1 module ietf-crypto-types {
3 namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";
6 import ietf-yang-types {
9 "RFC 6991: Common YANG Data Types";
12 import ietf-netconf-acm {
15 "RFC 8341: Network Configuration Access Control Model";
19 "IETF NETCONF (Network Configuration) Working Group";
22 "WG Web: https://datatracker.ietf.org/wg/netconf
23 WG List: NETCONF WG list <mailto:netconf@ietf.org>
24 Author: Kent Watsen <mailto:kent+ietf@watsen.net>";
27 "This module defines common YANG types for cryptographic
30 Copyright (c) 2023 IETF Trust and the persons identified
31 as authors of the code. All rights reserved.
33 Redistribution and use in source and binary forms, with
34 or without modification, is permitted pursuant to, and
35 subject to the license terms contained in, the Revised
36 BSD License set forth in Section 4.c of the IETF Trust's
37 Legal Provisions Relating to IETF Documents
38 (https://trustee.ietf.org/license-info).
40 This version of this YANG module is part of RFC AAAA
41 (https://www.rfc-editor.org/info/rfcAAAA); see the RFC
42 itself for full legal notices.
44 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
45 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
46 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
47 are to be interpreted as described in BCP 14 (RFC 2119)
48 (RFC 8174) when, and only when, they appear in all
49 capitals, as shown here.";
55 "RFC AAAA: YANG Data Types and Groupings for Cryptography";
62 feature one-symmetric-key-format {
64 "Indicates that the server supports the
65 'one-symmetric-key-format' identity.";
68 feature one-asymmetric-key-format {
70 "Indicates that the server supports the
71 'one-asymmetric-key-format' identity.";
74 feature symmetrically-encrypted-value-format {
76 "Indicates that the server supports the
77 'symmetrically-encrypted-value-format' identity.";
80 feature asymmetrically-encrypted-value-format {
82 "Indicates that the server supports the
83 'asymmetrically-encrypted-value-format' identity.";
86 feature cms-enveloped-data-format {
88 "Indicates that the server supports the
89 'cms-enveloped-data-format' identity.";
92 feature cms-encrypted-data-format {
94 "Indicates that the server supports the
95 'cms-encrypted-data-format' identity.";
97 feature p10-csr-format {
99 "Indicates that the server implements support
100 for generating P10-based CSRs, as defined
103 "RFC 2986: PKCS #10: Certification Request Syntax
104 Specification Version 1.7";
107 feature csr-generation {
109 "Indicates that the server implements the
110 'generate-csr' action.";
113 feature certificate-expiration-notification {
115 "Indicates that the server implements the
116 'certificate-expiration' notification.";
119 feature cleartext-passwords {
121 "Indicates that the server supports cleartext
125 feature encrypted-passwords {
127 "Indicates that the server supports password
131 feature cleartext-symmetric-keys {
133 "Indicates that the server supports cleartext
137 feature hidden-symmetric-keys {
139 "Indicates that the server supports hidden keys.";
142 feature encrypted-symmetric-keys {
144 "Indicates that the server supports encryption
148 feature cleartext-private-keys {
150 "Indicates that the server supports cleartext
154 feature hidden-private-keys {
156 "Indicates that the server supports hidden keys.";
159 feature encrypted-private-keys {
161 "Indicates that the server supports encryption
165 /*************************************************/
