yaml/xyz/openbmc_project/Certs/Certificate.interface.yaml

description: >
    Implement to provide certificate management features.

    An OpenBMC implementation providing installed certificate management
    functions. An implementation service should additionally implement
    xyz.openbmc_project.Object.Delete to allow the deletion of individual
    certificate objects.
properties:
    - name: CertificateString
      type: string
      description: >
          The string for the certificate.

          This is a X.509 public certificate in PEM format. PEM wiki -
          https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail

          An X.509 certificate contains a public key, validity, and an identity
          (a hostname, or an organization, or an individual), and is either
          signed by a certificate authority or self-signed. Refer
          https://en.wikipedia.org/wiki/X.509 for details.
    - name: KeyUsage
      type: array[string]
      description: >
          Key usage extensions define the purpose of the public key contained in
          a certificate.

          Valid Key usage extensions and its usage description is based on
          Redfish Resource and Schema Guide 2018.3 version.
          https://www.dmtf.org/sites/default/files/standards/documents/DSP2046_2018.3.pdf

          ClientAuthentication: The public key is used for TLS WWW client
                                authentication.
          CodeSigning: The public key is used for the signing of executable
          code. CRLSigning: The public key is used for verifying signatures on
                      certificate revocation lists (CLRs).
          DataEncipherment: The public key is used for directly enciphering
                            raw user data without the use of an intermediate
                            symmetric cipher.
          DecipherOnly: The public key could be used for deciphering data
                        while performing key agreement.
          DigitalSignature: The public key is used for verifying digital
                            signatures, other than signatures on certificates
                            and CRLs.
          EmailProtection: The public key is used for email protection.
          EncipherOnly: The public key could be used for enciphering data
                        while performing key agreement.
          KeyCertSign: The public key is used for verifying signatures on
                       public key certificates.
          KeyEncipherment: The public key is used for enciphering private or
                           secret keys.
          NonRepudiation: The public key is used to verify digital signatures,
                          other than signatures on certificates and CRLs,
                          and used to provide a non- repudiation service that
                          protects against the signing entity falsely denying
                          some action.
          OCSPSigning: The public key is used for signing OCSP responses.
          ServerAuthentication: The public key is used for TLS WWW server
                                authentication.
          Timestamping: The public key is used for binding the hash of an
                        object to a time.

    - name: Issuer
      type: string
      description: >
          The issuer of the certificate.

          Refer X.509 certificate wiki for the "Issuer" Key and value details.

          Example: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA Here
          C = country, O=organization, CN= common name.

    - name: Subject
      type: string
      description: >
          The subject of the certificate

          Refer X.509 certificate wiki for the "Subject" Key and value details.
          Refer https://en.wikipedia.org/wiki/X.509

          Example:  Subject: C=US, ST=New York, L=Armonk,
                    O=International Business Machines Corporation,
                    OU=research, CN=www.research.ibm.com
          Here C=country, ST=state, L=locality, O=organization, CN= common name.
               OU= organizational unit

    - name: ValidNotAfter
      type: uint64
      description: >
          The certificate expiry date and time, in epoch time, in milliseconds
    - name: ValidNotBefore
      type: uint64
      description: >
          The certificate validity start date and time, in epoch time, in
          milliseconds.

associations:
    - name: identifying_requester
      description: >
          Objects that implement Certificate can optionally implement the
          "identifying_requester" association to provide a link to the component
          integrity object whose requester's identity is identified by this
          certificate.
      reverse_name: requester_identified_by
      required_endpoint_interfaces:
          - xyz.openbmc_project.Attestation.IdentityAuthentication

    - name: identifying_responder
      description: >
          Objects that implement Certificate can optionally implement the
          "identifying_responder" association to provide a link to the component
          integrity object whose responder's identity is identified by this
          certificate.
      reverse_name: responder_identified_by
      required_endpoint_interfaces:
          - xyz.openbmc_project.Attestation.IdentityAuthentication