1# BMC Certificate management
2
3Certificate management allows to replace the existing certificate and private
4key file with another (possibly certification Authority (CA) signed)
5certificate and private key file. Certificate management allows the user to
6install both the server and client certificates. The REST interface allows to
7update the certificate, using an unencrypted certificate and private key file
8in .pem format, which includes both private key and signed certificate.
9
10### Signed Certificate upload Design flow(Pre-generated):
11
12- The REST Server copies the certificate and private key file to a temporary
13  location.
14- REST server should map the URI to the target DBus application (Certs) object.
15  The recommendation for the D-Bus application implementing certificate D-Bus
16  objects is to use the same path structure as the REST endpoint.
17     e.g.:
18     - The URI /xyz/openbmc_project/certs/server/https maps to instance
19           of the certificate application handling Https server certificate.
20     - The URI /xyz/openbmc_project/certs/client/ldap maps to instance
21           of the certificate application handling LDAP client certificate.
22     - The URI /xyz/openbmc_project/certs/authority/ldap maps to instance
23           of the certificate application handling Certificate Autohority
24           certificates.
25- REST server should call the install method of the certificate application
26  instance.
27- Certificate manager application also implements d-bus object
28  xyz.openbmc_project.Certs.Manager. This includes the collection of
29  "certificates specific d-bus objects" installed in the system. This d-bus
30  provide option to view the certificate on PEM format and delete the same.
31  Refer https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail for details.
32- Applications should subscribe the xyz.openbmc_project.Certs.Manager
33  to see any new certificate is uploaded or change in the existing
34  certificates.
35- Certificate manager scope is limited to manage the certificate and impacted
36  application is responsible for application specific changes.
37- In case of delete action, certificate manager creates a new self signed
38  certificate after successful delete (regards only server type certificates)
39
40### REST interface details:
41
42   ```
43   url: /xyz/openbmc_project/certs/server/https
44   Description: Update https server signed certificate and the private key.
45   Method: PUT
46
47   url: /xyz/openbmc_project/certs/server/https/<cert_id>
48   Description: Delete https server signed certificate and the private key.
49   Method: DELETE
50
51   url: /xyz/openbmc_project/certs/client/ldap
52   Description: Update ldap client certificate and the private key.
53   Method: PUT
54
55   url: /xyz/openbmc_project/certs/client/ldap/<cert_id>
56   Description: Delete ldap client certificate and the private key.
57   Method: DELETE
58
59   Return codes
60
61       200  Success
62       400  Invalid certificate and private key file.
63       405  Method not supported.
64       500  Internal server error
65
66   ```
67
68## CSR
69
70### User flow for generating and installing Certificates(CSR Based):
71   Certificate Signing Request [CSR](https://en.wikipedia.org/wiki/Certificate_signing_request)
72is a message sent from an applicant to a certitificate authority in order to
73apply for a digital identity certificate. This section provides the details of
74the CSR based certificate user flow.
75- The user performs the CSR/create interface
76      BMC creates new private key and CSR object which includes CSR information.
77- The user performs the CSR/export interface
78      Allows the user to export the CSR file which is part of newly created
79      CSR object. This can be provided to the CA to create SSL certificate.
80- The user perform the certificate upload on appropriate services.
81      Example: if trying to replace the HTTPS certificate for a Manager,
82      navigate to the Manager’s Certificate object upload interface.
83      The Upload method internally  pairs the private key used in the first
84      step with the installed certificate.
85
86### Assumptions:
87- BMC updates the private key associated to CSR for any new CSR request.
88- BMC upload process automatically appends certificate file with system CSR
89  private key, for the service which requirs certificate and key.
90- CSR based Certificate validation is alway's based on private key in the system.
91
92### CSR Request
93- CSR requests initiated through D-Bus are time-consuming and might result
94  D-Bus time-out error.
95- To overcome the time-out error, parent process is forked and CSR operation
96  is performed in the child process so that parent process can return the
97  calling thread immediately.
98- OpenSSL library is used in generating CSR based on the algorithm type.
99- At present supporting generating CSR for only "RSA" algorithm type.
100- Parent process registers child process PID and a callback method in the
101  sd_event_lopp so that callback method is invoked upon completion
102  the CSR request in the child process.
103- Callback method invoked creates a CSR object with the status of the CSR
104  operation returned from the child process.
105- CSR read operation will return the CSR string if status is SUCCESS else throws
106  InternalFailure exception to the caller.
107- Certificate Manager implements "/xyz/openbmc_project/Certs/CSR/Create"
108  interface.
109- CSR object created implements "/xyz/openbmc_project/Certs/CSR" interface.
110- Caller needs to validate the CSR request parameters.
111- Caller need to wait on "InterfacesAdded" signal generated upon creation
112  of the CSR object to start reading CSR string.
