This module defines a 'keystore' to centralize management of security credentials. The key words 'MUST', 'MUST NOT', 'REQUIRED'...
Version: 2024-10-10
module ietf-keystore { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-keystore"; prefix ks; import ietf-netconf-acm { prefix nacm; reference "RFC 8341: Network Configuration Access Control Model"; } import ietf-crypto-types { prefix ct; reference "RFC 9640: YANG Data Types and Groupings for Cryptography"; } organization "IETF NETCONF (Network Configuration) Working Group"; contact "WG Web: https://datatracker.ietf.org/wg/netconf WG List: NETCONF WG list <mailto:netconf@ietf.org> Author: Kent Watsen <mailto:kent+ietf@watsen.net>"; description "This module defines a 'keystore' to centralize management of security credentials. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here. Copyright (c) 2024 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC 9642 (https://www.rfc-editor.org/info/rfc9642); see the RFC itself for full legal notices."; revision "2024-10-10" { description "Initial version"; reference "RFC 9642: A YANG Data Model for a Keystore"; } feature central-keystore-supported { description "The 'central-keystore-supported' feature indicates that the server supports the central keystore (i.e., fully implements the 'ietf-keystore' module)."; } feature inline-definitions-supported { description "The 'inline-definitions-supported' feature indicates that the server supports locally defined keys."; } feature asymmetric-keys { description "The 'asymmetric-keys' feature indicates that the server implements the /keystore/asymmetric-keys subtree."; } feature symmetric-keys { description "The 'symmetric-keys' feature indicates that the server implements the /keystore/symmetric-keys subtree."; } typedef central-symmetric-key-ref { type leafref { path "/ks:keystore/ks:symmetric-keys/ks:symmetric-key/ks:name"; } description "This typedef enables modules to easily define a reference to a symmetric key stored in the central keystore."; } typedef central-asymmetric-key-ref { type leafref { path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key/ks:name"; } description "This typedef enables modules to easily define a reference to an asymmetric key stored in the central keystore."; } container keystore { nacm:default-deny-write; if-feature central-keystore-supported; description "A central keystore containing a list of symmetric keys and a list of asymmetric keys."; container asymmetric-keys { nacm:default-deny-write; if-feature asymmetric-keys; description "A list of asymmetric keys."; list asymmetric-key { key "name"; description "An asymmetric key."; leaf name { type string; description "An arbitrary name for the asymmetric key."; } leaf public-key-format { nacm:default-deny-write; type identityref { base public-key-format; } mandatory true; description "Identifies the public key's format. Implementations SHOULD ensure that the incoming public key value is encoded in the specified format."; } leaf public-key { nacm:default-deny-write; type binary; mandatory true; description "The binary value of the public key. The interpretation of the value is defined by the 'public-key-format' field."; } leaf private-key-format { nacm:default-deny-write; type identityref { base private-key-format; } description "Identifies the private key's format. Implementations SHOULD ensure that the incoming private key value is encoded in the specified format. For encrypted keys, the value is the decrypted key's format (i.e., the 'encrypted-value-format' conveys the encrypted key's format)."; } choice private-key-type { nacm:default-deny-write; mandatory true; description "Choice between key types."; case cleartext-private-key { if-feature cleartext-private-keys; leaf cleartext-private-key { nacm:default-deny-all; type binary; must "../private-key-format"; description "The value of the binary key. The key's value is interpreted by the 'private-key-format' field."; } } // case cleartext-private-key case hidden-private-key { if-feature hidden-private-keys; leaf hidden-private-key { type empty; must "not(../private-key-format)"; description "A hidden key. It is of type 'empty' as its value is inaccessible via management interfaces. Though hidden to users, such keys are not hidden to the server and may be referenced by configuration to indicate which key a server should use for a cryptographic operation. How such keys are created is outside the scope of this module."; } } // case hidden-private-key case encrypted-private-key { if-feature encrypted-private-keys; container encrypted-private-key { must "../private-key-format"; description "A container for the encrypted asymmetric