draft-ietf-netconf-crypto-types-04.txt   draft-ietf-netconf-crypto-types-05.txt 
NETCONF Working Group K. Watsen NETCONF Working Group K. Watsen
Internet-Draft Watsen Networks Internet-Draft Watsen Networks
Intended status: Standards Track H. Wang Intended status: Standards Track H. Wang
Expires: September 10, 2019 Huawei Expires: September 10, 2019 Huawei
March 9, 2019 March 9, 2019
Common YANG Data Types for Cryptography Common YANG Data Types for Cryptography
draft-ietf-netconf-crypto-types-04 draft-ietf-netconf-crypto-types-05
Abstract Abstract
This document defines YANG identities, typedefs, the groupings useful This document defines YANG identities, typedefs, the groupings useful
for cryptographic applications. for cryptographic applications.
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
This draft contains many placeholder values that need to be replaced This draft contains many placeholder values that need to be replaced
with finalized values at the time of publication. This note with finalized values at the time of publication. This note
skipping to change at page 2, line 49 skipping to change at page 2, line 49
A.2. The "generate-hidden-key" Action . . . . . . . . . . . . 46 A.2. The "generate-hidden-key" Action . . . . . . . . . . . . 46
A.3. The "install-hidden-key" Action . . . . . . . . . . . . . 47 A.3. The "install-hidden-key" Action . . . . . . . . . . . . . 47
A.4. The "generate-certificate-signing-request" Action . . . . 47 A.4. The "generate-certificate-signing-request" Action . . . . 47
A.5. The "certificate-expiration" Notification . . . . . . . . 48 A.5. The "certificate-expiration" Notification . . . . . . . . 48
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 49 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 49
B.1. I-D to 00 . . . . . . . . . . . . . . . . . . . . . . . . 49 B.1. I-D to 00 . . . . . . . . . . . . . . . . . . . . . . . . 49
B.2. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 49 B.2. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 49
B.3. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 49 B.3. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 49
B.4. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 50 B.4. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 50
B.5. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 50 B.5. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 50
B.6. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 51
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 51 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 51
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 51 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 51
1. Introduction 1. Introduction
This document defines a YANG 1.1 [RFC7950] module specifying This document defines a YANG 1.1 [RFC7950] module specifying
identities, typedefs, and groupings useful for cryptography. identities, typedefs, and groupings useful for cryptography.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
skipping to change at page 4, line 43 skipping to change at page 4, line 43
This module has an informational reference to [RFC2986], [RFC3174], This module has an informational reference to [RFC2986], [RFC3174],
[RFC4493], [RFC5915], [RFC6125], [RFC6234], [RFC6239], [RFC6507], [RFC4493], [RFC5915], [RFC6125], [RFC6234], [RFC6239], [RFC6507],
[RFC8017], [RFC8032], [RFC8439]. [RFC8017], [RFC8032], [RFC8439].
<CODE BEGINS> file "ietf-crypto-types@2019-03-09.yang" <CODE BEGINS> file "ietf-crypto-types@2019-03-09.yang"
module ietf-crypto-types { module ietf-crypto-types {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types"; namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types";
prefix "ct"; prefix ct;
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
reference reference
"RFC 6991: Common YANG Data Types"; "RFC 6991: Common YANG Data Types";
} }
import ietf-netconf-acm { import ietf-netconf-acm {
prefix nacm; prefix nacm;
reference reference
"RFC 8341: Network Configuration Access Control Model"; "RFC 8341: Network Configuration Access Control Model";
} }
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
contact contact
"WG Web: <http://datatracker.ietf.org/wg/netconf/> "WG Web: <http://datatracker.ietf.org/wg/netconf/>
WG List: <mailto:netconf@ietf.org> WG List: <mailto:netconf@ietf.org>
Author: Kent Watsen <mailto:kent+ietf@watsen.net> Author: Kent Watsen <mailto:kent+ietf@watsen.net>
Author: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>"; Author: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>";
description description
"This module defines common YANG types for cryptographic "This module defines common YANG types for cryptographic
applications. applications.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 [RFC2119] are to be interpreted as described in BCP 14 [RFC2119]
[RFC8174] when, and only when, they appear in all [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
Copyright (c) 2019 IETF Trust and the persons identified Copyright (c) 2019 IETF Trust and the persons identified
as authors of the code. All rights reserved. as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision "2019-03-09" { revision 2019-03-09 {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: Common YANG Data Types for Cryptography"; "RFC XXXX: Common YANG Data Types for Cryptography";
} }
/**************************************/ /**************************************/
/* Identities for Hash Algorithms */ /* Identities for Hash Algorithms */
/**************************************/ /**************************************/
identity hash-algorithm { identity hash-algorithm {
description description
"A base identity for hash algorithm verification."; "A base identity for hash algorithm verification.";
} }
identity sha-224 { identity sha-224 {
base "hash-algorithm"; base hash-algorithm;
description "The SHA-224 algorithm."; description
reference "RFC 6234: US Secure Hash Algorithms."; "The SHA-224 algorithm.";
reference
"RFC 6234: US Secure Hash Algorithms.";
} }
identity sha-256 { identity sha-256 {
base "hash-algorithm"; base hash-algorithm;
description "The SHA-256 algorithm."; description
reference "RFC 6234: US Secure Hash Algorithms."; "The SHA-256 algorithm.";
reference
"RFC 6234: US Secure Hash Algorithms.";
} }
identity sha-384 { identity sha-384 {
base "hash-algorithm"; base hash-algorithm;
description "The SHA-384 algorithm."; description
reference "RFC 6234: US Secure Hash Algorithms."; "The SHA-384 algorithm.";
reference
"RFC 6234: US Secure Hash Algorithms.";
} }
identity sha-512 { identity sha-512 {
base "hash-algorithm"; base hash-algorithm;
description "The SHA-512 algorithm."; description
reference "RFC 6234: US Secure Hash Algorithms."; "The SHA-512 algorithm.";
reference
"RFC 6234: US Secure Hash Algorithms.";
} }
/***********************************************/ /***********************************************/
/* Identities for Asymmetric Key Algorithms */ /* Identities for Asymmetric Key Algorithms */
/***********************************************/ /***********************************************/
identity asymmetric-key-algorithm { identity asymmetric-key-algorithm {
description description
"Base identity from which all asymmetric key "Base identity from which all asymmetric key
encryption Algorithm."; encryption Algorithm.";
skipping to change at page 7, line 42 skipping to change at page 7, line 48
base asymmetric-key-algorithm; base asymmetric-key-algorithm;
description description
"The RSA algorithm using a 7680-bit key."; "The RSA algorithm using a 7680-bit key.";
reference reference
"RFC 8017: "RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2."; PKCS #1: RSA Cryptography Specifications Version 2.2.";
} }
identity rsa15360 { identity rsa15360 {
base asymmetric-key-algorithm; base asymmetric-key-algorithm;
description description
"The RSA algorithm using a 15360-bit key."; "The RSA algorithm using a 15360-bit key.";
reference reference
"RFC 8017: "RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2."; PKCS #1: RSA Cryptography Specifications Version 2.2.";
} }
identity secp192r1 { identity secp192r1 {
base asymmetric-key-algorithm; base asymmetric-key-algorithm;
description description
"The ECDSA algorithm using a NIST P256 Curve."; "The ECDSA algorithm using a NIST P256 Curve.";
reference reference
"RFC 6090: "RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms."; Fundamental Elliptic Curve Cryptography Algorithms.";
} }
identity secp224r1 { identity secp224r1 {
base asymmetric-key-algorithm; base asymmetric-key-algorithm;
description description
"The ECDSA algorithm using a NIST P256 Curve."; "The ECDSA algorithm using a NIST P256 Curve.";
reference reference
"RFC 6090: "RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms."; Fundamental Elliptic Curve Cryptography Algorithms.";
} }
identity secp256r1 { identity secp256r1 {
base asymmetric-key-algorithm; base asymmetric-key-algorithm;
description description
"The ECDSA algorithm using a NIST P256 Curve."; "The ECDSA algorithm using a NIST P256 Curve.";
reference reference
"RFC 6090: "RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms."; Fundamental Elliptic Curve Cryptography Algorithms.";
} }
identity secp384r1 { identity secp384r1 {
base asymmetric-key-algorithm; base asymmetric-key-algorithm;
description description
"The ECDSA algorithm using a NIST P256 Curve."; "The ECDSA algorithm using a NIST P256 Curve.";
reference reference
"RFC 6090: "RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms."; Fundamental Elliptic Curve Cryptography Algorithms.";
} }
identity secp521r1 { identity secp521r1 {
base asymmetric-key-algorithm; base asymmetric-key-algorithm;
description description
"The ECDSA algorithm using a NIST P256 Curve."; "The ECDSA algorithm using a NIST P256 Curve.";
reference reference
"RFC 6090: "RFC 6090:
Fundamental Elliptic Curve Cryptography Algorithms."; Fundamental Elliptic Curve Cryptography Algorithms.";
} }
/*************************************/ /*************************************/
/* Identities for MAC Algorithms */ /* Identities for MAC Algorithms */
/*************************************/ /*************************************/
identity mac-algorithm { identity mac-algorithm {
description description
"A base identity for mac generation."; "A base identity for mac generation.";
} }
identity hmac-sha1 { identity hmac-sha1 {
skipping to change at page 9, line 8 skipping to change at page 9, line 14
/*************************************/ /*************************************/
/* Identities for MAC Algorithms */ /* Identities for MAC Algorithms */
/*************************************/ /*************************************/
identity mac-algorithm { identity mac-algorithm {
description description
"A base identity for mac generation."; "A base identity for mac generation.";
} }
identity hmac-sha1 { identity hmac-sha1 {
base "mac-algorithm"; base mac-algorithm;
description "Generating MAC using SHA1 hash function"; description
reference "RFC 3174: US Secure Hash Algorithm 1 (SHA1)"; "Generating MAC using SHA1 hash function";
reference
"RFC 3174: US Secure Hash Algorithm 1 (SHA1)";
} }
identity hmac-sha1-96 { identity hmac-sha1-96 {
base "mac-algorithm"; base mac-algorithm;
description "Generating MAC using SHA1 hash function"; description
reference "RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH"; "Generating MAC using SHA1 hash function";
reference
"RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH";
} }
identity hmac-sha2-224 { identity hmac-sha2-224 {
base "mac-algorithm"; base mac-algorithm;
description description
"Generating MAC using SHA2 hash function"; "Generating MAC using SHA2 hash function";
reference reference
"RFC 6234: "RFC 6234:
US Secure Hash Algorithms (SHA and SHA-based HMAC and US Secure Hash Algorithms (SHA and SHA-based HMAC and
HKDF)"; HKDF)";
} }
identity hmac-sha2-256 { identity hmac-sha2-256 {
base "mac-algorithm"; base mac-algorithm;
description description
"Generating MAC using SHA2 hash function"; "Generating MAC using SHA2 hash function";
reference reference
"RFC 6234: "RFC 6234:
US Secure Hash Algorithms (SHA and SHA-based HMAC and US Secure Hash Algorithms (SHA and SHA-based HMAC and
HKDF)"; HKDF)";
} }
identity hmac-sha2-256-128 { identity hmac-sha2-256-128 {
base "mac-algorithm"; base mac-algorithm;
description description
"Generating a 256 bits MAC using SHA2 hash function and "Generating a 256 bits MAC using SHA2 hash function and
truncate it to 128 bits"; truncate it to 128 bits";
reference reference
"RFC 4868: "RFC 4868:
Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
with IPsec"; with IPsec";
} }
identity hmac-sha2-384 { identity hmac-sha2-384 {
base "mac-algorithm"; base mac-algorithm;
description description
"Generating MAC using SHA2 hash function"; "Generating MAC using SHA2 hash function";
reference reference
"RFC 6234: "RFC 6234:
US Secure Hash Algorithms (SHA and SHA-based HMAC and US Secure Hash Algorithms (SHA and SHA-based HMAC and
HKDF)"; HKDF)";
} }
identity hmac-sha2-384-192 { identity hmac-sha2-384-192 {
base "mac-algorithm"; base mac-algorithm;
description description
"Generating a 384 bits MAC using SHA2 hash function and "Generating a 384 bits MAC using SHA2 hash function and
truncate it to 192 bits"; truncate it to 192 bits";
reference reference
"RFC 4868: "RFC 4868:
Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with
IPsec"; IPsec";
} }
identity hmac-sha2-512 { identity hmac-sha2-512 {
base "mac-algorithm"; base mac-algorithm;
description "Generating MAC using SHA2 hash function"; description
"Generating MAC using SHA2 hash function";
reference reference
"RFC 6234: "RFC 6234:
US Secure Hash Algorithms (SHA and SHA-based HMAC and US Secure Hash Algorithms (SHA and SHA-based HMAC and
HKDF)"; HKDF)";
} }
identity hmac-sha2-512-256 { identity hmac-sha2-512-256 {
base "mac-algorithm"; base mac-algorithm;
description description
"Generating a 512 bits MAC using SHA2 hash function and "Generating a 512 bits MAC using SHA2 hash function and
truncating it to 256 bits"; truncating it to 256 bits";
reference reference
"RFC 4868: "RFC 4868:
Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with
IPsec"; IPsec";
} }
identity aes-128-gmac { identity aes-128-gmac {
base "mac-algorithm"; base mac-algorithm;
description description
"Generating MAC using the Advanced Encryption Standard (AES) "Generating MAC using the Advanced Encryption Standard (AES)
Galois Message Authentication Code (GMAC) as a mechanism to Galois Message Authentication Code (GMAC) as a mechanism to
provide data origin authentication"; provide data origin authentication";
reference reference
"RFC 4543: "RFC 4543:
The Use of Galois Message Authentication Code (GMAC) in The Use of Galois Message Authentication Code (GMAC) in
IPsec ESP and AH"; IPsec ESP and AH";
} }
identity aes-192-gmac { identity aes-192-gmac {
base "mac-algorithm"; base mac-algorithm;
description description
"Generating MAC using the Advanced Encryption Standard (AES) "Generating MAC using the Advanced Encryption Standard (AES)
Galois Message Authentication Code (GMAC) as a mechanism to Galois Message Authentication Code (GMAC) as a mechanism to
provide data origin authentication"; provide data origin authentication";
reference reference
"RFC 4543: "RFC 4543:
The Use of Galois Message Authentication Code (GMAC) in The Use of Galois Message Authentication Code (GMAC) in
IPsec ESP and AH"; IPsec ESP and AH";
} }
identity aes-256-gmac { identity aes-256-gmac {
base "mac-algorithm"; base mac-algorithm;
description description
"Generating MAC using the Advanced Encryption Standard (AES) "Generating MAC using the Advanced Encryption Standard (AES)
Galois Message Authentication Code (GMAC) as a mechanism to Galois Message Authentication Code (GMAC) as a mechanism to
provide data origin authentication"; provide data origin authentication";
reference reference
"RFC 4543: "RFC 4543:
The Use of Galois Message Authentication Code (GMAC) in The Use of Galois Message Authentication Code (GMAC) in
