X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=vnfs%2FTestVNF%2Fnetconftemplates%2Fnetconftemplates%2Fietf-keystore%402016-10-31.yang;fp=vnfs%2FTestVNF%2Fnetconftemplates%2Fnetconftemplates%2Fietf-keystore%402016-10-31.yang;h=0c20bd6ed6374eb3c39ecc755cf8073097d32b94;hb=f46c20006c23d119ffc1c83117d203ed649f687c;hp=0000000000000000000000000000000000000000;hpb=2233d21abae761e91d7b056644c6ac972e662d57;p=demo.git diff --git a/vnfs/TestVNF/netconftemplates/netconftemplates/ietf-keystore@2016-10-31.yang b/vnfs/TestVNF/netconftemplates/netconftemplates/ietf-keystore@2016-10-31.yang new file mode 100644 index 00000000..0c20bd6e --- /dev/null +++ b/vnfs/TestVNF/netconftemplates/netconftemplates/ietf-keystore@2016-10-31.yang @@ -0,0 +1,559 @@ + + module ietf-keystore { + yang-version 1.1; + namespace "urn:ietf:params:xml:ns:yang:ietf-keystore"; + prefix ks; + + import ietf-yang-types { + prefix yang; + reference + "RFC 6991: Common YANG Data Types"; + } + + organization + "IETF NETCONF (Network Configuration) Working Group"; + contact + "WG Web: <http://tools.ietf.org/wg/netconf/> + WG List: <mailto:netconf@ietf.org> + + WG Chair: Mehmet Ersue + <mailto:mehmet.ersue@nsn.com> + + WG Chair: Mahesh Jethanandani + <mailto:mjethanandani@gmail.com> + + Editor: Kent Watsen + <mailto:kwatsen@juniper.net>"; + description + "This module defines a keystore to centralize management of + security credentials. + + Copyright (c) 2014 IETF Trust and the persons identified as + authors of the code. All rights reserved. + + Redistribution and use in source and binary forms, with or + without modification, is permitted pursuant to, and subject + to the license terms contained in, the Simplified BSD + License set forth in Section 4.c of the IETF Trust's + Legal Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info). + + This version of this YANG module is part of RFC VVVV; see + the RFC itself for full legal notices."; + + revision 2016-10-31 { + description + "Initial version"; + reference + "RFC VVVV: NETCONF Server and RESTCONF Server Configuration + Models"; + } + + identity key-algorithm { + description + "Base identity from which all key-algorithms are derived."; + } + + identity rsa { + base key-algorithm; + description + "The RSA algorithm."; + reference + "RFC3447: Public-Key Cryptography Standards (PKCS) #1: + RSA Cryptography Specifications Version 2.1."; + } + + identity secp192r1 { + base key-algorithm; + description + "The secp192r1 algorithm."; + reference + "RFC5480: + Elliptic Curve Cryptography Subject Public Key Information."; + } + + identity secp256r1 { + base key-algorithm; + description + "The secp256r1 algorithm."; + reference + "RFC5480: + Elliptic Curve Cryptography Subject Public Key Information."; + } + + identity secp384r1 { + base key-algorithm; + description + "The secp384r1 algorithm."; + reference + "RFC5480: + Elliptic Curve Cryptography Subject Public Key Information."; + } + + identity secp521r1 { + base key-algorithm; + description + "The secp521r1 algorithm."; + reference + "RFC5480: + Elliptic Curve Cryptography Subject Public Key Information."; + } + + container keystore { + description + "A list of private-keys and their associated certificates, as + well as lists of trusted certificates for client certificate + authentication. RPCs are provided to generate a new private + key and to generate a certificate signing requests."; + container private-keys { + description + "A list of private key maintained by the keystore."; + list private-key { + key "name"; + description + "A private key."; + leaf name { + type string; + description + "An arbitrary name for the private key."; + } + + leaf algorithm { + type identityref { + base key-algorithm; + } + config false; + description + "The algorithm used by the private key."; + } + + leaf key-length { + type uint32; + config false; + description + "The key-length used by the private key."; + } + + leaf public-key { + type binary; + config false; + mandatory true; + description + "An OneAsymmetricKey 'publicKey' structure as specified + by RFC 5958, Section 2 encoded using the ASN.1 + distinguished encoding rules (DER), as specified + in ITU-T X.690."; + reference + "RFC 5958: + Asymmetric Key Packages + ITU-T X.690: + Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), + Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER)."; + } + + container certificate-chains { + description + "Certificate chains associated with this private key. + More than one chain per key is enabled to support, + for instance, a TPM-protected key that has associated + both IDevID and LDevID certificates."; + list certificate-chain { + key "name"; + description + "A certificate chain for this public key."; + leaf name { + type string; + description + "An arbitrary name for the certificate chain. The + name must be a unique across all private keys, not + just within this private key."; + } + + leaf-list certificate { + type binary; + ordered-by user; + description + "An X.509 v3 certificate structure as specified by RFC + 5280, Section 4 encoded using the ASN.1 distinguished + encoding rules (DER), as