1 module ietf-truststore {
3 namespace "urn:ietf:params:xml:ns:yang:ietf-truststore";
6 import ietf-netconf-acm {
9 "RFC 8341: Network Configuration Access Control Model";
12 import ietf-crypto-types {
15 "RFC AAAA: YANG Data Types and Groupings for Cryptography";
19 "IETF NETCONF (Network Configuration) Working Group";
22 "WG Web : https://datatracker.ietf.org/wg/netconf
23 WG List : NETCONF WG list <mailto:netconf@ietf.org>
24 Author : Kent Watsen <kent+ietf@watsen.net>";
26 "This module defines a 'truststore' to centralize management
27 of trust anchors including certificates and public keys.
29 Copyright (c) 2023 IETF Trust and the persons identified
30 as authors of the code. All rights reserved.
32 Redistribution and use in source and binary forms, with
33 or without modification, is permitted pursuant to, and
34 subject to the license terms contained in, the Revised
35 BSD License set forth in Section 4.c of the IETF Trust's
36 Legal Provisions Relating to IETF Documents
37 (https://trustee.ietf.org/license-info).
39 This version of this YANG module is part of RFC BBBB
40 (https://www.rfc-editor.org/info/rfcBBBB); see the RFC
41 itself for full legal notices.
43 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
44 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
45 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
46 are to be interpreted as described in BCP 14 (RFC 2119)
47 (RFC 8174) when, and only when, they appear in all
48 capitals, as shown here.";
54 "RFC BBBB: A YANG Data Model for a Truststore";
61 feature central-truststore-supported {
63 "The 'central-truststore-supported' feature indicates that
64 the server supports the truststore (i.e., implements the
65 'ietf-truststore' module).";
68 feature inline-definitions-supported {
70 "The 'inline-definitions-supported' feature indicates that
71 the server supports locally-defined trust anchors.";
73 feature certificates {
75 "The 'certificates' feature indicates that the server
76 implements the /truststore/certificate-bags subtree.";
81 "The 'public-keys' feature indicates that the server
82 implements the /truststore/public-key-bags subtree.";
89 typedef certificate-bag-ref {
91 path "/ts:truststore/ts:certificate-bags/"
92 + "ts:certificate-bag/ts:name";
95 "This typedef defines a reference to a certificate bag
96 in the truststore, when this module is implemented.";
99 typedef certificate-ref {
101 path "/ts:truststore/ts:certificate-bags/ts:certificate-bag"
102 + "[ts:name = current()/../ts:certificate-bag]/"
103 + "ts:certificate/ts:name";
106 "This typedef defines a reference to a specific certificate
107 in a certificate bag in the truststore, when this module
108 is implemented. This typedef requires that there exist a
109 sibling 'leaf' node called 'certificate-bag' that SHOULD
110 have the typedef 'certificate-bag-ref'.";
113 typedef public-key-bag-ref {
115 path "/ts:truststore/ts:public-key-bags/"
116 + "ts:public-key-bag/ts:name";
119 "This typedef defines a reference to a public key bag
120 in the truststore, when this module is implemented.";
123 typedef public-key-ref {
125 path "/ts:truststore/ts:public-key-bags/ts:public-key-bag"
126 + "[ts:name = current()/../ts:public-key-bag]/"
127 + "ts:public-key/ts:name";
130 "This typedef defines a reference to a specific public key
131 in a public key bag in the truststore, when this module is
132 implemented. This typedef requires that there exist a
133 sibling 'leaf' node called 'public-key-bag' that SHOULD
134 have the typedef 'public-key-bag-ref'.";
141 grouping inline-or-truststore-certs-grouping {
143 "A grouping that allows the certificates to be either
144 configured locally, within the using data model, or be a
145 reference to a certificate bag stored in the truststore.
147 Servers that do not 'implement' this module, and hence
148 'central-truststore-supported' is not defined, SHOULD
149 augment in custom 'case' statements enabling references
150 to the alternate truststore locations.";
151 choice inline-or-truststore {
152 nacm:default-deny-write;
155 "A choice between an inlined definition and a definition
156 that exists in the truststore.";
158 if-feature "inline-definitions-supported";
159 container inline-definition {
161 "A container for locally configured trust anchor
167 "A trust anchor certificate.";
171 "An arbitrary name for this certificate.";
173 uses ct:trust-anchor-cert-grouping {
182 if-feature "central-truststore-supported";
183 if-feature "certificates";
184 leaf truststore-reference {
185 type ts:certificate-bag-ref;
187 "A reference to a certificate bag that exists in the
188 truststore, when this module is implemented.";
194 grouping inline-or-truststore-public-keys-grouping {
196 "A grouping that allows the public keys to be either
197 configured locally, within the using data model, or be a
198 reference to a public key bag stored in the truststore.
200 Servers that do not 'implement' this module, and hence
201 'central-truststore-supported' is not defined, SHOULD
202 augment in custom 'case' statements enabling references
203 to the alternate truststore locations.";
204 choice inline-or-truststore {
205 nacm:default-deny-write;
208 "A choice between an inlined definition and a definition
209 that exists in the truststore.";
211 if-feature "inline-definitions-supported";
212 container inline-definition {
214 "A container to hold local public key definitions.";
218 "A public key definition.";
222 "An arbitrary name for this public key.";
224 uses ct:public-key-grouping;
229 if-feature "central-truststore-supported";
230 if-feature "public-keys";
231 leaf truststore-reference {
232 type ts:public-key-bag-ref;
234 "A reference to a bag of public keys that exists
235 in the truststore, when this module is implemented.";
241 grouping truststore-grouping {
243 "A grouping definition that enables use in other contexts.
244 Where used, implementations MUST augment new 'case'
245 statements into the various inline-or-truststore 'choice'
246 statements to supply leafrefs to the model-specific
248 container certificate-bags {
249 nacm:default-deny-write;
250 if-feature "certificates";
252 "A collection of certificate bags.";
253 list certificate-bag {
256 "A bag of certificates. Each bag of certificates SHOULD
257 be for a specific purpose. For instance, one bag could
258 be used to authenticate a specific set of servers, while
259 another could be used to authenticate a specific set of
264 "An arbitrary name for this bag of certificates.";
269 "A description for this bag of certificates. The
270 intended purpose for the bag SHOULD be described.";
275 "A trust anchor certificate.";
279 "An arbitrary name for this certificate.";
281 uses ct:trust-anchor-cert-grouping {
289 container public-key-bags {
290 nacm:default-deny-write;
291 if-feature "public-keys";
293 "A collection of public key bags.";
294 list public-key-bag {
297 "A bag of public keys. Each bag of keys SHOULD be for
298 a specific purpose. For instance, one bag could be used
299 to authenticate a specific set of servers, while another
300 could be used to authenticate a specific set of clients.";
304 "An arbitrary name for this bag of public keys.";
309 "A description for this bag of public keys. The
310 intended purpose for the bag SHOULD be described.";
319 "An arbitrary name for this public key.";
321 uses ct:public-key-grouping;
327 /*********************************/
328 /* Protocol accessible nodes */
329 /*********************************/
331 container truststore {
332 if-feature central-truststore-supported;
333 nacm:default-deny-write;
335 "The truststore contains bags of certificates and
337 uses truststore-grouping;