<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Jayanth,<br>
</p>
<div class="moz-cite-prefix">On 15/02/19 10:52 AM, Jayanth Othayoth
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CACkAXSpKjAkJ4tntZWRdpsdaFkKRjntV8H3aUH0bM_gDutHDiA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, Feb 15, 2019 at 9:54
AM Ratan Gupta <<a
href="mailto:ratagupt@linux.vnet.ibm.com"
moz-do-not-send="true">ratagupt@linux.vnet.ibm.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p>Hi Jayanth,</p>
<p>I have some queries<br>
</p>
<div class="gmail-m_-4306834406775087264moz-cite-prefix">On
14/02/19 7:23 PM, Jayanth Othayoth wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>All,</div>
<div>Please find the Redfish based CSR (Certificate Signing Request) generation and certificate installation in the BMC. <br>
</div>
<div>This is based on the latest Redfish spec
(Reference: <a
href="https://www.dmtf.org/sites/default/files/Redfish_2018_Release_3_Overview.pdf"
target="_blank" moz-do-not-send="true">https://www.dmtf.org/sites/default/files/Redfish_2018_Release_3_Overview.pdf</a>)
and related documents. <br>
</div>
<div>Included the Gerrit link related to d-bus interfaces: <br>
</div>
<div> Review Link: <a
href="https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-dbus-interfaces/+/16571/"
target="_blank" moz-do-not-send="true">https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-dbus-interfaces/+/16571/</a></div>
<div><br>
</div>
<div>Looking for the inputs on this design flow
and any additional changes required from the
security aspect on managing private keys in the
BMC. <br>
</div>
<div>
<ul>
<li>The user performs the GenerateCSR action (
URIs: /redfish/v1/CertificateService ) with
required parameters.</li>
<ul>
<li>Certificate service provides a d-bus
interface to generate CSR .</li>
<ul>
<li>Certificate manager creates the private key and saves it in the service-specific path <br>
</li>
<li>Returns the d-bus path for the newly
created CSR.</li>
</ul>
</ul>
</ul>
</div>
</div>
</div>
</div>
</blockquote>
<p><tt>I am hoping this design is wrt Redfish, which
explains the flow to deploy CSR based certificate.</tt></p>
<p><tt>I was a little confused about d-bus interface
terminology here, I understand that in redfish we have
certificate service schema which has action</tt></p>
<p><tt>GenerateCSR, I am assuming we are talking about the
same.</tt><br>
</p>
<p><tt>GenerateCSR should not return the d-bus path; however, it should return the URI of the Certificate Collection where the certificate will be installed.</tt></p>
</div>
</blockquote>
<div>@ratan Certificate manager design is services (HTTPS Server, LDAP client, etc.). We don't need to get a collection object based URI here because BMC web is running from collection object context. The d-bus object URI mentioned here is just used to watch that the CSR is ready and return info to the Redfish user.<br>
</div>
</div>
</div>
</blockquote>
<p><tt>I didn't follow that "certificate manager design is services".</tt></p>
<p><tt>I don't understand why the implementation doesn't need to get the collection-based URI.</tt><br>
</p>
<p><tt>GenerateCSR returns the URI of the Certificate Collection where the certificate will be installed.</tt></p>
<p><tt>So the response which you get from GenerateCSR would be used to POST the next request, which will create a certificate resource.<br>
</tt></p>
<p><tt>What do you mean by "BMC web is running from collection object context"? I don't follow it.</tt></p>
<p><tt>What info would you send as part of the GenerateCSR request? For that we need to adhere to the standard, and the standard says that it would be the CSR string and the URI of the Certificate Collection where the certificate will be installed (as per the schema definition).</tt></p>
<blockquote type="cite"
cite="mid:CACkAXSpKjAkJ4tntZWRdpsdaFkKRjntV8H3aUH0bM_gDutHDiA@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p><tt>Does GenerateCSR create a CSR resource which can be modified in future?<br>
</tt></p>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>
<ul>
<ul>
<li> Certificate service provides d-bus
interface to download CSR</li>
<ul>
<li>The user needs to wait for the creation of the CSR-specific d-bus path to download the newly created CSR</li>
</ul>
</ul>
</ul>
</div>
</div>
</div>
</div>
</blockquote>
<p><tt>Does the certificate service schema have the action
Download CSR?</tt></p>
</div>
</blockquote>
<div>- No, the Redfish GenerateCSR method expects CSR text as output.<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p><tt>I hope that the response of GenerateCSR returns the CSR; there should not be another Redfish call to get the CSR.</tt><br>
</p>
</div>
</blockquote>
<div>- Single call from the Redfish point of view. <br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p> </p>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>
<ul>
<ul>
<li>The user takes the CSR file and gets it signed by the appropriate authority.</li>
<ul>
<li> This step is outside the scope of
Redfish.</li>
</ul>
</ul>
<li> The user navigates to the appropriate
certificate collection</li>
<ul>
<li> Example: if trying to replace the
HTTPS certificate for a Manager, navigate
to the Manager’s Certificate Collection
that is subordinate to the
NetworkProtocol/HTTPS object</li>
</ul>
<li>The user performs a POST on the
Certificate Collection with the certificate
string in the body</li>
<ul>
<li> Use the existing certificate upload
d-bus interface.</li>
</ul>
<li>Certificate manager validates the
certificate with the available service
specific private keys in the BMC.</li>
<li>After successful validation, it pairs the private key used in the first step with the installed certificate.</li>
</ul>
</div>
</div>
</div>
</div>
</blockquote>
<p><tt>Would the implementation persist the CSR and
associated private key for verification?</tt></p>
</div>
</blockquote>
<div>- yes.<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p><tt>I can understand that we can do the verification of public/private key through the openssl function, but is there a possibility that the user can change the CSR request (e.g. change the organization)</tt></p>
</div>
</blockquote>
<div>Redfish doesn't support this now. Any real use case for this?<br>
</div>
</div>
</div>
</blockquote>
<p><tt>How would you validate the certificate with the CSR (which is persisted on the BMC)?</tt></p>
<p><tt>A CSR has the subject and other info and the public key. If the user changes the subject info but doesn't change the public key, can we verify that? </tt><br>
</p>
<blockquote type="cite"
cite="mid:CACkAXSpKjAkJ4tntZWRdpsdaFkKRjntV8H3aUH0bM_gDutHDiA@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p><tt>and get it signed and upload the certificate, how does the implementation take care of it?</tt></p>
<p><tt>Now suppose the user creates three CSR requests and on the BMC we have three associated private keys, and once the user uploads the certificate</tt></p>
<p><tt>would the implementation start matching the certificate public key with all the stored private keys and, once it gets matched,</tt></p>
<p><tt>then the implementation creates the pairing?</tt><br>
</p>
<p><tt>How would the certificates be deleted?</tt></p></div>
</blockquote>
<div><br>
</div>
<div>Redfish supports only certificate replace, no delete. <br>
</div>
<div>Planning to check with the Redfish community on this; this feature will be useful for Authority type certificates. <br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"><br>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>Assumption:<br>
</div>
<ul>
<li>For a service, the BMC allows a maximum of 3 (?) CSR requests. Any new request after this will remove the oldest private key information from the BMC.</li>
<li>User has to do a Factory removing the
private key from the system.</li>
</ul>
</div>
</div>
</div>
</blockquote>
<p><tt>Regards</tt></p>
<p><tt>Ratan Gupta</tt><br>
</p>
</div>
</blockquote>
</div>
</div>
</blockquote>
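<p>The validation step in the flow quoted above (the certificate manager matching an uploaded certificate against the service-specific private keys, then pairing them) and Ratan's question about a CSR whose subject was edited while the key stayed the same can be shown with a small script. This is an added example written for this page, not code from phosphor-certificate-manager or bmcweb; it assumes only the openssl command-line tool (1.1.1 or later), and the key-store path, key names and subjects are constructed for the demo.</p>

```shell
#!/bin/sh
# Added example, not phosphor-certificate-manager code: check a certificate
# uploaded via the Certificate Collection against the private keys (and their
# CSRs) kept on the BMC for a service. Needs the openssl CLI (1.1.1 or later).
# Key-store path, key names and subjects below are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
KEYDIR="$WORK/https"        # stand-in for the service-specific key store
mkdir -p "$KEYDIR"

# Stand-in for GenerateCSR: new private key plus CSR, both kept on the BMC.
# $1 = key name, $2 = subject
generate_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$KEYDIR/$1.key" 2>/dev/null
    openssl req -new -key "$KEYDIR/$1.key" -subj "$2" -out "$KEYDIR/$1.csr" 2>/dev/null
}

# Stand-in for the external CA (outside Redfish scope): sign a CSR.
# $1 = CSR file, $2 = output certificate
ca_sign() {
    openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$2" 2>/dev/null
}

# SHA-256 of the DER-encoded SubjectPublicKeyInfo, from a private key or a cert.
pubkey_fp_of_key()  { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1; }
pubkey_fp_of_cert() { openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1; }

# Subjects in RFC 2253 form so the CSR and the certificate compare textually.
subject_of_csr()  { openssl req  -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
subject_of_cert() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }

# The validation step: which stored key does this certificate belong to, and
# does it still carry the subject the BMC put in the CSR for that key?
# Prints "ok <keyname>" or "reject: <reason>"; returns 1 on rejection.
check_uploaded_cert() {
    cert_fp="$(pubkey_fp_of_cert "$1")"
    for key in "$KEYDIR"/*.key; do
        [ "$(pubkey_fp_of_key "$key")" = "$cert_fp" ] || continue
        name="$(basename "$key" .key)"
        if [ "$(subject_of_cert "$1")" != "$(subject_of_csr "$KEYDIR/$name.csr")" ]; then
            echo "reject: subject differs from stored CSR"; return 1
        fi
        echo "ok $name"; return 0
    done
    echo "reject: no stored private key matches"; return 1
}

# --- demo fixtures (constructed) ---
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/CN=Demo CA" -days 1 2>/dev/null
generate_csr bmc1 "/CN=bmc1.example.test/O=Example"
generate_csr bmc2 "/CN=bmc2.example.test/O=Example"

# 1. Honest flow: the stored CSR is signed as-is.
ca_sign "$KEYDIR/bmc1.csr" "$WORK/good.crt"
# 2. Same key, but the CSR was re-made with another subject before signing.
openssl req -new -key "$KEYDIR/bmc2.key" -subj "/CN=bmc2.example.test/O=Other" \
    -out "$WORK/edited.csr" 2>/dev/null
ca_sign "$WORK/edited.csr" "$WORK/tampered.crt"
# 3. A certificate for a key the BMC never generated.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/foreign.key" 2>/dev/null
openssl req -new -key "$WORK/foreign.key" -subj "/CN=bmc1.example.test/O=Example" \
    -out "$WORK/foreign.csr" 2>/dev/null
ca_sign "$WORK/foreign.csr" "$WORK/foreign.crt"

for c in good tampered foreign; do
    printf '%s: ' "$c"; check_uploaded_cert "$WORK/$c.crt" || true
done
```

<p>The public-key fingerprint answers the "three keys, which one?" question without trying every key cryptographically, and comparing the issued certificate's subject with the subject recorded in the stored CSR catches the edited-CSR case: a certificate that matches a stored key but no longer carries the requested subject is rejected before any pairing happens.</p>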
</body>
</html>