draft-ietf-netconf-crypto-types-02.txt   draft-ietf-netconf-crypto-types-03.txt 
NETCONF Working Group K. Watsen NETCONF Working Group K. Watsen
Internet-Draft Juniper Networks Internet-Draft Watsen Networks
Intended status: Standards Track H. Wang Intended status: Standards Track H. Wang
Expires: April 25, 2019 Huawei Expires: September 10, 2019 Huawei
October 22, 2018 March 9, 2019
Common YANG Data Types for Cryptography Common YANG Data Types for Cryptography
draft-ietf-netconf-crypto-types-02 draft-ietf-netconf-crypto-types-03
Abstract Abstract
This document defines YANG identities, typedefs, the groupings useful This document defines YANG identities, typedefs, the groupings useful
for cryptographic applications. for cryptographic applications.
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
This draft contains many placeholder values that need to be replaced This draft contains many placeholder values that need to be replaced
with finalized values at the time of publication. This note with finalized values at the time of publication. This note
skipping to change at page 1, line 32 skipping to change at page 1, line 32
Editor instructions are specified elsewhere in this document. Editor instructions are specified elsewhere in this document.
Artwork in this document contains shorthand references to drafts in Artwork in this document contains shorthand references to drafts in
progress. Please apply the following replacements: progress. Please apply the following replacements:
o "XXXX" --> the assigned RFC value for this draft o "XXXX" --> the assigned RFC value for this draft
Artwork in this document contains placeholder values for the date of Artwork in this document contains placeholder values for the date of
publication of this draft. Please apply the following replacement: publication of this draft. Please apply the following replacement:
o "2018-10-22" --> the publication date of this draft o "2019-03-09" --> the publication date of this draft
The following Appendix section is to be removed prior to publication: The following Appendix section is to be removed prior to publication:
o Appendix B. Change Log o Appendix B. Change Log
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 25, 2019. This Internet-Draft will expire on September 10, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. The Crypto Types Module . . . . . . . . . . . . . . . . . . . 3 2. The Crypto Types Module . . . . . . . . . . . . . . . . . . . 3
2.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 3
2.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 4 2.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 4
3. Security Considerations . . . . . . . . . . . . . . . . . . . 39 3. Security Considerations . . . . . . . . . . . . . . . . . . . 38
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39
4.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 40 4.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 39
4.2. The YANG Module Names Registry . . . . . . . . . . . . . 40 4.2. The YANG Module Names Registry . . . . . . . . . . . . . 39
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 40 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 39
5.1. Normative References . . . . . . . . . . . . . . . . . . 40 5.1. Normative References . . . . . . . . . . . . . . . . . . 39
5.2. Informative References . . . . . . . . . . . . . . . . . 44 5.2. Informative References . . . . . . . . . . . . . . . . . 42
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 45 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 44
A.1. The "asymmetric-key-pair-with-certs-grouping" Grouping . 45 A.1. The "asymmetric-key-pair-with-certs-grouping" Grouping . 44
A.2. The "generate-hidden-key" Action . . . . . . . . . . . . 47 A.2. The "generate-hidden-key" Action . . . . . . . . . . . . 46
A.3. The "install-hidden-key" Action . . . . . . . . . . . . . 48 A.3. The "install-hidden-key" Action . . . . . . . . . . . . . 47
A.4. The "generate-certificate-signing-request" Action . . . . 49 A.4. The "generate-certificate-signing-request" Action . . . . 47
A.5. The "certificate-expiration" Notification . . . . . . . . 50 A.5. The "certificate-expiration" Notification . . . . . . . . 48
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 51 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 49
B.1. I-D to 00 . . . . . . . . . . . . . . . . . . . . . . . . 51 B.1. I-D to 00 . . . . . . . . . . . . . . . . . . . . . . . . 49
B.2. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 51 B.2. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 49
B.3. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 51 B.3. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 49
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 52 B.4. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 50
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 52 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 50
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 51
1. Introduction 1. Introduction
This document defines a YANG 1.1 [RFC7950] module specifying This document defines a YANG 1.1 [RFC7950] module specifying
identities, typedefs, and groupings useful for cryptography. identities, typedefs, and groupings useful for cryptography.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
2. The Crypto Types Module 2. The Crypto Types Module
2.1. Tree Diagram 2.1. Tree Diagram
This section provides a tree diagram [RFC8340] for the "ietf-crypto- This section provides a tree diagram [RFC8340] for the "ietf-crypto-
types" module. Only the groupings as represented, as tree diagrams types" module. Only the groupings as represented, as tree diagrams
have no means to represent identities or typedefs. have no means to represent identities or typedefs.
[Note: '\' line wrapping for formatting only]
module: ietf-crypto-types module: ietf-crypto-types
grouping asymmetric-key-pair-grouping grouping public-key-grouping:
+-- algorithm? asymmetric-key-encryption-algorithm-r\ +---- algorithm? asymmetric-key-algorithm-ref
ef +---- public-key? binary
+-- public-key? binary grouping asymmetric-key-pair-grouping:
+-- private-key? union +---- algorithm? asymmetric-key-algorithm-ref
+---- public-key? binary
+---- private-key? union
+---x generate-hidden-key +---x generate-hidden-key
| +---w input | +---- input
| +---w algorithm asymmetric-key-encryption-algorithm-ref | +---w algorithm asymmetric-key-algorithm-ref
+---x install-hidden-key +---x install-hidden-key
+---w input +---- input
+---w algorithm asymmetric-key-encryption-algorithm-r\ +---w algorithm asymmetric-key-algorithm-ref
ef
+---w public-key? binary +---w public-key? binary
+---w private-key? binary +---w private-key? binary
grouping public-key-grouping grouping trust-anchor-cert-grouping:
+-- algorithm? asymmetric-key-encryption-algorithm-ref +---- cert? trust-anchor-cert-cms
+-- public-key? binary +---n certificate-expiration
grouping asymmetric-key-pair-with-certs-grouping +--ro expiration-date ietf-yang-types:date-and-time
+-- algorithm? grouping end-entity-cert-grouping:
| asymmetric-key-encryption-algorithm-ref +---- cert? end-entity-cert-cms
+-- public-key? binary +---n certificate-expiration
+-- private-key? union +--ro expiration-date ietf-yang-types:date-and-time
grouping asymmetric-key-pair-with-certs-grouping:
+---- algorithm?
| asymmetric-key-algorithm-ref
+---- public-key? binary
+---- private-key? union
+---x generate-hidden-key +---x generate-hidden-key
| +---w input | +---- input
| +---w algorithm asymmetric-key-encryption-algorithm-ref | +---w algorithm asymmetric-key-algorithm-ref
+---x install-hidden-key +---x install-hidden-key
| +---w input | +---- input
| +---w algorithm asymmetric-key-encryption-algorithm-r\ | +---w algorithm asymmetric-key-algorithm-ref
ef
| +---w public-key? binary | +---w public-key? binary
| +---w private-key? binary | +---w private-key? binary
+-- certificates +---- certificates
| +-- certificate* [name] | +---- certificate* [name]
| +-- name? string | +---- name string
| +-- cert? end-entity-cert-cms | +---- cert? end-entity-cert-cms
| +---n certificate-expiration | +---n certificate-expiration
| +-- expiration-date yang:date-and-time | +--ro expiration-date ietf-yang-types:date-and-time
+---x generate-certificate-signing-request +---x generate-certificate-signing-request
+---w input +---- input
| +---w subject binary | +---w subject binary
| +---w attributes? binary | +---w attributes? binary
+--ro output +---- output
+--ro certificate-signing-request binary +--ro certificate-signing-request binary
grouping end-entity-cert-grouping
+-- cert? end-entity-cert-cms
+---n certificate-expiration
+-- expiration-date yang:date-and-time
grouping trust-anchor-cert-grouping
+-- cert? trust-anchor-cert-cms
+---n certificate-expiration
+-- expiration-date yang:date-and-time
2.2. YANG Module 2.2. YANG Module
This module has normative references to [RFC2404], [RFC2986], This module has normative references to [RFC2404], [RFC3565],
[RFC3174], [RFC3565], [RFC3686], [RFC4106], [RFC4253], [RFC4279], [RFC3686], [RFC4106], [RFC4253], [RFC4279], [RFC4309], [RFC4494],
[RFC4309], [RFC4493], [RFC4494], [RFC4543], [RFC4868], [RFC5280], [RFC4543], [RFC4868], [RFC5280], [RFC5652], [RFC5656], [RFC6187],
[RFC5652], [RFC5656], [RFC5915], [RFC6187], [RFC6234], [RFC6239], [RFC6991], [RFC7919], [RFC8268], [RFC8332], [RFC8341], [RFC8422],
[RFC6507], [RFC6991], [RFC7539], [RFC7919], [RFC8017], [RFC8032], [RFC8446], and [ITU.X690.2015].
[RFC8268], [RFC8332], [RFC8341], [RFC8422], [RFC8446], and
[ITU.X690.2015].
This module has an informational reference to [RFC6125]. This module has an informational reference to [RFC2986], [RFC3174],
[RFC4493], [RFC5915], [RFC6125], [RFC6234], [RFC6239], [RFC6507],
[RFC8017], [RFC8032], [RFC8439].
<CODE BEGINS> file "ietf-crypto-types@2018-10-22.yang" <CODE BEGINS> file "ietf-crypto-types@2019-03-09.yang"
module ietf-crypto-types {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types"; module ietf-crypto-types {
prefix "ct"; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";
prefix "ct";
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
reference reference
"RFC 6991: Common YANG Data Types"; "RFC 6991: Common YANG Data Types";
} }
import ietf-netconf-acm { import ietf-netconf-acm {
prefix nacm; prefix nacm;
reference reference
"RFC 8341: Network Configuration Access Control Model"; "RFC 8341: Network Configuration Access Control Model";
} }
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
contact contact
"WG Web: <http://datatracker.ietf.org/wg/netconf/> "WG Web: <http://datatracker.ietf.org/wg/netconf/>
WG List: <mailto:netconf@ietf.org> WG List: <mailto:netconf@ietf.org>
Author: Kent Watsen <mailto:kent+ietf@watsen.net>
Author: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>";
Author: Kent Watsen description
<mailto:kwatsen@juniper.net> "This module defines common YANG types for cryptographic
applications.
Author: Wang Haiguang The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
<wang.haiguang.shieldlab@huawei.com>"; 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 [RFC2119]
[RFC8174] when, and only when, they appear in all
capitals, as shown here.
description Copyright (c) 2019 IETF Trust and the persons identified
"This module defines common YANG types for cryptographic as authors of the code. All rights reserved.
applications.
