<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="m-1">
<data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">
<module name="ietf-x509-cert-to-name"
        xmlns="urn:ietf:params:xml:ns:yang:yin:1"
        xmlns:x509c2n="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name"
        xmlns:yang="urn:ietf:params:xml:ns:yang:ietf-yang-types">
  <namespace uri="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name"/>
  <prefix value="x509c2n"/>
  <import module="ietf-yang-types">
    <prefix value="yang"/>
  </import>
  <organization>
    <text>IETF NETMOD (NETCONF Data Modeling Language) Working Group</text>
  </organization>
  <contact>
    <text>WG Web:   &lt;http://tools.ietf.org/wg/netmod/&gt;
    WG List:  &lt;mailto:netmod@ietf.org&gt;

    WG Chair: Thomas Nadeau
              &lt;mailto:tnadeau@lucidvision.com&gt;

    WG Chair: Juergen Schoenwaelder
              &lt;mailto:j.schoenwaelder@jacobs-university.de&gt;

    Editor:   Martin Bjorklund
              &lt;mailto:mbj@tail-f.com&gt;

    Editor:   Juergen Schoenwaelder
              &lt;mailto:j.schoenwaelder@jacobs-university.de&gt;</text>
  </contact>
  <description>
    <text>This module contains a collection of YANG definitions for
    extracting a name from an X.509 certificate.
    The algorithm used to extract a name from an X.509 certificate
    was first defined in RFC 6353.

    Copyright (c) 2014 IETF Trust and the persons identified as
    authors of the code.  All rights reserved.

    Redistribution and use in source and binary forms, with or
    without modification, is permitted pursuant to, and subject
    to the license terms contained in, the Simplified BSD License
    set forth in Section 4.c of the IETF Trust's Legal Provisions
    Relating to IETF Documents
    (http://trustee.ietf.org/license-info).

    This version of this YANG module is part of RFC 7407; see
    the RFC itself for full legal notices.</text>
  </description>
  <reference>
    <text>RFC 6353: Transport Layer Security (TLS) Transport Model for
    the Simple Network Management Protocol (SNMP)</text>
  </reference>
  <revision date="2014-12-10">
    <description>
      <text>Initial revision.</text>
    </description>
    <reference>
      <text>RFC 7407: A YANG Data Model for SNMP Configuration</text>
    </reference>
  </revision>
  <identity name="cert-to-name">
    <description>
      <text>Base identity for algorithms to derive a name from a
      certificate.</text>
    </description>
  </identity>
  <identity name="specified">
    <base name="cert-to-name"/>
    <description>
      <text>Directly specifies the name to be used for the certificate.
      The value of the leaf 'name' in the cert-to-name list is</text>
    </description>
    <reference>
      <text>RFC 6353: Transport Layer Security (TLS) Transport Model
      for the Simple Network Management Protocol (SNMP).
      SNMP-TLS-TM-MIB.snmpTlstmCertSpecified</text>
    </reference>
  </identity>
  <identity name="san-rfc822-name">
    <base name="cert-to-name"/>
    <description>
      <text>Maps a subjectAltName's rfc822Name to a name.  The local part
      of the rfc822Name is passed unaltered, but the host-part of
      the name must be passed in lowercase.  For example, the
      rfc822Name field FooBar@Example.COM is mapped to name
      FooBar@example.com.</text>
    </description>
    <reference>
      <text>RFC 6353: Transport Layer Security (TLS) Transport Model
      for the Simple Network Management Protocol (SNMP).
      SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name</text>
    </reference>
  </identity>
  <identity name="san-dns-name">
    <base name="cert-to-name"/>
    <description>
      <text>Maps a subjectAltName's dNSName to a name after first
      converting it to all lowercase (RFC 5280 does not specify
      converting to lowercase, so this involves an extra step).
      This mapping results in a 1:1 correspondence between
      subjectAltName dNSName values and the name values.</text>
    </description>
    <reference>
      <text>RFC 6353: Transport Layer Security (TLS) Transport Model
      for the Simple Network Management Protocol (SNMP).
      SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName</text>
    </reference>
  </identity>
  <identity name="san-ip-address">
    <base name="cert-to-name"/>
    <description>
      <text>Maps a subjectAltName's iPAddress to a name by
      transforming the binary-encoded address as follows:

      1) for IPv4, the value is converted into a
         decimal-dotted quad address (e.g., '192.0.2.1').

      2) for IPv6 addresses, the value is converted into a
         32-character, all-lowercase hexadecimal string
         without any colon separators.

      This mapping results in a 1:1 correspondence between
      subjectAltName iPAddress values and the name values.</text>
    </description>
    <reference>
      <text>RFC 6353: Transport Layer Security (TLS) Transport Model
      for the Simple Network Management Protocol (SNMP).
      SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress</text>
    </reference>
  </identity>
  <identity name="san-any">
    <base name="cert-to-name"/>
    <description>
      <text>Maps any of the following fields using the corresponding

      +------------+-----------------+
      |------------+-----------------|
      | rfc822Name | san-rfc822-name |
      | dNSName    | san-dns-name    |
      | iPAddress  | san-ip-address  |
      +------------+-----------------+

      The first matching subjectAltName value found in the
      certificate of the above types MUST be used when deriving
      the name.  The mapping algorithm specified in the
      'Algorithm' column MUST be used to derive the name.

