openbmc.lists.ozlabs.org archive mirror
* OpenBmc Redfish support etag property  error
From: Zhang, ShuoX @ 2021-08-31  8:09 UTC
  To: openbmc

hi,
ETag is to check whether the JSON string returned by the server has changed. I plan to use MD5 encryption to generate the ETag, but I can't find the ETag in the HTTP request header.

Here are the steps I tested:
1. I used Postman to send the first request to a URL, and added the ETag property to the header of the response using a hard-coded value; then the HTTP connection function async_write sends the response header buffer.
2. Request the same URL, read the header of the request; no ETag can be found.

Here are some logs:

Respond:
Jan 11 23:45:25 intel-obmc bmcweb[361]: (2021-01-11 23:45:25) [DEBUG "http_connection.hpp":683] 0x1a3e4c8 doWrite
Jan 11 23:45:25 intel-obmc bmcweb[361]: zs_debug res result : 200
Jan 11 23:45:25 intel-obmc bmcweb[361]:  field : Strict-Transport-Security , /text: Strict-Transport-Security ,Value: max-age=31536000; includeSubdomains; preload
Jan 11 23:45:25 intel-obmc bmcweb[361]:  field : X-Frame-Options , /text: X-Frame-Options ,Value: DENY
Jan 11 23:45:25 intel-obmc bmcweb[361]:  field : Pragma , /text: Pragma ,Value: no-cache
Jan 11 23:45:25 intel-obmc bmcweb[361]:  field : Cache-Control , /text: Cache-Control ,Value: no-Store,no-Cache
Jan 11 23:45:25 intel-obmc bmcweb[361]:  field : <unknown-field> , /text: X-XSS-Protection ,Value: 1; mode=block
Jan 11 23:45:25 intel-obmc bmcweb[361]:  field : <unknown-field> , /text: X-Content-Type-Options ,Value: nosniff
Jan 11 23:45:25 intel-obmc bmcweb[361]:  field : <unknown-field> , /text: Content-Security-Policy ,Value: default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:
Jan 11 23:45:25 intel-obmc bmcweb[361]:  field : Content-Type , /text: Content-Type ,Value: application/json
Jan 11 23:45:25 intel-obmc bmcweb[361]:  field : ETag , /text: ETag ,Value: ba2e34ec8c7d9168cc2bf880a1674ae4
Jan 11 23:45:25 intel-obmc bmcweb[361]:  field : Content-Length , /text: Content-Length ,Value: 525
Jan 11 23:45:25 intel-obmc bmcweb[361]: zs_debug response: {
Jan 11 23:45:25 intel-obmc bmcweb[361]:   "@odata.id": "/redfish/v1/CertificateService/CertificateLocations",
Jan 11 23:45:25 intel-obmc bmcweb[361]:   "@odata.type": "#CertificateLocations.v1_0_0.CertificateLocations",
Jan 11 23:45:25 intel-obmc bmcweb[361]:   "Description": "Defines a resource that an administrator can use in order to locate all certificates installed on a given service",
Jan 11 23:45:25 intel-obmc bmcweb[361]:   "Id": "CertificateLocations",
Jan 11 23:45:25 intel-obmc bmcweb[361]:   "Links": {
Jan 11 23:45:25 intel-obmc bmcweb[361]:     "Certificates": [
Jan 11 23:45:25 intel-obmc bmcweb[361]:       {
Jan 11 23:45:25 intel-obmc bmcweb[361]:         "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1"
Jan 11 23:45:25 intel-obmc bmcweb[361]:       }
Jan 11 23:45:25 intel-obmc bmcweb[361]:     ],
Jan 11 23:45:25 intel-obmc bmcweb[361]:     "Certificates@odata.count": 1
Jan 11 23:45:25 intel-obmc bmcweb[361]:   },
Jan 11 23:45:25 intel-obmc bmcweb[361]:   "Name": "Certificate Locations"
Jan 11 23:45:25 intel-obmc bmcweb[361]: }
Jan 11 23:45:25 intel-obmc bmcweb[361]: (2021-01-11 23:45:25) [DEBUG "http_connection.hpp":698] 0x1a3e4c8 async_write 997 bytes

Second Request:
Jan 11 23:45:25 intel-obmc bmcweb[361]: (2021-01-11 23:45:25) [DEBUG "http_connection.hpp":511] 0x1a3e4c8 doReadHeaders
Jan 11 23:45:25 intel-obmc bmcweb[361]: zs_debug read http_head :GET /redfish/v1/CertificateService/CertificateLocations HTTP/1.1
Jan 11 23:45:25 intel-obmc bmcweb[361]: Authorization: Basic cm9vdDowcGVuQm1j
Jan 11 23:45:25 intel-obmc bmcweb[361]: User-Agent: PostmanRuntime/7.28.4
Jan 11 23:45:25 intel-obmc bmcweb[361]: Accept: */*
Jan 11 23:45:25 intel-obmc bmcweb[361]: Cache-Control: no-cache
Jan 11 23:45:25 intel-obmc bmcweb[361]: Postman-Token: 1981d43c-7067-4959-a853-dd7f93bb04fa
Jan 11 23:45:25 intel-obmc bmcweb[361]: Host: 10.239.138.19
Jan 11 23:45:25 intel-obmc bmcweb[361]: Accept-Encoding: gzip, deflate, br
Jan 11 23:45:25 intel-obmc bmcweb[361]: Connection: keep-alive
Jan 11 23:45:25 intel-obmc bmcweb[361]:


* Re: OpenBmc Redfish support etag property error
From: Ed Tanous @ 2021-08-31 17:17 UTC
  To: Zhang, ShuoX; +Cc: openbmc

On Tue, Aug 31, 2021 at 1:11 AM Zhang, ShuoX <shuox.zhang@intel.com> wrote:
>
> hi,
>
> ETag is to check whether the JSON string returned by the server has changed. I plan to use MD5 encryption to generate the ETag, but I can't find the ETag in the HTTP request header.

That's because we don't currently implement etag.  If you're looking
at adding it, keep in mind, implementation of etag is more than simply
including the header, and likely has some changes that would need to
be made to the internals of the system.

PS, MD5 hasn't really been acceptable for hashing algorithms for a
while now.  Please research what the current guidance is on what hash
to use for this;  I suspect the guidance is still sha256.



* Re: OpenBmc Redfish support etag property error - sha512
From: Joseph Reynolds @ 2021-08-31 23:14 UTC
  To: Ed Tanous, Zhang, ShuoX; +Cc: openbmc



On 8/31/21 12:17 PM, Ed Tanous wrote:
> On Tue, Aug 31, 2021 at 1:11 AM Zhang, ShuoX <shuox.zhang@intel.com> wrote:
>> hi,
>>
>> ETag is to check whether the JSON string returned by the server has changed. I plan to use MD5 encryption to generate the ETag, but I can't find the ETag in the HTTP request header.
> That's because we don't currently implement etag.  If you're looking
> at adding it, keep in mind, implementation of etag is more than simply
> including the header, and likely has some changes that would need to
> be made to the internals of the system.
>
> PS, MD5 hasn't really been acceptable for hashing algorithms for a
> while now.  Please research what the current guidance is on what hash
> to use for this;  I suspect the guidance is still sha256.
>
>
...snip...

FWIW, OpenBMC Linux-PAM modules (pam_unix.so) use the SHA-512 secure 
hash algorithm.  OpenBMC gets this setting by default from 
Yocto/OpenEmbedded configuration.

For background reading, see 
https://en.wikipedia.org/wiki/Secure_Hash_Algorithms

- Joseph
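
A sketch of the server-side handling that the replies in this thread point to, as an added example (not bmcweb code and not written by any poster): the tag is a SHA-256 digest of the serialized body, and a client revalidates by echoing it in `If-None-Match`, which the server answers with 304. The names `make_etag`, `if_none_match_hits`, `handle_get` and the sample resource are hypothetical and constructed for illustration.

```python
import hashlib
import json


def make_etag(body: bytes) -> str:
    """Strong validator: quoted SHA-256 hex digest of the exact response bytes."""
    return '"' + hashlib.sha256(body).hexdigest() + '"'


def if_none_match_hits(header_value, etag: str) -> bool:
    """Weak comparison used for If-None-Match: ignore a W/ prefix, accept '*'."""
    if not header_value:
        return False
    # Hex-digest tags contain no commas, so a plain split is safe here.
    for candidate in header_value.split(","):
        candidate = candidate.strip()
        if candidate == "*":
            return True
        if candidate.startswith("W/"):
            candidate = candidate[2:]
        if candidate == etag:
            return True
    return False


def handle_get(request_headers: dict, resource: dict):
    """Return (status, headers, body) for a GET on a JSON resource."""
    # Serialize deterministically so an unchanged resource yields an unchanged tag.
    body = json.dumps(resource, sort_keys=True, separators=(",", ":")).encode()
    etag = make_etag(body)
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in request_headers.items()}
    if if_none_match_hits(lowered.get("if-none-match"), etag):
        return 304, {"ETag": etag}, b""  # not modified: body is not resent
    return 200, {"ETag": etag, "Content-Type": "application/json"}, body


# Constructed sample resource, modelled on the response in the thread's log.
RESOURCE = {
    "@odata.id": "/redfish/v1/CertificateService/CertificateLocations",
    "Id": "CertificateLocations",
    "Name": "Certificate Locations",
}

if __name__ == "__main__":
    status, headers, _ = handle_get({}, RESOURCE)  # first request, no validator
    print(status, headers["ETag"])
    print(handle_get({"If-None-Match": headers["ETag"]}, RESOURCE)[0])
    print(handle_get({"If-None-Match": headers["ETag"]}, dict(RESOURCE, Name="Renamed"))[0])
```

The `ETag` header only ever travels in responses; a request carries the value back in `If-None-Match`, and only when the client is configured to send it.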
