--- /dev/null
+module ietf-crypto-types {\r
+ yang-version 1.1;\r
+ namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";\r
+ prefix ct;\r
+\r
+ import ietf-yang-types {\r
+ prefix yang;\r
+ reference\r
+ "RFC 6991: Common YANG Data Types";\r
+ }\r
+\r
+ import ietf-netconf-acm {\r
+ prefix nacm;\r
+ reference\r
+ "RFC 8341: Network Configuration Access Control Model";\r
+ }\r
+\r
+ organization\r
+ "IETF NETCONF (Network Configuration) Working Group";\r
+\r
+ contact\r
+ "WG Web: <http://datatracker.ietf.org/wg/netconf/>\r
+ WG List: <mailto:netconf@ietf.org>\r
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>\r
+ Author: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>";\r
+\r
+ description\r
+ "This module defines common YANG types for cryptographic\r
+ applications.\r
+\r
+ Copyright (c) 2019 IETF Trust and the persons identified\r
+ as authors of the code. All rights reserved.\r
+\r
+ Redistribution and use in source and binary forms, with\r
+ or without modification, is permitted pursuant to, and\r
+ subject to the license terms contained in, the Simplified\r
+ BSD License set forth in Section 4.c of the IETF Trust's\r
+ Legal Provisions Relating to IETF Documents\r
+ (https://trustee.ietf.org/license-info).\r
+\r
+ This version of this YANG module is part of RFC XXXX\r
+ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC\r
+ itself for full legal notices.;\r
+\r
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',\r
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',\r
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document\r
+ are to be interpreted as described in BCP 14 (RFC 2119)\r
+ (RFC 8174) when, and only when, they appear in all\r
+ capitals, as shown here.";\r
+\r
+ revision 2019-04-29 {\r
+ description\r
+ "Initial version";\r
+ reference\r
+ "RFC XXXX: Common YANG Data Types for Cryptography";\r
+ }\r
+\r
+ /**************************************/\r
+ /* Identities for Hash Algorithms */\r
+ /**************************************/\r
+\r
+ identity hash-algorithm {\r
+ description\r
+ "A base identity for hash algorithm verification.";\r
+ }\r
+\r
+ identity sha-224 {\r
+ base hash-algorithm;\r
+ description\r
+ "The SHA-224 algorithm.";\r
+ reference\r
+ "RFC 6234: US Secure Hash Algorithms.";\r
+ }\r
+ identity sha-256 {\r
+ base hash-algorithm;\r
+ description\r
+ "The SHA-256 algorithm.";\r
+ reference\r
+ "RFC 6234: US Secure Hash Algorithms.";\r
+ }\r
+\r
+ identity sha-384 {\r
+ base hash-algorithm;\r
+ description\r
+ "The SHA-384 algorithm.";\r
+ reference\r
+ "RFC 6234: US Secure Hash Algorithms.";\r
+ }\r
+\r
+ identity sha-512 {\r
+ base hash-algorithm;\r
+ description\r
+ "The SHA-512 algorithm.";\r
+ reference\r
+ "RFC 6234: US Secure Hash Algorithms.";\r
+ }\r
+\r
+ /***********************************************/\r
+ /* Identities for Asymmetric Key Algorithms */\r
+ /***********************************************/\r
+\r
+ identity asymmetric-key-algorithm {\r
+ description\r
+ "Base identity from which all asymmetric key\r
+ encryption Algorithm.";\r
+ }\r
+\r
+ identity rsa1024 {\r
+ base asymmetric-key-algorithm;\r
+ description\r
+ "The RSA algorithm using a 1024-bit key.";\r
+ reference\r
+ "RFC 8017:\r
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";\r
+ }\r
+\r
+ identity rsa2048 {\r
+ base asymmetric-key-algorithm;\r
+ description\r
+ "The RSA algorithm using a 2048-bit key.";\r
+ reference\r
+ "RFC 8017:\r
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";\r
+ }\r
+\r
+ identity rsa3072 {\r
+ base asymmetric-key-algorithm;\r
+ description\r
+ "The RSA algorithm using a 3072-bit key.";\r
+ reference\r
+ "RFC 8017:\r
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";\r
+ }\r
+\r
+ identity rsa4096 {\r
+ base asymmetric-key-algorithm;\r
+ description\r
+ "The RSA algorithm using a 4096-bit key.";\r
+ reference\r
+ "RFC 8017:\r
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";\r
+ }\r
+\r
+ identity rsa7680 {\r
+ base asymmetric-key-algorithm;\r
+ description\r
+ "The RSA algorithm using a 7680-bit key.";\r
+ reference\r
+ "RFC 8017:\r
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";\r
+ }\r
+\r
+ identity rsa15360 {\r
+ base asymmetric-key-algorithm;\r
+ description\r
+ "The RSA algorithm using a 15360-bit key.";\r
+ reference\r
+ "RFC 8017:\r
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";\r
+ }\r
+\r
+ identity secp192r1 {\r
+ base asymmetric-key-algorithm;\r
+ description\r
+ "The ECDSA algorithm using a NIST P256 Curve.";\r
+ reference\r
+ "RFC 6090:\r
+ Fundamental Elliptic Curve Cryptography Algorithms.";\r
+ }\r
+ identity secp224r1 {\r
+ base asymmetric-key-algorithm;\r
+ description\r
+ "The ECDSA algorithm using a NIST P256 Curve.";\r
+ reference\r
+ "RFC 6090:\r
+ Fundamental Elliptic Curve Cryptography Algorithms.";\r
+ }\r
+\r
+ identity secp256r1 {\r
+ base asymmetric-key-algorithm;\r
+ description\r
+ "The ECDSA algorithm using a NIST P256 Curve.";\r
+ reference\r
+ "RFC 6090:\r
+ Fundamental Elliptic Curve Cryptography Algorithms.";\r
+ }\r
+\r
+ identity secp384r1 {\r
+ base asymmetric-key-algorithm;\r
+ description\r
+ "The ECDSA algorithm using a NIST P256 Curve.";\r
+ reference\r
+ "RFC 6090:\r
+ Fundamental Elliptic Curve Cryptography Algorithms.";\r
+ }\r
+\r
+ identity secp521r1 {\r
+ base asymmetric-key-algorithm;\r
+ description\r
+ "The ECDSA algorithm using a NIST P256 Curve.";\r
+ reference\r
+ "RFC 6090:\r
+ Fundamental Elliptic Curve Cryptography Algorithms.";\r
+ }\r
+\r
+ /*************************************/\r
+ /* Identities for MAC Algorithms */\r
+ /*************************************/\r
+\r
+ identity mac-algorithm {\r
+ description\r
+ "A base identity for mac generation.";\r
+ }\r
+\r
+ identity hmac-sha1 {\r
+ base mac-algorithm;\r
+ description\r
+ "Generating MAC using SHA1 hash function";\r
+ reference\r
+ "RFC 3174: US Secure Hash Algorithm 1 (SHA1)";\r
+ }\r
+\r
+ identity hmac-sha1-96 {\r
+ base mac-algorithm;\r
+ description\r
+ "Generating MAC using SHA1 hash function";\r
+ reference\r
+ "RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH";\r
+ }\r
+\r
+ identity hmac-sha2-224 {\r
+ base mac-algorithm;\r
+ description\r
+ "Generating MAC using SHA2 hash function";\r
+ reference\r
+ "RFC 6234:\r
+ US Secure Hash Algorithms (SHA and SHA-based HMAC and\r
+ HKDF)";\r
+ }\r
+\r
+ identity hmac-sha2-256 {\r
+ base mac-algorithm;\r
+ description\r
+ "Generating MAC using SHA2 hash function";\r
+ reference\r
+ "RFC 6234:\r
+ US Secure Hash Algorithms (SHA and SHA-based HMAC and\r
+ HKDF)";\r
+ }\r
+\r
+ identity hmac-sha2-256-128 {\r
+ base mac-algorithm;\r
+ description\r
+ "Generating a 256 bits MAC using SHA2 hash function and\r
