1 module ietf-crypto-types {
3 namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";
6 import ietf-yang-types {
9 "RFC 6991: Common YANG Data Types";
12 import ietf-netconf-acm {
15 "RFC 8341: Network Configuration Access Control Model";
19 "IETF NETCONF (Network Configuration) Working Group";
21 "WG Web: <http://datatracker.ietf.org/wg/netconf/>
22 WG List: <mailto:netconf@ietf.org>
23 Author: Kent Watsen <mailto:kent+ietf@watsen.net>
24 Author: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>";
27 "This module defines common YANG types for cryptographic
30 Copyright (c) 2019 IETF Trust and the persons identified
31 as authors of the code. All rights reserved.
33 Redistribution and use in source and binary forms, with
34 or without modification, is permitted pursuant to, and
35 subject to the license terms contained in, the Simplified
36 BSD License set forth in Section 4.c of the IETF Trust's
37 Legal Provisions Relating to IETF Documents
38 (https://trustee.ietf.org/license-info).
40 This version of this YANG module is part of RFC XXXX
41 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
42 itself for full legal notices.;
44 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
45 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
46 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
47 are to be interpreted as described in BCP 14 (RFC 2119)
48 (RFC 8174) when, and only when, they appear in all
49 capitals, as shown here.";
55 "RFC XXXX: Common YANG Data Types for Cryptography";
58 /**************************************/
59 /* Identities for Hash Algorithms */
60 /**************************************/
62 typedef hash-algorithm-t {
69 "Hash algorithm is NULL.";
75 "The SHA1 algorithm.";
77 "RFC 3174: US Secure Hash Algorithms 1 (SHA1).";
82 "The SHA-224 algorithm.";
84 "RFC 6234: US Secure Hash Algorithms.";
89 "The SHA-256 algorithm.";
91 "RFC 6234: US Secure Hash Algorithms.";
96 "The SHA-384 algorithm.";
98 "RFC 6234: US Secure Hash Algorithms.";
103 "The SHA-512 algorithm.";
105 "RFC 6234: US Secure Hash Algorithms.";
110 "The SHA3 algorithm with 128-bits output.";
112 "National Institute of Standards and Technology,
113 SHA-3 Standard: Permutation-Based Hash and
114 Extendable-Output Functions, FIPS PUB 202, DOI
115 10.6028/NIST.FIPS.202, August 2015.";
120 "The SHA3 algorithm with 224-bits output.";
122 "National Institute of Standards and Technology,
123 SHA-3 Standard: Permutation-Based Hash and
124 Extendable-Output Functions, FIPS PUB 202, DOI
125 10.6028/NIST.FIPS.202, August 2015.";
130 "The SHA3 algorithm with 256-bits output.";
132 "National Institute of Standards and Technology,
133 SHA-3 Standard: Permutation-Based Hash and
134 Extendable-Output Functions, FIPS PUB 202, DOI
135 10.6028/NIST.FIPS.202, August 2015.";
140 "The SHA3 algorithm with 384-bits output.";
142 "National Institute of Standards and Technology,
143 SHA-3 Standard: Permutation-Based Hash and
144 Extendable-Output Functions, FIPS PUB 202, DOI
145 10.6028/NIST.FIPS.202, August 2015.";
150 "The SHA3 algorithm with 384-bits output.";
152 "National Institute of Standards and Technology,
153 SHA-3 Standard: Permutation-Based Hash and
154 Extendable-Output Functions, FIPS PUB 202, DOI
155 10.6028/NIST.FIPS.202, August 2015.";
161 "The uint16 filed shall be set by individual protocol families
162 according to the hash algorithm value assigned by IANA. The
163 setting is optional and by default is 0. The enumeration
164 filed is set to the selected hash algorithm.";
167 /***********************************************/
168 /* Identities for Asymmetric Key Algorithms */
169 /***********************************************/
171 typedef asymmetric-key-algorithm-t {
178 "Asymetric key algorithm is NULL.";
183 "The RSA algorithm using a 1024-bit key.";
185 "RFC 8017: PKCS #1: RSA Cryptography
186 Specifications Version 2.2.";
191 "The RSA algorithm using a 2048-bit key.";
194 PKCS #1: RSA Cryptography Specifications Version 2.2.";
199 "The RSA algorithm using a 3072-bit key.";
202 PKCS #1: RSA Cryptography Specifications Version 2.2.";
207 "The RSA algorithm using a 4096-bit key.";
210 PKCS #1: RSA Cryptography Specifications Version 2.2.";
215 "The RSA algorithm using a 7680-bit key.";
218 PKCS #1: RSA Cryptography Specifications Version 2.2.";
223 "The RSA algorithm using a 15360-bit key.";
226 PKCS #1: RSA Cryptography Specifications Version 2.2.";
231 "The asymmetric algorithm using a NIST P192 Curve.";
234 Fundamental Elliptic Curve Cryptography Algorithms.
236 Elliptic Curve Cryptography Subject Public Key
242 "The asymmetric algorithm using a NIST P224 Curve.";
245 Fundamental Elliptic Curve Cryptography Algorithms.
247 Elliptic Curve Cryptography Subject Public Key
253 "The asymmetric algorithm using a NIST P256 Curve.";
256 Fundamental Elliptic Curve Cryptography Algorithms.
258 Elliptic Curve Cryptography Subject Public Key
264 "The asymmetric algorithm using a NIST P384 Curve.";
267 Fundamental Elliptic Curve Cryptography Algorithms.
269 Elliptic Curve Cryptography Subject Public Key
275 "The asymmetric algorithm using a NIST P521 Curve.";
