--- /dev/null
+<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="m-1">
+ <data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">module ietf-keystore {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-keystore";
+ prefix ks;
+
+ import ietf-yang-types {
+ prefix yang;
+ reference
+ "RFC 6991: Common YANG Data Types";
+ }
+
+ organization
+ "IETF NETCONF (Network Configuration) Working Group";
+ contact
+ "WG Web: <http://tools.ietf.org/wg/netconf/>
+ WG List: <mailto:netconf@ietf.org>
+
+ WG Chair: Mehmet Ersue
+ <mailto:mehmet.ersue@nsn.com>
+
+ WG Chair: Mahesh Jethanandani
+ <mailto:mjethanandani@gmail.com>
+
+ Editor: Kent Watsen
+ <mailto:kwatsen@juniper.net>";
+ description
+ "This module defines a keystore to centralize management of
+ security credentials.
+
+ Copyright (c) 2014 IETF Trust and the persons identified as
+ authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD
+ License set forth in Section 4.c of the IETF Trust's
+ Legal Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC VVVV; see
+ the RFC itself for full legal notices.";
+
+ revision 2016-10-31 {
+ description
+ "Initial version";
+ reference
+ "RFC VVVV: NETCONF Server and RESTCONF Server Configuration
+ Models";
+ }
+
+ identity key-algorithm {
+ description
+ "Base identity from which all key-algorithms are derived.";
+ }
+
+ identity rsa {
+ base key-algorithm;
+ description
+ "The RSA algorithm.";
+ reference
+ "RFC3447: Public-Key Cryptography Standards (PKCS) #1:
+ RSA Cryptography Specifications Version 2.1.";
+ }
+
+ identity secp192r1 {
+ base key-algorithm;
+ description
+ "The secp192r1 algorithm.";
+ reference
+ "RFC5480:
+ Elliptic Curve Cryptography Subject Public Key Information.";
+ }
+
+ identity secp256r1 {
+ base key-algorithm;
+ description
+ "The secp256r1 algorithm.";
+ reference
+ "RFC5480:
+ Elliptic Curve Cryptography Subject Public Key Information.";
+ }
+
+ identity secp384r1 {
+ base key-algorithm;
+ description
+ "The secp384r1 algorithm.";
+ reference
+ "RFC5480:
+ Elliptic Curve Cryptography Subject Public Key Information.";
+ }
+
+ identity secp521r1 {
+ base key-algorithm;
+ description
+ "The secp521r1 algorithm.";
+ reference
+ "RFC5480:
+ Elliptic Curve Cryptography Subject Public Key Information.";
+ }
+
+ container keystore {
+ description
+ "A list of private-keys and their associated certificates, as
+ well as lists of trusted certificates for client certificate
+ authentication. RPCs are provided to generate a new private
+ key and to generate a certificate signing requests.";
+ container private-keys {
+ description
+ "A list of private key maintained by the keystore.";
+ list private-key {
+ key "name";
+ description
+ "A private key.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the private key.";
+ }
+
+ leaf algorithm {
+ type identityref {
+ base key-algorithm;
+ }
+ config false;
+ description
+ "The algorithm used by the private key.";
+ }
+
+ leaf key-length {
+ type uint32;
+ config false;
+ description
+ "The key-length used by the private key.";
+ }
+
+ leaf public-key {
+ type binary;
+ config false;
+ mandatory true;
+ description
+ "An OneAsymmetricKey 'publicKey' structure as specified
+ by RFC 5958, Section 2 encoded using the ASN.1
+ distinguished encoding rules (DER), as specified
+ in ITU-T X.690.";
+ reference
+ "RFC 5958:
+ Asymmetric Key Packages
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ container certificate-chains {
+ description
+ "Certificate chains associated with this private key.
+ More than one chain per key is enabled to support,
+ for instance, a TPM-protected key that has associated
+ both IDevID and LDevID certificates.";
+ list certificate-chain {
+ key "name";
+ description
+ "A certificate chain for this public key.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for the certificate chain. The
+ name must be a unique across all private keys, not
+ just within this private key.";
+ }
+
+ leaf-list certificate {
+ type binary;
+ ordered-by user;
+ description
+ "An X.509 v3 certificate structure as specified by RFC
+ 5280, Section 4 encoded using the ASN.1 distinguished
+ encoding rules (DER), as specified in ITU-T X.690.
