<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="m-1">
<data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">module ietf-keystore {
namespace "urn:ietf:params:xml:ns:yang:ietf-keystore";
import ietf-yang-types {
"RFC 6991: Common YANG Data Types";
"IETF NETCONF (Network Configuration) Working Group";
"WG Web: <http://tools.ietf.org/wg/netconf/>
WG List: <mailto:netconf@ietf.org>
WG Chair: Mehmet Ersue
<mailto:mehmet.ersue@nsn.com>
WG Chair: Mahesh Jethanandani
<mailto:mjethanandani@gmail.com>
<mailto:kwatsen@juniper.net>";
"This module defines a keystore to centralize management of
Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC VVVV; see
the RFC itself for full legal notices.";
"RFC VVVV: NETCONF Server and RESTCONF Server Configuration
identity key-algorithm {
"Base identity from which all key-algorithms are derived.";
"RFC3447: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.1.";
"The secp192r1 algorithm.";
Elliptic Curve Cryptography Subject Public Key Information.";
"The secp256r1 algorithm.";
Elliptic Curve Cryptography Subject Public Key Information.";
"The secp384r1 algorithm.";
Elliptic Curve Cryptography Subject Public Key Information.";
"The secp521r1 algorithm.";
Elliptic Curve Cryptography Subject Public Key Information.";
"A list of private-keys and their associated certificates, as
well as lists of trusted certificates for client certificate
authentication. RPCs are provided to generate a new private
key and to generate a certificate signing request.";
container private-keys {
"A list of private keys maintained by the keystore.";
"An arbitrary name for the private key.";
"The algorithm used by the private key.";
"The key-length used by the private key.";
"A OneAsymmetricKey 'publicKey' structure as specified
by RFC 5958, Section 2 encoded using the ASN.1
distinguished encoding rules (DER), as specified
Asymmetric Key Packages
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
container certificate-chains {
"Certificate chains associated with this private key.
More than one chain per key is enabled to support,
for instance, a TPM-protected key that has associated
both IDevID and LDevID certificates.";
list certificate-chain {
"A certificate chain for this public key.";
"An arbitrary name for the certificate chain. The
name must be unique across all private keys, not
just within this private key.";
leaf-list certificate {
"An X.509 v3 certificate structure as specified by RFC
5280, Section 4 encoded using the ASN.1 distinguished
encoding rules (DER), as specified in ITU-T X.690.
The list of certificates that run from the server
certificate towards the trust anchor. The chain MAY
include the trust anchor certificate itself.";
Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile.
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
action generate-certificate-signing-request {
"Generates a certificate signing request structure for
the associated private key using the passed subject and
attribute values. Please review both the Security
Considerations and Design Considerations sections in
RFC VVVV for more information regarding this action
"The 'subject' field from the CertificationRequestInfo
structure as specified by RFC 2986, Section 4.1 encoded
using the ASN.1 distinguished encoding rules (DER), as
specified in ITU-T X.690.";
PKCS #10: Certification Request Syntax Specification
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
"The 'attributes' field from the CertificationRequestInfo
structure as specified by RFC 2986, Section 4.1 encoded
using the ASN.1 distinguished encoding rules (DER), as
specified in ITU-T X.690.";
PKCS #10: Certification Request Syntax Specification
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
leaf certificate-signing-request {
"A CertificationRequest structure as specified by RFC
2986, Section 4.1 encoded using the ASN.1 distinguished
encoding rules (DER), as specified in ITU-T X.690.";
PKCS #10: Certification Request Syntax Specification
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
action generate-private-key {
"Requests the device to generate a private key using the
specified algorithm and key length.";
"The name this private-key should have when listed
in /keystore/private-keys. As such, the passed
value must not match any existing 'name' value.";
"The algorithm to be used when generating the key.";
"For algorithms that need a key length specified
when generating the key.";
action load-private-key {
"Requests the device to load a private key.";
"The name this private-key should have when listed
in /keystore/private-keys. As such, the passed
value must not match any existing 'name' value.";
"A OneAsymmetricKey structure as specified by RFC
5958, Section 2 encoded using the ASN.1 distinguished
encoding rules (DER), as specified in ITU-T X.690.
Note that this is the raw private key with no shrouding
to protect it. The strength of this private key
MUST NOT be greater than the strength of the secure
connection over which it is communicated. Devices
SHOULD fail this request if ever that happens.";
Asymmetric Key Packages
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
list trusted-certificates {
"A list of trusted certificates. These certificates
can be used by a server to authenticate clients, or by clients
to authenticate servers. The certificates may be endpoint
specific or for certificate authorities (to authenticate many
clients at once). Each list of certificates SHOULD be specific
to a purpose, as the list as a whole may be referenced by other
modules. For instance, a NETCONF server model might point to
a list of certificates to use when authenticating client
"An arbitrary name for this list of trusted certificates.";
"An arbitrary description for this list of trusted
list trusted-certificate {
"A trusted certificate for a specific use. Note, this
'certificate' is a list in order to encode any
associated intermediate certificates.";
"An arbitrary name for this trusted certificate. Must
be unique across all lists of trusted certificates
(not just this list) so that a leafref to it from
another module can resolve to unique values.";
"An X.509 v3 certificate structure as specified by RFC
5280, Section 4 encoded using the ASN.1 distinguished
encoding rules (DER), as specified in ITU-T X.690.";
Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile.
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
list trusted-ssh-host-keys {
"A list of trusted host-keys. These host-keys can be used
by clients to authenticate SSH servers. The host-keys are
endpoint specific. Each list of host-keys SHOULD be
specific to a purpose, as the list as a whole may be
referenced by other modules. For instance, a NETCONF
client model might point to a list of host-keys to use
when authenticating servers' host-keys.";
"An arbitrary name for this list of trusted SSH host keys.";
"An arbitrary description for this list of trusted SSH host
list trusted-host-key {
"A trusted host key.";
"An arbitrary name for this trusted host-key. Must be
unique across all lists of trusted host-keys (not just
this list) so that a leafref to it from another module
can resolve to unique values.
Note that when the SSH client is also able to listen
for call-home connections, there is no reference
identifier (e.g., hostname, IP address, etc.) that it
can use to uniquely identify the server. The
call-home draft recommends SSH servers use X.509v3
certificates (RFC6187) when calling home.";
"A OneAsymmetricKey 'publicKey' structure as specified
by RFC 5958, Section 2 encoded using the ASN.1
distinguished encoding rules (DER), as specified
Asymmetric Key Packages
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
container user-auth-credentials {
"A list of user authentication credentials that can be used
by an SSH client to log into an SSH server, using any of
the supported authentication methods (e.g., password,
public key, client certificate, etc.).";
list user-auth-credential {
"The authentication credentials for a specific user.";
"The username of this user. This will be the username
used, for instance, to log into an SSH server.";
"A method of authenticating as this user.";
"When multiple authentication methods in this list are
supported by the server, the one with the lowest priority
value will be the one that is used.";
"The authentication type.";
leaf-list certificate {
path "/keystore/private-keys/private-key/certificate-chains/certificate-chain/name";
"A list of references to certificates that can be used
for user authentication. When multiple certificates
in this list are supported by the server, the one that
comes before the others in the leaf-list will be
leaf-list public-key {
path "/keystore/private-keys/private-key/name";
"A list of references to public keys that can be used
for user authentication. When multiple public keys
in this list are supported by the server, the one that
comes before the others in the leaf-list will be
leaf ciphertext-password {
"A ciphertext password. The method of encipherment
and how that method can be determined from this
string is implementation-specific.";
leaf cleartext-password {
"A cleartext password.";
notification certificate-expiration {
"A notification indicating that a configured certificate is
either about to expire or has already expired. When to send
notifications is an implementation specific decision, but
it is RECOMMENDED that a notification be sent once a month
for 3 months, then once a week for four weeks, and then once
type instance-identifier;
"Identifies which certificate is expiring or is expired.";
leaf expiration-date {
type yang:date-and-time;
"Identifies the expiration date on the certificate.";
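As an added example (not part of the ietf-keystore module or any IETF code), the following Python shows how a device could enforce the load-private-key rule above: it parses the algorithm and key length out of the DER OneAsymmetricKey, maps them to a comparable security strength using the NIST SP 800-57 Part 1 (Table 2) rows, and fails the load when that strength exceeds the strength of the session the key arrived on. The `der` encoder and `sample_key` fixture builder are assumed helpers that only construct non-functional test inputs, and the session strength in bits is assumed to be supplied by the caller from the negotiated TLS or SSH parameters.

```python
# Added example, not code from the ietf-keystore module or the IETF: a device-side
# check for load-private-key that fails the request when the key's strength exceeds
# the session's. Strength rows follow NIST SP 800-57 Part 1, Table 2 (assumed here).
RSA_OID, EC_OID = bytes.fromhex("2a864886f70d010101"), bytes.fromhex("2a8648ce3d0201")
CURVES = {bytes.fromhex("2a8648ce3d030101"): 192, bytes.fromhex("2a8648ce3d030107"): 256,
          bytes.fromhex("2b81040022"): 384, bytes.fromhex("2b81040023"): 521}  # secpNNNr1
NIST = {"rsa": [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)],
        "ec": [(160, 80), (224, 112), (256, 128), (384, 192), (512, 256)]}

def der(tag, content):  # minimal DER TLV encoder, used only for constructed fixtures
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def tlv(buf, pos=0):  # decode one DER TLV -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def key_params(one_asymmetric_key):
    """(algorithm, key length in bits) parsed from a DER OneAsymmetricKey (RFC 5958)."""
    _, body, _ = tlv(one_asymmetric_key)                # outer SEQUENCE
    _, _, p = tlv(body)                                 # version
    _, alg, p = tlv(body, p)                            # privateKeyAlgorithm
    _, key, _ = tlv(body, p)                            # privateKey OCTET STRING
    _, oid, q = tlv(alg)
    if oid == RSA_OID:
        _, rsa, _ = tlv(key)                            # RSAPrivateKey SEQUENCE
        _, _, r = tlv(rsa)                              # version
        return "rsa", int.from_bytes(tlv(rsa, r)[1], "big").bit_length()  # modulus n
    return "ec", CURVES[tlv(alg, q)[1]]                 # namedCurve parameter

def accept_load(one_asymmetric_key, session_bits):
    """True if the key may be loaded; False means the device SHOULD fail the request."""
    alg, length = key_params(one_asymmetric_key)
    strength = max((b for size, b in NIST[alg] if length >= size), default=0)
    return strength <= session_bits

def sample_key(alg, length):  # constructed, non-functional fixture of the given size
    if alg == "rsa":
        n = der(0x02, (1 << (length - 1)).to_bytes(length // 8 + 1, "big"))
        algid = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
        key = der(0x30, der(0x02, b"\x00") + n)
    else:
        curve = next(o for o, bits in CURVES.items() if bits == length)
        algid, key = der(0x30, der(0x06, EC_OID) + der(0x06, curve)), b"\x00"
    return der(0x30, der(0x02, b"\x00") + algid + der(0x04, key))
```

A 2048-bit RSA key (112-bit strength) is accepted over an AES-128 session, while a 3072-bit RSA key or a secp521r1 key is refused on the same session.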