+ truncate it to 128 bits";\r
+ reference\r
+ "RFC 4868:\r
+ Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512\r
+ with IPsec";\r
+ }\r
+\r
+ identity hmac-sha2-384 {\r
+ base mac-algorithm;\r
+ description\r
+ "Generating MAC using SHA2 hash function";\r
+ reference\r
+ "RFC 6234:\r
+ US Secure Hash Algorithms (SHA and SHA-based HMAC and\r
+ HKDF)";\r
+ }\r
+\r
+ identity hmac-sha2-384-192 {\r
+ base mac-algorithm;\r
+ description\r
+ "Generating a 384 bits MAC using SHA2 hash function and\r
+ truncate it to 192 bits";\r
+ reference\r
+ "RFC 4868:\r
+ Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with\r
+ IPsec";\r
+ }\r
+\r
+ identity hmac-sha2-512 {\r
+ base mac-algorithm;\r
+ description\r
+ "Generating MAC using SHA2 hash function";\r
+ reference\r
+ "RFC 6234:\r
+ US Secure Hash Algorithms (SHA and SHA-based HMAC and\r
+ HKDF)";\r
+ }\r
+\r
+ identity hmac-sha2-512-256 {\r
+ base mac-algorithm;\r
+ description\r
+ "Generating a 512 bits MAC using SHA2 hash function and\r
+ truncating it to 256 bits";\r
+ reference\r
+ "RFC 4868:\r
+ Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with\r
+ IPsec";\r
+ }\r
+\r
+ identity aes-128-gmac {\r
+ base mac-algorithm;\r
+ description\r
+ "Generating MAC using the Advanced Encryption Standard (AES)\r
+ Galois Message Authentication Code (GMAC) as a mechanism to\r
+ provide data origin authentication";\r
+ reference\r
+ "RFC 4543:\r
+ The Use of Galois Message Authentication Code (GMAC) in\r
+ IPsec ESP and AH";\r
+ }\r
+\r
+ identity aes-192-gmac {\r
+ base mac-algorithm;\r
+ description\r
+ "Generating MAC using the Advanced Encryption Standard (AES)\r
+ Galois Message Authentication Code (GMAC) as a mechanism to\r
+ provide data origin authentication";\r
+ reference\r
+ "RFC 4543:\r
+ The Use of Galois Message Authentication Code (GMAC) in\r
+ IPsec ESP and AH";\r
+ }\r
+\r
+ identity aes-256-gmac {\r
+ base mac-algorithm;\r
+ description\r
+ "Generating MAC using the Advanced Encryption Standard (AES)\r
+ Galois Message Authentication Code (GMAC) as a mechanism to\r
+ provide data origin authentication";\r
+ reference\r
+ "RFC 4543:\r
+ The Use of Galois Message Authentication Code (GMAC) in\r
+ IPsec ESP and AH";\r
+ }\r
+\r
+ identity aes-cmac-96 {\r
+ base mac-algorithm;\r
+ description\r
+ "Generating MAC using Advanced Encryption Standard (AES)\r
+ Cipher-based Message Authentication Code (CMAC)";\r
+ reference\r
+ "RFC 4494: The AES-CMAC-96 Algorithm and its Use with IPsec";\r
+ }\r
+\r
+ identity aes-cmac-128 {\r
+ base mac-algorithm;\r
+ description\r
+ "Generating MAC using Advanced Encryption Standard (AES)\r
+ Cipher-based Message Authentication Code (CMAC)";\r
+ reference\r
+ "RFC 4493: The AES-CMAC Algorithm";\r
+ }\r
+\r
+ /********************************************/\r
+ /* Identities for Encryption Algorithms */\r
+ /********************************************/\r
+\r
+ identity encryption-algorithm {\r
+ description\r
+ "A base identity for encryption algorithm.";\r
+ }\r
+\r
+ identity aes-128-cbc {\r
+ base encryption-algorithm;\r
+ description\r
+ "Encrypt message with AES algorithm in CBC mode with a key\r
+ length of 128 bits";\r
+ reference\r
+ "RFC 3565:\r
+ Use of the Advanced Encryption Standard (AES) Encryption\r
+ Algorithm in Cryptographic Message Syntax (CMS)";\r
+ }\r
+\r
+ identity aes-192-cbc {\r
+ base encryption-algorithm;\r
+ description\r
+ "Encrypt message with AES algorithm in CBC mode with a key\r
+ length of 192 bits";\r
+ reference\r
+ "RFC 3565:\r
+ Use of the Advanced Encryption Standard (AES) Encryption\r
+ Algorithm in Cryptographic Message Syntax (CMS)";\r
+ }\r
+\r
+ identity aes-256-cbc {\r
+ base encryption-algorithm;\r
+ description\r
+ "Encrypt message with AES algorithm in CBC mode with a key\r
+ length of 256 bits";\r
+ reference\r
+ "RFC 3565:\r
+ Use of the Advanced Encryption Standard (AES) Encryption\r
+ Algorithm in Cryptographic Message Syntax (CMS)";\r
+ }\r
+\r
+ identity aes-128-ctr {\r
+ base encryption-algorithm;\r
+ description\r
+ "Encrypt message with AES algorithm in CTR mode with a key\r
+ length of 128 bits";\r
+ reference\r
+ "RFC 3686:\r
+ Using Advanced Encryption Standard (AES) Counter Mode with\r
+ IPsec Encapsulating Security Payload (ESP)";\r
+ }\r
+ identity aes-192-ctr {\r
+ base encryption-algorithm;\r
+ description\r
+ "Encrypt message with AES algorithm in CTR mode with a key\r
+ length of 192 bits";\r
+ reference\r
+ "RFC 3686:\r
+ Using Advanced Encryption Standard (AES) Counter Mode with\r
+ IPsec Encapsulating Security Payload (ESP)";\r
+ }\r
+\r
+ identity aes-256-ctr {\r
+ base encryption-algorithm;\r
+ description\r
+ "Encrypt message with AES algorithm in CTR mode with a key\r
+ length of 256 bits";\r
+ reference\r
+ "RFC 3686:\r
+ Using Advanced Encryption Standard (AES) Counter Mode with\r
+ IPsec Encapsulating Security Payload (ESP)";\r
+ }\r
+\r
+ /****************************************************/\r
+ /* Identities for Encryption and MAC Algorithms */\r
+ /****************************************************/\r
+\r
+ identity encryption-and-mac-algorithm {\r
+ description\r
+ "A base identity for encryption and MAC algorithm.";\r
+ }\r
+\r
+ identity aes-128-ccm {\r
+ base encryption-and-mac-algorithm;\r
+ description\r
+ "Encrypt message with AES algorithm in CCM mode with a key\r
+ length of 128 bits; it can also be used for generating MAC";\r
+ reference\r
+ "RFC 4309:\r
+ Using Advanced Encryption Standard (AES) CCM Mode with\r
+ IPsec Encapsulating Security Payload (ESP)";\r
+ }\r
+\r
+ identity aes-192-ccm {\r
+ base encryption-and-mac-algorithm;\r
+ description\r
+ "Encrypt message with AES algorithm in CCM mode with a key\r
+ length of 192 bits; it can also be used for generating MAC";\r
+ reference\r
+ "RFC 4309:\r
+ Using Advanced Encryption Standard (AES) CCM Mode with\r
+ IPsec Encapsulating Security Payload (ESP)";\r
+ }\r
+\r
+ identity aes-256-ccm {\r
+ base encryption-and-mac-algorithm;\r
+ description\r
+ "Encrypt message with AES algorithm in CCM mode with a key\r
+ length of 256 bits; it can also be used for generating MAC";\r
+ reference\r
+ "RFC 4309:\r
+ Using Advanced Encryption Standard (AES) CCM Mode with\r
+ IPsec Encapsulating Security Payload (ESP)";\r
+ }\r
+\r
+ identity aes-128-gcm {\r
+ base encryption-and-mac-algorithm;\r
+ description\r
+ "Encrypt message with AES algorithm in GCM mode with a key\r
+ length of 128 bits; it can also be used for generating MAC";\r
+ reference\r
+ "RFC 4106:\r
+ The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating\r
+ Security Payload (ESP)";\r
+ }\r
+\r
+ identity aes-192-gcm {\r
+ base encryption-and-mac-algorithm;\r
+ description\r
+ "Encrypt message with AES algorithm in GCM mode with a key\r
