1 module ietf-crypto-types {
3 namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";
6 import ietf-yang-types {
9 "RFC 6991: Common YANG Data Types";
12 import ietf-netconf-acm {
15 "RFC 8341: Network Configuration Access Control Model";
19 "IETF NETCONF (Network Configuration) Working Group";
22 "WG Web: https://datatracker.ietf.org/wg/netconf
23 WG List: NETCONF WG list <mailto:netconf@ietf.org>
24 Author: Kent Watsen <mailto:kent+ietf@watsen.net>";
27 "This module defines common YANG types for cryptographic
30 Copyright (c) 2023 IETF Trust and the persons identified
31 as authors of the code. All rights reserved.
33 Redistribution and use in source and binary forms, with
34 or without modification, is permitted pursuant to, and
35 subject to the license terms contained in, the Revised
36 BSD License set forth in Section 4.c of the IETF Trust's
37 Legal Provisions Relating to IETF Documents
38 (https://trustee.ietf.org/license-info).
40 This version of this YANG module is part of RFC AAAA
41 (https://www.rfc-editor.org/info/rfcAAAA); see the RFC
42 itself for full legal notices.
44 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
45 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
46 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
47 are to be interpreted as described in BCP 14 (RFC 2119)
48 (RFC 8174) when, and only when, they appear in all
49 capitals, as shown here.";
55 "RFC AAAA: YANG Data Types and Groupings for Cryptography";
62 feature one-symmetric-key-format {
64 "Indicates that the server supports the
65 'one-symmetric-key-format' identity.";
68 feature one-asymmetric-key-format {
70 "Indicates that the server supports the
71 'one-asymmetric-key-format' identity.";
74 feature symmetrically-encrypted-value-format {
76 "Indicates that the server supports the
77 'symmetrically-encrypted-value-format' identity.";
80 feature asymmetrically-encrypted-value-format {
82 "Indicates that the server supports the
83 'asymmetrically-encrypted-value-format' identity.";
86 feature cms-enveloped-data-format {
88 "Indicates that the server supports the
89 'cms-enveloped-data-format' identity.";
92 feature cms-encrypted-data-format {
94 "Indicates that the server supports the
95 'cms-encrypted-data-format' identity.";
98 feature p10-csr-format {
100 "Indicates that the server implements support
101 for generating P10-based CSRs, as defined
104 "RFC 2986: PKCS #10: Certification Request Syntax
105 Specification Version 1.7";
108 feature csr-generation {
110 "Indicates that the server implements the
111 'generate-csr' action.";
114 feature certificate-expiration-notification {
116 "Indicates that the server implements the
117 'certificate-expiration' notification.";
120 feature cleartext-passwords {
122 "Indicates that the server supports cleartext
126 feature encrypted-passwords {
128 "Indicates that the server supports password
132 feature cleartext-symmetric-keys {
134 "Indicates that the server supports cleartext
138 feature hidden-symmetric-keys {
140 "Indicates that the server supports hidden keys.";
143 feature encrypted-symmetric-keys {
145 "Indicates that the server supports encryption
149 feature cleartext-private-keys {
151 "Indicates that the server supports cleartext
155 feature hidden-private-keys {
157 "Indicates that the server supports hidden keys.";
160 feature encrypted-private-keys {
162 "Indicates that the server supports encryption
166 /*************************************************/
167 /* Base Identities for Key Format Structures */
168 /*************************************************/
170 identity symmetric-key-format {
172 "Base key-format identity for symmetric keys.";
175 identity public-key-format {
177 "Base key-format identity for public keys.";
180 identity private-key-format {
182 "Base key-format identity for private keys.";
185 /****************************************************/
186 /* Identities for Private Key Format Structures */
187 /****************************************************/
189 identity rsa-private-key-format {
190 base private-key-format;
192 "Indicates that the private key value is encoded as