+ The list of certificates that run from the server
+ certificate towards the trust anchor. The chain MAY
+ include the trust anchor certificate itself.";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ }
+ }
+
+ action generate-certificate-signing-request {
+ description
+ "Generates a certificate signing request structure for
+ the associated private key using the passed subject and
+ attribute values. Please review both the Security
+ Considerations and Design Considerations sections in
+ RFC VVVV for more information regarding this action
+ statement.";
+ input {
+ leaf subject {
+ type binary;
+ mandatory true;
+ description
+ "The 'subject' field from the CertificationRequestInfo
+ structure as specified by RFC 2986, Section 4.1 encoded
+ using the ASN.1 distinguished encoding rules (DER), as
+ specified in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax Specification
+ Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+
+ leaf attributes {
+ type binary;
+ description
+ "The 'attributes' field from the CertificationRequestInfo
+ structure as specified by RFC 2986, Section 4.1 encoded
+ using the ASN.1 distinguished encoding rules (DER), as
+ specified in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax Specification
+ Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ }
+
+ output {
+ leaf certificate-signing-request {
+ type binary;
+ mandatory true;
+ description
+ "A CertificationRequest structure as specified by RFC
+ 2986, Section 4.1 encoded using the ASN.1 distinguished
+ encoding rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 2986:
+ PKCS #10: Certification Request Syntax Specification
+ Version 1.7.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ }
+ }
+ }
+
+ action generate-private-key {
+ description
+ "Requests the device to generate a private key using the
+ specified algorithm and key length.";
+ input {
+ leaf name {
+ type string;
+ mandatory true;
+ description
+ "The name this private-key should have when listed
+ in /keystore/private-keys. As such, the passed
+ value must not match any existing 'name' value.";
+ }
+
+ leaf algorithm {
+ type identityref {
+ base key-algorithm;
+ }
+ mandatory true;
+ description
+ "The algorithm to be used when generating the key.";
+ }
+
+ leaf key-length {
+ type uint32;
+ description
+ "For algorithms that need a key length specified
+ when generating the key.";
+ }
+ }
+ }
+
+ action load-private-key {
+ description
+ "Requests the device to load a private key";
+ input {
+ leaf name {
+ type string;
+ mandatory true;
+ description
+ "The name this private-key should have when listed
+ in /keystore/private-keys. As such, the passed
+ value must not match any existing 'name' value.";
+ }
+
+ leaf private-key {
+ type binary;
+ mandatory true;
+ description
+ "An OneAsymmetricKey structure as specified by RFC
+ 5958, Section 2 encoded using the ASN.1 distinguished
+ encoding rules (DER), as specified in ITU-T X.690.
+ Note that this is the raw private with no shrouding
+ to protect it. The strength of this private key
+ MUST NOT be greater than the strength of the secure
+ connection over which it is communicated. Devices
+ SHOULD fail this request if ever that happens.";
+ reference
+ "RFC 5958:
+ Asymmetric Key Packages
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ }
+ }
+ }
+
+ list trusted-certificates {
+ key "name";
+ description
+ "A list of trusted certificates. These certificates
+ can be used by a server to authenticate clients, or by clients
+ to authenticate servers. The certificates may be endpoint
+ specific or for certificate authorities (to authenticate many
+ clients at once. Each list of certificates SHOULD be specific
+ to a purpose, as the list as a whole may be referenced by other
+ modules. For instance, a NETCONF server model might point to
+ a list of certificates to use when authenticating client
+ certificates.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this list of trusted certificates.";
+ }
+
+ leaf description {
+ type string;
+ description
+ "An arbitrary description for this list of trusted
+ certificates.";
+ }
+
+ list trusted-certificate {
+ key "name";
+ description
+ "A trusted certificate for a specific use. Note, this
+ 'certificate' is a list in order to encode any
+ associated intermediate certificates.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this trusted certificate. Must
+ be unique across all lists of trusted certificates
+ (not just this list) so that a leafref to it from
+ another module can resolve to unique values.";
+ }
+
+ leaf certificate {
+ type binary;
+ description
+ "An X.509 v3 certificate structure as specified by RFC
+ 5280, Section 4 encoded using the ASN.1 distinguished
+ encoding rules (DER), as specified in ITU-T X.690.";
+ reference
+ "RFC 5280:
+ Internet X.509 Public Key Infrastructure Certificate
+ and Certificate Revocation List (CRL) Profile.