+ length of 192 bits; it can also be used for generating MAC";\r
+ reference\r
+ "RFC 4106:\r
+ The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating\r
+ Security Payload (ESP)";\r
+ }\r
+\r
+ identity mac-aes-256-gcm {\r
+ base encryption-and-mac-algorithm;\r
+ description\r
+ "Encrypt message with AES algorithm in GCM mode with a key\r
+ length of 128 bits; it can also be used for generating MAC";\r
+ reference\r
+ "RFC 4106:\r
+ The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating\r
+ Security Payload (ESP)";\r
+ }\r
+ identity chacha20-poly1305 {\r
+ base encryption-and-mac-algorithm;\r
+ description\r
+ "Encrypt message with chacha20 algorithm and generate MAC with\r
+ POLY1305; it can also be used for generating MAC";\r
+ reference\r
+ "RFC 8439: ChaCha20 and Poly1305 for IETF Protocols";\r
+ }\r
+\r
+ /******************************************/\r
+ /* Identities for signature algorithm */\r
+ /******************************************/\r
+\r
+ identity signature-algorithm {\r
+ description\r
+ "A base identity for asymmetric key encryption algorithm.";\r
+ }\r
+\r
+ identity dsa-sha1 {\r
+ base signature-algorithm;\r
+ description\r
+ "The signature algorithm using DSA algorithm with SHA1 hash\r
+ algorithm";\r
+ reference\r
+ "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";\r
+ }\r
+\r
+ identity rsassa-pkcs1-sha1 {\r
+ base signature-algorithm;\r
+ description\r
+ "The signature algorithm using RSASSA-PKCS1-v1_5 with the SHA1\r
+ hash algorithm.";\r
+ reference\r
+ "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";\r
+ }\r
+\r
+ identity rsassa-pkcs1-sha256 {\r
+ base signature-algorithm;\r
+ description\r
+ "The signature algorithm using RSASSA-PKCS1-v1_5 with the\r
+ SHA256 hash algorithm.";\r
+ reference\r
+ "RFC 8332:\r
+ Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell\r
+ (SSH) Protocol\r
+ RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+ identity rsassa-pkcs1-sha384 {\r
+ base signature-algorithm;\r
+ description\r
+ "The signature algorithm using RSASSA-PKCS1-v1_5 with the\r
+ SHA384 hash algorithm.";\r
+ reference\r
+ "RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity rsassa-pkcs1-sha512 {\r
+ base signature-algorithm;\r
+ description\r
+ "The signature algorithm using RSASSA-PKCS1-v1_5 with the\r
+ SHA512 hash algorithm.";\r
+ reference\r
+ "RFC 8332:\r
+ Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell\r
+ (SSH) Protocol\r
+ RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity rsassa-pss-rsae-sha256 {\r
+ base signature-algorithm;\r
+ description\r
+ "The signature algorithm using RSASSA-PSS with mask generation\r
+ function 1 and SHA256 hash algorithm. If the public key is\r
+ carried in an X.509 certificate, it MUST use the rsaEncryption\r
+ OID";\r
+ reference\r
+ "RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity rsassa-pss-rsae-sha384 {\r
+ base signature-algorithm;\r
+ description\r
+ "The signature algorithm using RSASSA-PSS with mask generation\r
+ function 1 and SHA384 hash algorithm. If the public key is\r
+ carried in an X.509 certificate, it MUST use the rsaEncryption\r
+ OID";\r
+ reference\r
+ "RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity rsassa-pss-rsae-sha512 {\r
+ base signature-algorithm;\r
+ description\r
+ "The signature algorithm using RSASSA-PSS with mask generation\r
+ function 1 and SHA512 hash algorithm. If the public key is\r
+ carried in an X.509 certificate, it MUST use the rsaEncryption\r
+ OID";\r
+ reference\r
+ "RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity rsassa-pss-pss-sha256 {\r
+ base signature-algorithm;\r
+ description\r
+ "The signature algorithm using RSASSA-PSS with mask generation\r
+ function 1 and SHA256 hash algorithm. If the public key is\r
+ carried in an X.509 certificate, it MUST use the RSASSA-PSS\r
+ OID";\r
+ reference\r
+ "RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity rsassa-pss-pss-sha384 {\r
+ base signature-algorithm;\r
+ description\r
+ "The signature algorithm using RSASSA-PSS with mask generation\r
+ function 1 and SHA256 hash algorithm. If the public key is\r
+ carried in an X.509 certificate, it MUST use the RSASSA-PSS\r
+ OID";\r
+ reference\r
+ "RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity rsassa-pss-pss-sha512 {\r
+ base signature-algorithm;\r
+ description\r
+ "The signature algorithm using RSASSA-PSS with mask generation\r
+ function 1 and SHA256 hash algorithm. If the public key is\r
+ carried in an X.509 certificate, it MUST use the RSASSA-PSS\r
+ OID";\r
+ reference\r
+ "RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity ecdsa-secp256r1-sha256 {\r
+ base signature-algorithm;\r
+ description\r
+ "The signature algorithm using ECDSA with curve name secp256r1\r
+ and SHA256 hash algorithm.";\r
+ reference\r
+ "RFC 5656: Elliptic Curve Algorithm Integration in the\r
+ Secure Shell Transport Layer\r
+ RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity ecdsa-secp384r1-sha384 {\r
+ base signature-algorithm;\r
+ description\r
+ "The signature algorithm using ECDSA with curve name secp384r1\r
+ and SHA384 hash algorithm.";\r
+ reference\r
+ "RFC 5656: Elliptic Curve Algorithm Integration in the\r
+ Secure Shell Transport Layer\r
+ RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity ecdsa-secp521r1-sha512 {\r
+ base signature-algorithm;\r
+ description\r
+ "The signature algorithm using ECDSA with curve name secp521r1\r
+ and SHA512 hash algorithm.";\r
+ reference\r
+ "RFC 5656: Elliptic Curve Algorithm Integration in the\r
+ Secure Shell Transport Layer\r
+ RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity ed25519 {\r
+ base signature-algorithm;\r
+ description\r
+ "The signature algorithm using EdDSA as defined in RFC 8032 or\r
+ its successors.";\r
+ reference\r
+ "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)";\r
+ }\r
+\r
+ identity ed448 {\r
+ base signature-algorithm;\r
+ description\r
+ "The signature algorithm using EdDSA as defined in RFC 8032 or\r
+ its successors.";\r
+ reference\r
+ "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)";\r
+ }\r
+\r
+ identity eccsi {\r
+ base signature-algorithm;\r
+ description\r
+ "The signature algorithm using ECCSI signature as defined in\r
+ RFC 6507.";\r
+ reference\r
+ "RFC 6507:\r
+ Elliptic Curve-Based Certificateless Signatures for\r
+ Identity-based Encryption (ECCSI)";\r
+ }\r
+\r
+ /**********************************************/\r
+ /* Identities for key exchange algorithms */\r
+ /**********************************************/\r
+\r
+ identity key-exchange-algorithm {\r
+ description\r
+ "A base identity for Diffie-Hellman based key exchange\r
+ algorithm.";\r
+ }\r
+\r
