--- /dev/null
+<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="m-1">
+ <data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring"><?xml version="1.0" encoding="UTF-8"?>
+<module name="ietf-keystore"
+ xmlns="urn:ietf:params:xml:ns:yang:yin:1"
+ xmlns:ks="urn:ietf:params:xml:ns:yang:ietf-keystore"
+ xmlns:yang="urn:ietf:params:xml:ns:yang:ietf-yang-types">
+ <yang-version value="1.1"/>
+ <namespace uri="urn:ietf:params:xml:ns:yang:ietf-keystore"/>
+ <prefix value="ks"/>
+ <import module="ietf-yang-types">
+ <prefix value="yang"/>
+ <reference>
+ <text>RFC 6991: Common YANG Data Types</text>
+ </reference>
+ </import>
+ <organization>
+ <text>IETF NETCONF (Network Configuration) Working Group</text>
+ </organization>
+ <contact>
+ <text>WG Web: &lt;http://tools.ietf.org/wg/netconf/&gt;
+WG List: &lt;mailto:netconf@ietf.org&gt;
+
+WG Chair: Mehmet Ersue
+ &lt;mailto:mehmet.ersue@nsn.com&gt;
+
+WG Chair: Mahesh Jethanandani
+ &lt;mailto:mjethanandani@gmail.com&gt;
+
+Editor: Kent Watsen
+ &lt;mailto:kwatsen@juniper.net&gt;</text>
+ </contact>
+ <description>
+ <text>This module defines a keystore to centralize management of
+security credentials.
+
+Copyright (c) 2014 IETF Trust and the persons identified as
+authors of the code. All rights reserved.
+
+Redistribution and use in source and binary forms, with or
+without modification, is permitted pursuant to, and subject
+to the license terms contained in, the Simplified BSD
+License set forth in Section 4.c of the IETF Trust's
+Legal Provisions Relating to IETF Documents
+(http://trustee.ietf.org/license-info).
+
+This version of this YANG module is part of RFC VVVV; see
+the RFC itself for full legal notices.</text>
+ </description>
+ <revision date="2016-10-31">
+ <description>
+ <text>Initial version</text>
+ </description>
+ <reference>
+ <text>RFC VVVV: NETCONF Server and RESTCONF Server Configuration
+ Models</text>
+ </reference>
+ </revision>
+ <identity name="key-algorithm">
+ <description>
+ <text>Base identity from which all key-algorithms are derived.</text>
+ </description>
+ </identity>
+ <identity name="rsa">
+ <base name="key-algorithm"/>
+ <description>
+ <text>The RSA algorithm.</text>
+ </description>
+ <reference>
+ <text>RFC3447: Public-Key Cryptography Standards (PKCS) #1:
+ RSA Cryptography Specifications Version 2.1.</text>
+ </reference>
+ </identity>
+ <identity name="secp192r1">
+ <base name="key-algorithm"/>
+ <description>
+ <text>The secp192r1 algorithm.</text>
+ </description>
+ <reference>
+ <text>RFC5480:
+ Elliptic Curve Cryptography Subject Public Key Information.</text>
+ </reference>
+ </identity>
+ <identity name="secp256r1">
+ <base name="key-algorithm"/>
+ <description>
+ <text>The secp256r1 algorithm.</text>
+ </description>
+ <reference>
+ <text>RFC5480:
+ Elliptic Curve Cryptography Subject Public Key Information.</text>
+ </reference>
+ </identity>
+ <identity name="secp384r1">
+ <base name="key-algorithm"/>
+ <description>
+ <text>The secp384r1 algorithm.</text>
+ </description>
+ <reference>
+ <text>RFC5480:
+ Elliptic Curve Cryptography Subject Public Key Information.</text>
+ </reference>
+ </identity>
+ <identity name="secp521r1">
+ <base name="key-algorithm"/>
+ <description>
+ <text>The secp521r1 algorithm.</text>
+ </description>
+ <reference>
+ <text>RFC5480:
+ Elliptic Curve Cryptography Subject Public Key Information.</text>
+ </reference>
+ </identity>
+ <container name="keystore">
+ <description>
+ <text>A list of private-keys and their associated certificates, as
+well as lists of trusted certificates for client certificate
+authentication. RPCs are provided to generate a new private
+key and to generate a certificate signing requests.</text>
+ </description>
+ <container name="private-keys">
+ <description>
+ <text>A list of private key maintained by the keystore.</text>
+ </description>
+ <list name="private-key">
+ <key value="name"/>
+ <description>
+ <text>A private key.</text>
+ </description>
+ <leaf name="name">
+ <type name="string"/>
+ <description>
+ <text>An arbitrary name for the private key.</text>
+ </description>
+ </leaf>
+ <leaf name="algorithm">
+ <type name="identityref">
+ <base name="key-algorithm"/>
+ </type>
+ <config value="false"/>
+ <description>
+ <text>The algorithm used by the private key.</text>
+ </description>
+ </leaf>
+ <leaf name="key-length">
+ <type name="uint32"/>
+ <config value="false"/>
+ <description>
+ <text>The key-length used by the private key.</text>
+ </description>
+ </leaf>
+ <leaf name="public-key">
+ <type name="binary"/>
+ <config value="false"/>
+ <mandatory value="true"/>
+ <description>
+ <text>An OneAsymmetricKey 'publicKey' structure as specified
+by RFC 5958, Section 2 encoded using the ASN.1
+distinguished encoding rules (DER), as specified
+in ITU-T X.690.</text>
+ </description>
+ <reference>
+ <text>RFC 5958:
+ Asymmetric Key Packages
+ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).</text>
+ </reference>
+ </leaf>
+ <container name="certificate-chains">
+ <description>
+ <text>Certificate chains associated with this private key.
