1 module ietf-crypto-types {
3 namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";
6 import ietf-yang-types {
9 "RFC 6991: Common YANG Data Types";
12 import ietf-netconf-acm {
15 "RFC 8341: Network Configuration Access Control Model";
19 "IETF NETCONF (Network Configuration) Working Group";
22 "WG Web: <http://datatracker.ietf.org/wg/netconf/>
23 WG List: <mailto:netconf@ietf.org>
24 Author: Kent Watsen <mailto:kent+ietf@watsen.net>
25 Author: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>";
28 "This module defines common YANG types for cryptographic
31 Copyright (c) 2019 IETF Trust and the persons identified
32 as authors of the code. All rights reserved.
34 Redistribution and use in source and binary forms, with
35 or without modification, is permitted pursuant to, and
36 subject to the license terms contained in, the Simplified
37 BSD License set forth in Section 4.c of the IETF Trust's
38 Legal Provisions Relating to IETF Documents
39 (https://trustee.ietf.org/license-info).
41 This version of this YANG module is part of RFC XXXX
42 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
43 itself for full legal notices.;
45 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
46 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
47 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
48 are to be interpreted as described in BCP 14 (RFC 2119)
49 (RFC 8174) when, and only when, they appear in all
50 capitals, as shown here.";
56 "RFC XXXX: Common YANG Data Types for Cryptography";
59 /**************************************/
60 /* Identities for Hash Algorithms */
61 /**************************************/
63 identity hash-algorithm {
65 "A base identity for hash algorithm verification.";
71 "The SHA-224 algorithm.";
73 "RFC 6234: US Secure Hash Algorithms.";
78 "The SHA-256 algorithm.";
80 "RFC 6234: US Secure Hash Algorithms.";
86 "The SHA-384 algorithm.";
88 "RFC 6234: US Secure Hash Algorithms.";
94 "The SHA-512 algorithm.";
96 "RFC 6234: US Secure Hash Algorithms.";
99 /***********************************************/
100 /* Identities for Asymmetric Key Algorithms */
101 /***********************************************/
103 identity asymmetric-key-algorithm {
105 "Base identity from which all asymmetric key
106 encryption Algorithm.";
110 base asymmetric-key-algorithm;
112 "The RSA algorithm using a 1024-bit key.";
115 PKCS #1: RSA Cryptography Specifications Version 2.2.";
119 base asymmetric-key-algorithm;
121 "The RSA algorithm using a 2048-bit key.";
124 PKCS #1: RSA Cryptography Specifications Version 2.2.";
128 base asymmetric-key-algorithm;
130 "The RSA algorithm using a 3072-bit key.";
133 PKCS #1: RSA Cryptography Specifications Version 2.2.";
137 base asymmetric-key-algorithm;
139 "The RSA algorithm using a 4096-bit key.";
142 PKCS #1: RSA Cryptography Specifications Version 2.2.";
146 base asymmetric-key-algorithm;
148 "The RSA algorithm using a 7680-bit key.";
151 PKCS #1: RSA Cryptography Specifications Version 2.2.";
155 base asymmetric-key-algorithm;
157 "The RSA algorithm using a 15360-bit key.";
160 PKCS #1: RSA Cryptography Specifications Version 2.2.";
164 base asymmetric-key-algorithm;
166 "The ECDSA algorithm using a NIST P256 Curve.";
169 Fundamental Elliptic Curve Cryptography Algorithms.";
172 base asymmetric-key-algorithm;
174 "The ECDSA algorithm using a NIST P256 Curve.";
177 Fundamental Elliptic Curve Cryptography Algorithms.";
181 base asymmetric-key-algorithm;
183 "The ECDSA algorithm using a NIST P256 Curve.";
186 Fundamental Elliptic Curve Cryptography Algorithms.";
190 base asymmetric-key-algorithm;
192 "The ECDSA algorithm using a NIST P256 Curve.";
195 Fundamental Elliptic Curve Cryptography Algorithms.";
199 base asymmetric-key-algorithm;
201 "The ECDSA algorithm using a NIST P256 Curve.";
204 Fundamental Elliptic Curve Cryptography Algorithms.";
207 /*************************************/
208 /* Identities for MAC Algorithms */
209 /*************************************/
211 identity mac-algorithm {
213 "A base identity for mac generation.";
219 "Generating MAC using SHA1 hash function";
221 "RFC 3174: US Secure Hash Algorithm 1 (SHA1)";
224 identity hmac-sha1-96 {
227 "Generating MAC using SHA1 hash function";
229 "RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH";
232 identity hmac-sha2-224 {
235 "Generating MAC using SHA2 hash function";
238 US Secure Hash Algorithms (SHA and SHA-based HMAC and
242 identity hmac-sha2-256 {
245 "Generating MAC using SHA2 hash function";
248 US Secure Hash Algorithms (SHA and SHA-based HMAC and
252 identity hmac-sha2-256-128 {
255 "Generating a 256 bits MAC using SHA2 hash function and
256 truncate it to 128 bits";
259 Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
263 identity hmac-sha2-384 {
266 "Generating MAC using SHA2 hash function";
269 US Secure Hash Algorithms (SHA and SHA-based HMAC and
273 identity hmac-sha2-384-192 {
276 "Generating a 384 bits MAC using SHA2 hash function and
277 truncate it to 192 bits";
280 Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with
284 identity hmac-sha2-512 {
287 "Generating MAC using SHA2 hash function";
290 US Secure Hash Algorithms (SHA and SHA-based HMAC and
294 identity hmac-sha2-512-256 {
297 "Generating a 512 bits MAC using SHA2 hash function and
298 truncating it to 256 bits";
301 Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with
