--- /dev/null
+module ietf-crypto-types {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";
+ prefix ct;
+
+ import ietf-yang-types {
+ prefix yang;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ import ietf-netconf-acm {
+ prefix nacm;
+ reference
+ "RFC 8341: Network Configuration Access Control Model";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+ contact
+ "WG Web: <http://datatracker.ietf.org/wg/netconf/>
+ WG List: <mailto:netconf@ietf.org>
+ Author: Kent Watsen <mailto:kent+ietf@watsen.net>
+ Author: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>";
+
+ description
+ "This module defines common YANG types for cryptographic
+ applications.
+
+ Copyright (c) 2019 IETF Trust and the persons identified
+ as authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with
+ or without modification, is permitted pursuant to, and
+ subject to the license terms contained in, the Simplified
+ BSD License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX
+ (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
+ itself for full legal notices.;
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
+ 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
+ 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
+ are to be interpreted as described in BCP 14 (RFC 2119)
+ (RFC 8174) when, and only when, they appear in all
+ capitals, as shown here.";
+
+ revision 2019-10-18 {
+ description
+ "Initial version";
+ reference
+ "RFC XXXX: Common YANG Data Types for Cryptography";
+ }
+
+ /**************************************/
+ /* Identities for Hash Algorithms */
+ /**************************************/
+
+ typedef hash-algorithm-t {
+ type union {
+ type uint16;
+ type enumeration {
+ enum NONE {
+ value 0;
+ description
+ "Hash algorithm is NULL.";
+ }
+ enum sha1 {
+ value 1;
+ status obsolete;
+ description
+ "The SHA1 algorithm.";
+ reference
+ "RFC 3174: US Secure Hash Algorithms 1 (SHA1).";
+ }
+ enum sha-224 {
+ value 2;
+ description
+ "The SHA-224 algorithm.";
+ reference
+ "RFC 6234: US Secure Hash Algorithms.";
+ }
+ enum sha-256 {
+ value 3;
+ description
+ "The SHA-256 algorithm.";
+ reference
+ "RFC 6234: US Secure Hash Algorithms.";
+ }
+ enum sha-384 {
+ value 4;
+ description
+ "The SHA-384 algorithm.";
+ reference
+ "RFC 6234: US Secure Hash Algorithms.";
+ }
+ enum sha-512 {
+ value 5;
+ description
+ "The SHA-512 algorithm.";
+ reference
+ "RFC 6234: US Secure Hash Algorithms.";
+ }
+ enum shake-128 {
+ value 6;
+ description
+ "The SHA3 algorithm with 128-bits output.";
+ reference
+ "National Institute of Standards and Technology,
+ SHA-3 Standard: Permutation-Based Hash and
+ Extendable-Output Functions, FIPS PUB 202, DOI
+ 10.6028/NIST.FIPS.202, August 2015.";
+ }
+ enum shake-224 {
+ value 7;
+ description
+ "The SHA3 algorithm with 224-bits output.";
+ reference
+ "National Institute of Standards and Technology,
+ SHA-3 Standard: Permutation-Based Hash and
+ Extendable-Output Functions, FIPS PUB 202, DOI
+ 10.6028/NIST.FIPS.202, August 2015.";
+ }
+ enum shake-256 {
+ value 8;
+ description
+ "The SHA3 algorithm with 256-bits output.";
+ reference
+ "National Institute of Standards and Technology,
+ SHA-3 Standard: Permutation-Based Hash and
+ Extendable-Output Functions, FIPS PUB 202, DOI
+ 10.6028/NIST.FIPS.202, August 2015.";
+ }
+ enum shake-384 {
+ value 9;
+ description
+ "The SHA3 algorithm with 384-bits output.";
+ reference
+ "National Institute of Standards and Technology,
+ SHA-3 Standard: Permutation-Based Hash and
+ Extendable-Output Functions, FIPS PUB 202, DOI
+ 10.6028/NIST.FIPS.202, August 2015.";
+ }
+ enum shake-512 {
+ value 10;
+ description
+ "The SHA3 algorithm with 384-bits output.";
+ reference
+ "National Institute of Standards and Technology,
+ SHA-3 Standard: Permutation-Based Hash and
+ Extendable-Output Functions, FIPS PUB 202, DOI
+ 10.6028/NIST.FIPS.202, August 2015.";
+ }
+ }
+ }
+ default "0";
+ description
+ "The uint16 filed shall be set by individual protocol families
+ according to the hash algorithm value assigned by IANA. The
+ setting is optional and by default is 0. The enumeration
+ filed is set to the selected hash algorithm.";
+ }
+
+ /***********************************************/
+ /* Identities for Asymmetric Key Algorithms */
+ /***********************************************/
+
+ typedef asymmetric-key-algorithm-t {
+ type union {
+ type uint16;
+ type enumeration {
+ enum NONE {
+ value 0;
+ description
+ "Asymetric key algorithm is NULL.";
+ }
+ enum rsa1024 {
+ value 1;
+ description
+ "The RSA algorithm using a 1024-bit key.";
+ reference
+ "RFC 8017: PKCS #1: RSA Cryptography
+ Specifications Version 2.2.";
+ }
+ enum rsa2048 {
+ value 2;
+ description
+ "The RSA algorithm using a 2048-bit key.";
+ reference
+ "RFC 8017:
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";
+ }
+ enum rsa3072 {
+ value 3;
+ description
+ "The RSA algorithm using a 3072-bit key.";
+ reference
+ "RFC 8017:
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";
+ }
+ enum rsa4096 {
+ value 4;
+ description
+ "The RSA algorithm using a 4096-bit key.";
+ reference
+ "RFC 8017:
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";
+ }
+ enum rsa7680 {
+ value 5;
+ description
+ "The RSA algorithm using a 7680-bit key.";
+ reference
+ "RFC 8017:
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";
+ }
+ enum rsa15360 {
+ value 6;
+ description
+ "The RSA algorithm using a 15360-bit key.";
+ reference
+ "RFC 8017:
+ PKCS #1: RSA Cryptography Specifications Version 2.2.";
+ }
+ enum secp192r1 {
+ value 7;
+ description
+ "The asymmetric algorithm using a NIST P192 Curve.";
+ reference
+ "RFC 6090:
+ Fundamental Elliptic Curve Cryptography Algorithms.
+ RFC 5480:
+ Elliptic Curve Cryptography Subject Public Key
+ Information.";
+ }
+ enum secp224r1 {
+ value 8;
+ description
+ "The asymmetric algorithm using a NIST P224 Curve.";
+ reference
+ "RFC 6090:
+ Fundamental Elliptic Curve Cryptography Algorithms.
+ RFC 5480:
+ Elliptic Curve Cryptography Subject Public Key
+ Information.";
+ }
+ enum secp256r1 {
+ value 9;
+ description
+ "The asymmetric algorithm using a NIST P256 Curve.";
+ reference
+ "RFC 6090:
+ Fundamental Elliptic Curve Cryptography Algorithms.
+ RFC 5480:
+ Elliptic Curve Cryptography Subject Public Key
+ Information.";
+ }
+ enum secp384r1 {
+ value 10;
+ description
+ "The asymmetric algorithm using a NIST P384 Curve.";
+ reference
+ "RFC 6090:
+ Fundamental Elliptic Curve Cryptography Algorithms.