      This mapping results in a 1:1 correspondence between
      subjectAltName values and name values.  The three sub-mapping
      algorithms produced by this combined algorithm cannot produce
      conflicting results between themselves.</text>
    </description>
    <reference>
      <text>RFC 6353: Transport Layer Security (TLS) Transport Model
      for the Simple Network Management Protocol (SNMP).
      SNMP-TLS-TM-MIB.snmpTlstmCertSANAny</text>
    </reference>
  </identity>
  <identity name="common-name">
    <base name="cert-to-name"/>
    <description>
      <text>Maps a certificate's CommonName to a name after converting
      it to a UTF-8 encoding.  The usage of CommonNames is
      deprecated, and users are encouraged to use subjectAltName
      mapping methods instead.  This mapping results in a 1:1
      correspondence between certificate CommonName values and name</text>
    </description>
    <reference>
      <text>RFC 6353: Transport Layer Security (TLS) Transport Model
      for the Simple Network Management Protocol (SNMP).
      SNMP-TLS-TM-MIB.snmpTlstmCertCommonName</text>
    </reference>
  </identity>
  <typedef name="tls-fingerprint">
    <type name="yang:hex-string">
      <pattern value="([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}"/>
    </type>
    <description>
      <text>A fingerprint value that can be used to uniquely reference
      other data of potentially arbitrary length.

      A tls-fingerprint value is composed of a 1-octet hashing
      algorithm identifier followed by the fingerprint value.  The
      first octet value identifying the hashing algorithm is taken
      from the IANA 'TLS HashAlgorithm Registry' (RFC 5246).  The
      remaining octets are filled using the results of the hashing
      algorithm.</text>
    </description>
    <reference>
      <text>RFC 6353: Transport Layer Security (TLS) Transport Model
      for the Simple Network Management Protocol (SNMP).
      SNMP-TLS-TM-MIB.SnmpTLSFingerprint</text>
    </reference>
  </typedef>
  <grouping name="cert-to-name">
    <description>
      <text>Defines nodes for mapping certificates to names.  Modules
      that use this grouping should describe how the resulting
      name is used.</text>
    </description>
    <list name="cert-to-name">
      <key value="id"/>
      <description>
        <text>This list defines how certificates are mapped to names.
        The name is derived by considering each cert-to-name
        list entry in order.  The cert-to-name entry's fingerprint
        determines whether the list entry is a match:

        1) If the cert-to-name list entry's fingerprint value
           matches that of the presented certificate, then consider
           the list entry a successful match.

        2) If the cert-to-name list entry's fingerprint value
           matches that of a locally held copy of a trusted CA
           certificate, and that CA certificate was part of the CA
           certificate chain to the presented certificate, then
           consider the list entry a successful match.

        Once a matching cert-to-name list entry has been found, the
        map-type is used to determine how the name associated with
        the certificate should be determined.  See the map-type
        leaf's description for details on determining the name value.
        If it is impossible to determine a name from the cert-to-name
        list entry's data combined with the data presented in the
        certificate, then additional cert-to-name list entries MUST
        be searched to look for another potential match.

        Security administrators are encouraged to make use of
        certificates with subjectAltName fields that can be mapped to
        names so that a single root CA certificate can allow all
        child certificates' subjectAltName fields to map directly to
        a name via a 1:1 transformation.</text>
      </description>
      <reference>
        <text>RFC 6353: Transport Layer Security (TLS) Transport Model
        for the Simple Network Management Protocol (SNMP).
        SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry</text>
      </reference>
      <leaf name="id">
        <type name="uint32"/>
        <description>
          <text>The id specifies the order in which the entries in the
          cert-to-name list are searched.  Entries with lower
          numbers are searched first.</text>
        </description>
        <reference>
          <text>RFC 6353: Transport Layer Security (TLS) Transport Model
          for the Simple Network Management Protocol (SNMP).
          SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID</text>
        </reference>
      </leaf>
      <leaf name="fingerprint">
        <type name="x509c2n:tls-fingerprint"/>
        <mandatory value="true"/>
        <description>
          <text>Specifies a value with which the fingerprint of the
          full certificate presented by the peer is compared.  If
          the fingerprint of the full certificate presented by the
          peer does not match the fingerprint configured, then the
          entry is skipped, and the search for a match continues.</text>
        </description>
        <reference>
          <text>RFC 6353: Transport Layer Security (TLS) Transport Model
          for the Simple Network Management Protocol (SNMP).
          SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint</text>
        </reference>
      </leaf>
      <leaf name="map-type">
        <type name="identityref">
          <base name="cert-to-name"/>
        </type>
        <mandatory value="true"/>
        <description>
          <text>Specifies the algorithm used to map the certificate
          presented by the peer to a name.

          Mappings that need additional configuration objects should
          use the 'when' statement to make them conditional based on
          the map-type.</text>
        </description>
        <reference>
          <text>RFC 6353: Transport Layer Security (TLS) Transport Model
          for the Simple Network Management Protocol (SNMP).
          SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType</text>
        </reference>
      </leaf>
      <leaf name="name">
        <when condition="../map-type = 'x509c2n:specified'"/>
        <type name="string"/>
        <mandatory value="true"/>
        <description>
          <text>Directly specifies the NETCONF username when the
          map-type is 'specified'.</text>
        </description>
        <reference>
          <text>RFC 6353: Transport Layer Security (TLS) Transport Model
          for the Simple Network Management Protocol (SNMP).
          SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData</text>
        </reference>
      </leaf>
    </list>
  </grouping>
</module>
</data>
</rpc-reply>