305 identity aes-128-gmac {
308 "Generating MAC using the Advanced Encryption Standard (AES)
309 Galois Message Authentication Code (GMAC) as a mechanism to
310 provide data origin authentication";
313 The Use of Galois Message Authentication Code (GMAC) in
317 identity aes-192-gmac {
320 "Generating MAC using the Advanced Encryption Standard (AES)
321 Galois Message Authentication Code (GMAC) as a mechanism to
322 provide data origin authentication";
325 The Use of Galois Message Authentication Code (GMAC) in
329 identity aes-256-gmac {
332 "Generating MAC using the Advanced Encryption Standard (AES)
333 Galois Message Authentication Code (GMAC) as a mechanism to
334 provide data origin authentication";
337 The Use of Galois Message Authentication Code (GMAC) in
341 identity aes-cmac-96 {
344 "Generating MAC using Advanced Encryption Standard (AES)
345 Cipher-based Message Authentication Code (CMAC)";
347 "RFC 4494: The AES-CMAC-96 Algorithm and its Use with IPsec";
350 identity aes-cmac-128 {
353 "Generating MAC using Advanced Encryption Standard (AES)
354 Cipher-based Message Authentication Code (CMAC)";
356 "RFC 4493: The AES-CMAC Algorithm";
359 /********************************************/
360 /* Identities for Encryption Algorithms */
361 /********************************************/
363 identity encryption-algorithm {
365 "A base identity for encryption algorithm.";
368 identity aes-128-cbc {
369 base encryption-algorithm;
371 "Encrypt message with AES algorithm in CBC mode with a key
375 Use of the Advanced Encryption Standard (AES) Encryption
376 Algorithm in Cryptographic Message Syntax (CMS)";
379 identity aes-192-cbc {
380 base encryption-algorithm;
382 "Encrypt message with AES algorithm in CBC mode with a key
386 Use of the Advanced Encryption Standard (AES) Encryption
387 Algorithm in Cryptographic Message Syntax (CMS)";
390 identity aes-256-cbc {
391 base encryption-algorithm;
393 "Encrypt message with AES algorithm in CBC mode with a key
397 Use of the Advanced Encryption Standard (AES) Encryption
398 Algorithm in Cryptographic Message Syntax (CMS)";
401 identity aes-128-ctr {
402 base encryption-algorithm;
404 "Encrypt message with AES algorithm in CTR mode with a key
408 Using Advanced Encryption Standard (AES) Counter Mode with
409 IPsec Encapsulating Security Payload (ESP)";
411 identity aes-192-ctr {
412 base encryption-algorithm;
414 "Encrypt message with AES algorithm in CTR mode with a key
418 Using Advanced Encryption Standard (AES) Counter Mode with
419 IPsec Encapsulating Security Payload (ESP)";
422 identity aes-256-ctr {
423 base encryption-algorithm;
425 "Encrypt message with AES algorithm in CTR mode with a key
429 Using Advanced Encryption Standard (AES) Counter Mode with
430 IPsec Encapsulating Security Payload (ESP)";
433 /****************************************************/
434 /* Identities for Encryption and MAC Algorithms */
435 /****************************************************/
437 identity encryption-and-mac-algorithm {
439 "A base identity for encryption and MAC algorithm.";
442 identity aes-128-ccm {
443 base encryption-and-mac-algorithm;
445 "Encrypt message with AES algorithm in CCM mode with a key
446 length of 128 bits; it can also be used for generating MAC";
449 Using Advanced Encryption Standard (AES) CCM Mode with
450 IPsec Encapsulating Security Payload (ESP)";
453 identity aes-192-ccm {
454 base encryption-and-mac-algorithm;
456 "Encrypt message with AES algorithm in CCM mode with a key
457 length of 192 bits; it can also be used for generating MAC";
460 Using Advanced Encryption Standard (AES) CCM Mode with
461 IPsec Encapsulating Security Payload (ESP)";
464 identity aes-256-ccm {
465 base encryption-and-mac-algorithm;
467 "Encrypt message with AES algorithm in CCM mode with a key
468 length of 256 bits; it can also be used for generating MAC";
471 Using Advanced Encryption Standard (AES) CCM Mode with
472 IPsec Encapsulating Security Payload (ESP)";
475 identity aes-128-gcm {
476 base encryption-and-mac-algorithm;
478 "Encrypt message with AES algorithm in GCM mode with a key
479 length of 128 bits; it can also be used for generating MAC";
482 The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
483 Security Payload (ESP)";
486 identity aes-192-gcm {
487 base encryption-and-mac-algorithm;
489 "Encrypt message with AES algorithm in GCM mode with a key
490 length of 192 bits; it can also be used for generating MAC";
493 The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
494 Security Payload (ESP)";
497 identity mac-aes-256-gcm {
498 base encryption-and-mac-algorithm;
500 "Encrypt message with AES algorithm in GCM mode with a key
501 length of 128 bits; it can also be used for generating MAC";
504 The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
505 Security Payload (ESP)";
507 identity chacha20-poly1305 {
508 base encryption-and-mac-algorithm;
510 "Encrypt message with chacha20 algorithm and generate MAC with
511 POLY1305; it can also be used for generating MAC";
513 "RFC 8439: ChaCha20 and Poly1305 for IETF Protocols";
516 /******************************************/
517 /* Identities for signature algorithm */
518 /******************************************/
520 identity signature-algorithm {
522 "A base identity for asymmetric key encryption algorithm.";
526 base signature-algorithm;
528 "The signature algorithm using DSA algorithm with SHA1 hash
