< draft-ietf-netconf-crypto-types-08.txt   draft-ietf-netconf-crypto-types-09.txt >
NETCONF Working Group K. Watsen NETCONF Working Group K. Watsen
Internet-Draft Watsen Networks Internet-Draft Watsen Networks
Intended status: Standards Track H. Wang Intended status: Standards Track H. Wang
Expires: December 19, 2019 Huawei Expires: December 22, 2019 Huawei
June 17, 2019 June 20, 2019
Common YANG Data Types for Cryptography Common YANG Data Types for Cryptography
draft-ietf-netconf-crypto-types-08 draft-ietf-netconf-crypto-types-09
Abstract Abstract
This document defines YANG identities, typedefs, the groupings useful This document defines YANG identities, typedefs, the groupings useful
for cryptographic applications. for cryptographic applications.
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
This draft contains many placeholder values that need to be replaced This draft contains many placeholder values that need to be replaced
with finalized values at the time of publication. This note with finalized values at the time of publication. This note
skipping to change at page 1, line 32 skipping to change at page 1, line 32
Editor instructions are specified elsewhere in this document. Editor instructions are specified elsewhere in this document.
Artwork in this document contains shorthand references to drafts in Artwork in this document contains shorthand references to drafts in
progress. Please apply the following replacements: progress. Please apply the following replacements:
o "XXXX" --> the assigned RFC value for this draft o "XXXX" --> the assigned RFC value for this draft
Artwork in this document contains placeholder values for the date of Artwork in this document contains placeholder values for the date of
publication of this draft. Please apply the following replacement: publication of this draft. Please apply the following replacement:
o "2019-06-17" --> the publication date of this draft o "2019-06-20" --> the publication date of this draft
The following Appendix section is to be removed prior to publication: The following Appendix section is to be removed prior to publication:
o Appendix B. Change Log o Appendix B. Change Log
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 19, 2019. This Internet-Draft will expire on December 22, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 6 skipping to change at page 3, line 6
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 53 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 53
B.1. I-D to 00 . . . . . . . . . . . . . . . . . . . . . . . . 53 B.1. I-D to 00 . . . . . . . . . . . . . . . . . . . . . . . . 53
B.2. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 53 B.2. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 53
B.3. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 53 B.3. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 53
B.4. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 54 B.4. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 54
B.5. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 54 B.5. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 54
B.6. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 55 B.6. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 55
B.7. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 55 B.7. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 55
B.8. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 55 B.8. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 55
B.9. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 56 B.9. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 56
B.10. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 56
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 56 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 56
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 56 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 56
1. Introduction 1. Introduction
This document defines a YANG 1.1 [RFC7950] module specifying This document defines a YANG 1.1 [RFC7950] module specifying
identities, typedefs, and groupings useful for cryptography. identities, typedefs, and groupings useful for cryptography.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
skipping to change at page 3, line 31 skipping to change at page 3, line 32
2.1. Tree Diagram 2.1. Tree Diagram
This section provides a tree diagram [RFC8340] for the "ietf-crypto- This section provides a tree diagram [RFC8340] for the "ietf-crypto-
types" module. Only the groupings as represented, as tree diagrams types" module. Only the groupings as represented, as tree diagrams
have no means to represent identities or typedefs. have no means to represent identities or typedefs.
module: ietf-crypto-types module: ietf-crypto-types
grouping symmetric-key-grouping: grouping symmetric-key-grouping:
+---- algorithm identityref +---- algorithm encryption-algorithm-t
+---- (key-type) +---- (key-type)
+--:(key) +--:(key)
| +---- key? binary | +---- key? binary
+--:(hidden-key) +--:(hidden-key)
+---- hidden-key? empty +---- hidden-key? empty
grouping public-key-grouping: grouping public-key-grouping:
+---- algorithm asymmetric-key-algorithm-ref +---- algorithm asymmetric-key-algorithm-t
+---- public-key binary +---- public-key binary
grouping asymmetric-key-pair-grouping: grouping asymmetric-key-pair-grouping:
+---- algorithm asymmetric-key-algorithm-ref +---- algorithm asymmetric-key-algorithm-t
+---- public-key binary +---- public-key binary
+---- (private-key-type) +---- (private-key-type)
+--:(private-key) +--:(private-key)
| +---- private-key? binary | +---- private-key? binary
+--:(hidden-private-key) +--:(hidden-private-key)
+---- hidden-private-key? empty +---- hidden-private-key? empty
grouping trust-anchor-cert-grouping: grouping trust-anchor-cert-grouping:
+---- cert? trust-anchor-cert-cms +---- cert? trust-anchor-cert-cms
+---n certificate-expiration +---n certificate-expiration
+--ro expiration-date ietf-yang-types:date-and-time +--ro expiration-date ietf-yang-types:date-and-time
skipping to change at page 4, line 19 skipping to change at page 4, line 19
grouping end-entity-cert-grouping: grouping end-entity-cert-grouping:
+---- cert? end-entity-cert-cms +---- cert? end-entity-cert-cms
+---n certificate-expiration +---n certificate-expiration
+--ro expiration-date ietf-yang-types:date-and-time +--ro expiration-date ietf-yang-types:date-and-time
grouping end-entity-certs-grouping: grouping end-entity-certs-grouping:
+---- cert* end-entity-cert-cms +---- cert* end-entity-cert-cms
+---n certificate-expiration +---n certificate-expiration
+--ro expiration-date ietf-yang-types:date-and-time +--ro expiration-date ietf-yang-types:date-and-time
grouping asymmetric-key-pair-with-cert-grouping: grouping asymmetric-key-pair-with-cert-grouping:
+---- algorithm +---- algorithm
| asymmetric-key-algorithm-ref | asymmetric-key-algorithm-t
+---- public-key binary +---- public-key binary
+---- (private-key-type) +---- (private-key-type)
| +--:(private-key) | +--:(private-key)
| | +---- private-key? binary | | +---- private-key? binary
| +--:(hidden-private-key) | +--:(hidden-private-key)
| +---- hidden-private-key? empty | +---- hidden-private-key? empty
+---- cert? end-entity-cert-cms +---- cert? end-entity-cert-cms
+---n certificate-expiration +---n certificate-expiration
+--ro expiration-date ietf-yang-types:date-and-time +--ro expiration-date ietf-yang-types:date-and-time
+---x generate-certificate-signing-request +---x generate-certificate-signing-request
+---- input +---- input
| +---w subject binary | +---w subject binary
| +---w attributes? binary | +---w attributes? binary
+---- output +---- output
+--ro certificate-signing-request binary +--ro certificate-signing-request binary
grouping asymmetric-key-pair-with-certs-grouping: grouping asymmetric-key-pair-with-certs-grouping:
+---- algorithm +---- algorithm
| asymmetric-key-algorithm-ref | asymmetric-key-algorithm-t
+---- public-key binary +---- public-key binary
+---- (private-key-type) +---- (private-key-type)
| +--:(private-key) | +--:(private-key)
| | +---- private-key? binary | | +---- private-key? binary
| +--:(hidden-private-key) | +--:(hidden-private-key)
| +---- hidden-private-key? empty | +---- hidden-private-key? empty
+---- certificates +---- certificates
| +---- certificate* [name] | +---- certificate* [name]
| +---- name string | +---- name string
| +---- cert? end-entity-cert-cms | +---- cert? end-entity-cert-cms
skipping to change at page 5, line 20 skipping to change at page 5, line 21
This module has normative references to [RFC2404], [RFC3565], This module has normative references to [RFC2404], [RFC3565],
[RFC3686], [RFC4106], [RFC4253], [RFC4279], [RFC4309], [RFC4494], [RFC3686], [RFC4106], [RFC4253], [RFC4279], [RFC4309], [RFC4494],
[RFC4543], [RFC4868], [RFC5280], [RFC5652], [RFC5656], [RFC6187], [RFC4543], [RFC4868], [RFC5280], [RFC5652], [RFC5656], [RFC6187],
[RFC6991], [RFC7919], [RFC8268], [RFC8332], [RFC8341], [RFC8422], [RFC6991], [RFC7919], [RFC8268], [RFC8332], [RFC8341], [RFC8422],
[RFC8446], and [ITU.X690.2015]. [RFC8446], and [ITU.X690.2015].
This module has an informational reference to [RFC2986], [RFC3174], This module has an informational reference to [RFC2986], [RFC3174],
[RFC4493], [RFC5915], [RFC6125], [RFC6234], [RFC6239], [RFC6507], [RFC4493], [RFC5915], [RFC6125], [RFC6234], [RFC6239], [RFC6507],
[RFC8017], [RFC8032], [RFC8439]. [RFC8017], [RFC8032], [RFC8439].
<CODE BEGINS> file "ietf-crypto-types@2019-06-17.yang" <CODE BEGINS> file "ietf-crypto-types@2019-06-20.yang"
module ietf-crypto-types {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";
prefix ct;
import ietf-yang-types {
prefix yang;
reference
"RFC 6991: Common YANG Data Types";
}
import ietf-netconf-acm {
prefix nacm;
reference
"RFC 8341: Network Configuration Access Control Model";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG Web: <http://datatracker.ietf.org/wg/netconf/>
WG List: <mailto:netconf@ietf.org>
Author: Kent Watsen <mailto:kent+ietf@watsen.net>
Author: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>";
description
"This module defines common YANG types for cryptographic
applications.
Copyright (c) 2019 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices.;
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
revision 2019-06-17 {
description
"Initial version";
reference
"RFC XXXX: Common YANG Data Types for Cryptography";
}
/**************************************/
/* Identities for Hash Algorithms */
/**************************************/
identity hash-algorithm {
description
"A base identity for hash algorithm verification.";
}
identity sha-224 {
base hash-algorithm;
description
"The SHA-224 algorithm.";
reference
"RFC 6234: US Secure Hash Algorithms.";
}
identity sha-256 {
base hash-algorithm;
description
"The SHA-256 algorithm.";
reference
"RFC 6234: US Secure Hash Algorithms.";
}
identity sha-384 {
base hash-algorithm;
description
"The SHA-384 algorithm.";
reference
"RFC 6234: US Secure Hash Algorithms.";
}
identity sha-512 {
base hash-algorithm;
description
"The SHA-512 algorithm.";
reference
"RFC 6234: US Secure Hash Algorithms.";
}
/***********************************************/
/* Identities for Asymmetric Key Algorithms */
/***********************************************/
identity asymmetric-key-algorithm {
description
"Base identity from which all asymmetric key
encryption Algorithm.";
}
identity rsa1024 {
base asymmetric-key-algorithm;
description
"The RSA algorithm using a 1024-bit key.";
reference
"RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2.";
}
identity rsa2048 {
base asymmetric-key-algorithm;
description
"The RSA algorithm using a 2048-bit key.";
reference
"RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2.";
}
identity rsa3072 {
base asymmetric-key-algorithm;
description
"The RSA algorithm using a 3072-bit key.";
reference
"RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2.";
}
identity rsa4096 {
base asymmetric-key-algorithm;
description
"The RSA algorithm using a 4096-bit key.";
reference
"RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2.";
}
identity rsa7680 {
base asymmetric-key-algorithm;
description
"The RSA algorithm using a 7680-bit key.";
reference
"RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2.";
}
identity rsa15360 {
base asymmetric-key-algorithm;
description
"The RSA algorithm using a 15360-bit key.";
reference
"RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2.";
}
identity secp192r1 {
base asymmetric-key-algorithm;
description
"The ECDSA algorithm using a NIST P192 Curve.";
reference
"RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms.