+ RFC 5480:
+ Elliptic Curve Cryptography Subject Public Key
+ Information.";
+ }
+ enum secp521r1 {
+ value 11;
+ description
+ "The asymmetric algorithm using a NIST P521 Curve.";
+ reference
+ "RFC 6090:
+ Fundamental Elliptic Curve Cryptography Algorithms.
+ RFC 5480:
+ Elliptic Curve Cryptography Subject Public Key
+ Information.";
+ }
+ enum x25519 {
+ value 12;
+ description
+ "The asymmetric algorithm using a x.25519 Curve.";
+ reference
+ "RFC 7748:
+ Elliptic Curves for Security.";
+ }
+ enum x448 {
+ value 13;
+ description
+ "The asymmetric algorithm using a x.448 Curve.";
+ reference
+ "RFC 7748:
+ Elliptic Curves for Security.";
+ }
+ }
+ }
+ default "0";
+ description
+ "The uint16 filed shall be set by individual protocol
+ families according to the asymmetric key algorithm value
+ assigned by IANA. The setting is optional and by default
+ is 0. The enumeration filed is set to the selected
+ asymmetric key algorithm.";
+ }
+
+ /*************************************/
+ /* Identities for MAC Algorithms */
+ /*************************************/
+
+ typedef mac-algorithm-t {
+ type union {
+ type uint16;
+ type enumeration {
+ enum NONE {
+ value 0;
+ description
+ "mac algorithm is NULL.";
+ }
+ enum hmac-sha1 {
+ value 1;
+ description
+ "Generating MAC using SHA1 hash function";
+ reference
+ "RFC 3174: US Secure Hash Algorithm 1 (SHA1)";
+ }
+ enum hmac-sha1-96 {
+ value 2;
+ description
+ "Generating MAC using SHA1 hash function";
+ reference
+ "RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH";
+ }
+ enum hmac-sha2-224 {
+ value 3;
+ description
+ "Generating MAC using SHA2 hash function";
+ reference
+ "RFC 6234: US Secure Hash Algorithms
+ (SHA and SHA-based HMAC and HKDF)";
+ }
+ enum hmac-sha2-256 {
+ value 4;
+ description
+ "Generating MAC using SHA2 hash function";
+ reference
+ "RFC 6234: US Secure Hash Algorithms
+ (SHA and SHA-based HMAC and HKDF)";
+ }
+ enum hmac-sha2-256-128 {
+ value 5;
+ description
+ "Generating a 256 bits MAC using SHA2 hash function and
+ truncate it to 128 bits";
+ reference
+ "RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384,
+ and HMAC-SHA-512 with IPsec";
+ }
+ enum hmac-sha2-384 {
+ value 6;
+ description
+ "Generating a 384 bits MAC using SHA2 hash function";
+ reference
+ "RFC 6234: US Secure Hash Algorithms
+ (SHA and SHA-based HMAC and HKDF)";
+ }
+ enum hmac-sha2-384-192 {
+ value 7;
+ description
+ "Generating a 384 bits MAC using SHA2 hash function and
+ truncate it to 192 bits";
+ reference
+ "RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384,
+ and HMAC-SHA-512 with IPsec";
+ }
+ enum hmac-sha2-512 {
+ value 8;
+ description
+ "Generating a 512 bits MAC using SHA2 hash function";
+ reference
+ "RFC 6234: US Secure Hash Algorithms
+ (SHA and SHA-based HMAC and HKDF)";
+ }
+ enum hmac-sha2-512-256 {
+ value 9;
+ description
+ "Generating a 512 bits MAC using SHA2 hash function and
+ truncate it to 256 bits";
+ reference
+ "RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384,
+ and HMAC-SHA-512 with IPsec";
+ }
+ enum aes-128-gmac {
+ value 10;
+ description
+ "Generating 128-bit MAC using the Advanced Encryption
+ Standard (AES) Galois Message Authentication Code
+ (GMAC) as a mechanism to provide data origin
+ authentication.";
+ reference
+ "RFC 4543:
+ The Use of Galois Message Authentication Code (GMAC)
+ in IPsec ESP and AH";
+ }
+ enum aes-192-gmac {
+ value 11;
+ description
+ "Generating 192-bit MAC using the Advanced Encryption
+ Standard (AES) Galois Message Authentication Code
+ (GMAC) as a mechanism to provide data origin
+ authentication.";
+ reference
+ "RFC 4543:
+ The Use of Galois Message Authentication Code (GMAC)
+ in IPsec ESP and AH";
+ }
+ enum aes-256-gmac {
+ value 12;
+ description
+ "Generating 256-bit MAC using the Advanced Encryption
+ Standard (AES) Galois Message Authentication Code
+ (GMAC) as a mechanism to provide data origin
+ authentication.";
+ reference
+ "RFC 4543:
+ The Use of Galois Message Authentication Code (GMAC)
+ in IPsec ESP and AH";
+ }
+ enum aes-cmac-96 {
+ value 13;
+ description
+ "Generating 96-bit MAC using Advanced Encryption
+ Standard (AES) Cipher-based Message Authentication
+ Code (CMAC)";
+ reference
+ "RFC 4494:
+ The AES-CMAC Algorithm and its Use with IPsec";
+ }
+ enum aes-cmac-128 {
+ value 14;
+ description
+ "Generating 128-bit MAC using Advanced Encryption
+ Standard (AES) Cipher-based Message Authentication
+ Code (CMAC)";
+ reference
+ "RFC 4494:
+ The AES-CMAC Algorithm and its Use with IPsec";
+ }
+ enum sha1-des3-kd {
+ value 15;
+ description
+ "Generating MAC using triple DES encryption function";
+ reference
+ "RFC 3961:
+ Encryption and Checksum Specifications for Kerberos
+ 5";
+ }
+ }
+ }
+ default "0";
+ description
+ "The uint16 filed shall be set by individual protocol
+ families according to the mac algorithm value assigned by
+ IANA. The setting is optional and by default is 0. The
+ enumeration filed is set to the selected mac algorithm.";
+ }
+
+ /********************************************/
+ /* Identities for Encryption Algorithms */
+ /********************************************/
+
+ typedef encryption-algorithm-t {
+ type union {
+ type uint16;
+ type enumeration {
+ enum NONE {
+ value 0;
+ description
+ "Encryption algorithm is NULL.";
+ }
+ enum aes-128-cbc {
+ value 1;
+ description
+ "Encrypt message with AES algorithm in CBC mode with
+ a key length of 128 bits.";
+ reference
+ "RFC 3565: Use of the Advanced Encryption Standard (AES)
+ Encryption Algorithm in Cryptographic Message Syntax
+ (CMS)";
+ }
+ enum aes-192-cbc {
+ value 2;
+ description
+ "Encrypt message with AES algorithm in CBC mode with
+ a key length of 192 bits";
+ reference
+ "RFC 3565: Use of the Advanced Encryption Standard (AES)
+ Encryption Algorithm in Cryptographic Message Syntax
+ (CMS)";
+ }
+ enum aes-256-cbc {
+ value 3;
+ description
+ "Encrypt message with AES algorithm in CBC mode with
+ a key length of 256 bits";
+ reference
+ "RFC 3565: Use of the Advanced Encryption Standard (AES)
+ Encryption Algorithm in Cryptographic Message Syntax
+ (CMS)";
+ }
+ enum aes-128-ctr {
+ value 4;
+ description
+ "Encrypt message with AES algorithm in CTR mode with
+ a key length of 128 bits";
+ reference
+ "RFC 3686:
+ Using Advanced Encryption Standard (AES) Counter
+ Mode with IPsec Encapsulating Security Payload
+ (ESP)";
+ }
+ enum aes-192-ctr {
+ value 5;
+ description
+ "Encrypt message with AES algorithm in CTR mode with
+ a key length of 192 bits";
+ reference
+ "RFC 3686:
+ Using Advanced Encryption Standard (AES) Counter
+ Mode with IPsec Encapsulating Security Payload
+ (ESP)";
+ }
+ enum aes-256-ctr {
+ value 6;
+ description
+ "Encrypt message with AES algorithm in CTR mode with
+ a key length of 256 bits";
+ reference
+ "RFC 3686:
+ Using Advanced Encryption Standard (AES) Counter
+ Mode with IPsec Encapsulating Security Payload
+ (ESP)";
+ }
+ enum des3-cbc-sha1-kd {
+ value 7;
+ description
+ "Encrypt message with 3DES algorithm in CBC mode
+ with sha1 function for key derivation";
+ reference
+ "RFC 3961:
+ Encryption and Checksum Specifications for
+ Kerberos 5";
+ }
+ enum rc4-hmac {
+ value 8;
+ description
+ "Encrypt message with rc4 algorithm";
+ reference
+ "RFC 4757:
+ The RC4-HMAC Kerberos Encryption Types Used by
+ Microsoft Windows";
+ }
+ enum rc4-hmac-exp {
+ value 9;
+ description
+ "Encrypt message with rc4 algorithm that is exportable";
+ reference
+ "RFC 4757:
+ The RC4-HMAC Kerberos Encryption Types Used by
+ Microsoft Windows";
+ }
+ }
+ }
+ default "0";
+ description
+ "The uint16 filed shall be set by individual protocol
+ families according to the encryption algorithm value
+ assigned by IANA. The setting is optional and by default
+ is 0. The enumeration filed is set to the selected
+ encryption algorithm.";
+ }
+
+ /****************************************************/
+ /* Identities for Encryption and MAC Algorithms */
+ /****************************************************/
+
+ typedef encryption-and-mac-algorithm-t {
+ type union {
+ type uint16;
+ type enumeration {
+ enum NONE {
+ value 0;
+ description
+ "Encryption and MAC algorithm is NULL.";
+ reference
+ "None";
+ }
+ enum aes-128-ccm {
+ value 1;
+ description
+ "Encrypt message with AES algorithm in CCM
+ mode with a key length of 128 bits; it can
+ also be used for generating MAC";
+ reference
+ "RFC 4309: Using Advanced Encryption Standard
+ (AES) CCM Mode with IPsec Encapsulating Security
+ Payload (ESP)";
+ }
+ enum aes-192-ccm {
+ value 2;
+ description
+ "Encrypt message with AES algorithm in CCM
+ mode with a key length of 192 bits; it can
+ also be used for generating MAC";
+ reference
+ "RFC 4309: Using Advanced Encryption Standard
+ (AES) CCM Mode with IPsec Encapsulating Security
+ Payload (ESP)";
+ }
+ enum aes-256-ccm {
+ value 3;
+ description
+ "Encrypt message with AES algorithm in CCM
+ mode with a key length of 256 bits; it can
+ also be used for generating MAC";
+ reference
+ "RFC 4309: Using Advanced Encryption Standard
+ (AES) CCM Mode with IPsec Encapsulating Security
+ Payload (ESP)";
+ }
+ enum aes-128-gcm {
+ value 4;
+ description
+ "Encrypt message with AES algorithm in GCM
+ mode with a key length of 128 bits; it can
+ also be used for generating MAC";
+ reference
+ "RFC 4106: The Use of Galois/Counter Mode (GCM)
+ in IPsec Encapsulating Security Payload (ESP)";
+ }
+ enum aes-192-gcm {
+ value 5;
+ description
+ "Encrypt message with AES algorithm in GCM
+ mode with a key length of 192 bits; it can
+ also be used for generating MAC";
+ reference
+ "RFC 4106: The Use of Galois/Counter Mode (GCM)
+ in IPsec Encapsulating Security Payload (ESP)";
+ }
+ enum aes-256-gcm {
+ value 6;
+ description
+ "Encrypt message with AES algorithm in GCM
+ mode with a key length of 256 bits; it can
+ also be used for generating MAC";
+ reference
+ "RFC 4106: The Use of Galois/Counter Mode (GCM)
+ in IPsec Encapsulating Security Payload (ESP)";
+ }
+ enum chacha20-poly1305 {
+ value 7;
+ description
+ "Encrypt message with chacha20 algorithm and generate
+ MAC with POLY1305; it can also be used for generating
+ MAC";
+ reference
+ "RFC 8439: ChaCha20 and Poly1305 for IETF Protocols";
+ }
+ }
+ }
+ default "0";
+ description
+ "The uint16 filed shall be set by individual protocol
+ families according to the encryption and mac algorithm value
+ assigned by IANA. The setting is optional and by default is
+ 0. The enumeration filed is set to the selected encryption
+ and mac algorithm.";
+ }
+
+ /******************************************/
+ /* Identities for signature algorithm */
+ /******************************************/
+
+ typedef signature-algorithm-t {
+ type union {
+ type uint16;
+ type enumeration {
+ enum NONE {
+ value 0;
+ description
+ "Signature algorithm is NULL";
+ }
+ enum dsa-sha1 {
+ value 1;
+ description
+ "The signature algorithm using DSA algorithm with SHA1
+ hash algorithm";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+ enum rsassa-pkcs1-sha1 {
+ value 2;
+ description
+ "The signature algorithm using RSASSA-PKCS1-v1_5 with
+ the SHA1 hash algorithm.";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+ enum rsassa-pkcs1-sha256 {
+ value 3;
+ description
+ "The signature algorithm using RSASSA-PKCS1-v1_5 with
+ the SHA256 hash algorithm.";
+ reference
+ "RFC 8332:
+ Use of RSA Keys with SHA-256 and SHA-512 in the
+ Secure Shell (SSH) Protocol
+ RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum rsassa-pkcs1-sha384 {
+ value 4;
+ description
+ "The signature algorithm using RSASSA-PKCS1-v1_5 with
+ the SHA384 hash algorithm.";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum rsassa-pkcs1-sha512 {
+ value 5;
+ description
+ "The signature algorithm using RSASSA-PKCS1-v1_5 with
+ the SHA512 hash algorithm.";
+ reference
+ "RFC 8332:
+ Use of RSA Keys with SHA-256 and SHA-512 in the
+ Secure Shell (SSH) Protocol
+ RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum rsassa-pss-rsae-sha256 {
+ value 6;
+ description
+ "The signature algorithm using RSASSA-PSS with mask
+ generation function 1 and SHA256 hash algorithm. If
+ the public key is carried in an X.509 certificate,
+ it MUST use the rsaEncryption OID";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum rsassa-pss-rsae-sha384 {
+ value 7;
+ description
+ "The signature algorithm using RSASSA-PSS with mask
+ generation function 1 and SHA384 hash algorithm. If
+ the public key is carried in an X.509 certificate,
+ it MUST use the rsaEncryption OID";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum rsassa-pss-rsae-sha512 {