166 /* Base Identities for Key Format Structures */
167 /*************************************************/
169 identity symmetric-key-format {
171 "Base key-format identity for symmetric keys.";
174 identity public-key-format {
176 "Base key-format identity for public keys.";
179 identity private-key-format {
181 "Base key-format identity for private keys.";
184 /****************************************************/
185 /* Identities for Private Key Format Structures */
186 /****************************************************/
188 identity rsa-private-key-format {
189 base private-key-format;
191 "Indicates that the private key value is encoded as
192 an RSAPrivateKey (from RFC 3447), encoded using ASN.1
193 distinguished encoding rules (DER), as specified in
197 PKCS #1: RSA Cryptography Specifications Version 2.2
199 Information technology - ASN.1 encoding rules:
200 Specification of Basic Encoding Rules (BER),
201 Canonical Encoding Rules (CER) and Distinguished
202 Encoding Rules (DER) 02/2021.";
205 identity ec-private-key-format {
206 base private-key-format;
208 "Indicates that the private key value is encoded as
209 an ECPrivateKey (from RFC 5915), encoded using ASN.1
210 distinguished encoding rules (DER), as specified in
214 Elliptic Curve Private Key Structure
216 Information technology - ASN.1 encoding rules:
217 Specification of Basic Encoding Rules (BER),
218 Canonical Encoding Rules (CER) and Distinguished
219 Encoding Rules (DER) 02/2021.";
222 identity one-asymmetric-key-format {
223 if-feature "one-asymmetric-key-format";
224 base private-key-format;
226 "Indicates that the private key value is a CMS
227 OneAsymmetricKey structure, as defined in RFC 5958,
228 encoded using ASN.1 distinguished encoding rules
229 (DER), as specified in ITU-T X.690.";
231 "RFC 5958: Asymmetric Key Packages
233 Information technology - ASN.1 encoding rules:
234 Specification of Basic Encoding Rules (BER),
235 Canonical Encoding Rules (CER) and Distinguished
236 Encoding Rules (DER) 02/2021.";
239 /***************************************************/
240 /* Identities for Public Key Format Structures */
241 /***************************************************/
243 identity ssh-public-key-format {
244 base public-key-format;
246 "Indicates that the public key value is an SSH public key,
247 as specified by RFC 4253, Section 6.6, i.e.:
249 string certificate or public key format
251 byte[n] key/certificate data.";
253 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
256 identity subject-public-key-info-format {
257 base public-key-format;
259 "Indicates that the public key value is a SubjectPublicKeyInfo
260 structure, as described in RFC 5280, encoded using ASN.1
261 distinguished encoding rules (DER), as specified in
265 Internet X.509 Public Key Infrastructure Certificate
266 and Certificate Revocation List (CRL) Profile
268 Information technology - ASN.1 encoding rules:
269 Specification of Basic Encoding Rules (BER),
270 Canonical Encoding Rules (CER) and Distinguished
271 Encoding Rules (DER) 02/2021.";
274 /******************************************************/
275 /* Identities for Symmetric Key Format Structures */
276 /******************************************************/
278 identity octet-string-key-format {
279 base symmetric-key-format;
281 "Indicates that the key is encoded as a raw octet string.
282 The length of the octet string MUST be appropriate for
283 the associated algorithm's block size.
