1 module ietf-truststore {
3 namespace "urn:ietf:params:xml:ns:yang:ietf-truststore";
6 import ietf-netconf-acm {
9 "RFC 8341: Network Configuration Access Control Model";
12 import ietf-crypto-types {
15 "RFC AAAA: YANG Data Types and Groupings for Cryptography";
19 "IETF NETCONF (Network Configuration) Working Group";
22 "WG Web : https://datatracker.ietf.org/wg/netconf
23 WG List : NETCONF WG list <mailto:netconf@ietf.org>
24 Author : Kent Watsen <kent+ietf@watsen.net>";
27 "This module defines a 'truststore' to centralize management
28 of trust anchors including certificates and public keys.
30 Copyright (c) 2023 IETF Trust and the persons identified
31 as authors of the code. All rights reserved.
33 Redistribution and use in source and binary forms, with
34 or without modification, is permitted pursuant to, and
35 subject to the license terms contained in, the Revised
36 BSD License set forth in Section 4.c of the IETF Trust's
37 Legal Provisions Relating to IETF Documents
38 (https://trustee.ietf.org/license-info).
40 This version of this YANG module is part of RFC BBBB
41 (https://www.rfc-editor.org/info/rfcBBBB); see the RFC
42 itself for full legal notices.
44 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
45 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
46 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
47 are to be interpreted as described in BCP 14 (RFC 2119)
48 (RFC 8174) when, and only when, they appear in all
49 capitals, as shown here.";
55 "RFC BBBB: A YANG Data Model for a Truststore";
// A server that does not advertise this feature has no /truststore
// subtree at all; the inline-or-truststore groupings below then offer
// only their inline case unless the using model augments in a case
// of its own (see their descriptions).
62 feature central-truststore-supported {
64 "The 'central-truststore-supported' feature indicates that
65 the server supports the truststore (i.e., implements the
66 'ietf-truststore' module).";
// Gates the 'inline-definition' case of the inline-or-truststore
// choices: trust anchors configured inside the using data model
// rather than under the central /truststore.
69 feature inline-definitions-supported {
71 "The 'inline-definitions-supported' feature indicates that
72 the server supports locally-defined trust anchors.";
// Gates /truststore/certificate-bags and, through the if-feature on
// each referencing leaf, every leafref that targets that subtree.
75 feature certificates {
77 "The 'certificates' feature indicates that the server
78 implements the /truststore/certificate-bags subtree.";
83 "The 'public-keys' feature indicates that the server
84 implements the /truststore/public-key-bags subtree.";
// Leafref into the central truststore: a value must name a bag that
// exists at validation time, so a mistyped bag name is a validation
// error rather than a silently unbound trust anchor.
91 typedef certificate-bag-ref {
93 path "/ts:truststore/ts:certificate-bags/"
94 + "ts:certificate-bag/ts:name";
97 "This typedef defines a reference to a certificate bag
98 in the central truststore.";
// The path predicate scopes the lookup to the bag named by the sibling
// 'certificate-bag' leaf, so a certificate name is resolved inside that
// bag only and can never match a same-named entry in another bag.
101 typedef certificate-ref {
103 path "/ts:truststore/ts:certificate-bags/ts:certificate-bag"
104 + "[ts:name = current()/../certificate-bag]/"
105 + "ts:certificate/ts:name";
108 "This typedef defines a reference to a specific certificate
109 in a certificate bag in the central truststore. This typedef
110 requires that there exist a sibling 'leaf' node called
111 'certificate-bag' that SHOULD have the typedef
112 'certificate-bag-ref'.";
// Leafref into the central truststore: the named public-key bag must
// exist at validation time; an unknown name is rejected, not ignored.
115 typedef public-key-bag-ref {
117 path "/ts:truststore/ts:public-key-bags/"
118 + "ts:public-key-bag/ts:name";
121 "This typedef defines a reference to a public key bag
122 in the central truststore.";
// As with certificate-ref, the predicate reads the sibling
// 'public-key-bag' leaf, so the key name resolves only within that bag.
