--- /dev/null
+module ietf-keystore {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-keystore";
+ prefix ks;
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ import ietf-crypto-types {
+ prefix ct;
+ reference
+ "RFC AAAA: YANG Data Types and Groupings for Cryptography";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: https://datatracker.ietf.org/wg/netconf
+ WG List: NETCONF WG list <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>";
+
+ description
+ "This module defines a 'keystore' to centralize management
+ of security credentials.
+
+ Copyright (c) 2022 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC CCCC
+ (https://www.rfc-editor.org/info/rfcCCCC); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2022-12-12 {
+ description
+ "Initial version";
+ reference
+ "RFC CCCC: A YANG Data Model for a Keystore";
+ }
+
+ /****************/
+ /* Features */
+ /****************/
+
+ feature central-keystore-supported {
+ description
+ "The 'central-keystore-supported' feature indicates that
+ the server supports the keystore (i.e., implements the
+ 'ietf-keystore' module).";
+ }
+
+ feature local-definitions-supported {
+ description
+ "The 'local-definitions-supported' feature indicates that
+ the server supports locally-defined keys.";
+ }
+
+ feature asymmetric-keys {
+ description
+ "The 'asymmetric-keys' feature indicates that the server
+ implements the /keystore/asymmetric-keys subtree.";
+
+ }
+
+ feature symmetric-keys {
+ description
+ "The 'symmetric-keys' feature indicates that the server
+ implements the /keystore/symmetric-keys subtree.";
+ }
+
+ /****************/
+ /* Typedefs */
+ /****************/
+
+ typedef symmetric-key-ref {
+ type leafref {
+ path "/ks:keystore/ks:symmetric-keys/ks:symmetric-key"
+ + "/ks:name";
+ }
+ description
+ "This typedef enables modules to easily define a reference
+ to a symmetric key stored in the keystore, when this
+ module is implemented.";
+ }
+
+ typedef asymmetric-key-ref {
+ type leafref {
+ path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
+ + "/ks:name";
+ }
+ description
+ "This typedef enables modules to easily define a reference
+ to an asymmetric key stored in the keystore, when this
+ module is implemented.";
+ }
+
+ /*****************/
+ /* Groupings */
+ /*****************/
+
+ grouping encrypted-by-choice-grouping {
+ description
+ "A grouping that defines a 'choice' statement that can be
+ augmented into the 'encrypted-by' node, present in the
+ 'symmetric-key-grouping' and 'asymmetric-key-pair-grouping'
+ groupings defined in RFC AAAA, enabling references to keys
+ in the keystore, when this module is implemented.";
+ choice encrypted-by-choice {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "A choice amongst other symmetric or asymmetric keys.";
+ case symmetric-key-ref {
+ if-feature "central-keystore-supported";
+ if-feature "symmetric-keys";
+ leaf symmetric-key-ref {
+ type ks:symmetric-key-ref;
+ description
+ "Identifies the symmetric key used to encrypt the
+ associated key.";
+ }
+ }
+ case asymmetric-key-ref {
+ if-feature "central-keystore-supported";
+ if-feature "asymmetric-keys";
+ leaf asymmetric-key-ref {
+ type ks:asymmetric-key-ref;
+ description
+ "Identifies the asymmetric key whose public key
+ encrypted the associated key.";
+ }
+ }
+ }
+ }
+
+ grouping asymmetric-key-certificate-ref-grouping {
+ description
+ "This grouping defines a reference to a specific certificate
+ associated with an asymmetric key stored in the keystore,
+ when this module is implemented.";
+ leaf asymmetric-key {
+ nacm:default-deny-write;
+ if-feature "central-keystore-supported";
+ if-feature "asymmetric-keys";
+ type ks:asymmetric-key-ref;
+ must '../certificate';
+ description
+ "A reference to an asymmetric key in the keystore.";
+ }
+ leaf certificate {
+ nacm:default-deny-write;
+ type leafref {
+ path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
+ + "[ks:name = current()/../asymmetric-key]/"
+ + "ks:certificates/ks:certificate/ks:name";
+ }
+ must '../asymmetric-key';
+ description
+ "A reference to a specific certificate of the
+ asymmetric key in the keystore.";
+ }
+ }
+
+ // local-or-keystore-* groupings
+
+ grouping local-or-keystore-symmetric-key-grouping {
+ description
+ "A grouping that expands to allow the symmetric key to be
+ either stored locally, i.e., within the using data model,
+ or a reference to a symmetric key stored in the keystore.
+
+ Servers that do not 'implement' this module, and hence
+ 'central-keystore-supported' is not defined, SHOULD
+ augment in custom 'case' statements enabling references
+ to the alternate keystore locations.";
+ choice local-or-keystore {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "A choice between an inlined definition and a definition
+ that exists in the keystore.";
+ case local {
+ if-feature "local-definitions-supported";
+ container local-definition {
+ description
+ "Container to hold the local key definition.";
+ uses ct:symmetric-key-grouping;
+ }
+ }
+ case keystore {
+ if-feature "central-keystore-supported";
+ if-feature "symmetric-keys";
+ leaf keystore-reference {
+ type ks:symmetric-key-ref;
+ description
+ "A reference to an symmetric key that exists in
+ the keystore, when this module is implemented.";
+ }
+ }
+ }
+ }
+ grouping local-or-keystore-asymmetric-key-grouping {
+ description
+ "A grouping that expands to allow the asymmetric key to be
+ either stored locally, i.e., within the using data model,
+ or a reference to an asymmetric key stored in the keystore.
+
+ Servers that do not 'implement' this module, and hence
+ 'central-keystore-supported' is not defined, SHOULD
+ augment in custom 'case' statements enabling references
+ to the alternate keystore locations.";
+ choice local-or-keystore {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "A choice between an inlined definition and a definition
+ that exists in the keystore.";
+ case local {
+ if-feature "local-definitions-supported";
+ container local-definition {
+ description
+ "Container to hold the local key definition.";
+ uses ct:asymmetric-key-pair-grouping;
+ }
+ }
+ case keystore {
+ if-feature "central-keystore-supported";
+ if-feature "asymmetric-keys";
+ leaf keystore-reference {
+ type ks:asymmetric-key-ref;
+ description
+ "A reference to an asymmetric key that exists in
+ the keystore, when this module is implemented. The
+ intent is to reference just the asymmetric key
+ without any regard for any certificates that may
+ be associated with it.";
+ }
+ }
+ }
+ }
+
+ grouping local-or-keystore-asymmetric-key-with-certs-grouping {
+ description
+ "A grouping that expands to allow an asymmetric key and
+ its associated certificates to be either stored locally,
+ i.e., within the using data model, or a reference to an
+ asymmetric key (and its associated certificates) stored
+ in the keystore.
+
+ Servers that do not 'implement' this module, and hence
+ 'central-keystore-supported' is not defined, SHOULD
+ augment in custom 'case' statements enabling references
+ to the alternate keystore locations.";
+ choice local-or-keystore {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "A choice between an inlined definition and a definition
+ that exists in the keystore.";
+ case local {
+ if-feature "local-definitions-supported";
+ container local-definition {
+ description
+ "Container to hold the local key definition.";
+ uses ct:asymmetric-key-pair-with-certs-grouping;
+ }
+ }
+ case keystore {
+ if-feature "central-keystore-supported";
+ if-feature "asymmetric-keys";
+ leaf keystore-reference {
+ type ks:asymmetric-key-ref;
+ description
+ "A reference to an asymmetric-key (and all of its
+ associated certificates) in the keystore, when
+ this module is implemented.";
+ }
+ }
+ }
+ }
+
+ grouping local-or-keystore-end-entity-cert-with-key-grouping {
+ description
+ "A grouping that expands to allow an end-entity certificate
+ (and its associated asymmetric key pair) to be either stored
+ locally, i.e., within the using data model, or a reference
+ to a specific certificate in the keystore.
+
+ Servers that do not 'implement' this module, and hence
+ 'central-keystore-supported' is not defined, SHOULD
+ augment in custom 'case' statements enabling references
+ to the alternate keystore locations.";
+ choice local-or-keystore {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "A choice between an inlined definition and a definition
+ that exists in the keystore.";
+ case local {
+ if-feature "local-definitions-supported";
+ container local-definition {
+ description
+ "Container to hold the local key definition.";
+ uses ct:asymmetric-key-pair-with-cert-grouping;
+ }
+ }
+ case keystore {
+ if-feature "central-keystore-supported";
+ if-feature "asymmetric-keys";
+ container keystore-reference {
+ uses asymmetric-key-certificate-ref-grouping;
+ description
+ "A reference to a specific certificate associated with
+ an asymmetric key stored in the keystore, when this
+ module is implemented.";
+ }
+ }
+ }
+ }
+
+ grouping keystore-grouping {
+ description
+ "Grouping definition enables use in other contexts. If ever
+ done, implementations MUST augment new 'case' statements
+ into the various local-or-keystore 'choice' statements to
+ supply leafrefs to the model-specific location(s).";
+ container asymmetric-keys {
+ nacm:default-deny-write;
+ if-feature "asymmetric-keys";
+ description
+ "A list of asymmetric keys.";
+ list asymmetric-key {
+ key "name";
+ description
+ "An asymmetric key.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the asymmetric key.";
+ }
+ uses ct:asymmetric-key-pair-with-certs-grouping;
+ }
+ }
+ container symmetric-keys {
+ nacm:default-deny-write;
+ if-feature "symmetric-keys";
+ description
+ "A list of symmetric keys.";
+ list symmetric-key {
+ key "name";
+ description
+ "A symmetric key.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the symmetric key.";
+ }
+ uses ct:symmetric-key-grouping;
+ }
+ }
+ }
+
+ /*********************************/
+ /* Protocol accessible nodes */
+ /*********************************/
+
+ container keystore {
+ if-feature central-keystore-supported;
+ description
+ "A central keystore containing a list of symmetric keys and
+ a list of asymmetric keys.";
+ nacm:default-deny-write;
+ uses keystore-grouping {
+ augment "symmetric-keys/symmetric-key/key-type/encrypted-key/"
+ + "encrypted-key/encrypted-by" {
+ description
+ "Augments in a choice statement enabling the encrypting
+ key to be any other symmetric or asymmetric key in the
+ central keystore.";
+ uses encrypted-by-choice-grouping;
+ }
+ augment "asymmetric-keys/asymmetric-key/private-key-type/"
+ + "encrypted-private-key/encrypted-private-key/"
+ + "encrypted-by" {
+ description
+ "Augments in a choice statement enabling the encrypting
+ key to be any other symmetric or asymmetric key in the
+ central keystore.";
+ uses encrypted-by-choice-grouping;
+ }
+ }
+ }
+}
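Review bot: The `encrypted-by-choice` augmented into both `encrypted-by` targets under `container keystore` lets a key name itself, or two keys name each other, as the encrypting key, because `ks:symmetric-key-ref` and `ks:asymmetric-key-ref` are unconstrained leafrefs to any `name` in the same list; such a key can never be decrypted and nothing in the module rejects it. A `must` on each case leaf excluding the enclosing key's own `name` would close the direct case, though the exact relative path depends on how the RFC AAAA groupings nest the `encrypted-by` node, which is not visible here, and the `encrypted-by-choice-grouping` description should add `Servers MUST reject a configuration in which an encrypted key references itself, directly or through a chain of encrypting keys.` Separately, `container keystore` carries only `nacm:default-deny-write`, so read protection of cleartext private and symmetric key material rests entirely on the `ct:` groupings marking those leaves `nacm:default-deny-all`; a sentence in the container's description saying so would stop implementers assuming this module hides them. Minor: `if-feature central-keystore-supported;` is the only unquoted `if-feature` argument in the file, and the `keystore-reference` description in `local-or-keystore-symmetric-key-grouping` reads `an symmetric key`.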