1 <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="m-1">
2 <data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring"><?xml version="1.0" encoding="UTF-8"?>
3 <module name="ietf-keystore"
4 xmlns="urn:ietf:params:xml:ns:yang:yin:1"
5 xmlns:ks="urn:ietf:params:xml:ns:yang:ietf-keystore"
6 xmlns:yang="urn:ietf:params:xml:ns:yang:ietf-yang-types">
7 <yang-version value="1.1"/>
8 <namespace uri="urn:ietf:params:xml:ns:yang:ietf-keystore"/>
9 <prefix value="ks"/>
10 <import module="ietf-yang-types">
11 <prefix value="yang"/>
13 <text>RFC 6991: Common YANG Data Types</text>
17 <text>IETF NETCONF (Network Configuration) Working Group</text>
20 <text>WG Web: &lt;http://tools.ietf.org/wg/netconf/&gt;
21 WG List: &lt;mailto:netconf@ietf.org&gt;
23 WG Chair: Mehmet Ersue
24 &lt;mailto:mehmet.ersue@nsn.com&gt;
26 WG Chair: Mahesh Jethanandani
27 &lt;mailto:mjethanandani@gmail.com&gt;
30 &lt;mailto:kwatsen@juniper.net&gt;</text>
33 <text>This module defines a keystore to centralize management of
36 Copyright (c) 2014 IETF Trust and the persons identified as
37 authors of the code. All rights reserved.
39 Redistribution and use in source and binary forms, with or
40 without modification, is permitted pursuant to, and subject
41 to the license terms contained in, the Simplified BSD
42 License set forth in Section 4.c of the IETF Trust's
43 Legal Provisions Relating to IETF Documents
44 (http://trustee.ietf.org/license-info).
46 This version of this YANG module is part of RFC VVVV; see
47 the RFC itself for full legal notices.</text>
49 <revision date="2016-10-31">
51 <text>Initial version</text>
54 <text>RFC VVVV: NETCONF Server and RESTCONF Server Configuration
58 <identity name="key-algorithm">
60 <text>Base identity from which all key-algorithms are derived.</text>
63 <identity name="rsa">
64 <base name="key-algorithm"/>
66 <text>The RSA algorithm.</text>
69 <text>RFC3447: Public-Key Cryptography Standards (PKCS) #1:
70 RSA Cryptography Specifications Version 2.1.</text>
73 <identity name="secp192r1">
74 <base name="key-algorithm"/>
76 <text>The secp192r1 algorithm.</text>
80 Elliptic Curve Cryptography Subject Public Key Information.</text>
83 <identity name="secp256r1">
84 <base name="key-algorithm"/>
86 <text>The secp256r1 algorithm.</text>
90 Elliptic Curve Cryptography Subject Public Key Information.</text>
93 <identity name="secp384r1">
94 <base name="key-algorithm"/>
96 <text>The secp384r1 algorithm.</text>
100 Elliptic Curve Cryptography Subject Public Key Information.</text>
103 <identity name="secp521r1">
104 <base name="key-algorithm"/>
106 <text>The secp521r1 algorithm.</text>
110 Elliptic Curve Cryptography Subject Public Key Information.</text>
113 <container name="keystore">
115 <text>A list of private-keys and their associated certificates, as
116 well as lists of trusted certificates for client certificate
117 authentication. RPCs are provided to generate a new private
118 key and to generate a certificate signing requests.</text>
120 <container name="private-keys">
122 <text>A list of private key maintained by the keystore.</text>
124 <list name="private-key">
125 <key value="name"/>
127 <text>A private key.</text>
129 <leaf name="name">
130 <type name="string"/>
132 <text>An arbitrary name for the private key.</text>
135 <leaf name="algorithm">
136 <type name="identityref">
137 <base name="key-algorithm"/>
139 <config value="false"/>
141 <text>The algorithm used by the private key.</text>
144 <leaf name="key-length">
145 <type name="uint32"/>
146 <config value="false"/>
148 <text>The key-length used by the private key.</text>
151 <leaf name="public-key">
152 <type name="binary"/>
153 <config value="false"/>
154 <mandatory value="true"/>
156 <text>An OneAsymmetricKey 'publicKey' structure as specified
157 by RFC 5958, Section 2 encoded using the ASN.1
158 distinguished encoding rules (DER), as specified
159 in ITU-T X.690.</text>
162 <text>RFC 5958:
163 Asymmetric Key Packages
165 Information technology - ASN.1 encoding rules:
166 Specification of Basic Encoding Rules (BER),
167 Canonical Encoding Rules (CER) and Distinguished
168 Encoding Rules (DER).</text>
171 <container name="certificate-chains">
173 <text>Certificate chains associated with this private key.