RFC 5480:
Elliptic Curve Cryptography Subject Public Key Information.";
}
identity secp224r1 {
base asymmetric-key-algorithm;
description
"The ECDSA algorithm using a NIST P224 Curve.";
reference
"RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms.
RFC 5480:
Elliptic Curve Cryptography Subject Public Key Information.";
}
identity secp256r1 {
base asymmetric-key-algorithm;
description
"The ECDSA algorithm using a NIST P256 Curve.";
reference
"RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms.
RFC 5480:
Elliptic Curve Cryptography Subject Public Key Information.";
}
identity secp384r1 {
base asymmetric-key-algorithm;
description
"The ECDSA algorithm using a NIST P384 Curve.";
reference
"RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms.
RFC 5480:
Elliptic Curve Cryptography Subject Public Key Information.";
}
identity secp521r1 {
base asymmetric-key-algorithm;
description
"The ECDSA algorithm using a NIST P521 Curve.";
reference
"RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms.
RFC 5480:
Elliptic Curve Cryptography Subject Public Key Information.";
}
/*************************************/
/* Identities for MAC Algorithms */
/*************************************/
identity mac-algorithm {
description
"A base identity for mac generation.";
}
identity hmac-sha1 {
base mac-algorithm;
description
"Generating MAC using SHA1 hash function";
reference
"RFC 3174: US Secure Hash Algorithm 1 (SHA1)";
}
identity hmac-sha1-96 {
base mac-algorithm;
description
"Generating MAC using SHA1 hash function";
reference
"RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH";
}
identity hmac-sha2-224 {
base mac-algorithm;
description
"Generating MAC using SHA2 hash function";
reference
"RFC 6234:
US Secure Hash Algorithms (SHA and SHA-based HMAC and
HKDF)";
}
identity hmac-sha2-256 {
base mac-algorithm;
description
"Generating MAC using SHA2 hash function";
reference
"RFC 6234:
US Secure Hash Algorithms (SHA and SHA-based HMAC and
HKDF)";
}
identity hmac-sha2-256-128 {
base mac-algorithm;
description
"Generating a 256 bits MAC using SHA2 hash function and
truncate it to 128 bits";
reference
"RFC 4868:
Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
with IPsec";
}
identity hmac-sha2-384 {
base mac-algorithm;
description
"Generating MAC using SHA2 hash function";
reference
"RFC 6234:
US Secure Hash Algorithms (SHA and SHA-based HMAC and
HKDF)";
}
identity hmac-sha2-384-192 {
base mac-algorithm;
description
"Generating a 384 bits MAC using SHA2 hash function and
truncate it to 192 bits";
reference
"RFC 4868:
Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with
IPsec";
}
identity hmac-sha2-512 {
base mac-algorithm;
description
"Generating MAC using SHA2 hash function";
reference
"RFC 6234:
US Secure Hash Algorithms (SHA and SHA-based HMAC and
HKDF)";
}
identity hmac-sha2-512-256 {
base mac-algorithm;
description
"Generating a 512 bits MAC using SHA2 hash function and
truncating it to 256 bits";
reference
"RFC 4868:
Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with
IPsec";
}
identity aes-128-gmac {
base mac-algorithm;
description
"Generating MAC using the Advanced Encryption Standard (AES)
Galois Message Authentication Code (GMAC) as a mechanism to
provide data origin authentication";
reference
"RFC 4543:
The Use of Galois Message Authentication Code (GMAC) in
IPsec ESP and AH";
}
identity aes-192-gmac {
base mac-algorithm;
description
"Generating MAC using the Advanced Encryption Standard (AES)
Galois Message Authentication Code (GMAC) as a mechanism to
provide data origin authentication";
reference
"RFC 4543:
The Use of Galois Message Authentication Code (GMAC) in
IPsec ESP and AH";
}
identity aes-256-gmac {
base mac-algorithm;
description
"Generating MAC using the Advanced Encryption Standard (AES)
Galois Message Authentication Code (GMAC) as a mechanism to
provide data origin authentication";
reference
"RFC 4543:
The Use of Galois Message Authentication Code (GMAC) in
IPsec ESP and AH";
}
identity aes-cmac-96 {
base mac-algorithm;
description
"Generating MAC using Advanced Encryption Standard (AES)
Cipher-based Message Authentication Code (CMAC)";
reference
"RFC 4494: The AES-CMAC-96 Algorithm and its Use with IPsec";
}
identity aes-cmac-128 {
base mac-algorithm;
description
"Generating MAC using Advanced Encryption Standard (AES)
Cipher-based Message Authentication Code (CMAC)";
reference
"RFC 4493: The AES-CMAC Algorithm";
}
/********************************************/
/* Identities for Encryption Algorithms */
/********************************************/
identity encryption-algorithm {
description
"A base identity for encryption algorithm.";
}
identity aes-128-cbc {
base encryption-algorithm;
description
"Encrypt message with AES algorithm in CBC mode with a key
length of 128 bits";
reference
"RFC 3565:
Use of the Advanced Encryption Standard (AES) Encryption
Algorithm in Cryptographic Message Syntax (CMS)";
}
identity aes-192-cbc {
base encryption-algorithm;
description
"Encrypt message with AES algorithm in CBC mode with a key
length of 192 bits";
reference
"RFC 3565:
Use of the Advanced Encryption Standard (AES) Encryption
Algorithm in Cryptographic Message Syntax (CMS)";
}
identity aes-256-cbc {
base encryption-algorithm;
description
"Encrypt message with AES algorithm in CBC mode with a key
length of 256 bits";
reference
"RFC 3565:
Use of the Advanced Encryption Standard (AES) Encryption
Algorithm in Cryptographic Message Syntax (CMS)";
}
identity aes-128-ctr {
base encryption-algorithm;
description
"Encrypt message with AES algorithm in CTR mode with a key
length of 128 bits";
reference
"RFC 3686:
Using Advanced Encryption Standard (AES) Counter Mode with
IPsec Encapsulating Security Payload (ESP)";
}
identity aes-192-ctr {
base encryption-algorithm;
description
"Encrypt message with AES algorithm in CTR mode with a key
length of 192 bits";
reference
"RFC 3686:
Using Advanced Encryption Standard (AES) Counter Mode with
IPsec Encapsulating Security Payload (ESP)";
}
identity aes-256-ctr {
base encryption-algorithm;
description
"Encrypt message with AES algorithm in CTR mode with a key
length of 256 bits";
reference
"RFC 3686:
Using Advanced Encryption Standard (AES) Counter Mode with
IPsec Encapsulating Security Payload (ESP)";
}
/****************************************************/
/* Identities for Encryption and MAC Algorithms */
/****************************************************/
identity encryption-and-mac-algorithm {
description
"A base identity for encryption and MAC algorithm.";
}
identity aes-128-ccm {
base encryption-and-mac-algorithm;
description
"Encrypt message with AES algorithm in CCM mode with a key
length of 128 bits; it can also be used for generating MAC";
reference
"RFC 4309:
Using Advanced Encryption Standard (AES) CCM Mode with
IPsec Encapsulating Security Payload (ESP)";
}
identity aes-192-ccm {
base encryption-and-mac-algorithm;
description
"Encrypt message with AES algorithm in CCM mode with a key
length of 192 bits; it can also be used for generating MAC";
reference
"RFC 4309:
Using Advanced Encryption Standard (AES) CCM Mode with
IPsec Encapsulating Security Payload (ESP)";
}
identity aes-256-ccm {
base encryption-and-mac-algorithm;
description
"Encrypt message with AES algorithm in CCM mode with a key
length of 256 bits; it can also be used for generating MAC";
reference
"RFC 4309:
Using Advanced Encryption Standard (AES) CCM Mode with
IPsec Encapsulating Security Payload (ESP)";
}
identity aes-128-gcm {
base encryption-and-mac-algorithm;
description
"Encrypt message with AES algorithm in GCM mode with a key
length of 128 bits; it can also be used for generating MAC";
reference
"RFC 4106:
The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
Security Payload (ESP)";
}
identity aes-192-gcm {
base encryption-and-mac-algorithm;
description
"Encrypt message with AES algorithm in GCM mode with a key
length of 192 bits; it can also be used for generating MAC";
reference
"RFC 4106:
The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
Security Payload (ESP)";
}
identity mac-aes-256-gcm {
base encryption-and-mac-algorithm;
description
"Encrypt message with AES algorithm in GCM mode with a key
length of 128 bits; it can also be used for generating MAC";
reference
"RFC 4106:
The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
Security Payload (ESP)";
}
identity chacha20-poly1305 {
base encryption-and-mac-algorithm;
description
"Encrypt message with chacha20 algorithm and generate MAC with
POLY1305; it can also be used for generating MAC";
reference
"RFC 8439: ChaCha20 and Poly1305 for IETF Protocols";
}
/******************************************/
/* Identities for signature algorithm */
/******************************************/
identity signature-algorithm {
description
"A base identity for asymmetric key encryption algorithm.";
}
identity dsa-sha1 {
base signature-algorithm;
description
"The signature algorithm using DSA algorithm with SHA1 hash
algorithm";
reference
"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
}
identity rsassa-pkcs1-sha1 {
base signature-algorithm;
description
"The signature algorithm using RSASSA-PKCS1-v1_5 with the SHA1
hash algorithm.";
reference
"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
}
identity rsassa-pkcs1-sha256 {
base signature-algorithm;
description
"The signature algorithm using RSASSA-PKCS1-v1_5 with the
SHA256 hash algorithm.";
reference
"RFC 8332:
Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell
(SSH) Protocol
RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity rsassa-pkcs1-sha384 {
base signature-algorithm;
description
"The signature algorithm using RSASSA-PKCS1-v1_5 with the
SHA384 hash algorithm.";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity rsassa-pkcs1-sha512 {
base signature-algorithm;
description
"The signature algorithm using RSASSA-PKCS1-v1_5 with the
SHA512 hash algorithm.";
reference
"RFC 8332:
Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell
(SSH) Protocol
RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity rsassa-pss-rsae-sha256 {
base signature-algorithm;
description
"The signature algorithm using RSASSA-PSS with mask generation
function 1 and SHA256 hash algorithm. If the public key is
carried in an X.509 certificate, it MUST use the rsaEncryption
OID";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity rsassa-pss-rsae-sha384 {
base signature-algorithm;
description
"The signature algorithm using RSASSA-PSS with mask generation
function 1 and SHA384 hash algorithm. If the public key is
carried in an X.509 certificate, it MUST use the rsaEncryption
OID";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity rsassa-pss-rsae-sha512 {
base signature-algorithm;
description
"The signature algorithm using RSASSA-PSS with mask generation
function 1 and SHA512 hash algorithm. If the public key is
carried in an X.509 certificate, it MUST use the rsaEncryption
OID";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity rsassa-pss-pss-sha256 {
base signature-algorithm;
description
"The signature algorithm using RSASSA-PSS with mask generation
function 1 and SHA256 hash algorithm. If the public key is
carried in an X.509 certificate, it MUST use the RSASSA-PSS
OID";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity rsassa-pss-pss-sha384 {
base signature-algorithm;
description
"The signature algorithm using RSASSA-PSS with mask generation
function 1 and SHA256 hash algorithm. If the public key is
carried in an X.509 certificate, it MUST use the RSASSA-PSS
OID";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity rsassa-pss-pss-sha512 {
base signature-algorithm;
description
"The signature algorithm using RSASSA-PSS with mask generation
function 1 and SHA256 hash algorithm. If the public key is
carried in an X.509 certificate, it MUST use the RSASSA-PSS
OID";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity ecdsa-secp256r1-sha256 {
base signature-algorithm;
description
"The signature algorithm using ECDSA with curve name secp256r1
and SHA256 hash algorithm.";
reference
"RFC 5656: Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer
RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity ecdsa-secp384r1-sha384 {
base signature-algorithm;
description
"The signature algorithm using ECDSA with curve name secp384r1
and SHA384 hash algorithm.";
reference
"RFC 5656: Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer
RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity ecdsa-secp521r1-sha512 {
base signature-algorithm;
description
