module ietf-keystore {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-keystore";
prefix "ks";
import ietf-crypto-types {
prefix ct;
reference
"RFC CCCC: Common YANG Data Types for Cryptography";
}
import ietf-netconf-acm {
prefix nacm;
reference
"RFC 8341: Network Configuration Access Control Model";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web:
WG List:
Author: Kent Watsen
";
description
"This module defines a keystore to centralize management
of security credentials.
Copyright (c) 2018 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC VVVV; see
the RFC itself for full legal notices.";
revision "2018-09-20" {
description
"Initial version";
reference
"RFC VVVV:
YANG Data Model for a Centralized Keystore Mechanism";
}
// Features
feature keystore-supported {
description
"The 'keystore-supported' feature indicates that the server
supports the keystore.";
}
feature local-keys-supported {
description
"The 'local-keys-supported' feature indocates that the
server supports locally-defined keys.";
}
// Typedefs
typedef asymmetric-key-ref {
type leafref {
path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
+ "/ks:name";
require-instance false;
}
description
"This typedef enables modules to easily define a reference
to an asymmetric key stored in the keystore. The require
instance attribute is false to enable the referencing of
asymmetric keys that exist only in .";
reference
"RFC 8342: Network Management Datastore Architecture (NMDA)";
}
typedef asymmetric-key-certificate-ref {
type leafref {
path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
+ "/ks:certificates/ks:certificate/ks:name";
require-instance false;
}
description
"This typedef enables modules to easily define a reference
to a specific certificate associated with an asymmetric key
stored in the keystore. The require instance attribute is
false to enable the referencing of certificates that exist
only in .";
reference
"RFC 8342: Network Management Datastore Architecture (NMDA)";
}
// Groupings
// MOVED TO CRYPTO TYPES DRAFT? - OKAY TO REMOVE HERE NOW?
//
// grouping public-key-grouping {
// description
// "A public key.";
// leaf algorithm {
// type ct:key-algorithm-ref;
// description
// "Identifies the key's algorithm. More specifically,
// this leaf specifies how the 'public-key' binary leaf
// is encoded.";
// reference
// "RFC CCCC: Common YANG Data Types for Cryptography";
// }
// leaf public-key {
// type binary;
// description
// "A binary that contains the value of the public key. The
// interpretation of the content is defined by the key
// algorithm. For example, a DSA key is an integer, an RSA
// key is represented as RSAPublicKey as defined in
// RFC 3447, and an Elliptic Curve Cryptography (ECC) key
// is represented using the 'publicKey' described in
// RFC 5915.";
// reference
// "RFC 3447: Public-Key Cryptography Standards (PKCS) #1:
// RSA Cryptography Specifications Version 2.1.
// RFC 5915: Elliptic Curve Private Key Structure.";
// }
// }
//
// grouping asymmetric-key-pair-grouping {
// description
// "A private/public key pair.";
// uses ct:public-key-grouping;
// leaf private-key {
// nacm:default-deny-all;
// type union {
// type binary;
// type enumeration {
// enum "permanently-hidden" {
// description
// "The private key is inaccessible due to being
// protected by the system (e.g., a cryptographic
// hardware module). It is not possible to
// configure a permanently hidden key, as a real
// private key value must be set. Permanently
// hidden keys cannot be archived or backed up.";
// }
// }
// }
// description
// "A binary that contains the value of the private key. The
// interpretation of the content is defined by the key
// algorithm. For example, a DSA key is an integer, an RSA
// key is represented as RSAPrivateKey as defined in
// RFC 3447, and an Elliptic Curve Cryptography (ECC) key
// is represented as ECPrivateKey as defined in RFC 5915.";
// reference
// "RFC 3447: Public-Key Cryptography Standards (PKCS) #1:
// RSA Cryptography Specifications Version 2.1.
