+++ /dev/null
-module ietf-crypto-types {\r
- yang-version 1.1;\r
- namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";\r
- prefix ct;\r
-\r
- import ietf-yang-types {\r
- prefix yang;\r
- reference\r
- "RFC 6991: Common YANG Data Types";\r
- }\r
-\r
- import ietf-netconf-acm {\r
- prefix nacm;\r
- reference\r
- "RFC 8341: Network Configuration Access Control Model";\r
- }\r
-\r
- organization\r
- "IETF NETCONF (Network Configuration) Working Group";\r
-\r
- contact\r
- "WG Web: <http://datatracker.ietf.org/wg/netconf/>\r
- WG List: <mailto:netconf@ietf.org>\r
- Author: Kent Watsen <mailto:kent+ietf@watsen.net>\r
- Author: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>";\r
-\r
- description\r
- "This module defines common YANG types for cryptographic\r
- applications.\r
-\r
- Copyright (c) 2019 IETF Trust and the persons identified\r
- as authors of the code. All rights reserved.\r
-\r
- Redistribution and use in source and binary forms, with\r
- or without modification, is permitted pursuant to, and\r
- subject to the license terms contained in, the Simplified\r
- BSD License set forth in Section 4.c of the IETF Trust's\r
- Legal Provisions Relating to IETF Documents\r
- (https://trustee.ietf.org/license-info).\r
-\r
- This version of this YANG module is part of RFC XXXX\r
- (https://www.rfc-editor.org/info/rfcXXXX); see the RFC\r
- itself for full legal notices.;\r
-\r
- The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',\r
- 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',\r
- 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document\r
- are to be interpreted as described in BCP 14 (RFC 2119)\r
- (RFC 8174) when, and only when, they appear in all\r
- capitals, as shown here.";\r
-\r
- revision 2019-04-29 {\r
- description\r
- "Initial version";\r
- reference\r
- "RFC XXXX: Common YANG Data Types for Cryptography";\r
- }\r
-\r
- /**************************************/\r
- /* Identities for Hash Algorithms */\r
- /**************************************/\r
-\r
- identity hash-algorithm {\r
- description\r
- "A base identity for hash algorithm verification.";\r
- }\r
-\r
- identity sha-224 {\r
- base hash-algorithm;\r
- description\r
- "The SHA-224 algorithm.";\r
- reference\r
- "RFC 6234: US Secure Hash Algorithms.";\r
- }\r
- identity sha-256 {\r
- base hash-algorithm;\r
- description\r
- "The SHA-256 algorithm.";\r
- reference\r
- "RFC 6234: US Secure Hash Algorithms.";\r
- }\r
-\r
- identity sha-384 {\r
- base hash-algorithm;\r
- description\r
- "The SHA-384 algorithm.";\r
- reference\r
- "RFC 6234: US Secure Hash Algorithms.";\r
- }\r
-\r
- identity sha-512 {\r
- base hash-algorithm;\r
- description\r
- "The SHA-512 algorithm.";\r
- reference\r
- "RFC 6234: US Secure Hash Algorithms.";\r
- }\r
-\r
- /***********************************************/\r
- /* Identities for Asymmetric Key Algorithms */\r
- /***********************************************/\r
-\r
- identity asymmetric-key-algorithm {\r
- description\r
- "Base identity from which all asymmetric key\r
- encryption Algorithm.";\r
- }\r
-\r
- identity rsa1024 {\r
- base asymmetric-key-algorithm;\r
- description\r
- "The RSA algorithm using a 1024-bit key.";\r
- reference\r
- "RFC 8017:\r
- PKCS #1: RSA Cryptography Specifications Version 2.2.";\r
- }\r
-\r
- identity rsa2048 {\r
- base asymmetric-key-algorithm;\r
- description\r
- "The RSA algorithm using a 2048-bit key.";\r
- reference\r
- "RFC 8017:\r
- PKCS #1: RSA Cryptography Specifications Version 2.2.";\r
- }\r
-\r
- identity rsa3072 {\r
- base asymmetric-key-algorithm;\r
- description\r
- "The RSA algorithm using a 3072-bit key.";\r
- reference\r
- "RFC 8017:\r
- PKCS #1: RSA Cryptography Specifications Version 2.2.";\r
- }\r
-\r
- identity rsa4096 {\r
- base asymmetric-key-algorithm;\r
- description\r
- "The RSA algorithm using a 4096-bit key.";\r
- reference\r
- "RFC 8017:\r
- PKCS #1: RSA Cryptography Specifications Version 2.2.";\r
- }\r
-\r
- identity rsa7680 {\r
- base asymmetric-key-algorithm;\r
- description\r
- "The RSA algorithm using a 7680-bit key.";\r
- reference\r
- "RFC 8017:\r
- PKCS #1: RSA Cryptography Specifications Version 2.2.";\r
- }\r
-\r
- identity rsa15360 {\r
- base asymmetric-key-algorithm;\r
- description\r
- "The RSA algorithm using a 15360-bit key.";\r
- reference\r
- "RFC 8017:\r
- PKCS #1: RSA Cryptography Specifications Version 2.2.";\r
- }\r
-\r
- identity secp192r1 {\r
- base asymmetric-key-algorithm;\r
- description\r
- "The ECDSA algorithm using a NIST P256 Curve.";\r
- reference\r
- "RFC 6090:\r
- Fundamental Elliptic Curve Cryptography Algorithms.";\r
- }\r
- identity secp224r1 {\r
- base asymmetric-key-algorithm;\r
- description\r
- "The ECDSA algorithm using a NIST P256 Curve.";\r
- reference\r
- "RFC 6090:\r
- Fundamental Elliptic Curve Cryptography Algorithms.";\r
- }\r
-\r
- identity secp256r1 {\r
- base asymmetric-key-algorithm;\r
- description\r
- "The ECDSA algorithm using a NIST P256 Curve.";\r
- reference\r
- "RFC 6090:\r
- Fundamental Elliptic Curve Cryptography Algorithms.";\r
- }\r
-\r
- identity secp384r1 {\r
- base asymmetric-key-algorithm;\r
- description\r
- "The ECDSA algorithm using a NIST P256 Curve.";\r
- reference\r
- "RFC 6090:\r
- Fundamental Elliptic Curve Cryptography Algorithms.";\r
- }\r
-\r
- identity secp521r1 {\r
- base asymmetric-key-algorithm;\r
- description\r
- "The ECDSA algorithm using a NIST P256 Curve.";\r
- reference\r
- "RFC 6090:\r
- Fundamental Elliptic Curve Cryptography Algorithms.";\r
- }\r
-\r
- /*************************************/\r
- /* Identities for MAC Algorithms */\r
- /*************************************/\r
-\r
- identity mac-algorithm {\r
- description\r
- "A base identity for mac generation.";\r
- }\r
-\r
- identity hmac-sha1 {\r
- base mac-algorithm;\r
- description\r
- "Generating MAC using SHA1 hash function";\r
- reference\r
- "RFC 3174: US Secure Hash Algorithm 1 (SHA1)";\r
- }\r
-\r
- identity hmac-sha1-96 {\r
- base mac-algorithm;\r
- description\r
- "Generating MAC using SHA1 hash function";\r
- reference\r
- "RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH";\r
- }\r
-\r
- identity hmac-sha2-224 {\r
- base mac-algorithm;\r
- description\r
- "Generating MAC using SHA2 hash function";\r
- reference\r
- "RFC 6234:\r
- US Secure Hash Algorithms (SHA and SHA-based HMAC and\r
- HKDF)";\r
- }\r
-\r
- identity hmac-sha2-256 {\r
- base mac-algorithm;\r
- description\r
- "Generating MAC using SHA2 hash function";\r
- reference\r
- "RFC 6234:\r
- US Secure Hash Algorithms (SHA and SHA-based HMAC and\r
- HKDF)";\r
- }\r
-\r
- identity hmac-sha2-256-128 {\r
- base mac-algorithm;\r
- description\r
- "Generating a 256 bits MAC using SHA2 hash function and\r
