[email protected] Maven / Gradle / Ivy
The newest version!
module ietf-tls-common {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common";
prefix tlscmn;
import iana-tls-cipher-suite-algs {
prefix tlscsa;
reference
"RFC 9645: YANG Groupings for TLS Clients and TLS Servers";
}
import ietf-crypto-types {
prefix ct;
reference
"RFC 9640: YANG Data Types and Groupings for Cryptography";
}
import ietf-keystore {
prefix ks;
reference
"RFC 9642: A YANG Data Model for a Keystore";
}
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
"WG List: NETCONF WG list <mailto:[email protected]>
WG Web: https://datatracker.ietf.org/wg/netconf
Author: Kent Watsen <mailto:[email protected]>
Author: Jeff Hartley <mailto:[email protected]>
Author: Gary Wu <mailto:[email protected]>";
description
"This module defines common features and groupings for
Transport Layer Security (TLS).
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.
Copyright (c) 2024 IETF Trust and the persons identified
as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Revised
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 9645
(https://www.rfc-editor.org/info/rfc9645); see the RFC
itself for full legal notices.";
revision 2024-10-10 {
description
"Initial version.";
reference
"RFC 9645: YANG Groupings for TLS Clients and TLS Servers";
}
// Features
feature tls12 {
description
"TLS Protocol Version 1.2 is supported. TLS 1.2 is obsolete,
and thus it is NOT RECOMMENDED to enable this feature.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
feature tls13 {
description
"TLS Protocol Version 1.3 is supported.";
reference
"RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3";
}
feature hello-params {
description
"TLS hello message parameters are configurable.";
}
feature algorithm-discovery {
description
"Indicates that the server implements the
'supported-algorithms' container.";
}
feature asymmetric-key-pair-generation {
description
"Indicates that the server implements the
'generate-asymmetric-key-pair' RPC.";
}
// Identities
identity tls-version-base {
description
"Base identity used to identify TLS protocol versions.";
}
identity tls12 {
if-feature "tls12";
base tls-version-base;
description
"TLS Protocol Version 1.2.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity tls13 {
if-feature "tls13";
base tls-version-base;
description
"TLS Protocol Version 1.3.";
reference
"RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3";
}
// Typedefs
typedef epsk-supported-hash {
type enumeration {
enum sha-256 {
description
"The SHA-256 hash.";
}
enum sha-384 {
description
"The SHA-384 hash.";
}
}
description
"As per Section 4.2.11 of RFC 8446, the hash algorithm
supported by an instance of an External Pre-Shared
Key (EPSK).";
reference
"RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3";
}
// Groupings
grouping hello-params-grouping {
description
"A reusable grouping for TLS hello message parameters.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2
RFC 8446: The Transport Layer Security (TLS) Protocol
Version 1.3";
container tls-versions {
description
"Parameters limiting which TLS versions, amongst
those enabled by 'features', are presented during
the TLS handshake.";
leaf min {
type identityref {
base tls-version-base;
}
description
"If not specified, then there is no configured
minimum version.";
}
leaf max {
type identityref {
base tls-version-base;
}
description
"If not specified, then there is no configured
maximum version.";
}
}
container cipher-suites {
description
"Parameters regarding cipher suites.";
leaf-list cipher-suite {
type tlscsa:tls-cipher-suite-algorithm;
ordered-by user;
description
"Acceptable cipher suites in order of descending
preference. The configured host key algorithms should
be compatible with the algorithm used by the configured
private key. Please see Section 5 of RFC 9645 for
valid combinations.
If this leaf-list is not configured (has zero elements),
the acceptable cipher suites are implementation-
defined.";
reference
"RFC 9645: YANG Groupings for TLS Clients and TLS Servers";
}
}
} // hello-params-grouping
// Protocol-accessible Nodes
container supported-algorithms {
if-feature "algorithm-discovery";
config false;
description
"A container for a list of cipher suite algorithms supported
by the server.";
leaf-list supported-algorithm {
type tlscsa:tls-cipher-suite-algorithm;
description
"A cipher suite algorithm supported by the server.";
}
}
rpc generate-asymmetric-key-pair {
if-feature "asymmetric-key-pair-generation";
description
"Requests the device to generate an 'asymmetric-key-pair'
key using the specified key algorithm.";
input {
leaf algorithm {
type tlscsa:tls-cipher-suite-algorithm;
mandatory true;
description
"The cipher suite algorithm that the generated key
works with. Implementations derive the public key
algorithm from the cipher suite algorithm. For
example, cipher suite
'tls-rsa-with-aes-256-cbc-sha256' maps to the RSA
public key.";
}
leaf num-bits {
type uint16;
description
"Specifies the number of bits to create in the key.
For RSA keys, the minimum size is 1024 bits, and
the default is 3072 bits. Generally, 3072 bits is
considered sufficient. DSA keys must be exactly
1024 bits as specified by FIPS 186-2. For
elliptical keys, the 'num-bits' value determines
the key length of the curve (e.g., 256, 384, or 521),
where valid values supported by the server are
conveyed via an unspecified mechanism. For some
public algorithms, the keys have a fixed length, and
thus the 'num-bits' value is not specified.";
}
container private-key-encoding {
description
"Indicates how the private key is to be encoded.";
choice private-key-encoding {
mandatory true;
description
"A choice amongst optional private key handling.";
case cleartext {
if-feature "ct:cleartext-private-keys";
leaf cleartext {
type empty;
description
"Indicates that the private key is to be returned
as a cleartext value.";
}
}
case encrypted {
if-feature "ct:encrypted-private-keys";
container encrypted {
description
"Indicates that the key is to be encrypted using
the specified symmetric or asymmetric key.";
uses ks:encrypted-by-grouping;
}
}
case hidden {
if-feature "ct:hidden-private-keys";
leaf hidden {
type empty;
description
"Indicates that the private key is to be hidden.
Unlike the 'cleartext' and 'encrypt' options, the
key returned is a placeholder for an internally
stored key. See Section 3 of RFC 9642 ('Support
for Built-In Keys') for information about hidden
keys.";
}
}
}
}
}
output {
choice key-or-hidden {
case key {
uses ct:asymmetric-key-pair-grouping;
}
case hidden {
leaf location {
type instance-identifier;
description
"The location to where a hidden key was created.";
}
}
description
"The output can be either a key (for cleartext and
encrypted keys) or the location to where the key
was created (for hidden keys).";
}
}
} // end generate-asymmetric-key-pair
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy