--- /dev/null
+module ietf-crypto-types {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";
+ prefix ct;
+
+ import ietf-yang-types {
+ prefix yang;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+
+ contact
+ "WG Web: https://datatracker.ietf.org/wg/netconf
+ WG List: NETCONF WG list <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>";
+
+ description
+ "This module defines common YANG types for cryptographic
+ applications.
+
+ Copyright (c) 2022 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Revised
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC AAAA
+ (https://www.rfc-editor.org/info/rfcAAAA); see the RFC
+ itself for full legal notices.
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2022-07-07 {
+ description
+ "Initial version";
+ reference
+ "RFC AAAA: YANG Data Types and Groupings for Cryptography";
+ }
+
+ /****************/
+ /* Features */
+ /****************/
+
+ feature one-symmetric-key-format {
+ description
+ "Indicates that the server supports the
+ 'one-symmetric-key-format' identity.";
+ }
+
+ feature one-asymmetric-key-format {
+ description
+ "Indicates that the server supports the
+ 'one-asymmetric-key-format' identity.";
+ }
+
+ feature symmetrically-encrypted-value-format {
+ description
+ "Indicates that the server supports the
+ 'symmetrically-encrypted-value-format' identity.";
+ }
+
+ feature asymmetrically-encrypted-value-format {
+ description
+ "Indicates that the server supports the
+ 'asymmetrically-encrypted-value-format' identity.";
+ }
+
+ feature cms-enveloped-data-format {
+ description
+ "Indicates that the server supports the
+ 'cms-enveloped-data-format' identity.";
+ }
+
+ feature cms-encrypted-data-format {
+ description
+ "Indicates that the server supports the
+ 'cms-encrypted-data-format' identity.";
+ }
+ feature csr-generation {
+ description
+ "Indicates that the server implements the
+ 'generate-csr' action.";
+ }
+
+ feature p10-based-csrs {
+ description
+ "Indicates that the erver implements support
+ for generating P10-based CSRs, as defined
+ in RFC 2986.";
+ reference
+ "RFC 2986: PKCS #10: Certification Request Syntax
+ Specification Version 1.7";
+ }
+
+ feature certificate-expiration-notification {
+ description
+ "Indicates that the server implements the
+ 'certificate-expiration' notification.";
+ }
+
+ feature hidden-keys {
+ description
+ "Indicates that the server supports hidden keys.";
+ }
+
+ feature password-encryption {
+ description
+ "Indicates that the server supports password
+ encryption.";
+ }
+
+ feature symmetric-key-encryption {
+ description
+ "Indicates that the server supports encryption
+ of symmetric keys.";
+ }
+
+ feature private-key-encryption {
+ description
+ "Indicates that the server supports encryption
+ of private keys.";
+ }
+
+ /*************************************************/
+ /* Base Identities for Key Format Structures */
+ /*************************************************/
+ identity symmetric-key-format {
+ description
+ "Base key-format identity for symmetric keys.";
+ }
+
+ identity public-key-format {
+ description
+ "Base key-format identity for public keys.";
+ }
+
+ identity private-key-format {
+ description
+ "Base key-format identity for private keys.";
+ }
+
+ /****************************************************/
+ /* Identities for Private Key Format Structures */
+ /****************************************************/
+
+ identity rsa-private-key-format {
+ base private-key-format;
+ description
+ "Indicates that the private key value is encoded
+ as an RSAPrivateKey (from RFC 3447).";
+ reference
+ "RFC 3447: PKCS #1: RSA Cryptography
+ Specifications Version 2.2";
+ }
+
+ identity ec-private-key-format {
+ base private-key-format;
+ description
+ "Indicates that the private key value is encoded
+ as an ECPrivateKey (from RFC 5915)";
+ reference
+ "RFC 5915: Elliptic Curve Private Key Structure";
+ }
+
+ identity one-asymmetric-key-format {
+ if-feature "one-asymmetric-key-format";
+ base private-key-format;
+ description
+ "Indicates that the private key value is a CMS
+ OneAsymmetricKey structure, as defined in RFC 5958,
+ encoded using ASN.1 distinguished encoding rules
+ (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 5958: Asymmetric Key Packages
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ /***************************************************/
+ /* Identities for Public Key Format Structures */
+ /***************************************************/
+
+ identity ssh-public-key-format {
+ base public-key-format;
+ description
+ "Indicates that the public key value is an SSH public key,
+ as specified by RFC 4253, Section 6.6, i.e.:
+
+ string certificate or public key format
+ identifier
+ byte[n] key/certificate data.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
+ }
+
+ identity subject-public-key-info-format {
+ base public-key-format;
+ description
+ "Indicates that the public key value is a SubjectPublicKeyInfo
+ structure, as described in RFC 5280 encoded using ASN.1
+ distinguished encoding rules (DER), as specified in
+ ITU-T X.690.";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ /******************************************************/
+ /* Identities for Symmetric Key Format Structures */
+ /******************************************************/
+
+ identity octet-string-key-format {
+ base symmetric-key-format;
+ description
+ "Indicates that the key is encoded as a raw octet string.