- truncate it to 128 bits";\r
- reference\r
- "RFC 4868:\r
- Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512\r
- with IPsec";\r
- }\r
-\r
- identity hmac-sha2-384 {\r
- base mac-algorithm;\r
- description\r
- "Generating MAC using SHA2 hash function";\r
- reference\r
- "RFC 6234:\r
- US Secure Hash Algorithms (SHA and SHA-based HMAC and\r
- HKDF)";\r
- }\r
-\r
- identity hmac-sha2-384-192 {\r
- base mac-algorithm;\r
- description\r
- "Generating a 384 bits MAC using SHA2 hash function and\r
- truncate it to 192 bits";\r
- reference\r
- "RFC 4868:\r
- Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with\r
- IPsec";\r
- }\r
-\r
- identity hmac-sha2-512 {\r
- base mac-algorithm;\r
- description\r
- "Generating MAC using SHA2 hash function";\r
- reference\r
- "RFC 6234:\r
- US Secure Hash Algorithms (SHA and SHA-based HMAC and\r
- HKDF)";\r
- }\r
-\r
- identity hmac-sha2-512-256 {\r
- base mac-algorithm;\r
- description\r
- "Generating a 512 bits MAC using SHA2 hash function and\r
- truncating it to 256 bits";\r
- reference\r
- "RFC 4868:\r
- Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with\r
- IPsec";\r
- }\r
-\r
- identity aes-128-gmac {\r
- base mac-algorithm;\r
- description\r
- "Generating MAC using the Advanced Encryption Standard (AES)\r
- Galois Message Authentication Code (GMAC) as a mechanism to\r
- provide data origin authentication";\r
- reference\r
- "RFC 4543:\r
- The Use of Galois Message Authentication Code (GMAC) in\r
- IPsec ESP and AH";\r
- }\r
-\r
- identity aes-192-gmac {\r
- base mac-algorithm;\r
- description\r
- "Generating MAC using the Advanced Encryption Standard (AES)\r
- Galois Message Authentication Code (GMAC) as a mechanism to\r
- provide data origin authentication";\r
- reference\r
- "RFC 4543:\r
- The Use of Galois Message Authentication Code (GMAC) in\r
- IPsec ESP and AH";\r
- }\r
-\r
- identity aes-256-gmac {\r
- base mac-algorithm;\r
- description\r
- "Generating MAC using the Advanced Encryption Standard (AES)\r
- Galois Message Authentication Code (GMAC) as a mechanism to\r
- provide data origin authentication";\r
- reference\r
- "RFC 4543:\r
- The Use of Galois Message Authentication Code (GMAC) in\r
- IPsec ESP and AH";\r
- }\r
-\r
- identity aes-cmac-96 {\r
- base mac-algorithm;\r
- description\r
- "Generating MAC using Advanced Encryption Standard (AES)\r
- Cipher-based Message Authentication Code (CMAC)";\r
- reference\r
- "RFC 4494: The AES-CMAC-96 Algorithm and its Use with IPsec";\r
- }\r
-\r
- identity aes-cmac-128 {\r
- base mac-algorithm;\r
- description\r
- "Generating MAC using Advanced Encryption Standard (AES)\r
- Cipher-based Message Authentication Code (CMAC)";\r
- reference\r
- "RFC 4493: The AES-CMAC Algorithm";\r
- }\r
-\r
- /********************************************/\r
- /* Identities for Encryption Algorithms */\r
- /********************************************/\r
-\r
- identity encryption-algorithm {\r
- description\r
- "A base identity for encryption algorithm.";\r
- }\r
-\r
- identity aes-128-cbc {\r
- base encryption-algorithm;\r
- description\r
- "Encrypt message with AES algorithm in CBC mode with a key\r
- length of 128 bits";\r
- reference\r
- "RFC 3565:\r
- Use of the Advanced Encryption Standard (AES) Encryption\r
- Algorithm in Cryptographic Message Syntax (CMS)";\r
- }\r
-\r
- identity aes-192-cbc {\r
- base encryption-algorithm;\r
- description\r
- "Encrypt message with AES algorithm in CBC mode with a key\r
- length of 192 bits";\r
- reference\r
- "RFC 3565:\r
- Use of the Advanced Encryption Standard (AES) Encryption\r
- Algorithm in Cryptographic Message Syntax (CMS)";\r
- }\r
-\r
- identity aes-256-cbc {\r
- base encryption-algorithm;\r
- description\r
- "Encrypt message with AES algorithm in CBC mode with a key\r
- length of 256 bits";\r
- reference\r
- "RFC 3565:\r
- Use of the Advanced Encryption Standard (AES) Encryption\r
- Algorithm in Cryptographic Message Syntax (CMS)";\r
- }\r
-\r
- identity aes-128-ctr {\r
- base encryption-algorithm;\r
- description\r
- "Encrypt message with AES algorithm in CTR mode with a key\r
- length of 128 bits";\r
- reference\r
- "RFC 3686:\r
- Using Advanced Encryption Standard (AES) Counter Mode with\r
- IPsec Encapsulating Security Payload (ESP)";\r
- }\r
- identity aes-192-ctr {\r
- base encryption-algorithm;\r
- description\r
- "Encrypt message with AES algorithm in CTR mode with a key\r
- length of 192 bits";\r
- reference\r
- "RFC 3686:\r
- Using Advanced Encryption Standard (AES) Counter Mode with\r
- IPsec Encapsulating Security Payload (ESP)";\r
- }\r
-\r
- identity aes-256-ctr {\r
- base encryption-algorithm;\r
- description\r
- "Encrypt message with AES algorithm in CTR mode with a key\r
- length of 256 bits";\r
- reference\r
- "RFC 3686:\r
- Using Advanced Encryption Standard (AES) Counter Mode with\r
- IPsec Encapsulating Security Payload (ESP)";\r
- }\r
-\r
- /****************************************************/\r
- /* Identities for Encryption and MAC Algorithms */\r
- /****************************************************/\r
-\r
- identity encryption-and-mac-algorithm {\r
- description\r
- "A base identity for encryption and MAC algorithm.";\r
- }\r
-\r
- identity aes-128-ccm {\r
- base encryption-and-mac-algorithm;\r
- description\r
- "Encrypt message with AES algorithm in CCM mode with a key\r
- length of 128 bits; it can also be used for generating MAC";\r
- reference\r
- "RFC 4309:\r
- Using Advanced Encryption Standard (AES) CCM Mode with\r
- IPsec Encapsulating Security Payload (ESP)";\r
- }\r
-\r
- identity aes-192-ccm {\r
- base encryption-and-mac-algorithm;\r
- description\r
- "Encrypt message with AES algorithm in CCM mode with a key\r
- length of 192 bits; it can also be used for generating MAC";\r
- reference\r
- "RFC 4309:\r
- Using Advanced Encryption Standard (AES) CCM Mode with\r
- IPsec Encapsulating Security Payload (ESP)";\r
- }\r
-\r
- identity aes-256-ccm {\r
- base encryption-and-mac-algorithm;\r
- description\r
- "Encrypt message with AES algorithm in CCM mode with a key\r
- length of 256 bits; it can also be used for generating MAC";\r
- reference\r
- "RFC 4309:\r
- Using Advanced Encryption Standard (AES) CCM Mode with\r
- IPsec Encapsulating Security Payload (ESP)";\r
- }\r
-\r
- identity aes-128-gcm {\r
- base encryption-and-mac-algorithm;\r
- description\r
- "Encrypt message with AES algorithm in GCM mode with a key\r
- length of 128 bits; it can also be used for generating MAC";\r
- reference\r
- "RFC 4106:\r
- The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating\r
- Security Payload (ESP)";\r
- }\r
-\r
- identity aes-192-gcm {\r
- base encryption-and-mac-algorithm;\r
- description\r
- "Encrypt message with AES algorithm in GCM mode with a key\r
- length of 192 bits; it can also be used for generating MAC";\r
- reference\r
- "RFC 4106:\r
- The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating\r
- Security Payload (ESP)";\r
- }\r
-\r
- identity mac-aes-256-gcm {\r
- base encryption-and-mac-algorithm;\r
- description\r
- "Encrypt message with AES algorithm in GCM mode with a key\r
- length of 128 bits; it can also be used for generating MAC";\r
- reference\r
- "RFC 4106:\r
- The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating\r
- Security Payload (ESP)";\r
- }\r
- identity chacha20-poly1305 {\r
- base encryption-and-mac-algorithm;\r
- description\r
- "Encrypt message with chacha20 algorithm and generate MAC with\r
- POLY1305; it can also be used for generating MAC";\r
- reference\r
- "RFC 8439: ChaCha20 and Poly1305 for IETF Protocols";\r
- }\r
-\r
- /******************************************/\r
- /* Identities for signature algorithm */\r
- /******************************************/\r
-\r
- identity signature-algorithm {\r
- description\r
- "A base identity for asymmetric key encryption algorithm.";\r
- }\r
-\r
- identity dsa-sha1 {\r
- base signature-algorithm;\r
- description\r
- "The signature algorithm using DSA algorithm with SHA1 hash\r
- algorithm";\r
- reference\r
- "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";\r
- }\r
-\r
- identity rsassa-pkcs1-sha1 {\r
- base signature-algorithm;\r
- description\r
- "The signature algorithm using RSASSA-PKCS1-v1_5 with the SHA1\r
- hash algorithm.";\r
- reference\r
- "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";\r
- }\r
-\r
- identity rsassa-pkcs1-sha256 {\r
- base signature-algorithm;\r
- description\r
- "The signature algorithm using RSASSA-PKCS1-v1_5 with the\r
- SHA256 hash algorithm.";\r
- reference\r
- "RFC 8332:\r
- Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell\r
- (SSH) Protocol\r
- RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
- identity rsassa-pkcs1-sha384 {\r
- base signature-algorithm;\r
- description\r
- "The signature algorithm using RSASSA-PKCS1-v1_5 with the\r
- SHA384 hash algorithm.";\r
- reference\r
- "RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity rsassa-pkcs1-sha512 {\r
- base signature-algorithm;\r
- description\r
- "The signature algorithm using RSASSA-PKCS1-v1_5 with the\r
- SHA512 hash algorithm.";\r
- reference\r
- "RFC 8332:\r
- Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell\r
- (SSH) Protocol\r
- RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity rsassa-pss-rsae-sha256 {\r
- base signature-algorithm;\r
- description\r
- "The signature algorithm using RSASSA-PSS with mask generation\r
- function 1 and SHA256 hash algorithm. If the public key is\r
- carried in an X.509 certificate, it MUST use the rsaEncryption\r
- OID";\r
- reference\r
- "RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity rsassa-pss-rsae-sha384 {\r
- base signature-algorithm;\r
- description\r
- "The signature algorithm using RSASSA-PSS with mask generation\r
- function 1 and SHA384 hash algorithm. If the public key is\r
- carried in an X.509 certificate, it MUST use the rsaEncryption\r
- OID";\r
- reference\r
- "RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity rsassa-pss-rsae-sha512 {\r
- base signature-algorithm;\r
- description\r
- "The signature algorithm using RSASSA-PSS with mask generation\r
- function 1 and SHA512 hash algorithm. If the public key is\r
- carried in an X.509 certificate, it MUST use the rsaEncryption\r
- OID";\r
- reference\r
- "RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity rsassa-pss-pss-sha256 {\r
- base signature-algorithm;\r
- description\r
- "The signature algorithm using RSASSA-PSS with mask generation\r
- function 1 and SHA256 hash algorithm. If the public key is\r
- carried in an X.509 certificate, it MUST use the RSASSA-PSS\r
- OID";\r
- reference\r
- "RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity rsassa-pss-pss-sha384 {\r
- base signature-algorithm;\r
- description\r
- "The signature algorithm using RSASSA-PSS with mask generation\r
- function 1 and SHA256 hash algorithm. If the public key is\r
- carried in an X.509 certificate, it MUST use the RSASSA-PSS\r
- OID";\r
- reference\r
- "RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity rsassa-pss-pss-sha512 {\r
- base signature-algorithm;\r
- description\r
- "The signature algorithm using RSASSA-PSS with mask generation\r
- function 1 and SHA256 hash algorithm. If the public key is\r
- carried in an X.509 certificate, it MUST use the RSASSA-PSS\r
- OID";\r
- reference\r
- "RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity ecdsa-secp256r1-sha256 {\r
- base signature-algorithm;\r
- description\r
- "The signature algorithm using ECDSA with curve name secp256r1\r
- and SHA256 hash algorithm.";\r
- reference\r
- "RFC 5656: Elliptic Curve Algorithm Integration in the\r
- Secure Shell Transport Layer\r
- RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity ecdsa-secp384r1-sha384 {\r
- base signature-algorithm;\r
- description\r
- "The signature algorithm using ECDSA with curve name secp384r1\r
- and SHA384 hash algorithm.";\r
- reference\r
- "RFC 5656: Elliptic Curve Algorithm Integration in the\r
- Secure Shell Transport Layer\r
- RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity ecdsa-secp521r1-sha512 {\r
- base signature-algorithm;\r
- description\r
- "The signature algorithm using ECDSA with curve name secp521r1\r
- and SHA512 hash algorithm.";\r
- reference\r
- "RFC 5656: Elliptic Curve Algorithm Integration in the\r
- Secure Shell Transport Layer\r
- RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity ed25519 {\r
- base signature-algorithm;\r
- description\r
- "The signature algorithm using EdDSA as defined in RFC 8032 or\r
- its successors.";\r
- reference\r
- "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)";\r
- }\r
-\r
- identity ed448 {\r
- base signature-algorithm;\r
- description\r
- "The signature algorithm using EdDSA as defined in RFC 8032 or\r
- its successors.";\r
- reference\r
- "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)";\r
- }\r
-\r
- identity eccsi {\r
- base signature-algorithm;\r
- description\r
- "The signature algorithm using ECCSI signature as defined in\r
- RFC 6507.";\r
- reference\r
- "RFC 6507:\r
- Elliptic Curve-Based Certificateless Signatures for\r
- Identity-based Encryption (ECCSI)";\r
- }\r
-\r
- /**********************************************/\r
- /* Identities for key exchange algorithms */\r
- /**********************************************/\r
-\r
- identity key-exchange-algorithm {\r
- description\r
- "A base identity for Diffie-Hellman based key exchange\r
- algorithm.";\r
- }\r
-\r
- identity psk-only {\r
- base key-exchange-algorithm;\r
- description\r
- "Using Pre-shared key for authentication and key exchange";\r
- reference\r
- "RFC 4279:\r
- Pre-Shared Key cipher suites for Transport Layer Security\r
- (TLS)";\r
- }\r
-\r
- identity dhe-ffdhe2048 {\r
- base key-exchange-algorithm;\r
- description\r
- "Ephemeral Diffie Hellman key exchange with 2048 bit\r
- finite field";\r
- reference\r
- "RFC 7919:\r
- Negotiated Finite Field Diffie-Hellman Ephemeral Parameters\r
- for Transport Layer Security (TLS)";\r
- }\r
-\r
- identity dhe-ffdhe3072 {\r
- base key-exchange-algorithm;\r
- description\r
- "Ephemeral Diffie Hellman key exchange with 3072 bit finite\r
- field";\r
- reference\r
- "RFC 7919:\r
- Negotiated Finite Field Diffie-Hellman Ephemeral Parameters\r
- for Transport Layer Security (TLS)";\r
- }\r
-\r
- identity dhe-ffdhe4096 {\r
- base key-exchange-algorithm;\r
- description\r
- "Ephemeral Diffie Hellman key exchange with 4096 bit\r
- finite field";\r
- reference\r
- "RFC 7919:\r
- Negotiated Finite Field Diffie-Hellman Ephemeral Parameters\r
- for Transport Layer Security (TLS)";\r
- }\r
-\r
- identity dhe-ffdhe6144 {\r
- base key-exchange-algorithm;\r
- description\r
- "Ephemeral Diffie Hellman key exchange with 6144 bit\r
- finite field";\r
- reference\r
- "RFC 7919:\r
- Negotiated Finite Field Diffie-Hellman Ephemeral Parameters\r
- for Transport Layer Security (TLS)";\r
- }\r
-\r
- identity dhe-ffdhe8192 {\r
- base key-exchange-algorithm;\r
- description\r
- "Ephemeral Diffie Hellman key exchange with 8192 bit\r
- finite field";\r
- reference\r
- "RFC 7919:\r
- Negotiated Finite Field Diffie-Hellman Ephemeral Parameters\r
- for Transport Layer Security (TLS)";\r
- }\r
-\r
- identity psk-dhe-ffdhe2048 {\r
- base key-exchange-algorithm;\r
- description\r
- "Key exchange using pre-shared key with Diffie-Hellman key\r
- generation mechanism, where the DH group is FFDHE2048";\r
- reference\r
- "RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity psk-dhe-ffdhe3072 {\r
- base key-exchange-algorithm;\r
- description\r
- "Key exchange using pre-shared key with Diffie-Hellman key\r
- generation mechanism, where the DH group is FFDHE3072";\r
- reference\r
- "RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity psk-dhe-ffdhe4096 {\r
- base key-exchange-algorithm;\r
- description\r
- "Key exchange using pre-shared key with Diffie-Hellman key\r
- generation mechanism, where the DH group is FFDHE4096";\r
- reference\r
- "RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity psk-dhe-ffdhe6144 {\r
- base key-exchange-algorithm;\r
- description\r
- "Key exchange using pre-shared key with Diffie-Hellman key\r
- generation mechanism, where the DH group is FFDHE6144";\r
- reference\r
- "RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity psk-dhe-ffdhe8192 {\r
- base key-exchange-algorithm;\r
- description\r
- "Key exchange using pre-shared key with Diffie-Hellman key\r
- generation mechanism, where the DH group is FFDHE8192";\r
- reference\r
- "RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity ecdhe-secp256r1 {\r
- base key-exchange-algorithm;\r
- description\r
- "Ephemeral Diffie Hellman key exchange with elliptic group\r
- over curve secp256r1";\r
- reference\r
- "RFC 8422:\r
- Elliptic Curve Cryptography (ECC) Cipher Suites for\r
- Transport Layer Security (TLS) Versions 1.2 and Earlier";\r
- }\r
-\r
- identity ecdhe-secp384r1 {\r
- base key-exchange-algorithm;\r
- description\r
- "Ephemeral Diffie Hellman key exchange with elliptic group\r
- over curve secp384r1";\r
- reference\r
- "RFC 8422:\r
- Elliptic Curve Cryptography (ECC) Cipher Suites for\r
- Transport Layer Security (TLS) Versions 1.2 and Earlier";\r
- }\r
-\r
- identity ecdhe-secp521r1 {\r
- base key-exchange-algorithm;\r
- description\r
- "Ephemeral Diffie Hellman key exchange with elliptic group\r
- over curve secp521r1";\r
- reference\r
- "RFC 8422:\r
- Elliptic Curve Cryptography (ECC) Cipher Suites for\r
- Transport Layer Security (TLS) Versions 1.2 and Earlier";\r
- }\r
-\r
- identity ecdhe-x25519 {\r
- base key-exchange-algorithm;\r
- description\r
- "Ephemeral Diffie Hellman key exchange with elliptic group\r
- over curve x25519";\r
- reference\r
- "RFC 8422:\r
- Elliptic Curve Cryptography (ECC) Cipher Suites for\r
- Transport Layer Security (TLS) Versions 1.2 and Earlier";\r
- }\r
-\r
- identity ecdhe-x448 {\r
- base key-exchange-algorithm;\r
- description\r
- "Ephemeral Diffie Hellman key exchange with elliptic group\r
- over curve x448";\r
- reference\r
- "RFC 8422:\r
- Elliptic Curve Cryptography (ECC) Cipher Suites for\r
- Transport Layer Security (TLS) Versions 1.2 and Earlier";\r
- }\r
-\r
- identity psk-ecdhe-secp256r1 {\r
- base key-exchange-algorithm;\r
- description\r
- "Key exchange using pre-shared key with elliptic group-based\r
- Ephemeral Diffie Hellman key exchange over curve secp256r1";\r
- reference\r
- "RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity psk-ecdhe-secp384r1 {\r
- base key-exchange-algorithm;\r
- description\r
- "Key exchange using pre-shared key with elliptic group-based\r
- Ephemeral Diffie Hellman key exchange over curve secp384r1";\r
- reference\r
- "RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity psk-ecdhe-secp521r1 {\r
- base key-exchange-algorithm;\r
- description\r
- "Key exchange using pre-shared key with elliptic group-based\r
- Ephemeral Diffie Hellman key exchange over curve secp521r1";\r
- reference\r
- "RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity psk-ecdhe-x25519 {\r
- base key-exchange-algorithm;\r
- description\r
- "Key exchange using pre-shared key with elliptic group-based\r
- Ephemeral Diffie Hellman key exchange over curve x25519";\r
- reference\r
- "RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity psk-ecdhe-x448 {\r
- base key-exchange-algorithm;\r
- description\r
- "Key exchange using pre-shared key with elliptic group-based\r
- Ephemeral Diffie Hellman key exchange over curve x448";\r
- reference\r
- "RFC 8446:\r
- The Transport Layer Security (TLS) Protocol Version 1.3";\r
- }\r
-\r
- identity diffie-hellman-group14-sha1 {\r
- base key-exchange-algorithm;\r
- description\r
- "Using DH group14 and SHA1 for key exchange";\r
- reference\r
- "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";\r
- }\r
-\r
- identity diffie-hellman-group14-sha256 {\r
- base key-exchange-algorithm;\r
- description\r
- "Using DH group14 and SHA256 for key exchange";\r
- reference\r
- "RFC 8268:\r
- More Modular Exponentiation (MODP) Diffie-Hellman (DH)\r
- Key Exchange (KEX) Groups for Secure Shell (SSH)";\r
- }\r
-\r
- identity diffie-hellman-group15-sha512 {\r
- base key-exchange-algorithm;\r
- description\r
- "Using DH group15 and SHA512 for key exchange";\r