"The signature algorithm using ECDSA with curve name secp521r1
and SHA512 hash algorithm.";
reference
"RFC 5656: Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer
RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity ed25519 {
base signature-algorithm;
description
"The signature algorithm using EdDSA as defined in RFC 8032 or
its successors.";
reference
"RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)";
}
identity ed448 {
base signature-algorithm;
description
"The signature algorithm using EdDSA as defined in RFC 8032 or
its successors.";
reference
"RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)";
}
identity eccsi {
base signature-algorithm;
description
"The signature algorithm using ECCSI signature as defined in
RFC 6507.";
reference
"RFC 6507:
Elliptic Curve-Based Certificateless Signatures for
Identity-based Encryption (ECCSI)";
}
/**********************************************/
/* Identities for key exchange algorithms */
/**********************************************/
identity key-exchange-algorithm {
description
"A base identity for Diffie-Hellman based key exchange
algorithm.";
}
identity psk-only {
base key-exchange-algorithm;
description
"Using Pre-shared key for authentication and key exchange";
reference
"RFC 4279:
Pre-Shared Key cipher suites for Transport Layer Security
(TLS)";
}
identity dhe-ffdhe2048 {
base key-exchange-algorithm;
description
"Ephemeral Diffie Hellman key exchange with 2048 bit
finite field";
reference
"RFC 7919:
Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
for Transport Layer Security (TLS)";
}
identity dhe-ffdhe3072 {
base key-exchange-algorithm;
description
"Ephemeral Diffie Hellman key exchange with 3072 bit finite
field";
reference
"RFC 7919:
Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
for Transport Layer Security (TLS)";
}
identity dhe-ffdhe4096 {
base key-exchange-algorithm;
description
"Ephemeral Diffie Hellman key exchange with 4096 bit
finite field";
reference
"RFC 7919:
Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
for Transport Layer Security (TLS)";
}
identity dhe-ffdhe6144 {
base key-exchange-algorithm;
description
"Ephemeral Diffie Hellman key exchange with 6144 bit
finite field";
reference
"RFC 7919:
Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
for Transport Layer Security (TLS)";
}
identity dhe-ffdhe8192 {
base key-exchange-algorithm;
description
"Ephemeral Diffie Hellman key exchange with 8192 bit
finite field";
reference
"RFC 7919:
Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
for Transport Layer Security (TLS)";
}
identity psk-dhe-ffdhe2048 {
base key-exchange-algorithm;
description
"Key exchange using pre-shared key with Diffie-Hellman key
generation mechanism, where the DH group is FFDHE2048";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity psk-dhe-ffdhe3072 {
base key-exchange-algorithm;
description
"Key exchange using pre-shared key with Diffie-Hellman key
generation mechanism, where the DH group is FFDHE3072";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity psk-dhe-ffdhe4096 {
base key-exchange-algorithm;
description
"Key exchange using pre-shared key with Diffie-Hellman key
generation mechanism, where the DH group is FFDHE4096";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity psk-dhe-ffdhe6144 {
base key-exchange-algorithm;
description
"Key exchange using pre-shared key with Diffie-Hellman key
generation mechanism, where the DH group is FFDHE6144";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity psk-dhe-ffdhe8192 {
base key-exchange-algorithm;
description
"Key exchange using pre-shared key with Diffie-Hellman key
generation mechanism, where the DH group is FFDHE8192";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity ecdhe-secp256r1 {
base key-exchange-algorithm;
description
"Ephemeral Diffie Hellman key exchange with elliptic group
over curve secp256r1";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and Earlier";
}
identity ecdhe-secp384r1 {
base key-exchange-algorithm;
description
"Ephemeral Diffie Hellman key exchange with elliptic group
over curve secp384r1";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and Earlier";
}
identity ecdhe-secp521r1 {
base key-exchange-algorithm;
description
"Ephemeral Diffie Hellman key exchange with elliptic group
over curve secp521r1";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and Earlier";
}
identity ecdhe-x25519 {
base key-exchange-algorithm;
description
"Ephemeral Diffie Hellman key exchange with elliptic group
over curve x25519";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for module ietf-crypto-types {
Transport Layer Security (TLS) Versions 1.2 and Earlier"; yang-version 1.1;
} namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";
prefix ct;
identity ecdhe-x448 { import ietf-yang-types {
base key-exchange-algorithm; prefix yang;
description reference
"Ephemeral Diffie Hellman key exchange with elliptic group "RFC 6991: Common YANG Data Types";
over curve x448"; }
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and Earlier";
}
identity psk-ecdhe-secp256r1 { import ietf-netconf-acm {
base key-exchange-algorithm; prefix nacm;
description reference
"Key exchange using pre-shared key with elliptic group-based "RFC 8341: Network Configuration Access Control Model";
Ephemeral Diffie Hellman key exchange over curve secp256r1"; }
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity psk-ecdhe-secp384r1 { organization
base key-exchange-algorithm; "IETF NETCONF (Network Configuration) Working Group";
description
"Key exchange using pre-shared key with elliptic group-based
Ephemeral Diffie Hellman key exchange over curve secp384r1";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity psk-ecdhe-secp521r1 { contact
base key-exchange-algorithm; "WG Web: <http://datatracker.ietf.org/wg/netconf/>
description WG List: <mailto:netconf@ietf.org>
"Key exchange using pre-shared key with elliptic group-based Author: Kent Watsen <mailto:kent+ietf@watsen.net>
Ephemeral Diffie Hellman key exchange over curve secp521r1"; Author: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity psk-ecdhe-x25519 { description
base key-exchange-algorithm; "This module defines common YANG types for cryptographic
description applications.
"Key exchange using pre-shared key with elliptic group-based
Ephemeral Diffie Hellman key exchange over curve x25519";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity psk-ecdhe-x448 { Copyright (c) 2019 IETF Trust and the persons identified
base key-exchange-algorithm; as authors of the code. All rights reserved.
description
"Key exchange using pre-shared key with elliptic group-based
Ephemeral Diffie Hellman key exchange over curve x448";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity diffie-hellman-group14-sha1 { Redistribution and use in source and binary forms, with
base key-exchange-algorithm; or without modification, is permitted pursuant to, and
description subject to the license terms contained in, the Simplified
"Using DH group14 and SHA1 for key exchange"; BSD License set forth in Section 4.c of the IETF Trust's
reference Legal Provisions Relating to IETF Documents
"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; (https://trustee.ietf.org/license-info).
}
identity diffie-hellman-group14-sha256 { This version of this YANG module is part of RFC XXXX
base key-exchange-algorithm; (https://www.rfc-editor.org/info/rfcXXXX); see the RFC
description itself for full legal notices.;
"Using DH group14 and SHA256 for key exchange";
reference
"RFC 8268:
More Modular Exponentiation (MODP) Diffie-Hellman (DH)
Key Exchange (KEX) Groups for Secure Shell (SSH)";
}
identity diffie-hellman-group15-sha512 { The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
base key-exchange-algorithm; 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
description 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
"Using DH group15 and SHA512 for key exchange"; are to be interpreted as described in BCP 14 (RFC 2119)
reference (RFC 8174) when, and only when, they appear in all
"RFC 8268: capitals, as shown here.";
More Modular Exponentiation (MODP) Diffie-Hellman (DH)
Key Exchange (KEX) Groups for Secure Shell (SSH)";
}
identity diffie-hellman-group16-sha512 { revision 2019-06-20 {
base key-exchange-algorithm; description
description "Initial version";
"Using DH group16 and SHA512 for key exchange"; reference
reference "RFC XXXX: Common YANG Data Types for Cryptography";
"RFC 8268: }
More Modular Exponentiation (MODP) Diffie-Hellman (DH)
Key Exchange (KEX) Groups for Secure Shell (SSH)";
}
identity diffie-hellman-group17-sha512 { /**************************************/
base key-exchange-algorithm; /* Identities for Hash Algorithms */
description /**************************************/
"Using DH group17 and SHA512 for key exchange";
reference
"RFC 8268:
More Modular Exponentiation (MODP) Diffie-Hellman (DH)
Key Exchange (KEX) Groups for Secure Shell (SSH)";
}
identity diffie-hellman-group18-sha512 { typedef hash-algorithm-t {
base key-exchange-algorithm; type union {
description type uint16;
"Using DH group18 and SHA512 for key exchange"; type enumeration {
reference enum NONE {
"RFC 8268: value 0;
More Modular Exponentiation (MODP) Diffie-Hellman (DH) description
Key Exchange (KEX) Groups for Secure Shell (SSH)"; "Hash algorithm is NULL.";
} }
enum sha1 {
value 1;
status obsolete;
description
"The SHA1 algorithm.";
reference
"RFC 3174: US Secure Hash Algorithms 1 (SHA1).";
identity ecdh-sha2-secp256r1 { }
base key-exchange-algorithm; enum sha-224 {
description value 2;
"Elliptic curve-based Diffie Hellman key exchange over curve description
secp256r1 and using SHA2 for MAC generation"; "The SHA-224 algorithm.";
reference reference
"RFC 6239: Suite B Cryptographic Suites for Secure Shell "RFC 6234: US Secure Hash Algorithms.";
(SSH)"; }
} enum sha-256 {
value 3;
description
"The SHA-256 algorithm.";
reference
"RFC 6234: US Secure Hash Algorithms.";
}
enum sha-384 {
value 4;
description
"The SHA-384 algorithm.";
reference
"RFC 6234: US Secure Hash Algorithms.";
}
enum sha-512 {
value 5;
description
"The SHA-512 algorithm.";
reference
"RFC 6234: US Secure Hash Algorithms.";
}
}
}
default "0";
description
"The uint16 filed shall be set by individual protocol families
according to the hash algorithm value assigned by IANA. The
setting is optional and by default is 0. The enumeration
filed is set to the selected hash algorithm.";
}
identity ecdh-sha2-secp384r1 { /***********************************************/
base key-exchange-algorithm; /* Identities for Asymmetric Key Algorithms */
description /***********************************************/
"Elliptic curve-based Diffie Hellman key exchange over curve
secp384r1 and using SHA2 for MAC generation";
reference
"RFC 6239: Suite B Cryptographic Suites for Secure Shell
(SSH)";
}
identity rsaes-oaep { typedef asymmetric-key-algorithm-t {
base key-exchange-algorithm; type union {
description type uint16;
"RSAES-OAEP combines the RSAEP and RSADP primitives with the type enumeration {
EME-OAEP encoding method"; enum NONE {
reference value 0;
"RFC 8017: description
PKCS #1: RSA Cryptography Specifications Version 2.2."; "Asymetric key algorithm is NULL.";
} }
enum rsa1024 {
value 1;
description
"The RSA algorithm using a 1024-bit key.";
reference
"RFC 8017: PKCS #1: RSA Cryptography
Specifications Version 2.2.";
}
enum rsa2048 {
value 2;
description
"The RSA algorithm using a 2048-bit key.";
reference
"RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2.";
}
enum rsa3072 {
value 3;
description
"The RSA algorithm using a 3072-bit key.";
reference
"RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2.";
}
enum rsa4096 {
value 4;
description
"The RSA algorithm using a 4096-bit key.";
reference
"RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2.";
}
enum rsa7680 {
value 5;
description
"The RSA algorithm using a 7680-bit key.";
reference
"RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2.";
}
enum rsa15360 {
value 6;
description
"The RSA algorithm using a 15360-bit key.";
identity rsaes-pkcs1-v1_5 { reference
base key-exchange-algorithm; "RFC 8017:
description PKCS #1: RSA Cryptography Specifications Version 2.2.";
" RSAES-PKCS1-v1_5 combines the RSAEP and RSADP primitives }
with the EME-PKCS1-v1_5 encoding method"; enum secp192r1 {
reference value 7;
"RFC 8017: description
PKCS #1: RSA Cryptography Specifications Version 2.2."; "The ECDSA algorithm using a NIST P192 Curve.";
} reference
"RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms.