// RFC 5915: Elliptic Curve Private Key Structure.";
// }
// action generate-hidden-key {
// description
// "Requests the device to generate a hidden key using the
// specified asymmetric key algorithm. This action is
// used to request the system the generate a key that
// is 'permanently-hidden', perhaps protected by a
// cryptographic hardware module. The resulting
// asymmetric key values are considered operational
// state and hence present only in .";
// input {
// leaf algorithm {
// type ct:key-algorithm-ref;
// mandatory true;
// description
// "The algorithm to be used when generating the
// asymmetric key.";
// reference
// "RFC CCCC: Common YANG Data Types for Cryptography";
// }
// }
// } // end generate-hidden-key
// action install-hidden-key {
// description
// "Requests the device to load the specified values into
// a hidden key. The resulting asymmetric key values are
// considered operational state and hence present only in
// .";
// input {
// leaf algorithm {
// type ct:key-algorithm-ref;
// mandatory true;
// description
// "The algorithm to be used when generating the
// asymmetric key.";
// reference
// "RFC CCCC: Common YANG Data Types for Cryptography";
// }
// leaf public-key {
// type binary;
// description
// "A binary that contains the value of the public key.
// The interpretation of the content is defined by the key
// algorithm. For example, a DSA key is an integer, an
// RSA key is represented as RSAPublicKey as defined in
// RFC 3447, and an Elliptic Curve Cryptography (ECC) key
// is represented using the 'publicKey' described in
// RFC 5915.";
// reference
// "RFC 3447: Public-Key Cryptography Standards (PKCS) #1:
// RSA Cryptography Specifications Version 2.1.
// RFC 5915: Elliptic Curve Private Key Structure.";
// }
// leaf private-key {
// type binary;
// description
// "A binary that contains the value of the private key.
// The interpretation of the content is defined by the k\
ey
// algorithm. For example, a DSA key is an integer, an RSA
// key is represented as RSAPrivateKey as defined in
// RFC 3447, and an Elliptic Curve Cryptography (ECC) key
// is represented as ECPrivateKey as defined in RFC 5915.\
";
// reference
// "RFC 3447: Public-Key Cryptography Standards (PKCS) #1:
// RSA Cryptography Specifications Version 2.1.
// RFC 5915: Elliptic Curve Private Key Structure.";
// }
// }
// } // end install-hidden-key
// }
//
// grouping trust-anchor-cert-grouping {
// description
// "A certificate, and a notification for when it might expire.";
// leaf cert {
// type ct:trust-anchor-cert-cms;
// mandatory true;
// description
// "The binary certificate data for this certificate.";
// reference
// "RFC YYYY: Common YANG Data Types for Cryptography";
// }
// }
//
// grouping end-entity-cert-grouping {
// description
// "A certificate, and a notification for when it might expire.";
// leaf cert {
// type ct:end-entity-cert-cms;
// mandatory true;
// description
// "The binary certificate data for this certificate.";
// reference
// "RFC YYYY: Common YANG Data Types for Cryptography";
// }
// notification certificate-expiration {
// description
// "A notification indicating that the configured certificate
// is either about to expire or has already expired. When to
// send notifications is an implementation specific decision,
// but it is RECOMMENDED that a notification be sent once a
// month for 3 months, then once a week for four weeks, and
// then once a day thereafter until the issue is resolved.";
// leaf expiration-date {
// type yang:date-and-time;
// //mandatory true;
// description
// "Identifies the expiration date on the certificate.";
// }
// }
// }
//
// grouping asymmetric-key-pair-with-certs-grouping {
// description
// "A private/public key pair and associated certificates.";
// uses ct:asymmetric-key-pair-grouping;
// container certificates {
// description
// "Certificates associated with this asymmetric key.
// More than one certificate supports, for instance,
// a TPM-protected asymmetric key that has both IDevID
// and LDevID certificates associated.";
// list certificate {
// must "../../algorithm
// and ../../public-key
// and ../../private-key";
// key name;
// description
// "A certificate for this asymmetric key.";
// leaf name {
// type string;
// description
// "An arbitrary name for the certificate.";
// }
// uses ct:end-entity-cert-grouping;
// } // end certifcate
// } // end certificates
// action generate-certificate-signing-request {
// description
// "Generates a certificate signing request structure for
// the associated asymmetric key using the passed subject
// and attribute values. The specified assertions need
// to be appropriate for the certificate's use. For
// example, an entity certificate for a TLS server
// SHOULD have values that enable clients to satisfy
// RFC 6125 processing.";
// input {
// leaf subject {
// type binary;
// mandatory true;
// description
// "The 'subject' field per the CertificationRequestInfo
// structure as specified by RFC 2986, Section 4.1
// encoded using the ASN.1 distinguished encoding
// rules (DER), as specified in ITU-T X.690.";
// reference
// "RFC 2986:
// PKCS #10: Certification Request Syntaxi
// Specification Version 1.7.