- reference\r
- "RFC 8268:\r
- More Modular Exponentiation (MODP) Diffie-Hellman (DH)\r
- Key Exchange (KEX) Groups for Secure Shell (SSH)";\r
- }\r
-\r
- identity diffie-hellman-group16-sha512 {\r
- base key-exchange-algorithm;\r
- description\r
- "Using DH group16 and SHA512 for key exchange";\r
- reference\r
- "RFC 8268:\r
- More Modular Exponentiation (MODP) Diffie-Hellman (DH)\r
- Key Exchange (KEX) Groups for Secure Shell (SSH)";\r
- }\r
-\r
- identity diffie-hellman-group17-sha512 {\r
- base key-exchange-algorithm;\r
- description\r
- "Using DH group17 and SHA512 for key exchange";\r
-\r
- reference\r
- "RFC 8268:\r
- More Modular Exponentiation (MODP) Diffie-Hellman (DH)\r
- Key Exchange (KEX) Groups for Secure Shell (SSH)";\r
- }\r
-\r
- identity diffie-hellman-group18-sha512 {\r
- base key-exchange-algorithm;\r
- description\r
- "Using DH group18 and SHA512 for key exchange";\r
- reference\r
- "RFC 8268:\r
- More Modular Exponentiation (MODP) Diffie-Hellman (DH)\r
- Key Exchange (KEX) Groups for Secure Shell (SSH)";\r
- }\r
-\r
- identity ecdh-sha2-secp256r1 {\r
- base key-exchange-algorithm;\r
- description\r
- "Elliptic curve-based Diffie Hellman key exchange over curve\r
- secp256r1 and using SHA2 for MAC generation";\r
- reference\r
- "RFC 6239: Suite B Cryptographic Suites for Secure Shell\r
- (SSH)";\r
- }\r
-\r
- identity ecdh-sha2-secp384r1 {\r
- base key-exchange-algorithm;\r
- description\r
- "Elliptic curve-based Diffie Hellman key exchange over curve\r
- secp384r1 and using SHA2 for MAC generation";\r
- reference\r
- "RFC 6239: Suite B Cryptographic Suites for Secure Shell\r
- (SSH)";\r
- }\r
-\r
- identity rsaes-oaep {\r
- base key-exchange-algorithm;\r
- description\r
- "RSAES-OAEP combines the RSAEP and RSADP primitives with the\r
- EME-OAEP encoding method";\r
- reference\r
- "RFC 8017:\r
- PKCS #1: RSA Cryptography Specifications Version 2.2.";\r
- }\r
-\r
- identity rsaes-pkcs1-v1_5 {\r
- base key-exchange-algorithm;\r
- description\r
- " RSAES-PKCS1-v1_5 combines the RSAEP and RSADP primitives\r
- with the EME-PKCS1-v1_5 encoding method";\r
- reference\r
- "RFC 8017:\r
- PKCS #1: RSA Cryptography Specifications Version 2.2.";\r
- }\r
-\r
- /**********************************************************/\r
- /* Typedefs for identityrefs to above base identities */\r
- /**********************************************************/\r
-\r
- typedef hash-algorithm-ref {\r
- type identityref {\r
- base hash-algorithm;\r
- }\r
- description\r
- "This typedef enables importing modules to easily define an\r
- identityref to the 'hash-algorithm' base identity.";\r
- }\r
-\r
- typedef signature-algorithm-ref {\r
- type identityref {\r
- base signature-algorithm;\r
- }\r
- description\r
- "This typedef enables importing modules to easily define an\r
- identityref to the 'signature-algorithm' base identity.";\r
- }\r
-\r
- typedef mac-algorithm-ref {\r
- type identityref {\r
- base mac-algorithm;\r
- }\r
- description\r
- "This typedef enables importing modules to easily define an\r
- identityref to the 'mac-algorithm' base identity.";\r
- }\r
-\r
- typedef encryption-algorithm-ref {\r
- type identityref {\r
- base encryption-algorithm;\r
- }\r
- description\r
- "This typedef enables importing modules to easily define an\r
- identityref to the 'encryption-algorithm'\r
- base identity.";\r
- }\r
-\r
- typedef encryption-and-mac-algorithm-ref {\r
- type identityref {\r
- base encryption-and-mac-algorithm;\r
- }\r
- description\r
- "This typedef enables importing modules to easily define an\r
- identityref to the 'encryption-and-mac-algorithm'\r
- base identity.";\r
- }\r
-\r
- typedef asymmetric-key-algorithm-ref {\r
- type identityref {\r
- base asymmetric-key-algorithm;\r
- }\r
- description\r
- "This typedef enables importing modules to easily define an\r
- identityref to the 'asymmetric-key-algorithm'\r
- base identity.";\r
- }\r
-\r
- typedef key-exchange-algorithm-ref {\r
- type identityref {\r
- base key-exchange-algorithm;\r
- }\r
- description\r
- "This typedef enables importing modules to easily define an\r
- identityref to the 'key-exchange-algorithm' base identity.";\r
- }\r
-\r
- /***************************************************/\r
- /* Typedefs for ASN.1 structures from RFC 5280 */\r
- /***************************************************/\r
-\r
- typedef x509 {\r
- type binary;\r
- description\r
- "A Certificate structure, as specified in RFC 5280,\r
- encoded using ASN.1 distinguished encoding rules (DER),\r
- as specified in ITU-T X.690.";\r
- reference\r
- "RFC 5280:\r
- Internet X.509 Public Key Infrastructure Certificate\r
- and Certificate Revocation List (CRL) Profile\r
- ITU-T X.690:\r
- Information technology - ASN.1 encoding rules:\r
- Specification of Basic Encoding Rules (BER),\r
- Canonical Encoding Rules (CER) and Distinguished\r
- Encoding Rules (DER).";\r
- }\r
-\r
- typedef crl {\r
- type binary;\r
- description\r
- "A CertificateList structure, as specified in RFC 5280,\r
- encoded using ASN.1 distinguished encoding rules (DER),\r
- as specified in ITU-T X.690.";\r
- reference\r
- "RFC 5280:\r
- Internet X.509 Public Key Infrastructure Certificate\r
- and Certificate Revocation List (CRL) Profile\r
- ITU-T X.690:\r
- Information technology - ASN.1 encoding rules:\r
- Specification of Basic Encoding Rules (BER),\r
- Canonical Encoding Rules (CER) and Distinguished\r
- Encoding Rules (DER).";\r
- }\r
-\r
- /***********************************************/\r
- /* Typedefs for ASN.1 structures from 5652 */\r
- /***********************************************/\r
-\r
- typedef cms {\r
- type binary;\r
- description\r
- "A ContentInfo structure, as specified in RFC 5652,\r
- encoded using ASN.1 distinguished encoding rules (DER),\r
- as specified in ITU-T X.690.";\r
- reference\r
- "RFC 5652:\r
- Cryptographic Message Syntax (CMS)\r
- ITU-T X.690:\r
- Information technology - ASN.1 encoding rules:\r
- Specification of Basic Encoding Rules (BER),\r
- Canonical Encoding Rules (CER) and Distinguished\r
- Encoding Rules (DER).";\r
- }\r
-\r
- typedef data-content-cms {\r
- type cms;\r
- description\r
- "A CMS structure whose top-most content type MUST be the\r
- data content type, as described by Section 4 in RFC 5652.";\r
- reference\r
- "RFC 5652: Cryptographic Message Syntax (CMS)";\r
- }\r
-\r
- typedef signed-data-cms {\r
- type cms;\r
- description\r
- "A CMS structure whose top-most content type MUST be the\r
- signed-data content type, as described by Section 5 in\r
- RFC 5652.";\r
- reference\r
- "RFC 5652: Cryptographic Message Syntax (CMS)";\r
- }\r
-\r
- typedef enveloped-data-cms {\r
- type cms;\r
- description\r
