--- /dev/null
+<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="m-1">
+ <data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring"><?xml version="1.0" encoding="UTF-8"?>
+<module name="ietf-x509-cert-to-name"
+ xmlns="urn:ietf:params:xml:ns:yang:yin:1"
+ xmlns:x509c2n="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name"
+ xmlns:yang="urn:ietf:params:xml:ns:yang:ietf-yang-types">
+ <namespace uri="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name"/>
+ <prefix value="x509c2n"/>
+ <import module="ietf-yang-types">
+ <prefix value="yang"/>
+ </import>
+ <organization>
+ <text>IETF NETMOD (NETCONF Data Modeling Language) Working Group</text>
+ </organization>
+ <contact>
+ <text>WG Web: &lt;http://tools.ietf.org/wg/netmod/&gt;
+WG List: &lt;mailto:netmod@ietf.org&gt;
+
+WG Chair: Thomas Nadeau
+ &lt;mailto:tnadeau@lucidvision.com&gt;
+
+WG Chair: Juergen Schoenwaelder
+ &lt;mailto:j.schoenwaelder@jacobs-university.de&gt;
+
+Editor: Martin Bjorklund
+ &lt;mailto:mbj@tail-f.com&gt;
+
+Editor: Juergen Schoenwaelder
+ &lt;mailto:j.schoenwaelder@jacobs-university.de&gt;</text>
+ </contact>
+ <description>
+ <text>This module contains a collection of YANG definitions for
+extracting a name from an X.509 certificate.
+The algorithm used to extract a name from an X.509 certificate
+was first defined in RFC 6353.
+
+Copyright (c) 2014 IETF Trust and the persons identified as
+authors of the code. All rights reserved.
+
+Redistribution and use in source and binary forms, with or
+without modification, is permitted pursuant to, and subject
+to the license terms contained in, the Simplified BSD License
+set forth in Section 4.c of the IETF Trust's Legal Provisions
+Relating to IETF Documents
+(http://trustee.ietf.org/license-info).
+
+This version of this YANG module is part of RFC 7407; see
+the RFC itself for full legal notices.</text>
+ </description>
+ <reference>
+ <text>RFC 6353: Transport Layer Security (TLS) Transport Model for
+ the Simple Network Management Protocol (SNMP)</text>
+ </reference>
+ <revision date="2014-12-10">
+ <description>
+ <text>Initial revision.</text>
+ </description>
+ <reference>
+ <text>RFC 7407: A YANG Data Model for SNMP Configuration</text>
+ </reference>
+ </revision>
+ <identity name="cert-to-name">
+ <description>
+ <text>Base identity for algorithms to derive a name from a
+certificate.</text>
+ </description>
+ </identity>
+ <identity name="specified">
+ <base name="cert-to-name"/>
+ <description>
+ <text>Directly specifies the name to be used for the certificate.
+The value of the leaf 'name' in the cert-to-name list is
+used.</text>
+ </description>
+ <reference>
+ <text>RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertSpecified</text>
+ </reference>
+ </identity>
+ <identity name="san-rfc822-name">
+ <base name="cert-to-name"/>
+ <description>
+ <text>Maps a subjectAltName's rfc822Name to a name. The local part
+of the rfc822Name is passed unaltered, but the host-part of
+the name must be passed in lowercase. For example, the
+rfc822Name field FooBar@Example.COM is mapped to name
+FooBar@example.com.</text>
+ </description>
+ <reference>
+ <text>RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name</text>
+ </reference>
+ </identity>
+ <identity name="san-dns-name">
+ <base name="cert-to-name"/>
+ <description>
+ <text>Maps a subjectAltName's dNSName to a name after first
+converting it to all lowercase (RFC 5280 does not specify
+converting to lowercase, so this involves an extra step).
+This mapping results in a 1:1 correspondence between
+subjectAltName dNSName values and the name values.</text>
+ </description>
+ <reference>
+ <text>RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName</text>
+ </reference>
+ </identity>
+ <identity name="san-ip-address">
+ <base name="cert-to-name"/>
+ <description>
+ <text>Maps a subjectAltName's iPAddress to a name by
+transforming the binary-encoded address as follows:
+
+ 1) for IPv4, the value is converted into a
+ decimal-dotted quad address (e.g., '192.0.2.1').
+
+ 2) for IPv6 addresses, the value is converted into a
+ 32-character, all-lowercase hexadecimal string
+ without any colon separators.
+
+This mapping results in a 1:1 correspondence between
+subjectAltName iPAddress values and the name values.</text>
+ </description>
+ <reference>
+ <text>RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress</text>
+ </reference>
+ </identity>
+ <identity name="san-any">
+ <base name="cert-to-name"/>
+ <description>
+ <text>Maps any of the following fields using the corresponding
+mapping algorithms:
+
+ +------------+-----------------+
+ | Type | Algorithm |
+ |------------+-----------------|
+ | rfc822Name | san-rfc822-name |
+ | dNSName | san-dns-name |
+ | iPAddress | san-ip-address |
+ +------------+-----------------+
+
+The first matching subjectAltName value found in the
+certificate of the above types MUST be used when deriving
+the name. The mapping algorithm specified in the
+'Algorithm' column MUST be used to derive the name.
