module ietf-x509-cert-to-name {

  namespace "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name";
  prefix x509c2n;

  import ietf-yang-types {
    prefix yang;
  }

  organization
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

  contact
    "WG Web:   <http://tools.ietf.org/wg/netmod/>
     WG List:  <mailto:netmod@ietf.org>

     WG Chair: Thomas Nadeau
               <mailto:tnadeau@lucidvision.com>

     WG Chair: Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>

     Editor:   Martin Bjorklund
               <mailto:mbj@tail-f.com>

     Editor:   Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>";

  description
    "This module contains a collection of YANG definitions for
     extracting a name from an X.509 certificate.
     The algorithm used to extract a name from an X.509 certificate
     was first defined in RFC 6353.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 7407; see
     the RFC itself for full legal notices.";

  reference
    "RFC 6353: Transport Layer Security (TLS) Transport Model for
               the Simple Network Management Protocol (SNMP)";

  revision 2014-12-10 {
    description
      "Initial revision.";
    reference
      "RFC 7407: A YANG Data Model for SNMP Configuration";
  }

  typedef tls-fingerprint {
    type yang:hex-string {
      pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}';
    }
    description
      "A fingerprint value that can be used to uniquely reference
       other data of potentially arbitrary length.

       A tls-fingerprint value is composed of a 1-octet hashing
       algorithm identifier followed by the fingerprint value.  The
       first octet value identifying the hashing algorithm is taken
       from the IANA 'TLS HashAlgorithm Registry' (RFC 5246).  The
       remaining octets are filled using the results of the hashing
       algorithm.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
                 for the Simple Network Management Protocol (SNMP).
                 SNMP-TLS-TM-MIB.SnmpTLSFingerprint";
  }

  /*** Collection of identities for cert-to-name ***/

  identity cert-to-name {
    description
      "Base identity for algorithms to derive a name from a
       certificate.";
  }

  identity specified {
    base cert-to-name;
    description
      "Directly specifies the name to be used for the certificate.
       The value of the leaf 'name' in the cert-to-name list is
       used.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
                 for the Simple Network Management Protocol (SNMP).
                 SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";
  }

  identity san-rfc822-name {
    base cert-to-name;
    description
      "Maps a subjectAltName's rfc822Name to a name.  The local part
       of the rfc822Name is passed unaltered, but the host-part of
       the name must be passed in lowercase.  For example, the
       rfc822Name field FooBar@Example.COM is mapped to name
       FooBar@example.com.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
                 for the Simple Network Management Protocol (SNMP).
                 SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name";
  }

  identity san-dns-name {
    base cert-to-name;
    description
      "Maps a subjectAltName's dNSName to a name after first
       converting it to all lowercase (RFC 5280 does not specify
       converting to lowercase, so this involves an extra step).
       This mapping results in a 1:1 correspondence between
       subjectAltName dNSName values and the name values.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
                 for the Simple Network Management Protocol (SNMP).
                 SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName";
  }

  identity san-ip-address {
    base cert-to-name;
    description
      "Maps a subjectAltName's iPAddress to a name by
       transforming the binary-encoded address as follows:

       1) for IPv4, the value is converted into a
          decimal-dotted quad address (e.g., '192.0.2.1').

       2) for IPv6 addresses, the value is converted into a
          32-character, all-lowercase hexadecimal string
          without any colon separators.

       This mapping results in a 1:1 correspondence between
       subjectAltName iPAddress values and the name values.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
                 for the Simple Network Management Protocol (SNMP).
                 SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
  }

  identity san-any {
    base cert-to-name;
    description
      "Maps any of the following fields using the corresponding
       mapping algorithms:

       +------------+-----------------+
       | Type       | Algorithm       |
       |------------+-----------------|
       | rfc822Name | san-rfc822-name |
       | dNSName    | san-dns-name    |
       | iPAddress  | san-ip-address  |
       +------------+-----------------+

       The first matching subjectAltName value found in the
       certificate of the above types MUST be used when deriving
       the name.  The mapping algorithm specified in the
       'Algorithm' column MUST be used to derive the name.