+ identity psk-only {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Using Pre-shared key for authentication and key exchange";\r
+ reference\r
+ "RFC 4279:\r
+ Pre-Shared Key cipher suites for Transport Layer Security\r
+ (TLS)";\r
+ }\r
+\r
+ identity dhe-ffdhe2048 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Ephemeral Diffie Hellman key exchange with 2048 bit\r
+ finite field";\r
+ reference\r
+ "RFC 7919:\r
+ Negotiated Finite Field Diffie-Hellman Ephemeral Parameters\r
+ for Transport Layer Security (TLS)";\r
+ }\r
+\r
+ identity dhe-ffdhe3072 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Ephemeral Diffie Hellman key exchange with 3072 bit finite\r
+ field";\r
+ reference\r
+ "RFC 7919:\r
+ Negotiated Finite Field Diffie-Hellman Ephemeral Parameters\r
+ for Transport Layer Security (TLS)";\r
+ }\r
+\r
+ identity dhe-ffdhe4096 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Ephemeral Diffie Hellman key exchange with 4096 bit\r
+ finite field";\r
+ reference\r
+ "RFC 7919:\r
+ Negotiated Finite Field Diffie-Hellman Ephemeral Parameters\r
+ for Transport Layer Security (TLS)";\r
+ }\r
+\r
+ identity dhe-ffdhe6144 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Ephemeral Diffie Hellman key exchange with 6144 bit\r
+ finite field";\r
+ reference\r
+ "RFC 7919:\r
+ Negotiated Finite Field Diffie-Hellman Ephemeral Parameters\r
+ for Transport Layer Security (TLS)";\r
+ }\r
+\r
+ identity dhe-ffdhe8192 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Ephemeral Diffie Hellman key exchange with 8192 bit\r
+ finite field";\r
+ reference\r
+ "RFC 7919:\r
+ Negotiated Finite Field Diffie-Hellman Ephemeral Parameters\r
+ for Transport Layer Security (TLS)";\r
+ }\r
+\r
+ identity psk-dhe-ffdhe2048 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Key exchange using pre-shared key with Diffie-Hellman key\r
+ generation mechanism, where the DH group is FFDHE2048";\r
+ reference\r
+ "RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity psk-dhe-ffdhe3072 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Key exchange using pre-shared key with Diffie-Hellman key\r
+ generation mechanism, where the DH group is FFDHE3072";\r
+ reference\r
+ "RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity psk-dhe-ffdhe4096 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Key exchange using pre-shared key with Diffie-Hellman key\r
+ generation mechanism, where the DH group is FFDHE4096";\r
+ reference\r
+ "RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity psk-dhe-ffdhe6144 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Key exchange using pre-shared key with Diffie-Hellman key\r
+ generation mechanism, where the DH group is FFDHE6144";\r
+ reference\r
+ "RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity psk-dhe-ffdhe8192 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Key exchange using pre-shared key with Diffie-Hellman key\r
+ generation mechanism, where the DH group is FFDHE8192";\r
+ reference\r
+ "RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity ecdhe-secp256r1 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Ephemeral Diffie Hellman key exchange with elliptic group\r
+ over curve secp256r1";\r
+ reference\r
+ "RFC 8422:\r
+ Elliptic Curve Cryptography (ECC) Cipher Suites for\r
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";\r
+ }\r
+\r
+ identity ecdhe-secp384r1 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Ephemeral Diffie Hellman key exchange with elliptic group\r
+ over curve secp384r1";\r
+ reference\r
+ "RFC 8422:\r
+ Elliptic Curve Cryptography (ECC) Cipher Suites for\r
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";\r
+ }\r
+\r
+ identity ecdhe-secp521r1 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Ephemeral Diffie Hellman key exchange with elliptic group\r
+ over curve secp521r1";\r
+ reference\r
+ "RFC 8422:\r
+ Elliptic Curve Cryptography (ECC) Cipher Suites for\r
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";\r
+ }\r
+\r
+ identity ecdhe-x25519 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Ephemeral Diffie Hellman key exchange with elliptic group\r
+ over curve x25519";\r
+ reference\r
+ "RFC 8422:\r
+ Elliptic Curve Cryptography (ECC) Cipher Suites for\r
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";\r
+ }\r
+\r
+ identity ecdhe-x448 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Ephemeral Diffie Hellman key exchange with elliptic group\r
+ over curve x448";\r
+ reference\r
+ "RFC 8422:\r
+ Elliptic Curve Cryptography (ECC) Cipher Suites for\r
+ Transport Layer Security (TLS) Versions 1.2 and Earlier";\r
+ }\r
+\r
+ identity psk-ecdhe-secp256r1 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Key exchange using pre-shared key with elliptic group-based\r
+ Ephemeral Diffie Hellman key exchange over curve secp256r1";\r
+ reference\r
+ "RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity psk-ecdhe-secp384r1 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Key exchange using pre-shared key with elliptic group-based\r
+ Ephemeral Diffie Hellman key exchange over curve secp384r1";\r
+ reference\r
+ "RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity psk-ecdhe-secp521r1 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Key exchange using pre-shared key with elliptic group-based\r
+ Ephemeral Diffie Hellman key exchange over curve secp521r1";\r
+ reference\r
+ "RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity psk-ecdhe-x25519 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Key exchange using pre-shared key with elliptic group-based\r
+ Ephemeral Diffie Hellman key exchange over curve x25519";\r
+ reference\r
+ "RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity psk-ecdhe-x448 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Key exchange using pre-shared key with elliptic group-based\r
+ Ephemeral Diffie Hellman key exchange over curve x448";\r
+ reference\r
+ "RFC 8446:\r
+ The Transport Layer Security (TLS) Protocol Version 1.3";\r
+ }\r
+\r
+ identity diffie-hellman-group14-sha1 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Using DH group14 and SHA1 for key exchange";\r
+ reference\r
+ "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";\r
+ }\r
+\r
+ identity diffie-hellman-group14-sha256 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Using DH group14 and SHA256 for key exchange";\r
+ reference\r
+ "RFC 8268:\r
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)\r
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";\r
+ }\r
+\r
+ identity diffie-hellman-group15-sha512 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Using DH group15 and SHA512 for key exchange";\r
+ reference\r