531 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
534 identity rsassa-pkcs1-sha1 {
535 base signature-algorithm;
537 "The signature algorithm using RSASSA-PKCS1-v1_5 with the SHA1
540 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
543 identity rsassa-pkcs1-sha256 {
544 base signature-algorithm;
546 "The signature algorithm using RSASSA-PKCS1-v1_5 with the
547 SHA256 hash algorithm.";
550 Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell
553 The Transport Layer Security (TLS) Protocol Version 1.3";
555 identity rsassa-pkcs1-sha384 {
556 base signature-algorithm;
558 "The signature algorithm using RSASSA-PKCS1-v1_5 with the
559 SHA384 hash algorithm.";
562 The Transport Layer Security (TLS) Protocol Version 1.3";
565 identity rsassa-pkcs1-sha512 {
566 base signature-algorithm;
568 "The signature algorithm using RSASSA-PKCS1-v1_5 with the
569 SHA512 hash algorithm.";
572 Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell
575 The Transport Layer Security (TLS) Protocol Version 1.3";
578 identity rsassa-pss-rsae-sha256 {
579 base signature-algorithm;
581 "The signature algorithm using RSASSA-PSS with mask generation
582 function 1 and SHA256 hash algorithm. If the public key is
583 carried in an X.509 certificate, it MUST use the rsaEncryption
587 The Transport Layer Security (TLS) Protocol Version 1.3";
590 identity rsassa-pss-rsae-sha384 {
591 base signature-algorithm;
593 "The signature algorithm using RSASSA-PSS with mask generation
594 function 1 and SHA384 hash algorithm. If the public key is
595 carried in an X.509 certificate, it MUST use the rsaEncryption
599 The Transport Layer Security (TLS) Protocol Version 1.3";
602 identity rsassa-pss-rsae-sha512 {
603 base signature-algorithm;
605 "The signature algorithm using RSASSA-PSS with mask generation
606 function 1 and SHA512 hash algorithm. If the public key is
607 carried in an X.509 certificate, it MUST use the rsaEncryption
611 The Transport Layer Security (TLS) Protocol Version 1.3";
614 identity rsassa-pss-pss-sha256 {
615 base signature-algorithm;
617 "The signature algorithm using RSASSA-PSS with mask generation
618 function 1 and SHA256 hash algorithm. If the public key is
619 carried in an X.509 certificate, it MUST use the RSASSA-PSS
623 The Transport Layer Security (TLS) Protocol Version 1.3";
626 identity rsassa-pss-pss-sha384 {
627 base signature-algorithm;
629 "The signature algorithm using RSASSA-PSS with mask generation
630 function 1 and SHA256 hash algorithm. If the public key is
631 carried in an X.509 certificate, it MUST use the RSASSA-PSS
635 The Transport Layer Security (TLS) Protocol Version 1.3";
638 identity rsassa-pss-pss-sha512 {
639 base signature-algorithm;
641 "The signature algorithm using RSASSA-PSS with mask generation
642 function 1 and SHA256 hash algorithm. If the public key is
643 carried in an X.509 certificate, it MUST use the RSASSA-PSS
647 The Transport Layer Security (TLS) Protocol Version 1.3";
650 identity ecdsa-secp256r1-sha256 {
651 base signature-algorithm;
653 "The signature algorithm using ECDSA with curve name secp256r1
654 and SHA256 hash algorithm.";
656 "RFC 5656: Elliptic Curve Algorithm Integration in the
657 Secure Shell Transport Layer
659 The Transport Layer Security (TLS) Protocol Version 1.3";
662 identity ecdsa-secp384r1-sha384 {
663 base signature-algorithm;
665 "The signature algorithm using ECDSA with curve name secp384r1
666 and SHA384 hash algorithm.";
668 "RFC 5656: Elliptic Curve Algorithm Integration in the
669 Secure Shell Transport Layer
671 The Transport Layer Security (TLS) Protocol Version 1.3";
674 identity ecdsa-secp521r1-sha512 {
675 base signature-algorithm;
677 "The signature algorithm using ECDSA with curve name secp521r1
678 and SHA512 hash algorithm.";
680 "RFC 5656: Elliptic Curve Algorithm Integration in the
681 Secure Shell Transport Layer
683 The Transport Layer Security (TLS) Protocol Version 1.3";
687 base signature-algorithm;
689 "The signature algorithm using EdDSA as defined in RFC 8032 or
692 "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)";
696 base signature-algorithm;
698 "The signature algorithm using EdDSA as defined in RFC 8032 or
701 "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)";
705 base signature-algorithm;
707 "The signature algorithm using ECCSI signature as defined in
711 Elliptic Curve-Based Certificateless Signatures for
712 Identity-based Encryption (ECCSI)";
715 /**********************************************/
716 /* Identities for key exchange algorithms */
717 /**********************************************/
719 identity key-exchange-algorithm {
721 "A base identity for Diffie-Hellman based key exchange
726 base key-exchange-algorithm;
728 "Using Pre-shared key for authentication and key exchange";
731 Pre-Shared Key cipher suites for Transport Layer Security
735 identity dhe-ffdhe2048 {
736 base key-exchange-algorithm;
738 "Ephemeral Diffie Hellman key exchange with 2048 bit
742 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
743 for Transport Layer Security (TLS)";
746 identity dhe-ffdhe3072 {
747 base key-exchange-algorithm;
749 "Ephemeral Diffie Hellman key exchange with 3072 bit finite
753 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
754 for Transport Layer Security (TLS)";
757 identity dhe-ffdhe4096 {
758 base key-exchange-algorithm;
760 "Ephemeral Diffie Hellman key exchange with 4096 bit
