--- /dev/null
+module ietf-crypto-types {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";
+ prefix ct;
+
+ import ietf-yang-types {
+ prefix yang;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: https://datatracker.ietf.org/wg/netconf
+ WG List: NETCONF WG list <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>";
+
+ description
+ "This module defines common YANG types for cryptographic
+ applications.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.
+
+ Copyright (c) 2024 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC 9640
+ (https://www.rfc-editor.org/info/rfc9640); see the RFC
+ itself for full legal notices.";
+
+ revision 2024-10-10 {
+ description
+ "Initial version.";
+ reference
+ "RFC 9640: YANG Data Types and Groupings for Cryptography";
+ }
+
+ /****************/
+ /* Features */
+ /****************/
+
+ feature one-symmetric-key-format {
+ description
+ "Indicates that the server supports the
+ 'one-symmetric-key-format' identity.";
+ }
+
+ feature one-asymmetric-key-format {
+ description
+ "Indicates that the server supports the
+ 'one-asymmetric-key-format' identity.";
+ }
+
+ feature symmetrically-encrypted-value-format {
+ description
+ "Indicates that the server supports the
+ 'symmetrically-encrypted-value-format' identity.";
+ }
+
+ feature asymmetrically-encrypted-value-format {
+ description
+ "Indicates that the server supports the
+ 'asymmetrically-encrypted-value-format' identity.";
+ }
+
+ feature cms-enveloped-data-format {
+ description
+ "Indicates that the server supports the
+ 'cms-enveloped-data-format' identity.";
+ }
+
+ feature cms-encrypted-data-format {
+ description
+ "Indicates that the server supports the
+ 'cms-encrypted-data-format' identity.";
+ }
+
+ feature p10-csr-format {
+ description
+ "Indicates that the server implements support
+ for generating P10-based CSRs, as defined
+ in RFC 2986.";
+ reference
+ "RFC 2986: PKCS #10: Certification Request Syntax
+ Specification Version 1.7";
+ }
+
+ feature csr-generation {
+ description
+ "Indicates that the server implements the
+ 'generate-csr' action.";
+ }
+
+ feature certificate-expiration-notification {
+ description
+ "Indicates that the server implements the
+ 'certificate-expiration' notification.";
+ }
+
+ feature cleartext-passwords {
+ description
+ "Indicates that the server supports cleartext
+ passwords.";
+ }
+
+ feature encrypted-passwords {
+ description
+ "Indicates that the server supports password
+ encryption.";
+ }
+
+ feature cleartext-symmetric-keys {
+ description
+ "Indicates that the server supports cleartext
+ symmetric keys.";
+ }
+
+ feature hidden-symmetric-keys {
+ description
+ "Indicates that the server supports hidden keys.";
+ }
+
+ feature encrypted-symmetric-keys {
+ description
+ "Indicates that the server supports encryption
+ of symmetric keys.";
+ }
+
+ feature cleartext-private-keys {
+ description
+ "Indicates that the server supports cleartext
+ private keys.";
+ }
+
+ feature hidden-private-keys {
+ description
+ "Indicates that the server supports hidden keys.";
+ }
+
+ feature encrypted-private-keys {
+ description
+ "Indicates that the server supports encryption
+ of private keys.";
+ }
+
+ /*************************************************/
+ /* Base Identities for Key Format Structures */
+ /*************************************************/
+
+ identity symmetric-key-format {
+ description
+ "Base key-format identity for symmetric keys.";
+ }
+
+ identity public-key-format {
+ description
+ "Base key-format identity for public keys.";
+ }
+
+ identity private-key-format {
+ description
+ "Base key-format identity for private keys.";
+ }
+
+ /****************************************************/
+ /* Identities for Private Key Format Structures */
+ /****************************************************/
+
+ identity rsa-private-key-format {
+ base private-key-format;
+ description
+ "Indicates that the private key value is encoded as
+ an RSAPrivateKey (from RFC 8017), encoded using ASN.1
+ distinguished encoding rules (DER), as specified in
+ ITU-T X.690.";
+ reference
+ "RFC 8017:
+ PKCS #1: RSA Cryptography Specifications Version 2.2
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER) 02/2021";
