| module ietf-x509-cert-to-name { |
| |
| yang-version 1; |
| |
| namespace |
| "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name"; |
| |
| prefix x509c2n; |
| |
| import ietf-yang-types { |
| prefix yang; |
| } |
| |
| organization |
| "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; |
| |
| contact |
| "WG Web: <http://tools.ietf.org/wg/netmod/> |
| WG List: <mailto:netmod@ietf.org> |
| |
| WG Chair: Thomas Nadeau |
| <mailto:tnadeau@lucidvision.com> |
| |
| WG Chair: Juergen Schoenwaelder |
| <mailto:j.schoenwaelder@jacobs-university.de> |
| |
| Editor: Martin Bjorklund |
| <mailto:mbj@tail-f.com> |
| |
| Editor: Juergen Schoenwaelder |
| <mailto:j.schoenwaelder@jacobs-university.de>"; |
| |
| description |
| "This module contains a collection of YANG definitions for |
| extracting a name from an X.509 certificate. |
| The algorithm used to extract a name from an X.509 certificate |
| was first defined in RFC 6353. |
| |
| Copyright (c) 2014 IETF Trust and the persons identified as |
| authors of the code. All rights reserved. |
| |
| Redistribution and use in source and binary forms, with or |
| without modification, is permitted pursuant to, and subject |
| to the license terms contained in, the Simplified BSD License |
| set forth in Section 4.c of the IETF Trust's Legal Provisions |
| Relating to IETF Documents |
| (http://trustee.ietf.org/license-info). |
| |
| This version of this YANG module is part of RFC 7407; see |
| the RFC itself for full legal notices."; |
| |
| reference |
| "RFC 6353: Transport Layer Security (TLS) Transport Model for |
| the Simple Network Management Protocol (SNMP)"; |
| |
| |
| revision "2014-12-10" { |
| description "Initial revision."; |
| reference |
| "RFC 7407: A YANG Data Model for SNMP Configuration"; |
| |
| } |
| |
| |
| typedef tls-fingerprint { |
| type yang:hex-string { |
| pattern |
| '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}'; |
| } |
| description |
| "A fingerprint value that can be used to uniquely reference |
| other data of potentially arbitrary length. |
| |
| A tls-fingerprint value is composed of a 1-octet hashing |
| algorithm identifier followed by the fingerprint value. The |
| first octet value identifying the hashing algorithm is taken |
| from the IANA 'TLS HashAlgorithm Registry' (RFC 5246). The |
| remaining octets are filled using the results of the hashing |
| algorithm."; |
| reference |
| "RFC 6353: Transport Layer Security (TLS) Transport Model |
| for the Simple Network Management Protocol (SNMP). |
| SNMP-TLS-TM-MIB.SnmpTLSFingerprint"; |
| |
| } |
| |
| identity cert-to-name { |
| description |
| "Base identity for algorithms to derive a name from a |
| certificate."; |
| } |
| |
| identity specified { |
| base cert-to-name; |
| description |
| "Directly specifies the name to be used for the certificate. |
| The value of the leaf 'name' in the cert-to-name list is |
| used."; |
| reference |
| "RFC 6353: Transport Layer Security (TLS) Transport Model |
| for the Simple Network Management Protocol (SNMP). |
| SNMP-TLS-TM-MIB.snmpTlstmCertSpecified"; |
| |
| } |
| |
| identity san-rfc822-name { |
| base cert-to-name; |
| description |
| "Maps a subjectAltName's rfc822Name to a name. The local part |
| of the rfc822Name is passed unaltered, but the host-part of |
| the name must be passed in lowercase. For example, the |
| rfc822Name field FooBar@Example.COM is mapped to name |
| FooBar@example.com."; |
| reference |
| "RFC 6353: Transport Layer Security (TLS) Transport Model |
| for the Simple Network Management Protocol (SNMP). |
| SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name"; |
| |
| } |
| |
| identity san-dns-name { |
| base cert-to-name; |
| description |
| "Maps a subjectAltName's dNSName to a name after first |
| converting it to all lowercase (RFC 5280 does not specify |
| converting to lowercase, so this involves an extra step). |
| This mapping results in a 1:1 correspondence between |
| subjectAltName dNSName values and the name values."; |
| reference |
| "RFC 6353: Transport Layer Security (TLS) Transport Model |
| for the Simple Network Management Protocol (SNMP). |
| SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName"; |
| |
| } |
| |
| identity san-ip-address { |
| base cert-to-name; |
| description |
| "Maps a subjectAltName's iPAddress to a name by |
| transforming the binary-encoded address as follows: |
| |
| 1) for IPv4, the value is converted into a |
| decimal-dotted quad address (e.g., '192.0.2.1'). |
| |
| 2) for IPv6 addresses, the value is converted into a |
| 32-character, all-lowercase hexadecimal string |
| without any colon separators. |
| |
| This mapping results in a 1:1 correspondence between |
| subjectAltName iPAddress values and the name values."; |
| reference |
| "RFC 6353: Transport Layer Security (TLS) Transport Model |
| for the Simple Network Management Protocol (SNMP). |
| SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress"; |
| |
| } |
| |
| identity san-any { |
| base cert-to-name; |
| description |
| "Maps any of the following fields using the corresponding |
| mapping algorithms: |
| |
| +------------+-----------------+ |
| | Type | Algorithm | |
| |------------+-----------------| |
| | rfc822Name | san-rfc822-name | |
| | dNSName | san-dns-name | |
