roman | c1d2b09 | 2023-02-02 08:58:27 +0100 | [diff] [blame] | 1 | module ietf-x509-cert-to-name { |
| 2 | |
| 3 | yang-version 1; |
| 4 | |
| 5 | namespace |
| 6 | "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name"; |
| 7 | |
| 8 | prefix x509c2n; |
| 9 | |
| 10 | import ietf-yang-types { |
| 11 | prefix yang; |
| 12 | } |
| 13 | |
| 14 | organization |
| 15 | "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; |
| 16 | |
| 17 | contact |
| 18 | "WG Web: <http://tools.ietf.org/wg/netmod/> |
| 19 | WG List: <mailto:netmod@ietf.org> |
| 20 | |
| 21 | WG Chair: Thomas Nadeau |
| 22 | <mailto:tnadeau@lucidvision.com> |
| 23 | |
| 24 | WG Chair: Juergen Schoenwaelder |
| 25 | <mailto:j.schoenwaelder@jacobs-university.de> |
| 26 | |
| 27 | Editor: Martin Bjorklund |
| 28 | <mailto:mbj@tail-f.com> |
| 29 | |
| 30 | Editor: Juergen Schoenwaelder |
| 31 | <mailto:j.schoenwaelder@jacobs-university.de>"; |
| 32 | |
| 33 | description |
| 34 | "This module contains a collection of YANG definitions for |
| 35 | extracting a name from an X.509 certificate. |
| 36 | The algorithm used to extract a name from an X.509 certificate |
| 37 | was first defined in RFC 6353. |
| 38 | |
| 39 | Copyright (c) 2014 IETF Trust and the persons identified as |
| 40 | authors of the code. All rights reserved. |
| 41 | |
| 42 | Redistribution and use in source and binary forms, with or |
| 43 | without modification, is permitted pursuant to, and subject |
| 44 | to the license terms contained in, the Simplified BSD License |
| 45 | set forth in Section 4.c of the IETF Trust's Legal Provisions |
| 46 | Relating to IETF Documents |
| 47 | (http://trustee.ietf.org/license-info). |
| 48 | |
| 49 | This version of this YANG module is part of RFC 7407; see |
| 50 | the RFC itself for full legal notices."; |
| 51 | |
| 52 | reference |
| 53 | "RFC 6353: Transport Layer Security (TLS) Transport Model for |
| 54 | the Simple Network Management Protocol (SNMP)"; |
| 55 | |
| 56 | |
| 57 | revision "2014-12-10" { |
| 58 | description "Initial revision."; |
| 59 | reference |
| 60 | "RFC 7407: A YANG Data Model for SNMP Configuration"; |
| 61 | |
| 62 | } |
| 63 | |
| 64 | |
// Fingerprint used by the cert-to-name list below to select an entry.
// Lexically: colon-separated hex octets; the first octet names the
// hash algorithm and the rest carry the digest (see description).
typedef tls-fingerprint {
  type yang:hex-string {
    // NOTE(review): the pattern only bounds the total length to
    // 1..255 octets.  It does not tie the digest length to the
    // algorithm octet, and it accepts a value with an algorithm
    // octet and no digest at all.  An implementation should reject
    // a fingerprint whose length does not equal the identified
    // hash's output size instead of comparing a short/truncated
    // digest.
    pattern
      '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}';
  }
  description
    "A fingerprint value that can be used to uniquely reference
     other data of potentially arbitrary length.

     A tls-fingerprint value is composed of a 1-octet hashing
     algorithm identifier followed by the fingerprint value. The
     first octet value identifying the hashing algorithm is taken
     from the IANA 'TLS HashAlgorithm Registry' (RFC 5246). The
     remaining octets are filled using the results of the hashing
     algorithm.";
  // NOTE(review): the RFC 5246 HashAlgorithm registry contains code
  // points for MD5 and SHA-1 as well as the SHA-2 family.  A
  // fingerprint here may stand for a trusted CA certificate (case 2
  // of the cert-to-name list description), so a collision-prone hash
  // lets an attacker-crafted certificate satisfy the match.
  // Deployments should configure, and implementations should accept,
  // only SHA-256 or stronger fingerprints.
  reference
    "RFC 6353: Transport Layer Security (TLS) Transport Model
     for the Simple Network Management Protocol (SNMP).
     SNMP-TLS-TM-MIB.SnmpTLSFingerprint";

