-module ietf-crypto-types {
- yang-version 1.1;
- namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";
- prefix ct;
-
- import ietf-yang-types {
- prefix yang;
- reference
- "RFC 6991: Common YANG Data Types";
- }
-
- import ietf-netconf-acm {
- prefix nacm;
- reference
- "RFC 8341: Network Configuration Access Control Model";
- }
-
- organization
- "IETF NETCONF (Network Configuration) Working Group";
- contact
- "WG Web: <http://datatracker.ietf.org/wg/netconf/>
- WG List: <mailto:netconf@ietf.org>
- Author: Kent Watsen <mailto:kent+ietf@watsen.net>
- Author: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>";
-
- description
- "This module defines common YANG types for cryptographic
- applications.
-
- Copyright (c) 2019 IETF Trust and the persons identified
- as authors of the code. All rights reserved.
-
- Redistribution and use in source and binary forms, with
- or without modification, is permitted pursuant to, and
- subject to the license terms contained in, the Simplified
- BSD License set forth in Section 4.c of the IETF Trust's
- Legal Provisions Relating to IETF Documents
- (https://trustee.ietf.org/license-info).
-
- This version of this YANG module is part of RFC XXXX
- (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
- itself for full legal notices.;
-
- The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
- 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
- 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
- are to be interpreted as described in BCP 14 (RFC 2119)
- (RFC 8174) when, and only when, they appear in all
- capitals, as shown here.";
-
- revision 2019-10-18 {
- description
- "Initial version";
- reference
- "RFC XXXX: Common YANG Data Types for Cryptography";
- }
-
- /**************************************/
- /* Identities for Hash Algorithms */
- /**************************************/
-
- typedef hash-algorithm-t {
- type union {
- type uint16;
- type enumeration {
- enum NONE {
- value 0;
- description
- "Hash algorithm is NULL.";
- }
- enum sha1 {
- value 1;
- status obsolete;
- description
- "The SHA1 algorithm.";
- reference
- "RFC 3174: US Secure Hash Algorithms 1 (SHA1).";
- }
- enum sha-224 {
- value 2;
- description
- "The SHA-224 algorithm.";
- reference
- "RFC 6234: US Secure Hash Algorithms.";
- }
- enum sha-256 {
- value 3;
- description
- "The SHA-256 algorithm.";
- reference
- "RFC 6234: US Secure Hash Algorithms.";
- }
- enum sha-384 {
- value 4;
- description
- "The SHA-384 algorithm.";
- reference
- "RFC 6234: US Secure Hash Algorithms.";
- }
- enum sha-512 {
- value 5;
- description
- "The SHA-512 algorithm.";
- reference
- "RFC 6234: US Secure Hash Algorithms.";
- }
- enum shake-128 {
- value 6;
- description
- "The SHA3 algorithm with 128-bits output.";
- reference
- "National Institute of Standards and Technology,
- SHA-3 Standard: Permutation-Based Hash and
- Extendable-Output Functions, FIPS PUB 202, DOI
- 10.6028/NIST.FIPS.202, August 2015.";
- }
- enum shake-224 {
- value 7;
- description
- "The SHA3 algorithm with 224-bits output.";
- reference
- "National Institute of Standards and Technology,
- SHA-3 Standard: Permutation-Based Hash and
- Extendable-Output Functions, FIPS PUB 202, DOI
- 10.6028/NIST.FIPS.202, August 2015.";
- }
- enum shake-256 {
- value 8;
- description
- "The SHA3 algorithm with 256-bits output.";
- reference
- "National Institute of Standards and Technology,
- SHA-3 Standard: Permutation-Based Hash and
- Extendable-Output Functions, FIPS PUB 202, DOI
- 10.6028/NIST.FIPS.202, August 2015.";
- }
- enum shake-384 {
- value 9;
- description
- "The SHA3 algorithm with 384-bits output.";
- reference
- "National Institute of Standards and Technology,
- SHA-3 Standard: Permutation-Based Hash and
- Extendable-Output Functions, FIPS PUB 202, DOI
- 10.6028/NIST.FIPS.202, August 2015.";
- }
- enum shake-512 {
- value 10;
- description
- "The SHA3 algorithm with 384-bits output.";
- reference
- "National Institute of Standards and Technology,
- SHA-3 Standard: Permutation-Based Hash and
- Extendable-Output Functions, FIPS PUB 202, DOI
- 10.6028/NIST.FIPS.202, August 2015.";
- }
- }
- }
- default "0";
- description
- "The uint16 filed shall be set by individual protocol families
- according to the hash algorithm value assigned by IANA. The
- setting is optional and by default is 0. The enumeration
- filed is set to the selected hash algorithm.";
- }
-
- /***********************************************/
- /* Identities for Asymmetric Key Algorithms */
- /***********************************************/
-
- typedef asymmetric-key-algorithm-t {
- type union {
- type uint16;
- type enumeration {
- enum NONE {
- value 0;
- description
- "Asymetric key algorithm is NULL.";
- }
- enum rsa1024 {
- value 1;
- description
- "The RSA algorithm using a 1024-bit key.";
- reference
- "RFC 8017: PKCS #1: RSA Cryptography
- Specifications Version 2.2.";
- }
- enum rsa2048 {
- value 2;
- description
- "The RSA algorithm using a 2048-bit key.";
- reference
- "RFC 8017:
- PKCS #1: RSA Cryptography Specifications Version 2.2.";
- }
- enum rsa3072 {
- value 3;
- description
- "The RSA algorithm using a 3072-bit key.";
- reference
- "RFC 8017:
- PKCS #1: RSA Cryptography Specifications Version 2.2.";
- }
- enum rsa4096 {
- value 4;
- description
- "The RSA algorithm using a 4096-bit key.";
- reference
- "RFC 8017:
- PKCS #1: RSA Cryptography Specifications Version 2.2.";
- }
- enum rsa7680 {
- value 5;
- description
- "The RSA algorithm using a 7680-bit key.";
- reference
- "RFC 8017:
- PKCS #1: RSA Cryptography Specifications Version 2.2.";
- }
- enum rsa15360 {
- value 6;
- description
- "The RSA algorithm using a 15360-bit key.";
- reference
- "RFC 8017:
- PKCS #1: RSA Cryptography Specifications Version 2.2.";
- }
- enum secp192r1 {
- value 7;
- description
- "The asymmetric algorithm using a NIST P192 Curve.";
- reference
- "RFC 6090:
- Fundamental Elliptic Curve Cryptography Algorithms.
- RFC 5480:
- Elliptic Curve Cryptography Subject Public Key
- Information.";
- }
- enum secp224r1 {
- value 8;
- description
- "The asymmetric algorithm using a NIST P224 Curve.";
- reference
- "RFC 6090:
- Fundamental Elliptic Curve Cryptography Algorithms.
- RFC 5480:
- Elliptic Curve Cryptography Subject Public Key
- Information.";
- }
- enum secp256r1 {
- value 9;
- description
- "The asymmetric algorithm using a NIST P256 Curve.";
- reference
- "RFC 6090:
- Fundamental Elliptic Curve Cryptography Algorithms.