193 an RSAPrivateKey (from RFC 3447), encoded using ASN.1
194 distinguished encoding rules (DER), as specified in
198 PKCS #1: RSA Cryptography Specifications Version 2.2
200 Information technology - ASN.1 encoding rules:
201 Specification of Basic Encoding Rules (BER),
202 Canonical Encoding Rules (CER) and Distinguished
203 Encoding Rules (DER) 02/2021.";
206 identity ec-private-key-format {
207 base private-key-format;
209 "Indicates that the private key value is encoded as
210 an ECPrivateKey (from RFC 5915), encoded using ASN.1
211 distinguished encoding rules (DER), as specified in
215 Elliptic Curve Private Key Structure
217 Information technology - ASN.1 encoding rules:
218 Specification of Basic Encoding Rules (BER),
219 Canonical Encoding Rules (CER) and Distinguished
220 Encoding Rules (DER) 02/2021.";
223 identity one-asymmetric-key-format {
224 if-feature "one-asymmetric-key-format";
225 base private-key-format;
227 "Indicates that the private key value is a CMS
228 OneAsymmetricKey structure, as defined in RFC 5958,
229 encoded using ASN.1 distinguished encoding rules
230 (DER), as specified in ITU-T X.690.";
232 "RFC 5958: Asymmetric Key Packages
234 Information technology - ASN.1 encoding rules:
235 Specification of Basic Encoding Rules (BER),
236 Canonical Encoding Rules (CER) and Distinguished
237 Encoding Rules (DER) 02/2021.";
240 /***************************************************/
241 /* Identities for Public Key Format Structures */
242 /***************************************************/
244 identity ssh-public-key-format {
245 base public-key-format;
247 "Indicates that the public key value is an SSH public key,
248 as specified by RFC 4253, Section 6.6, i.e.:
250 string certificate or public key format
252 byte[n] key/certificate data.";
254 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
257 identity subject-public-key-info-format {
258 base public-key-format;
260 "Indicates that the public key value is a SubjectPublicKeyInfo
261 structure, as described in RFC 5280 encoded using ASN.1
262 distinguished encoding rules (DER), as specified in
266 Internet X.509 Public Key Infrastructure Certificate
267 and Certificate Revocation List (CRL) Profile
269 Information technology - ASN.1 encoding rules:
270 Specification of Basic Encoding Rules (BER),
271 Canonical Encoding Rules (CER) and Distinguished
272 Encoding Rules (DER) 02/2021.";
275 /******************************************************/
276 /* Identities for Symmetric Key Format Structures */
277 /******************************************************/
279 identity octet-string-key-format {
280 base symmetric-key-format;
282 "Indicates that the key is encoded as a raw octet string.
283 The length of the octet string MUST be appropriate for
284 the associated algorithm's block size.
286 The identity of the associated algorithm is outside the
287 scope of this specification. This is also true when
288 the octet string has been encrypted.";
291 identity one-symmetric-key-format {
292 if-feature "one-symmetric-key-format";
293 base symmetric-key-format;
295 "Indicates that the symmetric key value is a CMS
296 OneSymmetricKey structure, as defined in RFC 6031,
297 encoded using ASN.1 distinguished encoding rules
298 (DER), as specified in ITU-T X.690.";
300 "RFC 6031: Cryptographic Message Syntax (CMS)
301 Symmetric Key Package Content Type
303 Information technology - ASN.1 encoding rules:
304 Specification of Basic Encoding Rules (BER),
305 Canonical Encoding Rules (CER) and Distinguished
306 Encoding Rules (DER) 02/2021.";
309 /*************************************************/
310 /* Identities for Encrypted Value Structures */
311 /*************************************************/
313 identity encrypted-value-format {
315 "Base format identity for encrypted values.";
318 identity symmetrically-encrypted-value-format {
319 if-feature "symmetrically-encrypted-value-format";
320 base encrypted-value-format;
322 "Base format identity for symmetrically encrypted
326 identity asymmetrically-encrypted-value-format {
327 if-feature "asymmetrically-encrypted-value-format";
328 base encrypted-value-format;