+ The length of the octet string MUST be appropriate for
+ the associated algorithm's block size.
+
+ How the associated algorithm is known is outside the
+ scope of this module. This statement also applies when
+ the octet string has been encrypted.";
+ }
+
+ identity one-symmetric-key-format {
+ if-feature "one-symmetric-key-format";
+ base symmetric-key-format;
+ description
+ "Indicates that the private key value is a CMS
+ OneSymmetricKey structure, as defined in RFC 6031,
+ encoded using ASN.1 distinguished encoding rules
+ (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 6031: Cryptographic Message Syntax (CMS)
+ Symmetric Key Package Content Type
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ /*************************************************/
+ /* Identities for Encrypted Value Structures */
+ /*************************************************/
+
+ identity encrypted-value-format {
+ description
+ "Base format identity for encrypted values.";
+ }
+
+ identity symmetrically-encrypted-value-format {
+ if-feature "symmetrically-encrypted-value-format";
+ base encrypted-value-format;
+ description
+ "Base format identity for symmetrically encrypted
+ values.";
+ }
+
+ identity asymmetrically-encrypted-value-format {
+ if-feature "asymmetrically-encrypted-value-format";
+ base encrypted-value-format;
+ description
+ "Base format identity for asymmetrically encrypted
+ values.";
+ }
+
+ identity cms-encrypted-data-format {
+ if-feature "cms-encrypted-data-format";
+ base symmetrically-encrypted-value-format;
+ description
+ "Indicates that the encrypted value conforms to
+ the 'encrypted-data-cms' type with the constraint
+ that the 'unprotectedAttrs' value is not set.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ identity cms-enveloped-data-format {
+ if-feature "cms-enveloped-data-format";
+ base asymmetrically-encrypted-value-format;
+ description
+ "Indicates that the encrypted value conforms to the
+ 'enveloped-data-cms' type with the following constraints:
+
+ The EnvelopedData structure MUST have exactly one
+ 'RecipientInfo'.
+
+ If the asymmetric key supports public key cryptography
+ (e.g., RSA), then the 'RecipientInfo' must be a
+ 'KeyTransRecipientInfo' with the 'RecipientIdentifier'
+ using a 'subjectKeyIdentifier' with the value set using
+ 'method 1' in RFC 7093 over the recipient's public key.
+
+ Otherwise, if the asymmetric key supports key agreement
+ (e.g., ECC), then the 'RecipientInfo' must be a
+ 'KeyAgreeRecipientInfo'. The 'OriginatorIdentifierOrKey'
+ value must use the 'OriginatorPublicKey' alternative.
+ The 'UserKeyingMaterial' value must not be present.
