gerrit.o-ran-sc Code Review - scp/oam/modeling.git/blob - data-model/yang/published/ietf/ietf-crypto-types@2019-04-29.yang

1 module ietf-crypto-types {

2 yang-version 1.1;

3 namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";

4 prefix ct;

6 import ietf-yang-types {

7 prefix yang;

8 reference

9 "RFC 6991: Common YANG Data Types";

10 }

12 import ietf-netconf-acm {

13 prefix nacm;

14 reference

15 "RFC 8341: Network Configuration Access Control Model";

16 }

18 organization

19 "IETF NETCONF (Network Configuration) Working Group";

21 contact

22 "WG Web: <http://datatracker.ietf.org/wg/netconf/>

23 WG List: <mailto:netconf@ietf.org>

24 Author: Kent Watsen <mailto:kent+ietf@watsen.net>

25 Author: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>";

27 description

28 "This module defines common YANG types for cryptographic

29 applications.

34 Redistribution and use in source and binary forms, with

35 or without modification, is permitted pursuant to, and

36 subject to the license terms contained in, the Simplified

37 BSD License set forth in Section 4.c of the IETF Trust's

38 Legal Provisions Relating to IETF Documents

39 (https://trustee.ietf.org/license-info).

41 This version of this YANG module is part of RFC XXXX

42 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC

43 itself for full legal notices.;

45 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',

46 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',

47 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document

48 are to be interpreted as described in BCP 14 (RFC 2119)

49 (RFC 8174) when, and only when, they appear in all

50 capitals, as shown here.";

52 revision 2019-04-29 {

53 description

54 "Initial version";

55 reference

56 "RFC XXXX: Common YANG Data Types for Cryptography";

57 }

59 /**************************************/

60 /* Identities for Hash Algorithms */

61 /**************************************/

63 identity hash-algorithm {

64 description

65 "A base identity for hash algorithm verification.";

66 }

68 identity sha-224 {

69 base hash-algorithm;

70 description

71 "The SHA-224 algorithm.";

72 reference

73 "RFC 6234: US Secure Hash Algorithms.";

74 }

75 identity sha-256 {

76 base hash-algorithm;

77 description

78 "The SHA-256 algorithm.";

79 reference

80 "RFC 6234: US Secure Hash Algorithms.";

81 }

83 identity sha-384 {

84 base hash-algorithm;

85 description

86 "The SHA-384 algorithm.";

87 reference

88 "RFC 6234: US Secure Hash Algorithms.";

89 }

91 identity sha-512 {

92 base hash-algorithm;

93 description

94 "The SHA-512 algorithm.";

95 reference

96 "RFC 6234: US Secure Hash Algorithms.";

97 }

99 /***********************************************/

100 /* Identities for Asymmetric Key Algorithms */

101 /***********************************************/

102

103 identity asymmetric-key-algorithm {

104 description

105 "Base identity from which all asymmetric key

106 encryption Algorithm.";

107 }

108

109 identity rsa1024 {

110 base asymmetric-key-algorithm;

111 description

112 "The RSA algorithm using a 1024-bit key.";

113 reference

114 "RFC 8017:

115 PKCS #1: RSA Cryptography Specifications Version 2.2.";

116 }

117

118 identity rsa2048 {

119 base asymmetric-key-algorithm;

120 description

121 "The RSA algorithm using a 2048-bit key.";

122 reference

123 "RFC 8017:

124 PKCS #1: RSA Cryptography Specifications Version 2.2.";

125 }

126

127 identity rsa3072 {

128 base asymmetric-key-algorithm;

129 description

130 "The RSA algorithm using a 3072-bit key.";

131 reference

132 "RFC 8017:

133 PKCS #1: RSA Cryptography Specifications Version 2.2.";

134 }

135

136 identity rsa4096 {

137 base asymmetric-key-algorithm;

138 description

139 "The RSA algorithm using a 4096-bit key.";

140 reference

141 "RFC 8017:

142 PKCS #1: RSA Cryptography Specifications Version 2.2.";

143 }

144

145 identity rsa7680 {

146 base asymmetric-key-algorithm;

147 description

148 "The RSA algorithm using a 7680-bit key.";

149 reference

150 "RFC 8017:

151 PKCS #1: RSA Cryptography Specifications Version 2.2.";

152 }

153

154 identity rsa15360 {

155 base asymmetric-key-algorithm;

156 description

157 "The RSA algorithm using a 15360-bit key.";

158 reference

159 "RFC 8017:

160 PKCS #1: RSA Cryptography Specifications Version 2.2.";

161 }

162

163 identity secp192r1 {

164 base asymmetric-key-algorithm;

165 description

166 "The ECDSA algorithm using a NIST P256 Curve.";

167 reference

168 "RFC 6090:

169 Fundamental Elliptic Curve Cryptography Algorithms.";

170 }

171 identity secp224r1 {

172 base asymmetric-key-algorithm;

173 description

174 "The ECDSA algorithm using a NIST P256 Curve.";

175 reference

176 "RFC 6090:

177 Fundamental Elliptic Curve Cryptography Algorithms.";

178 }

179

180 identity secp256r1 {

181 base asymmetric-key-algorithm;

182 description

183 "The ECDSA algorithm using a NIST P256 Curve.";

184 reference

185 "RFC 6090:

186 Fundamental Elliptic Curve Cryptography Algorithms.";

187 }

188

189 identity secp384r1 {

190 base asymmetric-key-algorithm;

191 description

192 "The ECDSA algorithm using a NIST P256 Curve.";

193 reference

194 "RFC 6090:

195 Fundamental Elliptic Curve Cryptography Algorithms.";

196 }

197

198 identity secp521r1 {

199 base asymmetric-key-algorithm;

200 description

201 "The ECDSA algorithm using a NIST P256 Curve.";

202 reference

203 "RFC 6090:

204 Fundamental Elliptic Curve Cryptography Algorithms.";

205 }

206

207 /*************************************/

208 /* Identities for MAC Algorithms */

209 /*************************************/

210

211 identity mac-algorithm {

212 description

213 "A base identity for mac generation.";

214 }

215

216 identity hmac-sha1 {

217 base mac-algorithm;

218 description

219 "Generating MAC using SHA1 hash function";

220 reference

221 "RFC 3174: US Secure Hash Algorithm 1 (SHA1)";

222 }

223

224 identity hmac-sha1-96 {

225 base mac-algorithm;

226 description

227 "Generating MAC using SHA1 hash function";

228 reference

229 "RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH";

230 }

231

232 identity hmac-sha2-224 {

233 base mac-algorithm;

234 description

235 "Generating MAC using SHA2 hash function";

236 reference

237 "RFC 6234:

238 US Secure Hash Algorithms (SHA and SHA-based HMAC and

239 HKDF)";

240 }

241

242 identity hmac-sha2-256 {

243 base mac-algorithm;

244 description

245 "Generating MAC using SHA2 hash function";

246 reference

247 "RFC 6234:

248 US Secure Hash Algorithms (SHA and SHA-based HMAC and

249 HKDF)";

250 }

251

252 identity hmac-sha2-256-128 {

253 base mac-algorithm;

254 description

255 "Generating a 256 bits MAC using SHA2 hash function and

256 truncate it to 128 bits";

257 reference

258 "RFC 4868:

259 Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512

260 with IPsec";

261 }

262

263 identity hmac-sha2-384 {

264 base mac-algorithm;

265 description

266 "Generating MAC using SHA2 hash function";

267 reference

268 "RFC 6234:

269 US Secure Hash Algorithms (SHA and SHA-based HMAC and

270 HKDF)";

271 }

272

273 identity hmac-sha2-384-192 {

274 base mac-algorithm;

275 description

276 "Generating a 384 bits MAC using SHA2 hash function and

277 truncate it to 192 bits";

278 reference

279 "RFC 4868:

280 Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with

281 IPsec";

282 }

283

284 identity hmac-sha2-512 {

285 base mac-algorithm;

286 description

287 "Generating MAC using SHA2 hash function";

288 reference

289 "RFC 6234:

290 US Secure Hash Algorithms (SHA and SHA-based HMAC and

291 HKDF)";

292 }

293

294 identity hmac-sha2-512-256 {

295 base mac-algorithm;

296 description

297 "Generating a 512 bits MAC using SHA2 hash function and

298 truncating it to 256 bits";

299 reference

300 "RFC 4868:

301 Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with

302 IPsec";

303 }

304

305 identity aes-128-gmac {

306 base mac-algorithm;

307 description

308 "Generating MAC using the Advanced Encryption Standard (AES)

309 Galois Message Authentication Code (GMAC) as a mechanism to

310 provide data origin authentication";

311 reference

312 "RFC 4543:

313 The Use of Galois Message Authentication Code (GMAC) in

314 IPsec ESP and AH";

315 }

316

317 identity aes-192-gmac {

318 base mac-algorithm;

319 description

320 "Generating MAC using the Advanced Encryption Standard (AES)

321 Galois Message Authentication Code (GMAC) as a mechanism to

322 provide data origin authentication";

323 reference

324 "RFC 4543:

325 The Use of Galois Message Authentication Code (GMAC) in

326 IPsec ESP and AH";

327 }

328

329 identity aes-256-gmac {

330 base mac-algorithm;

331 description

332 "Generating MAC using the Advanced Encryption Standard (AES)

333 Galois Message Authentication Code (GMAC) as a mechanism to

334 provide data origin authentication";

335 reference

336 "RFC 4543:

337 The Use of Galois Message Authentication Code (GMAC) in

338 IPsec ESP and AH";

339 }

340

341 identity aes-cmac-96 {

342 base mac-algorithm;

343 description

344 "Generating MAC using Advanced Encryption Standard (AES)

345 Cipher-based Message Authentication Code (CMAC)";

346 reference

347 "RFC 4494: The AES-CMAC-96 Algorithm and its Use with IPsec";

348 }

349

350 identity aes-cmac-128 {

351 base mac-algorithm;

352 description

353 "Generating MAC using Advanced Encryption Standard (AES)

354 Cipher-based Message Authentication Code (CMAC)";

355 reference

356 "RFC 4493: The AES-CMAC Algorithm";

357 }

358

359 /********************************************/

360 /* Identities for Encryption Algorithms */

361 /********************************************/

362

363 identity encryption-algorithm {

364 description

365 "A base identity for encryption algorithm.";

366 }

367

368 identity aes-128-cbc {

369 base encryption-algorithm;

370 description

371 "Encrypt message with AES algorithm in CBC mode with a key

372 length of 128 bits";

373 reference

374 "RFC 3565:

375 Use of the Advanced Encryption Standard (AES) Encryption

376 Algorithm in Cryptographic Message Syntax (CMS)";

377 }

378

379 identity aes-192-cbc {

380 base encryption-algorithm;

381 description

382 "Encrypt message with AES algorithm in CBC mode with a key

383 length of 192 bits";

384 reference

385 "RFC 3565:

386 Use of the Advanced Encryption Standard (AES) Encryption

387 Algorithm in Cryptographic Message Syntax (CMS)";

388 }

389

390 identity aes-256-cbc {

391 base encryption-algorithm;

392 description

393 "Encrypt message with AES algorithm in CBC mode with a key

394 length of 256 bits";

395 reference

396 "RFC 3565:

397 Use of the Advanced Encryption Standard (AES) Encryption

398 Algorithm in Cryptographic Message Syntax (CMS)";

399 }

400

401 identity aes-128-ctr {

402 base encryption-algorithm;

403 description

404 "Encrypt message with AES algorithm in CTR mode with a key

405 length of 128 bits";

406 reference

407 "RFC 3686:

408 Using Advanced Encryption Standard (AES) Counter Mode with

409 IPsec Encapsulating Security Payload (ESP)";

410 }

411 identity aes-192-ctr {

412 base encryption-algorithm;

413 description

414 "Encrypt message with AES algorithm in CTR mode with a key

415 length of 192 bits";

416 reference

417 "RFC 3686:

418 Using Advanced Encryption Standard (AES) Counter Mode with

419 IPsec Encapsulating Security Payload (ESP)";

420 }

421

422 identity aes-256-ctr {

423 base encryption-algorithm;

424 description

425 "Encrypt message with AES algorithm in CTR mode with a key

426 length of 256 bits";

427 reference

428 "RFC 3686:

429 Using Advanced Encryption Standard (AES) Counter Mode with

430 IPsec Encapsulating Security Payload (ESP)";

431 }

432

433 /****************************************************/

434 /* Identities for Encryption and MAC Algorithms */

435 /****************************************************/

436

437 identity encryption-and-mac-algorithm {

438 description

439 "A base identity for encryption and MAC algorithm.";

440 }

441

442 identity aes-128-ccm {

443 base encryption-and-mac-algorithm;

444 description

445 "Encrypt message with AES algorithm in CCM mode with a key

446 length of 128 bits; it can also be used for generating MAC";

447 reference

448 "RFC 4309:

449 Using Advanced Encryption Standard (AES) CCM Mode with

450 IPsec Encapsulating Security Payload (ESP)";

451 }

452

453 identity aes-192-ccm {

454 base encryption-and-mac-algorithm;

455 description

456 "Encrypt message with AES algorithm in CCM mode with a key

457 length of 192 bits; it can also be used for generating MAC";

458 reference

459 "RFC 4309:

460 Using Advanced Encryption Standard (AES) CCM Mode with

461 IPsec Encapsulating Security Payload (ESP)";

462 }

463

464 identity aes-256-ccm {

465 base encryption-and-mac-algorithm;

466 description

467 "Encrypt message with AES algorithm in CCM mode with a key

468 length of 256 bits; it can also be used for generating MAC";

469 reference

470 "RFC 4309:

471 Using Advanced Encryption Standard (AES) CCM Mode with

472 IPsec Encapsulating Security Payload (ESP)";

473 }

474

475 identity aes-128-gcm {

476 base encryption-and-mac-algorithm;

477 description

478 "Encrypt message with AES algorithm in GCM mode with a key

479 length of 128 bits; it can also be used for generating MAC";

480 reference

481 "RFC 4106:

482 The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating

483 Security Payload (ESP)";

484 }

485

486 identity aes-192-gcm {

487 base encryption-and-mac-algorithm;

488 description

489 "Encrypt message with AES algorithm in GCM mode with a key

490 length of 192 bits; it can also be used for generating MAC";

491 reference

492 "RFC 4106:

493 The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating

494 Security Payload (ESP)";

495 }

496

497 identity mac-aes-256-gcm {

498 base encryption-and-mac-algorithm;