}
| 86 | |
// Base identity for the map-type leaf (identityref with base
// cert-to-name).  Any identity derived from it -- including ones
// defined in other modules -- is a syntactically valid map-type.
// NOTE(review): an implementation that meets a derived map-type it
// does not implement should treat the entry as a non-match (and
// ideally refuse it at configuration time) rather than fall back to
// some default name.
identity cert-to-name {
  description
    "Base identity for algorithms to derive a name from a
     certificate.";
}
| 92 | |
// Static mapping: the matched entry's 'name' leaf is the result; the
// certificate is not consulted beyond the fingerprint match.
// NOTE(review): the cert-to-name list also selects an entry when its
// fingerprint is that of a trusted CA on the chain (case 2 of the list
// description).  A CA fingerprint combined with 'specified' therefore
// maps every certificate issued under that CA to the one configured
// name -- a shared identity.  Pair 'specified' with end-entity
// fingerprints unless that sharing is the intent.
identity specified {
  base cert-to-name;
  description
    "Directly specifies the name to be used for the certificate.
     The value of the leaf 'name' in the cert-to-name list is
     used.";
  reference
    "RFC 6353: Transport Layer Security (TLS) Transport Model
     for the Simple Network Management Protocol (SNMP).
     SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";

}
| 105 | |
// rfc822Name SAN -> name.  Only the host part is case-folded; the
// local part is kept byte-for-byte, so 'Alice@example.com' and
// 'alice@example.com' are distinct names.
// NOTE(review): the description does not say which value is used when
// a certificate carries several rfc822Name entries (san-any takes the
// first one found); implementations should document their choice.
// rfc822Name is an IA5String in RFC 5280, so the lowercasing here is
// ASCII-only -- TODO confirm how internationalised addresses, if any,
// are expected to be handled.
identity san-rfc822-name {
  base cert-to-name;
  description
    "Maps a subjectAltName's rfc822Name to a name. The local part
     of the rfc822Name is passed unaltered, but the host-part of
     the name must be passed in lowercase. For example, the
     rfc822Name field FooBar@Example.COM is mapped to name
     FooBar@example.com.";
  reference
    "RFC 6353: Transport Layer Security (TLS) Transport Model
     for the Simple Network Management Protocol (SNMP).
     SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name";

}
| 120 | |
// dNSName SAN -> name, after lowercasing (dNSName is an IA5String in
// RFC 5280, so this is an ASCII case-fold).  Because of the fold,
// dNSNames that differ only in case collapse to one name; the '1:1'
// claim in the description holds between lowercased values and names.
// NOTE(review): wildcard dNSNames ('*.example.com') are not addressed
// here and would map literally; presumably they should be rejected
// for identity purposes -- confirm against the module using this
// grouping.
identity san-dns-name {
  base cert-to-name;
  description
    "Maps a subjectAltName's dNSName to a name after first
     converting it to all lowercase (RFC 5280 does not specify
     converting to lowercase, so this involves an extra step).
     This mapping results in a 1:1 correspondence between
     subjectAltName dNSName values and the name values.";
  reference
    "RFC 6353: Transport Layer Security (TLS) Transport Model
     for the Simple Network Management Protocol (SNMP).
     SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName";

}
| 135 | |
// iPAddress SAN -> name.  The IPv6 form is fixed-width (32 lowercase
// hex digits, no '::' compression, no separators) and IPv4 is a plain
// dotted quad, so both encodings are canonical and the mapping is
// injective.
// NOTE(review): a subjectAltName iPAddress is 4 or 16 octets in
// RFC 5280 (the address+mask forms occur only in name constraints).
// The description gives no rule for other lengths; treat them as
// 'no name derivable', which by the list rules moves the search on
// to the next entry.
identity san-ip-address {
  base cert-to-name;
  description
    "Maps a subjectAltName's iPAddress to a name by
     transforming the binary-encoded address as follows:

     1) for IPv4, the value is converted into a
     decimal-dotted quad address (e.g., '192.0.2.1').

