reformat with latest settings
Reformat with the latest settings from openbmc-build-scripts (and
copy latest config files where appropriate). Fix a few minor
markdownlint issues.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I55205817c29dc3f182a165ddf9cd5d4e07b90063
diff --git a/yaml/xyz/openbmc_project/Certs/Authority.interface.yaml b/yaml/xyz/openbmc_project/Certs/Authority.interface.yaml
index e081bfa..b994a51 100644
--- a/yaml/xyz/openbmc_project/Certs/Authority.interface.yaml
+++ b/yaml/xyz/openbmc_project/Certs/Authority.interface.yaml
@@ -9,14 +9,16 @@
- name: CSR
type: string
description: >
- Should be a valid PEM encoded Certificate signing request string.
+ Should be a valid PEM encoded Certificate signing request
+ string.
returns:
- name: path
type: object_path
description: >
The object path of an object that implements, at a minimum,
- xyz.openbmc_project.Certs.Entry and xyz.openbmc_project.Object.Delete
+ xyz.openbmc_project.Certs.Entry and
+ xyz.openbmc_project.Object.Delete
errors:
- xyz.openbmc_project.Common.Error.InvalidArgument
diff --git a/yaml/xyz/openbmc_project/Certs/CSR.interface.yaml b/yaml/xyz/openbmc_project/Certs/CSR.interface.yaml
index 0741de7..61d037a 100644
--- a/yaml/xyz/openbmc_project/Certs/CSR.interface.yaml
+++ b/yaml/xyz/openbmc_project/Certs/CSR.interface.yaml
@@ -7,7 +7,8 @@
Method to get the CSR string.
Object which implements this interface should implement
- xyz.openbmc_project.Object.Delete to allow the deletion of CSR objects.
+ xyz.openbmc_project.Object.Delete to allow the deletion of CSR
+ objects.
returns:
- name: CSRString
diff --git a/yaml/xyz/openbmc_project/Certs/CSR/Create.interface.yaml b/yaml/xyz/openbmc_project/Certs/CSR/Create.interface.yaml
index 824c6cc..7404d83 100644
--- a/yaml/xyz/openbmc_project/Certs/CSR/Create.interface.yaml
+++ b/yaml/xyz/openbmc_project/Certs/CSR/Create.interface.yaml
@@ -4,11 +4,11 @@
methods:
- name: GenerateCSR
description: >
- This command is used to initiate a certificate signing request.
- This command only returns the D-Bus path name for the new CSR object.
- User need to listen on InterfacesAdded signal emitted by
- /xyz/openbmc_project/Certs to retrieve the CSR string after
- successful CSR creation.
+ This command is used to initiate a certificate signing request. This
+ command only returns the D-Bus path name for the new CSR object. User
+ need to listen on InterfacesAdded signal emitted by
+ /xyz/openbmc_project/Certs to retrieve the CSR string after successful
+ CSR creation.
Note: Following Parameters are mandatory or optional based on the
Redfish documentation.
@@ -32,15 +32,13 @@
- name: City
type: string
description: >
- The city or locality of the organization making the request.
- For Example Austin
- This is a required parameter.
+ The city or locality of the organization making the request. For
+ Example Austin This is a required parameter.
- name: CommonName
type: string
description: >
The fully qualified domain name of the component that is being
- secured.
- This is a required parameter.
+ secured. This is a required parameter.
- name: ContactPerson
type: string
description: >
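Review bot: the City description now reads as a run-on, `+ The city or locality of the organization making the request. For` / `+ Example Austin This is a required parameter.`, because the original lines had no terminal punctuation after "Austin". Since this is a `>` folded scalar, the rendered text was already a single line, so the reflow changes nothing at runtime, but while these lines are being rewritten it is worth making it `For example, Austin. This is a required parameter.` so the generated docs do not read as one sentence.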
@@ -48,13 +46,13 @@
- name: Country
type: string
description: >
- The country of the organization making the request.
- This is a required parameter.
+ The country of the organization making the request. This is a
+ required parameter.
- name: Email
type: string
description: >
- The email address of the contact within the organization
- making the request.
+ The email address of the contact within the organization making
+ the request.
- name: GivenName
type: string
description: >
@@ -66,8 +64,8 @@
- name: KeyBitLength
type: int64
description: >
- The length of the key in bits, if needed based on the value
- of the KeyPairAlgorithm parameter.
+ The length of the key in bits, if needed based on the value of
+ the KeyPairAlgorithm parameter.
Refer https://www.openssl.org/docs/man1.0.2/man1/genpkey.html
- name: KeyCurveId
@@ -87,35 +85,43 @@
- name: KeyUsage
type: array[string]
description: >
- Key usage extensions define the purpose of the public key contained
- in a certificate.
+ Key usage extensions define the purpose of the public key
+ contained in a certificate.
Valid Key usage extensions and its usage description.
ClientAuthentication: The public key is used for TLS WWW client
authentication.
- CodeSigning: The public key is used for the signing of executable code.
- CRLSigning: The public key is used for verifying signatures on
+ CodeSigning: The public key is used for the signing of
+ executable code. CRLSigning: The public key is used for
+ verifying signatures on
certificate revocation lists (CLRs).
- DataEncipherment: The public key is used for directly enciphering
- raw user data without the use of an intermediate
+ DataEncipherment: The public key is used for directly
+ enciphering
+ raw user data without the use of an
+ intermediate
symmetric cipher.
DecipherOnly: The public key could be used for deciphering data
while performing key agreement.
DigitalSignature: The public key is used for verifying digital
- signatures, other than signatures on certificates
+ signatures, other than signatures on
+ certificates
and CRLs.
EmailProtection: The public key is used for email protection.
EncipherOnly: The public key could be used for enciphering data
while performing key agreement.
KeyCertSign: The public key is used for verifying signatures on
public key certificates.
- KeyEncipherment: The public key is used for enciphering private or
+ KeyEncipherment: The public key is used for enciphering private
+ or
secret keys.
- NonRepudiation: The public key is used to verify digital signatures,
+ NonRepudiation: The public key is used to verify digital
+ signatures,
other than signatures on certificates and CRLs,
- and used to provide a non- repudiation service that
- protects against the signing entity falsely denying
+ and used to provide a non- repudiation service
+ that
+ protects against the signing entity falsely
+ denying
some action.
OCSPSigning: The public key is used for signing OCSP responses.
ServerAuthentication: The public key is used for TLS WWW server
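Review bot: the reflow damages the hand-aligned KeyUsage definition list rather than reformatting it: `CRLSigning:` is appended to the CodeSigning sentence (`+ executable code. CRLSigning: The public key is used for`), and the DataEncipherment, DigitalSignature, KeyEncipherment and NonRepudiation entries are broken into one-word fragments (`+ enciphering`, `+ intermediate`, `+ or`, `+ that`, `+ denying`). Because the description is a `>` folded scalar, any continuation line indented deeper than the scalar's first line keeps its line break, so if these fragments are more-indented (as the column alignment suggests) this changes the rendered text, not just the source layout. Either exempt this block from the formatter (prettier honours a `# prettier-ignore` comment in YAML, if that is what the build-scripts settings invoke) or restructure the usages as a plain list with one entry per item so the formatter can wrap them sensibly. Two pre-existing typos sit on these lines and could go in the same pass: `(CLRs)` for CRLs and `non- repudiation`.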
@@ -125,22 +131,20 @@
- name: Organization
type: string
description: >
- The legal name of the organization. This should not be abbreviated
- and should include suffixes such as Inc, Corp, or LLC.
- For example, IBM Corp.
- This is a required parameter.
+ The legal name of the organization. This should not be
+ abbreviated and should include suffixes such as Inc, Corp, or
+ LLC. For example, IBM Corp. This is a required parameter.
- name: OrganizationalUnit
type: string
description: >
The name of the unit or division of the organization making the
- request.
- This is a required parameter.
+ request. This is a required parameter.
- name: State
type: string
description: >
- The state or province where the organization is located.
- This should not be abbreviated. For example, Texas.
- This is a required parameter.
+ The state or province where the organization is located. This
+ should not be abbreviated. For example, Texas. This is a
+ required parameter.
- name: Surname
type: string
description: >
diff --git a/yaml/xyz/openbmc_project/Certs/Certificate.interface.yaml b/yaml/xyz/openbmc_project/Certs/Certificate.interface.yaml
index 5bddd3b..799d9da 100644
--- a/yaml/xyz/openbmc_project/Certs/Certificate.interface.yaml
+++ b/yaml/xyz/openbmc_project/Certs/Certificate.interface.yaml
@@ -11,18 +11,18 @@
description: >
The string for the certificate.
- This is a X.509 public certificate in PEM format.
- PEM wiki - https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail
+ This is a X.509 public certificate in PEM format. PEM wiki -
+ https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail
- An X.509 certificate contains a public key, validity, and an
- identity (a hostname, or an organization, or an individual),
- and is either signed by a certificate authority or self-signed.
- Refer https://en.wikipedia.org/wiki/X.509 for details.
+ An X.509 certificate contains a public key, validity, and an identity
+ (a hostname, or an organization, or an individual), and is either
+ signed by a certificate authority or self-signed. Refer
+ https://en.wikipedia.org/wiki/X.509 for details.
- name: KeyUsage
type: array[string]
description: >
- Key usage extensions define the purpose of the public key contained
- in a certificate.
+ Key usage extensions define the purpose of the public key contained in
+ a certificate.
Valid Key usage extensions and its usage description is based on
Redfish Resource and Schema Guide 2018.3 version.
@@ -30,8 +30,8 @@
ClientAuthentication: The public key is used for TLS WWW client
authentication.
- CodeSigning: The public key is used for the signing of executable code.
- CRLSigning: The public key is used for verifying signatures on
+ CodeSigning: The public key is used for the signing of executable
+ code. CRLSigning: The public key is used for verifying signatures on
certificate revocation lists (CLRs).
DataEncipherment: The public key is used for directly enciphering
raw user data without the use of an intermediate
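Review bot: same breakage as in the CSR/Create.interface.yaml hunk above: `+ code. CRLSigning: The public key is used for verifying signatures on` glues the CRLSigning entry onto the end of the CodeSigning sentence while its remaining continuation line (`certificate revocation lists (CLRs).`) stays on its own, so the entry boundary is lost in the rendered description. Exempt this definition list from the formatter or give each usage its own list item; `(CLRs)` should also be `(CRLs)`.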
@@ -66,8 +66,8 @@
Refer X.509 certificate wiki for the "Issuer" Key and value details.
- Example: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
- Here C = country, O=organization, CN= common name.
+ Example: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA Here
+ C = country, O=organization, CN= common name.
- name: Subject
type: string
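Review bot: `+ Example: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA Here` runs the example DN straight into the explanatory sentence, so a reader can take `Here` as part of the CN value. Add a period (or semicolon) after `Secure Server CA` while the line is being rewritten; the rendered output is unchanged either way, because the folded scalar already joined these two lines.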
@@ -90,5 +90,5 @@
- name: ValidNotBefore
type: uint64
description: >
- The certificate validity start date and time,
- in epoch time, in milliseconds.
+ The certificate validity start date and time, in epoch time, in
+ milliseconds.
diff --git a/yaml/xyz/openbmc_project/Certs/Entry.interface.yaml b/yaml/xyz/openbmc_project/Certs/Entry.interface.yaml
index 4547798..1ac93fd 100644
--- a/yaml/xyz/openbmc_project/Certs/Entry.interface.yaml
+++ b/yaml/xyz/openbmc_project/Certs/Entry.interface.yaml
@@ -1,13 +1,11 @@
description: >
- Implement to get CSR string signed by authority and get
- client certificate.
+ Implement to get CSR string signed by authority and get client certificate.
properties:
- name: ClientCertificate
type: string
description: >
- Client certificate content.
- User reads this property based on status.
+ Client certificate content. User reads this property based on status.
The value of this property is empty until Status.State == complete.
- name: Status
type: enum[self.State]
diff --git a/yaml/xyz/openbmc_project/Certs/README.md b/yaml/xyz/openbmc_project/Certs/README.md
index abfdf6d..31d9005 100644
--- a/yaml/xyz/openbmc_project/Certs/README.md
+++ b/yaml/xyz/openbmc_project/Certs/README.md
@@ -3,11 +3,11 @@
## Overview
Certificate management allows to replace the existing certificate and private
-key file with another (possibly certification Authority (CA) signed)
-certificate and private key file. Certificate management allows the user to
-install both the server and client certificates. The REST interface allows to
-update the certificate, using an unencrypted certificate and private key file
-in .pem format, which includes both private key and signed certificate.
+key file with another (possibly certification Authority (CA) signed) certificate
+and private key file. Certificate management allows the user to install both the
+server and client certificates. The REST interface allows to update the
+certificate, using an unencrypted certificate and private key file in .pem
+format, which includes both private key and signed certificate.
### Signed Certificate upload Design flow(Pre-generated)
@@ -15,15 +15,13 @@
location.
- REST server should map the URI to the target DBus application (Certs) object.
The recommendation for the D-Bus application implementing certificate D-Bus
- objects is to use the same path structure as the REST endpoint.
- e.g.:
- - The URI /xyz/openbmc_project/certs/server/https maps to instance
- of the certificate application handling Https server certificate.
- - The URI /xyz/openbmc_project/certs/client/ldap maps to instance
- of the certificate application handling LDAP client certificate.
- - The URI /xyz/openbmc_project/certs/authority/ldap maps to instance
- of the certificate application handling Certificate Autohority
- certificates.
+ objects is to use the same path structure as the REST endpoint. e.g.:
+ - The URI /xyz/openbmc_project/certs/server/https maps to instance of the
+ certificate application handling Https server certificate.
+ - The URI /xyz/openbmc_project/certs/client/ldap maps to instance of the
+ certificate application handling LDAP client certificate.
+ - The URI /xyz/openbmc_project/certs/authority/ldap maps to instance of the
+ certificate application handling Certificate Autohority certificates.
- REST server should call the install method of the certificate application
instance.
- Certificate manager application also implements d-bus object
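Review bot: `Autohority` in `+ certificate application handling Certificate Autohority certificates.` is a pre-existing typo carried onto a rewritten line; fix it to `Authority` since the line is touched anyway. Joining `e.g.:` onto the previous sentence is fine in markdown, the nested list still renders beneath it.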
@@ -31,9 +29,8 @@
"certificates specific d-bus objects" installed in the system. This d-bus
provide option to view the certificate on PEM format and delete the same.
Refer [Wikipedia][privacy-enhanced-mail] for details.
-- Applications should subscribe the xyz.openbmc_project.Certs.Manager
- to see any new certificate is uploaded or change in the existing
- certificates.
+- Applications should subscribe the xyz.openbmc_project.Certs.Manager to see any
+ new certificate is uploaded or change in the existing certificates.
- Certificate manager scope is limited to manage the certificate and impacted
application is responsible for application specific changes.
- In case of delete action, certificate manager creates a new self signed
@@ -73,20 +70,19 @@
### User flow for generating and installing Certificates(CSR Based)
-[Certificate Signing Request][csr](CSR) is a message sent from an applicant to
-a certitificate authority in order to apply for a digital identity certificate.
+[Certificate Signing Request][csr](CSR) is a message sent from an applicant to a
+certitificate authority in order to apply for a digital identity certificate.
This section provides the details of the CSR based certificate user flow.
-- The user performs the CSR/create interface
- BMC creates new private key and CSR object which includes CSR information.
-- The user performs the CSR/export interface
- Allows the user to export the CSR file which is part of newly created
- CSR object. This can be provided to the CA to create SSL certificate.
-- The user perform the certificate upload on appropriate services.
- Example: if trying to replace the HTTPS certificate for a Manager,
- navigate to the Manager’s Certificate object upload interface.
- The Upload method internally pairs the private key used in the first
- step with the installed certificate.
+- The user performs the CSR/create interface BMC creates new private key and CSR
+ object which includes CSR information.
+- The user performs the CSR/export interface Allows the user to export the CSR
+ file which is part of newly created CSR object. This can be provided to the CA
+ to create SSL certificate.
+- The user perform the certificate upload on appropriate services. Example: if
+ trying to replace the HTTPS certificate for a Manager, navigate to the
+ Manager’s Certificate object upload interface. The Upload method internally
+ pairs the private key used in the first step with the installed certificate.
[csr]: https://en.wikipedia.org/wiki/Certificate_signing_request
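Review bot: the three CSR-flow bullets lose their sentence boundaries: `+ - The user performs the CSR/create interface BMC creates new private key and CSR` and `+ - The user performs the CSR/export interface Allows the user to export the CSR` now read as single garbled sentences. The original second lines were lazy continuations, so markdown already rendered them joined, but the text needs punctuation to be readable: `The user performs the CSR/create interface. BMC creates ...` and `The user performs the CSR/export interface. This allows ...`. In the third bullet, `perform` should be `performs`.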
@@ -100,16 +96,16 @@
### CSR Request
-- CSR requests initiated through D-Bus are time-consuming and might result
- D-Bus time-out error.
-- To overcome the time-out error, parent process is forked and CSR operation
- is performed in the child process so that parent process can return the
- calling thread immediately.
+- CSR requests initiated through D-Bus are time-consuming and might result D-Bus
+ time-out error.
+- To overcome the time-out error, parent process is forked and CSR operation is
+ performed in the child process so that parent process can return the calling
+ thread immediately.
- OpenSSL library is used in generating CSR based on the algorithm type.
- At present supporting generating CSR for only "RSA" algorithm type.
- Parent process registers child process PID and a callback method in the
- sd_event_lopp so that callback method is invoked upon completion
- the CSR request in the child process.
+ sd_event_lopp so that callback method is invoked upon completion the CSR
+ request in the child process.
- Callback method invoked creates a CSR object with the status of the CSR
operation returned from the child process.
- CSR read operation will return the CSR string if status is SUCCESS else throws
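Review bot: `sd_event_lopp` in `+ sd_event_lopp so that callback method is invoked upon completion the CSR` is a typo for `sd_event_loop`, and the sentence is missing `of` (`upon completion of the CSR request`); both are on lines this change rewrites. The first bullet has the same kind of problem: `might result D-Bus time-out error` wants `might result in a D-Bus time-out error`.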
@@ -118,8 +114,8 @@
interface.
- CSR object created implements "/xyz/openbmc_project/Certs/CSR" interface.
- Caller needs to validate the CSR request parameters.
-- Caller need to wait on "InterfacesAdded" signal generated upon creation
- of the CSR object to start reading CSR string.
+- Caller need to wait on "InterfacesAdded" signal generated upon creation of the
+ CSR object to start reading CSR string.
### Example usage for the GenerateCSR POST request
@@ -154,8 +150,8 @@
### Additional interfaces
-- CertificateService.ReplaceCertificate
- Allows the user to replace an existing certificate.
+- CertificateService.ReplaceCertificate Allows the user to replace an existing
+ certificate.
### d-bus interfaces
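Review bot: `+ - CertificateService.ReplaceCertificate Allows the user to replace an existing` merges the action name into its description. The original had the name as a term on one line with the description beneath it; put a colon after the name (`CertificateService.ReplaceCertificate: Allows the user ...`) or wrap the name in backticks so the boundary survives the reflow.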
@@ -164,16 +160,16 @@
- Certs application must:
- validate the certificate and Private key file by checking, if the Private
key matches the public key in the certificate file.
- - copy the certificate and Public Key file to the service specific path
- based on a configuration file.
+ - copy the certificate and Public Key file to the service specific path based
+ on a configuration file.
- Reload the listed service(s) for which the certificate is updated.
#### d-bus interface to Delete certificate and Private Key
- certificate manager should provide interface to delete the existing
certificate.
-- Incase of server type certificate deleting a signed certificate will
- create a new self signed certificate and will install the same.
+- Incase of server type certificate deleting a signed certificate will create a
+ new self signed certificate and will install the same.
### Boot process
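Review bot: `Incase` in `+ - Incase of server type certificate deleting a signed certificate will create a` should be `In case`. Separately, `+ - copy the certificate and Public Key file to the service specific path based` says Public Key, whereas the rest of this README (the Overview, and the `Delete certificate and Private Key` heading directly below) describes installing the certificate together with its private key; if the file copied alongside the certificate is the private key, this line is misleading and should say so.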
@@ -202,9 +198,8 @@
"/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates"
- Bmcweb receives the POST request and it maps the Redfish URI to the
- corresponding Certificate Manager D-Bus URI.
- e.g: HTTPS certificate collection URI
- /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates mapped to
+ corresponding Certificate Manager D-Bus URI. e.g: HTTPS certificate collection
+ URI /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates mapped to
/xyz/openbmc_project/certs/server/https.
- Bmcweb initiates an asynchronous call which invokes the "Install" method of
the Certificate Manager.
@@ -221,8 +216,8 @@
the response message with newly created certificate details for success.
- Certificate object D-Bus path mapped to corresponding Redfish certificate URI.
e.g: /xyz/openbmc_project/certs/server/https/1 is mapped to
- /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1
- ID of the certificate is appended to the collection URI.
+ /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1 ID of the
+ certificate is appended to the collection URI.
#### Certificate Replace
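Review bot: `+ /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1 ID of the` runs the example URI into the next sentence, so `1 ID` reads as part of the path. Add a period after `Certificates/1` and start the next sentence with `The ID of the certificate is appended to the collection URI.`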
@@ -231,8 +226,7 @@
- Redfish issues Replace certificate request by invoking the ReplaceCertificate
action of the CertificateService.
- Redfish Certificate Collection URI is mapped to corresponding Certificate
- D-Bus object URI
- e.g: HTTPS certificate object 1 URI
+ D-Bus object URI e.g: HTTPS certificate object 1 URI
/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1 is mapped to
/xyz/openbmc_project/certs/server/https/1.
- Bmcweb receives POST request for Replace Certificate, invokes the Replace
@@ -257,8 +251,8 @@
#### Certificate Deletion
- For server and client certificate type the certificate deletion is not
- allowed. In case of authority certificate type the delete option is
- acceptable and can be done on individial certificates, for example:
+ allowed. In case of authority certificate type the delete option is acceptable
+ and can be done on individial certificates, for example:
```plain
url: redfish/v1/Managers/bmc/Truststore/Certificates/1
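Review bot: `individial` in `+ and can be done on individial certificates, for example:` is a pre-existing typo on a rewritten line; it should be `individual`.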