Copyright (c) 2018 IETF Trust and the persons identified Redistribution and use in source and binary forms, with
as authors of the code. All rights reserved. or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
Redistribution and use in source and binary forms, with This version of this YANG module is part of RFC XXXX; see
or without modification, is permitted pursuant to, and the RFC itself for full legal notices.";
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see revision "2019-03-09" {
the RFC itself for full legal notices."; description
"Initial version";
reference
"RFC XXXX: Common YANG Data Types for Cryptography";
}
revision "2018-10-22" { /**************************************/
description /* Identities for Hash Algorithms */
"Initial version"; /**************************************/
reference identity hash-algorithm {
"RFC XXXX: Common YANG Data Types for Cryptography"; description
} "A base identity for hash algorithm verification.";
/**************************************/ }
/* Identities for Hash Algorithms */
/**************************************/
identity hash-algorithm { identity sha-224 {
description base "hash-algorithm";
"A base identity for hash algorithm verification."; description "The SHA-224 algorithm.";
} reference "RFC 6234: US Secure Hash Algorithms.";
}
identity sha-224 { identity sha-256 {
base "hash-algorithm"; base "hash-algorithm";
description "The SHA-224 algorithm."; description "The SHA-256 algorithm.";
reference "RFC 6234: US Secure Hash Algorithms."; reference "RFC 6234: US Secure Hash Algorithms.";
} }
identity sha-256 { identity sha-384 {
base "hash-algorithm"; base "hash-algorithm";
description "The SHA-256 algorithm."; description "The SHA-384 algorithm.";
reference "RFC 6234: US Secure Hash Algorithms."; reference "RFC 6234: US Secure Hash Algorithms.";
} }
identity sha-384 { identity sha-512 {
base "hash-algorithm"; base "hash-algorithm";
description "The SHA-384 algorithm."; description "The SHA-512 algorithm.";
reference "RFC 6234: US Secure Hash Algorithms."; reference "RFC 6234: US Secure Hash Algorithms.";
} }
identity sha-512 { /***********************************************/
base "hash-algorithm"; /* Identities for Asymmetric Key Algorithms */
description "The SHA-512 algorithm."; /***********************************************/
reference "RFC 6234: US Secure Hash Algorithms.";
}
/********************************************************/ identity asymmetric-key-algorithm {
/* Identities for Asymmetric Key Encyption Algorithms */ description
/********************************************************/ "Base identity from which all asymmetric key
encryption Algorithm.";
}
identity asymmetric-key-encryption-algorithm { identity rsa1024 {
description base asymmetric-key-algorithm;
"Base identity from which all asymmetric key description
encryption Algorithm."; "The RSA algorithm using a 1024-bit key.";
} reference
"RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2.";
}
identity rsa2048 {
base asymmetric-key-algorithm;
description
"The RSA algorithm using a 2048-bit key.";
reference
"RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2.";
}
identity rsa1024 { identity rsa3072 {
base asymmetric-key-encryption-algorithm; base asymmetric-key-algorithm;
description description
"The RSA algorithm using a 1024-bit key."; "The RSA algorithm using a 3072-bit key.";
reference reference
"RFC 8017: "RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2."; PKCS #1: RSA Cryptography Specifications Version 2.2.";
} }
identity rsa2048 { identity rsa4096 {
base asymmetric-key-encryption-algorithm; base asymmetric-key-algorithm;
description description
"The RSA algorithm using a 2048-bit key."; "The RSA algorithm using a 4096-bit key.";
reference reference
"RFC 8017: "RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2."; PKCS #1: RSA Cryptography Specifications Version 2.2.";
} }
identity rsa3072 { identity rsa7680 {
base asymmetric-key-encryption-algorithm; base asymmetric-key-algorithm;
description description
"The RSA algorithm using a 3072-bit key."; "The RSA algorithm using a 7680-bit key.";
reference reference
"RFC 8017: "RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2."; PKCS #1: RSA Cryptography Specifications Version 2.2.";
} }
identity rsa4096 { identity rsa15360 {
base asymmetric-key-encryption-algorithm; base asymmetric-key-algorithm;
description description
"The RSA algorithm using a 4096-bit key."; "The RSA algorithm using a 15360-bit key.";
reference reference
"RFC 8017: "RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2."; PKCS #1: RSA Cryptography Specifications Version 2.2.";
} }
identity rsa7680 { identity secp192r1 {
base asymmetric-key-encryption-algorithm; base asymmetric-key-algorithm;
description description
"The RSA algorithm using a 7680-bit key.";
reference
"RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2.";
}
identity rsa15360 { "The ECDSA algorithm using a NIST P256 Curve.";
base asymmetric-key-encryption-algorithm; reference
description "RFC 6090:
"The RSA algorithm using a 15360-bit key."; Fundamental Elliptic Curve Cryptography Algorithms.";
reference }
"RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2.";
}
/*************************************/
/* Identities for MAC Algorithms */
/*************************************/
identity mac-algorithm { identity secp224r1 {
description base asymmetric-key-algorithm;
"A base identity for mac generation."; description
} "The ECDSA algorithm using a NIST P256 Curve.";
reference
"RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms.";
}
identity hmac-sha1 { identity secp256r1 {
base "mac-algorithm"; base asymmetric-key-algorithm;
description "Generating MAC using SHA1 hash function"; description
reference "RFC 3174: US Secure Hash Algorithm 1 (SHA1)"; "The ECDSA algorithm using a NIST P256 Curve.";
} reference
"RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms.";
}
identity hmac-sha1-96 { identity secp384r1 {
base "mac-algorithm"; base asymmetric-key-algorithm;
description "Generating MAC using SHA1 hash function"; description
reference "RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH"; "The ECDSA algorithm using a NIST P256 Curve.";
} reference
"RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms.";
}
identity hmac-sha2-224 { identity secp521r1 {
base "mac-algorithm"; base asymmetric-key-algorithm;
description description
"Generating MAC using SHA2 hash function"; "The ECDSA algorithm using a NIST P256 Curve.";
reference reference
"RFC 6234: "RFC 6090:
US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)"; Fundamental Elliptic Curve Cryptography Algorithms.";
} }
identity hmac-sha2-256 { /*************************************/
base "mac-algorithm"; /* Identities for MAC Algorithms */
description /*************************************/
"Generating MAC using SHA2 hash function";
reference
"RFC 6234:
US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)";
}
identity hmac-sha2-256-128 { identity mac-algorithm {
base "mac-algorithm"; description
description "A base identity for mac generation.";
"Generating a 256 bits MAC using SHA2 hash function and truncate }
it to 128 bits";
reference
"RFC 4868:
Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with
IPsec";
} identity hmac-sha1 {
base "mac-algorithm";
description "Generating MAC using SHA1 hash function";
reference "RFC 3174: US Secure Hash Algorithm 1 (SHA1)";
}
identity hmac-sha2-384 { identity hmac-sha1-96 {
base "mac-algorithm"; base "mac-algorithm";
description description "Generating MAC using SHA1 hash function";
"Generating MAC using SHA2 hash function"; reference "RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH";
reference }
"RFC 6234:
US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)";
}
identity hmac-sha2-384-192 { identity hmac-sha2-224 {
base "mac-algorithm"; base "mac-algorithm";
description description
"Generating a 384 bits MAC using SHA2 hash function and truncate "Generating MAC using SHA2 hash function";
it to 192 bits"; reference
reference "RFC 6234:
"RFC 4868: US Secure Hash Algorithms (SHA and SHA-based HMAC and
Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with HKDF)";
IPsec"; }
}
identity hmac-sha2-512 { identity hmac-sha2-256 {
base "mac-algorithm"; base "mac-algorithm";
description "Generating MAC using SHA2 hash function"; description
reference "Generating MAC using SHA2 hash function";
"RFC 6234: reference
US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)"; "RFC 6234:
} US Secure Hash Algorithms (SHA and SHA-based HMAC and
HKDF)";
}
identity hmac-sha2-512-256 { identity hmac-sha2-256-128 {
base "mac-algorithm"; base "mac-algorithm";
description description
"Generating a 512 bits MAC using SHA2 hash function and "Generating a 256 bits MAC using SHA2 hash function and
truncating it to 256 bits"; truncate it to 128 bits";
reference reference
"RFC 4868: "RFC 4868:
Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
IPsec"; with IPsec";
} }
identity aes-128-gmac { identity hmac-sha2-384 {
base "mac-algorithm"; base "mac-algorithm";
description description
"Generating MAC using the Advanced Encryption Standard (AES) "Generating MAC using SHA2 hash function";
Galois Message Authentication Code (GMAC) as a mechanism to reference
provide data origin authentication"; "RFC 6234:
reference US Secure Hash Algorithms (SHA and SHA-based HMAC and
"RFC 4543: HKDF)";
The Use of Galois Message Authentication Code (GMAC) in }
IPsec ESP and AH";
}
identity aes-192-gmac { identity hmac-sha2-384-192 {
base "mac-algorithm"; base "mac-algorithm";
description description
"Generating MAC using the Advanced Encryption Standard (AES) "Generating a 384 bits MAC using SHA2 hash function and
Galois Message Authentication Code (GMAC) as a mechanism to truncate it to 192 bits";
provide data origin authentication"; reference
reference "RFC 4868:
"RFC 4543: Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with
The Use of Galois Message Authentication Code (GMAC) in IPsec";
IPsec ESP and AH"; }
} identity hmac-sha2-512 {
base "mac-algorithm";
description "Generating MAC using SHA2 hash function";
reference
"RFC 6234:
US Secure Hash Algorithms (SHA and SHA-based HMAC and
HKDF)";
}
identity aes-256-gmac { identity hmac-sha2-512-256 {
base "mac-algorithm"; base "mac-algorithm";
description description
"Generating MAC using the Advanced Encryption Standard (AES) "Generating a 512 bits MAC using SHA2 hash function and
Galois Message Authentication Code (GMAC) as a mechanism to truncating it to 256 bits";
provide data origin authentication"; reference
reference "RFC 4868:
"RFC 4543: Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with
The Use of Galois Message Authentication Code (GMAC) in IPsec";
IPsec ESP and AH"; }
}
identity aes-cmac-96 { identity aes-128-gmac {
base "mac-algorithm"; base "mac-algorithm";
description description
"Generating MAC using Advanced Encryption Standard (AES) "Generating MAC using the Advanced Encryption Standard (AES)
Cipher-based Message Authentication Code (CMAC)"; Galois Message Authentication Code (GMAC) as a mechanism to
reference provide data origin authentication";
"RFC 4494: The AES-CMAC-96 Algorithm and its Use with IPsec"; reference
} "RFC 4543:
The Use of Galois Message Authentication Code (GMAC) in
IPsec ESP and AH";
}
identity aes-cmac-128 { identity aes-192-gmac {
base "mac-algorithm"; base "mac-algorithm";
description description
"Generating MAC using Advanced Encryption Standard (AES) "Generating MAC using the Advanced Encryption Standard (AES)
Cipher-based Message Authentication Code (CMAC)"; Galois Message Authentication Code (GMAC) as a mechanism to
reference provide data origin authentication";
"RFC 4493: The AES-CMAC Algorithm"; reference
} "RFC 4543:
identity mac-aes-128-ccm { The Use of Galois Message Authentication Code (GMAC) in
base "mac-algorithm"; IPsec ESP and AH";
description
"Generating MAC using Advanced Encryption Standard (AES) in
CCM (Counter with CBC-MAC) mode (AES CCM)";
reference
"RFC 4309:
Using Advanced Encryption Standard (AES) CCM Mode with
IPsec Encapsulating Security Payload (ESP)";
}
identity mac-aes-192-ccm { }
base "mac-algorithm";
description
"Generating MAC using Advanced Encryption Standard (AES) in
CCM (Counter with CBC-MAC) mode (AES CCM)";
reference
"RFC 4309:
Using Advanced Encryption Standard (AES) CCM Mode with
IPsec Encapsulating Security Payload (ESP)";
}
identity mac-aes-256-ccm { identity aes-256-gmac {
base "mac-algorithm"; base "mac-algorithm";
description description
"Generating MAC using Advanced Encryption Standard (AES) in "Generating MAC using the Advanced Encryption Standard (AES)
CCM (Counter with CBC-MAC) mode (AES CCM)"; Galois Message Authentication Code (GMAC) as a mechanism to
reference provide data origin authentication";
"RFC 4309: reference
Using Advanced Encryption Standard (AES) CCM Mode with "RFC 4543:
IPsec Encapsulating Security Payload (ESP)"; The Use of Galois Message Authentication Code (GMAC) in
} IPsec ESP and AH";
}
identity mac-aes-128-gcm { identity aes-cmac-96 {
base "mac-algorithm"; base "mac-algorithm";
description description
"Generating MAC when using Advanced Encryption Standard (AES) "Generating MAC using Advanced Encryption Standard (AES)
GCM mode for encryption"; Cipher-based Message Authentication Code (CMAC)";
reference reference
"RFC 4106: "RFC 4494: The AES-CMAC-96 Algorithm and its Use with IPsec";
The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating }
Security Payload (ESP)";
}
identity mac-aes-192-gcm { identity aes-cmac-128 {
base "mac-algorithm"; base "mac-algorithm";
description description
"Generating MAC when using Advanced Encryption Standard (AES) "Generating MAC using Advanced Encryption Standard (AES)
GCM mode for encryption"; Cipher-based Message Authentication Code (CMAC)";
reference reference
"RFC 4106: "RFC 4493: The AES-CMAC Algorithm";
The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating }
Security Payload (ESP)";
}
identity mac-aes-256-gcm { /********************************************/
base "mac-algorithm"; /* Identities for Encryption Algorithms */
description /********************************************/
"Generating MAC when using Advanced Encryption Standard (AES)
GCM mode for encryption";
reference
"RFC 4106:
The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
Security Payload (ESP)";
}
identity mac-chacha20-poly1305 { identity encryption-algorithm {
base "mac-algorithm"; description
description "A base identity for encryption algorithm.";
"Generating MAC using poly1305 algorithm"; }
reference
"RFC 7539: ChaCha20 and Poly1305 for IETF Protocols";
}
