module ietf-keystore {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-keystore";
prefix "ks";
import ietf-yang-types {
prefix yang;
reference
"RFC 6991: Common YANG Data Types";
}
import ietf-crypto-types {
prefix ct;
reference
"RFC CCCC: Common YANG Data Types for Cryptography";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web:
WG List:
Author: Kent Watsen
";
description
"This module defines a keystore to centralize management
of security credentials.
Copyright (c) 2018 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC VVVV; see
the RFC itself for full legal notices.";
revision "2018-06-04" {
description
"Initial version";
reference
"RFC VVVV: YANG Data Model for a 'Keystore' Mechanism";
}
// Features
feature keystore-implemented {
description
"The 'keystore-implemented' feature indicates that the server
implements the keystore, and therefore groupings defined in
this module that reference the keystore are usable.";
}
// Typedefs
typedef asymmetric-key-ref {
type leafref {
path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
+ "/ks:name";
require-instance false;
}
description
"This typedef enables modules to easily define a reference
to an asymmetric key stored in the keystore. The require
instance attribute is false to enable the referencing of
asymmetric keys that exist only in .";
reference
"RFC 8342: Network Management Datastore Architecture (NMDA)";
}
typedef asymmetric-key-certificate-ref {
type leafref {
path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
+ "/ks:certificates/ks:certificate/ks:name";
require-instance false;
}
description
"This typedef enables modules to easily define a reference
to a specific certificate associated with an asymmetric key
stored in the keystore. The require instance attribute is
false to enable the referencing of certificates that exist
only in .";
reference
"RFC 8342: Network Management Datastore Architecture (NMDA)";
}
// Groupings
//
// These groupings are factored out more than needed for
// reusability purposes.
grouping public-key-grouping {
description
"A public key.";
leaf algorithm {
type ct:key-algorithm-ref;
mandatory true;
description
"Identifies the key's algorithm. More specifically,
this leaf specifies how the 'public-key' binary leaf
is encoded.";
reference
"RFC CCCC: Common YANG Data Types for Cryptography";
}
leaf public-key {
type binary;
mandatory true;
description
"A binary that contains the value of the public key. The
interpretation of the content is defined by the key
algorithm. For example, a DSA key is an integer, an RSA
key is represented as RSAPublicKey as defined in
RFC 3447, and an Elliptic Curve Cryptography (ECC) key
is represented using the 'publicKey' described in
RFC 5915.";
reference
"RFC 3447: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.1.
RFC 5915: Elliptic Curve Private Key Structure.";
}
}
grouping asymmetric-key-pair-grouping {
description
"A private/public key pair.";
uses public-key-grouping;
leaf private-key {
type union {
type binary;
type enumeration {
enum "hardware-protected" {
description
"The private key is inaccessible due to being
protected by a cryptographic hardware module
(e.g., a TPM).";
}
}
}
mandatory true;
description
"A binary that contains the value of the private key. The
interpretation of the content is defined by the key
algorithm. For example, a DSA key is an integer, an RSA
key is represented as RSAPrivateKey as defined in
RFC 3447, and an Elliptic Curve Cryptography (ECC) key
is represented as ECPrivateKey as defined in RFC 5915.";
reference
"RFC 3447: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.1.
RFC 5915: Elliptic Curve Private Key Structure.";
}
}
grouping trust-anchor-cert-grouping {
description
"A certificate, and a notification for when it might expire.";
leaf cert {
type ct:trust-anchor-cert-cms;
mandatory true;
description
"The binary certificate data for this certificate.";
reference
"RFC YYYY: Common YANG Data Types for Cryptography";
}
}
grouping end-entity-cert-grouping {
description
"A certificate, and a notification for when it might expire.";
leaf cert {
type ct:end-entity-cert-cms;
mandatory true;
description
"The binary certificate data for this certificate.";
reference
"RFC YYYY: Common YANG Data Types for Cryptography";
}
notification certificate-expiration {
description
"A notification indicating that the configured certificate
is either about to expire or has already expired. When to
send notifications is an implementation specific decision,
but it is RECOMMENDED that a notification be sent once a
month for 3 months, then once a week for four weeks, and
then once a day thereafter until the issue is resolved.";
leaf expiration-date {
type yang:date-and-time;
//mandatory true;
description
"Identifies the expiration date on the certificate.";
}
}
}
grouping asymmetric-key-pair-with-certs-grouping {
description
"A private/public key pair and associated certificates.";
uses asymmetric-key-pair-grouping;
container certificates {
description
"Certificates associated with this asymmetric key.