174 More than one chain per key is enabled to support,
175 for instance, a TPM-protected key that has associated
176 both IDevID and LDevID certificates.</text>
178 <list name="certificate-chain">
179 <key value="name"/>
181 <text>A certificate chain for this public key.</text>
183 <leaf name="name">
184 <type name="string"/>
186 <text>An arbitrary name for the certificate chain. The
187 name must be a unique across all private keys, not
188 just within this private key.</text>
191 <leaf-list name="certificate">
192 <type name="binary"/>
193 <ordered-by value="user"/>
195 <text>An X.509 v3 certificate structure as specified by RFC
196 5280, Section 4 encoded using the ASN.1 distinguished
197 encoding rules (DER), as specified in ITU-T X.690.
198 The list of certificates that run from the server
199 certificate towards the trust anchor. The chain MAY
200 include the trust anchor certificate itself.</text>
203 <text>RFC 5280:
204 Internet X.509 Public Key Infrastructure Certificate
205 and Certificate Revocation List (CRL) Profile.
207 Information technology - ASN.1 encoding rules:
208 Specification of Basic Encoding Rules (BER),
209 Canonical Encoding Rules (CER) and Distinguished
210 Encoding Rules (DER).</text>
215 <action name="generate-certificate-signing-request">
217 <text>Generates a certificate signing request structure for
218 the associated private key using the passed subject and
219 attribute values. Please review both the Security
220 Considerations and Design Considerations sections in
221 RFC VVVV for more information regarding this action
222 statement.</text>
225 <leaf name="subject">
226 <type name="binary"/>
227 <mandatory value="true"/>
229 <text>The 'subject' field from the CertificationRequestInfo
230 structure as specified by RFC 2986, Section 4.1 encoded
231 using the ASN.1 distinguished encoding rules (DER), as
232 specified in ITU-T X.690.</text>
235 <text>RFC 2986:
236 PKCS #10: Certification Request Syntax Specification
239 Information technology - ASN.1 encoding rules:
240 Specification of Basic Encoding Rules (BER),
241 Canonical Encoding Rules (CER) and Distinguished
242 Encoding Rules (DER).</text>
245 <leaf name="attributes">
246 <type name="binary"/>
248 <text>The 'attributes' field from the CertificationRequestInfo
249 structure as specified by RFC 2986, Section 4.1 encoded
250 using the ASN.1 distinguished encoding rules (DER), as
251 specified in ITU-T X.690.</text>
254 <text>RFC 2986:
255 PKCS #10: Certification Request Syntax Specification
258 Information technology - ASN.1 encoding rules:
259 Specification of Basic Encoding Rules (BER),
260 Canonical Encoding Rules (CER) and Distinguished
261 Encoding Rules (DER).</text>
266 <leaf name="certificate-signing-request">
267 <type name="binary"/>
268 <mandatory value="true"/>
270 <text>A CertificationRequest structure as specified by RFC
271 2986, Section 4.1 encoded using the ASN.1 distinguished
272 encoding rules (DER), as specified in ITU-T X.690.</text>
275 <text>RFC 2986:
276 PKCS #10: Certification Request Syntax Specification
279 Information technology - ASN.1 encoding rules:
280 Specification of Basic Encoding Rules (BER),
281 Canonical Encoding Rules (CER) and Distinguished
282 Encoding Rules (DER).</text>
288 <action name="generate-private-key">
290 <text>Requests the device to generate a private key using the
291 specified algorithm and key length.</text>
294 <leaf name="name">
295 <type name="string"/>
296 <mandatory value="true"/>
298 <text>The name this private-key should have when listed
299 in /keystore/private-keys. As such, the passed
300 value must not match any existing 'name' value.</text>
303 <leaf name="algorithm">
304 <type name="identityref">
305 <base name="key-algorithm"/>
307 <mandatory value="true"/>
309 <text>The algorithm to be used when generating the key.</text>
312 <leaf name="key-length">
313 <type name="uint32"/>
315 <text>For algorithms that need a key length specified
316 when generating the key.</text>
321 <action name="load-private-key">