+ value 8;
+ description
+ "The signature algorithm using RSASSA-PSS with mask
+ generation function 1 and SHA512 hash algorithm. If
+ the public key is carried in an X.509 certificate,
+ it MUST use the rsaEncryption OID";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum rsassa-pss-pss-sha256 {
+ value 9;
+ description
+ "The signature algorithm using RSASSA-PSS with mask
+ generation function 1 and SHA256 hash algorithm. If
+ the public key is carried in an X.509 certificate,
+ it MUST use the rsaEncryption OID";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum rsassa-pss-pss-sha384 {
+ value 10;
+ description
+ "The signature algorithm using RSASSA-PSS with mask
+ generation function 1 and SHA384 hash algorithm. If
+ the public key is carried in an X.509 certificate,
+ it MUST use the rsaEncryption OID";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum rsassa-pss-pss-sha512 {
+ value 11;
+ description
+ "The signature algorithm using RSASSA-PSS with mask
+ generation function 1 and SHA512 hash algorithm. If
+ the public key is carried in an X.509 certificate,
+ it MUST use the rsaEncryption OID";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum ecdsa-secp256r1-sha256 {
+ value 12;
+ description
+ "The signature algorithm using ECDSA with curve name
+ secp256r1 and SHA256 hash algorithm.";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the Secure
+ Shell Transport Layer
+ RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum ecdsa-secp384r1-sha384 {
+ value 13;
+ description
+ "The signature algorithm using ECDSA with curve name
+ secp384r1 and SHA384 hash algorithm.";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the Secure
+ Shell Transport Layer
+ RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum ecdsa-secp521r1-sha512 {
+ value 14;
+ description
+ "The signature algorithm using ECDSA with curve name
+ secp521r1 and SHA512 hash algorithm.";
+ reference
+ "RFC 5656:
+ Elliptic Curve Algorithm Integration in the Secure
+ Shell Transport Layer
+ RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum ed25519 {
+ value 15;
+ description
+ "The signature algorithm using EdDSA with curve x25519";
+ reference
+ "RFC 8032:
+ Edwards-Curve Digital Signature Algorithm (EdDSA)";
+ }
+ enum ed25519-cts {
+ value 16;
+ description
+ "The signature algorithm using EdDSA with curve x25519
+ with phflag = 0";
+ reference
+ "RFC 8032:
+ Edwards-Curve Digital Signature Algorithm (EdDSA)";
+ }
+ enum ed25519-ph {
+ value 17;
+ description
+ "The signature algorithm using EdDSA with curve x25519
+ with phflag = 1";
+ reference
+ "RFC 8032:
+ Edwards-Curve Digital Signature Algorithm (EdDSA)";
+ }
+ enum ed25519-sha512 {
+ value 18;
+ description
+ "The signature algorithm using EdDSA with curve x25519
+ and SHA-512 function";
+ reference
+ "RFC 8419:
+ Use of Edwards-Curve Digital Signature Algorithm
+ (EdDSA) Signatures in the Cryptographic Message
+ Syntax (CMS)";
+ }
+ enum ed448 {
+ value 19;
+ description
+ "The signature algorithm using EdDSA with curve x448";
+ reference
+ "RFC 8032:
+ Edwards-Curve Digital Signature Algorithm (EdDSA)";
+ }
+ enum ed448-ph {
+ value 20;
+ description
+ "The signature algorithm using EdDSA with curve x448
+ and with PH being SHAKE256(x, 64) and phflag being 1";
+ reference
+ "RFC 8032:
+ Edwards-Curve Digital Signature Algorithm (EdDSA)";
+ }
+ enum ed448-shake256 {
+ value 21;
+ description
+ "The signature algorithm using EdDSA with curve x448
+ and SHAKE-256 function";
+ reference
+ "RFC 8419:
+ Use of Edwards-Curve Digital Signature Algorithm
+ (EdDSA) Signatures in the Cryptographic Message
+ Syntax (CMS)";
+ }
+ enum ed448-shake256-len {
+ value 22;
+ description
+ "The signature algorithm using EdDSA with curve x448
+ and SHAKE-256 function and a customized hash output";
+ reference
+ "RFC 8419:
+ Use of Edwards-Curve Digital Signature Algorithm
+ (EdDSA) Signatures in the Cryptographic Message
+ Syntax (CMS)";
+ }
+ enum rsa-sha2-256 {
+ value 23;
+ description
+ "The signature algorithm using RSA with SHA2 function
+ for SSH protocol";
+ reference
+ "RFC 8332:
+ Use of RSA Keys with SHA-256 and SHA-512
+ in the Secure Shell (SSH) Protocol";
+ }
+ enum rsa-sha2-512 {
+ value 24;
+ description
+ "The signature algorithm using RSA with SHA2 function
+ for SSH protocol";
+ reference
+ "RFC 8332:
+ Use of RSA Keys with SHA-256 and SHA-512
+ in the Secure Shell (SSH) Protocol";
+ }
+ enum eccsi {
+ value 25;
+ description
+ "The signature algorithm using ECCSI signature as
+ defined in RFC 6507.";
+ reference
+ "RFC 6507:
+ Elliptic Curve-Based Certificateless Signatures
+ for Identity-based Encryption (ECCSI)";
+ }
+ }
+ }
+ default "0";
+ description
+ "The uint16 filed shall be set by individual protocol
+ families according to the signature algorithm value
+ assigned by IANA. The setting is optional and by default
+ is 0. The enumeration filed is set to the selected
+ signature algorithm.";
+ }
+
+ /**********************************************/
+ /* Identities for key exchange algorithms */
+ /**********************************************/
+
+ typedef key-exchange-algorithm-t {
+ type union {
+ type uint16;
+ type enumeration {
+ enum NONE {
+ value 0;
+ description
+ "Key exchange algorithm is NULL.";
+ }
+ enum psk-only {
+ value 1;
+ description
+ "Using Pre-shared key for authentication and key
+ exchange";
+ reference
+ "RFC 4279:
+ Pre-Shared Key cipher suites for Transport Layer
+ Security (TLS)";
+ }
+ enum dhe-ffdhe2048 {
+ value 2;
+ description
+ "Ephemeral Diffie Hellman key exchange with 2048 bit
+ finite field";
+ reference
+ "RFC 7919:
+ Negotiated Finite Field Diffie-Hellman Ephemeral
+ Parameters for Transport Layer Security (TLS)";
+ }
+ enum dhe-ffdhe3072 {
+ value 3;
+ description
+ "Ephemeral Diffie Hellman key exchange with 3072 bit
+ finite field";
+ reference
+ "RFC 7919:
+ Negotiated Finite Field Diffie-Hellman Ephemeral
+ Parameters for Transport Layer Security (TLS)";
+ }
+ enum dhe-ffdhe4096 {
+ value 4;
+ description
+ "Ephemeral Diffie Hellman key exchange with 4096 bit
+ finite field";
+ reference
+ "RFC 7919:
+ Negotiated Finite Field Diffie-Hellman Ephemeral
+ Parameters for Transport Layer Security (TLS)";
+ }
+ enum dhe-ffdhe6144 {
+ value 5;
+ description