+ "RFC 8268:\r
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)\r
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";\r
+ }\r
+\r
+ identity diffie-hellman-group16-sha512 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Using DH group16 and SHA512 for key exchange";\r
+ reference\r
+ "RFC 8268:\r
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)\r
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";\r
+ }\r
+\r
+ identity diffie-hellman-group17-sha512 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Using DH group17 and SHA512 for key exchange";\r
+\r
+ reference\r
+ "RFC 8268:\r
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)\r
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";\r
+ }\r
+\r
+ identity diffie-hellman-group18-sha512 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Using DH group18 and SHA512 for key exchange";\r
+ reference\r
+ "RFC 8268:\r
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)\r
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";\r
+ }\r
+\r
+ identity ecdh-sha2-secp256r1 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Elliptic curve-based Diffie Hellman key exchange over curve\r
+ secp256r1 and using SHA2 for MAC generation";\r
+ reference\r
+ "RFC 6239: Suite B Cryptographic Suites for Secure Shell\r
+ (SSH)";\r
+ }\r
+\r
+ identity ecdh-sha2-secp384r1 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "Elliptic curve-based Diffie Hellman key exchange over curve\r
+ secp384r1 and using SHA2 for MAC generation";\r
+ reference\r
+ "RFC 6239: Suite B Cryptographic Suites for Secure Shell\r
+ (SSH)";\r
+ }\r
+\r
+ identity rsaes-oaep {\r
+ base key-exchange-algorithm;\r
+ description\r
+ "RSAES-OAEP combines the RSAEP and RSADP primitives with the\r
+ EME-OAEP encoding method";\r
+ reference\r
+ "RFC 8017:\r
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";\r
+ }\r
+\r
+ identity rsaes-pkcs1-v1_5 {\r
+ base key-exchange-algorithm;\r
+ description\r
+ " RSAES-PKCS1-v1_5 combines the RSAEP and RSADP primitives\r
+ with the EME-PKCS1-v1_5 encoding method";\r
+ reference\r
+ "RFC 8017:\r
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";\r
+ }\r
+\r
+ /**********************************************************/\r
+ /* Typedefs for identityrefs to above base identities */\r
+ /**********************************************************/\r
+\r
+ typedef hash-algorithm-ref {\r
+ type identityref {\r
+ base hash-algorithm;\r
+ }\r
+ description\r
+ "This typedef enables importing modules to easily define an\r
+ identityref to the 'hash-algorithm' base identity.";\r
+ }\r
+\r
+ typedef signature-algorithm-ref {\r
+ type identityref {\r
+ base signature-algorithm;\r
+ }\r
+ description\r
+ "This typedef enables importing modules to easily define an\r
+ identityref to the 'signature-algorithm' base identity.";\r
+ }\r
+\r
+ typedef mac-algorithm-ref {\r
+ type identityref {\r
+ base mac-algorithm;\r
+ }\r
+ description\r
+ "This typedef enables importing modules to easily define an\r
+ identityref to the 'mac-algorithm' base identity.";\r
+ }\r
+\r
+ typedef encryption-algorithm-ref {\r
+ type identityref {\r
+ base encryption-algorithm;\r
+ }\r
+ description\r
+ "This typedef enables importing modules to easily define an\r
+ identityref to the 'encryption-algorithm'\r
+ base identity.";\r
+ }\r
+\r
+ typedef encryption-and-mac-algorithm-ref {\r
+ type identityref {\r
+ base encryption-and-mac-algorithm;\r
+ }\r
+ description\r
+ "This typedef enables importing modules to easily define an\r
+ identityref to the 'encryption-and-mac-algorithm'\r
+ base identity.";\r
+ }\r
+\r
+ typedef asymmetric-key-algorithm-ref {\r
+ type identityref {\r
+ base asymmetric-key-algorithm;\r
+ }\r
+ description\r
+ "This typedef enables importing modules to easily define an\r
+ identityref to the 'asymmetric-key-algorithm'\r
+ base identity.";\r
+ }\r
+\r
+ typedef key-exchange-algorithm-ref {\r
+ type identityref {\r
+ base key-exchange-algorithm;\r
+ }\r
+ description\r
+ "This typedef enables importing modules to easily define an\r
+ identityref to the 'key-exchange-algorithm' base identity.";\r
+ }\r
+\r
+ /***************************************************/\r
+ /* Typedefs for ASN.1 structures from RFC 5280 */\r
+ /***************************************************/\r
+\r
+ typedef x509 {\r
+ type binary;\r
+ description\r
+ "A Certificate structure, as specified in RFC 5280,\r
+ encoded using ASN.1 distinguished encoding rules (DER),\r
+ as specified in ITU-T X.690.";\r
+ reference\r
+ "RFC 5280:\r
+ Internet X.509 Public Key Infrastructure Certificate\r
+ and Certificate Revocation List (CRL) Profile\r
+ ITU-T X.690:\r
+ Information technology - ASN.1 encoding rules:\r
+ Specification of Basic Encoding Rules (BER),\r
+ Canonical Encoding Rules (CER) and Distinguished\r
+ Encoding Rules (DER).";\r
+ }\r
+\r
+ typedef crl {\r
+ type binary;\r
+ description\r
+ "A CertificateList structure, as specified in RFC 5280,\r
+ encoded using ASN.1 distinguished encoding rules (DER),\r
+ as specified in ITU-T X.690.";\r
+ reference\r
+ "RFC 5280:\r
+ Internet X.509 Public Key Infrastructure Certificate\r
+ and Certificate Revocation List (CRL) Profile\r
+ ITU-T X.690:\r
+ Information technology - ASN.1 encoding rules:\r
+ Specification of Basic Encoding Rules (BER),\r
+ Canonical Encoding Rules (CER) and Distinguished\r
+ Encoding Rules (DER).";\r
+ }\r
+\r
+ /***********************************************/\r
+ /* Typedefs for ASN.1 structures from 5652 */\r
+ /***********************************************/\r
+\r
+ typedef cms {\r
+ type binary;\r
+ description\r
+ "A ContentInfo structure, as specified in RFC 5652,\r
+ encoded using ASN.1 distinguished encoding rules (DER),\r
+ as specified in ITU-T X.690.";\r
+ reference\r
+ "RFC 5652:\r
+ Cryptographic Message Syntax (CMS)\r
+ ITU-T X.690:\r
+ Information technology - ASN.1 encoding rules:\r
+ Specification of Basic Encoding Rules (BER),\r
+ Canonical Encoding Rules (CER) and Distinguished\r
+ Encoding Rules (DER).";\r
+ }\r
+\r
+ typedef data-content-cms {\r
+ type cms;\r
+ description\r
+ "A CMS structure whose top-most content type MUST be the\r
+ data content type, as described by Section 4 in RFC 5652.";\r
+ reference\r
+ "RFC 5652: Cryptographic Message Syntax (CMS)";\r
+ }\r
+\r
+ typedef signed-data-cms {\r
+ type cms;\r
+ description\r
+ "A CMS structure whose top-most content type MUST be the\r
+ signed-data content type, as described by Section 5 in\r
+ RFC 5652.";\r
+ reference\r
+ "RFC 5652: Cryptographic Message Syntax (CMS)";\r
+ }\r
+\r
+ typedef enveloped-data-cms {\r
+ type cms;\r
+ description\r
+ "A CMS structure whose top-most content type MUST be the\r