330 "Base format identity for asymmetrically encrypted
334 identity cms-encrypted-data-format {
335 if-feature "cms-encrypted-data-format";
336 base symmetrically-encrypted-value-format;
338 "Indicates that the encrypted value conforms to
339 the 'encrypted-data-cms' type with the constraint
340 that the 'unprotectedAttrs' value is not set.";
342 "RFC 5652: Cryptographic Message Syntax (CMS)
344 Information technology - ASN.1 encoding rules:
345 Specification of Basic Encoding Rules (BER),
346 Canonical Encoding Rules (CER) and Distinguished
347 Encoding Rules (DER) 02/2021.";
350 identity cms-enveloped-data-format {
351 if-feature "cms-enveloped-data-format";
352 base asymmetrically-encrypted-value-format;
354 "Indicates that the encrypted value conforms to the
355 'enveloped-data-cms' type with the following constraints:
357 The EnvelopedData structure MUST have exactly one
360 If the asymmetric key supports public key cryptography
361 (e.g., RSA), then the 'RecipientInfo' must be a
362 'KeyTransRecipientInfo' with the 'RecipientIdentifier'
363 using a 'subjectKeyIdentifier' with the value set using
364 'method 1' in RFC 7093 over the recipient's public key.
366 Otherwise, if the asymmetric key supports key agreement
367 (e.g., ECC), then the 'RecipientInfo' must be a
368 'KeyAgreeRecipientInfo'. The 'OriginatorIdentifierOrKey'
369 value must use the 'OriginatorPublicKey' alternative.
370 The 'UserKeyingMaterial' value must not be present.
371 There must be exactly one 'RecipientEncryptedKeys' value
372 having the 'KeyAgreeRecipientIdentifier' set to 'rKeyId'
373 with the value set using 'method 1' in RFC 7093 over the
374 recipient's public key.";
376 "RFC 5652: Cryptographic Message Syntax (CMS)
378 Additional Methods for Generating Key
381 Information technology - ASN.1 encoding rules:
382 Specification of Basic Encoding Rules (BER),
383 Canonical Encoding Rules (CER) and Distinguished
384 Encoding Rules (DER) 02/2021.";
387 /*********************************************************/
388 /* Identities for Certificate Signing Request Formats */
389 /*********************************************************/
391 identity csr-format {
393 "A base identity for the certificate signing request
394 formats. Additional derived identities MAY be defined
398 identity p10-csr-format {
399 if-feature "p10-csr-format";
402 "Indicates the 'CertificationRequest' structure
403 defined in RFC 2986.";
405 "RFC 2986: PKCS #10: Certification Request Syntax
406 Specification Version 1.7";
410 /***************************************************/
411 /* Typedefs for ASN.1 structures from RFC 2986 */
412 /***************************************************/
417 "A CertificationRequestInfo structure, as defined in
418 RFC 2986, encoded using ASN.1 distinguished encoding
419 rules (DER), as specified in ITU-T X.690.";
421 "RFC 2986: PKCS #10: Certification Request Syntax
422 Specification Version 1.7
424 Information technology - ASN.1 encoding rules:
425 Specification of Basic Encoding Rules (BER),
426 Canonical Encoding Rules (CER) and Distinguished
427 Encoding Rules (DER) 02/2021.";
433 "A CertificationRequest structure, as specified in
434 RFC 2986, encoded using ASN.1 distinguished encoding
435 rules (DER), as specified in ITU-T X.690.";
438 PKCS #10: Certification Request Syntax Specification
441 Information technology - ASN.1 encoding rules:
442 Specification of Basic Encoding Rules (BER),
443 Canonical Encoding Rules (CER) and Distinguished
444 Encoding Rules (DER) 02/2021.";
447 /***************************************************/
448 /* Typedefs for ASN.1 structures from RFC 5280 */
449 /***************************************************/
454 "A Certificate structure, as specified in RFC 5280,
455 encoded using ASN.1 distinguished encoding rules (DER),
456 as specified in ITU-T X.690.";
459 Internet X.509 Public Key Infrastructure Certificate
460 and Certificate Revocation List (CRL) Profile
462 Information technology - ASN.1 encoding rules:
463 Specification of Basic Encoding Rules (BER),
464 Canonical Encoding Rules (CER) and Distinguished
465 Encoding Rules (DER) 02/2021.";