IPsec ESP and AH"; IPsec ESP and AH";
} }
identity aes-cmac-96 { identity aes-cmac-96 {
base "mac-algorithm"; base mac-algorithm;
description description
"Generating MAC using Advanced Encryption Standard (AES) "Generating MAC using Advanced Encryption Standard (AES)
Cipher-based Message Authentication Code (CMAC)"; Cipher-based Message Authentication Code (CMAC)";
reference reference
"RFC 4494: The AES-CMAC-96 Algorithm and its Use with IPsec"; "RFC 4494: The AES-CMAC-96 Algorithm and its Use with IPsec";
} }
identity aes-cmac-128 { identity aes-cmac-128 {
base "mac-algorithm"; base mac-algorithm;
description description
"Generating MAC using Advanced Encryption Standard (AES) "Generating MAC using Advanced Encryption Standard (AES)
Cipher-based Message Authentication Code (CMAC)"; Cipher-based Message Authentication Code (CMAC)";
reference reference
"RFC 4493: The AES-CMAC Algorithm"; "RFC 4493: The AES-CMAC Algorithm";
} }
/********************************************/ /********************************************/
/* Identities for Encryption Algorithms */ /* Identities for Encryption Algorithms */
/********************************************/ /********************************************/
identity encryption-algorithm { identity encryption-algorithm {
description description
"A base identity for encryption algorithm."; "A base identity for encryption algorithm.";
} }
identity aes-128-cbc { identity aes-128-cbc {
base "encryption-algorithm"; base encryption-algorithm;
description description
"Encrypt message with AES algorithm in CBC mode with a key "Encrypt message with AES algorithm in CBC mode with a key
length of 128 bits"; length of 128 bits";
reference reference
"RFC 3565: "RFC 3565:
Use of the Advanced Encryption Standard (AES) Encryption Use of the Advanced Encryption Standard (AES) Encryption
Algorithm in Cryptographic Message Syntax (CMS)"; Algorithm in Cryptographic Message Syntax (CMS)";
} }
identity aes-192-cbc { identity aes-192-cbc {
base "encryption-algorithm"; base encryption-algorithm;
description description
"Encrypt message with AES algorithm in CBC mode with a key "Encrypt message with AES algorithm in CBC mode with a key
length of 192 bits"; length of 192 bits";
reference reference
"RFC 3565: "RFC 3565:
Use of the Advanced Encryption Standard (AES) Encryption Use of the Advanced Encryption Standard (AES) Encryption
Algorithm in Cryptographic Message Syntax (CMS)"; Algorithm in Cryptographic Message Syntax (CMS)";
} }
identity aes-256-cbc { identity aes-256-cbc {
base "encryption-algorithm"; base encryption-algorithm;
description description
"Encrypt message with AES algorithm in CBC mode with a key "Encrypt message with AES algorithm in CBC mode with a key
length of 256 bits"; length of 256 bits";
reference reference
"RFC 3565: "RFC 3565:
Use of the Advanced Encryption Standard (AES) Encryption Use of the Advanced Encryption Standard (AES) Encryption
Algorithm in Cryptographic Message Syntax (CMS)"; Algorithm in Cryptographic Message Syntax (CMS)";
} }
identity aes-128-ctr { identity aes-128-ctr {
base "encryption-algorithm"; base encryption-algorithm;
description description
"Encrypt message with AES algorithm in CTR mode with a key "Encrypt message with AES algorithm in CTR mode with a key
length of 128 bits"; length of 128 bits";
reference reference
"RFC 3686: "RFC 3686:
Using Advanced Encryption Standard (AES) Counter Mode with Using Advanced Encryption Standard (AES) Counter Mode with
IPsec Encapsulating Security Payload (ESP)"; IPsec Encapsulating Security Payload (ESP)";
} }
identity aes-192-ctr { identity aes-192-ctr {
base "encryption-algorithm"; base encryption-algorithm;
description description
"Encrypt message with AES algorithm in CTR mode with a key "Encrypt message with AES algorithm in CTR mode with a key
length of 192 bits"; length of 192 bits";
reference reference
"RFC 3686: "RFC 3686:
Using Advanced Encryption Standard (AES) Counter Mode with Using Advanced Encryption Standard (AES) Counter Mode with
IPsec Encapsulating Security Payload (ESP)"; IPsec Encapsulating Security Payload (ESP)";
} }
identity aes-256-ctr { identity aes-256-ctr {
base "encryption-algorithm"; base encryption-algorithm;
description description
"Encrypt message with AES algorithm in CTR mode with a key "Encrypt message with AES algorithm in CTR mode with a key
length of 256 bits"; length of 256 bits";
reference reference
"RFC 3686: "RFC 3686:
Using Advanced Encryption Standard (AES) Counter Mode with Using Advanced Encryption Standard (AES) Counter Mode with
IPsec Encapsulating Security Payload (ESP)"; IPsec Encapsulating Security Payload (ESP)";
} }
/****************************************************/ /****************************************************/
/* Identities for Encryption and MAC Algorithms */ /* Identities for Encryption and MAC Algorithms */
/****************************************************/ /****************************************************/
identity encryption-and-mac-algorithm { identity encryption-and-mac-algorithm {
description description
"A base identity for encryption and MAC algorithm."; "A base identity for encryption and MAC algorithm.";
} }
identity aes-128-ccm { identity aes-128-ccm {
base "encryption-and-mac-algorithm"; base encryption-and-mac-algorithm;
description description
"Encrypt message with AES algorithm in CCM mode with a key "Encrypt message with AES algorithm in CCM mode with a key
length of 128 bits; it can also be used for generating MAC"; length of 128 bits; it can also be used for generating MAC";
reference reference
"RFC 4309: "RFC 4309:
Using Advanced Encryption Standard (AES) CCM Mode with Using Advanced Encryption Standard (AES) CCM Mode with
IPsec Encapsulating Security Payload (ESP)"; IPsec Encapsulating Security Payload (ESP)";
} }
identity aes-192-ccm { identity aes-192-ccm {
base "encryption-and-mac-algorithm"; base encryption-and-mac-algorithm;
description description
"Encrypt message with AES algorithm in CCM mode with a key "Encrypt message with AES algorithm in CCM mode with a key
length of 192 bits; it can also be used for generating MAC"; length of 192 bits; it can also be used for generating MAC";
reference reference
"RFC 4309: "RFC 4309:
Using Advanced Encryption Standard (AES) CCM Mode with Using Advanced Encryption Standard (AES) CCM Mode with
IPsec Encapsulating Security Payload (ESP)"; IPsec Encapsulating Security Payload (ESP)";
} }
identity aes-256-ccm { identity aes-256-ccm {
base "encryption-and-mac-algorithm"; base encryption-and-mac-algorithm;
description description
"Encrypt message with AES algorithm in CCM mode with a key "Encrypt message with AES algorithm in CCM mode with a key
length of 256 bits; it can also be used for generating MAC"; length of 256 bits; it can also be used for generating MAC";
reference reference
"RFC 4309: "RFC 4309:
Using Advanced Encryption Standard (AES) CCM Mode with Using Advanced Encryption Standard (AES) CCM Mode with
IPsec Encapsulating Security Payload (ESP)"; IPsec Encapsulating Security Payload (ESP)";
} }
identity aes-128-gcm { identity aes-128-gcm {
base "encryption-and-mac-algorithm"; base encryption-and-mac-algorithm;
description description
"Encrypt message with AES algorithm in GCM mode with a key "Encrypt message with AES algorithm in GCM mode with a key
length of 128 bits; it can also be used for generating MAC"; length of 128 bits; it can also be used for generating MAC";
reference reference
"RFC 4106: "RFC 4106:
The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
Security Payload (ESP)"; Security Payload (ESP)";
} }
identity aes-192-gcm { identity aes-192-gcm {
base "encryption-and-mac-algorithm"; base encryption-and-mac-algorithm;
description description
"Encrypt message with AES algorithm in GCM mode with a key "Encrypt message with AES algorithm in GCM mode with a key
length of 192 bits; it can also be used for generating MAC"; length of 192 bits; it can also be used for generating MAC";
