module ietf-keystore { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-keystore"; prefix "ks"; import ietf-yang-types { prefix yang; reference "RFC 6991: Common YANG Data Types"; } import ietf-netconf-acm { prefix nacm; reference "RFC 6536: Network Configuration Protocol (NETCONF) Access Control Model"; } organization "IETF NETCONF (Network Configuration) Working Group"; contact "WG Web: WG List: Author: Kent Watsen "; description "This module defines a keystore to centralize management of security credentials. Copyright (c) 2017 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC VVVV; see the RFC itself for full legal notices."; revision "2017-10-30" { description "Initial version"; reference "RFC VVVV: YANG Data Model for a 'Keystore' Mechanism"; } // Identities identity key-algorithm { description "Base identity from which all key-algorithms are derived."; } identity rsa1024 { base key-algorithm; description "The RSA algorithm using a 1024-bit key."; reference "RFC3447: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1."; } identity rsa2048 { base key-algorithm; description "The RSA algorithm using a 2048-bit key."; reference "RFC3447: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1."; } identity rsa3072 { base key-algorithm; description "The RSA algorithm using a 3072-bit key."; reference "RFC3447: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1."; } identity rsa4096 { base key-algorithm; description "The RSA algorithm using a 4096-bit key."; reference "RFC3447: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1."; } identity rsa7680 { base key-algorithm; description "The RSA algorithm using a 7680-bit key."; reference "RFC3447: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1."; } identity rsa15360 { base key-algorithm; description "The RSA algorithm using a 15360-bit key."; reference "RFC3447: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1."; } identity secp192r1 { base key-algorithm; description "The secp192r1 algorithm."; reference "RFC5480: Elliptic Curve Cryptography Subject Public Key Information."; } identity secp256r1 { base key-algorithm; description "The secp256r1 algorithm."; reference "RFC5480: Elliptic Curve Cryptography Subject Public Key Information."; } identity secp384r1 { base key-algorithm; description "The secp384r1 algorithm."; reference "RFC5480: Elliptic Curve Cryptography Subject Public Key Information."; } identity secp521r1 { base key-algorithm; description "The secp521r1 algorithm."; reference "RFC5480: Elliptic Curve Cryptography Subject Public Key Information."; } // typedefs typedef pinned-certificates { type leafref { path "/ks:keystore/ks:pinned-certificates/ks:name"; } description "This typedef enables importing modules to easily define a reference to pinned-certificates. Use of this type also impacts the YANG tree diagram output."; reference "I-D.ietf-netmod-yang-tree-diagrams: YANG Tree Diagrams"; } typedef pinned-host-keys { type leafref { path "/ks:keystore/ks:pinned-host-keys/ks:name"; } description "This typedef enables importing modules to easily define a reference to pinned-host-keys. Use of this type also impacts the YANG tree diagram output."; reference "I-D.ietf-netmod-yang-tree-diagrams: YANG Tree Diagrams"; } // groupings grouping private-key-grouping { description "A private/public key pair, and an action to request the system to generate a private key."; leaf algorithm { type identityref { base "key-algorithm"; } description "Identifies the key's algorithm. More specifically, this leaf specifies how the 'private-key' and 'public-key' binary leafs are encoded."; } leaf private-key { nacm:default-deny-all; type union { type binary; type enumeration { enum "hardware-protected" { description "The private key is inaccessible due to being protected by a cryptographic hardware module (e.g., a TPM)."; } } } must "../algorithm"; description "A binary that contains the value of the private key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPrivateKey as defined in [RFC3447], and an Elliptic Curve Cryptography (ECC) key is represented as ECPrivateKey as defined in [RFC5915]"; reference "RFC 3447: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1. RFC 5915: Elliptic Curve Private Key Structure."; } leaf public-key { type binary; must "../algorithm"; must "../private-key"; description "A binary that contains the value of the public key. The interpretation of the content is defined by the key algorithm. For example, a DSA key is an integer, an RSA key is represented as RSAPublicKey as defined in [RFC3447], and an Elliptic Curve Cryptography (ECC) key is represented using the 'publicKey' described in [RFC5915]"; reference "RFC 3447: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1. RFC 5915: Elliptic Curve Private Key Structure."; } action generate-private-key { description "Requests the device to generate a private key using the specified key algorithm. This action is primarily to support cryptographic processors that must generate the private key themselves. The resulting key is considered operational state and hence only present in the ."; input { leaf algorithm { type identityref { base "key-algorithm"; } mandatory true; description "The algorithm to be used when generating the key."; } } } // end generate-private-key } grouping certificate-grouping { description "A container of certificates, and an action to generate a certificate signing request."; container certificates { description "Certificates associated with this key. More than one certificate supports, for instance, a TPM-protected key that has both IDevID and LDevID certificates associated."; list