+++ /dev/null
-module ietf-crypto-types {
- yang-version 1.1;
- namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";
- prefix ct;
-
- import ietf-yang-types {
- prefix yang;
- reference
- "RFC 6991: Common YANG Data Types";
- }
-
- import ietf-netconf-acm {
- prefix nacm;
- reference
- "RFC 8341: Network Configuration Access Control Model";
- }
-
- organization
- "IETF NETCONF (Network Configuration) Working Group";
-
- contact
- "WG Web: https://datatracker.ietf.org/wg/netconf
- WG List: NETCONF WG list <mailto:netconf@ietf.org>
- Author: Kent Watsen <mailto:kent+ietf@watsen.net>";
-
- description
- "This module defines common YANG types for cryptographic
- applications.
-
- Copyright (c) 2023 IETF Trust and the persons identified
- as authors of the code. All rights reserved.
-
- Redistribution and use in source and binary forms, with
- or without modification, is permitted pursuant to, and
- subject to the license terms contained in, the Revised
- BSD License set forth in Section 4.c of the IETF Trust's
- Legal Provisions Relating to IETF Documents
- (https://trustee.ietf.org/license-info).
-
- This version of this YANG module is part of RFC AAAA
- (https://www.rfc-editor.org/info/rfcAAAA); see the RFC
- itself for full legal notices.
-
- The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
- 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
- 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
- are to be interpreted as described in BCP 14 (RFC 2119)
- (RFC 8174) when, and only when, they appear in all
- capitals, as shown here.";
-
- revision 2023-04-17 {
- description
- "Initial version";
- reference
- "RFC AAAA: YANG Data Types and Groupings for Cryptography";
- }
-
- /****************/
- /* Features */
- /****************/
-
- feature one-symmetric-key-format {
- description
- "Indicates that the server supports the
- 'one-symmetric-key-format' identity.";
- }
-
- feature one-asymmetric-key-format {
- description
- "Indicates that the server supports the
- 'one-asymmetric-key-format' identity.";
- }
-
- feature symmetrically-encrypted-value-format {
- description
- "Indicates that the server supports the
- 'symmetrically-encrypted-value-format' identity.";
- }
-
- feature asymmetrically-encrypted-value-format {
- description
- "Indicates that the server supports the
- 'asymmetrically-encrypted-value-format' identity.";
- }
-
- feature cms-enveloped-data-format {
- description
- "Indicates that the server supports the
- 'cms-enveloped-data-format' identity.";
- }
-
- feature cms-encrypted-data-format {
- description
- "Indicates that the server supports the
- 'cms-encrypted-data-format' identity.";
- }
- feature p10-csr-format {
- description
- "Indicates that the server implements support
- for generating P10-based CSRs, as defined
- in RFC 2986.";
- reference
- "RFC 2986: PKCS #10: Certification Request Syntax
- Specification Version 1.7";
- }
-
- feature csr-generation {
- description
- "Indicates that the server implements the
- 'generate-csr' action.";
- }
-
- feature certificate-expiration-notification {
- description
- "Indicates that the server implements the
- 'certificate-expiration' notification.";
- }
-
- feature cleartext-passwords {
- description
- "Indicates that the server supports cleartext
- passwords.";
- }
-
- feature encrypted-passwords {
- description
- "Indicates that the server supports password
- encryption.";
- }
-
- feature cleartext-symmetric-keys {
- description
- "Indicates that the server supports cleartext
- symmetric keys.";
- }
-
- feature hidden-symmetric-keys {
- description
- "Indicates that the server supports hidden keys.";
- }
-
- feature encrypted-symmetric-keys {
- description
- "Indicates that the server supports encryption
- of symmetric keys.";
- }
-
- feature cleartext-private-keys {
- description
- "Indicates that the server supports cleartext
- private keys.";
- }
-
- feature hidden-private-keys {
- description
- "Indicates that the server supports hidden keys.";
- }
-
- feature encrypted-private-keys {
- description
- "Indicates that the server supports encryption
- of private keys.";
- }
-
- /*************************************************/
- /* Base Identities for Key Format Structures */
- /*************************************************/
-
- identity symmetric-key-format {
- description
- "Base key-format identity for symmetric keys.";
- }
-
- identity public-key-format {
- description
- "Base key-format identity for public keys.";
- }
-
- identity private-key-format {
- description
- "Base key-format identity for private keys.";
- }
-
- /****************************************************/
- /* Identities for Private Key Format Structures */
- /****************************************************/