/*******************************************************/ identity aes-128-cbc {
/* Identities for Symmetric Key Encryption Algorithms*/ base "encryption-algorithm";
/*******************************************************/ description
"Encrypt message with AES algorithm in CBC mode with a key
length of 128 bits";
reference
"RFC 3565:
Use of the Advanced Encryption Standard (AES) Encryption
Algorithm in Cryptographic Message Syntax (CMS)";
}
identity symmetric-key-encryption-algorithm { identity aes-192-cbc {
description base "encryption-algorithm";
"A base identity for encryption algorithm."; description
} "Encrypt message with AES algorithm in CBC mode with a key
length of 192 bits";
reference
"RFC 3565:
Use of the Advanced Encryption Standard (AES) Encryption
Algorithm in Cryptographic Message Syntax (CMS)";
}
identity aes-128-cbc { identity aes-256-cbc {
base "symmetric-key-encryption-algorithm"; base "encryption-algorithm";
description description
"Encrypt message with AES algorithm in CBC mode with a key "Encrypt message with AES algorithm in CBC mode with a key
length of 128 bits"; length of 256 bits";
reference reference
"RFC 3565: "RFC 3565:
Use of the Advanced Encryption Standard (AES) Encryption Use of the Advanced Encryption Standard (AES) Encryption
Algorithm in Cryptographic Message Syntax (CMS)"; Algorithm in Cryptographic Message Syntax (CMS)";
} }
identity aes-192-cbc { identity aes-128-ctr {
base "symmetric-key-encryption-algorithm"; base "encryption-algorithm";
description description
"Encrypt message with AES algorithm in CBC mode with a key "Encrypt message with AES algorithm in CTR mode with a key
length of 192 bits"; length of 128 bits";
reference reference
"RFC 3565: "RFC 3686:
Use of the Advanced Encryption Standard (AES) Encryption Using Advanced Encryption Standard (AES) Counter Mode with
Algorithm in Cryptographic Message Syntax (CMS)"; IPsec Encapsulating Security Payload (ESP)";
} }
identity aes-256-cbc { identity aes-192-ctr {
base "symmetric-key-encryption-algorithm"; base "encryption-algorithm";
description description
"Encrypt message with AES algorithm in CBC mode with a key "Encrypt message with AES algorithm in CTR mode with a key
length of 256 bits"; length of 192 bits";
reference reference
"RFC 3565: "RFC 3686:
Use of the Advanced Encryption Standard (AES) Encryption Using Advanced Encryption Standard (AES) Counter Mode with
Algorithm in Cryptographic Message Syntax (CMS)"; IPsec Encapsulating Security Payload (ESP)";
} }
identity aes-128-ctr { identity aes-256-ctr {
base "symmetric-key-encryption-algorithm"; base "encryption-algorithm";
description description
"Encrypt message with AES algorithm in CTR mode with a key "Encrypt message with AES algorithm in CTR mode with a key
length of 128 bits"; length of 256 bits";
reference reference
"RFC 3686: "RFC 3686:
Using Advanced Encryption Standard (AES) Counter Mode with Using Advanced Encryption Standard (AES) Counter Mode with
IPsec Encapsulating Security Payload (ESP)"; IPsec Encapsulating Security Payload (ESP)";
} }
identity aes-192-ctr { /****************************************************/
base "symmetric-key-encryption-algorithm"; /* Identities for Encryption and MAC Algorithms */
description /****************************************************/
"Encrypt message with AES algorithm in CTR mode with a key
length of 192 bits";
reference
"RFC 3686:
Using Advanced Encryption Standard (AES) Counter Mode with
IPsec Encapsulating Security Payload (ESP)";
}
identity aes-256-ctr { identity encryption-and-mac-algorithm {
base "symmetric-key-encryption-algorithm"; description
description "A base identity for encryption and MAC algorithm.";
"Encrypt message with AES algorithm in CTR mode with a key }
length of 256 bits";
reference identity aes-128-ccm {
"RFC 3686: base "encryption-and-mac-algorithm";
Using Advanced Encryption Standard (AES) Counter Mode with description
IPsec Encapsulating Security Payload (ESP)"; "Encrypt message with AES algorithm in CCM mode with a key
} length of 128 bits; it can also be used for generating MAC";
reference
"RFC 4309:
Using Advanced Encryption Standard (AES) CCM Mode with
IPsec Encapsulating Security Payload (ESP)";
}
identity enc-aes-128-ccm { identity aes-192-ccm {
base "symmetric-key-encryption-algorithm"; base "encryption-and-mac-algorithm";
description description
"Encrypt message with AES algorithm in CCM mode with a key "Encrypt message with AES algorithm in CCM mode with a key
length of 128 bits"; length of 192 bits; it can also be used for generating MAC";
reference reference
"RFC 4309: "RFC 4309:
Using Advanced Encryption Standard (AES) CCM Mode with IPsec Using Advanced Encryption Standard (AES) CCM Mode with
Encapsulating Security Payload (ESP)"; IPsec Encapsulating Security Payload (ESP)";
} }
identity enc-aes-192-ccm { identity aes-256-ccm {
base "symmetric-key-encryption-algorithm"; base "encryption-and-mac-algorithm";
description description
"Encrypt message with AES algorithm in CCM mode with a key "Encrypt message with AES algorithm in CCM mode with a key
length of 192 bits"; length of 256 bits; it can also be used for generating MAC";
reference reference
"RFC 4309: "RFC 4309:
Using Advanced Encryption Standard (AES) CCM Mode with IPsec Using Advanced Encryption Standard (AES) CCM Mode with
Encapsulating Security Payload (ESP)"; IPsec Encapsulating Security Payload (ESP)";
} }
identity enc-aes-256-ccm { identity aes-128-gcm {
base "symmetric-key-encryption-algorithm"; base "encryption-and-mac-algorithm";
description description
"Encrypt message with AES algorithm in CCM mode with a key "Encrypt message with AES algorithm in GCM mode with a key
length of 256 bits"; length of 128 bits; it can also be used for generating MAC";
reference reference
"RFC 4309: "RFC 4106:
Using Advanced Encryption Standard (AES) CCM Mode with IPsec The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
Encapsulating Security Payload (ESP)"; Security Payload (ESP)";
} }
identity enc-aes-128-gcm { identity aes-192-gcm {
base "symmetric-key-encryption-algorithm"; base "encryption-and-mac-algorithm";
description description
"Encrypt message with AES algorithm in GCM mode with a key "Encrypt message with AES algorithm in GCM mode with a key
length of 128 bits"; length of 192 bits; it can also be used for generating MAC";
reference reference
"RFC 4106: "RFC 4106:
The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
Security Payload (ESP)"; Security Payload (ESP)";
}
} identity mac-aes-256-gcm {
base "encryption-and-mac-algorithm";
description
"Encrypt message with AES algorithm in GCM mode with a key
length of 128 bits; it can also be used for generating MAC";
reference
"RFC 4106:
The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
Security Payload (ESP)";
}
identity enc-aes-192-gcm { identity chacha20-poly1305 {
base "symmetric-key-encryption-algorithm"; base "encryption-and-mac-algorithm";
description description
"Encrypt message with AES algorithm in GCM mode with a key "Encrypt message with chacha20 algorithm and generate MAC with
length of 192 bits"; POLY1305; it can also be used for generating MAC";
reference reference
"RFC 4106: "RFC 8439: ChaCha20 and Poly1305 for IETF Protocols";
The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating }
Security Payload (ESP)";
}
identity enc-aes-256-gcm { /******************************************/
base "symmetric-key-encryption-algorithm"; /* Identities for signature algorithm */
description /******************************************/
"Encrypt message with AES algorithm in GCM mode with a key
length of 256 bits";
reference
"RFC 4106:
The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
Security Payload (ESP)";
}
identity enc-chacha20-poly1305 { identity signature-algorithm {
base "symmetric-key-encryption-algorithm"; description
description "A base identity for asymmetric key encryption algorithm.";
"Encrypt message with chacha20 algorithm and generate MAC with }
POLY1305";
reference
"RFC 7539: ChaCha20 and Poly1305 for IETF Protocols";
}
/******************************************/ identity dsa-sha1 {
/* Identities for signature algorithm */ base "signature-algorithm";
/******************************************/ description
"The signature algorithm using DSA algorithm with SHA1 hash
algorithm";
reference
"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
}
identity signature-algorithm { identity rsassa-pkcs1-sha1 {
description base "signature-algorithm";
"A base identity for asymmetric key encryption algorithm."; description
} "The signature algorithm using RSASSA-PKCS1-v1_5 with the SHA1
hash algorithm.";
reference
"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
}
identity dsa-sha1 { identity rsassa-pkcs1-sha256 {
base "signature-algorithm"; base "signature-algorithm";
description description
"The signature algorithm using DSA algorithm with SHA1 hash "The signature algorithm using RSASSA-PKCS1-v1_5 with the
algorithm"; SHA256 hash algorithm.";
reference reference
"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; "RFC 8332:
} Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell
(SSH) Protocol
RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity rsa-pkcs1-sha1 { identity rsassa-pkcs1-sha384 {
base "signature-algorithm"; base "signature-algorithm";
description description
"The signature algorithm using RSASSA-PKCS1-v1_5 with the SHA1 "The signature algorithm using RSASSA-PKCS1-v1_5 with the
hash algorithm."; SHA384 hash algorithm.";
reference reference
"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; "RFC 8446:
} The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity rsa-pkcs1-sha256 { identity rsassa-pkcs1-sha512 {
base "signature-algorithm"; base "signature-algorithm";
description description
"The signature algorithm using RSASSA-PKCS1-v1_5 with the "The signature algorithm using RSASSA-PKCS1-v1_5 with the
SHA256 hash algorithm."; SHA512 hash algorithm.";
reference reference
"RFC 8332: "RFC 8332:
Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell
(SSH) Protocol (SSH) Protocol
RFC 8446: RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity rsa-pkcs1-sha384 { identity rsassa-pss-rsae-sha256 {
base "signature-algorithm"; base "signature-algorithm";
description description
"The signature algorithm using RSASSA-PKCS1-v1_5 with the "The signature algorithm using RSASSA-PSS with mask generation
SHA384 hash algorithm."; function 1 and SHA256 hash algorithm. If the public key is
reference carried in an X.509 certificate, it MUST use the rsaEncryption
"RFC 8446: OID";
The Transport Layer Security (TLS) Protocol Version 1.3"; reference
} "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity rsa-pkcs1-sha512 { identity rsassa-pss-rsae-sha384 {
base "signature-algorithm"; base "signature-algorithm";
description description
"The signature algorithm using RSASSA-PKCS1-v1_5 with the "The signature algorithm using RSASSA-PSS with mask generation
SHA512 hash algorithm."; function 1 and SHA384 hash algorithm. If the public key is
reference carried in an X.509 certificate, it MUST use the rsaEncryption
"RFC 8332: OID";
Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell reference
(SSH) Protocol "RFC 8446:
RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3";
The Transport Layer Security (TLS) Protocol Version 1.3"; }
}
identity rsa-pss-rsae-sha256 {
base "signature-algorithm";
description
"The signature algorithm using RSASSA-PSS with mask generation
function 1 and SHA256 hash algorithm. If the public key is
carried in an X.509 certificate, it MUST use the rsaEncryption
OID";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity rsa-pss-rsae-sha384 { identity rsassa-pss-rsae-sha512 {
base "signature-algorithm"; base "signature-algorithm";
description description
"The signature algorithm using RSASSA-PSS with mask generation "The signature algorithm using RSASSA-PSS with mask generation
function 1 and SHA384 hash algorithm. If the public key is function 1 and SHA512 hash algorithm. If the public key is
carried in an X.509 certificate, it MUST use the rsaEncryption carried in an X.509 certificate, it MUST use the rsaEncryption
OID"; OID";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity rsa-pss-rsae-sha512 { identity rsassa-pss-pss-sha256 {
base "signature-algorithm"; base "signature-algorithm";
description description
"The signature algorithm using RSASSA-PSS with mask generation "The signature algorithm using RSASSA-PSS with mask generation
function 1 and SHA512 hash algorithm. If the public key is function 1 and SHA256 hash algorithm. If the public key is
carried in an X.509 certificate, it MUST use the rsaEncryption carried in an X.509 certificate, it MUST use the RSASSA-PSS
OID"; OID";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity rsa-pss-pss-sha256 { identity rsassa-pss-pss-sha384 {
base "signature-algorithm"; base "signature-algorithm";
description description
"The signature algorithm using RSASSA-PSS with mask generation "The signature algorithm using RSASSA-PSS with mask generation
function 1 and SHA256 hash algorithm. If the public key is function 1 and SHA256 hash algorithm. If the public key is
carried in an X.509 certificate, it MUST use the RSASSA-PSS carried in an X.509 certificate, it MUST use the RSASSA-PSS
OID"; OID";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity rsa-pss-pss-sha384 {
base "signature-algorithm";
description
"The signature algorithm using RSASSA-PSS with mask generation
function 1 and SHA256 hash algorithm. If the public key is
carried in an X.509 certificate, it MUST use the RSASSA-PSS
OID";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity rsa-pss-pss-sha512 { identity rsassa-pss-pss-sha512 {
base "signature-algorithm"; base "signature-algorithm";
description description
"The signature algorithm using RSASSA-PSS with mask generation "The signature algorithm using RSASSA-PSS with mask generation
function 1 and SHA256 hash algorithm. If the public key is function 1 and SHA256 hash algorithm. If the public key is
carried in an X.509 certificate, it MUST use the RSASSA-PSS carried in an X.509 certificate, it MUST use the RSASSA-PSS
OID"; OID";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity ecdsa-secp256r1-sha256 { identity ecdsa-secp256r1-sha256 {
base "signature-algorithm"; base "signature-algorithm";
description description
"The signature algorithm using ECDSA wtih curve name secp256r1 "The signature algorithm using ECDSA with curve name secp256r1
and SHA256 hash algorithm."; and SHA256 hash algorithm.";
reference reference
"RFC 5656: Elliptic Curve Algorithm Integration in the "RFC 5656: Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer Secure Shell Transport Layer