- RFC 5480:
- Elliptic Curve Cryptography Subject Public Key
- Information.";
- }
- enum secp384r1 {
- value 10;
- description
- "The asymmetric algorithm using a NIST P384 Curve.";
- reference
- "RFC 6090:
- Fundamental Elliptic Curve Cryptography Algorithms.
- RFC 5480:
- Elliptic Curve Cryptography Subject Public Key
- Information.";
- }
- enum secp521r1 {
- value 11;
- description
- "The asymmetric algorithm using a NIST P521 Curve.";
- reference
- "RFC 6090:
- Fundamental Elliptic Curve Cryptography Algorithms.
- RFC 5480:
- Elliptic Curve Cryptography Subject Public Key
- Information.";
- }
- enum x25519 {
- value 12;
- description
- "The asymmetric algorithm using a x.25519 Curve.";
- reference
- "RFC 7748:
- Elliptic Curves for Security.";
- }
- enum x448 {
- value 13;
- description
- "The asymmetric algorithm using a x.448 Curve.";
- reference
- "RFC 7748:
- Elliptic Curves for Security.";
- }
- }
- }
- default "0";
- description
- "The uint16 filed shall be set by individual protocol
- families according to the asymmetric key algorithm value
- assigned by IANA. The setting is optional and by default
- is 0. The enumeration filed is set to the selected
- asymmetric key algorithm.";
- }
-
- /*************************************/
- /* Identities for MAC Algorithms */
- /*************************************/
-
- typedef mac-algorithm-t {
- type union {
- type uint16;
- type enumeration {
- enum NONE {
- value 0;
- description
- "mac algorithm is NULL.";
- }
- enum hmac-sha1 {
- value 1;
- description
- "Generating MAC using SHA1 hash function";
- reference
- "RFC 3174: US Secure Hash Algorithm 1 (SHA1)";
- }
- enum hmac-sha1-96 {
- value 2;
- description
- "Generating MAC using SHA1 hash function";
- reference
- "RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH";
- }
- enum hmac-sha2-224 {
- value 3;
- description
- "Generating MAC using SHA2 hash function";
- reference
- "RFC 6234: US Secure Hash Algorithms
- (SHA and SHA-based HMAC and HKDF)";
- }
- enum hmac-sha2-256 {
- value 4;
- description
- "Generating MAC using SHA2 hash function";
- reference
- "RFC 6234: US Secure Hash Algorithms
- (SHA and SHA-based HMAC and HKDF)";
- }
- enum hmac-sha2-256-128 {
- value 5;
- description
- "Generating a 256 bits MAC using SHA2 hash function and
- truncate it to 128 bits";
- reference
- "RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384,
- and HMAC-SHA-512 with IPsec";
- }
- enum hmac-sha2-384 {
- value 6;
- description
- "Generating a 384 bits MAC using SHA2 hash function";
- reference
- "RFC 6234: US Secure Hash Algorithms
- (SHA and SHA-based HMAC and HKDF)";
- }
- enum hmac-sha2-384-192 {
- value 7;
- description
- "Generating a 384 bits MAC using SHA2 hash function and
- truncate it to 192 bits";
- reference
- "RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384,
- and HMAC-SHA-512 with IPsec";
- }
- enum hmac-sha2-512 {
- value 8;
- description
- "Generating a 512 bits MAC using SHA2 hash function";
- reference
- "RFC 6234: US Secure Hash Algorithms
- (SHA and SHA-based HMAC and HKDF)";
- }
- enum hmac-sha2-512-256 {
- value 9;
- description
- "Generating a 512 bits MAC using SHA2 hash function and
- truncate it to 256 bits";
- reference
- "RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384,
- and HMAC-SHA-512 with IPsec";
- }
- enum aes-128-gmac {
- value 10;
- description
- "Generating 128-bit MAC using the Advanced Encryption
- Standard (AES) Galois Message Authentication Code
- (GMAC) as a mechanism to provide data origin
- authentication.";
- reference
- "RFC 4543:
- The Use of Galois Message Authentication Code (GMAC)
- in IPsec ESP and AH";
- }
- enum aes-192-gmac {
- value 11;
- description
- "Generating 192-bit MAC using the Advanced Encryption
- Standard (AES) Galois Message Authentication Code
- (GMAC) as a mechanism to provide data origin
- authentication.";
- reference
- "RFC 4543:
- The Use of Galois Message Authentication Code (GMAC)
- in IPsec ESP and AH";
- }
- enum aes-256-gmac {
- value 12;
- description
- "Generating 256-bit MAC using the Advanced Encryption
- Standard (AES) Galois Message Authentication Code
- (GMAC) as a mechanism to provide data origin
- authentication.";
- reference
- "RFC 4543:
- The Use of Galois Message Authentication Code (GMAC)
- in IPsec ESP and AH";
- }
- enum aes-cmac-96 {
- value 13;
- description
- "Generating 96-bit MAC using Advanced Encryption
- Standard (AES) Cipher-based Message Authentication
- Code (CMAC)";
- reference
- "RFC 4494:
- The AES-CMAC Algorithm and its Use with IPsec";
- }
- enum aes-cmac-128 {
- value 14;
- description
- "Generating 128-bit MAC using Advanced Encryption
- Standard (AES) Cipher-based Message Authentication
- Code (CMAC)";
- reference
- "RFC 4494:
- The AES-CMAC Algorithm and its Use with IPsec";
- }
- enum sha1-des3-kd {
- value 15;
- description
- "Generating MAC using triple DES encryption function";
- reference
- "RFC 3961:
- Encryption and Checksum Specifications for Kerberos
- 5";
- }
- }
- }
- default "0";
- description
- "The uint16 filed shall be set by individual protocol
- families according to the mac algorithm value assigned by
- IANA. The setting is optional and by default is 0. The
- enumeration filed is set to the selected mac algorithm.";
- }
-
- /********************************************/
- /* Identities for Encryption Algorithms */
- /********************************************/
-
- typedef encryption-algorithm-t {
- type union {
- type uint16;
- type enumeration {
- enum NONE {
- value 0;
- description
- "Encryption algorithm is NULL.";
- }
- enum aes-128-cbc {
- value 1;
- description
- "Encrypt message with AES algorithm in CBC mode with
- a key length of 128 bits.";
- reference
- "RFC 3565: Use of the Advanced Encryption Standard (AES)
- Encryption Algorithm in Cryptographic Message Syntax
- (CMS)";
- }
- enum aes-192-cbc {
- value 2;
- description
- "Encrypt message with AES algorithm in CBC mode with
- a key length of 192 bits";
- reference
- "RFC 3565: Use of the Advanced Encryption Standard (AES)
- Encryption Algorithm in Cryptographic Message Syntax
- (CMS)";
- }
- enum aes-256-cbc {
- value 3;
- description
- "Encrypt message with AES algorithm in CBC mode with
- a key length of 256 bits";
- reference
- "RFC 3565: Use of the Advanced Encryption Standard (AES)
- Encryption Algorithm in Cryptographic Message Syntax
- (CMS)";
- }
- enum aes-128-ctr {
- value 4;
- description
- "Encrypt message with AES algorithm in CTR mode with
- a key length of 128 bits";
- reference
- "RFC 3686:
- Using Advanced Encryption Standard (AES) Counter
- Mode with IPsec Encapsulating Security Payload
- (ESP)";
- }
- enum aes-192-ctr {
- value 5;
- description
- "Encrypt message with AES algorithm in CTR mode with
- a key length of 192 bits";
- reference
- "RFC 3686:
- Using Advanced Encryption Standard (AES) Counter
- Mode with IPsec Encapsulating Security Payload
- (ESP)";
- }
- enum aes-256-ctr {
- value 6;
- description
- "Encrypt message with AES algorithm in CTR mode with
