1 module ietf-crypto-types {
\r
3 namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";
\r
6 import ietf-yang-types {
\r
9 "RFC 6991: Common YANG Data Types";
\r
12 import ietf-netconf-acm {
\r
15 "RFC 8341: Network Configuration Access Control Model";
\r
19 "IETF NETCONF (Network Configuration) Working Group";
\r
22 "WG Web: <http://datatracker.ietf.org/wg/netconf/>
\r
23 WG List: <mailto:netconf@ietf.org>
\r
24 Author: Kent Watsen <mailto:kent+ietf@watsen.net>
\r
25 Author: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>";
\r
28 "This module defines common YANG types for cryptographic
\r
31 Copyright (c) 2019 IETF Trust and the persons identified
\r
32 as authors of the code. All rights reserved.
\r
34 Redistribution and use in source and binary forms, with
\r
35 or without modification, is permitted pursuant to, and
\r
36 subject to the license terms contained in, the Simplified
\r
37 BSD License set forth in Section 4.c of the IETF Trust's
\r
38 Legal Provisions Relating to IETF Documents
\r
39 (https://trustee.ietf.org/license-info).
\r
41 This version of this YANG module is part of RFC XXXX
\r
42 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
\r
43 itself for full legal notices.
\r
45 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
\r
46 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
\r
47 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
\r
48 are to be interpreted as described in BCP 14 (RFC 2119)
\r
49 (RFC 8174) when, and only when, they appear in all
\r
50 capitals, as shown here.";
\r
52 revision 2019-04-29 {
\r
56 "RFC XXXX: Common YANG Data Types for Cryptography";
\r
59 /**************************************/
\r
60 /* Identities for Hash Algorithms */
\r
61 /**************************************/
\r
63 identity hash-algorithm {
\r
65 "A base identity for hash algorithms.";
\r
69 base hash-algorithm;
\r
71 "The SHA-224 algorithm.";
\r
73 "RFC 6234: US Secure Hash Algorithms.";
\r
76 base hash-algorithm;
\r
78 "The SHA-256 algorithm.";
\r
80 "RFC 6234: US Secure Hash Algorithms.";
\r
84 base hash-algorithm;
\r
86 "The SHA-384 algorithm.";
\r
88 "RFC 6234: US Secure Hash Algorithms.";
\r
92 base hash-algorithm;
\r
94 "The SHA-512 algorithm.";
\r
96 "RFC 6234: US Secure Hash Algorithms.";
\r
99 /***********************************************/
\r
100 /* Identities for Asymmetric Key Algorithms */
\r
101 /***********************************************/
\r
103 identity asymmetric-key-algorithm {
\r
105 "Base identity from which all asymmetric key
\r
106 algorithm identities are derived.";
\r
110 base asymmetric-key-algorithm;
\r
112 "The RSA algorithm using a 1024-bit key.";
\r
115 PKCS #1: RSA Cryptography Specifications Version 2.2.";
\r
119 base asymmetric-key-algorithm;
\r
121 "The RSA algorithm using a 2048-bit key.";
\r
124 PKCS #1: RSA Cryptography Specifications Version 2.2.";
\r
128 base asymmetric-key-algorithm;
\r
130 "The RSA algorithm using a 3072-bit key.";
\r
133 PKCS #1: RSA Cryptography Specifications Version 2.2.";
\r
137 base asymmetric-key-algorithm;
\r
139 "The RSA algorithm using a 4096-bit key.";
\r
142 PKCS #1: RSA Cryptography Specifications Version 2.2.";
\r
146 base asymmetric-key-algorithm;
\r
148 "The RSA algorithm using a 7680-bit key.";
\r
151 PKCS #1: RSA Cryptography Specifications Version 2.2.";
\r
154 identity rsa15360 {
\r
155 base asymmetric-key-algorithm;
\r
157 "The RSA algorithm using a 15360-bit key.";
\r
160 PKCS #1: RSA Cryptography Specifications Version 2.2.";
\r
163 identity secp192r1 {
\r
164 base asymmetric-key-algorithm;
\r
166 "The ECDSA algorithm using a NIST P192 Curve.";
\r
169 Fundamental Elliptic Curve Cryptography Algorithms.";
\r
171 identity secp224r1 {
\r
172 base asymmetric-key-algorithm;
\r
174 "The ECDSA algorithm using a NIST P224 Curve.";
\r
177 Fundamental Elliptic Curve Cryptography Algorithms.";
\r
180 identity secp256r1 {
\r
181 base asymmetric-key-algorithm;
\r
183 "The ECDSA algorithm using a NIST P256 Curve.";
\r
186 Fundamental Elliptic Curve Cryptography Algorithms.";
\r
189 identity secp384r1 {
\r
190 base asymmetric-key-algorithm;
\r
192 "The ECDSA algorithm using a NIST P384 Curve.";
\r
195 Fundamental Elliptic Curve Cryptography Algorithms.";
\r
198 identity secp521r1 {
\r
199 base asymmetric-key-algorithm;
\r
201 "The ECDSA algorithm using a NIST P521 Curve.";
\r
204 Fundamental Elliptic Curve Cryptography Algorithms.";
\r
207 /*************************************/
\r
208 /* Identities for MAC Algorithms */
\r
209 /*************************************/
\r
211 identity mac-algorithm {
\r
213 "A base identity for MAC generation algorithms.";
\r
216 identity hmac-sha1 {
\r
217 base mac-algorithm;
\r
219 "Generating MAC using SHA1 hash function";
\r
221 "RFC 3174: US Secure Hash Algorithm 1 (SHA1)";
\r
224 identity hmac-sha1-96 {
\r
225 base mac-algorithm;
\r
227 "Generating MAC using SHA1 hash function, truncated to 96 bits";
\r
229 "RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH";
\r
232 identity hmac-sha2-224 {
\r
233 base mac-algorithm;
\r
235 "Generating MAC using the SHA-224 hash function";
\r
238 US Secure Hash Algorithms (SHA and SHA-based HMAC and
\r
242 identity hmac-sha2-256 {
\r
243 base mac-algorithm;
\r
245 "Generating MAC using the SHA-256 hash function";
\r
248 US Secure Hash Algorithms (SHA and SHA-based HMAC and
\r
252 identity hmac-sha2-256-128 {
\r
253 base mac-algorithm;
\r
255 "Generating a 256-bit MAC using the SHA-256 hash function and
\r
256 truncating it to 128 bits";
\r
259 Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
\r
263 identity hmac-sha2-384 {
\r
264 base mac-algorithm;
\r
266 "Generating MAC using the SHA-384 hash function";
\r
269 US Secure Hash Algorithms (SHA and SHA-based HMAC and
\r
273 identity hmac-sha2-384-192 {
\r
274 base mac-algorithm;
\r
276 "Generating a 384-bit MAC using the SHA-384 hash function and
\r
277 truncating it to 192 bits";
\r