-
- identity rsa-private-key-format {
- base private-key-format;
- description
- "Indicates that the private key value is encoded as
- an RSAPrivateKey (from RFC 3447), encoded using ASN.1
- distinguished encoding rules (DER), as specified in
- ITU-T X.690.";
- reference
- "RFC 3447:
- PKCS #1: RSA Cryptography Specifications Version 2.2
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER) 02/2021.";
- }
-
- identity ec-private-key-format {
- base private-key-format;
- description
- "Indicates that the private key value is encoded as
- an ECPrivateKey (from RFC 5915), encoded using ASN.1
- distinguished encoding rules (DER), as specified in
- ITU-T X.690.";
- reference
- "RFC 5915:
- Elliptic Curve Private Key Structure
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER) 02/2021.";
- }
-
- identity one-asymmetric-key-format {
- if-feature "one-asymmetric-key-format";
- base private-key-format;
- description
- "Indicates that the private key value is a CMS
- OneAsymmetricKey structure, as defined in RFC 5958,
- encoded using ASN.1 distinguished encoding rules
- (DER), as specified in ITU-T X.690.";
- reference
- "RFC 5958: Asymmetric Key Packages
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER) 02/2021.";
- }
-
- /***************************************************/
- /* Identities for Public Key Format Structures */
- /***************************************************/
-
- identity ssh-public-key-format {
- base public-key-format;
- description
- "Indicates that the public key value is an SSH public key,
- as specified by RFC 4253, Section 6.6, i.e.:
-
- string certificate or public key format
- identifier
- byte[n] key/certificate data.";
- reference
- "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
- }
-
- identity subject-public-key-info-format {
- base public-key-format;
- description
- "Indicates that the public key value is a SubjectPublicKeyInfo
- structure, as described in RFC 5280 encoded using ASN.1
- distinguished encoding rules (DER), as specified in
- ITU-T X.690.";
- reference
- "RFC 5280:
- Internet X.509 Public Key Infrastructure Certificate
- and Certificate Revocation List (CRL) Profile
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER) 02/2021.";
- }
-
- /******************************************************/
- /* Identities for Symmetric Key Format Structures */
- /******************************************************/
-
- identity octet-string-key-format {
- base symmetric-key-format;
- description
- "Indicates that the key is encoded as a raw octet string.
- The length of the octet string MUST be appropriate for
- the associated algorithm's block size.
-
- The identity of the associated algorithm is outside the
- scope of this specification. This is also true when
- the octet string has been encrypted.";
- }
- identity one-symmetric-key-format {
- if-feature "one-symmetric-key-format";
- base symmetric-key-format;
- description
- "Indicates that the private key value is a CMS
- OneSymmetricKey structure, as defined in RFC 6031,
- encoded using ASN.1 distinguished encoding rules
- (DER), as specified in ITU-T X.690.";
- reference
- "RFC 6031: Cryptographic Message Syntax (CMS)
- Symmetric Key Package Content Type
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER) 02/2021.";
- }
-
- /*************************************************/
- /* Identities for Encrypted Value Structures */
- /*************************************************/
-
- identity encrypted-value-format {
- description
- "Base format identity for encrypted values.";
- }
-
- identity symmetrically-encrypted-value-format {
- if-feature "symmetrically-encrypted-value-format";
- base encrypted-value-format;
- description
- "Base format identity for symmetrically encrypted
- values.";
- }
-
- identity asymmetrically-encrypted-value-format {
- if-feature "asymmetrically-encrypted-value-format";
- base encrypted-value-format;
- description
- "Base format identity for asymmetrically encrypted
- values.";
- }
-
- identity cms-encrypted-data-format {
- if-feature "cms-encrypted-data-format";
- base symmetrically-encrypted-value-format;
- description
- "Indicates that the encrypted value conforms to
- the 'encrypted-data-cms' type with the constraint
- that the 'unprotectedAttrs' value is not set.";
- reference
- "RFC 5652: Cryptographic Message Syntax (CMS)
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER) 02/2021.";
- }
-
- identity cms-enveloped-data-format {
- if-feature "cms-enveloped-data-format";
- base asymmetrically-encrypted-value-format;
- description
- "Indicates that the encrypted value conforms to the
- 'enveloped-data-cms' type with the following constraints:
-
- The EnvelopedData structure MUST have exactly one
- 'RecipientInfo'.