471 "A CertificateList structure, as specified in RFC 5280,
472 encoded using ASN.1 distinguished encoding rules (DER),
473 as specified in ITU-T X.690.";
476 Internet X.509 Public Key Infrastructure Certificate
477 and Certificate Revocation List (CRL) Profile
479 Information technology - ASN.1 encoding rules:
480 Specification of Basic Encoding Rules (BER),
481 Canonical Encoding Rules (CER) and Distinguished
482 Encoding Rules (DER) 02/2021.";
485 /***************************************************/
486 /* Typedefs for ASN.1 structures from RFC 6960 */
487 /***************************************************/
489 typedef oscp-request {
492 "An OCSPRequest structure, as specified in RFC 6960,
493 encoded using ASN.1 distinguished encoding rules
494 (DER), as specified in ITU-T X.690.";
497 X.509 Internet Public Key Infrastructure Online
498 Certificate Status Protocol - OCSP
500 Information technology - ASN.1 encoding rules:
501 Specification of Basic Encoding Rules (BER),
502 Canonical Encoding Rules (CER) and Distinguished
503 Encoding Rules (DER) 02/2021.";
506 typedef oscp-response {
509 "An OCSPResponse structure, as specified in RFC 6960,
510 encoded using ASN.1 distinguished encoding rules
511 (DER), as specified in ITU-T X.690.";
514 X.509 Internet Public Key Infrastructure Online
515 Certificate Status Protocol - OCSP
517 Information technology - ASN.1 encoding rules:
518 Specification of Basic Encoding Rules (BER),
519 Canonical Encoding Rules (CER) and Distinguished
520 Encoding Rules (DER) 02/2021.";
523 /***********************************************/
524 /* Typedefs for ASN.1 structures from 5652 */
525 /***********************************************/
530 "A ContentInfo structure, as specified in RFC 5652,
531 encoded using ASN.1 distinguished encoding rules (DER),
532 as specified in ITU-T X.690.";
535 Cryptographic Message Syntax (CMS)
537 Information technology - ASN.1 encoding rules:
538 Specification of Basic Encoding Rules (BER),
539 Canonical Encoding Rules (CER) and Distinguished
540 Encoding Rules (DER) 02/2021.";
543 typedef data-content-cms {
546 "A CMS structure whose top-most content type MUST be the
547 data content type, as described by Section 4 in RFC 5652.";
549 "RFC 5652: Cryptographic Message Syntax (CMS)";
552 typedef signed-data-cms {
555 "A CMS structure whose top-most content type MUST be the
556 signed-data content type, as described by Section 5 in
559 "RFC 5652: Cryptographic Message Syntax (CMS)";
562 typedef enveloped-data-cms {
565 "A CMS structure whose top-most content type MUST be the
566 enveloped-data content type, as described by Section 6
569 "RFC 5652: Cryptographic Message Syntax (CMS)";
572 typedef digested-data-cms {
575 "A CMS structure whose top-most content type MUST be the
576 digested-data content type, as described by Section 7
579 "RFC 5652: Cryptographic Message Syntax (CMS)";
582 typedef encrypted-data-cms {
585 "A CMS structure whose top-most content type MUST be the
586 encrypted-data content type, as described by Section 8
589 "RFC 5652: Cryptographic Message Syntax (CMS)";
592 typedef authenticated-data-cms {
595 "A CMS structure whose top-most content type MUST be the
596 authenticated-data content type, as described by Section 9
599 "RFC 5652: Cryptographic Message Syntax (CMS)";
602 /*********************************************************/
603 /* Typedefs for ASN.1 structures related to RFC 5280 */
604 /*********************************************************/
606 typedef trust-anchor-cert-x509 {
609 "A Certificate structure that MUST encode a self-signed
613 typedef end-entity-cert-x509 {
616 "A Certificate structure that MUST encode a certificate
617 that is neither self-signed nor having Basic constraint
621 /*********************************************************/
622 /* Typedefs for ASN.1 structures related to RFC 5652 */
623 /*********************************************************/
625 typedef trust-anchor-cert-cms {
626 type signed-data-cms;
628 "A CMS SignedData structure that MUST contain the chain of
629 X.509 certificates needed to authenticate the certificate
630 presented by a client or end-entity.