280 Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with
\r
284 identity hmac-sha2-512 {
\r
285 base mac-algorithm;
\r
287 "Generating MAC using the SHA-512 hash function";
\r
290 US Secure Hash Algorithms (SHA and SHA-based HMAC and
\r
294 identity hmac-sha2-512-256 {
\r
295 base mac-algorithm;
\r
297 "Generating a 512-bit MAC using the SHA-512 hash function and
\r
298 truncating it to 256 bits";
\r
301 Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with
\r
305 identity aes-128-gmac {
\r
306 base mac-algorithm;
\r
308 "Generating MAC using the Advanced Encryption Standard (AES)
\r
309 Galois Message Authentication Code (GMAC) as a mechanism to
\r
310 provide data origin authentication";
\r
313 The Use of Galois Message Authentication Code (GMAC) in
\r
317 identity aes-192-gmac {
\r
318 base mac-algorithm;
\r
320 "Generating MAC using the Advanced Encryption Standard (AES)
\r
321 Galois Message Authentication Code (GMAC) as a mechanism to
\r
322 provide data origin authentication";
\r
325 The Use of Galois Message Authentication Code (GMAC) in
\r
329 identity aes-256-gmac {
\r
330 base mac-algorithm;
\r
332 "Generating MAC using the Advanced Encryption Standard (AES)
\r
333 Galois Message Authentication Code (GMAC) as a mechanism to
\r
334 provide data origin authentication";
\r
337 The Use of Galois Message Authentication Code (GMAC) in
\r
341 identity aes-cmac-96 {
\r
342 base mac-algorithm;
\r
344 "Generating MAC using Advanced Encryption Standard (AES)
\r
345 Cipher-based Message Authentication Code (CMAC), truncated to 96 bits";
\r
347 "RFC 4494: The AES-CMAC-96 Algorithm and its Use with IPsec";
\r
350 identity aes-cmac-128 {
\r
351 base mac-algorithm;
\r
353 "Generating MAC using Advanced Encryption Standard (AES)
\r
354 Cipher-based Message Authentication Code (CMAC)";
\r
356 "RFC 4493: The AES-CMAC Algorithm";
\r
359 /********************************************/
\r
360 /* Identities for Encryption Algorithms */
\r
361 /********************************************/
\r
363 identity encryption-algorithm {
\r
365 "A base identity for encryption algorithm.";
\r
368 identity aes-128-cbc {
\r
369 base encryption-algorithm;
\r
371 "Encrypt message with AES algorithm in CBC mode with a key
\r
372 length of 128 bits";
\r
375 Use of the Advanced Encryption Standard (AES) Encryption
\r
376 Algorithm in Cryptographic Message Syntax (CMS)";
\r
379 identity aes-192-cbc {
\r
380 base encryption-algorithm;
\r
382 "Encrypt message with AES algorithm in CBC mode with a key
\r
383 length of 192 bits";
\r
386 Use of the Advanced Encryption Standard (AES) Encryption
\r
387 Algorithm in Cryptographic Message Syntax (CMS)";
\r
390 identity aes-256-cbc {
\r
391 base encryption-algorithm;
\r
393 "Encrypt message with AES algorithm in CBC mode with a key
\r
394 length of 256 bits";
\r
397 Use of the Advanced Encryption Standard (AES) Encryption
\r
398 Algorithm in Cryptographic Message Syntax (CMS)";
\r
401 identity aes-128-ctr {
\r
402 base encryption-algorithm;
\r
404 "Encrypt message with AES algorithm in CTR mode with a key
\r
405 length of 128 bits";
\r
408 Using Advanced Encryption Standard (AES) Counter Mode with
\r
409 IPsec Encapsulating Security Payload (ESP)";
\r
411 identity aes-192-ctr {
\r
412 base encryption-algorithm;
\r
414 "Encrypt message with AES algorithm in CTR mode with a key
\r
415 length of 192 bits";
\r
418 Using Advanced Encryption Standard (AES) Counter Mode with
\r
419 IPsec Encapsulating Security Payload (ESP)";
\r
422 identity aes-256-ctr {
\r
423 base encryption-algorithm;
\r
425 "Encrypt message with AES algorithm in CTR mode with a key
\r
426 length of 256 bits";
\r
429 Using Advanced Encryption Standard (AES) Counter Mode with
\r
430 IPsec Encapsulating Security Payload (ESP)";
\r
433 /****************************************************/
\r
434 /* Identities for Encryption and MAC Algorithms */
\r
435 /****************************************************/
\r
437 identity encryption-and-mac-algorithm {
\r
439 "A base identity for encryption and MAC algorithm.";
\r
442 identity aes-128-ccm {
\r
443 base encryption-and-mac-algorithm;
\r
445 "Encrypt message with AES algorithm in CCM mode with a key
\r
446 length of 128 bits; it can also be used for generating MAC";
\r
449 Using Advanced Encryption Standard (AES) CCM Mode with
\r
450 IPsec Encapsulating Security Payload (ESP)";
\r
453 identity aes-192-ccm {
\r
454 base encryption-and-mac-algorithm;
\r
456 "Encrypt message with AES algorithm in CCM mode with a key
\r
457 length of 192 bits; it can also be used for generating MAC";
\r
460 Using Advanced Encryption Standard (AES) CCM Mode with
\r
461 IPsec Encapsulating Security Payload (ESP)";
\r
464 identity aes-256-ccm {
\r
465 base encryption-and-mac-algorithm;
\r
467 "Encrypt message with AES algorithm in CCM mode with a key
\r
468 length of 256 bits; it can also be used for generating MAC";
\r
471 Using Advanced Encryption Standard (AES) CCM Mode with
\r
472 IPsec Encapsulating Security Payload (ESP)";
\r
475 identity aes-128-gcm {
\r
476 base encryption-and-mac-algorithm;
\r
478 "Encrypt message with AES algorithm in GCM mode with a key
\r
479 length of 128 bits; it can also be used for generating MAC";
\r
482 The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
\r
483 Security Payload (ESP)";
\r
486 identity aes-192-gcm {
\r
487 base encryption-and-mac-algorithm;
\r
489 "Encrypt message with AES algorithm in GCM mode with a key
\r
490 length of 192 bits; it can also be used for generating MAC";
\r
493 The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
\r
494 Security Payload (ESP)";
\r
497 identity mac-aes-256-gcm {
\r
498 base encryption-and-mac-algorithm;
\r
500 "Encrypt message with AES algorithm in GCM mode with a key
\r
501 length of 256 bits; it can also be used for generating MAC";
\r
504 The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
\r
505 Security Payload (ESP)";
\r