     2) for IPv6 addresses, the value is converted into a
     32-character, all-lowercase hexadecimal string
     without any colon separators.

     This mapping results in a 1:1 correspondence between
     subjectAltName iPAddress values and the name values.";
  reference
    "RFC 6353: Transport Layer Security (TLS) Transport Model
     for the Simple Network Management Protocol (SNMP).
     SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";

}
| 157 | |
// Tries rfc822Name, dNSName and iPAddress SANs; the first SAN of any
// of those three types, in the order they appear in the certificate,
// wins.  Other GeneralName types (otherName, URI, ...) are ignored.
// NOTE(review): SAN order is chosen by the issuing CA, so for a
// certificate carrying several of these types the resulting name
// depends on CA practice.  The "cannot produce conflicting results"
// claim assumes the three name spaces are lexically disjoint; a
// dNSName spelled as dotted digits would map to the same string as
// the corresponding iPAddress, so CA policy should rule that out
// where san-any is used.
identity san-any {
  base cert-to-name;
  description
    "Maps any of the following fields using the corresponding
     mapping algorithms:

     +------------+-----------------+
     | Type | Algorithm |
     |------------+-----------------|
     | rfc822Name | san-rfc822-name |
     | dNSName | san-dns-name |
     | iPAddress | san-ip-address |
     +------------+-----------------+

     The first matching subjectAltName value found in the
     certificate of the above types MUST be used when deriving
     the name. The mapping algorithm specified in the
     'Algorithm' column MUST be used to derive the name.

     This mapping results in a 1:1 correspondence between
     subjectAltName values and name values. The three sub-mapping
     algorithms produced by this combined algorithm cannot produce
     conflicting results between themselves.";
  reference
    "RFC 6353: Transport Layer Security (TLS) Transport Model
     for the Simple Network Management Protocol (SNMP).
     SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";

}
| 187 | |
// Subject CommonName -> name, re-encoded as UTF-8.  The description
// itself deprecates this in favour of the subjectAltName mappings.
// NOTE(review): the description does not say which value is used when
// the subject DN carries more than one CN attribute, nor what happens
// when it carries none.  Implementations should treat both cases as
// 'no name derivable' so the list search continues, rather than
// silently picking one CN.  Which DirectoryString encodings are
// accepted before the UTF-8 conversion is also left open -- TODO
// confirm.
identity common-name {
  base cert-to-name;
  description
    "Maps a certificate's CommonName to a name after converting
     it to a UTF-8 encoding. The usage of CommonNames is
     deprecated, and users are encouraged to use subjectAltName
     mapping methods instead. This mapping results in a 1:1
     correspondence between certificate CommonName values and name
     values.";
  reference
    "RFC 6353: Transport Layer Security (TLS) Transport Model
     for the Simple Network Management Protocol (SNMP).
     SNMP-TLS-TM-MIB.snmpTlstmCertCommonName";

}
| 203 | |
// Reusable list that turns a peer's X.509 certificate into a name.
// Entries are walked in 'id' order; an entry is selected by
// fingerprint (the end-entity certificate, or a trusted CA on its
// chain), then map-type derives the name.  If no name can be derived
// from the selected entry the walk continues with the next entry.
grouping cert-to-name {
  description
    "Defines nodes for mapping certificates to names. Modules
     that use this grouping should describe how the resulting
     name is used.";
  // NOTE(review): two consequences of the rules in the list
  // description that deployments should keep in mind:
  //  - because of the fall-through rule, a later and broader entry
  //    (e.g. a CA fingerprint with san-any) can catch a certificate
  //    that an earlier, narrower entry matched but could not derive a
  //    name for; order and review entries with that in mind.
  //  - case 2 (CA fingerprint) must be evaluated against the chain
  //    the local implementation actually validated to a trusted
  //    anchor, not merely the set of certificates the peer chose to
  //    send in the TLS handshake.
  list cert-to-name {
    key "id";
    description
      "This list defines how certificates are mapped to names.
       The name is derived by considering each cert-to-name
       list entry in order. The cert-to-name entry's fingerprint
       determines whether the list entry is a match:

       1) If the cert-to-name list entry's fingerprint value
       matches that of the presented certificate, then consider
       the list entry a successful match.