278 Fundamental Elliptic Curve Cryptography Algorithms.
280 Elliptic Curve Cryptography Subject Public Key
286 "The asymmetric algorithm using a x.25519 Curve.";
289 Elliptic Curves for Security.";
294 "The asymmetric algorithm using a x.448 Curve.";
297 Elliptic Curves for Security.";
303 "The uint16 filed shall be set by individual protocol
304 families according to the asymmetric key algorithm value
305 assigned by IANA. The setting is optional and by default
306 is 0. The enumeration filed is set to the selected
307 asymmetric key algorithm.";
310 /*************************************/
311 /* Identities for MAC Algorithms */
312 /*************************************/
314 typedef mac-algorithm-t {
321 "mac algorithm is NULL.";
326 "Generating MAC using SHA1 hash function";
328 "RFC 3174: US Secure Hash Algorithm 1 (SHA1)";
333 "Generating MAC using SHA1 hash function";
335 "RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH";
340 "Generating MAC using SHA2 hash function";
342 "RFC 6234: US Secure Hash Algorithms
343 (SHA and SHA-based HMAC and HKDF)";
348 "Generating MAC using SHA2 hash function";
350 "RFC 6234: US Secure Hash Algorithms
351 (SHA and SHA-based HMAC and HKDF)";
353 enum hmac-sha2-256-128 {
356 "Generating a 256 bits MAC using SHA2 hash function and
357 truncate it to 128 bits";
359 "RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384,
360 and HMAC-SHA-512 with IPsec";
365 "Generating a 384 bits MAC using SHA2 hash function";
367 "RFC 6234: US Secure Hash Algorithms
368 (SHA and SHA-based HMAC and HKDF)";
370 enum hmac-sha2-384-192 {
373 "Generating a 384 bits MAC using SHA2 hash function and
374 truncate it to 192 bits";
376 "RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384,
377 and HMAC-SHA-512 with IPsec";
382 "Generating a 512 bits MAC using SHA2 hash function";
384 "RFC 6234: US Secure Hash Algorithms
385 (SHA and SHA-based HMAC and HKDF)";
387 enum hmac-sha2-512-256 {
390 "Generating a 512 bits MAC using SHA2 hash function and
391 truncate it to 256 bits";
393 "RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384,
394 and HMAC-SHA-512 with IPsec";
399 "Generating 128-bit MAC using the Advanced Encryption
400 Standard (AES) Galois Message Authentication Code
401 (GMAC) as a mechanism to provide data origin
405 The Use of Galois Message Authentication Code (GMAC)
406 in IPsec ESP and AH";
411 "Generating 192-bit MAC using the Advanced Encryption
412 Standard (AES) Galois Message Authentication Code
413 (GMAC) as a mechanism to provide data origin
417 The Use of Galois Message Authentication Code (GMAC)
418 in IPsec ESP and AH";
423 "Generating 256-bit MAC using the Advanced Encryption
424 Standard (AES) Galois Message Authentication Code
425 (GMAC) as a mechanism to provide data origin
429 The Use of Galois Message Authentication Code (GMAC)
430 in IPsec ESP and AH";
435 "Generating 96-bit MAC using Advanced Encryption
436 Standard (AES) Cipher-based Message Authentication
440 The AES-CMAC Algorithm and its Use with IPsec";
445 "Generating 128-bit MAC using Advanced Encryption
446 Standard (AES) Cipher-based Message Authentication
450 The AES-CMAC Algorithm and its Use with IPsec";
455 "Generating MAC using triple DES encryption function";
458 Encryption and Checksum Specifications for Kerberos
465 "The uint16 filed shall be set by individual protocol
466 families according to the mac algorithm value assigned by
467 IANA. The setting is optional and by default is 0. The
468 enumeration filed is set to the selected mac algorithm.";
471 /********************************************/
472 /* Identities for Encryption Algorithms */
473 /********************************************/
475 typedef encryption-algorithm-t {
482 "Encryption algorithm is NULL.";
487 "Encrypt message with AES algorithm in CBC mode with
488 a key length of 128 bits.";
490 "RFC 3565: Use of the Advanced Encryption Standard (AES)
491 Encryption Algorithm in Cryptographic Message Syntax
497 "Encrypt message with AES algorithm in CBC mode with
498 a key length of 192 bits";
500 "RFC 3565: Use of the Advanced Encryption Standard (AES)
501 Encryption Algorithm in Cryptographic Message Syntax
507 "Encrypt message with AES algorithm in CBC mode with
508 a key length of 256 bits";
510 "RFC 3565: Use of the Advanced Encryption Standard (AES)
511 Encryption Algorithm in Cryptographic Message Syntax
517 "Encrypt message with AES algorithm in CTR mode with
518 a key length of 128 bits";
521 Using Advanced Encryption Standard (AES) Counter
522 Mode with IPsec Encapsulating Security Payload
528 "Encrypt message with AES algorithm in CTR mode with
529 a key length of 192 bits";
532 Using Advanced Encryption Standard (AES) Counter
533 Mode with IPsec Encapsulating Security Payload
539 "Encrypt message with AES algorithm in CTR mode with
540 a key length of 256 bits";
543 Using Advanced Encryption Standard (AES) Counter
544 Mode with IPsec Encapsulating Security Payload
547 enum des3-cbc-sha1-kd {
550 "Encrypt message with 3DES algorithm in CBC mode
551 with sha1 function for key derivation";
554 Encryption and Checksum Specifications for
560 "Encrypt message with rc4 algorithm";
563 The RC4-HMAC Kerberos Encryption Types Used by
569 "Encrypt message with rc4 algorithm that is exportable";
572 The RC4-HMAC Kerberos Encryption Types Used by
579 "The uint16 filed shall be set by individual protocol
580 families according to the encryption algorithm value
581 assigned by IANA. The setting is optional and by default
582 is 0. The enumeration filed is set to the selected
583 encryption algorithm.";
586 /****************************************************/
587 /* Identities for Encryption and MAC Algorithms */
588 /****************************************************/
590 typedef encryption-and-mac-algorithm-t {
597 "Encryption and MAC algorithm is NULL.";
604 "Encrypt message with AES algorithm in CCM
605 mode with a key length of 128 bits; it can
606 also be used for generating MAC";
608 "RFC 4309: Using Advanced Encryption Standard
609 (AES) CCM Mode with IPsec Encapsulating Security
615 "Encrypt message with AES algorithm in CCM
616 mode with a key length of 192 bits; it can
617 also be used for generating MAC";
619 "RFC 4309: Using Advanced Encryption Standard
620 (AES) CCM Mode with IPsec Encapsulating Security