764 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
765 for Transport Layer Security (TLS)";
768 identity dhe-ffdhe6144 {
769 base key-exchange-algorithm;
771 "Ephemeral Diffie Hellman key exchange with 6144 bit
775 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
776 for Transport Layer Security (TLS)";
779 identity dhe-ffdhe8192 {
780 base key-exchange-algorithm;
782 "Ephemeral Diffie Hellman key exchange with 8192 bit
786 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
787 for Transport Layer Security (TLS)";
790 identity psk-dhe-ffdhe2048 {
791 base key-exchange-algorithm;
793 "Key exchange using pre-shared key with Diffie-Hellman key
794 generation mechanism, where the DH group is FFDHE2048";
797 The Transport Layer Security (TLS) Protocol Version 1.3";
800 identity psk-dhe-ffdhe3072 {
801 base key-exchange-algorithm;
803 "Key exchange using pre-shared key with Diffie-Hellman key
804 generation mechanism, where the DH group is FFDHE3072";
807 The Transport Layer Security (TLS) Protocol Version 1.3";
810 identity psk-dhe-ffdhe4096 {
811 base key-exchange-algorithm;
813 "Key exchange using pre-shared key with Diffie-Hellman key
814 generation mechanism, where the DH group is FFDHE4096";
817 The Transport Layer Security (TLS) Protocol Version 1.3";
820 identity psk-dhe-ffdhe6144 {
821 base key-exchange-algorithm;
823 "Key exchange using pre-shared key with Diffie-Hellman key
824 generation mechanism, where the DH group is FFDHE6144";
827 The Transport Layer Security (TLS) Protocol Version 1.3";
830 identity psk-dhe-ffdhe8192 {
831 base key-exchange-algorithm;
833 "Key exchange using pre-shared key with Diffie-Hellman key
834 generation mechanism, where the DH group is FFDHE8192";
837 The Transport Layer Security (TLS) Protocol Version 1.3";
840 identity ecdhe-secp256r1 {
841 base key-exchange-algorithm;
843 "Ephemeral Diffie Hellman key exchange with elliptic group
844 over curve secp256r1";
847 Elliptic Curve Cryptography (ECC) Cipher Suites for
848 Transport Layer Security (TLS) Versions 1.2 and Earlier";
851 identity ecdhe-secp384r1 {
852 base key-exchange-algorithm;
854 "Ephemeral Diffie Hellman key exchange with elliptic group
855 over curve secp384r1";
858 Elliptic Curve Cryptography (ECC) Cipher Suites for
859 Transport Layer Security (TLS) Versions 1.2 and Earlier";
862 identity ecdhe-secp521r1 {
863 base key-exchange-algorithm;
865 "Ephemeral Diffie Hellman key exchange with elliptic group
866 over curve secp521r1";
869 Elliptic Curve Cryptography (ECC) Cipher Suites for
870 Transport Layer Security (TLS) Versions 1.2 and Earlier";
873 identity ecdhe-x25519 {
874 base key-exchange-algorithm;
876 "Ephemeral Diffie Hellman key exchange with elliptic group
880 Elliptic Curve Cryptography (ECC) Cipher Suites for
881 Transport Layer Security (TLS) Versions 1.2 and Earlier";
884 identity ecdhe-x448 {
885 base key-exchange-algorithm;
887 "Ephemeral Diffie Hellman key exchange with elliptic group
891 Elliptic Curve Cryptography (ECC) Cipher Suites for
892 Transport Layer Security (TLS) Versions 1.2 and Earlier";
895 identity psk-ecdhe-secp256r1 {
896 base key-exchange-algorithm;
898 "Key exchange using pre-shared key with elliptic group-based
899 Ephemeral Diffie Hellman key exchange over curve secp256r1";
902 The Transport Layer Security (TLS) Protocol Version 1.3";
905 identity psk-ecdhe-secp384r1 {
906 base key-exchange-algorithm;
908 "Key exchange using pre-shared key with elliptic group-based
909 Ephemeral Diffie Hellman key exchange over curve secp384r1";
912 The Transport Layer Security (TLS) Protocol Version 1.3";
915 identity psk-ecdhe-secp521r1 {
916 base key-exchange-algorithm;
918 "Key exchange using pre-shared key with elliptic group-based
919 Ephemeral Diffie Hellman key exchange over curve secp521r1";
922 The Transport Layer Security (TLS) Protocol Version 1.3";
925 identity psk-ecdhe-x25519 {
926 base key-exchange-algorithm;
928 "Key exchange using pre-shared key with elliptic group-based
929 Ephemeral Diffie Hellman key exchange over curve x25519";
932 The Transport Layer Security (TLS) Protocol Version 1.3";
935 identity psk-ecdhe-x448 {
936 base key-exchange-algorithm;
938 "Key exchange using pre-shared key with elliptic group-based
939 Ephemeral Diffie Hellman key exchange over curve x448";
942 The Transport Layer Security (TLS) Protocol Version 1.3";
945 identity diffie-hellman-group14-sha1 {
946 base key-exchange-algorithm;
948 "Using DH group14 and SHA1 for key exchange";
950 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
953 identity diffie-hellman-group14-sha256 {
954 base key-exchange-algorithm;
956 "Using DH group14 and SHA256 for key exchange";
959 More Modular Exponentiation (MODP) Diffie-Hellman (DH)
960 Key Exchange (KEX) Groups for Secure Shell (SSH)";
963 identity diffie-hellman-group15-sha512 {
964 base key-exchange-algorithm;
966 "Using DH group15 and SHA512 for key exchange";
969 More Modular Exponentiation (MODP) Diffie-Hellman (DH)
970 Key Exchange (KEX) Groups for Secure Shell (SSH)";
973 identity diffie-hellman-group16-sha512 {
974 base key-exchange-algorithm;
976 "Using DH group16 and SHA512 for key exchange";
979 More Modular Exponentiation (MODP) Diffie-Hellman (DH)
980 Key Exchange (KEX) Groups for Secure Shell (SSH)";
983 identity diffie-hellman-group17-sha512 {
984 base key-exchange-algorithm;