507 identity chacha20-poly1305 {
\r
508 base encryption-and-mac-algorithm;
\r
510 "Encrypt message with chacha20 algorithm and generate MAC with
\r
511 POLY1305; the MAC is produced as part of the same operation";
\r
513 "RFC 8439: ChaCha20 and Poly1305 for IETF Protocols";
\r
516 /******************************************/
\r
517 /* Identities for signature algorithm */
\r
518 /******************************************/
\r
520 identity signature-algorithm {
\r
522 "A base identity for signature algorithms.";
\r
525 identity dsa-sha1 {
\r
526 base signature-algorithm;
\r
528 "The signature algorithm using DSA algorithm with SHA1 hash
\r
531 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
\r
534 identity rsassa-pkcs1-sha1 {
\r
535 base signature-algorithm;
\r
537 "The signature algorithm using RSASSA-PKCS1-v1_5 with the SHA1
\r
540 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
\r
543 identity rsassa-pkcs1-sha256 {
\r
544 base signature-algorithm;
\r
546 "The signature algorithm using RSASSA-PKCS1-v1_5 with the
\r
547 SHA256 hash algorithm.";
\r
550 Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell
\r
553 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
555 identity rsassa-pkcs1-sha384 {
\r
556 base signature-algorithm;
\r
558 "The signature algorithm using RSASSA-PKCS1-v1_5 with the
\r
559 SHA384 hash algorithm.";
\r
562 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
565 identity rsassa-pkcs1-sha512 {
\r
566 base signature-algorithm;
\r
568 "The signature algorithm using RSASSA-PKCS1-v1_5 with the
\r
569 SHA512 hash algorithm.";
\r
572 Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell
\r
575 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
578 identity rsassa-pss-rsae-sha256 {
\r
579 base signature-algorithm;
\r
581 "The signature algorithm using RSASSA-PSS with mask generation
\r
582 function 1 and SHA256 hash algorithm. If the public key is
\r
583 carried in an X.509 certificate, it MUST use the rsaEncryption
\r
587 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
590 identity rsassa-pss-rsae-sha384 {
\r
591 base signature-algorithm;
\r
593 "The signature algorithm using RSASSA-PSS with mask generation
\r
594 function 1 and SHA384 hash algorithm. If the public key is
\r
595 carried in an X.509 certificate, it MUST use the rsaEncryption
\r
599 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
602 identity rsassa-pss-rsae-sha512 {
\r
603 base signature-algorithm;
\r
605 "The signature algorithm using RSASSA-PSS with mask generation
\r
606 function 1 and SHA512 hash algorithm. If the public key is
\r
607 carried in an X.509 certificate, it MUST use the rsaEncryption
\r
611 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
614 identity rsassa-pss-pss-sha256 {
\r
615 base signature-algorithm;
\r
617 "The signature algorithm using RSASSA-PSS with mask generation
\r
618 function 1 and SHA256 hash algorithm. If the public key is
\r
619 carried in an X.509 certificate, it MUST use the RSASSA-PSS
\r
623 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
626 identity rsassa-pss-pss-sha384 {
\r
627 base signature-algorithm;
\r
629 "The signature algorithm using RSASSA-PSS with mask generation
\r
630 function 1 and SHA384 hash algorithm. If the public key is
\r
631 carried in an X.509 certificate, it MUST use the RSASSA-PSS
\r
635 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
638 identity rsassa-pss-pss-sha512 {
\r
639 base signature-algorithm;
\r
641 "The signature algorithm using RSASSA-PSS with mask generation
\r
642 function 1 and SHA512 hash algorithm. If the public key is
\r
643 carried in an X.509 certificate, it MUST use the RSASSA-PSS
\r
647 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
650 identity ecdsa-secp256r1-sha256 {
\r
651 base signature-algorithm;
\r
653 "The signature algorithm using ECDSA with curve name secp256r1
\r
654 and SHA256 hash algorithm.";
\r
656 "RFC 5656: Elliptic Curve Algorithm Integration in the
\r
657 Secure Shell Transport Layer
\r
659 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
662 identity ecdsa-secp384r1-sha384 {
\r
663 base signature-algorithm;
\r
665 "The signature algorithm using ECDSA with curve name secp384r1
\r
666 and SHA384 hash algorithm.";
\r
668 "RFC 5656: Elliptic Curve Algorithm Integration in the
\r
669 Secure Shell Transport Layer
\r
671 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
674 identity ecdsa-secp521r1-sha512 {
\r
675 base signature-algorithm;
\r
677 "The signature algorithm using ECDSA with curve name secp521r1
\r
678 and SHA512 hash algorithm.";
\r
680 "RFC 5656: Elliptic Curve Algorithm Integration in the
\r
681 Secure Shell Transport Layer
\r
683 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
687 base signature-algorithm;
\r
689 "The signature algorithm using EdDSA as defined in RFC 8032 or
\r
692 "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)";
\r
696 base signature-algorithm;
\r
698 "The signature algorithm using EdDSA as defined in RFC 8032 or
\r
701 "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)";
\r
705 base signature-algorithm;
\r
707 "The signature algorithm using ECCSI signature as defined in
\r
711 Elliptic Curve-Based Certificateless Signatures for
\r
712 Identity-based Encryption (ECCSI)";
\r
715 /**********************************************/
\r
716 /* Identities for key exchange algorithms */
\r
717 /**********************************************/
\r
719 identity key-exchange-algorithm {
\r
721 "A base identity for key exchange
\r
725 identity psk-only {
\r
726 base key-exchange-algorithm;
\r
728 "Using a pre-shared key for authentication and key exchange";
\r
731 Pre-Shared Key cipher suites for Transport Layer Security
\r
735 identity dhe-ffdhe2048 {
\r
736 base key-exchange-algorithm;
\r
738 "Ephemeral Diffie Hellman key exchange with 2048 bit
\r
742 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
\r
743 for Transport Layer Security (TLS)";