626 "Encrypt message with AES algorithm in CCM
627 mode with a key length of 256 bits; it can
628 also be used for generating MAC";
630 "RFC 4309: Using Advanced Encryption Standard
631 (AES) CCM Mode with IPsec Encapsulating Security
637 "Encrypt message with AES algorithm in GCM
638 mode with a key length of 128 bits; it can
639 also be used for generating MAC";
641 "RFC 4106: The Use of Galois/Counter Mode (GCM)
642 in IPsec Encapsulating Security Payload (ESP)";
647 "Encrypt message with AES algorithm in GCM
648 mode with a key length of 192 bits; it can
649 also be used for generating MAC";
651 "RFC 4106: The Use of Galois/Counter Mode (GCM)
652 in IPsec Encapsulating Security Payload (ESP)";
657 "Encrypt message with AES algorithm in GCM
658 mode with a key length of 256 bits; it can
659 also be used for generating MAC";
661 "RFC 4106: The Use of Galois/Counter Mode (GCM)
662 in IPsec Encapsulating Security Payload (ESP)";
664 enum chacha20-poly1305 {
667 "Encrypt message with chacha20 algorithm and generate
668 MAC with POLY1305; it can also be used for generating
671 "RFC 8439: ChaCha20 and Poly1305 for IETF Protocols";
677 "The uint16 filed shall be set by individual protocol
678 families according to the encryption and mac algorithm value
679 assigned by IANA. The setting is optional and by default is
680 0. The enumeration filed is set to the selected encryption
684 /******************************************/
685 /* Identities for signature algorithm */
686 /******************************************/
688 typedef signature-algorithm-t {
695 "Signature algorithm is NULL";
700 "The signature algorithm using DSA algorithm with SHA1
704 The Secure Shell (SSH) Transport Layer Protocol";
706 enum rsassa-pkcs1-sha1 {
709 "The signature algorithm using RSASSA-PKCS1-v1_5 with
710 the SHA1 hash algorithm.";
713 The Secure Shell (SSH) Transport Layer Protocol";
715 enum rsassa-pkcs1-sha256 {
718 "The signature algorithm using RSASSA-PKCS1-v1_5 with
719 the SHA256 hash algorithm.";
722 Use of RSA Keys with SHA-256 and SHA-512 in the
723 Secure Shell (SSH) Protocol
725 The Transport Layer Security (TLS) Protocol
728 enum rsassa-pkcs1-sha384 {
731 "The signature algorithm using RSASSA-PKCS1-v1_5 with
732 the SHA384 hash algorithm.";
735 The Transport Layer Security (TLS) Protocol
738 enum rsassa-pkcs1-sha512 {
741 "The signature algorithm using RSASSA-PKCS1-v1_5 with
742 the SHA512 hash algorithm.";
745 Use of RSA Keys with SHA-256 and SHA-512 in the
746 Secure Shell (SSH) Protocol
748 The Transport Layer Security (TLS) Protocol
751 enum rsassa-pss-rsae-sha256 {
754 "The signature algorithm using RSASSA-PSS with mask
755 generation function 1 and SHA256 hash algorithm. If
756 the public key is carried in an X.509 certificate,
757 it MUST use the rsaEncryption OID";
760 The Transport Layer Security (TLS) Protocol
763 enum rsassa-pss-rsae-sha384 {
766 "The signature algorithm using RSASSA-PSS with mask
767 generation function 1 and SHA384 hash algorithm. If
768 the public key is carried in an X.509 certificate,
769 it MUST use the rsaEncryption OID";
772 The Transport Layer Security (TLS) Protocol
775 enum rsassa-pss-rsae-sha512 {
778 "The signature algorithm using RSASSA-PSS with mask
779 generation function 1 and SHA512 hash algorithm. If
780 the public key is carried in an X.509 certificate,
781 it MUST use the rsaEncryption OID";
784 The Transport Layer Security (TLS) Protocol
787 enum rsassa-pss-pss-sha256 {
790 "The signature algorithm using RSASSA-PSS with mask
791 generation function 1 and SHA256 hash algorithm. If
792 the public key is carried in an X.509 certificate,
793 it MUST use the rsaEncryption OID";
796 The Transport Layer Security (TLS) Protocol
799 enum rsassa-pss-pss-sha384 {
802 "The signature algorithm using RSASSA-PSS with mask
803 generation function 1 and SHA384 hash algorithm. If
804 the public key is carried in an X.509 certificate,
805 it MUST use the rsaEncryption OID";
808 The Transport Layer Security (TLS) Protocol
811 enum rsassa-pss-pss-sha512 {
814 "The signature algorithm using RSASSA-PSS with mask
815 generation function 1 and SHA512 hash algorithm. If
816 the public key is carried in an X.509 certificate,
817 it MUST use the rsaEncryption OID";
820 The Transport Layer Security (TLS) Protocol
823 enum ecdsa-secp256r1-sha256 {
826 "The signature algorithm using ECDSA with curve name
827 secp256r1 and SHA256 hash algorithm.";
830 Elliptic Curve Algorithm Integration in the Secure
831 Shell Transport Layer
833 The Transport Layer Security (TLS) Protocol
836 enum ecdsa-secp384r1-sha384 {
839 "The signature algorithm using ECDSA with curve name
840 secp384r1 and SHA384 hash algorithm.";
843 Elliptic Curve Algorithm Integration in the Secure
844 Shell Transport Layer
846 The Transport Layer Security (TLS) Protocol
849 enum ecdsa-secp521r1-sha512 {
852 "The signature algorithm using ECDSA with curve name
853 secp521r1 and SHA512 hash algorithm.";
856 Elliptic Curve Algorithm Integration in the Secure
857 Shell Transport Layer
859 The Transport Layer Security (TLS) Protocol
865 "The signature algorithm using EdDSA with curve x25519";
868 Edwards-Curve Digital Signature Algorithm (EdDSA)";
873 "The signature algorithm using EdDSA with curve x25519
877 Edwards-Curve Digital Signature Algorithm (EdDSA)";
882 "The signature algorithm using EdDSA with curve x25519
886 Edwards-Curve Digital Signature Algorithm (EdDSA)";
888 enum ed25519-sha512 {
891 "The signature algorithm using EdDSA with curve x25519
892 and SHA-512 function";
895 Use of Edwards-Curve Digital Signature Algorithm
896 (EdDSA) Signatures in the Cryptographic Message
902 "The signature algorithm using EdDSA with curve x448";
905 Edwards-Curve Digital Signature Algorithm (EdDSA)";
910 "The signature algorithm using EdDSA with curve x448
911 and with PH being SHAKE256(x, 64) and phflag being 1";
914 Edwards-Curve Digital Signature Algorithm (EdDSA)";
916 enum ed448-shake256 {
919 "The signature algorithm using EdDSA with curve x448
920 and SHAKE-256 function";
923 Use of Edwards-Curve Digital Signature Algorithm
924 (EdDSA) Signatures in the Cryptographic Message
927 enum ed448-shake256-len {
930 "The signature algorithm using EdDSA with curve x448
931 and SHAKE-256 function and a customized hash output";
934 Use of Edwards-Curve Digital Signature Algorithm
