From 55a26bb0d9818df47907d601908c9f56c46340c6 Mon Sep 17 00:00:00 2001 From: Robert Varga Date: Wed, 5 Jul 2023 19:00:15 +0200 Subject: [PATCH] Update draft-ietf-client-server models There is a new drop for drafts, updating the modules we are packaging. Update them. This aligns the revisions with the models used in netconf-{client,server}. Since this requires some code changes, code is cleaned up to eliminate most of the warnings and take advantage of BindingMap. JIRA: NETCONF-1073 Change-Id: I5c610d852ab504050cb258c6b42bc6e32e5b19e5 Signed-off-by: Robert Varga 
Signed-off-by: Ruslan Kashapov --- ...-12.yang => ietf-keystore@2023-04-17.yang} | 53 ++-- .../none/NoneKeystoreFeatureProvider.java | 8 +- ...yang => ietf-crypto-types@2023-04-17.yang} | 178 +++++++---- transport/transport-ssh/pom.xml | 14 +- .../netconf/transport/ssh/ConfigUtils.java | 118 +++---- .../transport/ssh/IetfSshClientProvider.java | 10 +- .../transport/ssh/IetfSshCommonProvider.java | 6 +- .../transport/ssh/IetfSshServerProvider.java | 12 +- .../netconf/transport/ssh/SSHClient.java | 37 ++- .../netconf/transport/ssh/SSHServer.java | 57 ++-- .../netconf/transport/ssh/TransportUtils.java | 8 +- ...2.yang => ietf-ssh-client@2023-04-17.yang} | 38 +-- ...2.yang => ietf-ssh-common@2023-04-17.yang} | 25 +- ...2.yang => ietf-ssh-server@2023-04-17.yang} | 68 ++-- .../transport/ssh/SshClientServerTest.java | 16 +- .../netconf/transport/ssh/TestUtils.java | 293 +++++++++--------- transport/transport-tcp/pom.xml | 4 + .../transport/tcp/AbstractNettyImpl.java | 2 +- .../netconf/transport/tcp/EpollNettyImpl.java | 2 +- .../tcp/IetfTcpClientFeatureProvider.java | 6 +- .../tcp/IetfTcpCommonFeatureProvider.java | 4 +- .../tcp/IetfTcpServerFeatureProvider.java | 4 +- .../transport/tcp/NettyTransportSupport.java | 2 +- .../netconf/transport/tcp/NioNettyImpl.java | 2 +- .../netconf/transport/tcp/TCPClient.java | 2 +- .../netconf/transport/tcp/TCPServer.java | 2 +- ...2.yang => ietf-tcp-client@2023-04-17.yang} | 40 ++- ...2.yang => ietf-tcp-common@2023-04-17.yang} | 7 +- ...2.yang => ietf-tcp-server@2023-04-17.yang} | 7 +- .../transport/tcp/TCPClientServerTest.java | 4 +- transport/transport-tls/pom.xml | 22 +- .../netconf/transport/tls/ConfigUtils.java | 99 +++--- .../tls/IetfTlsClientFeatureProvider.java | 6 +- .../tls/IetfTlsCommonFeatureProvider.java | 14 +- .../tls/IetfTlsServerFeatureProvider.java | 8 +- .../transport/tls/SSLEngineFactory.java | 2 +- .../netconf/transport/tls/TLSClient.java | 10 +- .../netconf/transport/tls/TLSServer.java | 10 +- 
.../transport/tls/TLSTransportStack.java | 22 +- ...2.yang => ietf-tls-client@2023-04-17.yang} | 34 +- ...2.yang => ietf-tls-common@2023-04-17.yang} | 9 +- ...2.yang => ietf-tls-server@2023-04-17.yang} | 34 +- .../transport/tls/ConfigUtilsTest.java | 26 +- .../netconf/transport/tls/TestUtils.java | 104 ++++--- .../transport/tls/TlsClientServerTest.java | 82 ++--- ...2.yang => ietf-truststore@2023-04-17.yang} | 30 +- .../none/NoneTruststoreFeatureProvider.java | 6 +- 47 files changed, 847 insertions(+), 700 deletions(-) rename keystore/keystore-api/src/main/yang/{ietf-keystore@2022-12-12.yang => ietf-keystore@2023-04-17.yang} (91%) rename model/draft-ietf-netconf-crypto-types/src/main/yang/{ietf-crypto-types@2022-12-12.yang => ietf-crypto-types@2023-04-17.yang} (87%) rename transport/transport-ssh/src/main/yang/{ietf-ssh-client@2022-12-12.yang => ietf-ssh-client@2023-04-17.yang} (91%) rename transport/transport-ssh/src/main/yang/{ietf-ssh-common@2022-12-12.yang => ietf-ssh-common@2023-04-17.yang} (91%) rename transport/transport-ssh/src/main/yang/{ietf-ssh-server@2022-12-12.yang => ietf-ssh-server@2023-04-17.yang} (86%) rename transport/transport-tcp/src/main/yang/{ietf-tcp-client@2022-12-12.yang => ietf-tcp-client@2023-04-17.yang} (89%) rename transport/transport-tcp/src/main/yang/{ietf-tcp-common@2022-12-12.yang => ietf-tcp-common@2023-04-17.yang} (95%) rename transport/transport-tcp/src/main/yang/{ietf-tcp-server@2022-12-12.yang => ietf-tcp-server@2023-04-17.yang} (96%) rename transport/transport-tls/src/main/yang/{ietf-tls-client@2022-12-12.yang => ietf-tls-client@2023-04-17.yang} (94%) rename transport/transport-tls/src/main/yang/{ietf-tls-common@2022-12-12.yang => ietf-tls-common@2023-04-17.yang} (97%) rename transport/transport-tls/src/main/yang/{ietf-tls-server@2022-12-12.yang => ietf-tls-server@2023-04-17.yang} (94%) rename truststore/truststore-api/src/main/yang/{ietf-truststore@2022-12-12.yang => ietf-truststore@2023-04-17.yang} (94%) 
diff --git a/keystore/keystore-api/src/main/yang/ietf-keystore@2022-12-12.yang b/keystore/keystore-api/src/main/yang/ietf-keystore@2023-04-17.yang similarity index 91% rename from keystore/keystore-api/src/main/yang/ietf-keystore@2022-12-12.yang rename to keystore/keystore-api/src/main/yang/ietf-keystore@2023-04-17.yang index 9424c45ce4..8e158fabb7 100644 --- a/keystore/keystore-api/src/main/yang/ietf-keystore@2022-12-12.yang +++ b/keystore/keystore-api/src/main/yang/ietf-keystore@2023-04-17.yang @@ -27,7 +27,7 @@ module ietf-keystore { "This module defines a 'keystore' to centralize management of security credentials. - Copyright (c) 2022 IETF Trust and the persons identified + Copyright (c) 2023 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with @@ -48,7 +48,7 @@ module ietf-keystore { (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision 2022-12-12 { + revision 2023-04-17 { description "Initial version"; reference @@ -66,9 +66,9 @@ module ietf-keystore { 'ietf-keystore' module)."; } - feature local-definitions-supported { + feature inline-definitions-supported { description - "The 'local-definitions-supported' feature indicates that + "The 'inline-definitions-supported' feature indicates that the server supports locally-defined keys."; } @@ -178,9 +178,9 @@ module ietf-keystore { } } - // local-or-keystore-* groupings + // inline-or-keystore-* groupings - grouping local-or-keystore-symmetric-key-grouping { + grouping inline-or-keystore-symmetric-key-grouping { description "A grouping that expands to allow the symmetric key to be either stored locally, i.e., within the using data model, 
@@ -190,15 +190,15 @@ module ietf-keystore { 'central-keystore-supported' is not defined, SHOULD augment in custom 'case' statements enabling references to the alternate keystore locations."; - choice local-or-keystore { + choice inline-or-keystore { nacm:default-deny-write; mandatory true; description "A choice between an inlined definition and a definition that exists in the keystore."; - case local { - if-feature "local-definitions-supported"; - container local-definition { + case inline { + if-feature "inline-definitions-supported"; + container inline-definition { description "Container to hold the local key definition."; uses ct:symmetric-key-grouping; @@ -216,7 +216,8 @@ module ietf-keystore { } } } - grouping local-or-keystore-asymmetric-key-grouping { + + grouping inline-or-keystore-asymmetric-key-grouping { description "A grouping that expands to allow the asymmetric key to be either stored locally, i.e., within the using data model, @@ -226,15 +227,15 @@ module ietf-keystore { 'central-keystore-supported' is not defined, SHOULD augment in custom 'case' statements enabling references to the alternate keystore locations."; - choice local-or-keystore { + choice inline-or-keystore { nacm:default-deny-write; mandatory true; description "A choice between an inlined definition and a definition that exists in the keystore."; - case local { - if-feature "local-definitions-supported"; - container local-definition { + case inline { + if-feature "inline-definitions-supported"; + container inline-definition { description "Container to hold the local key definition."; uses ct:asymmetric-key-pair-grouping; @@ -256,7 +257,7 @@ module ietf-keystore { } } - grouping local-or-keystore-asymmetric-key-with-certs-grouping { + grouping inline-or-keystore-asymmetric-key-with-certs-grouping { description "A grouping that expands to allow an asymmetric key and its associated certificates to be either stored locally, 
@@ -268,15 +269,15 @@ module ietf-keystore { 'central-keystore-supported' is not defined, SHOULD augment in custom 'case' statements enabling references to the alternate keystore locations."; - choice local-or-keystore { + choice inline-or-keystore { nacm:default-deny-write; mandatory true; description "A choice between an inlined definition and a definition that exists in the keystore."; - case local { - if-feature "local-definitions-supported"; - container local-definition { + case inline { + if-feature "inline-definitions-supported"; + container inline-definition { description "Container to hold the local key definition."; uses ct:asymmetric-key-pair-with-certs-grouping; @@ -296,7 +297,7 @@ module ietf-keystore { } } - grouping local-or-keystore-end-entity-cert-with-key-grouping { + grouping inline-or-keystore-end-entity-cert-with-key-grouping { description "A grouping that expands to allow an end-entity certificate (and its associated asymmetric key pair) to be either stored @@ -307,15 +308,15 @@ module ietf-keystore { 'central-keystore-supported' is not defined, SHOULD augment in custom 'case' statements enabling references to the alternate keystore locations."; - choice local-or-keystore { + choice inline-or-keystore { nacm:default-deny-write; mandatory true; description "A choice between an inlined definition and a definition that exists in the keystore."; - case local { - if-feature "local-definitions-supported"; - container local-definition { + case inline { + if-feature "inline-definitions-supported"; + container inline-definition { description "Container to hold the local key definition."; uses ct:asymmetric-key-pair-with-cert-grouping; 
@@ -339,7 +340,7 @@ module ietf-keystore { description "Grouping definition enables use in other contexts. If ever done, implementations MUST augment new 'case' statements - into the various local-or-keystore 'choice' statements to + into the various inline-or-keystore 'choice' statements to supply leafrefs to the model-specific location(s)."; container asymmetric-keys { nacm:default-deny-write; diff --git a/keystore/keystore-none/src/main/java/org/opendaylight/netconf/keystore/none/NoneKeystoreFeatureProvider.java b/keystore/keystore-none/src/main/java/org/opendaylight/netconf/keystore/none/NoneKeystoreFeatureProvider.java index 68cabcf46d..c31f824bad 100644 --- a/keystore/keystore-none/src/main/java/org/opendaylight/netconf/keystore/none/NoneKeystoreFeatureProvider.java +++ b/keystore/keystore-none/src/main/java/org/opendaylight/netconf/keystore/none/NoneKeystoreFeatureProvider.java @@ -10,9 +10,9 @@ package org.opendaylight.netconf.keystore.none; import java.util.Set; import org.eclipse.jdt.annotation.NonNullByDefault; import org.kohsuke.MetaInfServices; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212.AsymmetricKeys; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212.IetfKeystoreData; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212.LocalDefinitionsSupported; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417.AsymmetricKeys; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417.IetfKeystoreData; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417.InlineDefinitionsSupported; import org.opendaylight.yangtools.yang.binding.YangFeature; import org.opendaylight.yangtools.yang.binding.YangFeatureProvider; 
@@ -29,6 +29,6 @@ public final class NoneKeystoreFeatureProvider implements YangFeatureProvider> supportedFeatures() { - return Set.of(LocalDefinitionsSupported.VALUE, AsymmetricKeys.VALUE); + return Set.of(InlineDefinitionsSupported.VALUE, AsymmetricKeys.VALUE); } } diff --git a/model/draft-ietf-netconf-crypto-types/src/main/yang/ietf-crypto-types@2022-12-12.yang b/model/draft-ietf-netconf-crypto-types/src/main/yang/ietf-crypto-types@2023-04-17.yang similarity index 87% rename from model/draft-ietf-netconf-crypto-types/src/main/yang/ietf-crypto-types@2022-12-12.yang rename to model/draft-ietf-netconf-crypto-types/src/main/yang/ietf-crypto-types@2023-04-17.yang index 342dde899c..ddabbeec52 100644 --- a/model/draft-ietf-netconf-crypto-types/src/main/yang/ietf-crypto-types@2022-12-12.yang +++ b/model/draft-ietf-netconf-crypto-types/src/main/yang/ietf-crypto-types@2023-04-17.yang @@ -27,7 +27,7 @@ module ietf-crypto-types { "This module defines common YANG types for cryptographic applications. - Copyright (c) 2022 IETF Trust and the persons identified + Copyright (c) 2023 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with @@ -48,7 +48,7 @@ module ietf-crypto-types { (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision 2022-12-12 { + revision 2023-04-17 { description "Initial version"; reference @@ -94,16 +94,9 @@ module ietf-crypto-types { "Indicates that the server supports the 'cms-encrypted-data-format' identity."; } - - feature csr-generation { + feature p10-csr-format { description - "Indicates that the server implements the - 'generate-csr' action."; - } - - feature p10-based-csrs { - description - "Indicates that the erver implements support + "Indicates that the server implements support for generating P10-based CSRs, as defined in RFC 2986."; reference 
@@ -111,30 +104,59 @@ module ietf-crypto-types { Specification Version 1.7"; } + feature csr-generation { + description + "Indicates that the server implements the + 'generate-csr' action."; + } + feature certificate-expiration-notification { description "Indicates that the server implements the 'certificate-expiration' notification."; } - feature hidden-keys { + feature cleartext-passwords { description - "Indicates that the server supports hidden keys."; + "Indicates that the server supports cleartext + passwords."; } - feature password-encryption { + feature encrypted-passwords { description "Indicates that the server supports password encryption."; } - feature symmetric-key-encryption { + feature cleartext-symmetric-keys { + description + "Indicates that the server supports cleartext + symmetric keys."; + } + + feature hidden-symmetric-keys { + description + "Indicates that the server supports hidden keys."; + } + + feature encrypted-symmetric-keys { description "Indicates that the server supports encryption of symmetric keys."; } - feature private-key-encryption { + feature cleartext-private-keys { + description + "Indicates that the server supports cleartext + private keys."; + } + + feature hidden-private-keys { + description + "Indicates that the server supports hidden keys."; + } + + feature encrypted-private-keys { description "Indicates that the server supports encryption of private keys."; 
@@ -166,20 +188,35 @@ module ietf-crypto-types { identity rsa-private-key-format { base private-key-format; description - "Indicates that the private key value is encoded - as an RSAPrivateKey (from RFC 3447)."; + "Indicates that the private key value is encoded as + an RSAPrivateKey (from RFC 3447), encoded using ASN.1 + distinguished encoding rules (DER), as specified in + ITU-T X.690."; reference - "RFC 3447: PKCS #1: RSA Cryptography - Specifications Version 2.2"; + "RFC 3447: + PKCS #1: RSA Cryptography Specifications Version 2.2 + ITU-T X.690: + Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), + Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER) 02/2021."; } identity ec-private-key-format { base private-key-format; description - "Indicates that the private key value is encoded - as an ECPrivateKey (from RFC 5915)"; + "Indicates that the private key value is encoded as + an ECPrivateKey (from RFC 5915), encoded using ASN.1 + distinguished encoding rules (DER), as specified in + ITU-T X.690."; reference - "RFC 5915: Elliptic Curve Private Key Structure"; + "RFC 5915: + Elliptic Curve Private Key Structure + ITU-T X.690: + Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), + Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER) 02/2021."; } identity one-asymmetric-key-format { @@ -196,7 +233,7 @@ module ietf-crypto-types { Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; + Encoding Rules (DER) 02/2021."; } /***************************************************/ 
@@ -231,7 +268,7 @@ module ietf-crypto-types { Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; + Encoding Rules (DER) 02/2021."; } /******************************************************/ @@ -245,11 +282,10 @@ module ietf-crypto-types { The length of the octet string MUST be appropriate for the associated algorithm's block size. - How the associated algorithm is known is outside the - scope of this module. This statement also applies when - the octet string has been encrypted."; + The identity of the associated algorithm is outside the + scope of this specification. This is also true when + the octet string has been encrypted."; } - identity one-symmetric-key-format { if-feature "one-symmetric-key-format"; base symmetric-key-format; @@ -265,7 +301,7 @@ module ietf-crypto-types { Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; + Encoding Rules (DER) 02/2021."; } /*************************************************/ @@ -306,7 +342,7 @@ module ietf-crypto-types { Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; + Encoding Rules (DER) 02/2021."; } identity cms-enveloped-data-format { @@ -343,7 +379,7 @@ module ietf-crypto-types { Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; + Encoding Rules (DER) 02/2021."; } /*********************************************************/ 
@@ -357,8 +393,8 @@ module ietf-crypto-types { by future efforts."; } - identity p10-csr { - if-feature "p10-based-csrs"; + identity p10-csr-format { + if-feature "p10-csr-format"; base csr-format; description "Indicates the 'CertificationRequest' structure @@ -385,7 +421,7 @@ module ietf-crypto-types { Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; + Encoding Rules (DER) 02/2021."; } typedef p10-csr { @@ -402,7 +438,7 @@ module ietf-crypto-types { Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; + Encoding Rules (DER) 02/2021."; } /***************************************************/ @@ -423,7 +459,7 @@ module ietf-crypto-types { Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; + Encoding Rules (DER) 02/2021."; } typedef crl { @@ -440,12 +476,13 @@ module ietf-crypto-types { Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; + Encoding Rules (DER) 02/2021."; } /***************************************************/ /* Typedefs for ASN.1 structures from RFC 6960 */ /***************************************************/ + typedef oscp-request { type binary; description @@ -460,7 +497,7 @@ module ietf-crypto-types { Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; + Encoding Rules (DER) 02/2021."; } typedef oscp-response { 
@@ -477,7 +514,7 @@ module ietf-crypto-types { Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; + Encoding Rules (DER) 02/2021."; } /***********************************************/ @@ -497,7 +534,7 @@ module ietf-crypto-types { Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished - Encoding Rules (DER)."; + Encoding Rules (DER) 02/2021."; } typedef data-content-cms { @@ -591,7 +628,7 @@ module ietf-crypto-types { The CMS MUST contain only a single chain of certificates. The client or end-entity certificate MUST only authenticate - to last intermediate CA certificate listed in the chain. + to the last intermediate CA certificate listed in the chain. In all cases, the chain MUST include a self-signed root certificate. In the case where the root certificate is @@ -604,12 +641,15 @@ module ietf-crypto-types { verify the revocation status of the certificates. This CMS encodes the degenerate form of the SignedData - structure that is commonly used to disseminate X.509 - certificates and revocation objects (RFC 5280)."; + structure (RFC 5652, Section 5.2) that is commonly used + to disseminate X.509 certificates and revocation objects + (RFC 5280)."; reference "RFC 5280: Internet X.509 Public Key Infrastructure Certificate - and Certificate Revocation List (CRL) Profile."; + and Certificate Revocation List (CRL) Profile. + RFC 5652: + Cryptographic Message Syntax (CMS)"; } typedef end-entity-cert-cms { 
@@ -630,12 +670,16 @@ module ietf-crypto-types { verify the revocation status of the certificates. This CMS encodes the degenerate form of the SignedData - structure that is commonly used to disseminate X.509 - certificates and revocation objects (RFC 5280)."; + structure (RFC 5652, Section 5.2) that is commonly + used to disseminate X.509 certificates and revocation + objects (RFC 5280)."; + reference "RFC 5280: Internet X.509 Public Key Infrastructure Certificate - and Certificate Revocation List (CRL) Profile."; + and Certificate Revocation List (CRL) Profile. + RFC 5652: + Cryptographic Message Syntax (CMS)"; } /*****************/ @@ -658,7 +702,8 @@ module ietf-crypto-types { via a leaf node called 'asymmetric-key-ref'. The leaf nodes MUST be direct descendants in the data tree, - and MAY be direct descendants in the schema tree."; + and MAY be direct descendants in the schema tree (e.g., + choice/case statements are allowed, but not a container)."; } leaf encrypted-value-format { type identityref { @@ -691,13 +736,14 @@ module ietf-crypto-types { grouping password-grouping { description - "A password that MAY be encrypted."; + "A password that may be encrypted."; choice password-type { nacm:default-deny-write; mandatory true; description "Choice between password types."; case cleartext-password { + if-feature "cleartext-passwords"; leaf cleartext-password { nacm:default-deny-all; type string; @@ -706,7 +752,7 @@ module ietf-crypto-types { } } case encrypted-password { - if-feature "password-encryption"; + if-feature "encrypted-passwords"; container encrypted-password { description "A container for the encrypted password value."; 
@@ -729,8 +775,9 @@ module ietf-crypto-types { SHOULD ensure that the incoming symmetric key value is encoded in the specified format. - For encrypted keys, the value is the same as it would - have been if the key were not encrypted."; + For encrypted keys, the value is the decrypted key's + format (i.e., the 'encrypted-value-format' conveys the + encrypted key's format."; } choice key-type { nacm:default-deny-write; @@ -739,6 +786,7 @@ module ietf-crypto-types { "Choice between key types."; case cleartext-key { leaf cleartext-key { + if-feature "cleartext-symmetric-keys"; nacm:default-deny-all; type binary; must '../key-format'; @@ -748,7 +796,7 @@ module ietf-crypto-types { } } case hidden-key { - if-feature "hidden-keys"; + if-feature "hidden-symmetric-keys"; leaf hidden-key { type empty; must 'not(../key-format)'; @@ -758,7 +806,7 @@ module ietf-crypto-types { } } case encrypted-key { - if-feature "symmetric-key-encryption"; + if-feature "encrypted-symmetric-keys"; container encrypted-key { must '../key-format'; description @@ -810,8 +858,9 @@ module ietf-crypto-types { ensure that the incoming private key value is encoded in the specified format. - For encrypted keys, the value is the same as it would have - been if the key were not encrypted."; + For encrypted keys, the value is the decrypted key's + format (i.e., the 'encrypted-value-format' conveys the + encrypted key's format."; } choice private-key-type { nacm:default-deny-write; @@ -819,6 +868,7 @@ module ietf-crypto-types { description "Choice between key types."; case cleartext-private-key { + if-feature "cleartext-private-keys"; leaf cleartext-private-key { nacm:default-deny-all; type binary; @@ -829,7 +879,7 @@ module ietf-crypto-types { } } case hidden-private-key { - if-feature "hidden-keys"; + if-feature "hidden-private-keys"; leaf hidden-private-key { type empty; must 'not(../private-key-format)'; 
@@ -839,7 +889,7 @@ module ietf-crypto-types { } } case encrypted-private-key { - if-feature "private-key-encryption"; + if-feature "encrypted-private-keys"; container encrypted-private-key { must '../private-key-format'; description @@ -929,7 +979,7 @@ module ietf-crypto-types { } mandatory true; description - "Specifies the format for the returned certifiacte."; + "Specifies the format for the returned certificate."; } leaf csr-info { type csr-info; @@ -983,7 +1033,7 @@ module ietf-crypto-types { grouping asymmetric-key-pair-with-cert-grouping { description "A private/public key pair and an associated certificate. - Implementations SHOULD assert that certificates contain + Implementations SHOULD assert that the certificate contains the matching public key."; uses asymmetric-key-pair-grouping; uses end-entity-cert-grouping; @@ -992,9 +1042,9 @@ module ietf-crypto-types { grouping asymmetric-key-pair-with-certs-grouping { description - "A private/public key pair and associated certificates. - Implementations SHOULD assert that certificates contain - the matching public key."; + "A private/public key pair and a list of associated + certificates. Implementations SHOULD assert that + certificates contain the matching public key."; uses asymmetric-key-pair-grouping; container certificates { nacm:default-deny-write; diff --git a/transport/transport-ssh/pom.xml b/transport/transport-ssh/pom.xml index 5fcb2fb4e6..bdbd05ddfe 100644 --- a/transport/transport-ssh/pom.xml +++ b/transport/transport-ssh/pom.xml @@ -43,6 +43,10 @@ io.netty netty-transport + + org.bouncycastle + bcprov-jdk18on + org.kohsuke.metainf-services metainf-services @@ -72,8 +76,8 @@ truststore-api - org.bouncycastle - bcprov-jdk18on + org.opendaylight.netconf.model + draft-ietf-netconf-crypto-types @@ -89,6 +93,10 @@ bcpkix-jdk18on test - + + org.opendaylight.mdsal.binding.model.ietf + rfc6991-ietf-inet-types + test + 
diff --git a/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/ConfigUtils.java b/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/ConfigUtils.java
index 8dc4cae09f..c269465d5d 100644
--- a/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/ConfigUtils.java
+++ b/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/ConfigUtils.java
@@ -25,17 +25,17 @@ import org.opendaylight.netconf.shaded.sshd.common.kex.KeyExchangeFactory;
 import org.opendaylight.netconf.shaded.sshd.common.session.SessionHeartbeatController;
 import org.opendaylight.netconf.shaded.sshd.server.ServerFactoryManager;
 import org.opendaylight.netconf.transport.api.UnsupportedConfigurationException;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.AsymmetricKeyPairGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.EcPrivateKeyFormat;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.RsaPrivateKeyFormat;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.SshPublicKeyFormat;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.SubjectPublicKeyInfoFormat;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.asymmetric.key.pair.grouping._private.key.type.CleartextPrivateKey;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212.LocalOrKeystoreEndEntityCertWithKeyGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212.ssh.client.grouping.server.authentication.SshHostKeys;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.common.rev221212.TransportParamsGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.common.rev221212.transport.params.grouping.KeyExchange;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212.LocalOrTruststoreCertsGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.AsymmetricKeyPairGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.EcPrivateKeyFormat;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.RsaPrivateKeyFormat;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.SshPublicKeyFormat;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.SubjectPublicKeyInfoFormat;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.asymmetric.key.pair.grouping._private.key.type.CleartextPrivateKey;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417.InlineOrKeystoreEndEntityCertWithKeyGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.server.authentication.SshHostKeys;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.common.rev230417.TransportParamsGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.common.rev230417.transport.params.grouping.KeyExchange;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417.InlineOrTruststoreCertsGrouping;
 import org.opendaylight.yangtools.yang.common.Uint16;
 import org.opendaylight.yangtools.yang.common.Uint8;
@@ -73,7 +73,7 @@ final class ConfigUtils {
 }
 static void setKeepAlives(final @NonNull ServerFactoryManager factoryMgr,
- final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212
+ final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417
 .ssh.server.grouping.Keepalives keepAlives) {
 setKeepAlives(factoryMgr, keepAlives == null ? null : keepAlives.getMaxWait(),
@@ -81,7 +81,7 @@ final class ConfigUtils {
 }
 static void setKeepAlives(final @NonNull ClientFactoryManager factoryMgr,
- final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212
+ final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417
 .ssh.client.grouping.Keepalives keepAlives) {
 setKeepAlives(factoryMgr, keepAlives == null ? null : keepAlives.getMaxWait(),
@@ -91,25 +91,25 @@ final class ConfigUtils { @SuppressFBWarnings(value = "DLS_DEAD_LOCAL_STORE", justification = "maxAttempts usage need clarification") private static void setKeepAlives(final @NonNull FactoryManager factoryMgr, final @Nullable Uint16 cfgMaxWait, final @Nullable Uint8 cfgMaxAttempts) { - // FIXME utilize max attempts + // FIXME: utilize max attempts final var maxAttempts = cfgMaxAttempts == null ? KEEP_ALIVE_DEFAULT_ATTEMPTS : cfgMaxAttempts.intValue(); final var maxWait = cfgMaxWait == null ? KEEP_ALIVE_DEFAULT_MAX_WAIT : cfgMaxWait.intValue(); factoryMgr.setSessionHeartbeat(SessionHeartbeatController.HeartbeatType.RESERVED, Duration.ofSeconds(maxWait)); } static List extractServerHostKeys( - final List serverHostKeys) throws UnsupportedConfigurationException { var listBuilder = ImmutableList.builder(); for (var hostKey : serverHostKeys) { if (hostKey.getHostKeyType() - instanceof org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212 + instanceof org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417 .ssh.server.grouping.server.identity.host.key.host.key.type.PublicKey publicKey && publicKey.getPublicKey() != null) { - listBuilder.add(extractKeyPair(publicKey.getPublicKey().getLocalOrKeystore())); + listBuilder.add(extractKeyPair(publicKey.getPublicKey().getInlineOrKeystore())); } else if (hostKey.getHostKeyType() - instanceof org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212 + instanceof org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417 .ssh.server.grouping.server.identity.host.key.host.key.type.Certificate certificate && certificate.getCertificate() != null) { listBuilder.add(extractCertificateEntry(certificate.getCertificate()).getKey()); 
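Review bot: In the private `setKeepAlives`, `cfgMaxAttempts` is still folded into `maxAttempts` and then discarded, so the `max-attempts` value accepted by the `ServerFactoryManager` and `ClientFactoryManager` overloads in the two preceding hunks has no effect and the `DLS_DEAD_LOCAL_STORE` suppression only hides that; just `max-wait` reaches `setSessionHeartbeat`. Until it is wired through, a peer that stops answering the heartbeat is not disconnected by this path, which a caller configuring keepalives to reap dead sessions would not expect. Either apply the limit through the sshd heartbeat no-reply setting if the version in use offers one, or state the gap in a Javadoc on the two package-private overloads, e.g. `/** Configures the session heartbeat from {@code keepAlives}; only max-wait is honoured, max-attempts is currently ignored. */`.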
@@ -119,16 +119,16 @@ final class ConfigUtils { } static KeyPair extractKeyPair( - final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212 - .local.or.keystore.asymmetric.key.grouping.LocalOrKeystore input) + final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417 + .inline.or.keystore.asymmetric.key.grouping.InlineOrKeystore input) throws UnsupportedConfigurationException { - final var local = ofType(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212 - .local.or.keystore.asymmetric.key.grouping.local.or.keystore.Local.class, input); - final var localDef = local.getLocalDefinition(); - if (localDef == null) { - throw new UnsupportedConfigurationException("Missing local definition in " + local); + final var inline = ofType(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417 + .inline.or.keystore.asymmetric.key.grouping.inline.or.keystore.Inline.class, input); + final var inlineDef = inline.getInlineDefinition(); + if (inlineDef == null) { + throw new UnsupportedConfigurationException("Missing inline definition in " + inline); } - return extractKeyPair(localDef); + return extractKeyPair(inlineDef); } private static KeyPair extractKeyPair(final AsymmetricKeyPairGrouping input) 
@@ -172,36 +172,36 @@ final class ConfigUtils { return new KeyPair(publicKey, privateKey); } - static List extractCertificates(@Nullable final LocalOrTruststoreCertsGrouping input) + static List extractCertificates(final @Nullable InlineOrTruststoreCertsGrouping input) throws UnsupportedConfigurationException { if (input == null) { return List.of(); } - final var local = ofType(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore - .rev221212.local.or.truststore.certs.grouping.local.or.truststore.Local.class, - input.getLocalOrTruststore()); - final var localDef = local.getLocalDefinition(); - if (localDef == null) { - throw new UnsupportedConfigurationException("Missing local definition in " + local); + final var inline = ofType(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore + .rev230417.inline.or.truststore.certs.grouping.inline.or.truststore.Inline.class, + input.getInlineOrTruststore()); + final var inlineDef = inline.getInlineDefinition(); + if (inlineDef == null) { + throw new UnsupportedConfigurationException("Missing inline definition in " + inline); } final var listBuilder = ImmutableList.builder(); - for (var cert : localDef.nonnullCertificate().values()) { + for (var cert : inlineDef.nonnullCertificate().values()) { listBuilder.add(KeyUtils.buildX509Certificate(cert.requireCertData().getValue())); } return listBuilder.build(); } private static Map.Entry> extractCertificateEntry( - final LocalOrKeystoreEndEntityCertWithKeyGrouping input) throws UnsupportedConfigurationException { - final var local = ofType(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212 - .local.or.keystore.end.entity.cert.with.key.grouping.local.or.keystore.Local.class, - input.getLocalOrKeystore()); - final var localDef = local.getLocalDefinition(); - if (localDef == null) { - throw new UnsupportedConfigurationException("Missing local definition in " + local); + final 
InlineOrKeystoreEndEntityCertWithKeyGrouping input) throws UnsupportedConfigurationException { + final var inline = ofType(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417 + .inline.or.keystore.end.entity.cert.with.key.grouping.inline.or.keystore.Inline.class, + input.getInlineOrKeystore()); + final var inlineDef = inline.getInlineDefinition(); + if (inlineDef == null) { + throw new UnsupportedConfigurationException("Missing inline definition in " + inline); } - final var keyPair = extractKeyPair(localDef); - final var certificate = KeyUtils.buildX509Certificate(localDef.requireCertData().getValue()); + final var keyPair = extractKeyPair(inlineDef); + final var certificate = KeyUtils.buildX509Certificate(inlineDef.requireCertData().getValue()); /* ietf-crypto-types:asymmetric-key-pair-with-cert-grouping "A private/public key pair and an associated certificate. 
@@ -221,30 +221,34 @@ final class ConfigUtils { } static List extractPublicKeys( - final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212 - .local.or.truststore._public.keys.grouping.LocalOrTruststore input) + final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417 + .inline.or.truststore._public.keys.grouping.InlineOrTruststore input) throws UnsupportedConfigurationException { - final var local = ofType(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212 - .local.or.truststore._public.keys.grouping.local.or.truststore.Local.class, input); - final var localDef = local.getLocalDefinition(); - if (localDef == null) { - throw new UnsupportedConfigurationException("Missing local definition in " + local); + final var inline = ofType(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417 + .inline.or.truststore._public.keys.grouping.inline.or.truststore.Inline.class, input); + final var inlineDef = inline.getInlineDefinition(); + if (inlineDef == null) { + throw new UnsupportedConfigurationException("Missing inline definition in " + inline); } + + final var publicKey = inlineDef.getPublicKey(); + if (publicKey == null) { + return List.of(); + } + final var listBuilder = ImmutableList.builder(); - if (localDef.getPublicKey() != null && localDef.getPublicKey().entrySet() != null) { - for (var entry : localDef.getPublicKey().entrySet()) { - if (!SshPublicKeyFormat.VALUE.equals(entry.getValue().getPublicKeyFormat())) { - throw new UnsupportedConfigurationException("ssh public key format is expected"); - } - listBuilder.add(KeyUtils.buildPublicKeyFromSshEncoding(entry.getValue().getPublicKey())); + for (var entry : publicKey.entrySet()) { + if (!SshPublicKeyFormat.VALUE.equals(entry.getValue().getPublicKeyFormat())) { + throw new UnsupportedConfigurationException("ssh public key format is expected"); } + 
listBuilder.add(KeyUtils.buildPublicKeyFromSshEncoding(entry.getValue().getPublicKey())); } return listBuilder.build(); } static List extractPublicKeys(final @Nullable SshHostKeys sshHostKeys) throws UnsupportedConfigurationException { - return sshHostKeys == null ? List.of() : extractPublicKeys(sshHostKeys.getLocalOrTruststore()); + return sshHostKeys == null ? List.of() : extractPublicKeys(sshHostKeys.getInlineOrTruststore()); } @FunctionalInterface diff --git a/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/IetfSshClientProvider.java b/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/IetfSshClientProvider.java index 382e6206ad..b863ef4c40 100644 --- a/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/IetfSshClientProvider.java +++ b/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/IetfSshClientProvider.java 
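Review bot: `KeyUtils.buildPublicKeyFromSshEncoding(entry.getValue().getPublicKey())` still passes the plain getter, so an inline public-key entry whose `public-key` leaf is absent surfaces as a NullPointerException from the helper instead of the `UnsupportedConfigurationException` the format check two lines above raises. Elsewhere in this file mandatory leaves are read with `requireCertData()`; if the binding generates the matching accessor here, `listBuilder.add(KeyUtils.buildPublicKeyFromSshEncoding(entry.getValue().requirePublicKey()));` gives a consistent configuration-time failure, otherwise an explicit null check throwing the same exception type does. The new early `return List.of()` when the `public-key` list is absent is later installed by SSHServer as an empty key set for that user, which is fail-closed but deserves a one-line comment at the return.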
@@ -10,11 +10,11 @@ package org.opendaylight.netconf.transport.ssh; import java.util.Set; import org.eclipse.jdt.annotation.NonNullByDefault; import org.kohsuke.MetaInfServices; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212.ClientIdentHostbased; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212.ClientIdentPassword; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212.ClientIdentPublickey; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212.IetfSshClientData; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212.SshClientKeepalives; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ClientIdentHostbased; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ClientIdentPassword; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ClientIdentPublickey; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.IetfSshClientData; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.SshClientKeepalives; import org.opendaylight.yangtools.yang.binding.YangFeature; import org.opendaylight.yangtools.yang.binding.YangFeatureProvider; diff --git a/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/IetfSshCommonProvider.java b/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/IetfSshCommonProvider.java index b34f45ec93..e942352ea8 100644 --- a/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/IetfSshCommonProvider.java +++ b/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/IetfSshCommonProvider.java 
@@ -10,9 +10,9 @@ package org.opendaylight.netconf.transport.ssh; import java.util.Set; import org.eclipse.jdt.annotation.NonNullByDefault; import org.kohsuke.MetaInfServices; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.common.rev221212.IetfSshCommonData; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.common.rev221212.SshX509Certs; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.common.rev221212.TransportParams; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.common.rev230417.IetfSshCommonData; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.common.rev230417.SshX509Certs; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.common.rev230417.TransportParams; import org.opendaylight.yangtools.yang.binding.YangFeature; import org.opendaylight.yangtools.yang.binding.YangFeatureProvider; diff --git a/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/IetfSshServerProvider.java b/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/IetfSshServerProvider.java index 24fdddb71a..b0c705acc9 100644 --- a/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/IetfSshServerProvider.java +++ b/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/IetfSshServerProvider.java 
@@ -10,12 +10,12 @@ package org.opendaylight.netconf.transport.ssh; import java.util.Set; import org.eclipse.jdt.annotation.NonNullByDefault; import org.kohsuke.MetaInfServices; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.IetfSshServerData; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.LocalUserAuthHostbased; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.LocalUserAuthPassword; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.LocalUserAuthPublickey; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.LocalUsersSupported; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.SshServerKeepalives; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.IetfSshServerData; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.LocalUserAuthHostbased; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.LocalUserAuthPassword; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.LocalUserAuthPublickey; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.LocalUsersSupported; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.SshServerKeepalives; import org.opendaylight.yangtools.yang.binding.YangFeature; import org.opendaylight.yangtools.yang.binding.YangFeatureProvider; diff --git a/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/SSHClient.java b/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/SSHClient.java index 8a7e3b7448..3449b8566d 100644 --- a/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/SSHClient.java 
+++ b/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/SSHClient.java @@ -35,12 +35,12 @@ import org.opendaylight.netconf.transport.api.TransportStack; import org.opendaylight.netconf.transport.api.UnsupportedConfigurationException; import org.opendaylight.netconf.transport.tcp.TCPClient; import org.opendaylight.netconf.transport.tcp.TCPServer; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.password.grouping.password.type.CleartextPassword; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212.SshClientGrouping; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212.ssh.client.grouping.ClientIdentity; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212.ssh.client.grouping.ServerAuthentication; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev221212.TcpClientGrouping; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev221212.TcpServerGrouping; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.password.grouping.password.type.CleartextPassword; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.SshClientGrouping; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.ClientIdentity; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.ServerAuthentication; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev230417.TcpClientGrouping; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev230417.TcpServerGrouping; /** * A {@link TransportStack} acting as an SSH client. 
@@ -55,16 +55,16 @@ public final class SSHClient extends SSHTransportStack { super(listener); this.clientFactoryManager = clientFactoryManager; this.clientFactoryManager.addSessionListener(new UserAuthSessionListener(sessionAuthHandlers, sessions)); - this.sessionFactory = new SessionFactory(clientFactoryManager) { + sessionFactory = new SessionFactory(clientFactoryManager) { @Override - protected ClientSessionImpl setupSession(ClientSessionImpl session) { + protected ClientSessionImpl setupSession(final ClientSessionImpl session) { session.setUsername(username); return session; } }; - this.ioService = new SshIoService(this.clientFactoryManager, + ioService = new SshIoService(this.clientFactoryManager, new DefaultChannelGroup("sshd-client-channels", GlobalEventExecutor.INSTANCE), - this.sessionFactory); + sessionFactory); } @Override 
@@ -113,17 +113,19 @@ public final class SSHClient extends SSHTransportStack { if (clientIdentity == null || clientIdentity.getNone() != null) { return; } - var authFactoriesListBuilder = ImmutableList.builder(); - if (clientIdentity.getPassword() != null) { - if (clientIdentity.getPassword().getPasswordType() instanceof CleartextPassword clearTextPassword) { + final var authFactoriesListBuilder = ImmutableList.builder(); + final var password = clientIdentity.getPassword(); + if (password != null) { + if (password.getPasswordType() instanceof CleartextPassword clearTextPassword) { factoryMgr.setPasswordIdentityProvider( PasswordIdentityProvider.wrapPasswords(clearTextPassword.requireCleartextPassword())); authFactoriesListBuilder.add(new UserAuthPasswordFactory()); } // TODO support encrypted password -- requires augmentation of default schema } - if (clientIdentity.getHostbased() != null) { - var keyPair = ConfigUtils.extractKeyPair(clientIdentity.getHostbased().getLocalOrKeystore()); + final var hostBased = clientIdentity.getHostbased(); + if (hostBased != null) { + var keyPair = ConfigUtils.extractKeyPair(hostBased.getInlineOrKeystore()); var factory = new UserAuthHostBasedFactory(); factory.setClientHostKeys(HostKeyIdentityProvider.wrap(keyPair)); factory.setClientUsername(clientIdentity.getUsername()); 
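Review bot: A configured `password` whose `password-type` is not `CleartextPassword` is still skipped silently: the `instanceof` check falls through past the `// TODO support encrypted password` line, no password factory is added, and the only symptom is a later authentication failure with no hint that part of the configuration was ignored. The method appears to propagate `UnsupportedConfigurationException` already (the unwrapped `ConfigUtils.extractKeyPair` call throws it), so an `else { throw new UnsupportedConfigurationException("Unsupported password type"); }` on that branch reports the problem at configuration time; keep the password object itself out of the message. The enclosing method starts before this hunk and continues into the next one.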
@@ -131,8 +133,9 @@ public final class SSHClient extends SSHTransportStack { factory.setSignatureFactories(factoryMgr.getSignatureFactories()); authFactoriesListBuilder.add(factory); } - if (clientIdentity.getPublicKey() != null) { - final var keyPairs = ConfigUtils.extractKeyPair(clientIdentity.getPublicKey().getLocalOrKeystore()); + final var publicKey = clientIdentity.getPublicKey(); + if (publicKey != null) { + final var keyPairs = ConfigUtils.extractKeyPair(publicKey.getInlineOrKeystore()); factoryMgr.setKeyIdentityProvider(KeyIdentityProvider.wrapKeyPairs(keyPairs)); final var factory = new UserAuthPublicKeyFactory(); factory.setSignatureFactories(factoryMgr.getSignatureFactories()); diff --git a/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/SSHServer.java b/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/SSHServer.java index 318c07f18e..f4adf2c70d 100644 --- a/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/SSHServer.java +++ b/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/SSHServer.java 
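Review bot: `final var keyPairs = ConfigUtils.extractKeyPair(publicKey.getInlineOrKeystore());` names a single `KeyPair` in the plural, which misleads next to `KeyIdentityProvider.wrapKeyPairs(keyPairs)`; `final var keyPair = ConfigUtils.extractKeyPair(publicKey.getInlineOrKeystore());` and `factoryMgr.setKeyIdentityProvider(KeyIdentityProvider.wrapKeyPairs(keyPair));` match the `keyPair` local used in the host-based branch above. The enclosing method starts before this hunk.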
@@ -35,11 +35,11 @@ import org.opendaylight.netconf.transport.api.TransportStack; import org.opendaylight.netconf.transport.api.UnsupportedConfigurationException; import org.opendaylight.netconf.transport.tcp.TCPClient; import org.opendaylight.netconf.transport.tcp.TCPServer; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.SshServerGrouping; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.ssh.server.grouping.ClientAuthentication; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.ssh.server.grouping.ServerIdentity; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev221212.TcpClientGrouping; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev221212.TcpServerGrouping; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.SshServerGrouping; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.ssh.server.grouping.ClientAuthentication; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.ssh.server.grouping.ServerIdentity; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev230417.TcpClientGrouping; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev230417.TcpServerGrouping; /** * A {@link TransportStack} acting as an SSH server. 
@@ -53,10 +53,10 @@ public final class SSHServer extends SSHTransportStack { super(listener); this.serverFactoryManager = requireNonNull(serverFactoryManager); this.serverFactoryManager.addSessionListener(new UserAuthSessionListener(sessionAuthHandlers, sessions)); - this.serverSessionFactory = new SessionFactory(serverFactoryManager); - this.ioService = new SshIoService(this.serverFactoryManager, + serverSessionFactory = new SessionFactory(serverFactoryManager); + ioService = new SshIoService(this.serverFactoryManager, new DefaultChannelGroup("sshd-server-channels", GlobalEventExecutor.INSTANCE), - this.serverSessionFactory); + serverSessionFactory); } @Override @@ -95,18 +95,18 @@ public final class SSHServer extends SSHTransportStack { } private static void setServerIdentity(final @NonNull ServerFactoryManager factoryMgr, - final @NonNull ServerIdentity serverIdentity) throws UnsupportedConfigurationException { + final @Nullable ServerIdentity serverIdentity) throws UnsupportedConfigurationException { if (serverIdentity == null) { throw new UnsupportedConfigurationException("Server identity configuration is required"); } - if (serverIdentity.getHostKey() != null && !serverIdentity.getHostKey().isEmpty()) { - final var serverHostKeyPairs = ConfigUtils.extractServerHostKeys(serverIdentity.getHostKey()); - if (!serverHostKeyPairs.isEmpty()) { - factoryMgr.setKeyPairProvider(KeyPairProvider.wrap(serverHostKeyPairs)); - } - } else { + final var hostKey = serverIdentity.getHostKey(); + if (hostKey == null || hostKey.isEmpty()) { throw new UnsupportedConfigurationException("Host keys is missing in server identity configuration"); } + final var serverHostKeyPairs = ConfigUtils.extractServerHostKeys(hostKey); + if (!serverHostKeyPairs.isEmpty()) { + factoryMgr.setKeyPairProvider(KeyPairProvider.wrap(serverHostKeyPairs)); + } } private static void setClientAuthentication(final @NonNull ServerFactoryManager factoryMgr, 
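Review bot: The rewritten `setServerIdentity` still does nothing when `ConfigUtils.extractServerHostKeys(hostKey)` returns an empty list: the `if (!serverHostKeyPairs.isEmpty())` guard skips `setKeyPairProvider`, so a server-identity whose host-key entries yield no usable key pair leaves the factory manager with whatever provider it had before, and the only case the method rejects is the null or empty `host-key` list. A host key is what the server identifies itself with, so reject that outcome here with the same exception type: `if (serverHostKeyPairs.isEmpty()) { throw new UnsupportedConfigurationException("No usable host key in server identity configuration"); }` followed by an unconditional `factoryMgr.setKeyPairProvider(KeyPairProvider.wrap(serverHostKeyPairs));`. While touching the message, `"Host keys is missing ..."` reads better as `"Host key is missing ..."`.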
@@ -114,22 +114,29 @@ public final class SSHServer extends SSHTransportStack { if (clientAuthentication == null) { return; } - if (clientAuthentication.getUsers() != null && clientAuthentication.getUsers().getUser() != null) { + final var users = clientAuthentication.getUsers(); + if (users == null) { + return; + } + final var userMap = users.getUser(); + if (userMap != null) { final var passwordMapBuilder = ImmutableMap.builder(); final var hostBasedMapBuilder = ImmutableMap.>builder(); final var publicKeyMapBuilder = ImmutableMap.>builder(); - for (var entry : clientAuthentication.getUsers().getUser().entrySet()) { + for (var entry : userMap.entrySet()) { final String username = entry.getKey().getName(); - if (entry.getValue().getPassword() != null) { // password - passwordMapBuilder.put(username, entry.getValue().getPassword().getValue()); + final var value = entry.getValue(); + final var password = value.getPassword(); + if (password != null) { + passwordMapBuilder.put(username, password.getValue()); } - if (entry.getValue().getHostbased() != null) { - hostBasedMapBuilder.put(username, - ConfigUtils.extractPublicKeys(entry.getValue().getHostbased().getLocalOrTruststore())); + final var hostBased = value.getHostbased(); + if (hostBased != null) { + hostBasedMapBuilder.put(username, ConfigUtils.extractPublicKeys(hostBased.getInlineOrTruststore())); } - if (entry.getValue().getPublicKeys() != null) { - publicKeyMapBuilder.put(username, - ConfigUtils.extractPublicKeys(entry.getValue().getPublicKeys().getLocalOrTruststore())); + final var publicKey = value.getPublicKeys(); + if (publicKey != null) { + publicKeyMapBuilder.put(username, ConfigUtils.extractPublicKeys(publicKey.getInlineOrTruststore())); } } final var authFactoriesBuilder = ImmutableList.builder(); 
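Review bot: `passwordMapBuilder.put(username, password.getValue())` stores the raw `password` leaf string; if this revision follows the draft, that leaf is typed as an iana-crypt-hash value rather than a plaintext password, so whatever consumes the map outside this hunk has to verify the submitted password against the hash, with a direct string comparison valid only for a `$0$`-prefixed cleartext value. A comment at the `put` line would make that contract visible, e.g. `// value is a crypt-hash string, not the plaintext; the password authenticator must hash-verify it`. Separately, `final var publicKey = value.getPublicKeys();` holds the public-keys container rather than a key; `publicKeys` would read consistently with `hostBased` above. The enclosing method continues past this hunk.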
diff --git a/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/TransportUtils.java b/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/TransportUtils.java index 4c9c0faadf..de7e390031 100644 --- a/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/TransportUtils.java +++ b/transport/transport-ssh/src/main/java/org/opendaylight/netconf/transport/ssh/TransportUtils.java @@ -72,9 +72,9 @@ import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.ssh.mac.alg import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.ssh.mac.algs.rev220616.HmacSha2256; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.ssh.mac.algs.rev220616.HmacSha2512; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.ssh.mac.algs.rev220616.MacAlgBase; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.common.rev221212.transport.params.grouping.Encryption; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.common.rev221212.transport.params.grouping.HostKey; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.common.rev221212.transport.params.grouping.KeyExchange; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.common.rev230417.transport.params.grouping.Encryption; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.common.rev230417.transport.params.grouping.HostKey; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.common.rev230417.transport.params.grouping.KeyExchange; final class TransportUtils { private static final Map> CIPHERS = 
@@ -243,7 +243,7 @@ final class TransportUtils { } public static List> getMacFactories( - final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.common.rev221212 + final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.common.rev230417 .transport.params.grouping.Mac mac) throws UnsupportedConfigurationException { if (mac != null) { final var macAlg = mac.getMacAlg(); diff --git a/transport/transport-ssh/src/main/yang/ietf-ssh-client@2022-12-12.yang b/transport/transport-ssh/src/main/yang/ietf-ssh-client@2023-04-17.yang similarity index 91% rename from transport/transport-ssh/src/main/yang/ietf-ssh-client@2022-12-12.yang rename to transport/transport-ssh/src/main/yang/ietf-ssh-client@2023-04-17.yang index e4bf20b09e..77c3ea52fc 100644 --- a/transport/transport-ssh/src/main/yang/ietf-ssh-client@2022-12-12.yang +++ b/transport/transport-ssh/src/main/yang/ietf-ssh-client@2023-04-17.yang @@ -42,10 +42,10 @@ module ietf-ssh-client { Author: Kent Watsen "; description - "This module defines reusable groupings for SSH clients that + "This module defines a reusable grouping for SSH clients that can be used as a basis for specific SSH client instances. - Copyright (c) 2022 IETF Trust and the persons identified + Copyright (c) 2023 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with @@ -66,7 +66,7 @@ module ietf-ssh-client { (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision 2022-12-12 { + revision 2023-04-17 { description "Initial version"; reference 
@@ -130,7 +130,7 @@ module ietf-ssh-client { established. Note that this grouping uses fairly typical descendant - node names such that a stack of 'uses' statements will + node names such that a nesting of 'uses' statements will have name conflicts. It is intended that the consuming data model will resolve the issue (e.g., by wrapping the 'uses' statement in a container called @@ -167,12 +167,12 @@ module ietf-ssh-client { pair to be used for client identification."; reference "RFC CCCC: A YANG Data Model for a Keystore"; - uses ks:local-or-keystore-asymmetric-key-grouping { - refine "local-or-keystore/local/local-definition" { + uses ks:inline-or-keystore-asymmetric-key-grouping { + refine "inline-or-keystore/inline/inline-definition" { must 'derived-from-or-self(public-key-format,' + ' "ct:ssh-public-key-format")'; } - refine "local-or-keystore/keystore/keystore-reference" { + refine "inline-or-keystore/keystore/keystore-reference" { must 'derived-from-or-self(deref(.)/../ks:public-key-' + 'format, "ct:ssh-public-key-format")'; } @@ -201,12 +201,12 @@ module ietf-ssh-client { pair to be used for host identification."; reference "RFC CCCC: A YANG Data Model for a Keystore"; - uses ks:local-or-keystore-asymmetric-key-grouping { - refine "local-or-keystore/local/local-definition" { + uses ks:inline-or-keystore-asymmetric-key-grouping { + refine "inline-or-keystore/inline/inline-definition" { must 'derived-from-or-self(public-key-format,' + ' "ct:ssh-public-key-format")'; } - refine "local-or-keystore/keystore/keystore-reference" { + refine "inline-or-keystore/keystore/keystore-reference" { must 'derived-from-or-self(deref(.)/../ks:public-key-' + 'format, "ct:ssh-public-key-format")'; } 
@@ -231,12 +231,13 @@ module ietf-ssh-client { to be used for client identification."; reference "RFC CCCC: A YANG Data Model for a Keystore"; - uses ks:local-or-keystore-end-entity-cert-with-key-grouping { - refine "local-or-keystore/local/local-definition" { + uses + ks:inline-or-keystore-end-entity-cert-with-key-grouping { + refine "inline-or-keystore/inline/inline-definition" { must 'derived-from-or-self(public-key-format,' + ' "ct:subject-public-key-info-format")'; } - refine "local-or-keystore/keystore/keystore-reference" + refine "inline-or-keystore/keystore/keystore-reference" + "/asymmetric-key" { must 'derived-from-or-self(deref(.)/../ks:public-key-' + 'format, "ct:subject-public-key-info-format")'; @@ -264,14 +265,15 @@ module ietf-ssh-client { configured SSH host key."; reference "RFC BBBB: A YANG Data Model for a Truststore"; - uses ts:local-or-truststore-public-keys-grouping { + uses ts:inline-or-truststore-public-keys-grouping { refine - "local-or-truststore/local/local-definition/public-key" { + "inline-or-truststore/inline/inline-definition/public" + + "-key" { must 'derived-from-or-self(public-key-format,' + ' "ct:ssh-public-key-format")'; } refine - "local-or-truststore/truststore/truststore-reference" { + "inline-or-truststore/truststore/truststore-reference" { must 'not(deref(.)/../ts:public-key/ts:public-key-' + 'format[not(derived-from-or-self(., "ct:ssh-' + 'public-key-format"))])'; @@ -291,7 +293,7 @@ module ietf-ssh-client { of trust to a configured CA certificate."; reference "RFC BBBB: A YANG Data Model for a Truststore"; - uses ts:local-or-truststore-certs-grouping; + uses ts:inline-or-truststore-certs-grouping; } container ee-certs { if-feature "sshcmn:ssh-x509-certs"; @@ -306,7 +308,7 @@ module ietf-ssh-client { end-entity certificate."; reference "RFC BBBB: A YANG Data Model for a Truststore"; - uses ts:local-or-truststore-certs-grouping; + uses ts:inline-or-truststore-certs-grouping; } } // container server-authentication 
diff --git a/transport/transport-ssh/src/main/yang/ietf-ssh-common@2022-12-12.yang b/transport/transport-ssh/src/main/yang/ietf-ssh-common@2023-04-17.yang similarity index 91% rename from transport/transport-ssh/src/main/yang/ietf-ssh-common@2022-12-12.yang rename to transport/transport-ssh/src/main/yang/ietf-ssh-common@2023-04-17.yang index 91f2d72aef..d331660f6c 100644 --- a/transport/transport-ssh/src/main/yang/ietf-ssh-common@2022-12-12.yang +++ b/transport/transport-ssh/src/main/yang/ietf-ssh-common@2023-04-17.yang @@ -52,9 +52,8 @@ module ietf-ssh-common { "This module defines a common features and groupings for Secure Shell (SSH). - Copyright (c) 2022 IETF Trust and the persons identified + Copyright (c) 2023 IETF Trust and the persons identified as authors of the code. All rights reserved. - Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised @@ -73,7 +72,7 @@ module ietf-ssh-common { (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision 2022-12-12 { + revision 2023-04-17 { description "Initial version"; reference @@ -117,8 +116,9 @@ module ietf-ssh-common { } ordered-by user; description - "Acceptable host key algorithms in order of descending + "Acceptable host key algorithms in order of decreasing preference. + If this leaf-list is not configured (has zero elements) the acceptable host key algorithms are implementation- defined."; @@ -135,7 +135,7 @@ module ietf-ssh-common { } ordered-by user; description - "Acceptable key exchange algorithms in order of descending + "Acceptable key exchange algorithms in order of decreasing preference. If this leaf-list is not configured (has zero elements) 
@@ -152,7 +152,7 @@ module ietf-ssh-common { } ordered-by user; description - "Acceptable encryption algorithms in order of descending + "Acceptable encryption algorithms in order of decreasing preference. If this leaf-list is not configured (has zero elements)
@@ -169,7 +169,7 @@ module ietf-ssh-common { } ordered-by user; description - "Acceptable MAC algorithms in order of descending + "Acceptable MAC algorithms in order of decreasing preference. If this leaf-list is not configured (has zero elements)
@@ -200,19 +200,22 @@ module ietf-ssh-common { For RSA keys, the minimum size is 1024 bits and the default is 3072 bits. Generally, 3072 bits is considered sufficient. DSA keys must be exactly 1024 - bits as specified by FIPS 186-2. For ECDSA keys, the + bits as specified by FIPS 186-6. For ECDSA keys, the 'bits' value determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length and the 'bits' value, if specified, will be ignored."; + reference + "FIPS 186-6: Digital Signature Standard (DSS)"; } choice private-key-encoding { - default cleartext; + mandatory true; description "A choice amongst optional private key handling."; case cleartext { + if-feature "ct:encrypted-private-keys"; leaf cleartext { type empty; description
@@ -221,7 +224,7 @@ module ietf-ssh-common { } } case encrypt { - if-feature "ct:private-key-encryption"; + if-feature "ct:encrypted-private-keys"; container encrypt-with { description "Indicates that the key is to be encrypted using
@@ -230,7 +233,7 @@ module ietf-ssh-common { } } case hide { - if-feature "ct:hidden-keys"; + if-feature "ct:hidden-private-keys"; leaf hide { type empty; description
diff --git a/transport/transport-ssh/src/main/yang/ietf-ssh-server@2022-12-12.yang b/transport/transport-ssh/src/main/yang/ietf-ssh-server@2023-04-17.yang
similarity index 86%
rename from transport/transport-ssh/src/main/yang/ietf-ssh-server@2022-12-12.yang
rename to transport/transport-ssh/src/main/yang/ietf-ssh-server@2023-04-17.yang
index 9de0db6c9b..b5b564e725 100644
--- a/transport/transport-ssh/src/main/yang/ietf-ssh-server@2022-12-12.yang
+++ b/transport/transport-ssh/src/main/yang/ietf-ssh-server@2023-04-17.yang
@@ -48,10 +48,10 @@ module ietf-ssh-server { Author: Kent Watsen "; description - "This module defines reusable groupings for SSH servers that + "This module defines a reusable grouping for SSH servers that can be used as a basis for specific SSH server instances. - Copyright (c) 2022 IETF Trust and the persons identified + Copyright (c) 2023 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with
@@ -72,7 +72,7 @@ module ietf-ssh-server { (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision 2022-12-12 { + revision 2023-04-17 { description "Initial version"; reference
@@ -127,7 +127,6 @@ module ietf-ssh-server { "RFC 4252: The Secure Shell (SSH) Authentication Protocol"; } - feature local-user-auth-none { if-feature "local-users-supported"; description
@@ -148,7 +147,7 @@ module ietf-ssh-server { established. Note that this grouping uses fairly typical descendant - node names such that a stack of 'uses' statements will + node names such that a nesting of 'uses' statements will have name conflicts. It is intended that the consuming data model will resolve the issue (e.g., by wrapping the 'uses' statement in a container called
@@ -166,12 +165,13 @@ module ietf-ssh-server { min-elements 1; ordered-by user; description - "An ordered list of host keys the SSH server will use to - construct its ordered list of algorithms, when sending - its SSH_MSG_KEXINIT message, as defined in Section 7.1 - of RFC 4253."; + "An ordered list of host keys (see RFC 4251) the SSH + server will use to construct its ordered list of + algorithms, when sending its SSH_MSG_KEXINIT message, + as defined in Section 7.1 of RFC 4253."; reference - "RFC 4253: The Secure Shell (SSH) Transport Layer + "RFC 4251: The Secure Shell (SSH) Protocol Architecture + RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; leaf name { type string;
@@ -188,13 +188,13 @@ module ietf-ssh-server { to be used for the SSH server's host key."; reference "RFC CCCC: A YANG Data Model for a Keystore"; - uses ks:local-or-keystore-asymmetric-key-grouping { - refine "local-or-keystore/local/local-definition" { + uses ks:inline-or-keystore-asymmetric-key-grouping { + refine "inline-or-keystore/inline/inline-definition" { must 'derived-from-or-self(public-key-format,' + ' "ct:ssh-public-key-format")'; } - refine "local-or-keystore/keystore/" + refine "inline-or-keystore/keystore/" + "keystore-reference" { must 'derived-from-or-self(deref(.)/../ks:public-' + 'key-format, "ct:ssh-public-key-format")';
@@ -210,12 +210,12 @@ module ietf-ssh-server { reference "RFC CCCC: A YANG Data Model for a Keystore"; uses - ks:local-or-keystore-end-entity-cert-with-key-grouping { - refine "local-or-keystore/local/local-definition" { + ks:inline-or-keystore-end-entity-cert-with-key-grouping{ + refine "inline-or-keystore/inline/inline-definition" { must 'derived-from-or-self(public-key-format,' + ' "ct:subject-public-key-info-format")'; } - refine "local-or-keystore/keystore/keystore-reference" + refine "inline-or-keystore/keystore/keystore-reference" + "/asymmetric-key" { must 'derived-from-or-self(deref(.)/../ks:public-key-'
@@ -230,7 +230,11 @@ module ietf-ssh-server { container client-authentication { nacm:default-deny-write; description - "Specifies how the SSH server can authenticate SSH clients."; + "Specifies how the SSH server can be configured to + authenticate SSH clients. See RFC 4252 for a general + discussion about SSH authentication."; + reference + "RFC 4252: The Secure Shell (SSH) Transport Layer"; container users { if-feature "local-users-supported"; description
@@ -255,6 +259,9 @@ module ietf-ssh-server { description "The 'user name' for the SSH client, as defined in the SSH_MSG_USERAUTH_REQUEST message in RFC 4253."; + reference + "RFC 4253: The Secure Shell (SSH) Transport Layer + Protocol"; } container public-keys { if-feature "local-user-auth-publickey";
@@ -270,13 +277,13 @@ module ietf-ssh-server { match to a configured public key."; reference "RFC BBBB: A YANG Data Model for a Truststore"; - uses ts:local-or-truststore-public-keys-grouping { - refine "local-or-truststore/local/local-definition/" + uses ts:inline-or-truststore-public-keys-grouping { + refine "inline-or-truststore/inline/inline-definition/" + "public-key" { must 'derived-from-or-self(public-key-format,' + ' "ct:ssh-public-key-format")'; } - refine "local-or-truststore/truststore/truststore-" + refine "inline-or-truststore/truststore/truststore-" + "reference" { must 'not(deref(.)/../ts:public-key/ts:public-key-' + 'format[not(derived-from-or-self(., "ct:ssh-'
@@ -293,25 +300,25 @@ module ietf-ssh-server { container hostbased { if-feature "local-user-auth-hostbased"; presence - "Indicates that hostbased keys have been configured. - This statement is present so the mandatory descendant - nodes do not imply that this node must be - configured."; + "Indicates that hostbased [RFC4252] keys have been + configured. This statement is present so the + mandatory descendant nodes do not imply that this + node must be configured."; description "A set of SSH host keys used by the SSH server to authenticate this user's host. A user's host is authenticated if its host key is an exact match to a configured host key."; reference - "RFC 4253: The Secure Shell (SSH) Transport Layer + "RFC 4252: The Secure Shell (SSH) Transport Layer RFC BBBB: A YANG Data Model for a Truststore"; - uses ts:local-or-truststore-public-keys-grouping { - refine "local-or-truststore/local/local-definition/" + uses ts:inline-or-truststore-public-keys-grouping { + refine "inline-or-truststore/inline/inline-definition/" + "public-key" { must 'derived-from-or-self(public-key-format,' + ' "ct:ssh-public-key-format")'; } - refine "local-or-truststore/truststore/truststore-" + refine "inline-or-truststore/truststore/truststore-" + "reference" { must 'not(deref(.)/../ts:public-key/ts:public-key-' + 'format[not(derived-from-or-self(., "ct:ssh-'
@@ -344,7 +351,7 @@ module ietf-ssh-server { chain of trust to a configured CA certificate."; reference "RFC BBBB: A YANG Data Model for a Truststore"; - uses ts:local-or-truststore-certs-grouping; + uses ts:inline-or-truststore-certs-grouping; } container ee-certs { if-feature "sshcmn:ssh-x509-certs";
@@ -360,7 +367,7 @@ module ietf-ssh-server { to a configured end-entity certificate."; reference "RFC BBBB: A YANG Data Model for a Truststore"; - uses ts:local-or-truststore-certs-grouping; + uses ts:inline-or-truststore-certs-grouping; } } // container client-authentication
@@ -371,6 +378,7 @@ module ietf-ssh-server { "Configurable parameters of the SSH transport layer."; uses sshcmn:transport-params-grouping; } // container transport-params + container keepalives { nacm:default-deny-write; if-feature "ssh-server-keepalives";
diff --git a/transport/transport-ssh/src/test/java/org/opendaylight/netconf/transport/ssh/SshClientServerTest.java b/transport/transport-ssh/src/test/java/org/opendaylight/netconf/transport/ssh/SshClientServerTest.java
index f31fa26817..f6c3a53a67 100644
--- a/transport/transport-ssh/src/test/java/org/opendaylight/netconf/transport/ssh/SshClientServerTest.java
+++ b/transport/transport-ssh/src/test/java/org/opendaylight/netconf/transport/ssh/SshClientServerTest.java
@@ -58,14 +58,14 @@ import org.opendaylight.netconf.transport.tcp.NettyTransportSupport;
 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.Host;
 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.IetfInetUtil;
 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.PortNumber;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212.SshClientGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212.ssh.client.grouping.ClientIdentity;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212.ssh.client.grouping.ServerAuthentication;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.SshServerGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.ssh.server.grouping.ClientAuthentication;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.ssh.server.grouping.ServerIdentity;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev221212.TcpClientGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev221212.TcpServerGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.SshClientGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.ClientIdentity;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.ServerAuthentication;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.SshServerGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.ssh.server.grouping.ClientAuthentication;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.ssh.server.grouping.ServerIdentity;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev230417.TcpClientGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev230417.TcpServerGrouping;
 import org.opendaylight.yangtools.yang.common.Uint16;
 
 @ExtendWith(MockitoExtension.class)
diff --git a/transport/transport-ssh/src/test/java/org/opendaylight/netconf/transport/ssh/TestUtils.java b/transport/transport-ssh/src/test/java/org/opendaylight/netconf/transport/ssh/TestUtils.java
index cb441b677f..148618ed05 100644
--- a/transport/transport-ssh/src/test/java/org/opendaylight/netconf/transport/ssh/TestUtils.java
+++ b/transport/transport-ssh/src/test/java/org/opendaylight/netconf/transport/ssh/TestUtils.java
@@ -24,7 +24,6 @@ import java.time.Duration;
 import java.time.Instant;
 import java.util.Date;
 import java.util.List;
-import java.util.Map;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
@@ -34,30 +33,31 @@ import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.crypt.hash.rev140806.CryptHash; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.EcPrivateKeyFormat; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.EndEntityCertCms; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.PrivateKeyFormat; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.RsaPrivateKeyFormat; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.SshPublicKeyFormat; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.SubjectPublicKeyInfoFormat; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.TrustAnchorCertCms; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.asymmetric.key.pair.grouping._private.key.type.CleartextPrivateKeyBuilder; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.password.grouping.password.type.CleartextPasswordBuilder; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212.ssh.client.grouping.ClientIdentity; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212.ssh.client.grouping.ClientIdentityBuilder; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212.ssh.client.grouping.ServerAuthentication; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212.ssh.client.grouping.ServerAuthenticationBuilder; -import 
org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212.ssh.client.grouping.server.authentication.CaCertsBuilder; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212.ssh.client.grouping.server.authentication.SshHostKeysBuilder; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.ssh.server.grouping.ClientAuthentication; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.ssh.server.grouping.ClientAuthenticationBuilder; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.ssh.server.grouping.ServerIdentity; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.ssh.server.grouping.ServerIdentityBuilder; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.ssh.server.grouping.client.authentication.UsersBuilder; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.ssh.server.grouping.client.authentication.users.User; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.ssh.server.grouping.client.authentication.users.UserBuilder; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212.ssh.server.grouping.client.authentication.users.user.PublicKeysBuilder; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212.local.or.truststore.certs.grouping.local.or.truststore.local.local.definition.CertificateBuilder; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.EcPrivateKeyFormat; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.EndEntityCertCms; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.PrivateKeyFormat; +import 
org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.RsaPrivateKeyFormat; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.SshPublicKeyFormat; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.SubjectPublicKeyInfoFormat; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.TrustAnchorCertCms; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.asymmetric.key.pair.grouping._private.key.type.CleartextPrivateKeyBuilder; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.password.grouping.password.type.CleartextPasswordBuilder; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.ClientIdentity; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.ClientIdentityBuilder; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.ServerAuthentication; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.ServerAuthenticationBuilder; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.server.authentication.CaCertsBuilder; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417.ssh.client.grouping.server.authentication.SshHostKeysBuilder; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.ssh.server.grouping.ClientAuthentication; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.ssh.server.grouping.ClientAuthenticationBuilder; +import 
org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.ssh.server.grouping.ServerIdentity; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.ssh.server.grouping.ServerIdentityBuilder; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.ssh.server.grouping.client.authentication.UsersBuilder; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.ssh.server.grouping.client.authentication.users.User; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.ssh.server.grouping.client.authentication.users.UserBuilder; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417.ssh.server.grouping.client.authentication.users.user.PublicKeysBuilder; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417.inline.or.truststore.certs.grouping.inline.or.truststore.inline.inline.definition.CertificateBuilder; +import org.opendaylight.yangtools.yang.binding.util.BindingMap; public final class TestUtils { 
@@ -84,116 +84,122 @@ public final class TestUtils {
 return new ServerIdentityBuilder().setHostKey(List.of(buildServerHostKeyWithCertificate(keyData))).build();
 }
 
- private static org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212
+ private static org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417
 .ssh.server.grouping.server.identity.HostKey buildServerHostKeyWithKeyPair(final KeyData keyData) {
- var local = buildAsymmetricKeyLocal(keyData);
- var publicKey = new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212
+ return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417
+ .ssh.server.grouping.server.identity.HostKeyBuilder()
+ .setName(HOST_KEY_NAME)
+ .setHostKeyType(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417
 .ssh.server.grouping.server.identity.host.key.host.key.type.PublicKeyBuilder()
- .setPublicKey(
- new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212
- .ssh.server.grouping.server.identity.host.key.host.key.type._public.key
- .PublicKeyBuilder().setLocalOrKeystore(local).build()
- ).build();
- return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212
- .ssh.server.grouping.server.identity.HostKeyBuilder()
- .setName(HOST_KEY_NAME).setHostKeyType(publicKey).build();
+ .setPublicKey(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417
+ .ssh.server.grouping.server.identity.host.key.host.key.type._public.key.PublicKeyBuilder()
+ .setInlineOrKeystore(buildAsymmetricKeyLocal(keyData))
+ .build())
+ .build())
+ .build();
 }
 
- private static org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212
+ private static org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417
 .ssh.server.grouping.server.identity.HostKey buildServerHostKeyWithCertificate(final KeyData keyData) {
- var local = buildEndEntityCertWithKeyLocal(keyData);
- var cert = new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212
+ return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417
+ .ssh.server.grouping.server.identity.HostKeyBuilder()
+ .setName(HOST_KEY_NAME)
+ .setHostKeyType(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417
 .ssh.server.grouping.server.identity.host.key.host.key.type.CertificateBuilder()
- .setCertificate(
- new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212
- .ssh.server.grouping.server.identity.host.key.host.key.type.certificate
- .CertificateBuilder().setLocalOrKeystore(local).build()
- ).build();
- return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212
- .ssh.server.grouping.server.identity.HostKeyBuilder()
- .setName(HOST_KEY_NAME).setHostKeyType(cert).build();
+ .setCertificate(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417
+ .ssh.server.grouping.server.identity.host.key.host.key.type.certificate.CertificateBuilder()
+ .setInlineOrKeystore(buildEndEntityCertWithKeyLocal(keyData))
+ .build())
+ .build())
+ .build();
 }
 
 public static ServerAuthentication buildServerAuthWithPublicKey(final KeyData keyData) {
- return new ServerAuthenticationBuilder().setSshHostKeys(
- new SshHostKeysBuilder().setLocalOrTruststore(buildTruststorePublicKeyLocal(keyData)).build()
- ).build();
+ return new ServerAuthenticationBuilder()
+ .setSshHostKeys(new SshHostKeysBuilder()
+ .setInlineOrTruststore(buildTruststorePublicKeyLocal(keyData))
+ .build())
+ .build();
 }
 
- private static org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212
- .local.or.truststore._public.keys.grouping.local.or.truststore.Local buildTruststorePublicKeyLocal(
+ private static org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417
+ .inline.or.truststore._public.keys.grouping.inline.or.truststore.Inline buildTruststorePublicKeyLocal(
 final KeyData keyData) {
- final var publicKey = new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212
- .local.or.truststore._public.keys.grouping.local.or.truststore.local.local.definition.PublicKeyBuilder()
- .setName(PUBLIC_KEY_NAME).setPublicKeyFormat(SshPublicKeyFormat.VALUE)
- .setPublicKey(keyData.publicKeySshBytes()).build();
- final var localDef = new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212
- .local.or.truststore._public.keys.grouping.local.or.truststore.local.LocalDefinitionBuilder()
- .setPublicKey(Map.of(publicKey.key(), publicKey)).build();
- return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212
- .local.or.truststore._public.keys.grouping.local.or.truststore.LocalBuilder()
- .setLocalDefinition(localDef).build();
+ return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417
+ .inline.or.truststore._public.keys.grouping.inline.or.truststore.InlineBuilder()
+ .setInlineDefinition(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417
+ .inline.or.truststore._public.keys.grouping.inline.or.truststore.inline.InlineDefinitionBuilder()
+ .setPublicKey(BindingMap.of(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore
+ .rev230417.inline.or.truststore._public.keys.grouping.inline.or.truststore.inline.inline.definition
+ .PublicKeyBuilder()
+ .setName(PUBLIC_KEY_NAME)
+ .setPublicKeyFormat(SshPublicKeyFormat.VALUE)
+ .setPublicKey(keyData.publicKeySshBytes())
+ .build()))
+ .build())
+ .build();
 }
 
 public static ServerAuthentication buildServerAuthWithCertificate(final KeyData keyData) {
 // NB both CA anc EE certificates are processed same way, no reason for additional eeCerts builder
- return new ServerAuthenticationBuilder().setCaCerts(
- new CaCertsBuilder().setLocalOrTruststore(
- buildTruststoreCertificatesLocal(keyData.certificateBytes())
- ).build()).build();
+ return new ServerAuthenticationBuilder()
+ .setCaCerts(new CaCertsBuilder()
+ .setInlineOrTruststore(buildTruststoreCertificatesLocal(keyData.certificateBytes()))
+ .build())
+ .build();
 }
 
- private static org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212
- .local.or.truststore.certs.grouping.local.or.truststore.Local buildTruststoreCertificatesLocal(
+ private static org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417
+ .inline.or.truststore.certs.grouping.inline.or.truststore.Inline buildTruststoreCertificatesLocal(
 final byte[] certificateBytes) {
- final var cert = new CertificateBuilder().setName(CERTIFICATE_NAME)
- .setCertData(new TrustAnchorCertCms(certificateBytes)).build();
- final var localDef = new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212
- .local.or.truststore.certs.grouping.local.or.truststore.local.LocalDefinitionBuilder()
- .setCertificate(Map.of(cert.key(), cert)).build();
- return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212
- .local.or.truststore.certs.grouping.local.or.truststore.LocalBuilder()
- .setLocalDefinition(localDef).build();
+ return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417
+ .inline.or.truststore.certs.grouping.inline.or.truststore.InlineBuilder()
+ .setInlineDefinition(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417
+ .inline.or.truststore.certs.grouping.inline.or.truststore.inline.InlineDefinitionBuilder()
+ .setCertificate(BindingMap.of(new CertificateBuilder()
+ .setName(CERTIFICATE_NAME)
+ .setCertData(new TrustAnchorCertCms(certificateBytes))
+ .build()))
+ .build())
+ .build();
 }
 
- private static org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212
- .local.or.keystore.asymmetric.key.grouping.LocalOrKeystore buildAsymmetricKeyLocal(
- final KeyData data) {
+ private static org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417
+ .inline.or.keystore.asymmetric.key.grouping.InlineOrKeystore buildAsymmetricKeyLocal(final KeyData data) {
 return buildAsymmetricKeyLocal(data.algorithm(), data.publicKeyBytes(), data.privateKeyBytes());
 }
 
- private static org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212
- .local.or.keystore.asymmetric.key.grouping.LocalOrKeystore buildAsymmetricKeyLocal(
- final String algorithm, final byte[] publicKeyBytes, final byte[] privateKeyBytes) {
- var keyFormat = getPrivateKeyFormat(algorithm);
- final var localDef = new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212
- .local.or.keystore.asymmetric.key.grouping.local.or.keystore.local.LocalDefinitionBuilder()
+ private static org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417
+ .inline.or.keystore.asymmetric.key.grouping.InlineOrKeystore buildAsymmetricKeyLocal(final String algorithm,
+ final byte[] publicKeyBytes, final byte[] privateKeyBytes) {
+ return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417
+ .inline.or.keystore.asymmetric.key.grouping.inline.or.keystore.InlineBuilder()
+ .setInlineDefinition(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417
+ .inline.or.keystore.asymmetric.key.grouping.inline.or.keystore.inline.InlineDefinitionBuilder()
 .setPublicKeyFormat(SubjectPublicKeyInfoFormat.VALUE)
 .setPublicKey(publicKeyBytes)
- .setPrivateKeyFormat(keyFormat)
+ .setPrivateKeyFormat(getPrivateKeyFormat(algorithm))
 .setPrivateKeyType(new CleartextPrivateKeyBuilder().setCleartextPrivateKey(privateKeyBytes).build())
- .build();
- return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212
- .local.or.keystore.asymmetric.key.grouping.local.or.keystore.LocalBuilder()
- .setLocalDefinition(localDef).build();
+ .build())
+ .build();
 }
 
- public static org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212
- .local.or.keystore.end.entity.cert.with.key.grouping.LocalOrKeystore buildEndEntityCertWithKeyLocal(
+ public static org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417
+ .inline.or.keystore.end.entity.cert.with.key.grouping.InlineOrKeystore buildEndEntityCertWithKeyLocal(
 final KeyData keyData) {
- var keyFormat = getPrivateKeyFormat(keyData.algorithm());
- final var localDef = new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212
- .local.or.keystore.end.entity.cert.with.key.grouping.local.or.keystore.local.LocalDefinitionBuilder()
+ return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417
+ .inline.or.keystore.end.entity.cert.with.key.grouping.inline.or.keystore.InlineBuilder()
+ .setInlineDefinition(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417
+ .inline.or.keystore.end.entity.cert.with.key.grouping.inline.or.keystore.inline
+ .InlineDefinitionBuilder()
 .setPublicKeyFormat(SubjectPublicKeyInfoFormat.VALUE)
 .setPublicKey(keyData.publicKeyBytes())
- .setPrivateKeyFormat(keyFormat)
+ .setPrivateKeyFormat(getPrivateKeyFormat(keyData.algorithm()))
 .setPrivateKeyType(new CleartextPrivateKeyBuilder()
- .setCleartextPrivateKey(keyData.privateKeyBytes()).build())
+ .setCleartextPrivateKey(keyData.privateKeyBytes()).build())
 .setCertData(new EndEntityCertCms(keyData.certificateBytes()))
- .build();
- return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212
- .local.or.keystore.end.entity.cert.with.key.grouping.local.or.keystore.LocalBuilder()
- .setLocalDefinition(localDef).build();
+ .build())
+ .build();
 }
 
 public static ClientAuthentication buildClientAuthWithPassword(final String userName, final String cryptHash) {
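Review bot: `buildAsymmetricKeyLocal` still tags the inline definition with `SubjectPublicKeyInfoFormat.VALUE`, while the ietf-ssh-server hunk earlier in this patch refines the host-key `inline-or-keystore/inline/inline-definition` with `must 'derived-from-or-self(public-key-format, "ct:ssh-public-key-format")'`, so the host key that `buildServerHost KeyWithKeyPair` assembles from it describes data the model itself rejects. The generated builders do not evaluate `must`, so the fixture is accepted here, but a consumer that validates against the schema or branches on the format identity (ConfigUtils is outside this hunk, so I cannot confirm what it does) would treat the two formats differently. Since `KeyData` already exposes `publicKeySshBytes()`, the key-pair path could pass those bytes from the one-argument overload and set `.setPublicKeyFormat(SshPublicKeyFormat.VALUE)` in the three-argument one, provided its other callers (not visible here) expect the same encoding. The certificate variant, `buildEndEntityCertWithKeyLocal`, matches its own refine (`ct:subject-public-key-info-format`) and needs no change.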
@@ -209,37 +215,44 @@ public final class TestUtils { } private static ClientAuthentication buildClientAuth(final User user) { - return new ClientAuthenticationBuilder().setUsers( - new UsersBuilder().setUser(Map.of(user.key(), user)).build()).build(); + return new ClientAuthenticationBuilder() + .setUsers(new UsersBuilder().setUser(BindingMap.of(user)).build()) + .build(); } private static User buildServerUserHostBased(final String userName, final byte[] publicKeyBytes) { - final var hostBased = new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev221212 + return new UserBuilder() + .setName(userName) + .setHostbased(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.server.rev230417 .ssh.server.grouping.client.authentication.users.user.HostbasedBuilder() - .setLocalOrTruststore(buildPublicKeyLocal(publicKeyBytes)).build(); - return new UserBuilder().setName(userName).setHostbased(hostBased).build(); + .setInlineOrTruststore(buildPublicKeyLocal(publicKeyBytes)) + .build()) + .build(); } - private static org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212 - .local.or.truststore._public.keys.grouping.local.or.truststore.Local buildPublicKeyLocal( + private static org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417 + .inline.or.truststore._public.keys.grouping.inline.or.truststore.Inline buildPublicKeyLocal( final byte[] publicKeyBytes) { - final var publicKey = new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212 - .local.or.truststore._public.keys.grouping.local.or.truststore.local.local.definition.PublicKeyBuilder() - .setPublicKeyFormat(SshPublicKeyFormat.VALUE) - .setName(PUBLIC_KEY_NAME) - .setPublicKey(publicKeyBytes).build(); - final var localDef = new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212 - 
.local.or.truststore._public.keys.grouping.local.or.truststore.local.LocalDefinitionBuilder() - .setPublicKey(Map.of(publicKey.key(), publicKey)).build(); - return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212 - .local.or.truststore._public.keys.grouping.local.or.truststore.LocalBuilder() - .setLocalDefinition(localDef).build(); + return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417 + .inline.or.truststore._public.keys.grouping.inline.or.truststore.InlineBuilder() + .setInlineDefinition(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417 + .inline.or.truststore._public.keys.grouping.inline.or.truststore.inline.InlineDefinitionBuilder() + .setPublicKey(BindingMap.of(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf + .truststore.rev230417.inline.or.truststore._public.keys.grouping.inline.or.truststore.inline.inline + .definition.PublicKeyBuilder() + .setPublicKeyFormat(SshPublicKeyFormat.VALUE) + .setName(PUBLIC_KEY_NAME) + .setPublicKey(publicKeyBytes) + .build())) + .build()) + .build(); } public static User buildServerUserWithPublicKey(final String userName, final byte[] publicKeyBytes) { - final var publicKeys = new PublicKeysBuilder() - .setLocalOrTruststore(buildPublicKeyLocal(publicKeyBytes)).build(); - return new UserBuilder().setName(userName).setPublicKeys(publicKeys).build(); + return new UserBuilder() + .setName(userName) + .setPublicKeys(new PublicKeysBuilder().setInlineOrTruststore(buildPublicKeyLocal(publicKeyBytes)).build()) + .build(); } private static User buildServerUserWithPassword(final String userName, final String cryptHash) { 
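Review bot: The helper in the middle of this hunk keeps a name that now contradicts its type: `buildPublicKeyLocal` returns `...inline.or.truststore.Inline` and is handed to `setInlineOrTruststore`, so "Local" no longer matches the ietf-truststore 2023-04-17 vocabulary the commit adopts. Renaming it to `buildPublicKeyInline` (with its two callers in this hunk, `buildServerUserHostBased` and `buildServerUserWithPublicKey`) would keep the test helpers readable against the model. The same mismatch applies to `buildAsymmetricKeyLocal` in the next hunk and to `buildEndEntityCertWithKeyLocal`, whose hunk starts before this chunk.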
@@ -247,28 +260,32 @@ public final class TestUtils { } public static ClientIdentity buildClientIdentityWithPassword(final String username, final String password) { - return new ClientIdentityBuilder().setUsername(username).setPassword( - new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212 - .ssh.client.grouping.client.identity.PasswordBuilder() - .setPasswordType( - new CleartextPasswordBuilder().setCleartextPassword(password).build() - ).build()).build(); + return new ClientIdentityBuilder() + .setUsername(username) + .setPassword(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417 + .ssh.client.grouping.client.identity.PasswordBuilder() + .setPasswordType(new CleartextPasswordBuilder().setCleartextPassword(password).build()).build()) + .build(); } public static ClientIdentity buildClientIdentityHostBased(final String username, final KeyData data) { - return new ClientIdentityBuilder().setUsername(username).setHostbased( - new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212 - .ssh.client.grouping.client.identity.HostbasedBuilder() - .setLocalOrKeystore(buildAsymmetricKeyLocal(data)).build() - ).build(); + return new ClientIdentityBuilder() + .setUsername(username) + .setHostbased(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417 + .ssh.client.grouping.client.identity.HostbasedBuilder() + .setInlineOrKeystore(buildAsymmetricKeyLocal(data)) + .build()) + .build(); } public static ClientIdentity buildClientIdentityWithPublicKey(final String username, final KeyData data) { - return new ClientIdentityBuilder().setUsername(username).setPublicKey( - new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev221212 - .ssh.client.grouping.client.identity.PublicKeyBuilder() - .setLocalOrKeystore(buildAsymmetricKeyLocal(data)).build() - ).build(); + return new ClientIdentityBuilder() + .setUsername(username) + 
.setPublicKey(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.ssh.client.rev230417 + .ssh.client.grouping.client.identity.PublicKeyBuilder() + .setInlineOrKeystore(buildAsymmetricKeyLocal(data)) + .build()) + .build(); } private static PrivateKeyFormat getPrivateKeyFormat(final String algorithm) { diff --git a/transport/transport-tcp/pom.xml b/transport/transport-tcp/pom.xml index 9ede8b5606..3100b233c9 100644 --- a/transport/transport-tcp/pom.xml +++ b/transport/transport-tcp/pom.xml @@ -27,6 +27,10 @@ com.google.guava guava + + io.netty + netty-common + io.netty netty-transport diff --git a/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/AbstractNettyImpl.java b/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/AbstractNettyImpl.java index 4d62993db7..e550b4feac 100644 --- a/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/AbstractNettyImpl.java +++ b/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/AbstractNettyImpl.java @@ -14,7 +14,7 @@ import io.netty.channel.socket.ServerSocketChannel; import io.netty.channel.socket.SocketChannel; import java.util.concurrent.ThreadFactory; import org.eclipse.jdt.annotation.NonNullByDefault; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.common.rev221212.tcp.common.grouping.Keepalives; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.common.rev230417.tcp.common.grouping.Keepalives; /** * Wrapper around a particular Netty transport implementation. diff --git a/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/EpollNettyImpl.java b/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/EpollNettyImpl.java index 2b6f0f3dea..52d8df6832 100644 --- a/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/EpollNettyImpl.java 
+++ b/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/EpollNettyImpl.java
@@ -17,7 +17,7 @@ import io.netty.channel.epoll.EpollServerSocketChannel;
 import io.netty.channel.epoll.EpollSocketChannel;
 import java.util.concurrent.ThreadFactory;
 import org.eclipse.jdt.annotation.NonNullByDefault;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.common.rev221212.tcp.common.grouping.Keepalives;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.common.rev230417.tcp.common.grouping.Keepalives;
 @NonNullByDefault
 final class EpollNettyImpl extends AbstractNettyImpl {
diff --git a/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/IetfTcpClientFeatureProvider.java b/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/IetfTcpClientFeatureProvider.java
index 34ba6bda38..a819e2b498 100644
--- a/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/IetfTcpClientFeatureProvider.java
+++ b/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/IetfTcpClientFeatureProvider.java
@@ -10,9 +10,9 @@ package org.opendaylight.netconf.transport.tcp;
 import java.util.Set;
 import org.eclipse.jdt.annotation.NonNullByDefault;
 import org.kohsuke.MetaInfServices;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev221212.IetfTcpClientData;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev221212.LocalBindingSupported;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev221212.TcpClientKeepalives;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev230417.IetfTcpClientData;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev230417.LocalBindingSupported;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev230417.TcpClientKeepalives;
 import org.opendaylight.yangtools.yang.binding.YangFeature;
 import org.opendaylight.yangtools.yang.binding.YangFeatureProvider;
diff --git a/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/IetfTcpCommonFeatureProvider.java b/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/IetfTcpCommonFeatureProvider.java
index 94a3618b17..a1335be81b 100644
--- a/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/IetfTcpCommonFeatureProvider.java
+++ b/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/IetfTcpCommonFeatureProvider.java
@@ -10,8 +10,8 @@ package org.opendaylight.netconf.transport.tcp;
 import java.util.Set;
 import org.eclipse.jdt.annotation.NonNullByDefault;
 import org.kohsuke.MetaInfServices;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.common.rev221212.IetfTcpCommonData;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.common.rev221212.KeepalivesSupported;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.common.rev230417.IetfTcpCommonData;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.common.rev230417.KeepalivesSupported;
 import org.opendaylight.yangtools.yang.binding.YangFeature;
 import org.opendaylight.yangtools.yang.binding.YangFeatureProvider;
diff --git a/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/IetfTcpServerFeatureProvider.java b/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/IetfTcpServerFeatureProvider.java
index 394924837a..04cfd38382 100644
--- a/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/IetfTcpServerFeatureProvider.java
+++ b/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/IetfTcpServerFeatureProvider.java
@@ -10,8 +10,8 @@ package org.opendaylight.netconf.transport.tcp;
 import java.util.Set;
 import org.eclipse.jdt.annotation.NonNullByDefault;
 import org.kohsuke.MetaInfServices;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev221212.IetfTcpServerData;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev221212.TcpServerKeepalives;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev230417.IetfTcpServerData;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev230417.TcpServerKeepalives;
 import org.opendaylight.yangtools.yang.binding.YangFeature;
 import org.opendaylight.yangtools.yang.binding.YangFeatureProvider;
diff --git a/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/NettyTransportSupport.java b/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/NettyTransportSupport.java
index 9146cbd859..e89c700ef7 100644
--- a/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/NettyTransportSupport.java
+++ b/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/NettyTransportSupport.java
@@ -19,7 +19,7 @@ import io.netty.channel.socket.SocketChannel;
 import org.eclipse.jdt.annotation.NonNullByDefault;
 import org.eclipse.jdt.annotation.Nullable;
 import org.opendaylight.netconf.transport.api.UnsupportedConfigurationException;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.common.rev221212.tcp.common.grouping.Keepalives;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.common.rev230417.tcp.common.grouping.Keepalives;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
diff --git a/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/NioNettyImpl.java b/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/NioNettyImpl.java
index 6bb74e8ddb..3e1f93cf45 100644
--- a/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/NioNettyImpl.java
+++ b/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/NioNettyImpl.java
@@ -20,7 +20,7 @@ import java.util.Map;
 import java.util.concurrent.ThreadFactory;
 import jdk.net.ExtendedSocketOptions;
 import org.eclipse.jdt.annotation.NonNullByDefault;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.common.rev221212.tcp.common.grouping.Keepalives;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.common.rev230417.tcp.common.grouping.Keepalives;
 import org.slf4j.LoggerFactory;
 @NonNullByDefault
diff --git a/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/TCPClient.java b/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/TCPClient.java
index b5d52d8671..ede9973cf8 100644
--- a/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/TCPClient.java
+++ b/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/TCPClient.java
@@ -18,7 +18,7 @@ import io.netty.channel.ChannelInitializer;
 import org.eclipse.jdt.annotation.NonNull;
 import org.opendaylight.netconf.transport.api.TransportChannelListener;
 import org.opendaylight.netconf.transport.api.UnsupportedConfigurationException;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev221212.TcpClientGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev230417.TcpClientGrouping;
 import org.opendaylight.yangtools.yang.common.Empty;
 /**
diff --git a/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/TCPServer.java b/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/TCPServer.java index 02d71be5cc..eb49f2099b 100644 --- a/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/TCPServer.java +++ b/transport/transport-tcp/src/main/java/org/opendaylight/netconf/transport/tcp/TCPServer.java @@ -21,7 +21,7 @@ import io.netty.channel.ChannelInitializer; import org.eclipse.jdt.annotation.NonNull; import org.opendaylight.netconf.transport.api.TransportChannelListener; import org.opendaylight.netconf.transport.api.UnsupportedConfigurationException; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev221212.TcpServerGrouping; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev230417.TcpServerGrouping; import org.opendaylight.yangtools.yang.common.Empty; /** diff --git a/transport/transport-tcp/src/main/yang/ietf-tcp-client@2022-12-12.yang b/transport/transport-tcp/src/main/yang/ietf-tcp-client@2023-04-17.yang similarity index 89% rename from transport/transport-tcp/src/main/yang/ietf-tcp-client@2022-12-12.yang rename to transport/transport-tcp/src/main/yang/ietf-tcp-client@2023-04-17.yang index 171b463d70..95e62149b5 100644 --- a/transport/transport-tcp/src/main/yang/ietf-tcp-client@2022-12-12.yang +++ b/transport/transport-tcp/src/main/yang/ietf-tcp-client@2023-04-17.yang @@ -38,7 +38,7 @@ module ietf-tcp-client { "This module defines reusable groupings for TCP clients that can be used as a basis for specific TCP client instances. - Copyright (c) 2022 IETF Trust and the persons identified + Copyright (c) 2023 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with 
@@ -59,7 +59,7 @@ module ietf-tcp-client { (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision 2022-12-12 { + revision 2023-04-17 { description "Initial version"; reference @@ -79,28 +79,39 @@ module ietf-tcp-client { description "Per socket TCP keepalive parameters are configurable for TCP clients on the server implementing this feature."; + reference + "RFC 9293: Transmission Control Protocol (TCP)"; } feature proxy-connect { description "Proxy connection configuration is configurable for - TCP clients on the server implementing this feature."; + TCP clients on the server implementing this feature. + Currently supports SOCKS 4, SOCKS 4a, and SOCKS 5."; + reference + "SOCKS Proceedings: + 1992 Usenix Security Symposium. + OpenSSH message: + SOCKS 4A: A Simple Extension to SOCKS 4 Protocol + https://www.openssh.com/txt/socks4a.protocol + RFC 1928: + SOCKS Protocol Version 5"; } feature socks5-gss-api { description - "Indicates that the server supports authenticating - using GSSAPI when initiating TCP connections via - and SOCKS Version 5 proxy server."; + "Indicates that the server, when acting as a TCP-client, + supports authenticating to a SOCKS Version 5 proxy server + using GSSAPI credentials."; reference "RFC 1928: SOCKS Protocol Version 5"; } feature socks5-username-password { description - "Indicates that the server supports authenticating using - username/password when initiating TCP connections via - and SOCKS Version 5 proxy server."; + "Indicates that the server, when acting as a TCP-client, + supports authenticating to a SOCKS Version 5 proxy server + using 'username' and 'password' credentials."; reference "RFC 1928: SOCKS Protocol Version 5"; } 
@@ -111,7 +122,7 @@ module ietf-tcp-client { description "A reusable grouping for configuring a TCP client. - Note that this grouping uses fairly typical descendant + Note that this grouping uses fairly typical descendant node names such that a stack of 'uses' statements will have name conflicts. It is intended that the consuming data model will resolve the issue (e.g., by wrapping @@ -138,16 +149,15 @@ module ietf-tcp-client { default "0"; description "The IP port number for the remote peer to establish a - connection with. An invalid default value (0) is used - (instead of 'mandatory true') so that as application - level data model may 'refine' it with an application - specific default port number value."; + connection with. An invalid default value is used + so that importing modules may 'refine' it with the + appropriate default port number value."; } leaf local-address { if-feature "local-binding-supported"; type inet:ip-address; description - "The local IP address/interface (VRF?) to bind to for when + "The local IP address/interface to bind to for when connecting to the remote peer. INADDR_ANY ('0.0.0.0') or INADDR6_ANY ('0:0:0:0:0:0:0:0' a.k.a. '::') MAY be used to explicitly indicate the implicit default, that the server diff --git a/transport/transport-tcp/src/main/yang/ietf-tcp-common@2022-12-12.yang b/transport/transport-tcp/src/main/yang/ietf-tcp-common@2023-04-17.yang similarity index 95% rename from transport/transport-tcp/src/main/yang/ietf-tcp-common@2022-12-12.yang rename to transport/transport-tcp/src/main/yang/ietf-tcp-common@2023-04-17.yang index 48dfbab003..100380ff03 100644 --- a/transport/transport-tcp/src/main/yang/ietf-tcp-common@2022-12-12.yang +++ b/transport/transport-tcp/src/main/yang/ietf-tcp-common@2023-04-17.yang 
@@ -20,7 +20,7 @@ module ietf-tcp-common { "This module defines reusable groupings for TCP commons that can be used as a basis for specific TCP common instances. - Copyright (c) 2022 IETF Trust and the persons identified + Copyright (c) 2023 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with @@ -41,7 +41,7 @@ module ietf-tcp-common { (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision 2022-12-12 { + revision 2023-04-17 { description "Initial version"; reference @@ -72,6 +72,9 @@ module ietf-tcp-common { aliveness of the TCP peer. An unresponsive TCP peer is dropped after approximately (idle-time + max-probes * probe-interval) seconds."; + reference + "RFC 9293: + Transmission Control Protocol (TCP), Section 3.8.4.."; leaf idle-time { type uint16 { range "1..max"; diff --git a/transport/transport-tcp/src/main/yang/ietf-tcp-server@2022-12-12.yang b/transport/transport-tcp/src/main/yang/ietf-tcp-server@2023-04-17.yang similarity index 96% rename from transport/transport-tcp/src/main/yang/ietf-tcp-server@2022-12-12.yang rename to transport/transport-tcp/src/main/yang/ietf-tcp-server@2023-04-17.yang index a8337ff743..734494481b 100644 --- a/transport/transport-tcp/src/main/yang/ietf-tcp-server@2022-12-12.yang +++ b/transport/transport-tcp/src/main/yang/ietf-tcp-server@2023-04-17.yang @@ -27,12 +27,11 @@ module ietf-tcp-server { Authors: Kent Watsen Michael Scharf "; - description "This module defines reusable groupings for TCP servers that can be used as a basis for specific TCP server instances. - Copyright (c) 2022 IETF Trust and the persons identified + Copyright (c) 2023 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with 
@@ -53,7 +52,7 @@ module ietf-tcp-server { (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision 2022-12-12 { + revision 2023-04-17 { description "Initial version"; reference @@ -66,6 +65,8 @@ module ietf-tcp-server { description "Per socket TCP keepalive parameters are configurable for TCP servers on the server implementing this feature."; + reference + "RFC 9293: Transmission Control Protocol (TCP)"; } // Groupings diff --git a/transport/transport-tcp/src/test/java/org/opendaylight/netconf/transport/tcp/TCPClientServerTest.java b/transport/transport-tcp/src/test/java/org/opendaylight/netconf/transport/tcp/TCPClientServerTest.java index 8e970ee34c..238533851d 100644 --- a/transport/transport-tcp/src/test/java/org/opendaylight/netconf/transport/tcp/TCPClientServerTest.java +++ b/transport/transport-tcp/src/test/java/org/opendaylight/netconf/transport/tcp/TCPClientServerTest.java @@ -37,8 +37,8 @@ import org.opendaylight.netconf.transport.api.TransportChannelListener; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.Host; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.IetfInetUtil; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.PortNumber; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev221212.TcpClientGrouping; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev221212.TcpServerGrouping; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev230417.TcpClientGrouping; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev230417.TcpServerGrouping; import org.opendaylight.yangtools.yang.common.Uint16; @ExtendWith(MockitoExtension.class) diff --git a/transport/transport-tls/pom.xml b/transport/transport-tls/pom.xml index d6a1954e04..df6d074412 100644 
--- a/transport/transport-tls/pom.xml +++ b/transport/transport-tls/pom.xml @@ -23,6 +23,14 @@ NETCONF TLS transport + + io.netty + netty-buffer + + + io.netty + netty-common + io.netty netty-handler @@ -31,6 +39,10 @@ io.netty netty-transport + + org.bouncycastle + bcprov-jdk18on + org.kohsuke.metainf-services metainf-services @@ -52,9 +64,10 @@ truststore-api - org.bouncycastle - bcprov-jdk18on + org.opendaylight.netconf.model + draft-ietf-netconf-crypto-types + org.bouncycastle @@ -67,5 +80,10 @@ linux-x86_64 test + + org.opendaylight.mdsal.binding.model.ietf + rfc6991-ietf-inet-types + test + diff --git a/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/ConfigUtils.java b/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/ConfigUtils.java index 78c42552eb..a7d05b33b4 100644 --- a/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/ConfigUtils.java +++ b/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/ConfigUtils.java 
@@ -27,15 +27,15 @@ import java.util.Map;
 import org.eclipse.jdt.annotation.NonNull;
 import org.eclipse.jdt.annotation.Nullable;
 import org.opendaylight.netconf.transport.api.UnsupportedConfigurationException;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.AsymmetricKeyPairGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.EcPrivateKeyFormat;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.RsaPrivateKeyFormat;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.SshPublicKeyFormat;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.SubjectPublicKeyInfoFormat;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.asymmetric.key.pair.grouping._private.key.type.CleartextPrivateKey;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212.LocalOrKeystoreAsymmetricKeyGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212.LocalOrKeystoreEndEntityCertWithKeyGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212.LocalOrTruststoreCertsGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.AsymmetricKeyPairGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.EcPrivateKeyFormat;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.RsaPrivateKeyFormat;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.SshPublicKeyFormat;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.SubjectPublicKeyInfoFormat;
+import 
org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.asymmetric.key.pair.grouping._private.key.type.CleartextPrivateKey; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417.InlineOrKeystoreAsymmetricKeyGrouping; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417.InlineOrKeystoreEndEntityCertWithKeyGrouping; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417.InlineOrTruststoreCertsGrouping; final class ConfigUtils { @@ -56,11 +56,12 @@ final class ConfigUtils { * @throws UnsupportedConfigurationException if error occurs */ static void setX509Certificates(final @NonNull KeyStore keyStore, - final @Nullable LocalOrTruststoreCertsGrouping caCerts, - final @Nullable LocalOrTruststoreCertsGrouping eeCerts) throws UnsupportedConfigurationException { + final @Nullable InlineOrTruststoreCertsGrouping caCerts, + final @Nullable InlineOrTruststoreCertsGrouping eeCerts) throws UnsupportedConfigurationException { var certMap = ImmutableMap.builder() .putAll(extractCertificates(caCerts, "ca-")) - .putAll(extractCertificates(eeCerts, "ee-")).build(); + .putAll(extractCertificates(eeCerts, "ee-")) + .build(); for (var entry : certMap.entrySet()) { try { keyStore.setCertificateEntry(entry.getKey(), entry.getValue()); 
@@ -71,20 +72,20 @@ final class ConfigUtils { } private static Map extractCertificates( - @Nullable final LocalOrTruststoreCertsGrouping certs, + @Nullable final InlineOrTruststoreCertsGrouping certs, @NonNull final String aliasPrefix) throws UnsupportedConfigurationException { if (certs == null) { return Map.of(); } - final var local = ofType(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore - .rev221212.local.or.truststore.certs.grouping.local.or.truststore.Local.class, - certs.getLocalOrTruststore()); - final var localDef = local.getLocalDefinition(); - if (localDef == null) { - throw new UnsupportedConfigurationException("Missing local definition in " + local); + final var inline = ofType(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore + .rev230417.inline.or.truststore.certs.grouping.inline.or.truststore.Inline.class, + certs.getInlineOrTruststore()); + final var inlineDef = inline.getInlineDefinition(); + if (inlineDef == null) { + throw new UnsupportedConfigurationException("Missing inline definition in " + inline); } final var mapBuilder = ImmutableMap.builder(); - for (var cert : localDef.nonnullCertificate().values()) { + for (var cert : inlineDef.nonnullCertificate().values()) { try { final var alias = aliasPrefix + cert.requireName(); mapBuilder.put(alias, buildX509Certificate(cert.requireCertData().getValue())); 
@@ -103,27 +104,24 @@ final class ConfigUtils { * @throws UnsupportedConfigurationException if key pair is not set to key store */ static void setAsymmetricKey(final @NonNull KeyStore keyStore, - final @NonNull LocalOrKeystoreAsymmetricKeyGrouping input) + final @NonNull InlineOrKeystoreAsymmetricKeyGrouping input) throws UnsupportedConfigurationException { - final var local = ofType(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212 - .local.or.keystore.asymmetric.key.grouping.local.or.keystore.Local.class, - input.getLocalOrKeystore()); - final var localDef = local.getLocalDefinition(); - if (localDef == null) { - throw new UnsupportedConfigurationException("Missing local definition in " + local); + final var inline = ofType(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417 + .inline.or.keystore.asymmetric.key.grouping.inline.or.keystore.Inline.class, + input.getInlineOrKeystore()); + final var inlineDef = inline.getInlineDefinition(); + if (inlineDef == null) { + throw new UnsupportedConfigurationException("Missing inline definition in " + inline); } - final var keyPair = extractKeyPair(localDef); - /* - ietf-crypto-types:grouping asymmetric-key-pair-grouping - "A private key and its associated public key. Implementations - SHOULD ensure that the two keys are a matching pair." - */ + final var keyPair = extractKeyPair(inlineDef); + // ietf-crypto-types:grouping asymmetric-key-pair-grouping + // "A private key and its associated public key. Implementations + // SHOULD ensure that the two keys are a matching pair." 
validateKeyPair(keyPair.getPublic(), keyPair.getPrivate()); try { - // FIXME - // below line throws an exception bc keyStore does not support private key without certificate chain - // (belongs to implementation of raw public key feature support) + // FIXME: the below line throws an exception bc keyStore does not support private key without certificate + // chain (belongs to implementation of raw public key feature support) keyStore.setKeyEntry(DEFAULT_PRIVATE_KEY_ALIAS, keyPair.getPrivate(), EMPTY_SECRET, null); } catch (KeyStoreException e) { throw new UnsupportedConfigurationException("Failed to load private key", e); 
@@ -139,26 +137,25 @@ final class ConfigUtils {
 * @throws UnsupportedConfigurationException if key pair and certificate are not set to key store
 */
 static void setEndEntityCertificateWithKey(final @NonNull KeyStore keyStore,
- final @NonNull LocalOrKeystoreEndEntityCertWithKeyGrouping input) throws UnsupportedConfigurationException {
- final var local = ofType(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212
- .local.or.keystore.end.entity.cert.with.key.grouping.local.or.keystore.Local.class,
- input.getLocalOrKeystore());
- final var localDef = local.getLocalDefinition();
- if (localDef == null) {
- throw new UnsupportedConfigurationException("Missing local definition in " + local);
+ final @NonNull InlineOrKeystoreEndEntityCertWithKeyGrouping input)
+ throws UnsupportedConfigurationException {
+ final var inline = ofType(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417
+ .inline.or.keystore.end.entity.cert.with.key.grouping.inline.or.keystore.Inline.class,
+ input.getInlineOrKeystore());
+ final var inlineDef = inline.getInlineDefinition();
+ if (inlineDef == null) {
+ throw new UnsupportedConfigurationException("Missing inline definition in " + inline);
 }
- final var keyPair = extractKeyPair(localDef);
+ final var keyPair = extractKeyPair(inlineDef);
 final Certificate certificate;
 try {
- certificate = buildX509Certificate(localDef.requireCertData().getValue());
+ certificate = buildX509Certificate(inlineDef.requireCertData().getValue());
 } catch (IOException | CertificateException e) {
- throw new UnsupportedConfigurationException("Failed to load certificate" + localDef, e);
+ throw new UnsupportedConfigurationException("Failed to load certificate" + inlineDef, e);
 }
- /*
- ietf-crypto-types:asymmetric-key-pair-with-cert-grouping
- "A private/public key pair and an associated certificate.
- Implementations SHOULD assert that certificates contain the matching public key."
- */
+ // ietf-crypto-types:asymmetric-key-pair-with-cert-grouping
+ // "A private/public key pair and an associated certificate.
+ // Implementations SHOULD assert that certificates contain the matching public key."
 validateKeyPair(keyPair.getPublic(), keyPair.getPrivate());
 validatePublicKey(keyPair.getPublic(), certificate);
 try {
diff --git a/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/IetfTlsClientFeatureProvider.java b/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/IetfTlsClientFeatureProvider.java
index 21e1bef96e..e651f0b489 100644
--- a/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/IetfTlsClientFeatureProvider.java
+++ b/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/IetfTlsClientFeatureProvider.java
@@ -10,9 +10,9 @@ package org.opendaylight.netconf.transport.tls;
 import java.util.Set;
 import org.eclipse.jdt.annotation.NonNullByDefault;
 import org.kohsuke.MetaInfServices;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev221212.ClientIdentX509Cert;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev221212.IetfTlsClientData;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev221212.ServerAuthX509Cert;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev230417.ClientIdentX509Cert;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev230417.IetfTlsClientData;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev230417.ServerAuthX509Cert;
 import org.opendaylight.yangtools.yang.binding.YangFeature;
 import org.opendaylight.yangtools.yang.binding.YangFeatureProvider;
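Review bot: `throw new UnsupportedConfigurationException("Failed to load certificate" + inlineDef, e)` concatenates the whole inline definition into the exception message, and the grouping comment this hunk rewrites states that definition is a private/public key pair with its certificate; if the generated binding's `toString()` renders every leaf, the cleartext private key lands in the message and in whatever log records it. The message also lacks a separator before the object. I would drop the object from the message, `throw new UnsupportedConfigurationException("Failed to load certificate", e);`, since the cause `e` already carries the parse failure and the alias is fixed. The same `+ inline` pattern appears in the `"Missing inline definition in "` throws of this hunk and the preceding one, though there the definition is null so far less is exposed. `setEndEntityCertificateWithKey` continues past the end of the hunk.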
diff --git a/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/IetfTlsCommonFeatureProvider.java b/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/IetfTlsCommonFeatureProvider.java
index 604877daba..927a7dce27 100644
--- a/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/IetfTlsCommonFeatureProvider.java
+++ b/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/IetfTlsCommonFeatureProvider.java
@@ -12,13 +12,13 @@ import java.util.Set;
 import org.eclipse.jdt.annotation.NonNullByDefault;
 import org.eclipse.jdt.annotation.Nullable;
 import org.kohsuke.MetaInfServices;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev221212.HelloParams;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev221212.IetfTlsCommonData;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev221212.Tls12$F;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev221212.Tls12$I;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev221212.Tls13$F;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev221212.Tls13$I;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev221212.TlsVersionBase;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev230417.HelloParams;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev230417.IetfTlsCommonData;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev230417.Tls12$F;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev230417.Tls12$I;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev230417.Tls13$F;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev230417.Tls13$I;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev230417.TlsVersionBase;
 import org.opendaylight.yangtools.yang.binding.YangFeature;
 import org.opendaylight.yangtools.yang.binding.YangFeatureProvider;
diff --git a/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/IetfTlsServerFeatureProvider.java b/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/IetfTlsServerFeatureProvider.java
index d29068b0a0..6537f86115 100644
--- a/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/IetfTlsServerFeatureProvider.java
+++ b/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/IetfTlsServerFeatureProvider.java
@@ -10,10 +10,10 @@ package org.opendaylight.netconf.transport.tls;
 import java.util.Set;
 import org.eclipse.jdt.annotation.NonNullByDefault;
 import org.kohsuke.MetaInfServices;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev221212.ClientAuthSupported;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev221212.ClientAuthX509Cert;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev221212.IetfTlsServerData;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev221212.ServerIdentX509Cert;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417.ClientAuthSupported;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417.ClientAuthX509Cert;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417.IetfTlsServerData;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417.ServerIdentX509Cert;
 import org.opendaylight.yangtools.yang.binding.YangFeature;
 import org.opendaylight.yangtools.yang.binding.YangFeatureProvider;
diff --git a/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/SSLEngineFactory.java b/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/SSLEngineFactory.java
index a35ff52c9d..c75edfc635 100644
--- a/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/SSLEngineFactory.java
+++ b/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/SSLEngineFactory.java
@@ -19,7 +19,7 @@ import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManagerFactory;
 import org.opendaylight.netconf.transport.api.UnsupportedConfigurationException;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev221212.HelloParamsGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev230417.HelloParamsGrouping;
 /**
 * A pre-configured factory for creating {@link SslHandler}s.
diff --git a/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/TLSClient.java b/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/TLSClient.java
index e20f6b7e15..b3ec9b7591 100644
--- a/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/TLSClient.java
+++ b/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/TLSClient.java
@@ -18,11 +18,11 @@ import org.opendaylight.netconf.transport.api.TransportStack;
 import org.opendaylight.netconf.transport.api.UnsupportedConfigurationException;
 import org.opendaylight.netconf.transport.tcp.TCPClient;
 import org.opendaylight.netconf.transport.tcp.TCPServer;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev221212.TcpClientGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev221212.TcpServerGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev221212.TlsClientGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev221212.tls.client.grouping.client.identity.auth.type.Certificate;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev221212.tls.client.grouping.client.identity.auth.type.RawPublicKey;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev230417.TcpClientGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev230417.TcpServerGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev230417.TlsClientGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev230417.tls.client.grouping.client.identity.auth.type.Certificate;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev230417.tls.client.grouping.client.identity.auth.type.RawPublicKey;
 /**
 * A {@link TransportStack} acting as a TLS client.
diff --git a/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/TLSServer.java b/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/TLSServer.java
index 0c7cc60bd7..3f0e52726b 100644
--- a/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/TLSServer.java
+++ b/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/TLSServer.java
@@ -19,11 +19,11 @@ import org.opendaylight.netconf.transport.api.TransportStack;
 import org.opendaylight.netconf.transport.api.UnsupportedConfigurationException;
 import org.opendaylight.netconf.transport.tcp.TCPClient;
 import org.opendaylight.netconf.transport.tcp.TCPServer;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev221212.TcpClientGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev221212.TcpServerGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev221212.TlsServerGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev221212.tls.server.grouping.server.identity.auth.type.Certificate;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev221212.tls.server.grouping.server.identity.auth.type.RawPrivateKey;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev230417.TcpClientGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev230417.TcpServerGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417.TlsServerGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417.tls.server.grouping.server.identity.auth.type.Certificate;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417.tls.server.grouping.server.identity.auth.type.RawPrivateKey;
 /**
 * A {@link TransportStack} acting as a TLS server.
diff --git a/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/TLSTransportStack.java b/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/TLSTransportStack.java
index 3c4ed1e39a..2fd483a386 100644
--- a/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/TLSTransportStack.java
+++ b/transport/transport-tls/src/main/java/org/opendaylight/netconf/transport/tls/TLSTransportStack.java
@@ -56,12 +56,12 @@ import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.
 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdheRsaWithAes128GcmSha256;
 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdheRsaWithAes256GcmSha384;
 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana.tls.cipher.suite.algs.rev220616.TlsEcdheRsaWithChacha20Poly1305Sha256;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212.LocalOrKeystoreAsymmetricKeyGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212.LocalOrKeystoreEndEntityCertWithKeyGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev221212.HelloParamsGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev221212.TlsVersionBase;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212.LocalOrTruststoreCertsGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212.LocalOrTruststorePublicKeysGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417.InlineOrKeystoreAsymmetricKeyGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417.InlineOrKeystoreEndEntityCertWithKeyGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev230417.HelloParamsGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.common.rev230417.TlsVersionBase;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417.InlineOrTruststoreCertsGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417.InlineOrTruststorePublicKeysGrouping;
 /**
 * Base class for TLS 
TransportStacks.
@@ -126,14 +126,14 @@ public abstract sealed class TLSTransportStack extends AbstractOverlayTransportS
 }
 static KeyManagerFactory newKeyManager(
- final @NonNull LocalOrKeystoreEndEntityCertWithKeyGrouping endEntityCert
+ final @NonNull InlineOrKeystoreEndEntityCertWithKeyGrouping endEntityCert
 ) throws UnsupportedConfigurationException {
 final var keyStore = newKeyStore();
 setEndEntityCertificateWithKey(keyStore, endEntityCert);
 return buildKeyManagerFactory(keyStore);
 }
- static KeyManagerFactory newKeyManager(final @NonNull LocalOrKeystoreAsymmetricKeyGrouping rawPrivateKey)
+ static KeyManagerFactory newKeyManager(final @NonNull InlineOrKeystoreAsymmetricKeyGrouping rawPrivateKey)
 throws UnsupportedConfigurationException {
 final var keyStore = newKeyStore();
 setAsymmetricKey(keyStore, rawPrivateKey);
@@ -142,9 +142,9 @@ public abstract sealed class TLSTransportStack extends AbstractOverlayTransportS
 // FIXME: should be TrustManagerBuilder
 protected static @Nullable TrustManagerFactory newTrustManager(
- final @Nullable LocalOrTruststoreCertsGrouping caCerts,
- final @Nullable LocalOrTruststoreCertsGrouping eeCerts,
- final @Nullable LocalOrTruststorePublicKeysGrouping publicKeys) throws UnsupportedConfigurationException {
+ final @Nullable InlineOrTruststoreCertsGrouping caCerts,
+ final @Nullable InlineOrTruststoreCertsGrouping eeCerts,
+ final @Nullable InlineOrTruststorePublicKeysGrouping publicKeys) throws UnsupportedConfigurationException {
 if (publicKeys != null) {
 // FIXME: implement this and advertize server-auth-raw-public-key from IetfTlsClientFeatureProvider
diff --git a/transport/transport-tls/src/main/yang/ietf-tls-client@2022-12-12.yang b/transport/transport-tls/src/main/yang/ietf-tls-client@2023-04-17.yang
similarity index 94%
rename from transport/transport-tls/src/main/yang/ietf-tls-client@2022-12-12.yang
rename to transport/transport-tls/src/main/yang/ietf-tls-client@2023-04-17.yang
index 00b7ad3795..8bcdb0178b 100644
--- a/transport/transport-tls/src/main/yang/ietf-tls-client@2022-12-12.yang +++ b/transport/transport-tls/src/main/yang/ietf-tls-client@2023-04-17.yang @@ -46,7 +46,7 @@ module ietf-tls-client { "This module defines reusable groupings for TLS clients that can be used as a basis for specific TLS client instances. - Copyright (c) 2022 IETF Trust and the persons identified + Copyright (c) 2023 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with @@ -67,7 +67,7 @@ module ietf-tls-client { (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision 2022-12-12 { + revision 2023-04-17 { description "Initial version"; reference @@ -208,12 +208,13 @@ module ietf-tls-client { description "Specifies the client identity using a certificate."; uses - ks:local-or-keystore-end-entity-cert-with-key-grouping{ - refine "local-or-keystore/local/local-definition" { + "ks:inline-or-keystore-end-entity-cert-with-key-" + + "grouping" { + refine "inline-or-keystore/inline/inline-definition" { must 'derived-from-or-self(public-key-format,' + ' "ct:subject-public-key-info-format")'; } - refine "local-or-keystore/keystore/keystore-reference" + refine "inline-or-keystore/keystore/keystore-reference" + "/asymmetric-key" { must 'derived-from-or-self(deref(.)/../ks:public-' + 'key-format, "ct:subject-public-key-info-' 
@@ -228,12 +229,13 @@ module ietf-tls-client { description "Specifies the client identity using a raw private key."; - uses ks:local-or-keystore-asymmetric-key-grouping { - refine "local-or-keystore/local/local-definition" { + uses ks:inline-or-keystore-asymmetric-key-grouping { + refine "inline-or-keystore/inline/inline-definition" { must 'derived-from-or-self(public-key-format,' + ' "ct:subject-public-key-info-format")'; } - refine "local-or-keystore/keystore/keystore-reference"{ + refine + "inline-or-keystore/keystore/keystore-reference" { must 'derived-from-or-self(deref(.)/../ks:public-' + 'key-format, "ct:subject-public-key-info-' + 'format")'; @@ -247,7 +249,7 @@ module ietf-tls-client { description "Specifies the client identity using a PSK (pre-shared or pairwise-symmetric key)."; - uses ks:local-or-keystore-symmetric-key-grouping; + uses ks:inline-or-keystore-symmetric-key-grouping; leaf id { type string; description @@ -279,7 +281,7 @@ module ietf-tls-client { and the EPSK input fields detailed in I-D draft-ietf-tls-external-psk-importer Section 3.1. The base-key is based upon - ks:local-or-keystore-symmetric-key-grouping + ks:inline-or-keystore-symmetric-key-grouping in order to provide users with flexible and secure storage options."; reference @@ -289,7 +291,7 @@ module ietf-tls-client { Importing External PSKs for TLS I-D.ietf-tls-external-psk-guidance: Guidance for External PSK Usage in TLS"; - uses ks:local-or-keystore-symmetric-key-grouping; + uses ks:inline-or-keystore-symmetric-key-grouping; leaf external-identity { type string; mandatory true; @@ -388,7 +390,7 @@ module ietf-tls-client { chain of trust to a configured CA certificate."; reference "RFC BBBB: A YANG Data Model for a Truststore"; - uses ts:local-or-truststore-certs-grouping; + uses ts:inline-or-truststore-certs-grouping; } container ee-certs { if-feature "server-auth-x509-cert"; 
@@ -404,7 +406,7 @@ module ietf-tls-client { match to a configured server certificate."; reference "RFC BBBB: A YANG Data Model for a Truststore"; - uses ts:local-or-truststore-certs-grouping; + uses ts:inline-or-truststore-certs-grouping; } container raw-public-keys { if-feature "server-auth-raw-public-key"; @@ -419,13 +421,13 @@ module ietf-tls-client { is an exact match to a configured raw public key."; reference "RFC BBBB: A YANG Data Model for a Truststore"; - uses ts:local-or-truststore-public-keys-grouping { - refine "local-or-truststore/local/local-definition/" + uses ts:inline-or-truststore-public-keys-grouping { + refine "inline-or-truststore/inline/inline-definition/" + "public-key" { must 'derived-from-or-self(public-key-format,' + ' "ct:subject-public-key-info-format")'; } - refine "local-or-truststore/truststore/truststore-" + refine "inline-or-truststore/truststore/truststore-" + "reference" { must 'not(deref(.)/../ts:public-key/ts:public-key-' + 'format[not(derived-from-or-self(., "ct:subject-' diff --git a/transport/transport-tls/src/main/yang/ietf-tls-common@2022-12-12.yang b/transport/transport-tls/src/main/yang/ietf-tls-common@2023-04-17.yang similarity index 97% rename from transport/transport-tls/src/main/yang/ietf-tls-common@2022-12-12.yang rename to transport/transport-tls/src/main/yang/ietf-tls-common@2023-04-17.yang index 7c6c0c450d..5ad06f4198 100644 --- a/transport/transport-tls/src/main/yang/ietf-tls-common@2022-12-12.yang +++ b/transport/transport-tls/src/main/yang/ietf-tls-common@2023-04-17.yang @@ -35,7 +35,7 @@ module ietf-tls-common { "This module defines a common features and groupings for Transport Layer Security (TLS). - Copyright (c) 2022 IETF Trust and the persons identified + Copyright (c) 2023 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with 
@@ -56,7 +56,7 @@ module ietf-tls-common { (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision 2022-12-12 { + revision 2023-04-17 { description "Initial version"; reference @@ -271,6 +271,7 @@ module ietf-tls-common { description "A choice amongst optional private key handling."; case cleartext { + if-feature "ct:cleartext-private-keys"; leaf cleartext { type empty; description @@ -279,7 +280,7 @@ module ietf-tls-common { } } case encrypt { - if-feature "ct:private-key-encryption"; + if-feature "ct:encrypted-private-keys"; container encrypt-with { description "Indicates that the key is to be encrypted using @@ -288,7 +289,7 @@ module ietf-tls-common { } } case hide { - if-feature "ct:hidden-keys"; + if-feature "ct:hidden-private-keys"; leaf hide { type empty; description diff --git a/transport/transport-tls/src/main/yang/ietf-tls-server@2022-12-12.yang b/transport/transport-tls/src/main/yang/ietf-tls-server@2023-04-17.yang similarity index 94% rename from transport/transport-tls/src/main/yang/ietf-tls-server@2022-12-12.yang rename to transport/transport-tls/src/main/yang/ietf-tls-server@2023-04-17.yang index 4fb37ef4e2..70db15024a 100644 --- a/transport/transport-tls/src/main/yang/ietf-tls-server@2022-12-12.yang +++ b/transport/transport-tls/src/main/yang/ietf-tls-server@2023-04-17.yang @@ -46,7 +46,7 @@ module ietf-tls-server { "This module defines reusable groupings for TLS servers that can be used as a basis for specific TLS server instances. - Copyright (c) 2022 IETF Trust and the persons identified + Copyright (c) 2023 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with @@ -67,7 +67,7 @@ module ietf-tls-server { (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision 2022-12-12 { + revision 2023-04-17 { description "Initial version"; reference 
@@ -210,12 +210,13 @@ module ietf-tls-server { description "Specifies the server identity using a certificate."; uses - ks:local-or-keystore-end-entity-cert-with-key-grouping{ - refine "local-or-keystore/local/local-definition" { + "ks:inline-or-keystore-end-entity-cert-with-key-" + + "grouping" { + refine "inline-or-keystore/inline/inline-definition" { must 'derived-from-or-self(public-key-format,' + ' "ct:subject-public-key-info-format")'; } - refine "local-or-keystore/keystore/keystore-reference" + refine "inline-or-keystore/keystore/keystore-reference" + "/asymmetric-key" { must 'derived-from-or-self(deref(.)/../ks:public-' + 'key-format, "ct:subject-public-key-info-' @@ -230,12 +231,13 @@ module ietf-tls-server { description "Specifies the server identity using a raw private key."; - uses ks:local-or-keystore-asymmetric-key-grouping { - refine "local-or-keystore/local/local-definition" { + uses ks:inline-or-keystore-asymmetric-key-grouping { + refine "inline-or-keystore/inline/inline-definition" { must 'derived-from-or-self(public-key-format,' + ' "ct:subject-public-key-info-format")'; } - refine "local-or-keystore/keystore/keystore-reference"{ + refine + "inline-or-keystore/keystore/keystore-reference" { must 'derived-from-or-self(deref(.)/../ks:public-' + 'key-format, "ct:subject-public-key-info-' + 'format")'; @@ -249,7 +251,7 @@ module ietf-tls-server { description "Specifies the server identity using a PSK (pre-shared or pairwise-symmetric key)."; - uses ks:local-or-keystore-symmetric-key-grouping; + uses ks:inline-or-keystore-symmetric-key-grouping; leaf id_hint { type string; description @@ -281,7 +283,7 @@ module ietf-tls-server { and the EPSK input fields detailed in I-D draft-ietf-tls-external-psk-importer Section 3.1. The base-key is based upon - ks:local-or-keystore-symmetric-key-grouping + ks:inline-or-keystore-symmetric-key-grouping in order to provide users with flexible and secure storage options."; reference 
@@ -291,7 +293,7 @@ module ietf-tls-server { External PSKs for TLS I-D.ietf-tls-external-psk-guidance: Guidance for External PSK Usage in TLS"; - uses ks:local-or-keystore-symmetric-key-grouping; + uses ks:inline-or-keystore-symmetric-key-grouping; leaf external-identity { type string; mandatory true; @@ -396,7 +398,7 @@ module ietf-tls-server { chain of trust to a configured CA certificate."; reference "RFC BBBB: A YANG Data Model for a Truststore"; - uses ts:local-or-truststore-certs-grouping; + uses ts:inline-or-truststore-certs-grouping; } container ee-certs { if-feature "client-auth-x509-cert"; @@ -412,7 +414,7 @@ module ietf-tls-server { match to a configured client certificate."; reference "RFC BBBB: A YANG Data Model for a Truststore"; - uses ts:local-or-truststore-certs-grouping; + uses ts:inline-or-truststore-certs-grouping; } container raw-public-keys { if-feature "client-auth-raw-public-key"; @@ -427,13 +429,13 @@ module ietf-tls-server { is an exact match to a configured raw public key."; reference "RFC BBBB: A YANG Data Model for a Truststore"; - uses ts:local-or-truststore-public-keys-grouping { - refine "local-or-truststore/local/local-definition/" + uses ts:inline-or-truststore-public-keys-grouping { + refine "inline-or-truststore/inline/inline-definition/" + "public-key" { must 'derived-from-or-self(public-key-format,' + ' "ct:subject-public-key-info-format")'; } - refine "local-or-truststore/truststore/truststore-" + refine "inline-or-truststore/truststore/truststore-" + "reference" { must 'not(deref(.)/../ts:public-key/ts:public-key-' + 'format[not(derived-from-or-self(., "ct:subject-' diff --git a/transport/transport-tls/src/test/java/org/opendaylight/netconf/transport/tls/ConfigUtilsTest.java b/transport/transport-tls/src/test/java/org/opendaylight/netconf/transport/tls/ConfigUtilsTest.java index acd9df1f91..3524ea5ca1 100644 --- a/transport/transport-tls/src/test/java/org/opendaylight/netconf/transport/tls/ConfigUtilsTest.java 
+++ b/transport/transport-tls/src/test/java/org/opendaylight/netconf/transport/tls/ConfigUtilsTest.java
@@ -16,7 +16,7 @@ import static org.opendaylight.netconf.transport.tls.ConfigUtils.DEFAULT_PRIVATE
 import static org.opendaylight.netconf.transport.tls.ConfigUtils.EMPTY_SECRET;
 import static org.opendaylight.netconf.transport.tls.TestUtils.buildAsymmetricKeyGrouping;
 import static org.opendaylight.netconf.transport.tls.TestUtils.buildEndEntityCertWithKeyGrouping;
-import static org.opendaylight.netconf.transport.tls.TestUtils.buildLocalOrTruststore;
+import static org.opendaylight.netconf.transport.tls.TestUtils.buildInlineOrTruststore;
 import static org.opendaylight.netconf.transport.tls.TestUtils.generateX509CertData;
 import java.security.KeyStore;
@@ -31,16 +31,14 @@ import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.EcPrivateKeyFormat;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.PrivateKeyFormat;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.PublicKeyFormat;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.RsaPrivateKeyFormat;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.SshPublicKeyFormat;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.SubjectPublicKeyInfoFormat;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev221212.tls.client.grouping.server.authentication.CaCerts;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev221212.tls.client.grouping.server.authentication.CaCertsBuilder;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev221212.tls.client.grouping.server.authentication.EeCerts;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev221212.tls.client.grouping.server.authentication.EeCertsBuilder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.EcPrivateKeyFormat;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.PrivateKeyFormat;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.PublicKeyFormat;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.RsaPrivateKeyFormat;
+import 
org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.SshPublicKeyFormat;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.SubjectPublicKeyInfoFormat;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev230417.tls.client.grouping.server.authentication.CaCertsBuilder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev230417.tls.client.grouping.server.authentication.EeCertsBuilder;
 class ConfigUtilsTest {
@@ -61,10 +59,10 @@ class ConfigUtilsTest {
 assertFalse(keyStore.aliases().hasMoreElements());
 // defined
- final var localOrTruststore = buildLocalOrTruststore(
+ final var inlineOrTruststore = buildInlineOrTruststore(
 Map.of("cert-rsa", rsaCertData.certBytes(), "cert-ec", ecCertData.certBytes()));
- final CaCerts caCerts = new CaCertsBuilder().setLocalOrTruststore(localOrTruststore).build();
- final EeCerts eeCerts = new EeCertsBuilder().setLocalOrTruststore(localOrTruststore).build();
+ final var caCerts = new CaCertsBuilder().setInlineOrTruststore(inlineOrTruststore).build();
+ final var eeCerts = new EeCertsBuilder().setInlineOrTruststore(inlineOrTruststore).build();
 ConfigUtils.setX509Certificates(keyStore, caCerts, eeCerts);
 final List aliases = Collections.list(keyStore.aliases());
diff --git a/transport/transport-tls/src/test/java/org/opendaylight/netconf/transport/tls/TestUtils.java b/transport/transport-tls/src/test/java/org/opendaylight/netconf/transport/tls/TestUtils.java
index 6f554605b2..3d666b1c54 100644
--- a/transport/transport-tls/src/test/java/org/opendaylight/netconf/transport/tls/TestUtils.java
+++ b/transport/transport-tls/src/test/java/org/opendaylight/netconf/transport/tls/TestUtils.java
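Review bot: The last context line of the ConfigUtilsTest hunk, `final List aliases = Collections.list(keyStore.aliases());`, still uses a raw `List` while the lines directly above it are being converted to `var`; `final var aliases = Collections.list(keyStore.aliases());` would let the compiler infer the element type and remove the raw-type warning, which is in line with the warning cleanup this commit describes. Minor, and the test method continues past the end of the hunk.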
@@ -18,7 +18,6 @@ import java.time.Duration;
 import java.time.Instant;
 import java.util.Date;
 import java.util.Map;
-import java.util.stream.Collectors;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
@@ -26,16 +25,17 @@ import org.bouncycastle.crypto.util.OpenSSHPublicKeyUtil;
 import org.bouncycastle.crypto.util.PublicKeyFactory;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.EndEntityCertCms;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.PrivateKeyFormat;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.PublicKeyFormat;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.TrustAnchorCertCms;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.asymmetric.key.pair.grouping._private.key.type.CleartextPrivateKeyBuilder;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212.LocalOrKeystoreAsymmetricKeyGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212.LocalOrKeystoreEndEntityCertWithKeyGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev221212.tls.server.grouping.server.identity.auth.type.raw._private.key.RawPrivateKeyBuilder;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212.local.or.truststore.certs.grouping.LocalOrTruststore;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212.local.or.truststore.certs.grouping.local.or.truststore.local.local.definition.CertificateBuilder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.EndEntityCertCms;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.PrivateKeyFormat;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.PublicKeyFormat;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.TrustAnchorCertCms;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.asymmetric.key.pair.grouping._private.key.type.CleartextPrivateKeyBuilder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417.InlineOrKeystoreAsymmetricKeyGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417.InlineOrKeystoreEndEntityCertWithKeyGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417.tls.server.grouping.server.identity.auth.type.raw._private.key.RawPrivateKeyBuilder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417.inline.or.truststore.certs.grouping.InlineOrTruststore;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417.inline.or.truststore.certs.grouping.inline.or.truststore.inline.inline.definition.CertificateBuilder;
+import org.opendaylight.yangtools.yang.binding.util.BindingMap;
 public final class TestUtils {
 private static final SecureRandom SECURE_RANDOM = new SecureRandom();
@@ -44,57 +44,59 @@ public final class TestUtils { // utility class } - public static LocalOrTruststore buildLocalOrTruststore(Map certNameToBytesMap) { - final var certMap = certNameToBytesMap.entrySet().stream() - .map(entry -> new CertificateBuilder() + public static InlineOrTruststore buildInlineOrTruststore(final Map certNameToBytesMap) { + return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417 + .inline.or.truststore.certs.grouping.inline.or.truststore.InlineBuilder() + .setInlineDefinition(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417 + .inline.or.truststore.certs.grouping.inline.or.truststore.inline.InlineDefinitionBuilder() + .setCertificate(certNameToBytesMap.entrySet().stream() + .map(entry -> new CertificateBuilder() .setName(entry.getKey()) .setCertData(new TrustAnchorCertCms(entry.getValue())) - .build() - ).collect(Collectors.toMap(cert -> cert.key(), cert -> cert)); - final var localDef = new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212 - .local.or.truststore.certs.grouping.local.or.truststore.local.LocalDefinitionBuilder() - .setCertificate(certMap).build(); - return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212 - .local.or.truststore.certs.grouping.local.or.truststore.LocalBuilder() - .setLocalDefinition(localDef).build(); + .build()) + .collect(BindingMap.toMap())) + .build()) + .build(); } - public static LocalOrKeystoreAsymmetricKeyGrouping buildAsymmetricKeyGrouping( + public static InlineOrKeystoreAsymmetricKeyGrouping buildAsymmetricKeyGrouping( final PublicKeyFormat publicKeyFormat, final byte[] publicKeyBytes, final PrivateKeyFormat privateKeyFormat, final byte[] privateKeyBytes) { - final var localDef = new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212 - .local.or.keystore.asymmetric.key.grouping.local.or.keystore.local.LocalDefinitionBuilder() - 
.setPublicKeyFormat(publicKeyFormat) - .setPublicKey(publicKeyBytes) - .setPrivateKeyFormat(privateKeyFormat) - .setPrivateKeyType(new CleartextPrivateKeyBuilder().setCleartextPrivateKey(privateKeyBytes).build()) - .build(); return new RawPrivateKeyBuilder() - .setLocalOrKeystore( - new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212 - .local.or.keystore.asymmetric.key.grouping.local.or.keystore.LocalBuilder() - .setLocalDefinition(localDef).build()) - .build(); + .setInlineOrKeystore(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417 + .inline.or.keystore.asymmetric.key.grouping.inline.or.keystore.InlineBuilder() + .setInlineDefinition(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore + .rev230417.inline.or.keystore.asymmetric.key.grouping.inline.or.keystore.inline + .InlineDefinitionBuilder() + .setPublicKeyFormat(publicKeyFormat) + .setPublicKey(publicKeyBytes) + .setPrivateKeyFormat(privateKeyFormat) + .setPrivateKeyType(new CleartextPrivateKeyBuilder() + .setCleartextPrivateKey(privateKeyBytes) + .build()) + .build()) + .build()) + .build(); } - public static LocalOrKeystoreEndEntityCertWithKeyGrouping buildEndEntityCertWithKeyGrouping( + public static InlineOrKeystoreEndEntityCertWithKeyGrouping buildEndEntityCertWithKeyGrouping( final PublicKeyFormat publicKeyFormat, final byte[] publicKeyBytes, final PrivateKeyFormat privateKeyFormat, final byte[] privateKeyBytes, final byte[] certificateBytes) { - final var localDef = new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212 - .local.or.keystore.end.entity.cert.with.key.grouping.local.or.keystore.local.LocalDefinitionBuilder() - .setPublicKeyFormat(publicKeyFormat) - .setPublicKey(publicKeyBytes) - .setPrivateKeyFormat(privateKeyFormat) - .setPrivateKeyType(new CleartextPrivateKeyBuilder().setCleartextPrivateKey(privateKeyBytes).build()) - .setCertData(new 
EndEntityCertCms(certificateBytes)) - .build(); - return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev221212 - .tls.server.grouping.server.identity.auth.type.certificate.CertificateBuilder() - .setLocalOrKeystore( - new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev221212 - .local.or.keystore.end.entity.cert.with.key.grouping.local.or.keystore.LocalBuilder() - .setLocalDefinition(localDef).build()) - .build(); + return new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417 + .tls.server.grouping.server.identity.auth.type.certificate.CertificateBuilder() + .setInlineOrKeystore(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore.rev230417 + .inline.or.keystore.end.entity.cert.with.key.grouping.inline.or.keystore.InlineBuilder() + .setInlineDefinition(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.keystore + .rev230417.inline.or.keystore.end.entity.cert.with.key.grouping.inline.or.keystore.inline + .InlineDefinitionBuilder() + .setPublicKeyFormat(publicKeyFormat) + .setPublicKey(publicKeyBytes) + .setPrivateKeyFormat(privateKeyFormat) + .setPrivateKeyType(new CleartextPrivateKeyBuilder().setCleartextPrivateKey(privateKeyBytes).build()) + .setCertData(new EndEntityCertCms(certificateBytes)) + .build()) + .build()) + .build(); } public static X509CertData generateX509CertData(final String algorithm) throws Exception { diff --git a/transport/transport-tls/src/test/java/org/opendaylight/netconf/transport/tls/TlsClientServerTest.java b/transport/transport-tls/src/test/java/org/opendaylight/netconf/transport/tls/TlsClientServerTest.java index a4406c2107..622802eb6c 100644 --- a/transport/transport-tls/src/test/java/org/opendaylight/netconf/transport/tls/TlsClientServerTest.java +++ b/transport/transport-tls/src/test/java/org/opendaylight/netconf/transport/tls/TlsClientServerTest.java 
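Review bot: The three public helpers buildInlineOrTruststore, buildAsymmetricKeyGrouping and buildEndEntityCertWithKeyGrouping still carry no Javadoc, and the rewrite now inlines each builder chain with fully qualified InlineBuilder/InlineDefinitionBuilder names without saying why. A one-line comment above the first qualified name would help, e.g. `// fully-qualified: the keystore and truststore groupings both generate InlineBuilder/InlineDefinitionBuilder, and tls.server has its own CertificateBuilder`, since the same simple names appear under truststore.rev230417, keystore.rev230417 and tls.server.rev230417 in this hunk. Each helper's Javadoc should also state that the private key is embedded in the configuration as a cleartext-private-key (CleartextPrivateKeyBuilder), so the resulting objects are for tests only and must not be logged or persisted. The CleartextPrivateKeyBuilder call is split over three lines in buildAsymmetricKeyGrouping but kept on one line in buildEndEntityCertWithKeyGrouping; pick one form. The parameter type of buildInlineOrTruststore shows as a raw `Map` here, which looks like type arguments lost in rendering rather than a change made by the commit.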
@@ -17,7 +17,7 @@ import static org.mockito.Mockito.when;
 import static org.opendaylight.netconf.transport.tls.KeyUtils.EC_ALGORITHM;
 import static org.opendaylight.netconf.transport.tls.KeyUtils.RSA_ALGORITHM;
 import static org.opendaylight.netconf.transport.tls.TestUtils.buildEndEntityCertWithKeyGrouping;
-import static org.opendaylight.netconf.transport.tls.TestUtils.buildLocalOrTruststore;
+import static org.opendaylight.netconf.transport.tls.TestUtils.buildInlineOrTruststore;
 import static org.opendaylight.netconf.transport.tls.TestUtils.generateX509CertData;
 import static org.opendaylight.netconf.transport.tls.TestUtils.isRSA;
@@ -43,20 +43,20 @@ import org.mockito.junit.jupiter.MockitoExtension;
 import org.opendaylight.netconf.transport.api.TransportChannel;
 import org.opendaylight.netconf.transport.api.TransportChannelListener;
 import org.opendaylight.netconf.transport.tcp.NettyTransportSupport;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.EcPrivateKeyFormat;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.RsaPrivateKeyFormat;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev221212.SubjectPublicKeyInfoFormat;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.EcPrivateKeyFormat;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.RsaPrivateKeyFormat;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.crypto.types.rev230417.SubjectPublicKeyInfoFormat;
 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.Host;
 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.IetfInetUtil;
 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.PortNumber;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev221212.TcpClientGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev221212.TcpServerGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev221212.TlsClientGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev221212.tls.client.grouping.ClientIdentityBuilder;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev221212.tls.client.grouping.ServerAuthenticationBuilder;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev221212.TlsServerGrouping;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev221212.tls.server.grouping.ClientAuthenticationBuilder;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev221212.tls.server.grouping.ServerIdentityBuilder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.client.rev230417.TcpClientGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tcp.server.rev230417.TcpServerGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev230417.TlsClientGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev230417.tls.client.grouping.ClientIdentityBuilder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev230417.tls.client.grouping.ServerAuthenticationBuilder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417.TlsServerGrouping;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417.tls.server.grouping.ClientAuthenticationBuilder;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417.tls.server.grouping.ServerIdentityBuilder;
 import org.opendaylight.yangtools.yang.common.Uint16;
 @ExtendWith(MockitoExtension.class)
@@ -121,41 +121,47 @@ class TlsClientServerTest { final var data = generateX509CertData(algorithm); // common config parts - var localOrKeystore = buildEndEntityCertWithKeyGrouping( + var inlineOrKeystore = buildEndEntityCertWithKeyGrouping( SubjectPublicKeyInfoFormat.VALUE, data.publicKey(), isRSA(algorithm) ? RsaPrivateKeyFormat.VALUE : EcPrivateKeyFormat.VALUE, - data.privateKey(), data.certBytes()).getLocalOrKeystore(); - var localOrTrustStore = buildLocalOrTruststore(Map.of("cert", data.certBytes())); + data.privateKey(), data.certBytes()).getInlineOrKeystore(); + var inlineOrTrustStore = buildInlineOrTruststore(Map.of("cert", data.certBytes())); // client config final var clientIdentity = new ClientIdentityBuilder() - .setAuthType(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev221212 - .tls.client.grouping.client.identity.auth.type.CertificateBuilder() - .setCertificate( - new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev221212 - .tls.client.grouping.client.identity.auth.type.certificate.CertificateBuilder() - .setLocalOrKeystore(localOrKeystore) - .build()).build()).build(); - final var serverAuth = new ServerAuthenticationBuilder().setCaCerts( - new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev221212 - .tls.client.grouping.server.authentication.CaCertsBuilder() - .setLocalOrTruststore(localOrTrustStore).build()).build(); + .setAuthType(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev230417 + .tls.client.grouping.client.identity.auth.type.CertificateBuilder() + .setCertificate(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev230417 + .tls.client.grouping.client.identity.auth.type.certificate.CertificateBuilder() + .setInlineOrKeystore(inlineOrKeystore) + .build()) + .build()) + .build(); + final var serverAuth = new ServerAuthenticationBuilder() + .setCaCerts(new 
org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.client.rev230417 + .tls.client.grouping.server.authentication.CaCertsBuilder() + .setInlineOrTruststore(inlineOrTrustStore) + .build()) + .build(); when(tlsClientConfig.getClientIdentity()).thenReturn(clientIdentity); when(tlsClientConfig.getServerAuthentication()).thenReturn(serverAuth); // server config final var serverIdentity = new ServerIdentityBuilder() - .setAuthType(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev221212 - .tls.server.grouping.server.identity.auth.type.CertificateBuilder() - .setCertificate( - new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev221212 - .tls.server.grouping.server.identity.auth.type.certificate.CertificateBuilder() - .setLocalOrKeystore(localOrKeystore) - .build()).build()).build(); - final var clientAuth = new ClientAuthenticationBuilder().setCaCerts( - new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev221212 - .tls.server.grouping.client.authentication.CaCertsBuilder() - .setLocalOrTruststore(localOrTrustStore).build()).build(); + .setAuthType(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417 + .tls.server.grouping.server.identity.auth.type.CertificateBuilder() + .setCertificate(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417 + .tls.server.grouping.server.identity.auth.type.certificate.CertificateBuilder() + .setInlineOrKeystore(inlineOrKeystore) + .build()) + .build()) + .build(); + final var clientAuth = new ClientAuthenticationBuilder() + .setCaCerts(new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.tls.server.rev230417 + .tls.server.grouping.client.authentication.CaCertsBuilder() + .setInlineOrTruststore(inlineOrTrustStore) + .build()) + .build(); when(tlsServerConfig.getServerIdentity()).thenReturn(serverIdentity); 
when(tlsServerConfig.getClientAuthentication()).thenReturn(clientAuth); @@ -190,7 +196,7 @@ class TlsClientServerTest { } } - private static Channel assertChannel(List transportChannels) { + private static Channel assertChannel(final List transportChannels) { assertNotNull(transportChannels); assertEquals(1, transportChannels.size()); final var channel = assertInstanceOf(TLSTransportChannel.class, transportChannels.get(0)).channel(); diff --git a/truststore/truststore-api/src/main/yang/ietf-truststore@2022-12-12.yang b/truststore/truststore-api/src/main/yang/ietf-truststore@2023-04-17.yang similarity index 94% rename from truststore/truststore-api/src/main/yang/ietf-truststore@2022-12-12.yang rename to truststore/truststore-api/src/main/yang/ietf-truststore@2023-04-17.yang index f74f1ef1db..cd0d875f1c 100644 --- a/truststore/truststore-api/src/main/yang/ietf-truststore@2022-12-12.yang +++ b/truststore/truststore-api/src/main/yang/ietf-truststore@2023-04-17.yang @@ -26,7 +26,7 @@ module ietf-truststore { "This module defines a 'truststore' to centralize management of trust anchors including certificates and public keys. - Copyright (c) 2022 IETF Trust and the persons identified + Copyright (c) 2023 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with @@ -47,7 +47,7 @@ module ietf-truststore { (RFC 8174) when, and only when, they appear in all capitals, as shown here."; - revision 2022-12-12 { + revision 2023-04-17 { description "Initial version"; reference @@ -65,9 +65,9 @@ module ietf-truststore { 'ietf-truststore' module)."; } - feature local-definitions-supported { + feature inline-definitions-supported { description - "The 'local-definitions-supported' feature indicates that + "The 'inline-definitions-supported' feature indicates that the server supports locally-defined trust anchors."; } feature certificates { 
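Review bot: `var inlineOrKeystore` and `var inlineOrTrustStore` at the top of the hunk are the only non-final locals in the rewritten block, while every other new local is `final var` and the assertChannel hunk below even adds `final` to a parameter; the second name also spells the model's `Truststore` as `TrustStore`, unlike the helper `buildInlineOrTruststore` and the `inlineOrTruststore` local in ConfigUtilsTest. I would change them to `final var inlineOrKeystore = buildEndEntityCertWithKeyGrouping(` and `final var inlineOrTruststore = buildInlineOrTruststore(Map.of("cert", data.certBytes()));`, updating the two setInlineOrTruststore uses. From the visible lines the same inlineOrKeystore is installed as both the client identity and the server identity, and the sole truststore entry is that same certificate, so a comment such as `// one self-signed cert serves as both peers' identity and as the sole trust anchor` would make the test's trust setup explicit for the reader. The enclosing test method starts before this hunk.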
@@ -138,7 +138,7 @@ module ietf-truststore { /* Groupings */ /*****************/ - grouping local-or-truststore-certs-grouping { + grouping inline-or-truststore-certs-grouping { description "A grouping that allows the certificates to be either configured locally, within the using data model, or be a @@ -148,15 +148,15 @@ module ietf-truststore { 'central-truststore-supported' is not defined, SHOULD augment in custom 'case' statements enabling references to the alternate truststore locations."; - choice local-or-truststore { + choice inline-or-truststore { nacm:default-deny-write; mandatory true; description "A choice between an inlined definition and a definition that exists in the truststore."; - case local { - if-feature "local-definitions-supported"; - container local-definition { + case inline { + if-feature "inline-definitions-supported"; + container inline-definition { description "A container for locally configured trust anchor certificates."; @@ -191,7 +191,7 @@ module ietf-truststore { } } - grouping local-or-truststore-public-keys-grouping { + grouping inline-or-truststore-public-keys-grouping { description "A grouping that allows the public keys to be either configured locally, within the using data model, or be a @@ -201,15 +201,15 @@ module ietf-truststore { 'central-truststore-supported' is not defined, SHOULD augment in custom 'case' statements enabling references to the alternate truststore locations."; - choice local-or-truststore { + choice inline-or-truststore { nacm:default-deny-write; mandatory true; description "A choice between an inlined definition and a definition that exists in the truststore."; - case local { - if-feature "local-definitions-supported"; - container local-definition { + case inline { + if-feature "inline-definitions-supported"; + container inline-definition { description "A container to hold local public key definitions."; list public-key { 
@@ -242,7 +242,7 @@ module ietf-truststore { description "A grouping definition that enables use in other contexts. Where used, implementations MUST augment new 'case' - statements into the various local-or-truststore 'choice' + statements into the various inline-or-truststore 'choice' statements to supply leafrefs to the model-specific location(s)."; container certificate-bags { diff --git a/truststore/truststore-none/src/main/java/org/opendaylight/netconf/truststore/none/NoneTruststoreFeatureProvider.java b/truststore/truststore-none/src/main/java/org/opendaylight/netconf/truststore/none/NoneTruststoreFeatureProvider.java index 0bce94af08..625e82477f 100644 --- a/truststore/truststore-none/src/main/java/org/opendaylight/netconf/truststore/none/NoneTruststoreFeatureProvider.java +++ b/truststore/truststore-none/src/main/java/org/opendaylight/netconf/truststore/none/NoneTruststoreFeatureProvider.java @@ -10,8 +10,8 @@ package org.opendaylight.netconf.truststore.none; import java.util.Set; import org.eclipse.jdt.annotation.NonNullByDefault; import org.kohsuke.MetaInfServices; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212.IetfTruststoreData; -import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev221212.LocalDefinitionsSupported; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417.IetfTruststoreData; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.truststore.rev230417.InlineDefinitionsSupported; import org.opendaylight.yangtools.yang.binding.YangFeature; import org.opendaylight.yangtools.yang.binding.YangFeatureProvider; @@ -28,6 +28,6 @@ public final class NoneTruststoreFeatureProvider implements YangFeatureProvider< @Override public Set> supportedFeatures() { - return Set.of(LocalDefinitionsSupported.VALUE); + return Set.of(InlineDefinitionsSupported.VALUE); } } -- 2.36.6