+ enveloped-data content type, as described by Section 6\r
+ in RFC 5652.";\r
+ reference\r
+ "RFC 5652: Cryptographic Message Syntax (CMS)";\r
+ }\r
+\r
+ typedef digested-data-cms {\r
+ type cms;\r
+ description\r
+ "A CMS structure whose top-most content type MUST be the\r
+ digested-data content type, as described by Section 7\r
+ in RFC 5652.";\r
+ reference\r
+ "RFC 5652: Cryptographic Message Syntax (CMS)";\r
+ }\r
+\r
+ typedef encrypted-data-cms {\r
+ type cms;\r
+ description\r
+ "A CMS structure whose top-most content type MUST be the\r
+ encrypted-data content type, as described by Section 8\r
+ in RFC 5652.";\r
+ reference\r
+ "RFC 5652: Cryptographic Message Syntax (CMS)";\r
+ }\r
+\r
+ typedef authenticated-data-cms {\r
+ type cms;\r
+ description\r
+ "A CMS structure whose top-most content type MUST be the\r
+ authenticated-data content type, as described by Section 9\r
+ in RFC 5652.";\r
+ reference\r
+ "RFC 5652: Cryptographic Message Syntax (CMS)";\r
+ }\r
+\r
+ /***************************************************/\r
+ /* Typedefs for structures related to RFC 4253 */\r
+ /***************************************************/\r
+\r
+ typedef ssh-host-key {\r
+ type binary;\r
+ description\r
+ "The binary public key data for this SSH key, as\r
+ specified by RFC 4253, Section 6.6, i.e.:\r
+\r
+ string certificate or public key format\r
+ identifier\r
+ byte[n] key/certificate data.";\r
+ reference\r
+ "RFC 4253: The Secure Shell (SSH) Transport Layer\r
+ Protocol";\r
+ }\r
+\r
+ /*********************************************************/\r
+ /* Typedefs for ASN.1 structures related to RFC 5280 */\r
+ /*********************************************************/\r
+\r
+ typedef trust-anchor-cert-x509 {\r
+ type x509;\r
+ description\r
+ "A Certificate structure that MUST encode a self-signed\r
+ root certificate.";\r
+ }\r
+\r
+ typedef end-entity-cert-x509 {\r
+ type x509;\r
+ description\r
+ "A Certificate structure that MUST encode a certificate\r
+ that is neither self-signed nor having Basic constraint\r
+ CA true.";\r
+ }\r
+\r
+ /*********************************************************/\r
+ /* Typedefs for ASN.1 structures related to RFC 5652 */\r
+ /*********************************************************/\r
+\r
+ typedef trust-anchor-cert-cms {\r
+ type signed-data-cms;\r
+ description\r
+ "A CMS SignedData structure that MUST contain the chain of\r
+ X.509 certificates needed to authenticate the certificate\r
+ presented by a client or end-entity.\r
+\r
+ The CMS MUST contain only a single chain of certificates.\r
+ The client or end-entity certificate MUST only authenticate\r
+ to last intermediate CA certificate listed in the chain.\r
+\r
+ In all cases, the chain MUST include a self-signed root\r
+ certificate. In the case where the root certificate is\r
+ itself the issuer of the client or end-entity certificate,\r
+ only one certificate is present.\r
+\r
+ This CMS structure MAY (as applicable where this type is\r
+ used) also contain suitably fresh (as defined by local\r
+ policy) revocation objects with which the device can\r
+ verify the revocation status of the certificates.\r
+\r
+ This CMS encodes the degenerate form of the SignedData\r
+ structure that is commonly used to disseminate X.509\r
+ certificates and revocation objects (RFC 5280).";\r
+ reference\r
+ "RFC 5280:\r
+ Internet X.509 Public Key Infrastructure Certificate\r
+ and Certificate Revocation List (CRL) Profile.";\r
+ }\r
+\r
+ typedef end-entity-cert-cms {\r
+ type signed-data-cms;\r
+ description\r
+ "A CMS SignedData structure that MUST contain the end\r
+ entity certificate itself, and MAY contain any number\r
+ of intermediate certificates leading up to a trust\r
+ anchor certificate. The trust anchor certificate\r
+ MAY be included as well.\r
+\r
+ The CMS MUST contain a single end entity certificate.\r
+ The CMS MUST NOT contain any spurious certificates.\r
+\r
+ This CMS structure MAY (as applicable where this type is\r
+ used) also contain suitably fresh (as defined by local\r
+ policy) revocation objects with which the device can\r
+ verify the revocation status of the certificates.\r
+\r
+ This CMS encodes the degenerate form of the SignedData\r
+ structure that is commonly used to disseminate X.509\r
+ certificates and revocation objects (RFC 5280).";\r
+ reference\r
+ "RFC 5280:\r
+ Internet X.509 Public Key Infrastructure Certificate\r
+ and Certificate Revocation List (CRL) Profile.";\r
+ }\r
+\r
+ /**********************************************/\r
+ /* Groupings for keys and/or certificates */\r
+ /**********************************************/\r
+\r
+ grouping public-key-grouping {\r
+ description\r
+ "A public key.\r
+\r
+ The 'algorithm' and 'public-key' nodes are not\r
+ mandatory because they MAY be defined in <operational>.\r
+ Implementations SHOULD assert that these values are\r
+ either configured or that they exist in <operational>.";\r
+ leaf algorithm {\r
+ nacm:default-deny-write;\r
+ type asymmetric-key-algorithm-ref;\r
+ must '../public-key';\r
+ description\r
+ "Identifies the key's algorithm. More specifically,\r
+ this leaf specifies how the 'public-key' binary leaf\r
+ is encoded.";\r
+ reference\r
+ "RFC CCCC: Common YANG Data Types for Cryptography";\r
+ }\r
+ leaf public-key {\r
+ nacm:default-deny-write;\r
+ type binary;\r
+ must '../algorithm';\r
+ description\r
+ "A binary that contains the value of the public key. The\r
+ interpretation of the content is defined by the key\r
+ algorithm. For example, a DSA key is an integer, an RSA\r
+ key is represented as RSAPublicKey as defined in\r
+ RFC 8017, and an Elliptic Curve Cryptography (ECC) key\r
+ is represented using the 'publicKey' described in\r
+ RFC 5915.";\r
+ reference\r
+ "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:\r
+ RSA Cryptography Specifications Version 2.2.\r
+ RFC 5915: Elliptic Curve Private Key Structure.";\r
+ }\r
+ }\r
+\r
+ grouping asymmetric-key-pair-grouping {\r
+ description\r
+ "A private/public key pair.\r
+ The 'algorithm', 'public-key', and 'private-key' nodes are\r
+ not mandatory because they MAY be defined in <operational>.\r
+ Implementations SHOULD assert that these values are either\r
+ configured or that they exist in <operational>.";\r
+ uses public-key-grouping;\r
+ leaf private-key {\r
+ nacm:default-deny-all;\r
+ type union {\r
+ type binary;\r
+ type enumeration {\r
+ enum permanently-hidden {\r
+ description\r
+ "The private key is inaccessible due to being\r
+ protected by the system (e.g., a cryptographic\r
+ hardware module).\r
+\r
+ How such keys are backed-up and restored, if\r
+ at all, is implementation specific.\r
+\r
+ Servers MUST fail any attempt by a client to\r