specified in ITU-T X.690. + The list of certificates that run from the server + certificate towards the trust anchor. The chain MAY + include the trust anchor certificate itself."; + reference + "RFC 5280: + Internet X.509 Public Key Infrastructure Certificate + and Certificate Revocation List (CRL) Profile. + ITU-T X.690: + Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), + Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER)."; + } + } + } + + action generate-certificate-signing-request { + description + "Generates a certificate signing request structure for + the associated private key using the passed subject and + attribute values. Please review both the Security + Considerations and Design Considerations sections in + RFC VVVV for more information regarding this action + statement."; + input { + leaf subject { + type binary; + mandatory true; + description + "The 'subject' field from the CertificationRequestInfo + structure as specified by RFC 2986, Section 4.1 encoded + using the ASN.1 distinguished encoding rules (DER), as + specified in ITU-T X.690."; + reference + "RFC 2986: + PKCS #10: Certification Request Syntax Specification + Version 1.7. + ITU-T X.690: + Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), + Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER)."; + } + + leaf attributes { + type binary; + description + "The 'attributes' field from the CertificationRequestInfo + structure as specified by RFC 2986, Section 4.1 encoded + using the ASN.1 distinguished encoding rules (DER), as + specified in ITU-T X.690."; + reference + "RFC 2986: + PKCS #10: Certification Request Syntax Specification + Version 1.7. + ITU-T X.690: + Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), + Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER)."; + } + } + + output { + leaf certificate-signing-request { + type binary; + mandatory true; + description + "A CertificationRequest structure as specified by RFC + 2986, Section 4.1 encoded using the ASN.1 distinguished + encoding rules (DER), as specified in ITU-T X.690."; + reference + "RFC 2986: + PKCS #10: Certification Request Syntax Specification + Version 1.7. + ITU-T X.690: + Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), + Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER)."; + } + } + } + } + + action generate-private-key { + description + "Requests the device to generate a private key using the + specified algorithm and key length."; + input { + leaf name { + type string; + mandatory true; + description + "The name this private-key should have when listed + in /keystore/private-keys. As such, the passed + value must not match any existing 'name' value."; + } + + leaf algorithm { + type identityref { + base key-algorithm; + } + mandatory true; + description + "The algorithm to be used when generating the key."; + } + + leaf key-length { + type uint32; + description + "For algorithms that need a key length specified + when generating the key."; + } + } + } + + action load-private-key { + description + "Requests the device to load a private key"; + input { + leaf name { + type string; + mandatory true; + description + "The name this private-key should have when listed + in /keystore/private-keys. As such, the passed + value must not match any existing 'name' value."; + } + + leaf private-key { + type binary; + mandatory true; + description + "An OneAsymmetricKey structure as specified by RFC + 5958, Section 2 encoded using the ASN.1 distinguished + encoding rules (DER), as specified in ITU-T X.690. + Note that this is the raw private with no shrouding + to protect it. The strength of this private key + MUST NOT be greater than the strength of the secure + connection over which it is communicated. Devices + SHOULD fail this request if ever that happens."; + reference + "RFC 5958: + Asymmetric Key Packages + ITU-T X.690: + Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), + Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER)."; + } + } + } + } + + list trusted-certificates { + key "name"; + description + "A list of trusted certificates. These certificates + can be used by a server to authenticate clients, or by clients + to authenticate servers. The certificates may be endpoint + specific or for certificate authorities (to authenticate many + clients at once. Each list of certificates SHOULD be specific + to a purpose, as the list as a whole may be referenced by other + modules. For instance, a NETCONF server model might point to + a list of certificates to use when authenticating client + certificates."; + leaf name { + type string; + description + "An arbitrary name for this list of trusted certificates."; + } + + leaf description { + type string; + description + "An arbitrary description for this list of trusted + certificates."; + } + + list trusted-certificate { + key "name"; + description + "A trusted certificate for a specific use. Note, this + 'certificate' is a list in order to encode any + associated intermediate certificates."; + leaf name { + type string; + description + "An arbitrary name for this trusted certificate. Must + be