| Gaurav Agrawal | 28920d8 | 2017-10-06 17:39:42 +0530 | [diff] [blame] | 1 | module ietf-x509-cert-to-name { |
| 2 | |
| 3 | namespace "urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name"; |
| 4 | prefix x509c2n; |
| 5 | |
| 6 | import ietf-yang-types { |
| 7 | prefix yang; |
| 8 | } |
| 9 | |
| 10 | organization |
| 11 | "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; |
| 12 | |
| 13 | contact |
| 14 | "WG Web: <http://tools.ietf.org/wg/netmod/> |
| 15 | WG List: <mailto:netmod@ietf.org> |
| 16 | |
| 17 | WG Chair: Thomas Nadeau |
| 18 | <mailto:tnadeau@lucidvision.com> |
| 19 | |
| 20 | WG Chair: Juergen Schoenwaelder |
| 21 | <mailto:j.schoenwaelder@jacobs-university.de> |
| 22 | |
| 23 | Editor: Martin Bjorklund |
| 24 | <mailto:mbj@tail-f.com> |
| 25 | |
| 26 | Editor: Juergen Schoenwaelder |
| 27 | <mailto:j.schoenwaelder@jacobs-university.de>"; |
| 28 | |
| 29 | description |
| 30 | "This module contains a collection of YANG definitions for |
| 31 | extracting a name from an X.509 certificate. |
| 32 | The algorithm used to extract a name from an X.509 certificate |
| 33 | was first defined in RFC 6353. |
| 34 | |
| 35 | Copyright (c) 2014 IETF Trust and the persons identified as |
| 36 | authors of the code. All rights reserved. |
| 37 | |
| 38 | Redistribution and use in source and binary forms, with or |
| 39 | without modification, is permitted pursuant to, and subject |
| 40 | to the license terms contained in, the Simplified BSD License |
| 41 | set forth in Section 4.c of the IETF Trust's Legal Provisions |
| 42 | Relating to IETF Documents |
| 43 | (http://trustee.ietf.org/license-info). |
| 44 | |
| 45 | This version of this YANG module is part of RFC 7407; see |
| 46 | the RFC itself for full legal notices."; |
| 47 | |
| 48 | reference |
| 49 | "RFC 6353: Transport Layer Security (TLS) Transport Model for |
| 50 | the Simple Network Management Protocol (SNMP)"; |
| 51 | |
| 52 | revision 2014-12-10 { |
| 53 | description |
| 54 | "Initial revision."; |
| 55 | reference |
| 56 | "RFC 7407: A YANG Data Model for SNMP Configuration"; |
| 57 | |
| 58 | } |
| 59 | |
| 60 | typedef tls-fingerprint { |
| 61 | type yang:hex-string { |
| 62 | pattern '([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}'; |
| 63 | } |
| 64 | description |
| 65 | "A fingerprint value that can be used to uniquely reference |
| 66 | other data of potentially arbitrary length. |
| 67 | |
| 68 | A tls-fingerprint value is composed of a 1-octet hashing |
| 69 | algorithm identifier followed by the fingerprint value. The |
| 70 | first octet value identifying the hashing algorithm is taken |
| 71 | from the IANA 'TLS HashAlgorithm Registry' (RFC 5246). The |
| 72 | remaining octets are filled using the results of the hashing |
| 73 | algorithm."; |
| 74 | reference |
| 75 | "RFC 6353: Transport Layer Security (TLS) Transport Model |
| 76 | for the Simple Network Management Protocol (SNMP). |
| 77 | SNMP-TLS-TM-MIB.SnmpTLSFingerprint"; |
| 78 | } |
| 79 | |
| 80 | /* Identities */ |
| 81 | |
| 82 | identity cert-to-name { |
| 83 | description |
| 84 | "Base identity for algorithms to derive a name from a |
| 85 | certificate."; |
| 86 | } |
| 87 | |
| 88 | identity specified { |
| 89 | base cert-to-name; |
| 90 | description |
| 91 | "Directly specifies the name to be used for the certificate. |
| 92 | The value of the leaf 'name' in the cert-to-name list is |
| 93 | used."; |
| 94 | reference |
| 95 | "RFC 6353: Transport Layer Security (TLS) Transport Model |
| 96 | for the Simple Network Management Protocol (SNMP). |
| 97 | SNMP-TLS-TM-MIB.snmpTlstmCertSpecified"; |
| 98 | } |
| 99 | |
| 100 | identity san-rfc822-name { |
| 101 | base cert-to-name; |
| 102 | description |
| 103 | "Maps a subjectAltName's rfc822Name to a name. The local part |
| 104 | of the rfc822Name is passed unaltered, but the host-part of |
| 105 | the name must be passed in lowercase. For example, the |
| 106 | rfc822Name field FooBar@Example.COM is mapped to name |
| 107 | FooBar@example.com."; |
| 108 | reference |