935 (EdDSA) Signatures in the Cryptographic Message
941 "The signature algorithm using RSA with SHA2 function
945 Use of RSA Keys with SHA-256 and SHA-512
946 in the Secure Shell (SSH) Protocol";
951 "The signature algorithm using RSA with SHA2 function
955 Use of RSA Keys with SHA-256 and SHA-512
956 in the Secure Shell (SSH) Protocol";
961 "The signature algorithm using ECCSI signature as
962 defined in RFC 6507.";
965 Elliptic Curve-Based Certificateless Signatures
966 for Identity-based Encryption (ECCSI)";
972 "The uint16 filed shall be set by individual protocol
973 families according to the signature algorithm value
974 assigned by IANA. The setting is optional and by default
975 is 0. The enumeration filed is set to the selected
976 signature algorithm.";
979 /**********************************************/
980 /* Identities for key exchange algorithms */
981 /**********************************************/
983 typedef key-exchange-algorithm-t {
990 "Key exchange algorithm is NULL.";
995 "Using Pre-shared key for authentication and key
999 Pre-Shared Key cipher suites for Transport Layer
1002 enum dhe-ffdhe2048 {
1005 "Ephemeral Diffie Hellman key exchange with 2048 bit
1009 Negotiated Finite Field Diffie-Hellman Ephemeral
1010 Parameters for Transport Layer Security (TLS)";
1012 enum dhe-ffdhe3072 {
1015 "Ephemeral Diffie Hellman key exchange with 3072 bit
1019 Negotiated Finite Field Diffie-Hellman Ephemeral
1020 Parameters for Transport Layer Security (TLS)";
1022 enum dhe-ffdhe4096 {
1025 "Ephemeral Diffie Hellman key exchange with 4096 bit
1029 Negotiated Finite Field Diffie-Hellman Ephemeral
1030 Parameters for Transport Layer Security (TLS)";
1032 enum dhe-ffdhe6144 {
1035 "Ephemeral Diffie Hellman key exchange with 6144 bit
1039 Negotiated Finite Field Diffie-Hellman Ephemeral
1040 Parameters for Transport Layer Security (TLS)";
1042 enum dhe-ffdhe8192 {
1045 "Ephemeral Diffie Hellman key exchange with 8192 bit
1049 Negotiated Finite Field Diffie-Hellman Ephemeral
1050 Parameters for Transport Layer Security (TLS)";
1052 enum psk-dhe-ffdhe2048 {
1055 "Key exchange using pre-shared key with Diffie-Hellman
1056 key generation mechanism, where the DH group is
1060 The Transport Layer Security (TLS) Protocol
1063 enum psk-dhe-ffdhe3072 {
1066 "Key exchange using pre-shared key with Diffie-Hellman
1067 key generation mechanism, where the DH group is
1071 The Transport Layer Security (TLS) Protocol
1074 enum psk-dhe-ffdhe4096 {
1077 "Key exchange using pre-shared key with Diffie-Hellman
1078 key generation mechanism, where the DH group is
1082 The Transport Layer Security (TLS) Protocol
1085 enum psk-dhe-ffdhe6144 {
1088 "Key exchange using pre-shared key with Diffie-Hellman
1089 key generation mechanism, where the DH group is
1093 The Transport Layer Security (TLS) Protocol
1096 enum psk-dhe-ffdhe8192 {
1099 "Key exchange using pre-shared key with Diffie-Hellman
1100 key generation mechanism, where the DH group is
1104 The Transport Layer Security (TLS) Protocol
1107 enum ecdhe-secp256r1 {
1110 "Ephemeral Diffie Hellman key exchange with elliptic
1111 group over curve secp256r1";
1114 Elliptic Curve Cryptography (ECC) Cipher Suites
1115 for Transport Layer Security (TLS) Versions 1.2
1118 enum ecdhe-secp384r1 {
1121 "Ephemeral Diffie Hellman key exchange with elliptic
1122 group over curve secp384r1";
1125 Elliptic Curve Cryptography (ECC) Cipher Suites
1126 for Transport Layer Security (TLS) Versions 1.2
1129 enum ecdhe-secp521r1 {
1132 "Ephemeral Diffie Hellman key exchange with elliptic
1133 group over curve secp521r1";
1136 Elliptic Curve Cryptography (ECC) Cipher Suites
1137 for Transport Layer Security (TLS) Versions 1.2
1143 "Ephemeral Diffie Hellman key exchange with elliptic
1144 group over curve x25519";
1147 Elliptic Curve Cryptography (ECC) Cipher Suites
1148 for Transport Layer Security (TLS) Versions 1.2
1154 "Ephemeral Diffie Hellman key exchange with elliptic
1155 group over curve x448";
1158 Elliptic Curve Cryptography (ECC) Cipher Suites
1159 for Transport Layer Security (TLS) Versions 1.2
1162 enum psk-ecdhe-secp256r1 {
1165 "Key exchange using pre-shared key with elliptic
1166 group-based Ephemeral Diffie Hellman key exchange
1167 over curve secp256r1";
1170 The Transport Layer Security (TLS) Protocol
1173 enum psk-ecdhe-secp384r1 {
1176 "Key exchange using pre-shared key with elliptic
1177 group-based Ephemeral Diffie Hellman key exchange
1178 over curve secp384r1";
1181 The Transport Layer Security (TLS) Protocol
1184 enum psk-ecdhe-secp521r1 {
1187 "Key exchange using pre-shared key with elliptic
1188 group-based Ephemeral Diffie Hellman key exchange
1189 over curve secp521r1";
1192 The Transport Layer Security (TLS) Protocol
1195 enum psk-ecdhe-x25519 {
1198 "Key exchange using pre-shared key with elliptic
1199 group-based Ephemeral Diffie Hellman key exchange
1203 The Transport Layer Security (TLS) Protocol
1206 enum psk-ecdhe-x448 {
1209 "Key exchange using pre-shared key with elliptic
1210 group-based Ephemeral Diffie Hellman key exchange
1214 The Transport Layer Security (TLS) Protocol
1217 enum diffie-hellman-group14-sha1 {
1220 "Using DH group14 and SHA1 for key exchange";
1223 The Secure Shell (SSH) Transport Layer Protocol";
1225 enum diffie-hellman-group14-sha256 {
1228 "Using DH group14 and SHA-256 for key exchange";
1231 More Modular Exponentiation (MODP) Diffie-Hellman (DH)
1232 Key Exchange (KEX) Groups for Secure Shell (SSH)";
1234 enum diffie-hellman-group15-sha512 {
1237 "Using DH group15 and SHA-512 for key exchange";
1240 More Modular Exponentiation (MODP) Diffie-Hellman (DH)
1241 Key Exchange (KEX) Groups for Secure Shell (SSH)";
1243 enum diffie-hellman-group16-sha512 {
1246 "Using DH group16 and SHA-512 for key exchange";
1249 More Modular Exponentiation (MODP) Diffie-Hellman (DH)
1250 Key Exchange (KEX) Groups for Secure Shell (SSH)";
1252 enum diffie-hellman-group17-sha512 {
1255 "Using DH group17 and SHA-512 for key exchange";
1258 More Modular Exponentiation (MODP) Diffie-Hellman (DH)
1259 Key Exchange (KEX) Groups for Secure Shell (SSH)";
1261 enum diffie-hellman-group18-sha512 {
1264 "Using DH group18 and SHA-512 for key exchange";
1267 More Modular Exponentiation (MODP) Diffie-Hellman (DH)
1268 Key Exchange (KEX) Groups for Secure Shell (SSH)";