499 description

500 "Encrypt message with AES algorithm in GCM mode with a key

501 length of 128 bits; it can also be used for generating MAC";

502 reference

503 "RFC 4106:

504 The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating

505 Security Payload (ESP)";

506 }

507 identity chacha20-poly1305 {

508 base encryption-and-mac-algorithm;

509 description

510 "Encrypt message with chacha20 algorithm and generate MAC with

511 POLY1305; it can also be used for generating MAC";

512 reference

513 "RFC 8439: ChaCha20 and Poly1305 for IETF Protocols";

514 }

515

516 /******************************************/

517 /* Identities for signature algorithm */

518 /******************************************/

519

520 identity signature-algorithm {

521 description

522 "A base identity for asymmetric key encryption algorithm.";

523 }

524

525 identity dsa-sha1 {

526 base signature-algorithm;

527 description

528 "The signature algorithm using DSA algorithm with SHA1 hash

529 algorithm";

530 reference

531 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";

532 }

533

534 identity rsassa-pkcs1-sha1 {

535 base signature-algorithm;

536 description

537 "The signature algorithm using RSASSA-PKCS1-v1_5 with the SHA1

538 hash algorithm.";

539 reference

540 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";

541 }

542

543 identity rsassa-pkcs1-sha256 {

544 base signature-algorithm;

545 description

546 "The signature algorithm using RSASSA-PKCS1-v1_5 with the

547 SHA256 hash algorithm.";

548 reference

549 "RFC 8332:

550 Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell

551 (SSH) Protocol

552 RFC 8446:

553 The Transport Layer Security (TLS) Protocol Version 1.3";

554 }

555 identity rsassa-pkcs1-sha384 {

556 base signature-algorithm;

557 description

558 "The signature algorithm using RSASSA-PKCS1-v1_5 with the

559 SHA384 hash algorithm.";

560 reference

561 "RFC 8446:

562 The Transport Layer Security (TLS) Protocol Version 1.3";

563 }

564

565 identity rsassa-pkcs1-sha512 {

566 base signature-algorithm;

567 description

568 "The signature algorithm using RSASSA-PKCS1-v1_5 with the

569 SHA512 hash algorithm.";

570 reference

571 "RFC 8332:

572 Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell

573 (SSH) Protocol

574 RFC 8446:

575 The Transport Layer Security (TLS) Protocol Version 1.3";

576 }

577

578 identity rsassa-pss-rsae-sha256 {

579 base signature-algorithm;

580 description

581 "The signature algorithm using RSASSA-PSS with mask generation

582 function 1 and SHA256 hash algorithm. If the public key is

583 carried in an X.509 certificate, it MUST use the rsaEncryption

584 OID";

585 reference

586 "RFC 8446:

587 The Transport Layer Security (TLS) Protocol Version 1.3";

588 }

589

590 identity rsassa-pss-rsae-sha384 {

591 base signature-algorithm;

592 description

593 "The signature algorithm using RSASSA-PSS with mask generation

594 function 1 and SHA384 hash algorithm. If the public key is

595 carried in an X.509 certificate, it MUST use the rsaEncryption

596 OID";

597 reference

598 "RFC 8446:

599 The Transport Layer Security (TLS) Protocol Version 1.3";

600 }

601

602 identity rsassa-pss-rsae-sha512 {

603 base signature-algorithm;

604 description

605 "The signature algorithm using RSASSA-PSS with mask generation

606 function 1 and SHA512 hash algorithm. If the public key is

607 carried in an X.509 certificate, it MUST use the rsaEncryption

608 OID";

609 reference

610 "RFC 8446:

611 The Transport Layer Security (TLS) Protocol Version 1.3";

612 }

613

614 identity rsassa-pss-pss-sha256 {

615 base signature-algorithm;

616 description

617 "The signature algorithm using RSASSA-PSS with mask generation

618 function 1 and SHA256 hash algorithm. If the public key is

619 carried in an X.509 certificate, it MUST use the RSASSA-PSS

620 OID";

621 reference

622 "RFC 8446:

623 The Transport Layer Security (TLS) Protocol Version 1.3";

624 }

625

626 identity rsassa-pss-pss-sha384 {

627 base signature-algorithm;

628 description

629 "The signature algorithm using RSASSA-PSS with mask generation

630 function 1 and SHA256 hash algorithm. If the public key is

631 carried in an X.509 certificate, it MUST use the RSASSA-PSS

632 OID";

633 reference

634 "RFC 8446:

635 The Transport Layer Security (TLS) Protocol Version 1.3";

636 }

637

638 identity rsassa-pss-pss-sha512 {

639 base signature-algorithm;

640 description

641 "The signature algorithm using RSASSA-PSS with mask generation

642 function 1 and SHA256 hash algorithm. If the public key is

643 carried in an X.509 certificate, it MUST use the RSASSA-PSS

644 OID";

645 reference

646 "RFC 8446:

647 The Transport Layer Security (TLS) Protocol Version 1.3";

648 }

649

650 identity ecdsa-secp256r1-sha256 {

651 base signature-algorithm;

652 description

653 "The signature algorithm using ECDSA with curve name secp256r1

654 and SHA256 hash algorithm.";

655 reference

656 "RFC 5656: Elliptic Curve Algorithm Integration in the

657 Secure Shell Transport Layer

658 RFC 8446:

659 The Transport Layer Security (TLS) Protocol Version 1.3";

660 }

661

662 identity ecdsa-secp384r1-sha384 {

663 base signature-algorithm;

664 description

665 "The signature algorithm using ECDSA with curve name secp384r1

666 and SHA384 hash algorithm.";

667 reference

668 "RFC 5656: Elliptic Curve Algorithm Integration in the

669 Secure Shell Transport Layer

670 RFC 8446:

671 The Transport Layer Security (TLS) Protocol Version 1.3";

672 }

673

674 identity ecdsa-secp521r1-sha512 {

675 base signature-algorithm;

676 description

677 "The signature algorithm using ECDSA with curve name secp521r1

678 and SHA512 hash algorithm.";

679 reference

680 "RFC 5656: Elliptic Curve Algorithm Integration in the

681 Secure Shell Transport Layer

682 RFC 8446:

683 The Transport Layer Security (TLS) Protocol Version 1.3";

684 }

685

686 identity ed25519 {

687 base signature-algorithm;

688 description

689 "The signature algorithm using EdDSA as defined in RFC 8032 or

690 its successors.";

691 reference

692 "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)";

693 }

694

695 identity ed448 {

696 base signature-algorithm;

697 description

698 "The signature algorithm using EdDSA as defined in RFC 8032 or

699 its successors.";

700 reference

701 "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)";

702 }

703

704 identity eccsi {

705 base signature-algorithm;

706 description

707 "The signature algorithm using ECCSI signature as defined in

708 RFC 6507.";

709 reference

710 "RFC 6507:

711 Elliptic Curve-Based Certificateless Signatures for

712 Identity-based Encryption (ECCSI)";

713 }

714

715 /**********************************************/

716 /* Identities for key exchange algorithms */

717 /**********************************************/

718

719 identity key-exchange-algorithm {

720 description

721 "A base identity for Diffie-Hellman based key exchange

722 algorithm.";

723 }

724

725 identity psk-only {

726 base key-exchange-algorithm;

