Diffstat (limited to 'xyz/openbmc_project/Certs')
-rw-r--r-- | xyz/openbmc_project/Certs/Certificate.interface.yaml | 94 |
-rw-r--r-- | xyz/openbmc_project/Certs/Install.errors.yaml | 3 |
-rw-r--r-- | xyz/openbmc_project/Certs/Install.interface.yaml | 16 |
-rw-r--r-- | xyz/openbmc_project/Certs/Install.metadata.yaml | 4 |
-rw-r--r-- | xyz/openbmc_project/Certs/README.md | 94 |
5 files changed, 211 insertions, 0 deletions
diff --git a/xyz/openbmc_project/Certs/Certificate.interface.yaml b/xyz/openbmc_project/Certs/Certificate.interface.yaml new file mode 100644 index 0000000..5bddd3b --- /dev/null +++ b/xyz/openbmc_project/Certs/Certificate.interface.yaml 
@@ -0,0 +1,94 @@ +description: > + Implement to provide certificate management features. + + An OpenBMC implementation providing installed certificate management + functions. An implementation service should additionally implement + xyz.openbmc_project.Object.Delete to allow the deletion of individual + certificate objects. +properties: + - name: CertificateString + type: string + description: > + The string for the certificate. + + This is a X.509 public certificate in PEM format. + PEM wiki - https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail + + An X.509 certificate contains a public key, validity, and an + identity (a hostname, or an organization, or an individual), + and is either signed by a certificate authority or self-signed. + Refer https://en.wikipedia.org/wiki/X.509 for details. + - name: KeyUsage + type: array[string] + description: > + Key usage extensions define the purpose of the public key contained + in a certificate. + + Valid Key usage extensions and its usage description is based on + Redfish Resource and Schema Guide 2018.3 version. + https://www.dmtf.org/sites/default/files/standards/documents/DSP2046_2018.3.pdf + + ClientAuthentication: The public key is used for TLS WWW client + authentication. + CodeSigning: The public key is used for the signing of executable code. + CRLSigning: The public key is used for verifying signatures on + certificate revocation lists (CLRs). + DataEncipherment: The public key is used for directly enciphering + raw user data without the use of an intermediate + symmetric cipher. + DecipherOnly: The public key could be used for deciphering data + while performing key agreement. + DigitalSignature: The public key is used for verifying digital + signatures, other than signatures on certificates + and CRLs. + EmailProtection: The public key is used for email protection. + EncipherOnly: The public key could be used for enciphering data + while performing key agreement. 
+ KeyCertSign: The public key is used for verifying signatures on + public key certificates. + KeyEncipherment: The public key is used for enciphering private or + secret keys. + NonRepudiation: The public key is used to verify digital signatures, + other than signatures on certificates and CRLs, + and used to provide a non- repudiation service that + protects against the signing entity falsely denying + some action. + OCSPSigning: The public key is used for signing OCSP responses. + ServerAuthentication: The public key is used for TLS WWW server + authentication. + Timestamping: The public key is used for binding the hash of an + object to a time. + + - name: Issuer + type: string + description: > + The issuer of the certificate. + + Refer X.509 certificate wiki for the "Issuer" Key and value details. + + Example: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA + Here C = country, O=organization, CN= common name. + + - name: Subject + type: string + description: > + The subject of the certificate + + Refer X.509 certificate wiki for the "Subject" Key and value details. + Refer https://en.wikipedia.org/wiki/X.509 + + Example: Subject: C=US, ST=New York, L=Armonk, + O=International Business Machines Corporation, + OU=research, CN=www.research.ibm.com + Here C=country, ST=state, L=locality, O=organization, CN= common name. + OU= organizational unit + + - name: ValidNotAfter + type: uint64 + description: > + The certificate expiry date and time, in epoch time, in milliseconds + - name: ValidNotBefore + type: uint64 + description: > + The certificate validity start date and time, + in epoch time, in milliseconds. diff --git a/xyz/openbmc_project/Certs/Install.errors.yaml b/xyz/openbmc_project/Certs/Install.errors.yaml new file mode 100644 index 0000000..5381de0 --- /dev/null +++ b/xyz/openbmc_project/Certs/Install.errors.yaml 
@@ -0,0 +1,3 @@ +# xyz.openbmc_project.Certs.Install.Error.InvalidCertificate + - name: InvalidCertificate + description: Invalid certificate file. diff --git a/xyz/openbmc_project/Certs/Install.interface.yaml b/xyz/openbmc_project/Certs/Install.interface.yaml new file mode 100644 index 0000000..8781834 --- /dev/null +++ b/xyz/openbmc_project/Certs/Install.interface.yaml @@ -0,0 +1,16 @@ +description: > + Certificate management interface to install server and client certificates. +methods: + - name: Install + description: > + Install the certificate and restart the associated services. + parameters: + - name: Path + type: string + description: > + Path of file that contains both the certificate public and + private key. (Example: a .PEM file containing both signed + certificate and private key). + errors: + - xyz.openbmc_project.Common.Error.InternalFailure + - xyz.openbmc_project.Certs.Install.Error.InvalidCertificate diff --git a/xyz/openbmc_project/Certs/Install.metadata.yaml b/xyz/openbmc_project/Certs/Install.metadata.yaml new file mode 100644 index 0000000..1d36c14 --- /dev/null +++ b/xyz/openbmc_project/Certs/Install.metadata.yaml @@ -0,0 +1,4 @@ +- name: InvalidCertificate + meta: + - str: "REASON = %s" + type: string diff --git a/xyz/openbmc_project/Certs/README.md b/xyz/openbmc_project/Certs/README.md new file mode 100644 index 0000000..d438faa --- /dev/null +++ b/xyz/openbmc_project/Certs/README.md 
@@ -0,0 +1,94 @@ +# BMC Certificate management + +Certificate management allows to replace the existing certificate and private +key file with another (possibly certification Authority (CA) signed) +certificate and private key file. Certificate management allows the user to +install both the server and client certificates. The REST interface allows to +update the certificate, using an unencrypted certificate and private key file +in .pem format, which includes both private key and signed certificate. + +### Signed Certificate upload Design flow: + +- The REST Server copies the certificate and private key file to a temporary + location. +- REST server should map the URI to the target DBus application (Certs) object. + The recommendation for the D-Bus application implementing certificate D-Bus + objects is to use the same path structure as the REST endpoint. + e.g.: + - The URI /xyz/openbmc_project/certs/Server/Https maps to instance + of the certificate application handling Https server certificate. + - The URI /xyz/openbmc_project/certs/Client/LDAP maps to instance + of the certificate application handling LDAP client certificate. +- REST server should call the install method of the certificate application + instance. +- Certificate manager application also implements d-bus object + xyz.openbmc_project.Certs.Manager. This includes the collection of + "certificates specific d-bus objects" installed in the system. This d-bus + provide option to view the certificate on PEM format and delete the same. + Refer https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail for details. + e.g. for Certificate specific d-bus path + - /xyz/openbmc_project/certs/Server/<unique-id> maps to + instance of the server types certificate. + - /xyz/openbmc_project/certs/Client/<unique-id> maps to + instance of the client type certificate. + note: unique id is the hash value of certificate issuer and serial number. 
+ +- Applications should subscribe the xyz.openbmc_project.Certs.Manager + to see any new certificate is uploaded or change in the existing + certificates. +- Certificate manager scope is limited to manage the certificate and impacted + application is responsible for application specific changes. +- Incase of delete action, certificate manager creates a new self signed + certificate after successful delete. + +### REST interface details: + + ``` + url: /xyz/openbmc_project/certs/Server/Https + Description: Update https server signed certificate and the private key. + Method: PUT + + url: /xyz/openbmc_project/certs/Server/Https + Description: Delete https server signed certificate and the private key. + Method: DELETE + + url: /xyz/openbmc_project/certs/Client/LDAP + Description: Update ldap client certificate and the private key. + Method: PUT + + url: /xyz/openbmc_project/certs/Client/LDAP + Description: Delete ldap client certificate and the private key. + Method: DELETE + + Return codes + + 200 Success + 400 Invalid certificate and private key file. + 405 Method not supported. + 500 Internal server error + + ``` +#### d-bus interface to install certificate and private Key +- Certs application must: + - validate the certificate and Private key file by checking, if the Private + key matches the public key in the certificate file. + - copy the certificate and Public Key file to the service specific path + based on a configuration file. + - Reload the listed service(s) for which the certificate is updated. + +#### d-bus interface to Delete certificate and Private Key + +- certificate manager should provide interface to delete the existing + certificate. +- Incase of server type certificate deleting a signed certificate will + create a new self signed certificate and will install the same. + +### Boot process +- certificate management instances should be created based on the system + configuration. 
+ +- Incase of no Https certificate or invalid Https certificate, certificate + manager should update the https certificate with self signed certificate. + +### Repository: + phosphor-certificate-manager |
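Review bot: In Certificate.interface.yaml, the KeyUsage description presents X.509 keyUsage bits (DigitalSignature, KeyEncipherment, KeyCertSign, CRLSigning and so on) and extendedKeyUsage purposes (ClientAuthentication, ServerAuthentication, CodeSigning, EmailProtection, OCSPSigning, Timestamping) as one list, and the property type is a free-form array[string], so nothing in the interface constrains an implementation to these spellings. Suggest saying explicitly that the property merges both extensions and that only the listed names are valid values. In the same description, "certificate revocation lists (CLRs)" should read "CRLs" and "non- repudiation" has a stray space; the Subject and ValidNotAfter descriptions are missing the closing period that the other properties have.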
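Review bot: In Install.interface.yaml, the Path parameter of the Install method is documented only as a file containing the certificate and private key; it does not say who removes that file after the call, what ownership and permissions it is expected to have, or whether the path is restricted to a particular directory. The README added in this same change states that the file is unencrypted and that the REST server copies it to a temporary location, so the description should spell out the cleanup responsibility and the expected file mode. The phrase "both the certificate public and private key" would also read more clearly as "both the certificate and the private key".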
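Review bot: In README.md, the design flow and the subscription bullet rely on a d-bus object xyz.openbmc_project.Certs.Manager, but the diffstat shows only the Certificate and Install interfaces being added, so readers have no definition to refer to; either add that interface in this change or name the one that exists. Under "d-bus interface to install certificate and private Key", the bullet "copy the certificate and Public Key file" is inconsistent with the bullet before it, which validates the Private key file, and presumably should read "Private Key". The upload flow also leaves the unencrypted private key in a temporary location without saying who deletes it, and "Incase" should be "In case" in the three places it appears.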