| field | value | date |
|---|---|---|
| author | Jayanth Othayoth <ojayanth@in.ibm.com> | 2018-11-02 05:40:09 -0500 |
| committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-02-15 20:18:29 +0000 |
| commit | 1838fe7365ecd4e867601329f6ae81b852d9d3af | |
| tree | f45338cac1caea4e7c9752e3a570dd88379f18c3 | |
| parent | 2dd39570f27fa11c96568ffcf0f0f04309a5147c | |
Add Certs Manager interface.

xyz.openbmc_project.Certs.Certificate provides the properties
for the specific certificates.

Currently the KeyUsage property is limited to supporting the
ClientAuthentication, KeyCertSign and ServerAuthentication purposes.

Properties are based on the Redfish (DSP2046: 2018.3)
certificate schema.

Change-Id: I2bf74cb43ebb27d1aa6cf570c7f06b148b86ea49
Signed-off-by: Jayanth Othayoth <ojayanth@in.ibm.com>
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | xyz/openbmc_project/Certs/Certificate.interface.yaml | 94 |
| -rw-r--r-- | xyz/openbmc_project/Certs/README.md | 23 |

2 files changed, 113 insertions, 4 deletions
diff --git a/xyz/openbmc_project/Certs/Certificate.interface.yaml b/xyz/openbmc_project/Certs/Certificate.interface.yaml new file mode 100644 index 0000000..5bddd3b --- /dev/null +++ b/xyz/openbmc_project/Certs/Certificate.interface.yaml 
@@ -0,0 +1,94 @@ +description: > + Implement to provide certificate management features. + + An OpenBMC implementation providing installed certificate management + functions. An implementation service should additionally implement + xyz.openbmc_project.Object.Delete to allow the deletion of individual + certificate objects. +properties: + - name: CertificateString + type: string + description: > + The string for the certificate. + + This is a X.509 public certificate in PEM format. + PEM wiki - https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail + + An X.509 certificate contains a public key, validity, and an + identity (a hostname, or an organization, or an individual), + and is either signed by a certificate authority or self-signed. + Refer https://en.wikipedia.org/wiki/X.509 for details. + - name: KeyUsage + type: array[string] + description: > + Key usage extensions define the purpose of the public key contained + in a certificate. + + Valid Key usage extensions and its usage description is based on + Redfish Resource and Schema Guide 2018.3 version. + https://www.dmtf.org/sites/default/files/standards/documents/DSP2046_2018.3.pdf + + ClientAuthentication: The public key is used for TLS WWW client + authentication. + CodeSigning: The public key is used for the signing of executable code. + CRLSigning: The public key is used for verifying signatures on + certificate revocation lists (CLRs). + DataEncipherment: The public key is used for directly enciphering + raw user data without the use of an intermediate + symmetric cipher. + DecipherOnly: The public key could be used for deciphering data + while performing key agreement. + DigitalSignature: The public key is used for verifying digital + signatures, other than signatures on certificates + and CRLs. + EmailProtection: The public key is used for email protection. + EncipherOnly: The public key could be used for enciphering data + while performing key agreement. 
+ KeyCertSign: The public key is used for verifying signatures on + public key certificates. + KeyEncipherment: The public key is used for enciphering private or + secret keys. + NonRepudiation: The public key is used to verify digital signatures, + other than signatures on certificates and CRLs, + and used to provide a non- repudiation service that + protects against the signing entity falsely denying + some action. + OCSPSigning: The public key is used for signing OCSP responses. + ServerAuthentication: The public key is used for TLS WWW server + authentication. + Timestamping: The public key is used for binding the hash of an + object to a time. + + - name: Issuer + type: string + description: > + The issuer of the certificate. + + Refer X.509 certificate wiki for the "Issuer" Key and value details. + + Example: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA + Here C = country, O=organization, CN= common name. + + - name: Subject + type: string + description: > + The subject of the certificate + + Refer X.509 certificate wiki for the "Subject" Key and value details. + Refer https://en.wikipedia.org/wiki/X.509 + + Example: Subject: C=US, ST=New York, L=Armonk, + O=International Business Machines Corporation, + OU=research, CN=www.research.ibm.com + Here C=country, ST=state, L=locality, O=organization, CN= common name. + OU= organizational unit + + - name: ValidNotAfter + type: uint64 + description: > + The certificate expiry date and time, in epoch time, in milliseconds + - name: ValidNotBefore + type: uint64 + description: > + The certificate validity start date and time, + in epoch time, in milliseconds. diff --git a/xyz/openbmc_project/Certs/README.md b/xyz/openbmc_project/Certs/README.md index ad9a228..d438faa 100644 --- a/xyz/openbmc_project/Certs/README.md +++ b/xyz/openbmc_project/Certs/README.md 
@@ -21,6 +21,25 @@ in .pem format, which includes both private key and signed certificate. of the certificate application handling LDAP client certificate. - REST server should call the install method of the certificate application instance. +- Certificate manager application also implements d-bus object + xyz.openbmc_project.Certs.Manager. This includes the collection of + "certificates specific d-bus objects" installed in the system. This d-bus + provide option to view the certificate on PEM format and delete the same. + Refer https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail for details. + e.g. for Certificate specific d-bus path + - /xyz/openbmc_project/certs/Server/<unique-id> maps to + instance of the server types certificate. + - /xyz/openbmc_project/certs/Client/<unique-id> maps to + instance of the client type certificate. + note: unique id is the hash value of certificate issuer and serial number. + +- Applications should subscribe the xyz.openbmc_project.Certs.Manager + to see any new certificate is uploaded or change in the existing + certificates. +- Certificate manager scope is limited to manage the certificate and impacted + application is responsible for application specific changes. +- Incase of delete action, certificate manager creates a new self signed + certificate after successful delete. ### REST interface details: @@ -49,10 +68,6 @@ in .pem format, which includes both private key and signed certificate. 500 Internal server error ``` - - -### d-bus interfaces: - #### d-bus interface to install certificate and private Key - Certs application must: - validate the certificate and Private key file by checking, if the Private |
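Review bot: in the Certificate.interface.yaml hunk, the KeyUsage description documents all sixteen Redfish usage values while the commit message says only ClientAuthentication, KeyCertSign and ServerAuthentication are supported; either state that restriction in the description or model KeyUsage as an enumeration instead of `array[string]`, so an implementation rejects values outside the supported set rather than accepting any string a caller writes. The opening description (`Implement to provide certificate management features`) also reads like the Manager interface rather than a single certificate object, which is what the listed properties describe. Smaller doc fixes in the same block: `certificate revocation lists (CLRs)` should be `(CRLs)`, `non- repudiation` has a stray space, and the ValidNotAfter description is missing the terminating period that ValidNotBefore has.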
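Review bot: in the README hunk at `@@ -21,6 +21,25 @@`, the line `Incase of delete action, certificate manager creates a new self signed certificate after successful delete` needs to say which certificate types this applies to; as written a reader cannot tell whether deleting the client certificate under `/xyz/openbmc_project/certs/Client/<unique-id>` also triggers regeneration, and a reader should be told that the replacement is self-signed and therefore not something peers will trust without further action. The note `unique id is the hash value of certificate issuer and serial number` should name the hash algorithm, otherwise a REST client cannot derive the object path, and `Applications should subscribe the xyz.openbmc_project.Certs.Manager` should name the signal(s) a subscriber is expected to watch. Grammar in the same block: `Incase` should be `In case`, `self signed` should be `self-signed`, `provide option to view the certificate on PEM format` should be `provides the option to view the certificate in PEM format`, and `subscribe the` should be `subscribe to`.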
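Review bot: the hunk at `@@ -49,10 +68,6 @@` removes the `### d-bus interfaces:` heading but keeps the `#### d-bus interface to install certificate and private Key` subsection, which now nests under `### REST interface details:` and no longer has a matching parent; either keep the parent heading or promote the subsection to `###` so the document outline stays consistent.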