+
+This mapping results in a 1:1 correspondence between
+subjectAltName values and name values. The three sub-mapping
+algorithms produced by this combined algorithm cannot produce
+conflicting results between themselves.</text>
+ </description>
+ <reference>
+ <text>RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertSANAny</text>
+ </reference>
+ </identity>
+ <identity name="common-name">
+ <base name="cert-to-name"/>
+ <description>
+ <text>Maps a certificate's CommonName to a name after converting
+it to a UTF-8 encoding. The usage of CommonNames is
+deprecated, and users are encouraged to use subjectAltName
+mapping methods instead. This mapping results in a 1:1
+correspondence between certificate CommonName values and name
+values.</text>
+ </description>
+ <reference>
+ <text>RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertCommonName</text>
+ </reference>
+ </identity>
+ <typedef name="tls-fingerprint">
+ <type name="yang:hex-string">
+ <pattern value="([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}"/>
+ </type>
+ <description>
+ <text>A fingerprint value that can be used to uniquely reference
+other data of potentially arbitrary length.
+
+A tls-fingerprint value is composed of a 1-octet hashing
+algorithm identifier followed by the fingerprint value. The
+first octet value identifying the hashing algorithm is taken
+from the IANA 'TLS HashAlgorithm Registry' (RFC 5246). The
+remaining octets are filled using the results of the hashing
+algorithm.</text>
+ </description>
+ <reference>
+ <text>RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.SnmpTLSFingerprint</text>
+ </reference>
+ </typedef>
+ <grouping name="cert-to-name">
+ <description>
+ <text>Defines nodes for mapping certificates to names. Modules
+that use this grouping should describe how the resulting
+name is used.</text>
+ </description>
+ <list name="cert-to-name">
+ <key value="id"/>
+ <description>
+ <text>This list defines how certificates are mapped to names.
+The name is derived by considering each cert-to-name
+list entry in order. The cert-to-name entry's fingerprint
+determines whether the list entry is a match:
+
+1) If the cert-to-name list entry's fingerprint value
+ matches that of the presented certificate, then consider
+ the list entry a successful match.
+
+2) If the cert-to-name list entry's fingerprint value
+ matches that of a locally held copy of a trusted CA
+ certificate, and that CA certificate was part of the CA
+ certificate chain to the presented certificate, then
+ consider the list entry a successful match.
+
+Once a matching cert-to-name list entry has been found, the
+map-type is used to determine how the name associated with
+the certificate should be determined. See the map-type
+leaf's description for details on determining the name value.
+If it is impossible to determine a name from the cert-to-name
+list entry's data combined with the data presented in the
+certificate, then additional cert-to-name list entries MUST
+be searched to look for another potential match.
+
+Security administrators are encouraged to make use of
+certificates with subjectAltName fields that can be mapped to
+names so that a single root CA certificate can allow all
+child certificates' subjectAltName fields to map directly to
+a name via a 1:1 transformation.</text>
+ </description>
+ <reference>
+ <text>RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry</text>
+ </reference>
+ <leaf name="id">
+ <type name="uint32"/>
+ <description>
+ <text>The id specifies the order in which the entries in the
+cert-to-name list are searched. Entries with lower
+numbers are searched first.</text>
+ </description>
+ <reference>
+ <text>RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol
+ (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID</text>
+ </reference>
+ </leaf>
+ <leaf name="fingerprint">
+ <type name="x509c2n:tls-fingerprint"/>
+ <mandatory value="true"/>
+ <description>
+ <text>Specifies a value with which the fingerprint of the
+full certificate presented by the peer is compared. If
+the fingerprint of the full certificate presented by the
+peer does not match the fingerprint configured, then the
+entry is skipped, and the search for a match continues.</text>
+ </description>
+ <reference>
+ <text>RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol
+ (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint</text>
+ </reference>
+ </leaf>
+ <leaf name="map-type">
+ <type name="identityref">
+ <base name="cert-to-name"/>
+ </type>
+ <mandatory value="true"/>
+ <description>
+ <text>Specifies the algorithm used to map the certificate
+presented by the peer to a name.
+
+Mappings that need additional configuration objects should
+use the 'when' statement to make them conditional based on
+the map-type.</text>
+ </description>
+ <reference>
+ <text>RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol
+ (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType</text>
+ </reference>
+ </leaf>
+ <leaf name="name">
+ <when condition="../map-type = 'x509c2n:specified'"/>
+ <type name="string"/>
+ <mandatory value="true"/>
+ <description>
+ <text>Directly specifies the NETCONF username when the
+map-type is 'specified'.</text>
+ </description>
+ <reference>
+ <text>RFC 6353: Transport Layer Security (TLS) Transport Model
+ for the Simple Network Management Protocol
+ (SNMP).
+ SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData</text>
+ </reference>
+ </leaf>
+ </list>
+ </grouping>
+</module>
+</data>
+</rpc-reply>
Code Review / demo.git / blobdiff