netconfcentral logo

ietf-keystore

HTML

ietf-keystore@2020-08-20



  module ietf-keystore {

    yang-version 1.1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-keystore";

    prefix ks;

    import ietf-netconf-acm {
      prefix nacm;
      reference
        "RFC 8341: Network Configuration Access Control Model";


    }
    import ietf-crypto-types {
      prefix ct;
      reference
        "RFC AAAA: YANG Data Types and Groupings for Cryptography";


    }

    organization
      "IETF NETCONF (Network Configuration) Working Group";

    contact
      "WG Web:   <http://datatracker.ietf.org/wg/netconf/>
     WG List:  <mailto:netconf@ietf.org>
     Author:   Kent Watsen <mailto:kent+ietf@watsen.net>";

    description
      "This module defines a Keystore to centralize management
     of security credentials.

     Copyright (c) 2020 IETF Trust and the persons identified
     as authors of the code. All rights reserved.
     Redistribution and use in source and binary forms, with
     or without modification, is permitted pursuant to, and
     subject to the license terms contained in, the Simplified
     BSD License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC CCCC
     (https://www.rfc-editor.org/info/rfcCCCC); see the RFC
     itself for full legal notices.

     The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
     'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
     'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
     are to be interpreted as described in BCP 14 (RFC 2119)
     (RFC 8174) when, and only when, they appear in all
     capitals, as shown here.";

    revision "2020-08-20" {
      description "Initial version";
      reference
        "RFC CCCC: A YANG Data Model for a Keystore";

    }


    feature keystore-supported {
      description
        "The 'keystore-supported' feature indicates that the server
       supports the Keystore.";
    }

    feature local-definitions-supported {
      description
        "The 'local-definitions-supported' feature indicates that the
       server supports locally-defined keys.";
    }

    typedef symmetric-key-ref {
      type leafref {
        path "/ks:keystore/ks:symmetric-keys/ks:symmetric-key/ks:name";
      }
      description
        "This typedef enables modules to easily define a reference
       to a symmetric key stored in the Keystore.";
    }

    typedef asymmetric-key-ref {
      type leafref {
        path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key/ks:name";
      }
      description
        "This typedef enables modules to easily define a reference
       to an asymmetric key stored in the Keystore.";
    }

    grouping encrypted-by-choice-grouping {
      description
        "A grouping that defines a choice that can be augmented
       into the 'encrypted-by' node presented by the
       'symmetric-key-grouping' and 'asymmetric-key-pair-grouping'
       groupings defined in RFC AAAA.";
      choice encrypted-by-choice {
        nacm:default-deny-write;
        mandatory true;
        description
          "A choice amongst other symmetric or asymmetric keys.";
        leaf symmetric-key-ref {
          type symmetric-key-ref;
          description
            "Identifies the symmetric key used to encrypt the
            associated key.";
        }
        leaf asymmetric-key-ref {
          type asymmetric-key-ref;
          description
            "Identifies the asymmetric key whose public key
            encrypted the associated key.";
        }
      }  // choice encrypted-by-choice
    }  // grouping encrypted-by-choice-grouping

    grouping asymmetric-key-certificate-ref-grouping {
      description
        "This grouping defines a reference to a specific certificate
       associated with an asymmetric key stored in the Keystore.";
      leaf asymmetric-key {
        nacm:default-deny-write;
        type asymmetric-key-ref;
        must '../certificate';
        description
          "A reference to an asymmetric key in the Keystore.";
      }

      leaf certificate {
        nacm:default-deny-write;
        type leafref {
          path
            "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key[ks:"
              + "name = current()/../asymmetric-key]/ks:certificates"
              + "/ks:certificate/ks:name";
        }
        must '../asymmetric-key';
        description
          "A reference to a specific certificate of the
         asymmetric key in the Keystore.";
      }
    }  // grouping asymmetric-key-certificate-ref-grouping