+ There must be exactly one 'RecipientEncryptedKeys' value
+ having the 'KeyAgreeRecipientIdentifier' set to 'rKeyId'
+ with the value set using 'method 1' in RFC 7093 over the
+ recipient's public key.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)
+ RFC 7093:
+ Additional Methods for Generating Key
+ Identifiers Values
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ /*********************************************************/
+ /* Identities for Certificate Signing Request Formats */
+ /*********************************************************/
+
+ identity csr-format {
+ description
+ "A base identity for the certificate signing request
+ formats. Additional derived identities MAY be defined
+ by future efforts.";
+ }
+
+ identity p10-csr {
+ if-feature "p10-based-csrs";
+ base csr-format;
+ description
+ "Indicates the 'CertificationRequest' structure
+ defined in RFC 2986.";
+ reference
+ "RFC 2986: PKCS #10: Certification Request Syntax
+ Specification Version 1.7";
+ }
+
+ /***************************************************/
+ /* Typedefs for ASN.1 structures from RFC 2986 */
+ /***************************************************/
+
+ typedef csr-info {
+ type binary;
+ description
+ "A CertificationRequestInfo structure, as defined in
+ RFC 2986, encoded using ASN.1 distinguished encoding
+ rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 2986: PKCS #10: Certification Request Syntax
+ Specification Version 1.7
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ typedef p10-csr {
+ type binary;
+ description
+ "A CertificationRequest structure, as specified in
+ RFC 2986, encoded using ASN.1 distinguished encoding
+ rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax Specification
+ Version 1.7
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ /***************************************************/
+ /* Typedefs for ASN.1 structures from RFC 5280 */
+ /***************************************************/
+
+ typedef x509 {
+ type binary;
+ description
+ "A Certificate structure, as specified in RFC 5280,
+ encoded using ASN.1 distinguished encoding rules (DER),
+ as specified in ITU-T X.690.";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ typedef crl {
+ type binary;
+ description
+ "A CertificateList structure, as specified in RFC 5280,
+ encoded using ASN.1 distinguished encoding rules (DER),
+ as specified in ITU-T X.690.";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ /***************************************************/
+ /* Typedefs for ASN.1 structures from RFC 6960 */
+ /***************************************************/
+
+ typedef oscp-request {
+ type binary;
+ description
+ "A OCSPRequest structure, as specified in RFC 6960,
+ encoded using ASN.1 distinguished encoding rules
+ (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 6960:
+ X.509 Internet Public Key Infrastructure Online
+ Certificate Status Protocol - OCSP
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ typedef oscp-response {
+ type binary;
+ description
+ "A OCSPResponse structure, as specified in RFC 6960,
+ encoded using ASN.1 distinguished encoding rules
+ (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 6960:
+ X.509 Internet Public Key Infrastructure Online
+ Certificate Status Protocol - OCSP
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ /***********************************************/
+ /* Typedefs for ASN.1 structures from 5652 */
+ /***********************************************/
+
+ typedef cms {
+ type binary;
+ description
+ "A ContentInfo structure, as specified in RFC 5652,
+ encoded using ASN.1 distinguished encoding rules (DER),
+ as specified in ITU-T X.690.";
+ reference
+ "RFC 5652:
+ Cryptographic Message Syntax (CMS)
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ typedef data-content-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ data content type, as described by Section 4 in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef signed-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ signed-data content type, as described by Section 5 in
+ RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef enveloped-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ enveloped-data content type, as described by Section 6
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef digested-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ digested-data content type, as described by Section 7
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef encrypted-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ encrypted-data content type, as described by Section 8
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef authenticated-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ authenticated-data content type, as described by Section 9
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ /*********************************************************/
+ /* Typedefs for ASN.1 structures related to RFC 5280 */
+ /*********************************************************/
+
+ typedef trust-anchor-cert-x509 {
+ type x509;
+ description
+ "A Certificate structure that MUST encode a self-signed
+ root certificate.";
+ }
+
+ typedef end-entity-cert-x509 {
+ type x509;
+ description
+ "A Certificate structure that MUST encode a certificate
+ that is neither self-signed nor having Basic constraint
+ CA true.";
+ }
+
+ /*********************************************************/
+ /* Typedefs for ASN.1 structures related to RFC 5652 */
+ /*********************************************************/
+
+ typedef trust-anchor-cert-cms {
+ type signed-data-cms;
+ description
+ "A CMS SignedData structure that MUST contain the chain of
+ X.509 certificates needed to authenticate the certificate
+ presented by a client or end-entity.
