Gitiles
Code Review Sign In
gerrit.cesnet.cz / github / CESNET / libnetconf2 / 4cb8bb18ae6ac6493e7b0541573390935c20cb86 / . / modules / ietf-truststore@2023-04-17.yang
blob: cd0d875f1c68aec55b4e8d80f834e8cc17f4513a [file] [log] [blame]
romanc1d2b092023-02-02 08:58:27 +0100[diff] [blame]1module ietf-truststore {
2 yang-version 1.1;
3 namespace "urn:ietf:params:xml:ns:yang:ietf-truststore";
4 prefix ts;
5
6 import ietf-netconf-acm {
7 prefix nacm;
8 reference
9 "RFC 8341: Network Configuration Access Control Model";
10 }
11
12 import ietf-crypto-types {
13 prefix ct;
14 reference
15 "RFC AAAA: YANG Data Types and Groupings for Cryptography";
16 }
17
18 organization
19 "IETF NETCONF (Network Configuration) Working Group";
20
21 contact
22 "WG Web : https://datatracker.ietf.org/wg/netconf
23 WG List : NETCONF WG list <mailto:netconf@ietf.org>
24 Author : Kent Watsen <kent+ietf@watsen.net>";
25 description
26 "This module defines a 'truststore' to centralize management
27 of trust anchors including certificates and public keys.
28
roman7fdc84d2023-06-06 13:14:53 +0200[diff] [blame]29 Copyright (c) 2023 IETF Trust and the persons identified
romanc1d2b092023-02-02 08:58:27 +0100[diff] [blame]30 as authors of the code. All rights reserved.
31
32 Redistribution and use in source and binary forms, with
33 or without modification, is permitted pursuant to, and
34 subject to the license terms contained in, the Revised
35 BSD License set forth in Section 4.c of the IETF Trust's
36 Legal Provisions Relating to IETF Documents
37 (https://trustee.ietf.org/license-info).
38
39 This version of this YANG module is part of RFC BBBB
40 (https://www.rfc-editor.org/info/rfcBBBB); see the RFC
41 itself for full legal notices.
42
43 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
44 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
45 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
46 are to be interpreted as described in BCP 14 (RFC 2119)
47 (RFC 8174) when, and only when, they appear in all
48 capitals, as shown here.";
49
roman7fdc84d2023-06-06 13:14:53 +0200[diff] [blame]50 revision 2023-04-17 {
romanc1d2b092023-02-02 08:58:27 +0100[diff] [blame]51 description
52 "Initial version";
53 reference
54 "RFC BBBB: A YANG Data Model for a Truststore";
55 }
56
57 /****************/
58 /* Features */
59 /****************/
60
61 feature central-truststore-supported {
62 description
63 "The 'central-truststore-supported' feature indicates that
64 the server supports the truststore (i.e., implements the
65 'ietf-truststore' module).";
66 }
67
roman7fdc84d2023-06-06 13:14:53 +0200[diff] [blame]68 feature inline-definitions-supported {
romanc1d2b092023-02-02 08:58:27 +0100[diff] [blame]69 description
roman7fdc84d2023-06-06 13:14:53 +0200[diff] [blame]70 "The 'inline-definitions-supported' feature indicates that
romanc1d2b092023-02-02 08:58:27 +0100[diff] [blame]71 the server supports locally-defined trust anchors.";
72 }
73 feature certificates {
74 description
75 "The 'certificates' feature indicates that the server
76 implements the /truststore/certificate-bags subtree.";
77 }
78
79 feature public-keys {
80 description
81 "The 'public-keys' feature indicates that the server
82 implements the /truststore/public-key-bags subtree.";
83 }
84
85 /****************/
86 /* Typedefs */
87 /****************/
88
89 typedef certificate-bag-ref {
90 type leafref {
91 path "/ts:truststore/ts:certificate-bags/"
92 + "ts:certificate-bag/ts:name";
93 }
94 description
95 "This typedef defines a reference to a certificate bag
96 in the truststore, when this module is implemented.";
