+++ /dev/null
-module ietf-keystore {
- yang-version 1.1;
- namespace "urn:ietf:params:xml:ns:yang:ietf-keystore";
- prefix ks;
-
- import ietf-netconf-acm {
- prefix nacm;
- reference
- "RFC 8341: Network Configuration Access Control Model";
- }
-
- import ietf-crypto-types {
- prefix ct;
- reference
- "RFC AAAA: YANG Data Types and Groupings for Cryptography";
- }
-
- organization
- "IETF NETCONF (Network Configuration) Working Group";
-
- contact
- "WG Web: https://datatracker.ietf.org/wg/netconf
- WG List: NETCONF WG list <mailto:netconf@ietf.org>
- Author: Kent Watsen <mailto:kent+ietf@watsen.net>";
-
- description
- "This module defines a 'keystore' to centralize management
- of security credentials.
-
- Copyright (c) 2022 IETF Trust and the persons identified
- as authors of the code. All rights reserved.
-
- Redistribution and use in source and binary forms, with
- or without modification, is permitted pursuant to, and
- subject to the license terms contained in, the Revised
- BSD License set forth in Section 4.c of the IETF Trust's
- Legal Provisions Relating to IETF Documents
- (https://trustee.ietf.org/license-info).
-
- This version of this YANG module is part of RFC CCCC
- (https://www.rfc-editor.org/info/rfcCCCC); see the RFC
- itself for full legal notices.
-
- The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
- 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
- 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
- are to be interpreted as described in BCP 14 (RFC 2119)
- (RFC 8174) when, and only when, they appear in all
- capitals, as shown here.";
-
- revision 2022-12-12 {
- description
- "Initial version";
- reference
- "RFC CCCC: A YANG Data Model for a Keystore";
- }
-
- /****************/
- /* Features */
- /****************/
-
- feature central-keystore-supported {
- description
- "The 'central-keystore-supported' feature indicates that
- the server supports the keystore (i.e., implements the
- 'ietf-keystore' module).";
- }
-
- feature local-definitions-supported {
- description
- "The 'local-definitions-supported' feature indicates that
- the server supports locally-defined keys.";
- }
-
- feature asymmetric-keys {
- description
- "The 'asymmetric-keys' feature indicates that the server
- implements the /keystore/asymmetric-keys subtree.";
-
- }
-
- feature symmetric-keys {
- description
- "The 'symmetric-keys' feature indicates that the server
- implements the /keystore/symmetric-keys subtree.";
- }
-
- /****************/
- /* Typedefs */
- /****************/
-
- typedef symmetric-key-ref {
- type leafref {
- path "/ks:keystore/ks:symmetric-keys/ks:symmetric-key"
- + "/ks:name";
- }
- description
- "This typedef enables modules to easily define a reference
- to a symmetric key stored in the keystore, when this
- module is implemented.";
- }
-
- typedef asymmetric-key-ref {
- type leafref {
- path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
- + "/ks:name";
- }
- description
- "This typedef enables modules to easily define a reference
- to an asymmetric key stored in the keystore, when this
- module is implemented.";
- }
-
- /*****************/
- /* Groupings */
- /*****************/
-
- grouping encrypted-by-choice-grouping {
- description
- "A grouping that defines a 'choice' statement that can be
- augmented into the 'encrypted-by' node, present in the
- 'symmetric-key-grouping' and 'asymmetric-key-pair-grouping'
- groupings defined in RFC AAAA, enabling references to keys
- in the keystore, when this module is implemented.";
- choice encrypted-by-choice {
- nacm:default-deny-write;
- mandatory true;
- description
- "A choice amongst other symmetric or asymmetric keys.";
- case symmetric-key-ref {
- if-feature "central-keystore-supported";
- if-feature "symmetric-keys";
- leaf symmetric-key-ref {
- type ks:symmetric-key-ref;
- description
- "Identifies the symmetric key used to encrypt the
