This module defines common features and groupings for Transport Layer Security (TLS). The key words 'MUST', 'MUST NOT', 'REQUIR...
Version: 2024-10-10
module ietf-tls-common { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common"; prefix tlscmn; import iana-tls-cipher-suite-algs { prefix tlscsa; reference "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; } import ietf-crypto-types { prefix ct; reference "RFC 9640: YANG Data Types and Groupings for Cryptography"; } import ietf-keystore { prefix ks; reference "RFC 9642: A YANG Data Model for a Keystore"; } organization "IETF NETCONF (Network Configuration) Working Group"; contact "WG List: NETCONF WG list <mailto:netconf@ietf.org> WG Web: https://datatracker.ietf.org/wg/netconf Author: Kent Watsen <mailto:kent+ietf@watsen.net> Author: Jeff Hartley <mailto:intensifysecurity@gmail.com> Author: Gary Wu <mailto:garywu@cisco.com>"; description "This module defines common features and groupings for Transport Layer Security (TLS). The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here. Copyright (c) 2024 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC 9645 (https://www.rfc-editor.org/info/rfc9645); see the RFC itself for full legal notices."; revision "2024-10-10" { description "Initial version."; reference "RFC 9645: YANG Groupings for TLS Clients and TLS Servers"; } feature tls12 { description "TLS Protocol Version 1.2 is supported. TLS 1.2 is obsolete, and thus it is NOT RECOMMENDED to enable this feature."; reference "RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2"; } feature tls13 { description "TLS Protocol Version 1.3 is supported."; reference "RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3"; } feature hello-params { description "TLS hello message parameters are configurable."; } feature algorithm-discovery { description "Indicates that the server implements the 'supported-algorithms' container."; } feature asymmetric-key-pair-generation { description "Indicates that the server implements the 'generate-asymmetric-key-pair' RPC."; } identity tls-version-base { description "Base identity used to identify TLS protocol versions."; } identity tls12 { base tls-version-base; description "TLS Protocol Version 1.2."; reference "RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2"; } identity tls13 { base tls-version-base; description "TLS Protocol Version 1.3."; reference "RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3"; } typedef epsk-supported-hash { type enumeration { enum "sha-256" { value 0; description "The SHA-256 hash."; } enum "sha-384" { value 1; description "The SHA-384 hash."; } } description "As per Section 4.2.11 of RFC 8446, the hash algorithm supported by an instance of an External Pre-Shared Key (EPSK)."; reference "RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3"; } container supported-algorithms { if-feature algorithm-discovery; config false; description "A container for a list of cipher suite algorithms supported by the server."; leaf-list supported-algorithm { type tlscsa:tls-cipher-suite-algorithm; description "A cipher suite algorithm supported by the server."; } } // container supported-algorithms rpc generate-asymmetric-key-pair { if-feature asymmetric-key-pair-generation; description "Requests the device to generate an 'asymmetric-key-pair' key using the specified key algorithm."; input { leaf algorithm { type tlscsa:tls-cipher-suite-algorithm; mandatory true; description "The cipher suite algorithm that the generated key works with. Implementations derive the public key algorithm from the cipher suite algorithm. For example, cipher suite 'tls-rsa-with-aes-256-cbc-sha256' maps to the RSA public key."; } leaf num-bits { type uint16; description "Specifies the number of bits to create in the key. For RSA keys, the minimum size is 1024 bits, and the default is 3072 bits. Generally, 3072 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For elliptical keys, the 'num-bits' value determines the key length of the curve (e.g., 256, 384, or 521), where valid values supported by the server are conveyed via an unspecified mechanism. For some public algorithms, the keys have a fixed length, and thus the 'num-bits' value is not specified."; } container private-key-encoding { description "Indicates how the private key is to be encoded."; choice private-key-encoding { mandatory true; description "A choice amongst optional private key handling."; case cleartext { if-feature ct:cleartext-private-keys; leaf cleartext { type empty; description "Indicates that the private key is to be returned as a cleartext value."; } } // case cleartext case encrypted { if-feature ct:encrypted-private-keys; container encrypted { description "Indicates that the key is to be encrypted using the specified symmetric or asymmetric key."; choice encrypted-by { nacm:default-deny-write; mandatory true; description "A choice amongst other symmetric or asymmetric keys."; case central-symmetric-key-ref { if-feature