Blame - modules/ietf-x509-cert-to-name.yang - github/CESNET/libnetconf2

blob: 53b5484adc18a92a520fc4860f07567f2c5a1ae3 [file] [log] [blame]

roman	c1d2b09	2023-02-02 08:58:27 +0100	[diff] [blame]	1	module ietf-x509-cert-to-name {
				2
				3	yang-version 1;
				4
				5	namespace
				6	"urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name";
				7
				8	prefix x509c2n;
				9
				10	import ietf-yang-types {
				11	prefix yang;
				12	}
				13
				14	organization
				15	"IETF NETMOD (NETCONF Data Modeling Language) Working Group";
				16
				17	contact
				18	"WG Web: <http://tools.ietf.org/wg/netmod/>
				19	WG List: <mailto:netmod@ietf.org>
				20
				21	WG Chair: Thomas Nadeau
				22	<mailto:tnadeau@lucidvision.com>
				23
				24	WG Chair: Juergen Schoenwaelder
				25	<mailto:j.schoenwaelder@jacobs-university.de>
				26
				27	Editor: Martin Bjorklund
				28	<mailto:mbj@tail-f.com>
				29
				30	Editor: Juergen Schoenwaelder
				31	<mailto:j.schoenwaelder@jacobs-university.de>";
				32
				33	description
				34	"This module contains a collection of YANG definitions for
				35	extracting a name from an X.509 certificate.
				36	The algorithm used to extract a name from an X.509 certificate
				37	was first defined in RFC 6353.
				38
				39	Copyright (c) 2014 IETF Trust and the persons identified as
				40	authors of the code. All rights reserved.
				41
				42	Redistribution and use in source and binary forms, with or
				43	without modification, is permitted pursuant to, and subject
				44	to the license terms contained in, the Simplified BSD License
				45	set forth in Section 4.c of the IETF Trust's Legal Provisions
				46	Relating to IETF Documents
				47	(http://trustee.ietf.org/license-info).
				48
				49	This version of this YANG module is part of RFC 7407; see
				50	the RFC itself for full legal notices.";
				51
				52	reference
				53	"RFC 6353: Transport Layer Security (TLS) Transport Model for
				54	the Simple Network Management Protocol (SNMP)";
				55
				56
				57	revision "2014-12-10" {
				58	description "Initial revision.";
				59	reference
				60	"RFC 7407: A YANG Data Model for SNMP Configuration";
				61
				62	}
				63
				64
				65	typedef tls-fingerprint {
				66	type yang:hex-string {
				67	pattern
				68	'([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}';
				69	}
				70	description
				71	"A fingerprint value that can be used to uniquely reference
				72	other data of potentially arbitrary length.
				73
				74	A tls-fingerprint value is composed of a 1-octet hashing
				75	algorithm identifier followed by the fingerprint value. The
				76	first octet value identifying the hashing algorithm is taken
				77	from the IANA 'TLS HashAlgorithm Registry' (RFC 5246). The
				78	remaining octets are filled using the results of the hashing
				79	algorithm.";
				80	reference
				81	"RFC 6353: Transport Layer Security (TLS) Transport Model
				82	for the Simple Network Management Protocol (SNMP).
				83	SNMP-TLS-TM-MIB.SnmpTLSFingerprint";
				84
				85	}
				86
				87	identity cert-to-name {
				88	description
				89	"Base identity for algorithms to derive a name from a
				90	certificate.";
				91	}
				92
				93	identity specified {
				94	base cert-to-name;
				95	description
				96	"Directly specifies the name to be used for the certificate.
				97	The value of the leaf 'name' in the cert-to-name list is
				98	used.";
				99	reference
				100	"RFC 6353: Transport Layer Security (TLS) Transport Model
				101	for the Simple Network Management Protocol (SNMP).
				102	SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";
				103
				104	}
				105
				106	identity san-rfc822-name {
				107	base cert-to-name;
				108	description
				109	"Maps a subjectAltName's rfc822Name to a name. The local part
				110	of the rfc822Name is passed unaltered, but the host-part of
				111	the name must be passed in lowercase. For example, the
				112	rfc822Name field FooBar@Example.COM is mapped to name
				113	FooBar@example.com.";
				114	reference
				115	"RFC 6353: Transport Layer Security (TLS) Transport Model
				116	for the Simple Network Management Protocol (SNMP).
				117	SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name";
				118
				119	}
				120
				121	identity san-dns-name {
				122	base cert-to-name;
				123	description
				124	"Maps a subjectAltName's dNSName to a name after first
				125	converting it to all lowercase (RFC 5280 does not specify
				126	converting to lowercase, so this involves an extra step).
				127	This mapping results in a 1:1 correspondence between
				128	subjectAltName dNSName values and the name values.";
				129	reference
				130	"RFC 6353: Transport Layer Security (TLS) Transport Model
				131	for the Simple Network Management Protocol (SNMP).
				132	SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName";
				133
				134	}
				135
				136	identity san-ip-address {
				137	base cert-to-name;
				138	description
				139	"Maps a subjectAltName's iPAddress to a name by
				140	transforming the binary-encoded address as follows:
				141
				142	1) for IPv4, the value is converted into a
				143	decimal-dotted quad address (e.g., '192.0.2.1').
				144
				145	2) for IPv6 addresses, the value is converted into a
				146	32-character, all-lowercase hexadecimal string
				147	without any colon separators.
				148
				149	This mapping results in a 1:1 correspondence between
				150	subjectAltName iPAddress values and the name values.";
				151	reference
				152	"RFC 6353: Transport Layer Security (TLS) Transport Model
				153	for the Simple Network Management Protocol (SNMP).
