modules/ietf-tls-common@2023-12-28.yang

module ietf-tls-common {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common";
  prefix tlscmn;

  import iana-tls-cipher-suite-algs {
    prefix tlscsa;
    reference
      "RFC FFFF: YANG Groupings for TLS Clients and SSH Servers";
  }

  import ietf-crypto-types {
    prefix ct;
    reference
      "RFC AAAA: YANG Data Types and Groupings for Cryptography";
  }

  import ietf-keystore {
    prefix ks;
    reference
      "RFC CCCC: A YANG Data Model for a Keystore";
  }

  organization
    "IETF NETCONF (Network Configuration) Working Group";

  contact
    "WG List:  NETCONF WG list <mailto:netconf@ietf.org>
     WG Web:   https://datatracker.ietf.org/wg/netconf
     Author:   Kent Watsen <mailto:kent+ietf@watsen.net>
     Author:   Jeff Hartley <mailto:jeff.hartley@commscope.com>
     Author:   Gary Wu <mailto:garywu@cisco.com>";

   description
    "This module defines a common features and groupings for
     Transport Layer Security (TLS).

     Copyright (c) 2023 IETF Trust and the persons identified
     as authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with
     or without modification, is permitted pursuant to, and
     subject to the license terms contained in, the Revised
     BSD License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC FFFF
     (https://www.rfc-editor.org/info/rfcFFFF); see the RFC
     itself for full legal notices.

     The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
     'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
     'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
     are to be interpreted as described in BCP 14 (RFC 2119)
     (RFC 8174) when, and only when, they appear in all
     capitals, as shown here.";

  revision 2023-12-28 {
    description
      "Initial version";
    reference
      "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
  }

  // Features

  feature tls10 {
    status "obsolete";
    description
      "TLS Protocol Version 1.0 is supported.  TLS 1.0 is obsolete
       and thus it is NOT RECOMMENDED to enable this feature.";
    reference
      "RFC 2246: The TLS Protocol Version 1.0";
  }

  feature tls11 {
    status "obsolete";
    description
      "TLS Protocol Version 1.1 is supported.  TLS 1.1 is obsolete
       and thus it is NOT RECOMMENDED to enable this feature.";
    reference
      "RFC 4346: The Transport Layer Security (TLS) Protocol
                 Version 1.1";
  }

  feature tls12 {
    status "deprecated";
    description
      "TLS Protocol Version 1.2 is supported. TLS 1.2 is obsolete
       and thus it is NOT RECOMMENDED to enable this feature.";
    reference
      "RFC 5246: The Transport Layer Security (TLS) Protocol
                 Version 1.2";
  }

  feature tls13 {
    description
      "TLS Protocol Version 1.3 is supported.";
    reference
      "RFC 8446: The Transport Layer Security (TLS)
                 Protocol Version 1.3";
  }

  feature hello-params {
    description
      "TLS hello message parameters are configurable.";
  }

  feature public-key-generation {
    description
      "Indicates that the server implements the
       'generate-public-key' RPC.";
  }

  // Identities

  identity tls-version-base {
    description
      "Base identity used to identify TLS protocol versions.";
  }

  identity tls10 {
    if-feature "tls10";
    base tls-version-base;
    status "obsolete";
    description
      "TLS Protocol Version 1.0.";
    reference
      "RFC 2246: The TLS Protocol Version 1.0";
  }

  identity tls11 {
    if-feature "tls11";
    base tls-version-base;
    status "obsolete";
    description
      "TLS Protocol Version 1.1.";
    reference
      "RFC 4346: The Transport Layer Security (TLS) Protocol
                 Version 1.1";
  }

  identity tls12 {
    if-feature "tls12";
    base tls-version-base;
    status "deprecated";
    description
      "TLS Protocol Version 1.2.";
    reference
      "RFC 5246: The Transport Layer Security (TLS) Protocol
                 Version 1.2";
  }

  identity tls13 {
    if-feature "tls13";
    base tls-version-base;
    description
      "TLS Protocol Version 1.3.";
    reference
      "RFC 8446: The Transport Layer Security (TLS)
                 Protocol Version 1.3";
  }

