Generate a key and certificate signing request (CSR)
This patch provides the D-Bus interface to create and export a CSR.
Change-Id: I37c9bf58de8d1222700dbb35c869e0a1e3d5f2da
Signed-off-by: Jayanth Othayoth <ojayanth@in.ibm.com>
diff --git a/xyz/openbmc_project/Certs/CSR.interface.yaml b/xyz/openbmc_project/Certs/CSR.interface.yaml
new file mode 100644
index 0000000..82f8dd3
--- /dev/null
+++ b/xyz/openbmc_project/Certs/CSR.interface.yaml
@@ -0,0 +1,18 @@
+description: >
+ Implement to retrieve the Certificate Signing Request(CSR).
+
+methods:
+ - name: CSR
+ description: >
+ Method to get the CSR string.
+
+ Object which implements this interface should implement
+ xyz.openbmc_project.Object.Delete to allow the deletion of CSR objects.
+
+ returns:
+ - name: CSRString
+ type: string
+ description: >
+ CSR string in the Base-64 encoded PEM format.
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
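Review bot: the requirement that implementers also provide xyz.openbmc_project.Object.Delete is buried inside the CSR method's description, where anyone reading the interface summary will miss it; move those two lines ("Object which implements this interface should implement / xyz.openbmc_project.Object.Delete ...") to the interface-level description. Consider also exposing the PEM as a read-only property instead of a method returning CSRString: the value does not change after the object is created, a property is visible to the same InterfacesAdded and GetManagedObjects callers that the Create interface tells users to watch, and it saves a second round trip. If it stays a method, document what happens when the CSR has not finished generating yet; InternalFailure is the only error listed and it does not distinguish "not ready" from a real fault.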
diff --git a/xyz/openbmc_project/Certs/CSR/Create.interface.yaml b/xyz/openbmc_project/Certs/CSR/Create.interface.yaml
new file mode 100644
index 0000000..48b1bd1
--- /dev/null
+++ b/xyz/openbmc_project/Certs/CSR/Create.interface.yaml
@@ -0,0 +1,159 @@
+description: >
+ Implement to create Certificate Signing Request(CSR).
+
+methods:
+ - name: GenerateCSR
+ description: >
+ This command is used to initiate a certificate signing request.
+ This command only returns the D-Bus path name for the new CSR object.
+ User need to listen on InterfacesAdded signal emitted by
+ /xyz/openbmc_project/Certs to retrieve the CSR string after
+ successful CSR creation.
+
+ Note: Following Parameters are mandatory or optional based on the
+ Redfish documentation.
+
+ Caller is responsible for the input parameter validation.
+
+ If the caller does not wish a field to be included in the
+ CSR Request, initialize the Parameter with blank for strings
+ and zero for integers.
+
+ parameters:
+ - name: AlternativeNames
+ type: array[string]
+ description: >
+ Additional hostnames of the component that is being secured.
+ - name: ChallengePassword
+ type: string
+ description: >
+ The challenge password to be applied to the certificate for
+ revocation requests.
+ - name: City
+ type: string
+ description: >
+ The city or locality of the organization making the request.
+ For Example Austin
+ This is a required parameter.
+ - name: CommonName
+ type: string
+ description: >
+ The fully qualified domain name of the component that is being
+ secured.
+ This is a required parameter.
+ - name: ContactPerson
+ type: string
+ description: >
+ The name of the user making the request.
+ - name: Country
+ type: string
+ description: >
+ The country of the organization making the request.
+ This is a required parameter.
+ - name: Email
+ type: string
+ description: >
+ The email address of the contact within the organization
+ making the request.
+ - name: GivenName
+ type: string
+ description: >
+ The given name of the user making the request.
+ - name: Initials
+ type: string
+ description: >
+ The initials of the user making the request.
+ - name: KeyBitLength
+ type: int64
+ description: >
+ The length of the key in bits, if needed based on the value
+ of the KeyPairAlgorithm parameter.
+
+ Refer https://www.openssl.org/docs/man1.0.2/man1/genpkey.html
+ - name: KeyCurveId
+ type: string
+ description: >
+ The curve ID to be used with the key, if needed based on the
+ value of the KeyPairAlgorithm parameter.
+
+ Refer https://www.openssl.org/docs/man1.0.2/man1/genpkey.html
+ - name: KeyPairAlgorithm
+ type: string
+ description: >
+ The type of key pair for use with signing algorithms.
+
+ Valid built-in algorithm names for private key generation are
+ RSA and EC.
+ - name: KeyUsage
+ type: array[string]
+ description: >
+ Key usage extensions define the purpose of the public key contained
+ in a certificate.
+
+ Valid Key usage extensions and its usage description.
+
+ ClientAuthentication: The public key is used for TLS WWW client
+ authentication.
+ CodeSigning: The public key is used for the signing of executable code.
+ CRLSigning: The public key is used for verifying signatures on
+ certificate revocation lists (CLRs).
+ DataEncipherment: The public key is used for directly enciphering
+ raw user data without the use of an intermediate
+ symmetric cipher.
+ DecipherOnly: The public key could be used for deciphering data
+ while performing key agreement.
+ DigitalSignature: The public key is used for verifying digital
+ signatures, other than signatures on certificates
+ and CRLs.
+ EmailProtection: The public key is used for email protection.
+ EncipherOnly: The public key could be used for enciphering data
+ while performing key agreement.
+ KeyCertSign: The public key is used for verifying signatures on
+ public key certificates.
+ KeyEncipherment: The public key is used for enciphering private or
+ secret keys.
+ NonRepudiation: The public key is used to verify digital signatures,
+ other than signatures on certificates and CRLs,
+ and used to provide a non- repudiation service that
+ protects against the signing entity falsely denying
+ some action.
+ OCSPSigning: The public key is used for signing OCSP responses.
+ ServerAuthentication: The public key is used for TLS WWW server
+ authentication.
+ Timestamping: The public key is used for binding the hash of an
+ object to a time.
+ - name: Organization
+ type: string
+ description: >
+ The legal name of the organization. This should not be abbreviated
+ and should include suffixes such as Inc, Corp, or LLC.
+ For example, IBM Corp.
+ This is a required parameter.
+ - name: OrganizationalUnit
+ type: string
+ description: >
+ The name of the unit or division of the organization making the
+ request.
+ This is a required parameter.
+ - name: State
+ type: string
+ description: >
+ The state or province where the organization is located.
+ This should not be abbreviated. For example, Texas.
+ This is a required parameter.
+ - name: Surname
+ type: string
+ description: >
+ The surname of the user making the request.
+ - name: UnstructuredName
+ type: string
+ description: >
+ The unstructured name of the subject.
+ returns:
+ - name: path
+ type: string
+ description: >
+ The object path of the D-Bus object to be watch for retrieving
+ the CSR string.
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
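Review bot: "Caller is responsible for the input parameter validation" puts validation on the wrong side of the trust boundary. Every D-Bus client permitted to call GenerateCSR can hand arbitrary strings (CommonName, AlternativeNames, ChallengePassword, KeyCurveId) and an arbitrary KeyBitLength straight into key and CSR generation, so the Certs service must validate them itself regardless of what a Redfish front end already checked: reject unknown KeyPairAlgorithm and KeyCurveId values, enforce a minimum KeyBitLength for RSA rather than accepting whatever is sent, and bound string lengths before they reach OpenSSL. Please reword that sentence to say the service validates and raise a distinct error (InternalFailure is the only one listed) for bad input. Smaller points in the same hunk: ChallengePassword is described as "applied to the certificate for revocation requests", but it is the PKCS#9 challengePassword attribute carried in the CSR and does not appear in the issued certificate; "certificate revocation lists (CLRs)" should read "(CRLs)"; "non- repudiation" has a stray space; the OpenSSL links point at the 1.0.2 manual, which is end of life. Finally, the note about listening on InterfacesAdded should say that a caller that subscribes only after receiving the returned path can fetch the string with the CSR method on that path, otherwise there is a race between the method return and the signal.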
diff --git a/xyz/openbmc_project/Certs/README.md b/xyz/openbmc_project/Certs/README.md
index 953ee34..72144e5 100644
--- a/xyz/openbmc_project/Certs/README.md
+++ b/xyz/openbmc_project/Certs/README.md
@@ -7,7 +7,7 @@
update the certificate, using an unencrypted certificate and private key file
in .pem format, which includes both private key and signed certificate.
-### Signed Certificate upload Design flow:
+### Signed Certificate upload Design flow(Pre-generated):
- The REST Server copies the certificate and private key file to a temporary
location.
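Review bot: style only, "Signed Certificate upload Design flow(Pre-generated):" is missing the space before the parenthesis; "Design flow (Pre-generated):" reads better as a heading.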
@@ -68,6 +68,67 @@
500 Internal server error
```
+
+## CSR
+
+### User flow for generating and installing Certificates(CSR Based):
+ Certificate Signing Request [CSR](https://en.wikipedia.org/wiki/Certificate_signing_request)
+is a message sent from an applicant to a certitificate authority in order to
+apply for a digital identity certificate. This section provides the details of
+the CSR based certificate user flow.
+- The user performs the CSR/create interface
+ BMC creates new private key and CSR object which includes CSR information.
+- The user performs the CSR/export interface
+ Allows the user to export the CSR file which is part of newly created
+ CSR object. This can be provided to the CA to create SSL certificate.
+- The user perform the certificate upload on appropriate services.
+ Example: if trying to replace the HTTPS certificate for a Manager,
+ navigate to the Manager’s Certificate object upload interface.
+ The Upload method internally pairs the private key used in the first
+ step with the installed certificate.
+
+### Assumptions:
+- BMC updates the private key associated to CSR for any new CSR request.
+- BMC upload process automatically appends certificate file with system CSR
+ private key, for the service which requirs certificate and key.
+- CSR based Certificate validation is alway's based on private key in the system.
+
+### Example usage for the GenerateCSR POST request
+
+ ```
+ url: /redfish/v1/CertificateService
+ Action: #CertificateService.GenerateCSR {
+ "City": "HYB",
+ "CertificateCollection": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/",
+ "CommonName": "www.company.com",
+ "ContactPerson":"myname",
+ "AlternativeNames":["mycompany.com","mycompany2.com"],
+ "ChallengePassword":"abc123",
+ "Email":"xxx@xx.com",
+ "GivenName":"localhost",
+ "Initials":"G",
+ "Country": "IN",
+ "KeyCurveId":"0",
+ "KeyUsage":["ServerAuthentication","ServerAuthentication"],
+ "KeyBitLength": 2048,
+ "KeyPairAlgorithm": "RSA",
+ "Organization": "ABCD",
+ "OrganizationUnit": "XY",
+ "State": "TX",
+ "SurName": "XX",
+ "UnstructuredName": "xxx"
+ }
+ Description: This is used to perform a certificate signing request.
+ Method: POST
+
+ ```
+
+### Additional interfaces:
+- CertificateService.ReplaceCertificate
+ Allows the user to replace an existing certificate.
+
+### d-bus interfaces:
+
#### d-bus interface to install certificate and private Key
- Certs application must:
- validate the certificate and Private key file by checking, if the Private
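Review bot: the example GenerateCSR request does not match the interface defined in Create.interface.yaml: it uses "OrganizationUnit" and "SurName" where the parameters are OrganizationalUnit and Surname, sends "KeyCurveId":"0" for an RSA key although the interface says an unused string is left blank, and lists "ServerAuthentication" twice in KeyUsage. Please correct the field names and show one of each usage, for example ["ServerAuthentication","ClientAuthentication"]. The user flow refers to a "CSR/create interface" and a "CSR/export interface", but the patch defines xyz.openbmc_project.Certs.CSR.Create with GenerateCSR and retrieval through the CSR method on xyz.openbmc_project.Certs.CSR; name the real interfaces so readers can map the flow to D-Bus. Under Assumptions, "BMC updates the private key associated to CSR for any new CSR request" needs its consequence spelled out: generating a second CSR discards the key of the first, so a certificate issued for an earlier CSR can no longer be paired and installed; the flow should also state explicitly that only the CSR is exported and the private key never leaves the BMC. Typos in the hunk: "certitificate", "requirs", "alway's", "The user perform" (performs).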