X-Git-Url: https://git.opendaylight.org/gerrit/gitweb?a=blobdiff_plain;f=model%2Fdraft-ietf-netconf-crypto-types%2Fsrc%2Fmain%2Fyang%2Fietf-crypto-types%402023-04-17.yang;fp=model%2Fdraft-ietf-netconf-crypto-types%2Fsrc%2Fmain%2Fyang%2Fietf-crypto-types%402023-04-17.yang;h=0000000000000000000000000000000000000000;hb=3b4f0880195460f9d9a00cc6bf4bc319f81e5bb7;hp=ddabbeec52400979eb83642a548ed7491e8a438b;hpb=7d45e6b0afa89f47912b00e20afaaab7fbe96958;p=netconf.git diff --git a/model/draft-ietf-netconf-crypto-types/src/main/yang/ietf-crypto-types@2023-04-17.yang b/model/draft-ietf-netconf-crypto-types/src/main/yang/ietf-crypto-types@2023-04-17.yang deleted file mode 100644 index ddabbeec52..0000000000 --- a/model/draft-ietf-netconf-crypto-types/src/main/yang/ietf-crypto-types@2023-04-17.yang +++ /dev/null @@ -1,1072 +0,0 @@ -module ietf-crypto-types { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types"; - prefix ct; - - import ietf-yang-types { - prefix yang; - reference - "RFC 6991: Common YANG Data Types"; - } - - import ietf-netconf-acm { - prefix nacm; - reference - "RFC 8341: Network Configuration Access Control Model"; - } - - organization - "IETF NETCONF (Network Configuration) Working Group"; - - contact - "WG Web: https://datatracker.ietf.org/wg/netconf - WG List: NETCONF WG list - Author: Kent Watsen "; - - description - "This module defines common YANG types for cryptographic - applications. - - Copyright (c) 2023 IETF Trust and the persons identified - as authors of the code. All rights reserved. - - Redistribution and use in source and binary forms, with - or without modification, is permitted pursuant to, and - subject to the license terms contained in, the Revised - BSD License set forth in Section 4.c of the IETF Trust's - Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info). - - This version of this YANG module is part of RFC AAAA - (https://www.rfc-editor.org/info/rfcAAAA); see the RFC - itself for full legal notices. - - The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', - 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', - 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document - are to be interpreted as described in BCP 14 (RFC 2119) - (RFC 8174) when, and only when, they appear in all - capitals, as shown here."; - - revision 2023-04-17 { - description - "Initial version"; - reference - "RFC AAAA: YANG Data Types and Groupings for Cryptography"; - } - - /****************/ - /* Features */ - /****************/ - - feature one-symmetric-key-format { - description - "Indicates that the server supports the - 'one-symmetric-key-format' identity."; - } - - feature one-asymmetric-key-format { - description - "Indicates that the server supports the - 'one-asymmetric-key-format' identity."; - } - - feature symmetrically-encrypted-value-format { - description - "Indicates that the server supports the - 'symmetrically-encrypted-value-format' identity."; - } - - feature asymmetrically-encrypted-value-format { - description - "Indicates that the server supports the - 'asymmetrically-encrypted-value-format' identity."; - } - - feature cms-enveloped-data-format { - description - "Indicates that the server supports the - 'cms-enveloped-data-format' identity."; - } - - feature cms-encrypted-data-format { - description - "Indicates that the server supports the - 'cms-encrypted-data-format' identity."; - } - feature p10-csr-format { - description - "Indicates that the server implements support - for generating P10-based CSRs, as defined - in RFC 2986."; - reference - "RFC 2986: PKCS #10: Certification Request Syntax - Specification Version 1.7"; - } - - feature csr-generation { - description - "Indicates that the server implements the - 'generate-csr' action."; - } - - feature certificate-expiration-notification { - description - "Indicates that the server implements the - 'certificate-expiration' notification."; - } - - feature cleartext-passwords { - description - "Indicates that the server supports cleartext - passwords."; - } - - feature encrypted-passwords { - description - "Indicates that the server supports password - encryption."; - } - - feature cleartext-symmetric-keys { - description - "Indicates that the server supports cleartext - symmetric keys."; - } - - feature hidden-symmetric-keys { - description - "Indicates that the server supports hidden keys."; - } - - feature encrypted-symmetric-keys { - description - "Indicates that the server supports encryption - of symmetric keys."; - } - - feature cleartext-private-keys { - description - "Indicates that the server supports cleartext - private keys."; - } - - feature hidden-private-keys { - description - "Indicates that the server supports hidden keys."; - } - - feature encrypted-private-keys { - description - "Indicates that the server supports encryption - of private keys."; - } - - /*************************************************/ - /* Base Identities for Key Format Structures */ - /*************************************************/ - - identity symmetric-key-format { - description - "Base key-format identity for symmetric keys."; - } - - identity public-key-format { - description - "Base key-format identity for public keys."; - } - - identity private-key-format { - description - "Base key-format identity for private keys."; - } - - /****************************************************/ - /* Identities for Private Key Format Structures */ - /****************************************************/ - - identity rsa-private-key-format { - base private-key-format; - description - "Indicates that the private key value is encoded as - an RSAPrivateKey (from RFC 3447), encoded using ASN.1 - distinguished encoding rules (DER), as specified in - ITU-T X.690."; - reference - "RFC 3447: - PKCS #1: RSA Cryptography Specifications Version 2.2 - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER) 02/2021."; - } - - identity ec-private-key-format { - base private-key-format; - description - "Indicates that the private key value is encoded as - an ECPrivateKey (from RFC 5915), encoded using ASN.1 - distinguished encoding rules (DER), as specified in - ITU-T X.690."; - reference - "RFC 5915: - Elliptic Curve Private Key Structure - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER) 02/2021."; - } - - identity one-asymmetric-key-format { - if-feature "one-asymmetric-key-format"; - base private-key-format; - description - "Indicates that the private key value is a CMS - OneAsymmetricKey structure, as defined in RFC 5958, - encoded using ASN.1 distinguished encoding rules - (DER), as specified in ITU-T X.690."; - reference - "RFC 5958: Asymmetric Key Packages - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER) 02/2021."; - } - - /***************************************************/ - /* Identities for Public Key Format Structures */ - /***************************************************/ - - identity ssh-public-key-format { - base public-key-format; - description - "Indicates that the public key value is an SSH public key, - as specified by RFC 4253, Section 6.6, i.e.: - - string certificate or public key format - identifier - byte[n] key/certificate data."; - reference - "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; - } - - identity subject-public-key-info-format { - base public-key-format; - description - "Indicates that the public key value is a SubjectPublicKeyInfo - structure, as described in RFC 5280 encoded using ASN.1 - distinguished encoding rules (DER), as specified in - ITU-T X.690."; - reference - "RFC 5280: - Internet X.509 Public Key Infrastructure Certificate - and Certificate Revocation List (CRL) Profile - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER) 02/2021."; - } - - /******************************************************/ - /* Identities for Symmetric Key Format Structures */ - /******************************************************/ - - identity octet-string-key-format { - base symmetric-key-format; - description - "Indicates that the key is encoded as a raw octet string. - The length of the octet string MUST be appropriate for - the associated algorithm's block size. - - The identity of the associated algorithm is outside the - scope of this specification. This is also true when - the octet string has been encrypted."; - } - identity one-symmetric-key-format { - if-feature "one-symmetric-key-format"; - base symmetric-key-format; - description - "Indicates that the private key value is a CMS - OneSymmetricKey structure, as defined in RFC 6031, - encoded using ASN.1 distinguished encoding rules - (DER), as specified in ITU-T X.690."; - reference - "RFC 6031: Cryptographic Message Syntax (CMS) - Symmetric Key Package Content Type - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER) 02/2021."; - } - - /*************************************************/ - /* Identities for Encrypted Value Structures */ - /*************************************************/ - - identity encrypted-value-format { - description - "Base format identity for encrypted values."; - } - - identity symmetrically-encrypted-value-format { - if-feature "symmetrically-encrypted-value-format"; - base encrypted-value-format; - description - "Base format identity for symmetrically encrypted - values."; - } - - identity asymmetrically-encrypted-value-format { - if-feature "asymmetrically-encrypted-value-format"; - base encrypted-value-format; - description - "Base format identity for asymmetrically encrypted - values."; - } - - identity cms-encrypted-data-format { - if-feature "cms-encrypted-data-format"; - base symmetrically-encrypted-value-format; - description - "Indicates that the encrypted value conforms to - the 'encrypted-data-cms' type with the constraint - that the 'unprotectedAttrs' value is not set."