1270 enum ecdh-sha2-secp256r1 {
1273 "Elliptic curve-based Diffie Hellman key exchange over
1274 curve ecp256r1 and using SHA2 for MAC generation";
1277 Suite B Cryptographic Suites for Secure Shell (SSH)";
1279 enum ecdh-sha2-secp384r1 {
1282 "Elliptic curve-based Diffie Hellman key exchange over
1283 curve ecp384r1 and using SHA2 for MAC generation";
1286 Suite B Cryptographic Suites for Secure Shell (SSH)";
1288 enum ecdh-x25519-x9.63-sha256 {
1291 "Elliptic curve-based Diffie Hellman key exchange over
1292 curve x.25519 and using ANSI x9.63 with SHA256 as KDF";
1295 Use of the Elliptic Curve Diffie-Hellman Key Agreement
1296 Algorithm with X25519 and X448 in the Cryptographic
1297 Message Syntax (CMS)";
1299 enum ecdh-x25519-x9.63-sha384 {
1302 "Elliptic curve-based Diffie Hellman key exchange over
1303 curve x.25519 and using ANSI x9.63 with SHA384 as KDF";
1306 Use of the Elliptic Curve Diffie-Hellman Key Agreement
1307 Algorithm with X25519 and X448 in the Cryptographic
1308 Message Syntax (CMS)";
1310 enum ecdh-x25519-x9.63-sha512 {
1313 "Elliptic curve-based Diffie Hellman key exchange over
1314 curve x.25519 and using ANSI x9.63 with SHA512 as KDF";
1317 Use of the Elliptic Curve Diffie-Hellman Key Agreement
1318 Algorithm with X25519 and X448 in the Cryptographic
1319 Message Syntax (CMS)";
1321 enum ecdh-x25519-hkdf-sha256 {
1324 "Elliptic curve-based Diffie Hellman key exchange over
1325 curve x.25519 and using HKDF with SHA256 as KDF";
1328 Use of the Elliptic Curve Diffie-Hellman Key Agreement
1329 Algorithm with X25519 and X448 in the Cryptographic
1330 Message Syntax (CMS)";
1332 enum ecdh-x25519-hkdf-sha384 {
1335 "Elliptic curve-based Diffie Hellman key exchange over
1336 curve x.25519 and using HKDF with SHA384 as KDF";
1339 Use of the Elliptic Curve Diffie-Hellman Key Agreement
1340 Algorithm with X25519 and X448 in the Cryptographic
1341 Message Syntax (CMS)";
1343 enum ecdh-x25519-hkdf-sha512 {
1346 "Elliptic curve-based Diffie Hellman key exchange over
1347 curve x.25519 and using HKDF with SHA512 as KDF";
1350 Use of the Elliptic Curve Diffie-Hellman Key Agreement
1351 Algorithm with X25519 and X448 in the Cryptographic
1352 Message Syntax (CMS)";
1354 enum ecdh-x448-x9.63-sha256 {
1357 "Elliptic curve-based Diffie Hellman key exchange over
1358 curve x.448 and using ANSI x9.63 with SHA256 as KDF";
1361 Use of the Elliptic Curve Diffie-Hellman Key Agreement
1362 Algorithm with X25519 and X448 in the Cryptographic
1363 Message Syntax (CMS)";
1365 enum ecdh-x448-x9.63-sha384 {
1368 "Elliptic curve-based Diffie Hellman key exchange over
1369 curve x.448 and using ANSI x9.63 with SHA384 as KDF";
1372 Use of the Elliptic Curve Diffie-Hellman Key Agreement
1373 Algorithm with X25519 and X448 in the Cryptographic
1374 Message Syntax (CMS)";
1376 enum ecdh-x448-x9.63-sha512 {
1379 "Elliptic curve-based Diffie Hellman key exchange over
1380 curve x.448 and using ANSI x9.63 with SHA512 as KDF";
1383 Use of the Elliptic Curve Diffie-Hellman Key Agreement
1384 Algorithm with X25519 and X448 in the Cryptographic
1385 Message Syntax (CMS)";
1387 enum ecdh-x448-hkdf-sha256 {
1390 "Elliptic curve-based Diffie Hellman key exchange over
1391 curve x.448 and using HKDF with SHA256 as KDF";
1394 Use of the Elliptic Curve Diffie-Hellman Key Agreement
1395 Algorithm with X25519 and X448 in the Cryptographic
1396 Message Syntax (CMS)";
1398 enum ecdh-x448-hkdf-sha384 {
1401 "Elliptic curve-based Diffie Hellman key exchange over
1402 curve x.448 and using HKDF with SHA384 as KDF";
1405 Use of the Elliptic Curve Diffie-Hellman Key Agreement
1406 Algorithm with X25519 and X448 in the Cryptographic
1407 Message Syntax (CMS)";
1409 enum ecdh-x448-hkdf-sha512 {
1412 "Elliptic curve-based Diffie Hellman key exchange over
1413 curve x.448 and using HKDF with SHA512 as KDF";
1416 Use of the Elliptic Curve Diffie-Hellman Key Agreement
1417 Algorithm with X25519 and X448 in the Cryptographic
1418 Message Syntax (CMS)";
1424 "RSAES-OAEP combines the RSAEP and RSADP primitives with
1425 the EME-OAEP encoding method";
1429 RSA Cryptography Specifications Version 2.2.";
1431 enum rsaes-pkcs1-v1_5 {
1434 "RSAES-PKCS1-v1_5 combines the RSAEP and RSADP
1435 primitives with the EME-PKCS1-v1_5 encoding method";
1439 RSA Cryptography Specifications Version 2.2.";
1445 "The uint16 filed shall be set by individual protocol
1446 families according to the key exchange algorithm value
1447 assigned by IANA. The setting is optional and by default
1448 is 0. The enumeration filed is set to the selected key
1449 exchange algorithm.";
1452 /********************************************/
1453 /* Identities for Key Format Structures */
1454 /********************************************/
1456 /*** all key format types ****/
1458 identity key-format-base {
1459 description "Base key-format identity for all keys.";
1462 identity public-key-format {
1463 base "key-format-base";
1464 description "Base key-format identity for public keys.";
1467 identity private-key-format {
1468 base "key-format-base";
1469 description "Base key-format identity for private keys.";
1472 identity symmetric-key-format {
1473 base "key-format-base";
1474 description "Base key-format identity for symmetric keys.";
1477 /**** for private keys ****/
1479 identity rsa-private-key-format {
1480 base "private-key-format";
1481 description "An RSAPrivateKey (from RFC 3447).";
1484 identity ec-private-key-format {
1485 base "private-key-format";
1486 description "An ECPrivateKey (from RFC 5915)";
1489 identity one-asymmetric-key-format {
1490 base "private-key-format";
1491 description "A OneAsymmetricKey (from RFC 5958).";
1494 identity encrypted-private-key-format {
1495 base "private-key-format";
1497 "A CMS EncryptedData structure (RFC 5652)
1498 containing a OneAsymmetricKey (RFC 5958).";
1501 /**** for public keys ****/
1503 identity ssh-public-key-format {
1504 base "public-key-format";
1506 "The public key format described by RFC 4716.";
1509 identity subject-public-key-info-format {
1510 base "public-key-format";
1512 "A SubjectPublicKeyInfo (from RFC 5280).";
1515 /**** for symmetric keys ****/
1517 identity octet-string-key-format {
1518 base "symmetric-key-format";
1519 description "An OctetString from ASN.1.";
1521 // Knowing that it is an "OctetString" isn't really helpful.