       This mapping results in a 1:1 correspondence between
       subjectAltName values and name values.  The three sub-mapping
       algorithms produced by this combined algorithm cannot produce
       conflicting results between themselves.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
                 for the Simple Network Management Protocol (SNMP).
                 SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";
  }

  identity common-name {
    base cert-to-name;
    description
      "Maps a certificate's CommonName to a name after converting
       it to a UTF-8 encoding.  The usage of CommonNames is
       deprecated, and users are encouraged to use subjectAltName
       mapping methods instead.  This mapping results in a 1:1
       correspondence between certificate CommonName values and name
       values.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
                 for the Simple Network Management Protocol (SNMP).
                 SNMP-TLS-TM-MIB.snmpTlstmCertCommonName";
  }

  /*** Collection of groupings for cert-to-name ***/

  grouping cert-to-name {
    description
      "Defines nodes for mapping certificates to names.  Modules
       that use this grouping should describe how the resulting
       name is used.";

    list cert-to-name {
      key id;
      description
        "This list defines how certificates are mapped to names.
         The name is derived by considering each cert-to-name
         list entry in order.  The cert-to-name entry's fingerprint
         determines whether the list entry is a match:

         1) If the cert-to-name list entry's fingerprint value
            matches that of the presented certificate, then consider
            the list entry a successful match.

         2) If the cert-to-name list entry's fingerprint value
            matches that of a locally held copy of a trusted CA
            certificate, and that CA certificate was part of the CA
            certificate chain to the presented certificate, then
            consider the list entry a successful match.

         Once a matching cert-to-name list entry has been found, the
         map-type is used to determine how the name associated with
         the certificate should be determined.  See the map-type
         leaf's description for details on determining the name value.
         If it is impossible to determine a name from the cert-to-name
         list entry's data combined with the data presented in the
         certificate, then additional cert-to-name list entries MUST
         be searched to look for another potential match.

         Security administrators are encouraged to make use of
         certificates with subjectAltName fields that can be mapped to
         names so that a single root CA certificate can allow all
         child certificates' subjectAltName fields to map directly to
         a name via a 1:1 transformation.";
      reference
        "RFC 6353: Transport Layer Security (TLS) Transport Model
                   for the Simple Network Management Protocol (SNMP).
                   SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";

      leaf id {
        type uint32;
        description
          "The id specifies the order in which the entries in the
           cert-to-name list are searched.  Entries with lower
           numbers are searched first.";
        reference
          "RFC 6353: Transport Layer Security (TLS) Transport Model
                     for the Simple Network Management Protocol
                     (SNMP).
                     SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
      }

      leaf fingerprint {
        type x509c2n:tls-fingerprint;
        mandatory true;
        description
          "Specifies a value with which the fingerprint of the
           full certificate presented by the peer is compared.  If
           the fingerprint of the full certificate presented by the
           peer does not match the fingerprint configured, then the
           entry is skipped, and the search for a match continues.";
        reference
          "RFC 6353: Transport Layer Security (TLS) Transport Model
                     for the Simple Network Management Protocol
                     (SNMP).
                     SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
      }

      leaf map-type {
        type identityref {
          base cert-to-name;
        }
        mandatory true;
        description
          "Specifies the algorithm used to map the certificate
           presented by the peer to a name.

           Mappings that need additional configuration objects should
           use the 'when' statement to make them conditional based on
           the map-type.";
        reference
          "RFC 6353: Transport Layer Security (TLS) Transport Model
                     for the Simple Network Management Protocol
                     (SNMP).
                     SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType";
      }

      leaf name {
        when "../map-type = 'x509c2n:specified'";
        type string;
        mandatory true;
        description
          "Directly specifies the NETCONF username when the
           map-type is 'specified'.";
        reference
          "RFC 6353: Transport Layer Security (TLS) Transport Model
                     for the Simple Network Management Protocol
                     (SNMP).
                     SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";
      }
    }
  }
}