-
- If the asymmetric key supports public key cryptography
- (e.g., RSA), then the 'RecipientInfo' must be a
- 'KeyTransRecipientInfo' with the 'RecipientIdentifier'
- using a 'subjectKeyIdentifier' with the value set using
- 'method 1' in RFC 7093 over the recipient's public key.
-
- Otherwise, if the asymmetric key supports key agreement
- (e.g., ECC), then the 'RecipientInfo' must be a
- 'KeyAgreeRecipientInfo'. The 'OriginatorIdentifierOrKey'
- value must use the 'OriginatorPublicKey' alternative.
- The 'UserKeyingMaterial' value must not be present.
- There must be exactly one 'RecipientEncryptedKeys' value
- having the 'KeyAgreeRecipientIdentifier' set to 'rKeyId'
- with the value set using 'method 1' in RFC 7093 over the
- recipient's public key.";
- reference
- "RFC 5652: Cryptographic Message Syntax (CMS)
- RFC 7093:
- Additional Methods for Generating Key
- Identifiers Values
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER) 02/2021.";
- }
-
- /*********************************************************/
- /* Identities for Certificate Signing Request Formats */
- /*********************************************************/
-
- identity csr-format {
- description
- "A base identity for the certificate signing request
- formats. Additional derived identities MAY be defined
- by future efforts.";
- }
-
- identity p10-csr-format {
- if-feature "p10-csr-format";
- base csr-format;
- description
- "Indicates the 'CertificationRequest' structure
- defined in RFC 2986.";
- reference
- "RFC 2986: PKCS #10: Certification Request Syntax
- Specification Version 1.7";
- }
-
- /***************************************************/
- /* Typedefs for ASN.1 structures from RFC 2986 */
- /***************************************************/
-
- typedef csr-info {
- type binary;
- description
- "A CertificationRequestInfo structure, as defined in
- RFC 2986, encoded using ASN.1 distinguished encoding
- rules (DER), as specified in ITU-T X.690.";
- reference
- "RFC 2986: PKCS #10: Certification Request Syntax
- Specification Version 1.7
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER) 02/2021.";
- }
-
- typedef p10-csr {
- type binary;
- description
- "A CertificationRequest structure, as specified in
- RFC 2986, encoded using ASN.1 distinguished encoding
- rules (DER), as specified in ITU-T X.690.";
- reference
- "RFC 2986:
- PKCS #10: Certification Request Syntax Specification
- Version 1.7
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER) 02/2021.";
- }
-
- /***************************************************/
- /* Typedefs for ASN.1 structures from RFC 5280 */
- /***************************************************/
-
- typedef x509 {
- type binary;
- description
- "A Certificate structure, as specified in RFC 5280,
- encoded using ASN.1 distinguished encoding rules (DER),
- as specified in ITU-T X.690.";
- reference
- "RFC 5280:
- Internet X.509 Public Key Infrastructure Certificate
- and Certificate Revocation List (CRL) Profile
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER) 02/2021.";
- }
-
- typedef crl {
- type binary;
- description
- "A CertificateList structure, as specified in RFC 5280,
- encoded using ASN.1 distinguished encoding rules (DER),
- as specified in ITU-T X.690.";
- reference
- "RFC 5280:
- Internet X.509 Public Key Infrastructure Certificate
- and Certificate Revocation List (CRL) Profile
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER) 02/2021.";
- }
-
- /***************************************************/
- /* Typedefs for ASN.1 structures from RFC 6960 */
- /***************************************************/
-
- typedef oscp-request {
- type binary;
- description
- "A OCSPRequest structure, as specified in RFC 6960,
- encoded using ASN.1 distinguished encoding rules