+ }
+
+ identity ec-private-key-format {
+ base private-key-format;
+ description
+ "Indicates that the private key value is encoded as
+ an ECPrivateKey (from RFC 5915), encoded using ASN.1
+ distinguished encoding rules (DER), as specified in
+ ITU-T X.690.";
+ reference
+ "RFC 5915:
+ Elliptic Curve Private Key Structure
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER) 02/2021";
+ }
+
+ identity one-asymmetric-key-format {
+ if-feature "one-asymmetric-key-format";
+ base private-key-format;
+ description
+ "Indicates that the private key value is a
+ Cryptographic Message Syntax (CMS) OneAsymmetricKey
+ structure, as defined in RFC 5958, encoded using
+ ASN.1 distinguished encoding rules (DER), as
+ specified in ITU-T X.690.";
+ reference
+ "RFC 5958:
+ Asymmetric Key Packages
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER) 02/2021";
+ }
+
+ /***************************************************/
+ /* Identities for Public Key Format Structures */
+ /***************************************************/
+
+ identity ssh-public-key-format {
+ base public-key-format;
+ description
+ "Indicates that the public key value is a Secure Shell (SSH)
+ public key, as specified in RFC 4253, Section 6.6, i.e.:
+
+ string certificate or public key format
+ identifier
+ byte[n] key/certificate data.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity subject-public-key-info-format {
+ base public-key-format;
+ description
+ "Indicates that the public key value is a SubjectPublicKeyInfo
+ structure, as described in RFC 5280, encoded using ASN.1
+ distinguished encoding rules (DER), as specified in
+ ITU-T X.690.";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER) 02/2021";
+ }
+
+ /******************************************************/
+ /* Identities for Symmetric Key Format Structures */
+ /******************************************************/
+
+ identity octet-string-key-format {
+ base symmetric-key-format;
+ description
+ "Indicates that the key is encoded as a raw octet string.
+ The length of the octet string MUST be appropriate for
+ the associated algorithm's block size.
+
+ The identity of the associated algorithm is outside the
+ scope of this specification. This is also true when
+ the octet string has been encrypted.";
+ }
+
+ identity one-symmetric-key-format {
+ if-feature "one-symmetric-key-format";
+ base symmetric-key-format;
+ description
+ "Indicates that the private key value is a CMS
+ OneSymmetricKey structure, as defined in RFC 6031,
+ encoded using ASN.1 distinguished encoding rules
+ (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 6031:
+ Cryptographic Message Syntax (CMS)
+ Symmetric Key Package Content Type
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER) 02/2021";
+ }
+
+ /*************************************************/
+ /* Identities for Encrypted Value Structures */
+ /*************************************************/
+
+ identity encrypted-value-format {
+ description
+ "Base format identity for encrypted values.";
+ }
+
+ identity symmetrically-encrypted-value-format {
+ if-feature "symmetrically-encrypted-value-format";
+ base encrypted-value-format;
+ description
+ "Base format identity for symmetrically encrypted
+ values.";
+ }
+
+ identity asymmetrically-encrypted-value-format {
+ if-feature "asymmetrically-encrypted-value-format";
+ base encrypted-value-format;
+ description
+ "Base format identity for asymmetrically encrypted
+ values.";
+ }
+
+ identity cms-encrypted-data-format {
+ if-feature "cms-encrypted-data-format";
+ base symmetrically-encrypted-value-format;
+ description
+ "Indicates that the encrypted value conforms to
+ the 'encrypted-data-cms' type with the constraint
+ that the 'unprotectedAttrs' value is not set.";
+ reference
+ "RFC 5652:
+ Cryptographic Message Syntax (CMS)
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER) 02/2021";
+ }
+
+ identity cms-enveloped-data-format {
+ if-feature "cms-enveloped-data-format";
+ base asymmetrically-encrypted-value-format;
+ description
+ "Indicates that the encrypted value conforms to the
+ 'enveloped-data-cms' type with the following constraints:
+
+ The EnvelopedData structure MUST have exactly one
+ 'RecipientInfo'.