       2) If the cert-to-name list entry's fingerprint value
       matches that of a locally held copy of a trusted CA
       certificate, and that CA certificate was part of the CA
       certificate chain to the presented certificate, then
       consider the list entry a successful match.

       Once a matching cert-to-name list entry has been found, the
       map-type is used to determine how the name associated with
       the certificate should be determined. See the map-type
       leaf's description for details on determining the name value.
       If it is impossible to determine a name from the cert-to-name
       list entry's data combined with the data presented in the
       certificate, then additional cert-to-name list entries MUST
       be searched to look for another potential match.

       Security administrators are encouraged to make use of
       certificates with subjectAltName fields that can be mapped to
       names so that a single root CA certificate can allow all
       child certificates' subjectAltName fields to map directly to
       a name via a 1:1 transformation.";
    reference
      "RFC 6353: Transport Layer Security (TLS) Transport Model
       for the Simple Network Management Protocol (SNMP).
       SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";

    // List key; its numeric value only fixes the search order.
    leaf id {
      type uint32;
      description
        "The id specifies the order in which the entries in the
         cert-to-name list are searched. Entries with lower
         numbers are searched first.";
      reference
        "RFC 6353: Transport Layer Security (TLS) Transport Model
         for the Simple Network Management Protocol
         (SNMP).
         SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";

    }

    // NOTE(review): this description speaks only of the peer's own
    // certificate, but the list description above also accepts a
    // match on a trusted CA certificate in the chain; read the two
    // together.  The hash algorithm is the first octet of the value
    // (see tls-fingerprint); avoid MD5/SHA-1 entries, above all for
    // CA certificates, where a collision lets an attacker-crafted
    // certificate satisfy the match.
    leaf fingerprint {
      type tls-fingerprint;
      mandatory true;
      description
        "Specifies a value with which the fingerprint of the
         full certificate presented by the peer is compared. If
         the fingerprint of the full certificate presented by the
         peer does not match the fingerprint configured, then the
         entry is skipped, and the search for a match continues.";
      reference
        "RFC 6353: Transport Layer Security (TLS) Transport Model
         for the Simple Network Management Protocol
         (SNMP).
         SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";

    }

    // Which derivation algorithm applies once this entry matched.
    // Leaves carrying extra data for one map-type are expected to be
    // guarded by a 'when' on this leaf, as 'name' is below.
    leaf map-type {
      type identityref {
        base cert-to-name;
      }
      mandatory true;
      description
        "Specifies the algorithm used to map the certificate
         presented by the peer to a name.

         Mappings that need additional configuration objects should
         use the 'when' statement to make them conditional based on
         the map-type.";
      reference
        "RFC 6353: Transport Layer Security (TLS) Transport Model
         for the Simple Network Management Protocol
         (SNMP).
         SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType";

    }

    // Present (and mandatory) only for map-type 'specified'.  The
    // 'when' is a string comparison against the identityref's
    // canonical form, so only exactly x509c2n:specified enables it.
    // NOTE(review): 'type string' carries no length or character
    // restriction.  The 'NETCONF username' wording in the description
    // reflects the NETCONF/SNMP use of this grouping; whatever syntax
    // the using module requires of a name is not enforced here and
    // must be checked by that module or at configuration time.
    leaf name {
      when
        "../map-type = 'x509c2n:specified'";
      type string;
      mandatory true;
      description
        "Directly specifies the NETCONF username when the
         map-type is 'specified'.";
      reference
        "RFC 6353: Transport Layer Security (TLS) Transport Model
         for the Simple Network Management Protocol
         (SNMP).
         SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";

    }
  } // list cert-to-name
} // grouping cert-to-name
| 314 | } // module ietf-x509-cert-to-name |