// ITU-T X.690:
// Information technology - ASN.1 encoding rules:
// Specification of Basic Encoding Rules (BER),
// Canonical Encoding Rules (CER) and Distinguished
// Encoding Rules (DER).";
// }
// leaf attributes {
// type binary;
// description
// "The 'attributes' field from the structure
// CertificationRequestInfo as specified by RFC 2986,
// Section 4.1 encoded using the ASN.1 distinguished
// encoding rules (DER), as specified in ITU-T X.690.";
// reference
// "RFC 2986:
// PKCS #10: Certification Request Syntax
// Specification Version 1.7.
// ITU-T X.690:
// Information technology - ASN.1 encoding rules:
// Specification of Basic Encoding Rules (BER),
// Canonical Encoding Rules (CER) and Distinguished
// Encoding Rules (DER).";
// }
// }
// output {
// leaf certificate-signing-request {
// type binary;
// mandatory true;
// description
// "A CertificationRequest structure as specified by
// RFC 2986, Section 4.2 encoded using the ASN.1
// distinguished encoding rules (DER), as specified
// in ITU-T X.690.";
// reference
// "RFC 2986:
// PKCS #10: Certification Request Syntax
// Specification Version 1.7.
// ITU-T X.690:
// Information technology - ASN.1 encoding rules:
// Specification of Basic Encoding Rules (BER),
// Canonical Encoding Rules (CER) and Distinguished
// Encoding Rules (DER).";
//
// }
// } // end output
// } // end generate-certificate-signing-request
// }
//
// MOVED TO CRYPTO TYPES DRAFT? - OKAY TO REMOVE HERE NOW?
grouping local-or-keystore-asymmetric-key-grouping {
description
"A grouping that expands to allow the key to be either stored
locally within the using data model, or be a reference to an
asymmetric key stored in the keystore.";
choice local-or-keystore {
mandatory true;
case local {
if-feature "local-keys-supported";
uses ct:asymmetric-key-pair-grouping;
}
case keystore {
if-feature "keystore-supported";
leaf reference {
type ks:asymmetric-key-ref;
description
"A reference to a value that exists in the keystore.";
}
}
description
"A choice between an inlined definition and a definition
that exists in the keystore.";
}
}
grouping local-or-keystore-asymmetric-key-with-certs-grouping {
description
"A grouping that expands to allow the key to be either stored
locally within the using data model, or be a reference to an
asymmetric key stored in the keystore.";
choice local-or-keystore {
mandatory true;
case local {
if-feature "local-keys-supported";
uses ct:asymmetric-key-pair-with-certs-grouping;
}
case keystore {
if-feature "keystore-supported";
leaf reference {
type ks:asymmetric-key-ref;
description
"A reference to a value that exists in the keystore.";
}
}
description
"A choice between an inlined definition and a definition
that exists in the keystore.";
}
}
grouping local-or-keystore-end-entity-certificate-grouping {
description
"A grouping that expands to allow the end-entity certificate
(and the associated private key) to be either stored locally
within the using data model, or be a reference to a specific
certificate in the keystore.";
choice local-or-keystore {
mandatory true;
case local {
if-feature "local-keys-supported";
uses ct:asymmetric-key-pair-grouping;
uses ct:end-entity-cert-grouping;
}
case keystore {
if-feature "keystore-supported";
leaf reference {
type ks:asymmetric-key-certificate-ref;
description
"A reference to a value that exists in the keystore.";
}
}
description
"A choice between an inlined definition and a definition
that exists in the keystore.";
}
}
// protocol accessible nodes
container keystore {
nacm:default-deny-write;
description
"The keystore contains a list of keys.";
container asymmetric-keys {
description
"A list of asymmetric keys.";
list asymmetric-key {
must "(algorithm and public-key and private-key)
or not (algorithm or public-key or private-key)";
key name;
description
"An asymmetric key.";
leaf name {
type string;
description
"An arbitrary name for the asymmetric key.";
}
uses ct:asymmetric-key-pair-with-certs-grouping;
} // end asymmetric-key
} // end asymmetric-keys
} // end keystore
}