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS) - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER) 02/2021."; - } - - identity cms-enveloped-data-format { - if-feature "cms-enveloped-data-format"; - base asymmetrically-encrypted-value-format; - description - "Indicates that the encrypted value conforms to the - 'enveloped-data-cms' type with the following constraints: - - The EnvelopedData structure MUST have exactly one - 'RecipientInfo'. - - If the asymmetric key supports public key cryptography - (e.g., RSA), then the 'RecipientInfo' must be a - 'KeyTransRecipientInfo' with the 'RecipientIdentifier' - using a 'subjectKeyIdentifier' with the value set using - 'method 1' in RFC 7093 over the recipient's public key. - - Otherwise, if the asymmetric key supports key agreement - (e.g., ECC), then the 'RecipientInfo' must be a - 'KeyAgreeRecipientInfo'. The 'OriginatorIdentifierOrKey' - value must use the 'OriginatorPublicKey' alternative. - The 'UserKeyingMaterial' value must not be present. - There must be exactly one 'RecipientEncryptedKeys' value - having the 'KeyAgreeRecipientIdentifier' set to 'rKeyId' - with the value set using 'method 1' in RFC 7093 over the - recipient's public key."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS) - RFC 7093: - Additional Methods for Generating Key - Identifiers Values - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER) 02/2021."; - } - - /*********************************************************/ - /* Identities for Certificate Signing Request Formats */ - /*********************************************************/ - - identity csr-format { - description - "A base identity for the certificate signing request - formats. Additional derived identities MAY be defined - by future efforts."; - } - - identity p10-csr-format { - if-feature "p10-csr-format"; - base csr-format; - description - "Indicates the 'CertificationRequest' structure - defined in RFC 2986."; - reference - "RFC 2986: PKCS #10: Certification Request Syntax - Specification Version 1.7"; - } - - /***************************************************/ - /* Typedefs for ASN.1 structures from RFC 2986 */ - /***************************************************/ - - typedef csr-info { - type binary; - description - "A CertificationRequestInfo structure, as defined in - RFC 2986, encoded using ASN.1 distinguished encoding - rules (DER), as specified in ITU-T X.690."; - reference - "RFC 2986: PKCS #10: Certification Request Syntax - Specification Version 1.7 - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER) 02/2021."; - } - - typedef p10-csr { - type binary; - description - "A CertificationRequest structure, as specified in - RFC 2986, encoded using ASN.1 distinguished encoding - rules (DER), as specified in ITU-T X.690."; - reference - "RFC 2986: - PKCS #10: Certification Request Syntax Specification - Version 1.7 - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER) 02/2021."; - } - - /***************************************************/ - /* Typedefs for ASN.1 structures from RFC 5280 */ - /***************************************************/ - - typedef x509 { - type binary; - description - "A Certificate structure, as specified in RFC 5280, - encoded using ASN.1 distinguished encoding rules (DER), - as specified in ITU-T X.690."; - reference - "RFC 5280: - Internet X.509 Public Key Infrastructure Certificate - and Certificate Revocation List (CRL) Profile - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER) 02/2021."; - } - - typedef crl { - type binary; - description - "A CertificateList structure, as specified in RFC 5280, - encoded using ASN.1 distinguished encoding rules (DER), - as specified in ITU-T X.690."; - reference - "RFC 5280: - Internet X.509 Public Key Infrastructure Certificate - and Certificate Revocation List (CRL) Profile - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER) 02/2021."; - } - - /***************************************************/ - /* Typedefs for ASN.1 structures from RFC 6960 */ - /***************************************************/ - - typedef oscp-request { - type binary; - description - "A OCSPRequest structure, as specified in RFC 6960, - encoded using ASN.1 distinguished encoding rules - (DER), as specified in ITU-T X.690."; - reference - "RFC 6960: - X.509 Internet Public Key Infrastructure Online - Certificate Status Protocol - OCSP - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER) 02/2021."; - } - - typedef oscp-response { - type binary; - description - "A OCSPResponse structure, as specified in RFC 6960, - encoded using ASN.1 distinguished encoding rules - (DER), as specified in ITU-T X.690."; - reference - "RFC 6960: - X.509 Internet Public Key Infrastructure Online - Certificate Status Protocol - OCSP - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER) 02/2021."; - } - - /***********************************************/ - /* Typedefs for ASN.1 structures from 5652 */ - /***********************************************/ - - typedef cms { - type binary; - description - "A ContentInfo structure, as specified in RFC 5652, - encoded using ASN.1 distinguished encoding rules (DER), - as specified in ITU-T X.690."; - reference - "RFC 5652: - Cryptographic Message Syntax (CMS) - ITU-T X.690: - Information technology - ASN.1 encoding rules: - Specification of Basic Encoding Rules (BER), - Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER) 02/2021."; - } - - typedef data-content-cms { - type cms; - description - "A CMS structure whose top-most content type MUST be the - data content type, as described by Section 4 in RFC 5652."