blob: bd3733c55b445479d5b4163ab7e67329a19a68a8 [file] [log] [blame]
description: >
Implement to provide certificate management features.
An OpenBMC implementation providing installed certificate management
functions. An implementation service should additionally implement
xyz.openbmc_project.Object.Delete to allow the deletion of individual
certificate objects.
properties:
- name: CertificateString
type: string
description: >
The string for the certificate.
This is a X.509 public certificate in PEM format. PEM wiki -
https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail
An X.509 certificate contains a public key, validity, and an identity
(a hostname, or an organization, or an individual), and is either
signed by a certificate authority or self-signed. Refer
https://en.wikipedia.org/wiki/X.509 for details.
- name: KeyUsage
type: array[string]
description: >
Key usage extensions define the purpose of the public key contained in
a certificate.
Valid Key usage extensions and its usage description is based on
Redfish Resource and Schema Guide 2018.3 version.
https://www.dmtf.org/sites/default/files/standards/documents/DSP2046_2018.3.pdf
ClientAuthentication: The public key is used for TLS WWW client
authentication.
CodeSigning: The public key is used for the signing of executable
code. CRLSigning: The public key is used for verifying signatures on
certificate revocation lists (CLRs).
DataEncipherment: The public key is used for directly enciphering
raw user data without the use of an intermediate
symmetric cipher.
DecipherOnly: The public key could be used for deciphering data
while performing key agreement.
DigitalSignature: The public key is used for verifying digital
signatures, other than signatures on certificates
and CRLs.
EmailProtection: The public key is used for email protection.
EncipherOnly: The public key could be used for enciphering data
while performing key agreement.
KeyCertSign: The public key is used for verifying signatures on
public key certificates.
KeyEncipherment: The public key is used for enciphering private or
secret keys.
NonRepudiation: The public key is used to verify digital signatures,
other than signatures on certificates and CRLs,
and used to provide a non- repudiation service that
protects against the signing entity falsely denying
some action.
OCSPSigning: The public key is used for signing OCSP responses.
ServerAuthentication: The public key is used for TLS WWW server
authentication.
Timestamping: The public key is used for binding the hash of an
object to a time.
- name: Issuer
type: string
description: >
The issuer of the certificate.
Refer X.509 certificate wiki for the "Issuer" Key and value details.
Example: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA Here
C = country, O=organization, CN= common name.
- name: Subject
type: string
description: >
The subject of the certificate
Refer X.509 certificate wiki for the "Subject" Key and value details.
Refer https://en.wikipedia.org/wiki/X.509
Example: Subject: C=US, ST=New York, L=Armonk,
O=International Business Machines Corporation,
OU=research, CN=www.research.ibm.com
Here C=country, ST=state, L=locality, O=organization, CN= common name.
OU= organizational unit
- name: ValidNotAfter
type: uint64
description: >
The certificate expiry date and time, in epoch time, in milliseconds
- name: ValidNotBefore
type: uint64
description: >
The certificate validity start date and time, in epoch time, in
milliseconds.
associations:
- name: identifying_requester
description: >
Objects that implement Certificate can optionally implement the
"identifying_requester" association to provide a link to the component
integrity object whose requester's identity is identified by this
certificate.
reverse_name: requester_identified_by
required_endpoint_interfaces:
- xyz.openbmc_project.Attestation.IdentityAuthentication
- name: identifying_responder
description: >
Objects that implement Certificate can optionally implement the
"identifying_responder" association to provide a link to the component
integrity object whose responder's identity is identified by this
certificate.
reverse_name: responder_identified_by
required_endpoint_interfaces:
- xyz.openbmc_project.Attestation.IdentityAuthentication