reference reference
"RFC 4106: "RFC 4106:
The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
Security Payload (ESP)"; Security Payload (ESP)";
} }
identity mac-aes-256-gcm { identity mac-aes-256-gcm {
base "encryption-and-mac-algorithm"; base encryption-and-mac-algorithm;
description description
"Encrypt message with AES algorithm in GCM mode with a key "Encrypt message with AES algorithm in GCM mode with a key
length of 128 bits; it can also be used for generating MAC"; length of 128 bits; it can also be used for generating MAC";
reference reference
"RFC 4106: "RFC 4106:
The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating
Security Payload (ESP)"; Security Payload (ESP)";
} }
identity chacha20-poly1305 { identity chacha20-poly1305 {
base "encryption-and-mac-algorithm"; base encryption-and-mac-algorithm;
description description
"Encrypt message with chacha20 algorithm and generate MAC with "Encrypt message with chacha20 algorithm and generate MAC with
POLY1305; it can also be used for generating MAC"; POLY1305; it can also be used for generating MAC";
reference reference
"RFC 8439: ChaCha20 and Poly1305 for IETF Protocols"; "RFC 8439: ChaCha20 and Poly1305 for IETF Protocols";
} }
/******************************************/ /******************************************/
/* Identities for signature algorithm */ /* Identities for signature algorithm */
/******************************************/ /******************************************/
identity signature-algorithm { identity signature-algorithm {
description description
"A base identity for asymmetric key encryption algorithm."; "A base identity for asymmetric key encryption algorithm.";
} }
identity dsa-sha1 { identity dsa-sha1 {
base "signature-algorithm"; base signature-algorithm;
description description
"The signature algorithm using DSA algorithm with SHA1 hash "The signature algorithm using DSA algorithm with SHA1 hash
algorithm"; algorithm";
reference reference
"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
} }
identity rsassa-pkcs1-sha1 { identity rsassa-pkcs1-sha1 {
base "signature-algorithm"; base signature-algorithm;
description description
"The signature algorithm using RSASSA-PKCS1-v1_5 with the SHA1 "The signature algorithm using RSASSA-PKCS1-v1_5 with the SHA1
hash algorithm."; hash algorithm.";
reference reference
"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
} }
identity rsassa-pkcs1-sha256 { identity rsassa-pkcs1-sha256 {
base "signature-algorithm"; base signature-algorithm;
description description
"The signature algorithm using RSASSA-PKCS1-v1_5 with the "The signature algorithm using RSASSA-PKCS1-v1_5 with the
SHA256 hash algorithm."; SHA256 hash algorithm.";
reference reference
"RFC 8332: "RFC 8332:
Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell
(SSH) Protocol (SSH) Protocol
RFC 8446: RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity rsassa-pkcs1-sha384 { identity rsassa-pkcs1-sha384 {
base "signature-algorithm"; base signature-algorithm;
description description
"The signature algorithm using RSASSA-PKCS1-v1_5 with the "The signature algorithm using RSASSA-PKCS1-v1_5 with the
SHA384 hash algorithm."; SHA384 hash algorithm.";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity rsassa-pkcs1-sha512 { identity rsassa-pkcs1-sha512 {
base "signature-algorithm"; base signature-algorithm;
description description
"The signature algorithm using RSASSA-PKCS1-v1_5 with the "The signature algorithm using RSASSA-PKCS1-v1_5 with the
SHA512 hash algorithm."; SHA512 hash algorithm.";
reference reference
"RFC 8332: "RFC 8332:
Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell
(SSH) Protocol (SSH) Protocol
RFC 8446: RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity rsassa-pss-rsae-sha256 { identity rsassa-pss-rsae-sha256 {
base "signature-algorithm"; base signature-algorithm;
description description
"The signature algorithm using RSASSA-PSS with mask generation "The signature algorithm using RSASSA-PSS with mask generation
function 1 and SHA256 hash algorithm. If the public key is function 1 and SHA256 hash algorithm. If the public key is
carried in an X.509 certificate, it MUST use the rsaEncryption carried in an X.509 certificate, it MUST use the rsaEncryption
OID"; OID";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity rsassa-pss-rsae-sha384 { identity rsassa-pss-rsae-sha384 {
base "signature-algorithm"; base signature-algorithm;
description description
"The signature algorithm using RSASSA-PSS with mask generation "The signature algorithm using RSASSA-PSS with mask generation
function 1 and SHA384 hash algorithm. If the public key is function 1 and SHA384 hash algorithm. If the public key is
carried in an X.509 certificate, it MUST use the rsaEncryption carried in an X.509 certificate, it MUST use the rsaEncryption
OID"; OID";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity rsassa-pss-rsae-sha512 { identity rsassa-pss-rsae-sha512 {
base "signature-algorithm"; base signature-algorithm;
description description
"The signature algorithm using RSASSA-PSS with mask generation "The signature algorithm using RSASSA-PSS with mask generation
function 1 and SHA512 hash algorithm. If the public key is function 1 and SHA512 hash algorithm. If the public key is
carried in an X.509 certificate, it MUST use the rsaEncryption carried in an X.509 certificate, it MUST use the rsaEncryption
OID"; OID";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity rsassa-pss-pss-sha256 { identity rsassa-pss-pss-sha256 {
base "signature-algorithm"; base signature-algorithm;
description description
"The signature algorithm using RSASSA-PSS with mask generation "The signature algorithm using RSASSA-PSS with mask generation
function 1 and SHA256 hash algorithm. If the public key is function 1 and SHA256 hash algorithm. If the public key is
carried in an X.509 certificate, it MUST use the RSASSA-PSS carried in an X.509 certificate, it MUST use the RSASSA-PSS
OID"; OID";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity rsassa-pss-pss-sha384 { identity rsassa-pss-pss-sha384 {
base "signature-algorithm"; base signature-algorithm;
description description
"The signature algorithm using RSASSA-PSS with mask generation "The signature algorithm using RSASSA-PSS with mask generation
function 1 and SHA256 hash algorithm. If the public key is function 1 and SHA256 hash algorithm. If the public key is
carried in an X.509 certificate, it MUST use the RSASSA-PSS carried in an X.509 certificate, it MUST use the RSASSA-PSS
OID"; OID";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity rsassa-pss-pss-sha512 { identity rsassa-pss-pss-sha512 {
base "signature-algorithm"; base signature-algorithm;
description description
"The signature algorithm using RSASSA-PSS with mask generation "The signature algorithm using RSASSA-PSS with mask generation
function 1 and SHA256 hash algorithm. If the public key is function 1 and SHA256 hash algorithm. If the public key is
carried in an X.509 certificate, it MUST use the RSASSA-PSS carried in an X.509 certificate, it MUST use the RSASSA-PSS
OID"; OID";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity ecdsa-secp256r1-sha256 { identity ecdsa-secp256r1-sha256 {
base "signature-algorithm"; base signature-algorithm;
description description
"The signature algorithm using ECDSA with curve name secp256r1 "The signature algorithm using ECDSA with curve name secp256r1
and SHA256 hash algorithm."; and SHA256 hash algorithm.";
reference reference
"RFC 5656: Elliptic Curve Algorithm Integration in the "RFC 5656: Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer Secure Shell Transport Layer
RFC 8446: RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity ecdsa-secp384r1-sha384 { identity ecdsa-secp384r1-sha384 {
base "signature-algorithm"; base signature-algorithm;
description description
"The signature algorithm using ECDSA with curve name secp384r1 "The signature algorithm using ECDSA with curve name secp384r1