central-keystore-supported; if-feature symmetric-keys; leaf symmetric-key-ref { type ks:central-symmetric-key-ref; description "Identifies the symmetric key used to encrypt the associated key."; } } // case central-symmetric-key-ref case central-asymmetric-key-ref { if-feature central-keystore-supported; if-feature asymmetric-keys; leaf asymmetric-key-ref { type ks:central-asymmetric-key-ref; description "Identifies the asymmetric key whose public key encrypted the associated key."; } } // case central-asymmetric-key-ref } // choice encrypted-by } // container encrypted } // case encrypted case hidden { if-feature ct:hidden-private-keys; leaf hidden { type empty; description "Indicates that the private key is to be hidden. Unlike the 'cleartext' and 'encrypt' options, the key returned is a placeholder for an internally stored key. See Section 3 of RFC 9642 ('Support for Built-In Keys') for information about hidden keys."; } } // case hidden } // choice private-key-encoding } // container private-key-encoding } output { choice key-or-hidden { description "The output can be either a key (for cleartext and encrypted keys) or the location to where the key was created (for hidden keys)."; case key { leaf public-key-format { nacm:default-deny-write; type identityref { base public-key-format; } mandatory true; description "Identifies the public key's format. Implementations SHOULD ensure that the incoming public key value is encoded in the specified format."; } leaf public-key { nacm:default-deny-write; type binary; mandatory true; description "The binary value of the public key. The interpretation of the value is defined by the 'public-key-format' field."; } leaf private-key-format { nacm:default-deny-write; type identityref { base private-key-format; } description "Identifies the private key's format. Implementations SHOULD ensure that the incoming private key value is encoded in the specified format. For encrypted keys, the value is the decrypted key's format (i.e., the 'encrypted-value-format' conveys the encrypted key's format)."; } choice private-key-type { nacm:default-deny-write; mandatory true; description "Choice between key types."; case cleartext-private-key { if-feature cleartext-private-keys; leaf cleartext-private-key { nacm:default-deny-all; type binary; must "../private-key-format"; description "The value of the binary key. The key's value is interpreted by the 'private-key-format' field."; } } // case cleartext-private-key case hidden-private-key { if-feature hidden-private-keys; leaf hidden-private-key { type empty; must "not(../private-key-format)"; description "A hidden key. It is of type 'empty' as its value is inaccessible via management interfaces. Though hidden to users, such keys are not hidden to the server and may be referenced by configuration to indicate which key a server should use for a cryptographic operation. How such keys are created is outside the scope of this module."; } } // case hidden-private-key case encrypted-private-key { if-feature encrypted-private-keys; container encrypted-private-key { must "../private-key-format"; description "A container for the encrypted asymmetric private key value. The interpretation of the 'encrypted-value' node is via the 'private-key-format' node"; container encrypted-by { nacm:default-deny-write; description "An empty container enabling a reference to the key that encrypted the value to be augmented in. The referenced key MUST be a symmetric key or an asymmetric key. A symmetric key MUST be referenced via a leaf node called 'symmetric-key-ref'. An asymmetric key MUST be referenced via a leaf node called 'asymmetric-key-ref'. The leaf nodes MUST be direct descendants in the data tree and MAY be direct descendants in the schema tree (e.g., 'choice'/'case' statements are allowed but not a container)."; } // container encrypted-by leaf encrypted-value-format { type identityref { base encrypted-value-format; } mandatory true; description "Identifies the format of the 'encrypted-value' leaf. If 'encrypted-by' points to a symmetric key, then an identity based on 'symmetrically-encrypted-value-format' MUST be set (e.g., 'cms-encrypted-data-format'). If 'encrypted-by' points to an asymmetric key, then an identity based on 'asymmetrically-encrypted-value-format' MUST be set (e.g., 'cms-enveloped-data-format')."; } leaf encrypted-value { nacm:default-deny-write; type binary; must "../encrypted-by"; mandatory true; description "The value, encrypted using the referenced symmetric or asymmetric key. The value MUST be encoded using the format associated with the 'encrypted-value-format' leaf."; } } // container encrypted-private-key } // case encrypted-private-key } // choice private-key-type } // case key leaf location { type instance-identifier; description "The location to where a hidden key was created."; } } // choice key-or-hidden } } // rpc generate-asymmetric-key-pair } // module ietf-tls-common
© 2024 YumaWorks, Inc. All rights reserved.