Refresh IETF client/server models
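similarity index 83%
rename from transport/transport-tls/src/main/yang/ietf-tls-server@2023-04-17.yang
rename to transport/transport-tls/src/main/yang/ietf-tls-server@2023-12-28.yang
index 70db15024a259313f177a0fd9552a6a7c3072799..4b33cf3b161c63c1350f6466c8f9003a7c096f48 100644
--- a/transport/transport-tls/src/main/yang/ietf-tls-server@2023-04-17.yang
+++ b/transport/transport-tls/src/main/yang/ietf-tls-server@2023-12-28.yang
@@ -67,7 +67,7 @@ module ietf-tls-server {
      (RFC 8174) when, and only when, they appear in all
      capitals, as shown here.";
 
-  revision 2023-04-17 {
+  revision 2023-12-28 {
     description
       "Initial version";
     reference
@@ -103,6 +103,7 @@ module ietf-tls-server {
   }
 
   feature server-ident-tls12-psk {
+    if-feature "tlscmn:tls12";
     description
       "Indicates that the server supports identifying itself
        using TLS-1.2 PSKs (pre-shared or pairwise-symmetric keys).";
@@ -113,6 +114,7 @@ module ietf-tls-server {
   }
 
   feature server-ident-tls13-epsk {
+    if-feature "tlscmn:tls13";
     description
       "Indicates that the server supports identifying itself
        using TLS-1.3 External PSKs (pre-shared keys).";
@@ -213,14 +215,15 @@ module ietf-tls-server {
               "ks:inline-or-keystore-end-entity-cert-with-key-"
               + "grouping" {
               refine "inline-or-keystore/inline/inline-definition" {
-                must 'derived-from-or-self(public-key-format,'
-                   + ' "ct:subject-public-key-info-format")';
+                must 'not(public-key-format) or derived-from-or-self'
+                   + '(public-key-format,' + ' "ct:subject-public-'
+                   + 'key-info-format")';
               }
-              refine "inline-or-keystore/keystore/keystore-reference"
-                   + "/asymmetric-key" {
-                must 'derived-from-or-self(deref(.)/../ks:public-'
-                   + 'key-format, "ct:subject-public-key-info-'
-                   + 'format")';
+              refine "inline-or-keystore/central-keystore/"
+                   + "central-keystore-reference/asymmetric-key" {
+                must 'not(deref(.)/../ks:public-key-format) or '
+                   + 'derived-from-or-self(deref(.)/../ks:public-key'
+                   + '-format, "ct:subject-public-key-info-format")';
               }
             }
           }
@@ -233,14 +236,15 @@ module ietf-tls-server {
                private key.";
             uses ks:inline-or-keystore-asymmetric-key-grouping {
               refine "inline-or-keystore/inline/inline-definition" {
-                must 'derived-from-or-self(public-key-format,'
-                   + ' "ct:subject-public-key-info-format")';
+                must 'not(public-key-format) or derived-from-or-self'
+                   + '(public-key-format,' + ' "ct:subject-public-'
+                   + 'key-info-format")';
               }
-              refine
-                "inline-or-keystore/keystore/keystore-reference" {
-                must 'derived-from-or-self(deref(.)/../ks:public-'
-                   + 'key-format, "ct:subject-public-key-info-'
-                   + 'format")';
+              refine "inline-or-keystore/central-keystore/"
+                   + "central-keystore-reference" {
+                must 'not(deref(.)/../ks:public-key-format) or '
+                   + 'derived-from-or-self(deref(.)/../ks:public-key'
+                   + '-format, "ct:subject-public-key-info-format")';
               }
             }
           }
@@ -252,7 +256,7 @@ module ietf-tls-server {
               "Specifies the server identity using a PSK (pre-shared
                or pairwise-symmetric key).";
             uses ks:inline-or-keystore-symmetric-key-grouping;
-            leaf id_hint {
+            leaf id-hint {
               type string;
               description
                 "The key 'psk_identity_hint' value used in the TLS
@@ -276,41 +280,39 @@ module ietf-tls-server {
                identity and the KDF hash algorithm to be used
                with the PSK MUST also be provisioned.
 
-               The structure of this container is designed
-               to satisfy the requirements of RFC 8446
-               Section 4.2.11, the recommendations from
-               I-D ietf-tls-external-psk-guidance Section 6,
-               and the EPSK input fields detailed in
-               I-D draft-ietf-tls-external-psk-importer
-               Section 3.1.  The base-key is based upon
-               ks:inline-or-keystore-symmetric-key-grouping
+               The structure of this container is designed to
+               satisfy the requirements of RFC 8446 Section
+               4.2.11, the recommendations from Section 6 in
+               RFC 9257, and the EPSK input fields detailed in
+               Section 5.1 in RFC 9258.  The base-key is based
+               upon ks:inline-or-keystore-symmetric-key-grouping
                in order to provide users with flexible and
                secure storage options.";
             reference
               "RFC 8446: The Transport Layer Security (TLS)
                          Protocol Version 1.3
-               I-D.ietf-tls-external-psk-importer: Importing
-                         External PSKs for TLS
-               I-D.ietf-tls-external-psk-guidance: Guidance
-                         for External PSK Usage in TLS";
+               RFC 9257: Guidance for External Pre-Shared Key
+                         (PSK) Usage in TLS
+               RFC 9258: Importing External Pre-Shared Keys
+                         (PSKs) for TLS 1.3";
             uses ks:inline-or-keystore-symmetric-key-grouping;
             leaf external-identity {
               type string;
               mandatory true;
               description
                 "As per Section 4.2.11 of RFC 8446, and Section 4.1
-                 of I-D. ietf-tls-external-psk-guidance: A sequence
-                 of bytes used to identify an EPSK. A label for a
-                 pre-shared key established externally.";
+                 of RFC 9257, a sequence of bytes used to identify
+                 an EPSK. A label for a pre-shared key established
+                 externally.";
               reference
                 "RFC 8446: The Transport Layer Security (TLS)
                            Protocol Version 1.3
-                 I-D.ietf-tls-external-psk-guidance:
-                           Guidance for External PSK Usage in TLS";
+                 RFC 9257: Guidance for External Pre-Shared Key
+                           (PSK) Usage in TLS";
             }
             leaf hash {
               type tlscmn:epsk-supported-hash;
-              mandatory true;
+              default sha-256;
               description
                 "As per Section 4.2.11 of RFC 8446, for externally
                  established PSKs, the Hash algorithm MUST be set
@@ -326,41 +328,38 @@ module ietf-tls-server {
             leaf context {
               type string;
               description
-                "As per Section 4.1 of I-D.
-                 ietf-tls-external-psk-guidance: Context
-                 may include information about peer roles or
-                 identities to mitigate Selfie-style reflection
-                 attacks [Selfie].  If the EPSK is a key derived
-                 from some other protocol or sequence of protocols,
-                 context MUST include a channel binding for the
-                 deriving protocols [RFC5056].  The details of
-                 this binding are protocol specific.";
+                "Per Section 5.1 of RFC 9258, context MUST include
+                 the context used to determine the EPSK, if
+                 any exists. For example, context may include
+                 information about peer roles or identities
+                 to mitigate Selfie-style reflection attacks.
+                 Since the EPSK is a key derived from an external
+                 protocol or sequence of protocols, context MUST
+                 include a channel binding for the deriving
+                 protocols [RFC5056].  The details of this
+                 binding are protocol specfic and out of scope
+                 for this document.";
               reference
-                "I-D.ietf-tls-external-psk-importer:
-                           Importing External PSKs for TLS
-                 I-D.ietf-tls-external-psk-guidance:
-                           Guidance for External PSK Usage in TLS";
+                "RFC 9258: Importing External Pre-Shared Keys
+                           (PSKs) for TLS 1.3";
             }
             leaf target-protocol {
               type uint16;
               description
-                "As per Section 3.1 of I-D.
-                 ietf-tls-external-psk-guidance: The protocol
+                "As per Section 3.1 of RFC 9258, the protocol
                  for which a PSK is imported for use.";
               reference
-                "I-D.ietf-tls-external-psk-importer:
-                           Importing External PSKs for TLS";
+                "RFC 9258: Importing External Pre-Shared Keys
+                           (PSKs) for TLS 1.3";
             }
             leaf target-kdf {
               type uint16;
               description
-                "As per Section 3.1 of I-D.
-                 ietf-tls-external-psk-guidance: The specific Key
-                 Derivation Function (KDF) for which a PSK is
-                 imported for use.";
+                "As per Section 3 of RFC 9258, the KDF for
+                 which a PSK is imported for use.";
               reference
-                "I-D.ietf-tls-external-psk-importer:
-                           Importing External PSKs for TLS";
+                "RFC 9258: Importing External Pre-Shared Keys
+                           (PSKs) for TLS 1.3";
             }
           }
         }
@@ -435,8 +434,8 @@ module ietf-tls-server {
             must 'derived-from-or-self(public-key-format,'
                + ' "ct:subject-public-key-info-format")';
           }
-          refine "inline-or-truststore/truststore/truststore-"
-               + "reference" {
+          refine "inline-or-truststore/central-truststore/"
+               + "central-truststore-reference" {
             must 'not(deref(.)/../ts:public-key/ts:public-key-'
                + 'format[not(derived-from-or-self(., "ct:subject-'
                + 'public-key-info-format"))])';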
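Review bot: In the `@@ -276,41 +280,39 @@` hunk `leaf hash` changes from `mandatory true;` to `default sha-256;`, so an EPSK entry that omits the hash is now accepted and silently bound to SHA-256 instead of being rejected, while the description that follows still states that the Hash algorithm MUST be set; a mismatch between the defaulted value and the algorithm the key was provisioned with will only surface as a failed handshake. The text is imported verbatim from the IETF draft, so the module itself should not be edited, but the code that consumes this leaf (outside this diff) should treat an absent `hash` as an explicit SHA-256 selection and make that visible in its configuration logging, and the changed default should be called out in the release notes. The same section also renames `leaf id_hint` to `leaf id-hint` (`@@ -252,7 +256,7 @@`) and moves the keystore and truststore reference paths to `central-keystore-reference`/`central-truststore-reference` (`@@ -213,14 +215,15 @@`, `@@ -233,14 +236,15 @@`, `@@ -435,8 +434,8 @@`), which invalidates any stored configuration or client payload written against the 2023-04-17 revision and warrants a migration note. The new `if-feature "tlscmn:tls12"` / `if-feature "tlscmn:tls13"` statements presumably rely on the ietf-tls-common module refreshed in the same commit defining those features; worth confirming the two modules were updated together.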