285 The identity of the associated algorithm is outside the
286 scope of this specification. This is also true when
287 the octet string has been encrypted.";
289 identity one-symmetric-key-format {
290 if-feature "one-symmetric-key-format";
291 base symmetric-key-format;
293 "Indicates that the private key value is a CMS
294 OneSymmetricKey structure, as defined in RFC 6031,
295 encoded using ASN.1 distinguished encoding rules
296 (DER), as specified in ITU-T X.690.";
298 "RFC 6031: Cryptographic Message Syntax (CMS)
299 Symmetric Key Package Content Type
301 Information technology - ASN.1 encoding rules:
302 Specification of Basic Encoding Rules (BER),
303 Canonical Encoding Rules (CER) and Distinguished
304 Encoding Rules (DER) 02/2021.";
307 /*************************************************/
308 /* Identities for Encrypted Value Structures */
309 /*************************************************/
311 identity encrypted-value-format {
313 "Base format identity for encrypted values.";
316 identity symmetrically-encrypted-value-format {
317 if-feature "symmetrically-encrypted-value-format";
318 base encrypted-value-format;
320 "Base format identity for symmetrically encrypted
324 identity asymmetrically-encrypted-value-format {
325 if-feature "asymmetrically-encrypted-value-format";
326 base encrypted-value-format;
328 "Base format identity for asymmetrically encrypted
332 identity cms-encrypted-data-format {
333 if-feature "cms-encrypted-data-format";
334 base symmetrically-encrypted-value-format;
336 "Indicates that the encrypted value conforms to
337 the 'encrypted-data-cms' type with the constraint
338 that the 'unprotectedAttrs' value is not set.";
340 "RFC 5652: Cryptographic Message Syntax (CMS)
342 Information technology - ASN.1 encoding rules:
343 Specification of Basic Encoding Rules (BER),
344 Canonical Encoding Rules (CER) and Distinguished
345 Encoding Rules (DER) 02/2021.";
348 identity cms-enveloped-data-format {
349 if-feature "cms-enveloped-data-format";
350 base asymmetrically-encrypted-value-format;
352 "Indicates that the encrypted value conforms to the
353 'enveloped-data-cms' type with the following constraints:
355 The EnvelopedData structure MUST have exactly one
358 If the asymmetric key supports public key cryptography
359 (e.g., RSA), then the 'RecipientInfo' must be a
360 'KeyTransRecipientInfo' with the 'RecipientIdentifier'
361 using a 'subjectKeyIdentifier' with the value set using
362 'method 1' in RFC 7093 over the recipient's public key.
364 Otherwise, if the asymmetric key supports key agreement
365 (e.g., ECC), then the 'RecipientInfo' must be a
366 'KeyAgreeRecipientInfo'. The 'OriginatorIdentifierOrKey'
367 value must use the 'OriginatorPublicKey' alternative.
368 The 'UserKeyingMaterial' value must not be present.
369 There must be exactly one 'RecipientEncryptedKeys' value
370 having the 'KeyAgreeRecipientIdentifier' set to 'rKeyId'
371 with the value set using 'method 1' in RFC 7093 over the
372 recipient's public key.";
374 "RFC 5652: Cryptographic Message Syntax (CMS)
376 Additional Methods for Generating Key
379 Information technology - ASN.1 encoding rules:
380 Specification of Basic Encoding Rules (BER),
381 Canonical Encoding Rules (CER) and Distinguished
382 Encoding Rules (DER) 02/2021.";
385 /*********************************************************/
386 /* Identities for Certificate Signing Request Formats */
387 /*********************************************************/
389 identity csr-format {
391 "A base identity for the certificate signing request
392 formats. Additional derived identities MAY be defined
396 identity p10-csr-format {
397 if-feature "p10-csr-format";
400 "Indicates the 'CertificationRequest' structure
401 defined in RFC 2986.";
403 "RFC 2986: PKCS #10: Certification Request Syntax
404 Specification Version 1.7";
407 /***************************************************/
408 /* Typedefs for ASN.1 structures from RFC 2986 */
409 /***************************************************/
414 "A CertificationRequestInfo structure, as defined in
415 RFC 2986, encoded using ASN.1 distinguished encoding
416 rules (DER), as specified in ITU-T X.690.";
418 "RFC 2986: PKCS #10: Certification Request Syntax
419 Specification Version 1.7
421 Information technology - ASN.1 encoding rules:
422 Specification of Basic Encoding Rules (BER),
423 Canonical Encoding Rules (CER) and Distinguished
424 Encoding Rules (DER) 02/2021.";
430 "A CertificationRequest structure, as specified in
431 RFC 2986, encoded using ASN.1 distinguished encoding
432 rules (DER), as specified in ITU-T X.690.";
435 PKCS #10: Certification Request Syntax Specification
438 Information technology - ASN.1 encoding rules:
439 Specification of Basic Encoding Rules (BER),
440 Canonical Encoding Rules (CER) and Distinguished
