| module ietf-keystore { |
| yang-version 1.1; |
| namespace "urn:ietf:params:xml:ns:yang:ietf-keystore"; |
| prefix ks; |
| |
| import ietf-netconf-acm { |
| prefix nacm; |
| reference |
| "RFC 8341: Network Configuration Access Control Model"; |
| } |
| |
| import ietf-crypto-types { |
| prefix ct; |
| reference |
| "RFC AAAA: YANG Data Types and Groupings for Cryptography"; |
| } |
| |
| organization |
| "IETF NETCONF (Network Configuration) Working Group"; |
| |
| contact |
| "WG Web: https://datatracker.ietf.org/wg/netconf |
| WG List: NETCONF WG list <mailto:netconf@ietf.org> |
| Author: Kent Watsen <mailto:kent+ietf@watsen.net>"; |
| |
| description |
| "This module defines a 'keystore' to centralize management |
| of security credentials. |
| |
| Copyright (c) 2023 IETF Trust and the persons identified |
| as authors of the code. All rights reserved. |
| |
| Redistribution and use in source and binary forms, with |
| or without modification, is permitted pursuant to, and |
| subject to the license terms contained in, the Revised |
| BSD License set forth in Section 4.c of the IETF Trust's |
| Legal Provisions Relating to IETF Documents |
| (https://trustee.ietf.org/license-info). |
| |
| This version of this YANG module is part of RFC CCCC |
| (https://www.rfc-editor.org/info/rfcCCCC); see the RFC |
| itself for full legal notices. |
| |
| The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', |
| 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', |
| 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document |
| are to be interpreted as described in BCP 14 (RFC 2119) |
| (RFC 8174) when, and only when, they appear in all |
| capitals, as shown here."; |
| |
| revision 2023-12-28 { |
| description |
| "Initial version"; |
| reference |
| "RFC CCCC: A YANG Data Model for a Keystore"; |
| } |
| |
| /****************/ |
| /* Features */ |
| /****************/ |
| |
| feature central-keystore-supported { |
| description |
| "The 'central-keystore-supported' feature indicates that |
| the server supports the central keystore (i.e., fully |
| implements the 'ietf-keystore' module)."; |
| } |
| |
| feature inline-definitions-supported { |
| description |
| "The 'inline-definitions-supported' feature indicates that |
| the server supports locally-defined keys."; |
| } |
| |
| feature asymmetric-keys { |
| description |
| "The 'asymmetric-keys' feature indicates that the server |
| implements the /keystore/asymmetric-keys subtree."; |
| |
| } |
| |
| feature symmetric-keys { |
| description |
| "The 'symmetric-keys' feature indicates that the server |
| implements the /keystore/symmetric-keys subtree."; |
| } |
| |
| /****************/ |
| /* Typedefs */ |
| /****************/ |
| |
| typedef symmetric-key-ref { |
| type leafref { |
| path "/ks:keystore/ks:symmetric-keys/ks:symmetric-key" |
| + "/ks:name"; |
| } |
| description |
| "This typedef enables modules to easily define a reference |
| to a symmetric key stored in the central keystore."; |
| } |
| |
| typedef asymmetric-key-ref { |
| type leafref { |
| path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key" |
| + "/ks:name"; |
| } |
| description |
| "This typedef enables modules to easily define a reference |
| to an asymmetric key stored in the central keystore."; |
| } |
| |
| /*****************/ |
| /* Groupings */ |
| /*****************/ |
| |
| grouping encrypted-by-grouping { |
| description |
| "A grouping that defines a 'choice' statement that can be |
| augmented into the 'encrypted-by' node, present in the |
| 'symmetric-key-grouping' and 'asymmetric-key-pair-grouping' |
| groupings defined in RFC AAAA, enabling references to keys |
| in the central keystore."; |
| choice encrypted-by { |
| nacm:default-deny-write; |
| mandatory true; |
| description |
| "A choice amongst other symmetric or asymmetric keys."; |
| case symmetric-key-ref { |
| if-feature "central-keystore-supported"; |
| if-feature "symmetric-keys"; |
| leaf symmetric-key-ref { |
| type ks:symmetric-key-ref; |
| description |
| "Identifies the symmetric key used to encrypt the |
| associated key."; |
| } |
| } |
| case asymmetric-key-ref { |
| if-feature "central-keystore-supported"; |
