module ietf-crypto-types {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";
prefix "ct";
import ietf-yang-types {
prefix yang;
reference
"RFC 6991: Common YANG Data Types";
}
import ietf-netconf-acm {
prefix nacm;
reference
"RFC 6536: Network Configuration Protocol (NETCONF) Access
Control Model";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web:
WG List:
Author: Kent Watsen
";
description
"This module defines common YANG types for cryptography applications.
Copyright (c) 2018 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.";
revision "2018-03-05" {
description
"Initial version";
reference
"RFC XXXX: Common YANG Data Types for Cryptography";
}
/****************************************/
/* Identities for Hashing Algorithms */
/****************************************/
identity hash-algorithm {
description
"A base identity for hash algorithm verification.
This identity is used in the ietf-zerotouch-information
module (draft-ietf-netconf-zerotouch)";
}
identity sha-256 {
base "hash-algorithm";
description "The SHA-256 algorithm.";
reference "RFC 6234: US Secure Hash Algorithms.";
}
/************************************************************/
/* Identities for Key Algorithms (used by Certificates) */
/************************************************************/
identity key-algorithm {
description
"Base identity from which all key-algorithms are derived.
This identity is used in the 'private-key-grouping' grouping
and the 'generate-private-key' action below.";
}
identity rsa1024 {
base key-algorithm;
description
"The RSA algorithm using a 1024-bit key.";
reference
"RFC3447: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.1.";
}
identity rsa2048 {
base key-algorithm;
description
"The RSA algorithm using a 2048-bit key.";
reference
"RFC3447: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.1.";
}
identity rsa3072 {
base key-algorithm;
description
"The RSA algorithm using a 3072-bit key.";
reference
"RFC3447: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.1.";
}
identity rsa4096 {
base key-algorithm;
description
"The RSA algorithm using a 4096-bit key.";
reference
"RFC3447: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.1.";
}
identity rsa7680 {
base key-algorithm;
description
"The RSA algorithm using a 7680-bit key.";
reference
"RFC3447: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.1.";
}
identity rsa15360 {
base key-algorithm;
description
"The RSA algorithm using a 15360-bit key.";
reference
"RFC3447: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.1.";
}
identity secp192r1 {
base key-algorithm;
description
"The secp192r1 algorithm.";
reference
"RFC5480:
Elliptic Curve Cryptography Subject Public Key Information.";
}
identity secp256r1 {
base key-algorithm;
description
"The secp256r1 algorithm.";
reference
"RFC5480:
Elliptic Curve Cryptography Subject Public Key Information.";
}
identity secp384r1 {
base key-algorithm;
description
"The secp384r1 algorithm.";
reference
"RFC5480:
Elliptic Curve Cryptography Subject Public Key Information.";
}
identity secp521r1 {
base key-algorithm;
description
"The secp521r1 algorithm.";
reference
"RFC5480:
Elliptic Curve Cryptography Subject Public Key Information.";
}
/************************************/
/* Typedefs for ASN.1 structures */
/************************************/
typedef x509 {
type binary;
description
"A Certificate structure, as specified in RFC 5280, encoded using
ASN.1 distinguished encoding rules (DER), as specified in
ITU-T X.690.";
reference
"RFC 5652:
Cryptographic Message Syntax (CMS)
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
typedef cms {
type binary;
description
"A ContentInfo structure, as specified in RFC 5652, encoded
using ASN.1 distinguished encoding rules (DER), as specified
in ITU-T X.690.";
reference
"RFC 5652:
Cryptographic Message Syntax (CMS)
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
/******************************************************************/
/* Groupings for a Private Key and its Associated Certificates */
/******************************************************************/
grouping private-key-grouping {
description
"A private/public key pair, and an action to request the
system to generate a private key.
This grouping is currently used by the YANG modules
ietf-ssh-client, ietf-ssh-server, ietf-tls-client,
and ietf-tls-server, where it populates the SSH/TLS
peer object's private key parameters.";
leaf algorithm {
type identityref {
base "key-algorithm";
}
description
"Identifies the key's algorithm. More specifically, this
leaf specifies how the 'private-key' and 'public-key'
binary leafs are encoded.";
}
leaf private-key {
nacm:default-deny-all;
type union {
type binary;
type enumeration {
enum "hardware-protected" {
description
"The private key is inaccessible due to being
protected by a cryptographic hardware module
(e.g., a TPM).";
}
}
}
must "../algorithm";
description
"A binary that contains the value of the private key. The
interpretation of the content is defined by the key
algorithm. For example, a DSA key is an integer, an RSA
key is represented as RSAPrivateKey as defined in
[RFC3447], and an Elliptic Curve Cryptography (ECC) key
is represented as ECPrivateKey as defined in [RFC5915]";
reference
"RFC 3447: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.1.