    grouping local-or-keystore-symmetric-key-grouping {
      description
        "A grouping that expands to allow the symmetric key to be
       either stored locally, i.e., within the using data model,
       or a reference to a symmetric key stored in the Keystore.";
      choice local-or-keystore {
        nacm:default-deny-write;
        mandatory true;
        description
          "A choice between an inlined definition and a definition
         that exists in the Keystore.";
        case local {
          if-feature local-definitions-supported;
          container local-definition {
            description
              "Container to hold the local key definition.";
            uses ct:symmetric-key-grouping;
          }  // container local-definition
        }  // case local

        case keystore {
          if-feature keystore-supported;
          leaf keystore-reference {
            type symmetric-key-ref;
            description
              "A reference to an symmetric key that exists in
             the Keystore.";
          }
        }  // case keystore
      }  // choice local-or-keystore
    }  // grouping local-or-keystore-symmetric-key-grouping

    grouping local-or-keystore-asymmetric-key-grouping {
      description
        "A grouping that expands to allow the asymmetric key to be
       either stored locally, i.e., within the using data model,
       or a reference to an asymmetric key stored in the Keystore.";
      choice local-or-keystore {
        nacm:default-deny-write;
        mandatory true;
        description
          "A choice between an inlined definition and a definition
         that exists in the Keystore.";
        case local {
          if-feature local-definitions-supported;
          container local-definition {
            description
              "Container to hold the local key definition.";
            uses ct:asymmetric-key-pair-grouping;
          }  // container local-definition
        }  // case local

        case keystore {
          if-feature keystore-supported;
          leaf keystore-reference {
            type asymmetric-key-ref;
            description
              "A reference to an asymmetric key that exists in
             the Keystore.  The intent is to reference just the
             asymmetric key without any regard for any certificates
             that may be associated with it.";
          }
        }  // case keystore
      }  // choice local-or-keystore
    }  // grouping local-or-keystore-asymmetric-key-grouping

    grouping local-or-keystore-asymmetric-key-with-certs-grouping {
      description
        "A grouping that expands to allow an asymmetric key and
       its associated certificates to be either stored locally,
       i.e., within the using data model, or a reference to an
       asymmetric key (and its associated certificates) stored
       in the Keystore.";
      choice local-or-keystore {
        nacm:default-deny-write;
        mandatory true;
        description
          "A choice between an inlined definition and a definition
         that exists in the Keystore.";
        case local {
          if-feature local-definitions-supported;
          container local-definition {
            description
              "Container to hold the local key definition.";
            uses ct:asymmetric-key-pair-with-certs-grouping;
          }  // container local-definition
        }  // case local

        case keystore {
          if-feature keystore-supported;
          leaf keystore-reference {
            type asymmetric-key-ref;
            description
              "A reference to an asymmetric-key (and all of its
             associated certificates) in the Keystore.";
          }
        }  // case keystore
      }  // choice local-or-keystore
    }  // grouping local-or-keystore-asymmetric-key-with-certs-grouping

    grouping local-or-keystore-end-entity-cert-with-key-grouping {
      description
        "A grouping that expands to allow an end-entity certificate
       (and its associated asymmetric key pair) to be either stored
       locally, i.e., within the using data model, or a reference
       to a specific certificate in the Keystore.";
      choice local-or-keystore {
        nacm:default-deny-write;
        mandatory true;
        description
          "A choice between an inlined definition and a definition
         that exists in the Keystore.";
        case local {
          if-feature local-definitions-supported;
          container local-definition {
            description
              "Container to hold the local key definition.";
            uses ct:asymmetric-key-pair-with-cert-grouping;
          }  // container local-definition
        }  // case local

        case keystore {
          if-feature keystore-supported;
          container keystore-reference {
            description
              "A reference to a specific certificate associated with
             an asymmetric key stored in the Keystore.";
            uses asymmetric-key-certificate-ref-grouping;
          }  // container keystore-reference
        }  // case keystore
      }  // choice local-or-keystore
    }  // grouping local-or-keystore-end-entity-cert-with-key-grouping

    grouping keystore-grouping {
      description
        "Grouping definition enables use in other contexts.  If ever
       done, implementations SHOULD augment new 'case' statements
       into local-or-keystore 'choice' statements to supply leafrefs
       to the new location.";
      container asymmetric-keys {
        nacm:default-deny-write;
        description
          "A list of asymmetric keys.";
        list asymmetric-key {
          key "name";
          description "An asymmetric key.";
          leaf name {
            type string;
            description
              "An arbitrary name for the asymmetric key.";
          }