				154	SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
				155
				156	}
				157
				158	identity san-any {
				159	base cert-to-name;
				160	description
				161	"Maps any of the following fields using the corresponding
				162	mapping algorithms:
				163
				164	+------------+-----------------+
				165	\| Type \| Algorithm \|
				166	\|------------+-----------------\|
				167	\| rfc822Name \| san-rfc822-name \|
				168	\| dNSName \| san-dns-name \|
				169	\| iPAddress \| san-ip-address \|
				170	+------------+-----------------+
				171
				172	The first matching subjectAltName value found in the
				173	certificate of the above types MUST be used when deriving
				174	the name. The mapping algorithm specified in the
				175	'Algorithm' column MUST be used to derive the name.
				176
				177	This mapping results in a 1:1 correspondence between
				178	subjectAltName values and name values. The three sub-mapping
				179	algorithms produced by this combined algorithm cannot produce
				180	conflicting results between themselves.";
				181	reference
				182	"RFC 6353: Transport Layer Security (TLS) Transport Model
				183	for the Simple Network Management Protocol (SNMP).
				184	SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";
				185
				186	}
				187
				188	identity common-name {
				189	base cert-to-name;
				190	description
				191	"Maps a certificate's CommonName to a name after converting
				192	it to a UTF-8 encoding. The usage of CommonNames is
				193	deprecated, and users are encouraged to use subjectAltName
				194	mapping methods instead. This mapping results in a 1:1
				195	correspondence between certificate CommonName values and name
				196	values.";
				197	reference
				198	"RFC 6353: Transport Layer Security (TLS) Transport Model
				199	for the Simple Network Management Protocol (SNMP).
				200	SNMP-TLS-TM-MIB.snmpTlstmCertCommonName";
				201
				202	}
				203
				204	grouping cert-to-name {
				205	description
				206	"Defines nodes for mapping certificates to names. Modules
				207	that use this grouping should describe how the resulting
				208	name is used.";
				209	list cert-to-name {
				210	key "id";
				211	description
				212	"This list defines how certificates are mapped to names.
				213	The name is derived by considering each cert-to-name
				214	list entry in order. The cert-to-name entry's fingerprint
				215	determines whether the list entry is a match:
				216
				217	1) If the cert-to-name list entry's fingerprint value
				218	matches that of the presented certificate, then consider
				219	the list entry a successful match.
				220
				221	2) If the cert-to-name list entry's fingerprint value
				222	matches that of a locally held copy of a trusted CA
				223	certificate, and that CA certificate was part of the CA
				224	certificate chain to the presented certificate, then
				225	consider the list entry a successful match.
				226
				227	Once a matching cert-to-name list entry has been found, the
				228	map-type is used to determine how the name associated with
				229	the certificate should be determined. See the map-type
				230	leaf's description for details on determining the name value.
				231	If it is impossible to determine a name from the cert-to-name
				232	list entry's data combined with the data presented in the
				233	certificate, then additional cert-to-name list entries MUST
				234	be searched to look for another potential match.
				235
				236	Security administrators are encouraged to make use of
				237	certificates with subjectAltName fields that can be mapped to
				238	names so that a single root CA certificate can allow all
				239	child certificates' subjectAltName fields to map directly to
				240	a name via a 1:1 transformation.";
				241	reference
				242	"RFC 6353: Transport Layer Security (TLS) Transport Model
				243	for the Simple Network Management Protocol (SNMP).
				244	SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";
				245
				246	leaf id {
				247	type uint32;
				248	description
				249	"The id specifies the order in which the entries in the
				250	cert-to-name list are searched. Entries with lower
				251	numbers are searched first.";
				252	reference
				253	"RFC 6353: Transport Layer Security (TLS) Transport Model
				254	for the Simple Network Management Protocol
				255	(SNMP).
				256	SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
				257
				258	}
				259
				260	leaf fingerprint {
				261	type tls-fingerprint;
				262	mandatory true;
				263	description
				264	"Specifies a value with which the fingerprint of the
				265	full certificate presented by the peer is compared. If
				266	the fingerprint of the full certificate presented by the
				267	peer does not match the fingerprint configured, then the
				268	entry is skipped, and the search for a match continues.";
				269	reference
				270	"RFC 6353: Transport Layer Security (TLS) Transport Model
				271	for the Simple Network Management Protocol
				272	(SNMP).
				273	SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
				274
				275	}
				276
				277	leaf map-type {
				278	type identityref {
				279	base cert-to-name;
				280	}
				281	mandatory true;
				282	description
				283	"Specifies the algorithm used to map the certificate
				284	presented by the peer to a name.
				285
				286	Mappings that need additional configuration objects should
				287	use the 'when' statement to make them conditional based on
				288	the map-type.";
				289	reference
				290	"RFC 6353: Transport Layer Security (TLS) Transport Model
				291	for the Simple Network Management Protocol
				292	(SNMP).
				293	SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType";
				294
				295	}
				296
				297	leaf name {
				298	when
				299	"../map-type = 'x509c2n:specified'";
				300	type string;
				301	mandatory true;
				302	description
				303	"Directly specifies the NETCONF username when the
				304	map-type is 'specified'.";
				305	reference
				306	"RFC 6353: Transport Layer Security (TLS) Transport Model
				307	for the Simple Network Management Protocol
				308	(SNMP).
				309	SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";
				310
				311	}
				312	} // list cert-to-name
				313	} // grouping cert-to-name
				314	} // module ietf-x509-cert-to-name