<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Jayanth,</p>
<p>I have some queries<br>
</p>
<div class="moz-cite-prefix">On 14/02/19 7:23 PM, Jayanth Othayoth
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CACkAXSpTdZ8s_Qd2j1qkwBy7Ti+7ieOzyJtcLkCEqBmsLWs4AQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>All,</div>
<div>Please find the Redfish based CSR (Certificate
Signing Request) generation and installing the certificate
in BMC. <br>
</div>
<div>This is based on the latest Redfish spec (Reference: <a
href="https://www.dmtf.org/sites/default/files/Redfish_2018_Release_3_Overview.pdf"
moz-do-not-send="true">https://www.dmtf.org/sites/default/files/Redfish_2018_Release_3_Overview.pdf</a>)
and related documents. <br>
</div>
<div>Included the Gerrit link related to d-bus interfaces :
<br>
</div>
<div> Review Link: <a
href="https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-dbus-interfaces/+/16571/"
moz-do-not-send="true">https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-dbus-interfaces/+/16571/</a></div>
<div><br>
</div>
<div>Looking for the inputs on this design flow and any
additional changes required from the security aspect on
managing private keys in the BMC. <br>
</div>
<div>
<ul>
<li>The user performs the GenerateCSR action (URIs:
/redfish/v1/CertificateService) with required
parameters.</li>
<ul>
<li>Certificate service provides a d-bus interface to
generate CSR.</li>
<ul>
<li>Certificate manager creates Private key and saves
the service specific path <br>
</li>
<li>Returns the d-bus path for the newly created
CSR.</li>
</ul>
</ul>
</ul>
</div>
</div>
</div>
</div>
</blockquote>
<p><tt>I am hoping this design is wrt Redfish, which explains the
flow to deploy CSR based certificate.</tt></p>
<p><tt>I was a little confused about d-bus interface terminology here,
I understand that in redfish we have certificate service schema
which has action</tt></p>
<p><tt>GenerateCSR, I am assuming we are talking about the same.</tt><br>
</p>
<p><tt>GenerateCSR should not return the d-bus Path however it
should return the </tt><tt><span><span class="objectBox
objectBox-string"> URI of the Certificate Collection where
the certificate will be installed.</span></span></tt></p>
<p><tt>Does GenerateCSR create a CSR resource which can be
modified in future?<br>
</tt></p>
<blockquote type="cite"
cite="mid:CACkAXSpTdZ8s_Qd2j1qkwBy7Ti+7ieOzyJtcLkCEqBmsLWs4AQ@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>
<ul>
<ul>
<li> Certificate service provides d-bus interface to
download CSR</li>
<ul>
<li> The user needs to wait for the creation of CSR
specific d-bus path to download the newly created
CSR</li>
</ul>
</ul>
</ul>
</div>
</div>
</div>
</div>
</blockquote>
<p><tt>Does the certificate service schema have the action Download
CSR?</tt></p>
<p><tt>I hope that response of GenerateCSR returns the CSR. There
should not be another redfish call to get the CSR.</tt><br>
</p>
<blockquote type="cite"
cite="mid:CACkAXSpTdZ8s_Qd2j1qkwBy7Ti+7ieOzyJtcLkCEqBmsLWs4AQ@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>
<ul>
<ul>
<li> The user takes the CSR file and gets it signed by
the appropriate authority.</li>
<ul>
<li> This step is outside the scope of Redfish.</li>
</ul>
</ul>
<li> The user navigates to the appropriate certificate
collection</li>
<ul>
<li> Example: if trying to replace the HTTPS
certificate for a Manager, navigate to the Manager’s
Certificate Collection that is subordinate to the
NetworkProtocol/HTTPS object</li>
</ul>
<li>The user performs a POST on the Certificate
Collection with the certificate string in the body</li>
<ul>
<li> Use the existing certificate upload d-bus
interface.</li>
</ul>
<li>Certificate manager validates the certificate with
the available service specific private keys in the
BMC.</li>
<li>After successful validation pairs the private key
used in the first step with the installed certificate.</li>
</ul>
</div>
</div>
</div>
</div>
</blockquote>
<p><tt>Would the implementation persist the CSR and associated
private key for verification?</tt></p>
<p><tt>I can understand that we can do the verification of
public/private key through openssl function, but is there a
possibility that user can change the CSR request (e.g. change the
organization)</tt></p>
<p><tt>and get it signed and upload the certificate? How does the
implementation take care of it?</tt></p>
<p><tt>Now suppose user creates three CSR requests and on the BMC we
have three associated private keys and once user uploads the
certificate</tt></p>
<p><tt>would the implementation start matching the certificate
public key with all the stored private keys and once it gets
matched</tt></p>
<p><tt>then the implementation creates the pairing?</tt><br>
</p>
<tt>How would the certificates be deleted?</tt><br>
<blockquote type="cite"
cite="mid:CACkAXSpTdZ8s_Qd2j1qkwBy7Ti+7ieOzyJtcLkCEqBmsLWs4AQ@mail.gmail.com">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>Assumption:<br>
</div>
<ul>
<li>For a service, BMC allows maximum 3 (?) CSR requests.
Any new request after this will remove the oldest
private key information from the BMC.</li>
<li>User has to do a Factory removing the private key
from the system.</li>
</ul>
</div>
</div>
</div>
</blockquote>
<p><tt>Regards</tt></p>
<p><tt>Ratan Gupta</tt><br>
</p>
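<p>Added example (not part of the original message, and not OpenBMC code): one way to do the pairing step discussed above with the openssl command line. It matches an uploaded certificate to a pending private key by comparing public keys, and separately compares the certificate subject with the stored CSR, since a key match alone does not show that the subject is unchanged. Function names, file names and the fixture are assumptions constructed for the demo.</p>
<pre>
```shell
# Added example: names and file layout are hypothetical, not OpenBMC's.
# SubjectPublicKeyInfo (PEM) of a certificate and of a private key.
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
pub_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Print the pending key in directory $2 whose public half is in certificate $1.
# Status 1: no pending key matches. Status 2: certificate unreadable.
find_matching_key() {
    want=$(pub_of_cert "$1") || return 2
    [ -n "$want" ] || return 2
    for key in "$2"/*.key; do
        [ -f "$key" ] || continue
        have=$(pub_of_key "$key") || continue
        [ "$have" = "$want" ] || continue
        printf '%s\n' "$key"
        return 0
    done
    return 1
}

# A key match says nothing about the subject, so compare it with the stored CSR.
subject_of_csr()  { openssl req  -in "$1" -noout -subject -nameopt RFC2253; }
subject_of_cert() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }
subject_unchanged() { [ "$(subject_of_csr "$1")" = "$(subject_of_cert "$2")" ]; }

# Constructed fixture in directory $1: three pending CSRs, two certificates for
# key 2 (self-signed here to stand in for the CA step) and one for a foreign key.
make_fixture() {
    for i in 1 2 3; do
        openssl genrsa -out "$1/csr$i.key" 2048 2>/dev/null
        openssl req -new -key "$1/csr$i.key" -subj "/O=Example/CN=bmc$i" \
            -out "$1/csr$i.csr"
    done
    openssl genrsa -out "$1/foreign.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 1 -key "$1/csr2.key" \
        -subj "/O=Example/CN=bmc2" -out "$1/same.crt"
    openssl req -new -x509 -days 1 -key "$1/csr2.key" \
        -subj "/O=Changed/CN=bmc2" -out "$1/changed.crt"
    openssl req -new -x509 -days 1 -key "$1/foreign.pem" \
        -subj "/O=Example/CN=bmc2" -out "$1/foreign.crt"
}

dir=$(mktemp -d)
make_fixture "$dir"
for c in same changed foreign; do
    k=$(find_matching_key "$dir/$c.crt" "$dir") || k=none
    printf '%s.crt: key=%s\n' "$c" "${k##*/}"
done
rm -rf "$dir"
```
</pre>
<p>In this fixture changed.crt still pairs with csr2.key; only subject_unchanged tells it apart from same.crt.</p>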
</body>
</html>