+
+ The CMS MUST contain only a single chain of certificates.
+ The client or end-entity certificate MUST only authenticate
+ to last intermediate CA certificate listed in the chain.
+
+ In all cases, the chain MUST include a self-signed root
+ certificate. In the case where the root certificate is
+ itself the issuer of the client or end-entity certificate,
+ only one certificate is present.
+
+ This CMS structure MAY (as applicable where this type is
+ used) also contain suitably fresh (as defined by local
+ policy) revocation objects with which the device can
+ verify the revocation status of the certificates.
+
+ This CMS encodes the degenerate form of the SignedData
+ structure that is commonly used to disseminate X.509
+ certificates and revocation objects (RFC 5280).";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile.";
+ }
+
+ typedef end-entity-cert-cms {
+ type signed-data-cms;
+ description
+ "A CMS SignedData structure that MUST contain the end
+ entity certificate itself, and MAY contain any number
+ of intermediate certificates leading up to a trust
+ anchor certificate. The trust anchor certificate
+ MAY be included as well.
+
+ The CMS MUST contain a single end entity certificate.
+ The CMS MUST NOT contain any spurious certificates.
+
+ This CMS structure MAY (as applicable where this type is
+ used) also contain suitably fresh (as defined by local
+ policy) revocation objects with which the device can
+ verify the revocation status of the certificates.
+
+ This CMS encodes the degenerate form of the SignedData
+ structure that is commonly used to disseminate X.509
+ certificates and revocation objects (RFC 5280).";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile.";
+ }
+
+ /*****************/
+ /* Groupings */
+ /*****************/
+
+ grouping encrypted-value-grouping {
+ description
+ "A reusable grouping for a value that has been encrypted by
+ a referenced symmetric or asymmetric key.";
+ container encrypted-by {
+ nacm:default-deny-write;
+ description
+ "An empty container enabling a reference to the key that
+ encrypted the value to be augmented in. The referenced
+ key MUST be a symmetric key or an asymmetric key.
+
+ A symmetric key MUST be referenced via a leaf node called
+ 'symmetric-key-ref'. An asymmetric key MUST be referenced
+ via a leaf node called 'asymmetric-key-ref'.
+
+ The leaf nodes MUST be direct descendants in the data tree,
+ and MAY be direct descendants in the schema tree.";
+ }
+ leaf encrypted-value-format {
+ type identityref {
+ base encrypted-value-format;
+ }
+ mandatory true;
+ description
+ "Identifies the format of the 'encrypted-value' leaf.
+
+ If 'encrypted-by' points to a symmetric key, then a
+ 'symmetrically-encrypted-value-format' based identity
+ MUST by set (e.g., cms-encrypted-data-format).
+
+ If 'encrypted-by' points to an asymmetric key, then an
+ 'asymmetrically-encrypted-value-format' based identity
+ MUST by set (e.g., cms-enveloped-data-format).";
+ }
+ leaf encrypted-value {
+ nacm:default-deny-write;
+ type binary;
+ must '../encrypted-by';
+ mandatory true;
+ description
+ "The value, encrypted using the referenced symmetric
+ or asymmetric key. The value MUST be encoded using
+ the format associated with the 'encrypted-value-format'
+ leaf.";
+ }
+ }
+
+ grouping password-grouping {
+ description
+ "A password that MAY be encrypted.";
+ choice password-type {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "Choice between password types.";
+ case cleartext-password {
+ leaf cleartext-password {
+ nacm:default-deny-all;
+ type string;
+ description
+ "The cleartext value of the password.";
+ }
+ }
+ case encrypted-password {
+ if-feature "password-encryption";
+ container encrypted-password {
+ description
+ "A container for the encrypted password value.";
+ uses encrypted-value-grouping;
+ }
+ }
+ }
+ }
+
+ grouping symmetric-key-grouping {
+ description
+ "A symmetric key.";
+ leaf key-format {
+ nacm:default-deny-write;
+ type identityref {
+ base symmetric-key-format;
+ }
+ description
+ "Identifies the symmetric key's format. Implementations
+ SHOULD ensure that the incoming symmetric key value is
+ encoded in the specified format.
