Fix certificate saving after policy table update #2218
Conversation
AKalinich-Luxoft
requested review from
AByzhynar,
mkloouo,
Ypostolov,
a user,
SNiukalov,
KVGrygoriev and
APipko
| @@ -331,6 +336,8 @@ bool CryptoManagerImpl::set_certificate(const std::string& cert_data) { | |||
| return false; | |||
| } | |||
|
|
|||
| // TODO(AKalinich): remove all lines below till the end of function when | |||
There was a problem hiding this comment.
Can we please remove the todo, as we can't merge these comments into develop?
| @@ -300,7 +305,7 @@ const CryptoManagerSettings& CryptoManagerImpl::get_settings() const { | |||
| return *settings_; | |||
| } | |||
|
|
|||
| bool CryptoManagerImpl::set_certificate(const std::string& cert_data) { | |||
| bool CryptoManagerImpl::SaveCertificateData(const std::string& cert_data) { | |||
| LOG4CXX_AUTO_TRACE(logger_); | |||
There was a problem hiding this comment.
Function doesn't change internal state, it should be const
It would be better function will be called with prefix "Is", IsSaveCertificateData
There was a problem hiding this comment.
@AKalinich-Luxoft Agree with const , disagree with prefix Is.
There was a problem hiding this comment.
@KVGrygoriev also disagree with prefix Is
Const added in 389a64f
| @@ -411,4 +407,59 @@ void CryptoManagerImpl::InitCertExpTime() { | |||
| strptime("1 Jan 1970 00:00:00", "%d %b %Y %H:%M:%S", &expiration_time_); | |||
| } | |||
|
|
|||
| bool CryptoManagerImpl::SaveModuleCertificateToFile(X509* certificate) const { | |||
There was a problem hiding this comment.
Same as for PR #2217 - I suppose we should free allocated resources...
There was a problem hiding this comment.
@olohvinenko thanks, fixed in 389a64f
| @@ -300,7 +305,7 @@ const CryptoManagerSettings& CryptoManagerImpl::get_settings() const { | |||
| return *settings_; | |||
| } | |||
|
|
|||
| bool CryptoManagerImpl::set_certificate(const std::string& cert_data) { | |||
| bool CryptoManagerImpl::SaveCertificateData(const std::string& cert_data) { | |||
| LOG4CXX_AUTO_TRACE(logger_); | |||
There was a problem hiding this comment.
@AKalinich-Luxoft Agree with const , disagree with prefix Is.
|
|
||
| const std::string key_path = get_settings().module_key_path(); | ||
| BIO* bio_key = BIO_new_file(key_path.c_str(), "w"); | ||
| if (NULL == bio_key) { |
There was a problem hiding this comment.
@AKalinich-Luxoft Use please if (!bio_key)
There was a problem hiding this comment.
@AByzhynar fixed in 389a64f
| utils::ScopeGuard bio_guard = utils::MakeGuard(BIO_free, bio_key); | ||
| UNUSED(bio_guard); | ||
|
|
||
| if (0 == PEM_write_bio_PrivateKey(bio_key, key, NULL, NULL, 0, NULL, NULL)) { |
There was a problem hiding this comment.
@AKalinich-Luxoft Use please (!PEM_write_bio_PrivateKey...)
Like described here: PEM_write_bio_PrivateKey
There was a problem hiding this comment.
@AByzhynar fixed in 389a64f
| bool CryptoManagerImpl::SaveModuleKeyToFile(EVP_PKEY* key) const { | ||
| LOG4CXX_AUTO_TRACE(logger_); | ||
|
|
||
| if (NULL == key) { |
There was a problem hiding this comment.
@AKalinich-Luxoft Same as above - if(!key)...
There was a problem hiding this comment.
@AByzhynar fixed in 389a64f
AKalinich-Luxoft
force-pushed
the
fix/fix_certificate_saving_after_ptu
branch
2 times, most recently
from
cb0575a to
9ecb880
Compare
|
@theresalech this PR is ready for review. |
Currently, SDL Core ignores both the CertificatePath and KeyPath keywords that would allow the system integrator to specify certificates for their environment, instead SDL Core only processes the certificate provided via the policy table. This fix makes these keywords functional. Following changes were done: - Added getters for CertificatePath and KeyPath parameters in SecurityManagerSettings class to provide another components an access to these properties - Added methods for loading certificate and private key data from the files specified by CertificatePath and KeyPath keywords - CryptoManager component implementation was updated. Now this component also read certificate data from files (if they are present and accessible) on its own initialization
SDL Core should update the module certificate in the local file system when a policy table update occurs. Currently SDL core is retrieving its certificate directly out of the policy table. This fix provides functionality for saving module certificate to the file system. Following changes were done: - Added getters for CertificatePath and KeyPath parameters in SecurityManagerSettings class to provide another components an access to these properties - Added methods for saving certificate and private key data to the files specified by CertificatePath and KeyPath keywords - CryptoManager component implementation was updated. Now this component also saves certificate data to files (if write permission allowed) after PTU
Added new expectations for a security tests due to some changes in the security flow
|
@AKalinich-Luxoft Please resolve merge conflicts. |
Conflicts: src/components/security_manager/src/crypto_manager_impl.cc
| is_ptu_triggered_ = false; | ||
| #endif // ENABLE_SECURITY | ||
| } | ||
| void ProtocolHandlerImpl::OnPTUFinished(const bool ptu_result) {} |
There was a problem hiding this comment.
Can we just remove this function if it doesn't do anything?
There was a problem hiding this comment.
@JackLivio yes, it has default empty implementation in base class.
Fixed in 0a7317d
Also was removed redundant logic
AKalinich-Luxoft
force-pushed
the
fix/fix_certificate_saving_after_ptu
branch
from
c0a84c8 to
0a7317d
Compare
|
@JackLivio all conflicts was resolved |
Fixes #2191
This PR is ready for review.
Risk
This PR makes no API changes.
Testing Plan
Will be tested on the integration branch
Unit tests
Summary
SDL Core should update the module certificate in the local file system when a policy table update occurs. Currently SDL core is retrieving its certificate directly out of the policy table. This fix provides functionality for saving module certificate to the file system.
NOTE
This fix is closely related to #2217 and should be merged after it.
This fix should be merged after #2105 and #2068.
Changelog
Following changes were done:
CertificatePathandKeyPathparameters inSecurityManagerSettingsclass to provide another components an access to these propertiesCertificatePathandKeyPathkeywordsCryptoManagercomponent implementation was updated. Now this component also saves certificate data to files (if write permission allowed) after PTUCLA