| if-feature "asymmetric-keys"; |
| leaf asymmetric-key-ref { |
| type ks:asymmetric-key-ref; |
| description |
| "Identifies the asymmetric key whose public key |
| encrypted the associated key."; |
| } |
| } |
| } |
| } |
| |
| // *-ref groupings |
| |
| grouping asymmetric-key-certificate-ref-grouping { |
| description |
| "Grouping for the reference to a certificate associated |
| with an asymmetric key stored in the central keystore."; |
| leaf asymmetric-key { |
| nacm:default-deny-write; |
| if-feature "central-keystore-supported"; |
| if-feature "asymmetric-keys"; |
| type ks:asymmetric-key-ref; |
| must '../certificate'; |
| description |
| "A reference to an asymmetric key in the keystore."; |
| } |
| leaf certificate { |
| nacm:default-deny-write; |
| type leafref { |
| path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key" |
| + "[ks:name = current()/../asymmetric-key]/" |
| + "ks:certificates/ks:certificate/ks:name"; |
| } |
| must '../asymmetric-key'; |
| description |
| "A reference to a specific certificate of the |
| asymmetric key in the keystore."; |
| } |
| } |
| |
| // inline-or-keystore-* groupings |
| |
| grouping inline-or-keystore-symmetric-key-grouping { |
| description |
| "A grouping for the configuration of a symmetric key. The |
| symmetric key may be defined inline or as a reference to |
| a symmetric key stored in the central keystore. |
| |
| Servers that do not define the 'central-keystore-supported' |
| feature SHOULD augment in custom 'case' statements enabling |
| references to alternate keystore locations."; |
| choice inline-or-keystore { |
| nacm:default-deny-write; |
| mandatory true; |
| description |
| "A choice between an inlined definition and a definition |
| that exists in the keystore."; |
| case inline { |
| if-feature "inline-definitions-supported"; |
| container inline-definition { |
| description |
| "Container to hold the local key definition."; |
| uses ct:symmetric-key-grouping; |
| } |
| } |
| case central-keystore { |
| if-feature "central-keystore-supported"; |
| if-feature "symmetric-keys"; |
| leaf central-keystore-reference { |
| type ks:symmetric-key-ref; |
| description |
| "A reference to an symmetric key that exists in |
| the central keystore."; |
| } |
| } |
| } |
| } |
| |
| grouping inline-or-keystore-asymmetric-key-grouping { |
| description |
| "A grouping for the configuration of an asymmetric key. The |
| asymmetric key may be defined inline or as a reference to |
| an asymmetric key stored in the central keystore. |
| |
| Servers that do not define the 'central-keystore-supported' |
| feature SHOULD augment in custom 'case' statements enabling |
| references to alternate keystore locations."; |
| choice inline-or-keystore { |
| nacm:default-deny-write; |
| mandatory true; |
| description |
| "A choice between an inlined definition and a definition |
| that exists in the keystore."; |
| case inline { |
| if-feature "inline-definitions-supported"; |
| container inline-definition { |
| description |
| "Container to hold the local key definition."; |
| uses ct:asymmetric-key-pair-grouping; |
| } |
| } |
| case central-keystore { |
| if-feature "central-keystore-supported"; |
| if-feature "asymmetric-keys"; |
| leaf central-keystore-reference { |
| type ks:asymmetric-key-ref; |
| description |
| "A reference to an asymmetric key that exists in |
| the central keystore. The intent is to reference |
| just the asymmetric key without any regard for |
| any certificates that may be associated with it."; |
| } |
| } |
| } |
| } |
| |
| grouping inline-or-keystore-asymmetric-key-with-certs-grouping { |
| description |
| "A grouping for the configuration of an asymmetric key and |
| its associated certificates. The asymmetric key and its |
| associated certificates may be defined inline or as a |
| reference to an asymmetric key (and its associated |
| certificates) in the central keystore. |
| |
| Servers that do not define the 'central-keystore-supported' |
| feature SHOULD augment in custom 'case' statements enabling |
| references to alternate keystore locations."; |
| choice inline-or-keystore { |
| nacm:default-deny-write; |
