Diffstat (limited to 'xyz')
-rw-r--r-- | xyz/openbmc_project/Certs/Install.errors.yaml | 3
-rw-r--r-- | xyz/openbmc_project/Certs/Install.interface.yaml | 16
-rw-r--r-- | xyz/openbmc_project/Certs/Install.metadata.yaml | 4
-rw-r--r-- | xyz/openbmc_project/Certs/README.md | 79
4 files changed, 102 insertions, 0 deletions
diff --git a/xyz/openbmc_project/Certs/Install.errors.yaml b/xyz/openbmc_project/Certs/Install.errors.yaml new file mode 100644 index 0000000..5381de0 --- /dev/null +++ b/xyz/openbmc_project/Certs/Install.errors.yaml @@ -0,0 +1,3 @@ +# xyz.openbmc_project.Certs.Install.Error.InvalidCertificate + - name: InvalidCertificate + description: Invalid certificate file. diff --git a/xyz/openbmc_project/Certs/Install.interface.yaml b/xyz/openbmc_project/Certs/Install.interface.yaml new file mode 100644 index 0000000..8781834 --- /dev/null +++ b/xyz/openbmc_project/Certs/Install.interface.yaml @@ -0,0 +1,16 @@ +description: > + Certificate management interface to install server and client certificates. +methods: + - name: Install + description: > + Install the certificate and restart the associated services. + parameters: + - name: Path + type: string + description: > + Path of file that contains both the certificate public and + private key. (Example: a .PEM file containing both signed + certificate and private key). + errors: + - xyz.openbmc_project.Common.Error.InternalFailure + - xyz.openbmc_project.Certs.Install.Error.InvalidCertificate diff --git a/xyz/openbmc_project/Certs/Install.metadata.yaml b/xyz/openbmc_project/Certs/Install.metadata.yaml new file mode 100644 index 0000000..1d36c14 --- /dev/null +++ b/xyz/openbmc_project/Certs/Install.metadata.yaml @@ -0,0 +1,4 @@ +- name: InvalidCertificate + meta: + - str: "REASON = %s" + type: string diff --git a/xyz/openbmc_project/Certs/README.md b/xyz/openbmc_project/Certs/README.md new file mode 100644 index 0000000..ad9a228 --- /dev/null +++ b/xyz/openbmc_project/Certs/README.md 
@@ -0,0 +1,79 @@ +# BMC Certificate management + +Certificate management allows to replace the existing certificate and private +key file with another (possibly certification Authority (CA) signed) +certificate and private key file. Certificate management allows the user to +install both the server and client certificates. The REST interface allows to +update the certificate, using an unencrypted certificate and private key file +in .pem format, which includes both private key and signed certificate. + +### Signed Certificate upload Design flow: + +- The REST Server copies the certificate and private key file to a temporary + location. +- REST server should map the URI to the target DBus application (Certs) object. + The recommendation for the D-Bus application implementing certificate D-Bus + objects is to use the same path structure as the REST endpoint. + e.g.: + - The URI /xyz/openbmc_project/certs/Server/Https maps to instance + of the certificate application handling Https server certificate. + - The URI /xyz/openbmc_project/certs/Client/LDAP maps to instance + of the certificate application handling LDAP client certificate. +- REST server should call the install method of the certificate application + instance. + +### REST interface details: + + ``` + url: /xyz/openbmc_project/certs/Server/Https + Description: Update https server signed certificate and the private key. + Method: PUT + + url: /xyz/openbmc_project/certs/Server/Https + Description: Delete https server signed certificate and the private key. + Method: DELETE + + url: /xyz/openbmc_project/certs/Client/LDAP + Description: Update ldap client certificate and the private key. + Method: PUT + + url: /xyz/openbmc_project/certs/Client/LDAP + Description: Delete ldap client certificate and the private key. + Method: DELETE + + Return codes + + 200 Success + 400 Invalid certificate and private key file. + 405 Method not supported. 
+ 500 Internal server error + + ``` + + +### d-bus interfaces: + +#### d-bus interface to install certificate and private Key +- Certs application must: + - validate the certificate and Private key file by checking, if the Private + key matches the public key in the certificate file. + - copy the certificate and Public Key file to the service specific path + based on a configuration file. + - Reload the listed service(s) for which the certificate is updated. + +#### d-bus interface to Delete certificate and Private Key + +- certificate manager should provide interface to delete the existing + certificate. +- Incase of server type certificate deleting a signed certificate will + create a new self signed certificate and will install the same. + +### Boot process +- certificate management instances should be created based on the system + configuration. + +- Incase of no Https certificate or invalid Https certificate, certificate + manager should update the https certificate with self signed certificate. + +### Repository: + phosphor-certificate-manager |
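Review bot: in Install.errors.yaml the description "Invalid certificate file." under `InvalidCertificate` is narrower than what Install can reject. The method's `Path` argument holds both the certificate and the private key, and the README says installation fails when the private key does not match the public key in the certificate, so a missing or mismatched key also surfaces as this error. Suggest widening it, e.g. `description: Invalid certificate or private key file, or the private key does not match the certificate.`, so the REST layer's 400 mapping is explained by the error text itself.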
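Review bot: in Install.interface.yaml the parameter text "Path of file that contains both the certificate public and private key" reads as if the file holds a "certificate public key"; rephrase to "Path of a PEM file containing both the signed certificate and its private key". Two things a caller needs are not stated: whether the service removes the file after a successful install (the README has the REST server copy it to a temporary location, and it holds an unencrypted private key, so ownership of its deletion should be explicit), and how the delete operation the README describes ("d-bus interface to Delete certificate and Private Key") is exposed, since this interface only defines Install; either add a Delete method here or name the interface that provides it. Also "restart the associated services" here and "Reload the listed service(s)" in the README should agree on one behaviour.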
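Review bot: in Install.metadata.yaml `REASON = %s` is free-form and the only guidance for implementers is the one-line error description. Since the input file carries an unencrypted private key and this metadata is recorded with the error, document that REASON is a short validation failure reason (for example "private key does not match certificate") and must not echo the contents of the uploaded file. A comment above `- name: InvalidCertificate` would be enough.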
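Review bot: in README.md the install step "copy the certificate and Public Key file to the service specific path" contradicts the rest of the document, which everywhere installs the certificate together with its private key; this should read "certificate and private key file". The design flow also leaves the lifetime of the temporary copy unspecified: the REST server writes an unencrypted private key to a temporary location, so the README should state who removes it, that it is created unreadable to other users, and that a failed validation leaves the currently installed certificate and key untouched. Smaller points: "Incase" (twice) should be "In case", "Certificate management allows to replace" should be "allows the user to replace", the return-code list should say which D-Bus error maps to 400 (`InvalidCertificate`) and which to 500 (`InternalFailure`), and the headings mix "d-bus" and "D-Bus".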