// Module ietf-system-tls-auth: augments /sys:system/sys:authentication
// with a 'tls' container holding everything a NETCONF-over-TLS server
// needs to authenticate a client: CA trust anchors, pinned client
// certificates, certificate-to-username maps and PSK-to-username maps.
//
// NOTE(review): this is draft-era text (revision "2014-05-24", "RFC XXXX"
// placeholders); every reference is to TLS 1.2 (RFC 5246) and the PSK
// description below is written in terms of the TLS 1.2 handshake.
module ietf-system-tls-auth {

  yang-version 1;

  namespace
    "urn:ietf:params:xml:ns:yang:ietf-system-tls-auth";

  prefix system-tls-auth;

  // The module being augmented; the augment target is
  // /sys:system/sys:authentication at the bottom of this file.
  import ietf-system {
    prefix sys;
  }
  // Used for nacm:user-name-type on the PSK user-name leaf. The same module
  // defines the nacm:default-deny-all extension that is currently commented
  // out on the PSK 'key' leaf (see the SECURITY note there).
  import ietf-netconf-acm {
    prefix nacm;
  }
  // Used for yang:date-and-time (PSK validity window) and yang:hex-string
  // (PSK key material).
  import ietf-yang-types {
    prefix yang;
  }
  // Supplies the cert-to-name grouping reused inside cert-maps.
  import ietf-x509-cert-to-name {
    prefix x509c2n;
  }

  organization
    "IETF NETCONF (Network Configuration) Working Group";

  contact
    "WG Web: <http://tools.ietf.org/wg/netconf/>
     WG List: <mailto:netconf@ietf.org>

     WG Chair: Mehmet Ersue
     <mailto:mehmet.ersue@nsn.com>

     WG Chair: Bert Wijnen
     <mailto:bertietf@bwijnen.net>

     Editor: Kent Watsen
     <mailto:kwatsen@juniper.net>

     Juergen Schoenwaelder
     <mailto:j.schoenwaelder@jacobs-university.de>";

  description
    "This module augments the ietf-system module in order to
     add TLS authentication configuration nodes to the
     'authentication' container.

     Copyright (c) 2014 IETF Trust and the persons identified as
     authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD
     License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  // Single revision; the reference still carries the draft placeholder.
  revision "2014-05-24" {
    description "Initial version";
    reference
      "RFC XXXX: NETCONF Server Configuration Model";

  }


  // Advertising this feature makes the cert-maps container available, i.e.
  // the server claims it can derive a NETCONF username from a client cert.
  feature tls-map-certificates {
    description
      "The tls-map-certificates feature indicates that the
       NETCONF server implements mapping X.509 certificates to NETCONF
       usernames.";
  }

  // Advertising this feature makes the psk-maps container available, i.e.
  // the server claims it supports TLS-PSK client authentication.
  feature tls-map-pre-shared-keys {
    description
      "The tls-map-pre-shared-keys feature indicates that the
       NETCONF server implements mapping TLS pre-shared keys to NETCONF
       usernames.";
  }

  // All TLS authentication config, pulled into /sys:system/sys:authentication
  // by the augment at the end of the module.
  grouping tls-global-config {
    // CA trust anchors: a client cert chaining to one of these is accepted.
    // NOTE(review): the description says a client certificate is
    // authenticated if its "Issuer matches" a trusted CA certificate. An
    // Issuer-name comparison on its own is not a trust decision; the server
    // must also verify the certificate's signature (and any intermediate
    // path) against the trusted CA's key. The text reads as shorthand for
    // full chain validation — confirm against the server implementation.
    container trusted-ca-certs {
      description
        "A list of Certificate Authority (CA) certificates that a
         NETCONF server can use to authenticate a NETCONF client's
         certificate. A client's certificate is authenticated if
         its Issuer matches one of the configured trusted CA
         certificates.";
      // Raw DER certificate bytes (the TLS 1.2 ASN.1Cert structure).
      leaf-list trusted-ca-cert {
        type binary;
        description
          "The binary certificate structure, as
           specified by RFC 5246, Section 7.4.6, i.e.,:

           opaque ASN.1Cert<1..2^24>;

           ";
        reference
          "RFC 5246: The Transport Layer Security (TLS)
           Protocol Version 1.2";