- a key length of 256 bits";
- reference
- "RFC 3686:
- Using Advanced Encryption Standard (AES) Counter
- Mode with IPsec Encapsulating Security Payload
- (ESP)";
- }
- enum des3-cbc-sha1-kd {
- value 7;
- description
- "Encrypt message with 3DES algorithm in CBC mode
- with sha1 function for key derivation";
- reference
- "RFC 3961:
- Encryption and Checksum Specifications for
- Kerberos 5";
- }
- enum rc4-hmac {
- value 8;
- description
- "Encrypt message with rc4 algorithm";
- reference
- "RFC 4757:
- The RC4-HMAC Kerberos Encryption Types Used by
- Microsoft Windows";
- }
- enum rc4-hmac-exp {
- value 9;
- description
- "Encrypt message with rc4 algorithm that is exportable";
- reference
- "RFC 4757:
- The RC4-HMAC Kerberos Encryption Types Used by
- Microsoft Windows";
- }
- }
- }
- default "0";
- description
- "The uint16 filed shall be set by individual protocol
- families according to the encryption algorithm value
- assigned by IANA. The setting is optional and by default
- is 0. The enumeration filed is set to the selected
- encryption algorithm.";
- }
-
- /****************************************************/
- /* Identities for Encryption and MAC Algorithms */
- /****************************************************/
-
- typedef encryption-and-mac-algorithm-t {
- type union {
- type uint16;
- type enumeration {
- enum NONE {
- value 0;
- description
- "Encryption and MAC algorithm is NULL.";
- reference
- "None";
- }
- enum aes-128-ccm {
- value 1;
- description
- "Encrypt message with AES algorithm in CCM
- mode with a key length of 128 bits; it can
- also be used for generating MAC";
- reference
- "RFC 4309: Using Advanced Encryption Standard
- (AES) CCM Mode with IPsec Encapsulating Security
- Payload (ESP)";
- }
- enum aes-192-ccm {
- value 2;
- description
- "Encrypt message with AES algorithm in CCM
- mode with a key length of 192 bits; it can
- also be used for generating MAC";
- reference
- "RFC 4309: Using Advanced Encryption Standard
- (AES) CCM Mode with IPsec Encapsulating Security
- Payload (ESP)";
- }
- enum aes-256-ccm {
- value 3;
- description
- "Encrypt message with AES algorithm in CCM
- mode with a key length of 256 bits; it can
- also be used for generating MAC";
- reference
- "RFC 4309: Using Advanced Encryption Standard
- (AES) CCM Mode with IPsec Encapsulating Security
- Payload (ESP)";
- }
- enum aes-128-gcm {
- value 4;
- description
- "Encrypt message with AES algorithm in GCM
- mode with a key length of 128 bits; it can
- also be used for generating MAC";
- reference
- "RFC 4106: The Use of Galois/Counter Mode (GCM)
- in IPsec Encapsulating Security Payload (ESP)";
- }
- enum aes-192-gcm {
- value 5;
- description
- "Encrypt message with AES algorithm in GCM
- mode with a key length of 192 bits; it can
- also be used for generating MAC";
- reference
- "RFC 4106: The Use of Galois/Counter Mode (GCM)
- in IPsec Encapsulating Security Payload (ESP)";
- }
- enum aes-256-gcm {
- value 6;
- description
- "Encrypt message with AES algorithm in GCM
- mode with a key length of 256 bits; it can
- also be used for generating MAC";
- reference
- "RFC 4106: The Use of Galois/Counter Mode (GCM)
- in IPsec Encapsulating Security Payload (ESP)";
- }
- enum chacha20-poly1305 {
- value 7;
- description
- "Encrypt message with chacha20 algorithm and generate
- MAC with POLY1305; it can also be used for generating
- MAC";
- reference
- "RFC 8439: ChaCha20 and Poly1305 for IETF Protocols";
- }
- }
- }
- default "0";
- description
- "The uint16 filed shall be set by individual protocol
- families according to the encryption and mac algorithm value
- assigned by IANA. The setting is optional and by default is
- 0. The enumeration filed is set to the selected encryption
- and mac algorithm.";
- }
-
- /******************************************/
- /* Identities for signature algorithm */
- /******************************************/
-
- typedef signature-algorithm-t {
- type union {
- type uint16;
- type enumeration {
- enum NONE {
- value 0;
- description
- "Signature algorithm is NULL";
- }
- enum dsa-sha1 {
- value 1;
- description
- "The signature algorithm using DSA algorithm with SHA1
- hash algorithm";
- reference
- "RFC 4253:
- The Secure Shell (SSH) Transport Layer Protocol";
- }
- enum rsassa-pkcs1-sha1 {
- value 2;
- description
- "The signature algorithm using RSASSA-PKCS1-v1_5 with
- the SHA1 hash algorithm.";
- reference
- "RFC 4253:
- The Secure Shell (SSH) Transport Layer Protocol";
- }
- enum rsassa-pkcs1-sha256 {
- value 3;
- description
- "The signature algorithm using RSASSA-PKCS1-v1_5 with
- the SHA256 hash algorithm.";
- reference
- "RFC 8332:
- Use of RSA Keys with SHA-256 and SHA-512 in the
- Secure Shell (SSH) Protocol
- RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum rsassa-pkcs1-sha384 {
- value 4;
- description
- "The signature algorithm using RSASSA-PKCS1-v1_5 with
- the SHA384 hash algorithm.";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum rsassa-pkcs1-sha512 {
- value 5;
- description
- "The signature algorithm using RSASSA-PKCS1-v1_5 with
- the SHA512 hash algorithm.";
- reference
- "RFC 8332:
- Use of RSA Keys with SHA-256 and SHA-512 in the
- Secure Shell (SSH) Protocol
- RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum rsassa-pss-rsae-sha256 {
- value 6;
- description
- "The signature algorithm using RSASSA-PSS with mask
- generation function 1 and SHA256 hash algorithm. If
- the public key is carried in an X.509 certificate,
- it MUST use the rsaEncryption OID";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum rsassa-pss-rsae-sha384 {
- value 7;
- description
- "The signature algorithm using RSASSA-PSS with mask
- generation function 1 and SHA384 hash algorithm. If
- the public key is carried in an X.509 certificate,
- it MUST use the rsaEncryption OID";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum rsassa-pss-rsae-sha512 {
- value 8;
- description
- "The signature algorithm using RSASSA-PSS with mask
- generation function 1 and SHA512 hash algorithm. If
- the public key is carried in an X.509 certificate,
- it MUST use the rsaEncryption OID";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum rsassa-pss-pss-sha256 {
- value 9;
- description
- "The signature algorithm using RSASSA-PSS with mask
- generation function 1 and SHA256 hash algorithm. If
- the public key is carried in an X.509 certificate,
- it MUST use the rsaEncryption OID";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum rsassa-pss-pss-sha384 {
- value 10;
- description
- "The signature algorithm using RSASSA-PSS with mask
- generation function 1 and SHA384 hash algorithm. If
- the public key is carried in an X.509 certificate,
- it MUST use the rsaEncryption OID";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum rsassa-pss-pss-sha512 {
- value 11;
- description
- "The signature algorithm using RSASSA-PSS with mask
- generation function 1 and SHA512 hash algorithm. If
- the public key is carried in an X.509 certificate,