| | iPAddress | san-ip-address | |
| +------------+-----------------+ |
| |
| The first matching subjectAltName value found in the |
| certificate of the above types MUST be used when deriving |
| the name. The mapping algorithm specified in the |
| 'Algorithm' column MUST be used to derive the name. |
| |
| This mapping results in a 1:1 correspondence between |
| subjectAltName values and name values. The three sub-mapping |
| algorithms produced by this combined algorithm cannot produce |
| conflicting results between themselves."; |
| reference |
| "RFC 6353: Transport Layer Security (TLS) Transport Model |
| for the Simple Network Management Protocol (SNMP). |
| SNMP-TLS-TM-MIB.snmpTlstmCertSANAny"; |
| |
| } |
| |
| identity common-name { |
| base cert-to-name; |
| description |
| "Maps a certificate's CommonName to a name after converting |
| it to a UTF-8 encoding. The usage of CommonNames is |
| deprecated, and users are encouraged to use subjectAltName |
| mapping methods instead. This mapping results in a 1:1 |
| correspondence between certificate CommonName values and name |
| values."; |
| reference |
| "RFC 6353: Transport Layer Security (TLS) Transport Model |
| for the Simple Network Management Protocol (SNMP). |
| SNMP-TLS-TM-MIB.snmpTlstmCertCommonName"; |
| |
| } |
| |
| grouping cert-to-name { |
| description |
| "Defines nodes for mapping certificates to names. Modules |
| that use this grouping should describe how the resulting |
| name is used."; |
| list cert-to-name { |
| key "id"; |
| description |
| "This list defines how certificates are mapped to names. |
| The name is derived by considering each cert-to-name |
| list entry in order. The cert-to-name entry's fingerprint |
| determines whether the list entry is a match: |
| |
| 1) If the cert-to-name list entry's fingerprint value |
| matches that of the presented certificate, then consider |
| the list entry a successful match. |
| |
| 2) If the cert-to-name list entry's fingerprint value |
| matches that of a locally held copy of a trusted CA |
| certificate, and that CA certificate was part of the CA |
| certificate chain to the presented certificate, then |
| consider the list entry a successful match. |
| |
| Once a matching cert-to-name list entry has been found, the |
| map-type is used to determine how the name associated with |
| the certificate should be determined. See the map-type |
| leaf's description for details on determining the name value. |
| If it is impossible to determine a name from the cert-to-name |
| list entry's data combined with the data presented in the |
| certificate, then additional cert-to-name list entries MUST |
| be searched to look for another potential match. |
| |
| Security administrators are encouraged to make use of |
| certificates with subjectAltName fields that can be mapped to |
| names so that a single root CA certificate can allow all |
| child certificates' subjectAltName fields to map directly to |
| a name via a 1:1 transformation."; |
| reference |
| "RFC 6353: Transport Layer Security (TLS) Transport Model |
| for the Simple Network Management Protocol (SNMP). |
| SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry"; |
| |
| leaf id { |
| type uint32; |
| description |
| "The id specifies the order in which the entries in the |
| cert-to-name list are searched. Entries with lower |
| numbers are searched first."; |
| reference |
| "RFC 6353: Transport Layer Security (TLS) Transport Model |
| for the Simple Network Management Protocol |
| (SNMP). |
| SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID"; |
| |
| } |
| |
| leaf fingerprint { |
| type tls-fingerprint; |
| mandatory true; |
| description |
| "Specifies a value with which the fingerprint of the |
| full certificate presented by the peer is compared. If |
| the fingerprint of the full certificate presented by the |
| peer does not match the fingerprint configured, then the |
| entry is skipped, and the search for a match continues."; |
| reference |
| "RFC 6353: Transport Layer Security (TLS) Transport Model |
| for the Simple Network Management Protocol |
| (SNMP). |
| SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint"; |
| |
| } |
| |
| leaf map-type { |
| type identityref { |
| base cert-to-name; |
| } |
| mandatory true; |
| description |
| "Specifies the algorithm used to map the certificate |
| presented by the peer to a name. |
| |
| Mappings that need additional configuration objects should |
| use the 'when' statement to make them conditional based on |
| the map-type."; |
| reference |
| "RFC 6353: Transport Layer Security (TLS) Transport Model |
| for the Simple Network Management Protocol |
| (SNMP). |
| SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType"; |
| |
| } |
| |
| leaf name { |
| when |
| "../map-type = 'x509c2n:specified'"; |
| type string; |
| mandatory true; |
| description |
| "Directly specifies the NETCONF username when the |
| map-type is 'specified'."; |
| reference |
| "RFC 6353: Transport Layer Security (TLS) Transport Model |
| for the Simple Network Management Protocol |
| (SNMP). |
| SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData"; |
| |
| } |
| } // list cert-to-name |
| } // grouping cert-to-name |
| } // module ietf-x509-cert-to-name |