// If the sibling is absent the predicate matches nothing and the
// reference cannot resolve.
125 typedef public-key-ref {
127 path "/ts:truststore/ts:public-key-bags/ts:public-key-bag"
128 + "[ts:name = current()/../public-key-bag]/"
129 + "ts:public-key/ts:name";
132 "This typedef defines a reference to a specific public key
133 in a public key bag in the truststore. This typedef
134 requires that there exist a sibling 'leaf' node called
135 'public-key-bag' that SHOULD have the typedef
136 'public-key-bag-ref'.";
145 grouping certificate-ref-grouping {
147 "Grouping for the reference to a certificate in a
148 certificate-bag in the central truststore.";
// The two 'must' statements below make the bag and the certificate
// references configurable only as a pair: a bag name without a
// certificate name (or the reverse) fails validation instead of
// leaving a half-specified trust reference in the config.
149 leaf certificate-bag {
150 nacm:default-deny-write;
151 if-feature "central-truststore-supported";
152 if-feature "certificates";
153 type ts:certificate-bag-ref;
154 must "../certificate";
156 "Reference to a certificate-bag in the truststore.";
159 nacm:default-deny-write;
161 // FIXME: these two lines are missing in the published model
// Without them a server implementing neither feature would still
// advertise this leaf while its leafref target subtree is absent, so
// no value could resolve. NOTE(review): this is a local deviation from
// the published module; keep it documented so the two stay comparable.
162 if-feature "central-truststore-supported";
163 if-feature "certificates";
165 type ts:certificate-ref;
166 must "../certificate-bag";
168 "Reference to a specific certificate in the
169 referenced certificate-bag.";
173 grouping public-key-ref-grouping {
175 "Grouping for the reference to a public key in a
176 public-key-bag in the central truststore.";
// NOTE(review): unlike certificate-ref-grouping, neither leaf here
// carries a 'must' requiring its sibling, so a bag reference can be
// configured without a key reference. The 'public-key' leafref still
// cannot resolve without 'public-key-bag' (its path predicate reads
// the sibling), so this is a consistency gap rather than a bypass.
177 leaf public-key-bag {
178 nacm:default-deny-write;
179 if-feature "central-truststore-supported";
180 if-feature "public-keys";
181 type ts:public-key-bag-ref;
183 "Reference to a public key bag in the truststore, e.g., a bag
184 holding the public keys used to authenticate TLS clients.";
187 nacm:default-deny-write;
189 // FIXME: these two lines are missing in the published model
190 if-feature "central-truststore-supported";
191 if-feature "public-keys";
193 type ts:public-key-ref;
195 "Reference to a specific public key in the
196 referenced public-key-bag.";
200 // inline-or-truststore-* groupings
202 grouping inline-or-truststore-certs-grouping {
204 "A grouping for the configuration of a list of certificates.
205 The list of certificate may be defined inline or as a
206 reference to a certificate bag in the central truststore.
208 Servers that do not define the 'central-truststore-supported'
209 feature SHOULD augment in custom 'case' statements enabling
210 references to alternate truststore locations.";
// The choice itself is default-deny-write: replacing the set of trust
// anchors is a privileged change whichever case is selected.
211 choice inline-or-truststore {
212 nacm:default-deny-write;
215 "A choice between an inlined definition and a definition
216 that exists in the truststore.";
// Inline case: the anchors live in the using model, not under
// /truststore. NOTE(review): an inventory of trusted CAs therefore
// has to cover every model that uses this grouping, not just the
// central truststore.
218 if-feature "inline-definitions-supported";
219 container inline-definition {
221 "A container for locally configured trust anchor
227 "A trust anchor certificate.";
231 "An arbitrary name for this certificate.";
233 uses ct:trust-anchor-cert-grouping {
// Central case: a single leafref to a whole bag; the certificates
// themselves stay under /truststore and every certificate in the bag
// is trusted by this consumer.