- "A CMS structure whose top-most content type MUST be the\r
- enveloped-data content type, as described by Section 6\r
- in RFC 5652.";\r
- reference\r
- "RFC 5652: Cryptographic Message Syntax (CMS)";\r
- }\r
-\r
- typedef digested-data-cms {\r
- type cms;\r
- description\r
- "A CMS structure whose top-most content type MUST be the\r
- digested-data content type, as described by Section 7\r
- in RFC 5652.";\r
- reference\r
- "RFC 5652: Cryptographic Message Syntax (CMS)";\r
- }\r
-\r
- typedef encrypted-data-cms {\r
- type cms;\r
- description\r
- "A CMS structure whose top-most content type MUST be the\r
- encrypted-data content type, as described by Section 8\r
- in RFC 5652.";\r
- reference\r
- "RFC 5652: Cryptographic Message Syntax (CMS)";\r
- }\r
-\r
- typedef authenticated-data-cms {\r
- type cms;\r
- description\r
- "A CMS structure whose top-most content type MUST be the\r
- authenticated-data content type, as described by Section 9\r
- in RFC 5652.";\r
- reference\r
- "RFC 5652: Cryptographic Message Syntax (CMS)";\r
- }\r
-\r
- /***************************************************/\r
- /* Typedefs for structures related to RFC 4253 */\r
- /***************************************************/\r
-\r
- typedef ssh-host-key {\r
- type binary;\r
- description\r
- "The binary public key data for this SSH key, as\r
- specified by RFC 4253, Section 6.6, i.e.:\r
-\r
- string certificate or public key format\r
- identifier\r
- byte[n] key/certificate data.";\r
- reference\r
- "RFC 4253: The Secure Shell (SSH) Transport Layer\r
- Protocol";\r
- }\r
-\r
- /*********************************************************/\r
- /* Typedefs for ASN.1 structures related to RFC 5280 */\r
- /*********************************************************/\r
-\r
- typedef trust-anchor-cert-x509 {\r
- type x509;\r
- description\r
- "A Certificate structure that MUST encode a self-signed\r
- root certificate.";\r
- }\r
-\r
- typedef end-entity-cert-x509 {\r
- type x509;\r
- description\r
- "A Certificate structure that MUST encode a certificate\r
- that is neither self-signed nor having Basic constraint\r
- CA true.";\r
- }\r
-\r
- /*********************************************************/\r
- /* Typedefs for ASN.1 structures related to RFC 5652 */\r
- /*********************************************************/\r
-\r
- typedef trust-anchor-cert-cms {\r
- type signed-data-cms;\r
- description\r
- "A CMS SignedData structure that MUST contain the chain of\r
- X.509 certificates needed to authenticate the certificate\r
- presented by a client or end-entity.\r
-\r
- The CMS MUST contain only a single chain of certificates.\r
- The client or end-entity certificate MUST only authenticate\r
- to last intermediate CA certificate listed in the chain.\r
-\r
- In all cases, the chain MUST include a self-signed root\r
- certificate. In the case where the root certificate is\r
- itself the issuer of the client or end-entity certificate,\r
- only one certificate is present.\r
-\r
- This CMS structure MAY (as applicable where this type is\r
- used) also contain suitably fresh (as defined by local\r
- policy) revocation objects with which the device can\r
- verify the revocation status of the certificates.\r
-\r
- This CMS encodes the degenerate form of the SignedData\r
- structure that is commonly used to disseminate X.509\r
- certificates and revocation objects (RFC 5280).";\r
- reference\r
- "RFC 5280:\r
- Internet X.509 Public Key Infrastructure Certificate\r
- and Certificate Revocation List (CRL) Profile.";\r
- }\r
-\r
- typedef end-entity-cert-cms {\r
- type signed-data-cms;\r
- description\r
- "A CMS SignedData structure that MUST contain the end\r
- entity certificate itself, and MAY contain any number\r
- of intermediate certificates leading up to a trust\r
- anchor certificate. The trust anchor certificate\r
- MAY be included as well.\r
-\r
- The CMS MUST contain a single end entity certificate.\r
- The CMS MUST NOT contain any spurious certificates.\r
-\r
- This CMS structure MAY (as applicable where this type is\r
- used) also contain suitably fresh (as defined by local\r
- policy) revocation objects with which the device can\r
- verify the revocation status of the certificates.\r
-\r
- This CMS encodes the degenerate form of the SignedData\r
- structure that is commonly used to disseminate X.509\r
- certificates and revocation objects (RFC 5280).";\r
- reference\r
- "RFC 5280:\r
- Internet X.509 Public Key Infrastructure Certificate\r
- and Certificate Revocation List (CRL) Profile.";\r
- }\r
-\r
- /**********************************************/\r
- /* Groupings for keys and/or certificates */\r
- /**********************************************/\r
-\r
- grouping public-key-grouping {\r
- description\r
- "A public key.\r
-\r
- The 'algorithm' and 'public-key' nodes are not\r
- mandatory because they MAY be defined in <operational>.\r
- Implementations SHOULD assert that these values are\r
- either configured or that they exist in <operational>.";\r
- leaf algorithm {\r
- nacm:default-deny-write;\r
- type asymmetric-key-algorithm-ref;\r
- must '../public-key';\r
- description\r
- "Identifies the key's algorithm. More specifically,\r
- this leaf specifies how the 'public-key' binary leaf\r
- is encoded.";\r
- reference\r
- "RFC CCCC: Common YANG Data Types for Cryptography";\r
- }\r
- leaf public-key {\r
- nacm:default-deny-write;\r
- type binary;\r
- must '../algorithm';\r
- description\r
- "A binary that contains the value of the public key. The\r
- interpretation of the content is defined by the key\r
- algorithm. For example, a DSA key is an integer, an RSA\r
- key is represented as RSAPublicKey as defined in\r
- RFC 8017, and an Elliptic Curve Cryptography (ECC) key\r
- is represented using the 'publicKey' described in\r
- RFC 5915.";\r
- reference\r
- "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:\r
- RSA Cryptography Specifications Version 2.2.\r
- RFC 5915: Elliptic Curve Private Key Structure.";\r
- }\r
- }\r
-\r
- grouping asymmetric-key-pair-grouping {\r
- description\r
- "A private/public key pair.\r
- The 'algorithm', 'public-key', and 'private-key' nodes are\r
- not mandatory because they MAY be defined in <operational>.\r
- Implementations SHOULD assert that these values are either\r
- configured or that they exist in <operational>.";\r
- uses public-key-grouping;\r
- leaf private-key {\r
- nacm:default-deny-all;\r
- type union {\r
- type binary;\r
- type enumeration {\r
- enum permanently-hidden {\r
- description\r
- "The private key is inaccessible due to being\r
- protected by the system (e.g., a cryptographic\r
- hardware module).\r
-\r
- How such keys are backed-up and restored, if\r
- at all, is implementation specific.\r
-\r