1522 // Knowing the length of the octet string would be helpful,
1523 // as it relates to the algorithm's block size. We may want
1524 // to only (for now) use "one-symmetric-key-format" for
1525 // symmetric keys...were the usability issues Juergen
1526 // mentioned before only apply to asymmetric keys?
1530 identity one-symmetric-key-format {
1531 base "symmetric-key-format";
1532 description "A OneSymmetricKey (from RFC6031).";
1535 identity encrypted-symmetric-key-format {
1536 base "symmetric-key-format";
1538 "A CMS EncryptedData structure (RFC 5652)
1539 containing a OneSymmetricKey (RFC 6031).";
1542 /***************************************************/
1543 /* Typedefs for ASN.1 structures from RFC 5280 */
1544 /***************************************************/
1549 "A Certificate structure, as specified in RFC 5280,
1550 encoded using ASN.1 distinguished encoding rules (DER),
1551 as specified in ITU-T X.690.";
1554 Internet X.509 Public Key Infrastructure Certificate
1555 and Certificate Revocation List (CRL) Profile
1557 Information technology - ASN.1 encoding rules:
1558 Specification of Basic Encoding Rules (BER),
1559 Canonical Encoding Rules (CER) and Distinguished
1560 Encoding Rules (DER).";
1566 "A CertificateList structure, as specified in RFC 5280,
1567 encoded using ASN.1 distinguished encoding rules (DER),
1568 as specified in ITU-T X.690.";
1571 Internet X.509 Public Key Infrastructure Certificate
1572 and Certificate Revocation List (CRL) Profile
1574 Information technology - ASN.1 encoding rules:
1575 Specification of Basic Encoding Rules (BER),
1576 Canonical Encoding Rules (CER) and Distinguished
1577 Encoding Rules (DER).";
1580 /***********************************************/
1581 /* Typedefs for ASN.1 structures from 5652 */
1582 /***********************************************/
1587 "A ContentInfo structure, as specified in RFC 5652,
1588 encoded using ASN.1 distinguished encoding rules (DER),
1589 as specified in ITU-T X.690.";
1592 Cryptographic Message Syntax (CMS)
1594 Information technology - ASN.1 encoding rules:
1595 Specification of Basic Encoding Rules (BER),
1596 Canonical Encoding Rules (CER) and Distinguished
1597 Encoding Rules (DER).";
1599 typedef data-content-cms {
1602 "A CMS structure whose top-most content type MUST be the
1603 data content type, as described by Section 4 in RFC 5652.";
1605 "RFC 5652: Cryptographic Message Syntax (CMS)";
1608 typedef signed-data-cms {
1611 "A CMS structure whose top-most content type MUST be the
1612 signed-data content type, as described by Section 5 in
1615 "RFC 5652: Cryptographic Message Syntax (CMS)";
1618 typedef enveloped-data-cms {
1621 "A CMS structure whose top-most content type MUST be the
1622 enveloped-data content type, as described by Section 6
1625 "RFC 5652: Cryptographic Message Syntax (CMS)";
1628 typedef digested-data-cms {
1631 "A CMS structure whose top-most content type MUST be the
1632 digested-data content type, as described by Section 7
1635 "RFC 5652: Cryptographic Message Syntax (CMS)";
1638 typedef encrypted-data-cms {
1641 "A CMS structure whose top-most content type MUST be the
1642 encrypted-data content type, as described by Section 8
1645 "RFC 5652: Cryptographic Message Syntax (CMS)";
1647 typedef authenticated-data-cms {
1650 "A CMS structure whose top-most content type MUST be the
1651 authenticated-data content type, as described by Section 9
1654 "RFC 5652: Cryptographic Message Syntax (CMS)";
1657 /***************************************************/
1658 /* Typedefs for structures related to RFC 4253 */
1659 /***************************************************/
1661 typedef ssh-host-key {
1664 "The binary public key data for this SSH key, as
1665 specified by RFC 4253, Section 6.6, i.e.:
1667 string certificate or public key format
1669 byte[n] key/certificate data.";
1671 "RFC 4253: The Secure Shell (SSH) Transport Layer
1675 /*********************************************************/
1676 /* Typedefs for ASN.1 structures related to RFC 5280 */
1677 /*********************************************************/
1679 typedef trust-anchor-cert-x509 {
1682 "A Certificate structure that MUST encode a self-signed
1686 typedef end-entity-cert-x509 {
1689 "A Certificate structure that MUST encode a certificate
1690 that is neither self-signed nor having Basic constraint
1694 /*********************************************************/
1695 /* Typedefs for ASN.1 structures related to RFC 5652 */
1696 /*********************************************************/
1698 typedef trust-anchor-cert-cms {
1699 type signed-data-cms;
1701 "A CMS SignedData structure that MUST contain the chain of
1702 X.509 certificates needed to authenticate the certificate
1703 presented by a client or end-entity.
