| module ietf-system-tls-auth { |
| |
| yang-version 1; |
| |
| namespace |
| "urn:ietf:params:xml:ns:yang:ietf-system-tls-auth"; |
| |
| prefix system-tls-auth; |
| |
| import ietf-system { |
| prefix sys; |
| } |
| import ietf-netconf-acm { |
| prefix nacm; |
| } |
| import ietf-yang-types { |
| prefix yang; |
| } |
| import ietf-x509-cert-to-name { |
| prefix x509c2n; |
| } |
| |
| organization |
| "IETF NETCONF (Network Configuration) Working Group"; |
| |
| contact |
| "WG Web: <http://tools.ietf.org/wg/netconf/> |
| WG List: <mailto:netconf@ietf.org> |
| |
| WG Chair: Mehmet Ersue |
| <mailto:mehmet.ersue@nsn.com> |
| |
| WG Chair: Bert Wijnen |
| <mailto:bertietf@bwijnen.net> |
| |
| Editor: Kent Watsen |
| <mailto:kwatsen@juniper.net> |
| |
| Juergen Schoenwaelder |
| <mailto:j.schoenwaelder@jacobs-university.de>"; |
| |
| description |
| "This module augments the ietf-system module in order to |
| add TLS authentication configuration nodes to the |
| 'authentication' container. |
| |
| Copyright (c) 2014 IETF Trust and the persons identified as |
| authors of the code. All rights reserved. |
| |
| Redistribution and use in source and binary forms, with or |
| without modification, is permitted pursuant to, and subject |
| to the license terms contained in, the Simplified BSD |
| License set forth in Section 4.c of the IETF Trust's |
| Legal Provisions Relating to IETF Documents |
| (http://trustee.ietf.org/license-info). |
| |
| This version of this YANG module is part of RFC XXXX; see |
| the RFC itself for full legal notices."; |
| |
| revision "2014-05-24" { |
| description "Initial version"; |
| reference |
| "RFC XXXX: NETCONF Server Configuration Model"; |
| |
| } |
| |
| |
| feature tls-map-certificates { |
| description |
| "The tls-map-certificates feature indicates that the |
| NETCONF server implements mapping X.509 certificates to NETCONF |
| usernames."; |
| } |
| |
| feature tls-map-pre-shared-keys { |
| description |
| "The tls-map-pre-shared-keys feature indicates that the |
| NETCONF server implements mapping TLS pre-shared keys to NETCONF |
| usernames."; |
| } |
| |
| grouping tls-global-config { |
| container trusted-ca-certs { |
| description |
| "A list of Certificate Authority (CA) certificates that a |
| NETCONF server can use to authenticate a NETCONF client's |
| certificate. A client's certificate is authenticated if |
| its Issuer matches one of the configured trusted CA |
| certificates."; |
| leaf-list trusted-ca-cert { |
| type binary; |
| description |
| "The binary certificate structure, as |
| specified by RFC 5246, Section 7.4.6, i.e.,: |
| |
| opaque ASN.1Cert<1..2^24>; |
| |
| "; |
| reference |
| "RFC 5246: The Transport Layer Security (TLS) |
| Protocol Version 1.2"; |
| |
| } |
| } // container trusted-ca-certs |
| |
| container trusted-client-certs { |
| description |
| "A list of client certificates that a NETCONF server can |
| use to authenticate a NETCONF client's certificate. A |
| client's certificate is authenticated if it is an exact |
| match to one of the configured trusted client certificates."; |
| leaf-list trusted-client-cert { |
| type binary; |
| description |
| "The binary certificate structure, as |
| specified by RFC 5246, Section 7.4.6, i.e.,: |
| |
| opaque ASN.1Cert<1..2^24>; |
| |
| "; |
| reference |
| "RFC 5246: The Transport Layer Security (TLS) |
| Protocol Version 1.2"; |
| |
| } |
| } // container trusted-client-certs |
| |
| container cert-maps { |
| if-feature tls-map-certificates; |
| description |
| "The cert-maps container is used by a NETCONF server to |
| map the NETCONF client's presented X.509 certificate to |
| a NETCONF username. |
| |
| If no matching and valid cert-to-name list entry can be |
| found, then the NETCONF server MUST close the connection, |
| and MUST NOT accept NETCONF messages over it."; |
| uses x509c2n:cert-to-name; |
| } // container cert-maps |
| |
| container psk-maps { |
| if-feature tls-map-pre-shared-keys; |
| description |
| "During the TLS Handshake, the client indicates which |
| key to use by including a PSK identity in the TLS |
| ClientKeyExchange message. On the NETCONF server side, |
| this PSK identity is used to look up an entry in the psk-map |
| list. If such an entry is found, and the pre-shared keys |
| match, then the client is authenticated. The NETCONF |
| server uses the value from the user-name leaf in the |
| psk-map list as the NETCONF username. If the NETCONF |
| server cannot find an entry in the psk-map list, or if |
| the pre-shared keys do not match, then the NETCONF |
| server terminates the connection."; |
| reference |
| "RFC 4279: Pre-Shared Key Ciphersuites for Transport Layer |
| Security (TLS)"; |
| |
| list psk-map { |
| key "psk-identity"; |
| leaf psk-identity { |
| type string; |
| description |
| "The PSK identity encoded as a UTF-8 string. For |
| details how certain common PSK identity formats can |
| be encoded in UTF-8, see section 5.1. of RFC 4279."; |
| reference |
| "RFC 4279: Pre-Shared Key Ciphersuites for Transport |
| Layer Security (TLS)"; |
| |
| } |
| |
| leaf user-name { |
| type nacm:user-name-type; |
| mandatory true; |
| description |
| "The NETCONF username associated with this PSK |
| identity."; |
| } |
| |
| leaf not-valid-before { |
| type yang:date-and-time; |
| description |
| "This PSK identity is not valid before the given date |
| and time."; |
| } |
| |
| leaf not-valid-after { |
| type yang:date-and-time; |
| description |
| "This PSK identity is not valid after the given date |
| and time."; |
| } |
| |
| leaf key { |
| // nacm:default-deny-all; |
| type yang:hex-string; |
| mandatory true; |
| description |
| "The key associated with the PSK identity"; |
| reference |
| "RFC 4279: Pre-Shared Key Ciphersuites for Transport |
| Layer Security (TLS)"; |
| |
| } |
| } // list psk-map |
| } // container psk-maps |
| } // grouping tls-global-config |
| |
| augment /sys:system/sys:authentication { |
| container tls { |
| uses tls-global-config; |
| } // container tls |
| } |
| } // module ietf-system-tls-auth |