+
+ For encrypted keys, the value is the same as it would
+ have been if the key were not encrypted.";
+ }
+ choice key-type {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "Choice between key types.";
+ case cleartext-key {
+ leaf cleartext-key {
+ nacm:default-deny-all;
+ type binary;
+ must '../key-format';
+ description
+ "The binary value of the key. The interpretation of
+ the value is defined by the 'key-format' field.";
+ }
+ }
+ case hidden-key {
+ if-feature "hidden-keys";
+ leaf hidden-key {
+ type empty;
+ must 'not(../key-format)';
+ description
+ "A hidden key. How such keys are created is outside
+ the scope of this module.";
+ }
+ }
+ case encrypted-key {
+ if-feature "symmetric-key-encryption";
+ container encrypted-key {
+ must '../key-format';
+ description
+ "A container for the encrypted symmetric key value.
+ The interpretation of the 'encrypted-value' node
+ is via the 'key-format' node";
+ uses encrypted-value-grouping;
+ }
+ }
+ }
+ }
+
+ grouping public-key-grouping {
+ description
+ "A public key.";
+ leaf public-key-format {
+ nacm:default-deny-write;
+ type identityref {
+ base public-key-format;
+ }
+ mandatory true;
+ description
+ "Identifies the public key's format. Implementations SHOULD
+ ensure that the incoming public key value is encoded in the
+ specified format.";
+ }
+ leaf public-key {
+ nacm:default-deny-write;
+ type binary;
+ mandatory true;
+ description
+ "The binary value of the public key. The interpretation
+ of the value is defined by 'public-key-format' field.";
+ }
+ }
+
+ grouping asymmetric-key-pair-grouping {
+ description
+ "A private key and its associated public key. Implementations
+ SHOULD ensure that the two keys are a matching pair.";
+ uses public-key-grouping;
+ leaf private-key-format {
+ nacm:default-deny-write;
+ type identityref {
+ base private-key-format;
+ }
+ description
+ "Identifies the private key's format. Implementations SHOULD
+ ensure that the incoming private key value is encoded in the
+ specified format.
+
+ For encrypted keys, the value is the same as it would have
+ been if the key were not encrypted.";
+ }
+ choice private-key-type {
+ nacm:default-deny-write;
+ mandatory true;
+ description
+ "Choice between key types.";
+ case cleartext-private-key {
+ leaf cleartext-private-key {
+ nacm:default-deny-all;
+ type binary;
+ must '../private-key-format';
+ description
+ "The value of the binary key The key's value is
+ interpreted by the 'private-key-format' field.";
+ }
+ }
+ case hidden-private-key {
+ if-feature "hidden-keys";
+ leaf hidden-private-key {
+ type empty;
+ must 'not(../private-key-format)';
+ description
+ "A hidden key. How such keys are created is
+ outside the scope of this module.";
+ }
+ }
+ case encrypted-private-key {
+ if-feature "private-key-encryption";
+ container encrypted-private-key {
+ must '../private-key-format';
+ description
+ "A container for the encrypted asymmetric private key
+ value. The interpretation of the 'encrypted-value'
+ node is via the 'private-key-format' node";
+ uses encrypted-value-grouping;
+ }
+ }
+ }
+ }
+
+ grouping certificate-expiration-grouping {
+ description
+ "A notification for when a certificate is about to, or
+ already has, expired.";
+ notification certificate-expiration {
+ if-feature "certificate-expiration-notification";
+ description
+ "A notification indicating that the configured certificate
+ is either about to expire or has already expired. When to
+ send notifications is an implementation specific decision,
+ but it is RECOMMENDED that a notification be sent once a
+ month for 3 months, then once a week for four weeks, and
+ then once a day thereafter until the issue is resolved.";
+ leaf expiration-date {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "Identifies the expiration date on the certificate.";
+ }
+ }
+ }
+
+ grouping trust-anchor-cert-grouping {
+ description
+ "A trust anchor certificate, and a notification for when
+ it is about to (or already has) expire.";
+ leaf cert-data {
+ nacm:default-deny-write;
+ type trust-anchor-cert-cms;
+ description
+ "The binary certificate data for this certificate.";
+ }
+ uses certificate-expiration-grouping;
+ }
+
+ grouping end-entity-cert-grouping {
+ description
+ "An end entity certificate, and a notification for when
+ it is about to (or already has) expire. Implementations
+ SHOULD assert that, where used, the end entity certificate
+ contains the expected public key.";
+ leaf cert-data {
+ nacm:default-deny-write;
+ type end-entity-cert-cms;
+ description
+ "The binary certificate data for this certificate.";
+ }
+ uses certificate-expiration-grouping;
+ }
+
+ grouping generate-csr-grouping {
+ description
+ "Defines the 'generate-csr' action.";
+ action generate-csr {
+ if-feature "csr-generation";
+ nacm:default-deny-all;
+ description
+ "Generates a certificate signing request structure for
+ the associated asymmetric key using the passed subject
+ and attribute values.