323 <text>Requests the device to load a private key</text>
326 <leaf name="name">
327 <type name="string"/>
328 <mandatory value="true"/>
330 <text>The name this private-key should have when listed
331 in /keystore/private-keys. As such, the passed
332 value must not match any existing 'name' value.</text>
335 <leaf name="private-key">
336 <type name="binary"/>
337 <mandatory value="true"/>
339 <text>An OneAsymmetricKey structure as specified by RFC
340 5958, Section 2 encoded using the ASN.1 distinguished
341 encoding rules (DER), as specified in ITU-T X.690.
342 Note that this is the raw private with no shrouding
343 to protect it. The strength of this private key
344 MUST NOT be greater than the strength of the secure
345 connection over which it is communicated. Devices
346 SHOULD fail this request if ever that happens.</text>
349 <text>RFC 5958:
350 Asymmetric Key Packages
352 Information technology - ASN.1 encoding rules:
353 Specification of Basic Encoding Rules (BER),
354 Canonical Encoding Rules (CER) and Distinguished
355 Encoding Rules (DER).</text>
361 <list name="trusted-certificates">
362 <key value="name"/>
364 <text>A list of trusted certificates. These certificates
365 can be used by a server to authenticate clients, or by clients
366 to authenticate servers. The certificates may be endpoint
367 specific or for certificate authorities (to authenticate many
368 clients at once. Each list of certificates SHOULD be specific
369 to a purpose, as the list as a whole may be referenced by other
370 modules. For instance, a NETCONF server model might point to
371 a list of certificates to use when authenticating client
372 certificates.</text>
374 <leaf name="name">
375 <type name="string"/>
377 <text>An arbitrary name for this list of trusted certificates.</text>
380 <leaf name="description">
381 <type name="string"/>
383 <text>An arbitrary description for this list of trusted
384 certificates.</text>
387 <list name="trusted-certificate">
388 <key value="name"/>
390 <text>A trusted certificate for a specific use. Note, this
391 'certificate' is a list in order to encode any
392 associated intermediate certificates.</text>
394 <leaf name="name">
395 <type name="string"/>
397 <text>An arbitrary name for this trusted certificate. Must
398 be unique across all lists of trusted certificates
399 (not just this list) so that a leafref to it from
400 another module can resolve to unique values.</text>
403 <leaf name="certificate">
404 <type name="binary"/>
406 <text>An X.509 v3 certificate structure as specified by RFC
407 5280, Section 4 encoded using the ASN.1 distinguished
408 encoding rules (DER), as specified in ITU-T X.690.</text>
411 <text>RFC 5280:
412 Internet X.509 Public Key Infrastructure Certificate
413 and Certificate Revocation List (CRL) Profile.
415 Information technology - ASN.1 encoding rules:
416 Specification of Basic Encoding Rules (BER),
417 Canonical Encoding Rules (CER) and Distinguished
418 Encoding Rules (DER).</text>
423 <list name="trusted-ssh-host-keys">
424 <key value="name"/>
426 <text>A list of trusted host-keys. These host-keys can be used
427 by clients to authenticate SSH servers. The host-keys are
428 endpoint specific. Each list of host-keys SHOULD be
429 specific to a purpose, as the list as a whole may be
430 referenced by other modules. For instance, a NETCONF
431 client model might point to a list of host-keys to use
432 when authenticating servers host-keys.</text>
434 <leaf name="name">
435 <type name="string"/>
437 <text>An arbitrary name for this list of trusted SSH host keys.</text>
440 <leaf name="description">
441 <type name="string"/>
443 <text>An arbitrary description for this list of trusted SSH host
447 <list name="trusted-host-key">
448 <key value="name"/>
450 <text>A trusted host key.</text>
452 <leaf name="name">
453 <type name="string"/>
455 <text>An arbitrary name for this trusted host-key. Must be
456 unique across all lists of trusted host-keys (not just
457 this list) so that a leafref to it from another module
458 can resolve to unique values.
