<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="m-1">
<data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">module ietf-x509-cert-to-name {
  namespace "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name";
  import ietf-yang-types {
    "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
    "WG Web: <http://tools.ietf.org/wg/netmod/>
     WG List: <mailto:netmod@ietf.org>
     WG Chair: Thomas Nadeau
               <mailto:tnadeau@lucidvision.com>
     WG Chair: Juergen Schoenwaelder
               <mailto:j.schoenwaelder@jacobs-university.de>
     Editor: Martin Bjorklund
             <mailto:mbj@tail-f.com>
     Editor: Juergen Schoenwaelder
             <mailto:j.schoenwaelder@jacobs-university.de>";
    "This module contains a collection of YANG definitions for
     extracting a name from an X.509 certificate.
     The algorithm used to extract a name from an X.509 certificate
     was first defined in RFC 6353.
     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code. All rights reserved.
     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).
     This version of this YANG module is part of RFC 7407; see
     the RFC itself for full legal notices.";
    "RFC 6353: Transport Layer Security (TLS) Transport Model for
     the Simple Network Management Protocol (SNMP)";
    "RFC 7407: A YANG Data Model for SNMP Configuration";
  identity cert-to-name {
      "Base identity for algorithms to derive a name from a
      "Directly specifies the name to be used for the certificate.
       The value of the leaf 'name' in the cert-to-name list is
      "RFC 6353: Transport Layer Security (TLS) Transport Model
       for the Simple Network Management Protocol (SNMP).
       SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";
  identity san-rfc822-name {
      "Maps a subjectAltName's rfc822Name to a name. The local part
       of the rfc822Name is passed unaltered, but the host-part of
       the name must be passed in lowercase. For example, the
       rfc822Name field FooBar@Example.COM is mapped to name
      "RFC 6353: Transport Layer Security (TLS) Transport Model
       for the Simple Network Management Protocol (SNMP).
       SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name";
  identity san-dns-name {
      "Maps a subjectAltName's dNSName to a name after first
       converting it to all lowercase (RFC 5280 does not specify
       converting to lowercase, so this involves an extra step).
       This mapping results in a 1:1 correspondence between
       subjectAltName dNSName values and the name values.";
      "RFC 6353: Transport Layer Security (TLS) Transport Model
       for the Simple Network Management Protocol (SNMP).
       SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName";
  identity san-ip-address {
      "Maps a subjectAltName's iPAddress to a name by
       transforming the binary-encoded address as follows:
       1) for IPv4, the value is converted into a
          decimal-dotted quad address (e.g., '192.0.2.1').
       2) for IPv6 addresses, the value is converted into a
          32-character, all-lowercase hexadecimal string
          without any colon separators.
       This mapping results in a 1:1 correspondence between
       subjectAltName iPAddress values and the name values.";
      "RFC 6353: Transport Layer Security (TLS) Transport Model
       for the Simple Network Management Protocol (SNMP).
       SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
      "Maps any of the following fields using the corresponding
       +------------+-----------------+
       |------------+-----------------|
       | rfc822Name | san-rfc822-name |
       | dNSName    | san-dns-name    |
       | iPAddress  | san-ip-address  |
       +------------+-----------------+
       The first matching subjectAltName value found in the
       certificate of the above types MUST be used when deriving
       the name. The mapping algorithm specified in the
       'Algorithm' column MUST be used to derive the name.
       This mapping results in a 1:1 correspondence between
       subjectAltName values and name values. The three sub-mapping
       algorithms produced by this combined algorithm cannot produce
       conflicting results between themselves.";
      "RFC 6353: Transport Layer Security (TLS) Transport Model
       for the Simple Network Management Protocol (SNMP).
       SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";
  identity common-name {
      "Maps a certificate's CommonName to a name after converting
       it to a UTF-8 encoding. The usage of CommonNames is
       deprecated, and users are encouraged to use subjectAltName
       mapping methods instead. This mapping results in a 1:1
       correspondence between certificate CommonName values and name
      "RFC 6353: Transport Layer Security (TLS) Transport Model
       for the Simple Network Management Protocol (SNMP).
       SNMP-TLS-TM-MIB.snmpTlstmCertCommonName";
  typedef tls-fingerprint {
    type yang:hex-string {
      pattern "([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}";
      "A fingerprint value that can be used to uniquely reference
       other data of potentially arbitrary length.
       A tls-fingerprint value is composed of a 1-octet hashing
       algorithm identifier followed by the fingerprint value. The
       first octet value identifying the hashing algorithm is taken
       from the IANA 'TLS HashAlgorithm Registry' (RFC 5246). The
       remaining octets are filled using the results of the hashing
      "RFC 6353: Transport Layer Security (TLS) Transport Model
       for the Simple Network Management Protocol (SNMP).
       SNMP-TLS-TM-MIB.SnmpTLSFingerprint";
  grouping cert-to-name {
      "Defines nodes for mapping certificates to names. Modules
       that use this grouping should describe how the resulting
        "This list defines how certificates are mapped to names.
         The name is derived by considering each cert-to-name
         list entry in order. The cert-to-name entry's fingerprint
         determines whether the list entry is a match:
         1) If the cert-to-name list entry's fingerprint value
            matches that of the presented certificate, then consider
            the list entry a successful match.
         2) If the cert-to-name list entry's fingerprint value
            matches that of a locally held copy of a trusted CA
            certificate, and that CA certificate was part of the CA
            certificate chain to the presented certificate, then
            consider the list entry a successful match.
         Once a matching cert-to-name list entry has been found, the
         map-type is used to determine how the name associated with
         the certificate should be determined. See the map-type
         leaf's description for details on determining the name value.
         If it is impossible to determine a name from the cert-to-name
         list entry's data combined with the data presented in the
         certificate, then additional cert-to-name list entries MUST
         be searched to look for another potential match.
         Security administrators are encouraged to make use of
         certificates with subjectAltName fields that can be mapped to
         names so that a single root CA certificate can allow all
         child certificates' subjectAltName fields to map directly to
         a name via a 1:1 transformation.";
        "RFC 6353: Transport Layer Security (TLS) Transport Model
         for the Simple Network Management Protocol (SNMP).
         SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";
          "The id specifies the order in which the entries in the
           cert-to-name list are searched. Entries with lower
           numbers are searched first.";
          "RFC 6353: Transport Layer Security (TLS) Transport Model
           for the Simple Network Management Protocol
           SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
        type x509c2n:tls-fingerprint;
          "Specifies a value with which the fingerprint of the
           full certificate presented by the peer is compared. If
           the fingerprint of the full certificate presented by the
           peer does not match the fingerprint configured, then the
           entry is skipped, and the search for a match continues.";
          "RFC 6353: Transport Layer Security (TLS) Transport Model
           for the Simple Network Management Protocol
           SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
          "Specifies the algorithm used to map the certificate
           presented by the peer to a name.
           Mappings that need additional configuration objects should
           use the 'when' statement to make them conditional based on
          "RFC 6353: Transport Layer Security (TLS) Transport Model
           for the Simple Network Management Protocol
           SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType";
        when "../map-type = 'x509c2n:specified'";
          "Directly specifies the NETCONF username when the
           map-type is 'specified'.";
          "RFC 6353: Transport Layer Security (TLS) Transport Model
           for the Simple Network Management Protocol
           SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";