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS)"; - } - - typedef signed-data-cms { - type cms; - description - "A CMS structure whose top-most content type MUST be the - signed-data content type, as described by Section 5 in - RFC 5652."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS)"; - } - - typedef enveloped-data-cms { - type cms; - description - "A CMS structure whose top-most content type MUST be the - enveloped-data content type, as described by Section 6 - in RFC 5652."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS)"; - } - - typedef digested-data-cms { - type cms; - description - "A CMS structure whose top-most content type MUST be the - digested-data content type, as described by Section 7 - in RFC 5652."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS)"; - } - - typedef encrypted-data-cms { - type cms; - description - "A CMS structure whose top-most content type MUST be the - encrypted-data content type, as described by Section 8 - in RFC 5652."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS)"; - } - - typedef authenticated-data-cms { - type cms; - description - "A CMS structure whose top-most content type MUST be the - authenticated-data content type, as described by Section 9 - in RFC 5652."; - reference - "RFC 5652: Cryptographic Message Syntax (CMS)"; - } - - /*********************************************************/ - /* Typedefs for ASN.1 structures related to RFC 5280 */ - /*********************************************************/ - - typedef trust-anchor-cert-x509 { - type x509; - description - "A Certificate structure that MUST encode a self-signed - root certificate."; - } - - typedef end-entity-cert-x509 { - type x509; - description - "A Certificate structure that MUST encode a certificate - that is neither self-signed nor having Basic constraint - CA true."; - } - - /*********************************************************/ - /* Typedefs for ASN.1 structures related to RFC 5652 */ - /*********************************************************/ - - typedef trust-anchor-cert-cms { - type signed-data-cms; - description - "A CMS SignedData structure that MUST contain the chain of - X.509 certificates needed to authenticate the certificate - presented by a client or end-entity. - - The CMS MUST contain only a single chain of certificates. - The client or end-entity certificate MUST only authenticate - to the last intermediate CA certificate listed in the chain. - - In all cases, the chain MUST include a self-signed root - certificate. In the case where the root certificate is - itself the issuer of the client or end-entity certificate, - only one certificate is present. - - This CMS structure MAY (as applicable where this type is - used) also contain suitably fresh (as defined by local - policy) revocation objects with which the device can - verify the revocation status of the certificates. - - This CMS encodes the degenerate form of the SignedData - structure (RFC 5652, Section 5.2) that is commonly used - to disseminate X.509 certificates and revocation objects - (RFC 5280)."; - reference - "RFC 5280: - Internet X.509 Public Key Infrastructure Certificate - and Certificate Revocation List (CRL) Profile. - RFC 5652: - Cryptographic Message Syntax (CMS)"; - } - - typedef end-entity-cert-cms { - type signed-data-cms; - description - "A CMS SignedData structure that MUST contain the end - entity certificate itself, and MAY contain any number - of intermediate certificates leading up to a trust - anchor certificate. The trust anchor certificate - MAY be included as well. - - The CMS MUST contain a single end entity certificate. - The CMS MUST NOT contain any spurious certificates. - - This CMS structure MAY (as applicable where this type is - used) also contain suitably fresh (as defined by local - policy) revocation objects with which the device can - verify the revocation status of the certificates. - - This CMS encodes the degenerate form of the SignedData - structure (RFC 5652, Section 5.2) that is commonly - used to disseminate X.509 certificates and revocation - objects (RFC 5280)."; - - reference - "RFC 5280: - Internet X.509 Public Key Infrastructure Certificate - and Certificate Revocation List (CRL) Profile. - RFC 5652: - Cryptographic Message Syntax (CMS)"; - } - - /*****************/ - /* Groupings */ - /*****************/ - - grouping encrypted-value-grouping { - description - "A reusable grouping for a value that has been encrypted by - a referenced symmetric or asymmetric key."; - container encrypted-by { - nacm:default-deny-write; - description - "An empty container enabling a reference to the key that - encrypted the value to be augmented in. The referenced - key MUST be a symmetric key or an asymmetric key. - - A symmetric key MUST be referenced via a leaf node called - 