and SHA384 hash algorithm."; and SHA384 hash algorithm.";
reference reference
"RFC 5656: Elliptic Curve Algorithm Integration in the "RFC 5656: Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer Secure Shell Transport Layer
RFC 8446: RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity ecdsa-secp521r1-sha512 { identity ecdsa-secp521r1-sha512 {
base "signature-algorithm"; base signature-algorithm;
description description
"The signature algorithm using ECDSA with curve name secp521r1 "The signature algorithm using ECDSA with curve name secp521r1
and SHA512 hash algorithm."; and SHA512 hash algorithm.";
reference reference
"RFC 5656: Elliptic Curve Algorithm Integration in the "RFC 5656: Elliptic Curve Algorithm Integration in the
Secure Shell Transport Layer Secure Shell Transport Layer
RFC 8446: RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity ed25519 { identity ed25519 {
base "signature-algorithm"; base signature-algorithm;
description description
"The signature algorithm using EdDSA as defined in RFC 8032 or "The signature algorithm using EdDSA as defined in RFC 8032 or
its successors."; its successors.";
reference reference
"RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)"; "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)";
} }
identity ed448 { identity ed448 {
base "signature-algorithm"; base signature-algorithm;
description description
"The signature algorithm using EdDSA as defined in RFC 8032 or "The signature algorithm using EdDSA as defined in RFC 8032 or
its successors."; its successors.";
reference reference
"RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)"; "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)";
} }
identity eccsi { identity eccsi {
base "signature-algorithm"; base signature-algorithm;
description description
"The signature algorithm using ECCSI signature as defined in "The signature algorithm using ECCSI signature as defined in
RFC 6507."; RFC 6507.";
reference reference
"RFC 6507: "RFC 6507:
Elliptic Curve-Based Certificateless Signatures for Elliptic Curve-Based Certificateless Signatures for
Identity-based Encryption (ECCSI)"; Identity-based Encryption (ECCSI)";
} }
/**********************************************/ /**********************************************/
/* Identities for key exchange algorithms */ /* Identities for key exchange algorithms */
/**********************************************/ /**********************************************/
identity key-exchange-algorithm { identity key-exchange-algorithm {
description description
"A base identity for Diffie-Hellman based key exchange "A base identity for Diffie-Hellman based key exchange
algorithm."; algorithm.";
} }
identity psk-only { identity psk-only {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Using Pre-shared key for authentication and key exchange"; "Using Pre-shared key for authentication and key exchange";
reference reference
"RFC 4279: "RFC 4279:
Pre-Shared Key cipher suites for Transport Layer Security Pre-Shared Key cipher suites for Transport Layer Security
(TLS)"; (TLS)";
} }
identity dhe-ffdhe2048 { identity dhe-ffdhe2048 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Ephemeral Diffie Hellman key exchange with 2048 bit "Ephemeral Diffie Hellman key exchange with 2048 bit
finite field"; finite field";
reference reference
"RFC 7919: "RFC 7919:
Negotiated Finite Field Diffie-Hellman Ephemeral Parameters Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
for Transport Layer Security (TLS)"; for Transport Layer Security (TLS)";
} }
identity dhe-ffdhe3072 { identity dhe-ffdhe3072 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Ephemeral Diffie Hellman key exchange with 3072 bit finite "Ephemeral Diffie Hellman key exchange with 3072 bit finite
field"; field";
reference reference
"RFC 7919: "RFC 7919:
Negotiated Finite Field Diffie-Hellman Ephemeral Parameters Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
for Transport Layer Security (TLS)"; for Transport Layer Security (TLS)";
} }
identity dhe-ffdhe4096 { identity dhe-ffdhe4096 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Ephemeral Diffie Hellman key exchange with 4096 bit "Ephemeral Diffie Hellman key exchange with 4096 bit
finite field"; finite field";
reference reference
"RFC 7919: "RFC 7919:
Negotiated Finite Field Diffie-Hellman Ephemeral Parameters Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
for Transport Layer Security (TLS)"; for Transport Layer Security (TLS)";
} }
identity dhe-ffdhe6144 { identity dhe-ffdhe6144 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Ephemeral Diffie Hellman key exchange with 6144 bit "Ephemeral Diffie Hellman key exchange with 6144 bit
finite field"; finite field";
reference reference
"RFC 7919: "RFC 7919:
Negotiated Finite Field Diffie-Hellman Ephemeral Parameters Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
for Transport Layer Security (TLS)"; for Transport Layer Security (TLS)";
} }
identity dhe-ffdhe8192 { identity dhe-ffdhe8192 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Ephemeral Diffie Hellman key exchange with 8192 bit "Ephemeral Diffie Hellman key exchange with 8192 bit
finite field"; finite field";
reference reference
"RFC 7919: "RFC 7919:
Negotiated Finite Field Diffie-Hellman Ephemeral Parameters Negotiated Finite Field Diffie-Hellman Ephemeral Parameters
for Transport Layer Security (TLS)"; for Transport Layer Security (TLS)";
} }
identity psk-dhe-ffdhe2048 { identity psk-dhe-ffdhe2048 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Key exchange using pre-shared key with Diffie-Hellman key "Key exchange using pre-shared key with Diffie-Hellman key
generation mechanism, where the DH group is FFDHE2048"; generation mechanism, where the DH group is FFDHE2048";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity psk-dhe-ffdhe3072 { identity psk-dhe-ffdhe3072 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Key exchange using pre-shared key with Diffie-Hellman key "Key exchange using pre-shared key with Diffie-Hellman key
generation mechanism, where the DH group is FFDHE3072"; generation mechanism, where the DH group is FFDHE3072";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity psk-dhe-ffdhe4096 { identity psk-dhe-ffdhe4096 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Key exchange using pre-shared key with Diffie-Hellman key "Key exchange using pre-shared key with Diffie-Hellman key
generation mechanism, where the DH group is FFDHE4096"; generation mechanism, where the DH group is FFDHE4096";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity psk-dhe-ffdhe6144 { identity psk-dhe-ffdhe6144 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Key exchange using pre-shared key with Diffie-Hellman key "Key exchange using pre-shared key with Diffie-Hellman key
generation mechanism, where the DH group is FFDHE6144"; generation mechanism, where the DH group is FFDHE6144";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity psk-dhe-ffdhe8192 { identity psk-dhe-ffdhe8192 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Key exchange using pre-shared key with Diffie-Hellman key "Key exchange using pre-shared key with Diffie-Hellman key
generation mechanism, where the DH group is FFDHE8192"; generation mechanism, where the DH group is FFDHE8192";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity ecdhe-secp256r1 { identity ecdhe-secp256r1 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Ephemeral Diffie Hellman key exchange with elliptic group "Ephemeral Diffie Hellman key exchange with elliptic group
over curve secp256r1"; over curve secp256r1";
reference reference
"RFC 8422: "RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and Earlier"; Transport Layer Security (TLS) Versions 1.2 and Earlier";
} }
identity ecdhe-secp384r1 { identity ecdhe-secp384r1 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Ephemeral Diffie Hellman key exchange with elliptic group "Ephemeral Diffie Hellman key exchange with elliptic group
over curve secp384r1"; over curve secp384r1";