+
+ If the asymmetric key supports public key cryptography
+ (e.g., RSA), then the 'RecipientInfo' must be a
+ 'KeyTransRecipientInfo' with the 'RecipientIdentifier'
+ using a 'subjectKeyIdentifier' with the value set using
+ 'method 1' in RFC 7093 over the recipient's public key.
+
+ Otherwise, if the asymmetric key supports key agreement
+ (e.g., Elliptic Curve Cryptography (ECC)), then the
+ 'RecipientInfo' must be a 'KeyAgreeRecipientInfo'. The
+ 'OriginatorIdentifierOrKey' value must use the
+ 'OriginatorPublicKey' alternative. The
+ 'UserKeyingMaterial' value must not be present. There
+ must be exactly one 'RecipientEncryptedKeys' value
+ having the 'KeyAgreeRecipientIdentifier' set to 'rKeyId'
+ with the value set using 'method 1' in RFC 7093 over the
+ recipient's public key.";
+ reference
+ "RFC 5652:
+ Cryptographic Message Syntax (CMS)
+ RFC 7093:
+ Additional Methods for Generating Key
+ Identifiers Values
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER) 02/2021";
+ }
+
+ /*********************************************************/
+ /* Identities for Certificate Signing Request Formats */
+ /*********************************************************/
+
+ identity csr-format {
+ description
+ "A base identity for the certificate signing request
+ formats. Additional derived identities MAY be defined
+ by future efforts.";
+ }
+
+ identity p10-csr-format {
+ if-feature "p10-csr-format";
+ base csr-format;
+ description
+ "Indicates the CertificationRequest structure
+ defined in RFC 2986.";
+ reference
+ "RFC 2986: PKCS #10: Certification Request Syntax
+ Specification Version 1.7";
+ }
+
+
+ /***************************************************/
+ /* Typedefs for ASN.1 structures from RFC 2986 */
+ /***************************************************/
+
+ typedef csr-info {
+ type binary;
+ description
+ "A CertificationRequestInfo structure, as defined in
+ RFC 2986, encoded using ASN.1 distinguished encoding
+ rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax
+ Specification Version 1.7
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER) 02/2021";
+ }
+
+ typedef p10-csr {
+ type binary;
+ description
+ "A CertificationRequest structure, as specified in
+ RFC 2986, encoded using ASN.1 distinguished encoding
+ rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax Specification
+ Version 1.7
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER) 02/2021";
+ }
+
+ /***************************************************/
+ /* Typedefs for ASN.1 structures from RFC 5280 */
+ /***************************************************/
+
+ typedef x509 {
+ type binary;
+ description
+ "A Certificate structure, as specified in RFC 5280,
+ encoded using ASN.1 distinguished encoding rules (DER),
+ as specified in ITU-T X.690.";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER) 02/2021";
+ }
+
+ typedef crl {
+ type binary;
+ description
+ "A CertificateList structure, as specified in RFC 5280,
+ encoded using ASN.1 distinguished encoding rules (DER),
+ as specified in ITU-T X.690.";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER) 02/2021";
+ }
+
+ /***************************************************/
+ /* Typedefs for ASN.1 structures from RFC 6960 */
+ /***************************************************/
+
+ typedef oscp-request {
+ type binary;
+ description
+ "A OCSPRequest structure, as specified in RFC 6960,
+ encoded using ASN.1 distinguished encoding rules
+ (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 6960:
+ X.509 Internet Public Key Infrastructure Online
+ Certificate Status Protocol - OCSP
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER) 02/2021";
+ }
+
+ typedef oscp-response {
+ type binary;
+ description
+ "A OCSPResponse structure, as specified in RFC 6960,
+ encoded using ASN.1 distinguished encoding rules
+ (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 6960:
+ X.509 Internet Public Key Infrastructure Online
+ Certificate Status Protocol - OCSP
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER) 02/2021";
+ }
+