| mandatory true; |
| description |
| "A choice between an inlined definition and a definition |
| that exists in the keystore."; |
| case inline { |
| if-feature "inline-definitions-supported"; |
| container inline-definition { |
| description |
| "Container to hold the local key definition."; |
| uses ct:asymmetric-key-pair-with-certs-grouping; |
| } |
| } |
| case central-keystore { |
| if-feature "central-keystore-supported"; |
| if-feature "asymmetric-keys"; |
| leaf central-keystore-reference { |
| type ks:asymmetric-key-ref; |
| description |
| "A reference to an asymmetric-key (and all of its |
| associated certificates) in the keystore, when |
| this module is implemented."; |
| } |
| } |
| } |
| } |
| |
| grouping inline-or-keystore-end-entity-cert-with-key-grouping { |
| description |
| "A grouping for the configuration of an asymmetric key and |
| its associated end-entity certificate. The asymmetric key |
| and its associated end-entity certificate may be defined |
| inline or as a reference to an asymmetric key (and its |
| associated end-entity certificate) in the central keystore. |
| |
| Servers that do not define the 'central-keystore-supported' |
| feature SHOULD augment in custom 'case' statements enabling |
| references to alternate keystore locations."; |
| choice inline-or-keystore { |
| nacm:default-deny-write; |
| mandatory true; |
| description |
| "A choice between an inlined definition and a definition |
| that exists in the keystore."; |
| case inline { |
| if-feature "inline-definitions-supported"; |
| container inline-definition { |
| description |
| "Container to hold the local key definition."; |
| uses ct:asymmetric-key-pair-with-cert-grouping; |
| } |
| } |
| case central-keystore { |
| if-feature "central-keystore-supported"; |
| if-feature "asymmetric-keys"; |
| container central-keystore-reference { |
| uses asymmetric-key-certificate-ref-grouping; |
| description |
| "A reference to a specific certificate associated with |
| an asymmetric key stored in the central keystore."; |
| } |
| } |
| } |
| } |
| |
| // the keystore grouping |
| |
| grouping keystore-grouping { |
| description |
| "Grouping definition enables use in other contexts. If ever |
| done, implementations MUST augment new 'case' statements |
| into the various inline-or-keystore 'choice' statements to |
| supply leafrefs to the model-specific location(s)."; |
| container asymmetric-keys { |
| nacm:default-deny-write; |
| if-feature "asymmetric-keys"; |
| description |
| "A list of asymmetric keys."; |
| list asymmetric-key { |
| key "name"; |
| description |
| "An asymmetric key."; |
| leaf name { |
| type string; |
| description |
| "An arbitrary name for the asymmetric key."; |
| } |
| uses ct:asymmetric-key-pair-with-certs-grouping; |
| } |
| } |
| container symmetric-keys { |
| nacm:default-deny-write; |
| if-feature "symmetric-keys"; |
| description |
| "A list of symmetric keys."; |
| list symmetric-key { |
| key "name"; |
| description |
| "A symmetric key."; |
| leaf name { |
| type string; |
| description |
| "An arbitrary name for the symmetric key."; |
| } |
| uses ct:symmetric-key-grouping; |
| } |
| } |
| } |
| |
| /*********************************/ |
| /* Protocol accessible nodes */ |
| /*********************************/ |
| |
| container keystore { |
| if-feature central-keystore-supported; |
| description |
| "A central keystore containing a list of symmetric keys and |
| a list of asymmetric keys."; |
| nacm:default-deny-write; |
| uses keystore-grouping { |
| augment "symmetric-keys/symmetric-key/key-type/encrypted-key/" |
| + "encrypted-key/encrypted-by" { |
| description |
| "Augments in a choice statement enabling the encrypting |
| key to be any other symmetric or asymmetric key in the |
| central keystore."; |
| uses encrypted-by-grouping; |
| } |
| augment "asymmetric-keys/asymmetric-key/private-key-type/" |
| + "encrypted-private-key/encrypted-private-key/" |
| + "encrypted-by" { |
| description |
| "Augments in a choice statement enabling the encrypting |
| key to be any other symmetric or asymmetric key in the |
| central keystore."; |
| uses encrypted-by-grouping; |
| } |
| } |
| } |
| } |