\r
746 identity dhe-ffdhe3072 {
\r
747 base key-exchange-algorithm;
\r
749 "Ephemeral Diffie Hellman key exchange with 3072 bit finite
\r
753 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
\r
754 for Transport Layer Security (TLS)";
\r
757 identity dhe-ffdhe4096 {
\r
758 base key-exchange-algorithm;
\r
760 "Ephemeral Diffie Hellman key exchange with 4096 bit
\r
764 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
\r
765 for Transport Layer Security (TLS)";
\r
768 identity dhe-ffdhe6144 {
\r
769 base key-exchange-algorithm;
\r
771 "Ephemeral Diffie Hellman key exchange with 6144 bit
\r
775 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
\r
776 for Transport Layer Security (TLS)";
\r
779 identity dhe-ffdhe8192 {
\r
780 base key-exchange-algorithm;
\r
782 "Ephemeral Diffie Hellman key exchange with 8192 bit
\r
786 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
\r
787 for Transport Layer Security (TLS)";
\r
790 identity psk-dhe-ffdhe2048 {
\r
791 base key-exchange-algorithm;
\r
793 "Key exchange using pre-shared key with Diffie-Hellman key
\r
794 generation mechanism, where the DH group is FFDHE2048";
\r
797 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
800 identity psk-dhe-ffdhe3072 {
\r
801 base key-exchange-algorithm;
\r
803 "Key exchange using pre-shared key with Diffie-Hellman key
\r
804 generation mechanism, where the DH group is FFDHE3072";
\r
807 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
810 identity psk-dhe-ffdhe4096 {
\r
811 base key-exchange-algorithm;
\r
813 "Key exchange using pre-shared key with Diffie-Hellman key
\r
814 generation mechanism, where the DH group is FFDHE4096";
\r
817 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
820 identity psk-dhe-ffdhe6144 {
\r
821 base key-exchange-algorithm;
\r
823 "Key exchange using pre-shared key with Diffie-Hellman key
\r
824 generation mechanism, where the DH group is FFDHE6144";
\r
827 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
830 identity psk-dhe-ffdhe8192 {
\r
831 base key-exchange-algorithm;
\r
833 "Key exchange using pre-shared key with Diffie-Hellman key
\r
834 generation mechanism, where the DH group is FFDHE8192";
\r
837 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
840 identity ecdhe-secp256r1 {
\r
841 base key-exchange-algorithm;
\r
843 "Ephemeral Diffie Hellman key exchange with elliptic group
\r
844 over curve secp256r1";
\r
847 Elliptic Curve Cryptography (ECC) Cipher Suites for
\r
848 Transport Layer Security (TLS) Versions 1.2 and Earlier";
\r
851 identity ecdhe-secp384r1 {
\r
852 base key-exchange-algorithm;
\r
854 "Ephemeral Diffie Hellman key exchange with elliptic group
\r
855 over curve secp384r1";
\r
858 Elliptic Curve Cryptography (ECC) Cipher Suites for
\r
859 Transport Layer Security (TLS) Versions 1.2 and Earlier";
\r
862 identity ecdhe-secp521r1 {
\r
863 base key-exchange-algorithm;
\r
865 "Ephemeral Diffie Hellman key exchange with elliptic group
\r
866 over curve secp521r1";
\r
869 Elliptic Curve Cryptography (ECC) Cipher Suites for
\r
870 Transport Layer Security (TLS) Versions 1.2 and Earlier";
\r
873 identity ecdhe-x25519 {
\r
874 base key-exchange-algorithm;
\r
876 "Ephemeral Diffie Hellman key exchange with elliptic group
\r
877 over curve x25519";
\r
880 Elliptic Curve Cryptography (ECC) Cipher Suites for
\r
881 Transport Layer Security (TLS) Versions 1.2 and Earlier";
\r
884 identity ecdhe-x448 {
\r
885 base key-exchange-algorithm;
\r
887 "Ephemeral Diffie Hellman key exchange with elliptic group
\r
891 Elliptic Curve Cryptography (ECC) Cipher Suites for
\r
892 Transport Layer Security (TLS) Versions 1.2 and Earlier";
\r
895 identity psk-ecdhe-secp256r1 {
\r
896 base key-exchange-algorithm;
\r
898 "Key exchange using pre-shared key with elliptic group-based
\r
899 Ephemeral Diffie Hellman key exchange over curve secp256r1";
\r
902 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
905 identity psk-ecdhe-secp384r1 {
\r
906 base key-exchange-algorithm;
\r
908 "Key exchange using pre-shared key with elliptic group-based
\r
909 Ephemeral Diffie Hellman key exchange over curve secp384r1";
\r
912 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
915 identity psk-ecdhe-secp521r1 {
\r
916 base key-exchange-algorithm;
\r
918 "Key exchange using pre-shared key with elliptic group-based
\r
919 Ephemeral Diffie Hellman key exchange over curve secp521r1";
\r
922 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
925 identity psk-ecdhe-x25519 {
\r
926 base key-exchange-algorithm;
\r
928 "Key exchange using pre-shared key with elliptic group-based
\r
929 Ephemeral Diffie Hellman key exchange over curve x25519";
\r
932 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
935 identity psk-ecdhe-x448 {
\r
936 base key-exchange-algorithm;
\r
938 "Key exchange using pre-shared key with elliptic group-based
\r
939 Ephemeral Diffie Hellman key exchange over curve x448";
\r
942 The Transport Layer Security (TLS) Protocol Version 1.3";
\r
945 identity diffie-hellman-group14-sha1 {
\r
946 base key-exchange-algorithm;
\r
948 "Using DH group14 and SHA1 for key exchange";
\r
950 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
\r
953 identity diffie-hellman-group14-sha256 {
\r
954 base key-exchange-algorithm;
\r
956 "Using DH group14 and SHA256 for key exchange";
\r
959 More Modular Exponentiation (MODP) Diffie-Hellman (DH)
\r
960 Key Exchange (KEX) Groups for Secure Shell (SSH)";
\r
963 identity diffie-hellman-group15-sha512 {
\r
964 base key-exchange-algorithm;
\r
966 "Using DH group15 and SHA512 for key exchange";
\r
969 More Modular Exponentiation (MODP) Diffie-Hellman (DH)
\r
970 Key Exchange (KEX) Groups for Secure Shell (SSH)";
\r
973 identity diffie-hellman-group16-sha512 {
\r
974 base key-exchange-algorithm;
\r
976 "Using DH group16 and SHA512 for key exchange";
\r
979 More Modular Exponentiation (MODP) Diffie-Hellman (DH)
\r
980 Key Exchange (KEX) Groups for Secure Shell (SSH)";