632 The CMS MUST contain only a single chain of certificates.
633 The client or end-entity certificate MUST only authenticate
634 to the last intermediate CA certificate listed in the chain.
636 In all cases, the chain MUST include a self-signed root
637 certificate. In the case where the root certificate is
638 itself the issuer of the client or end-entity certificate,
639 only one certificate is present.
641 This CMS structure MAY (as applicable where this type is
642 used) also contain suitably fresh (as defined by local
643 policy) revocation objects with which the device can
644 verify the revocation status of the certificates.
646 This CMS encodes the degenerate form of the SignedData
647 structure (RFC 5652, Section 5.2) that is commonly used
648 to disseminate X.509 certificates and revocation objects
652 Internet X.509 Public Key Infrastructure Certificate
653 and Certificate Revocation List (CRL) Profile.
655 Cryptographic Message Syntax (CMS)";
658 typedef end-entity-cert-cms {
659 type signed-data-cms;
661 "A CMS SignedData structure that MUST contain the end
662 entity certificate itself, and MAY contain any number
663 of intermediate certificates leading up to a trust
664 anchor certificate. The trust anchor certificate
665 MAY be included as well.
667 The CMS MUST contain a single end entity certificate.
668 The CMS MUST NOT contain any spurious certificates.
670 This CMS structure MAY (as applicable where this type is
671 used) also contain suitably fresh (as defined by local
672 policy) revocation objects with which the device can
673 verify the revocation status of the certificates.
675 This CMS encodes the degenerate form of the SignedData
676 structure (RFC 5652, Section 5.2) that is commonly
677 used to disseminate X.509 certificates and revocation
678 objects (RFC 5280).";
682 Internet X.509 Public Key Infrastructure Certificate
683 and Certificate Revocation List (CRL) Profile.
685 Cryptographic Message Syntax (CMS)";
692 grouping encrypted-value-grouping {
694 "A reusable grouping for a value that has been encrypted by
695 a referenced symmetric or asymmetric key.";
696 container encrypted-by {
697 nacm:default-deny-write;
699 "An empty container enabling a reference to the key that
700 encrypted the value to be augmented in. The referenced
701 key MUST be a symmetric key or an asymmetric key.
703 A symmetric key MUST be referenced via a leaf node called
704 'symmetric-key-ref'. An asymmetric key MUST be referenced
705 via a leaf node called 'asymmetric-key-ref'.
707 The leaf nodes MUST be direct descendants in the data tree,
708 and MAY be direct descendants in the schema tree (e.g.,
709 choice/case statements are allowed, but not a container).";
711 leaf encrypted-value-format {
713 base encrypted-value-format;
717 "Identifies the format of the 'encrypted-value' leaf.