unique across all lists of trusted certificates + (not just this list) so that a leafref to it from + another module can resolve to unique values."; + } + + leaf certificate { + type binary; + description + "An X.509 v3 certificate structure as specified by RFC + 5280, Section 4 encoded using the ASN.1 distinguished + encoding rules (DER), as specified in ITU-T X.690."; + reference + "RFC 5280: + Internet X.509 Public Key Infrastructure Certificate + and Certificate Revocation List (CRL) Profile. + ITU-T X.690: + Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), + Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER)."; + } + } + } + + list trusted-ssh-host-keys { + key "name"; + description + "A list of trusted host-keys. These host-keys can be used + by clients to authenticate SSH servers. The host-keys are + endpoint specific. Each list of host-keys SHOULD be + specific to a purpose, as the list as a whole may be + referenced by other modules. For instance, a NETCONF + client model might point to a list of host-keys to use + when authenticating servers host-keys."; + leaf name { + type string; + description + "An arbitrary name for this list of trusted SSH host keys."; + } + + leaf description { + type string; + description + "An arbitrary description for this list of trusted SSH host + keys."; + } + + list trusted-host-key { + key "name"; + description + "A trusted host key."; + leaf name { + type string; + description + "An arbitrary name for this trusted host-key. Must be + unique across all lists of trusted host-keys (not just + this list) so that a leafref to it from another module + can resolve to unique values. + + Note that, for when the SSH client is able to listen + for call-home connections as well, there is no reference + identifier (e.g., hostname, IP address, etc.) that it + can use to uniquely identify the server with. The + call-home draft recommends SSH servers use X.509v3 + certificates (RFC6187) when calling home."; + } + + leaf host-key { + type binary; + mandatory true; + description + "An OneAsymmetricKey 'publicKey' structure as specified + by RFC 5958, Section 2 encoded using the ASN.1 + distinguished encoding rules (DER), as specified + in ITU-T X.690."; + reference + "RFC 5958: + Asymmetric Key Packages + ITU-T X.690: + Information technology - ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), + Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER)."; + } + } + } + + container user-auth-credentials { + description + "A list of user authentication credentials that can be used + by an SSH client to log into an SSH server, using any of + the supported authentication methods (e.g., password, + public key, client certificate, etc.)."; + list user-auth-credential { + key "username"; + description + "The authentication credentials for a specific user."; + leaf username { + type string; + description + "The username of this user. This will be the username + used, for instance, to log into an SSH server."; + } + + list auth-method { + key "priority"; + description + "A method of authenticating as this user."; + leaf priority { + type uint8; + description + "When multiple authentication methods in this list are + supported by the server, the one with the lowest priority + value will be the one that is used."; + } + + choice auth-type { + description + "The authentication type."; + leaf-list certificate { + type leafref { + path "/keystore/private-keys/private-key/certificate-chains/certificate-chain/name"; + } + ordered-by user; + description + "A list of references to certificates that can be used + for user authentication. When multiple certificates + in this list supported by the server, the one that + comes before the others in the leaf-list will be + used."; + } + + leaf-list public-key { + type leafref { + path "/keystore/private-keys/private-key/name"; + } + ordered-by user; + description + "A list of references to public keys that can be used + for user authentication. When multiple public keys + in this list supported by the server, the one that + comes before the others in the leaf-list will be + used."; + } + + leaf ciphertext-password { + type string; + description + "An ciphertext password. The method of encipherment + and how that method can be determined from this + string is implementation-specific."; + } + + leaf cleartext-password { + type string; + description + "An cleartext password."; + } + } + } + } + } + } + + notification certificate-expiration { + description + "A notification indicating that a configured certificate is + either about to expire or has already expired. When to send + notifications is an implementation specific decision, but + it is RECOMMENDED that a notification be sent once a month + for 3 months, then once a week for four weeks, and then once + a day thereafter."; + leaf certificate { + type instance-identifier; + mandatory true; + description + "Identifies which certificate is expiring or is expired."; + } + + leaf expiration-date { + type yang:date-and-time; + mandatory true; + description + "Identifies the expiration date on the certificate."; + } + } +} + +