+ "Ephemeral Diffie Hellman key exchange with 6144 bit
+ finite field";
+ reference
+ "RFC 7919:
+ Negotiated Finite Field Diffie-Hellman Ephemeral
+ Parameters for Transport Layer Security (TLS)";
+ }
+ enum dhe-ffdhe8192 {
+ value 6;
+ description
+ "Ephemeral Diffie Hellman key exchange with 8192 bit
+ finite field";
+ reference
+ "RFC 7919:
+ Negotiated Finite Field Diffie-Hellman Ephemeral
+ Parameters for Transport Layer Security (TLS)";
+ }
+ enum psk-dhe-ffdhe2048 {
+ value 7;
+ description
+ "Key exchange using pre-shared key with Diffie-Hellman
+ key generation mechanism, where the DH group is
+ FFDHE2048";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum psk-dhe-ffdhe3072 {
+ value 8;
+ description
+ "Key exchange using pre-shared key with Diffie-Hellman
+ key generation mechanism, where the DH group is
+ FFDHE3072";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum psk-dhe-ffdhe4096 {
+ value 9;
+ description
+ "Key exchange using pre-shared key with Diffie-Hellman
+ key generation mechanism, where the DH group is
+ FFDHE4096";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum psk-dhe-ffdhe6144 {
+ value 10;
+ description
+ "Key exchange using pre-shared key with Diffie-Hellman
+ key generation mechanism, where the DH group is
+ FFDHE6144";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum psk-dhe-ffdhe8192 {
+ value 11;
+ description
+ "Key exchange using pre-shared key with Diffie-Hellman
+ key generation mechanism, where the DH group is
+ FFDHE8192";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum ecdhe-secp256r1 {
+ value 12;
+ description
+ "Ephemeral Diffie Hellman key exchange with elliptic
+ group over curve secp256r1";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites
+ for Transport Layer Security (TLS) Versions 1.2
+ and Earlier";
+ }
+ enum ecdhe-secp384r1 {
+ value 13;
+ description
+ "Ephemeral Diffie Hellman key exchange with elliptic
+ group over curve secp384r1";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites
+ for Transport Layer Security (TLS) Versions 1.2
+ and Earlier";
+ }
+ enum ecdhe-secp521r1 {
+ value 14;
+ description
+ "Ephemeral Diffie Hellman key exchange with elliptic
+ group over curve secp521r1";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites
+ for Transport Layer Security (TLS) Versions 1.2
+ and Earlier";
+ }
+ enum ecdhe-x25519 {
+ value 15;
+ description
+ "Ephemeral Diffie Hellman key exchange with elliptic
+ group over curve x25519";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites
+ for Transport Layer Security (TLS) Versions 1.2
+ and Earlier";
+ }
+ enum ecdhe-x448 {
+ value 16;
+ description
+ "Ephemeral Diffie Hellman key exchange with elliptic
+ group over curve x448";
+ reference
+ "RFC 8422:
+ Elliptic Curve Cryptography (ECC) Cipher Suites
+ for Transport Layer Security (TLS) Versions 1.2
+ and Earlier";
+ }
+ enum psk-ecdhe-secp256r1 {
+ value 17;
+ description
+ "Key exchange using pre-shared key with elliptic
+ group-based Ephemeral Diffie Hellman key exchange
+ over curve secp256r1";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum psk-ecdhe-secp384r1 {
+ value 18;
+ description
+ "Key exchange using pre-shared key with elliptic
+ group-based Ephemeral Diffie Hellman key exchange
+ over curve secp384r1";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum psk-ecdhe-secp521r1 {
+ value 19;
+ description
+ "Key exchange using pre-shared key with elliptic
+ group-based Ephemeral Diffie Hellman key exchange
+ over curve secp521r1";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum psk-ecdhe-x25519 {
+ value 20;
+ description
+ "Key exchange using pre-shared key with elliptic
+ group-based Ephemeral Diffie Hellman key exchange
+ over curve x25519";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum psk-ecdhe-x448 {
+ value 21;
+ description
+ "Key exchange using pre-shared key with elliptic
+ group-based Ephemeral Diffie Hellman key exchange
+ over curve x448";
+ reference
+ "RFC 8446:
+ The Transport Layer Security (TLS) Protocol
+ Version 1.3";
+ }
+ enum diffie-hellman-group14-sha1 {
+ value 22;
+ description
+ "Using DH group14 and SHA1 for key exchange";
+ reference
+ "RFC 4253:
+ The Secure Shell (SSH) Transport Layer Protocol";
+ }
+ enum diffie-hellman-group14-sha256 {
+ value 23;
+ description
+ "Using DH group14 and SHA-256 for key exchange";
+ reference
+ "RFC 8268:
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";
+ }
+ enum diffie-hellman-group15-sha512 {
+ value 24;
+ description
+ "Using DH group15 and SHA-512 for key exchange";
+ reference
+ "RFC 8268:
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";
+ }
+ enum diffie-hellman-group16-sha512 {
+ value 25;
+ description
+ "Using DH group16 and SHA-512 for key exchange";
+ reference
+ "RFC 8268:
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";
+ }
+ enum diffie-hellman-group17-sha512 {
+ value 26;
+ description
+ "Using DH group17 and SHA-512 for key exchange";
+ reference
+ "RFC 8268:
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";
+ }
+ enum diffie-hellman-group18-sha512 {
+ value 27;
+ description
+ "Using DH group18 and SHA-512 for key exchange";
+ reference
+ "RFC 8268:
+ More Modular Exponentiation (MODP) Diffie-Hellman (DH)
+ Key Exchange (KEX) Groups for Secure Shell (SSH)";
+ }
+ enum ecdh-sha2-secp256r1 {
+ value 28;
+ description
+ "Elliptic curve-based Diffie Hellman key exchange over
+ curve ecp256r1 and using SHA2 for MAC generation";
+ reference
+ "RFC 6239:
+ Suite B Cryptographic Suites for Secure Shell (SSH)";
+ }
+ enum ecdh-sha2-secp384r1 {
+ value 29;
+ description
+ "Elliptic curve-based Diffie Hellman key exchange over
+ curve ecp384r1 and using SHA2 for MAC generation";
+ reference
+ "RFC 6239:
+ Suite B Cryptographic Suites for Secure Shell (SSH)";
+ }
+ enum ecdh-x25519-x9.63-sha256 {
+ value 30;
+ description
+ "Elliptic curve-based Diffie Hellman key exchange over
+ curve x.25519 and using ANSI x9.63 with SHA256 as KDF";
+ reference
+ "RFC 8418:
+ Use of the Elliptic Curve Diffie-Hellman Key Agreement
+ Algorithm with X25519 and X448 in the Cryptographic
+ Message Syntax (CMS)";
+ }
+ enum ecdh-x25519-x9.63-sha384 {
+ value 31;
+ description
+ "Elliptic curve-based Diffie Hellman key exchange over
+ curve x.25519 and using ANSI x9.63 with SHA384 as KDF";