private key value. The interpretation of the 'encrypted-value' node is via the 'private-key-format' node"; container encrypted-by { nacm:default-deny-write; description "An empty container enabling a reference to the key that encrypted the value to be augmented in. The referenced key MUST be a symmetric key or an asymmetric key. A symmetric key MUST be referenced via a leaf node called 'symmetric-key-ref'. An asymmetric key MUST be referenced via a leaf node called 'asymmetric-key-ref'. The leaf nodes MUST be direct descendants in the data tree and MAY be direct descendants in the schema tree (e.g., 'choice'/'case' statements are allowed but not a container)."; choice encrypted-by { nacm:default-deny-write; mandatory true; description "A choice amongst other symmetric or asymmetric keys."; case central-symmetric-key-ref { if-feature central-keystore-supported; if-feature symmetric-keys; leaf symmetric-key-ref { type central-symmetric-key-ref; description "Identifies the symmetric key used to encrypt the associated key."; } } // case central-symmetric-key-ref case central-asymmetric-key-ref { if-feature central-keystore-supported; if-feature asymmetric-keys; leaf asymmetric-key-ref { type central-asymmetric-key-ref; description "Identifies the asymmetric key whose public key encrypted the associated key."; } } // case central-asymmetric-key-ref } // choice encrypted-by } // container encrypted-by leaf encrypted-value-format { type identityref { base encrypted-value-format; } mandatory true; description "Identifies the format of the 'encrypted-value' leaf. If 'encrypted-by' points to a symmetric key, then an identity based on 'symmetrically-encrypted-value-format' MUST be set (e.g., 'cms-encrypted-data-format'). If 'encrypted-by' points to an asymmetric key, then an identity based on 'asymmetrically-encrypted-value-format' MUST be set (e.g., 'cms-enveloped-data-format')."; } leaf encrypted-value { nacm:default-deny-write; type binary; must "../encrypted-by"; mandatory true; description "The value, encrypted using the referenced symmetric or asymmetric key. The value MUST be encoded using the format associated with the 'encrypted-value-format' leaf."; } } // container encrypted-private-key } // case encrypted-private-key } // choice private-key-type container certificates { nacm:default-deny-write; description "Certificates associated with this asymmetric key."; list certificate { key "name"; description "A certificate for this asymmetric key."; leaf name { type string; description "An arbitrary name for the certificate."; } leaf cert-data { nacm:default-deny-all; type end-entity-cert-cms; description "The binary certificate data for this certificate."; } notification certificate-expiration { if-feature certificate-expiration-notification; description "A notification indicating that the configured certificate is either about to expire or has already expired. When to send notifications is an implementation-specific decision, but it is RECOMMENDED that a notification be sent once a month for 3 months, then once a week for four weeks, and then once a day thereafter until the issue is resolved. If the certificate's issuer maintains a Certificate Revocation List (CRL), the expiration notification MAY be sent if the CRL is about to expire."; leaf expiration-date { type yang:date-and-time; mandatory true; description "Identifies the expiration date on the certificate."; } } // notification certificate-expiration } // list certificate } // container certificates action generate-csr { nacm:default-deny-all; if-feature csr-generation; description "Generates a certificate signing request structure for the associated asymmetric key using the passed subject and attribute values. This 'action' statement is only available when the associated 'public-key-format' node's value is 'subject-public-key-info-format'."; input { leaf csr-format { type identityref { base csr-format; } mandatory true; description "Specifies the format for the returned certificate."; } leaf csr-info { type csr-info; mandatory true; description "A CertificationRequestInfo structure, as defined in RFC 2986. Enables the client to provide a fully populated CertificationRequestInfo structure that the server only needs to sign in order to generate the complete CertificationRequest structure to return in the 'output'. The 'AlgorithmIdentifier' field contained inside the 'SubjectPublicKeyInfo' field MUST be one known to be supported by the device."; reference "RFC 2986: PKCS #10: Certification Request Syntax Specification RFC 9640: YANG Data Types and Groupings for Cryptography"; } } output { choice csr-type { mandatory true; description "A choice amongst