441 Encoding Rules (DER) 02/2021.";
444 /***************************************************/
445 /* Typedefs for ASN.1 structures from RFC 5280 */
446 /***************************************************/
451 "A Certificate structure, as specified in RFC 5280,
452 encoded using ASN.1 distinguished encoding rules (DER),
453 as specified in ITU-T X.690.";
456 Internet X.509 Public Key Infrastructure Certificate
457 and Certificate Revocation List (CRL) Profile
459 Information technology - ASN.1 encoding rules:
460 Specification of Basic Encoding Rules (BER),
461 Canonical Encoding Rules (CER) and Distinguished
462 Encoding Rules (DER) 02/2021.";
468 "A CertificateList structure, as specified in RFC 5280,
469 encoded using ASN.1 distinguished encoding rules (DER),
470 as specified in ITU-T X.690.";
473 Internet X.509 Public Key Infrastructure Certificate
474 and Certificate Revocation List (CRL) Profile
476 Information technology - ASN.1 encoding rules:
477 Specification of Basic Encoding Rules (BER),
478 Canonical Encoding Rules (CER) and Distinguished
479 Encoding Rules (DER) 02/2021.";
482 /***************************************************/
483 /* Typedefs for ASN.1 structures from RFC 6960 */
484 /***************************************************/
486 typedef oscp-request {
489 "An OCSPRequest structure, as specified in RFC 6960,
490 encoded using ASN.1 distinguished encoding rules
491 (DER), as specified in ITU-T X.690.";
494 X.509 Internet Public Key Infrastructure Online
495 Certificate Status Protocol - OCSP
497 Information technology - ASN.1 encoding rules:
498 Specification of Basic Encoding Rules (BER),
499 Canonical Encoding Rules (CER) and Distinguished
500 Encoding Rules (DER) 02/2021.";
503 typedef oscp-response {
506 "An OCSPResponse structure, as specified in RFC 6960,
507 encoded using ASN.1 distinguished encoding rules
508 (DER), as specified in ITU-T X.690.";
511 X.509 Internet Public Key Infrastructure Online
512 Certificate Status Protocol - OCSP
514 Information technology - ASN.1 encoding rules:
515 Specification of Basic Encoding Rules (BER),
516 Canonical Encoding Rules (CER) and Distinguished
517 Encoding Rules (DER) 02/2021.";
520 /***********************************************/
521 /* Typedefs for ASN.1 structures from 5652 */
522 /***********************************************/
527 "A ContentInfo structure, as specified in RFC 5652,
528 encoded using ASN.1 distinguished encoding rules (DER),
529 as specified in ITU-T X.690.";
532 Cryptographic Message Syntax (CMS)
534 Information technology - ASN.1 encoding rules:
535 Specification of Basic Encoding Rules (BER),
536 Canonical Encoding Rules (CER) and Distinguished
537 Encoding Rules (DER) 02/2021.";
540 typedef data-content-cms {
543 "A CMS structure whose top-most content type MUST be the
544 data content type, as described by Section 4 in RFC 5652.";
546 "RFC 5652: Cryptographic Message Syntax (CMS)";
549 typedef signed-data-cms {
552 "A CMS structure whose top-most content type MUST be the
553 signed-data content type, as described by Section 5 in
556 "RFC 5652: Cryptographic Message Syntax (CMS)";
559 typedef enveloped-data-cms {
562 "A CMS structure whose top-most content type MUST be the
563 enveloped-data content type, as described by Section 6
566 "RFC 5652: Cryptographic Message Syntax (CMS)";
569 typedef digested-data-cms {
572 "A CMS structure whose top-most content type MUST be the
573 digested-data content type, as described by Section 7
576 "RFC 5652: Cryptographic Message Syntax (CMS)";
579 typedef encrypted-data-cms {
582 "A CMS structure whose top-most content type MUST be the
583 encrypted-data content type, as described by Section 8
586 "RFC 5652: Cryptographic Message Syntax (CMS)";
589 typedef authenticated-data-cms {
592 "A CMS structure whose top-most content type MUST be the
593 authenticated-data content type, as described by Section 9
596 "RFC 5652: Cryptographic Message Syntax (CMS)";
599 /*********************************************************/
600 /* Typedefs for ASN.1 structures related to RFC 5280 */
601 /*********************************************************/
603 typedef trust-anchor-cert-x509 {
606 "A Certificate structure that MUST encode a self-signed
610 typedef end-entity-cert-x509 {
613 "A Certificate structure that MUST encode a certificate
614 that is neither self-signed nor having Basic constraint
618 /*********************************************************/
619 /* Typedefs for ASN.1 structures related to RFC 5652 */
620 /*********************************************************/
622 typedef trust-anchor-cert-cms {
623 type signed-data-cms;
625 "A CMS SignedData structure that MUST contain the chain of
626 X.509 certificates needed to authenticate the certificate
627 presented by a client or end-entity.