241 case central-truststore {
242 if-feature "central-truststore-supported";
243 if-feature "certificates";
244 leaf central-truststore-reference {
245 type ts:certificate-bag-ref;
247 "A reference to a certificate bag that exists in the
248 central truststore.";
254 grouping inline-or-truststore-public-keys-grouping {
256 "A grouping that allows the public keys to be either
257 configured locally, within the using data model, or be a
258 reference to a public key bag stored in the truststore.
260 Servers that do not define the 'central-truststore-supported'
261 feature SHOULD augment in custom 'case' statements enabling
262 references to alternate truststore locations.";
// Mirrors inline-or-truststore-certs-grouping for raw public keys;
// the choice is default-deny-write for the same reason.
263 choice inline-or-truststore {
264 nacm:default-deny-write;
267 "A choice between an inlined definition and a definition
268 that exists in the truststore.";
// Inline case: keys configured in the using model, outside
// /truststore, so they are not seen by anyone auditing the central
// truststore alone.
270 if-feature "inline-definitions-supported";
271 container inline-definition {
273 "A container to hold local public key definitions.";
277 "A public key definition.";
281 "An arbitrary name for this public key.";
283 uses ct:public-key-grouping;
// Central case: one leafref to a whole bag; all keys in that bag are
// accepted by this consumer.
287 case central-truststore {
288 if-feature "central-truststore-supported";
289 if-feature "public-keys";
290 leaf central-truststore-reference {
291 type ts:public-key-bag-ref;
293 "A reference to a bag of public keys that exists
294 in the central truststore.";
301 // the truststore grouping
303 grouping truststore-grouping {
305 "A grouping definition that enables use in other contexts.
306 Where used, implementations MUST augment new 'case'
307 statements into the various inline-or-truststore 'choice'
308 statements to supply leafrefs to the model-specific
// The whole subtree is default-deny-write: adding a certificate to a
// bag extends what every consumer referencing that bag will trust, so
// write access requires an explicit NACM rule.
310 container certificate-bags {
311 nacm:default-deny-write;
312 if-feature "certificates";
314 "A collection of certificate bags.";
// Consumers reference a bag as a whole (certificate-bag-ref), so keep
// bags purpose-scoped as the description asks: one bag per peer set,
// not one bag holding every CA the device knows.
315 list certificate-bag {
318 "A bag of certificates. Each bag of certificates SHOULD
319 be for a specific purpose. For instance, one bag could
320 be used to authenticate a specific set of servers, while
321 another could be used to authenticate a specific set of
326 "An arbitrary name for this bag of certificates.";
331 "A description for this bag of certificates. The
332 intended purpose for the bag SHOULD be described.";
337 "A trust anchor certificate.";
341 "An arbitrary name for this certificate.";
343 uses ct:trust-anchor-cert-grouping {
// Same access posture as certificate-bags: default-deny-write, since a
// key added here is accepted by every consumer referencing the bag.
351 container public-key-bags {
352 nacm:default-deny-write;
353 if-feature "public-keys";
355 "A collection of public key bags.";
356 list public-key-bag {
359 "A bag of public keys. Each bag of keys SHOULD be for
360 a specific purpose. For instance, one bag could be used to
361 authenticate a specific set of servers, while another
362 could be used to authenticate a specific set of clients.";
366 "An arbitrary name for this bag of public keys.";
371 "A description for this bag of public keys. The
372 intended purpose for the bag SHOULD be described.";
381 "An arbitrary name for this public key.";
383 uses ct:public-key-grouping;
389 /*********************************/
390 /* Protocol accessible nodes */
391 /*********************************/
393 container truststore {
394 if-feature central-truststore-supported;
395 nacm:default-deny-write;
397 "The truststore contains bags of certificates and
399 uses truststore-grouping;