Redfish: Violations: /redfish/v1/Managers/bmc/Truststore/Certificates

[gtmills]

1. A certificate collection can only be implemented at these paths:
   https://redfish.dmtf.org/schemas/v1/CertificateCollection_v1.xml

The options under Managers are:
/redfish/v1/Managers/{ManagerId}/RemoteAccountService/Accounts/{ManagerAccountId}/Certificates
/redfish/v1/Managers/{ManagerId}/RemoteAccountService/ActiveDirectory/Certificates
/redfish/v1/Managers/{ManagerId}/RemoteAccountService/LDAP/Certificates
/redfish/v1/Managers/{ManagerId}/RemoteAccountService/ExternalAccountProviders/{ExternalAccountProviderId}/Certificates
/redfish/v1/Managers/{ManagerId}/NetworkProtocol/HTTPS/Certificates

2. If /redfish/v1/Managers/bmc/Truststore/Certificates is a path; /redfish/v1/Managers/bmc/Truststore should also be a valid path.

$curl -k https://${bmc}/redfish/v1/Managers/bmc
...
  "Oem": {
    "@odata.context": "/redfish/v1/$metadata#OemManager.Oem",
    "@odata.id": "/redfish/v1/Managers/bmc#/Oem",
    "@odata.type": "#OemManager.Oem",
    "OpenBmc": {
      "@odata.context": "/redfish/v1/$metadata#OemManager.OpenBmc",
      "@odata.id": "/redfish/v1/Managers/bmc#/Oem/OpenBmc",
      "@odata.type": "#OemManager.OpenBmc",
      "Certificates": {
        "@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates"
      }
    }
  },
...

$ curl -k https://${bmc}/redfish/v1/Managers/bmc/Truststore
Not Found

$ curl -k https://${bmc}/redfish/v1/Managers/bmc/Truststore/Certificates
{
  "@odata.context": "/redfish/v1/$metadata#CertificateCollection.CertificateCollection",
  "@odata.id": "/redfish/v1/Managers/bmc/Truststore/Certificates/",
  "@odata.type": "#CertificateCollection.CertificateCollection",
  "Description": "A Collection of TrustStore certificate instances",
  "Members": [],
  "[email protected]": 0,
  "Name": "TrustStore Certificates Collection"
}

[gtmills]

@devenrao

[devenrao]

If your question is about the below URL should be a valid path, then I guess you are correct, but there is nothing that we can show there when compared to the other URL''s like HPPTS and LDAP.

$ curl -k https://${bmc}/redfish/v1/Managers/bmc/Truststore
Not Found

[gtmills]

@devenrao This violates the Redfish spec, Redfish has expanded where the Certificate schema can be implemented.

https://redfish.dmtf.org/schemas/v1/CertificateCollection_v1.xml

/redfish/v1/AccountService/Accounts/{ManagerAccountId}/Certificates /redfish/v1/AccountService/ActiveDirectory/Certificates /redfish/v1/AccountService/LDAP/Certificates /redfish/v1/AccountService/ExternalAccountProviders/{ExternalAccountProviderId}/Certificates /redfish/v1/Managers/{ManagerId}/RemoteAccountService/Accounts/{ManagerAccountId}/Certificates /redfish/v1/Managers/{ManagerId}/RemoteAccountService/ActiveDirectory/Certificates /redfish/v1/Managers/{ManagerId}/RemoteAccountService/LDAP/Certificates /redfish/v1/Managers/{ManagerId}/RemoteAccountService/ExternalAccountProviders/{ExternalAccountProviderId}/Certificates /redfish/v1/Managers/{ManagerId}/NetworkProtocol/HTTPS/Certificates /redfish/v1/Systems/{ComputerSystemId}/Boot/Certificates /redfish/v1/CompositionService/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/Boot/Certificates /redfish/v1/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/Boot/Certificates /redfish/v1/Systems/{ComputerSystemId}/SecureBoot/SecureBootDatabases/{DatabaseId}/Certificates /redfish/v1/CompositionService/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/SecureBoot/SecureBootDatabases/{DatabaseId}/Certificates /redfish/v1/ResourceBlocks/{ResourceBlockId}/Systems/{ComputerSystemId}/SecureBoot/SecureBootDatabases/{DatabaseId}/Certificates

Can we move to one of these ?

[jiaqingz-intel]

Here TrustStore lists certificates trusted by BMC (like ca certificates). In Redfish spec, there is no URL for this purpose. I think that's why it was added initially.

/​redfish/​v1/​Managers/​{ManagerId}/​Certificates is "The link to a collection of certificates for device identity and attestation." It cannot be used here.

[edtanous]

In Redfish spec, there is no URL for this purpose.

Manager.Certificates would generally be used for this purpose, which was added in 2021.2

[pboyd04]

If I understand the use case here the better place would actually be: /redfish/v1/Managers/{ManagerId}/SecurityPolicy/TLS/Client/TrustedCertificates

[jiaqingz-intel]

If I understand the use case here the better place would actually be: /redfish/v1/Managers/{ManagerId}/SecurityPolicy/TLS/Client/TrustedCertificates

Agreed. But SecurityPolicy is introduced in Manager v1.16+, now bmcweb is still using Manager v1.14, a schema verison bump is needed.

[edtanous]

If I understand the use case here the better place would actually be: /redfish/v1/Managers/{ManagerId}/SecurityPolicy/TLS/Client/TrustedCertificates

Yep, this is what I meant (my message was not very clear).

[gtmills]

This is still a problem, https://gerrit.openbmc.org/c/openbmc/bmcweb/+/61958 was an attempt to fix but needs more thought