- it MUST use the rsaEncryption OID";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum ecdsa-secp256r1-sha256 {
- value 12;
- description
- "The signature algorithm using ECDSA with curve name
- secp256r1 and SHA256 hash algorithm.";
- reference
- "RFC 5656:
- Elliptic Curve Algorithm Integration in the Secure
- Shell Transport Layer
- RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum ecdsa-secp384r1-sha384 {
- value 13;
- description
- "The signature algorithm using ECDSA with curve name
- secp384r1 and SHA384 hash algorithm.";
- reference
- "RFC 5656:
- Elliptic Curve Algorithm Integration in the Secure
- Shell Transport Layer
- RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum ecdsa-secp521r1-sha512 {
- value 14;
- description
- "The signature algorithm using ECDSA with curve name
- secp521r1 and SHA512 hash algorithm.";
- reference
- "RFC 5656:
- Elliptic Curve Algorithm Integration in the Secure
- Shell Transport Layer
- RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum ed25519 {
- value 15;
- description
- "The signature algorithm using EdDSA with curve x25519";
- reference
- "RFC 8032:
- Edwards-Curve Digital Signature Algorithm (EdDSA)";
- }
- enum ed25519-cts {
- value 16;
- description
- "The signature algorithm using EdDSA with curve x25519
- with phflag = 0";
- reference
- "RFC 8032:
- Edwards-Curve Digital Signature Algorithm (EdDSA)";
- }
- enum ed25519-ph {
- value 17;
- description
- "The signature algorithm using EdDSA with curve x25519
- with phflag = 1";
- reference
- "RFC 8032:
- Edwards-Curve Digital Signature Algorithm (EdDSA)";
- }
- enum ed25519-sha512 {
- value 18;
- description
- "The signature algorithm using EdDSA with curve x25519
- and SHA-512 function";
- reference
- "RFC 8419:
- Use of Edwards-Curve Digital Signature Algorithm
- (EdDSA) Signatures in the Cryptographic Message
- Syntax (CMS)";
- }
- enum ed448 {
- value 19;
- description
- "The signature algorithm using EdDSA with curve x448";
- reference
- "RFC 8032:
- Edwards-Curve Digital Signature Algorithm (EdDSA)";
- }
- enum ed448-ph {
- value 20;
- description
- "The signature algorithm using EdDSA with curve x448
- and with PH being SHAKE256(x, 64) and phflag being 1";
- reference
- "RFC 8032:
- Edwards-Curve Digital Signature Algorithm (EdDSA)";
- }
- enum ed448-shake256 {
- value 21;
- description
- "The signature algorithm using EdDSA with curve x448
- and SHAKE-256 function";
- reference
- "RFC 8419:
- Use of Edwards-Curve Digital Signature Algorithm
- (EdDSA) Signatures in the Cryptographic Message
- Syntax (CMS)";
- }
- enum ed448-shake256-len {
- value 22;
- description
- "The signature algorithm using EdDSA with curve x448
- and SHAKE-256 function and a customized hash output";
- reference
- "RFC 8419:
- Use of Edwards-Curve Digital Signature Algorithm
- (EdDSA) Signatures in the Cryptographic Message
- Syntax (CMS)";
- }
- enum rsa-sha2-256 {
- value 23;
- description
- "The signature algorithm using RSA with SHA2 function
- for SSH protocol";
- reference
- "RFC 8332:
- Use of RSA Keys with SHA-256 and SHA-512
- in the Secure Shell (SSH) Protocol";
- }
- enum rsa-sha2-512 {
- value 24;
- description
- "The signature algorithm using RSA with SHA2 function
- for SSH protocol";
- reference
- "RFC 8332:
- Use of RSA Keys with SHA-256 and SHA-512
- in the Secure Shell (SSH) Protocol";
- }
- enum eccsi {
- value 25;
- description
- "The signature algorithm using ECCSI signature as
- defined in RFC 6507.";
- reference
- "RFC 6507:
- Elliptic Curve-Based Certificateless Signatures
- for Identity-based Encryption (ECCSI)";
- }
- }
- }
- default "0";
- description
- "The uint16 filed shall be set by individual protocol
- families according to the signature algorithm value
- assigned by IANA. The setting is optional and by default
- is 0. The enumeration filed is set to the selected
- signature algorithm.";
- }
-
- /**********************************************/
- /* Identities for key exchange algorithms */
- /**********************************************/
-
- typedef key-exchange-algorithm-t {
- type union {
- type uint16;
- type enumeration {
- enum NONE {
- value 0;
- description
- "Key exchange algorithm is NULL.";
- }
- enum psk-only {
- value 1;
- description
- "Using Pre-shared key for authentication and key
- exchange";
- reference
- "RFC 4279:
- Pre-Shared Key cipher suites for Transport Layer
- Security (TLS)";
- }
- enum dhe-ffdhe2048 {
- value 2;
- description
- "Ephemeral Diffie Hellman key exchange with 2048 bit
- finite field";
- reference
- "RFC 7919:
- Negotiated Finite Field Diffie-Hellman Ephemeral
- Parameters for Transport Layer Security (TLS)";
- }
- enum dhe-ffdhe3072 {
- value 3;
- description
- "Ephemeral Diffie Hellman key exchange with 3072 bit
- finite field";
- reference
- "RFC 7919:
- Negotiated Finite Field Diffie-Hellman Ephemeral
- Parameters for Transport Layer Security (TLS)";
- }
- enum dhe-ffdhe4096 {
- value 4;
- description
- "Ephemeral Diffie Hellman key exchange with 4096 bit
- finite field";
- reference
- "RFC 7919:
- Negotiated Finite Field Diffie-Hellman Ephemeral
- Parameters for Transport Layer Security (TLS)";
- }
- enum dhe-ffdhe6144 {
- value 5;
- description
- "Ephemeral Diffie Hellman key exchange with 6144 bit
- finite field";
- reference
- "RFC 7919:
- Negotiated Finite Field Diffie-Hellman Ephemeral
- Parameters for Transport Layer Security (TLS)";
- }
- enum dhe-ffdhe8192 {
- value 6;
- description
- "Ephemeral Diffie Hellman key exchange with 8192 bit
- finite field";
- reference
- "RFC 7919:
- Negotiated Finite Field Diffie-Hellman Ephemeral
- Parameters for Transport Layer Security (TLS)";
- }
- enum psk-dhe-ffdhe2048 {
- value 7;
- description
- "Key exchange using pre-shared key with Diffie-Hellman
- key generation mechanism, where the DH group is
- FFDHE2048";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum psk-dhe-ffdhe3072 {
- value 8;
- description
- "Key exchange using pre-shared key with Diffie-Hellman
- key generation mechanism, where the DH group is
- FFDHE3072";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum psk-dhe-ffdhe4096 {
- value 9;
- description
- "Key exchange using pre-shared key with Diffie-Hellman
- key generation mechanism, where the DH group is
- FFDHE4096";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum psk-dhe-ffdhe6144 {
- value 10;
- description
- "Key exchange using pre-shared key with Diffie-Hellman
- key generation mechanism, where the DH group is
- FFDHE6144";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum psk-dhe-ffdhe8192 {
- value 11;
- description
- "Key exchange using pre-shared key with Diffie-Hellman
- key generation mechanism, where the DH group is
- FFDHE8192";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum ecdhe-secp256r1 {
- value 12;
- description
- "Ephemeral Diffie Hellman key exchange with elliptic
- group over curve secp256r1";
- reference
- "RFC 8422:
- Elliptic Curve Cryptography (ECC) Cipher Suites
