3 namespace "urn:ietf:params:xml:ns:yang:ietf-keystore";
6 import ietf-netconf-acm {
9 "RFC 8341: Network Configuration Access Control Model";
12 import ietf-crypto-types {
15 "RFC AAAA: YANG Data Types and Groupings for Cryptography";
19 "IETF NETCONF (Network Configuration) Working Group";
22 "WG Web: https://datatracker.ietf.org/wg/netconf
23 WG List: NETCONF WG list <mailto:netconf@ietf.org>
24 Author: Kent Watsen <mailto:kent+ietf@watsen.net>";
27 "This module defines a 'keystore' to centralize management
28 of security credentials.
30 Copyright (c) 2022 IETF Trust and the persons identified
31 as authors of the code. All rights reserved.
33 Redistribution and use in source and binary forms, with
34 or without modification, is permitted pursuant to, and
35 subject to the license terms contained in, the Revised
36 BSD License set forth in Section 4.c of the IETF Trust's
37 Legal Provisions Relating to IETF Documents
38 (https://trustee.ietf.org/license-info).
40 This version of this YANG module is part of RFC CCCC
41 (https://www.rfc-editor.org/info/rfcCCCC); see the RFC
42 itself for full legal notices.
44 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
45 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
46 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
47 are to be interpreted as described in BCP 14 (RFC 2119)
48 (RFC 8174) when, and only when, they appear in all
49 capitals, as shown here.";
55 "RFC CCCC: A YANG Data Model for a Keystore";
62 feature central-keystore-supported {
64 "The 'central-keystore-supported' feature indicates that
65 the server supports the keystore (i.e., implements the
66 'ietf-keystore' module).";
69 feature local-definitions-supported {
71 "The 'local-definitions-supported' feature indicates that
72 the server supports locally-defined keys.";
75 feature asymmetric-keys {
77 "The 'asymmetric-keys' feature indicates that the server
78 implements the /keystore/asymmetric-keys subtree.";
82 feature symmetric-keys {
84 "The 'symmetric-keys' feature indicates that the server
85 implements the /keystore/symmetric-keys subtree.";
92 typedef symmetric-key-ref {
94 path "/ks:keystore/ks:symmetric-keys/ks:symmetric-key"
98 "This typedef enables modules to easily define a reference
99 to a symmetric key stored in the keystore, when this
100 module is implemented.";
103 typedef asymmetric-key-ref {
105 path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
109 "This typedef enables modules to easily define a reference
110 to an asymmetric key stored in the keystore, when this
111 module is implemented.";
118 grouping encrypted-by-choice-grouping {
120 "A grouping that defines a 'choice' statement that can be
121 augmented into the 'encrypted-by' node, present in the
122 'symmetric-key-grouping' and 'asymmetric-key-pair-grouping'
123 groupings defined in RFC AAAA, enabling references to keys
124 in the keystore, when this module is implemented.";
125 choice encrypted-by-choice {
126 nacm:default-deny-write;
129 "A choice amongst other symmetric or asymmetric keys.";
130 case symmetric-key-ref {
131 if-feature "central-keystore-supported";
132 if-feature "symmetric-keys";
133 leaf symmetric-key-ref {
134 type ks:symmetric-key-ref;
136 "Identifies the symmetric key used to encrypt the
140 case asymmetric-key-ref {
141 if-feature "central-keystore-supported";
142 if-feature "asymmetric-keys";
143 leaf asymmetric-key-ref {
144 type ks:asymmetric-key-ref;
146 "Identifies the asymmetric key whose public key
147 encrypted the associated key.";
153 grouping asymmetric-key-certificate-ref-grouping {
155 "This grouping defines a reference to a specific certificate
156 associated with an asymmetric key stored in the keystore,
157 when this module is implemented.";
158 leaf asymmetric-key {
159 nacm:default-deny-write;
160 if-feature "central-keystore-supported";
161 if-feature "asymmetric-keys";
162 type ks:asymmetric-key-ref;
163 must '../certificate';
165 "A reference to an asymmetric key in the keystore.";
168 nacm:default-deny-write;
170 path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
171 + "[ks:name = current()/../asymmetric-key]/"
172 + "ks:certificates/ks:certificate/ks:name";
174 must '../asymmetric-key';
176 "A reference to a specific certificate of the
177 asymmetric key in the keystore.";
181 // local-or-keystore-* groupings
183 grouping local-or-keystore-symmetric-key-grouping {
185 "A grouping that expands to allow the symmetric key to be
186 either stored locally, i.e., within the using data model,
187 or a reference to a symmetric key stored in the keystore.
189 Servers that do not 'implement' this module, and hence
190 'central-keystore-supported' is not defined, SHOULD
191 augment in custom 'case' statements enabling references
192 to the alternate keystore locations.";
193 choice local-or-keystore {
194 nacm:default-deny-write;
197 "A choice between an inlined definition and a definition
198 that exists in the keystore.";
200 if-feature "local-definitions-supported";
201 container local-definition {
203 "Container to hold the local key definition.";
204 uses ct:symmetric-key-grouping;
208 if-feature "central-keystore-supported";
209 if-feature "symmetric-keys";
210 leaf keystore-reference {
211 type ks:symmetric-key-ref;
213 "A reference to a symmetric key that exists in
214 the keystore, when this module is implemented.";
219 grouping local-or-keystore-asymmetric-key-grouping {
221 "A grouping that expands to allow the asymmetric key to be
222 either stored locally, i.e., within the using data model,
223 or a reference to an asymmetric key stored in the keystore.