- (DER), as specified in ITU-T X.690.";
- reference
- "RFC 6960:
- X.509 Internet Public Key Infrastructure Online
- Certificate Status Protocol - OCSP
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER) 02/2021.";
- }
-
- typedef oscp-response {
- type binary;
- description
- "A OCSPResponse structure, as specified in RFC 6960,
- encoded using ASN.1 distinguished encoding rules
- (DER), as specified in ITU-T X.690.";
- reference
- "RFC 6960:
- X.509 Internet Public Key Infrastructure Online
- Certificate Status Protocol - OCSP
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER) 02/2021.";
- }
-
- /***********************************************/
- /* Typedefs for ASN.1 structures from 5652 */
- /***********************************************/
-
- typedef cms {
- type binary;
- description
- "A ContentInfo structure, as specified in RFC 5652,
- encoded using ASN.1 distinguished encoding rules (DER),
- as specified in ITU-T X.690.";
- reference
- "RFC 5652:
- Cryptographic Message Syntax (CMS)
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER) 02/2021.";
- }
-
- typedef data-content-cms {
- type cms;
- description
- "A CMS structure whose top-most content type MUST be the
- data content type, as described by Section 4 in RFC 5652.";
- reference
- "RFC 5652: Cryptographic Message Syntax (CMS)";
- }
-
- typedef signed-data-cms {
- type cms;
- description
- "A CMS structure whose top-most content type MUST be the
- signed-data content type, as described by Section 5 in
- RFC 5652.";
- reference
- "RFC 5652: Cryptographic Message Syntax (CMS)";
- }
-
- typedef enveloped-data-cms {
- type cms;
- description
- "A CMS structure whose top-most content type MUST be the
- enveloped-data content type, as described by Section 6
- in RFC 5652.";
- reference
- "RFC 5652: Cryptographic Message Syntax (CMS)";
- }
-
- typedef digested-data-cms {
- type cms;
- description
- "A CMS structure whose top-most content type MUST be the
- digested-data content type, as described by Section 7
- in RFC 5652.";
- reference
- "RFC 5652: Cryptographic Message Syntax (CMS)";
- }
-
- typedef encrypted-data-cms {
- type cms;
- description
- "A CMS structure whose top-most content type MUST be the
- encrypted-data content type, as described by Section 8
- in RFC 5652.";
- reference
- "RFC 5652: Cryptographic Message Syntax (CMS)";
- }
-
- typedef authenticated-data-cms {
- type cms;
- description
- "A CMS structure whose top-most content type MUST be the
- authenticated-data content type, as described by Section 9
- in RFC 5652.";
- reference
- "RFC 5652: Cryptographic Message Syntax (CMS)";
- }
-
- /*********************************************************/
- /* Typedefs for ASN.1 structures related to RFC 5280 */
- /*********************************************************/
-
- typedef trust-anchor-cert-x509 {
- type x509;
- description
- "A Certificate structure that MUST encode a self-signed
- root certificate.";
- }
-
- typedef end-entity-cert-x509 {
- type x509;
- description
- "A Certificate structure that MUST encode a certificate
- that is neither self-signed nor having Basic constraint
- CA true.";
- }
-
- /*********************************************************/
- /* Typedefs for ASN.1 structures related to RFC 5652 */
- /*********************************************************/
-
- typedef trust-anchor-cert-cms {
- type signed-data-cms;
- description
- "A CMS SignedData structure that MUST contain the chain of
- X.509 certificates needed to authenticate the certificate
- presented by a client or end-entity.
-
- The CMS MUST contain only a single chain of certificates.
- The client or end-entity certificate MUST only authenticate
- to the last intermediate CA certificate listed in the chain.