- for Transport Layer Security (TLS) Versions 1.2
- and Earlier";
- }
- enum ecdhe-secp384r1 {
- value 13;
- description
- "Ephemeral Diffie Hellman key exchange with elliptic
- group over curve secp384r1";
- reference
- "RFC 8422:
- Elliptic Curve Cryptography (ECC) Cipher Suites
- for Transport Layer Security (TLS) Versions 1.2
- and Earlier";
- }
- enum ecdhe-secp521r1 {
- value 14;
- description
- "Ephemeral Diffie Hellman key exchange with elliptic
- group over curve secp521r1";
- reference
- "RFC 8422:
- Elliptic Curve Cryptography (ECC) Cipher Suites
- for Transport Layer Security (TLS) Versions 1.2
- and Earlier";
- }
- enum ecdhe-x25519 {
- value 15;
- description
- "Ephemeral Diffie Hellman key exchange with elliptic
- group over curve x25519";
- reference
- "RFC 8422:
- Elliptic Curve Cryptography (ECC) Cipher Suites
- for Transport Layer Security (TLS) Versions 1.2
- and Earlier";
- }
- enum ecdhe-x448 {
- value 16;
- description
- "Ephemeral Diffie Hellman key exchange with elliptic
- group over curve x448";
- reference
- "RFC 8422:
- Elliptic Curve Cryptography (ECC) Cipher Suites
- for Transport Layer Security (TLS) Versions 1.2
- and Earlier";
- }
- enum psk-ecdhe-secp256r1 {
- value 17;
- description
- "Key exchange using pre-shared key with elliptic
- group-based Ephemeral Diffie Hellman key exchange
- over curve secp256r1";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum psk-ecdhe-secp384r1 {
- value 18;
- description
- "Key exchange using pre-shared key with elliptic
- group-based Ephemeral Diffie Hellman key exchange
- over curve secp384r1";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum psk-ecdhe-secp521r1 {
- value 19;
- description
- "Key exchange using pre-shared key with elliptic
- group-based Ephemeral Diffie Hellman key exchange
- over curve secp521r1";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum psk-ecdhe-x25519 {
- value 20;
- description
- "Key exchange using pre-shared key with elliptic
- group-based Ephemeral Diffie Hellman key exchange
- over curve x25519";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum psk-ecdhe-x448 {
- value 21;
- description
- "Key exchange using pre-shared key with elliptic
- group-based Ephemeral Diffie Hellman key exchange
- over curve x448";
- reference
- "RFC 8446:
- The Transport Layer Security (TLS) Protocol
- Version 1.3";
- }
- enum diffie-hellman-group14-sha1 {
- value 22;
- description
- "Using DH group14 and SHA1 for key exchange";
- reference
- "RFC 4253:
- The Secure Shell (SSH) Transport Layer Protocol";
- }
- enum diffie-hellman-group14-sha256 {
- value 23;
- description
- "Using DH group14 and SHA-256 for key exchange";
- reference
- "RFC 8268:
- More Modular Exponentiation (MODP) Diffie-Hellman (DH)
- Key Exchange (KEX) Groups for Secure Shell (SSH)";
- }
- enum diffie-hellman-group15-sha512 {
- value 24;
- description
- "Using DH group15 and SHA-512 for key exchange";
- reference
- "RFC 8268:
- More Modular Exponentiation (MODP) Diffie-Hellman (DH)
- Key Exchange (KEX) Groups for Secure Shell (SSH)";
- }
- enum diffie-hellman-group16-sha512 {
- value 25;
- description
- "Using DH group16 and SHA-512 for key exchange";
- reference
- "RFC 8268:
- More Modular Exponentiation (MODP) Diffie-Hellman (DH)
- Key Exchange (KEX) Groups for Secure Shell (SSH)";
- }
- enum diffie-hellman-group17-sha512 {
- value 26;
- description
- "Using DH group17 and SHA-512 for key exchange";
- reference
- "RFC 8268:
- More Modular Exponentiation (MODP) Diffie-Hellman (DH)
- Key Exchange (KEX) Groups for Secure Shell (SSH)";
- }
- enum diffie-hellman-group18-sha512 {
- value 27;
- description
- "Using DH group18 and SHA-512 for key exchange";
- reference
- "RFC 8268:
- More Modular Exponentiation (MODP) Diffie-Hellman (DH)
- Key Exchange (KEX) Groups for Secure Shell (SSH)";
- }
- enum ecdh-sha2-secp256r1 {
- value 28;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve ecp256r1 and using SHA2 for MAC generation";
- reference
- "RFC 6239:
- Suite B Cryptographic Suites for Secure Shell (SSH)";
- }
- enum ecdh-sha2-secp384r1 {
- value 29;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve ecp384r1 and using SHA2 for MAC generation";
- reference
- "RFC 6239:
- Suite B Cryptographic Suites for Secure Shell (SSH)";
- }
- enum ecdh-x25519-x9.63-sha256 {
- value 30;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.25519 and using ANSI x9.63 with SHA256 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x25519-x9.63-sha384 {
- value 31;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.25519 and using ANSI x9.63 with SHA384 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x25519-x9.63-sha512 {
- value 32;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.25519 and using ANSI x9.63 with SHA512 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x25519-hkdf-sha256 {
- value 33;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.25519 and using HKDF with SHA256 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x25519-hkdf-sha384 {
- value 34;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.25519 and using HKDF with SHA384 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x25519-hkdf-sha512 {
- value 35;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.25519 and using HKDF with SHA512 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x448-x9.63-sha256 {
- value 36;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.448 and using ANSI x9.63 with SHA256 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x448-x9.63-sha384 {
- value 37;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.448 and using ANSI x9.63 with SHA384 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x448-x9.63-sha512 {
- value 38;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.448 and using ANSI x9.63 with SHA512 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x448-hkdf-sha256 {
- value 39;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.448 and using HKDF with SHA256 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x448-hkdf-sha384 {
- value 40;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.448 and using HKDF with SHA384 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
- enum ecdh-x448-hkdf-sha512 {
- value 41;
- description
- "Elliptic curve-based Diffie Hellman key exchange over
- curve x.448 and using HKDF with SHA512 as KDF";
- reference
- "RFC 8418:
- Use of the Elliptic Curve Diffie-Hellman Key Agreement
- Algorithm with X25519 and X448 in the Cryptographic
- Message Syntax (CMS)";
- }
-
- enum rsaes-oaep {
- value 42;
- description
- "RSAES-OAEP combines the RSAEP and RSADP primitives with
- the EME-OAEP encoding method";
- reference
- "RFC 8017:
- PKCS #1:
- RSA Cryptography Specifications Version 2.2.";
- }
- enum rsaes-pkcs1-v1_5 {
- value 43;
- description
- "RSAES-PKCS1-v1_5 combines the RSAEP and RSADP
- primitives with the EME-PKCS1-v1_5 encoding method";
- reference
- "RFC 8017:
- PKCS #1:
- RSA Cryptography Specifications Version 2.2.";
- }
- }
- }