727 description

728 "Using Pre-shared key for authentication and key exchange";

729 reference

730 "RFC 4279:

731 Pre-Shared Key cipher suites for Transport Layer Security

732 (TLS)";

733 }

734

735 identity dhe-ffdhe2048 {

736 base key-exchange-algorithm;

737 description

738 "Ephemeral Diffie Hellman key exchange with 2048 bit

739 finite field";

740 reference

741 "RFC 7919:

742 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters

743 for Transport Layer Security (TLS)";

744 }

745

746 identity dhe-ffdhe3072 {

747 base key-exchange-algorithm;

748 description

749 "Ephemeral Diffie Hellman key exchange with 3072 bit finite

750 field";

751 reference

752 "RFC 7919:

753 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters

754 for Transport Layer Security (TLS)";

755 }

756

757 identity dhe-ffdhe4096 {

758 base key-exchange-algorithm;

759 description

760 "Ephemeral Diffie Hellman key exchange with 4096 bit

761 finite field";

762 reference

763 "RFC 7919:

764 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters

765 for Transport Layer Security (TLS)";

766 }

767

768 identity dhe-ffdhe6144 {

769 base key-exchange-algorithm;

770 description

771 "Ephemeral Diffie Hellman key exchange with 6144 bit

772 finite field";

773 reference

774 "RFC 7919:

775 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters

776 for Transport Layer Security (TLS)";

777 }

778

779 identity dhe-ffdhe8192 {

780 base key-exchange-algorithm;

781 description

782 "Ephemeral Diffie Hellman key exchange with 8192 bit

783 finite field";

784 reference

785 "RFC 7919:

786 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters

787 for Transport Layer Security (TLS)";

788 }

789

790 identity psk-dhe-ffdhe2048 {

791 base key-exchange-algorithm;

792 description

793 "Key exchange using pre-shared key with Diffie-Hellman key

794 generation mechanism, where the DH group is FFDHE2048";

795 reference

796 "RFC 8446:

797 The Transport Layer Security (TLS) Protocol Version 1.3";

798 }

799

800 identity psk-dhe-ffdhe3072 {

801 base key-exchange-algorithm;

802 description

803 "Key exchange using pre-shared key with Diffie-Hellman key

804 generation mechanism, where the DH group is FFDHE3072";

805 reference

806 "RFC 8446:

807 The Transport Layer Security (TLS) Protocol Version 1.3";

808 }

809

810 identity psk-dhe-ffdhe4096 {

811 base key-exchange-algorithm;

812 description

813 "Key exchange using pre-shared key with Diffie-Hellman key

814 generation mechanism, where the DH group is FFDHE4096";

815 reference

816 "RFC 8446:

817 The Transport Layer Security (TLS) Protocol Version 1.3";

818 }

819

820 identity psk-dhe-ffdhe6144 {

821 base key-exchange-algorithm;

822 description

823 "Key exchange using pre-shared key with Diffie-Hellman key

824 generation mechanism, where the DH group is FFDHE6144";

825 reference

826 "RFC 8446:

827 The Transport Layer Security (TLS) Protocol Version 1.3";

828 }

829

830 identity psk-dhe-ffdhe8192 {

831 base key-exchange-algorithm;

832 description

833 "Key exchange using pre-shared key with Diffie-Hellman key

834 generation mechanism, where the DH group is FFDHE8192";

835 reference

836 "RFC 8446:

837 The Transport Layer Security (TLS) Protocol Version 1.3";

838 }

839

840 identity ecdhe-secp256r1 {

841 base key-exchange-algorithm;

842 description

843 "Ephemeral Diffie Hellman key exchange with elliptic group

844 over curve secp256r1";

845 reference

846 "RFC 8422:

847 Elliptic Curve Cryptography (ECC) Cipher Suites for

848 Transport Layer Security (TLS) Versions 1.2 and Earlier";

849 }

850

851 identity ecdhe-secp384r1 {

852 base key-exchange-algorithm;

853 description

854 "Ephemeral Diffie Hellman key exchange with elliptic group

855 over curve secp384r1";

856 reference

857 "RFC 8422:

858 Elliptic Curve Cryptography (ECC) Cipher Suites for

859 Transport Layer Security (TLS) Versions 1.2 and Earlier";

860 }

861

862 identity ecdhe-secp521r1 {

863 base key-exchange-algorithm;

864 description

865 "Ephemeral Diffie Hellman key exchange with elliptic group

866 over curve secp521r1";

867 reference

868 "RFC 8422:

869 Elliptic Curve Cryptography (ECC) Cipher Suites for

870 Transport Layer Security (TLS) Versions 1.2 and Earlier";

871 }

872

873 identity ecdhe-x25519 {

874 base key-exchange-algorithm;

875 description

876 "Ephemeral Diffie Hellman key exchange with elliptic group

877 over curve x25519";

878 reference

879 "RFC 8422:

880 Elliptic Curve Cryptography (ECC) Cipher Suites for

881 Transport Layer Security (TLS) Versions 1.2 and Earlier";

882 }

883

884 identity ecdhe-x448 {

885 base key-exchange-algorithm;

886 description

887 "Ephemeral Diffie Hellman key exchange with elliptic group

888 over curve x448";

889 reference

890 "RFC 8422:

891 Elliptic Curve Cryptography (ECC) Cipher Suites for

892 Transport Layer Security (TLS) Versions 1.2 and Earlier";

893 }

894

895 identity psk-ecdhe-secp256r1 {

896 base key-exchange-algorithm;

897 description

898 "Key exchange using pre-shared key with elliptic group-based

899 Ephemeral Diffie Hellman key exchange over curve secp256r1";

900 reference

901 "RFC 8446:

902 The Transport Layer Security (TLS) Protocol Version 1.3";

903 }

904

905 identity psk-ecdhe-secp384r1 {

906 base key-exchange-algorithm;

907 description

908 "Key exchange using pre-shared key with elliptic group-based

909 Ephemeral Diffie Hellman key exchange over curve secp384r1";

910 reference

911 "RFC 8446:

912 The Transport Layer Security (TLS) Protocol Version 1.3";

913 }

914

915 identity psk-ecdhe-secp521r1 {

916 base key-exchange-algorithm;

917 description

918 "Key exchange using pre-shared key with elliptic group-based

919 Ephemeral Diffie Hellman key exchange over curve secp521r1";

920 reference

921 "RFC 8446:

922 The Transport Layer Security (TLS) Protocol Version 1.3";

923 }

924

925 identity psk-ecdhe-x25519 {

926 base key-exchange-algorithm;

927 description

928 "Key exchange using pre-shared key with elliptic group-based

929 Ephemeral Diffie Hellman key exchange over curve x25519";

930 reference

931 "RFC 8446:

932 The Transport Layer Security (TLS) Protocol Version 1.3";

933 }

934

935 identity psk-ecdhe-x448 {

936 base key-exchange-algorithm;

937 description

938 "Key exchange using pre-shared key with elliptic group-based

939 Ephemeral Diffie Hellman key exchange over curve x448";

940 reference

941 "RFC 8446:

942 The Transport Layer Security (TLS) Protocol Version 1.3";

943 }

944

945 identity diffie-hellman-group14-sha1 {

946 base key-exchange-algorithm;

947 description

948 "Using DH group14 and SHA1 for key exchange";