+ reference
+ "RFC 8418:
+ Use of the Elliptic Curve Diffie-Hellman Key Agreement
+ Algorithm with X25519 and X448 in the Cryptographic
+ Message Syntax (CMS)";
+ }
+ enum ecdh-x25519-x9.63-sha512 {
+ value 32;
+ description
+ "Elliptic curve-based Diffie Hellman key exchange over
+ curve x.25519 and using ANSI x9.63 with SHA512 as KDF";
+ reference
+ "RFC 8418:
+ Use of the Elliptic Curve Diffie-Hellman Key Agreement
+ Algorithm with X25519 and X448 in the Cryptographic
+ Message Syntax (CMS)";
+ }
+ enum ecdh-x25519-hkdf-sha256 {
+ value 33;
+ description
+ "Elliptic curve-based Diffie Hellman key exchange over
+ curve x.25519 and using HKDF with SHA256 as KDF";
+ reference
+ "RFC 8418:
+ Use of the Elliptic Curve Diffie-Hellman Key Agreement
+ Algorithm with X25519 and X448 in the Cryptographic
+ Message Syntax (CMS)";
+ }
+ enum ecdh-x25519-hkdf-sha384 {
+ value 34;
+ description
+ "Elliptic curve-based Diffie Hellman key exchange over
+ curve x.25519 and using HKDF with SHA384 as KDF";
+ reference
+ "RFC 8418:
+ Use of the Elliptic Curve Diffie-Hellman Key Agreement
+ Algorithm with X25519 and X448 in the Cryptographic
+ Message Syntax (CMS)";
+ }
+ enum ecdh-x25519-hkdf-sha512 {
+ value 35;
+ description
+ "Elliptic curve-based Diffie Hellman key exchange over
+ curve x.25519 and using HKDF with SHA512 as KDF";
+ reference
+ "RFC 8418:
+ Use of the Elliptic Curve Diffie-Hellman Key Agreement
+ Algorithm with X25519 and X448 in the Cryptographic
+ Message Syntax (CMS)";
+ }
+ enum ecdh-x448-x9.63-sha256 {
+ value 36;
+ description
+ "Elliptic curve-based Diffie Hellman key exchange over
+ curve x.448 and using ANSI x9.63 with SHA256 as KDF";
+ reference
+ "RFC 8418:
+ Use of the Elliptic Curve Diffie-Hellman Key Agreement
+ Algorithm with X25519 and X448 in the Cryptographic
+ Message Syntax (CMS)";
+ }
+ enum ecdh-x448-x9.63-sha384 {
+ value 37;
+ description
+ "Elliptic curve-based Diffie Hellman key exchange over
+ curve x.448 and using ANSI x9.63 with SHA384 as KDF";
+ reference
+ "RFC 8418:
+ Use of the Elliptic Curve Diffie-Hellman Key Agreement
+ Algorithm with X25519 and X448 in the Cryptographic
+ Message Syntax (CMS)";
+ }
+ enum ecdh-x448-x9.63-sha512 {
+ value 38;
+ description
+ "Elliptic curve-based Diffie Hellman key exchange over
+ curve x.448 and using ANSI x9.63 with SHA512 as KDF";
+ reference
+ "RFC 8418:
+ Use of the Elliptic Curve Diffie-Hellman Key Agreement
+ Algorithm with X25519 and X448 in the Cryptographic
+ Message Syntax (CMS)";
+ }
+ enum ecdh-x448-hkdf-sha256 {
+ value 39;
+ description
+ "Elliptic curve-based Diffie Hellman key exchange over
+ curve x.448 and using HKDF with SHA256 as KDF";
+ reference
+ "RFC 8418:
+ Use of the Elliptic Curve Diffie-Hellman Key Agreement
+ Algorithm with X25519 and X448 in the Cryptographic
+ Message Syntax (CMS)";
+ }
+ enum ecdh-x448-hkdf-sha384 {
+ value 40;
+ description
+ "Elliptic curve-based Diffie Hellman key exchange over
+ curve x.448 and using HKDF with SHA384 as KDF";
+ reference
+ "RFC 8418:
+ Use of the Elliptic Curve Diffie-Hellman Key Agreement
+ Algorithm with X25519 and X448 in the Cryptographic
+ Message Syntax (CMS)";
+ }
+ enum ecdh-x448-hkdf-sha512 {
+ value 41;
+ description
+ "Elliptic curve-based Diffie Hellman key exchange over
+ curve x.448 and using HKDF with SHA512 as KDF";
+ reference
+ "RFC 8418:
+ Use of the Elliptic Curve Diffie-Hellman Key Agreement
+ Algorithm with X25519 and X448 in the Cryptographic
+ Message Syntax (CMS)";
+ }
+
+ enum rsaes-oaep {
+ value 42;
+ description
+ "RSAES-OAEP combines the RSAEP and RSADP primitives with
+ the EME-OAEP encoding method";
+ reference
+ "RFC 8017:
+ PKCS #1:
+ RSA Cryptography Specifications Version 2.2.";
+ }
+ enum rsaes-pkcs1-v1_5 {
+ value 43;
+ description
+ "RSAES-PKCS1-v1_5 combines the RSAEP and RSADP
+ primitives with the EME-PKCS1-v1_5 encoding method";
+ reference
+ "RFC 8017:
+ PKCS #1:
+ RSA Cryptography Specifications Version 2.2.";
+ }
+ }
+ }
+ default "0";
+ description
+ "The uint16 filed shall be set by individual protocol
+ families according to the key exchange algorithm value
+ assigned by IANA. The setting is optional and by default
+ is 0. The enumeration filed is set to the selected key
+ exchange algorithm.";
+ }
+
+ /********************************************/
+ /* Identities for Key Format Structures */
+ /********************************************/
+
+ /*** all key format types ****/
+
+ identity key-format-base {
+ description "Base key-format identity for all keys.";
+ }
+
+ identity public-key-format {
+ base "key-format-base";
+ description "Base key-format identity for public keys.";
+ }
+
+ identity private-key-format {
+ base "key-format-base";
+ description "Base key-format identity for private keys.";
+ }
+
+ identity symmetric-key-format {
+ base "key-format-base";
+ description "Base key-format identity for symmetric keys.";
+ }
+
+ /**** for private keys ****/
+
+ identity rsa-private-key-format {
+ base "private-key-format";
+ description "An RSAPrivateKey (from RFC 3447).";
+ }
+
+ identity ec-private-key-format {
+ base "private-key-format";
+ description "An ECPrivateKey (from RFC 5915)";
+ }
+
+ identity one-asymmetric-key-format {
+ base "private-key-format";
+ description "A OneAsymmetricKey (from RFC 5958).";
+ }
+
+ identity encrypted-private-key-format {
+ base "private-key-format";
+ description
+ "A CMS EncryptedData structure (RFC 5652)
+ containing a OneAsymmetricKey (RFC 5958).";
+ }
+
+ /**** for public keys ****/
+
+ identity ssh-public-key-format {
+ base "public-key-format";
+ description
+ "The public key format described by RFC 4716.";
+ }
+
+ identity subject-public-key-info-format {
+ base "public-key-format";
+ description
+ "A SubjectPublicKeyInfo (from RFC 5280).";
+ }
+
+ /**** for symmetric keys ****/
+
+ identity octet-string-key-format {
+ base "symmetric-key-format";
+ description "An OctetString from ASN.1.";
+ /*
+ // Knowing that it is an "OctetString" isn't really helpful.
+ // Knowing the length of the octet string would be helpful,
+ // as it relates to the algorithm's block size. We may want
+ // to only (for now) use "one-symmetric-key-format" for
+ // symmetric keys...were the usability issues Juergen
+ // mentioned before only apply to asymmetric keys?