- associated key.";
- }
- }
- case asymmetric-key-ref {
- if-feature "central-keystore-supported";
- if-feature "asymmetric-keys";
- leaf asymmetric-key-ref {
- type ks:asymmetric-key-ref;
- description
- "Identifies the asymmetric key whose public key
- encrypted the associated key.";
- }
- }
- }
- }
-
- grouping asymmetric-key-certificate-ref-grouping {
- description
- "This grouping defines a reference to a specific certificate
- associated with an asymmetric key stored in the keystore,
- when this module is implemented.";
- leaf asymmetric-key {
- nacm:default-deny-write;
- if-feature "central-keystore-supported";
- if-feature "asymmetric-keys";
- type ks:asymmetric-key-ref;
- must '../certificate';
- description
- "A reference to an asymmetric key in the keystore.";
- }
- leaf certificate {
- nacm:default-deny-write;
- type leafref {
- path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
- + "[ks:name = current()/../asymmetric-key]/"
- + "ks:certificates/ks:certificate/ks:name";
- }
- must '../asymmetric-key';
- description
- "A reference to a specific certificate of the
- asymmetric key in the keystore.";
- }
- }
-
- // local-or-keystore-* groupings
-
- grouping local-or-keystore-symmetric-key-grouping {
- description
- "A grouping that expands to allow the symmetric key to be
- either stored locally, i.e., within the using data model,
- or a reference to a symmetric key stored in the keystore.
-
- Servers that do not 'implement' this module, and hence
- 'central-keystore-supported' is not defined, SHOULD
- augment in custom 'case' statements enabling references
- to the alternate keystore locations.";
- choice local-or-keystore {
- nacm:default-deny-write;
- mandatory true;
- description
- "A choice between an inlined definition and a definition
- that exists in the keystore.";
- case local {
- if-feature "local-definitions-supported";
- container local-definition {
- description
- "Container to hold the local key definition.";
- uses ct:symmetric-key-grouping;
- }
- }
- case keystore {
- if-feature "central-keystore-supported";
- if-feature "symmetric-keys";
- leaf keystore-reference {
- type ks:symmetric-key-ref;
- description
- "A reference to an symmetric key that exists in
- the keystore, when this module is implemented.";
- }
- }
- }
- }
- grouping local-or-keystore-asymmetric-key-grouping {
- description
- "A grouping that expands to allow the asymmetric key to be
- either stored locally, i.e., within the using data model,
- or a reference to an asymmetric key stored in the keystore.
-
- Servers that do not 'implement' this module, and hence
- 'central-keystore-supported' is not defined, SHOULD
- augment in custom 'case' statements enabling references
- to the alternate keystore locations.";
- choice local-or-keystore {
- nacm:default-deny-write;
- mandatory true;
- description
- "A choice between an inlined definition and a definition
- that exists in the keystore.";
- case local {
- if-feature "local-definitions-supported";
- container local-definition {
- description
- "Container to hold the local key definition.";
- uses ct:asymmetric-key-pair-grouping;
- }
- }
- case keystore {
- if-feature "central-keystore-supported";
- if-feature "asymmetric-keys";
- leaf keystore-reference {
- type ks:asymmetric-key-ref;
- description
- "A reference to an asymmetric key that exists in
- the keystore, when this module is implemented. The
- intent is to reference just the asymmetric key
- without any regard for any certificates that may
- be associated with it.";
- }
- }
- }
- }
-
- grouping local-or-keystore-asymmetric-key-with-certs-grouping {
- description
- "A grouping that expands to allow an asymmetric key and
- its associated certificates to be either stored locally,
- i.e., within the using data model, or a reference to an
- asymmetric key (and its associated certificates) stored
- in the keystore.