  // Typedefs

  typedef epsk-supported-hash {
    type enumeration {
      enum sha-256 {
        description
          "The SHA-256 Hash.";
      }
      enum sha-384 {
        description
          "The SHA-384 Hash.";
      }
    }
    description
      "As per Section 4.2.11 of RFC 8446, the hash algorithm
       supported by an instance of an External Pre-Shared
       Key (EPSK).";
    reference
      "RFC 8446: The Transport Layer Security (TLS)
                 Protocol Version 1.3";
  }


  // Groupings

  grouping hello-params-grouping {
    description
      "A reusable grouping for TLS hello message parameters.";
    reference
      "RFC 5246: The Transport Layer Security (TLS) Protocol
                 Version 1.2
       RFC 8446: The Transport Layer Security (TLS) Protocol
                 Version 1.3";
    container tls-versions {
      description
        "Parameters regarding TLS versions.";
      leaf-list tls-version {
        type identityref {
          base tls-version-base;
        }
        ordered-by user;
        description
          "Acceptable TLS protocol versions.

           If this leaf-list is not configured (has zero elements)
           the acceptable TLS protocol versions are implementation-
           defined.";
      }
    }
    container cipher-suites {
      description
        "Parameters regarding cipher suites.";
      leaf-list cipher-suite {
        type identityref {
          base tlscsa:cipher-suite-alg-base;
        }
        ordered-by user;
        description
          "Acceptable cipher suites in order of descending
           preference.  The configured host key algorithms should
           be compatible with the algorithm used by the configured
           private key.  Please see Section 5 of RFC FFFF for
           valid combinations.

           If this leaf-list is not configured (has zero elements)
           the acceptable cipher suites are implementation-
           defined.";
        reference
          "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
      }
    }
  } // hello-params-grouping

  rpc generate-public-key {
    if-feature "public-key-generation";
    description
      "Requests the device to generate an public key using
       the specified key algorithm.";
    input {
      leaf algorithm {
        type tlscsa:cipher-suite-algorithm-ref;
        mandatory true;
        description
          "The cipher suite algorithm that the generated key is
           to work with.  Implementations derive the public key
           algorithm from the cipher suite algorithm.  Example:
           cipher suite 'tls-rsa-with-aes-256-cbc-sha256' maps
           to the RSA public key.";
      }
      leaf num-bits {
        type uint16;
        description
          "Specifies the number of bits in the key to create.
           For RSA keys, the minimum size is 1024 bits and
           the default is 3072 bits. Generally, 3072 bits is
           considered sufficient. DSA keys must be exactly 1024
           bits as specified by FIPS 186-2.  For elliptical
           keys, the 'num-bits' value determines the key length
           of the curve (e.g., 256, 384 or 521), where valid
           values supported by the server are conveyed via an
           unspecified mechanism.  For some public algorithms,
           the keys have a fixed length and thus the 'num-bits'
           value is not specified.";
      }
      container private-key-encoding {
        description
          "Indicates how the private key is to be encoded.";
        choice private-key-encoding {
          mandatory true;
          description
            "A choice amongst optional private key handling.";
          case cleartext {
            if-feature "ct:cleartext-private-keys";
            leaf cleartext {
              type empty;
              description
                "Indicates that the private key is to be returned
                 as a cleartext value.";
            }
          }
          case encrypted {
            if-feature "ct:encrypted-private-keys";
            container encrypted {
              description
                 "Indicates that the key is to be encrypted using
                  the specified symmetric or asymmetric key.";
              uses ks:encrypted-by-grouping;
            }
          }
          case hidden {
            if-feature "ct:hidden-private-keys";
            leaf hidden {
              type empty;
              description
                "Indicates that the private key is to be hidden.

                 Unlike the 'cleartext' and 'encrypt' options, the
                 key returned is a placeholder for an internally
                 stored key.  See the 'Support for Built-in Keys'
                 section in RFC CCCC for information about hidden
                 keys.";
            }
          }
        }
      }
    }
    output {
      uses ct:asymmetric-key-pair-grouping;
    }
  } // end generate-public-key

}