460 Note that, for when the SSH client is able to listen
461 for call-home connections as well, there is no reference
462 identifier (e.g., hostname, IP address, etc.) that it
463 can use to uniquely identify the server with. The
464 call-home draft recommends SSH servers use X.509v3
465 certificates (RFC6187) when calling home.</text>
468 <leaf name="host-key">
469 <type name="binary"/>
470 <mandatory value="true"/>
472 <text>An OneAsymmetricKey 'publicKey' structure as specified
473 by RFC 5958, Section 2 encoded using the ASN.1
474 distinguished encoding rules (DER), as specified
475 in ITU-T X.690.</text>
478 <text>RFC 5958:
479 Asymmetric Key Packages
481 Information technology - ASN.1 encoding rules:
482 Specification of Basic Encoding Rules (BER),
483 Canonical Encoding Rules (CER) and Distinguished
484 Encoding Rules (DER).</text>
489 <container name="user-auth-credentials">
491 <text>A list of user authentication credentials that can be used
492 by an SSH client to log into an SSH server, using any of
493 the supported authentication methods (e.g., password,
494 public key, client certificate, etc.).</text>
496 <list name="user-auth-credential">
497 <key value="username"/>
499 <text>The authentication credentials for a specific user.</text>
501 <leaf name="username">
502 <type name="string"/>
504 <text>The username of this user. This will be the username
505 used, for instance, to log into an SSH server.</text>
508 <list name="auth-method">
509 <key value="priority"/>
511 <text>A method of authenticating as this user.</text>
513 <leaf name="priority">
514 <type name="uint8"/>
516 <text>When multiple authentication methods in this list are
517 supported by the server, the one with the lowest priority
518 value will be the one that is used.</text>
521 <choice name="auth-type">
523 <text>The authentication type.</text>
525 <leaf-list name="certificate">
526 <type name="leafref">
527 <path value="/keystore/private-keys/private-key/certificate-chains/certificate-chain/name"/>
529 <ordered-by value="user"/>
531 <text>A list of references to certificates that can be used
532 for user authentication. When multiple certificates
533 in this list supported by the server, the one that
534 comes before the others in the leaf-list will be
538 <leaf-list name="public-key">
539 <type name="leafref">
540 <path value="/keystore/private-keys/private-key/name"/>
542 <ordered-by value="user"/>
544 <text>A list of references to public keys that can be used
545 for user authentication. When multiple public keys
546 in this list supported by the server, the one that
547 comes before the others in the leaf-list will be
551 <leaf name="ciphertext-password">
552 <type name="string"/>
554 <text>An ciphertext password. The method of encipherment
555 and how that method can be determined from this
556 string is implementation-specific.</text>
559 <leaf name="cleartext-password">
560 <type name="string"/>
562 <text>An cleartext password.</text>
570 <notification name="certificate-expiration">
572 <text>A notification indicating that a configured certificate is
573 either about to expire or has already expired. When to send
574 notifications is an implementation specific decision, but
575 it is RECOMMENDED that a notification be sent once a month
576 for 3 months, then once a week for four weeks, and then once
577 a day thereafter.</text>
579 <leaf name="certificate">
580 <type name="instance-identifier"/>
581 <mandatory value="true"/>
583 <text>Identifies which certificate is expiring or is expired.</text>
586 <leaf name="expiration-date">
587 <type name="yang:date-and-time"/>
588 <mandatory value="true"/>
590 <text>Identifies the expiration date on the certificate.</text>
593 </notification>
Code Review / demo.git / blob