bmcweb and certificate chains [WAS: Security working group meeting 2020-01-22]

Joseph Reynolds jrey at linux.ibm.com
Tue Jan 28 03:03:09 AEDT 2020


On 1/24/20 11:19 AM, Alexander Tereschenko wrote:
> On 22-Jan-20 22:23, Joseph Reynolds wrote:
>> Notes from the security working group meeting 2020-01-22:
>> Highlights below; details in 
>> https://github.com/openbmc/openbmc/wiki/Security-working-group
>>
>>
>> 1. Discuss BMCWeb’s site identity certificate handling, specifically 
>> intermediate certificates.  See 
>> https://github.com/openbmc/bmcweb/#configuration 
>>
>> Other web servers have directives to concatenate the intermediate 
>> certificates (excluding the root CA certificates) and send that. What 
>> does BMCWeb do?
>>  - What is BMCWeb's default?
>>  - Need better docs, for example: How can a BMC admin replace 
>> the BMCWeb site cert?  Is it okay to concatenate intermediate certs? 
>> Can we document this for BMCWeb?
>
> As discussed during the meeting, I've looked into that and it looks like 
> bmcweb doesn't support sending the cert chain at all right now. When 
> loading, it expects the server's cert file to have just a private key 
> and certificate in a single file [1], just as we've discussed during 
> the meeting, and the server's init code only loads those [2]. There's an 
> API in Boost.Asio that could allow loading a chain [3], but it's not 
> used anywhere, so for bmcweb to support that, a patch must be created.

Thank you for finding that.  I think we want to add a function to BMCWeb 
to be able to handle certificate chains.  Would we need to enhance the 
REST APIs [4] to upload server certificates as part of this work?

[4]: https://github.com/openbmc/phosphor-dbus-interfaces/tree/master/xyz/openbmc_project/Certs

- Joseph

> HTH,
> Alexander
>
> [1] https://github.com/openbmc/bmcweb/blob/master/http/http_server.h#L159
> [2] https://github.com/openbmc/bmcweb/blob/master/http/app.h#L158-L159
> [3] https://www.boost.org/doc/libs/1_71_0/doc/html/boost_asio/reference/ssl__context/use_certificate_chain_file.html
>