-rw-r--r--xyz/openbmc_project/Certs/Certificate.interface.yaml94
-rw-r--r--xyz/openbmc_project/Certs/README.md23
2 files changed, 113 insertions, 4 deletions
diff --git a/xyz/openbmc_project/Certs/Certificate.interface.yaml b/xyz/openbmc_project/Certs/Certificate.interface.yaml
new file mode 100644
index 0000000..5bddd3b
--- /dev/null
+++ b/xyz/openbmc_project/Certs/Certificate.interface.yaml
@@ -0,0 +1,94 @@
+description: >
+ Implement to provide certificate management features.
+
+ An OpenBMC implementation providing installed certificate management
+ functions. An implementation service should additionally implement
+ xyz.openbmc_project.Object.Delete to allow the deletion of individual
+ certificate objects.
+properties:
+ - name: CertificateString
+ type: string
+ description: >
+ The string for the certificate.
+
+ This is a X.509 public certificate in PEM format.
+ PEM wiki - https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail
+
+ An X.509 certificate contains a public key, validity, and an
+ identity (a hostname, or an organization, or an individual),
+ and is either signed by a certificate authority or self-signed.
+ Refer https://en.wikipedia.org/wiki/X.509 for details.
+ - name: KeyUsage
+ type: array[string]
+ description: >
+ Key usage extensions define the purpose of the public key contained
+ in a certificate.
+
+ Valid Key usage extensions and its usage description is based on
+ Redfish Resource and Schema Guide 2018.3 version.
+ https://www.dmtf.org/sites/default/files/standards/documents/DSP2046_2018.3.pdf
+
+ ClientAuthentication: The public key is used for TLS WWW client
+ authentication.
+ CodeSigning: The public key is used for the signing of executable code.
+ CRLSigning: The public key is used for verifying signatures on
+ certificate revocation lists (CLRs).
+ DataEncipherment: The public key is used for directly enciphering
+ raw user data without the use of an intermediate
+ symmetric cipher.
+ DecipherOnly: The public key could be used for deciphering data
+ while performing key agreement.
+ DigitalSignature: The public key is used for verifying digital
+ signatures, other than signatures on certificates
+ and CRLs.
+ EmailProtection: The public key is used for email protection.
+ EncipherOnly: The public key could be used for enciphering data
+ while performing key agreement.
+ KeyCertSign: The public key is used for verifying signatures on
+ public key certificates.
+ KeyEncipherment: The public key is used for enciphering private or
+ secret keys.
+ NonRepudiation: The public key is used to verify digital signatures,
+ other than signatures on certificates and CRLs,
+ and used to provide a non- repudiation service that
+ protects against the signing entity falsely denying
+ some action.
+ OCSPSigning: The public key is used for signing OCSP responses.
+ ServerAuthentication: The public key is used for TLS WWW server
+ authentication.
+ Timestamping: The public key is used for binding the hash of an
+ object to a time.
+
+ - name: Issuer
+ type: string
+ description: >
+ The issuer of the certificate.
+
+ Refer X.509 certificate wiki for the "Issuer" Key and value details.
+
+ Example: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
+ Here C = country, O=organization, CN= common name.
+
+ - name: Subject
+ type: string
+ description: >
+ The subject of the certificate
+
+ Refer X.509 certificate wiki for the "Subject" Key and value details.
+ Refer https://en.wikipedia.org/wiki/X.509
+
+ Example: Subject: C=US, ST=New York, L=Armonk,
+ O=International Business Machines Corporation,
+ OU=research, CN=www.research.ibm.com
+ Here C=country, ST=state, L=locality, O=organization, CN= common name.
+ OU= organizational unit
+
+ - name: ValidNotAfter
+ type: uint64
+ description: >
+ The certificate expiry date and time, in epoch time, in milliseconds
+ - name: ValidNotBefore
+ type: uint64
+ description: >
+ The certificate validity start date and time,
+ in epoch time, in milliseconds.
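Review bot: the KeyUsage property is declared as a plain `array[string]` while the fourteen permitted values (ClientAuthentication through Timestamping) live only in the free-text description, so nothing in the interface lets a consumer or the generated bindings reject an unknown or misspelled usage; consider modelling the values as an `enum` so they are validated rather than documented. In the same list the CRLSigning entry reads "certificate revocation lists (CLRs)" where the abbreviation should be "CRLs", and NonRepudiation has a stray space in "non- repudiation". Minor wording in the description block: "This is a X.509 public certificate" should be "an X.509", and "Valid Key usage extensions and its usage description is based on" should be "Valid key usage extensions and their descriptions are based on". The ValidNotAfter description is the only one without a terminating period, and the Subject example carries a redundant "Subject:" prefix that the Issuer example does not; also worth stating that the epoch values are UTC, since both timestamps are compared against certificate validity fields that are always UTC.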
diff --git a/xyz/openbmc_project/Certs/README.md b/xyz/openbmc_project/Certs/README.md
index ad9a228..d438faa 100644
--- a/xyz/openbmc_project/Certs/README.md
+++ b/xyz/openbmc_project/Certs/README.md
@@ -21,6 +21,25 @@ in .pem format, which includes both private key and signed certificate.
of the certificate application handling LDAP client certificate.
- REST server should call the install method of the certificate application
instance.
+- Certificate manager application also implements d-bus object
+ xyz.openbmc_project.Certs.Manager. This includes the collection of
+ "certificates specific d-bus objects" installed in the system. This d-bus
+ provide option to view the certificate on PEM format and delete the same.
+ Refer https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail for details.
+ e.g. for Certificate specific d-bus path
+ - /xyz/openbmc_project/certs/Server/<unique-id> maps to
+ instance of the server types certificate.
+ - /xyz/openbmc_project/certs/Client/<unique-id> maps to
+ instance of the client type certificate.
+ note: unique id is the hash value of certificate issuer and serial number.
+
+- Applications should subscribe the xyz.openbmc_project.Certs.Manager
+ to see any new certificate is uploaded or change in the existing
+ certificates.
+- Certificate manager scope is limited to manage the certificate and impacted
+ application is responsible for application specific changes.
+- Incase of delete action, certificate manager creates a new self signed
+ certificate after successful delete.
### REST interface details:
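Review bot: the note "unique id is the hash value of certificate issuer and serial number" does not say which hash function is used or how a collision is handled, and since the object path is what REST clients and subscribers address, that should be documented alongside the path examples. The last bullet, "Incase of delete action, certificate manager creates a new self signed certificate after successful delete", would benefit from saying that the replacement self-signed certificate will not be trusted by existing clients, which ties in with the earlier bullet that the impacted application owns the application-specific follow-up. Grammar and spelling in the added bullets: "This d-bus provide option to view the certificate on PEM format" should read "This D-Bus object provides an option to view the certificate in PEM format"; "subscribe the ... to see any new certificate is uploaded or change in the existing certificates" should read "subscribe to ... to be notified when a new certificate is uploaded or an existing certificate changes"; "Incase" is "In case" and "self signed" is "self-signed". A blank line is also needed between the final bullet and the "### REST interface details:" heading for the Markdown to render the heading.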
@@ -49,10 +68,6 @@ in .pem format, which includes both private key and signed certificate.
500 Internal server error
```
-
-
-### d-bus interfaces:
-
#### d-bus interface to install certificate and private Key
- Certs application must:
- validate the certificate and Private key file by checking, if the Private
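Review bot: removing the "### d-bus interfaces:" heading leaves the following "#### d-bus interface to install certificate and private Key" as a level-4 heading directly under "### REST interface details:", so the D-Bus section now renders as a sub-section of the REST documentation; either keep the level-3 heading or promote the "####" headings that follow it. If the intent is that the new Manager/Certificate object description added above now serves as the D-Bus overview, a one-line cross-reference from the install section back to it would make that explicit.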