719 If 'encrypted-by' points to a symmetric key, then a
720 'symmetrically-encrypted-value-format' based identity
721 MUST be set (e.g., cms-encrypted-data-format).
723 If 'encrypted-by' points to an asymmetric key, then an
724 'asymmetrically-encrypted-value-format' based identity
725 MUST be set (e.g., cms-enveloped-data-format).";
727 leaf encrypted-value {
728 nacm:default-deny-write;
730 must '../encrypted-by';
733 "The value, encrypted using the referenced symmetric
734 or asymmetric key. The value MUST be encoded using
735 the format associated with the 'encrypted-value-format'
740 grouping password-grouping {
742 "A password that may be encrypted.";
743 choice password-type {
744 nacm:default-deny-write;
747 "Choice between password types.";
748 case cleartext-password {
749 if-feature "cleartext-passwords";
750 leaf cleartext-password {
751 nacm:default-deny-all;
754 "The cleartext value of the password.";
757 case encrypted-password {
758 if-feature "encrypted-passwords";
759 container encrypted-password {
761 "A container for the encrypted password value.";
762 uses encrypted-value-grouping;
768 grouping symmetric-key-grouping {
772 nacm:default-deny-write;
774 base symmetric-key-format;
777 "Identifies the symmetric key's format. Implementations
778 SHOULD ensure that the incoming symmetric key value is
779 encoded in the specified format.
781 For encrypted keys, the value is the decrypted key's
782 format (i.e., the 'encrypted-value-format' conveys the
783 encrypted key's format).";
786 nacm:default-deny-write;
789 "Choice between key types.";
792 if-feature "cleartext-symmetric-keys";
793 nacm:default-deny-all;
795 must '../key-format';
797 "The binary value of the key. The interpretation of
798 the value is defined by the 'key-format' field.";
802 if-feature "hidden-symmetric-keys";
805 must 'not(../key-format)';
807 "A hidden key. How such keys are created is outside
808 the scope of this module.";
812 if-feature "encrypted-symmetric-keys";
813 container encrypted-key {
814 must '../key-format';
816 "A container for the encrypted symmetric key value.
817 The interpretation of the 'encrypted-value' node
818 is via the 'key-format' node.";
819 uses encrypted-value-grouping;
825 grouping public-key-grouping {
828 leaf public-key-format {
829 nacm:default-deny-write;
831 base public-key-format;
835 "Identifies the public key's format. Implementations SHOULD
836 ensure that the incoming public key value is encoded in the
840 nacm:default-deny-write;
844 "The binary value of the public key. The interpretation
845 of the value is defined by 'public-key-format' field.";
849 grouping private-key-grouping {
852 leaf private-key-format {
853 nacm:default-deny-write;
855 base private-key-format;
858 "Identifies the private key's format. Implementations SHOULD
859 ensure that the incoming private key value is encoded in the
862 For encrypted keys, the value is the decrypted key's
863 format (i.e., the 'encrypted-value-format' conveys the
864 encrypted key's format).";
866 choice private-key-type {
867 nacm:default-deny-write;
870 "Choice between key types.";
871 case cleartext-private-key {
872 if-feature "cleartext-private-keys";
873 leaf cleartext-private-key {
874 nacm:default-deny-all;
876 must '../private-key-format';
878 "The value of the binary key. The key's value is
879 interpreted by the 'private-key-format' field.";
882 case hidden-private-key {
883 if-feature "hidden-private-keys";
884 leaf hidden-private-key {
886 must 'not(../private-key-format)';
888 "A hidden key. How such keys are created is
889 outside the scope of this module.";
892 case encrypted-private-key {
893 if-feature "encrypted-private-keys";
894 container encrypted-private-key {
895 must '../private-key-format';
897 "A container for the encrypted asymmetric private key
898 value. The interpretation of the 'encrypted-value'
899 node is via the 'private-key-format' node.";
900 uses encrypted-value-grouping;
906 grouping asymmetric-key-pair-grouping {
908 "A private key and, optionally, its associated public key.
