| description: > |
| Implement to provide certificate management features. |
| |
| An OpenBMC implementation providing installed certificate management |
| functions. An implementation service should additionally implement |
| xyz.openbmc_project.Object.Delete to allow the deletion of individual |
| certificate objects. |
| properties: |
| - name: CertificateString |
| type: string |
| description: > |
| The string for the certificate. |
| |
| This is a X.509 public certificate in PEM format. PEM wiki - |
| https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail |
| |
| An X.509 certificate contains a public key, validity, and an identity |
| (a hostname, or an organization, or an individual), and is either |
| signed by a certificate authority or self-signed. Refer |
| https://en.wikipedia.org/wiki/X.509 for details. |
| - name: KeyUsage |
| type: array[string] |
| description: > |
| Key usage extensions define the purpose of the public key contained in |
| a certificate. |
| |
| Valid Key usage extensions and its usage description is based on |
| Redfish Resource and Schema Guide 2018.3 version. |
| https://www.dmtf.org/sites/default/files/standards/documents/DSP2046_2018.3.pdf |
| |
| ClientAuthentication: The public key is used for TLS WWW client |
| authentication. |
| CodeSigning: The public key is used for the signing of executable |
| code. CRLSigning: The public key is used for verifying signatures on |
| certificate revocation lists (CLRs). |
| DataEncipherment: The public key is used for directly enciphering |
| raw user data without the use of an intermediate |
| symmetric cipher. |
| DecipherOnly: The public key could be used for deciphering data |
| while performing key agreement. |
| DigitalSignature: The public key is used for verifying digital |
| signatures, other than signatures on certificates |
| and CRLs. |
| EmailProtection: The public key is used for email protection. |
| EncipherOnly: The public key could be used for enciphering data |
| while performing key agreement. |
| KeyCertSign: The public key is used for verifying signatures on |
| public key certificates. |
| KeyEncipherment: The public key is used for enciphering private or |
| secret keys. |
| NonRepudiation: The public key is used to verify digital signatures, |
| other than signatures on certificates and CRLs, |
| and used to provide a non- repudiation service that |
| protects against the signing entity falsely denying |
| some action. |
| OCSPSigning: The public key is used for signing OCSP responses. |
| ServerAuthentication: The public key is used for TLS WWW server |
| authentication. |
| Timestamping: The public key is used for binding the hash of an |
| object to a time. |
| |
| - name: Issuer |
| type: string |
| description: > |
| The issuer of the certificate. |
| |
| Refer X.509 certificate wiki for the "Issuer" Key and value details. |
| |
| Example: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA Here |
| C = country, O=organization, CN= common name. |
| |
| - name: Subject |
| type: string |
| description: > |
| The subject of the certificate |
| |
| Refer X.509 certificate wiki for the "Subject" Key and value details. |
| Refer https://en.wikipedia.org/wiki/X.509 |
| |
| Example: Subject: C=US, ST=New York, L=Armonk, |
| O=International Business Machines Corporation, |
| OU=research, CN=www.research.ibm.com |
| Here C=country, ST=state, L=locality, O=organization, CN= common name. |
| OU= organizational unit |
| |
| - name: ValidNotAfter |
| type: uint64 |
| description: > |
| The certificate expiry date and time, in epoch time, in milliseconds |
| - name: ValidNotBefore |
| type: uint64 |
| description: > |
| The certificate validity start date and time, in epoch time, in |
| milliseconds. |
| |
| associations: |
| - name: identifying_requester |
| description: > |
| Objects that implement Certificate can optionally implement the |
| "identifying_requester" association to provide a link to the component |
| integrity object whose requester's identity is identified by this |
| certificate. |
| reverse_name: requester_identified_by |
| required_endpoint_interfaces: |
| - xyz.openbmc_project.Attestation.IdentityAuthentication |
| |
| - name: identifying_responder |
| description: > |
| Objects that implement Certificate can optionally implement the |
| "identifying_responder" association to provide a link to the component |
| integrity object whose responder's identity is identified by this |
| certificate. |
| reverse_name: responder_identified_by |
| required_endpoint_interfaces: |
| - xyz.openbmc_project.Attestation.IdentityAuthentication |