949 reference

950 "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";

951 }

952

953 identity diffie-hellman-group14-sha256 {

954 base key-exchange-algorithm;

955 description

956 "Using DH group14 and SHA256 for key exchange";

957 reference

958 "RFC 8268:

959 More Modular Exponentiation (MODP) Diffie-Hellman (DH)

960 Key Exchange (KEX) Groups for Secure Shell (SSH)";

961 }

962

963 identity diffie-hellman-group15-sha512 {

964 base key-exchange-algorithm;

965 description

966 "Using DH group15 and SHA512 for key exchange";

967 reference

968 "RFC 8268:

969 More Modular Exponentiation (MODP) Diffie-Hellman (DH)

970 Key Exchange (KEX) Groups for Secure Shell (SSH)";

971 }

972

973 identity diffie-hellman-group16-sha512 {

974 base key-exchange-algorithm;

975 description

976 "Using DH group16 and SHA512 for key exchange";

977 reference

978 "RFC 8268:

979 More Modular Exponentiation (MODP) Diffie-Hellman (DH)

980 Key Exchange (KEX) Groups for Secure Shell (SSH)";

981 }

982

983 identity diffie-hellman-group17-sha512 {

984 base key-exchange-algorithm;

985 description

986 "Using DH group17 and SHA512 for key exchange";

987

988 reference

989 "RFC 8268:

990 More Modular Exponentiation (MODP) Diffie-Hellman (DH)

991 Key Exchange (KEX) Groups for Secure Shell (SSH)";

992 }

993

994 identity diffie-hellman-group18-sha512 {

995 base key-exchange-algorithm;

996 description

997 "Using DH group18 and SHA512 for key exchange";

998 reference

999 "RFC 8268:

1000 More Modular Exponentiation (MODP) Diffie-Hellman (DH)

1001 Key Exchange (KEX) Groups for Secure Shell (SSH)";

1002 }

1003

1004 identity ecdh-sha2-secp256r1 {

1005 base key-exchange-algorithm;

1006 description

1007 "Elliptic curve-based Diffie Hellman key exchange over curve

1008 secp256r1 and using SHA2 for MAC generation";

1009 reference

1010 "RFC 6239: Suite B Cryptographic Suites for Secure Shell

1011 (SSH)";

1012 }

1013

1014 identity ecdh-sha2-secp384r1 {

1015 base key-exchange-algorithm;

1016 description

1017 "Elliptic curve-based Diffie Hellman key exchange over curve

1018 secp384r1 and using SHA2 for MAC generation";

1019 reference

1020 "RFC 6239: Suite B Cryptographic Suites for Secure Shell

1021 (SSH)";

1022 }

1023

1024 identity rsaes-oaep {

1025 base key-exchange-algorithm;

1026 description

1027 "RSAES-OAEP combines the RSAEP and RSADP primitives with the

1028 EME-OAEP encoding method";

1029 reference

1030 "RFC 8017:

1031 PKCS #1: RSA Cryptography Specifications Version 2.2.";

1032 }

1033

1034 identity rsaes-pkcs1-v1_5 {

1035 base key-exchange-algorithm;

1036 description

1037 " RSAES-PKCS1-v1_5 combines the RSAEP and RSADP primitives

1038 with the EME-PKCS1-v1_5 encoding method";

1039 reference

1040 "RFC 8017:

1041 PKCS #1: RSA Cryptography Specifications Version 2.2.";

1042 }

1043

1044 /**********************************************************/

1045 /* Typedefs for identityrefs to above base identities */

1046 /**********************************************************/

1047

1048 typedef hash-algorithm-ref {

1049 type identityref {

1050 base hash-algorithm;

1051 }

1052 description

1053 "This typedef enables importing modules to easily define an

1054 identityref to the 'hash-algorithm' base identity.";

1055 }

1056

1057 typedef signature-algorithm-ref {

1058 type identityref {

1059 base signature-algorithm;

1060 }

1061 description

1062 "This typedef enables importing modules to easily define an

1063 identityref to the 'signature-algorithm' base identity.";

1064 }

1065

1066 typedef mac-algorithm-ref {

1067 type identityref {

1068 base mac-algorithm;

1069 }

1070 description

1071 "This typedef enables importing modules to easily define an

1072 identityref to the 'mac-algorithm' base identity.";

1073 }

1074

1075 typedef encryption-algorithm-ref {

1076 type identityref {

1077 base encryption-algorithm;

1078 }

1079 description

1080 "This typedef enables importing modules to easily define an

1081 identityref to the 'encryption-algorithm'

1082 base identity.";

1083 }

1084

1085 typedef encryption-and-mac-algorithm-ref {

1086 type identityref {

1087 base encryption-and-mac-algorithm;

1088 }

1089 description

1090 "This typedef enables importing modules to easily define an

1091 identityref to the 'encryption-and-mac-algorithm'

1092 base identity.";

1093 }

1094

1095 typedef asymmetric-key-algorithm-ref {

1096 type identityref {

1097 base asymmetric-key-algorithm;

1098 }

1099 description

1100 "This typedef enables importing modules to easily define an

1101 identityref to the 'asymmetric-key-algorithm'

1102 base identity.";

1103 }

1104

1105 typedef key-exchange-algorithm-ref {

1106 type identityref {

1107 base key-exchange-algorithm;

1108 }

1109 description

1110 "This typedef enables importing modules to easily define an

1111 identityref to the 'key-exchange-algorithm' base identity.";

1112 }

1113

1114 /***************************************************/

1115 /* Typedefs for ASN.1 structures from RFC 5280 */

1116 /***************************************************/

1117

1118 typedef x509 {

1119 type binary;

1120 description

1121 "A Certificate structure, as specified in RFC 5280,

1122 encoded using ASN.1 distinguished encoding rules (DER),

1123 as specified in ITU-T X.690.";

1124 reference

1125 "RFC 5280:

1126 Internet X.509 Public Key Infrastructure Certificate

1127 and Certificate Revocation List (CRL) Profile

1128 ITU-T X.690:

1129 Information technology - ASN.1 encoding rules:

1130 Specification of Basic Encoding Rules (BER),

1131 Canonical Encoding Rules (CER) and Distinguished

1132 Encoding Rules (DER).";

1133 }

1134

1135 typedef crl {

1136 type binary;

1137 description

1138 "A CertificateList structure, as specified in RFC 5280,

1139 encoded using ASN.1 distinguished encoding rules (DER),

1140 as specified in ITU-T X.690.";

1141 reference

1142 "RFC 5280:

1143 Internet X.509 Public Key Infrastructure Certificate

1144 and Certificate Revocation List (CRL) Profile

1145 ITU-T X.690:

1146 Information technology - ASN.1 encoding rules:

1147 Specification of Basic Encoding Rules (BER),

1148 Canonical Encoding Rules (CER) and Distinguished

1149 Encoding Rules (DER).";

1150 }

1151

1152 /***********************************************/

1153 /* Typedefs for ASN.1 structures from 5652 */

1154 /***********************************************/

1155

1156 typedef cms {

1157 type binary;

1158 description

1159 "A ContentInfo structure, as specified in RFC 5652,

1160 encoded using ASN.1 distinguished encoding rules (DER),

1161 as specified in ITU-T X.690.";

1162 reference

1163 "RFC 5652:

1164 Cryptographic Message Syntax (CMS)

1165 ITU-T X.690:

1166 Information technology - ASN.1 encoding rules:

1167 Specification of Basic Encoding Rules (BER),

1168 Canonical Encoding Rules (CER) and Distinguished

1169 Encoding Rules (DER).";

1170 }

1171

1172 typedef data-content-cms {

1173 type cms;

1174 description

1175 "A CMS structure whose top-most content type MUST be the

1176 data content type, as described by Section 4 in RFC 5652.";

1177 reference

1178 "RFC 5652: Cryptographic Message Syntax (CMS)";

1179 }

1180

1181 typedef signed-data-cms {

1182 type cms;

1183 description

1184 "A CMS structure whose top-most content type MUST be the

1185 signed-data content type, as described by Section 5 in

1186 RFC 5652.";

1187 reference

1188 "RFC 5652: Cryptographic Message Syntax (CMS)";

1189 }

1190

1191 typedef enveloped-data-cms {

1192 type cms;

1193 description

1194 "A CMS structure whose top-most content type MUST be the

1195 enveloped-data content type, as described by Section 6

1196 in RFC 5652.";

1197 reference

1198 "RFC 5652: Cryptographic Message Syntax (CMS)";

1199 }

1200

1201 typedef digested-data-cms {

1202 type cms;

1203 description

1204 "A CMS structure whose top-most content type MUST be the

1205 digested-data content type, as described by Section 7

1206 in RFC 5652.";

1207 reference

1208 "RFC 5652: Cryptographic Message Syntax (CMS)";

1209 }

1210

1211 typedef encrypted-data-cms {

1212 type cms;

1213 description

1214 "A CMS structure whose top-most content type MUST be the

1215 encrypted-data content type, as described by Section 8

1216 in RFC 5652.";

1217 reference

1218 "RFC 5652: Cryptographic Message Syntax (CMS)";

1219 }

1220

1221 typedef authenticated-data-cms {

1222 type cms;

1223 description

1224 "A CMS structure whose top-most content type MUST be the

1225 authenticated-data content type, as described by Section 9

1226 in RFC 5652.";

1227 reference

1228 "RFC 5652: Cryptographic Message Syntax (CMS)";

1229 }

1230

1231 /***************************************************/

1232 /* Typedefs for structures related to RFC 4253 */

1233 /***************************************************/

1234

1235 typedef ssh-host-key {

1236 type binary;

1237 description

1238 "The binary public key data for this SSH key, as

1239 specified by RFC 4253, Section 6.6, i.e.:

1240

1241 string certificate or public key format

1242 identifier

1243 byte[n] key/certificate data.";

1244 reference

1245 "RFC 4253: The Secure Shell (SSH) Transport Layer

1246 Protocol";

1247 }

1248

1249 /*********************************************************/

1250 /* Typedefs for ASN.1 structures related to RFC 5280 */

1251 /*********************************************************/

1252

1253 typedef trust-anchor-cert-x509 {

1254 type x509;

1255 description

1256 "A Certificate structure that MUST encode a self-signed

1257 root certificate.";

1258 }

1259

1260 typedef end-entity-cert-x509 {

1261 type x509;

1262 description

1263 "A Certificate structure that MUST encode a certificate

1264 that is neither self-signed nor having Basic constraint

1265 CA true.";

1266 }

1267

1268 /*********************************************************/

1269 /* Typedefs for ASN.1 structures related to RFC 5652 */

1270 /*********************************************************/

1271

1272 typedef trust-anchor-cert-cms {

1273 type signed-data-cms;

1274 description

1275 "A CMS SignedData structure that MUST contain the chain of

1276 X.509 certificates needed to authenticate the certificate

1277 presented by a client or end-entity.

1278

1279 The CMS MUST contain only a single chain of certificates.

1280 The client or end-entity certificate MUST only authenticate

1281 to last intermediate CA certificate listed in the chain.

1282

1283 In all cases, the chain MUST include a self-signed root

1284 certificate. In the case where the root certificate is

1285 itself the issuer of the client or end-entity certificate,

1286 only one certificate is present.

1287

1288 This CMS structure MAY (as applicable where this type is

1289 used) also contain suitably fresh (as defined by local

1290 policy) revocation objects with which the device can

1291 verify the revocation status of the certificates.

1292

1293 This CMS encodes the degenerate form of the SignedData

1294 structure that is commonly used to disseminate X.509

1295 certificates and revocation objects (RFC 5280).";

1296 reference

1297 "RFC 5280:

1298 Internet X.509 Public Key Infrastructure Certificate

1299 and Certificate Revocation List (CRL) Profile.";

1300 }

1301

1302 typedef end-entity-cert-cms {

1303 type signed-data-cms;

1304 description

1305 "A CMS SignedData structure that MUST contain the end

1306 entity certificate itself, and MAY contain any number

1307 of intermediate certificates leading up to a trust

1308 anchor certificate. The trust anchor certificate

1309 MAY be included as well.

1310

1311 The CMS MUST contain a single end entity certificate.

1312 The CMS MUST NOT contain any spurious certificates.

1313

1314 This CMS structure MAY (as applicable where this type is

1315 used) also contain suitably fresh (as defined by local

1316 policy) revocation objects with which the device can

1317 verify the revocation status of the certificates.

1318

1319 This CMS encodes the degenerate form of the SignedData

1320 structure that is commonly used to disseminate X.509

1321 certificates and revocation objects (RFC 5280).";

1322 reference

1323 "RFC 5280:

1324 Internet X.509 Public Key Infrastructure Certificate

1325 and Certificate Revocation List (CRL) Profile.";

1326 }

1327

1328 /**********************************************/

1329 /* Groupings for keys and/or certificates */

1330 /**********************************************/

1331

1332 grouping public-key-grouping {

1333 description

1334 "A public key.

1335

1336 The 'algorithm' and 'public-key' nodes are not

1337 mandatory because they MAY be defined in <operational>.

1338 Implementations SHOULD assert that these values are

1339 either configured or that they exist in <operational>.";

1340 leaf algorithm {

1341 nacm:default-deny-write;

1342 type asymmetric-key-algorithm-ref;

1343 must '../public-key';

1344 description

1345 "Identifies the key's algorithm. More specifically,

1346 this leaf specifies how the 'public-key' binary leaf

1347 is encoded.";

1348 reference

1349 "RFC CCCC: Common YANG Data Types for Cryptography";

1350 }

1351 leaf public-key {

1352 nacm:default-deny-write;

1353 type binary;

1354 must '../algorithm';

1355 description

1356 "A binary that contains the value of the public key. The

1357 interpretation of the content is defined by the key

1358 algorithm. For example, a DSA key is an integer, an RSA

1359 key is represented as RSAPublicKey as defined in

1360 RFC 8017, and an Elliptic Curve Cryptography (ECC) key

1361 is represented using the 'publicKey' described in

1362 RFC 5915.";

1363 reference

1364 "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:

1365 RSA Cryptography Specifications Version 2.2.

1366 RFC 5915: Elliptic Curve Private Key Structure.";

1367 }

1368 }

1369

1370 grouping asymmetric-key-pair-grouping {

1371 description

1372 "A private/public key pair.

1373 The 'algorithm', 'public-key', and 'private-key' nodes are

1374 not mandatory because they MAY be defined in <operational>.