97 }
98
99 typedef certificate-ref {
100 type leafref {
101 path "/ts:truststore/ts:certificate-bags/ts:certificate-bag"
102 + "[ts:name = current()/../ts:certificate-bag]/"
103 + "ts:certificate/ts:name";
104 }
105 description
106 "This typedef defines a reference to a specific certificate
107 in a certificate bag in the truststore, when this module
108 is implemented. This typedef requires that there exist a
109 sibling 'leaf' node called 'certificate-bag' that SHOULD
110 have the typedef 'certificate-bag-ref'.";
111 }
112
113 typedef public-key-bag-ref {
114 type leafref {
115 path "/ts:truststore/ts:public-key-bags/"
116 + "ts:public-key-bag/ts:name";
117 }
118 description
119 "This typedef defines a reference to a public key bag
120 in the truststore, when this module is implemented.";
121 }
122
123 typedef public-key-ref {
124 type leafref {
125 path "/ts:truststore/ts:public-key-bags/ts:public-key-bag"
126 + "[ts:name = current()/../ts:public-key-bag]/"
127 + "ts:public-key/ts:name";
128 }
129 description
130 "This typedef defines a reference to a specific public key
131 in a public key bag in the truststore, when this module is
132 implemented. This typedef requires that there exist a
133 sibling 'leaf' node called 'public-key-bag' that SHOULD
134 have the typedef 'public-key-bag-ref'.";
135 }
136
137 /*****************/
138 /* Groupings */
139 /*****************/
140
roman7fdc84d2023-06-06 13:14:53 +0200[diff] [blame]141 grouping inline-or-truststore-certs-grouping {
romanc1d2b092023-02-02 08:58:27 +0100[diff] [blame]142 description
143 "A grouping that allows the certificates to be either
144 configured locally, within the using data model, or be a
145 reference to a certificate bag stored in the truststore.
146
147 Servers that do not 'implement' this module, and hence
148 'central-truststore-supported' is not defined, SHOULD
149 augment in custom 'case' statements enabling references
150 to the alternate truststore locations.";
roman7fdc84d2023-06-06 13:14:53 +0200[diff] [blame]151 choice inline-or-truststore {
romanc1d2b092023-02-02 08:58:27 +0100[diff] [blame]152 nacm:default-deny-write;
153 mandatory true;
154 description
155 "A choice between an inlined definition and a definition
156 that exists in the truststore.";
roman7fdc84d2023-06-06 13:14:53 +0200[diff] [blame]157 case inline {
158 if-feature "inline-definitions-supported";
159 container inline-definition {
romanc1d2b092023-02-02 08:58:27 +0100[diff] [blame]160 description
161 "A container for locally configured trust anchor
162 certificates.";
163 list certificate {
164 key "name";
165 min-elements 1;
166 description
167 "A trust anchor certificate.";
168 leaf name {
169 type string;
170 description
171 "An arbitrary name for this certificate.";
172 }
173 uses ct:trust-anchor-cert-grouping {
174 refine "cert-data" {
175 mandatory true;
176 }
177 }
178 }
179 }
180 }
181 case truststore {
182 if-feature "central-truststore-supported";
183 if-feature "certificates";
184 leaf truststore-reference {
185 type ts:certificate-bag-ref;
186 description
187 "A reference to a certificate bag that exists in the
188 truststore, when this module is implemented.";
189 }
190 }
191 }
192 }
193
roman7fdc84d2023-06-06 13:14:53 +0200[diff] [blame]194 grouping inline-or-truststore-public-keys-grouping {
romanc1d2b092023-02-02 08:58:27 +0100[diff] [blame]195 description
196 "A grouping that allows the public keys to be either
197 configured locally, within the using data model, or be a
198 reference to a public key bag stored in the truststore.