+ /***********************************************/
+ /* Typedefs for ASN.1 structures from 5652 */
+ /***********************************************/
+
+ typedef cms {
+ type binary;
+ description
+ "A ContentInfo structure, as specified in RFC 5652,
+ encoded using ASN.1 distinguished encoding rules (DER),
+ as specified in ITU-T X.690.";
+ reference
+ "RFC 5652:
+ Cryptographic Message Syntax (CMS)
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER) 02/2021";
+ }
+
+ typedef data-content-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ data content type, as described in Section 4 of RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef signed-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ signed-data content type, as described in Section 5 of
+ RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef enveloped-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ enveloped-data content type, as described in Section 6
+ of RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef digested-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ digested-data content type, as described in Section 7
+ of RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef encrypted-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ encrypted-data content type, as described in Section 8
+ of RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef authenticated-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ authenticated-data content type, as described in Section 9
+ of RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ /*********************************************************/
+ /* Typedefs for ASN.1 structures related to RFC 5280 */
+ /*********************************************************/
+
+ typedef trust-anchor-cert-x509 {
+ type x509;
+ description
+ "A Certificate structure that MUST encode a self-signed
+ root certificate.";
+ }
+
+ typedef end-entity-cert-x509 {
+ type x509;
+ description
+ "A Certificate structure that MUST encode a certificate
+ that is neither self-signed nor has Basic constraint
+ CA true.";
+ }
+
+ /*********************************************************/
+ /* Typedefs for ASN.1 structures related to RFC 5652 */
+ /*********************************************************/
+
+ typedef trust-anchor-cert-cms {
+ type signed-data-cms;
+ description
+ "A CMS SignedData structure that MUST contain the chain of
+ X.509 certificates needed to authenticate the certificate
+ presented by a client or end entity.
+
+ The CMS MUST contain only a single chain of certificates.
+ The client or end-entity certificate MUST only authenticate
+ to the last intermediate CA certificate listed in the chain.
+
+ In all cases, the chain MUST include a self-signed root
+ certificate. In the case where the root certificate is
+ itself the issuer of the client or end-entity certificate,
+ only one certificate is present.
+
+ This CMS structure MAY (as applicable where this type is
+ used) also contain suitably fresh (as defined by local
+ policy) revocation objects with which the device can
+ verify the revocation status of the certificates.
+
+ This CMS encodes the degenerate form of the SignedData
+ structure (RFC 5652, Section 5.2) that is commonly used
+ to disseminate X.509 certificates and revocation objects
+ (RFC 5280).";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile
+ RFC 5652:
+ Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef end-entity-cert-cms {
+ type signed-data-cms;
+ description
+ "A CMS SignedData structure that MUST contain the end-entity
+ certificate itself and MAY contain any number
+ of intermediate certificates leading up to a trust
+ anchor certificate. The trust anchor certificate
+ MAY be included as well.
+
+ The CMS MUST contain a single end-entity certificate.
+ The CMS MUST NOT contain any spurious certificates.
+
+ This CMS structure MAY (as applicable where this type is
+ used) also contain suitably fresh (as defined by local
+ policy) revocation objects with which the device can
+ verify the revocation status of the certificates.