- default "0";
- description
- "The uint16 filed shall be set by individual protocol
- families according to the key exchange algorithm value
- assigned by IANA. The setting is optional and by default
- is 0. The enumeration filed is set to the selected key
- exchange algorithm.";
- }
-
- /********************************************/
- /* Identities for Key Format Structures */
- /********************************************/
-
- /*** all key format types ****/
-
- identity key-format-base {
- description "Base key-format identity for all keys.";
- }
-
- identity public-key-format {
- base "key-format-base";
- description "Base key-format identity for public keys.";
- }
-
- identity private-key-format {
- base "key-format-base";
- description "Base key-format identity for private keys.";
- }
-
- identity symmetric-key-format {
- base "key-format-base";
- description "Base key-format identity for symmetric keys.";
- }
-
- /**** for private keys ****/
-
- identity rsa-private-key-format {
- base "private-key-format";
- description "An RSAPrivateKey (from RFC 3447).";
- }
-
- identity ec-private-key-format {
- base "private-key-format";
- description "An ECPrivateKey (from RFC 5915)";
- }
-
- identity one-asymmetric-key-format {
- base "private-key-format";
- description "A OneAsymmetricKey (from RFC 5958).";
- }
-
- identity encrypted-private-key-format {
- base "private-key-format";
- description
- "A CMS EncryptedData structure (RFC 5652)
- containing a OneAsymmetricKey (RFC 5958).";
- }
-
- /**** for public keys ****/
-
- identity ssh-public-key-format {
- base "public-key-format";
- description
- "The public key format described by RFC 4716.";
- }
-
- identity subject-public-key-info-format {
- base "public-key-format";
- description
- "A SubjectPublicKeyInfo (from RFC 5280).";
- }
-
- /**** for symmetric keys ****/
-
- identity octet-string-key-format {
- base "symmetric-key-format";
- description "An OctetString from ASN.1.";
- /*
- // Knowing that it is an "OctetString" isn't really helpful.
- // Knowing the length of the octet string would be helpful,
- // as it relates to the algorithm's block size. We may want
- // to only (for now) use "one-symmetric-key-format" for
- // symmetric keys...were the usability issues Juergen
- // mentioned before only apply to asymmetric keys?
- */
- }
-
- identity one-symmetric-key-format {
- base "symmetric-key-format";
- description "A OneSymmetricKey (from RFC6031).";
- }
-
- identity encrypted-symmetric-key-format {
- base "symmetric-key-format";
- description
- "A CMS EncryptedData structure (RFC 5652)
- containing a OneSymmetricKey (RFC 6031).";
- }
-
- /***************************************************/
- /* Typedefs for ASN.1 structures from RFC 5280 */
- /***************************************************/
-
- typedef x509 {
- type binary;
- description
- "A Certificate structure, as specified in RFC 5280,
- encoded using ASN.1 distinguished encoding rules (DER),
- as specified in ITU-T X.690.";
- reference
- "RFC 5280:
- Internet X.509 Public Key Infrastructure Certificate
- and Certificate Revocation List (CRL) Profile
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER).";
- }
-
- typedef crl {
- type binary;
- description
- "A CertificateList structure, as specified in RFC 5280,
- encoded using ASN.1 distinguished encoding rules (DER),
- as specified in ITU-T X.690.";
- reference
- "RFC 5280:
- Internet X.509 Public Key Infrastructure Certificate
- and Certificate Revocation List (CRL) Profile
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER).";
- }
-
- /***********************************************/
- /* Typedefs for ASN.1 structures from 5652 */
- /***********************************************/
-
- typedef cms {
- type binary;
- description
- "A ContentInfo structure, as specified in RFC 5652,
- encoded using ASN.1 distinguished encoding rules (DER),
- as specified in ITU-T X.690.";
- reference
- "RFC 5652:
- Cryptographic Message Syntax (CMS)
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER).";
- }
- typedef data-content-cms {
- type cms;
- description
- "A CMS structure whose top-most content type MUST be the
- data content type, as described by Section 4 in RFC 5652.";
- reference
- "RFC 5652: Cryptographic Message Syntax (CMS)";
- }
-
- typedef signed-data-cms {
- type cms;
- description
- "A CMS structure whose top-most content type MUST be the
- signed-data content type, as described by Section 5 in
- RFC 5652.";
- reference
- "RFC 5652: Cryptographic Message Syntax (CMS)";
- }
-
- typedef enveloped-data-cms {
- type cms;
- description
- "A CMS structure whose top-most content type MUST be the
- enveloped-data content type, as described by Section 6
- in RFC 5652.";
- reference
- "RFC 5652: Cryptographic Message Syntax (CMS)";
- }
-
- typedef digested-data-cms {
- type cms;
- description
- "A CMS structure whose top-most content type MUST be the
- digested-data content type, as described by Section 7
- in RFC 5652.";
- reference
- "RFC 5652: Cryptographic Message Syntax (CMS)";
- }
-
- typedef encrypted-data-cms {
- type cms;
- description
- "A CMS structure whose top-most content type MUST be the
- encrypted-data content type, as described by Section 8
- in RFC 5652.";
- reference
- "RFC 5652: Cryptographic Message Syntax (CMS)";
- }
- typedef authenticated-data-cms {
- type cms;
- description
- "A CMS structure whose top-most content type MUST be the
- authenticated-data content type, as described by Section 9
- in RFC 5652.";
- reference
- "RFC 5652: Cryptographic Message Syntax (CMS)";
- }
-
- /***************************************************/
- /* Typedefs for structures related to RFC 4253 */
- /***************************************************/
-
- typedef ssh-host-key {
- type binary;
- description
- "The binary public key data for this SSH key, as
- specified by RFC 4253, Section 6.6, i.e.:
-
- string certificate or public key format
- identifier
- byte[n] key/certificate data.";
- reference
- "RFC 4253: The Secure Shell (SSH) Transport Layer
- Protocol";
- }
-
- /*********************************************************/
- /* Typedefs for ASN.1 structures related to RFC 5280 */
- /*********************************************************/
-
- typedef trust-anchor-cert-x509 {
- type x509;
- description
- "A Certificate structure that MUST encode a self-signed
- root certificate.";
- }
-
- typedef end-entity-cert-x509 {
- type x509;
- description
- "A Certificate structure that MUST encode a certificate
- that is neither self-signed nor having Basic constraint
- CA true.";
- }
-
- /*********************************************************/
- /* Typedefs for ASN.1 structures related to RFC 5652 */
- /*********************************************************/
-
- typedef trust-anchor-cert-cms {
- type signed-data-cms;
- description
- "A CMS SignedData structure that MUST contain the chain of
- X.509 certificates needed to authenticate the certificate
- presented by a client or end-entity.
