Generate a key and certificate signing request (CSR)
This patch provides the D-Bus interface to create and export a CSR.
Change-Id: I37c9bf58de8d1222700dbb35c869e0a1e3d5f2da
Signed-off-by: Jayanth Othayoth <ojayanth@in.ibm.com>
diff --git a/xyz/openbmc_project/Certs/CSR.interface.yaml b/xyz/openbmc_project/Certs/CSR.interface.yaml
new file mode 100644
index 0000000..82f8dd3
--- /dev/null
+++ b/xyz/openbmc_project/Certs/CSR.interface.yaml
@@ -0,0 +1,18 @@
+description: >
+    Implement to retrieve the Certificate Signing Request(CSR).
+
+methods:
+    - name: CSR
+      description: >
+          Method to get the CSR string.
+
+          Object which implements this interface should implement
+          xyz.openbmc_project.Object.Delete to allow the deletion of CSR objects.
+
+      returns:
+        - name: CSRString
+          type: string
+          description: >
+              CSR string in the Base-64 encoded PEM format.
+      errors:
+        - xyz.openbmc_project.Common.Error.InternalFailure
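Review bot: The return description at the end of this hunk, "CSR string in the Base-64 encoded PEM format", conflates two things: PEM is already the Base64 encoding of the DER structure wrapped in BEGIN/END markers, so say "CSR in PEM format (-----BEGIN CERTIFICATE REQUEST----- ... -----END CERTIFICATE REQUEST-----)" so callers know exactly which bytes to hand to the CA. Two smaller points: the requirement that implementers also provide xyz.openbmc_project.Object.Delete belongs in the interface-level description at the top of the file rather than inside the CSR method's description, and a method named CSR on an interface named CSR reads oddly for what is effectively a getter; a read-only property, or a name such as Export (which is what the README in this same patch calls this step), would be clearer.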
diff --git a/xyz/openbmc_project/Certs/CSR/Create.interface.yaml b/xyz/openbmc_project/Certs/CSR/Create.interface.yaml
new file mode 100644
index 0000000..48b1bd1
--- /dev/null
+++ b/xyz/openbmc_project/Certs/CSR/Create.interface.yaml
@@ -0,0 +1,159 @@
+description: >
+    Implement to create Certificate Signing Request(CSR).
+
+methods:
+    - name: GenerateCSR
+      description: >
+          This command is used to initiate a certificate signing request.
+          This command only returns the D-Bus path name for the new CSR object.
+          User need to listen on InterfacesAdded signal emitted by
+          /xyz/openbmc_project/Certs to retrieve the CSR string after
+          successful CSR creation.
+
+          Note: Following Parameters are mandatory or optional based on the
+                Redfish documentation.
+
+                Caller is responsible for the input parameter validation.
+
+                If the caller does not wish a field to be included in the
+                CSR Request, initialize the Parameter with blank for strings
+                and zero for integers.
+
+      parameters:
+        - name: AlternativeNames
+          type: array[string]
+          description: >
+              Additional hostnames of the component that is being secured.
+        - name: ChallengePassword
+          type: string
+          description: >
+              The challenge password to be applied to the certificate for
+              revocation requests.
+        - name: City
+          type: string
+          description: >
+              The city or locality of the organization making the request.
+              For Example Austin
+              This is a required parameter.
+        - name: CommonName
+          type: string
+          description: >
+              The fully qualified domain name of the component that is being
+              secured.
+              This is a required parameter.
+        - name: ContactPerson
+          type: string
+          description: >
+              The name of the user making the request.
+        - name: Country
+          type: string
+          description: >
+              The country of the organization making the request.
+              This is a required parameter.
+        - name: Email
+          type: string
+          description: >
+              The email address of the contact within the organization
+              making the request.
+        - name: GivenName
+          type: string
+          description: >
+              The given name of the user making the request.
+        - name: Initials
+          type: string
+          description: >
+              The initials of the user making the request.
+        - name: KeyBitLength
+          type: int64
+          description: >
+              The length of the key in bits, if needed based on the value
+              of the KeyPairAlgorithm parameter.
+
+              Refer https://www.openssl.org/docs/man1.0.2/man1/genpkey.html
+        - name: KeyCurveId
+          type: string
+          description: >
+              The curve ID to be used with the key, if needed based on the
+              value of the KeyPairAlgorithm parameter.
+
+              Refer https://www.openssl.org/docs/man1.0.2/man1/genpkey.html
+        - name: KeyPairAlgorithm
+          type: string
+          description: >
+             The type of key pair for use with signing algorithms.
+
+             Valid built-in algorithm names for private key generation are
+             RSA and EC.
+        - name: KeyUsage
+          type: array[string]
+          description: >
+             Key usage extensions define the purpose of the public key contained
+             in a certificate.
+
+             Valid Key usage extensions and its usage description.
+
+             ClientAuthentication: The public key is used for TLS WWW client
+                                   authentication.
+             CodeSigning: The public key is used for the signing of executable code.
+             CRLSigning: The public key is used for verifying signatures on
+                         certificate revocation lists (CLRs).
+             DataEncipherment: The public key is used for directly enciphering
+                               raw user data without the use of an intermediate
+                               symmetric cipher.
+             DecipherOnly: The public key could be used for deciphering data
+                           while performing key agreement.
+             DigitalSignature: The public key is used for verifying digital
+                               signatures, other than signatures on certificates
+                               and CRLs.
+             EmailProtection: The public key is used for email protection.
+             EncipherOnly: The public key could be used for enciphering data
+                           while performing key agreement.
+             KeyCertSign: The public key is used for verifying signatures on
+                          public key certificates.
+             KeyEncipherment: The public key is used for enciphering private or
+                              secret keys.
+             NonRepudiation: The public key is used to verify digital signatures,
+                             other than signatures on certificates and CRLs,
+                             and used to provide a non- repudiation service that
+                             protects against the signing entity falsely denying
+                             some action.
+             OCSPSigning: The public key is used for signing OCSP responses.
+             ServerAuthentication: The public key is used for TLS WWW server
+                                   authentication.
+             Timestamping: The public key is used for binding the hash of an
+                           object to a time.
+        - name: Organization
+          type: string
+          description: >
+              The legal name of the organization. This should not be abbreviated
+              and should include suffixes such as Inc, Corp, or LLC.
+              For example, IBM Corp.
+              This is a required parameter.
+        - name: OrganizationalUnit
+          type: string
+          description: >
+              The name of the unit or division of the organization making the
+              request.
+              This is a required parameter.
+        - name: State
+          type: string
+          description: >
+              The state or province where the organization is located.
+              This should not be abbreviated. For example, Texas.
+              This is a required parameter.
+        - name: Surname
+          type: string
+          description: >
+              The surname of the user making the request.
+        - name: UnstructuredName
+          type: string
+          description: >
+              The unstructured name of the subject.
+      returns:
+        - name: path
+          type: string
+          description: >
+              The object path of the D-Bus object to be watch for retrieving
+              the CSR string.
+      errors:
+        - xyz.openbmc_project.Common.Error.InternalFailure
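Review bot: "Caller is responsible for the input parameter validation" in the GenerateCSR Note puts the trust boundary in the wrong place: this is a D-Bus method that any permitted bus client can call, and its arguments are fed into key generation and the CSR subject, so the implementer must validate them regardless of what the Redfish layer does. At minimum: KeyPairAlgorithm restricted to the two listed values (RSA, EC); KeyBitLength checked against a documented minimum, with a stated default when the caller passes 0 (the Note says zero means "not included", but the key must still have a length and nothing says what is chosen); KeyCurveId checked against the curves the implementation supports; and KeyUsage values checked against the list in this file. Add xyz.openbmc_project.Common.Error.InvalidArgument to errors so rejection is distinguishable from InternalFailure. Related points in the same hunk: ChallengePassword is a secret that ends up in the CSR, so the description should tell implementers not to log method arguments; the KeyUsage list mixes RFC 5280 keyUsage bits (DigitalSignature, KeyEncipherment, KeyCertSign, CRLSigning, DataEncipherment, EncipherOnly, DecipherOnly, NonRepudiation) with extendedKeyUsage purposes (ServerAuthentication, ClientAuthentication, CodeSigning, OCSPSigning, Timestamping, EmailProtection), so say which extension each value lands in; "CLRs" and "non- repudiation" are typos; the returns entry should use type path rather than string for a D-Bus object path, and "to be watch" should read "to be watched". Finally, the description tells the caller to obtain the CSR string from an InterfacesAdded signal on /xyz/openbmc_project/Certs, but a caller that subscribes only after the method returns can miss a signal that fired in between; either state that the caller must subscribe before invoking GenerateCSR, or make the returned object path sufficient on its own (the caller can call CSR() on it).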
diff --git a/xyz/openbmc_project/Certs/README.md b/xyz/openbmc_project/Certs/README.md
index 953ee34..72144e5 100644
--- a/xyz/openbmc_project/Certs/README.md
+++ b/xyz/openbmc_project/Certs/README.md
@@ -7,7 +7,7 @@
 update the certificate, using an unencrypted certificate and private key file
 in .pem format, which includes both private key and signed certificate.
 
-### Signed Certificate upload Design flow:
+### Signed Certificate upload Design flow(Pre-generated):
 
 - The REST Server copies the certificate and private key file to a temporary
   location.
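Review bot: The renamed heading needs a space before the parenthesis, "Design flow (Pre-generated)", and since this heading now exists to contrast with the CSR-based flow, the first sentence under it should say what "pre-generated" means here: the private key and the signed certificate are both produced outside the BMC and uploaded together as one unencrypted .pem file, as the context lines above already describe. That makes the trust difference between the two flows explicit: in this flow the private key is handled off-box and transferred in the clear, whereas in the CSR flow the BMC generates the key itself and only the CSR leaves the box.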
@@ -68,6 +68,67 @@
        500  Internal server error
 
    ```
+
+## CSR
+
+### User flow for generating and installing Certificates(CSR Based):
+   Certificate Signing Request [CSR](https://en.wikipedia.org/wiki/Certificate_signing_request)
+is a message sent from an applicant to a certitificate authority in order to
+apply for a digital identity certificate. This section provides the details of
+the CSR based certificate user flow.
+- The user performs the CSR/create interface
+      BMC creates new private key and CSR object which includes CSR information.
+- The user performs the CSR/export interface
+      Allows the user to export the CSR file which is part of newly created
+      CSR object. This can be provided to the CA to create SSL certificate.
+- The user perform the certificate upload on appropriate services.
+      Example: if trying to replace the HTTPS certificate for a Manager,
+      navigate to the Manager’s Certificate object upload interface.
+      The Upload method internally  pairs the private key used in the first
+      step with the installed certificate.
+
+### Assumptions:
+- BMC updates the private key associated to CSR for any new CSR request.
+- BMC upload process automatically appends certificate file with system CSR
+  private key, for the service which requirs certificate and key.
+- CSR based Certificate validation is alway's based on private key in the system.
+
+### Example usage for the GenerateCSR POST request
+
+   ```
+   url: /redfish/v1/CertificateService
+   Action: #CertificateService.GenerateCSR {
+    "City": "HYB",
+    "CertificateCollection": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/",
+    "CommonName": "www.company.com",
+    "ContactPerson":"myname",
+    "AlternativeNames":["mycompany.com","mycompany2.com"],
+    "ChallengePassword":"abc123",
+    "Email":"xxx@xx.com",
+    "GivenName":"localhost",
+    "Initials":"G",
+    "Country": "IN",
+    "KeyCurveId":"0",
+    "KeyUsage":["ServerAuthentication","ServerAuthentication"],
+    "KeyBitLength": 2048,
+    "KeyPairAlgorithm": "RSA",
+    "Organization": "ABCD",
+    "OrganizationUnit": "XY",
+    "State": "TX",
+    "SurName": "XX",
+    "UnstructuredName": "xxx"
+   }
+   Description: This is used to perform a certificate signing request.
+   Method: POST
+
+  ```
+
+### Additional interfaces:
+- CertificateService.ReplaceCertificate
+      Allows the user to replace an existing certificate.
+
+### d-bus interfaces:
+
 #### d-bus interface to install certificate and private Key
 - Certs application must:
   - validate the certificate and Private key file by checking, if the Private
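Review bot: The GenerateCSR example in this hunk disagrees with the interface defined in Create.interface.yaml in the same patch: the JSON uses "OrganizationUnit" and "SurName" where the interface parameters are OrganizationalUnit and Surname; "KeyUsage" lists "ServerAuthentication" twice; "KeyCurveId":"0" is sent for an RSA key although the interface says unused string fields are left blank; and "State": "TX" contradicts the parameter's own "should not be abbreviated. For example, Texas". Fix the example so a reader can copy it as-is. The user-flow bullets refer to "the CSR/create interface" and "the CSR/export interface", which are not the names in the YAML (Create.GenerateCSR and CSR.CSR); use the real names. Under Assumptions, "BMC updates the private key associated to CSR for any new CSR request" has a security consequence that should be stated plainly: every GenerateCSR call replaces the stored key, so a certificate obtained for an earlier CSR will no longer match, and the Upload path must verify that the uploaded certificate's public key pairs with the currently stored key (the "validate the certificate and Private key" step at the bottom of the hunk) and reject the install otherwise, rather than silently appending the key to the certificate. Typos: "certitificate", "requirs", "alway's", the double space in "internally  pairs", and "associated to" should read "associated with".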