113
114### Example usage for the GenerateCSR POST request
115
116   ```
117   url: /redfish/v1/CertificateService
118   Action: #CertificateService.GenerateCSR {
119    "City": "HYB",
120    "CertificateCollection": "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/",
121    "CommonName": "www.company.com",
122    "ContactPerson":"myname",
123    "AlternativeNames":["mycompany.com","mycompany2.com"],
124    "ChallengePassword":"abc123",
125    "Email":"xxx@xx.com",
126    "GivenName":"localhost",
127    "Initials":"G",
128    "Country": "IN",
129    "KeyCurveId":"0",
130    "KeyUsage":["ServerAuthentication","ServerAuthentication"],
131    "KeyBitLength": 2048,
132    "KeyPairAlgorithm": "RSA",
133    "Organization": "ABCD",
134    "OrganizationUnit": "XY",
135    "State": "TX",
136    "SurName": "XX",
137    "UnstructuredName": "xxx"
138   }
139   Description: This is used to perform a certificate signing request.
140   Method: POST
141
142  ```
143
144### Additional interfaces:
145- CertificateService.ReplaceCertificate
146      Allows the user to replace an existing certificate.
147
148### d-bus interfaces:
149
150#### d-bus interface to install certificate and private Key
151- Certs application must:
152  - validate the certificate and Private key file by checking, if the Private
153    key matches the public key in the certificate file.
154  - copy the certificate and Public Key file to the service specific path
155    based on a configuration file.
156  - Reload the listed service(s) for which the certificate is updated.
157
158#### d-bus interface to Delete certificate and Private Key
159
160- certificate manager should provide interface to delete the existing
161  certificate.
162- Incase of server type certificate deleting a signed certificate will
163  create a new self signed certificate and will install the same.
164
165### Boot process
166-  certificate management instances should be created based on the system
167   configuration.
168
169-  Incase of no Https certificate or invalid Https certificate, certificate
170   manager should update the https certificate with self signed certificate.
171
172### Repository:
173  phosphor-certificate-manager
174### Redfish Certificate Support
175#### Certificate Upload
176- Certificate Manager implements "xyz.openbmc_project.Certs.Install" interface
177  for installing certificates in the system.
178- Redfish initiates certificate upload by issuing a POST request on the Redfish
179  CertificateCollection with the certificate file. Acceptable body formats are:
180  raw pem text or json that is acceptable by action
181  [CertificateService.ReplaceCertificate](
182  https://www.dmtf.org/sites/default/files/standards/documents/DSP2046_2019.1.pdf)
183
184  For example the HTTPS certificate upload POST request is issued on URI
185  "/redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates"
186- Bmcweb receives the POST request and it maps the Redfish URI to the
187  corresponding Certificate Manager D-Bus URI.
188  e.g: HTTPS certificate collection URI
189  /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates mapped to
190  /xyz/openbmc_project/certs/server/https.
191- Bmcweb initiates an asynchronous call which invokes the "Install" method of
192  the Certificate Manager.
193- Certificate Manager "Install" method validates, installs the certificate file
194  and creates a Certificate object.
195- Certificate Manager initiates Reload of the Bmcweb service to trigger
196  configuration reload.
197- BMCweb service raises SIGHUP signal as part of Reload.
198- Bmcweb application handles the SIGHUP signal and reloads the SSL context with
199  the installed certificate.
200- Bmcweb invokes the Callback method with the status of the "Install" method
201  received from the Certificate Manager.
202- Callback method set the response message with error details for failure, sets
203  the response message with newly created certificate details for success.
204- Certificate object D-Bus path mapped to corresponding Redfish certificate URI.
205  e.g: /xyz/openbmc_project/certs/server/https/1 is mapped to
206  /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1
207  ID of the certificate is appended to the collection URI.
208
209#### Certificate Replace
210- Certificate Object implements "xyz.openbmc_project.Certs.Replace" interface to
211  for replacing existing certificate.
212- Redfish issues Replace certificate request by invoking the ReplaceCertificate
213  action of the CertificateService.
214- Redfish Certificate Collection URI is mapped to corresponding Certificate
215  D-Bus object URI
216  e.g: HTTPS certificate object 1 URI
217  /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates/1 is mapped to
218  /xyz/openbmc_project/certs/server/https/1.
219- Bmcweb receives POST request for Replace Certificate, invokes the Replace
220  D-Bus method of the Certificate object asynchronously.
221- Callback method will be passed to the bmcweb asynchronous method which will
222  called after completion of the D-Bus Replace method.
223- Callback method checks the response received, if failure response message is
224  set with error details, if success response message is set with the replaced
225  certificate details.
226
227#### Bootup
228- During bootup certificate objects created for the existing certificates.
229### Errors thrown by Certificate Manager
230- NotAllowed exception thrown if Install method invoked with a certificate
231  already existing. At present only one certificate per server and client
232  certificate type is allowed.
233- InvalidCertificate excption thrown for validation errors.
234
235#### Certificate Deletion
236- For server and client certificate type the certificate deletion is not
237  allowed. In case of authority certificate type the delete option is
238  acceptable and can be done on individial certificates, for example:
239
240  ```
241  url: redfish/v1/Managers/bmc/Truststore/Certificates/1
242  Method: DELETE
243
244  Returns: code 204 with empty body content.
245  ```
246
247