RFC 5480:
Elliptic Curve Cryptography Subject Public Key
Information.";
}
enum secp224r1 {
value 8;
description
"The ECDSA algorithm using a NIST P224 Curve.";
reference
"RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms.
RFC 5480:
Elliptic Curve Cryptography Subject Public Key
Information.";
}
enum secp256r1 {
value 9;
description
"The ECDSA algorithm using a NIST P256 Curve.";
reference
"RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms.
RFC 5480:
Elliptic Curve Cryptography Subject Public Key
Information.";
}
enum secp384r1 {
value 10;
description
"The ECDSA algorithm using a NIST P384 Curve.";
reference
"RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms.
RFC 5480:
Elliptic Curve Cryptography Subject Public Key
Information.";
}
enum secp521r1 {
value 11;
description
"The ECDSA algorithm using a NIST P521 Curve.";
reference
"RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms.
RFC 5480:
Elliptic Curve Cryptography Subject Public Key
Information.";
}
}
}
default "0";
description
"The uint16 filed shall be set by individual protocol
families according to the asymmetric key algorithm value
assigned by IANA. The setting is optional and by default
is 0. The enumeration filed is set to the selected
asymmetric key algorithm.";
}
/**********************************************************/ /*************************************/
/* Typedefs for identityrefs to above base identities */ /* Identities for MAC Algorithms */
/**********************************************************/ /*************************************/
typedef hash-algorithm-ref { typedef mac-algorithm-t {
type identityref { type union {
base hash-algorithm; type uint16;
} type enumeration {
description enum NONE {
"This typedef enables importing modules to easily define an value 0;
identityref to the 'hash-algorithm' base identity."; description
} "mac algorithm is NULL.";
}
enum hmac-sha1 {
value 1;
description
"Generating MAC using SHA1 hash function";
reference
"RFC 3174: US Secure Hash Algorithm 1 (SHA1)";
}
enum hmac-sha1-96 {
value 2;
description
"Generating MAC using SHA1 hash function";
reference
"RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH";
typedef signature-algorithm-ref { }
type identityref { enum hmac-sha2-224 {
base signature-algorithm; value 3;
} description
description "Generating MAC using SHA2 hash function";
"This typedef enables importing modules to easily define an reference
identityref to the 'signature-algorithm' base identity."; "RFC 6234: US Secure Hash Algorithms
} (SHA and SHA-based HMAC and HKDF)";
}
enum hmac-sha2-256 {
value 4;
description
"Generating MAC using SHA2 hash function";
reference
"RFC 6234: US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)";
}
enum hmac-sha2-256-128 {
value 5;
description
"Generating a 256 bits MAC using SHA2 hash function and
truncate it to 128 bits";
reference
"RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384,
and HMAC-SHA-512 with IPsec";
}
enum hmac-sha2-384 {
value 6;
description
"Generating a 384 bits MAC using SHA2 hash function";
reference
"RFC 6234: US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)";
}
enum hmac-sha2-384-192 {
value 7;
description
"Generating a 384 bits MAC using SHA2 hash function and
truncate it to 192 bits";
reference
"RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384,
and HMAC-SHA-512 with IPsec";
}
enum hmac-sha2-512 {
value 8;
description
"Generating a 512 bits MAC using SHA2 hash function";
reference
"RFC 6234: US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)";
}
enum hmac-sha2-512-256 {
value 9;
description
"Generating a 512 bits MAC using SHA2 hash function and
truncate it to 256 bits";
reference
"RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384,
and HMAC-SHA-512 with IPsec";
}
enum aes-128-gmac {
value 10;
description
"Generating 128-bit MAC using the Advanced Encryption
Standard (AES) Galois Message Authentication Code
(GMAC) as a mechanism to provide data origin
authentication.";
reference
"RFC 4543:
The Use of Galois Message Authentication Code (GMAC)
in IPsec ESP and AH";
}
enum aes-192-gmac {
value 11;
description
"Generating 192-bit MAC using the Advanced Encryption
Standard (AES) Galois Message Authentication Code
(GMAC) as a mechanism to provide data origin
authentication.";
reference
"RFC 4543:
The Use of Galois Message Authentication Code (GMAC)
in IPsec ESP and AH";
}
enum aes-256-gmac {
value 12;
description
"Generating 256-bit MAC using the Advanced Encryption
Standard (AES) Galois Message Authentication Code
(GMAC) as a mechanism to provide data origin
authentication.";
reference
"RFC 4543:
The Use of Galois Message Authentication Code (GMAC)
in IPsec ESP and AH";
}
enum aes-cmac-96 {
value 13;
description
"Generating 96-bit MAC using Advanced Encryption
Standard (AES) Cipher-based Message Authentication
Code (CMAC)";
reference
"RFC 4494:
The AES-CMAC Algorithm and its Use with IPsec";
}
enum aes-cmac-128 {
value 14;
description
"Generating 128-bit MAC using Advanced Encryption
Standard (AES) Cipher-based Message Authentication
Code (CMAC)";
reference
"RFC 4494:
The AES-CMAC Algorithm and its Use with IPsec";
}
}
}
default "0";
description
"The uint16 filed shall be set by individual protocol
families according to the mac algorithm value assigned by
IANA. The setting is optional and by default is 0. The
enumeration filed is set to the selected mac algorithm.";
}
typedef mac-algorithm-ref { /********************************************/
type identityref { /* Identities for Encryption Algorithms */
base mac-algorithm; /********************************************/
}
description
"This typedef enables importing modules to easily define an
identityref to the 'mac-algorithm' base identity.";
} typedef encryption-algorithm-t {
type union {
type uint16;
type enumeration {
enum NONE {
value 0;
description
"Encryption algorithm is NULL.";
}
enum aes-128-cbc {
value 1;
description
"Encrypt message with AES algorithm in CBC mode with
a key length of 128 bits.";
typedef encryption-algorithm-ref { reference
type identityref { "RFC 3565: Use of the Advanced Encryption Standard (AES)
base encryption-algorithm; Encryption Algorithm in Cryptographic Message Syntax
} (CMS)";
description }
"This typedef enables importing modules to easily define an enum aes-192-cbc {
identityref to the 'encryption-algorithm' value 2;
base identity."; description
} "Encrypt message with AES algorithm in CBC mode with
a key length of 192 bits";
reference
"RFC 3565: Use of the Advanced Encryption Standard (AES)
Encryption Algorithm in Cryptographic Message Syntax
(CMS)";
}
enum aes-256-cbc {
value 3;
description
"Encrypt message with AES algorithm in CBC mode with
a key length of 256 bits";
reference
"RFC 3565: Use of the Advanced Encryption Standard (AES)
Encryption Algorithm in Cryptographic Message Syntax
(CMS)";
}
enum aes-128-ctr {
value 4;
description
"Encrypt message with AES algorithm in CTR mode with
a key length of 128 bits";
reference
"RFC 3686:
Using Advanced Encryption Standard (AES) Counter
Mode with IPsec Encapsulating Security Payload
(ESP)";
}
enum aes-192-ctr {
value 5;
description
"Encrypt message with AES algorithm in CTR mode with
a key length of 192 bits";
reference
"RFC 3686:
Using Advanced Encryption Standard (AES) Counter
Mode with IPsec Encapsulating Security Payload
(ESP)";
}
enum aes-256-ctr {
value 6;
description
"Encrypt message with AES algorithm in CTR mode with
a key length of 256 bits";
reference
"RFC 3686:
Using Advanced Encryption Standard (AES) Counter
Mode with IPsec Encapsulating Security Payload
(ESP)";
}
}
}
default "0";
description
"The uint16 filed shall be set by individual protocol
families according to the encryption algorithm value
assigned by IANA. The setting is optional and by default
is 0. The enumeration filed is set to the selected
encryption algorithm.";
}
typedef encryption-and-mac-algorithm-ref { /****************************************************/
type identityref { /* Identities for Encryption and MAC Algorithms */
base encryption-and-mac-algorithm; /****************************************************/
}
description
"This typedef enables importing modules to easily define an
identityref to the 'encryption-and-mac-algorithm'
base identity.";
}
typedef asymmetric-key-algorithm-ref { typedef encryption-and-mac-algorithm-t {
type identityref { type union {
base asymmetric-key-algorithm; type uint16;
} type enumeration {
description enum NONE {
"This typedef enables importing modules to easily define an value 0;
identityref to the 'asymmetric-key-algorithm' description
base identity."; "Encryption and MAC algorithm is NULL.";
} reference
"None";
}
enum aes-128-ccm {
value 1;
description
"Encrypt message with AES algorithm in CCM
mode with a key length of 128 bits; it can
also be used for generating MAC";
reference
"RFC 4309: Using Advanced Encryption Standard
(AES) CCM Mode with IPsec Encapsulating Security
Payload (ESP)";
}
enum aes-192-ccm {
value 2;
description
"Encrypt message with AES algorithm in CCM
mode with a key length of 192 bits; it can
also be used for generating MAC";
reference
"RFC 4309: Using Advanced Encryption Standard
(AES) CCM Mode with IPsec Encapsulating Security
Payload (ESP)";
}
enum aes-256-ccm {
value 3;
description
"Encrypt message with AES algorithm in CCM
mode with a key length of 256 bits; it can
also be used for generating MAC";
reference
"RFC 4309: Using Advanced Encryption Standard
(AES) CCM Mode with IPsec Encapsulating Security
Payload (ESP)";
}
enum aes-128-gcm {
value 4;
description
"Encrypt message with AES algorithm in GCM
mode with a key length of 128 bits; it can
also be used for generating MAC";
reference
"RFC 4106: The Use of Galois/Counter Mode (GCM)
in IPsec Encapsulating Security Payload (ESP)";
}
enum aes-192-gcm {
value 5;
description
"Encrypt message with AES algorithm in GCM
mode with a key length of 192 bits; it can
also be used for generating MAC";
reference
"RFC 4106: The Use of Galois/Counter Mode (GCM)
in IPsec Encapsulating Security Payload (ESP)";
}
enum aes-256-gcm {
value 6;
description
"Encrypt message with AES algorithm in GCM
mode with a key length of 256 bits; it can
also be used for generating MAC";
reference
"RFC 4106: The Use of Galois/Counter Mode (GCM)
in IPsec Encapsulating Security Payload (ESP)";
}
enum chacha20-poly1305 {
value 7;
description
"Encrypt message with chacha20 algorithm and generate
MAC with POLY1305; it can also be used for generating
MAC";
reference
"RFC 8439: ChaCha20 and Poly1305 for IETF Protocols";
}
}
}
default "0";
description
"The uint16 filed shall be set by individual protocol
families according to the encryption and mac algorithm value
assigned by IANA. The setting is optional and by default is
0. The enumeration filed is set to the selected encryption
and mac algorithm.";
}
typedef key-exchange-algorithm-ref { /******************************************/
type identityref { /* Identities for signature algorithm */
base key-exchange-algorithm; /******************************************/
}
description
"This typedef enables importing modules to easily define an
identityref to the 'key-exchange-algorithm' base identity.";
}
/***************************************************/ typedef signature-algorithm-t {
/* Typedefs for ASN.1 structures from RFC 5280 */ type union {
/***************************************************/ type uint16;
type enumeration {
enum NONE {
value 0;
description
"Signature algorithm is NULL";
}
enum dsa-sha1 {
value 1;
description
"The signature algorithm using DSA algorithm with SHA1