986 "Using DH group17 and SHA512 for key exchange";
990 More Modular Exponentiation (MODP) Diffie-Hellman (DH)
991 Key Exchange (KEX) Groups for Secure Shell (SSH)";
994 identity diffie-hellman-group18-sha512 {
995 base key-exchange-algorithm;
997 "Using DH group18 and SHA512 for key exchange";
1000 More Modular Exponentiation (MODP) Diffie-Hellman (DH)
1001 Key Exchange (KEX) Groups for Secure Shell (SSH)";
1004 identity ecdh-sha2-secp256r1 {
1005 base key-exchange-algorithm;
1007 "Elliptic curve-based Diffie Hellman key exchange over curve
1008 secp256r1 and using SHA2 for MAC generation";
1010 "RFC 6239: Suite B Cryptographic Suites for Secure Shell
1014 identity ecdh-sha2-secp384r1 {
1015 base key-exchange-algorithm;
1017 "Elliptic curve-based Diffie Hellman key exchange over curve
1018 secp384r1 and using SHA2 for MAC generation";
1020 "RFC 6239: Suite B Cryptographic Suites for Secure Shell
1024 identity rsaes-oaep {
1025 base key-exchange-algorithm;
1027 "RSAES-OAEP combines the RSAEP and RSADP primitives with the
1028 EME-OAEP encoding method";
1031 PKCS #1: RSA Cryptography Specifications Version 2.2.";
1034 identity rsaes-pkcs1-v1_5 {
1035 base key-exchange-algorithm;
1037 " RSAES-PKCS1-v1_5 combines the RSAEP and RSADP primitives
1038 with the EME-PKCS1-v1_5 encoding method";
1041 PKCS #1: RSA Cryptography Specifications Version 2.2.";
1044 /**********************************************************/
1045 /* Typedefs for identityrefs to above base identities */
1046 /**********************************************************/
1048 typedef hash-algorithm-ref {
1050 base hash-algorithm;
1053 "This typedef enables importing modules to easily define an
1054 identityref to the 'hash-algorithm' base identity.";
1057 typedef signature-algorithm-ref {
1059 base signature-algorithm;
1062 "This typedef enables importing modules to easily define an
1063 identityref to the 'signature-algorithm' base identity.";
1066 typedef mac-algorithm-ref {
1071 "This typedef enables importing modules to easily define an
1072 identityref to the 'mac-algorithm' base identity.";
1075 typedef encryption-algorithm-ref {
1077 base encryption-algorithm;
1080 "This typedef enables importing modules to easily define an
1081 identityref to the 'encryption-algorithm'
1085 typedef encryption-and-mac-algorithm-ref {
1087 base encryption-and-mac-algorithm;
1090 "This typedef enables importing modules to easily define an
1091 identityref to the 'encryption-and-mac-algorithm'
1095 typedef asymmetric-key-algorithm-ref {
1097 base asymmetric-key-algorithm;
1100 "This typedef enables importing modules to easily define an
1101 identityref to the 'asymmetric-key-algorithm'
1105 typedef key-exchange-algorithm-ref {
1107 base key-exchange-algorithm;
1110 "This typedef enables importing modules to easily define an
1111 identityref to the 'key-exchange-algorithm' base identity.";
1114 /***************************************************/
1115 /* Typedefs for ASN.1 structures from RFC 5280 */
1116 /***************************************************/
1121 "A Certificate structure, as specified in RFC 5280,
1122 encoded using ASN.1 distinguished encoding rules (DER),
1123 as specified in ITU-T X.690.";
1126 Internet X.509 Public Key Infrastructure Certificate
1127 and Certificate Revocation List (CRL) Profile
1129 Information technology - ASN.1 encoding rules:
1130 Specification of Basic Encoding Rules (BER),
1131 Canonical Encoding Rules (CER) and Distinguished
1132 Encoding Rules (DER).";
1138 "A CertificateList structure, as specified in RFC 5280,
1139 encoded using ASN.1 distinguished encoding rules (DER),
1140 as specified in ITU-T X.690.";
1143 Internet X.509 Public Key Infrastructure Certificate
1144 and Certificate Revocation List (CRL) Profile
1146 Information technology - ASN.1 encoding rules:
1147 Specification of Basic Encoding Rules (BER),
1148 Canonical Encoding Rules (CER) and Distinguished
1149 Encoding Rules (DER).";
1152 /***********************************************/
1153 /* Typedefs for ASN.1 structures from 5652 */
1154 /***********************************************/
1159 "A ContentInfo structure, as specified in RFC 5652,
1160 encoded using ASN.1 distinguished encoding rules (DER),
1161 as specified in ITU-T X.690.";
1164 Cryptographic Message Syntax (CMS)
1166 Information technology - ASN.1 encoding rules:
1167 Specification of Basic Encoding Rules (BER),
1168 Canonical Encoding Rules (CER) and Distinguished
1169 Encoding Rules (DER).";
1172 typedef data-content-cms {
1175 "A CMS structure whose top-most content type MUST be the
1176 data content type, as described by Section 4 in RFC 5652.";
1178 "RFC 5652: Cryptographic Message Syntax (CMS)";
1181 typedef signed-data-cms {
1184 "A CMS structure whose top-most content type MUST be the
1185 signed-data content type, as described by Section 5 in
1188 "RFC 5652: Cryptographic Message Syntax (CMS)";
1191 typedef enveloped-data-cms {
1194 "A CMS structure whose top-most content type MUST be the
1195 enveloped-data content type, as described by Section 6
1198 "RFC 5652: Cryptographic Message Syntax (CMS)";
1201 typedef digested-data-cms {
1204 "A CMS structure whose top-most content type MUST be the
1205 digested-data content type, as described by Section 7
1208 "RFC 5652: Cryptographic Message Syntax (CMS)";
1211 typedef encrypted-data-cms {
1214 "A CMS structure whose top-most content type MUST be the
