description: >
    Implement to provide certificate management features.

    An OpenBMC implementation providing installed certificate management
    functions. An implementation service should additionally implement
    xyz.openbmc_project.Object.Delete to allow the deletion of individual
    certificate objects.
properties:
    - name: CertificateString
      type: string
      description: >
          The string for the certificate.

          This is an X.509 public certificate in PEM format; the private key
          is not part of this property. PEM wiki -
          https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail

          An X.509 certificate contains a public key, validity, and an identity
          (a hostname, or an organization, or an individual), and is either
          signed by a certificate authority or self-signed. Refer to
          https://en.wikipedia.org/wiki/X.509 for details.
    - name: KeyUsage
      type: array[string]
      description: >
          Key usage extensions define the purpose of the public key contained in
          a certificate. Values are drawn from both the X.509 KeyUsage extension
          (for example DigitalSignature, KeyCertSign) and the ExtendedKeyUsage
          extension (for example ServerAuthentication, OCSPSigning).

          The valid values and their descriptions are taken from the Redfish
          Resource and Schema Guide, version 2018.3:
          https://www.dmtf.org/sites/default/files/standards/documents/DSP2046_2018.3.pdf

          ClientAuthentication: The public key is used for TLS WWW client
                                authentication.
          CodeSigning: The public key is used for the signing of executable
                       code.
          CRLSigning: The public key is used for verifying signatures on
                      certificate revocation lists (CRLs).
          DataEncipherment: The public key is used for directly enciphering
                            raw user data without the use of an intermediate
                            symmetric cipher.
          DecipherOnly: The public key could be used for deciphering data
                        while performing key agreement.
          DigitalSignature: The public key is used for verifying digital
                            signatures, other than signatures on certificates
                            and CRLs.
          EmailProtection: The public key is used for email protection.
          EncipherOnly: The public key could be used for enciphering data
                        while performing key agreement.
          KeyCertSign: The public key is used for verifying signatures on
                       public key certificates.
          KeyEncipherment: The public key is used for enciphering private or
                           secret keys.
          NonRepudiation: The public key is used to verify digital signatures,
                          other than signatures on certificates and CRLs,
                          and used to provide a non-repudiation service that
                          protects against the signing entity falsely denying
                          some action.
          OCSPSigning: The public key is used for signing OCSP responses.
          ServerAuthentication: The public key is used for TLS WWW server
                                authentication.
          Timestamping: The public key is used for binding the hash of an
                        object to a time.

    - name: Issuer
      type: string
      description: >
          The issuer of the certificate. For a self-signed certificate the
          Issuer is identical to the Subject.

          Refer to the X.509 certificate wiki for the "Issuer" keys and values:
          https://en.wikipedia.org/wiki/X.509

          Example: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
          Here C = country, O = organization, CN = common name.

    - name: Subject
      type: string
      description: >
          The subject of the certificate.

          Refer to the X.509 certificate wiki for the "Subject" keys and values:
          https://en.wikipedia.org/wiki/X.509

          Example: C=US, ST=New York, L=Armonk,
                   O=International Business Machines Corporation,
                   OU=research, CN=www.research.ibm.com
          Here C = country, ST = state, L = locality, O = organization,
          OU = organizational unit, CN = common name.

    - name: ValidNotAfter
      type: uint64
      description: >
          The certificate expiry date and time, in epoch time, in milliseconds.
    - name: ValidNotBefore
      type: uint64
      description: >
          The certificate validity start date and time, in epoch time, in
          milliseconds.

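Added example, not part of this interface file or of the OpenBMC certificate manager: a Go program that derives the properties above from a PEM certificate the way an implementation would. It maps both the KeyUsage and ExtendedKeyUsage extensions to the Redfish names listed under KeyUsage, renders Issuer and Subject in the OpenSSL one-line form used in the examples (attribute order as it appears in the certificate, not the reversed RFC 2253 form), converts the validity bounds to epoch milliseconds, and refuses input that carries anything besides a single certificate. The certificate it parses is constructed in SamplePEM with invented names and dates; CertInfo, Describe and formatDN are names chosen for this illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertInfo mirrors the properties of xyz.openbmc_project.Certs.Certificate.
type CertInfo struct {
	CertificateString string
	Subject, Issuer   string
	KeyUsage          []string
	ValidNotBefore    uint64 // epoch milliseconds, as the interface documents
	ValidNotAfter     uint64
}

// Redfish names for the RFC 5280 KeyUsage bits, indexed by bit position ("" is keyAgreement, which is not in the list above).
var keyUsageNames = []string{"DigitalSignature", "NonRepudiation", "KeyEncipherment",
	"DataEncipherment", "", "KeyCertSign", "CRLSigning", "EncipherOnly", "DecipherOnly"}
// Redfish names for the ExtendedKeyUsage purposes.
var extKeyUsageNames = map[x509.ExtKeyUsage]string{
	x509.ExtKeyUsageServerAuth: "ServerAuthentication", x509.ExtKeyUsageClientAuth: "ClientAuthentication",
	x509.ExtKeyUsageCodeSigning: "CodeSigning", x509.ExtKeyUsageEmailProtection: "EmailProtection",
	x509.ExtKeyUsageTimeStamping: "Timestamping", x509.ExtKeyUsageOCSPSigning: "OCSPSigning",
}
// OpenSSL-style RDN abbreviations, as in the Issuer and Subject examples above.
var rdnShortNames = map[string]string{"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L",
	"2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN"}

// formatDN renders a DN as "C=US, O=..., CN=..." in certificate order (pkix.Name.String() would reverse it).
func formatDN(n pkix.Name) string {
	parts := make([]string, 0, len(n.Names))
	for _, atv := range n.Names {
		key, ok := rdnShortNames[atv.Type.String()]
		if !ok {
			key = atv.Type.String() // unknown attribute: keep the dotted OID
		}
		parts = append(parts, fmt.Sprintf("%s=%v", key, atv.Value))
	}
	return strings.Join(parts, ", ")
}

// Describe parses exactly one PEM CERTIFICATE block; a bundled chain or private key is rejected, not silently dropped.
func Describe(pemText string) (CertInfo, error) {
	block, rest := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE" {
		return CertInfo{}, fmt.Errorf("input is not a PEM CERTIFICATE block")
	}
	if strings.TrimSpace(string(rest)) != "" {
		return CertInfo{}, fmt.Errorf("unexpected data after the certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertInfo{}, err
	}
	info := CertInfo{CertificateString: pemText, Subject: formatDN(cert.Subject),
		Issuer: formatDN(cert.Issuer), ValidNotBefore: uint64(cert.NotBefore.UnixMilli()),
		ValidNotAfter: uint64(cert.NotAfter.UnixMilli())}
	for i, name := range keyUsageNames { // bit order keeps the list deterministic
		if name != "" && cert.KeyUsage&(1<<i) != 0 {
			info.KeyUsage = append(info.KeyUsage, name)
		}
	}
	for _, eku := range cert.ExtKeyUsage {
		if name, ok := extKeyUsageNames[eku]; ok {
			info.KeyUsage = append(info.KeyUsage, name)
		}
	}
	return info, nil
}

// SamplePEM builds a constructed self-signed TLS server certificate (invented names and dates) so the example runs offline.
func SamplePEM() string {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Country: []string{"US"}, Organization: []string{"Example BMC Vendor"}, CommonName: "bmc.example.test"},
		NotBefore:    time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```

Calling Describe(SamplePEM()) yields Subject and Issuer "C=US, O=Example BMC Vendor, CN=bmc.example.test", KeyUsage [DigitalSignature KeyEncipherment ServerAuthentication ClientAuthentication], and the two validity bounds as epoch milliseconds. The KeyUsage list is emitted in RFC 5280 bit order followed by the ExtendedKeyUsage order from the certificate, so two reads of the same certificate always produce the same array; the trailing-data check is what keeps a pasted chain or a private key from being accepted as a single certificate string.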
associations:
    - name: identifying_requester
      description: >
          Objects that implement Certificate can optionally implement the
          "identifying_requester" association to provide a link to the component
          integrity object whose requester's identity is identified by this
          certificate.
      reverse_name: requester_identified_by
      required_endpoint_interfaces:
          - xyz.openbmc_project.Attestation.IdentityAuthentication

    - name: identifying_responder
      description: >
          Objects that implement Certificate can optionally implement the
          "identifying_responder" association to provide a link to the component
          integrity object whose responder's identity is identified by this
          certificate.
      reverse_name: responder_identified_by
      required_endpoint_interfaces:
          - xyz.openbmc_project.Attestation.IdentityAuthentication