RFC 8446: RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity ecdsa-secp384r1-sha384 { identity ecdsa-secp384r1-sha384 {
base "signature-algorithm"; base "signature-algorithm";
description description
"The signature algorithm using ECDSA wtih curve name secp384r1 "The signature algorithm using ECDSA with curve name secp384r1
and SHA384 hash algorithm."; and SHA384 hash algorithm.";
reference reference
"RFC 5656: Elliptic Curve Algorithm Integration in the "RFC 5656: Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer Secure Shell Transport Layer
RFC 8446: RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity ecdsa-secp521r1-sha512 {
base "signature-algorithm";
description
"The signature algorithm using ECDSA wtih curve name secp521r1
and SHA512 hash algorithm.";
reference
"RFC 5656: Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer
RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity x509v3-rsa-pkcs1-sha1 { identity ecdsa-secp521r1-sha512 {
base "signature-algorithm"; base "signature-algorithm";
description description
"The signature algorithm using x509v3-ssh-rsa key format and "The signature algorithm using ECDSA with curve name secp521r1
RSASSA-PKCS1-v1_5 with the SHA1 hash algorithm."; and SHA512 hash algorithm.";
reference reference
"RFC 6187: "RFC 5656: Elliptic Curve Algorithm Integration in the
X.509v3 Certificates for Secure Shell Authentication"; Secure Shell Transport Layer
} RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity x509v3-rsa2048-pkcs1-sha256 { identity ed25519 {
base "signature-algorithm"; base "signature-algorithm";
description description
"The signature algorithm using x509v3-rsa2048-sha256 "The signature algorithm using EdDSA as defined in RFC 8032 or
key format and RSASSA-PKCS1-v1_5 with the SHA-256 its successors.";
hash algorithm."; reference
reference "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)";
"RFC 6187: }
X.509v3 Certificates for Secure Shell Authentication";
}
identity x509v3-ecdsa-secp256r1-sha256 { identity ed448 {
base "signature-algorithm"; base "signature-algorithm";
description description
"The signature algorithm using x509v3-ecdsa-sha2-secp256r1 key "The signature algorithm using EdDSA as defined in RFC 8032 or
format and ECDSA algorithm with the SHA-256 hash algorithm."; its successors.";
reference reference
"RFC 6187: "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)";
X.509v3 Certificates for Secure Shell Authentication"; }
}
identity x509v3-ecdsa-secp384r1-sha384 { identity eccsi {
base "signature-algorithm"; base "signature-algorithm";
description description
"The signature algorithm using x509v3-ecdsa-sha2-secp384r1 key "The signature algorithm using ECCSI signature as defined in
format and ECDSA algorithm with the SHA-384 hash algorithm."; RFC 6507.";
reference
"RFC 6507:
Elliptic Curve-Based Certificateless Signatures for
Identity-based Encryption (ECCSI)";
}
reference /**********************************************/
"RFC 6187: /* Identities for key exchange algorithms */
X.509v3 Certificates for Secure Shell Authentication"; /**********************************************/
}
identity x509v3-ecdsa-secp521r1-sha512 { identity key-exchange-algorithm {
base "signature-algorithm"; description
description "A base identity for Diffie-Hellman based key exchange
"The signature algorithm using x509v3-ecdsa-sha2-secp521r1 key algorithm.";
format and ECDSA algorithm with the SHA-512 hash algorithm."; }
reference
"RFC 6187:
X.509v3 Certificates for Secure Shell Authentication";
}
identity ed25519 { identity psk-only {
base "signature-algorithm"; base "key-exchange-algorithm";
description description
"The signature algorithm using EdDSA as defined in RFC 8032 or "Using Pre-shared key for authentication and key exchange";
its successors."; reference
reference "RFC 4279:
"RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)"; Pre-Shared Key cipher suites for Transport Layer Security
} (TLS)";
}
identity ed448 { identity dhe-ffdhe2048 {
base "signature-algorithm"; base "key-exchange-algorithm";
description description
"The signature algorithm using EdDSA as defined in RFC 8032 or "Ephemeral Diffie Hellman key exchange with 2048 bit
its successors."; finite field";
reference
"RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)";
}
identity eccsi { reference
base "signature-algorithm"; "RFC 7919:
description Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
"The signature algorithm using ECCSI signature as defined in for Transport Layer Security (TLS)";
RFC 6507."; }
reference
"RFC 6507:
Elliptic Curve-Based Certificateless Signatures for
Identity-based Encryption (ECCSI)";
}
/**********************************************/ identity dhe-ffdhe3072 {
/* Identities for key exchange algorithms */ base "key-exchange-algorithm";
/**********************************************/ description
identity key-exchange-algorithm { "Ephemeral Diffie Hellman key exchange with 3072 bit finite
description field";
"A base identity for Diffe-Hellman based key exchange reference
algorithm."; "RFC 7919:
} Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
for Transport Layer Security (TLS)";
}
identity psk-only { identity dhe-ffdhe4096 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Using Pre-shared key for authentication and key exhange"; "Ephemeral Diffie Hellman key exchange with 4096 bit
reference finite field";
"RFC 4279: reference
Pre-Shared Key Ciphersuites for Transport Layer Security "RFC 7919:
(TLS)"; Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
} for Transport Layer Security (TLS)";
}
identity dhe-ffdhe2048 { identity dhe-ffdhe6144 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Ephemeral Diffie Hellman key exhange with 2048 bit "Ephemeral Diffie Hellman key exchange with 6144 bit
finite field"; finite field";
reference reference
"RFC 7919: "RFC 7919:
Negotiated Finite Field Diffie-Hellman Ephemeral Parameters Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
for Transport Layer Security (TLS)"; for Transport Layer Security (TLS)";
} }
identity dhe-ffdhe3072 { identity dhe-ffdhe8192 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Ephemeral Diffie Hellman key exhange with 3072 bit finite "Ephemeral Diffie Hellman key exchange with 8192 bit
field"; finite field";
reference reference
"RFC 7919: "RFC 7919:
Negotiated Finite Field Diffie-Hellman Ephemeral Parameters Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
for Transport Layer Security (TLS)"; for Transport Layer Security (TLS)";
}
identity dhe-ffdhe4096 { }
base "key-exchange-algorithm";
description
"Ephemeral Diffie Hellman key exhange with 4096 bit
finite field";
reference
"RFC 7919:
Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
for Transport Layer Security (TLS)";
}
identity dhe-ffdhe6144 {
base "key-exchange-algorithm";
description
"Ephemeral Diffie Hellman key exhange with 6144 bit
finite field";
reference
"RFC 7919:
Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
for Transport Layer Security (TLS)";
}
identity dhe-ffdhe8192 { identity psk-dhe-ffdhe2048 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Ephemeral Diffie Hellman key exhange with 8192 bit "Key exchange using pre-shared key with Diffie-Hellman key
finite field"; generation mechanism, where the DH group is FFDHE2048";
reference reference
"RFC 7919: "RFC 8446:
Negotiated Finite Field Diffie-Hellman Ephemeral Parameters The Transport Layer Security (TLS) Protocol Version 1.3";
for Transport Layer Security (TLS)"; }
}
identity psk-dhe-ffdhe2048 { identity psk-dhe-ffdhe3072 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Key exchange using pre-shared key with Diffie-Hellman key "Key exchange using pre-shared key with Diffie-Hellman key
generation mechansim, where the DH group is FFDHE2048"; generation mechanism, where the DH group is FFDHE3072";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity psk-dhe-ffdhe3072 { identity psk-dhe-ffdhe4096 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Key exchange using pre-shared key with Diffie-Hellman key "Key exchange using pre-shared key with Diffie-Hellman key
generation mechansim, where the DH group is FFDHE3072"; generation mechanism, where the DH group is FFDHE4096";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity psk-dhe-ffdhe4096 { identity psk-dhe-ffdhe6144 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Key exchange using pre-shared key with Diffie-Hellman key "Key exchange using pre-shared key with Diffie-Hellman key
generation mechansim, where the DH group is FFDHE4096"; generation mechanism, where the DH group is FFDHE6144";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity psk-dhe-ffdhe6144 { identity psk-dhe-ffdhe8192 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Key exchange using pre-shared key with Diffie-Hellman key "Key exchange using pre-shared key with Diffie-Hellman key
generation mechansim, where the DH group is FFDHE6144"; generation mechanism, where the DH group is FFDHE8192";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity psk-dhe-ffdhe8192 { identity ecdhe-secp256r1 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Key exchange using pre-shared key with Diffie-Hellman key "Ephemeral Diffie Hellman key exchange with elliptic group
generation mechansim, where the DH group is FFDHE8192"; over curve secp256r1";
reference reference
"RFC 8446: "RFC 8422:
The Transport Layer Security (TLS) Protocol Version 1.3"; Elliptic Curve Cryptography (ECC) Cipher Suites for
} Transport Layer Security (TLS) Versions 1.2 and Earlier";
}
identity ecdhe-secp256r1 { identity ecdhe-secp384r1 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Ephemeral Diffie Hellman key exhange with elliptic group "Ephemeral Diffie Hellman key exchange with elliptic group
over curve secp256r1"; over curve secp384r1";
reference reference
"RFC 8422: "RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and Earlier"; Transport Layer Security (TLS) Versions 1.2 and Earlier";
} }
identity ecdhe-secp384r1 { identity ecdhe-secp521r1 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Ephemeral Diffie Hellman key exhange with elliptic group "Ephemeral Diffie Hellman key exchange with elliptic group
over curve secp384r1"; over curve secp521r1";
reference reference
"RFC 8422: "RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and Earlier"; Transport Layer Security (TLS) Versions 1.2 and Earlier";
} }
identity ecdhe-secp521r1 { identity ecdhe-x25519 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Ephemeral Diffie Hellman key exhange with elliptic group "Ephemeral Diffie Hellman key exchange with elliptic group
over curve secp521r1"; over curve x25519";
reference reference
"RFC 8422: "RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and Earlier"; Transport Layer Security (TLS) Versions 1.2 and Earlier";
} }
identity ecdhe-x448 {
base "key-exchange-algorithm";
description
"Ephemeral Diffie Hellman key exchange with elliptic group
over curve x448";
reference
"RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and Earlier";
}
identity ecdhe-x25519 { identity psk-ecdhe-secp256r1 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Ephemeral Diffie Hellman key exhange with elliptic group "Key exchange using pre-shared key with elliptic group-based
over curve x25519"; Ephemeral Diffie Hellman key exchange over curve secp256r1";
reference reference
"RFC 8422: "RFC 8446:
Elliptic Curve Cryptography (ECC) Cipher Suites for The Transport Layer Security (TLS) Protocol Version 1.3";
Transport Layer Security (TLS) Versions 1.2 and Earlier"; }
}
identity ecdhe-x448 { identity psk-ecdhe-secp384r1 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Ephemeral Diffie Hellman key exhange with elliptic group "Key exchange using pre-shared key with elliptic group-based
over curve x448"; Ephemeral Diffie Hellman key exchange over curve secp384r1";
reference reference
"RFC 8422: "RFC 8446:
Elliptic Curve Cryptography (ECC) Cipher Suites for The Transport Layer Security (TLS) Protocol Version 1.3";
Transport Layer Security (TLS) Versions 1.2 and Earlier"; }
}
identity psk-ecdhe-secp256r1 { identity psk-ecdhe-secp521r1 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Key exchange using pre-shared key with elliptic group-based "Key exchange using pre-shared key with elliptic group-based
Ephemeral Diffie Hellman key exhange over curve secp256r1"; Ephemeral Diffie Hellman key exchange over curve secp521r1";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity psk-ecdhe-secp384r1 { identity psk-ecdhe-x25519 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Key exchange using pre-shared key with elliptic group-based "Key exchange using pre-shared key with elliptic group-based
Ephemeral Diffie Hellman key exhange over curve secp384r1"; Ephemeral Diffie Hellman key exchange over curve x25519";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity psk-ecdhe-secp521r1 { identity psk-ecdhe-x448 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Key exchange using pre-shared key with elliptic group-based "Key exchange using pre-shared key with elliptic group-based
Ephemeral Diffie Hellman key exhange over curve secp521r1"; Ephemeral Diffie Hellman key exchange over curve x448";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity psk-ecdhe-x25519 { identity diffie-hellman-group14-sha1 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Key exchange using pre-shared key with elliptic group-based "Using DH group14 and SHA1 for key exchange";
Ephemeral Diffie Hellman key exhange over curve x25519"; reference
reference "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
"RFC 8446: }
The Transport Layer Security (TLS) Protocol Version 1.3";
}
identity psk-ecdhe-x448 { identity diffie-hellman-group14-sha256 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Key exchange using pre-shared key with elliptic group-based "Using DH group14 and SHA256 for key exchange";
Ephemeral Diffie Hellman key exhange over curve x448"; reference
reference "RFC 8268:
"RFC 8446: More Modular Exponentiation (MODP) Diffie-Hellman (DH)
The Transport Layer Security (TLS) Protocol Version 1.3"; Key Exchange (KEX) Groups for Secure Shell (SSH)";
} }
identity diffie-hellman-group14-sha1 { identity diffie-hellman-group15-sha512 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Using DH group14 and SHA1 for key exchange"; "Using DH group15 and SHA512 for key exchange";
reference reference
"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; "RFC 8268:
} More Modular Exponentiation (MODP) Diffie-Hellman (DH)
Key Exchange (KEX) Groups for Secure Shell (SSH)";
}
