netconfcentral logo

ietf-keystore@2020-08-20



  module ietf-keystore {

    yang-version 1.1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-keystore";

    prefix ks;

    import ietf-netconf-acm {
      prefix nacm;
      reference
        "RFC 8341: Network Configuration Access Control Model";


    }
    import ietf-crypto-types {
      prefix ct;
      reference
        "RFC AAAA: YANG Data Types and Groupings for Cryptography";


    }

    organization
      "IETF NETCONF (Network Configuration) Working Group";

    contact
      "WG Web:   <http://datatracker.ietf.org/wg/netconf/>
     WG List:  <mailto:netconf@ietf.org>
     Author:   Kent Watsen <mailto:kent+ietf@watsen.net>";

    description
      "This module defines a Keystore to centralize management
     of security credentials.

     Copyright (c) 2020 IETF Trust and the persons identified
     as authors of the code. All rights reserved.
     Redistribution and use in source and binary forms, with
     or without modification, is permitted pursuant to, and
     subject to the license terms contained in, the Simplified
     BSD License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC CCCC
     (https://www.rfc-editor.org/info/rfcCCCC); see the RFC
     itself for full legal notices.

     The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
     'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
     'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
     are to be interpreted as described in BCP 14 (RFC 2119)
     (RFC 8174) when, and only when, they appear in all
     capitals, as shown here.";

    revision "2020-08-20" {
      description "Initial version";
      reference
        "RFC CCCC: A YANG Data Model for a Keystore";

    }


    feature keystore-supported {
      description
        "The 'keystore-supported' feature indicates that the server
       supports the Keystore.";
    }

    feature local-definitions-supported {
      description
        "The 'local-definitions-supported' feature indicates that the
       server supports locally-defined keys.";
    }

    typedef symmetric-key-ref {
      type leafref {
        path "/ks:keystore/ks:symmetric-keys/ks:symmetric-key/ks:name";
      }
      description
        "This typedef enables modules to easily define a reference
       to a symmetric key stored in the Keystore.";
    }

    typedef asymmetric-key-ref {
      type leafref {
        path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key/ks:name";
      }
      description
        "This typedef enables modules to easily define a reference
       to an asymmetric key stored in the Keystore.";
    }

    grouping encrypted-by-choice-grouping {
      description
        "A grouping that defines a choice that can be augmented
       into the 'encrypted-by' node presented by the
       'symmetric-key-grouping' and 'asymmetric-key-pair-grouping'
       groupings defined in RFC AAAA.";
      choice encrypted-by-choice {
        nacm:default-deny-write;
        mandatory true;
        description
          "A choice amongst other symmetric or asymmetric keys.";
        leaf symmetric-key-ref {
          type symmetric-key-ref;
          description
            "Identifies the symmetric key used to encrypt the
            associated key.";
        }
        leaf asymmetric-key-ref {
          type asymmetric-key-ref;
          description
            "Identifies the asymmetric key whose public key
            encrypted the associated key.";
        }
      }  // choice encrypted-by-choice
    }  // grouping encrypted-by-choice-grouping

    grouping asymmetric-key-certificate-ref-grouping {
      description
        "This grouping defines a reference to a specific certificate
       associated with an asymmetric key stored in the Keystore.";
      leaf asymmetric-key {
        nacm:default-deny-write;
        type asymmetric-key-ref;
        must '../certificate';
        description
          "A reference to an asymmetric key in the Keystore.";
      }

      leaf certificate {
        nacm:default-deny-write;
        type leafref {
          path
            "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key[ks:"
              + "name = current()/../asymmetric-key]/ks:certificates"
              + "/ks:certificate/ks:name";
        }
        must '../asymmetric-key';
        description
          "A reference to a specific certificate of the
         asymmetric key in the Keystore.";
      }
    }  // grouping asymmetric-key-certificate-ref-grouping

    grouping local-or-keystore-symmetric-key-grouping {
      description
        "A grouping that expands to allow the symmetric key to be
       either stored locally, i.e., within the using data model,
       or a reference to a symmetric key stored in the Keystore.";
      choice local-or-keystore {
        nacm:default-deny-write;
        mandatory true;
        description
          "A choice between an inlined definition and a definition
         that exists in the Keystore.";
        case local {
          if-feature local-definitions-supported;
          container local-definition {
            description
              "Container to hold the local key definition.";
            uses ct:symmetric-key-grouping;
          }  // container local-definition
        }  // case local

        case keystore {
          if-feature keystore-supported;
          leaf keystore-reference {
            type symmetric-key-ref;
            description
              "A reference to an symmetric key that exists in
             the Keystore.";
          }
        }  // case keystore
      }  // choice local-or-keystore
    }  // grouping local-or-keystore-symmetric-key-grouping