1705 The CMS MUST contain only a single chain of certificates.
1706 The client or end-entity certificate MUST only authenticate
1707 to last intermediate CA certificate listed in the chain.
1709 In all cases, the chain MUST include a self-signed root
1710 certificate. In the case where the root certificate is
1711 itself the issuer of the client or end-entity certificate,
1712 only one certificate is present.
1714 This CMS structure MAY (as applicable where this type is
1715 used) also contain suitably fresh (as defined by local
1716 policy) revocation objects with which the device can
1717 verify the revocation status of the certificates.
1719 This CMS encodes the degenerate form of the SignedData
1720 structure that is commonly used to disseminate X.509
1721 certificates and revocation objects (RFC 5280).";
1724 Internet X.509 Public Key Infrastructure Certificate
1725 and Certificate Revocation List (CRL) Profile.";
1728 typedef end-entity-cert-cms {
1729 type signed-data-cms;
1731 "A CMS SignedData structure that MUST contain the end
1732 entity certificate itself, and MAY contain any number
1733 of intermediate certificates leading up to a trust
1734 anchor certificate. The trust anchor certificate
1735 MAY be included as well.
1737 The CMS MUST contain a single end entity certificate.
1738 The CMS MUST NOT contain any spurious certificates.
1740 This CMS structure MAY (as applicable where this type is
1741 used) also contain suitably fresh (as defined by local
1742 policy) revocation objects with which the device can
1743 verify the revocation status of the certificates.
1745 This CMS encodes the degenerate form of the SignedData
1746 structure that is commonly used to disseminate X.509
1747 certificates and revocation objects (RFC 5280).";
1750 Internet X.509 Public Key Infrastructure Certificate
1751 and Certificate Revocation List (CRL) Profile.";
1754 typedef ssh-public-key-type { // DELETE?
1757 "The binary public key data for this SSH key, as
1758 specified by RFC 4253, Section 6.6, i.e.:
1760 string certificate or public key format
1762 byte[n] key/certificate data.";
1764 "RFC 4253: The Secure Shell (SSH) Transport
1768 /**********************************************/
1769 /* Groupings for keys and/or certificates */
1770 /**********************************************/
1772 grouping symmetric-key-grouping {
1774 "A symmetric key and algorithm.";
1776 type encryption-algorithm-t;
1779 "The algorithm to be used when generating the key.";
1781 "RFC CCCC: Common YANG Data Types for Cryptography";
1784 nacm:default-deny-write;
1787 base symmetric-key-format;
1789 description "Identifies the symmetric key's format.";
1794 "Choice between key types.";
1796 nacm:default-deny-all;
1798 //must "../key-format"; FIXME: remove comment if approach ok
1800 "The binary value of the key. The interpretation of
1801 the value is defined by 'key-format'. For example,
1807 nacm:default-deny-write;
1810 "A permanently hidden key. How such keys are created
1811 is outside the scope of this module.";
1816 grouping public-key-grouping {
1818 "A public key and its associated algorithm.";
1820 nacm:default-deny-write;
1821 type asymmetric-key-algorithm-t;
1824 "Identifies the key's algorithm.";
1826 "RFC CCCC: Common YANG Data Types for Cryptography";
1828 leaf public-key-format {
1829 nacm:default-deny-write;
1830 when "../public-key";
1832 base public-key-format;
1834 description "Identifies the key's format.";
1837 nacm:default-deny-write;
1839 //must "../public-key-format"; FIXME: rm comment if approach ok
1842 "The binary value of the public key. The interpretation
1843 of the value is defined by 'public-key-format' field.";
1847 grouping asymmetric-key-pair-grouping {
1849 "A private key and its associated public key and algorithm.";
1850 uses public-key-grouping;
1851 leaf private-key-format {
1852 nacm:default-deny-write;
1853 when "../private-key";
1855 base private-key-format;
1857 description "Identifies the key's format.";
1859 choice private-key-type {
1862 "Choice between key types.";
1864 nacm:default-deny-all;
1866 //must "../private-key-format"; FIXME: rm comment if ok
1868 "The value of the binary key. The key's value is
1869 interpreted by the 'private-key-format' field.";
1871 leaf hidden-private-key {
1872 nacm:default-deny-write;
1875 "A permanently hidden key. How such keys are created
1876 is outside the scope of this module.";
1881 grouping trust-anchor-cert-grouping {
1883 "A trust anchor certificate, and a notification for when
1884 it is about to (or already has) expire.";
1886 nacm:default-deny-write;
1887 type trust-anchor-cert-cms;
1889 "The binary certificate data for this certificate.";
1891 "RFC YYYY: Common YANG Data Types for Cryptography";
1893 notification certificate-expiration {
1895 "A notification indicating that the configured certificate
1896 is either about to expire or has already expired. When to
1897 send notifications is an implementation specific decision,
1898 but it is RECOMMENDED that a notification be sent once a
1899 month for 3 months, then once a week for four weeks, and
1900 then once a day thereafter until the issue is resolved.";
1901 leaf expiration-date {
1902 type yang:date-and-time;
1905 "Identifies the expiration date on the certificate.";
1910 grouping trust-anchor-certs-grouping {
1912 "A list of trust anchor certificates, and a notification
1913 for when one is about to (or already has) expire.";
1915 nacm:default-deny-write;
1916 type trust-anchor-cert-cms;
1918 "The binary certificate data for this certificate.";
1920 "RFC YYYY: Common YANG Data Types for Cryptography";
1922 notification certificate-expiration {
1924 "A notification indicating that the configured certificate
1925 is either about to expire or has already expired. When to
1926 send notifications is an implementation specific decision,
1927 but it is RECOMMENDED that a notification be sent once a
1928 month for 3 months, then once a week for four weeks, and
1929 then once a day thereafter until the issue is resolved.";
1930 leaf expiration-date {
1931 type yang:date-and-time;
1934 "Identifies the expiration date on the certificate.";
1939 grouping end-entity-cert-grouping {
1941 "An end entity certificate, and a notification for when
1942 it is about to (or already has) expire. Implementations
1943 SHOULD assert that, where used, the end entity certificate
1944 contains the expected public key.";
1946 nacm:default-deny-write;
1947 type end-entity-cert-cms;
1949 "The binary certificate data for this certificate.";
1951 "RFC YYYY: Common YANG Data Types for Cryptography";
1953 notification certificate-expiration {
1955 "A notification indicating that the configured certificate
1956 is either about to expire or has already expired. When to
1957 send notifications is an implementation specific decision,
1958 but it is RECOMMENDED that a notification be sent once a
1959 month for 3 months, then once a week for four weeks, and
1960 then once a day thereafter until the issue is resolved.";
1961 leaf expiration-date {
1962 type yang:date-and-time;
1965 "Identifies the expiration date on the certificate.";
1970 grouping end-entity-certs-grouping {
1972 "A list of end entity certificates, and a notification for
1973 when one is about to (or already has) expire.";
1975 nacm:default-deny-write;
1976 type end-entity-cert-cms;
1978 "The binary certificate data for this certificate.";
1980 "RFC YYYY: Common YANG Data Types for Cryptography";
1982 notification certificate-expiration {
1984 "A notification indicating that the configured certificate
1985 is either about to expire or has already expired. When to
1986 send notifications is an implementation specific decision,
1987 but it is RECOMMENDED that a notification be sent once a
1988 month for 3 months, then once a week for four weeks, and
1989 then once a day thereafter until the issue is resolved.";
1990 leaf expiration-date {
1991 type yang:date-and-time;
1994 "Identifies the expiration date on the certificate.";
1999 grouping asymmetric-key-pair-with-cert-grouping {
2001 "A private/public key pair and an associated certificate.