+ */
+ }
+
+ identity one-symmetric-key-format {
+ base "symmetric-key-format";
+ description "A OneSymmetricKey (from RFC6031).";
+ }
+
+ identity encrypted-symmetric-key-format {
+ base "symmetric-key-format";
+ description
+ "A CMS EncryptedData structure (RFC 5652)
+ containing a OneSymmetricKey (RFC 6031).";
+ }
+
+ /***************************************************/
+ /* Typedefs for ASN.1 structures from RFC 5280 */
+ /***************************************************/
+
+ typedef x509 {
+ type binary;
+ description
+ "A Certificate structure, as specified in RFC 5280,
+ encoded using ASN.1 distinguished encoding rules (DER),
+ as specified in ITU-T X.690.";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ typedef crl {
+ type binary;
+ description
+ "A CertificateList structure, as specified in RFC 5280,
+ encoded using ASN.1 distinguished encoding rules (DER),
+ as specified in ITU-T X.690.";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ /***********************************************/
+ /* Typedefs for ASN.1 structures from 5652 */
+ /***********************************************/
+
+ typedef cms {
+ type binary;
+ description
+ "A ContentInfo structure, as specified in RFC 5652,
+ encoded using ASN.1 distinguished encoding rules (DER),
+ as specified in ITU-T X.690.";
+ reference
+ "RFC 5652:
+ Cryptographic Message Syntax (CMS)
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ typedef data-content-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ data content type, as described by Section 4 in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef signed-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ signed-data content type, as described by Section 5 in
+ RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef enveloped-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ enveloped-data content type, as described by Section 6
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef digested-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ digested-data content type, as described by Section 7
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ typedef encrypted-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ encrypted-data content type, as described by Section 8
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+ typedef authenticated-data-cms {
+ type cms;
+ description
+ "A CMS structure whose top-most content type MUST be the
+ authenticated-data content type, as described by Section 9
+ in RFC 5652.";
+ reference
+ "RFC 5652: Cryptographic Message Syntax (CMS)";
+ }
+
+ /***************************************************/
+ /* Typedefs for structures related to RFC 4253 */
+ /***************************************************/
+
+ typedef ssh-host-key {
+ type binary;
+ description
+ "The binary public key data for this SSH key, as
+ specified by RFC 4253, Section 6.6, i.e.:
+
+ string certificate or public key format
+ identifier
+ byte[n] key/certificate data.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport Layer
+ Protocol";
+ }
+
+ /*********************************************************/
+ /* Typedefs for ASN.1 structures related to RFC 5280 */
+ /*********************************************************/
+
+ typedef trust-anchor-cert-x509 {
+ type x509;
+ description
+ "A Certificate structure that MUST encode a self-signed
+ root certificate.";
+ }
+
+ typedef end-entity-cert-x509 {
+ type x509;
+ description
+ "A Certificate structure that MUST encode a certificate
+ that is neither self-signed nor having Basic constraint
+ CA true.";
+ }
+
+ /*********************************************************/
+ /* Typedefs for ASN.1 structures related to RFC 5652 */
+ /*********************************************************/
+
+ typedef trust-anchor-cert-cms {
+ type signed-data-cms;
+ description
+ "A CMS SignedData structure that MUST contain the chain of
+ X.509 certificates needed to authenticate the certificate
+ presented by a client or end-entity.
+
+ The CMS MUST contain only a single chain of certificates.
+ The client or end-entity certificate MUST only authenticate
+ to last intermediate CA certificate listed in the chain.
+
+ In all cases, the chain MUST include a self-signed root
+ certificate. In the case where the root certificate is
+ itself the issuer of the client or end-entity certificate,
+ only one certificate is present.
+
+ This CMS structure MAY (as applicable where this type is
+ used) also contain suitably fresh (as defined by local
+ policy) revocation objects with which the device can
+ verify the revocation status of the certificates.
+
+ This CMS encodes the degenerate form of the SignedData
+ structure that is commonly used to disseminate X.509
+ certificates and revocation objects (RFC 5280).";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile.";
+ }
+
+ typedef end-entity-cert-cms {
+ type signed-data-cms;
+ description
+ "A CMS SignedData structure that MUST contain the end
+ entity certificate itself, and MAY contain any number
+ of intermediate certificates leading up to a trust
+ anchor certificate. The trust anchor certificate
+ MAY be included as well.
+
+ The CMS MUST contain a single end entity certificate.
+ The CMS MUST NOT contain any spurious certificates.
+
+ This CMS structure MAY (as applicable where this type is
+ used) also contain suitably fresh (as defined by local
+ policy) revocation objects with which the device can
+ verify the revocation status of the certificates.
+
+ This CMS encodes the degenerate form of the SignedData
+ structure that is commonly used to disseminate X.509
+ certificates and revocation objects (RFC 5280).";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile.";
+ }
+
+ typedef ssh-public-key-type { // DELETE?
+ type binary;
+ description
+ "The binary public key data for this SSH key, as
+ specified by RFC 4253, Section 6.6, i.e.:
+
+ string certificate or public key format
+ identifier
+ byte[n] key/certificate data.";
+ reference
+ "RFC 4253: The Secure Shell (SSH) Transport
+ Layer Protocol";
+ }
+
+ /**********************************************/
+ /* Groupings for keys and/or certificates */
+ /**********************************************/
+
+ grouping symmetric-key-grouping {
+ description
+ "A symmetric key and algorithm.";
+ leaf algorithm {
+ type encryption-algorithm-t;
+ mandatory true;
+ description
+ "The algorithm to be used when generating the key.";
+ reference
+ "RFC CCCC: Common YANG Data Types for Cryptography";
+ }
+ leaf key-format {
+ nacm:default-deny-write;
+ when "../key";
+ type identityref {
+ base symmetric-key-format;
+ }
+ description "Identifies the symmetric key's format.";
+ }
+ choice key-type {
+ mandatory true;
+ description
+ "Choice between key types.";
+ leaf key {
+ nacm:default-deny-all;
+ type binary;
+ //must "../key-format"; FIXME: remove comment if approach ok
+ description
+ "The binary value of the key. The interpretation of
+ the value is defined by 'key-format'. For example,
+ FIXME.";
+ reference
+ "RFC XXXX: FIXME";
+ }
+ leaf hidden-key {
+ nacm:default-deny-write;
+ type empty;
+ description
+ "A permanently hidden key. How such keys are created
+ is outside the scope of this module.";
+ }
+ }
+ }
+
+ grouping public-key-grouping {
+ description
+ "A public key and its associated algorithm.";
+ leaf algorithm {
+ nacm:default-deny-write;
+ type asymmetric-key-algorithm-t;
+ mandatory true;
+ description
+ "Identifies the key's algorithm.";
+ reference
+ "RFC CCCC: Common YANG Data Types for Cryptography";
+ }
+ leaf public-key-format {
+ nacm:default-deny-write;
+ when "../public-key";
+ type identityref {
+ base public-key-format;
+ }
+ description "Identifies the key's format.";
+ }
+ leaf public-key {
+ nacm:default-deny-write;
+ type binary;
+ //must "../public-key-format"; FIXME: rm comment if approach ok
+ mandatory true;
+ description
+ "The binary value of the public key. The interpretation
+ of the value is defined by 'public-key-format' field.";
+ }
+ }
+
+ grouping asymmetric-key-pair-grouping {
+ description
+ "A private key and its associated public key and algorithm.";
+ uses public-key-grouping;
+ leaf private-key-format {
+ nacm:default-deny-write;
+ when "../private-key";
+ type identityref {
+ base private-key-format;
+ }
+ description "Identifies the key's format.";
+ }
+ choice private-key-type {
+ mandatory true;
+ description
+ "Choice between key types.";
+ leaf private-key {
+ nacm:default-deny-all;
+ type binary;
+ //must "../private-key-format"; FIXME: rm comment if ok
+ description
+ "The value of the binary key. The key's value is