reference reference
"RFC 8422: "RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and Earlier"; Transport Layer Security (TLS) Versions 1.2 and Earlier";
} }
identity ecdhe-secp521r1 { identity ecdhe-secp521r1 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Ephemeral Diffie Hellman key exchange with elliptic group "Ephemeral Diffie Hellman key exchange with elliptic group
over curve secp521r1"; over curve secp521r1";
reference reference
"RFC 8422: "RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and Earlier"; Transport Layer Security (TLS) Versions 1.2 and Earlier";
} }
identity ecdhe-x25519 { identity ecdhe-x25519 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Ephemeral Diffie Hellman key exchange with elliptic group "Ephemeral Diffie Hellman key exchange with elliptic group
over curve x25519"; over curve x25519";
reference reference
"RFC 8422: "RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and Earlier"; Transport Layer Security (TLS) Versions 1.2 and Earlier";
} }
identity ecdhe-x448 { identity ecdhe-x448 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Ephemeral Diffie Hellman key exchange with elliptic group "Ephemeral Diffie Hellman key exchange with elliptic group
over curve x448"; over curve x448";
reference reference
"RFC 8422: "RFC 8422:
Elliptic Curve Cryptography (ECC) Cipher Suites for Elliptic Curve Cryptography (ECC) Cipher Suites for
Transport Layer Security (TLS) Versions 1.2 and Earlier"; Transport Layer Security (TLS) Versions 1.2 and Earlier";
} }
identity psk-ecdhe-secp256r1 { identity psk-ecdhe-secp256r1 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Key exchange using pre-shared key with elliptic group-based "Key exchange using pre-shared key with elliptic group-based
Ephemeral Diffie Hellman key exchange over curve secp256r1"; Ephemeral Diffie Hellman key exchange over curve secp256r1";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity psk-ecdhe-secp384r1 { identity psk-ecdhe-secp384r1 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Key exchange using pre-shared key with elliptic group-based "Key exchange using pre-shared key with elliptic group-based
Ephemeral Diffie Hellman key exchange over curve secp384r1"; Ephemeral Diffie Hellman key exchange over curve secp384r1";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity psk-ecdhe-secp521r1 { identity psk-ecdhe-secp521r1 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Key exchange using pre-shared key with elliptic group-based "Key exchange using pre-shared key with elliptic group-based
Ephemeral Diffie Hellman key exchange over curve secp521r1"; Ephemeral Diffie Hellman key exchange over curve secp521r1";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity psk-ecdhe-x25519 { identity psk-ecdhe-x25519 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Key exchange using pre-shared key with elliptic group-based "Key exchange using pre-shared key with elliptic group-based
Ephemeral Diffie Hellman key exchange over curve x25519"; Ephemeral Diffie Hellman key exchange over curve x25519";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity psk-ecdhe-x448 { identity psk-ecdhe-x448 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Key exchange using pre-shared key with elliptic group-based "Key exchange using pre-shared key with elliptic group-based
Ephemeral Diffie Hellman key exchange over curve x448"; Ephemeral Diffie Hellman key exchange over curve x448";
reference reference
"RFC 8446: "RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3"; The Transport Layer Security (TLS) Protocol Version 1.3";
} }
identity diffie-hellman-group14-sha1 { identity diffie-hellman-group14-sha1 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Using DH group14 and SHA1 for key exchange"; "Using DH group14 and SHA1 for key exchange";
reference reference
"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol";
} }
identity diffie-hellman-group14-sha256 { identity diffie-hellman-group14-sha256 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Using DH group14 and SHA256 for key exchange"; "Using DH group14 and SHA256 for key exchange";
reference reference
"RFC 8268: "RFC 8268:
More Modular Exponentiation (MODP) Diffie-Hellman (DH) More Modular Exponentiation (MODP) Diffie-Hellman (DH)
Key Exchange (KEX) Groups for Secure Shell (SSH)"; Key Exchange (KEX) Groups for Secure Shell (SSH)";
} }
identity diffie-hellman-group15-sha512 { identity diffie-hellman-group15-sha512 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Using DH group15 and SHA512 for key exchange"; "Using DH group15 and SHA512 for key exchange";
reference reference
"RFC 8268: "RFC 8268:
More Modular Exponentiation (MODP) Diffie-Hellman (DH) More Modular Exponentiation (MODP) Diffie-Hellman (DH)
Key Exchange (KEX) Groups for Secure Shell (SSH)"; Key Exchange (KEX) Groups for Secure Shell (SSH)";
} }
identity diffie-hellman-group16-sha512 { identity diffie-hellman-group16-sha512 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Using DH group16 and SHA512 for key exchange"; "Using DH group16 and SHA512 for key exchange";
reference reference
"RFC 8268: "RFC 8268:
More Modular Exponentiation (MODP) Diffie-Hellman (DH) More Modular Exponentiation (MODP) Diffie-Hellman (DH)
Key Exchange (KEX) Groups for Secure Shell (SSH)"; Key Exchange (KEX) Groups for Secure Shell (SSH)";
} }
identity diffie-hellman-group17-sha512 { identity diffie-hellman-group17-sha512 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Using DH group17 and SHA512 for key exchange"; "Using DH group17 and SHA512 for key exchange";
reference reference
"RFC 8268: "RFC 8268:
More Modular Exponentiation (MODP) Diffie-Hellman (DH) More Modular Exponentiation (MODP) Diffie-Hellman (DH)
Key Exchange (KEX) Groups for Secure Shell (SSH)"; Key Exchange (KEX) Groups for Secure Shell (SSH)";
} }
identity diffie-hellman-group18-sha512 { identity diffie-hellman-group18-sha512 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Using DH group18 and SHA512 for key exchange"; "Using DH group18 and SHA512 for key exchange";
reference reference
"RFC 8268: "RFC 8268:
More Modular Exponentiation (MODP) Diffie-Hellman (DH) More Modular Exponentiation (MODP) Diffie-Hellman (DH)
Key Exchange (KEX) Groups for Secure Shell (SSH)"; Key Exchange (KEX) Groups for Secure Shell (SSH)";
} }
identity ecdh-sha2-secp256r1 { identity ecdh-sha2-secp256r1 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Elliptic curve-based Diffie Hellman key exchange over curve "Elliptic curve-based Diffie Hellman key exchange over curve
secp256r1 and using SHA2 for MAC generation"; secp256r1 and using SHA2 for MAC generation";
reference reference
"RFC 6239: Suite B Cryptographic Suites for Secure Shell "RFC 6239: Suite B Cryptographic Suites for Secure Shell
(SSH)"; (SSH)";
} }
identity ecdh-sha2-secp384r1 { identity ecdh-sha2-secp384r1 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"Elliptic curve-based Diffie Hellman key exchange over curve "Elliptic curve-based Diffie Hellman key exchange over curve
secp384r1 and using SHA2 for MAC generation"; secp384r1 and using SHA2 for MAC generation";
reference reference
"RFC 6239: Suite B Cryptographic Suites for Secure Shell "RFC 6239: Suite B Cryptographic Suites for Secure Shell
(SSH)"; (SSH)";
} }
identity rsaes-oaep { identity rsaes-oaep {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
"RSAES-OAEP combines the RSAEP and RSADP primitives with the "RSAES-OAEP combines the RSAEP and RSADP primitives with the
EME-OAEP encoding method"; EME-OAEP encoding method";
reference reference
"RFC 8017: "RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2."; PKCS #1: RSA Cryptography Specifications Version 2.2.";
} }
identity rsaes-pkcs1-v1_5 { identity rsaes-pkcs1-v1_5 {
base "key-exchange-algorithm"; base key-exchange-algorithm;
description description
" RSAES-PKCS1-v1_5 combines the RSAEP and RSADP primitives " RSAES-PKCS1-v1_5 combines the RSAEP and RSADP primitives
with the EME-PKCS1-v1_5 encoding method"; with the EME-PKCS1-v1_5 encoding method";