More than one certificate supports, for instance,
a TPM-protected asymmetric key that has both IDevID
and LDevID certificates associated.";
list certificate {
key name;
description
"A certificate for this asymmetric key.";
leaf name {
type string;
description
"An arbitrary name for the certificate.";
}
uses end-entity-cert-grouping;
} // end certifcate
} // end certificates
action generate-certificate-signing-request {
description
"Generates a certificate signing request structure for
the associated asymmetric key using the passed subject
and attribute values. The specified assertions need
to be appropriate for the certificate's use. For
example, an entity certificate for a TLS server
SHOULD have values that enable clients to satisfy
RFC 6125 processing.";
input {
leaf subject {
type binary;
mandatory true;
description
"The 'subject' field per the CertificationRequestInfo
structure as specified by RFC 2986, Section 4.1
encoded using the ASN.1 distinguished encoding
rules (DER), as specified in ITU-T X.690.";
reference
"RFC 2986:
PKCS #10: Certification Request Syntaxi
Specification Version 1.7.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
leaf attributes {
type binary;
description
"The 'attributes' field from the structure
CertificationRequestInfo as specified by RFC 2986,
Section 4.1 encoded using the ASN.1 distinguished
encoding rules (DER), as specified in ITU-T X.690.";
reference
"RFC 2986:
PKCS #10: Certification Request Syntax
Specification Version 1.7.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
}
output {
leaf certificate-signing-request {
type binary;
mandatory true;
description
"A CertificationRequest structure as specified by
RFC 2986, Section 4.2 encoded using the ASN.1
distinguished encoding rules (DER), as specified
in ITU-T X.690.";
reference
"RFC 2986:
PKCS #10: Certification Request Syntax
Specification Version 1.7.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
} // end output
} // end generate-certificate-signing-request
}
grouping local-or-keystore-asymmetric-key-grouping {
description
"A grouping that expands to allow the key to be either stored
locally within the using data model, or be a reference to an
asymmetric key stored in the keystore.";
choice local-or-keystore {
mandatory true;
case local {
uses asymmetric-key-pair-grouping;
}
case keystore {
if-feature "keystore-implemented";
leaf reference {
type ks:asymmetric-key-ref;
mandatory true;
description
"A reference to a value that exists in the keystore.";
}
}
description
"A choice between an inlined definition and a definition
that exists in the keystore.";
}
}
grouping local-or-keystore-asymmetric-key-with-certs-grouping {
description
"A grouping that expands to allow the key to be either stored
locally within the using data model, or be a reference to an
asymmetric key stored in the keystore.";
choice local-or-keystore {
mandatory true;
case local {
uses asymmetric-key-pair-with-certs-grouping;
}
case keystore {
if-feature "keystore-implemented";
leaf reference {
type ks:asymmetric-key-ref;
mandatory true;
description
"A reference to a value that exists in the keystore.";
}
}
description
"A choice between an inlined definition and a definition
that exists in the keystore.";
}
}
grouping local-or-keystore-end-entity-certificate-grouping {
description
"A grouping that expands to allow the end-entity certificate
(and the associated private key) to be either stored locally
within the using data model, or be a reference to a specific
certificate in the keystore.";
choice local-or-keystore {
mandatory true;
case local {
uses ks:asymmetric-key-pair-grouping;
uses ks:end-entity-cert-grouping;
}
case keystore {
if-feature "keystore-implemented";
leaf reference {
type ks:asymmetric-key-certificate-ref;
mandatory true;
description
"A reference to a value that exists in the keystore.";
}
}
description
"A choice between an inlined definition and a definition
that exists in the keystore.";
}
}
// protocol accessible nodes
container keystore {
description
"The keystore contains a list of keys.";
container asymmetric-keys {
description
"A list of asymmetric keys.";
list asymmetric-key {
key name;
description
"An asymmetric key.";
leaf name {
type string;
description
"An arbitrary name for the asymmetric key.";
}
uses asymmetric-key-pair-with-certs-grouping;
} // end asymmetric-key
action generate-asymmetric-key {
description
"Requests the device to generate an asymmetric key using
the specified asymmetric key algorithm. This action is
primarily to support cryptographic processors that must
generate the asymmetric key themselves. The resulting
asymmetric key is considered operational state and hence
present only in .";
input {
leaf name {
type string;
mandatory true;
description
"The name the asymmetric key should have when listed
in /keystore/asymmetric-keys/asymmetric-key, in
.";
}
leaf algorithm {
type ct:key-algorithm-ref;
mandatory true;
description
"The algorithm to be used when generating the
asymmetric key.";
reference
"RFC CCCC: Common YANG Data Types for Cryptography";
}
}
} // end generate-asymmetric-key
} // end asymmetric-keys
} // end keystore
}