Ignored Trust-Chain related errors when validating certificate

Currently, bmcweb is generating self signed certificate when uploaded certificate is not in trust-chain while validating that certificate. As per design direction, bmcweb and Certificate Manager should ignore trust chain related errors and same feature addressed in certificate manager. Reference change id from Certificate Manager: https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/13875 With this change, the user can upload self signed CA certificate without Root CA-Certificate in certificate store and bmcweb won't generate self signed certificate when uploaded certificate is not in trust-chain. Trust chain error info: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY X509_V_ERR_CERT_UNTRUSTED X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE Change-Id: Ieedd602541d6d5284be3e22ffd5db3ee875065fe Signed-off-by: Ramesh Iyyar <rameshi1@in.ibm.com>
author: Ramesh Iyyar <rameshi1@in.ibm.com> 2019-06-22 03:31:55 -0500
committer: Ed Tanous <ed.tanous@intel.com> 2019-07-11 03:36:43 +0000
commit: 082f28fd2588fd9fcd9452ad38234ce875319163 (patch)
tree: aad8b42eafe157934a42ac82579d61e1ef33d23f /include
parent: 6f3595683739a6528e98b38cc82afbc60f9fda34 (diff)
download: bmcweb-082f28fd2588fd9fcd9452ad38234ce875319163.tar.gz
bmcweb-082f28fd2588fd9fcd9452ad38234ce875319163.zip
1 files changed, 81 insertions, 10 deletions
diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index 7aa1c53..ce6d9fa 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -22,6 +22,85 @@ static EVP_PKEY *createRsaKey();
 static EVP_PKEY *createEcKey();
 static void handleOpensslError();
 
+// Trust chain related errors.`
+inline bool isTrustChainError(int errnum)
+{
+    if ((errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ||
+        (errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) ||
+        (errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) ||
+        (errnum == X509_V_ERR_CERT_UNTRUSTED) ||
+        (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
+    {
+        return true;
+    }
+    else
+    {
+        return false;
+    }
+}
+
+inline bool validateCertificate(X509 *const cert)
+{
+    // Create an empty X509_STORE structure for certificate validation.
+    X509_STORE *x509Store = X509_STORE_new();
+    if (!x509Store)
+    {
+        BMCWEB_LOG_ERROR << "Error occured during X509_STORE_new call";
+        return false;
+    }
+
+    // Load Certificate file into the X509 structure.
+    X509_STORE_CTX *storeCtx = X509_STORE_CTX_new();
+    if (!storeCtx)
+    {
+        BMCWEB_LOG_ERROR << "Error occured during X509_STORE_CTX_new call";
+        X509_STORE_free(x509Store);
+        return false;
+    }
+
+    int errCode = X509_STORE_CTX_init(storeCtx, x509Store, cert, NULL);
+    if (errCode != 1)
+    {
+        BMCWEB_LOG_ERROR << "Error occured during X509_STORE_CTX_init call";
+        X509_STORE_CTX_free(storeCtx);
+        X509_STORE_free(x509Store);
+        return false;
+    }
+
+    errCode = X509_verify_cert(storeCtx);
+    if (errCode == 1)
+    {
+        BMCWEB_LOG_INFO << "Certificate verification is success";
+        X509_STORE_CTX_free(storeCtx);
+        X509_STORE_free(x509Store);
+        return true;
+    }
+    if (errCode == 0)
+    {
+        errCode = X509_STORE_CTX_get_error(storeCtx);
+        X509_STORE_CTX_free(storeCtx);
+        X509_STORE_free(x509Store);
+        if (isTrustChainError(errCode))
+        {
+            BMCWEB_LOG_DEBUG << "Ignoring Trust Chain error. Reason: "
+                             << X509_verify_cert_error_string(errCode);
+            return true;
+        }
+        else
+        {
+            BMCWEB_LOG_ERROR << "Certificate verification failed. Reason: "
+                             << X509_verify_cert_error_string(errCode);
+            return false;
+        }
+    }
+
+    BMCWEB_LOG_ERROR
+        << "Error occured during X509_verify_cert call. ErrorCode: " << errCode;
+    X509_STORE_CTX_free(storeCtx);
+    X509_STORE_free(x509Store);
+    return false;
+}
+
 inline bool verifyOpensslKeyCert(const std::string &filepath)
 {
     bool privateKeyValid = false;
@@ -86,16 +165,8 @@ inline bool verifyOpensslKeyCert(const std::string &filepath)
                 }
                 else
                 {
-                    rc = X509_verify(x509, pkey);
-                    if (rc == 1)
-                    {
-                        certValid = true;
-                    }
-                    else
-                    {
-                        std::cerr << "Error in verifying private key signature "
-                                  << ERR_get_error() << "\n";
-                    }
+                    certValid = validateCertificate(x509);
+                    X509_free(x509);
                 }
             }
author	Ramesh Iyyar <rameshi1@in.ibm.com>	2019-06-22 03:31:55 -0500
committer	Ed Tanous <ed.tanous@intel.com>	2019-07-11 03:36:43 +0000
commit	082f28fd2588fd9fcd9452ad38234ce875319163 (patch)
tree	aad8b42eafe157934a42ac82579d61e1ef33d23f /include
parent	6f3595683739a6528e98b38cc82afbc60f9fda34 (diff)
download	bmcweb-082f28fd2588fd9fcd9452ad38234ce875319163.tar.gz bmcweb-082f28fd2588fd9fcd9452ad38234ce875319163.zip