forked from ibm-openbmc/phosphor-certificate-manager
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcerts_manager.hpp
247 lines (219 loc) · 10.7 KB
/
certs_manager.hpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
#pragma once
#include "config.h"
#include "certificate.hpp"
#include "csr.hpp"
#include "watch.hpp"
#include <sdeventplus/source/child.hpp>
#include <sdeventplus/source/event.hpp>
#include <xyz/openbmc_project/Certs/CSR/Create/server.hpp>
#include <xyz/openbmc_project/Certs/Install/server.hpp>
#include <xyz/openbmc_project/Object/Delete/server.hpp>
namespace phosphor
{
namespace certs
{
using Install = sdbusplus::xyz::openbmc_project::Certs::server::Install;
using Delete = sdbusplus::xyz::openbmc_project::Object::server::Delete;
using CSRCreate = sdbusplus::xyz::openbmc_project::Certs::CSR::server::Create;
using Ifaces = sdbusplus::server::object::object<Install, CSRCreate, Delete>;
using X509_REQ_Ptr = std::unique_ptr<X509_REQ, decltype(&::X509_REQ_free)>;
using EVP_PKEY_Ptr = std::unique_ptr<EVP_PKEY, decltype(&::EVP_PKEY_free)>;
using CertificatePtr = std::unique_ptr<Certificate>;
class Manager : public Ifaces
{
public:
/* Define all of the basic class operations:
* Not allowed:
* - Default constructor is not possible due to member
* reference
* - Move operations due to 'this' being registered as the
* 'context' with sdbus.
* Allowed:
* - copy
* - Destructor.
*/
Manager() = delete;
Manager(const Manager&) = default;
Manager& operator=(const Manager&) = delete;
Manager(Manager&&) = delete;
Manager& operator=(Manager&&) = delete;
virtual ~Manager() = default;
/** @brief Constructor to put object onto bus at a dbus path.
* @param[in] bus - Bus to attach to.
* @param[in] event - sd event handler.
* @param[in] path - Path to attach at.
* @param[in] type - Type of the certificate.
* @param[in] unit - Unit consumed by this certificate.
* @param[in] installPath - Certificate installation path.
*/
Manager(sdbusplus::bus::bus& bus, sdeventplus::Event& event,
const char* path, const CertificateType& type,
UnitsToRestart&& unit, CertInstallPath&& installPath);
/** @brief Implementation for Install
* Replace the existing certificate key file with another
* (possibly CA signed) Certificate key file.
*
* @param[in] filePath - Certificate key file path.
*/
void install(const std::string filePath) override;
/** @brief Delete the certificate (and possibly revert
* to a self-signed certificate).
*/
void delete_() override;
/** @brief Generate Private key and CSR file
* Generates the Private key file and CSR file based on the input
* parameters. Validation of the parameters is callers responsibility.
* At present supports only RSA algorithm type
*
* @param[in] alternativeNames - Additional hostnames of the component that
* is being secured.
* @param[in] challengePassword - The challenge password to be applied to
* the certificate for revocation requests.
* @param[in] city - The city or locality of the organization making the
* request. For Example Austin
* @param[in] commonName - The fully qualified domain name of the component
* that is being secured.
* @param[in] contactPerson - The name of the user making the request.
* @param[in] country - The country of the organization making the request.
* @param[in] email - The email address of the contact within the
* organization making the request.
* @param[in] givenName - The given name of the user making the request.
* @param[in] initials - The initials of the user making the request.
* @param[in] keyBitLength - The length of the key in bits, if needed based
* on the value of the KeyPairAlgorithm parameter.
* @param[in] keyCurveId - The curve ID to be used with the key, if needed
* based on the value of the KeyPairAlgorithm parameter.
* @param[in] keyPairAlgorithm - The type of key pair for use with signing
* algorithms. Valid built-in algorithm names for private key
* generation are: RSA, DSA, DH and EC.
* @param[in] keyUsage - Key usage extensions define the purpose of the
* public key contained in a certificate. Valid Key usage extensions
* and its usage description.
* - ClientAuthentication: The public key is used for TLS WWW client
* authentication.
* - CodeSigning: The public key is used for the signing of executable
* code
* - CRLSigning: The public key is used for verifying signatures on
* certificate revocation lists (CLRs).
* - DataEncipherment: The public key is used for directly enciphering
* raw user data without the use of an intermediate symmetric
* cipher.
* - DecipherOnly: The public key could be used for deciphering data
* while performing key agreement.
* - DigitalSignature: The public key is used for verifying digital
* signatures, other than signatures on certificatesand CRLs.
* - EmailProtection: The public key is used for email protection.