certificate signing request formats. Additional formats MAY be augmented into this 'choice' statement by future efforts."; case p10-csr { description "A CertificationRequest, as defined in RFC 2986."; reference "RFC 2986: PKCS #10: Certification Request Syntax Specification RFC 9640: YANG Data Types and Groupings for Cryptography"; leaf p10-csr { type p10-csr; description "A CertificationRequest, as defined in RFC 2986."; } } // case p10-csr } // choice csr-type } } // rpc generate-csr } // list asymmetric-key } // container asymmetric-keys container symmetric-keys { nacm:default-deny-write; if-feature symmetric-keys; description "A list of symmetric keys."; list symmetric-key { key "name"; description "A symmetric key."; leaf name { type string; description "An arbitrary name for the symmetric key."; } leaf key-format { nacm:default-deny-write; type identityref { base symmetric-key-format; } description "Identifies the symmetric key's format. Implementations SHOULD ensure that the incoming symmetric key value is encoded in the specified format. For encrypted keys, the value is the decrypted key's format (i.e., the 'encrypted-value-format' conveys the encrypted key's format)."; } choice key-type { nacm:default-deny-write; mandatory true; description "Choice between key types."; leaf cleartext-symmetric-key { nacm:default-deny-all; if-feature cleartext-symmetric-keys; type binary; must "../key-format"; description "The binary value of the key. The interpretation of the value is defined by the 'key-format' field."; } case hidden-symmetric-key { if-feature hidden-symmetric-keys; leaf hidden-symmetric-key { type empty; must "not(../key-format)"; description "A hidden key is not exportable and not extractable; therefore, it is of type 'empty' as its value is inaccessible via management interfaces. Though hidden to users, such keys are not hidden to the server and may be referenced by configuration to indicate which key a server should use for a cryptographic operation. How such keys are created is outside the scope of this module."; } } // case hidden-symmetric-key case encrypted-symmetric-key { if-feature encrypted-symmetric-keys; container encrypted-symmetric-key { must "../key-format"; description "A container for the encrypted symmetric key value. The interpretation of the 'encrypted-value' node is via the 'key-format' node"; container encrypted-by { nacm:default-deny-write; description "An empty container enabling a reference to the key that encrypted the value to be augmented in. The referenced key MUST be a symmetric key or an asymmetric key. A symmetric key MUST be referenced via a leaf node called 'symmetric-key-ref'. An asymmetric key MUST be referenced via a leaf node called 'asymmetric-key-ref'. The leaf nodes MUST be direct descendants in the data tree and MAY be direct descendants in the schema tree (e.g., 'choice'/'case' statements are allowed but not a container)."; choice encrypted-by { nacm:default-deny-write; mandatory true; description "A choice amongst other symmetric or asymmetric keys."; case central-symmetric-key-ref { if-feature central-keystore-supported; if-feature symmetric-keys; leaf symmetric-key-ref { type central-symmetric-key-ref; description "Identifies the symmetric key used to encrypt the associated key."; } } // case central-symmetric-key-ref case central-asymmetric-key-ref { if-feature central-keystore-supported; if-feature asymmetric-keys; leaf asymmetric-key-ref { type central-asymmetric-key-ref; description "Identifies the asymmetric key whose public key encrypted the associated key."; } } // case central-asymmetric-key-ref } // choice encrypted-by } // container encrypted-by leaf encrypted-value-format { type identityref { base encrypted-value-format; } mandatory true; description "Identifies the format of the 'encrypted-value' leaf. If 'encrypted-by' points to a symmetric key, then an identity based on 'symmetrically-encrypted-value-format' MUST be set (e.g., 'cms-encrypted-data-format'). If 'encrypted-by' points to an asymmetric key, then an identity based on 'asymmetrically-encrypted-value-format' MUST be set (e.g., 'cms-enveloped-data-format')."; } leaf encrypted-value { nacm:default-deny-write; type binary; must "../encrypted-by"; mandatory true; description "The value, encrypted using the referenced symmetric or asymmetric key. The value MUST be encoded using the format associated with the 'encrypted-value-format' leaf."; } } // container encrypted-symmetric-key } // case encrypted-symmetric-key } // choice key-type } // list symmetric-key } // container symmetric-keys } // container keystore } // module ietf-keystore
© 2024 YumaWorks, Inc. All rights reserved.