-
- The CMS MUST contain only a single chain of certificates.
- The client or end-entity certificate MUST only authenticate
- to last intermediate CA certificate listed in the chain.
-
- In all cases, the chain MUST include a self-signed root
- certificate. In the case where the root certificate is
- itself the issuer of the client or end-entity certificate,
- only one certificate is present.
-
- This CMS structure MAY (as applicable where this type is
- used) also contain suitably fresh (as defined by local
- policy) revocation objects with which the device can
- verify the revocation status of the certificates.
-
- This CMS encodes the degenerate form of the SignedData
- structure that is commonly used to disseminate X.509
- certificates and revocation objects (RFC 5280).";
- reference
- "RFC 5280:
- Internet X.509 Public Key Infrastructure Certificate
- and Certificate Revocation List (CRL) Profile.";
- }
-
- typedef end-entity-cert-cms {
- type signed-data-cms;
- description
- "A CMS SignedData structure that MUST contain the end
- entity certificate itself, and MAY contain any number
- of intermediate certificates leading up to a trust
- anchor certificate. The trust anchor certificate
- MAY be included as well.
-
- The CMS MUST contain a single end entity certificate.
- The CMS MUST NOT contain any spurious certificates.
-
- This CMS structure MAY (as applicable where this type is
- used) also contain suitably fresh (as defined by local
- policy) revocation objects with which the device can
- verify the revocation status of the certificates.
-
- This CMS encodes the degenerate form of the SignedData
- structure that is commonly used to disseminate X.509
- certificates and revocation objects (RFC 5280).";
- reference
- "RFC 5280:
- Internet X.509 Public Key Infrastructure Certificate
- and Certificate Revocation List (CRL) Profile.";
- }
-
- typedef ssh-public-key-type { // DELETE?
- type binary;
- description
- "The binary public key data for this SSH key, as
- specified by RFC 4253, Section 6.6, i.e.:
-
- string certificate or public key format
- identifier
- byte[n] key/certificate data.";
- reference
- "RFC 4253: The Secure Shell (SSH) Transport
- Layer Protocol";
- }
-
- /**********************************************/
- /* Groupings for keys and/or certificates */
- /**********************************************/
-
- grouping symmetric-key-grouping {
- description
- "A symmetric key and algorithm.";
- leaf algorithm {
- type encryption-algorithm-t;
- mandatory true;
- description
- "The algorithm to be used when generating the key.";
- reference
- "RFC CCCC: Common YANG Data Types for Cryptography";
- }
- leaf key-format {
- nacm:default-deny-write;
- when "../key";
- type identityref {
- base symmetric-key-format;
- }
- description "Identifies the symmetric key's format.";
- }
- choice key-type {
- mandatory true;
- description
- "Choice between key types.";
- leaf key {
- nacm:default-deny-all;
- type binary;
- //must "../key-format"; FIXME: remove comment if approach ok
- description
- "The binary value of the key. The interpretation of
- the value is defined by 'key-format'. For example,
- FIXME.";
- reference
- "RFC XXXX: FIXME";
- }
- leaf hidden-key {
- nacm:default-deny-write;
- type empty;
- description
- "A permanently hidden key. How such keys are created
- is outside the scope of this module.";
- }
- }
- }
-
- grouping public-key-grouping {
- description
- "A public key and its associated algorithm.";
- leaf algorithm {
- nacm:default-deny-write;
- type asymmetric-key-algorithm-t;
- mandatory true;
- description
- "Identifies the key's algorithm.";
- reference
- "RFC CCCC: Common YANG Data Types for Cryptography";
- }
- leaf public-key-format {
- nacm:default-deny-write;
- when "../public-key";
- type identityref {
- base public-key-format;
- }
- description "Identifies the key's format.";
- }
- leaf public-key {
- nacm:default-deny-write;
- type binary;
- //must "../public-key-format"; FIXME: rm comment if approach ok
- mandatory true;
- description
- "The binary value of the public key. The interpretation
- of the value is defined by 'public-key-format' field.";
- }
- }
-
- grouping asymmetric-key-pair-grouping {
- description
- "A private key and its associated public key and algorithm.";
- uses public-key-grouping;
- leaf private-key-format {
- nacm:default-deny-write;
- when "../private-key";
- type identityref {
- base private-key-format;
- }
- description "Identifies the key's format.";
- }
- choice private-key-type {
- mandatory true;
- description
- "Choice between key types.";
- leaf private-key {
- nacm:default-deny-all;
- type binary;
- //must "../private-key-format"; FIXME: rm comment if ok
- description
- "The value of the binary key. The key's value is
- interpreted by the 'private-key-format' field.";
- }
- leaf hidden-private-key {
- nacm:default-deny-write;
- type empty;
- description
- "A permanently hidden key. How such keys are created
- is outside the scope of this module.";
- }
- }
- }
-
- grouping trust-anchor-cert-grouping {
- description
- "A trust anchor certificate, and a notification for when
- it is about to (or already has) expire.";
- leaf cert {
- nacm:default-deny-write;
- type trust-anchor-cert-cms;
- description
- "The binary certificate data for this certificate.";
- reference
- "RFC YYYY: Common YANG Data Types for Cryptography";
- }
- notification certificate-expiration {
- description
- "A notification indicating that the configured certificate
- is either about to expire or has already expired. When to
- send notifications is an implementation specific decision,
- but it is RECOMMENDED that a notification be sent once a
- month for 3 months, then once a week for four weeks, and
- then once a day thereafter until the issue is resolved.";
- leaf expiration-date {
- type yang:date-and-time;
- mandatory true;
- description
- "Identifies the expiration date on the certificate.";
- }
- }
- }
-
- grouping trust-anchor-certs-grouping {
- description
- "A list of trust anchor certificates, and a notification
- for when one is about to (or already has) expire.";
- leaf-list cert {
- nacm:default-deny-write;
- type trust-anchor-cert-cms;
- description
- "The binary certificate data for this certificate.";
- reference
- "RFC YYYY: Common YANG Data Types for Cryptography";
- }
- notification certificate-expiration {
- description
- "A notification indicating that the configured certificate
- is either about to expire or has already expired. When to
- send notifications is an implementation specific decision,
- but it is RECOMMENDED that a notification be sent once a
- month for 3 months, then once a week for four weeks, and
- then once a day thereafter until the issue is resolved.";
- leaf expiration-date {
- type yang:date-and-time;
- mandatory true;
- description
- "Identifies the expiration date on the certificate.";
- }
- }
- }
-
- grouping end-entity-cert-grouping {
- description