          uses ct:asymmetric-key-pair-with-certs-grouping;
        }  // list asymmetric-key
      }  // container asymmetric-keys

      container symmetric-keys {
        nacm:default-deny-write;
        description
          "A list of symmetric keys.";
        list symmetric-key {
          key "name";
          description "A symmetric key.";
          leaf name {
            type string;
            description
              "An arbitrary name for the symmetric key.";
          }

          uses ct:symmetric-key-grouping;
        }  // list symmetric-key
      }  // container symmetric-keys
    }  // grouping keystore-grouping

    container keystore {
      nacm:default-deny-write;
      description
        "The Keystore contains a list of symmetric keys and a list
       of asymmetric keys.";
      uses keystore-grouping {
        augment symmetric-keys/symmetric-key/key-type/encrypted-key/encrypted-key/encrypted-by {
          description
            "Augments in a choice statement enabling the encrypting
           key to be any other symmetric or asymmetric key in the
           keystore.";
          uses encrypted-by-choice-grouping;
        }

        augment asymmetric-keys/asymmetric-key/private-key-type/encrypted-private-key/encrypted-private-key/encrypted-by {
          description
            "Augments in a choice statement enabling the encrypting
           key to be any other symmetric or asymmetric key in the
           keystore.";
          uses encrypted-by-choice-grouping;
        }
      }
    }  // container keystore
  }  // module ietf-keystore

Summary

  
  
Organization IETF NETCONF (Network Configuration) Working Group
  
Module ietf-keystore
Version 2020-08-20
File ietf-keystore@2020-08-20.yang
  
Prefix ks
Namespace urn:ietf:params:xml:ns:yang:ietf-keystore
  
Cooked /cookedmodules/ietf-keystore/2020-08-20
YANG /src/ietf-keystore@2020-08-20.yang
XSD /xsd/ietf-keystore@2020-08-20.xsd
  
Abstract This module defines a Keystore to centralize management of security credentials. Copyright (c) 2020 IETF Trust and the persons ...
  
Contact
WG Web:   <http://datatracker.ietf.org/wg/netconf/>
WG List:  <mailto:netconf@ietf.org>
Author:   Kent Watsen <mailto:kent+ietf@watsen.net>

Description

 
This module defines a Keystore to centralize management
of security credentials.

Copyright (c) 2020 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).

This version of this YANG module is part of RFC CCCC
(https://www.rfc-editor.org/info/rfcCCCC); see the RFC
itself for full legal notices.

The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.

Typedefs

Typedef Base type Abstract
asymmetric-key-ref leafref This typedef enables modules to easily define a reference to an asymmetric key stored in the Keystore.
symmetric-key-ref leafref This typedef enables modules to easily define a reference to a symmetric key stored in the Keystore.

Groupings

Grouping Objects Abstract
asymmetric-key-certificate-ref-grouping asymmetric-key certificate This grouping defines a reference to a specific certificate associated with an asymmetric key stored in the Keystore.
encrypted-by-choice-grouping encrypted-by-choice A grouping that defines a choice that can be augmented into the 'encrypted-by' node presented by the 'symmetric-key-grouping' and 'asymmetric-key-pair-grouping' groupings defined in RFC AAAA.
keystore-grouping asymmetric-keys symmetric-keys Grouping definition enables use in other contexts. If ever done, implementations SHOULD augment new 'case' statements into local-or-keystore 'choice' statements to supply leafrefs to the new location.
local-or-keystore-asymmetric-key-grouping local-or-keystore A grouping that expands to allow the asymmetric key to be either stored locally, i.e., within the using data model, or a reference to an asymmetric key stored in the Keystore.
local-or-keystore-asymmetric-key-with-certs-grouping local-or-keystore A grouping that expands to allow an asymmetric key and its associated certificates to be either stored locally, i.e., within the using data model, or a reference to an asymmetric key (and its associated certificates) stored in the Keystore.
local-or-keystore-end-entity-cert-with-key-grouping local-or-keystore A grouping that expands to allow an end-entity certificate (and its associated asymmetric key pair) to be either stored locally, i.e., within the using data model, or a reference to a specific certificate in the Keystore.
local-or-keystore-symmetric-key-grouping local-or-keystore A grouping that expands to allow the symmetric key to be either stored locally, i.e., within the using data model, or a reference to a symmetric key stored in the Keystore.