+ interpreted by the 'private-key-format' field.";
+ }
+ leaf hidden-private-key {
+ nacm:default-deny-write;
+ type empty;
+ description
+ "A permanently hidden key. How such keys are created
+ is outside the scope of this module.";
+ }
+ }
+ }
+
+ grouping trust-anchor-cert-grouping {
+ description
+ "A trust anchor certificate, and a notification for when
+ it is about to (or already has) expire.";
+ leaf cert {
+ nacm:default-deny-write;
+ type trust-anchor-cert-cms;
+ description
+ "The binary certificate data for this certificate.";
+ reference
+ "RFC YYYY: Common YANG Data Types for Cryptography";
+ }
+ notification certificate-expiration {
+ description
+ "A notification indicating that the configured certificate
+ is either about to expire or has already expired. When to
+ send notifications is an implementation specific decision,
+ but it is RECOMMENDED that a notification be sent once a
+ month for 3 months, then once a week for four weeks, and
+ then once a day thereafter until the issue is resolved.";
+ leaf expiration-date {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "Identifies the expiration date on the certificate.";
+ }
+ }
+ }
+
+ grouping trust-anchor-certs-grouping {
+ description
+ "A list of trust anchor certificates, and a notification
+ for when one is about to (or already has) expire.";
+ leaf-list cert {
+ nacm:default-deny-write;
+ type trust-anchor-cert-cms;
+ description
+ "The binary certificate data for this certificate.";
+ reference
+ "RFC YYYY: Common YANG Data Types for Cryptography";
+ }
+ notification certificate-expiration {
+ description
+ "A notification indicating that the configured certificate
+ is either about to expire or has already expired. When to
+ send notifications is an implementation specific decision,
+ but it is RECOMMENDED that a notification be sent once a
+ month for 3 months, then once a week for four weeks, and
+ then once a day thereafter until the issue is resolved.";
+ leaf expiration-date {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "Identifies the expiration date on the certificate.";
+ }
+ }
+ }
+
+ grouping end-entity-cert-grouping {
+ description
+ "An end entity certificate, and a notification for when
+ it is about to (or already has) expire. Implementations
+ SHOULD assert that, where used, the end entity certificate
+ contains the expected public key.";
+ leaf cert {
+ nacm:default-deny-write;
+ type end-entity-cert-cms;
+ description
+ "The binary certificate data for this certificate.";
+ reference
+ "RFC YYYY: Common YANG Data Types for Cryptography";
+ }
+ notification certificate-expiration {
+ description
+ "A notification indicating that the configured certificate
+ is either about to expire or has already expired. When to
+ send notifications is an implementation specific decision,
+ but it is RECOMMENDED that a notification be sent once a
+ month for 3 months, then once a week for four weeks, and
+ then once a day thereafter until the issue is resolved.";
+ leaf expiration-date {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "Identifies the expiration date on the certificate.";
+ }
+ }
+ }
+
+ grouping end-entity-certs-grouping {
+ description
+ "A list of end entity certificates, and a notification for
+ when one is about to (or already has) expire.";
+ leaf-list cert {
+ nacm:default-deny-write;
+ type end-entity-cert-cms;
+ description
+ "The binary certificate data for this certificate.";
+ reference
+ "RFC YYYY: Common YANG Data Types for Cryptography";
+ }
+ notification certificate-expiration {
+ description
+ "A notification indicating that the configured certificate
+ is either about to expire or has already expired. When to
+ send notifications is an implementation specific decision,
+ but it is RECOMMENDED that a notification be sent once a
+ month for 3 months, then once a week for four weeks, and
+ then once a day thereafter until the issue is resolved.";
+ leaf expiration-date {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "Identifies the expiration date on the certificate.";
+ }
+ }
+ }
+
+ grouping asymmetric-key-pair-with-cert-grouping {
+ description
+ "A private/public key pair and an associated certificate.
+ Implementations SHOULD assert that certificates contain
+ the matching public key.";
+ uses asymmetric-key-pair-grouping;
+ uses end-entity-cert-grouping;
+ action generate-certificate-signing-request {
+ nacm:default-deny-all;
+ description
+ "Generates a certificate signing request structure for
+ the associated asymmetric key using the passed subject
+ and attribute values. The specified assertions need
+ to be appropriate for the certificate's use. For
+ example, an entity certificate for a TLS server
+ SHOULD have values that enable clients to satisfy
+ RFC 6125 processing.";
+ input {
+ leaf subject {
+ type binary;
+ mandatory true;
+ description
+ "The 'subject' field per the CertificationRequestInfo
+ structure as specified by RFC 2986, Section 4.1
+ encoded using the ASN.1 distinguished encoding
+ rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax
+ Specification Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ leaf attributes {
+ type binary; // FIXME: does this need to be mandatory?
+ description
+ "The 'attributes' field from the structure
+ CertificationRequestInfo as specified by RFC 2986,
+ Section 4.1 encoded using the ASN.1 distinguished
+ encoding rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax
+ Specification Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ }
+ output {
+ leaf certificate-signing-request {
+ type binary;
+ mandatory true;
+ description
+ "A CertificationRequest structure as specified by
+ RFC 2986, Section 4.2 encoded using the ASN.1
+ distinguished encoding rules (DER), as specified
+ in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax
+ Specification Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ }
+ } // generate-certificate-signing-request
+ } // asymmetric-key-pair-with-cert-grouping
+
+ grouping asymmetric-key-pair-with-certs-grouping {
+ description
+ "A private/public key pair and associated certificates.
+ Implementations SHOULD assert that certificates contain
+ the matching public key.";
+ uses asymmetric-key-pair-grouping;
+ container certificates {
+ nacm:default-deny-write;
+ description
+ "Certificates associated with this asymmetric key.
+ More than one certificate supports, for instance,
+ a TPM-protected asymmetric key that has both IDevID
+ and LDevID certificates associated.";
+ list certificate {
+ key "name";
+ description
+ "A certificate for this asymmetric key.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the certificate. If the name
+ matches the name of a certificate that exists
+ independently in <operational> (i.e., an IDevID),
+ then the 'cert' node MUST NOT be configured.";
+ }
+ uses end-entity-cert-grouping;
+ }
+ } // certificates
+ action generate-certificate-signing-request {
+ nacm:default-deny-all;
+ description
+ "Generates a certificate signing request structure for
+ the associated asymmetric key using the passed subject
+ and attribute values. The specified assertions need
+ to be appropriate for the certificate's use. For
+ example, an entity certificate for a TLS server
+ SHOULD have values that enable clients to satisfy
+ RFC 6125 processing.";
+ input {
+ leaf subject {
+ type binary;
+ mandatory true;
+ description
+ "The 'subject' field per the CertificationRequestInfo
+ structure as specified by RFC 2986, Section 4.1
+ encoded using the ASN.1 distinguished encoding
+ rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax
+ Specification Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ leaf attributes {
+ type binary; // FIXME: does this need to be mandatory?
+ description
+ "The 'attributes' field from the structure
+ CertificationRequestInfo as specified by RFC 2986,
+ Section 4.1 encoded using the ASN.1 distinguished
+ encoding rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax
+ Specification Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ }
+ output {
+ leaf certificate-signing-request {
+ type binary;
+ mandatory true;
+ description
+ "A CertificationRequest structure as specified by
+ RFC 2986, Section 4.2 encoded using the ASN.1
+ distinguished encoding rules (DER), as specified
+ in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax
+ Specification Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ }
+ } // generate-certificate-signing-request
+ } // asymmetric-key-pair-with-certs-grouping
+}
\ No newline at end of file
Code Review / sim / o1-interface.git / blobdiff