+
+ This action statement is only available when the
+ associated 'public-key-format' node's value is
+ 'subject-public-key-info-format'.";
+ reference
+ "RFC 6125:
+ Representation and Verification of Domain-Based
+ Application Service Identity within Internet Public Key
+ Infrastructure Using X.509 (PKIX) Certificates in the
+ Context of Transport Layer Security (TLS)";
+ input {
+ leaf csr-format {
+ type identityref {
+ base csr-format;
+ }
+ mandatory true;
+ description
+ "Specifies the format for the returned certifiacte.";
+ }
+ leaf csr-info {
+ type csr-info;
+ mandatory true;
+ description
+ "A CertificationRequestInfo structure, as defined in
+ RFC 2986.
+
+ Enables the client to provide a fully-populated
+ CertificationRequestInfo structure that the server
+ only needs to sign in order to generate the complete
+ 'CertificationRequest' structure to return in the
+ 'output'.
+
+ The 'AlgorithmIdentifier' field contained inside
+ the 'SubjectPublicKeyInfo' field MUST be one known
+ to be supported by the device.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax Specification
+ RFC AAAA:
+ YANG Data Types and Groupings for Cryptography";
+ }
+ }
+ output {
+ choice csr-type {
+ mandatory true;
+ description
+ "A choice amongst certificate signing request formats.
+ Additional formats MAY be augmented into this 'choice'
+ statement by future efforts.";
+ case p10-csr {
+ leaf p10-csr {
+ type p10-csr;
+ description
+ "A CertificationRequest, as defined in RFC 2986.";
+ }
+ description
+ "A CertificationRequest, as defined in RFC 2986.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax Specification
+ RFC AAAA:
+ YANG Data Types and Groupings for Cryptography";
+ }
+ }
+ }
+ }
+ } // generate-csr-grouping
+
+ grouping asymmetric-key-pair-with-cert-grouping {
+ description
+ "A private/public key pair and an associated certificate.
+ Implementations SHOULD assert that certificates contain
+ the matching public key.";
+ uses asymmetric-key-pair-grouping;
+ uses end-entity-cert-grouping;
+ uses generate-csr-grouping;
+ } // asymmetric-key-pair-with-cert-grouping
+
+ grouping asymmetric-key-pair-with-certs-grouping {
+ description
+ "A private/public key pair and associated certificates.
+ Implementations SHOULD assert that certificates contain
+ the matching public key.";
+ uses asymmetric-key-pair-grouping;
+ container certificates {
+ nacm:default-deny-write;
+ description
+ "Certificates associated with this asymmetric key.";
+ list certificate {
+ key "name";
+ description
+ "A certificate for this asymmetric key.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the certificate.";
+ }
+ uses end-entity-cert-grouping {
+ refine "cert-data" {
+ mandatory true;
+ }
+ }
+ }
+ }
+ uses generate-csr-grouping;
+ } // asymmetric-key-pair-with-certs-grouping
+
+}
Code Review / netconf.git / commitdiff