1215 encrypted-data content type, as described by Section 8
1218 "RFC 5652: Cryptographic Message Syntax (CMS)";
1221 typedef authenticated-data-cms {
1224 "A CMS structure whose top-most content type MUST be the
1225 authenticated-data content type, as described by Section 9
1228 "RFC 5652: Cryptographic Message Syntax (CMS)";
1231 /***************************************************/
1232 /* Typedefs for structures related to RFC 4253 */
1233 /***************************************************/
1235 typedef ssh-host-key {
1238 "The binary public key data for this SSH key, as
1239 specified by RFC 4253, Section 6.6, i.e.:
1241 string certificate or public key format
1243 byte[n] key/certificate data.";
1245 "RFC 4253: The Secure Shell (SSH) Transport Layer
1249 /*********************************************************/
1250 /* Typedefs for ASN.1 structures related to RFC 5280 */
1251 /*********************************************************/
1253 typedef trust-anchor-cert-x509 {
1256 "A Certificate structure that MUST encode a self-signed
1260 typedef end-entity-cert-x509 {
1263 "A Certificate structure that MUST encode a certificate
1264 that is neither self-signed nor having Basic constraint
1268 /*********************************************************/
1269 /* Typedefs for ASN.1 structures related to RFC 5652 */
1270 /*********************************************************/
1272 typedef trust-anchor-cert-cms {
1273 type signed-data-cms;
1275 "A CMS SignedData structure that MUST contain the chain of
1276 X.509 certificates needed to authenticate the certificate
1277 presented by a client or end-entity.
1279 The CMS MUST contain only a single chain of certificates.
1280 The client or end-entity certificate MUST only authenticate
1281 to last intermediate CA certificate listed in the chain.
1283 In all cases, the chain MUST include a self-signed root
1284 certificate. In the case where the root certificate is
1285 itself the issuer of the client or end-entity certificate,
1286 only one certificate is present.
1288 This CMS structure MAY (as applicable where this type is
1289 used) also contain suitably fresh (as defined by local
1290 policy) revocation objects with which the device can
1291 verify the revocation status of the certificates.
1293 This CMS encodes the degenerate form of the SignedData
1294 structure that is commonly used to disseminate X.509
1295 certificates and revocation objects (RFC 5280).";
1298 Internet X.509 Public Key Infrastructure Certificate
1299 and Certificate Revocation List (CRL) Profile.";
1302 typedef end-entity-cert-cms {
1303 type signed-data-cms;
1305 "A CMS SignedData structure that MUST contain the end
1306 entity certificate itself, and MAY contain any number
1307 of intermediate certificates leading up to a trust
1308 anchor certificate. The trust anchor certificate
1309 MAY be included as well.
1311 The CMS MUST contain a single end entity certificate.
1312 The CMS MUST NOT contain any spurious certificates.
1314 This CMS structure MAY (as applicable where this type is
1315 used) also contain suitably fresh (as defined by local
1316 policy) revocation objects with which the device can
1317 verify the revocation status of the certificates.
1319 This CMS encodes the degenerate form of the SignedData
1320 structure that is commonly used to disseminate X.509
1321 certificates and revocation objects (RFC 5280).";
1324 Internet X.509 Public Key Infrastructure Certificate
1325 and Certificate Revocation List (CRL) Profile.";
1328 /**********************************************/
1329 /* Groupings for keys and/or certificates */
1330 /**********************************************/
1332 grouping public-key-grouping {
1336 The 'algorithm' and 'public-key' nodes are not
1337 mandatory because they MAY be defined in <operational>.
1338 Implementations SHOULD assert that these values are
1339 either configured or that they exist in <operational>.";
1341 nacm:default-deny-write;
1342 type asymmetric-key-algorithm-ref;
1343 must '../public-key';
1345 "Identifies the key's algorithm. More specifically,
1346 this leaf specifies how the 'public-key' binary leaf
1349 "RFC CCCC: Common YANG Data Types for Cryptography";
1352 nacm:default-deny-write;
1354 must '../algorithm';
1356 "A binary that contains the value of the public key. The
1357 interpretation of the content is defined by the key
1358 algorithm. For example, a DSA key is an integer, an RSA
1359 key is represented as RSAPublicKey as defined in
1360 RFC 8017, and an Elliptic Curve Cryptography (ECC) key
1361 is represented using the 'publicKey' described in
1364 "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
1365 RSA Cryptography Specifications Version 2.2.
1366 RFC 5915: Elliptic Curve Private Key Structure.";
1370 grouping asymmetric-key-pair-grouping {
1372 "A private/public key pair.
1373 The 'algorithm', 'public-key', and 'private-key' nodes are
1374 not mandatory because they MAY be defined in <operational>.
1375 Implementations SHOULD assert that these values are either
1376 configured or that they exist in <operational>.";
1377 uses public-key-grouping;
1379 nacm:default-deny-all;
1383 enum permanently-hidden {
1385 "The private key is inaccessible due to being
1386 protected by the system (e.g., a cryptographic
1389 How such keys are backed-up and restored, if
1390 at all, is implementation specific.