629 The CMS MUST contain only a single chain of certificates.
630 The client or end-entity certificate MUST only authenticate
631 to the last intermediate CA certificate listed in the chain.
633 In all cases, the chain MUST include a self-signed root
634 certificate. In the case where the root certificate is
635 itself the issuer of the client or end-entity certificate,
636 only one certificate is present.
638 This CMS structure MAY (as applicable where this type is
639 used) also contain suitably fresh (as defined by local
640 policy) revocation objects with which the device can
641 verify the revocation status of the certificates.
643 This CMS encodes the degenerate form of the SignedData
644 structure (RFC 5652, Section 5.2) that is commonly used
645 to disseminate X.509 certificates and revocation objects
649 Internet X.509 Public Key Infrastructure Certificate
650 and Certificate Revocation List (CRL) Profile.
652 Cryptographic Message Syntax (CMS)";
655 typedef end-entity-cert-cms {
656 type signed-data-cms;
658 "A CMS SignedData structure that MUST contain the end
659 entity certificate itself, and MAY contain any number
660 of intermediate certificates leading up to a trust
661 anchor certificate. The trust anchor certificate
662 MAY be included as well.
664 The CMS MUST contain a single end entity certificate.
665 The CMS MUST NOT contain any spurious certificates.
667 This CMS structure MAY (as applicable where this type is
668 used) also contain suitably fresh (as defined by local
669 policy) revocation objects with which the device can
670 verify the revocation status of the certificates.
672 This CMS encodes the degenerate form of the SignedData
673 structure (RFC 5652, Section 5.2) that is commonly
674 used to disseminate X.509 certificates and revocation
675 objects (RFC 5280).";
679 Internet X.509 Public Key Infrastructure Certificate
680 and Certificate Revocation List (CRL) Profile.
682 Cryptographic Message Syntax (CMS)";
689 grouping encrypted-value-grouping {
691 "A reusable grouping for a value that has been encrypted by
692 a referenced symmetric or asymmetric key.";
693 container encrypted-by {
694 nacm:default-deny-write;
696 "An empty container enabling a reference to the key that
697 encrypted the value to be augmented in. The referenced
698 key MUST be a symmetric key or an asymmetric key.
700 A symmetric key MUST be referenced via a leaf node called
701 'symmetric-key-ref'. An asymmetric key MUST be referenced
702 via a leaf node called 'asymmetric-key-ref'.
704 The leaf nodes MUST be direct descendants in the data tree,
705 and MAY be direct descendants in the schema tree (e.g.,
706 choice/case statements are allowed, but not a container).";
708 leaf encrypted-value-format {
710 base encrypted-value-format;
714 "Identifies the format of the 'encrypted-value' leaf.
