# Certificate Revocation List on BMC

Author: Nan Zhou (nanzhoumails@gmail.com)

Created: 02/25/2022

## Problem Description

This design adds management interfaces for certificate revocation lists in
OpenBMC.

## Background and References

A certificate revocation list (CRL) is a list of digital certificates that
have been revoked by the issuing certificate authority (CA) before their
actual or assigned expiration date. At Google, there are use cases where the
BMC needs to install CRLs into the Redfish server, so that clients presenting
revoked certificates are rejected during the TLS handshake. Supporting CRLs is
also recommended for most applications.

The current OpenBMC certificate management architecture contains two main
components.

1. [phosphor-certificate-manager](https://github.com/openbmc/phosphor-certificate-manager)
   owns certificate objects and implements management interfaces; currently
   there are three types of certificates supported: client, server, and
   authority.

2. [BMCWeb](https://github.com/openbmc/bmcweb): the Redfish front-end which
   translates certificate objects into Redfish resources. BMCWeb is also a
   consumer of these certificates; it uses them in its TLS handshake.

DMTF doesn't support CRLs yet in the Redfish spec. Adding them is WIP. See
[this discussion](https://redfishforum.com/thread/618/resource-certificate-revocation-list?page=1&scrollTo=2173).
Google doesn't plan on using Redfish interfaces to manage certificates and
CRLs. Instead, Google has a dedicated daemon for credential installation, and
this daemon interacts with the OpenBMC certificate management architecture
via DBus APIs.

## Requirements

OpenBMC supports management interfaces for CRLs:

1. Clients shall be able to install/delete/replace CRLs via DBus APIs.
2. Whenever CRLs change, the certificate management system shall notify
   consumers that use the old CRLs to refresh with the newly given CRLs.
3. Other daemons, e.g., BMCWeb, shall consume CRLs the same way as existing
   authority/server/client certificates, that is, via a file path or
   directory determined at compile time.

## Proposed Design

### phosphor-dbus-interfaces

We propose to introduce a new interface `CRL` in [Certs](https://github.com/openbmc/phosphor-dbus-interfaces/tree/master/yaml/xyz/openbmc_project/Certs).

Because no Redfish spec is available, we propose the only attribute of the
interface to be `CRLString`, which contains the PEM-encoded CRL. We can add
more attributes as needed in the future.

### phosphor-certificate-manager

We propose to add a new type of certificate manager (CRL-manager) alongside
the existing three types of Manager.

The CRL-manager will implement the following common interfaces:

1. [InstallAll](https://github.com/openbmc/phosphor-dbus-interfaces/blob/master/yaml/xyz/openbmc_project/Certs/InstallAll.interface.yaml):
   install multiple CRLs and notify consumers. The notification process is
   the existing behaviour which phosphor-certificate-manager uses to tell
   consumers to reload newly installed credentials.

2. [ReplaceAll](https://github.com/openbmc/phosphor-dbus-interfaces/blob/master/yaml/xyz/openbmc_project/Certs/ReplaceAll.interface.yaml):
   replace all existing CRLs with multiple new CRLs and notify consumers.

3. [DeleteAll](https://github.com/openbmc/phosphor-dbus-interfaces/blob/master/yaml/xyz/openbmc_project/Collection/DeleteAll.interface.yaml):
   delete all existing CRLs and notify consumers.

### BMCWeb

We propose to introduce CRLs into BMCWeb's SSL context. Whenever BMCWeb
reloads, it not only refreshes authority and server certificates, but also
CRLs. Example code can be found in many open-source projects, e.g., this
[snippet](https://github.com/Icinga/icinga2/blob/master/lib/base/tlsutility.cpp#L338).

## Alternatives Considered

We could model the whole list of CRLs as a single object, but that is not
aligned with the existing authorities list design.

## Impacts

1. New DBus interfaces
2. More complete security support

## Testing

Add new unit tests in phosphor-certificate-manager.

Manual integration tests: install CRLs and verify that clients' revoked
certificates are rejected.
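The manual integration test above, and the consumer-side reload the BMCWeb section describes, rehearsed with the openssl CLI as an added example that is not OpenBMC or BMCWeb code. It constructs a throw-away CA, one client certificate and a CRL (all names, paths and the config are hypothetical), then verifies the client before and after the CRL is replaced with one that revokes it; `-crl_check` plays the role of the CRL-check flag a server sets on its certificate store.

```shell
#!/bin/sh
# Added example, not OpenBMC code: throw-away PKI built with the openssl CLI to
# rehearse the design's manual integration test. Everything here is constructed.
set -e
NEWKEY='-newkey rsa:2048 -nodes'
make_lab_pki() {  # fresh CA + one client cert + an empty CRL, in a new temp dir
  cd "$(mktemp -d)"
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.pem
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = lab_policy
[ lab_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
  touch index.txt; echo 01 > serial; echo 01 > crlnumber
  # Authority cert (what the authority manager hands to BMCWeb) and a client cert it signs
  openssl req -x509 -config ca.cnf $NEWKEY -keyout ca.key -out ca.pem -subj /CN=LabCA \
    -days 365 -addext basicConstraints=critical,CA:TRUE >/dev/null 2>&1
  openssl req -config ca.cnf $NEWKEY -keyout client.key -out client.csr -subj /CN=client >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -in client.csr -out client.pem >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1  # crl.pem is the CRLString
}
# Revoke the client cert and publish a new crl.pem: a ReplaceAll, as the consumer sees it
revoke_client() {
  openssl ca -batch -config ca.cnf -revoke client.pem >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
}
# What the TLS server does on reload: trust ca.pem, load crl.pem, CRL checking on
check_client() {
  if openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem client.pem >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}
make_lab_pki; echo "before revocation: $(check_client)"  # accepted
revoke_client; echo "after revocation:  $(check_client)"  # rejected
```

Each call to `make_lab_pki` builds its PKI in a fresh temporary directory, so the functions can be rerun without colliding with an earlier run.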