\r
983 identity diffie-hellman-group17-sha512 {
\r
984 base key-exchange-algorithm;
\r
986 "Using DH group17 and SHA512 for key exchange";
\r
990 More Modular Exponentiation (MODP) Diffie-Hellman (DH)
\r
991 Key Exchange (KEX) Groups for Secure Shell (SSH)";
\r
994 identity diffie-hellman-group18-sha512 {
\r
995 base key-exchange-algorithm;
\r
997 "Using DH group18 and SHA512 for key exchange";
\r
1000 More Modular Exponentiation (MODP) Diffie-Hellman (DH)
\r
1001 Key Exchange (KEX) Groups for Secure Shell (SSH)";
\r
1004 identity ecdh-sha2-secp256r1 {
\r
1005 base key-exchange-algorithm;
\r
1007 "Elliptic curve-based Diffie Hellman key exchange over curve
\r
1008 secp256r1 and using SHA2 as the key exchange hash";
\r
1010 "RFC 6239: Suite B Cryptographic Suites for Secure Shell
\r
1014 identity ecdh-sha2-secp384r1 {
\r
1015 base key-exchange-algorithm;
\r
1017 "Elliptic curve-based Diffie Hellman key exchange over curve
\r
1018 secp384r1 and using SHA2 as the key exchange hash";
\r
1020 "RFC 6239: Suite B Cryptographic Suites for Secure Shell
\r
1024 identity rsaes-oaep {
\r
1025 base key-exchange-algorithm;
\r
1027 "RSAES-OAEP combines the RSAEP and RSADP primitives with the
\r
1028 EME-OAEP encoding method";
\r
1031 PKCS #1: RSA Cryptography Specifications Version 2.2.";
\r
1034 identity rsaes-pkcs1-v1_5 {
\r
1035 base key-exchange-algorithm;
\r
1037 "RSAES-PKCS1-v1_5 combines the RSAEP and RSADP primitives
\r
1038 with the EME-PKCS1-v1_5 encoding method";
\r
1041 PKCS #1: RSA Cryptography Specifications Version 2.2.";
\r
1044 /**********************************************************/
\r
1045 /* Typedefs for identityrefs to above base identities */
\r
1046 /**********************************************************/
\r
1048 typedef hash-algorithm-ref {
\r
1049 type identityref {
\r
1050 base hash-algorithm;
\r
1053 "This typedef enables importing modules to easily define an
\r
1054 identityref to the 'hash-algorithm' base identity.";
\r
1057 typedef signature-algorithm-ref {
\r
1058 type identityref {
\r
1059 base signature-algorithm;
\r
1062 "This typedef enables importing modules to easily define an
\r
1063 identityref to the 'signature-algorithm' base identity.";
\r
1066 typedef mac-algorithm-ref {
\r
1067 type identityref {
\r
1068 base mac-algorithm;
\r
1071 "This typedef enables importing modules to easily define an
\r
1072 identityref to the 'mac-algorithm' base identity.";
\r
1075 typedef encryption-algorithm-ref {
\r
1076 type identityref {
\r
1077 base encryption-algorithm;
\r
1080 "This typedef enables importing modules to easily define an
\r
1081 identityref to the 'encryption-algorithm'
\r
1085 typedef encryption-and-mac-algorithm-ref {
\r
1086 type identityref {
\r
1087 base encryption-and-mac-algorithm;
\r
1090 "This typedef enables importing modules to easily define an
\r
1091 identityref to the 'encryption-and-mac-algorithm'
\r
1095 typedef asymmetric-key-algorithm-ref {
\r
1096 type identityref {
\r
1097 base asymmetric-key-algorithm;
\r
1100 "This typedef enables importing modules to easily define an
\r
1101 identityref to the 'asymmetric-key-algorithm'
\r
1105 typedef key-exchange-algorithm-ref {
\r
1106 type identityref {
\r
1107 base key-exchange-algorithm;
\r
1110 "This typedef enables importing modules to easily define an
\r
1111 identityref to the 'key-exchange-algorithm' base identity.";
\r
1114 /***************************************************/
\r
1115 /* Typedefs for ASN.1 structures from RFC 5280 */
\r
1116 /***************************************************/
\r
1121 "A Certificate structure, as specified in RFC 5280,
\r
1122 encoded using ASN.1 distinguished encoding rules (DER),
\r
1123 as specified in ITU-T X.690.";
\r
1126 Internet X.509 Public Key Infrastructure Certificate
\r
1127 and Certificate Revocation List (CRL) Profile
\r
1129 Information technology - ASN.1 encoding rules:
\r
1130 Specification of Basic Encoding Rules (BER),
\r
1131 Canonical Encoding Rules (CER) and Distinguished
\r
1132 Encoding Rules (DER).";
\r
1138 "A CertificateList structure, as specified in RFC 5280,
\r
1139 encoded using ASN.1 distinguished encoding rules (DER),
\r
1140 as specified in ITU-T X.690.";
\r
1143 Internet X.509 Public Key Infrastructure Certificate
\r
1144 and Certificate Revocation List (CRL) Profile
\r
1146 Information technology - ASN.1 encoding rules:
\r
1147 Specification of Basic Encoding Rules (BER),
\r
1148 Canonical Encoding Rules (CER) and Distinguished
\r
1149 Encoding Rules (DER).";
\r
1152 /***********************************************/
\r
1153 /* Typedefs for ASN.1 structures from 5652 */
\r
1154 /***********************************************/
\r
1159 "A ContentInfo structure, as specified in RFC 5652,
\r
1160 encoded using ASN.1 distinguished encoding rules (DER),
\r
1161 as specified in ITU-T X.690.";
\r
1164 Cryptographic Message Syntax (CMS)
\r
1166 Information technology - ASN.1 encoding rules:
\r
1167 Specification of Basic Encoding Rules (BER),
\r
1168 Canonical Encoding Rules (CER) and Distinguished
\r
1169 Encoding Rules (DER).";
\r
1172 typedef data-content-cms {
\r
1175 "A CMS structure whose top-most content type MUST be the
\r
1176 data content type, as described by Section 4 in RFC 5652.";
\r
1178 "RFC 5652: Cryptographic Message Syntax (CMS)";
\r
1181 typedef signed-data-cms {
\r
1184 "A CMS structure whose top-most content type MUST be the
\r
1185 signed-data content type, as described by Section 5 in
\r
1188 "RFC 5652: Cryptographic Message Syntax (CMS)";
\r
1191 typedef enveloped-data-cms {
\r
1194 "A CMS structure whose top-most content type MUST be the
\r
1195 enveloped-data content type, as described by Section 6
\r
1198 "RFC 5652: Cryptographic Message Syntax (CMS)";
\r
1201 typedef digested-data-cms {
\r
1204 "A CMS structure whose top-most content type MUST be the
\r
1205 digested-data content type, as described by Section 7
\r