identity diffie-hellman-group14-sha256 { identity diffie-hellman-group16-sha512 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Using DH group14 and SHA256 for key exchange"; "Using DH group16 and SHA512 for key exchange";
reference reference
"RFC 8268: "RFC 8268:
More Modular Exponentiation (MODP) Diffie-Hellman (DH) More Modular Exponentiation (MODP) Diffie-Hellman (DH)
Key Exchange (KEX) Groups for Secure Shell (SSH)"; Key Exchange (KEX) Groups for Secure Shell (SSH)";
} }
identity diffie-hellman-group15-sha512 { identity diffie-hellman-group17-sha512 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Using DH group15 and SHA512 for key exchange"; "Using DH group17 and SHA512 for key exchange";
reference reference
"RFC 8268: "RFC 8268:
More Modular Exponentiation (MODP) Diffie-Hellman (DH) More Modular Exponentiation (MODP) Diffie-Hellman (DH)
Key Exchange (KEX) Groups for Secure Shell (SSH)"; Key Exchange (KEX) Groups for Secure Shell (SSH)";
} }
identity diffie-hellman-group16-sha512 { identity diffie-hellman-group18-sha512 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Using DH group16 and SHA512 for key exchange"; "Using DH group18 and SHA512 for key exchange";
reference reference
"RFC 8268: "RFC 8268:
More Modular Exponentiation (MODP) Diffie-Hellman (DH) More Modular Exponentiation (MODP) Diffie-Hellman (DH)
Key Exchange (KEX) Groups for Secure Shell (SSH)"; Key Exchange (KEX) Groups for Secure Shell (SSH)";
} }
identity diffie-hellman-group17-sha512 { identity ecdh-sha2-secp256r1 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Using DH group17 and SHA512 for key exchange"; "Elliptic curve-based Diffie Hellman key exchange over curve
reference secp256r1 and using SHA2 for MAC generation";
"RFC 8268: reference
More Modular Exponentiation (MODP) Diffie-Hellman (DH) "RFC 6239: Suite B Cryptographic Suites for Secure Shell
Key Exchange (KEX) Groups for Secure Shell (SSH)"; (SSH)";
} }
identity diffie-hellman-group18-sha512 { identity ecdh-sha2-secp384r1 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Using DH group18 and SHA512 for key exchange"; "Elliptic curve-based Diffie Hellman key exchange over curve
reference secp384r1 and using SHA2 for MAC generation";
"RFC 8268: reference
More Modular Exponentiation (MODP) Diffie-Hellman (DH) "RFC 6239: Suite B Cryptographic Suites for Secure Shell
Key Exchange (KEX) Groups for Secure Shell (SSH)"; (SSH)";
} }
identity ecdh-sha2-secp256r1 { identity rsaes-oaep {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Elliptic curve-based Diffie Hellman key exhange over curve "RSAES-OAEP combines the RSAEP and RSADP primitives with the
secp256r1 and using SHA2 for MAC generation"; EME-OAEP encoding method";
reference reference
"RFC 6239: Suite B Cryptographic Suites for Secure Shell (SSH)"; "RFC 8017:
} PKCS #1: RSA Cryptography Specifications Version 2.2.";
}
identity ecdh-sha2-secp384r1 { identity rsaes-pkcs1-v1_5 {
base "key-exchange-algorithm"; base "key-exchange-algorithm";
description description
"Elliptic curve-based Diffie Hellman key exhange over curve " RSAES-PKCS1-v1_5 combines the RSAEP and RSADP primitives
secp384r1 and using SHA2 for MAC generation"; with the EME-PKCS1-v1_5 encoding method";
reference reference
"RFC 6239: Suite B Cryptographic Suites for Secure Shell (SSH)"; "RFC 8017:
} PKCS #1: RSA Cryptography Specifications Version 2.2.";
}
/*********************************************************/ /**********************************************************/
/* Typedefs for identityrefs to above base identites */ /* Typedefs for identityrefs to above base identities */
/*********************************************************/ /**********************************************************/
typedef hash-algorithm-ref { typedef hash-algorithm-ref {
type identityref { type identityref {
base "hash-algorithm"; base "hash-algorithm";
} }
description description
"This typedef enables importing modules to easily define an "This typedef enables importing modules to easily define an
identityref to the 'hash-algorithm' base identity."; identityref to the 'hash-algorithm' base identity.";
} }
typedef signature-algorithm-ref { typedef signature-algorithm-ref {
type identityref { type identityref {
base "signature-algorithm"; base "signature-algorithm";
} }
description description
"This typedef enables importing modules to easily define an "This typedef enables importing modules to easily define an
identityref to the 'signature-algorithm' base identity."; identityref to the 'signature-algorithm' base identity.";
} }
typedef mac-algorithm-ref { typedef mac-algorithm-ref {
type identityref { type identityref {
base "mac-algorithm"; base "mac-algorithm";
} }
description description
"This typedef enables importing modules to easily define an "This typedef enables importing modules to easily define an
identityref to the 'mac-algorithm' base identity."; identityref to the 'mac-algorithm' base identity.";
} }
typedef symmetric-key-encryption-algorithm-ref { typedef encryption-algorithm-ref {
type identityref { type identityref {
base "symmetric-key-encryption-algorithm"; base "encryption-algorithm";
} }
description description
"This typedef enables importing modules to easily define an "This typedef enables importing modules to easily define an
identityref to the 'symmetric-key-encryption-algorithm' identityref to the 'encryption-algorithm'
base identity."; base identity.";
} }
typedef asymmetric-key-encryption-algorithm-ref { typedef encryption-and-mac-algorithm-ref {
type identityref { type identityref {
base "asymmetric-key-encryption-algorithm"; base "encryption-and-mac-algorithm";
} }
description description
"This typedef enables importing modules to easily define an "This typedef enables importing modules to easily define an
identityref to the 'asymmetric-key-encryption-algorithm' identityref to the 'encryption-and-mac-algorithm'
base identity."; base identity.";
} }
typedef key-exchange-algorithm-ref { typedef asymmetric-key-algorithm-ref {
type identityref { type identityref {
base "key-exchange-algorithm"; base "asymmetric-key-algorithm";
} }
description description
"This typedef enables importing modules to easily define an "This typedef enables importing modules to easily define an
identityref to the 'key-exchange-algorithm' base identity."; identityref to the 'asymmetric-key-algorithm'
} base identity.";
}
/***************************************************/ typedef key-exchange-algorithm-ref {
/* Typedefs for ASN.1 structures from RFC 5280 */ type identityref {
/***************************************************/ base "key-exchange-algorithm";
}
description
"This typedef enables importing modules to easily define an
identityref to the 'key-exchange-algorithm' base identity.";
}
typedef x509 { /***************************************************/
type binary; /* Typedefs for ASN.1 structures from RFC 5280 */
description /***************************************************/
"A Certificate structure, as specified in RFC 5280,
encoded using ASN.1 distinguished encoding rules (DER),
as specified in ITU-T X.690.";
reference
"RFC 5280:
Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
typedef crl { typedef x509 {
type binary; type binary;
description description
"A CertificateList structure, as specified in RFC 5280, "A Certificate structure, as specified in RFC 5280,
encoded using ASN.1 distinguished encoding rules (DER), encoded using ASN.1 distinguished encoding rules (DER),
as specified in ITU-T X.690."; as specified in ITU-T X.690.";
reference
"RFC 5280:
Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
/***********************************************/ reference
/* Typedefs for ASN.1 structures from 5652 */ "RFC 5280:
/***********************************************/ Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
typedef cms { typedef crl {
type binary; type binary;
description description
"A ContentInfo structure, as specified in RFC 5652, "A CertificateList structure, as specified in RFC 5280,
encoded using ASN.1 distinguished encoding rules (DER), encoded using ASN.1 distinguished encoding rules (DER),
as specified in ITU-T X.690."; as specified in ITU-T X.690.";
reference reference
"RFC 5652: "RFC 5280:
Cryptographic Message Syntax (CMS) Internet X.509 Public Key Infrastructure Certificate
ITU-T X.690: and Certificate Revocation List (CRL) Profile
Information technology - ASN.1 encoding rules: ITU-T X.690:
Specification of Basic Encoding Rules (BER), Information technology - ASN.1 encoding rules:
Canonical Encoding Rules (CER) and Distinguished Specification of Basic Encoding Rules (BER),
Encoding Rules (DER)."; Canonical Encoding Rules (CER) and Distinguished
} Encoding Rules (DER).";
}
typedef data-content-cms { /***********************************************/
type cms; /* Typedefs for ASN.1 structures from 5652 */
description /***********************************************/
"A CMS structure whose top-most content type MUST be the
data content type, as described by Section 4 in RFC 5652.";
reference
"RFC 5652: Cryptographic Message Syntax (CMS)";
}
typedef signed-data-cms { typedef cms {
type cms; type binary;
description description
"A CMS structure whose top-most content type MUST be the "A ContentInfo structure, as specified in RFC 5652,
signed-data content type, as described by Section 5 in encoded using ASN.1 distinguished encoding rules (DER),
RFC 5652."; as specified in ITU-T X.690.";
reference reference
"RFC 5652: Cryptographic Message Syntax (CMS)"; "RFC 5652:
} Cryptographic Message Syntax (CMS)
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
}
typedef data-content-cms {
type cms;
description
"A CMS structure whose top-most content type MUST be the
data content type, as described by Section 4 in RFC 5652.";
reference
"RFC 5652: Cryptographic Message Syntax (CMS)";
}
typedef enveloped-data-cms { typedef signed-data-cms {
type cms; type cms;
description description
"A CMS structure whose top-most content type MUST be the "A CMS structure whose top-most content type MUST be the
enveloped-data content type, as described by Section 6 signed-data content type, as described by Section 5 in
in RFC 5652."; RFC 5652.";
reference reference
"RFC 5652: Cryptographic Message Syntax (CMS)"; "RFC 5652: Cryptographic Message Syntax (CMS)";
} }
typedef digested-data-cms { typedef enveloped-data-cms {
type cms; type cms;
description description
"A CMS structure whose top-most content type MUST be the "A CMS structure whose top-most content type MUST be the
digested-data content type, as described by Section 7 enveloped-data content type, as described by Section 6
in RFC 5652."; in RFC 5652.";
reference reference
"RFC 5652: Cryptographic Message Syntax (CMS)"; "RFC 5652: Cryptographic Message Syntax (CMS)";
} }
typedef encrypted-data-cms { typedef digested-data-cms {
type cms; type cms;
description description
"A CMS structure whose top-most content type MUST be the "A CMS structure whose top-most content type MUST be the
encrypted-data content type, as described by Section 8 digested-data content type, as described by Section 7
in RFC 5652."; in RFC 5652.";
reference reference
"RFC 5652: Cryptographic Message Syntax (CMS)"; "RFC 5652: Cryptographic Message Syntax (CMS)";
} }
typedef authenticated-data-cms { typedef encrypted-data-cms {
type cms; type cms;
description description
"A CMS structure whose top-most content type MUST be the "A CMS structure whose top-most content type MUST be the
authenticated-data content type, as described by Section 9 encrypted-data content type, as described by Section 8
in RFC 5652."; in RFC 5652.";
reference reference
"RFC 5652: Cryptographic Message Syntax (CMS)"; "RFC 5652: Cryptographic Message Syntax (CMS)";
} }
typedef authenticated-data-cms {
type cms;
description
"A CMS structure whose top-most content type MUST be the
authenticated-data content type, as described by Section 9
in RFC 5652.";
reference
"RFC 5652: Cryptographic Message Syntax (CMS)";
}
/***************************************************/ /***************************************************/
/* Typedefs for structures related to RFC 4253 */ /* Typedefs for structures related to RFC 4253 */
/***************************************************/ /***************************************************/
typedef ssh-host-key { typedef ssh-host-key {
type binary; type binary;
description description
"The binary public key data for this SSH key, as "The binary public key data for this SSH key, as
specified by RFC 4253, Section 6.6, i.e.: specified by RFC 4253, Section 6.6, i.e.:
string certificate or public key format string certificate or public key format
identifier identifier
byte[n] key/certificate data."; byte[n] key/certificate data.";
reference reference
"RFC 4253: The Secure Shell (SSH) Transport Layer "RFC 4253: The Secure Shell (SSH) Transport Layer
Protocol"; Protocol";
} }
/*********************************************************/ /*********************************************************/
/* Typedefs for ASN.1 structures related to RFC 5280 */ /* Typedefs for ASN.1 structures related to RFC 5280 */
/*********************************************************/ /*********************************************************/
typedef trust-anchor-cert-x509 { typedef trust-anchor-cert-x509 {
type x509; type x509;
description description
"A Certificate structure that MUST encode a self-signed "A Certificate structure that MUST encode a self-signed
root certificate."; root certificate.";
} }
typedef end-entity-cert-x509 { typedef end-entity-cert-x509 {
type x509; type x509;
description description
"A Certificate structure that MUST encode a certificate "A Certificate structure that MUST encode a certificate
that is neither self-signed nor having Basic constraint that is neither self-signed nor having Basic constraint
CA true."; CA true.";
} }
/*********************************************************/ /*********************************************************/
/* Typedefs for ASN.1 structures related to RFC 5652 */ /* Typedefs for ASN.1 structures related to RFC 5652 */
/*********************************************************/ /*********************************************************/
typedef trust-anchor-cert-cms { typedef trust-anchor-cert-cms {
type signed-data-cms; type signed-data-cms;
description description
"A CMS SignedData structure that MUST contain the chain of "A CMS SignedData structure that MUST contain the chain of
X.509 certificates needed to authenticate the certificate X.509 certificates needed to authenticate the certificate
presented by a client or end-entity. presented by a client or end-entity.