hash algorithm";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
enum rsassa-pkcs1-sha1 {
value 2;
description
"The signature algorithm using RSASSA-PKCS1-v1_5 with
the SHA1 hash algorithm.";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
enum rsassa-pkcs1-sha256 {
value 3;
description
"The signature algorithm using RSASSA-PKCS1-v1_5 with
the SHA256 hash algorithm.";
reference
"RFC 8332:
Use of RSA Keys with SHA-256 and SHA-512 in the
Secure Shell (SSH) Protocol
RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum rsassa-pkcs1-sha384 {
value 4;
description
"The signature algorithm using RSASSA-PKCS1-v1_5 with
the SHA384 hash algorithm.";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum rsassa-pkcs1-sha512 {
value 5;
description
"The signature algorithm using RSASSA-PKCS1-v1_5 with
the SHA512 hash algorithm.";
reference
"RFC 8332:
Use of RSA Keys with SHA-256 and SHA-512 in the
Secure Shell (SSH) Protocol
RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum rsassa-pss-rsae-sha256 {
value 6;
description
"The signature algorithm using RSASSA-PSS with mask
generation function 1 and SHA256 hash algorithm. If
the public key is carried in an X.509 certificate,
it MUST use the rsaEncryption OID";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum rsassa-pss-rsae-sha384 {
value 7;
description
"The signature algorithm using RSASSA-PSS with mask
generation function 1 and SHA384 hash algorithm. If
the public key is carried in an X.509 certificate,
it MUST use the rsaEncryption OID";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum rsassa-pss-rsae-sha512 {
value 8;
description
"The signature algorithm using RSASSA-PSS with mask
generation function 1 and SHA512 hash algorithm. If
the public key is carried in an X.509 certificate,
it MUST use the rsaEncryption OID";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum rsassa-pss-pss-sha256 {
value 9;
description
"The signature algorithm using RSASSA-PSS with mask
generation function 1 and SHA256 hash algorithm. If
the public key is carried in an X.509 certificate,
it MUST use the rsaEncryption OID";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum rsassa-pss-pss-sha384 {
value 10;
description
"The signature algorithm using RSASSA-PSS with mask
generation function 1 and SHA384 hash algorithm. If
the public key is carried in an X.509 certificate,
it MUST use the rsaEncryption OID";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum rsassa-pss-pss-sha512 {
value 11;
description
"The signature algorithm using RSASSA-PSS with mask
generation function 1 and SHA512 hash algorithm. If
the public key is carried in an X.509 certificate,
it MUST use the rsaEncryption OID";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum ecdsa-secp256r1-sha256 {
value 12;
description
"The signature algorithm using ECDSA with curve name
secp256r1 and SHA256 hash algorithm.";
reference
"RFC 5656:
Elliptic Curve Algorithm Integration in the Secure
Shell Transport Layer
RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum ecdsa-secp384r1-sha384 {
value 13;
description
"The signature algorithm using ECDSA with curve name
secp384r1 and SHA384 hash algorithm.";
reference
"RFC 5656:
Elliptic Curve Algorithm Integration in the Secure
Shell Transport Layer
RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum ecdsa-secp521r1-sha512 {
value 14;
description
"The signature algorithm using ECDSA with curve name
secp521r1 and SHA512 hash algorithm.";
reference
"RFC 5656:
Elliptic Curve Algorithm Integration in the Secure
Shell Transport Layer
RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum ed25519 {
value 15;
description
"The signature algorithm using EdDSA as defined in
RFC 8032 or its successors.";
reference
"RFC 8032:
Edwards-Curve Digital Signature Algorithm (EdDSA)";
}
enum ed448 {
value 16;
description
"The signature algorithm using EdDSA as defined in
RFC 8032 or its successors.";
reference
"RFC 8032:
Edwards-Curve Digital Signature Algorithm (EdDSA)";
}
enum eccsi {
value 17;
description
"The signature algorithm using ECCSI signature as
defined in RFC 6507.";
reference
"RFC 6507:
Elliptic Curve-Based Certificateless Signatures
for Identity-based Encryption (ECCSI)";
}
}
}
default "0";
description
"The uint16 filed shall be set by individual protocol
families according to the signature algorithm value
assigned by IANA. The setting is optional and by default
is 0. The enumeration filed is set to the selected
signature algorithm.";
}
/**********************************************/
/* Identities for key exchange algorithms */
/**********************************************/
typedef x509 { typedef key-exchange-algorithm-t {
type binary; type union {
description type uint16;
"A Certificate structure, as specified in RFC 5280, type enumeration {
encoded using ASN.1 distinguished encoding rules (DER), enum NONE {
as specified in ITU-T X.690."; value 0;
reference description
"RFC 5280: "Key exchange algorithm is NULL.";
Internet X.509 Public Key Infrastructure Certificate }
and Certificate Revocation List (CRL) Profile enum psk-only {
ITU-T X.690: value 1;
Information technology - ASN.1 encoding rules: description
Specification of Basic Encoding Rules (BER), "Using Pre-shared key for authentication and key
Canonical Encoding Rules (CER) and Distinguished exchange";
Encoding Rules (DER)."; reference
} "RFC 4279:
Pre-Shared Key cipher suites for Transport Layer
Security (TLS)";
}
enum dhe-ffdhe2048 {
value 2;
description
"Ephemeral Diffie Hellman key exchange with 2048 bit
finite field";
reference
"RFC 7919:
Negotiated Finite Field Diffie-Hellman Ephemeral
Parameters for Transport Layer Security (TLS)";
}
enum dhe-ffdhe3072 {
value 3;
description
"Ephemeral Diffie Hellman key exchange with 3072 bit
finite field";
reference
"RFC 7919:
Negotiated Finite Field Diffie-Hellman Ephemeral
Parameters for Transport Layer Security (TLS)";
}
enum dhe-ffdhe4096 {
value 4;
description
"Ephemeral Diffie Hellman key exchange with 4096 bit
finite field";
typedef crl { reference
type binary; "RFC 7919:
description Negotiated Finite Field Diffie-Hellman Ephemeral
"A CertificateList structure, as specified in RFC 5280, Parameters for Transport Layer Security (TLS)";
encoded using ASN.1 distinguished encoding rules (DER), }
as specified in ITU-T X.690."; enum dhe-ffdhe6144 {
reference value 5;
"RFC 5280: description
Internet X.509 Public Key Infrastructure Certificate "Ephemeral Diffie Hellman key exchange with 6144 bit
and Certificate Revocation List (CRL) Profile finite field";
ITU-T X.690: reference
Information technology - ASN.1 encoding rules: "RFC 7919:
Specification of Basic Encoding Rules (BER), Negotiated Finite Field Diffie-Hellman Ephemeral
Canonical Encoding Rules (CER) and Distinguished Parameters for Transport Layer Security (TLS)";
Encoding Rules (DER)."; }
} enum dhe-ffdhe8192 {
value 6;
description
"Ephemeral Diffie Hellman key exchange with 8192 bit
finite field";
reference
"RFC 7919:
Negotiated Finite Field Diffie-Hellman Ephemeral
Parameters for Transport Layer Security (TLS)";
}
enum psk-dhe-ffdhe2048 {
value 7;
description
"Key exchange using pre-shared key with Diffie-Hellman
key generation mechanism, where the DH group is
FFDHE2048";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum psk-dhe-ffdhe3072 {
value 8;
description
"Key exchange using pre-shared key with Diffie-Hellman
key generation mechanism, where the DH group is
FFDHE3072";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum psk-dhe-ffdhe4096 {
value 9;
description
"Key exchange using pre-shared key with Diffie-Hellman
key generation mechanism, where the DH group is
FFDHE4096";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum psk-dhe-ffdhe6144 {
value 10;
description
"Key exchange using pre-shared key with Diffie-Hellman
key generation mechanism, where the DH group is
FFDHE6144";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum psk-dhe-ffdhe8192 {
value 11;
description
"Key exchange using pre-shared key with Diffie-Hellman
key generation mechanism, where the DH group is
FFDHE8192";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum ecdhe-secp256r1 {
value 12;
description
"Ephemeral Diffie Hellman key exchange with elliptic
group over curve secp256r1";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS) Versions 1.2
and Earlier";
}
enum ecdhe-secp384r1 {
value 13;
description
"Ephemeral Diffie Hellman key exchange with elliptic
group over curve secp384r1";
/***********************************************/ reference
/* Typedefs for ASN.1 structures from 5652 */ "RFC 8422:
/***********************************************/ Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS) Versions 1.2
and Earlier";
}
enum ecdhe-secp521r1 {
value 14;
description
"Ephemeral Diffie Hellman key exchange with elliptic
group over curve secp521r1";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS) Versions 1.2
and Earlier";
}
enum ecdhe-x25519 {
value 15;
description
"Ephemeral Diffie Hellman key exchange with elliptic
group over curve x25519";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS) Versions 1.2
and Earlier";
}
enum ecdhe-x448 {
value 16;
description
"Ephemeral Diffie Hellman key exchange with elliptic
group over curve x448";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS) Versions 1.2
and Earlier";
}
enum psk-ecdhe-secp256r1 {
value 17;
description
"Key exchange using pre-shared key with elliptic
group-based Ephemeral Diffie Hellman key exchange
over curve secp256r1";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum psk-ecdhe-secp384r1 {
value 18;
description
"Key exchange using pre-shared key with elliptic
group-based Ephemeral Diffie Hellman key exchange
over curve secp384r1";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum psk-ecdhe-secp521r1 {
value 19;
description
"Key exchange using pre-shared key with elliptic
group-based Ephemeral Diffie Hellman key exchange
over curve secp521r1";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum psk-ecdhe-x25519 {
value 20;
description
"Key exchange using pre-shared key with elliptic
group-based Ephemeral Diffie Hellman key exchange
over curve x25519";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum psk-ecdhe-x448 {
value 21;
description
"Key exchange using pre-shared key with elliptic
group-based Ephemeral Diffie Hellman key exchange
over curve x448";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol
Version 1.3";
}
enum diffie-hellman-group14-sha1 {
value 22;
description
"Using DH group14 and SHA1 for key exchange";
reference
"RFC 4253:
The Secure Shell (SSH) Transport Layer Protocol";
}
enum diffie-hellman-group14-sha256 {
value 23;
description
"Using DH group14 and SHA-256 for key exchange";
reference
"RFC 8268:
More Modular Exponentiation (MODP) Diffie-Hellman (DH)
Key Exchange (KEX) Groups for Secure Shell (SSH)";
}
enum diffie-hellman-group15-sha512 {
value 24;
description
"Using DH group15 and SHA-512 for key exchange";
reference
"RFC 8268:
More Modular Exponentiation (MODP) Diffie-Hellman (DH)
Key Exchange (KEX) Groups for Secure Shell (SSH)";
}
enum diffie-hellman-group16-sha512 {
value 25;
description
"Using DH group16 and SHA-512 for key exchange";
reference
"RFC 8268:
More Modular Exponentiation (MODP) Diffie-Hellman (DH)
Key Exchange (KEX) Groups for Secure Shell (SSH)";
}
enum diffie-hellman-group17-sha512 {
value 26;
description
"Using DH group17 and SHA-512 for key exchange";
reference
"RFC 8268:
More Modular Exponentiation (MODP) Diffie-Hellman (DH)