- Servers MUST fail any attempt by a client to\r
- configure this value directly. This value is\r
- not set by clients, but rather is set by the\r
- 'generate-hidden-key' and 'install-hidden-key'\r
- actions.";\r
- }\r
- }\r
- }\r
- must '../public-key';\r
- description\r
- "A binary that contains the value of the private key. The\r
- interpretation of the content is defined by the key\r
- algorithm. For example, a DSA key is an integer, an RSA\r
- key is represented as RSAPrivateKey as defined in\r
- RFC 8017, and an Elliptic Curve Cryptography (ECC) key\r
- is represented as ECPrivateKey as defined in RFC 5915.";\r
- reference\r
- "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:\r
- RSA Cryptography Specifications Version 2.2.\r
- RFC 5915: Elliptic Curve Private Key Structure.";\r
- } // private-key\r
-\r
- action generate-hidden-key {\r
- nacm:default-deny-all;\r
- description\r
- "Requests the device to generate a hidden key using the\r
- specified asymmetric key algorithm. This action is\r
- used to request the system to generate a key that is\r
- 'permanently-hidden', perhaps protected by a cryptographic\r
- hardware module. The resulting asymmetric key values are\r
- considered operational state and hence present only in\r
- <operational> and bound to the lifetime of the parent\r
- 'config true' node. Subsequent invocations of this or\r
- the 'install-hidden-key' action are denied with error-tag\r
- 'data-exists'.";\r
- input {\r
- leaf algorithm {\r
- type asymmetric-key-algorithm-ref;\r
- mandatory true;\r
- description\r
- "The algorithm to be used when generating the\r
- asymmetric key.";\r
- reference\r
- "RFC CCCC: Common YANG Data Types for Cryptography";\r
- }\r
- }\r
- } // generate-hidden-key\r
-\r
- action install-hidden-key {\r
- nacm:default-deny-all;\r
- description\r
- "Requests the device to load the specified values into\r
- a hidden key. The resulting asymmetric key values are\r
- considered operational state and hence present only in\r
- <operational> and bound to the lifetime of the parent\r
- 'config true' node. Subsequent invocations of this\r
- or the 'generate-hidden-key' action are denied with\r
- error-tag 'data-exists'.";\r
- input {\r
- leaf algorithm {\r
- type asymmetric-key-algorithm-ref;\r
- mandatory true;\r
- description\r
- "The algorithm to be used when generating the\r
- asymmetric key.";\r
- reference\r
- "RFC CCCC: Common YANG Data Types for Cryptography";\r
- }\r
- leaf public-key {\r
- type binary;\r
- description\r
- "A binary that contains the value of the public key.\r
- The interpretation of the content is defined by the key\r
- algorithm. For example, a DSA key is an integer, an\r
- RSA key is represented as RSAPublicKey as defined in\r
- RFC 8017, and an Elliptic Curve Cryptography (ECC) key\r
- is represented using the 'publicKey' described in\r
- RFC 5915.";\r
- reference\r
- "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:\r
- RSA Cryptography Specifications Version 2.2.\r
- RFC 5915: Elliptic Curve Private Key Structure.";\r
- }\r
- leaf private-key {\r
- type binary;\r
- description\r
- "A binary that contains the value of the private key.\r
- The interpretation of the content is defined by the key\r
- algorithm. For example, a DSA key is an integer, an RSA\r
- key is represented as RSAPrivateKey as defined in\r
- RFC 8017, and an Elliptic Curve Cryptography (ECC) key\r
- is represented as ECPrivateKey as defined in RFC 5915.";\r
- reference\r
- "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:\r
- RSA Cryptography Specifications Version 2.2.\r
- RFC 5915: Elliptic Curve Private Key Structure.";\r
- }\r
- }\r
- } // install-hidden-key\r
- } // asymmetric-key-pair-grouping\r
-\r
-\r
- grouping trust-anchor-cert-grouping {\r
- description\r
- "A trust anchor certificate, and a notification for when\r
- it is about to (or already has) expire.";\r
- leaf cert {\r
- nacm:default-deny-write;\r
- type trust-anchor-cert-cms;\r
- description\r
- "The binary certificate data for this certificate.";\r
- reference\r
- "RFC YYYY: Common YANG Data Types for Cryptography";\r
- }\r
- notification certificate-expiration {\r
- description\r
- "A notification indicating that the configured certificate\r
- is either about to expire or has already expired. When to\r
- send notifications is an implementation specific decision,\r
- but it is RECOMMENDED that a notification be sent once a\r
- month for 3 months, then once a week for four weeks, and\r
- then once a day thereafter until the issue is resolved.";\r
- leaf expiration-date {\r
- type yang:date-and-time;\r
- mandatory true;\r
- description\r
- "Identifies the expiration date on the certificate.";\r
- }\r
- }\r
- }\r
-\r
- grouping trust-anchor-certs-grouping {\r
- description\r
- "A list of trust anchor certificates, and a notification\r
- for when one is about to (or already has) expire.";\r
- leaf-list cert {\r
- nacm:default-deny-write;\r
- type trust-anchor-cert-cms;\r
- description\r
- "The binary certificate data for this certificate.";\r
- reference\r
- "RFC YYYY: Common YANG Data Types for Cryptography";\r
- }\r
- notification certificate-expiration {\r
- description\r
- "A notification indicating that the configured certificate\r
- is either about to expire or has already expired. When to\r
- send notifications is an implementation specific decision,\r
- but it is RECOMMENDED that a notification be sent once a\r
- month for 3 months, then once a week for four weeks, and\r
- then once a day thereafter until the issue is resolved.";\r
- leaf expiration-date {\r
- type yang:date-and-time;\r
- mandatory true;\r
- description\r
- "Identifies the expiration date on the certificate.";\r
- }\r
- }\r
- }\r
-\r
- grouping end-entity-cert-grouping {\r
- description\r
- "An end entity certificate, and a notification for when\r
- it is about to (or already has) expire.";\r
- leaf cert {\r
- nacm:default-deny-write;\r
- type end-entity-cert-cms;\r
- description\r
- "The binary certificate data for this certificate.";\r
- reference\r
- "RFC YYYY: Common YANG Data Types for Cryptography";\r
- }\r
- notification certificate-expiration {\r
- description\r
- "A notification indicating that the configured certificate\r
- is either about to expire or has already expired. When to\r
- send notifications is an implementation specific decision,\r
- but it is RECOMMENDED that a notification be sent once a\r
- month for 3 months, then once a week for four weeks, and\r
- then once a day thereafter until the issue is resolved.";\r
- leaf expiration-date {\r
- type yang:date-and-time;\r
- mandatory true;\r
- description\r
- "Identifies the expiration date on the certificate.";\r
- }\r
- }\r
- }\r
-\r
- grouping end-entity-certs-grouping {\r