Objects

Type Key
Mandatory config
Optional config
Not config
Object Type Abstract
keystore container The Keystore contains a list of symmetric keys and a list of asymmetric keys.
   asymmetric-keys container A list of asymmetric keys.
      asymmetric-key list An asymmetric key.
         certificates container Certificates associated with this asymmetric key. More than one certificate supports, for instance, a TPM-protected asymmetric key that has both IDevID and LDevID certificates associated.
            certificate list A certificate for this asymmetric key.
               cert-data leaf The binary certificate data for this certificate.
               name leaf An arbitrary name for the certificate. If the name matches the name of a certificate that exists independently in <operational> (i.e., an IDevID), then the 'cert' node MUST NOT be configured.
         name leaf An arbitrary name for the asymmetric key.
         private-key-format leaf Identifies the private key's format. Implementations SHOULD ensure that the incoming private key value is encoded in the specified format.
         private-key-type choice Choice between key types.
            cleartext-private-key case cleartext-private-key
               cleartext-private-key leaf The value of the binary key The key's value is interpreted by the 'private-key-format' field.
            encrypted-private-key case encrypted-private-key
               encrypted-private-key container A container for the encrypted asymmetric private key value. The interpretation of the 'encrypted-value' node is via the 'private-key-format' node
                  encrypted-by container An empty container enabling references to other keys that encrypt these keys to be augmented in. The referenced key MAY be a symmetric or an asymmetric key.
                     encrypted-by-choice choice A choice amongst other symmetric or asymmetric keys.
                        asymmetric-key-ref case asymmetric-key-ref
                           asymmetric-key-ref leaf Identifies the asymmetric key whose public key encrypted the associated key.
                        symmetric-key-ref case symmetric-key-ref
                           symmetric-key-ref leaf Identifies the symmetric key used to encrypt the associated key.
                  encrypted-value leaf The value, encrypted using the referenced symmetric or asymmetric key.
            hidden-private-key case hidden-private-key
               hidden-private-key leaf A hidden key. How such keys are created is outside the scope of this module.
         public-key leaf The binary value of the public key. The interpretation of the value is defined by 'public-key-format' field.
         public-key-format leaf Identifies the public key's format. Implementations SHOULD ensure that the incoming public key value is encoded in the specified format.
   symmetric-keys container A list of symmetric keys.
      symmetric-key list A symmetric key.
         key-format leaf Identifies the symmetric key's format. Implementations SHOULD ensure that the incoming symmetric key value is encoded in the specified format.
         key-type choice Choice between key types.
            cleartext-key case cleartext-key
               cleartext-key leaf The binary value of the key. The interpretation of the value is defined by the 'key-format' field.
            encrypted-key case encrypted-key
               encrypted-key container A container for the encrypted symmetric key value. The interpretation of the 'encrypted-value' node is via the 'key-format' node
                  encrypted-by container An empty container enabling references to other keys that encrypt these keys to be augmented in. The referenced key MAY be a symmetric or an asymmetric key.
                     encrypted-by-choice choice A choice amongst other symmetric or asymmetric keys.
                        asymmetric-key-ref case asymmetric-key-ref
                           asymmetric-key-ref leaf Identifies the asymmetric key whose public key encrypted the associated key.
                        symmetric-key-ref case symmetric-key-ref
                           symmetric-key-ref leaf Identifies the symmetric key used to encrypt the associated key.
                  encrypted-value leaf The value, encrypted using the referenced symmetric or asymmetric key.
            hidden-key case hidden-key
               hidden-key leaf A hidden key. How such keys are created is outside the scope of this module.
         name leaf An arbitrary name for the symmetric key.

Notifications

Notification Abstract
certificate-expiration A notification indicating that the configured certificate is either about to expire or has already expired. When to send notifications is an implementation specific decision, but it is RECOMMENDED that a notification be sent once a month for 3 months, th...