'symmetric-key-ref'. An asymmetric key MUST be referenced - via a leaf node called 'asymmetric-key-ref'. - - The leaf nodes MUST be direct descendants in the data tree, - and MAY be direct descendants in the schema tree (e.g., - choice/case statements are allowed, but not a container)."; - } - leaf encrypted-value-format { - type identityref { - base encrypted-value-format; - } - mandatory true; - description - "Identifies the format of the 'encrypted-value' leaf. - - If 'encrypted-by' points to a symmetric key, then a - 'symmetrically-encrypted-value-format' based identity - MUST by set (e.g., cms-encrypted-data-format). - - If 'encrypted-by' points to an asymmetric key, then an - 'asymmetrically-encrypted-value-format' based identity - MUST by set (e.g., cms-enveloped-data-format)."; - } - leaf encrypted-value { - nacm:default-deny-write; - type binary; - must '../encrypted-by'; - mandatory true; - description - "The value, encrypted using the referenced symmetric - or asymmetric key. The value MUST be encoded using - the format associated with the 'encrypted-value-format' - leaf."; - } - } - - grouping password-grouping { - description - "A password that may be encrypted."; - choice password-type { - nacm:default-deny-write; - mandatory true; - description - "Choice between password types."; - case cleartext-password { - if-feature "cleartext-passwords"; - leaf cleartext-password { - nacm:default-deny-all; - type string; - description - "The cleartext value of the password."; - } - } - case encrypted-password { - if-feature "encrypted-passwords"; - container encrypted-password { - description - "A container for the encrypted password value."; - uses encrypted-value-grouping; - } - } - } - } - - grouping symmetric-key-grouping { - description - "A symmetric key."; - leaf key-format { - nacm:default-deny-write; - type identityref { - base symmetric-key-format; - } - description - "Identifies the symmetric key's format. Implementations - SHOULD ensure that the incoming symmetric key value is - encoded in the specified format. - - For encrypted keys, the value is the decrypted key's - format (i.e., the 'encrypted-value-format' conveys the - encrypted key's format."; - } - choice key-type { - nacm:default-deny-write; - mandatory true; - description - "Choice between key types."; - case cleartext-key { - leaf cleartext-key { - if-feature "cleartext-symmetric-keys"; - nacm:default-deny-all; - type binary; - must '../key-format'; - description - "The binary value of the key. The interpretation of - the value is defined by the 'key-format' field."; - } - } - case hidden-key { - if-feature "hidden-symmetric-keys"; - leaf hidden-key { - type empty; - must 'not(../key-format)'; - description - "A hidden key. How such keys are created is outside - the scope of this module."; - } - } - case encrypted-key { - if-feature "encrypted-symmetric-keys"; - container encrypted-key { - must '../key-format'; - description - "A container for the encrypted symmetric key value. - The interpretation of the 'encrypted-value' node - is via the 'key-format' node"; - uses encrypted-value-grouping; - } - } - } - } - - grouping public-key-grouping { - description - "A public key."; - leaf public-key-format { - nacm:default-deny-write; - type identityref { - base public-key-format; - } - mandatory true; - description - "Identifies the public key's format. Implementations SHOULD - ensure that the incoming public key value is encoded in the - specified format."; - } - leaf public-key { - nacm:default-deny-write; - type binary; - mandatory true; - description - "The binary value of the public key. The interpretation - of the value is defined by 'public-key-format' field."; - } - } - - grouping asymmetric-key-pair-grouping { - description - "A private key and its associated public key. Implementations - SHOULD ensure that the two keys are a matching pair."; - uses public-key-grouping; - leaf private-key-format { - nacm:default-deny-write; - type identityref { - base private-key-format; - } - description - "Identifies the private key's format. Implementations SHOULD - ensure that the incoming private key value is encoded in the - specified format. - - For encrypted keys, the value is the decrypted key's - format (i.e., the 'encrypted-value-format' conveys the - encrypted key's format."; - } - choice private-key-type { - nacm:default-deny-write; - mandatory true; - description - "Choice between key types."; - case cleartext-private-key { - if-feature "cleartext-private-keys"; - leaf cleartext-private-key { - nacm:default-deny-all; - type binary; - must '../private-key-format'; - description - "The value of the binary key The key's value is - interpreted by the 'private-key-format' field."; - } - } - case hidden-private-key { - if-feature "hidden-private-keys"; - leaf hidden-private-key { - type empty; - must 'not(../private-key-format)'; - description - "A hidden key. How such keys are created is - outside the scope of this module."; - } - } - case encrypted-private-key { - if-feature "encrypted-private-keys"; - container