certificate { key name; description "A certificate for this private key."; leaf name { type string; description "An arbitrary name for the certificate."; } leaf value { type binary; description "A PKCS #7 SignedData structure, as specified by Section 9.1 in RFC 2315, containing just certificates (no content, signatures, or CRLs), encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690. This structure contains the certificate itself as well as any intermediate certificates leading up to a trust anchor certificate. The trust anchor certificate MAY be included as well."; reference "RFC 2315: PKCS #7: Cryptographic Message Syntax Version 1.5. ITU-T X.690: Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)."; } } } action generate-certificate-signing-request { description "Generates a certificate signing request structure for the associated private key using the passed subject and attribute values. The specified assertions need to be appropriate for the certificate's use. For example, an entity certificate for a TLS server SHOULD have values that enable clients to satisfy RFC 6125 processing."; input { leaf subject { type binary; mandatory true; description "The 'subject' field from the CertificationRequestInfo structure as specified by RFC 2986, Section 4.1 encoded using the ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690."; reference "RFC 2986: PKCS #10: Certification Request Syntax Specification Version 1.7. ITU-T X.690: Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)."; } leaf attributes { type binary; description "The 'attributes' field from the CertificationRequestInfo structure as specified by RFC 2986, Section 4.1 encoded using the ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690."; reference "RFC 2986: PKCS #10: Certification Request Syntax Specification Version 1.7. ITU-T X.690: Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)."; } } output { leaf certificate-signing-request { type binary; mandatory true; description "A CertificationRequest structure as specified by RFC 2986, Section 4.1 encoded using the ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690."; reference "RFC 2986: PKCS #10: Certification Request Syntax Specification Version 1.7. ITU-T X.690: Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)."; } } } } // protocol accessible nodes container keystore { nacm:default-deny-write; description "The keystore contains X.509 certificates and SSH host keys."; list pinned-certificates { key name; description "A list of pinned certificates. These certificates can be used by a server to authenticate clients, or by clients to authenticate servers. Each list of pinned certificates SHOULD be specific to a purpose, as the list as a whole may be referenced by other modules. For instance, a NETCONF server's configuration might use a specific list of pinned certificates for when authenticating NETCONF client connections."; leaf name { type string; description "An arbitrary name for this list of pinned certificates."; } leaf description { type string; description "An arbitrary description for this list of pinned certificates."; } list pinned-certificate { key name; description "A pinned certificate."; leaf name { type string; description "An arbitrary name for this pinned certificate. The name must be unique across all lists of pinned certificates (not just this list) so that leafrefs from another module can resolve to unique values."; } leaf data { type binary; mandatory true; description "An X.509 v3 certificate structure as specified by RFC 5280, Section 4 encoded using the ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690."; reference "RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. ITU-T X.690: Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)."; } } } list pinned-host-keys { key name; description "A list of pinned host keys. These pinned host-keys can be used by clients to authenticate SSH servers. Each list of pinned host keys SHOULD be specific to a purpose, so the list as a whole may be referenced by other modules. For instance, a NETCONF client's configuration might point to a specific list of pinned host keys for when authenticating specific SSH servers."; leaf name { type string; description "An arbitrary name for this list of pinned SSH host keys."; } leaf description { type string; description "An arbitrary description for this list of pinned SSH host keys."; } list pinned-host-key { key name; description "A pinned host key."; leaf name { type string; description "An arbitrary name for this pinned host-key. Must be unique across all lists of pinned host-keys (not just this list) so that a leafref to it from another module can resolve to unique values."; } leaf data { type binary; mandatory true; description "The binary public key data for this SSH key, as specified by RFC 4253, Section 6.6, i.e.: string certificate or public key format identifier byte[n] key/certificate data."; reference "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; } } } } notification certificate-expiration { description "A notification indicating that a configured certificate is either about to expire or has already expired. When to send notifications is an implementation specific decision, but it is RECOMMENDED that a notification be sent once a month for 3 months, then once a week for four weeks, and then once a day thereafter."; leaf certificate { type instance-identifier; mandatory true; description "Identifies which certificate is expiring or is expired."; } leaf expiration-date { type yang:date-and-time; mandatory true; description "Identifies the expiration date on the certificate."; } } }