1392 Servers MUST fail any attempt by a client to
1393 configure this value directly. This value is
1394 not set by clients, but rather is set by the
1395 'generate-hidden-key' and 'install-hidden-key'
1400 must '../public-key';
1402 "A binary that contains the value of the private key. The
1403 interpretation of the content is defined by the key
1404 algorithm. For example, a DSA key is an integer, an RSA
1405 key is represented as RSAPrivateKey as defined in
1406 RFC 8017, and an Elliptic Curve Cryptography (ECC) key
1407 is represented as ECPrivateKey as defined in RFC 5915.";
1409 "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
1410 RSA Cryptography Specifications Version 2.2.
1411 RFC 5915: Elliptic Curve Private Key Structure.";
1414 action generate-hidden-key {
1415 nacm:default-deny-all;
1417 "Requests the device to generate a hidden key using the
1418 specified asymmetric key algorithm. This action is
1419 used to request the system to generate a key that is
1420 'permanently-hidden', perhaps protected by a cryptographic
1421 hardware module. The resulting asymmetric key values are
1422 considered operational state and hence present only in
1423 <operational> and bound to the lifetime of the parent
1424 'config true' node. Subsequent invocations of this or
1425 the 'install-hidden-key' action are denied with error-tag
1429 type asymmetric-key-algorithm-ref;
1432 "The algorithm to be used when generating the
1435 "RFC CCCC: Common YANG Data Types for Cryptography";
1438 } // generate-hidden-key
1440 action install-hidden-key {
1441 nacm:default-deny-all;
1443 "Requests the device to load the specified values into
1444 a hidden key. The resulting asymmetric key values are
1445 considered operational state and hence present only in
1446 <operational> and bound to the lifetime of the parent
1447 'config true' node. Subsequent invocations of this
1448 or the 'generate-hidden-key' action are denied with
1449 error-tag 'data-exists'.";
1452 type asymmetric-key-algorithm-ref;
1455 "The algorithm to be used when generating the
1458 "RFC CCCC: Common YANG Data Types for Cryptography";
1463 "A binary that contains the value of the public key.
1464 The interpretation of the content is defined by the key
1465 algorithm. For example, a DSA key is an integer, an
1466 RSA key is represented as RSAPublicKey as defined in
1467 RFC 8017, and an Elliptic Curve Cryptography (ECC) key
1468 is represented using the 'publicKey' described in
1471 "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
1472 RSA Cryptography Specifications Version 2.2.
1473 RFC 5915: Elliptic Curve Private Key Structure.";
1478 "A binary that contains the value of the private key.
1479 The interpretation of the content is defined by the key
1480 algorithm. For example, a DSA key is an integer, an RSA
1481 key is represented as RSAPrivateKey as defined in
1482 RFC 8017, and an Elliptic Curve Cryptography (ECC) key
1483 is represented as ECPrivateKey as defined in RFC 5915.";
1485 "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
1486 RSA Cryptography Specifications Version 2.2.
1487 RFC 5915: Elliptic Curve Private Key Structure.";
1490 } // install-hidden-key
1491 } // asymmetric-key-pair-grouping
1494 grouping trust-anchor-cert-grouping {
1496 "A trust anchor certificate, and a notification for when
1497 it is about to (or already has) expire.";
1499 nacm:default-deny-write;
1500 type trust-anchor-cert-cms;
1502 "The binary certificate data for this certificate.";
1504 "RFC YYYY: Common YANG Data Types for Cryptography";
1506 notification certificate-expiration {
1508 "A notification indicating that the configured certificate
1509 is either about to expire or has already expired. When to
1510 send notifications is an implementation specific decision,
1511 but it is RECOMMENDED that a notification be sent once a
1512 month for 3 months, then once a week for four weeks, and
1513 then once a day thereafter until the issue is resolved.";
1514 leaf expiration-date {
1515 type yang:date-and-time;
1518 "Identifies the expiration date on the certificate.";
1523 grouping trust-anchor-certs-grouping {
1525 "A list of trust anchor certificates, and a notification
1526 for when one is about to (or already has) expire.";
1528 nacm:default-deny-write;
1529 type trust-anchor-cert-cms;
1531 "The binary certificate data for this certificate.";
1533 "RFC YYYY: Common YANG Data Types for Cryptography";
1535 notification certificate-expiration {
1537 "A notification indicating that the configured certificate
1538 is either about to expire or has already expired. When to
1539 send notifications is an implementation specific decision,
1540 but it is RECOMMENDED that a notification be sent once a
1541 month for 3 months, then once a week for four weeks, and
1542 then once a day thereafter until the issue is resolved.";
1543 leaf expiration-date {
1544 type yang:date-and-time;
1547 "Identifies the expiration date on the certificate.";
1552 grouping end-entity-cert-grouping {
1554 "An end entity certificate, and a notification for when
1555 it is about to (or already has) expire.";
1557 nacm:default-deny-write;
1558 type end-entity-cert-cms;
1560 "The binary certificate data for this certificate.";
1562 "RFC YYYY: Common YANG Data Types for Cryptography";
1564 notification certificate-expiration {
1566 "A notification indicating that the configured certificate
1567 is either about to expire or has already expired. When to
1568 send notifications is an implementation specific decision,
1569 but it is RECOMMENDED that a notification be sent once a
1570 month for 3 months, then once a week for four weeks, and
1571 then once a day thereafter until the issue is resolved.";
1572 leaf expiration-date {
1573 type yang:date-and-time;
1576 "Identifies the expiration date on the certificate.";
1581 grouping end-entity-certs-grouping {
1583 "A list of end entity certificates, and a notification for
1584 when one is about to (or already has) expire.";
1586 nacm:default-deny-write;
1587 type end-entity-cert-cms;
1589 "The binary certificate data for this certificate.";
1591 "RFC YYYY: Common YANG Data Types for Cryptography";
1593 notification certificate-expiration {
1595 "A notification indicating that the configured certificate
1596 is either about to expire or has already expired. When to
1597 send notifications is an implementation specific decision,
1598 but it is RECOMMENDED that a notification be sent once a
1599 month for 3 months, then once a week for four weeks, and
1600 then once a day thereafter until the issue is resolved.";
1601 leaf expiration-date {
1602 type yang:date-and-time;
1605 "Identifies the expiration date on the certificate.";
1610 grouping asymmetric-key-pair-with-cert-grouping {
1612 "A private/public key pair and an associated certificate.";
1613 uses asymmetric-key-pair-grouping;
1614 uses end-entity-cert-grouping;
1616 action generate-certificate-signing-request {
1617 nacm:default-deny-all;
1619 "Generates a certificate signing request structure for
1620 the associated asymmetric key using the passed subject
1621 and attribute values. The specified assertions need
1622 to be appropriate for the certificate's use. For
1623 example, an entity certificate for a TLS server
1624 SHOULD have values that enable clients to satisfy
1625 RFC 6125 processing.";
1631 "The 'subject' field per the CertificationRequestInfo
1632 structure as specified by RFC 2986, Section 4.1
1633 encoded using the ASN.1 distinguished encoding
1634 rules (DER), as specified in ITU-T X.690.";