-
- Servers that do not 'implement' this module, and hence
- 'central-keystore-supported' is not defined, SHOULD
- augment in custom 'case' statements enabling references
- to the alternate keystore locations.";
- choice local-or-keystore {
- nacm:default-deny-write;
- mandatory true;
- description
- "A choice between an inlined definition and a definition
- that exists in the keystore.";
- case local {
- if-feature "local-definitions-supported";
- container local-definition {
- description
- "Container to hold the local key definition.";
- uses ct:asymmetric-key-pair-with-certs-grouping;
- }
- }
- case keystore {
- if-feature "central-keystore-supported";
- if-feature "asymmetric-keys";
- leaf keystore-reference {
- type ks:asymmetric-key-ref;
- description
- "A reference to an asymmetric-key (and all of its
- associated certificates) in the keystore, when
- this module is implemented.";
- }
- }
- }
- }
-
- grouping local-or-keystore-end-entity-cert-with-key-grouping {
- description
- "A grouping that expands to allow an end-entity certificate
- (and its associated asymmetric key pair) to be either stored
- locally, i.e., within the using data model, or a reference
- to a specific certificate in the keystore.
-
- Servers that do not 'implement' this module, and hence
- 'central-keystore-supported' is not defined, SHOULD
- augment in custom 'case' statements enabling references
- to the alternate keystore locations.";
- choice local-or-keystore {
- nacm:default-deny-write;
- mandatory true;
- description
- "A choice between an inlined definition and a definition
- that exists in the keystore.";
- case local {
- if-feature "local-definitions-supported";
- container local-definition {
- description
- "Container to hold the local key definition.";
- uses ct:asymmetric-key-pair-with-cert-grouping;
- }
- }
- case keystore {
- if-feature "central-keystore-supported";
- if-feature "asymmetric-keys";
- container keystore-reference {
- uses asymmetric-key-certificate-ref-grouping;
- description
- "A reference to a specific certificate associated with
- an asymmetric key stored in the keystore, when this
- module is implemented.";
- }
- }
- }
- }
-
- grouping keystore-grouping {
- description
- "Grouping definition enables use in other contexts. If ever
- done, implementations MUST augment new 'case' statements
- into the various local-or-keystore 'choice' statements to
- supply leafrefs to the model-specific location(s).";
- container asymmetric-keys {
- nacm:default-deny-write;
- if-feature "asymmetric-keys";
- description
- "A list of asymmetric keys.";
- list asymmetric-key {
- key "name";
- description
- "An asymmetric key.";
- leaf name {
- type string;
- description
- "An arbitrary name for the asymmetric key.";
- }
- uses ct:asymmetric-key-pair-with-certs-grouping;
- }
- }
- container symmetric-keys {
- nacm:default-deny-write;
- if-feature "symmetric-keys";
- description
- "A list of symmetric keys.";
- list symmetric-key {
- key "name";
- description
- "A symmetric key.";
- leaf name {
- type string;
- description
- "An arbitrary name for the symmetric key.";
- }
- uses ct:symmetric-key-grouping;
- }
- }
- }
-
- /*********************************/
- /* Protocol accessible nodes */
- /*********************************/
-
- container keystore {
- if-feature central-keystore-supported;
- description
- "A central keystore containing a list of symmetric keys and
- a list of asymmetric keys.";
- nacm:default-deny-write;
- uses keystore-grouping {
- augment "symmetric-keys/symmetric-key/key-type/encrypted-key/"
- + "encrypted-key/encrypted-by" {
- description
- "Augments in a choice statement enabling the encrypting
- key to be any other symmetric or asymmetric key in the
- central keystore.";
- uses encrypted-by-choice-grouping;
- }
- augment "asymmetric-keys/asymmetric-key/private-key-type/"
- + "encrypted-private-key/encrypted-private-key/"
- + "encrypted-by" {
- description
- "Augments in a choice statement enabling the encrypting
- key to be any other symmetric or asymmetric key in the
- central keystore.";
- uses encrypted-by-choice-grouping;
- }
- }
- }
-}