|
|
Post by adamp on Jan 20, 2023 10:08:41 GMT
Hello,
One of actions in CertificateService is ReplaceCertificate.
I want to ask about circumstance when both certificate and private key have to be replaced (web server TLS certificate).
According to description, private key should be a part of CertificateString: "the client shall provide the private key as part of the string in the POST request"
1. Why not to use separate property for private key?
For current solution additional code is needed to split key and certificate, private keys can be in different format, it is not stated how the private key should be added: before certificate, after certificate, some boundary marker should be used? This makes backend implementation more difficult, is it good solution?
Thank you,
Adam
|
|
|
|
Post by mraineri on Jan 20, 2023 13:50:57 GMT
We noticed many examples where PEM-encoded certificate files contained both a public portion and a private portion as a single file, so at the time it did not seem necessary to break it apart into two properties due to prior art.
The Redfish Data Model Specification (https://www.dmtf.org/sites/default/files/standards/documents/DSP0268_2022.2.pdf) contains additional text to describe the format of what's expected in the string, including the ordering of data (see 6.16.5.2.2 PEM). The forum uses this document to further describe properties or other elements in the model where it's difficult to express in a property description in a schema file. Delimiters are also standardized by RFC7468, where the public certificate is wrapped with "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", and the private key is wrapped with "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----". Off the shelf tools already parse these contents from what we've found.
|
|
|
|
Post by adamp on Jan 23, 2023 14:40:02 GMT
1. 6.16.5.2.2 PEM says: "The private key shall be encoded as described in section 10 of RFC7468" The section 10 in question is "One Asymmetric Key and the Textual Encoding of PKCS #8 Private Key Info" PKCS #8 valid markers are: -----BEGIN PRIVATE KEY-----, -----END PRIVATE KEY----- According to the above, are PKCS #1 private keys not supported in Redfish? PKCS #1 valid markers are: -----BEGIN RSA PRIVATE KEY-----, -----END RSA PRIVATE KEY----- 2. Resource CertificateService has action ReplaceCertificate One of required parameters is CertificateType From my understanding, certificate type shall be provided by user in Redfish request. Why user have to know the internal format of certificate? When the certificate format is "optional", this is not compliant with Redfish spec? developer.dell.com/apis/2978/versions/5.xx/openapi.yaml/paths/~1redfish~1v1~1CertificateService~1Actions~1CertificateService.ReplaceCertificate/postThank you, Adam |
|
|
|
Post by mraineri on Jan 23, 2023 16:15:32 GMT
1) By that definition today, you're correct in that I would not expect a key to be wrapped with "BEGIN RSA PRIVATE KEY" and "END RSA PRIVATE KEY". However, you can encode an RSA key as a PKCS #8 structure. If we need to expand the usage to specifically allow for PKCS #1, we can raise this for further discussion.
2) Correct; CertificateType is mandatory in the client's request. If the user does not specify this, then the service is expected to reject the request. The reason this is mandatory is because without it, it makes consumption of the raw string very difficult due to similarities in some of the different types. For example, PEM and PEMchain share the same types of delimiters, so knowing this distinction ahead of time gives consumers expectations about the expected contents of the string.
|
|
|
|
Post by adamp on Jan 24, 2023 10:03:25 GMT
|
|