-
- In all cases, the chain MUST include a self-signed root
- certificate. In the case where the root certificate is
- itself the issuer of the client or end-entity certificate,
- only one certificate is present.
-
- This CMS structure MAY (as applicable where this type is
- used) also contain suitably fresh (as defined by local
- policy) revocation objects with which the device can
- verify the revocation status of the certificates.
-
- This CMS encodes the degenerate form of the SignedData
- structure (RFC 5652, Section 5.2) that is commonly used
- to disseminate X.509 certificates and revocation objects
- (RFC 5280).";
- reference
- "RFC 5280:
- Internet X.509 Public Key Infrastructure Certificate
- and Certificate Revocation List (CRL) Profile.
- RFC 5652:
- Cryptographic Message Syntax (CMS)";
- }
-
- typedef end-entity-cert-cms {
- type signed-data-cms;
- description
- "A CMS SignedData structure that MUST contain the end
- entity certificate itself, and MAY contain any number
- of intermediate certificates leading up to a trust
- anchor certificate. The trust anchor certificate
- MAY be included as well.
-
- The CMS MUST contain a single end entity certificate.
- The CMS MUST NOT contain any spurious certificates.
-
- This CMS structure MAY (as applicable where this type is
- used) also contain suitably fresh (as defined by local
- policy) revocation objects with which the device can
- verify the revocation status of the certificates.
-
- This CMS encodes the degenerate form of the SignedData
- structure (RFC 5652, Section 5.2) that is commonly
- used to disseminate X.509 certificates and revocation
- objects (RFC 5280).";
-
- reference
- "RFC 5280:
- Internet X.509 Public Key Infrastructure Certificate
- and Certificate Revocation List (CRL) Profile.
- RFC 5652:
- Cryptographic Message Syntax (CMS)";
- }
-
- /*****************/
- /* Groupings */
- /*****************/
-
- grouping encrypted-value-grouping {
- description
- "A reusable grouping for a value that has been encrypted by
- a referenced symmetric or asymmetric key.";
- container encrypted-by {
- nacm:default-deny-write;
- description
- "An empty container enabling a reference to the key that
- encrypted the value to be augmented in. The referenced
- key MUST be a symmetric key or an asymmetric key.
-
- A symmetric key MUST be referenced via a leaf node called
- 'symmetric-key-ref'. An asymmetric key MUST be referenced
- via a leaf node called 'asymmetric-key-ref'.
-
- The leaf nodes MUST be direct descendants in the data tree,
- and MAY be direct descendants in the schema tree (e.g.,
- choice/case statements are allowed, but not a container).";
- }
- leaf encrypted-value-format {
- type identityref {
- base encrypted-value-format;
- }
- mandatory true;
- description
- "Identifies the format of the 'encrypted-value' leaf.
-
- If 'encrypted-by' points to a symmetric key, then a
- 'symmetrically-encrypted-value-format' based identity
- MUST by set (e.g., cms-encrypted-data-format).
-
- If 'encrypted-by' points to an asymmetric key, then an
- 'asymmetrically-encrypted-value-format' based identity
- MUST by set (e.g., cms-enveloped-data-format).";
- }
- leaf encrypted-value {
- nacm:default-deny-write;
- type binary;
- must '../encrypted-by';
- mandatory true;
- description
- "The value, encrypted using the referenced symmetric
- or asymmetric key. The value MUST be encoded using
- the format associated with the 'encrypted-value-format'
- leaf.";
- }
- }
-
- grouping password-grouping {
- description
- "A password that may be encrypted.";
- choice password-type {
- nacm:default-deny-write;
- mandatory true;
- description
- "Choice between password types.";
- case cleartext-password {
- if-feature "cleartext-passwords";
- leaf cleartext-password {
- nacm:default-deny-all;
- type string;
- description
- "The cleartext value of the password.";
- }
- }
- case encrypted-password {
- if-feature "encrypted-passwords";
- container encrypted-password {
- description
- "A container for the encrypted password value.";
- uses encrypted-value-grouping;
- }
- }
- }
- }
-
- grouping symmetric-key-grouping {
- description
- "A symmetric key.";
- leaf key-format {
- nacm:default-deny-write;
- type identityref {
- base symmetric-key-format;
- }
- description
- "Identifies the symmetric key's format. Implementations
- SHOULD ensure that the incoming symmetric key value is
- encoded in the specified format.