Key Exchange (KEX) Groups for Secure Shell (SSH)";
}
enum diffie-hellman-group18-sha512 {
value 27;
description
"Using DH group18 and SHA-512 for key exchange";
reference
"RFC 8268:
typedef cms { More Modular Exponentiation (MODP) Diffie-Hellman (DH)
type binary; Key Exchange (KEX) Groups for Secure Shell (SSH)";
description }
"A ContentInfo structure, as specified in RFC 5652, enum ecdh-sha2-secp256r1 {
encoded using ASN.1 distinguished encoding rules (DER), value 28;
as specified in ITU-T X.690."; description
reference "Elliptic curve-based Diffie Hellman key exchange over
"RFC 5652: curve ecp256r1 and using SHA2 for MAC generation";
Cryptographic Message Syntax (CMS) reference
ITU-T X.690: "RFC 6239:
Information technology - ASN.1 encoding rules: Suite B Cryptographic Suites for Secure Shell (SSH)";
Specification of Basic Encoding Rules (BER), }
Canonical Encoding Rules (CER) and Distinguished enum ecdh-sha2-secp384r1 {
Encoding Rules (DER)."; value 29;
} description
"Elliptic curve-based Diffie Hellman key exchange over
curve ecp384r1 and using SHA2 for MAC generation";
reference
"RFC 6239:
Suite B Cryptographic Suites for Secure Shell (SSH)";
}
enum rsaes-oaep {
value 30;
description
"RSAES-OAEP combines the RSAEP and RSADP primitives with
the EME-OAEP encoding method";
reference
"RFC 8017:
PKCS #1:
RSA Cryptography Specifications Version 2.2.";
}
enum rsaes-pkcs1-v1_5 {
value 31;
description
"RSAES-PKCS1-v1_5 combines the RSAEP and RSADP
primitives with the EME-PKCS1-v1_5 encoding method";
reference
"RFC 8017:
PKCS #1:
RSA Cryptography Specifications Version 2.2.";
}
}
}
default "0";
description
"The uint16 filed shall be set by individual protocol
families according to the key exchange algorithm value
assigned by IANA. The setting is optional and by default
is 0. The enumeration filed is set to the selected key
exchange algorithm.";
}
typedef data-content-cms { /***************************************************/
type cms; /* Typedefs for ASN.1 structures from RFC 5280 */
description /***************************************************/
"A CMS structure whose top-most content type MUST be the
data content type, as described by Section 4 in RFC 5652.";
reference
"RFC 5652: Cryptographic Message Syntax (CMS)";
}
typedef signed-data-cms { typedef x509 {
type cms; type binary;
description description
"A CMS structure whose top-most content type MUST be the "A Certificate structure, as specified in RFC 5280,
signed-data content type, as described by Section 5 in encoded using ASN.1 distinguished encoding rules (DER),
RFC 5652."; as specified in ITU-T X.690.";
reference reference
"RFC 5652: Cryptographic Message Syntax (CMS)"; "RFC 5280:
} Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
typedef enveloped-data-cms { typedef crl {
type cms; type binary;
description description
"A CMS structure whose top-most content type MUST be the "A CertificateList structure, as specified in RFC 5280,
enveloped-data content type, as described by Section 6 encoded using ASN.1 distinguished encoding rules (DER),
in RFC 5652."; as specified in ITU-T X.690.";
reference reference
"RFC 5652: Cryptographic Message Syntax (CMS)"; "RFC 5280:
} Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
typedef digested-data-cms { /***********************************************/
type cms; /* Typedefs for ASN.1 structures from 5652 */
description /***********************************************/
"A CMS structure whose top-most content type MUST be the
digested-data content type, as described by Section 7
in RFC 5652.";
reference
"RFC 5652: Cryptographic Message Syntax (CMS)";
}
typedef encrypted-data-cms { typedef cms {
type cms; type binary;
description description
"A CMS structure whose top-most content type MUST be the "A ContentInfo structure, as specified in RFC 5652,
encrypted-data content type, as described by Section 8 encoded using ASN.1 distinguished encoding rules (DER),
in RFC 5652."; as specified in ITU-T X.690.";
reference
"RFC 5652:
Cryptographic Message Syntax (CMS)
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
reference typedef data-content-cms {
"RFC 5652: Cryptographic Message Syntax (CMS)"; type cms;
} description
"A CMS structure whose top-most content type MUST be the
data content type, as described by Section 4 in RFC 5652.";
reference
"RFC 5652: Cryptographic Message Syntax (CMS)";
}
typedef authenticated-data-cms { typedef signed-data-cms {
type cms; type cms;
description description
"A CMS structure whose top-most content type MUST be the "A CMS structure whose top-most content type MUST be the
authenticated-data content type, as described by Section 9 signed-data content type, as described by Section 5 in
in RFC 5652."; RFC 5652.";
reference reference
"RFC 5652: Cryptographic Message Syntax (CMS)"; "RFC 5652: Cryptographic Message Syntax (CMS)";
} }
/***************************************************/ typedef enveloped-data-cms {
/* Typedefs for structures related to RFC 4253 */ type cms;
/***************************************************/ description
"A CMS structure whose top-most content type MUST be the
enveloped-data content type, as described by Section 6
in RFC 5652.";
reference
"RFC 5652: Cryptographic Message Syntax (CMS)";
}
typedef ssh-host-key { typedef digested-data-cms {
type binary; type cms;
description description
"The binary public key data for this SSH key, as "A CMS structure whose top-most content type MUST be the
specified by RFC 4253, Section 6.6, i.e.: digested-data content type, as described by Section 7
in RFC 5652.";
reference
"RFC 5652: Cryptographic Message Syntax (CMS)";
}
string certificate or public key format typedef encrypted-data-cms {
identifier type cms;
byte[n] key/certificate data."; description
reference "A CMS structure whose top-most content type MUST be the
"RFC 4253: The Secure Shell (SSH) Transport Layer encrypted-data content type, as described by Section 8
Protocol"; in RFC 5652.";
} reference
"RFC 5652: Cryptographic Message Syntax (CMS)";
}
/*********************************************************/ typedef authenticated-data-cms {
/* Typedefs for ASN.1 structures related to RFC 5280 */ type cms;
/*********************************************************/ description
"A CMS structure whose top-most content type MUST be the
authenticated-data content type, as described by Section 9
in RFC 5652.";
reference
"RFC 5652: Cryptographic Message Syntax (CMS)";
}
typedef trust-anchor-cert-x509 { /***************************************************/
type x509; /* Typedefs for structures related to RFC 4253 */
description /***************************************************/
"A Certificate structure that MUST encode a self-signed
root certificate.";
}
typedef end-entity-cert-x509 { typedef ssh-host-key {
type x509; type binary;
description description
"A Certificate structure that MUST encode a certificate "The binary public key data for this SSH key, as
that is neither self-signed nor having Basic constraint specified by RFC 4253, Section 6.6, i.e.:
CA true.";
}
/*********************************************************/ string certificate or public key format
/* Typedefs for ASN.1 structures related to RFC 5652 */ identifier
/*********************************************************/ byte[n] key/certificate data.";
reference
"RFC 4253: The Secure Shell (SSH) Transport Layer
Protocol";
}
typedef trust-anchor-cert-cms { /*********************************************************/
type signed-data-cms; /* Typedefs for ASN.1 structures related to RFC 5280 */
description /*********************************************************/
"A CMS SignedData structure that MUST contain the chain of
X.509 certificates needed to authenticate the certificate
presented by a client or end-entity.
The CMS MUST contain only a single chain of certificates. typedef trust-anchor-cert-x509 {
The client or end-entity certificate MUST only authenticate type x509;
to last intermediate CA certificate listed in the chain. description
"A Certificate structure that MUST encode a self-signed
root certificate.";
}
In all cases, the chain MUST include a self-signed root typedef end-entity-cert-x509 {
certificate. In the case where the root certificate is type x509;
itself the issuer of the client or end-entity certificate, description
only one certificate is present. "A Certificate structure that MUST encode a certificate
that is neither self-signed nor having Basic constraint
CA true.";
}
This CMS structure MAY (as applicable where this type is /*********************************************************/
used) also contain suitably fresh (as defined by local /* Typedefs for ASN.1 structures related to RFC 5652 */
policy) revocation objects with which the device can /*********************************************************/
verify the revocation status of the certificates.
This CMS encodes the degenerate form of the SignedData typedef trust-anchor-cert-cms {
structure that is commonly used to disseminate X.509 type signed-data-cms;
certificates and revocation objects (RFC 5280)."; description
reference "A CMS SignedData structure that MUST contain the chain of
"RFC 5280: X.509 certificates needed to authenticate the certificate
Internet X.509 Public Key Infrastructure Certificate presented by a client or end-entity.
and Certificate Revocation List (CRL) Profile.";
}
typedef end-entity-cert-cms { The CMS MUST contain only a single chain of certificates.
type signed-data-cms; The client or end-entity certificate MUST only authenticate
description to last intermediate CA certificate listed in the chain.
"A CMS SignedData structure that MUST contain the end
entity certificate itself, and MAY contain any number
of intermediate certificates leading up to a trust
anchor certificate. The trust anchor certificate
MAY be included as well.
The CMS MUST contain a single end entity certificate. In all cases, the chain MUST include a self-signed root
The CMS MUST NOT contain any spurious certificates. certificate. In the case where the root certificate is
itself the issuer of the client or end-entity certificate,
only one certificate is present.
This CMS structure MAY (as applicable where this type is This CMS structure MAY (as applicable where this type is
used) also contain suitably fresh (as defined by local used) also contain suitably fresh (as defined by local
policy) revocation objects with which the device can policy) revocation objects with which the device can
verify the revocation status of the certificates. verify the revocation status of the certificates.
This CMS encodes the degenerate form of the SignedData This CMS encodes the degenerate form of the SignedData
structure that is commonly used to disseminate X.509 structure that is commonly used to disseminate X.509
certificates and revocation objects (RFC 5280)."; certificates and revocation objects (RFC 5280).";
reference reference
"RFC 5280: "RFC 5280:
Internet X.509 Public Key Infrastructure Certificate Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile."; and Certificate Revocation List (CRL) Profile.";
} }
typedef end-entity-cert-cms {
type signed-data-cms;
description
"A CMS SignedData structure that MUST contain the end
entity certificate itself, and MAY contain any number
of intermediate certificates leading up to a trust
anchor certificate. The trust anchor certificate
MAY be included as well.
/**********************************************/ The CMS MUST contain a single end entity certificate.
/* Groupings for keys and/or certificates */ The CMS MUST NOT contain any spurious certificates.