encrypted-private-key { - must '../private-key-format'; - description - "A container for the encrypted asymmetric private key - value. The interpretation of the 'encrypted-value' - node is via the 'private-key-format' node"; - uses encrypted-value-grouping; - } - } - } - } - - grouping certificate-expiration-grouping { - description - "A notification for when a certificate is about to, or - already has, expired."; - notification certificate-expiration { - if-feature "certificate-expiration-notification"; - description - "A notification indicating that the configured certificate - is either about to expire or has already expired. When to - send notifications is an implementation specific decision, - but it is RECOMMENDED that a notification be sent once a - month for 3 months, then once a week for four weeks, and - then once a day thereafter until the issue is resolved."; - leaf expiration-date { - type yang:date-and-time; - mandatory true; - description - "Identifies the expiration date on the certificate."; - } - } - } - - grouping trust-anchor-cert-grouping { - description - "A trust anchor certificate, and a notification for when - it is about to (or already has) expire."; - leaf cert-data { - nacm:default-deny-write; - type trust-anchor-cert-cms; - description - "The binary certificate data for this certificate."; - } - uses certificate-expiration-grouping; - } - - grouping end-entity-cert-grouping { - description - "An end entity certificate, and a notification for when - it is about to (or already has) expire. Implementations - SHOULD assert that, where used, the end entity certificate - contains the expected public key."; - leaf cert-data { - nacm:default-deny-write; - type end-entity-cert-cms; - description - "The binary certificate data for this certificate."; - } - uses certificate-expiration-grouping; - } - - grouping generate-csr-grouping { - description - "Defines the 'generate-csr' action."; - action generate-csr { - if-feature "csr-generation"; - nacm:default-deny-all; - description - "Generates a certificate signing request structure for - the associated asymmetric key using the passed subject - and attribute values. - - This action statement is only available when the - associated 'public-key-format' node's value is - 'subject-public-key-info-format'."; - reference - "RFC 6125: - Representation and Verification of Domain-Based - Application Service Identity within Internet Public Key - Infrastructure Using X.509 (PKIX) Certificates in the - Context of Transport Layer Security (TLS)"; - input { - leaf csr-format { - type identityref { - base csr-format; - } - mandatory true; - description - "Specifies the format for the returned certificate."; - } - leaf csr-info { - type csr-info; - mandatory true; - description - "A CertificationRequestInfo structure, as defined in - RFC 2986. - - Enables the client to provide a fully-populated - CertificationRequestInfo structure that the server - only needs to sign in order to generate the complete - 'CertificationRequest' structure to return in the - 'output'. - - The 'AlgorithmIdentifier' field contained inside - the 'SubjectPublicKeyInfo' field MUST be one known - to be supported by the device."; - reference - "RFC 2986: - PKCS #10: Certification Request Syntax Specification - RFC AAAA: - YANG Data Types and Groupings for Cryptography"; - } - } - output { - choice csr-type { - mandatory true; - description - "A choice amongst certificate signing request formats. - Additional formats MAY be augmented into this 'choice' - statement by future efforts."; - case p10-csr { - leaf p10-csr { - type p10-csr; - description - "A CertificationRequest, as defined in RFC 2986."; - } - description - "A CertificationRequest, as defined in RFC 2986."; - reference - "RFC 2986: - PKCS #10: Certification Request Syntax Specification - RFC AAAA: - YANG Data Types and Groupings for Cryptography"; - } - } - } - } - } // generate-csr-grouping - - grouping asymmetric-key-pair-with-cert-grouping { - description - "A private/public key pair and an associated certificate. - Implementations SHOULD assert that the certificate contains - the matching public key."; - uses asymmetric-key-pair-grouping; - uses end-entity-cert-grouping; - uses generate-csr-grouping; - } // asymmetric-key-pair-with-cert-grouping - - grouping asymmetric-key-pair-with-certs-grouping { - description - "A private/public key pair and a list of associated - certificates. Implementations SHOULD assert that - certificates contain the matching public key."; - uses asymmetric-key-pair-grouping; - container certificates { - nacm:default-deny-write; - description - "Certificates associated with this asymmetric key."; - list certificate { - key "name"; - description - "A certificate for this asymmetric key."; - leaf name { - type string; - description - "An arbitrary name for the certificate."; - } - uses end-entity-cert-grouping { - refine "cert-data" { - mandatory true; - } - } - } - } - uses generate-csr-grouping; - } // asymmetric-key-pair-with-certs-grouping - -}