    grouping local-or-keystore-asymmetric-key-grouping {
      description
        "A grouping that expands to allow the asymmetric key to be
       either stored locally, i.e., within the using data model,
       or a reference to an asymmetric key stored in the Keystore.";
      choice local-or-keystore {
        nacm:default-deny-write;
        mandatory true;
        description
          "A choice between an inlined definition and a definition
         that exists in the Keystore.";
        case local {
          if-feature local-definitions-supported;
          container local-definition {
            description
              "Container to hold the local key definition.";
            uses ct:asymmetric-key-pair-grouping;
          }  // container local-definition
        }  // case local

        case keystore {
          if-feature keystore-supported;
          leaf keystore-reference {
            type asymmetric-key-ref;
            description
              "A reference to an asymmetric key that exists in
             the Keystore.  The intent is to reference just the
             asymmetric key without any regard for any certificates
             that may be associated with it.";
          }
        }  // case keystore
      }  // choice local-or-keystore
    }  // grouping local-or-keystore-asymmetric-key-grouping

    grouping local-or-keystore-asymmetric-key-with-certs-grouping {
      description
        "A grouping that expands to allow an asymmetric key and
       its associated certificates to be either stored locally,
       i.e., within the using data model, or a reference to an
       asymmetric key (and its associated certificates) stored
       in the Keystore.";
      choice local-or-keystore {
        nacm:default-deny-write;
        mandatory true;
        description
          "A choice between an inlined definition and a definition
         that exists in the Keystore.";
        case local {
          if-feature local-definitions-supported;
          container local-definition {
            description
              "Container to hold the local key definition.";
            uses ct:asymmetric-key-pair-with-certs-grouping;
          }  // container local-definition
        }  // case local

        case keystore {
          if-feature keystore-supported;
          leaf keystore-reference {
            type asymmetric-key-ref;
            description
              "A reference to an asymmetric-key (and all of its
             associated certificates) in the Keystore.";
          }
        }  // case keystore
      }  // choice local-or-keystore
    }  // grouping local-or-keystore-asymmetric-key-with-certs-grouping

    grouping local-or-keystore-end-entity-cert-with-key-grouping {
      description
        "A grouping that expands to allow an end-entity certificate
       (and its associated asymmetric key pair) to be either stored
       locally, i.e., within the using data model, or a reference
       to a specific certificate in the Keystore.";
      choice local-or-keystore {
        nacm:default-deny-write;
        mandatory true;
        description
          "A choice between an inlined definition and a definition
         that exists in the Keystore.";
        case local {
          if-feature local-definitions-supported;
          container local-definition {
            description
              "Container to hold the local key definition.";
            uses ct:asymmetric-key-pair-with-cert-grouping;
          }  // container local-definition
        }  // case local

        case keystore {
          if-feature keystore-supported;
          container keystore-reference {
            description
              "A reference to a specific certificate associated with
             an asymmetric key stored in the Keystore.";
            uses asymmetric-key-certificate-ref-grouping;
          }  // container keystore-reference
        }  // case keystore
      }  // choice local-or-keystore
    }  // grouping local-or-keystore-end-entity-cert-with-key-grouping

    grouping keystore-grouping {
      description
        "Grouping definition enables use in other contexts.  If ever
       done, implementations SHOULD augment new 'case' statements
       into local-or-keystore 'choice' statements to supply leafrefs
       to the new location.";
      container asymmetric-keys {
        nacm:default-deny-write;
        description
          "A list of asymmetric keys.";
        list asymmetric-key {
          key "name";
          description "An asymmetric key.";
          leaf name {
            type string;
            description
              "An arbitrary name for the asymmetric key.";
          }

          uses ct:asymmetric-key-pair-with-certs-grouping;
        }  // list asymmetric-key
      }  // container asymmetric-keys

      container symmetric-keys {
        nacm:default-deny-write;
        description
          "A list of symmetric keys.";
        list symmetric-key {
          key "name";
          description "A symmetric key.";
          leaf name {
            type string;
            description
              "An arbitrary name for the symmetric key.";
          }

          uses ct:symmetric-key-grouping;
        }  // list symmetric-key
      }  // container symmetric-keys
    }  // grouping keystore-grouping

    container keystore {
      nacm:default-deny-write;
      description
        "The Keystore contains a list of symmetric keys and a list
       of asymmetric keys.";
      uses keystore-grouping {
        augment symmetric-keys/symmetric-key/key-type/encrypted-key/encrypted-key/encrypted-by {
          description
            "Augments in a choice statement enabling the encrypting
           key to be any other symmetric or asymmetric key in the
           keystore.";
          uses encrypted-by-choice-grouping;
        }

        augment asymmetric-keys/asymmetric-key/private-key-type/encrypted-private-key/encrypted-private-key/encrypted-by {
          description
            "Augments in a choice statement enabling the encrypting
           key to be any other symmetric or asymmetric key in the
           keystore.";
          uses encrypted-by-choice-grouping;
        }
      }
    }  // container keystore
  }  // module ietf-keystore