716 If 'encrypted-by' points to a symmetric key, then a
717 'symmetrically-encrypted-value-format' based identity
718 MUST be set (e.g., cms-encrypted-data-format).
720 If 'encrypted-by' points to an asymmetric key, then an
721 'asymmetrically-encrypted-value-format' based identity
722 MUST be set (e.g., cms-enveloped-data-format).";
724 leaf encrypted-value {
725 nacm:default-deny-write;
727 must '../encrypted-by';
730 "The value, encrypted using the referenced symmetric
731 or asymmetric key. The value MUST be encoded using
732 the format associated with the 'encrypted-value-format'
737 grouping password-grouping {
739 "A password that may be encrypted.";
740 choice password-type {
741 nacm:default-deny-write;
744 "Choice between password types.";
745 case cleartext-password {
746 if-feature "cleartext-passwords";
747 leaf cleartext-password {
748 nacm:default-deny-all;
751 "The cleartext value of the password.";
754 case encrypted-password {
755 if-feature "encrypted-passwords";
756 container encrypted-password {
758 "A container for the encrypted password value.";
759 uses encrypted-value-grouping;
765 grouping symmetric-key-grouping {
769 nacm:default-deny-write;
771 base symmetric-key-format;
774 "Identifies the symmetric key's format. Implementations
775 SHOULD ensure that the incoming symmetric key value is
776 encoded in the specified format.
778 For encrypted keys, the value is the decrypted key's
779 format (i.e., the 'encrypted-value-format' conveys the
780 encrypted key's format).";
783 nacm:default-deny-write;
786 "Choice between key types.";
789 if-feature "cleartext-symmetric-keys";
790 nacm:default-deny-all;
792 must '../key-format';
794 "The binary value of the key. The interpretation of
795 the value is defined by the 'key-format' field.";
799 if-feature "hidden-symmetric-keys";
802 must 'not(../key-format)';
804 "A hidden key. How such keys are created is outside
805 the scope of this module.";
809 if-feature "encrypted-symmetric-keys";
810 container encrypted-key {
811 must '../key-format';
813 "A container for the encrypted symmetric key value.
814 The interpretation of the 'encrypted-value' node
815 is via the 'key-format' node.";
816 uses encrypted-value-grouping;
822 grouping public-key-grouping {
825 leaf public-key-format {
826 nacm:default-deny-write;
828 base public-key-format;
832 "Identifies the public key's format. Implementations SHOULD
833 ensure that the incoming public key value is encoded in the
837 nacm:default-deny-write;
841 "The binary value of the public key. The interpretation
842 of the value is defined by the 'public-key-format' field.";
846 grouping asymmetric-key-pair-grouping {
848 "A private key and its associated public key. Implementations
849 SHOULD ensure that the two keys are a matching pair.";
850 uses public-key-grouping;
851 leaf private-key-format {
852 nacm:default-deny-write;
854 base private-key-format;
857 "Identifies the private key's format. Implementations SHOULD
858 ensure that the incoming private key value is encoded in the
861 For encrypted keys, the value is the decrypted key's
862 format (i.e., the 'encrypted-value-format' conveys the
863 encrypted key's format).";
865 choice private-key-type {
866 nacm:default-deny-write;
869 "Choice between key types.";
870 case cleartext-private-key {
871 if-feature "cleartext-private-keys";
872 leaf cleartext-private-key {
873 nacm:default-deny-all;
875 must '../private-key-format';
877 "The value of the binary key. The key's value is
878 interpreted by the 'private-key-format' field.";
881 case hidden-private-key {
882 if-feature "hidden-private-keys";
883 leaf hidden-private-key {
885 must 'not(../private-key-format)';
887 "A hidden key. How such keys are created is
888 outside the scope of this module.";
891 case encrypted-private-key {
892 if-feature "encrypted-private-keys";
893 container encrypted-private-key {
894 must '../private-key-format';
896 "A container for the encrypted asymmetric private key
897 value. The interpretation of the 'encrypted-value'
898 node is via the 'private-key-format' node.";
899 uses encrypted-value-grouping;
