author: Jayanth Othayoth <ojayanth@in.ibm.com> 2018-08-08 06:51:43 -0500
committer: Brad Bishop <bradleyb@fuzziesquirrel.com> 2018-09-17 13:28:43 +0000
commit: 06b4df97b7f271154abb1d28716cb3a782a27e96 (patch)
tree: a0b2ff938c986d81002d1fd700fcfac815c55b88 /xyz
parent: c6cfd2ce938baa348a830748f06bf02a3e7a01c5 (diff)
Add interface to install certificate
An interface to install the certificate provided by the user and activate the services associated with the certificate. The README file provides the design details of uploading a signed certificate and private key and activating the new certificate.

Change-Id: Ib4e1ae2f957cce71698c2265bb733a04478b0abf
Signed-off-by: Jayanth Othayoth <ojayanth@in.ibm.com>
Diffstat (limited to 'xyz')
-rw-r--r-- xyz/openbmc_project/Certs/Install.errors.yaml    |  3
-rw-r--r-- xyz/openbmc_project/Certs/Install.interface.yaml | 16
-rw-r--r-- xyz/openbmc_project/Certs/Install.metadata.yaml  |  4
-rw-r--r-- xyz/openbmc_project/Certs/README.md              | 79
4 files changed, 102 insertions, 0 deletions
diff --git a/xyz/openbmc_project/Certs/Install.errors.yaml b/xyz/openbmc_project/Certs/Install.errors.yaml
new file mode 100644
index 0000000..5381de0
--- /dev/null
+++ b/xyz/openbmc_project/Certs/Install.errors.yaml
@@ -0,0 +1,3 @@
+# xyz.openbmc_project.Certs.Install.Error.InvalidCertificate
+ - name: InvalidCertificate
+ description: Invalid certificate file.
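Review bot: the description on the line `+ description: Invalid certificate file.` does not say what makes a file invalid, so a caller cannot tell a parse failure from a key mismatch. The README's install step rejects a file whose private key does not match the public key in the certificate; state that here (e.g. "Certificate file could not be parsed, or the private key does not match the certificate") and note that the specific cause is carried in the `REASON` metadata defined for this error.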
diff --git a/xyz/openbmc_project/Certs/Install.interface.yaml b/xyz/openbmc_project/Certs/Install.interface.yaml
new file mode 100644
index 0000000..8781834
--- /dev/null
+++ b/xyz/openbmc_project/Certs/Install.interface.yaml
@@ -0,0 +1,16 @@
+description: >
+ Certificate management interface to install server and client certificates.
+methods:
+ - name: Install
+ description: >
+ Install the certificate and restart the associated services.
+ parameters:
+ - name: Path
+ type: string
+ description: >
+ Path of file that contains both the certificate public and
+ private key. (Example: a .PEM file containing both signed
+ certificate and private key).
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+ - xyz.openbmc_project.Certs.Install.Error.InvalidCertificate
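Review bot: the `Path` description "Path of file that contains both the certificate public and private key" reads as if a public key were uploaded; reword it to "Path of a file containing both the signed certificate and its unencrypted private key". The parameter also needs its file-handling contract spelled out, because the README has the REST server stage a plaintext private key in a temporary location before calling `Install`: say who removes that file after the call returns (on success and on error) and what ownership and permissions the Certs daemon expects to be able to read it. Finally, only `InternalFailure` and `InvalidCertificate` are listed, so document whether a missing or unreadable `Path` is reported as `InvalidCertificate` with a `REASON` or as `InternalFailure`; callers mapping these to the README's 400 and 500 return codes need to know.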
diff --git a/xyz/openbmc_project/Certs/Install.metadata.yaml b/xyz/openbmc_project/Certs/Install.metadata.yaml
new file mode 100644
index 0000000..1d36c14
--- /dev/null
+++ b/xyz/openbmc_project/Certs/Install.metadata.yaml
@@ -0,0 +1,4 @@
+- name: InvalidCertificate
+ meta:
+ - str: "REASON = %s"
+ type: string
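Review bot: `REASON = %s` is free text that ends up in the error log, so the interface should constrain what implementations put in it: a short classification such as parse failure, key/certificate mismatch or unsupported key type, and never any content copied from the uploaded file, since that file holds the private key.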
diff --git a/xyz/openbmc_project/Certs/README.md b/xyz/openbmc_project/Certs/README.md
new file mode 100644
index 0000000..ad9a228
--- /dev/null
+++ b/xyz/openbmc_project/Certs/README.md
@@ -0,0 +1,79 @@
+# BMC Certificate management
+
+Certificate management allows to replace the existing certificate and private
+key file with another (possibly certification Authority (CA) signed)
+certificate and private key file. Certificate management allows the user to
+install both the server and client certificates. The REST interface allows to
+update the certificate, using an unencrypted certificate and private key file
+in .pem format, which includes both private key and signed certificate.
+
+### Signed Certificate upload Design flow:
+
+- The REST Server copies the certificate and private key file to a temporary
+ location.
+- REST server should map the URI to the target DBus application (Certs) object.
+ The recommendation for the D-Bus application implementing certificate D-Bus
+ objects is to use the same path structure as the REST endpoint.
+ e.g.:
+ - The URI /xyz/openbmc_project/certs/Server/Https maps to instance
+ of the certificate application handling Https server certificate.
+ - The URI /xyz/openbmc_project/certs/Client/LDAP maps to instance
+ of the certificate application handling LDAP client certificate.
+- REST server should call the install method of the certificate application
+ instance.
+
+### REST interface details:
+
+ ```
+ url: /xyz/openbmc_project/certs/Server/Https
+ Description: Update https server signed certificate and the private key.
+ Method: PUT
+
+ url: /xyz/openbmc_project/certs/Server/Https
+ Description: Delete https server signed certificate and the private key.
+ Method: DELETE
+
+ url: /xyz/openbmc_project/certs/Client/LDAP
+ Description: Update ldap client certificate and the private key.
+ Method: PUT
+
+ url: /xyz/openbmc_project/certs/Client/LDAP
+ Description: Delete ldap client certificate and the private key.
+ Method: DELETE
+
+ Return codes
+
+ 200 Success
+ 400 Invalid certificate and private key file.
+ 405 Method not supported.
+ 500 Internal server error
+
+ ```
+
+
+### d-bus interfaces:
+
+#### d-bus interface to install certificate and private Key
+- Certs application must:
+ - validate the certificate and Private key file by checking, if the Private
+ key matches the public key in the certificate file.
+ - copy the certificate and Public Key file to the service specific path
+ based on a configuration file.
+ - Reload the listed service(s) for which the certificate is updated.
+
+#### d-bus interface to Delete certificate and Private Key
+
+- certificate manager should provide interface to delete the existing
+ certificate.
+- Incase of server type certificate deleting a signed certificate will
+ create a new self signed certificate and will install the same.
+
+### Boot process
+- certificate management instances should be created based on the system
+ configuration.
+
+- Incase of no Https certificate or invalid Https certificate, certificate
+ manager should update the https certificate with self signed certificate.
+
+### Repository:
+ phosphor-certificate-manager
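Review bot: the README contradicts itself about what is copied. Under "d-bus interface to install certificate and private Key" the second bullet says "copy the certificate and Public Key file to the service specific path", while the overview and the Install parameter describe a certificate plus private key; change "Public Key" to "private key". The validation bullet only covers the key/certificate pairing; it should also say the PEM must parse, and that the temporary file created by the REST server is removed on both success and failure, given it contains an unencrypted private key (which also makes the note that the REST upload is only accepted over HTTPS worth stating explicitly). The delete flow for server certificates replaces a CA-signed certificate with a freshly generated self-signed one; say so in the REST description for DELETE so operators expect clients to see a trust change. Minor: "Incase" should be "In case", "self signed" should be "self-signed", and "allows to replace" should be "allows replacing".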