- "An end entity certificate, and a notification for when
- it is about to (or already has) expire. Implementations
- SHOULD assert that, where used, the end entity certificate
- contains the expected public key.";
- leaf cert {
- nacm:default-deny-write;
- type end-entity-cert-cms;
- description
- "The binary certificate data for this certificate.";
- reference
- "RFC YYYY: Common YANG Data Types for Cryptography";
- }
- notification certificate-expiration {
- description
- "A notification indicating that the configured certificate
- is either about to expire or has already expired. When to
- send notifications is an implementation specific decision,
- but it is RECOMMENDED that a notification be sent once a
- month for 3 months, then once a week for four weeks, and
- then once a day thereafter until the issue is resolved.";
- leaf expiration-date {
- type yang:date-and-time;
- mandatory true;
- description
- "Identifies the expiration date on the certificate.";
- }
- }
- }
-
- grouping end-entity-certs-grouping {
- description
- "A list of end entity certificates, and a notification for
- when one is about to (or already has) expire.";
- leaf-list cert {
- nacm:default-deny-write;
- type end-entity-cert-cms;
- description
- "The binary certificate data for this certificate.";
- reference
- "RFC YYYY: Common YANG Data Types for Cryptography";
- }
- notification certificate-expiration {
- description
- "A notification indicating that the configured certificate
- is either about to expire or has already expired. When to
- send notifications is an implementation specific decision,
- but it is RECOMMENDED that a notification be sent once a
- month for 3 months, then once a week for four weeks, and
- then once a day thereafter until the issue is resolved.";
- leaf expiration-date {
- type yang:date-and-time;
- mandatory true;
- description
- "Identifies the expiration date on the certificate.";
- }
- }
- }
-
- grouping asymmetric-key-pair-with-cert-grouping {
- description
- "A private/public key pair and an associated certificate.
- Implementations SHOULD assert that certificates contain
- the matching public key.";
- uses asymmetric-key-pair-grouping;
- uses end-entity-cert-grouping;
- action generate-certificate-signing-request {
- nacm:default-deny-all;
- description
- "Generates a certificate signing request structure for
- the associated asymmetric key using the passed subject
- and attribute values. The specified assertions need
- to be appropriate for the certificate's use. For
- example, an entity certificate for a TLS server
- SHOULD have values that enable clients to satisfy
- RFC 6125 processing.";
- input {
- leaf subject {
- type binary;
- mandatory true;
- description
- "The 'subject' field per the CertificationRequestInfo
- structure as specified by RFC 2986, Section 4.1
- encoded using the ASN.1 distinguished encoding
- rules (DER), as specified in ITU-T X.690.";
- reference
- "RFC 2986:
- PKCS #10: Certification Request Syntax
- Specification Version 1.7.
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER).";
- }
- leaf attributes {
- type binary; // FIXME: does this need to be mandatory?
- description
- "The 'attributes' field from the structure
- CertificationRequestInfo as specified by RFC 2986,
- Section 4.1 encoded using the ASN.1 distinguished
- encoding rules (DER), as specified in ITU-T X.690.";
- reference
- "RFC 2986:
- PKCS #10: Certification Request Syntax
- Specification Version 1.7.
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER).";
- }
- }
- output {
- leaf certificate-signing-request {
- type binary;
- mandatory true;
- description
- "A CertificationRequest structure as specified by
- RFC 2986, Section 4.2 encoded using the ASN.1
- distinguished encoding rules (DER), as specified
- in ITU-T X.690.";
- reference
- "RFC 2986:
- PKCS #10: Certification Request Syntax
- Specification Version 1.7.
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER).";
- }
- }
- } // generate-certificate-signing-request
- } // asymmetric-key-pair-with-cert-grouping
-
- grouping asymmetric-key-pair-with-certs-grouping {
- description
- "A private/public key pair and associated certificates.
- Implementations SHOULD assert that certificates contain
- the matching public key.";
- uses asymmetric-key-pair-grouping;
- container certificates {
- nacm:default-deny-write;
- description
- "Certificates associated with this asymmetric key.
- More than one certificate supports, for instance,
- a TPM-protected asymmetric key that has both IDevID
- and LDevID certificates associated.";
- list certificate {
- key "name";
- description
- "A certificate for this asymmetric key.";
- leaf name {
- type string;
- description
- "An arbitrary name for the certificate. If the name
- matches the name of a certificate that exists
- independently in <operational> (i.e., an IDevID),
- then the 'cert' node MUST NOT be configured.";
- }
- uses end-entity-cert-grouping;
- }
- } // certificates
- action generate-certificate-signing-request {
- nacm:default-deny-all;
- description
- "Generates a certificate signing request structure for
- the associated asymmetric key using the passed subject
- and attribute values. The specified assertions need
- to be appropriate for the certificate's use. For
- example, an entity certificate for a TLS server
- SHOULD have values that enable clients to satisfy
- RFC 6125 processing.";
- input {
- leaf subject {
- type binary;
- mandatory true;
- description
- "The 'subject' field per the CertificationRequestInfo
- structure as specified by RFC 2986, Section 4.1
- encoded using the ASN.1 distinguished encoding
- rules (DER), as specified in ITU-T X.690.";
- reference
- "RFC 2986:
- PKCS #10: Certification Request Syntax
- Specification Version 1.7.
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER).";
- }
- leaf attributes {
- type binary; // FIXME: does this need to be mandatory?
- description
- "The 'attributes' field from the structure
- CertificationRequestInfo as specified by RFC 2986,
- Section 4.1 encoded using the ASN.1 distinguished
- encoding rules (DER), as specified in ITU-T X.690.";
- reference
- "RFC 2986:
- PKCS #10: Certification Request Syntax
- Specification Version 1.7.
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER).";
- }
- }
- output {
- leaf certificate-signing-request {
- type binary;
- mandatory true;
- description
- "A CertificationRequest structure as specified by
- RFC 2986, Section 4.2 encoded using the ASN.1
- distinguished encoding rules (DER), as specified
- in ITU-T X.690.";
- reference
- "RFC 2986:
- PKCS #10: Certification Request Syntax
- Specification Version 1.7.
- ITU-T X.690:
- Information technology - ASN.1 encoding rules:
- Specification of Basic Encoding Rules (BER),
- Canonical Encoding Rules (CER) and Distinguished
- Encoding Rules (DER).";
- }
- }
- } // generate-certificate-signing-request
- } // asymmetric-key-pair-with-certs-grouping
-}
\ No newline at end of file