+
+ This CMS encodes the degenerate form of the SignedData
+ structure (RFC 5652, Section 5.2) that is commonly
+ used to disseminate X.509 certificates and revocation
+ objects (RFC 5280).";
+
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile
+ RFC 5652:
+ Cryptographic Message Syntax (CMS)";
+ }
+
+ /*****************/
+ /* Groupings */
+ /*****************/
+
+ grouping encrypted-value-grouping {
+ description
+ "A reusable grouping for a value that has been encrypted by
+ a referenced symmetric or asymmetric key.";
+ container encrypted-by {
+ nacm:default-deny-write;
+ description
+ "An empty container enabling a reference to the key that
+ encrypted the value to be augmented in. The referenced
+ key MUST be a symmetric key or an asymmetric key.
+
+ A symmetric key MUST be referenced via a leaf node called
+ 'symmetric-key-ref'. An asymmetric key MUST be referenced
+ via a leaf node called 'asymmetric-key-ref'.
+
+ The leaf nodes MUST be direct descendants in the data tree
+ and MAY be direct descendants in the schema tree (e.g.,
+ 'choice'/'case' statements are allowed but not a
+ container).";
+ }
+ leaf encrypted-value-format {
+ type identityref {
+ base encrypted-value-format;
+ }
+ mandatory true;
+ description
+ "Identifies the format of the 'encrypted-value' leaf.
+
+ If 'encrypted-by' points to a symmetric key, then an
+ identity based on 'symmetrically-encrypted-value-format'
+ MUST be set (e.g., 'cms-encrypted-data-format').
+
+ If 'encrypted-by' points to an asymmetric key, then an
+ identity based on 'asymmetrically-encrypted-value-format'
+ MUST be set (e.g., 'cms-enveloped-data-format').";
+ }
+ leaf encrypted-value {
+ nacm:default-deny-write;
+ type binary;
+ must '../encrypted-by';
+ mandatory true;
+ description
+ "The value, encrypted using the referenced symmetric
+ or asymmetric key. The value MUST be encoded using
+ the format associated with the 'encrypted-value-format'
+ leaf.";
+ }
+ }
+
+ grouping password-grouping {
+ description
+ "A password used for authenticating to a remote system.
+
+ The 'ianach:crypt-hash' typedef from RFC 7317 should be
+ used instead when needing a password to authenticate a
+ local account.";
+ choice password-type {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "Choice between password types.";
+ case cleartext-password {
+ if-feature "cleartext-passwords";
+ leaf cleartext-password {
+ nacm:default-deny-all;
+ type string;
+ description
+ "The cleartext value of the password.";
+ }
+ }
+ case encrypted-password {
+ if-feature "encrypted-passwords";
+ container encrypted-password {
+ description
+ "A container for the encrypted password value.";
+ uses encrypted-value-grouping;
+ }
+ }
+ }
+ }
+
+ grouping symmetric-key-grouping {
+ description
+ "A symmetric key.";
+ leaf key-format {
+ nacm:default-deny-write;
+ type identityref {
+ base symmetric-key-format;
+ }
+ description
+ "Identifies the symmetric key's format. Implementations
+ SHOULD ensure that the incoming symmetric key value is
+ encoded in the specified format.
+
+ For encrypted keys, the value is the decrypted key's
+ format (i.e., the 'encrypted-value-format' conveys the
+ encrypted key's format).";
+ }
+ choice key-type {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "Choice between key types.";
+ case cleartext-symmetric-key {
+ leaf cleartext-symmetric-key {
+ if-feature "cleartext-symmetric-keys";
+ nacm:default-deny-all;
+ type binary;
+ must '../key-format';
+ description
+ "The binary value of the key. The interpretation of
+ the value is defined by the 'key-format' field.";
+ }
+ }
+ case hidden-symmetric-key {
+ if-feature "hidden-symmetric-keys";
+ leaf hidden-symmetric-key {
+ type empty;
+ must 'not(../key-format)';
+ description
+ "A hidden key is not exportable and not extractable;
+ therefore, it is of type 'empty' as its value is
+ inaccessible via management interfaces. Though hidden
+ to users, such keys are not hidden to the server and
+ may be referenced by configuration to indicate which
+ key a server should use for a cryptographic operation.