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ }
+ }
+
+ list trusted-ssh-host-keys {
+ key "name";
+ description
+ "A list of trusted host-keys. These host-keys can be used
+ by clients to authenticate SSH servers. The host-keys are
+ endpoint specific. Each list of host-keys SHOULD be
+ specific to a purpose, as the list as a whole may be
+ referenced by other modules. For instance, a NETCONF
+ client model might point to a list of host-keys to use
+ when authenticating servers host-keys.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this list of trusted SSH host keys.";
+ }
+
+ leaf description {
+ type string;
+ description
+ "An arbitrary description for this list of trusted SSH host
+ keys.";
+ }
+
+ list trusted-host-key {
+ key "name";
+ description
+ "A trusted host key.";
+ leaf name {
+ type string;
+ description
+ "An arbitrary name for this trusted host-key. Must be
+ unique across all lists of trusted host-keys (not just
+ this list) so that a leafref to it from another module
+ can resolve to unique values.
+
+ Note that, for when the SSH client is able to listen
+ for call-home connections as well, there is no reference
+ identifier (e.g., hostname, IP address, etc.) that it
+ can use to uniquely identify the server with. The
+ call-home draft recommends SSH servers use X.509v3
+ certificates (RFC6187) when calling home.";
+ }
+
+ leaf host-key {
+ type binary;
+ mandatory true;
+ description
+ "An OneAsymmetricKey 'publicKey' structure as specified
+ by RFC 5958, Section 2 encoded using the ASN.1
+ distinguished encoding rules (DER), as specified
+ in ITU-T X.690.";
+ reference
+ "RFC 5958:
+ Asymmetric Key Packages
+ ITU-T X.690:
+ Information technology - ASN.1 encoding rules:
+ Specification of Basic Encoding Rules (BER),
+ Canonical Encoding Rules (CER) and Distinguished
+ Encoding Rules (DER).";
+ }
+ }
+ }
+
+ container user-auth-credentials {
+ description
+ "A list of user authentication credentials that can be used
+ by an SSH client to log into an SSH server, using any of
+ the supported authentication methods (e.g., password,
+ public key, client certificate, etc.).";
+ list user-auth-credential {
+ key "username";
+ description
+ "The authentication credentials for a specific user.";
+ leaf username {
+ type string;
+ description
+ "The username of this user. This will be the username
+ used, for instance, to log into an SSH server.";
+ }
+
+ list auth-method {
+ key "priority";
+ description
+ "A method of authenticating as this user.";
+ leaf priority {
+ type uint8;
+ description
+ "When multiple authentication methods in this list are
+ supported by the server, the one with the lowest priority
+ value will be the one that is used.";
+ }
+
+ choice auth-type {
+ description
+ "The authentication type.";
+ leaf-list certificate {
+ type leafref {
+ path "/keystore/private-keys/private-key/certificate-chains/certificate-chain/name";
+ }
+ ordered-by user;
+ description
+ "A list of references to certificates that can be used
+ for user authentication. When multiple certificates
+ in this list supported by the server, the one that
+ comes before the others in the leaf-list will be
+ used.";
+ }
+
+ leaf-list public-key {
+ type leafref {
+ path "/keystore/private-keys/private-key/name";
+ }
+ ordered-by user;
+ description
+ "A list of references to public keys that can be used
+ for user authentication. When multiple public keys
+ in this list supported by the server, the one that
+ comes before the others in the leaf-list will be
+ used.";
+ }
+
+ leaf ciphertext-password {
+ type string;
+ description
+ "An ciphertext password. The method of encipherment
+ and how that method can be determined from this
+ string is implementation-specific.";
+ }
+
+ leaf cleartext-password {
+ type string;
+ description
+ "An cleartext password.";
+ }
+ }
+ }
+ }
+ }
+ }
+
+ notification certificate-expiration {
+ description
+ "A notification indicating that a configured certificate is
+ either about to expire or has already expired. When to send
+ notifications is an implementation specific decision, but
+ it is RECOMMENDED that a notification be sent once a month
+ for 3 months, then once a week for four weeks, and then once
+ a day thereafter.";
+ leaf certificate {
+ type instance-identifier;
+ mandatory true;
+ description
+ "Identifies which certificate is expiring or is expired.";
+ }
+
+ leaf expiration-date {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "Identifies the expiration date on the certificate.";
+ }
+ }
+}
+</data>
+</rpc-reply>
Code Review / demo.git / blobdiff