commit 88064f0d61a8ff8f28cee73caa094f3325abb5ae
author Marri Devender Rao <devenrao@in.ibm.com> Mon Aug 19 09:00:30 2019 -0500
committer Andrew Geissler <geissonator@yahoo.com> Thu Aug 22 19:27:56 2019 +0000
tree 526608d7f10379035c94f77573fa23823b7231da
parent 577a5032c46f472d92fb7e12c4f2404b87880df5

For generate CSR set key usage based on certificate type

Redfish allows various values for setting the key usage in
generating CSR.

Modified to auto-set the key usage value based on the
certificate type set for generating the CSR.

Example for "Server" certifiacte set the key usage as
"ServerAuthentication" and "Client" certificate set the key
usage as "ClientAuthentication".

Setting default values so that user does not select unrelated
key usage value like "EmailProtection" for server certificate.

Certificate manager does not validate the key usage value rather
it is used for display purpose when listing the certificate
properties.

Tested:
python openbmctool.py -H $BMC -U aaa -P bbbb certificate generatecsr server
NJ w3.ibm.com US IBM IBM-UNIT NY EC 2048 prime256v1 cp abc.com an.com,bm.com gn
sn un in
Attempting login...
Generating CSR url=/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/
GenerateCSR complete.
{
  "CSRString": "-----BEGIN CERTIFICATE
REQUEST-----\n-----END CERTIFICATE REQUEST-----\n",
  "CertificateCollection": {
    "@odata.id": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
  }
}
User root has been logged out

Signed-off-by: Marri Devender Rao <devenrao@in.ibm.com>
Change-Id: If5ab55f9d35b5e9f0c9e1d3e3dc2e75adf2fa6e9

thalerj/openbmctool.py

diff --git a/thalerj/openbmctool.py b/thalerj/openbmctool.py
index 799375f..138c34c 100755
--- a/thalerj/openbmctool.py
+++ b/thalerj/openbmctool.py
@@ -2723,8 +2723,8 @@
         Called by certificate management function. Generate CSR for server/
         client certificates
         Example:
-        certificate generatecsr server NJ w3.ibm.com US IBM IBM-UNIT NY EC 2048 prime256v1 cp abc.com an.com,bm.com gn sn un in ClientAuthentication,CodeSigning
-        certificate generatecsr client NJ w3.ibm.com US IBM IBM-UNIT NY EC 2048 prime256v1 cp abc.com an.com,bm.com gn sn un in ClientAuthentication,CodeSigning
+        certificate generatecsr server NJ w3.ibm.com US IBM IBM-UNIT NY EC 2048 prime256v1 cp abc.com an.com,bm.com gn sn un in
+        certificate generatecsr client NJ w3.ibm.com US IBM IBM-UNIT NY EC 2048 prime256v1 cp abc.com an.com,bm.com gn sn un in
         @param host: string, the hostname or IP address of the bmc
         @param args: contains additional arguments used by the certificate replace sub command
         @param session: the active session to use
@@ -2737,15 +2737,16 @@
     url = "";
     if(args.type.lower() == 'server'):
         url = "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/"
+        usage_list = ["ServerAuthentication"]
     elif(args.type.lower() == 'client'):
         url = "/redfish/v1/AccountService/LDAP/Certificates/"
+        usage_list = ["ClientAuthentication"]
     elif(args.type.lower() == 'authority'):
         url = "/redfish/v1/Managers/bmc/Truststore/Certificates/"
     print("Generating CSR url=" + url)
     generateCSRUrl = "https://" + host + \
         "/redfish/v1/CertificateService/Actions/CertificateService.GenerateCSR"
     try:
-        usage_list = args.keyUsage.split(",")
         alt_name_list = args.alternativeNames.split(",")
         data ={"CertificateCollection":{"@odata.id":url},
             "CommonName":args.commonName, "City":args.city,
@@ -4156,8 +4157,6 @@
         help="he unstructured name of the subject")
     certGenerateCSR.add_argument('initials',
         help="The initials of the user making the request")
-    certGenerateCSR.add_argument('keyUsage', help="The usage of the key contained in the certificate")
-
     certGenerateCSR.set_defaults(func=certificateGenerateCSR)
 
     # local users