+More than one chain per key is enabled to support,
+for instance, a TPM-protected key that has associated
+both IDevID and LDevID certificates.</text>
+ </description>
+ <list name="certificate-chain">
+ <key value="name"/>
+ <description>
+ <text>A certificate chain for this public key.</text>
+ </description>
+ <leaf name="name">
+ <type name="string"/>
+ <description>
+ <text>An arbitrary name for the certificate chain. The
+name must be a unique across all private keys, not
+just within this private key.</text>
+ </description>
+ </leaf>
+ <leaf-list name="certificate">
+ <type name="binary"/>
+ <ordered-by value="user"/>
+ <description>
+ <text>An X.509 v3 certificate structure as specified by RFC
+5280, Section 4 encoded using the ASN.1 distinguished
+encoding rules (DER), as specified in ITU-T X.690.
+The list of certificates that run from the server
+certificate towards the trust anchor. The chain MAY
+include the trust anchor certificate itself.</text>
+ </description>
+ <reference>
+ <text>RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile.
+ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).</text>
+ </reference>
+ </leaf-list>
+ </list>
+ </container>
+ <action name="generate-certificate-signing-request">
+ <description>
+ <text>Generates a certificate signing request structure for
+the associated private key using the passed subject and
+attribute values. Please review both the Security
+Considerations and Design Considerations sections in
+RFC VVVV for more information regarding this action
+statement.</text>
+ </description>
+ <input>
+ <leaf name="subject">
+ <type name="binary"/>
+ <mandatory value="true"/>
+ <description>
+ <text>The 'subject' field from the CertificationRequestInfo
+structure as specified by RFC 2986, Section 4.1 encoded
+using the ASN.1 distinguished encoding rules (DER), as
+specified in ITU-T X.690.</text>
+ </description>
+ <reference>
+ <text>RFC 2986:
+ PKCS #10: Certification Request Syntax Specification
+ Version 1.7.
+ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).</text>
+ </reference>
+ </leaf>
+ <leaf name="attributes">
+ <type name="binary"/>
+ <description>
+ <text>The 'attributes' field from the CertificationRequestInfo
+structure as specified by RFC 2986, Section 4.1 encoded
+using the ASN.1 distinguished encoding rules (DER), as
+specified in ITU-T X.690.</text>
+ </description>
+ <reference>
+ <text>RFC 2986:
+ PKCS #10: Certification Request Syntax Specification
+ Version 1.7.
+ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).</text>
+ </reference>
+ </leaf>
+ </input>
+ <output>
+ <leaf name="certificate-signing-request">
+ <type name="binary"/>
+ <mandatory value="true"/>
+ <description>
+ <text>A CertificationRequest structure as specified by RFC
+2986, Section 4.1 encoded using the ASN.1 distinguished
+encoding rules (DER), as specified in ITU-T X.690.</text>
+ </description>
+ <reference>
+ <text>RFC 2986:
+ PKCS #10: Certification Request Syntax Specification
+ Version 1.7.
+ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).</text>
+ </reference>
+ </leaf>
+ </output>
+ </action>
+ </list>
+ <action name="generate-private-key">
+ <description>
+ <text>Requests the device to generate a private key using the
+specified algorithm and key length.</text>
+ </description>
+ <input>
+ <leaf name="name">
+ <type name="string"/>
+ <mandatory value="true"/>
+ <description>
+ <text>The name this private-key should have when listed
+in /keystore/private-keys. As such, the passed
+value must not match any existing 'name' value.</text>
+ </description>
+ </leaf>
+ <leaf name="algorithm">
+ <type name="identityref">
+ <base name="key-algorithm"/>
+ </type>
+ <mandatory value="true"/>
+ <description>
+ <text>The algorithm to be used when generating the key.</text>
+ </description>
+ </leaf>
+ <leaf name="key-length">
+ <type name="uint32"/>
+ <description>
+ <text>For algorithms that need a key length specified
+when generating the key.</text>
+ </description>
+ </leaf>
+ </input>
+ </action>
+ <action name="load-private-key">
+ <description>
+ <text>Requests the device to load a private key</text>
+ </description>
+ <input>
+ <leaf name="name">
+ <type name="string"/>
+ <mandatory value="true"/>
+ <description>
+ <text>The name this private-key should have when listed
+in /keystore/private-keys. As such, the passed
+value must not match any existing 'name' value.</text>
+ </description>
+ </leaf>
+ <leaf name="private-key">
+ <type name="binary"/>
+ <mandatory value="true"/>
+ <description>
+ <text>An OneAsymmetricKey structure as specified by RFC
+5958, Section 2 encoded using the ASN.1 distinguished
+encoding rules (DER), as specified in ITU-T X.690.
+Note that this is the raw private with no shrouding
+to protect it. The strength of this private key
+MUST NOT be greater than the strength of the secure
+connection over which it is communicated. Devices
+SHOULD fail this request if ever that happens.</text>
+ </description>
+ <reference>
+ <text>RFC 5958:
+ Asymmetric Key Packages
+ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).</text>
+ </reference>
+ </leaf>
+ </input>
+ </action>
+ </container>
+ <list name="trusted-certificates">
+ <key value="name"/>
+ <description>
+ <text>A list of trusted certificates. These certificates
+can be used by a server to authenticate clients, or by clients
+to authenticate servers. The certificates may be endpoint
+specific or for certificate authorities (to authenticate many
+clients at once. Each list of certificates SHOULD be specific
+to a purpose, as the list as a whole may be referenced by other
+modules. For instance, a NETCONF server model might point to
+a list of certificates to use when authenticating client
+certificates.</text>
+ </description>
+ <leaf name="name">
+ <type name="string"/>
+ <description>
+ <text>An arbitrary name for this list of trusted certificates.</text>
+ </description>
+ </leaf>
+ <leaf name="description">
+ <type name="string"/>
+ <description>
+ <text>An arbitrary description for this list of trusted
+certificates.</text>
+ </description>
+ </leaf>
+ <list name="trusted-certificate">
+ <key value="name"/>
+ <description>
+ <text>A trusted certificate for a specific use. Note, this
+'certificate' is a list in order to encode any
+associated intermediate certificates.</text>
+ </description>
+ <leaf name="name">
+ <type name="string"/>
+ <description>
+ <text>An arbitrary name for this trusted certificate. Must
+be unique across all lists of trusted certificates
+(not just this list) so that a leafref to it from
+another module can resolve to unique values.</text>
+ </description>
+ </leaf>
+ <leaf name="certificate">
+ <type name="binary"/>
+ <description>
+ <text>An X.509 v3 certificate structure as specified by RFC
+5280, Section 4 encoded using the ASN.1 distinguished
+encoding rules (DER), as specified in ITU-T X.690.</text>
+ </description>
+ <reference>
+ <text>RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile.
+ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).</text>
+ </reference>
+ </leaf>
+ </list>
+ </list>
+ <list name="trusted-ssh-host-keys">
+ <key value="name"/>
+ <description>
+ <text>A list of trusted host-keys. These host-keys can be used
+by clients to authenticate SSH servers. The host-keys are
+endpoint specific. Each list of host-keys SHOULD be
+specific to a purpose, as the list as a whole may be
+referenced by other modules. For instance, a NETCONF
+client model might point to a list of host-keys to use
+when authenticating servers host-keys.</text>
+ </description>
+ <leaf name="name">
+ <type name="string"/>
+ <description>
+ <text>An arbitrary name for this list of trusted SSH host keys.</text>
+ </description>
+ </leaf>
+ <leaf name="description">
+ <type name="string"/>
+ <description>
+ <text>An arbitrary description for this list of trusted SSH host
+keys.</text>
+ </description>
+ </leaf>
+ <list name="trusted-host-key">
+ <key value="name"/>
+ <description>
+ <text>A trusted host key.</text>
+ </description>
+ <leaf name="name">
+ <type name="string"/>
+ <description>
+ <text>An arbitrary name for this trusted host-key. Must be
+unique across all lists of trusted host-keys (not just
+this list) so that a leafref to it from another module
+can resolve to unique values.
