netconfcentral logo

ietf-keystore

HTML

ietf-keystore@2017-10-30



  module ietf-keystore {

    yang-version 1.1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-keystore";

    prefix ks;

    import ietf-yang-types {
      prefix yang;
      reference
        "RFC 6991: Common YANG Data Types";


    }
    import ietf-netconf-acm {
      prefix nacm;
      reference
        "RFC 6536: Network Configuration Protocol (NETCONF) Access
        Control Model";


    }

    organization
      "IETF NETCONF (Network Configuration) Working Group";

    contact
      "WG Web:   <http://tools.ietf.org/wg/netconf/>
    WG List:  <mailto:netconf@ietf.org>

    Author:   Kent Watsen
              <mailto:kwatsen@juniper.net>";

    description
      "This module defines a keystore to centralize management
    of security credentials.

    Copyright (c) 2017 IETF Trust and the persons identified
    as authors of the code. All rights reserved.

    Redistribution and use in source and binary forms, with
    or without modification, is permitted pursuant to, and
    subject to the license terms contained in, the Simplified
    BSD License set forth in Section 4.c of the IETF Trust's
    Legal Provisions Relating to IETF Documents
    (http://trustee.ietf.org/license-info).

    This version of this YANG module is part of RFC VVVV; see
    the RFC itself for full legal notices.";

    revision "2017-10-30" {
      description "Initial version";
      reference
        "RFC VVVV: YANG Data Model for a 'Keystore' Mechanism";

    }


    identity key-algorithm {
      base 
      description
        "Base identity from which all key-algorithms are derived.";
    }

    identity rsa1024 {
      base key-algorithm;
      description
        "The RSA algorithm using a 1024-bit key.";
      reference
        "RFC3447: Public-Key Cryptography Standards (PKCS) #1:
        	 RSA Cryptography Specifications Version 2.1.";

    }

    identity rsa2048 {
      base key-algorithm;
      description
        "The RSA algorithm using a 2048-bit key.";
      reference
        "RFC3447: Public-Key Cryptography Standards (PKCS) #1:
        	 RSA Cryptography Specifications Version 2.1.";

    }

    identity rsa3072 {
      base key-algorithm;
      description
        "The RSA algorithm using a 3072-bit key.";
      reference
        "RFC3447: Public-Key Cryptography Standards (PKCS) #1:
        	 RSA Cryptography Specifications Version 2.1.";

    }

    identity rsa4096 {
      base key-algorithm;
      description
        "The RSA algorithm using a 4096-bit key.";
      reference
        "RFC3447: Public-Key Cryptography Standards (PKCS) #1:
        	 RSA Cryptography Specifications Version 2.1.";

    }

    identity rsa7680 {
      base key-algorithm;
      description
        "The RSA algorithm using a 7680-bit key.";
      reference
        "RFC3447: Public-Key Cryptography Standards (PKCS) #1:
        	 RSA Cryptography Specifications Version 2.1.";

    }

    identity rsa15360 {
      base key-algorithm;
      description
        "The RSA algorithm using a 15360-bit key.";
      reference
        "RFC3447: Public-Key Cryptography Standards (PKCS) #1:
        	 RSA Cryptography Specifications Version 2.1.";

    }

    identity secp192r1 {
      base key-algorithm;
      description "The secp192r1 algorithm.";
      reference
        "RFC5480:
          Elliptic Curve Cryptography Subject Public Key Information.";

    }

    identity secp256r1 {
      base key-algorithm;
      description "The secp256r1 algorithm.";
      reference
        "RFC5480:
          Elliptic Curve Cryptography Subject Public Key Information.";

    }

    identity secp384r1 {
      base key-algorithm;
      description "The secp384r1 algorithm.";
      reference
        "RFC5480:
          Elliptic Curve Cryptography Subject Public Key Information.";

    }

    identity secp521r1 {
      base key-algorithm;
      description "The secp521r1 algorithm.";
      reference
        "RFC5480:
          Elliptic Curve Cryptography Subject Public Key Information.";

    }

    typedef pinned-certificates {
      type leafref {
        path "/ks:keystore/ks:pinned-certificates/ks:name";
      }
      description
        "This typedef enables importing modules to easily define a
       reference to pinned-certificates.  Use of this type also
       impacts the YANG tree diagram output.";
      reference
        "I-D.ietf-netmod-yang-tree-diagrams: YANG Tree Diagrams";

    }

    typedef pinned-host-keys {
      type leafref {
        path "/ks:keystore/ks:pinned-host-keys/ks:name";
      }
      description
        "This typedef enables importing modules to easily define a
       reference to pinned-host-keys.  Use of this type also
       impacts the YANG tree diagram output.";
      reference
        "I-D.ietf-netmod-yang-tree-diagrams: YANG Tree Diagrams";

    }

    grouping private-key-grouping {
      description
        "A private/public key pair, and an action to request the
       system to generate a private key.";
      leaf algorithm {
        type identityref {
          base key-algorithm;
        }
        description
          "Identifies the key's algorithm.  More specifically, this
         leaf specifies how the 'private-key' and 'public-key'
         binary leafs are encoded.";
      }

      leaf private-key {
        nacm:default-deny-all;
        type union {
          type binary;
          type enumeration {
            enum "hardware-protected" {
              value 0;
              description
                "The private key is inaccessible due to being
              protected by a cryptographic hardware module
              (e.g., a TPM).";
            }
          }
        }
        must "../algorithm";
        description
          "A binary that contains the value of the private key.  The
         interpretation of the content is defined by the key
         algorithm.  For example, a DSA key is an integer, an RSA
         key is represented as RSAPrivateKey as defined in
         [RFC3447], and an Elliptic Curve Cryptography (ECC) key
         is represented as ECPrivateKey as defined in [RFC5915]";
        reference
          "RFC 3447: Public-Key Cryptography Standards (PKCS) #1:
          	  RSA Cryptography Specifications Version 2.1.
           RFC 5915: Elliptic Curve Private Key Structure.";

      }

      leaf public-key {
        type binary;
        must "../algorithm";
        must "../private-key";
        description
          "A binary that contains the value of the public key.  The
         interpretation of the content is defined by the key
         algorithm.  For example, a DSA key is an integer, an RSA
         key is represented as RSAPublicKey as defined in
         [RFC3447], and an Elliptic Curve Cryptography (ECC) key
         is represented using the 'publicKey' described in
         [RFC5915]";
        reference
          "RFC 3447: Public-Key Cryptography Standards (PKCS) #1:
          	  RSA Cryptography Specifications Version 2.1.
           RFC 5915: Elliptic Curve Private Key Structure.";

      }

      action generate-private-key {
        description
          "Requests the device to generate a private key using the
         specified key algorithm.  This action is primarily to
         support cryptographic processors that must generate
         the private key themselves.  The resulting key is
         considered operational state and hence only present
         in the <operational>.";
        input {
          leaf algorithm {
            type identityref {
              base key-algorithm;
            }
            mandatory true;
            description
              "The algorithm to be used when generating the key.";
          }
        }
      }  // rpc generate-private-key
    }  // grouping private-key-grouping

    grouping certificate-grouping {
      description
        "A container of certificates, and an action to generate
       a certificate signing request.";
      container certificates {
        description
          "Certificates associated with this key.  More than one
         certificate supports, for instance, a TPM-protected
         key that has both IDevID and LDevID certificates
         associated.";
        list certificate {
          key "name";
          description
            "A certificate for this private key.";
          leaf name {
            type string;
            description
              "An arbitrary name for the certificate.";
          }

          leaf value {
            type binary;
            description
              "A PKCS #7 SignedData structure, as specified by
            Section 9.1 in RFC 2315, containing just certificates
            (no content, signatures, or CRLs), encoded using ASN.1
            distinguished encoding rules (DER), as specified in
            ITU-T X.690.

            This structure contains the certificate itself as well
            as any intermediate certificates leading up to a trust
            anchor certificate.  The trust anchor certificate MAY
            be included as well.";
            reference
              "RFC 2315:
                PKCS #7: Cryptographic Message Syntax Version 1.5.
              ITU-T X.690:
                Information technology - ASN.1 encoding rules:
                Specification of Basic Encoding Rules (BER),
                Canonical Encoding Rules (CER) and Distinguished
                Encoding Rules (DER).";

          }
        }  // list certificate
      }  // container certificates

      action generate-certificate-signing-request {
        description
          "Generates a certificate signing request structure for
         the associated private key using the passed subject and
         attribute values.  The specified assertions need to be
         appropriate for the certificate's use.  For example,
         an entity certificate for a TLS server SHOULD have
         values that enable clients to satisfy RFC 6125
         processing.";
        input {
          leaf subject {
            type binary;
            mandatory true;
            description
              "The 'subject' field from the CertificationRequestInfo
             structure as specified by RFC 2986, Section 4.1 encoded
             using the ASN.1 distinguished encoding rules (DER), as
             specified in ITU-T X.690.";
            reference
              "RFC 2986:
                PKCS #10: Certification Request Syntax Specification
                Version 1.7.
              ITU-T X.690:
                 Information technology - ASN.1 encoding rules:
                 Specification of Basic Encoding Rules (BER),
                 Canonical Encoding Rules (CER) and Distinguished
                 Encoding Rules (DER).";