1375 Implementations SHOULD assert that these values are either

1376 configured or that they exist in <operational>.";

1377 uses public-key-grouping;

1378 leaf private-key {

1379 nacm:default-deny-all;

1380 type union {

1381 type binary;

1382 type enumeration {

1383 enum permanently-hidden {

1384 description

1385 "The private key is inaccessible due to being

1386 protected by the system (e.g., a cryptographic

1387 hardware module).

1388

1389 How such keys are backed-up and restored, if

1390 at all, is implementation specific.

1391

1392 Servers MUST fail any attempt by a client to

1393 configure this value directly. This value is

1394 not set by clients, but rather is set by the

1395 'generate-hidden-key' and 'install-hidden-key'

1396 actions.";

1397 }

1398 }

1399 }

1400 must '../public-key';

1401 description

1402 "A binary that contains the value of the private key. The

1403 interpretation of the content is defined by the key

1404 algorithm. For example, a DSA key is an integer, an RSA

1405 key is represented as RSAPrivateKey as defined in

1406 RFC 8017, and an Elliptic Curve Cryptography (ECC) key

1407 is represented as ECPrivateKey as defined in RFC 5915.";

1408 reference

1409 "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:

1410 RSA Cryptography Specifications Version 2.2.

1411 RFC 5915: Elliptic Curve Private Key Structure.";

1412 } // private-key

1413

1414 action generate-hidden-key {

1415 nacm:default-deny-all;

1416 description

1417 "Requests the device to generate a hidden key using the

1418 specified asymmetric key algorithm. This action is

1419 used to request the system to generate a key that is

1420 'permanently-hidden', perhaps protected by a cryptographic

1421 hardware module. The resulting asymmetric key values are

1422 considered operational state and hence present only in

1423 <operational> and bound to the lifetime of the parent

1424 'config true' node. Subsequent invocations of this or

1425 the 'install-hidden-key' action are denied with error-tag

1426 'data-exists'.";

1427 input {

1428 leaf algorithm {

1429 type asymmetric-key-algorithm-ref;

1430 mandatory true;

1431 description

1432 "The algorithm to be used when generating the

1433 asymmetric key.";

1434 reference

1435 "RFC CCCC: Common YANG Data Types for Cryptography";

1436 }

1437 }

1438 } // generate-hidden-key

1439

1440 action install-hidden-key {

1441 nacm:default-deny-all;

1442 description

1443 "Requests the device to load the specified values into

1444 a hidden key. The resulting asymmetric key values are

1445 considered operational state and hence present only in

1446 <operational> and bound to the lifetime of the parent

1447 'config true' node. Subsequent invocations of this

1448 or the 'generate-hidden-key' action are denied with

1449 error-tag 'data-exists'.";

1450 input {

1451 leaf algorithm {

1452 type asymmetric-key-algorithm-ref;

1453 mandatory true;

1454 description

1455 "The algorithm to be used when generating the

1456 asymmetric key.";

1457 reference

1458 "RFC CCCC: Common YANG Data Types for Cryptography";

1459 }

1460 leaf public-key {

1461 type binary;

1462 description

1463 "A binary that contains the value of the public key.

1464 The interpretation of the content is defined by the key

1465 algorithm. For example, a DSA key is an integer, an

1466 RSA key is represented as RSAPublicKey as defined in

1467 RFC 8017, and an Elliptic Curve Cryptography (ECC) key

1468 is represented using the 'publicKey' described in

1469 RFC 5915.";

1470 reference

1471 "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:

1472 RSA Cryptography Specifications Version 2.2.

1473 RFC 5915: Elliptic Curve Private Key Structure.";

1474 }

1475 leaf private-key {

1476 type binary;

1477 description

1478 "A binary that contains the value of the private key.

1479 The interpretation of the content is defined by the key

1480 algorithm. For example, a DSA key is an integer, an RSA

1481 key is represented as RSAPrivateKey as defined in

1482 RFC 8017, and an Elliptic Curve Cryptography (ECC) key

1483 is represented as ECPrivateKey as defined in RFC 5915.";

1484 reference

1485 "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:

1486 RSA Cryptography Specifications Version 2.2.

1487 RFC 5915: Elliptic Curve Private Key Structure.";

1488 }

1489 }

1490 } // install-hidden-key

1491 } // asymmetric-key-pair-grouping

1492

1493

1494 grouping trust-anchor-cert-grouping {

1495 description

1496 "A trust anchor certificate, and a notification for when

1497 it is about to (or already has) expire.";

1498 leaf cert {

1499 nacm:default-deny-write;

1500 type trust-anchor-cert-cms;

1501 description

1502 "The binary certificate data for this certificate.";

1503 reference

1504 "RFC YYYY: Common YANG Data Types for Cryptography";

1505 }

1506 notification certificate-expiration {

1507 description

1508 "A notification indicating that the configured certificate

1509 is either about to expire or has already expired. When to

1510 send notifications is an implementation specific decision,

1511 but it is RECOMMENDED that a notification be sent once a

1512 month for 3 months, then once a week for four weeks, and

1513 then once a day thereafter until the issue is resolved.";

1514 leaf expiration-date {

1515 type yang:date-and-time;

1516 mandatory true;

1517 description

1518 "Identifies the expiration date on the certificate.";

1519 }

1520 }

1521 }

1522

1523 grouping trust-anchor-certs-grouping {

1524 description

1525 "A list of trust anchor certificates, and a notification

1526 for when one is about to (or already has) expire.";

1527 leaf-list cert {

1528 nacm:default-deny-write;

1529 type trust-anchor-cert-cms;

1530 description

1531 "The binary certificate data for this certificate.";

1532 reference

1533 "RFC YYYY: Common YANG Data Types for Cryptography";

1534 }

1535 notification certificate-expiration {

1536 description

1537 "A notification indicating that the configured certificate

1538 is either about to expire or has already expired. When to

1539 send notifications is an implementation specific decision,

1540 but it is RECOMMENDED that a notification be sent once a

1541 month for 3 months, then once a week for four weeks, and

1542 then once a day thereafter until the issue is resolved.";

1543 leaf expiration-date {

1544 type yang:date-and-time;

1545 mandatory true;

1546 description

1547 "Identifies the expiration date on the certificate.";

1548 }

1549 }

1550 }

1551

1552 grouping end-entity-cert-grouping {

1553 description

1554 "An end entity certificate, and a notification for when

1555 it is about to (or already has) expire.";

1556 leaf cert {

1557 nacm:default-deny-write;

1558 type end-entity-cert-cms;

1559 description

1560 "The binary certificate data for this certificate.";

1561 reference

1562 "RFC YYYY: Common YANG Data Types for Cryptography";

1563 }

1564 notification certificate-expiration {

1565 description

1566 "A notification indicating that the configured certificate

1567 is either about to expire or has already expired. When to

1568 send notifications is an implementation specific decision,

1569 but it is RECOMMENDED that a notification be sent once a

1570 month for 3 months, then once a week for four weeks, and

1571 then once a day thereafter until the issue is resolved.";

1572 leaf expiration-date {

1573 type yang:date-and-time;

1574 mandatory true;

1575 description

1576 "Identifies the expiration date on the certificate.";

1577 }

1578 }

1579 }

1580

1581 grouping end-entity-certs-grouping {

1582 description

1583 "A list of end entity certificates, and a notification for

1584 when one is about to (or already has) expire.";