1208 "RFC 5652: Cryptographic Message Syntax (CMS)";
\r
1211 typedef encrypted-data-cms {
\r
1214 "A CMS structure whose top-most content type MUST be the
\r
1215 encrypted-data content type, as described by Section 8
\r
1218 "RFC 5652: Cryptographic Message Syntax (CMS)";
\r
1221 typedef authenticated-data-cms {
\r
1224 "A CMS structure whose top-most content type MUST be the
\r
1225 authenticated-data content type, as described by Section 9
\r
1228 "RFC 5652: Cryptographic Message Syntax (CMS)";
\r
1231 /***************************************************/
\r
1232 /* Typedefs for structures related to RFC 4253 */
\r
1233 /***************************************************/
\r
1235 typedef ssh-host-key {
\r
1238 "The binary public key data for this SSH key, as
\r
1239 specified by RFC 4253, Section 6.6, i.e.:
\r
1241 string certificate or public key format
\r
1243 byte[n] key/certificate data.";
\r
1245 "RFC 4253: The Secure Shell (SSH) Transport Layer
\r
1249 /*********************************************************/
\r
1250 /* Typedefs for ASN.1 structures related to RFC 5280 */
\r
1251 /*********************************************************/
\r
1253 typedef trust-anchor-cert-x509 {
\r
1256 "A Certificate structure that MUST encode a self-signed
\r
1257 root certificate.";
\r
1260 typedef end-entity-cert-x509 {
\r
1263 "A Certificate structure that MUST encode a certificate
\r
1264 that is neither self-signed nor having Basic constraint
\r
1268 /*********************************************************/
\r
1269 /* Typedefs for ASN.1 structures related to RFC 5652 */
\r
1270 /*********************************************************/
\r
1272 typedef trust-anchor-cert-cms {
\r
1273 type signed-data-cms;
\r
1275 "A CMS SignedData structure that MUST contain the chain of
\r
1276 X.509 certificates needed to authenticate the certificate
\r
1277 presented by a client or end-entity.
\r
1279 The CMS MUST contain only a single chain of certificates.
\r
1280 The client or end-entity certificate MUST only authenticate
\r
1281 to the last intermediate CA certificate listed in the chain.
\r
1283 In all cases, the chain MUST include a self-signed root
\r
1284 certificate. In the case where the root certificate is
\r
1285 itself the issuer of the client or end-entity certificate,
\r
1286 only one certificate is present.
\r
1288 This CMS structure MAY (as applicable where this type is
\r
1289 used) also contain suitably fresh (as defined by local
\r
1290 policy) revocation objects with which the device can
\r
1291 verify the revocation status of the certificates.
\r
1293 This CMS encodes the degenerate form of the SignedData
\r
1294 structure that is commonly used to disseminate X.509
\r
1295 certificates and revocation objects (RFC 5280).";
\r
1298 Internet X.509 Public Key Infrastructure Certificate
\r
1299 and Certificate Revocation List (CRL) Profile.";
\r
1302 typedef end-entity-cert-cms {
\r
1303 type signed-data-cms;
\r
1305 "A CMS SignedData structure that MUST contain the end
\r
1306 entity certificate itself, and MAY contain any number
\r
1307 of intermediate certificates leading up to a trust
\r
1308 anchor certificate. The trust anchor certificate
\r
1309 MAY be included as well.
\r
1311 The CMS MUST contain a single end entity certificate.
\r
1312 The CMS MUST NOT contain any spurious certificates.
\r
1314 This CMS structure MAY (as applicable where this type is
\r
1315 used) also contain suitably fresh (as defined by local
\r
1316 policy) revocation objects with which the device can
\r
1317 verify the revocation status of the certificates.
\r
1319 This CMS encodes the degenerate form of the SignedData
\r
1320 structure that is commonly used to disseminate X.509
\r
1321 certificates and revocation objects (RFC 5280).";
\r
1324 Internet X.509 Public Key Infrastructure Certificate
\r
1325 and Certificate Revocation List (CRL) Profile.";
\r
1328 /**********************************************/
\r
1329 /* Groupings for keys and/or certificates */
\r
1330 /**********************************************/
\r
1332 grouping public-key-grouping {
\r
1336 The 'algorithm' and 'public-key' nodes are not
\r
1337 mandatory because they MAY be defined in <operational>.
\r
1338 Implementations SHOULD assert that these values are
\r
1339 either configured or that they exist in <operational>.";
\r
1341 nacm:default-deny-write;
\r
1342 type asymmetric-key-algorithm-ref;
\r
1343 must '../public-key';
\r
1345 "Identifies the key's algorithm. More specifically,
\r
1346 this leaf specifies how the 'public-key' binary leaf
\r
1349 "RFC CCCC: Common YANG Data Types for Cryptography";
\r
1352 nacm:default-deny-write;
\r
1354 must '../algorithm';
\r
1356 "A binary that contains the value of the public key. The
\r
1357 interpretation of the content is defined by the key
\r
1358 algorithm. For example, a DSA key is an integer, an RSA
\r
1359 key is represented as RSAPublicKey as defined in
\r
1360 RFC 8017, and an Elliptic Curve Cryptography (ECC) key
\r
1361 is represented using the 'publicKey' described in
\r
1364 "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
\r
1365 RSA Cryptography Specifications Version 2.2.
\r
1366 RFC 5915: Elliptic Curve Private Key Structure.";
\r
1370 grouping asymmetric-key-pair-grouping {
\r
1372 "A private/public key pair.
\r
1373 The 'algorithm', 'public-key', and 'private-key' nodes are
\r
1374 not mandatory because they MAY be defined in <operational>.
\r
1375 Implementations SHOULD assert that these values are either
\r
1376 configured or that they exist in <operational>.";
\r
1377 uses public-key-grouping;
\r
1378 leaf private-key {
\r
1379 nacm:default-deny-all;
\r
1382 type enumeration {
\r
1383 enum permanently-hidden {
\r
1385 "The private key is inaccessible due to being
\r
1386 protected by the system (e.g., a cryptographic
\r
1389 How such keys are backed up and restored, if
\r
1390 at all, is implementation specific.
