openbmc / phosphor-certificate-manager

Apache License 2.0

Able to upload multiple CA certificates with same subject and issuer name #10

Closed rahulmah closed 4 years ago

rahulmah commented 4 years ago

Able to upload multiple CA certificates with the same subject and issuer name.

```
bash-4.2$ curl -k -H "X-Auth-Token: $bmc_token" -X GET https://${BMC_IP}/redfish/v1/Managers/bmc/Truststore/Certificates/27
{
  "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
  "@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/27",
  "@odata.type": "#Certificate.v1_0_0.Certificate",
  "CertificateString": "-----BEGIN CERTIFICATE-----\nMIIDOTCCAiGgAwIBAgIJAOuTkdoHTDwZMA0GCSqGSIb3DQEBCwUAMDMxGjAYBgNV\nBAoMEVhZWjcgQ29ycG9yYXRpb24gMRUwEwYDVQQDDAx3d3cueHl6Ny5jb20wHhcN\nMjAwMjA0MDUwNjA3WhcNMjEwMjAzMDUwNjA3WjAzMRowGAYDVQQKDBFYWVo3IENv\ncnBvcmF0aW9uIDEVMBMGA1UEAwwMd3d3Lnh5ejcuY29tMIIBIjANBgkqhkiG9w0B\nAQEFAAOCAQ8AMIIBCgKCAQEArBkK+uUbYwrz1DqHOxsFfGGqpm0k4PgJm+9mibQ4\n4pFavn7KCQh1H8DqI2eAtMgLAuI2U+PS9eGUkFd3jou9wNltZiUMWTHGRqTu8dZ/\nCcNTIgURwQRLAmOpmPM1Y+z0xNA6PvqopYYylLXLBlxnYzYTQ7isZQ1/wYFRQuEo\nEejMQKjtWG261wNApipEUL4YVD/SycJ9HChkEBFfy0Qrc9kgMCVb6YXycQOQCymr\nddQkX7oRbL0oOo8qiObwrOwxTvRWd/g4NFvsHiG40WMDGRTjcV2gApg8Af0LFv/R\nNeXMYutrhLJhTydPGKMXJB3VlbQWMAmx/ciW+cj9KKC3KwIDAQABo1AwTjAdBgNV\nHQ4EFgQUWjZIFhGhssVJ64iyE99k+Gr2StswHwYDVR0jBBgwFoAUWjZIFhGhssVJ\n64iyE99k+Gr2StswDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAc7ve\npe2fVnQLRTAwFBVDDSvkpJPkciKcAujy0aqatk3OH589d44xWOyGzU/LU7kKrzWr\njTQ1AUB6Gicr9OSvROJn0I38srqooSs6FdNVn4RMLsF4Czw91QLxWswCdhRzthA+\nkO6yvOPgg8Hv25NFgNSQ9j5JLV3+HjW9rIEpvPg08HHOHx71M/8j8j4TO/Z0u9Ad\njdMmGKH+D78ZQ7JUV70dEE0LXORAf3Rh1YGeLsZ68lGWloiVJbcUYBKkNsHcaTnv\n2+j0MoJ92d5TYaWHgOo9pf00WjgGbE7UjX1pG0By/ZG2sJ+xE+zB7dBPSkIw5/7H\nCoZKR8+f/+nS5HL+KQ==\n-----END CERTIFICATE-----\n",
  "Description": "TrustStore Certificate",
  "Id": "27",
  "Issuer": {
    "CommonName": "www.xyz7.com",             <---- Issuer details
    "Organization": "XYZ7 Corporation "
  },
  "KeyUsage": [],
  "Name": "TrustStore Certificate",
  "Subject": {
    "CommonName": "www.xyz7.com",                <---- Subject details
    "Organization": "XYZ7 Corporation "
  },
  "ValidNotAfter": "2021-02-02T17:06:07+00:00",
  "ValidNotBefore": "2020-02-03T17:06:07+00:00"
}
bash-4.2$ curl -k -H "X-Auth-Token: $bmc_token" -X GET https://${BMC_IP}/redfish/v1/Managers/bmc/Truststore/Certificates/26
{
  "@odata.context": "/redfish/v1/$metadata#Certificate.Certificate",
  "@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/26",
  "@odata.type": "#Certificate.v1_0_0.Certificate",
  "CertificateString": "-----BEGIN CERTIFICATE-----\nMIIDOTCCAiGgAwIBAgIJAO+NdmzzFFpFMA0GCSqGSIb3DQEBCwUAMDMxGjAYBgNV\nBAoMEVhZWjcgQ29ycG9yYXRpb24gMRUwEwYDVQQDDAx3d3cueHl6Ny5jb20wHhcN\nMjAwMjA0MDUwMTU0WhcNMjEwMjAzMDUwMTU0WjAzMRowGAYDVQQKDBFYWVo3IENv\ncnBvcmF0aW9uIDEVMBMGA1UEAwwMd3d3Lnh5ejcuY29tMIIBIjANBgkqhkiG9w0B\nAQEFAAOCAQ8AMIIBCgKCAQEA4bh/0ZhpxZccxz/1DXlq49y2oW+/1Ig7VfHrNPOx\nozXQmYPvLJtiNRk00Lv0FJ+DlPaPI3oxNR7A9yALkG0uAQ6G8nP+TzdU+TTyrITz\njaKuAznorI2yxZFXX/nmOL6f9NVmQWHwbFyN3PYZnlY4cEwnNVZtjwyPNRrl/Zk2\naCEQsbSEPvVaOpIjKDaGsL/RteLfYOUbwr9/7AVodGv0em0zCrtZBy2STzb8LhO8\nv1riJPwJ9kSzXQpXDc97F5Lu2LEgCV8wIoY7bZtRmEucEAPTgQIPx4Ij65c6s5r1\nKP1D5Qspvqw5nVLGFbGDlAWZZ/vHV4ySUj3q9E0WeQEueQIDAQABo1AwTjAdBgNV\nHQ4EFgQUxpvSKf2hhcrqIlwwXct/Oi8H+tUwHwYDVR0jBBgwFoAUxpvSKf2hhcrq\nIlwwXct/Oi8H+tUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEACFFY\n70jO0r3/PaKCCqQi3hU4Y9bP8ZL7wium8t4/Yqak7s9pbRVKt8NOjVBStmWZOxCK\nyBP/S3DSNo8izg9GKdCxtjhJjN2ezCFWMcF/9WhdgGpJ6+OiZ0g4qG6v+ydyBs8e\nlrjgECiWU6hwox5GrPUzYNxVwFvztyDGC/mUtsEDHVWcFjs+vXAUwvx8ThLaYUkv\n4gjeXiJBlMLRjvejqPRWkTy1vhQO90y40Gym4zjgWsKQPe7loxFScunKK+QOMfJc\nd94pBLJf64Zg75tOQ/ZmSvXqtnCIG+CoVHzxnb/cku0jxjBNkS2D/66YQNvTPyRW\nbprrpLmJ9PGJstd0xg==\n-----END CERTIFICATE-----\n",
  "Description": "TrustStore Certificate",
  "Id": "26",
  "Issuer": {
    "CommonName": "www.xyz7.com",          <---- Issuer details
    "Organization": "XYZ7 Corporation "
  },
  "KeyUsage": [],
  "Name": "TrustStore Certificate",
  "Subject": {
    "CommonName": "www.xyz7.com",          <---- Subject details
    "Organization": "XYZ7 Corporation "
  },
  "ValidNotAfter": "2021-02-02T17:01:54+00:00",
  "ValidNotBefore": "2020-02-03T17:01:54+00:00"
}
bash-4.2$
```

BMC fw details:

```
ID="openbmc-phosphor"
NAME="Phosphor OpenBMC (Phosphor OpenBMC Project Reference Distro)"
VERSION="2.8.0-dev"
VERSION_ID="2.8.0-dev-1171-gbb8adec"
PRETTY_NAME="Phosphor OpenBMC (Phosphor OpenBMC Project Reference Distro) 2.8.0-dev"
BUILD_ID="2.8.0-dev"
OPENBMC_TARGET_MACHINE="witherspoon"
```

devenrao commented 4 years ago

My mistake: it is not just the subject name and issuer name; the serial number of the certificate is also considered when deciding whether it is a duplicate certificate.

```
[devenrao]$ openssl x509 -in server1.crt -serial -noout
serial=F6A66BB9A97533A2
[devenrao]$ openssl x509 -in server2.crt -serial -noout
serial=CE3773F72968044D
```

Please also check whether the serial number is the same.

devenrao commented 4 years ago

Basically, if we upload the same certificate again and again it should not be allowed, but a certificate generated multiple times will have a different serial number each time.

Earlier we used to just check the subject name, but we had issues with that, so we added the issuer name and serial number of the certificate too.

devenrao commented 4 years ago

Id is a combination of

```
unsigned long subjectNameHash = X509_subject_name_hash(cert.get());
unsigned long issuerSerialHash = X509_issuer_and_serial_hash(cert.get());
```
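To make the duplicate rule from the last two comments concrete, here is an added example (it is not phosphor-certificate-manager code and does not use the OpenSSL calls quoted above). It takes the two `CertificateString` values from the Redfish output at the top of the issue with the PEM armor removed, walks the DER with a minimal stdlib-only parser, and compares the decoded subject, issuer and serial directly instead of OpenSSL's `X509_subject_name_hash` / `X509_issuer_and_serial_hash` values. The function names `cert_identity`, `subject_only_duplicate` and `is_duplicate` are my own, chosen for illustration:

```python
"""Added example (not phosphor-certificate-manager code): decode the two
certificates from this issue with a minimal DER walker and show that they share
subject and issuer but differ in serial number, which is why the duplicate
check discussed in the thread must include the serial."""
import base64

# Base64 bodies copied from the issue's Redfish output (Truststore
# Certificates/27 and /26); they are the reporter's own test certificates.
CERT_27_B64 = (
    "MIIDOTCCAiGgAwIBAgIJAOuTkdoHTDwZMA0GCSqGSIb3DQEBCwUAMDMxGjAYBgNVBAoMEVhZWjcgQ29ycG9yYXRpb24gMRUwEwYDVQQDDAx3d3cueHl6Ny5jb20wHhcN"
    "MjAwMjA0MDUwNjA3WhcNMjEwMjAzMDUwNjA3WjAzMRowGAYDVQQKDBFYWVo3IENvcnBvcmF0aW9uIDEVMBMGA1UEAwwMd3d3Lnh5ejcuY29tMIIBIjANBgkqhkiG9w0B"
    "AQEFAAOCAQ8AMIIBCgKCAQEArBkK+uUbYwrz1DqHOxsFfGGqpm0k4PgJm+9mibQ44pFavn7KCQh1H8DqI2eAtMgLAuI2U+PS9eGUkFd3jou9wNltZiUMWTHGRqTu8dZ/"
    "CcNTIgURwQRLAmOpmPM1Y+z0xNA6PvqopYYylLXLBlxnYzYTQ7isZQ1/wYFRQuEoEejMQKjtWG261wNApipEUL4YVD/SycJ9HChkEBFfy0Qrc9kgMCVb6YXycQOQCymr"
    "ddQkX7oRbL0oOo8qiObwrOwxTvRWd/g4NFvsHiG40WMDGRTjcV2gApg8Af0LFv/RNeXMYutrhLJhTydPGKMXJB3VlbQWMAmx/ciW+cj9KKC3KwIDAQABo1AwTjAdBgNV"
    "HQ4EFgQUWjZIFhGhssVJ64iyE99k+Gr2StswHwYDVR0jBBgwFoAUWjZIFhGhssVJ64iyE99k+Gr2StswDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAc7ve"
    "pe2fVnQLRTAwFBVDDSvkpJPkciKcAujy0aqatk3OH589d44xWOyGzU/LU7kKrzWrjTQ1AUB6Gicr9OSvROJn0I38srqooSs6FdNVn4RMLsF4Czw91QLxWswCdhRzthA+"
    "kO6yvOPgg8Hv25NFgNSQ9j5JLV3+HjW9rIEpvPg08HHOHx71M/8j8j4TO/Z0u9AdjdMmGKH+D78ZQ7JUV70dEE0LXORAf3Rh1YGeLsZ68lGWloiVJbcUYBKkNsHcaTnv"
    "2+j0MoJ92d5TYaWHgOo9pf00WjgGbE7UjX1pG0By/ZG2sJ+xE+zB7dBPSkIw5/7HCoZKR8+f/+nS5HL+KQ=="
)
CERT_26_B64 = (
    "MIIDOTCCAiGgAwIBAgIJAO+NdmzzFFpFMA0GCSqGSIb3DQEBCwUAMDMxGjAYBgNVBAoMEVhZWjcgQ29ycG9yYXRpb24gMRUwEwYDVQQDDAx3d3cueHl6Ny5jb20wHhcN"
    "MjAwMjA0MDUwMTU0WhcNMjEwMjAzMDUwMTU0WjAzMRowGAYDVQQKDBFYWVo3IENvcnBvcmF0aW9uIDEVMBMGA1UEAwwMd3d3Lnh5ejcuY29tMIIBIjANBgkqhkiG9w0B"
    "AQEFAAOCAQ8AMIIBCgKCAQEA4bh/0ZhpxZccxz/1DXlq49y2oW+/1Ig7VfHrNPOxozXQmYPvLJtiNRk00Lv0FJ+DlPaPI3oxNR7A9yALkG0uAQ6G8nP+TzdU+TTyrITz"
    "jaKuAznorI2yxZFXX/nmOL6f9NVmQWHwbFyN3PYZnlY4cEwnNVZtjwyPNRrl/Zk2aCEQsbSEPvVaOpIjKDaGsL/RteLfYOUbwr9/7AVodGv0em0zCrtZBy2STzb8LhO8"
    "v1riJPwJ9kSzXQpXDc97F5Lu2LEgCV8wIoY7bZtRmEucEAPTgQIPx4Ij65c6s5r1KP1D5Qspvqw5nVLGFbGDlAWZZ/vHV4ySUj3q9E0WeQEueQIDAQABo1AwTjAdBgNV"
    "HQ4EFgQUxpvSKf2hhcrqIlwwXct/Oi8H+tUwHwYDVR0jBBgwFoAUxpvSKf2hhcrqIlwwXct/Oi8H+tUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEACFFY"
    "70jO0r3/PaKCCqQi3hU4Y9bP8ZL7wium8t4/Yqak7s9pbRVKt8NOjVBStmWZOxCKyBP/S3DSNo8izg9GKdCxtjhJjN2ezCFWMcF/9WhdgGpJ6+OiZ0g4qG6v+ydyBs8e"
    "lrjgECiWU6hwox5GrPUzYNxVwFvztyDGC/mUtsEDHVWcFjs+vXAUwvx8ThLaYUkv4gjeXiJBlMLRjvejqPRWkTy1vhQO90y40Gym4zjgWsKQPe7loxFScunKK+QOMfJc"
    "d94pBLJf64Zg75tOQ/ZmSvXqtnCIG+CoVHzxnb/cku0jxjBNkS2D/66YQNvTPyRWbprrpLmJ9PGJstd0xg=="
)

# The only X.501 attribute types that occur in these certificates' names.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O"}


def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos (single-byte tags only, which is
    all X.509 needs here). Returns (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the content of a SEQUENCE/SET into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_name(name_der):
    """Flatten a Name (SEQUENCE OF SET OF AttributeTypeAndValue) to 'O=...,CN=...'."""
    parts = []
    for _, rdn in der_children(name_der):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode()}")
    return ",".join(parts)


def cert_identity(b64):
    """Return the fields the thread says identify a certificate: subject, issuer, serial."""
    der = base64.b64decode(b64)
    _, cert, _ = der_tlv(der, 0)            # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = der_tlv(cert, 0)            # TBSCertificate ::= SEQUENCE { ... }
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    serial_der, _sig_alg, issuer_der, _validity, subject_der = [f[1] for f in fields[:5]]
    return {
        # rendered like `openssl x509 -serial`: uppercase hex without the leading 0x00 pad
        "serial": format(int.from_bytes(serial_der, "big", signed=True), "X"),
        "issuer": parse_name(issuer_der),
        "subject": parse_name(subject_der),
    }


def subject_only_duplicate(a, b):
    """The earlier rule the maintainer says was not sufficient."""
    return a["subject"] == b["subject"]


def is_duplicate(a, b):
    """The rule described in the thread: subject, issuer and serial must all match."""
    return all(a[k] == b[k] for k in ("subject", "issuer", "serial"))


if __name__ == "__main__":
    c27, c26 = cert_identity(CERT_27_B64), cert_identity(CERT_26_B64)
    print(c27)
    print(c26)
    print("subject-only rule calls them duplicates:", subject_only_duplicate(c27, c26))
    print("subject+issuer+serial rule calls them duplicates:", is_duplicate(c27, c26))
```

Both certificates decode to the subject and issuer `O=XYZ7 Corporation ,CN=www.xyz7.com`, matching the Redfish output, while the serials are `EB9391DA074C3C19` and `EF8D766CF3145A45`; the subject-only rule would reject the second upload, the three-field rule accepts it. Note that comparing decoded strings is not the same as OpenSSL's name hashes, which are computed over a canonicalised DN (case and whitespace folded), so two DNs that differ only in such details collide under `X509_subject_name_hash` but not under this text comparison; the project's OpenSSL-based ID remains the reference behaviour.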