+ How such keys are created is outside the scope of this
+ module.";
+ }
+ }
+ case encrypted-symmetric-key {
+ if-feature "encrypted-symmetric-keys";
+ container encrypted-symmetric-key {
+ must '../key-format';
+ description
+ "A container for the encrypted symmetric key value.
+ The interpretation of the 'encrypted-value' node
+ is via the 'key-format' node";
+ uses encrypted-value-grouping;
+ }
+ }
+ }
+ }
+
+ grouping public-key-grouping {
+ description
+ "A public key.";
+ leaf public-key-format {
+ nacm:default-deny-write;
+ type identityref {
+ base public-key-format;
+ }
+ mandatory true;
+ description
+ "Identifies the public key's format. Implementations SHOULD
+ ensure that the incoming public key value is encoded in the
+ specified format.";
+ }
+ leaf public-key {
+ nacm:default-deny-write;
+ type binary;
+ mandatory true;
+ description
+ "The binary value of the public key. The interpretation
+ of the value is defined by the 'public-key-format' field.";
+ }
+ }
+
+ grouping private-key-grouping {
+ description
+ "A private key.";
+ leaf private-key-format {
+ nacm:default-deny-write;
+ type identityref {
+ base private-key-format;
+ }
+ description
+ "Identifies the private key's format. Implementations SHOULD
+ ensure that the incoming private key value is encoded in the
+ specified format.
+
+ For encrypted keys, the value is the decrypted key's
+ format (i.e., the 'encrypted-value-format' conveys the
+ encrypted key's format).";
+ }
+ choice private-key-type {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "Choice between key types.";
+ case cleartext-private-key {
+ if-feature "cleartext-private-keys";
+ leaf cleartext-private-key {
+ nacm:default-deny-all;
+ type binary;
+ must '../private-key-format';
+ description
+ "The value of the binary key. The key's value is
+ interpreted by the 'private-key-format' field.";
+ }
+ }
+ case hidden-private-key {
+ if-feature "hidden-private-keys";
+ leaf hidden-private-key {
+ type empty;
+ must 'not(../private-key-format)';
+ description
+ "A hidden key. It is of type 'empty' as its value is
+ inaccessible via management interfaces. Though hidden
+ to users, such keys are not hidden to the server and
+ may be referenced by configuration to indicate which
+ key a server should use for a cryptographic operation.
+ How such keys are created is outside the scope of this
+ module.";
+ }
+ }
+ case encrypted-private-key {
+ if-feature "encrypted-private-keys";
+ container encrypted-private-key {
+ must '../private-key-format';
+ description
+ "A container for the encrypted asymmetric private key
+ value. The interpretation of the 'encrypted-value'
+ node is via the 'private-key-format' node";
+ uses encrypted-value-grouping;
+ }
+ }
+ }
+ }
+
+ grouping asymmetric-key-pair-grouping {
+ description
+ "A private key and, optionally, its associated public key.
+ Implementations MUST ensure that the two keys, when both
+ are specified, are a matching pair.";
+ uses public-key-grouping {
+ refine "public-key-format" {
+ mandatory false;
+ }
+ refine "public-key" {
+ mandatory false;
+ }
+ }
+ uses private-key-grouping;
+ }
+
+ grouping certificate-expiration-grouping {
+ description
+ "A notification for when a certificate is about to expire or
+ has already expired.";
+ notification certificate-expiration {
+ if-feature "certificate-expiration-notification";
+ description
+ "A notification indicating that the configured certificate
+ is either about to expire or has already expired. When to
+ send notifications is an implementation-specific decision,
+ but it is RECOMMENDED that a notification be sent once a
+ month for 3 months, then once a week for four weeks, and
+ then once a day thereafter until the issue is resolved.