199
200 Servers that do not 'implement' this module, and hence
201 'central-truststore-supported' is not defined, SHOULD
202 augment in custom 'case' statements enabling references
203 to the alternate truststore locations.";
roman7fdc84d2023-06-06 13:14:53 +0200[diff] [blame]204 choice inline-or-truststore {
romanc1d2b092023-02-02 08:58:27 +0100[diff] [blame]205 nacm:default-deny-write;
206 mandatory true;
207 description
208 "A choice between an inlined definition and a definition
209 that exists in the truststore.";
roman7fdc84d2023-06-06 13:14:53 +0200[diff] [blame]210 case inline {
211 if-feature "inline-definitions-supported";
212 container inline-definition {
romanc1d2b092023-02-02 08:58:27 +0100[diff] [blame]213 description
214 "A container to hold local public key definitions.";
215 list public-key {
216 key "name";
217 description
218 "A public key definition.";
219 leaf name {
220 type string;
221 description
222 "An arbitrary name for this public key.";
223 }
224 uses ct:public-key-grouping;
225 }
226 }
227 }
228 case truststore {
229 if-feature "central-truststore-supported";
230 if-feature "public-keys";
231 leaf truststore-reference {
232 type ts:public-key-bag-ref;
233 description
234 "A reference to a bag of public keys that exists
235 in the truststore, when this module is implemented.";
236 }
237 }
238 }
239 }
240
241 grouping truststore-grouping {
242 description
243 "A grouping definition that enables use in other contexts.
244 Where used, implementations MUST augment new 'case'
roman7fdc84d2023-06-06 13:14:53 +0200[diff] [blame]245 statements into the various inline-or-truststore 'choice'
romanc1d2b092023-02-02 08:58:27 +0100[diff] [blame]246 statements to supply leafrefs to the model-specific
247 location(s).";
248 container certificate-bags {
249 nacm:default-deny-write;
250 if-feature "certificates";
251 description
252 "A collection of certificate bags.";
253 list certificate-bag {
254 key "name";
255 description
256 "A bag of certificates. Each bag of certificates SHOULD
257 be for a specific purpose. For instance, one bag could
258 be used to authenticate a specific set of servers, while
259 another could be used to authenticate a specific set of
260 clients.";
261 leaf name {
262 type string;
263 description
264 "An arbitrary name for this bag of certificates.";
265 }
266 leaf description {
267 type string;
268 description
269 "A description for this bag of certificates. The
270 intended purpose for the bag SHOULD be described.";
271 }
272 list certificate {
273 key "name";
274 description
275 "A trust anchor certificate.";
276 leaf name {
277 type string;
278 description
279 "An arbitrary name for this certificate.";
280 }
281 uses ct:trust-anchor-cert-grouping {
282 refine "cert-data" {
283 mandatory true;
284 }
285 }
286 }
287 }
288 }
289 container public-key-bags {
290 nacm:default-deny-write;
291 if-feature "public-keys";
292 description
293 "A collection of public key bags.";
294 list public-key-bag {
295 key "name";
296 description
297 "A bag of public keys. Each bag of keys SHOULD be for
298 a specific purpose. For instance, one bag could be used
299 authenticate a specific set of servers, while another
300 could be used to authenticate a specific set of clients.";
301 leaf name {
302 type string;
303 description
304 "An arbitrary name for this bag of public keys.";
305 }
306 leaf description {
307 type string;
308 description
309 "A description for this bag public keys. The
310 intended purpose for the bag SHOULD be described.";
311 }
312 list public-key {
313 key "name";
314 description
315 "A public key.";
316 leaf name {
317 type string;
318 description
319 "An arbitrary name for this public key.";
320 }
321 uses ct:public-key-grouping;
322 }
323 }
324 }
325 }
326
327 /*********************************/
328 /* Protocol accessible nodes */
329 /*********************************/
330
331 container truststore {
332 if-feature central-truststore-supported;
333 nacm:default-deny-write;
334 description
335 "The truststore contains bags of certificates and
336 public keys.";
337 uses truststore-grouping;
338 }
339}