certificate",
  "CertificateString":
"-----BEGINCERTIFICATE-----\n....\n-----ENDCERTIFICATE-----\n",
  "CertificateType": "PEM",
  "Description": "HTTPS Certificate",
  "Id": "1",
  "Issuer": {
}
8. Verified SSL context is reloaded after a certificate is installed.
9.curl -c cjar -b cjar -k -H "X-Auth-Token: $bmc_token" -X POST
https://${bmc}/redfish/v1/CertificateService/Actions/CertificateService.ReplaceCertificate/
-d @data_https.json
{
  "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
  "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1",
  "@odata.type": "#Certificate.v1_0_0.Certificate",
  "CertificateString": "-----BEGIN CERTIFICATE----END CERTIFICATE-----\n",
  "Description": "HTTPS certificate",
  "Id": "1",
  "Issuer": {
}
4. data_https.json file contents
{
    "CertificateString": "-----BEGIN PRIVATE
KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDClW1COSab2O0W\nW0SgTzLxQ1Igl4EpbEmTK8CAQ+wI7loTDZ7sZwYdf6yc9TAs/yNKjlJljgedGszv\nbC7sPNpH4FA63kaM6TbBBKTRshwZ3myXiBOOkOBs6w6V7+c7uEPcMFge6/4W1VXD\nReMi016cnPWZsmQyGzpmPM49YNEDZBfdKZ/pLuCYc9L9t706U7FrUSGfM7swB+mC\n8NH9qMixMuWAV9SBvzUWI6p4OCmN8a/F+4lOdbPMVEUqQ0hCBCjGM4qmiy/5Ng6y\n6rKeJlUdmOSTk8ojrNGcOXKh0nRafNEQFkIuoPHt8k5B/Yw2CX6s2BoGwvF+hS03\n+z3qVSw3AgMBAAECggEBAKpe92kybRGr3/rhMrdCYRJJpZEP1nGUdN89QbGMxxAS\n0h84n9vRYNNXRKWxMNtVEWtoLdDpiNUP8Dv59yO1LFIen2DL2e3rDJv4Gu/YCS7F\nR0NuS+FaDIaRURYLFeV+MzyJv75jVvhbFlqByJxngcGS1KAcSApvOLTnrJSlPpy9\n8ec5gnDhdOUND9PaQt8xCqMs1RPpjqvrgRzMEodZoqT5v+b0K1GmsAdbSHNP2mLM\nrqtpFDefiM1YfsTHUtxQykxG2Ipd2jzJ0a8O0qmVqdXcP9J9aqLcmD/2/r96GEV6\n/5qvIBj3SRFobxCiCwfys2XOXfjz2J+BUZzGoZvKeRECgYEA518hT6mn46LhwrTI\nW+Qpi7iTJgOfeLC+Ng855VHVQFED1P3T2lfyfGDyqKI/wV1DJIJmO8iOXerSPnhi\nb7reQkyHj6ERUtuE+6BQ9oTw2QD3EEvzOK2PEH5UipbhVTDnC3fT62Vz2yb3tR8D\n2h0XVJkj/dng9p1Td5aDGMriRRMCgYEA10vTyYqBPjDIEYw/Sc9aQk2kT6x3hrRQ\ngR4xyuI31RTCRD/KpLh/7z4s11Wkr+F9CyASeLbqu6zymlLOlS5p7IUkJ/x2X027\nJWVY1SR+oF3iF3SHiP4XkOVvWOKwIVUhgTjK1+Di6i3AlwIeAOS7VCCP6W0gbnwJ\nyyAAHZ30NM0CgYAqTur4dj2NEqvVvtkkdIRkWEwQF3mByE//8qjTljM4n5fjysaC\nlrJwrAmzbHfcFAHDG1U2eWYPJnFrmvflFnauCPCBAyL308xtdtNXQNgJ1nNXN4wy\nQQp4KaGr9gseWOLm5fKKiPK2kFmbdSBvMgKiJZ6/PKg2cG5i39L5JaBaoQKBgApw\nqOJ7Du1fHDSNonwHzA6vCSq76Efl8olwV2XJNn/ks87vcPov4DRPxYjjpErLGm8x\nrPOhmxxitJj7Lv1Y9NX9VtWBjpPshwi3M2mSjXllVBNjGTdxat8h4RZkV7omEKvd\nfyicxSQp987a0W2lqdfYhGIDYrE43pi1AoxtHmx5AoGBAJSoRy62oZbW6vjfdkuf\nvVnjNfFZwuiPV/X2NT+BhNPe5ZKFtC6gGedHLaIBBD3ItRhGuHZxgWXccPjGHofi\n6DlPdp2NePJgDT2maSjGSiAcHxyXdmW+Ev27NblvAxktoTUcVqSENrKFb+Fh4FXN\nlXiJzOEwAXiP2ZFbMRyNF/MI\n-----END
PRIVATE KEY-----\n-----BEGIN
CERTIFICATE-----\nMIIDNzCCAh+gAwIBAgIJAI1Wr/fK5F0GMA0GCSqGSIb3DQEBCwUAMDIxHDAaBgNV\nBAoME29wZW5ibWMtcHJvamVjdC54eXoxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0x\nOTAyMDExMzIyMDhaFw0yOTAxMjkxMzIyMDhaMDIxHDAaBgNVBAoME29wZW5ibWMt\ncHJvamVjdC54eXoxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\nBQADggEPADCCAQoCggEBAMKVbUI5JpvY7RZbRKBPMvFDUiCXgSlsSZMrwIBD7Aju\nWhMNnuxnBh1/rJz1MCz/I0qOUmWOB50azO9sLuw82kfgUDreRozpNsEEpNGyHBne\nbJeIE46Q4GzrDpXv5zu4Q9wwWB7r/hbVVcNF4yLTXpyc9ZmyZDIbOmY8zj1g0QNk\nF90pn+ku4Jhz0v23vTpTsWtRIZ8zuzAH6YLw0f2oyLEy5YBX1IG/NRYjqng4KY3x\nr8X7iU51s8xURSpDSEIEKMYziqaLL/k2DrLqsp4mVR2Y5JOTyiOs0Zw5cqHSdFp8\n0RAWQi6g8e3yTkH9jDYJfqzYGgbC8X6FLTf7PepVLDcCAwEAAaNQME4wHQYDVR0O\nBBYEFDDohRZ1+QlC3WdIkOAdBHXVyW/SMB8GA1UdIwQYMBaAFDDohRZ1+QlC3WdI\nkOAdBHXVyW/SMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFN0DWy6\nYPXHzidWMKKyQiJ5diqUv6LbujKOHUk+/LGSoCqcUp8NvmFDKWYP9MxjOAi9TVbs\nRGlIHBl38oSwKUayXBTY/vVeSLls90giUAOjswoRbBBQZvKyfEuFpc1zUsrhGLDC\n/6DuRt9l0DWcMcmP6Yh3jePIIwTr3bpxBGrwNLly8fPf16q4bWRIAcI3ZgLOhsrN\nLfD2kf56oYViM44d54Wa0qjuCfeTnJ46x/lo6w2kB9IzF7lwpipMU7+AG8ijDdaQ\nn8t0nADpv6tNNargLcOTTfJ0/P2PaKxwA1B88NhjlymBnNbz4epIn4T3KyysgS62\nzwqs66LPWoDerzc=\n-----END
CERTIFICATE-----",
    "CertificateType": "PEM",
    "CertificateUri":
    {
        "@odata.id":
"/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
    }
}

Change-Id: I2acbf8afa06bbf7d029d4971f7ab3b3988f5f060
Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
---
 src/webserver_main.cpp | 9 ---------
 1 file changed, 9 deletions(-)

(limited to 'src/webserver_main.cpp')

diff --git a/src/webserver_main.cpp b/src/webserver_main.cpp
index a4cf582aa7..1c9c1f18d3 100644
--- a/src/webserver_main.cpp
+++ b/src/webserver_main.cpp
@@ -61,15 +61,6 @@ int main(int argc, char** argv)
     auto io = std::make_shared<boost::asio::io_context>();
     CrowApp app(io);
 
-#ifdef BMCWEB_ENABLE_SSL
-    std::string sslPemFile("server.pem");
-    std::cout << "Building SSL Context\n";
-
-    ensuressl::ensureOpensslKeyPresentAndValid(sslPemFile);
-    std::cout << "SSL Enabled\n";
-    auto sslContext = ensuressl::getSslContext(sslPemFile);
-    app.ssl(std::move(sslContext));
-#endif
     // Static assets need to be initialized before Authorization, because auth
     // needs to build the whitelist from the static routes
 
-- 
cgit v1.2.3