+ configure this value directly. This value is\r
+ not set by clients, but rather is set by the\r
+ 'generate-hidden-key' and 'install-hidden-key'\r
+ actions.";\r
+ }\r
+ }\r
+ }\r
+ must '../public-key';\r
+ description\r
+ "A binary that contains the value of the private key. The\r
+ interpretation of the content is defined by the key\r
+ algorithm. For example, a DSA key is an integer, an RSA\r
+ key is represented as RSAPrivateKey as defined in\r
+ RFC 8017, and an Elliptic Curve Cryptography (ECC) key\r
+ is represented as ECPrivateKey as defined in RFC 5915.";\r
+ reference\r
+ "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:\r
+ RSA Cryptography Specifications Version 2.2.\r
+ RFC 5915: Elliptic Curve Private Key Structure.";\r
+ } // private-key\r
+\r
+ action generate-hidden-key {\r
+ nacm:default-deny-all;\r
+ description\r
+ "Requests the device to generate a hidden key using the\r
+ specified asymmetric key algorithm. This action is\r
+ used to request the system to generate a key that is\r
+ 'permanently-hidden', perhaps protected by a cryptographic\r
+ hardware module. The resulting asymmetric key values are\r
+ considered operational state and hence present only in\r
+ <operational> and bound to the lifetime of the parent\r
+ 'config true' node. Subsequent invocations of this or\r
+ the 'install-hidden-key' action are denied with error-tag\r
+ 'data-exists'.";\r
+ input {\r
+ leaf algorithm {\r
+ type asymmetric-key-algorithm-ref;\r
+ mandatory true;\r
+ description\r
+ "The algorithm to be used when generating the\r
+ asymmetric key.";\r
+ reference\r
+ "RFC CCCC: Common YANG Data Types for Cryptography";\r
+ }\r
+ }\r
+ } // generate-hidden-key\r
+\r
+ action install-hidden-key {\r
+ nacm:default-deny-all;\r
+ description\r
+ "Requests the device to load the specified values into\r
+ a hidden key. The resulting asymmetric key values are\r
+ considered operational state and hence present only in\r
+ <operational> and bound to the lifetime of the parent\r
+ 'config true' node. Subsequent invocations of this\r
+ or the 'generate-hidden-key' action are denied with\r
+ error-tag 'data-exists'.";\r
+ input {\r
+ leaf algorithm {\r
+ type asymmetric-key-algorithm-ref;\r
+ mandatory true;\r
+ description\r
+ "The algorithm to be used when generating the\r
+ asymmetric key.";\r
+ reference\r
+ "RFC CCCC: Common YANG Data Types for Cryptography";\r
+ }\r
+ leaf public-key {\r
+ type binary;\r
+ description\r
+ "A binary that contains the value of the public key.\r
+ The interpretation of the content is defined by the key\r
+ algorithm. For example, a DSA key is an integer, an\r
+ RSA key is represented as RSAPublicKey as defined in\r
+ RFC 8017, and an Elliptic Curve Cryptography (ECC) key\r
+ is represented using the 'publicKey' described in\r
+ RFC 5915.";\r
+ reference\r
+ "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:\r
+ RSA Cryptography Specifications Version 2.2.\r
+ RFC 5915: Elliptic Curve Private Key Structure.";\r
+ }\r
+ leaf private-key {\r
+ type binary;\r
+ description\r
+ "A binary that contains the value of the private key.\r
+ The interpretation of the content is defined by the key\r
+ algorithm. For example, a DSA key is an integer, an RSA\r
+ key is represented as RSAPrivateKey as defined in\r
+ RFC 8017, and an Elliptic Curve Cryptography (ECC) key\r
+ is represented as ECPrivateKey as defined in RFC 5915.";\r
+ reference\r
+ "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:\r
+ RSA Cryptography Specifications Version 2.2.\r
+ RFC 5915: Elliptic Curve Private Key Structure.";\r
+ }\r
+ }\r
+ } // install-hidden-key\r
+ } // asymmetric-key-pair-grouping\r
+\r
+\r
+ grouping trust-anchor-cert-grouping {\r
+ description\r
+ "A trust anchor certificate, and a notification for when\r
+ it is about to (or already has) expire.";\r
+ leaf cert {\r
+ nacm:default-deny-write;\r
+ type trust-anchor-cert-cms;\r
+ description\r
+ "The binary certificate data for this certificate.";\r
+ reference\r
+ "RFC YYYY: Common YANG Data Types for Cryptography";\r
+ }\r
+ notification certificate-expiration {\r
+ description\r
+ "A notification indicating that the configured certificate\r
+ is either about to expire or has already expired. When to\r
+ send notifications is an implementation specific decision,\r
+ but it is RECOMMENDED that a notification be sent once a\r
+ month for 3 months, then once a week for four weeks, and\r
+ then once a day thereafter until the issue is resolved.";\r
+ leaf expiration-date {\r
+ type yang:date-and-time;\r
+ mandatory true;\r
+ description\r
+ "Identifies the expiration date on the certificate.";\r
+ }\r
+ }\r
+ }\r
+\r
+ grouping trust-anchor-certs-grouping {\r
+ description\r
+ "A list of trust anchor certificates, and a notification\r
+ for when one is about to (or already has) expire.";\r
+ leaf-list cert {\r
+ nacm:default-deny-write;\r
+ type trust-anchor-cert-cms;\r
+ description\r
+ "The binary certificate data for this certificate.";\r
+ reference\r
+ "RFC YYYY: Common YANG Data Types for Cryptography";\r
+ }\r
+ notification certificate-expiration {\r
+ description\r
+ "A notification indicating that the configured certificate\r
+ is either about to expire or has already expired. When to\r
+ send notifications is an implementation specific decision,\r
+ but it is RECOMMENDED that a notification be sent once a\r
+ month for 3 months, then once a week for four weeks, and\r
+ then once a day thereafter until the issue is resolved.";\r
+ leaf expiration-date {\r
+ type yang:date-and-time;\r
+ mandatory true;\r
+ description\r
+ "Identifies the expiration date on the certificate.";\r
+ }\r
+ }\r
+ }\r
+\r
+ grouping end-entity-cert-grouping {\r
+ description\r
+ "An end entity certificate, and a notification for when\r
+ it is about to (or already has) expire.";\r
+ leaf cert {\r
+ nacm:default-deny-write;\r
+ type end-entity-cert-cms;\r
+ description\r
+ "The binary certificate data for this certificate.";\r
+ reference\r
+ "RFC YYYY: Common YANG Data Types for Cryptography";\r
+ }\r
+ notification certificate-expiration {\r
+ description\r
+ "A notification indicating that the configured certificate\r
+ is either about to expire or has already expired. When to\r
+ send notifications is an implementation specific decision,\r
+ but it is RECOMMENDED that a notification be sent once a\r
+ month for 3 months, then once a week for four weeks, and\r
+ then once a day thereafter until the issue is resolved.";\r
+ leaf expiration-date {\r
+ type yang:date-and-time;\r
+ mandatory true;\r
+ description\r
+ "Identifies the expiration date on the certificate.";\r
+ }\r
+ }\r
+ }\r
+\r
+ grouping end-entity-certs-grouping {\r