The CMS MUST contain only a single chain of certificates. The CMS MUST contain only a single chain of certificates.
The client or end-entity certificate MUST only authenticate The client or end-entity certificate MUST only authenticate
to last intermediate CA certificate listed in the chain. to last intermediate CA certificate listed in the chain.
In all cases, the chain MUST include a self-signed root In all cases, the chain MUST include a self-signed root
certificate. In the case where the root certificate is certificate. In the case where the root certificate is
itself the issuer of the client or end-entity certificate, itself the issuer of the client or end-entity certificate,
only one certificate is present. only one certificate is present.
This CMS structure MAY (as applicable where this type is This CMS structure MAY (as applicable where this type is
used) also contain suitably fresh (as defined by local used) also contain suitably fresh (as defined by local
policy) revocation objects with which the device can policy) revocation objects with which the device can
verify the revocation status of the certificates. verify the revocation status of the certificates.
This CMS encodes the degenerate form of the SignedData This CMS encodes the degenerate form of the SignedData
structure that is commonly used to disseminate X.509 structure that is commonly used to disseminate X.509
certificates and revocation objects (RFC 5280)."; certificates and revocation objects (RFC 5280).";
reference reference
"RFC 5280: "RFC 5280:
Internet X.509 Public Key Infrastructure Certificate Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile."; and Certificate Revocation List (CRL) Profile.";
} }
typedef end-entity-cert-cms { typedef end-entity-cert-cms {
type signed-data-cms; type signed-data-cms;
description description
"A CMS SignedData structure that MUST contain the end "A CMS SignedData structure that MUST contain the end
entity certificate itself, and MAY contain any number entity certificate itself, and MAY contain any number
of intermediate certificates leading up to a trust of intermediate certificates leading up to a trust
anchor certificate. The trust anchor certificate anchor certificate. The trust anchor certificate
MAY be included as well. MAY be included as well.
The CMS MUST contain a single end entity certificate. The CMS MUST contain a single end entity certificate.
The CMS MUST NOT contain any spurious certificates. The CMS MUST NOT contain any spurious certificates.
This CMS structure MAY (as applicable where this type is This CMS structure MAY (as applicable where this type is
used) also contain suitably fresh (as defined by local used) also contain suitably fresh (as defined by local
policy) revocation objects with which the device can policy) revocation objects with which the device can
verify the revocation status of the certificates. verify the revocation status of the certificates.
This CMS encodes the degenerate form of the SignedData This CMS encodes the degenerate form of the SignedData
structure that is commonly used to disseminate X.509 structure that is commonly used to disseminate X.509
certificates and revocation objects (RFC 5280)."; certificates and revocation objects (RFC 5280).";
reference reference
"RFC 5280: "RFC 5280:
Internet X.509 Public Key Infrastructure Certificate Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile."; and Certificate Revocation List (CRL) Profile.";
} }
/**********************************************/
/* Groupings for keys and/or certificates */
/**********************************************/
grouping public-key-grouping { /**********************************************/
description /* Groupings for keys and/or certificates */
"A public key."; /**********************************************/
leaf algorithm {
type asymmetric-key-encryption-algorithm-ref;
description
"Identifies the key's algorithm. More specifically,
this leaf specifies how the 'public-key' binary leaf
is encoded.";
reference
"RFC CCCC: Common YANG Data Types for Cryptography";
}
leaf public-key {
type binary;
description
"A binary that contains the value of the public key. The
interpretation of the content is defined by the key
algorithm. For example, a DSA key is an integer, an RSA
key is represented as RSAPublicKey as defined in
RFC 8017, and an Elliptic Curve Cryptography (ECC) key
is represented using the 'publicKey' described in
RFC 5915.";
reference
"RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.2.
RFC 5915: Elliptic Curve Private Key Structure.";
}
} // end public-key-grouping
grouping asymmetric-key-pair-grouping { grouping public-key-grouping {
description description
"A private/public key pair."; "A public key.";
uses public-key-grouping; leaf algorithm {
leaf private-key { type asymmetric-key-algorithm-ref;
nacm:default-deny-all; description
type union { "Identifies the key's algorithm. More specifically,
type binary; this leaf specifies how the 'public-key' binary leaf
type enumeration { is encoded.";
enum "permanently-hidden" { reference
description "RFC CCCC: Common YANG Data Types for Cryptography";
"The private key is inaccessible due to being }
protected by the system (e.g., a cryptographic leaf public-key {
hardware module). It is not possible to type binary;
configure a permanently hidden key, as a real description
private key value must be set. Permanently "A binary that contains the value of the public key. The
hidden keys cannot be archived or backed up."; interpretation of the content is defined by the key
} algorithm. For example, a DSA key is an integer, an RSA
} key is represented as RSAPublicKey as defined in
} RFC 8017, and an Elliptic Curve Cryptography (ECC) key
description is represented using the 'publicKey' described in
"A binary that contains the value of the private key. The RFC 5915.";
interpretation of the content is defined by the key reference
algorithm. For example, a DSA key is an integer, an RSA "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
key is represented as RSAPrivateKey as defined in RSA Cryptography Specifications Version 2.2.
RFC 8017, and an Elliptic Curve Cryptography (ECC) key RFC 5915: Elliptic Curve Private Key Structure.";
is represented as ECPrivateKey as defined in RFC 5915."; }
reference }
"RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.2.
RFC 5915: Elliptic Curve Private Key Structure.";
} // end private-key
action generate-hidden-key { grouping asymmetric-key-pair-grouping {
description description
"Requests the device to generate a hidden key using the "A private/public key pair.";
specified asymmetric key algorithm. This action is uses public-key-grouping;
used to request the system to generate a key that leaf private-key {
is 'permanently-hidden', perhaps protected by a nacm:default-deny-all;
cryptographic hardware module. The resulting type union {
asymmetric key values are considered operational type binary;
state and hence present only in <operational>."; type enumeration {
input { enum "permanently-hidden" {
leaf algorithm { description
type asymmetric-key-encryption-algorithm-ref; "The private key is inaccessible due to being
mandatory true; protected by the system (e.g., a cryptographic
description hardware module). It is not possible to
"The algorithm to be used when generating the configure a permanently hidden key, as a real
asymmetric key."; private key value must be set. Permanently
reference hidden keys cannot be archived or backed up.";
"RFC CCCC: Common YANG Data Types for Cryptography"; }
} }
} }
} // end generate-hidden-key description
"A binary that contains the value of the private key. The
interpretation of the content is defined by the key
algorithm. For example, a DSA key is an integer, an RSA
key is represented as RSAPrivateKey as defined in
RFC 8017, and an Elliptic Curve Cryptography (ECC) key
is represented as ECPrivateKey as defined in RFC 5915.";
reference
"RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.2.
RFC 5915: Elliptic Curve Private Key Structure.";
} // private-key
action install-hidden-key { action generate-hidden-key {
description description
"Requests the device to load the specified values into "Requests the device to generate a hidden key using the
a hidden key. The resulting asymmetric key values are specified asymmetric key algorithm. This action is
considered operational state and hence present only in used to request the system to generate a key that
<operational>."; is 'permanently-hidden', perhaps protected by a
input { cryptographic hardware module. The resulting
leaf algorithm { asymmetric key values are considered operational
type asymmetric-key-encryption-algorithm-ref; state and hence present only in <operational>.";
mandatory true; input {
description leaf algorithm {
"The algorithm to be used when generating the type asymmetric-key-algorithm-ref;
asymmetric key."; mandatory true;
reference description
"RFC CCCC: Common YANG Data Types for Cryptography"; "The algorithm to be used when generating the
} asymmetric key.";
leaf public-key { reference
type binary; "RFC CCCC: Common YANG Data Types for Cryptography";
description }
"A binary that contains the value of the public key.
The interpretation of the content is defined by the key
algorithm. For example, a DSA key is an integer, an
RSA key is represented as RSAPublicKey as defined in
RFC 8017, and an Elliptic Curve Cryptography (ECC) key
is represented using the 'publicKey' described in
RFC 5915.";
reference
"RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.2.
RFC 5915: Elliptic Curve Private Key Structure.";
}
leaf private-key {
type binary;
description
"A binary that contains the value of the private key.
The interpretation of the content is defined by the key
algorithm. For example, a DSA key is an integer, an RSA
key is represented as RSAPrivateKey as defined in
RFC 8017, and an Elliptic Curve Cryptography (ECC) key
is represented as ECPrivateKey as defined in RFC 5915.";
reference
"RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.2.
RFC 5915: Elliptic Curve Private Key Structure.";
}
}
} // end install-hidden-key
} // end asymmetric-key-pair-grouping
grouping trust-anchor-cert-grouping { }
description } // generate-hidden-key
"A certificate, and a notification for when it might expire.";
leaf cert {
type trust-anchor-cert-cms;
description
"The binary certificate data for this certificate.";
reference
"RFC YYYY: Common YANG Data Types for Cryptography";
}
notification certificate-expiration {
description
"A notification indicating that the configured certificate
is either about to expire or has already expired. When to
send notifications is an implementation specific decision,
but it is RECOMMENDED that a notification be sent once a
month for 3 months, then once a week for four weeks, and
then once a day thereafter until the issue is resolved.";
leaf expiration-date {
type yang:date-and-time;
mandatory true;
description
"Identifies the expiration date on the certificate.";
}
}
} // end trust-anchor-cert-grouping
grouping end-entity-cert-grouping { action install-hidden-key {
description description
"A certificate, and a notification for when it might expire."; "Requests the device to load the specified values into
leaf cert { a hidden key. The resulting asymmetric key values are
type end-entity-cert-cms; considered operational state and hence present only in
description <operational>.";
"The binary certificate data for this certificate."; input {
reference leaf algorithm {
type asymmetric-key-algorithm-ref;
mandatory true;
description
"The algorithm to be used when generating the
asymmetric key.";
reference
"RFC CCCC: Common YANG Data Types for Cryptography";
}
leaf public-key {
type binary;
description
"A binary that contains the value of the public key.
The interpretation of the content is defined by the key
algorithm. For example, a DSA key is an integer, an
RSA key is represented as RSAPublicKey as defined in
RFC 8017, and an Elliptic Curve Cryptography (ECC) key
is represented using the 'publicKey' described in
RFC 5915.";
reference
"RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.2.
RFC 5915: Elliptic Curve Private Key Structure.";
}
leaf private-key {
type binary;
description
"A binary that contains the value of the private key.
The interpretation of the content is defined by the key
algorithm. For example, a DSA key is an integer, an RSA
key is represented as RSAPrivateKey as defined in
RFC 8017, and an Elliptic Curve Cryptography (ECC) key
is represented as ECPrivateKey as defined in RFC 5915.";
reference
"RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.2.
RFC 5915: Elliptic Curve Private Key Structure.";
}
}
} // install-hidden-key
} // asymmetric-key-pair-grouping
grouping trust-anchor-cert-grouping {
description
"A certificate, and a notification for when it might expire.";
leaf cert {
type trust-anchor-cert-cms;
description
"The binary certificate data for this certificate.";
reference
"RFC YYYY: Common YANG Data Types for Cryptography"; "RFC YYYY: Common YANG Data Types for Cryptography";
} }
notification certificate-expiration { notification certificate-expiration {
description description
"A notification indicating that the configured certificate "A notification indicating that the configured certificate
is either about to expire or has already expired. When to is either about to expire or has already expired. When to
send notifications is an implementation specific decision, send notifications is an implementation specific decision,
but it is RECOMMENDED that a notification be sent once a but it is RECOMMENDED that a notification be sent once a
month for 3 months, then once a week for four weeks, and month for 3 months, then once a week for four weeks, and
then once a day thereafter until the issue is resolved."; then once a day thereafter until the issue is resolved.";
leaf expiration-date { leaf expiration-date {
type yang:date-and-time; type yang:date-and-time;
mandatory true; mandatory true;
description description
"Identifies the expiration date on the certificate."; "Identifies the expiration date on the certificate.";
} }
} }
}
} // end end-entity-cert-grouping grouping end-entity-cert-grouping {
description
"A certificate, and a notification for when it might expire.";
leaf cert {
type end-entity-cert-cms;
description
"The binary certificate data for this certificate.";
reference
"RFC YYYY: Common YANG Data Types for Cryptography";
}
notification certificate-expiration {
description
"A notification indicating that the configured certificate
is either about to expire or has already expired. When to
send notifications is an implementation specific decision,
but it is RECOMMENDED that a notification be sent once a
month for 3 months, then once a week for four weeks, and
then once a day thereafter until the issue is resolved.";
leaf expiration-date {
type yang:date-and-time;
mandatory true;
description
"Identifies the expiration date on the certificate.";
}
}
}
grouping asymmetric-key-pair-with-certs-grouping { grouping asymmetric-key-pair-with-certs-grouping {
description description
"A private/public key pair and associated certificates."; "A private/public key pair and associated certificates.";
uses asymmetric-key-pair-grouping; uses asymmetric-key-pair-grouping;
container certificates {
description
"Certificates associated with this asymmetric key.