- description\r
- "A list of end entity certificates, and a notification for\r
- when one is about to (or already has) expire.";\r
- leaf-list cert {\r
- nacm:default-deny-write;\r
- type end-entity-cert-cms;\r
- description\r
- "The binary certificate data for this certificate.";\r
- reference\r
- "RFC YYYY: Common YANG Data Types for Cryptography";\r
- }\r
- notification certificate-expiration {\r
- description\r
- "A notification indicating that the configured certificate\r
- is either about to expire or has already expired. When to\r
- send notifications is an implementation specific decision,\r
- but it is RECOMMENDED that a notification be sent once a\r
- month for 3 months, then once a week for four weeks, and\r
- then once a day thereafter until the issue is resolved.";\r
- leaf expiration-date {\r
- type yang:date-and-time;\r
- mandatory true;\r
- description\r
- "Identifies the expiration date on the certificate.";\r
- }\r
- }\r
- }\r
-\r
- grouping asymmetric-key-pair-with-cert-grouping {\r
- description\r
- "A private/public key pair and an associated certificate.";\r
- uses asymmetric-key-pair-grouping;\r
- uses end-entity-cert-grouping;\r
-\r
- action generate-certificate-signing-request {\r
- nacm:default-deny-all;\r
- description\r
- "Generates a certificate signing request structure for\r
- the associated asymmetric key using the passed subject\r
- and attribute values. The specified assertions need\r
- to be appropriate for the certificate's use. For\r
- example, an entity certificate for a TLS server\r
- SHOULD have values that enable clients to satisfy\r
- RFC 6125 processing.";\r
- input {\r
- leaf subject {\r
- type binary;\r
- mandatory true;\r
- description\r
- "The 'subject' field per the CertificationRequestInfo\r
- structure as specified by RFC 2986, Section 4.1\r
- encoded using the ASN.1 distinguished encoding\r
- rules (DER), as specified in ITU-T X.690.";\r
- reference\r
- "RFC 2986:\r
- PKCS #10: Certification Request Syntax\r
- Specification Version 1.7.\r
- ITU-T X.690:\r
- Information technology - ASN.1 encoding rules:\r
- Specification of Basic Encoding Rules (BER),\r
- Canonical Encoding Rules (CER) and Distinguished\r
- Encoding Rules (DER).";\r
- }\r
- leaf attributes {\r
- type binary;\r
- description\r
- "The 'attributes' field from the structure\r
- CertificationRequestInfo as specified by RFC 2986,\r
- Section 4.1 encoded using the ASN.1 distinguished\r
- encoding rules (DER), as specified in ITU-T X.690.";\r
- reference\r
- "RFC 2986:\r
- PKCS #10: Certification Request Syntax\r
- Specification Version 1.7.\r
- ITU-T X.690:\r
- Information technology - ASN.1 encoding rules:\r
- Specification of Basic Encoding Rules (BER),\r
- Canonical Encoding Rules (CER) and Distinguished\r
- Encoding Rules (DER).";\r
- }\r
- }\r
- output {\r
- leaf certificate-signing-request {\r
- type binary;\r
- mandatory true;\r
- description\r
- "A CertificationRequest structure as specified by\r
- RFC 2986, Section 4.2 encoded using the ASN.1\r
- distinguished encoding rules (DER), as specified\r
- in ITU-T X.690.";\r
- reference\r
- "RFC 2986:\r
- PKCS #10: Certification Request Syntax\r
- Specification Version 1.7.\r
- ITU-T X.690:\r
- Information technology - ASN.1 encoding rules:\r
- Specification of Basic Encoding Rules (BER),\r
- Canonical Encoding Rules (CER) and Distinguished\r
- Encoding Rules (DER).";\r
- }\r
- }\r
- } // generate-certificate-signing-request\r
- } // asymmetric-key-pair-with-cert-grouping\r
-\r
-\r
- grouping asymmetric-key-pair-with-certs-grouping {\r
- description\r
- "A private/public key pair and associated certificates.";\r
- uses asymmetric-key-pair-grouping;\r
- container certificates {\r
- nacm:default-deny-write;\r
- description\r
- "Certificates associated with this asymmetric key.\r
- More than one certificate supports, for instance,\r
- a TPM-protected asymmetric key that has both IDevID\r
- and LDevID certificates associated.";\r
- list certificate {\r
- key "name";\r
- description\r
- "A certificate for this asymmetric key.";\r
- leaf name {\r
- type string;\r
- description\r
- "An arbitrary name for the certificate. If the name\r
- matches the name of a certificate that exists\r
- independently in <operational> (i.e., an IDevID),\r
- then the 'cert' node MUST NOT be configured.";\r
- }\r
- uses end-entity-cert-grouping;\r
- }\r
- } // certificates\r
-\r
- action generate-certificate-signing-request {\r
- nacm:default-deny-all;\r
- description\r
- "Generates a certificate signing request structure for\r
- the associated asymmetric key using the passed subject\r
- and attribute values. The specified assertions need\r
- to be appropriate for the certificate's use. For\r
- example, an entity certificate for a TLS server\r
- SHOULD have values that enable clients to satisfy\r
- RFC 6125 processing.";\r
- input {\r
- leaf subject {\r
- type binary;\r
- mandatory true;\r
- description\r
- "The 'subject' field per the CertificationRequestInfo\r
- structure as specified by RFC 2986, Section 4.1\r
- encoded using the ASN.1 distinguished encoding\r
- rules (DER), as specified in ITU-T X.690.";\r
- reference\r
- "RFC 2986:\r
- PKCS #10: Certification Request Syntax\r
- Specification Version 1.7.\r
- ITU-T X.690:\r
- Information technology - ASN.1 encoding rules:\r
- Specification of Basic Encoding Rules (BER),\r
- Canonical Encoding Rules (CER) and Distinguished\r
- Encoding Rules (DER).";\r
- }\r
- leaf attributes {\r
- type binary;\r
- description\r
- "The 'attributes' field from the structure\r
- CertificationRequestInfo as specified by RFC 2986,\r
- Section 4.1 encoded using the ASN.1 distinguished\r
- encoding rules (DER), as specified in ITU-T X.690.";\r
- reference\r
- "RFC 2986:\r
- PKCS #10: Certification Request Syntax\r
- Specification Version 1.7.\r
- ITU-T X.690:\r
- Information technology - ASN.1 encoding rules:\r
- Specification of Basic Encoding Rules (BER),\r
- Canonical Encoding Rules (CER) and Distinguished\r
- Encoding Rules (DER).";\r
- }\r
- }\r
- output {\r
- leaf certificate-signing-request {\r
- type binary;\r
- mandatory true;\r
- description\r
- "A CertificationRequest structure as specified by\r
- RFC 2986, Section 4.2 encoded using the ASN.1\r
- distinguished encoding rules (DER), as specified\r
- in ITU-T X.690.";\r
- reference\r
- "RFC 2986:\r
- PKCS #10: Certification Request Syntax\r
- Specification Version 1.7.\r
- ITU-T X.690:\r
- Information technology - ASN.1 encoding rules:\r
- Specification of Basic Encoding Rules (BER),\r
- Canonical Encoding Rules (CER) and Distinguished\r
- Encoding Rules (DER).";\r
- }\r
- }\r
- } // generate-certificate-signing-request\r
- } // asymmetric-key-pair-with-certs-grouping\r
-}\r