\r
1392 Servers MUST fail any attempt by a client to
\r
1393 configure this value directly. This value is
\r
1394 not set by clients, but rather is set by the
\r
1395 'generate-hidden-key' and 'install-hidden-key'
\r
1400 must '../public-key';
\r
1402 "A binary that contains the value of the private key. The
\r
1403 interpretation of the content is defined by the key
\r
1404 algorithm. For example, a DSA key is an integer, an RSA
\r
1405 key is represented as RSAPrivateKey as defined in
\r
1406 RFC 8017, and an Elliptic Curve Cryptography (ECC) key
\r
1407 is represented as ECPrivateKey as defined in RFC 5915.";
\r
1409 "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
\r
1410 RSA Cryptography Specifications Version 2.2.
\r
1411 RFC 5915: Elliptic Curve Private Key Structure.";
\r
1414 action generate-hidden-key {
\r
1415 nacm:default-deny-all;
\r
1417 "Requests the device to generate a hidden key using the
\r
1418 specified asymmetric key algorithm. This action is
\r
1419 used to request the system to generate a key that is
\r
1420 'permanently-hidden', perhaps protected by a cryptographic
\r
1421 hardware module. The resulting asymmetric key values are
\r
1422 considered operational state and hence present only in
\r
1423 <operational> and bound to the lifetime of the parent
\r
1424 'config true' node. Subsequent invocations of this or
\r
1425 the 'install-hidden-key' action are denied with error-tag
\r
1429 type asymmetric-key-algorithm-ref;
\r
1432 "The algorithm to be used when generating the
\r
1435 "RFC CCCC: Common YANG Data Types for Cryptography";
\r
1438 } // generate-hidden-key
\r
1440 action install-hidden-key {
\r
1441 nacm:default-deny-all;
\r
1443 "Requests the device to load the specified values into
\r
1444 a hidden key. The resulting asymmetric key values are
\r
1445 considered operational state and hence present only in
\r
1446 <operational> and bound to the lifetime of the parent
\r
1447 'config true' node. Subsequent invocations of this
\r
1448 or the 'generate-hidden-key' action are denied with
\r
1449 error-tag 'data-exists'.";
\r
1452 type asymmetric-key-algorithm-ref;
\r
1455 "The algorithm of the installed
\r
1458 "RFC CCCC: Common YANG Data Types for Cryptography";
\r
1463 "A binary that contains the value of the public key.
\r
1464 The interpretation of the content is defined by the key
\r
1465 algorithm. For example, a DSA key is an integer, an
\r
1466 RSA key is represented as RSAPublicKey as defined in
\r
1467 RFC 8017, and an Elliptic Curve Cryptography (ECC) key
\r
1468 is represented using the 'publicKey' described in
\r
1471 "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
\r
1472 RSA Cryptography Specifications Version 2.2.
\r
1473 RFC 5915: Elliptic Curve Private Key Structure.";
\r
1475 leaf private-key {
\r
1478 "A binary that contains the value of the private key.
\r
1479 The interpretation of the content is defined by the key
\r
1480 algorithm. For example, a DSA key is an integer, an RSA
\r
1481 key is represented as RSAPrivateKey as defined in
\r
1482 RFC 8017, and an Elliptic Curve Cryptography (ECC) key
\r
1483 is represented as ECPrivateKey as defined in RFC 5915.";
\r
1485 "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
\r
1486 RSA Cryptography Specifications Version 2.2.
\r
1487 RFC 5915: Elliptic Curve Private Key Structure.";
\r
1490 } // install-hidden-key
\r
1491 } // asymmetric-key-pair-grouping
\r
1494 grouping trust-anchor-cert-grouping {
\r
1496 "A trust anchor certificate, and a notification for when
\r
1497 it is about to expire (or has already expired).";
\r
1499 nacm:default-deny-write;
\r
1500 type trust-anchor-cert-cms;
\r
1502 "The binary certificate data for this certificate.";
\r
1504 "RFC YYYY: Common YANG Data Types for Cryptography";
\r
1506 notification certificate-expiration {
\r
1508 "A notification indicating that the configured certificate
\r
1509 is either about to expire or has already expired. When to
\r
1510 send notifications is an implementation specific decision,
\r
1511 but it is RECOMMENDED that a notification be sent once a
\r
1512 month for three months, then once a week for four weeks, and
\r
1513 then once a day thereafter until the issue is resolved.";
\r
1514 leaf expiration-date {
\r
1515 type yang:date-and-time;
\r
1518 "Identifies the expiration date on the certificate.";
\r
1523 grouping trust-anchor-certs-grouping {
\r
1525 "A list of trust anchor certificates, and a notification
\r
1526 for when one is about to expire (or has already expired).";
\r
1528 nacm:default-deny-write;
\r
1529 type trust-anchor-cert-cms;
\r
1531 "The binary certificate data for this certificate.";
\r
1533 "RFC YYYY: Common YANG Data Types for Cryptography";
\r
1535 notification certificate-expiration {
\r
1537 "A notification indicating that the configured certificate
\r
1538 is either about to expire or has already expired. When to
\r
1539 send notifications is an implementation specific decision,
\r
1540 but it is RECOMMENDED that a notification be sent once a
\r
1541 month for three months, then once a week for four weeks, and
\r
1542 then once a day thereafter until the issue is resolved.";
\r
1543 leaf expiration-date {
\r
1544 type yang:date-and-time;
\r
1547 "Identifies the expiration date on the certificate.";
\r
1552 grouping end-entity-cert-grouping {
\r
1554 "An end entity certificate, and a notification for when
\r
1555 it is about to expire (or has already expired).";
\r
1557 nacm:default-deny-write;
\r
1558 type end-entity-cert-cms;
\r
1560 "The binary certificate data for this certificate.";
\r
1562 "RFC YYYY: Common YANG Data Types for Cryptography";
\r
1564 notification certificate-expiration {
\r
1566 "A notification indicating that the configured certificate
\r
1567 is either about to expire or has already expired. When to
\r
1568 send notifications is an implementation specific decision,
\r
1569 but it is RECOMMENDED that a notification be sent once a
\r
1570 month for three months, then once a week for four weeks, and
\r
1571 then once a day thereafter until the issue is resolved.";
\r
1572 leaf expiration-date {
\r
1573 type yang:date-and-time;
\r
1576 "Identifies the expiration date on the certificate.";
\r
1581 grouping end-entity-certs-grouping {
\r
1583 "A list of end entity certificates, and a notification for
\r
1584 when one is about to expire (or has already expired).";
\r
1586 nacm:default-deny-write;
\r
1587 type end-entity-cert-cms;
\r
1589 "The binary certificate data for this certificate.";
\r
1591 "RFC YYYY: Common YANG Data Types for Cryptography";
\r
1593 notification certificate-expiration {
\r
1595 "A notification indicating that the configured certificate
\r
1596 is either about to expire or has already expired. When to
\r
1597 send notifications is an implementation specific decision,
\r
1598 but it is RECOMMENDED that a notification be sent once a
\r
1599 month for three months, then once a week for four weeks, and
\r
1600 then once a day thereafter until the issue is resolved.";
\r
1601 leaf expiration-date {
\r
1602 type yang:date-and-time;
\r
1605 "Identifies the expiration date on the certificate.";
\r
1610 grouping asymmetric-key-pair-with-cert-grouping {
\r
1612 "A private/public key pair and an associated certificate.";
\r
1613 uses asymmetric-key-pair-grouping;
\r
1614 uses end-entity-cert-grouping;
\r
1616 action generate-certificate-signing-request {
\r
1617 nacm:default-deny-all;
\r
1619 "Generates a certificate signing request structure for
\r
1620 the associated asymmetric key using the passed subject
\r
1621 and attribute values. The specified assertions need
\r
1622 to be appropriate for the certificate's use. For
\r
1623 example, an entity certificate for a TLS server
\r
1624 SHOULD have values that enable clients to satisfy
\r
1625 RFC 6125 processing.";
\r
1631 "The 'subject' field per the CertificationRequestInfo
\r
1632 structure as specified by RFC 2986, Section 4.1
\r
1633 encoded using the ASN.1 distinguished encoding
\r
1634 rules (DER), as specified in ITU-T X.690.";