RFC 5915: Elliptic Curve Private Key Structure.";
}
leaf public-key {
type binary;
must "../algorithm";
must "../private-key";
description
"A binary that contains the value of the public key. The
interpretation of the content is defined by the key
algorithm. For example, a DSA key is an integer, an RSA
key is represented as RSAPublicKey as defined in
[RFC3447], and an Elliptic Curve Cryptography (ECC) key
is represented using the 'publicKey' described in
[RFC5915]";
reference
"RFC 3447: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.1.
RFC 5915: Elliptic Curve Private Key Structure.";
}
action generate-private-key {
description
"Requests the device to generate a private key using the
specified key algorithm. This action is primarily to
support cryptographic processors that must generate
the private key themselves. The resulting key is
considered operational state and hence only present
in .";
input {
leaf algorithm {
type identityref {
base "key-algorithm";
}
mandatory true;
description
"The algorithm to be used when generating the key.";
}
}
} // end generate-private-key
}
grouping certificates-grouping {
description
"A container of certificates, and an action to generate
a certificate signing request.
This grouping is currently used by the YANG modules
ietf-ssh-client, ietf-ssh-server, ietf-tls-client,
and ietf-tls-server, where it populates the SSH/TLS
peer object's value for a certificates associated
with the private key.";
container certificates {
description
"Certificates associated with this key. More than one
certificate supports, for instance, a TPM-protected
key that has both IDevID and LDevID certificates
associated.";
list certificate {
key name;
description
"A certificate for this private key.";
leaf name {
type string;
description
"An arbitrary name for the certificate.";
}
leaf value {
type binary;
description
"A PKCS #7 SignedData structure, as specified by
Section 9.1 in RFC 2315, containing just certificates
(no content, signatures, or CRLs), encoded using ASN.1
distinguished encoding rules (DER), as specified in
ITU-T X.690.
This structure contains the certificate itself as well
as any intermediate certificates leading up to a trust
anchor certificate. The trust anchor certificate MAY
be included as well.";
reference
"RFC 2315:
PKCS #7: Cryptographic Message Syntax Version 1.5.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
}
}
action generate-certificate-signing-request {
description
"Generates a certificate signing request structure for
the associated private key using the passed subject and
attribute values. The specified assertions need to be
appropriate for the certificate's use. For example,
an entity certificate for a TLS server SHOULD have
values that enable clients to satisfy RFC 6125
processing.";
input {
leaf subject {
type binary;
mandatory true;
description
"The 'subject' field from the CertificationRequestInfo
structure as specified by RFC 2986, Section 4.1 encoded
using the ASN.1 distinguished encoding rules (DER), as
specified in ITU-T X.690.";
reference
"RFC 2986:
PKCS #10: Certification Request Syntax Specification
Version 1.7.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
leaf attributes {
type binary;
description
"The 'attributes' field from the CertificationRequestInfo
structure as specified by RFC 2986, Section 4.1 encoded
using the ASN.1 distinguished encoding rules (DER), as
specified in ITU-T X.690.";
reference
"RFC 2986:
PKCS #10: Certification Request Syntax Specification
Version 1.7.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
}
output {
leaf certificate-signing-request {
type binary;
mandatory true;
description
"A CertificationRequest structure as specified by RFC
2986, Section 4.1 encoded using the ASN.1 distinguished
encoding rules (DER), as specified in ITU-T X.690.";
reference
"RFC 2986:
PKCS #10: Certification Request Syntax Specification
Version 1.7.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
}
}
}
notification certificate-expiration {
description
"A notification indicating that a configured certificate is
either about to expire or has already expired. When to send
notifications is an implementation specific decision, but
it is RECOMMENDED that a notification be sent once a month
for 3 months, then once a week for four weeks, and then once
a day thereafter.";
leaf certificate {
type instance-identifier;
mandatory true;
description
"Identifies which certificate is expiring or is expired.";
}
leaf expiration-date {
type yang:date-and-time;
mandatory true;
description
"Identifies the expiration date on the certificate.";
}
}
}