+ description\r
+ "A list of end entity certificates, and a notification for\r
+ when one is about to (or already has) expire.";\r
+ leaf-list cert {\r
+ nacm:default-deny-write;\r
+ type end-entity-cert-cms;\r
+ description\r
+ "The binary certificate data for this certificate.";\r
+ reference\r
+ "RFC YYYY: Common YANG Data Types for Cryptography";\r
+ }\r
+ notification certificate-expiration {\r
+ description\r
+ "A notification indicating that the configured certificate\r
+ is either about to expire or has already expired. When to\r
+ send notifications is an implementation specific decision,\r
+ but it is RECOMMENDED that a notification be sent once a\r
+ month for 3 months, then once a week for four weeks, and\r
+ then once a day thereafter until the issue is resolved.";\r
+ leaf expiration-date {\r
+ type yang:date-and-time;\r
+ mandatory true;\r
+ description\r
+ "Identifies the expiration date on the certificate.";\r
+ }\r
+ }\r
+ }\r
+\r
+ grouping asymmetric-key-pair-with-cert-grouping {\r
+ description\r
+ "A private/public key pair and an associated certificate.";\r
+ uses asymmetric-key-pair-grouping;\r
+ uses end-entity-cert-grouping;\r
+\r
+ action generate-certificate-signing-request {\r
+ nacm:default-deny-all;\r
+ description\r
+ "Generates a certificate signing request structure for\r
+ the associated asymmetric key using the passed subject\r
+ and attribute values. The specified assertions need\r
+ to be appropriate for the certificate's use. For\r
+ example, an entity certificate for a TLS server\r
+ SHOULD have values that enable clients to satisfy\r
+ RFC 6125 processing.";\r
+ input {\r
+ leaf subject {\r
+ type binary;\r
+ mandatory true;\r
+ description\r
+ "The 'subject' field per the CertificationRequestInfo\r
+ structure as specified by RFC 2986, Section 4.1\r
+ encoded using the ASN.1 distinguished encoding\r
+ rules (DER), as specified in ITU-T X.690.";\r
+ reference\r
+ "RFC 2986:\r
+ PKCS #10: Certification Request Syntax\r
+ Specification Version 1.7.\r
+ ITU-T X.690:\r
+ Information technology - ASN.1 encoding rules:\r
+ Specification of Basic Encoding Rules (BER),\r
+ Canonical Encoding Rules (CER) and Distinguished\r
+ Encoding Rules (DER).";\r
+ }\r
+ leaf attributes {\r
+ type binary;\r
+ description\r
+ "The 'attributes' field from the structure\r
+ CertificationRequestInfo as specified by RFC 2986,\r
+ Section 4.1 encoded using the ASN.1 distinguished\r
+ encoding rules (DER), as specified in ITU-T X.690.";\r
+ reference\r
+ "RFC 2986:\r
+ PKCS #10: Certification Request Syntax\r
+ Specification Version 1.7.\r
+ ITU-T X.690:\r
+ Information technology - ASN.1 encoding rules:\r
+ Specification of Basic Encoding Rules (BER),\r
+ Canonical Encoding Rules (CER) and Distinguished\r
+ Encoding Rules (DER).";\r
+ }\r
+ }\r
+ output {\r
+ leaf certificate-signing-request {\r
+ type binary;\r
+ mandatory true;\r
+ description\r
+ "A CertificationRequest structure as specified by\r
+ RFC 2986, Section 4.2 encoded using the ASN.1\r
+ distinguished encoding rules (DER), as specified\r
+ in ITU-T X.690.";\r
+ reference\r
+ "RFC 2986:\r
+ PKCS #10: Certification Request Syntax\r
+ Specification Version 1.7.\r
+ ITU-T X.690:\r
+ Information technology - ASN.1 encoding rules:\r
+ Specification of Basic Encoding Rules (BER),\r
+ Canonical Encoding Rules (CER) and Distinguished\r
+ Encoding Rules (DER).";\r
+ }\r
+ }\r
+ } // generate-certificate-signing-request\r
+ } // asymmetric-key-pair-with-cert-grouping\r
+\r
+\r
+ grouping asymmetric-key-pair-with-certs-grouping {\r
+ description\r
+ "A private/public key pair and associated certificates.";\r
+ uses asymmetric-key-pair-grouping;\r
+ container certificates {\r
+ nacm:default-deny-write;\r
+ description\r
+ "Certificates associated with this asymmetric key.\r
+ More than one certificate supports, for instance,\r
+ a TPM-protected asymmetric key that has both IDevID\r
+ and LDevID certificates associated.";\r
+ list certificate {\r
+ key "name";\r
+ description\r
+ "A certificate for this asymmetric key.";\r
+ leaf name {\r
+ type string;\r
+ description\r
+ "An arbitrary name for the certificate. If the name\r
+ matches the name of a certificate that exists\r
+ independently in <operational> (i.e., an IDevID),\r
+ then the 'cert' node MUST NOT be configured.";\r
+ }\r
+ uses end-entity-cert-grouping;\r
+ }\r
+ } // certificates\r
+\r
+ action generate-certificate-signing-request {\r
+ nacm:default-deny-all;\r
+ description\r
+ "Generates a certificate signing request structure for\r
+ the associated asymmetric key using the passed subject\r
+ and attribute values. The specified assertions need\r
+ to be appropriate for the certificate's use. For\r
+ example, an entity certificate for a TLS server\r
+ SHOULD have values that enable clients to satisfy\r
+ RFC 6125 processing.";\r
+ input {\r
+ leaf subject {\r
+ type binary;\r
+ mandatory true;\r
+ description\r
+ "The 'subject' field per the CertificationRequestInfo\r
+ structure as specified by RFC 2986, Section 4.1\r
+ encoded using the ASN.1 distinguished encoding\r
+ rules (DER), as specified in ITU-T X.690.";\r
+ reference\r
+ "RFC 2986:\r
+ PKCS #10: Certification Request Syntax\r
+ Specification Version 1.7.\r
+ ITU-T X.690:\r
+ Information technology - ASN.1 encoding rules:\r
+ Specification of Basic Encoding Rules (BER),\r
+ Canonical Encoding Rules (CER) and Distinguished\r
+ Encoding Rules (DER).";\r
+ }\r
+ leaf attributes {\r
+ type binary;\r
+ description\r
+ "The 'attributes' field from the structure\r
+ CertificationRequestInfo as specified by RFC 2986,\r
+ Section 4.1 encoded using the ASN.1 distinguished\r
+ encoding rules (DER), as specified in ITU-T X.690.";\r
+ reference\r
+ "RFC 2986:\r
+ PKCS #10: Certification Request Syntax\r
+ Specification Version 1.7.\r
+ ITU-T X.690:\r
+ Information technology - ASN.1 encoding rules:\r
+ Specification of Basic Encoding Rules (BER),\r
+ Canonical Encoding Rules (CER) and Distinguished\r
+ Encoding Rules (DER).";\r
+ }\r
+ }\r
+ output {\r
+ leaf certificate-signing-request {\r
+ type binary;\r
+ mandatory true;\r
+ description\r
+ "A CertificationRequest structure as specified by\r
+ RFC 2986, Section 4.2 encoded using the ASN.1\r
+ distinguished encoding rules (DER), as specified\r
+ in ITU-T X.690.";\r
+ reference\r
+ "RFC 2986:\r
+ PKCS #10: Certification Request Syntax\r
+ Specification Version 1.7.\r
+ ITU-T X.690:\r
+ Information technology - ASN.1 encoding rules:\r
+ Specification of Basic Encoding Rules (BER),\r
+ Canonical Encoding Rules (CER) and Distinguished\r
+ Encoding Rules (DER).";\r
+ }\r
+ }\r
+ } // generate-certificate-signing-request\r
+ } // asymmetric-key-pair-with-certs-grouping\r
+}\r