1585 leaf-list cert {

1586 nacm:default-deny-write;

1587 type end-entity-cert-cms;

1588 description

1589 "The binary certificate data for this certificate.";

1590 reference

1591 "RFC YYYY: Common YANG Data Types for Cryptography";

1592 }

1593 notification certificate-expiration {

1594 description

1595 "A notification indicating that the configured certificate

1596 is either about to expire or has already expired. When to

1597 send notifications is an implementation specific decision,

1598 but it is RECOMMENDED that a notification be sent once a

1599 month for 3 months, then once a week for four weeks, and

1600 then once a day thereafter until the issue is resolved.";

1601 leaf expiration-date {

1602 type yang:date-and-time;

1603 mandatory true;

1604 description

1605 "Identifies the expiration date on the certificate.";

1606 }

1607 }

1608 }

1609

1610 grouping asymmetric-key-pair-with-cert-grouping {

1611 description

1612 "A private/public key pair and an associated certificate.";

1613 uses asymmetric-key-pair-grouping;

1614 uses end-entity-cert-grouping;

1615

1616 action generate-certificate-signing-request {

1617 nacm:default-deny-all;

1618 description

1619 "Generates a certificate signing request structure for

1620 the associated asymmetric key using the passed subject

1621 and attribute values. The specified assertions need

1622 to be appropriate for the certificate's use. For

1623 example, an entity certificate for a TLS server

1624 SHOULD have values that enable clients to satisfy

1625 RFC 6125 processing.";

1626 input {

1627 leaf subject {

1628 type binary;

1629 mandatory true;

1630 description

1631 "The 'subject' field per the CertificationRequestInfo

1632 structure as specified by RFC 2986, Section 4.1

1633 encoded using the ASN.1 distinguished encoding

1634 rules (DER), as specified in ITU-T X.690.";

1635 reference

1636 "RFC 2986:

1637 PKCS #10: Certification Request Syntax

1638 Specification Version 1.7.

1639 ITU-T X.690:

1640 Information technology - ASN.1 encoding rules:

1641 Specification of Basic Encoding Rules (BER),

1642 Canonical Encoding Rules (CER) and Distinguished

1643 Encoding Rules (DER).";

1644 }

1645 leaf attributes {

1646 type binary;

1647 description

1648 "The 'attributes' field from the structure

1649 CertificationRequestInfo as specified by RFC 2986,

1650 Section 4.1 encoded using the ASN.1 distinguished

1651 encoding rules (DER), as specified in ITU-T X.690.";

1652 reference

1653 "RFC 2986:

1654 PKCS #10: Certification Request Syntax

1655 Specification Version 1.7.

1656 ITU-T X.690:

1657 Information technology - ASN.1 encoding rules:

1658 Specification of Basic Encoding Rules (BER),

1659 Canonical Encoding Rules (CER) and Distinguished

1660 Encoding Rules (DER).";

1661 }

1662 }

1663 output {

1664 leaf certificate-signing-request {

1665 type binary;

1666 mandatory true;

1667 description

1668 "A CertificationRequest structure as specified by

1669 RFC 2986, Section 4.2 encoded using the ASN.1

1670 distinguished encoding rules (DER), as specified

1671 in ITU-T X.690.";

1672 reference

1673 "RFC 2986:

1674 PKCS #10: Certification Request Syntax

1675 Specification Version 1.7.

1676 ITU-T X.690:

1677 Information technology - ASN.1 encoding rules:

1678 Specification of Basic Encoding Rules (BER),

1679 Canonical Encoding Rules (CER) and Distinguished

1680 Encoding Rules (DER).";

1681 }

1682 }

1683 } // generate-certificate-signing-request

1684 } // asymmetric-key-pair-with-cert-grouping

1685

1686

1687 grouping asymmetric-key-pair-with-certs-grouping {

1688 description

1689 "A private/public key pair and associated certificates.";

1690 uses asymmetric-key-pair-grouping;

1691 container certificates {

1692 nacm:default-deny-write;

1693 description

1694 "Certificates associated with this asymmetric key.

1695 More than one certificate supports, for instance,

1696 a TPM-protected asymmetric key that has both IDevID

1697 and LDevID certificates associated.";

1698 list certificate {

1699 key "name";

1700 description

1701 "A certificate for this asymmetric key.";

1702 leaf name {

1703 type string;

1704 description

1705 "An arbitrary name for the certificate. If the name

1706 matches the name of a certificate that exists

1707 independently in <operational> (i.e., an IDevID),

1708 then the 'cert' node MUST NOT be configured.";

1709 }

1710 uses end-entity-cert-grouping;

1711 }

1712 } // certificates

1713

1714 action generate-certificate-signing-request {

1715 nacm:default-deny-all;

1716 description

1717 "Generates a certificate signing request structure for

1718 the associated asymmetric key using the passed subject

1719 and attribute values. The specified assertions need

1720 to be appropriate for the certificate's use. For

1721 example, an entity certificate for a TLS server

1722 SHOULD have values that enable clients to satisfy

1723 RFC 6125 processing.";

1724 input {

1725 leaf subject {

1726 type binary;

1727 mandatory true;

1728 description

1729 "The 'subject' field per the CertificationRequestInfo

1730 structure as specified by RFC 2986, Section 4.1

1731 encoded using the ASN.1 distinguished encoding

1732 rules (DER), as specified in ITU-T X.690.";

1733 reference

1734 "RFC 2986:

1735 PKCS #10: Certification Request Syntax

1736 Specification Version 1.7.

1737 ITU-T X.690:

1738 Information technology - ASN.1 encoding rules:

1739 Specification of Basic Encoding Rules (BER),

1740 Canonical Encoding Rules (CER) and Distinguished

1741 Encoding Rules (DER).";

1742 }

1743 leaf attributes {

1744 type binary;

1745 description

1746 "The 'attributes' field from the structure

1747 CertificationRequestInfo as specified by RFC 2986,

1748 Section 4.1 encoded using the ASN.1 distinguished

1749 encoding rules (DER), as specified in ITU-T X.690.";

1750 reference

1751 "RFC 2986:

1752 PKCS #10: Certification Request Syntax

1753 Specification Version 1.7.

1754 ITU-T X.690:

1755 Information technology - ASN.1 encoding rules:

1756 Specification of Basic Encoding Rules (BER),

1757 Canonical Encoding Rules (CER) and Distinguished

1758 Encoding Rules (DER).";

1759 }

1760 }

1761 output {

1762 leaf certificate-signing-request {

1763 type binary;

1764 mandatory true;

1765 description

1766 "A CertificationRequest structure as specified by

1767 RFC 2986, Section 4.2 encoded using the ASN.1

1768 distinguished encoding rules (DER), as specified

1769 in ITU-T X.690.";

1770 reference

1771 "RFC 2986:

1772 PKCS #10: Certification Request Syntax

1773 Specification Version 1.7.

1774 ITU-T X.690:

1775 Information technology - ASN.1 encoding rules:

1776 Specification of Basic Encoding Rules (BER),

1777 Canonical Encoding Rules (CER) and Distinguished

1778 Encoding Rules (DER).";

1779 }

1780 }

1781 } // generate-certificate-signing-request

1782 } // asymmetric-key-pair-with-certs-grouping

1783 }