          }

          leaf attributes {
            type binary;
            description
              "The 'attributes' field from the CertificationRequestInfo
            structure as specified by RFC 2986, Section 4.1 encoded
            using the ASN.1 distinguished encoding rules (DER), as
            specified in ITU-T X.690.";
            reference
              "RFC 2986:
                PKCS #10: Certification Request Syntax Specification
                Version 1.7.
              ITU-T X.690:
                 Information technology - ASN.1 encoding rules:
                 Specification of Basic Encoding Rules (BER),
                 Canonical Encoding Rules (CER) and Distinguished
                 Encoding Rules (DER).";

          }
        }

        output {
          leaf certificate-signing-request {
            type binary;
            mandatory true;
            description
              "A CertificationRequest structure as specified by RFC
             2986, Section 4.1 encoded using the ASN.1 distinguished
             encoding rules (DER), as specified in ITU-T X.690.";
            reference
              "RFC 2986:
                PKCS #10: Certification Request Syntax Specification
                Version 1.7.
              ITU-T X.690:
                 Information technology - ASN.1 encoding rules:
                 Specification of Basic Encoding Rules (BER),
                 Canonical Encoding Rules (CER) and Distinguished
                 Encoding Rules (DER).";

          }
        }
      }  // rpc generate-certificate-signing-request
    }  // grouping certificate-grouping

    container keystore {
      nacm:default-deny-write;
      description
        "The keystore contains X.509 certificates and SSH host keys.";
      list pinned-certificates {
        key "name";
        description
          "A list of pinned certificates.  These certificates can be
         used by a server to authenticate clients, or by clients to
         authenticate servers.   Each list of pinned certificates
         SHOULD be specific to a purpose, as the list as a whole
         may be referenced by other modules.  For instance, a
         NETCONF server's configuration might use a specific list
         of pinned certificates for when authenticating NETCONF
         client connections.";
        leaf name {
          type string;
          description
            "An arbitrary name for this list of pinned certificates.";
        }

        leaf description {
          type string;
          description
            "An arbitrary description for this list of pinned
           certificates.";
        }

        list pinned-certificate {
          key "name";
          description
            "A pinned certificate.";
          leaf name {
            type string;
            description
              "An arbitrary name for this pinned certificate. The
             name must be unique across all lists of pinned
             certificates (not just this list) so that leafrefs
             from another module can resolve to unique values.";
          }

          leaf data {
            type binary;
            mandatory true;
            description
              "An X.509 v3 certificate structure as specified by RFC
             5280, Section 4 encoded using the ASN.1 distinguished
             encoding rules (DER), as specified in ITU-T X.690.";
            reference
              "RFC 5280:
                Internet X.509 Public Key Infrastructure Certificate
                and Certificate Revocation List (CRL) Profile.
              ITU-T X.690:
                 Information technology - ASN.1 encoding rules:
                 Specification of Basic Encoding Rules (BER),
                 Canonical Encoding Rules (CER) and Distinguished
                 Encoding Rules (DER).";

          }
        }  // list pinned-certificate
      }  // list pinned-certificates

      list pinned-host-keys {
        key "name";
        description
          "A list of pinned host keys.  These pinned host-keys can
         be used by clients to authenticate SSH servers.  Each
         list of pinned host keys SHOULD be specific to a purpose,
         so the list as a whole may be referenced by other modules.
         For instance, a NETCONF client's configuration might
         point to a specific list of pinned host keys for when
         authenticating specific SSH servers.";
        leaf name {
          type string;
          description
            "An arbitrary name for this list of pinned SSH host keys.";
        }

        leaf description {
          type string;
          description
            "An arbitrary description for this list of pinned SSH host
           keys.";
        }

        list pinned-host-key {
          key "name";
          description "A pinned host key.";
          leaf name {
            type string;
            description
              "An arbitrary name for this pinned host-key. Must be
             unique across all lists of pinned host-keys (not just
             this list) so that a leafref to it from another module
             can resolve to unique values.";
          }

          leaf data {
            type binary;
            mandatory true;
            description
              "The binary public key data for this SSH key, as
             specified by RFC 4253, Section 6.6, i.e.:

               string    certificate or public key format
                         identifier
               byte[n]   key/certificate data.";
            reference
              "RFC 4253: The Secure Shell (SSH) Transport Layer
              	  Protocol";