/**********************************************/
grouping symmetric-key-grouping { This CMS structure MAY (as applicable where this type is
description used) also contain suitably fresh (as defined by local
"A symmetric key and algorithm."; policy) revocation objects with which the device can
leaf algorithm { verify the revocation status of the certificates.
type identityref {
base "ct:encryption-algorithm";
}
mandatory true;
description
"The algorithm to be used when generating the key.";
reference
"RFC CCCC: Common YANG Data Types for Cryptography";
}
choice key-type {
mandatory true;
description
"Choice between key types.";
leaf key {
nacm:default-deny-all;
type binary;
description
"The binary value of the key. The interpretation of
the value is defined by 'algorithm'. For example,
FIXME.";
reference
"RFC XXXX: FIXME";
}
leaf hidden-key {
nacm:default-deny-write;
type empty;
description
"A permanently hidden key. How such keys are created
is outside the scope of this module.";
}
}
}
grouping public-key-grouping { This CMS encodes the degenerate form of the SignedData
description structure that is commonly used to disseminate X.509
"A public key and its associated algorithm."; certificates and revocation objects (RFC 5280).";
leaf algorithm { reference
nacm:default-deny-write; "RFC 5280:
type asymmetric-key-algorithm-ref; Internet X.509 Public Key Infrastructure Certificate
mandatory true; and Certificate Revocation List (CRL) Profile.";
description }
"Identifies the key's algorithm.";
reference
"RFC CCCC: Common YANG Data Types for Cryptography";
}
leaf public-key {
nacm:default-deny-write;
type binary;
mandatory true;
description
"The binary value of the public key. The interpretation of
the value is defined by 'algorithm'. For example, a DSA
key is an integer, an RSA key is represented as RSAPublicKey
per RFC 8017, and an ECC key is represented using the
'publicKey' described in RFC 5915.";
reference
"RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.2.
RFC 5915: Elliptic Curve Private Key Structure.";
}
}
grouping asymmetric-key-pair-grouping { /**********************************************/
description /* Groupings for keys and/or certificates */
"A private key and its associated public key and algorithm."; /**********************************************/
uses public-key-grouping;
choice private-key-type {
mandatory true;
description
"Choice between key types.";
leaf private-key {
nacm:default-deny-all;
type binary;
description
"The value of the binary key. The key's value is
interpreted by the 'algorithm'. For example, a DSA key
is an integer, an RSA key is represented as RSAPrivateKey
as defined in RFC 8017, and an ECC key is represented as
ECPrivateKey as defined in RFC 5915.";
reference
"RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.2.
RFC 5915: Elliptic Curve Private Key Structure.";
}
leaf hidden-private-key {
nacm:default-deny-write;
type empty;
description
"A permanently hidden key. How such keys are created
is outside the scope of this module.";
}
}
}
grouping trust-anchor-cert-grouping { grouping symmetric-key-grouping {
description description
"A trust anchor certificate, and a notification for when "A symmetric key and algorithm.";
it is about to (or already has) expire."; leaf algorithm {
leaf cert { type encryption-algorithm-t;
nacm:default-deny-write; mandatory true;
type trust-anchor-cert-cms; description
description "The algorithm to be used when generating the key.";
"The binary certificate data for this certificate."; reference
reference "RFC CCCC: Common YANG Data Types for Cryptography";
"RFC YYYY: Common YANG Data Types for Cryptography"; }
} choice key-type {
notification certificate-expiration { mandatory true;
description description
"A notification indicating that the configured certificate "Choice between key types.";
is either about to expire or has already expired. When to leaf key {
send notifications is an implementation specific decision, nacm:default-deny-all;
but it is RECOMMENDED that a notification be sent once a type binary;
month for 3 months, then once a week for four weeks, and description
then once a day thereafter until the issue is resolved."; "The binary value of the key. The interpretation of
leaf expiration-date { the value is defined by 'algorithm'. For example,
type yang:date-and-time; FIXME.";
mandatory true; reference
description "RFC XXXX: FIXME";
"Identifies the expiration date on the certificate."; }
} leaf hidden-key {
} nacm:default-deny-write;
} type empty;
grouping trust-anchor-certs-grouping { description
description "A permanently hidden key. How such keys are created
"A list of trust anchor certificates, and a notification is outside the scope of this module.";
for when one is about to (or already has) expire."; }
leaf-list cert { }
nacm:default-deny-write; }
type trust-anchor-cert-cms;
description
"The binary certificate data for this certificate.";
reference
"RFC YYYY: Common YANG Data Types for Cryptography";
}
notification certificate-expiration {
description
"A notification indicating that the configured certificate
is either about to expire or has already expired. When to
send notifications is an implementation specific decision,
but it is RECOMMENDED that a notification be sent once a
month for 3 months, then once a week for four weeks, and
then once a day thereafter until the issue is resolved.";
leaf expiration-date {
type yang:date-and-time;
mandatory true;
description
"Identifies the expiration date on the certificate.";
}
}
}
grouping end-entity-cert-grouping { grouping public-key-grouping {
description description
"An end entity certificate, and a notification for when "A public key and its associated algorithm.";
it is about to (or already has) expire. Implementations leaf algorithm {
SHOULD assert that, where used, the end entity certificate nacm:default-deny-write;
contains the expected public key."; type asymmetric-key-algorithm-t;
leaf cert { mandatory true;
nacm:default-deny-write; description
type end-entity-cert-cms; "Identifies the key's algorithm.";
description reference
"The binary certificate data for this certificate."; "RFC CCCC: Common YANG Data Types for Cryptography";
reference }
"RFC YYYY: Common YANG Data Types for Cryptography"; leaf public-key {
} nacm:default-deny-write;
notification certificate-expiration { type binary;
description mandatory true;
"A notification indicating that the configured certificate description
is either about to expire or has already expired. When to "The binary value of the public key. The interpretation
send notifications is an implementation specific decision, of the value is defined by 'algorithm'. For example,
but it is RECOMMENDED that a notification be sent once a a DSA key is an integer, an RSA key is represented as
month for 3 months, then once a week for four weeks, and RSAPublicKey per RFC 8017, and an ECC key is represented
then once a day thereafter until the issue is resolved."; using the 'publicKey' described in RFC 5915.";
leaf expiration-date { reference
type yang:date-and-time; "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
mandatory true; RSA Cryptography Specifications Version 2.2.
description RFC 5915: Elliptic Curve Private Key Structure.";
"Identifies the expiration date on the certificate."; }
} }
}
}
grouping end-entity-certs-grouping { grouping asymmetric-key-pair-grouping {
description description
"A list of end entity certificates, and a notification for "A private key and its associated public key and algorithm.";
when one is about to (or already has) expire."; uses public-key-grouping;
leaf-list cert { choice private-key-type {
nacm:default-deny-write; mandatory true;
type end-entity-cert-cms; description
description "Choice between key types.";
"The binary certificate data for this certificate."; leaf private-key {
reference nacm:default-deny-all;
"RFC YYYY: Common YANG Data Types for Cryptography"; type binary;
} description
notification certificate-expiration { "The value of the binary key. The key's value is
description interpreted by the 'algorithm'. For example, a DSA key
"A notification indicating that the configured certificate is an integer, an RSA key is represented as RSAPrivateKey
is either about to expire or has already expired. When to as defined in RFC 8017, and an ECC key is represented as
send notifications is an implementation specific decision, ECPrivateKey as defined in RFC 5915.";
but it is RECOMMENDED that a notification be sent once a reference
month for 3 months, then once a week for four weeks, and "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
then once a day thereafter until the issue is resolved."; RSA Cryptography Specifications Version 2.2.
leaf expiration-date { RFC 5915: Elliptic Curve Private Key Structure.";
type yang:date-and-time; }
mandatory true; leaf hidden-private-key {
description nacm:default-deny-write;
"Identifies the expiration date on the certificate."; type empty;
} description
} "A permanently hidden key. How such keys are created
} is outside the scope of this module.";
}
}
}
grouping asymmetric-key-pair-with-cert-grouping { grouping trust-anchor-cert-grouping {
description description
"A private/public key pair and an associated certificate. "A trust anchor certificate, and a notification for when
Implementations SHOULD assert that certificates contain it is about to (or already has) expire.";
the matching public key."; leaf cert {
nacm:default-deny-write;
type trust-anchor-cert-cms;
description
"The binary certificate data for this certificate.";
reference
"RFC YYYY: Common YANG Data Types for Cryptography";
}
notification certificate-expiration {
description
"A notification indicating that the configured certificate
is either about to expire or has already expired. When to
send notifications is an implementation specific decision,
but it is RECOMMENDED that a notification be sent once a
month for 3 months, then once a week for four weeks, and
then once a day thereafter until the issue is resolved.";
leaf expiration-date {
type yang:date-and-time;
mandatory true;
description
"Identifies the expiration date on the certificate.";
}
}
}
uses asymmetric-key-pair-grouping; grouping trust-anchor-certs-grouping {
uses end-entity-cert-grouping; description
"A list of trust anchor certificates, and a notification
for when one is about to (or already has) expire.";
leaf-list cert {
nacm:default-deny-write;
type trust-anchor-cert-cms;
description
"The binary certificate data for this certificate.";
reference
"RFC YYYY: Common YANG Data Types for Cryptography";
}
notification certificate-expiration {
description
"A notification indicating that the configured certificate
is either about to expire or has already expired. When to
send notifications is an implementation specific decision,
but it is RECOMMENDED that a notification be sent once a
month for 3 months, then once a week for four weeks, and
then once a day thereafter until the issue is resolved.";
leaf expiration-date {
type yang:date-and-time;
mandatory true;
description
"Identifies the expiration date on the certificate.";
}
}
}
action generate-certificate-signing-request { grouping end-entity-cert-grouping {
nacm:default-deny-all; description
description "An end entity certificate, and a notification for when
"Generates a certificate signing request structure for it is about to (or already has) expire. Implementations
the associated asymmetric key using the passed subject SHOULD assert that, where used, the end entity certificate
and attribute values. The specified assertions need contains the expected public key.";
to be appropriate for the certificate's use. For leaf cert {
example, an entity certificate for a TLS server nacm:default-deny-write;
SHOULD have values that enable clients to satisfy type end-entity-cert-cms;
RFC 6125 processing."; description
input { "The binary certificate data for this certificate.";
leaf subject { reference
type binary; "RFC YYYY: Common YANG Data Types for Cryptography";
mandatory true; }
description notification certificate-expiration {
"The 'subject' field per the CertificationRequestInfo description
structure as specified by RFC 2986, Section 4.1 "A notification indicating that the configured certificate
encoded using the ASN.1 distinguished encoding is either about to expire or has already expired. When to
rules (DER), as specified in ITU-T X.690."; send notifications is an implementation specific decision,
reference but it is RECOMMENDED that a notification be sent once a
"RFC 2986: month for 3 months, then once a week for four weeks, and
PKCS #10: Certification Request Syntax then once a day thereafter until the issue is resolved.";
Specification Version 1.7. leaf expiration-date {
ITU-T X.690: type yang:date-and-time;
Information technology - ASN.1 encoding rules: mandatory true;
Specification of Basic Encoding Rules (BER), description
Canonical Encoding Rules (CER) and Distinguished "Identifies the expiration date on the certificate.";
Encoding Rules (DER)."; }
} }
leaf attributes { }
type binary; // FIXME: does this need to be mandatory?
description
"The 'attributes' field from the structure
CertificationRequestInfo as specified by RFC 2986,
Section 4.1 encoded using the ASN.1 distinguished
encoding rules (DER), as specified in ITU-T X.690.";
reference
"RFC 2986:
PKCS #10: Certification Request Syntax
Specification Version 1.7.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
} grouping end-entity-certs-grouping {
output { description
leaf certificate-signing-request { "A list of end entity certificates, and a notification for
type binary; when one is about to (or already has) expire.";
mandatory true; leaf-list cert {
description nacm:default-deny-write;
"A CertificationRequest structure as specified by type end-entity-cert-cms;
RFC 2986, Section 4.2 encoded using the ASN.1 description
distinguished encoding rules (DER), as specified "The binary certificate data for this certificate.";
in ITU-T X.690."; reference
reference "RFC YYYY: Common YANG Data Types for Cryptography";
"RFC 2986: }
PKCS #10: Certification Request Syntax notification certificate-expiration {
Specification Version 1.7. description
ITU-T X.690: "A notification indicating that the configured certificate
Information technology - ASN.1 encoding rules: is either about to expire or has already expired. When to
Specification of Basic Encoding Rules (BER), send notifications is an implementation specific decision,
Canonical Encoding Rules (CER) and Distinguished but it is RECOMMENDED that a notification be sent once a
Encoding Rules (DER)."; month for 3 months, then once a week for four weeks, and
} then once a day thereafter until the issue is resolved.";
} leaf expiration-date {
} // generate-certificate-signing-request type yang:date-and-time;
} // asymmetric-key-pair-with-cert-grouping mandatory true;
description
"Identifies the expiration date on the certificate.";
grouping asymmetric-key-pair-with-certs-grouping { }
description }
"A private/public key pair and associated certificates. }
Implementations SHOULD assert that certificates contain
the matching public key.";
uses asymmetric-key-pair-grouping;
container certificates {
nacm:default-deny-write;
description
"Certificates associated with this asymmetric key.