\r
1637 PKCS #10: Certification Request Syntax
\r
1638 Specification Version 1.7.
\r
1640 Information technology - ASN.1 encoding rules:
\r
1641 Specification of Basic Encoding Rules (BER),
\r
1642 Canonical Encoding Rules (CER) and Distinguished
\r
1643 Encoding Rules (DER).";
\r
1648 "The 'attributes' field from the structure
\r
1649 CertificationRequestInfo as specified by RFC 2986,
\r
1650 Section 4.1 encoded using the ASN.1 distinguished
\r
1651 encoding rules (DER), as specified in ITU-T X.690.";
\r
1654 PKCS #10: Certification Request Syntax
\r
1655 Specification Version 1.7.
\r
1657 Information technology - ASN.1 encoding rules:
\r
1658 Specification of Basic Encoding Rules (BER),
\r
1659 Canonical Encoding Rules (CER) and Distinguished
\r
1660 Encoding Rules (DER).";
\r
1664 leaf certificate-signing-request {
\r
1668 "A CertificationRequest structure as specified by
\r
1669 RFC 2986, Section 4.2 encoded using the ASN.1
\r
1670 distinguished encoding rules (DER), as specified
\r
1674 PKCS #10: Certification Request Syntax
\r
1675 Specification Version 1.7.
\r
1677 Information technology - ASN.1 encoding rules:
\r
1678 Specification of Basic Encoding Rules (BER),
\r
1679 Canonical Encoding Rules (CER) and Distinguished
\r
1680 Encoding Rules (DER).";
\r
1683 } // generate-certificate-signing-request
\r
1684 } // asymmetric-key-pair-with-cert-grouping
\r
1687 grouping asymmetric-key-pair-with-certs-grouping {
\r
1689 "A private/public key pair and associated certificates.";
\r
1690 uses asymmetric-key-pair-grouping;
\r
1691 container certificates {
\r
1692 nacm:default-deny-write;
\r
1694 "Certificates associated with this asymmetric key.
\r
1695 Allowing more than one certificate supports, for instance,
\r
1696 a TPM-protected asymmetric key that has both IDevID
\r
1697 and LDevID certificates associated.";
\r
1698 list certificate {
\r
1701 "A certificate for this asymmetric key.";
\r
1705 "An arbitrary name for the certificate. If the name
\r
1706 matches the name of a certificate that exists
\r
1707 independently in <operational> (i.e., an IDevID),
\r
1708 then the 'cert' node MUST NOT be configured.";
\r
1710 uses end-entity-cert-grouping;
\r
1714 action generate-certificate-signing-request {
\r
1715 nacm:default-deny-all;
\r
1717 "Generates a certificate signing request structure for
\r
1718 the associated asymmetric key using the passed subject
\r
1719 and attribute values. The specified assertions need
\r
1720 to be appropriate for the certificate's use. For
\r
1721 example, an entity certificate for a TLS server
\r
1722 SHOULD have values that enable clients to satisfy
\r
1723 RFC 6125 processing.";
\r
1729 "The 'subject' field per the CertificationRequestInfo
\r
1730 structure as specified by RFC 2986, Section 4.1
\r
1731 encoded using the ASN.1 distinguished encoding
\r
1732 rules (DER), as specified in ITU-T X.690.";
\r
1735 PKCS #10: Certification Request Syntax
\r
1736 Specification Version 1.7.
\r
1738 Information technology - ASN.1 encoding rules:
\r
1739 Specification of Basic Encoding Rules (BER),
\r
1740 Canonical Encoding Rules (CER) and Distinguished
\r
1741 Encoding Rules (DER).";
\r
1746 "The 'attributes' field from the structure
\r
1747 CertificationRequestInfo as specified by RFC 2986,
\r
1748 Section 4.1 encoded using the ASN.1 distinguished
\r
1749 encoding rules (DER), as specified in ITU-T X.690.";
\r
1752 PKCS #10: Certification Request Syntax
\r
1753 Specification Version 1.7.
\r
1755 Information technology - ASN.1 encoding rules:
\r
1756 Specification of Basic Encoding Rules (BER),
\r
1757 Canonical Encoding Rules (CER) and Distinguished
\r
1758 Encoding Rules (DER).";
\r
1762 leaf certificate-signing-request {
\r
1766 "A CertificationRequest structure as specified by
\r
1767 RFC 2986, Section 4.2 encoded using the ASN.1
\r
1768 distinguished encoding rules (DER), as specified
\r
1772 PKCS #10: Certification Request Syntax
\r
1773 Specification Version 1.7.
\r
1775 Information technology - ASN.1 encoding rules:
\r
1776 Specification of Basic Encoding Rules (BER),
\r
1777 Canonical Encoding Rules (CER) and Distinguished
\r
1778 Encoding Rules (DER).";
\r
1781 } // generate-certificate-signing-request
\r
1782 } // asymmetric-key-pair-with-certs-grouping
\r