reference reference
"RFC 8017: "RFC 8017:
PKCS #1: RSA Cryptography Specifications Version 2.2."; PKCS #1: RSA Cryptography Specifications Version 2.2.";
} }
/**********************************************************/ /**********************************************************/
/* Typedefs for identityrefs to above base identities */ /* Typedefs for identityrefs to above base identities */
/**********************************************************/ /**********************************************************/
typedef hash-algorithm-ref { typedef hash-algorithm-ref {
type identityref { type identityref {
base "hash-algorithm"; base hash-algorithm;
} }
description description
"This typedef enables importing modules to easily define an "This typedef enables importing modules to easily define an
identityref to the 'hash-algorithm' base identity."; identityref to the 'hash-algorithm' base identity.";
} }
typedef signature-algorithm-ref { typedef signature-algorithm-ref {
type identityref { type identityref {
base "signature-algorithm"; base signature-algorithm;
} }
description description
"This typedef enables importing modules to easily define an "This typedef enables importing modules to easily define an
identityref to the 'signature-algorithm' base identity."; identityref to the 'signature-algorithm' base identity.";
} }
typedef mac-algorithm-ref { typedef mac-algorithm-ref {
type identityref { type identityref {
base "mac-algorithm"; base mac-algorithm;
} }
description description
"This typedef enables importing modules to easily define an "This typedef enables importing modules to easily define an
identityref to the 'mac-algorithm' base identity."; identityref to the 'mac-algorithm' base identity.";
} }
typedef encryption-algorithm-ref { typedef encryption-algorithm-ref {
type identityref { type identityref {
base "encryption-algorithm"; base encryption-algorithm;
} }
description description
"This typedef enables importing modules to easily define an "This typedef enables importing modules to easily define an
identityref to the 'encryption-algorithm' identityref to the 'encryption-algorithm'
base identity."; base identity.";
} }
typedef encryption-and-mac-algorithm-ref { typedef encryption-and-mac-algorithm-ref {
type identityref { type identityref {
base "encryption-and-mac-algorithm"; base encryption-and-mac-algorithm;
} }
description description
"This typedef enables importing modules to easily define an "This typedef enables importing modules to easily define an
identityref to the 'encryption-and-mac-algorithm' identityref to the 'encryption-and-mac-algorithm'
base identity."; base identity.";
} }
typedef asymmetric-key-algorithm-ref { typedef asymmetric-key-algorithm-ref {
type identityref { type identityref {
base "asymmetric-key-algorithm"; base asymmetric-key-algorithm;
} }
description description
"This typedef enables importing modules to easily define an "This typedef enables importing modules to easily define an
identityref to the 'asymmetric-key-algorithm' identityref to the 'asymmetric-key-algorithm'
base identity."; base identity.";
} }
typedef key-exchange-algorithm-ref { typedef key-exchange-algorithm-ref {
type identityref { type identityref {
base "key-exchange-algorithm"; base key-exchange-algorithm;
} }
description description
"This typedef enables importing modules to easily define an "This typedef enables importing modules to easily define an
identityref to the 'key-exchange-algorithm' base identity."; identityref to the 'key-exchange-algorithm' base identity.";
} }
/***************************************************/ /***************************************************/
/* Typedefs for ASN.1 structures from RFC 5280 */ /* Typedefs for ASN.1 structures from RFC 5280 */
/***************************************************/ /***************************************************/
typedef x509 { typedef x509 {
type binary; type binary;
description description
"A Certificate structure, as specified in RFC 5280, "A Certificate structure, as specified in RFC 5280,
encoded using ASN.1 distinguished encoding rules (DER), encoded using ASN.1 distinguished encoding rules (DER),
as specified in ITU-T X.690."; as specified in ITU-T X.690.";
reference reference
"RFC 5280: "RFC 5280:
Internet X.509 Public Key Infrastructure Certificate Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile and Certificate Revocation List (CRL) Profile
ITU-T X.690: ITU-T X.690:
Information technology - ASN.1 encoding rules: Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER), Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER)."; Encoding Rules (DER).";
} }
skipping to change at page 32, line 46 skipping to change at page 33, line 4
algorithm. For example, a DSA key is an integer, an RSA algorithm. For example, a DSA key is an integer, an RSA
key is represented as RSAPublicKey as defined in key is represented as RSAPublicKey as defined in
RFC 8017, and an Elliptic Curve Cryptography (ECC) key RFC 8017, and an Elliptic Curve Cryptography (ECC) key
is represented using the 'publicKey' described in is represented using the 'publicKey' described in
RFC 5915."; RFC 5915.";
reference reference
"RFC 8017: Public-Key Cryptography Standards (PKCS) #1: "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.2. RSA Cryptography Specifications Version 2.2.
RFC 5915: Elliptic Curve Private Key Structure."; RFC 5915: Elliptic Curve Private Key Structure.";
} }
} }
grouping asymmetric-key-pair-grouping { grouping asymmetric-key-pair-grouping {
description description
"A private/public key pair."; "A private/public key pair.";
uses public-key-grouping; uses public-key-grouping;
leaf private-key { leaf private-key {
nacm:default-deny-all; nacm:default-deny-all;
type union { type union {
type binary; type binary;
type enumeration { type enumeration {
enum "permanently-hidden" { enum permanently-hidden {
description description
"The private key is inaccessible due to being "The private key is inaccessible due to being
protected by the system (e.g., a cryptographic protected by the system (e.g., a cryptographic
hardware module). It is not possible to hardware module). It is not possible to
configure a permanently hidden key, as a real configure a permanently hidden key, as a real
private key value must be set. Permanently private key value must be set. Permanently
hidden keys cannot be archived or backed up."; hidden keys cannot be archived or backed up.";
} }
} }
} }
description description
"A binary that contains the value of the private key. The "A binary that contains the value of the private key. The
interpretation of the content is defined by the key interpretation of the content is defined by the key
algorithm. For example, a DSA key is an integer, an RSA algorithm. For example, a DSA key is an integer, an RSA
key is represented as RSAPrivateKey as defined in key is represented as RSAPrivateKey as defined in
RFC 8017, and an Elliptic Curve Cryptography (ECC) key RFC 8017, and an Elliptic Curve Cryptography (ECC) key
is represented as ECPrivateKey as defined in RFC 5915."; is represented as ECPrivateKey as defined in RFC 5915.";
skipping to change at page 35, line 4 skipping to change at page 35, line 11
The interpretation of the content is defined by the key The interpretation of the content is defined by the key
algorithm. For example, a DSA key is an integer, an RSA algorithm. For example, a DSA key is an integer, an RSA
key is represented as RSAPrivateKey as defined in key is represented as RSAPrivateKey as defined in
RFC 8017, and an Elliptic Curve Cryptography (ECC) key RFC 8017, and an Elliptic Curve Cryptography (ECC) key
is represented as ECPrivateKey as defined in RFC 5915."; is represented as ECPrivateKey as defined in RFC 5915.";
reference reference
"RFC 8017: Public-Key Cryptography Standards (PKCS) #1: "RFC 8017: Public-Key Cryptography Standards (PKCS) #1:
RSA Cryptography Specifications Version 2.2. RSA Cryptography Specifications Version 2.2.