905 grouping certificate-expiration-grouping {
907 "A notification for when a certificate is about to, or
908 already has, expired.";
909 notification certificate-expiration {
910 if-feature "certificate-expiration-notification";
912 "A notification indicating that the configured certificate
913 is either about to expire or has already expired. When to
914 send notifications is an implementation-specific decision,
915 but it is RECOMMENDED that a notification be sent once a
916 month for 3 months, then once a week for four weeks, and
917 then once a day thereafter until the issue is resolved.";
918 leaf expiration-date {
919 type yang:date-and-time;
922 "Identifies the expiration date on the certificate.";
927 grouping trust-anchor-cert-grouping {
929 "A trust anchor certificate, and a notification for when
930 it is about to expire (or already has).";
932 nacm:default-deny-write;
933 type trust-anchor-cert-cms;
935 "The binary certificate data for this certificate.";
937 uses certificate-expiration-grouping;
940 grouping end-entity-cert-grouping {
942 "An end entity certificate, and a notification for when
943 it is about to expire (or already has). Implementations
944 SHOULD assert that, where used, the end entity certificate
945 contains the expected public key.";
947 nacm:default-deny-write;
948 type end-entity-cert-cms;
950 "The binary certificate data for this certificate.";
952 uses certificate-expiration-grouping;
955 grouping generate-csr-grouping {
957 "Defines the 'generate-csr' action.";
958 action generate-csr {
959 if-feature "csr-generation";
960 nacm:default-deny-all;
962 "Generates a certificate signing request structure for
963 the associated asymmetric key using the passed subject
964 and attribute values.
966 This action statement is only available when the
967 associated 'public-key-format' node's value is
968 'subject-public-key-info-format'.";
971 Representation and Verification of Domain-Based
972 Application Service Identity within Internet Public Key
973 Infrastructure Using X.509 (PKIX) Certificates in the
974 Context of Transport Layer Security (TLS)";
982 "Specifies the format for the returned certificate.";
988 "A CertificationRequestInfo structure, as defined in
991 Enables the client to provide a fully-populated
992 CertificationRequestInfo structure that the server
993 only needs to sign in order to generate the complete
994 'CertificationRequest' structure to return in the
997 The 'AlgorithmIdentifier' field contained inside
998 the 'SubjectPublicKeyInfo' field MUST be one known
999 to be supported by the device.";
1002 PKCS #10: Certification Request Syntax Specification
1004 YANG Data Types and Groupings for Cryptography";
1011 "A choice amongst certificate signing request formats.
1012 Additional formats MAY be augmented into this 'choice'
1013 statement by future efforts.";
1018 "A CertificationRequest, as defined in RFC 2986.";
1021 "A CertificationRequest, as defined in RFC 2986.";
1024 PKCS #10: Certification Request Syntax Specification
1026 YANG Data Types and Groupings for Cryptography";
1031 } // generate-csr-grouping
1033 grouping asymmetric-key-pair-with-cert-grouping {
1035 "A private/public key pair and an associated certificate.
1036 Implementations SHOULD assert that the certificate contains
1037 the matching public key.";
1038 uses asymmetric-key-pair-grouping;
1039 uses end-entity-cert-grouping;
1040 uses generate-csr-grouping;
1041 } // asymmetric-key-pair-with-cert-grouping
1043 grouping asymmetric-key-pair-with-certs-grouping {
1045 "A private/public key pair and a list of associated
1046 certificates. Implementations SHOULD assert that
1047 certificates contain the matching public key.";
1048 uses asymmetric-key-pair-grouping;
1049 container certificates {
1050 nacm:default-deny-write;
1052 "Certificates associated with this asymmetric key.";
1056 "A certificate for this asymmetric key.";
1060 "An arbitrary name for the certificate.";
1062 uses end-entity-cert-grouping {
1063 refine "cert-data" {
1069 uses generate-csr-grouping;
1070 } // asymmetric-key-pair-with-certs-grouping