          }
        }  // list pinned-host-key
      }  // list pinned-host-keys
    }  // container keystore

    notification certificate-expiration {
      description
        "A notification indicating that a configured certificate is
       either about to expire or has already expired.  When to send
       notifications is an implementation specific decision, but
       it is RECOMMENDED that a notification be sent once a month
       for 3 months, then once a week for four weeks, and then once
       a day thereafter.";
      leaf certificate {
        type instance-identifier;
        mandatory true;
        description
          "Identifies which certificate is expiring or is expired.";
      }

      leaf expiration-date {
        type yang:date-and-time;
        mandatory true;
        description
          "Identifies the expiration date on the certificate.";
      }
    }  // notification certificate-expiration
  }  // module ietf-keystore

Summary

  
  
Organization IETF NETCONF (Network Configuration) Working Group
  
Module ietf-keystore
Version 2017-10-30
File ietf-keystore@2017-10-30.yang
  
Prefix ks
Namespace urn:ietf:params:xml:ns:yang:ietf-keystore
  
Cooked /cookedmodules/ietf-keystore/2017-10-30
YANG /src/ietf-keystore@2017-10-30.yang
XSD /xsd/ietf-keystore@2017-10-30.xsd
  
Abstract This module defines a keystore to centralize management of security credentials. Copyright (c) 2017 IETF Trust and the persons ...
  
Contact
WG Web:   <http://tools.ietf.org/wg/netconf/>
WG List:  <mailto:netconf@ietf.org>

Author:   Kent Watsen
	  <mailto:kwatsen@juniper.net>

Description

 
This module defines a keystore to centralize management
of security credentials.

Copyright (c) 2017 IETF Trust and the persons identified
as authors of the code. All rights reserved.

Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).

This version of this YANG module is part of RFC VVVV; see
the RFC itself for full legal notices.

Typedefs

Typedef Base type Abstract
pinned-certificates leafref This typedef enables importing modules to easily define a reference to pinned-certificates. Use of this type also impacts the YANG tree diagram output.
pinned-host-keys leafref This typedef enables importing modules to easily define a reference to pinned-host-keys. Use of this type also impacts the YANG tree diagram output.

Groupings

Grouping Objects Abstract
certificate-grouping certificates generate-certificate-signing-request A container of certificates, and an action to generate a certificate signing request.
private-key-grouping algorithm private-key public-key generate-private-key A private/public key pair, and an action to request the system to generate a private key.

Objects

Type Key
Mandatory config
Optional config
Not config
Object Type Abstract
keystore container The keystore contains X.509 certificates and SSH host keys.
   pinned-certificates list A list of pinned certificates. These certificates can be used by a server to authenticate clients, or by clients to authenticate servers. Each list of pinned certificates SHOULD be specific to a purpose, as the list as a whole may be referenced by othe...
      description leaf An arbitrary description for this list of pinned certificates.
      name leaf An arbitrary name for this list of pinned certificates.
      pinned-certificate list A pinned certificate.
         data leaf An X.509 v3 certificate structure as specified by RFC 5280, Section 4 encoded using the ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690.
         name leaf An arbitrary name for this pinned certificate. The name must be unique across all lists of pinned certificates (not just this list) so that leafrefs from another module can resolve to unique values.
   pinned-host-keys list A list of pinned host keys. These pinned host-keys can be used by clients to authenticate SSH servers. Each list of pinned host keys SHOULD be specific to a purpose, so the list as a whole may be referenced by other modules. For instance, a NETCONF clie...
      description leaf An arbitrary description for this list of pinned SSH host keys.
      name leaf An arbitrary name for this list of pinned SSH host keys.
      pinned-host-key list A pinned host key.
         data leaf The binary public key data for this SSH key, as specified by RFC 4253, Section 6.6, i.e.: string certificate or public key format identifier byte[n] key/certificate data.
         name leaf An arbitrary name for this pinned host-key. Must be unique across all lists of pinned host-keys (not just this list) so that a leafref to it from another module can resolve to unique values.

Notifications

Notification Abstract
certificate-expiration A notification indicating that a configured certificate is either about to expire or has already expired. When to send notifications is an implementation specific decision, but it is RECOMMENDED that a notification be sent once a month for 3 months, then...