More than one certificate supports, for instance,
a TPM-protected asymmetric key that has both IDevID
and LDevID certificates associated.";
list certificate {
key "name";
description
"A certificate for this asymmetric key.";
leaf name {
type string;
description
"An arbitrary name for the certificate. If the name
matches the name of a certificate that exists
independently in <operational> (i.e., an IDevID),
then the 'cert' node MUST NOT be configured.";
}
uses end-entity-cert-grouping;
}
} // certificates
action generate-certificate-signing-request { grouping asymmetric-key-pair-with-cert-grouping {
nacm:default-deny-all; description
description "A private/public key pair and an associated certificate.
"Generates a certificate signing request structure for Implementations SHOULD assert that certificates contain
the associated asymmetric key using the passed subject the matching public key.";
and attribute values. The specified assertions need uses asymmetric-key-pair-grouping;
to be appropriate for the certificate's use. For uses end-entity-cert-grouping;
example, an entity certificate for a TLS server action generate-certificate-signing-request {
SHOULD have values that enable clients to satisfy nacm:default-deny-all;
RFC 6125 processing."; description
input { "Generates a certificate signing request structure for
leaf subject { the associated asymmetric key using the passed subject
type binary; and attribute values. The specified assertions need
mandatory true; to be appropriate for the certificate's use. For
description example, an entity certificate for a TLS server
"The 'subject' field per the CertificationRequestInfo SHOULD have values that enable clients to satisfy
structure as specified by RFC 2986, Section 4.1 RFC 6125 processing.";
encoded using the ASN.1 distinguished encoding input {
rules (DER), as specified in ITU-T X.690."; leaf subject {
reference type binary;
"RFC 2986: mandatory true;
PKCS #10: Certification Request Syntax description
Specification Version 1.7. "The 'subject' field per the CertificationRequestInfo
ITU-T X.690: structure as specified by RFC 2986, Section 4.1
Information technology - ASN.1 encoding rules: encoded using the ASN.1 distinguished encoding
Specification of Basic Encoding Rules (BER), rules (DER), as specified in ITU-T X.690.";
Canonical Encoding Rules (CER) and Distinguished reference
Encoding Rules (DER)."; "RFC 2986:
} PKCS #10: Certification Request Syntax
leaf attributes { Specification Version 1.7.
type binary; // FIXME: does this need to be mandatory? ITU-T X.690:
description Information technology - ASN.1 encoding rules:
"The 'attributes' field from the structure Specification of Basic Encoding Rules (BER),
CertificationRequestInfo as specified by RFC 2986, Canonical Encoding Rules (CER) and Distinguished
Section 4.1 encoded using the ASN.1 distinguished Encoding Rules (DER).";
encoding rules (DER), as specified in ITU-T X.690."; }
reference leaf attributes {
"RFC 2986: type binary; // FIXME: does this need to be mandatory?
PKCS #10: Certification Request Syntax description
Specification Version 1.7. "The 'attributes' field from the structure
ITU-T X.690: CertificationRequestInfo as specified by RFC 2986,
Information technology - ASN.1 encoding rules: Section 4.1 encoded using the ASN.1 distinguished
encoding rules (DER), as specified in ITU-T X.690.";
reference
"RFC 2986:
PKCS #10: Certification Request Syntax
Specification Version 1.7.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
}
output {
leaf certificate-signing-request {
type binary;
mandatory true;
description
"A CertificationRequest structure as specified by
RFC 2986, Section 4.2 encoded using the ASN.1
distinguished encoding rules (DER), as specified
in ITU-T X.690.";
reference
"RFC 2986:
PKCS #10: Certification Request Syntax
Specification Version 1.7.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
}
} // generate-certificate-signing-request
} // asymmetric-key-pair-with-cert-grouping
Specification of Basic Encoding Rules (BER), grouping asymmetric-key-pair-with-certs-grouping {
Canonical Encoding Rules (CER) and Distinguished description
Encoding Rules (DER)."; "A private/public key pair and associated certificates.
} Implementations SHOULD assert that certificates contain
} the matching public key.";
output { uses asymmetric-key-pair-grouping;
leaf certificate-signing-request { container certificates {
type binary; nacm:default-deny-write;
mandatory true; description
description "Certificates associated with this asymmetric key.
"A CertificationRequest structure as specified by More than one certificate supports, for instance,
RFC 2986, Section 4.2 encoded using the ASN.1 a TPM-protected asymmetric key that has both IDevID
distinguished encoding rules (DER), as specified and LDevID certificates associated.";
in ITU-T X.690."; list certificate {
reference key "name";
"RFC 2986: description
PKCS #10: Certification Request Syntax "A certificate for this asymmetric key.";
Specification Version 1.7. leaf name {
ITU-T X.690: type string;
Information technology - ASN.1 encoding rules: description
Specification of Basic Encoding Rules (BER), "An arbitrary name for the certificate. If the name
Canonical Encoding Rules (CER) and Distinguished matches the name of a certificate that exists
Encoding Rules (DER)."; independently in <operational> (i.e., an IDevID),
} then the 'cert' node MUST NOT be configured.";
} }
} // generate-certificate-signing-request uses end-entity-cert-grouping;
} // asymmetric-key-pair-with-certs-grouping }
} } // certificates
action generate-certificate-signing-request {
nacm:default-deny-all;
description
"Generates a certificate signing request structure for
the associated asymmetric key using the passed subject
and attribute values. The specified assertions need
to be appropriate for the certificate's use. For
example, an entity certificate for a TLS server
SHOULD have values that enable clients to satisfy
RFC 6125 processing.";
input {
leaf subject {
type binary;
mandatory true;
description
"The 'subject' field per the CertificationRequestInfo
structure as specified by RFC 2986, Section 4.1
encoded using the ASN.1 distinguished encoding
rules (DER), as specified in ITU-T X.690.";
reference
"RFC 2986:
PKCS #10: Certification Request Syntax
Specification Version 1.7.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
leaf attributes {
type binary; // FIXME: does this need to be mandatory?
description
"The 'attributes' field from the structure
CertificationRequestInfo as specified by RFC 2986,
Section 4.1 encoded using the ASN.1 distinguished
encoding rules (DER), as specified in ITU-T X.690.";
reference
"RFC 2986:
PKCS #10: Certification Request Syntax
Specification Version 1.7.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
}
output {
leaf certificate-signing-request {
type binary;
mandatory true;
description
"A CertificationRequest structure as specified by
RFC 2986, Section 4.2 encoded using the ASN.1
distinguished encoding rules (DER), as specified
in ITU-T X.690.";
reference
"RFC 2986:
PKCS #10: Certification Request Syntax
Specification Version 1.7.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
}
} // generate-certificate-signing-request
} // asymmetric-key-pair-with-certs-grouping
}
<CODE ENDS> <CODE ENDS>
3. Security Considerations 3. Security Considerations
3.1. Support for Algorithms 3.1. Support for Algorithms
In order to use YANG identities for algorithm identifiers, only the In order to use YANG identities for algorithm identifiers, only the
most commonly used RSA key lengths are supported for the RSA most commonly used RSA key lengths are supported for the RSA
algorithm. Additional key lengths can be defined in another module algorithm. Additional key lengths can be defined in another module
or added into a future version of this document. or added into a future version of this document.
skipping to change at page 51, line 10 skipping to change at page 51, line 10
"An asymmetric key pair with associated certificates."; "An asymmetric key pair with associated certificates.";
} }
} }
} }
Given the above example usage module, the following example Given the above example usage module, the following example
illustrates some configured keys. illustrates some configured keys.
<keys xmlns="http://example.com/ns/example-crypto-types-usage"> <keys xmlns="http://example.com/ns/example-crypto-types-usage">
<key> <key>
<name>ex-key</name> <name>ex-key</name>
<algorithm <algorithm>rsa2048</algorithm>
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types">
ct:rsa2048
</algorithm>
<public-key>base64encodedvalue==</public-key> <public-key>base64encodedvalue==</public-key>
<private-key>base64encodedvalue==</private-key> <private-key>base64encodedvalue==</private-key>
<certificates> <certificates>
<certificate> <certificate>
<name>ex-cert</name> <name>ex-cert</name>
<cert>base64encodedvalue==</cert> <cert>base64encodedvalue==</cert>
</certificate> </certificate>
</certificates> </certificates>
</key> </key>
<key> <key>
<name>ex-hidden-key</name> <name>ex-hidden-key</name>
<algorithm <algorithm>rsa2048</algorithm>
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types">
ct:rsa2048
</algorithm>
<public-key>base64encodedvalue==</public-key> <public-key>base64encodedvalue==</public-key>
<hidden-private-key/> <hidden-private-key/>
<certificates> <certificates>
<certificate> <certificate>
<name>ex-hidden-key-cert</name> <name>ex-hidden-key-cert</name>
<cert>base64encodedvalue==</cert> <cert>base64encodedvalue==</cert>
</certificate> </certificate>
</certificates> </certificates>
</key> </key>
</keys> </keys>
skipping to change at page 56, line 15 skipping to change at page 56, line 15
B.9. 07 to 08 B.9. 07 to 08
o Removed the 'generate-key and 'hidden-key' features. o Removed the 'generate-key and 'hidden-key' features.
o Added grouping symmetric-key-grouping o Added grouping symmetric-key-grouping
o Modified 'asymmetric-key-pair-grouping' to have a 'choice' o Modified 'asymmetric-key-pair-grouping' to have a 'choice'
statement for the keystone module to augment into, as well as statement for the keystone module to augment into, as well as
replacing the 'union' with leafs (having different NACM settings. replacing the 'union' with leafs (having different NACM settings.
B.10. 08 to 09
o Converting algorithm from identities to enumerations.
Acknowledgements Acknowledgements
The authors would like to thank for following for lively discussions The authors would like to thank for following for lively discussions
on list and in the halls (ordered by last name): Martin Bjorklund, on list and in the halls (ordered by last name): Martin Bjorklund,
Nick Hancock, Balazs Kovacs, Juergen Schoenwaelder, Eric Voit, and Nick Hancock, Balazs Kovacs, Juergen Schoenwaelder, Eric Voit, and
Liang Xia. Liang Xia.
Authors' Addresses Authors' Addresses
Kent Watsen Kent Watsen
 End of changes. 83 change blocks. 
1698 lines changed or deleted 1703 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/