-
- For encrypted keys, the value is the decrypted key's
- format (i.e., the 'encrypted-value-format' conveys the
- encrypted key's format.";
- }
- choice key-type {
- nacm:default-deny-write;
- mandatory true;
- description
- "Choice between key types.";
- case cleartext-key {
- leaf cleartext-key {
- if-feature "cleartext-symmetric-keys";
- nacm:default-deny-all;
- type binary;
- must '../key-format';
- description
- "The binary value of the key. The interpretation of
- the value is defined by the 'key-format' field.";
- }
- }
- case hidden-key {
- if-feature "hidden-symmetric-keys";
- leaf hidden-key {
- type empty;
- must 'not(../key-format)';
- description
- "A hidden key. How such keys are created is outside
- the scope of this module.";
- }
- }
- case encrypted-key {
- if-feature "encrypted-symmetric-keys";
- container encrypted-key {
- must '../key-format';
- description
- "A container for the encrypted symmetric key value.
- The interpretation of the 'encrypted-value' node
- is via the 'key-format' node";
- uses encrypted-value-grouping;
- }
- }
- }
- }
-
- grouping public-key-grouping {
- description
- "A public key.";
- leaf public-key-format {
- nacm:default-deny-write;
- type identityref {
- base public-key-format;
- }
- mandatory true;
- description
- "Identifies the public key's format. Implementations SHOULD
- ensure that the incoming public key value is encoded in the
- specified format.";
- }
- leaf public-key {
- nacm:default-deny-write;
- type binary;
- mandatory true;
- description
- "The binary value of the public key. The interpretation
- of the value is defined by 'public-key-format' field.";
- }
- }
-
- grouping asymmetric-key-pair-grouping {
- description
- "A private key and its associated public key. Implementations
- SHOULD ensure that the two keys are a matching pair.";
- uses public-key-grouping;
- leaf private-key-format {
- nacm:default-deny-write;
- type identityref {
- base private-key-format;
- }
- description
- "Identifies the private key's format. Implementations SHOULD
- ensure that the incoming private key value is encoded in the
- specified format.
-
- For encrypted keys, the value is the decrypted key's
- format (i.e., the 'encrypted-value-format' conveys the
- encrypted key's format.";
- }
- choice private-key-type {
- nacm:default-deny-write;
- mandatory true;
- description
- "Choice between key types.";
- case cleartext-private-key {
- if-feature "cleartext-private-keys";
- leaf cleartext-private-key {
- nacm:default-deny-all;
- type binary;
- must '../private-key-format';
- description
- "The value of the binary key The key's value is
- interpreted by the 'private-key-format' field.";
- }
- }
- case hidden-private-key {
- if-feature "hidden-private-keys";
- leaf hidden-private-key {
- type empty;
- must 'not(../private-key-format)';
- description
- "A hidden key. How such keys are created is
- outside the scope of this module.";
- }
- }
- case encrypted-private-key {
- if-feature "encrypted-private-keys";
- container encrypted-private-key {
- must '../private-key-format';
- description
- "A container for the encrypted asymmetric private key
- value. The interpretation of the 'encrypted-value'
- node is via the 'private-key-format' node";
- uses encrypted-value-grouping;
- }
- }
- }
- }
-
- grouping certificate-expiration-grouping {
- description
- "A notification for when a certificate is about to, or
- already has, expired.";
- notification certificate-expiration {
- if-feature "certificate-expiration-notification";
- description
- "A notification indicating that the configured certificate
- is either about to expire or has already expired. When to
- send notifications is an implementation specific decision,
- but it is RECOMMENDED that a notification be sent once a
- month for 3 months, then once a week for four weeks, and
- then once a day thereafter until the issue is resolved.";
- leaf expiration-date {
- type yang:date-and-time;
- mandatory true;
- description
- "Identifies the expiration date on the certificate.";
- }
- }
- }
-
- grouping trust-anchor-cert-grouping {
- description
- "A trust anchor certificate, and a notification for when
- it is about to (or already has) expire.";
- leaf cert-data {
- nacm:default-deny-write;
- type trust-anchor-cert-cms;
- description
- "The binary certificate data for this certificate.";
- }
- uses certificate-expiration-grouping;
- }
-
- grouping end-entity-cert-grouping {
- description
- "An end entity certificate, and a notification for when
- it is about to (or already has) expire. Implementations
- SHOULD assert that, where used, the end entity certificate
- contains the expected public key.";
- leaf cert-data {
- nacm:default-deny-write;
- type end-entity-cert-cms;
- description
- "The binary certificate data for this certificate.";
- }
- uses certificate-expiration-grouping;
- }
-
- grouping generate-csr-grouping {
- description
- "Defines the 'generate-csr' action.";
- action generate-csr {
- if-feature "csr-generation";
- nacm:default-deny-all;
- description
- "Generates a certificate signing request structure for
- the associated asymmetric key using the passed subject
- and attribute values.
