<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 15, 2019 at 9:54 AM Ratan Gupta &lt;<a href="mailto:ratagupt@linux.vnet.ibm.com">ratagupt@linux.vnet.ibm.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p>Hi Jayanth,</p>
<p>I have some queries<br>
</p>
<div class="gmail-m_-4306834406775087264moz-cite-prefix">On 14/02/19 7:23 PM, Jayanth Othayoth
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>All,</div>
<div>Please find the Redfish based CSR (Certificate
Signing Request) generation and installing the certificate
in BMC. <br>
</div>
<div>This is based on the latest Redfish spec (Reference: <a href="https://www.dmtf.org/sites/default/files/Redfish_2018_Release_3_Overview.pdf" target="_blank">https://www.dmtf.org/sites/default/files/Redfish_2018_Release_3_Overview.pdf</a>)
and related documents. <br>
</div>
<div>Included the Gerrit link related to d-bus interfaces :
<br>
</div>
<div> Review Link: <a href="https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-dbus-interfaces/+/16571/" target="_blank">https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-dbus-interfaces/+/16571/</a></div>
<div><br>
</div>
<div>Looking for the inputs on this design flow and any
additional changes required from the security aspect on
managing private keys in the BMC. <br>
</div>
<div>
<ul>
<li>The user performs the GenerateCSR action (URIs:
/redfish/v1/CertificateService) with required
parameters.</li>
<ul>
<li>Certificate service provides a d-bus interface to
generate CSR.</li>
<ul>
<li>Certificate manager creates Private key and saves
the service specific path <br>
</li>
<li>Returns the d-bus path for the newly created
CSR.</li>
</ul>
</ul>
</ul>
</div>
</div>
</div>
</div>
</blockquote>
<p><tt>I am hoping this design is wrt Redfish, which explains the
flow to deploy CSR based certificate.</tt></p>
<p><tt>I was a little confused about d-bus interface terminology here,
I understand that in redfish we have certificate service schema
which has action</tt></p>
<p><tt>GenerateCSR, I am assuming we are talking about the same.</tt><br>
</p>
<p><tt>GenerateCSR should not return the d-bus Path however it
should return the </tt><tt><span><span class="gmail-m_-4306834406775087264objectBox gmail-m_-4306834406775087264objectBox-string"> URI of the Certificate Collection where
the certificate will be installed.</span></span></tt></p></div></blockquote><div>@ratan Certificate manager design is services (HTTPS Server, LDAP client etc.). We don't need to get collection object based URI here because BMC web is running from collection object context. The d-bus object URI mentioned here is just used to watch CSR is ready and return info to Redfish user.<br></div><div><br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF">
<p><tt>Does the GenerateCSR create CSR resource which can be
modifiable in future?<br>
</tt></p>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>
<ul>
<ul>
<li> Certificate service provides d-bus interface to
download CSR</li>
<ul>
<li> The user needs to wait for the creation of CSR
specific d-bus path to download the newly created
CSR</li>
</ul>
</ul>
</ul>
</div>
</div>
</div>
</div>
</blockquote>
<p><tt>Does the certificate service schema have the action Download
CSR?</tt></p></div></blockquote><div>- No, Redfish GenerateCSR methods expect CSR text as output.<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF">
<p><tt>I hope that response of GenerateCSR returns the CSR. There
should not be another redfish call to get the CSR</tt>.<br></p></div></blockquote><div>- Single call from Redfish point. <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF"><p>
</p>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>
<ul>
<ul>
<li> The user takes the CSR file and gets it signed by
the appropriate authority.</li>
<ul>
<li> This step is outside the scope of Redfish.</li>
</ul>
</ul>
<li> The user navigates to the appropriate certificate
collection</li>
<ul>
<li> Example: if trying to replace the HTTPS
certificate for a Manager, navigate to the Manager’s
Certificate Collection that is subordinate to the
NetworkProtocol/HTTPS object</li>
</ul>
<li>The user performs a POST on the Certificate
Collection with the certificate string in the body</li>
<ul>
<li> Use the existing certificate upload d-bus
interface.</li>
</ul>
<li>Certificate manager validates the certificate with
the available service specific private keys in the
BMC.</li>
<li>After successful validation pairs the private key
used in the first step with the installed certificate.</li>
</ul>
</div>
</div>
</div>
</div>
</blockquote>
<p><tt>Would the implementation persist the CSR and associated
private key for verification?</tt></p></div></blockquote><div>- yes.<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF">
<p><tt>I can understand that we can do the verification of
public/private key through openssl function, but is there a
possibility that user can change the CSR request (e.g. change the
organization)</tt></p></div></blockquote><div> Redfish doesn't support this now. Any real use case for this?<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF">
<p><tt>and get it signed and upload the certificate. How does the
implementation take care of it?</tt></p>
<p><tt>Now suppose the user creates three CSR requests and on the BMC we
have three associated private keys and once the user uploads the
certificate</tt></p>
<p><tt>would the implementation start matching the certificate
public key with all the stored private keys and once it gets
matched</tt></p>
<p><tt>then the implementation creates the pairing?</tt><br>
</p>
<tt>How would the certificates be deleted?</tt></div></blockquote><div><br></div><div>Redfish supports only certificate replace, no delete.<br></div><div>Planning to check with the Redfish community on this; this feature will be useful for Authority type certificates. <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF"><br>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>Assumption:<br>
</div>
<ul>
<li>For a service, BMC allows maximum 3 ( ?) CSR requests.
Any new request after this will remove the oldest
private key information from the BMC.</li>
<li>User has to do a Factory removing the private key
from the system.</li>
</ul>
</div>
</div>
</div>
</blockquote>
<p><tt>Regards</tt></p>
<p><tt>Ratan Gupta</tt><br>
</p>
</div>
</blockquote></div></div>
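<p>Added example, not part of the original thread and not OpenBMC's implementation: the flow discussed above, written against the openssl CLI. Each CSR request creates a private key under a per-service directory, keys beyond the thread's assumed limit of 3 are evicted oldest first, and an uploaded certificate is paired with a pending key by comparing public keys. The directory layout and the function names new_csr and match_key are assumptions made for this example.</p>

```bash
#!/bin/sh
# Added example, not OpenBMC code. Directory layout and function names are hypothetical.
MAX_PENDING=3   # per-service cap on outstanding CSR keys (the thread's assumption)

# new_csr DIR SUBJECT: create a private key under DIR, evict the oldest pending
# keys beyond MAX_PENDING, and print the CSR (PEM) on stdout.
new_csr() {
    local dir=$1 subj=$2 last seq key old
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    last=$(ls "$dir" | sed -n 's/\.key$//p' | sort -n | tail -n 1)
    seq=$(( ${last:-0} + 1 ))
    key="$dir/$seq.key"
    # umask 077 so the key file is never group/world readable, even briefly
    (umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$key" 2>/dev/null) || return 1
    # Newest first; everything from position MAX_PENDING+1 onward is evicted.
    for old in $(ls "$dir" | sed -n 's/\.key$//p' | sort -rn | tail -n +$((MAX_PENDING + 1))); do
        rm -f "$dir/$old.key"
    done
    openssl req -new -key "$key" -subj "$subj"
}

# match_key DIR CERT: print the pending key whose public half equals the
# certificate's SubjectPublicKeyInfo. Returns 1 if no key matches,
# 2 if CERT cannot be parsed.
match_key() {
    local dir=$1 cert=$2 cpub kpub key
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$cpub" ] || return 2
    for key in "$dir"/*.key; do
        [ -f "$key" ] || continue
        kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || continue
        if [ "$kpub" = "$cpub" ]; then
            printf '%s\n' "$key"
            return 0
        fi
    done
    return 1
}
```

<p>A certificate issued for an evicted key returns 1 from match_key, so the upload path can reject it instead of installing a certificate the BMC holds no private key for.</p>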