RFC 5915: Elliptic Curve Private Key Structure."; RFC 5915: Elliptic Curve Private Key Structure.";
} }
} }
} // install-hidden-key } // install-hidden-key
} // asymmetric-key-pair-grouping } // asymmetric-key-pair-grouping
grouping trust-anchor-cert-grouping { grouping trust-anchor-cert-grouping {
description description
"A certificate, and a notification for when it might expire."; "A certificate, and a notification for when it might expire.";
leaf cert { leaf cert {
type trust-anchor-cert-cms; type trust-anchor-cert-cms;
description description
"The binary certificate data for this certificate."; "The binary certificate data for this certificate.";
reference reference
"RFC YYYY: Common YANG Data Types for Cryptography"; "RFC YYYY: Common YANG Data Types for Cryptography";
} }
notification certificate-expiration { notification certificate-expiration {
description description
"A notification indicating that the configured certificate "A notification indicating that the configured certificate
is either about to expire or has already expired. When to is either about to expire or has already expired. When to
send notifications is an implementation specific decision, send notifications is an implementation specific decision,
but it is RECOMMENDED that a notification be sent once a but it is RECOMMENDED that a notification be sent once a
month for 3 months, then once a week for four weeks, and month for 3 months, then once a week for four weeks, and
then once a day thereafter until the issue is resolved."; then once a day thereafter until the issue is resolved.";
leaf expiration-date { leaf expiration-date {
type yang:date-and-time; type yang:date-and-time;
mandatory true; mandatory true;
description description
"Identifies the expiration date on the certificate."; "Identifies the expiration date on the certificate.";
} }
} }
} }
grouping end-entity-cert-grouping { grouping end-entity-cert-grouping {
description description
"A certificate, and a notification for when it might expire."; "A certificate, and a notification for when it might expire.";
leaf cert { leaf cert {
type end-entity-cert-cms; type end-entity-cert-cms;
description description
"The binary certificate data for this certificate."; "The binary certificate data for this certificate.";
reference reference
"RFC YYYY: Common YANG Data Types for Cryptography"; "RFC YYYY: Common YANG Data Types for Cryptography";
} }
notification certificate-expiration { notification certificate-expiration {
description description
"A notification indicating that the configured certificate "A notification indicating that the configured certificate
is either about to expire or has already expired. When to is either about to expire or has already expired. When to
send notifications is an implementation specific decision, send notifications is an implementation specific decision,
but it is RECOMMENDED that a notification be sent once a but it is RECOMMENDED that a notification be sent once a
month for 3 months, then once a week for four weeks, and month for 3 months, then once a week for four weeks, and
then once a day thereafter until the issue is resolved."; then once a day thereafter until the issue is resolved.";
leaf expiration-date { leaf expiration-date {
skipping to change at page 36, line 20 skipping to change at page 36, line 27
description description
"Identifies the expiration date on the certificate."; "Identifies the expiration date on the certificate.";
} }
} }
} }
grouping asymmetric-key-pair-with-certs-grouping { grouping asymmetric-key-pair-with-certs-grouping {
description description
"A private/public key pair and associated certificates."; "A private/public key pair and associated certificates.";
uses asymmetric-key-pair-grouping; uses asymmetric-key-pair-grouping;
container certificates { container certificates {
description description
"Certificates associated with this asymmetric key. "Certificates associated with this asymmetric key.
More than one certificate supports, for instance, More than one certificate supports, for instance,
a TPM-protected asymmetric key that has both IDevID a TPM-protected asymmetric key that has both IDevID
and LDevID certificates associated."; and LDevID certificates associated.";
list certificate { list certificate {
key name; key "name";
description description
"A certificate for this asymmetric key."; "A certificate for this asymmetric key.";
leaf name { leaf name {
type string; type string;
description description
"An arbitrary name for the certificate. If the name "An arbitrary name for the certificate. If the name
matches the name of a certificate that exists matches the name of a certificate that exists
independently in <operational> (i.e., an IDevID), independently in <operational> (i.e., an IDevID),
then the 'cert' node MUST NOT be configured."; then the 'cert' node MUST NOT be configured.";
} }
uses end-entity-cert-grouping; uses end-entity-cert-grouping;
} }
} // certificates } // certificates
action generate-certificate-signing-request { action generate-certificate-signing-request {
description description
"Generates a certificate signing request structure for "Generates a certificate signing request structure for
the associated asymmetric key using the passed subject the associated asymmetric key using the passed subject
and attribute values. The specified assertions need and attribute values. The specified assertions need
skipping to change at page 37, line 11 skipping to change at page 37, line 14
and attribute values. The specified assertions need and attribute values. The specified assertions need
to be appropriate for the certificate's use. For to be appropriate for the certificate's use. For
example, an entity certificate for a TLS server example, an entity certificate for a TLS server
SHOULD have values that enable clients to satisfy SHOULD have values that enable clients to satisfy
RFC 6125 processing."; RFC 6125 processing.";
input { input {
leaf subject { leaf subject {
type binary; type binary;
mandatory true; mandatory true;
description description
"The 'subject' field per the CertificationRequestInfo "The 'subject' field per the CertificationRequestInfo
structure as specified by RFC 2986, Section 4.1 structure as specified by RFC 2986, Section 4.1
encoded using the ASN.1 distinguished encoding encoded using the ASN.1 distinguished encoding
rules (DER), as specified in ITU-T X.690."; rules (DER), as specified in ITU-T X.690.";
reference reference
"RFC 2986: "RFC 2986:
PKCS #10: Certification Request Syntax PKCS #10: Certification Request Syntax
Specification Version 1.7. Specification Version 1.7.
ITU-T X.690: ITU-T X.690:
Information technology - ASN.1 encoding rules: Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER), Specification of Basic Encoding Rules (BER),
Canonical Encoding Rules (CER) and Distinguished Canonical Encoding Rules (CER) and Distinguished
Encoding Rules (DER)."; Encoding Rules (DER).";
} }
skipping to change at page 51, line 5 skipping to change at page 51, line 5
o added typedef 'encryption-and-mac-algorithm-ref'. o added typedef 'encryption-and-mac-algorithm-ref'.
o Updated copyright date, boilerplate template, affiliation, and o Updated copyright date, boilerplate template, affiliation, and
folding algorithm. folding algorithm.
B.5. 03 to 04 B.5. 03 to 04
o ran YANG module through formatter. o ran YANG module through formatter.
B.6. 04 to 05
o fixed broken symlink causing reformatted YANG module to not show.
Acknowledgements Acknowledgements
The authors would like to thank for following for lively discussions The authors would like to thank for following for lively discussions
on list and in the halls (ordered by last name): Martin Bjorklund, on list and in the halls (ordered by last name): Martin Bjorklund,
Balazs Kovacs, Eric Voit, and Liang Xia. Balazs Kovacs, Eric Voit, and Liang Xia.
Authors' Addresses Authors' Addresses
Kent Watsen Kent Watsen
Watsen Networks Watsen Networks
 End of changes. 147 change blocks. 
173 lines changed or deleted 189 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/