+
+ If the certificate's issuer maintains a Certificate
+ Revocation List (CRL), the expiration notification MAY
+ be sent if the CRL is about to expire.";
+ leaf expiration-date {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "Identifies the expiration date on the certificate.";
+ }
+ }
+ }
+
+ grouping trust-anchor-cert-grouping {
+ description
+ "A trust anchor certificate and a notification for when
+ it is about to expire or has already expired.";
+ leaf cert-data {
+ nacm:default-deny-all;
+ type trust-anchor-cert-cms;
+ description
+ "The binary certificate data for this certificate.";
+ }
+ uses certificate-expiration-grouping;
+ }
+
+ grouping end-entity-cert-grouping {
+ description
+ "An end-entity certificate and a notification for when
+ it is about to expire or has already expired. Implementations
+ SHOULD assert that, where used, the end-entity certificate
+ contains the expected public key.";
+ leaf cert-data {
+ nacm:default-deny-all;
+ type end-entity-cert-cms;
+ description
+ "The binary certificate data for this certificate.";
+ }
+ uses certificate-expiration-grouping;
+ }
+
+
+
+ grouping generate-csr-grouping {
+ description
+ "Defines the 'generate-csr' action.";
+ action generate-csr {
+ if-feature "csr-generation";
+ nacm:default-deny-all;
+ description
+ "Generates a certificate signing request structure for
+ the associated asymmetric key using the passed subject
+ and attribute values.
+
+ This 'action' statement is only available when the
+ associated 'public-key-format' node's value is
+ 'subject-public-key-info-format'.";
+ input {
+ leaf csr-format {
+ type identityref {
+ base csr-format;
+ }
+ mandatory true;
+ description
+ "Specifies the format for the returned certificate.";
+ }
+ leaf csr-info {
+ type csr-info;
+ mandatory true;
+ description
+ "A CertificationRequestInfo structure, as defined in
+ RFC 2986.
+
+ Enables the client to provide a fully populated
+ CertificationRequestInfo structure that the server
+ only needs to sign in order to generate the complete
+ CertificationRequest structure to return in the
+ 'output'.
+
+ The 'AlgorithmIdentifier' field contained inside
+ the 'SubjectPublicKeyInfo' field MUST be one known
+ to be supported by the device.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax Specification
+ RFC 9640:
+ YANG Data Types and Groupings for Cryptography";
+ }
+ }
+ output {
+ choice csr-type {
+ mandatory true;
+ description
+ "A choice amongst certificate signing request formats.
+ Additional formats MAY be augmented into this 'choice'
+ statement by future efforts.";
+ case p10-csr {
+ leaf p10-csr {
+ type p10-csr;
+ description
+ "A CertificationRequest, as defined in RFC 2986.";
+ }
+ description
+ "A CertificationRequest, as defined in RFC 2986.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax Specification
+ RFC 9640:
+ YANG Data Types and Groupings for Cryptography";
+ }
+ }
+ }
+ }
+ } // generate-csr-grouping
+
+ grouping asymmetric-key-pair-with-cert-grouping {
+ description
+ "A private/public key pair and an associated certificate.
+ Implementations MUST assert that the certificate contains
+ the matching public key.";
+ uses asymmetric-key-pair-grouping;
+ uses end-entity-cert-grouping;
+ uses generate-csr-grouping;
+ } // asymmetric-key-pair-with-cert-grouping
+
+ grouping asymmetric-key-pair-with-certs-grouping {
+ description
+ "A private/public key pair and a list of associated
+ certificates. Implementations MUST assert that
+ certificates contain the matching public key.";
+ uses asymmetric-key-pair-grouping;
+ container certificates {
+ nacm:default-deny-write;
+ description
+ "Certificates associated with this asymmetric key.";
+ list certificate {
+ key "name";
+ description
+ "A certificate for this asymmetric key.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the certificate.";
+ }
+ uses end-entity-cert-grouping {
+ refine "cert-data" {
+ mandatory true;
+ }
+ }
+ }
+ }
+ uses generate-csr-grouping;
+ } // asymmetric-key-pair-with-certs-grouping
+
+}
Code Review / mdsal.git / commitdiff