This module augments the 'get-bootstrapping-data' RPC, defined in the 'ietf-sztp-bootstrap-server' module from SZTP (RFC 8572), ...
Version: 2024-10-10
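module ietf-sztp-csr {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-sztp-csr";
  prefix sztp-csr;

  // NOTE(review): this import is consumed by the module's augment of
  // the 'get-bootstrapping-data' RPC (the 'csr-support' container the
  // descriptions below refer to).  That augment is not part of this
  // listing; only the 'csr-request' structure is shown here.
  import ietf-sztp-bootstrap-server {
    prefix sztp-svr;
    reference
      "RFC 8572: Secure Zero Touch Provisioning (SZTP)";
  }
  import ietf-yang-structure-ext {
    prefix sx;
    reference
      "RFC 8791: YANG Data Structure Extensions";
  }
  // Added: the 'ct:' prefix is used by the 'cert-req-info' leaf below
  // ('type ct:csr-info') but no import declared it, so the module as
  // listed could not be compiled.  RFC 9640 defines 'csr-info'.
  import ietf-crypto-types {
    prefix ct;
    reference
      "RFC 9640: YANG Data Types and Groupings for Cryptography";
  }
  import ietf-ztp-types {
    prefix zt;
    reference
      "RFC 9646: Conveying a Certificate Signing Request (CSR) in a
       Secure Zero-Touch Provisioning (SZTP) Bootstrapping Request";
  }

  organization
    "IETF NETCONF (Network Configuration) Working Group";

  contact
    "WG Web:   https://datatracker.ietf.org/wg/netconf
     WG List:  NETCONF WG list <mailto:netconf@ietf.org>
     Authors:  Kent Watsen <mailto:kent+ietf@watsen.net>
               Russ Housley <mailto:housley@vigilsec.com>
               Sean Turner <mailto:sean@sn3rd.com>";

  description
    "This module augments the 'get-bootstrapping-data' RPC,
     defined in the 'ietf-sztp-bootstrap-server' module from
     SZTP (RFC 8572), enabling the SZTP-client to obtain a signed
     identity certificate (e.g., an LDevID from IEEE 802.1AR)
     as part of the SZTP onboarding information response.

     The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
     'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
     'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
     are to be interpreted as described in BCP 14 (RFC 2119)
     (RFC 8174) when, and only when, they appear in all
     capitals, as shown here.

     Copyright (c) 2024 IETF Trust and the persons identified
     as authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with
     or without modification, is permitted pursuant to, and
     subject to the license terms contained in, the Revised
     BSD License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC 9646
     (https://www.rfc-editor.org/info/rfc9646); see the RFC
     itself for full legal notices.";

  revision "2024-10-10" {
    description
      "Initial version.";
    reference
      "RFC 9646: Conveying a Certificate Signing Request (CSR) in a
       Secure Zero-Touch Provisioning (SZTP) Bootstrapping Request";
  }

  // The original listing rendered this as a bare 'sx:structure
  // "csr-request";' statement followed by a top-level 'container
  // csr-request'.  Per RFC 8791 the data nodes are substatements of
  // 'sx:structure'; a top-level container would instead define a
  // configuration data node, which this structure is not (it is
  // conveyed to the client in an error response, not in a datastore).
  sx:structure csr-request {
    description
      "A YANG data structure, per RFC 8791, that specifies details
       for the CSR that the ZTP-client is to generate.";
    reference
      "RFC 8791: YANG Data Structure Extensions";

    container key-generation {
      presence
        "Provided by a ZTP-server to indicate that it wishes the
         ZTP-client to generate a new asymmetric key. This statement
         is present so the mandatory descendant nodes do not imply
         that this node must be configured.";
      // NOTE(review): 'leaf' in the following description refers to
      // this container.
      description
        "The key generation parameters selected by the ZTP-server.
         This leaf MUST only appear if the ZTP-client's 'csr-support'
         included the 'key-generation' node.";

      container selected-algorithm {
        description
          "The key algorithm selected by the ZTP-server. The
           algorithm MUST be one of the algorithms specified by the
           'supported-algorithms' node in the ZTP-client's message
           containing the 'csr-support' structure.";

        // NOTE(review): opaque DER chosen by the server.  The MUST
        // above is a constraint on the server; the client is the only
        // party positioned to enforce it, so it should decode this
        // value and confirm it names one of the algorithms it itself
        // advertised before generating a key, treating anything else
        // as a protocol error rather than honoring it.
        leaf algorithm-identifier {
          type binary;
          mandatory true;
          description
            "An AlgorithmIdentifier, as defined in RFC 2986, encoded
             using ASN.1 Distinguished Encoding Rules (DER), as
             specified in ITU-T X.690.";
          reference
            "RFC 2986: PKCS #10: Certification Request Syntax
                       Specification Version 1.7
             ITU-T X.690: Information technology - ASN.1 encoding
                       rules: Specification of Basic Encoding Rules
                       (BER), Canonical Encoding Rules (CER) and
                       Distinguished Encoding Rules (DER)";
        }
      } // container selected-algorithm
    } // container key-generation

    container csr-generation {
      description
        "Specifies details for the CSR that the ZTP-client is to
         generate.";

      container selected-format {
        description
          "The CSR format selected by the ZTP-server.

           The format MUST be one of the formats specified by the
           'supported-formats' node in the ZTP-client's request
           message.";

        leaf format-identifier {
          type identityref {
            base zt:certificate-request-format;
          }
          mandatory true;
          description
            "A certificate request format to be used by the
             ZTP-client.";
        }
      } // container selected-format
    } // container csr-generation

    // NOTE(review): when present, the client signs a
    // CertificationRequestInfo it did not construct.  The description
    // only mandates an algorithm-match check on 'SubjectPublicKeyInfo';
    // before signing, a client should also confirm that the key in
    // that field is its own (the newly generated key when
    // 'key-generation' is present, otherwise the key from its existing
    // identity certificate), since signing a structure carrying a
    // foreign key would produce a CSR the client cannot vouch for.
    // Reviewing the supplied subject and attributes before signing is
    // likewise prudent.  These checks are not mandated by the text
    // below - confirm against the RFC's security considerations.
    leaf cert-req-info {
      type ct:csr-info;
      description
        "A CertificationRequestInfo structure, as defined in
         RFC 2986, and modeled via a 'typedef' statement by
         RFC 9640.

         Enables the ZTP-server to provide a fully populated
         CertificationRequestInfo structure that the ZTP-client
         only needs to sign in order to generate the complete
         'CertificationRequest' structure to send to the
         ZTP-server in its next 'get-bootstrapping-data' request
         message.

         When provided, the ZTP-client MUST use this structure to
         generate its CSR; failure to do so will result in a
         400 Bad Request response containing another 'csr-request'
         structure.

         When not provided, the ZTP-client SHOULD generate a CSR
         using the same structure defined in its existing identity
         certificate (e.g., an IDevID from IEEE 802.1AR).

         If the 'AlgorithmIdentifier' field contained inside the
         certificate 'SubjectPublicKeyInfo' field does not match
         the algorithm identified by the 'selected-algorithm' node,
         then the client MUST reject the certificate and raise an
         error.";
      reference
        "RFC 2986: PKCS #10: Certification Request Syntax
                   Specification Version 1.7
         RFC 9640: YANG Data Types and Groupings for Cryptography";
    }
  } // sx:structure csr-request
} // module ietf-sztp-csr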