909 Implementations SHOULD ensure that the two keys, when both
910 are specified, are a matching pair.";
911 uses public-key-grouping {
912 refine public-key-format {
919 uses private-key-grouping;
922 grouping certificate-expiration-grouping {
924 "A notification for when a certificate is about to, or
925 already has, expired.";
926 notification certificate-expiration {
927 if-feature "certificate-expiration-notification";
929 "A notification indicating that the configured certificate
930 is either about to expire or has already expired. When to
931 send notifications is an implementation-specific decision,
932 but it is RECOMMENDED that a notification be sent once a
933 month for 3 months, then once a week for four weeks, and
934 then once a day thereafter until the issue is resolved.";
935 leaf expiration-date {
936 type yang:date-and-time;
939 "Identifies the expiration date on the certificate.";
944 grouping trust-anchor-cert-grouping {
946 "A trust anchor certificate, and a notification for when
947 it is about to (or already has) expire.";
949 nacm:default-deny-write;
950 type trust-anchor-cert-cms;
952 "The binary certificate data for this certificate.";
954 uses certificate-expiration-grouping;
957 grouping end-entity-cert-grouping {
959 "An end entity certificate, and a notification for when
960 it is about to (or already has) expire. Implementations
961 SHOULD assert that, where used, the end entity certificate
962 contains the expected public key.";
964 nacm:default-deny-write;
965 type end-entity-cert-cms;
967 "The binary certificate data for this certificate.";
969 uses certificate-expiration-grouping;
974 grouping generate-csr-grouping {
976 "Defines the 'generate-csr' action.";
977 action generate-csr {
978 if-feature "csr-generation";
979 nacm:default-deny-all;
981 "Generates a certificate signing request structure for
982 the associated asymmetric key using the passed subject
983 and attribute values.
985 This action statement is only available when the
986 associated 'public-key-format' node's value is
987 'subject-public-key-info-format'.";
990 Representation and Verification of Domain-Based
991 Application Service Identity within Internet Public Key
992 Infrastructure Using X.509 (PKIX) Certificates in the
993 Context of Transport Layer Security (TLS)";
1001 "Specifies the format for the returned certificate.";
1007 "A CertificationRequestInfo structure, as defined in
1010 Enables the client to provide a fully-populated
1011 CertificationRequestInfo structure that the server
1012 only needs to sign in order to generate the complete
1013 'CertificationRequest' structure to return in the
1016 The 'AlgorithmIdentifier' field contained inside
1017 the 'SubjectPublicKeyInfo' field MUST be one known
1018 to be supported by the device.";
1021 PKCS #10: Certification Request Syntax Specification
1023 YANG Data Types and Groupings for Cryptography";
1030 "A choice amongst certificate signing request formats.
1031 Additional formats MAY be augmented into this 'choice'
1032 statement by future efforts.";
1037 "A CertificationRequest, as defined in RFC 2986.";
1040 "A CertificationRequest, as defined in RFC 2986.";
1043 PKCS #10: Certification Request Syntax Specification
1045 YANG Data Types and Groupings for Cryptography";
1050 } // generate-csr-grouping
1052 grouping asymmetric-key-pair-with-cert-grouping {
1054 "A private/public key pair and an associated certificate.
1055 Implementations SHOULD assert that the certificate contains
1056 the matching public key.";
1057 uses asymmetric-key-pair-grouping;
1058 uses end-entity-cert-grouping;
1059 uses generate-csr-grouping;
1060 } // asymmetric-key-pair-with-cert-grouping
1062 grouping asymmetric-key-pair-with-certs-grouping {
1064 "A private/public key pair and a list of associated
1065 certificates. Implementations SHOULD assert that
1066 certificates contain the matching public key.";
1067 uses asymmetric-key-pair-grouping;
1068 container certificates {
1069 nacm:default-deny-write;
1071 "Certificates associated with this asymmetric key.";
1075 "A certificate for this asymmetric key.";
1079 "An arbitrary name for the certificate.";
1081 uses end-entity-cert-grouping {
1082 refine "cert-data" {
1088 uses generate-csr-grouping;
1089 } // asymmetric-key-pair-with-certs-grouping