-
- This action statement is only available when the
- associated 'public-key-format' node's value is
- 'subject-public-key-info-format'.";
- reference
- "RFC 6125:
- Representation and Verification of Domain-Based
- Application Service Identity within Internet Public Key
- Infrastructure Using X.509 (PKIX) Certificates in the
- Context of Transport Layer Security (TLS)";
- input {
- leaf csr-format {
- type identityref {
- base csr-format;
- }
- mandatory true;
- description
- "Specifies the format for the returned certificate.";
- }
- leaf csr-info {
- type csr-info;
- mandatory true;
- description
- "A CertificationRequestInfo structure, as defined in
- RFC 2986.
-
- Enables the client to provide a fully-populated
- CertificationRequestInfo structure that the server
- only needs to sign in order to generate the complete
- 'CertificationRequest' structure to return in the
- 'output'.
-
- The 'AlgorithmIdentifier' field contained inside
- the 'SubjectPublicKeyInfo' field MUST be one known
- to be supported by the device.";
- reference
- "RFC 2986:
- PKCS #10: Certification Request Syntax Specification
- RFC AAAA:
- YANG Data Types and Groupings for Cryptography";
- }
- }
- output {
- choice csr-type {
- mandatory true;
- description
- "A choice amongst certificate signing request formats.
- Additional formats MAY be augmented into this 'choice'
- statement by future efforts.";
- case p10-csr {
- leaf p10-csr {
- type p10-csr;
- description
- "A CertificationRequest, as defined in RFC 2986.";
- }
- description
- "A CertificationRequest, as defined in RFC 2986.";
- reference
- "RFC 2986:
- PKCS #10: Certification Request Syntax Specification
- RFC AAAA:
- YANG Data Types and Groupings for Cryptography";
- }
- }
- }
- }
- } // generate-csr-grouping
-
- grouping asymmetric-key-pair-with-cert-grouping {
- description
- "A private/public key pair and an associated certificate.
- Implementations SHOULD assert that the certificate contains
- the matching public key.";
- uses asymmetric-key-pair-grouping;
- uses end-entity-cert-grouping;
- uses generate-csr-grouping;
- } // asymmetric-key-pair-with-cert-grouping
-
- grouping asymmetric-key-pair-with-certs-grouping {
- description
- "A private/public key pair and a list of associated
- certificates. Implementations SHOULD assert that
- certificates contain the matching public key.";
- uses asymmetric-key-pair-grouping;
- container certificates {
- nacm:default-deny-write;
- description
- "Certificates associated with this asymmetric key.";
- list certificate {
- key "name";
- description
- "A certificate for this asymmetric key.";
- leaf name {
- type string;
- description
- "An arbitrary name for the certificate.";
- }
- uses end-entity-cert-grouping {
- refine "cert-data" {
- mandatory true;
- }
- }
- }
- }
- uses generate-csr-grouping;
- } // asymmetric-key-pair-with-certs-grouping
-
-}