2002 Implementations SHOULD assert that certificates contain
2003 the matching public key.";
2004 uses asymmetric-key-pair-grouping;
2005 uses end-entity-cert-grouping;
2006 action generate-certificate-signing-request {
2007 nacm:default-deny-all;
2009 "Generates a certificate signing request structure for
2010 the associated asymmetric key using the passed subject
2011 and attribute values. The specified assertions need
2012 to be appropriate for the certificate's use. For
2013 example, an entity certificate for a TLS server
2014 SHOULD have values that enable clients to satisfy
2015 RFC 6125 processing.";
2021 "The 'subject' field per the CertificationRequestInfo
2022 structure as specified by RFC 2986, Section 4.1
2023 encoded using the ASN.1 distinguished encoding
2024 rules (DER), as specified in ITU-T X.690.";
2027 PKCS #10: Certification Request Syntax
2028 Specification Version 1.7.
2030 Information technology - ASN.1 encoding rules:
2031 Specification of Basic Encoding Rules (BER),
2032 Canonical Encoding Rules (CER) and Distinguished
2033 Encoding Rules (DER).";
2036 type binary; // FIXME: does this need to be mandatory?
2038 "The 'attributes' field from the structure
2039 CertificationRequestInfo as specified by RFC 2986,
2040 Section 4.1 encoded using the ASN.1 distinguished
2041 encoding rules (DER), as specified in ITU-T X.690.";
2044 PKCS #10: Certification Request Syntax
2045 Specification Version 1.7.
2047 Information technology - ASN.1 encoding rules:
2048 Specification of Basic Encoding Rules (BER),
2049 Canonical Encoding Rules (CER) and Distinguished
2050 Encoding Rules (DER).";
2054 leaf certificate-signing-request {
2058 "A CertificationRequest structure as specified by
2059 RFC 2986, Section 4.2 encoded using the ASN.1
2060 distinguished encoding rules (DER), as specified
2064 PKCS #10: Certification Request Syntax
2065 Specification Version 1.7.
2067 Information technology - ASN.1 encoding rules:
2068 Specification of Basic Encoding Rules (BER),
2069 Canonical Encoding Rules (CER) and Distinguished
2070 Encoding Rules (DER).";
2073 } // generate-certificate-signing-request
2074 } // asymmetric-key-pair-with-cert-grouping
2076 grouping asymmetric-key-pair-with-certs-grouping {
2078 "A private/public key pair and associated certificates.
2079 Implementations SHOULD assert that certificates contain
2080 the matching public key.";
2081 uses asymmetric-key-pair-grouping;
2082 container certificates {
2083 nacm:default-deny-write;
2085 "Certificates associated with this asymmetric key.
2086 More than one certificate supports, for instance,
2087 a TPM-protected asymmetric key that has both IDevID
2088 and LDevID certificates associated.";
2092 "A certificate for this asymmetric key.";
2096 "An arbitrary name for the certificate. If the name
2097 matches the name of a certificate that exists
2098 independently in <operational> (i.e., an IDevID),
2099 then the 'cert' node MUST NOT be configured.";
2101 uses end-entity-cert-grouping;
2104 action generate-certificate-signing-request {
2105 nacm:default-deny-all;
2107 "Generates a certificate signing request structure for
2108 the associated asymmetric key using the passed subject
2109 and attribute values. The specified assertions need
2110 to be appropriate for the certificate's use. For
2111 example, an entity certificate for a TLS server
2112 SHOULD have values that enable clients to satisfy
2113 RFC 6125 processing.";
2119 "The 'subject' field per the CertificationRequestInfo
2120 structure as specified by RFC 2986, Section 4.1
2121 encoded using the ASN.1 distinguished encoding
2122 rules (DER), as specified in ITU-T X.690.";
2125 PKCS #10: Certification Request Syntax
2126 Specification Version 1.7.
2128 Information technology - ASN.1 encoding rules:
2129 Specification of Basic Encoding Rules (BER),
2130 Canonical Encoding Rules (CER) and Distinguished
2131 Encoding Rules (DER).";
2134 type binary; // FIXME: does this need to be mandatory?
2136 "The 'attributes' field from the structure
2137 CertificationRequestInfo as specified by RFC 2986,
2138 Section 4.1 encoded using the ASN.1 distinguished
2139 encoding rules (DER), as specified in ITU-T X.690.";
2142 PKCS #10: Certification Request Syntax
2143 Specification Version 1.7.
2145 Information technology - ASN.1 encoding rules:
2146 Specification of Basic Encoding Rules (BER),
2147 Canonical Encoding Rules (CER) and Distinguished
2148 Encoding Rules (DER).";
2152 leaf certificate-signing-request {
2156 "A CertificationRequest structure as specified by
2157 RFC 2986, Section 4.2 encoded using the ASN.1
2158 distinguished encoding rules (DER), as specified
2162 PKCS #10: Certification Request Syntax
2163 Specification Version 1.7.
2165 Information technology - ASN.1 encoding rules:
2166 Specification of Basic Encoding Rules (BER),
2167 Canonical Encoding Rules (CER) and Distinguished
2168 Encoding Rules (DER).";
2171 } // generate-certificate-signing-request
2172 } // asymmetric-key-pair-with-certs-grouping