      }
    } // container trusted-ca-certs

    // Certificate pinning: an exact byte-for-byte match with one of these
    // entries authenticates the client without chain building.
    container trusted-client-certs {
      description
        "A list of client certificates that a NETCONF server can
         use to authenticate a NETCONF client's certificate. A
         client's certificate is authenticated if it is an exact
         match to one of the configured trusted client certificates.";
      leaf-list trusted-client-cert {
        type binary;
        description
          "The binary certificate structure, as
           specified by RFC 5246, Section 7.4.6, i.e.,:

           opaque ASN.1Cert<1..2^24>;

           ";
        reference
          "RFC 5246: The Transport Layer Security (TLS)
           Protocol Version 1.2";

      }
    } // container trusted-client-certs

    // Certificate -> NETCONF username mapping. The description is
    // fail-closed: no matching cert-to-name entry means the connection is
    // closed and no NETCONF messages are accepted over it.
    container cert-maps {
      if-feature tls-map-certificates;
      description
        "The cert-maps container is used by a NETCONF server to
         map the NETCONF client's presented X.509 certificate to
         a NETCONF username.

         If no matching and valid cert-to-name list entry can be
         found, then the NETCONF server MUST close the connection,
         and MUST NOT accept NETCONF messages over it.";
      // The actual cert-to-name list comes from ietf-x509-cert-to-name.
      uses x509c2n:cert-to-name;
    } // container cert-maps

    // PSK identity -> NETCONF username mapping, keyed by the identity the
    // client presents during the handshake.
    // NOTE(review): the description is TLS 1.2 specific (PSK identity in
    // ClientKeyExchange). In TLS 1.3 the identity is carried in the
    // ClientHello pre_shared_key extension, so the lookup happens earlier
    // in the handshake; the data model itself is unaffected.
    container psk-maps {
      if-feature tls-map-pre-shared-keys;
      description
        "During the TLS Handshake, the client indicates which
         key to use by including a PSK identity in the TLS
         ClientKeyExchange message. On the NETCONF server side,
         this PSK identity is used to look up an entry in the psk-map
         list. If such an entry is found, and the pre-shared keys
         match, then the client is authenticated. The NETCONF
         server uses the value from the user-name leaf in the
         psk-map list as the NETCONF username. If the NETCONF
         server cannot find an entry in the psk-map list, or if
         the pre-shared keys do not match, then the NETCONF
         server terminates the connection.";
      reference
        "RFC 4279: Pre-Shared Key Ciphersuites for Transport Layer
         Security (TLS)";

      // One entry per PSK identity; the identity is the list key, so the
      // value the (not yet authenticated) client sends is what selects
      // the entry.
      list psk-map {
        key "psk-identity";
        leaf psk-identity {
          type string;
          description
            "The PSK identity encoded as a UTF-8 string. For
             details how certain common PSK identity formats can
             be encoded in UTF-8, see section 5.1. of RFC 4279.";
          reference
            "RFC 4279: Pre-Shared Key Ciphersuites for Transport
             Layer Security (TLS)";

        }

        // Username the session runs as once the PSK matches; required.
        leaf user-name {
          type nacm:user-name-type;
          mandatory true;
          description
            "The NETCONF username associated with this PSK
             identity.";
        }

        // Optional validity window. The schema says nothing about an
        // absent leaf; presumably no lower/upper bound is applied then —
        // confirm against the server's enforcement.
        leaf not-valid-before {
          type yang:date-and-time;
          description
            "This PSK identity is not valid before the given date
             and time.";
        }

        leaf not-valid-after {
          type yang:date-and-time;
          description
            "This PSK identity is not valid after the given date
             and time.";
        }

        // SECURITY: this leaf is the TLS pre-shared secret itself, stored
        // as a hex string and mandatory for every entry. The
        // nacm:default-deny-all statement that would exclude it from
        // read/write access by default is commented out on the next line,
        // so under NACM's default read-default (permit) the key is returned
        // in <get>/<get-config> replies to any user with read access to
        // /sys:system/sys:authentication unless an explicit NACM rule
        // denies it. NOTE(review): re-enabling the extension needs a YANG
        // parser that accepts the nacm extension statement; flagged here
        // rather than changed.
        leaf key {
          // nacm:default-deny-all;
          type yang:hex-string;
          mandatory true;
          description
            "The key associated with the PSK identity";
          reference
            "RFC 4279: Pre-Shared Key Ciphersuites for Transport
             Layer Security (TLS)";

        }
      } // list psk-map
    } // container psk-maps
  } // grouping tls-global-config

  // Hook the grouping into ietf-system under a dedicated 'tls' container.
  augment /sys:system/sys:authentication {
    container tls {
      uses tls-global-config;
    } // container tls
  }
} // module ietf-system-tls-auth