225 Servers that do not 'implement' this module, and hence
226 'central-keystore-supported' is not defined, SHOULD
227 augment in custom 'case' statements enabling references
228 to the alternate keystore locations.";
229 choice local-or-keystore {
230 nacm:default-deny-write;
233 "A choice between an inlined definition and a definition
234 that exists in the keystore.";
236 if-feature "local-definitions-supported";
237 container local-definition {
239 "Container to hold the local key definition.";
240 uses ct:asymmetric-key-pair-grouping;
244 if-feature "central-keystore-supported";
245 if-feature "asymmetric-keys";
246 leaf keystore-reference {
247 type ks:asymmetric-key-ref;
249 "A reference to an asymmetric key that exists in
250 the keystore, when this module is implemented. The
251 intent is to reference just the asymmetric key
252 without any regard for any certificates that may
253 be associated with it.";
259 grouping local-or-keystore-asymmetric-key-with-certs-grouping {
261 "A grouping that expands to allow an asymmetric key and
262 its associated certificates to be either stored locally,
263 i.e., within the using data model, or a reference to an
264 asymmetric key (and its associated certificates) stored
267 Servers that do not 'implement' this module, and hence
268 'central-keystore-supported' is not defined, SHOULD
269 augment in custom 'case' statements enabling references
270 to the alternate keystore locations.";
271 choice local-or-keystore {
272 nacm:default-deny-write;
275 "A choice between an inlined definition and a definition
276 that exists in the keystore.";
278 if-feature "local-definitions-supported";
279 container local-definition {
281 "Container to hold the local key definition.";
282 uses ct:asymmetric-key-pair-with-certs-grouping;
286 if-feature "central-keystore-supported";
287 if-feature "asymmetric-keys";
288 leaf keystore-reference {
289 type ks:asymmetric-key-ref;
291 "A reference to an asymmetric key (and all of its
292 associated certificates) in the keystore, when
293 this module is implemented.";
299 grouping local-or-keystore-end-entity-cert-with-key-grouping {
301 "A grouping that expands to allow an end-entity certificate
302 (and its associated asymmetric key pair) to be either stored
303 locally, i.e., within the using data model, or a reference
304 to a specific certificate in the keystore.
306 Servers that do not 'implement' this module, and hence
307 'central-keystore-supported' is not defined, SHOULD
308 augment in custom 'case' statements enabling references
309 to the alternate keystore locations.";
310 choice local-or-keystore {
311 nacm:default-deny-write;
314 "A choice between an inlined definition and a definition
315 that exists in the keystore.";
317 if-feature "local-definitions-supported";
318 container local-definition {
320 "Container to hold the local key definition.";
321 uses ct:asymmetric-key-pair-with-cert-grouping;
325 if-feature "central-keystore-supported";
326 if-feature "asymmetric-keys";
327 container keystore-reference {
328 uses asymmetric-key-certificate-ref-grouping;
330 "A reference to a specific certificate associated with
331 an asymmetric key stored in the keystore, when this
332 module is implemented.";
338 grouping keystore-grouping {
340 "This grouping definition enables use in other contexts. If
341 it is ever used so, implementations MUST augment new 'case'
342 statements into the various local-or-keystore 'choice'
343 statements to supply leafrefs to the model-specific location(s).";
344 container asymmetric-keys {
345 nacm:default-deny-write;
346 if-feature "asymmetric-keys";
348 "A list of asymmetric keys.";
349 list asymmetric-key {
352 "An asymmetric key.";
356 "An arbitrary name for the asymmetric key.";
358 uses ct:asymmetric-key-pair-with-certs-grouping;
361 container symmetric-keys {
362 nacm:default-deny-write;
363 if-feature "symmetric-keys";
365 "A list of symmetric keys.";
373 "An arbitrary name for the symmetric key.";
375 uses ct:symmetric-key-grouping;
380 /*********************************/
381 /* Protocol accessible nodes */
382 /*********************************/
385 if-feature central-keystore-supported;
387 "A central keystore containing a list of symmetric keys and
388 a list of asymmetric keys.";
389 nacm:default-deny-write;
390 uses keystore-grouping {
391 augment "symmetric-keys/symmetric-key/key-type/encrypted-key/"
392 + "encrypted-key/encrypted-by" {
394 "Augments in a choice statement enabling the encrypting
395 key to be any other symmetric or asymmetric key in the
397 uses encrypted-by-choice-grouping;
399 augment "asymmetric-keys/asymmetric-key/private-key-type/"
400 + "encrypted-private-key/encrypted-private-key/"
403 "Augments in a choice statement enabling the encrypting
404 key to be any other symmetric or asymmetric key in the
406 uses encrypted-by-choice-grouping;