More than one certificate supports, for instance,
a TPM-protected asymmetric key that has both IDevID
and LDevID certificates associated.";
list certificate {
key name;
description
"A certificate for this asymmetric key.";
leaf name {
type string;
description
"An arbitrary name for the certificate. If the name
matches the name of a certificate that exists
independently in <operational> (i.e., an IDevID),
then the 'cert' node MUST NOT be configured.";
} container certificates {
uses end-entity-cert-grouping; description
} // end certificate "Certificates associated with this asymmetric key.
} // end certificates More than one certificate supports, for instance,
a TPM-protected asymmetric key that has both IDevID
and LDevID certificates associated.";
list certificate {
key name;
description
"A certificate for this asymmetric key.";
leaf name {
type string;
description
"An arbitrary name for the certificate. If the name
matches the name of a certificate that exists
independently in <operational> (i.e., an IDevID),
then the 'cert' node MUST NOT be configured.";
action generate-certificate-signing-request { }
description uses end-entity-cert-grouping;
"Generates a certificate signing request structure for }
the associated asymmetric key using the passed subject } // certificates
and attribute values. The specified assertions need
to be appropriate for the certificate's use. For
example, an entity certificate for a TLS server
SHOULD have values that enable clients to satisfy
RFC 6125 processing.";
input {
leaf subject {
type binary;
mandatory true;
description
"The 'subject' field per the CertificationRequestInfo
structure as specified by RFC 2986, Section 4.1
encoded using the ASN.1 distinguished encoding
rules (DER), as specified in ITU-T X.690.";
reference action generate-certificate-signing-request {
"RFC 2986: description
PKCS #10: Certification Request Syntax "Generates a certificate signing request structure for
Specification Version 1.7. the associated asymmetric key using the passed subject
ITU-T X.690: and attribute values. The specified assertions need
Information technology - ASN.1 encoding rules: to be appropriate for the certificate's use. For
Specification of Basic Encoding Rules (BER), example, an entity certificate for a TLS server
Canonical Encoding Rules (CER) and Distinguished SHOULD have values that enable clients to satisfy
Encoding Rules (DER)."; RFC 6125 processing.";
} input {
leaf attributes { leaf subject {
type binary; type binary;
description mandatory true;
"The 'attributes' field from the structure description
CertificationRequestInfo as specified by RFC 2986, "The 'subject' field per the CertificationRequestInfo
Section 4.1 encoded using the ASN.1 distinguished structure as specified by RFC 2986, Section 4.1
encoding rules (DER), as specified in ITU-T X.690."; encoded using the ASN.1 distinguished encoding
reference rules (DER), as specified in ITU-T X.690.";
"RFC 2986: reference
PKCS #10: Certification Request Syntax "RFC 2986:
Specification Version 1.7. PKCS #10: Certification Request Syntax
ITU-T X.690: Specification Version 1.7.
Information technology - ASN.1 encoding rules: ITU-T X.690:
Specification of Basic Encoding Rules (BER), Information technology - ASN.1 encoding rules:
Canonical Encoding Rules (CER) and Distinguished Specification of Basic Encoding Rules (BER),
Encoding Rules (DER)."; Canonical Encoding Rules (CER) and Distinguished
} Encoding Rules (DER).";
} }
output { leaf attributes {
leaf certificate-signing-request { type binary;
type binary; description
mandatory true; "The 'attributes' field from the structure
description CertificationRequestInfo as specified by RFC 2986,
"A CertificationRequest structure as specified by Section 4.1 encoded using the ASN.1 distinguished
RFC 2986, Section 4.2 encoded using the ASN.1 encoding rules (DER), as specified in ITU-T X.690.";
distinguished encoding rules (DER), as specified reference
in ITU-T X.690."; "RFC 2986:
reference PKCS #10: Certification Request Syntax
"RFC 2986: Specification Version 1.7.
PKCS #10: Certification Request Syntax ITU-T X.690:
Specification Version 1.7. Information technology - ASN.1 encoding rules:
ITU-T X.690: Specification of Basic Encoding Rules (BER),
Information technology - ASN.1 encoding rules: Canonical Encoding Rules (CER) and Distinguished
Specification of Basic Encoding Rules (BER), Encoding Rules (DER).";
Canonical Encoding Rules (CER) and Distinguished }
Encoding Rules (DER)."; }
output {
leaf certificate-signing-request {
type binary;
mandatory true;
description
"A CertificationRequest structure as specified by
RFC 2986, Section 4.2 encoded using the ASN.1
distinguished encoding rules (DER), as specified
in ITU-T X.690.";
} reference
"RFC 2986:
PKCS #10: Certification Request Syntax
Specification Version 1.7.
ITU-T X.690:
Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER).";
} }
} // end generate-certificate-signing-request }
} // end asymmetric-key-pair-with-certs-grouping } // generate-certificate-signing-request
} // asymmetric-key-pair-with-certs-grouping
} }
<CODE ENDS>
<CODE ENDS>
3. Security Considerations 3. Security Considerations
In order to use YANG identities for algorithm identifiers, only the In order to use YANG identities for algorithm identifiers, only the
most commonly used RSA key lengths are supported for the RSA most commonly used RSA key lengths are supported for the RSA
algorithm. Additional key lengths can be defined in another module algorithm. Additional key lengths can be defined in another module
or added into a future version of this document. or added into a future version of this document.
This document limits the number of elliptical curves supported. This This document limits the number of elliptical curves supported. This
was done to match industry trends and IETF best practice (e.g., was done to match industry trends and IETF best practice (e.g.,
skipping to change at page 40, line 49 skipping to change at page 40, line 9
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within [RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within
ESP and AH", RFC 2404, DOI 10.17487/RFC2404, November ESP and AH", RFC 2404, DOI 10.17487/RFC2404, November
1998, <https://www.rfc-editor.org/info/rfc2404>. 1998, <https://www.rfc-editor.org/info/rfc2404>.
[RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification
Request Syntax Specification Version 1.7", RFC 2986,
DOI 10.17487/RFC2986, November 2000,
<https://www.rfc-editor.org/info/rfc2986>.
[RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1
(SHA1)", RFC 3174, DOI 10.17487/RFC3174, September 2001,
<https://www.rfc-editor.org/info/rfc3174>.
[RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES) [RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES)
Encryption Algorithm in Cryptographic Message Syntax Encryption Algorithm in Cryptographic Message Syntax
(CMS)", RFC 3565, DOI 10.17487/RFC3565, July 2003, (CMS)", RFC 3565, DOI 10.17487/RFC3565, July 2003,
<https://www.rfc-editor.org/info/rfc3565>. <https://www.rfc-editor.org/info/rfc3565>.
[RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES)
Counter Mode With IPsec Encapsulating Security Payload Counter Mode With IPsec Encapsulating Security Payload
(ESP)", RFC 3686, DOI 10.17487/RFC3686, January 2004, (ESP)", RFC 3686, DOI 10.17487/RFC3686, January 2004,
<https://www.rfc-editor.org/info/rfc3686>. <https://www.rfc-editor.org/info/rfc3686>.
skipping to change at page 41, line 38 skipping to change at page 40, line 38
[RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key
Ciphersuites for Transport Layer Security (TLS)", Ciphersuites for Transport Layer Security (TLS)",
RFC 4279, DOI 10.17487/RFC4279, December 2005, RFC 4279, DOI 10.17487/RFC4279, December 2005,
<https://www.rfc-editor.org/info/rfc4279>. <https://www.rfc-editor.org/info/rfc4279>.
[RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM [RFC4309] Housley, R., "Using Advanced Encryption Standard (AES) CCM
Mode with IPsec Encapsulating Security Payload (ESP)", Mode with IPsec Encapsulating Security Payload (ESP)",
RFC 4309, DOI 10.17487/RFC4309, December 2005, RFC 4309, DOI 10.17487/RFC4309, December 2005,
<https://www.rfc-editor.org/info/rfc4309>. <https://www.rfc-editor.org/info/rfc4309>.
[RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The
AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June
2006, <https://www.rfc-editor.org/info/rfc4493>.
[RFC4494] Song, JH., Poovendran, R., and J. Lee, "The AES-CMAC-96 [RFC4494] Song, JH., Poovendran, R., and J. Lee, "The AES-CMAC-96
Algorithm and Its Use with IPsec", RFC 4494, Algorithm and Its Use with IPsec", RFC 4494,
DOI 10.17487/RFC4494, June 2006, DOI 10.17487/RFC4494, June 2006,
<https://www.rfc-editor.org/info/rfc4494>. <https://www.rfc-editor.org/info/rfc4494>.
[RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message [RFC4543] McGrew, D. and J. Viega, "The Use of Galois Message
Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543, Authentication Code (GMAC) in IPsec ESP and AH", RFC 4543,
DOI 10.17487/RFC4543, May 2006, DOI 10.17487/RFC4543, May 2006,
<https://www.rfc-editor.org/info/rfc4543>. <https://www.rfc-editor.org/info/rfc4543>.
skipping to change at page 42, line 25 skipping to change at page 41, line 20
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
RFC 5652, DOI 10.17487/RFC5652, September 2009, RFC 5652, DOI 10.17487/RFC5652, September 2009,
<https://www.rfc-editor.org/info/rfc5652>. <https://www.rfc-editor.org/info/rfc5652>.
[RFC5656] Stebila, D. and J. Green, "Elliptic Curve Algorithm [RFC5656] Stebila, D. and J. Green, "Elliptic Curve Algorithm
Integration in the Secure Shell Transport Layer", Integration in the Secure Shell Transport Layer",
RFC 5656, DOI 10.17487/RFC5656, December 2009, RFC 5656, DOI 10.17487/RFC5656, December 2009,
<https://www.rfc-editor.org/info/rfc5656>. <https://www.rfc-editor.org/info/rfc5656>.
[RFC5915] Turner, S. and D. Brown, "Elliptic Curve Private Key
Structure", RFC 5915, DOI 10.17487/RFC5915, June 2010,
<https://www.rfc-editor.org/info/rfc5915>.
[RFC6187] Igoe, K. and D. Stebila, "X.509v3 Certificates for Secure [RFC6187] Igoe, K. and D. Stebila, "X.509v3 Certificates for Secure
Shell Authentication", RFC 6187, DOI 10.17487/RFC6187, Shell Authentication", RFC 6187, DOI 10.17487/RFC6187,
March 2011, <https://www.rfc-editor.org/info/rfc6187>. March 2011, <https://www.rfc-editor.org/info/rfc6187>.
[RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234,
DOI 10.17487/RFC6234, May 2011,
<https://www.rfc-editor.org/info/rfc6234>.
[RFC6239] Igoe, K., "Suite B Cryptographic Suites for Secure Shell
(SSH)", RFC 6239, DOI 10.17487/RFC6239, May 2011,
<https://www.rfc-editor.org/info/rfc6239>.
[RFC6507] Groves, M., "Elliptic Curve-Based Certificateless
Signatures for Identity-Based Encryption (ECCSI)",
RFC 6507, DOI 10.17487/RFC6507, February 2012,
<https://www.rfc-editor.org/info/rfc6507>.
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
RFC 6991, DOI 10.17487/RFC6991, July 2013, RFC 6991, DOI 10.17487/RFC6991, July 2013,
<https://www.rfc-editor.org/info/rfc6991>. <https://www.rfc-editor.org/info/rfc6991>.
[RFC7539] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
Protocols", RFC 7539, DOI 10.17487/RFC7539, May 2015,
<https://www.rfc-editor.org/info/rfc7539>.
[RFC7919] Gillmor, D., "Negotiated Finite Field Diffie-Hellman [RFC7919] Gillmor, D., "Negotiated Finite Field Diffie-Hellman
Ephemeral Parameters for Transport Layer Security (TLS)", Ephemeral Parameters for Transport Layer Security (TLS)",
RFC 7919, DOI 10.17487/RFC7919, August 2016, RFC 7919, DOI 10.17487/RFC7919, August 2016,
<https://www.rfc-editor.org/info/rfc7919>. <https://www.rfc-editor.org/info/rfc7919>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016, RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>. <https://www.rfc-editor.org/info/rfc7950>.
[RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
"PKCS #1: RSA Cryptography Specifications Version 2.2",
RFC 8017, DOI 10.17487/RFC8017, November 2016,
<https://www.rfc-editor.org/info/rfc8017>.
[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
Signature Algorithm (EdDSA)", RFC 8032,
DOI 10.17487/RFC8032, January 2017,
<https://www.rfc-editor.org/info/rfc8032>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8268] Baushke, M., "More Modular Exponentiation (MODP) Diffie- [RFC8268] Baushke, M., "More Modular Exponentiation (MODP) Diffie-
Hellman (DH) Key Exchange (KEX) Groups for Secure Shell Hellman (DH) Key Exchange (KEX) Groups for Secure Shell
(SSH)", RFC 8268, DOI 10.17487/RFC8268, December 2017, (SSH)", RFC 8268, DOI 10.17487/RFC8268, December 2017,
<https://www.rfc-editor.org/info/rfc8268>. <https://www.rfc-editor.org/info/rfc8268>.
[RFC8332] Bider, D., "Use of RSA Keys with SHA-256 and SHA-512 in [RFC8332] Bider, D., "Use of RSA Keys with SHA-256 and SHA-512 in
skipping to change at page 44, line 11 skipping to change at page 42, line 22
Security (TLS) Versions 1.2 and Earlier", RFC 8422, Security (TLS) Versions 1.2 and Earlier", RFC 8422,
DOI 10.17487/RFC8422, August 2018, DOI 10.17487/RFC8422, August 2018,
<https://www.rfc-editor.org/info/rfc8422>. <https://www.rfc-editor.org/info/rfc8422>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
5.2. Informative References 5.2. Informative References
[RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification
Request Syntax Specification Version 1.7", RFC 2986,
DOI 10.17487/RFC2986, November 2000,
<https://www.rfc-editor.org/info/rfc2986>.
[RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1
(SHA1)", RFC 3174, DOI 10.17487/RFC3174, September 2001,
<https://www.rfc-editor.org/info/rfc3174>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure
Certificate Request Message Format (CRMF)", RFC 4211, Certificate Request Message Format (CRMF)", RFC 4211,
DOI 10.17487/RFC4211, September 2005, DOI 10.17487/RFC4211, September 2005,
<https://www.rfc-editor.org/info/rfc4211>. <https://www.rfc-editor.org/info/rfc4211>.
[RFC4493] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The
AES-CMAC Algorithm", RFC 4493, DOI 10.17487/RFC4493, June
2006, <https://www.rfc-editor.org/info/rfc4493>.
[RFC5056] Williams, N., "On the Use of Channel Bindings to Secure [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure
Channels", RFC 5056, DOI 10.17487/RFC5056, November 2007, Channels", RFC 5056, DOI 10.17487/RFC5056, November 2007,
<https://www.rfc-editor.org/info/rfc5056>. <https://www.rfc-editor.org/info/rfc5056>.
[RFC5915] Turner, S. and D. Brown, "Elliptic Curve Private Key
Structure", RFC 5915, DOI 10.17487/RFC5915, June 2010,
<https://www.rfc-editor.org/info/rfc5915>.
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020, the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010, DOI 10.17487/RFC6020, October 2010,
<https://www.rfc-editor.org/info/rfc6020>. <https://www.rfc-editor.org/info/rfc6020>.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509 within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer (PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March
2011, <https://www.rfc-editor.org/info/rfc6125>. 2011, <https://www.rfc-editor.org/info/rfc6125>.
[RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234,
DOI 10.17487/RFC6234, May 2011,
<https://www.rfc-editor.org/info/rfc6234>.
[RFC6239] Igoe, K., "Suite B Cryptographic Suites for Secure Shell
(SSH)", RFC 6239, DOI 10.17487/RFC6239, May 2011,
<https://www.rfc-editor.org/info/rfc6239>.
[RFC6507] Groves, M., "Elliptic Curve-Based Certificateless
Signatures for Identity-Based Encryption (ECCSI)",
RFC 6507, DOI 10.17487/RFC6507, February 2012,
<https://www.rfc-editor.org/info/rfc6507>.
[RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
"PKCS #1: RSA Cryptography Specifications Version 2.2",
RFC 8017, DOI 10.17487/RFC8017, November 2016,
<https://www.rfc-editor.org/info/rfc8017>.
[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
Signature Algorithm (EdDSA)", RFC 8032,
DOI 10.17487/RFC8032, January 2017,
<https://www.rfc-editor.org/info/rfc8032>.
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/info/rfc8340>. <https://www.rfc-editor.org/info/rfc8340>.
[RFC8439] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018,
<https://www.rfc-editor.org/info/rfc8439>.
Appendix A. Examples Appendix A. Examples
A.1. The "asymmetric-key-pair-with-certs-grouping" Grouping A.1. The "asymmetric-key-pair-with-certs-grouping" Grouping
The following example module has been constructed to illustrate use The following example module has been constructed to illustrate use
of the "asymmetric-key-pair-with-certs-grouping" grouping defined in of the "asymmetric-key-pair-with-certs-grouping" grouping defined in
the "ietf-crypto-types" module. the "ietf-crypto-types" module.
Note that the "asymmetric-key-pair-with-certs-grouping" grouping uses Note that the "asymmetric-key-pair-with-certs-grouping" grouping uses
both the "asymmetric-key-pair-grouping" and "end-entity-cert- both the "asymmetric-key-pair-grouping" and "end-entity-cert-
skipping to change at page 48, line 6 skipping to change at page 46, line 31
</certificates> </certificates>
</key> </key>
</keys> </keys>
A.2. The "generate-hidden-key" Action A.2. The "generate-hidden-key" Action
The following example illustrates the "generate-hidden-key" action in The following example illustrates the "generate-hidden-key" action in
use with the NETCONF protocol. use with the NETCONF protocol.
REQUEST REQUEST
-------
<rpc message-id="101" <rpc message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<action xmlns="urn:ietf:params:xml:ns:yang:1"> <action xmlns="urn:ietf:params:xml:ns:yang:1">
<keys xmlns="http://example.com/ns/example-crypto-types-usage"> <keys xmlns="http://example.com/ns/example-crypto-types-usage">
<key> <key>
<name>empty-key</name> <name>empty-key</name>
<generate-hidden-key> <generate-hidden-key>
<algorithm <algorithm
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types">
ct:rsa2048 ct:rsa2048
skipping to change at page 48, line 23 skipping to change at page 47, line 4
<generate-hidden-key> <generate-hidden-key>
<algorithm <algorithm
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types">
ct:rsa2048 ct:rsa2048
</algorithm> </algorithm>
</generate-hidden-key> </generate-hidden-key>
</key> </key>
</keys> </keys>
</action> </action>
</rpc> </rpc>
RESPONSE RESPONSE
--------
<rpc-reply message-id="101" <rpc-reply message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<ok/> <ok/>
</rpc-reply> </rpc-reply>
A.3. The "install-hidden-key" Action A.3. The "install-hidden-key" Action
The following example illustrates the "install-hidden-key" action in The following example illustrates the "install-hidden-key" action in
use with the NETCONF protocol. use with the NETCONF protocol.
REQUEST REQUEST
-------
<rpc message-id="101" <rpc message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<action xmlns="urn:ietf:params:xml:ns:yang:1"> <action xmlns="urn:ietf:params:xml:ns:yang:1">
<keys xmlns="http://example.com/ns/example-crypto-types-usage"> <keys xmlns="http://example.com/ns/example-crypto-types-usage">
<key> <key>
<name>empty-key</name> <name>empty-key</name>
<install-hidden-key> <install-hidden-key>
<algorithm <algorithm
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types">
ct:rsa2048 ct:rsa2048
</algorithm> </algorithm>
<public-key>base64encodedvalue==</public-key> <public-key>base64encodedvalue==</public-key>
<private-key>base64encodedvalue==</private-key> <private-key>base64encodedvalue==</private-key>
</install-hidden-key> </install-hidden-key>
</key> </key>
</keys> </keys>
</action> </action>
</rpc> </rpc>
RESPONSE RESPONSE
--------
<rpc-reply message-id="101" <rpc-reply message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<ok/> <ok/>
</rpc-reply> </rpc-reply>
A.4. The "generate-certificate-signing-request" Action A.4. The "generate-certificate-signing-request" Action
The following example illustrates the "generate-certificate-signing- The following example illustrates the "generate-certificate-signing-
request" action in use with the NETCONF protocol. request" action in use with the NETCONF protocol.
REQUEST REQUEST
-------
<rpc message-id="101" <rpc message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<action xmlns="urn:ietf:params:xml:ns:yang:1"> <action xmlns="urn:ietf:params:xml:ns:yang:1">
<keys xmlns="http://example.com/ns/example-crypto-types-usage"> <keys xmlns="http://example.com/ns/example-crypto-types-usage">
<key> <key>
<name>ex-key-sect571r1</name> <name>ex-key-sect571r1</name>
<generate-certificate-signing-request> <generate-certificate-signing-request>
<subject>base64encodedvalue==</subject> <subject>base64encodedvalue==</subject>
<attributes>base64encodedvalue==</attributes> <attributes>base64encodedvalue==</attributes>
</generate-certificate-signing-request> </generate-certificate-signing-request>
</key> </key>
</keys> </keys>
</action> </action>
</rpc> </rpc>
RESPONSE RESPONSE
--------
<rpc-reply message-id="101" <rpc-reply message-id="101"
xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<certificate-signing-request <certificate-signing-request
xmlns="http://example.com/ns/example-crypto-types-usage"> xmlns="http://example.com/ns/example-crypto-types-usage">
base64encodedvalue== base64encodedvalue==
</certificate-signing-request> </certificate-signing-request>
</rpc-reply> </rpc-reply>
A.5. The "certificate-expiration" Notification A.5. The "certificate-expiration" Notification
skipping to change at page 51, line 51 skipping to change at page 49, line 51
o Moved groupings from the draft-ietf-netconf-keystore here. o Moved groupings from the draft-ietf-netconf-keystore here.
B.3. 01 to 02 B.3. 01 to 02
o Removed unwanted "mandatory" and "must" statements. o Removed unwanted "mandatory" and "must" statements.
o Added many new crypto algorithms (thanks Haiguang!) o Added many new crypto algorithms (thanks Haiguang!)
o Clarified in asymmetric-key-pair-with-certs-grouping, in o Clarified in asymmetric-key-pair-with-certs-grouping, in
certificates/certificate/name/description, that if the name MUST certificates/certificate/name/description, that if the name MUST
not match the name of a certificate that exists independently in NOT match the name of a certificate that exists independently in
<operational>, enabling certs installed by the manufacturer (e.g., <operational>, enabling certs installed by the manufacturer (e.g.,
an IDevID). an IDevID).
B.4. 02 to 03
o renamed base identity 'asymmetric-key-encryption-algorithm' to
'asymmetric-key-algorithm'.
o added new 'asymmetric-key-algorithm' identities for secp192r1,
secp224r1, secp256r1, secp384r1, and secp521r1.
o removed 'mac-algorithm' identities for mac-aes-128-ccm, mac-aes-
192-ccm, mac-aes-256-ccm, mac-aes-128-gcm, mac-aes-192-gcm, mac-
aes-256-gcm, and mac-chacha20-poly1305.
o for all -cbc and -ctr identities, renamed base identity
'symmetric-key-encryption-algorithm' to 'encryption-algorithm'.
o for all -ccm and -gcm identities, renamed base identity
'symmetric-key-encryption-algorithm' to 'encryption-and-mac-
algorithm' and renamed the identity to remove the "enc-" prefix.
o for all the 'signature-algorithm' based identities, renamed from
'rsa-*' to 'rsassa-*'.
o removed all of the "x509v3-" prefixed 'signature-algorithm' based
identities.
o added 'key-exchange-algorithm' based identities for 'rsaes-oaep'
and 'rsaes-pkcs1-v1_5'.
o renamed typedef 'symmetric-key-encryption-algorithm-ref' to
'symmetric-key-algorithm-ref'.
o renamed typedef 'asymmetric-key-encryption-algorithm-ref' to
'asymmetric-key-algorithm-ref'.
o added typedef 'encryption-and-mac-algorithm-ref'.
o Updated copyright date, boilerplate template, affiliation, and
folding algorithm.
Acknowledgements Acknowledgements
The authors would like to thank for following for lively discussions The authors would like to thank for following for lively discussions
on list and in the halls (ordered by last name): Martin Bjorklund, on list and in the halls (ordered by last name): Martin Bjorklund,
Balazs Kovacs, Eric Voit, and Liang Xia. Balazs Kovacs, Eric Voit, and Liang Xia.
Authors' Addresses Authors' Addresses
Kent Watsen Kent Watsen
Juniper Networks Watsen Networks
EMail: kwatsen@juniper.net EMail: kent+ietf@watsen.net
Wang Haiguang Wang Haiguang
Huawei Huawei
EMail: wang.haiguang.shieldlab@huawei.com EMail: wang.haiguang.shieldlab@huawei.com
 End of changes. 211 change blocks. 
1604 lines changed or deleted 1612 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/