module ietf-trust-anchors {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-trust-anchors";
prefix "ta";
import ietf-netconf-acm {
prefix nacm;
reference
"RFC 8341: Network Configuration Access Control Model";
}
import ietf-crypto-types {
prefix ct;
reference
"RFC YYYY: Common YANG Data Types for Cryptography";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web:
WG List:
Author: Kent Watsen
";
description
"This module defines a data model for configuring global
trust anchors used by other data models. The data model
enables the configuration of sets of trust anchors.
This data model supports configuring trust anchors for
both X.509 certificates and SSH host keys.
Copyright (c) 2018 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.";
revision "2018-10-22" {
description
"Initial version";
reference
"RFC XXXX: YANG Data Model for Global Trust Anchors";
}
/************************************************************/
/* Typedefs for leafrefs to commonly referenced objects */
/************************************************************/
feature x509-certificates {
description
"The 'x509-certificates' feature indicates that the server
implements the /trust-anchors/pinned-certificates subtree.";
}
feature ssh-host-keys {
description
"The 'ssh-host-keys' feature indicates that the server
implements the /trust-anchors/pinned-host-keys subtree.";
}
/************************************************************/
/* Typedefs for leafrefs to commonly referenced objects */
/************************************************************/
typedef pinned-certificates-ref {
type leafref {
path "/ta:trust-anchors/ta:pinned-certificates/ta:name";
require-instance false;
}
description
"This typedef enables importing modules to easily define a
leafref to a 'pinned-certificates' object. The require
instance attribute is false to enable the referencing of
pinned certificates that exist only in .";
reference
"RFC 8342: Network Management Datastore Architecture (NMDA)";
}
typedef pinned-host-keys-ref {
type leafref {
path "/ta:trust-anchors/ta:pinned-host-keys/ta:name";
require-instance false;
}
description
"This typedef enables importing modules to easily define a
leafref to a 'pinned-host-keys' object. The require
instance attribute is false to enable the referencing of
pinned host keys that exist only in .";
reference
"RFC 8342: Network Management Datastore Architecture (NMDA)";
}
/*********************************/
/* Protocol accessible nodes */
/*********************************/
container trust-anchors {
nacm:default-deny-write;
description
"Contains sets of X.509 certificates and SSH host keys.";
list pinned-certificates {
if-feature "x509-certificates";
key name;
description
"A list of pinned certificates. These certificates can be
used by a server to authenticate clients, or by a client
to authenticate servers. Each list of pinned certificates
SHOULD be specific to a purpose, as the list as a whole
may be referenced by other modules. For instance, a
RESTCONF server's configuration might use a specific list
of pinned certificates for when authenticating RESTCONF
client connections.";
leaf name {
type string;
description
"An arbitrary name for this list of pinned certificates.";
}
leaf description {
type string;
description
"An arbitrary description for this list of pinned
certificates.";
}
list pinned-certificate {
key name;
description
"A pinned certificate.";
leaf name {
type string;
description
"An arbitrary name for this pinned certificate. The
name must be unique across all lists of pinned
certificates (not just this list) so that leafrefs
from another module can resolve to unique values.";
}
uses ct:trust-anchor-cert-grouping {
refine cert {
mandatory true;
}
}
}
}
list pinned-host-keys {
if-feature "ssh-host-keys";
key name;
description
"A list of pinned host keys. These pinned host-keys can
be used by clients to authenticate SSH servers. Each
list of pinned host keys SHOULD be specific to a purpose,
so the list as a whole may be referenced by other modules.
For instance, a NETCONF client's configuration might
point to a specific list of pinned host keys for when
authenticating specific SSH servers.";
leaf name {
type string;
description
"An arbitrary name for this list of pinned SSH
host keys.";
}
leaf description {
type string;
description
"An arbitrary description for this list of pinned SSH
host keys.";
}
list pinned-host-key {
key name;
description
"A pinned host key.";
leaf name {
type string;
description
"An arbitrary name for this pinned host-key. Must be
unique across all lists of pinned host-keys (not just
this list) so that a leafref to it from another module
can resolve to unique values.";
}
leaf host-key {
type ct:ssh-host-key;
mandatory true;
description
"The binary public key data for this pinned host key.";
reference
"RFC YYYY: Common YANG Data Types for Cryptography";
}
}
}
}
}