| 109 | "RFC 6353: Transport Layer Security (TLS) Transport Model |
| 110 | for the Simple Network Management Protocol (SNMP). |
| 111 | SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name"; |
| 112 | } |
| 113 | |
| 114 | identity san-dns-name { |
| 115 | base cert-to-name; |
| 116 | description |
| 117 | "Maps a subjectAltName's dNSName to a name after first |
| 118 | converting it to all lowercase (RFC 5280 does not specify |
| 119 | converting to lowercase, so this involves an extra step). |
| 120 | This mapping results in a 1:1 correspondence between |
| 121 | subjectAltName dNSName values and the name values."; |
| 122 | reference |
| 123 | "RFC 6353: Transport Layer Security (TLS) Transport Model |
| 124 | for the Simple Network Management Protocol (SNMP). |
| 125 | SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName"; |
| 126 | } |
| 127 | |
| 128 | identity san-ip-address { |
| 129 | base cert-to-name; |
| 130 | description |
| 131 | "Maps a subjectAltName's iPAddress to a name by |
| 132 | transforming the binary-encoded address as follows: |
| 133 | |
| 134 | 1) for IPv4, the value is converted into a |
| 135 | decimal-dotted quad address (e.g., '192.0.2.1'). |
| 136 | |
| 137 | 2) for IPv6 addresses, the value is converted into a |
| 138 | 32-character, all-lowercase hexadecimal string |
| 139 | without any colon separators. |
| 140 | |
| 141 | This mapping results in a 1:1 correspondence between |
| 142 | subjectAltName iPAddress values and the name values."; |
| 143 | reference |
| 144 | "RFC 6353: Transport Layer Security (TLS) Transport Model |
| 145 | for the Simple Network Management Protocol (SNMP). |
| 146 | SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress"; |
| 147 | } |
| 148 | |
| 149 | identity san-any { |
| 150 | base cert-to-name; |
| 151 | description |
| 152 | "Maps any of the following fields using the corresponding |
| 153 | mapping algorithms: |
| 154 | |
| 155 | +------------+-----------------+ |
| 156 | | Type | Algorithm | |
| 157 | |------------+-----------------| |
| 158 | | rfc822Name | san-rfc822-name | |
| 159 | | dNSName | san-dns-name | |
| 160 | | iPAddress | san-ip-address | |
| 161 | +------------+-----------------+ |
| 162 | |
| 163 | The first matching subjectAltName value found in the |
| 164 | certificate of the above types MUST be used when deriving |
| 165 | the name. The mapping algorithm specified in the |
| 166 | 'Algorithm' column MUST be used to derive the name. |
| 167 | |
| 168 | This mapping results in a 1:1 correspondence between |
| 169 | subjectAltName values and name values. The three sub-mapping |
| 170 | algorithms produced by this combined algorithm cannot produce |
| 171 | conflicting results between themselves."; |
| 172 | reference |
| 173 | "RFC 6353: Transport Layer Security (TLS) Transport Model |
| 174 | for the Simple Network Management Protocol (SNMP). |
| 175 | SNMP-TLS-TM-MIB.snmpTlstmCertSANAny"; |
| 176 | } |
| 177 | |
| 178 | identity common-name { |
| 179 | base cert-to-name; |
| 180 | description |
| 181 | "Maps a certificate's CommonName to a name after converting |
| 182 | it to a UTF-8 encoding. The usage of CommonNames is |
| 183 | deprecated, and users are encouraged to use subjectAltName |
| 184 | mapping methods instead. This mapping results in a 1:1 |
| 185 | correspondence between certificate CommonName values and name |
| 186 | values."; |
| 187 | reference |
| 188 | "RFC 6353: Transport Layer Security (TLS) Transport Model |
| 189 | for the Simple Network Management Protocol (SNMP). |
| 190 | SNMP-TLS-TM-MIB.snmpTlstmCertCommonName"; |
| 191 | } |
| 192 | |
| 193 | /* |
| 194 | * Groupings |
| 195 | */ |
| 196 | |
| 197 | grouping cert-to-name { |
| 198 | description |
| 199 | "Defines nodes for mapping certificates to names. Modules |
| 200 | that use this grouping should describe how the resulting |
| 201 | name is used."; |
| 202 | |
| 203 | list cert-to-name { |
| 204 | key id; |
| 205 | description |
| 206 | "This list defines how certificates are mapped to names. |
| 207 | The name is derived by considering each cert-to-name |