+
+Note that, for when the SSH client is able to listen
+for call-home connections as well, there is no reference
+identifier (e.g., hostname, IP address, etc.) that it
+can use to uniquely identify the server with. The
+call-home draft recommends SSH servers use X.509v3
+certificates (RFC6187) when calling home.</text>
+ </description>
+ </leaf>
+ <leaf name="host-key">
+ <type name="binary"/>
+ <mandatory value="true"/>
+ <description>
+ <text>An OneAsymmetricKey 'publicKey' structure as specified
+by RFC 5958, Section 2 encoded using the ASN.1
+distinguished encoding rules (DER), as specified
+in ITU-T X.690.</text>
+ </description>
+ <reference>
+ <text>RFC 5958:
+ Asymmetric Key Packages
+ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).</text>
+ </reference>
+ </leaf>
+ </list>
+ </list>
+ <container name="user-auth-credentials">
+ <description>
+ <text>A list of user authentication credentials that can be used
+by an SSH client to log into an SSH server, using any of
+the supported authentication methods (e.g., password,
+public key, client certificate, etc.).</text>
+ </description>
+ <list name="user-auth-credential">
+ <key value="username"/>
+ <description>
+ <text>The authentication credentials for a specific user.</text>
+ </description>
+ <leaf name="username">
+ <type name="string"/>
+ <description>
+ <text>The username of this user. This will be the username
+used, for instance, to log into an SSH server.</text>
+ </description>
+ </leaf>
+ <list name="auth-method">
+ <key value="priority"/>
+ <description>
+ <text>A method of authenticating as this user.</text>
+ </description>
+ <leaf name="priority">
+ <type name="uint8"/>
+ <description>
+ <text>When multiple authentication methods in this list are
+supported by the server, the one with the lowest priority
+value will be the one that is used.</text>
+ </description>
+ </leaf>
+ <choice name="auth-type">
+ <description>
+ <text>The authentication type.</text>
+ </description>
+ <leaf-list name="certificate">
+ <type name="leafref">
+ <path value="/keystore/private-keys/private-key/certificate-chains/certificate-chain/name"/>
+ </type>
+ <ordered-by value="user"/>
+ <description>
+ <text>A list of references to certificates that can be used
+for user authentication. When multiple certificates
+in this list supported by the server, the one that
+comes before the others in the leaf-list will be
+used.</text>
+ </description>
+ </leaf-list>
+ <leaf-list name="public-key">
+ <type name="leafref">
+ <path value="/keystore/private-keys/private-key/name"/>
+ </type>
+ <ordered-by value="user"/>
+ <description>
+ <text>A list of references to public keys that can be used
+for user authentication. When multiple public keys
+in this list supported by the server, the one that
+comes before the others in the leaf-list will be
+used.</text>
+ </description>
+ </leaf-list>
+ <leaf name="ciphertext-password">
+ <type name="string"/>
+ <description>
+ <text>An ciphertext password. The method of encipherment
+and how that method can be determined from this
+string is implementation-specific.</text>
+ </description>
+ </leaf>
+ <leaf name="cleartext-password">
+ <type name="string"/>
+ <description>
+ <text>An cleartext password.</text>
+ </description>
+ </leaf>
+ </choice>
+ </list>
+ </list>
+ </container>
+ </container>
+ <notification name="certificate-expiration">
+ <description>
+ <text>A notification indicating that a configured certificate is
+either about to expire or has already expired. When to send
+notifications is an implementation specific decision, but
+it is RECOMMENDED that a notification be sent once a month
+for 3 months, then once a week for four weeks, and then once
+a day thereafter.</text>
+ </description>
+ <leaf name="certificate">
+ <type name="instance-identifier"/>
+ <mandatory value="true"/>
+ <description>
+ <text>Identifies which certificate is expiring or is expired.</text>
+ </description>
+ </leaf>
+ <leaf name="expiration-date">
+ <type name="yang:date-and-time"/>
+ <mandatory value="true"/>
+ <description>
+ <text>Identifies the expiration date on the certificate.</text>
+ </description>
+ </leaf>
+ </notification>
+</module>
+</data>
+</rpc-reply>