1637 PKCS #10: Certification Request Syntax
1638 Specification Version 1.7.
1640 Information technology - ASN.1 encoding rules:
1641 Specification of Basic Encoding Rules (BER),
1642 Canonical Encoding Rules (CER) and Distinguished
1643 Encoding Rules (DER).";
1648 "The 'attributes' field from the structure
1649 CertificationRequestInfo as specified by RFC 2986,
1650 Section 4.1 encoded using the ASN.1 distinguished
1651 encoding rules (DER), as specified in ITU-T X.690.";
1654 PKCS #10: Certification Request Syntax
1655 Specification Version 1.7.
1657 Information technology - ASN.1 encoding rules:
1658 Specification of Basic Encoding Rules (BER),
1659 Canonical Encoding Rules (CER) and Distinguished
1660 Encoding Rules (DER).";
1664 leaf certificate-signing-request {
1668 "A CertificationRequest structure as specified by
1669 RFC 2986, Section 4.2 encoded using the ASN.1
1670 distinguished encoding rules (DER), as specified
1674 PKCS #10: Certification Request Syntax
1675 Specification Version 1.7.
1677 Information technology - ASN.1 encoding rules:
1678 Specification of Basic Encoding Rules (BER),
1679 Canonical Encoding Rules (CER) and Distinguished
1680 Encoding Rules (DER).";
1683 } // generate-certificate-signing-request
1684 } // asymmetric-key-pair-with-cert-grouping
1687 grouping asymmetric-key-pair-with-certs-grouping {
1689 "A private/public key pair and associated certificates.";
1690 uses asymmetric-key-pair-grouping;
1691 container certificates {
1692 nacm:default-deny-write;
1694 "Certificates associated with this asymmetric key.
1695 More than one certificate supports, for instance,
1696 a TPM-protected asymmetric key that has both IDevID
1697 and LDevID certificates associated.";
1701 "A certificate for this asymmetric key.";
1705 "An arbitrary name for the certificate. If the name
1706 matches the name of a certificate that exists
1707 independently in <operational> (i.e., an IDevID),
1708 then the 'cert' node MUST NOT be configured.";
1710 uses end-entity-cert-grouping;
1714 action generate-certificate-signing-request {
1715 nacm:default-deny-all;
1717 "Generates a certificate signing request structure for
1718 the associated asymmetric key using the passed subject
1719 and attribute values. The specified assertions need
1720 to be appropriate for the certificate's use. For
1721 example, an entity certificate for a TLS server
1722 SHOULD have values that enable clients to satisfy
1723 RFC 6125 processing.";
1729 "The 'subject' field per the CertificationRequestInfo
1730 structure as specified by RFC 2986, Section 4.1
1731 encoded using the ASN.1 distinguished encoding
1732 rules (DER), as specified in ITU-T X.690.";
1735 PKCS #10: Certification Request Syntax
1736 Specification Version 1.7.
1738 Information technology - ASN.1 encoding rules:
1739 Specification of Basic Encoding Rules (BER),
1740 Canonical Encoding Rules (CER) and Distinguished
1741 Encoding Rules (DER).";
1746 "The 'attributes' field from the structure
1747 CertificationRequestInfo as specified by RFC 2986,
1748 Section 4.1 encoded using the ASN.1 distinguished
1749 encoding rules (DER), as specified in ITU-T X.690.";
1752 PKCS #10: Certification Request Syntax
1753 Specification Version 1.7.
1755 Information technology - ASN.1 encoding rules:
1756 Specification of Basic Encoding Rules (BER),
1757 Canonical Encoding Rules (CER) and Distinguished
1758 Encoding Rules (DER).";
1762 leaf certificate-signing-request {
1766 "A CertificationRequest structure as specified by
1767 RFC 2986, Section 4.2 encoded using the ASN.1
1768 distinguished encoding rules (DER), as specified
1772 PKCS #10: Certification Request Syntax
1773 Specification Version 1.7.
1775 Information technology - ASN.1 encoding rules:
1776 Specification of Basic Encoding Rules (BER),
1777 Canonical Encoding Rules (CER) and Distinguished
1778 Encoding Rules (DER).";
1781 } // generate-certificate-signing-request
1782 } // asymmetric-key-pair-with-certs-grouping