| 208 | list entry in order. The cert-to-name entry's fingerprint |
| 209 | determines whether the list entry is a match: |
| 210 | |
| 211 | 1) If the cert-to-name list entry's fingerprint value |
| 212 | matches that of the presented certificate, then consider |
| 213 | the list entry a successful match. |
| 214 | |
| 215 | 2) If the cert-to-name list entry's fingerprint value |
| 216 | matches that of a locally held copy of a trusted CA |
| 217 | certificate, and that CA certificate was part of the CA |
| 218 | certificate chain to the presented certificate, then |
| 219 | consider the list entry a successful match. |
| 220 | |
| 221 | Once a matching cert-to-name list entry has been found, the |
| 222 | map-type is used to determine how the name associated with |
| 223 | the certificate should be determined. See the map-type |
| 224 | leaf's description for details on determining the name value. |
| 225 | If it is impossible to determine a name from the cert-to-name |
| 226 | list entry's data combined with the data presented in the |
| 227 | certificate, then additional cert-to-name list entries MUST |
| 228 | be searched to look for another potential match. |
| 229 | |
| 230 | Security administrators are encouraged to make use of |
| 231 | certificates with subjectAltName fields that can be mapped to |
| 232 | names so that a single root CA certificate can allow all |
| 233 | child certificates' subjectAltName fields to map directly to |
| 234 | a name via a 1:1 transformation."; |
| 235 | reference |
| 236 | "RFC 6353: Transport Layer Security (TLS) Transport Model |
| 237 | for the Simple Network Management Protocol (SNMP). |
| 238 | SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry"; |
| 239 | |
| 240 | leaf id { |
| 241 | type uint32; |
| 242 | description |
| 243 | "The id specifies the order in which the entries in the |
| 244 | cert-to-name list are searched. Entries with lower |
| 245 | numbers are searched first."; |
| 246 | reference |
| 247 | "RFC 6353: Transport Layer Security (TLS) Transport Model |
| 248 | for the Simple Network Management Protocol |
| 249 | (SNMP). |
| 250 | SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID"; |
| 251 | } |
| 252 | |
| 253 | leaf fingerprint { |
| 254 | type x509c2n:tls-fingerprint; |
| 255 | mandatory true; |
| 256 | description |
| 257 | "Specifies a value with which the fingerprint of the |
| 258 | full certificate presented by the peer is compared. If |
| 259 | the fingerprint of the full certificate presented by the |
| 260 | peer does not match the fingerprint configured, then the |
| 261 | entry is skipped, and the search for a match continues."; |
| 262 | reference |
| 263 | "RFC 6353: Transport Layer Security (TLS) Transport Model |
| 264 | for the Simple Network Management Protocol |
| 265 | (SNMP). |
| 266 | SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint"; |
| 267 | } |
| 268 | |
| 269 | leaf map-type { |
| 270 | type identityref { |
| 271 | base cert-to-name; |
| 272 | } |
| 273 | mandatory true; |
| 274 | description |
| 275 | "Specifies the algorithm used to map the certificate |
| 276 | presented by the peer to a name. |
| 277 | |
| 278 | Mappings that need additional configuration objects should |
| 279 | use the 'when' statement to make them conditional based on |
| 280 | the map-type."; |
| 281 | reference |
| 282 | "RFC 6353: Transport Layer Security (TLS) Transport Model |
| 283 | for the Simple Network Management Protocol |
| 284 | (SNMP). |
| 285 | SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType"; |
| 286 | } |
| 287 | |
| 288 | leaf name { |
| 289 | when "../map-type = 'x509c2n:specified'"; |
| 290 | type string; |
| 291 | mandatory true; |
| 292 | description |
| 293 | "Directly specifies the NETCONF username when the |
| 294 | map-type is 'specified'."; |
| 295 | reference |
| 296 | "RFC 6353: Transport Layer Security (TLS) Transport Model |
| 297 | for the Simple Network Management Protocol |
| 298 | (SNMP). |
| 299 | SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData"; |
| 300 | } |
| 301 | } |
| 302 | } |
| 303 | } |