* - EncipherOnly: Thepublic key could be used for enciphering data
* while performing key agreement.
* - KeyCertSign: The public key is used for verifying signatures on
* public key certificates.
* - KeyEncipherment: The public key is used for enciphering private or
* secret keys.
* - NonRepudiation: The public key is used to verify digital
* signatures, other than signatures on certificates and CRLs, and
* used to provide a non-repudiation service that protects against
* the signing entity falsely denying some action.
* - OCSPSigning: The public key is used for signing OCSP responses.
* - ServerAuthentication: The public key is used for TLS WWW server
* authentication.
* - Timestamping: The public key is used for binding the hash of an
* object to a time.
* @param[in] organization - The legal name of the organization. This
* should not be abbreviated and should include suffixes such as Inc,
* Corp, or LLC.For example, IBM Corp.
* @param[in] organizationalUnit - The name of the unit or division of the
* organization making the request.
* @param[in] state - The state or province where the organization is
* located. This should not be abbreviated. For example, Texas.
* @param[in] surname - The surname of the user making the request.
* @param[in] unstructuredName - The unstructured name of the subject.
*
* @return path[std::string] - The object path of the D-Bus object
* representing CSR string. Note: For new CSR request will overwrite
* the existing CSR in the system.
*/
std::string generateCSR(
std::vector<std::string> alternativeNames,
std::string challengePassword, std::string city, std::string commonName,
std::string contactPerson, std::string country, std::string email,
std::string givenName, std::string initials, int64_t keyBitLength,
std::string keyCurveId, std::string keyPairAlgorithm,
std::vector<std::string> keyUsage, std::string organization,
std::string organizationalUnit, std::string state, std::string surname,
std::string unstructuredName) override;
/** @brief Get reference to certificate
*
* @return Reference to certificate
*/
CertificatePtr& getCertificate();
private:
void generateCSRHelper(std::vector<std::string> alternativeNames,
std::string challengePassword, std::string city,
std::string commonName, std::string contactPerson,
std::string country, std::string email,
std::string givenName, std::string initials,
int64_t keyBitLength, std::string keyCurveId,
std::string keyPairAlgorithm,
std::vector<std::string> keyUsage,
std::string organization,
std::string organizationalUnit, std::string state,
std::string surname, std::string unstructuredName);
/** @brief Generate RSA Key pair and get private key from key pair
* @param[in] keyBitLength - KeyBit length.
* @return Pointer to RSA private key
*/
EVP_PKEY_Ptr generateRSAKeyPair(const int64_t keyBitLength);
/** @brief Generate EC Key pair and get private key from key pair
* @param[in] p_KeyCurveId - Curve ID
* @return Pointer to EC private key
*/
EVP_PKEY_Ptr generateECKeyPair(const std::string& p_KeyCurveId);
/** @brief Write private key data to file
*
* @param[in] pKey - pointer to private key
*/
void writePrivateKey(const EVP_PKEY_Ptr& pKey);
/** @brief Add the specified CSR field with the data
* @param[in] x509Name - Structure used in setting certificate properties
* @param[in] field - field name
* @param[in] bytes - field value in bytes
*/
void addEntry(X509_NAME* x509Name, const char* field,
const std::string& bytes);
/** @brief Create CSR D-Bus object by reading the data in the CSR file
* @param[in] statis - SUCCESSS/FAILURE In CSR generation.
*/
void createCSRObject(const Status& status);
/** @brief Write generated CSR data to file
*
* @param[in] filePath - CSR file path.
* @param[in] x509Req - OpenSSL Request Pointer.
*/
void writeCSR(const std::string& filePath, const X509_REQ_Ptr& x509Req);
/** @brief Load certifiate
* Load certificate and create certificate object
*/
void createCertificate();
/** @brief sdbusplus handler */
sdbusplus::bus::bus& bus;
// sdevent Event handle
sdeventplus::Event& event;
/** @brief object path */
std::string objectPath;
/** @brief Type of the certificate **/
CertificateType certType;
/** @brief Unit name associated to the service **/
UnitsToRestart unitToRestart;
/** @brief Certificate file installation path **/
CertInstallPath certInstallPath;
/** @brief pointer to certificate */
CertificatePtr certificatePtr = nullptr;
/** @brief pointer to CSR */
std::unique_ptr<CSR> csrPtr = nullptr;
/** @brief SDEventPlus child pointer added to event loop */
std::unique_ptr<sdeventplus::source::Child> childPtr = nullptr;
/** @brief Watch on self signed certificates */
std::unique_ptr<Watch> certWatchPtr = nullptr;
};
} // namespace certs
} // namespace phosphor