draft-ietf-netconf-crypto-types-04.txt | draft-ietf-netconf-crypto-types-05.txt | |||
---|---|---|---|---|

NETCONF Working Group K. Watsen | NETCONF Working Group K. Watsen | |||

Internet-Draft Watsen Networks | Internet-Draft Watsen Networks | |||

Intended status: Standards Track H. Wang | Intended status: Standards Track H. Wang | |||

Expires: September 10, 2019 Huawei | Expires: September 10, 2019 Huawei | |||

March 9, 2019 | March 9, 2019 | |||

Common YANG Data Types for Cryptography | Common YANG Data Types for Cryptography | |||

draft-ietf-netconf-crypto-types-04 | draft-ietf-netconf-crypto-types-05 | |||

Abstract | Abstract | |||

This document defines YANG identities, typedefs, the groupings useful | This document defines YANG identities, typedefs, the groupings useful | |||

for cryptographic applications. | for cryptographic applications. | |||

Editorial Note (To be removed by RFC Editor) | Editorial Note (To be removed by RFC Editor) | |||

This draft contains many placeholder values that need to be replaced | This draft contains many placeholder values that need to be replaced | |||

with finalized values at the time of publication. This note | with finalized values at the time of publication. This note | |||

skipping to change at page 2, line 49 ¶ | skipping to change at page 2, line 49 ¶ | |||

A.2. The "generate-hidden-key" Action . . . . . . . . . . . . 46 | A.2. The "generate-hidden-key" Action . . . . . . . . . . . . 46 | |||

A.3. The "install-hidden-key" Action . . . . . . . . . . . . . 47 | A.3. The "install-hidden-key" Action . . . . . . . . . . . . . 47 | |||

A.4. The "generate-certificate-signing-request" Action . . . . 47 | A.4. The "generate-certificate-signing-request" Action . . . . 47 | |||

A.5. The "certificate-expiration" Notification . . . . . . . . 48 | A.5. The "certificate-expiration" Notification . . . . . . . . 48 | |||

Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 49 | Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 49 | |||

B.1. I-D to 00 . . . . . . . . . . . . . . . . . . . . . . . . 49 | B.1. I-D to 00 . . . . . . . . . . . . . . . . . . . . . . . . 49 | |||

B.2. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 49 | B.2. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 49 | |||

B.3. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 49 | B.3. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 49 | |||

B.4. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 50 | B.4. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 50 | |||

B.5. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 50 | B.5. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 50 | |||

B.6. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 51 | ||||

Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 51 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 51 | |||

Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 51 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 51 | |||

1. Introduction | 1. Introduction | |||

This document defines a YANG 1.1 [RFC7950] module specifying | This document defines a YANG 1.1 [RFC7950] module specifying | |||

identities, typedefs, and groupings useful for cryptography. | identities, typedefs, and groupings useful for cryptography. | |||

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||

"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||

skipping to change at page 4, line 43 ¶ | skipping to change at page 4, line 43 ¶ | |||

This module has an informational reference to [RFC2986], [RFC3174], | This module has an informational reference to [RFC2986], [RFC3174], | |||

[RFC4493], [RFC5915], [RFC6125], [RFC6234], [RFC6239], [RFC6507], | [RFC4493], [RFC5915], [RFC6125], [RFC6234], [RFC6239], [RFC6507], | |||

[RFC8017], [RFC8032], [RFC8439]. | [RFC8017], [RFC8032], [RFC8439]. | |||

<CODE BEGINS> file "ietf-crypto-types@2019-03-09.yang" | <CODE BEGINS> file "ietf-crypto-types@2019-03-09.yang" | |||

module ietf-crypto-types { | module ietf-crypto-types { | |||

yang-version 1.1; | yang-version 1.1; | |||

namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types"; | namespace "urn:ietf:params:xml:ns:yang:ietf-crypto-types"; | |||

prefix "ct"; | prefix ct; | |||

import ietf-yang-types { | import ietf-yang-types { | |||

prefix yang; | prefix yang; | |||

reference | reference | |||

"RFC 6991: Common YANG Data Types"; | "RFC 6991: Common YANG Data Types"; | |||

} | } | |||

import ietf-netconf-acm { | import ietf-netconf-acm { | |||

prefix nacm; | prefix nacm; | |||

reference | reference | |||

"RFC 8341: Network Configuration Access Control Model"; | "RFC 8341: Network Configuration Access Control Model"; | |||

} | } | |||

organization | organization | |||

"IETF NETCONF (Network Configuration) Working Group"; | "IETF NETCONF (Network Configuration) Working Group"; | |||

contact | contact | |||

"WG Web: <http://datatracker.ietf.org/wg/netconf/> | "WG Web: <http://datatracker.ietf.org/wg/netconf/> | |||

WG List: <mailto:netconf@ietf.org> | WG List: <mailto:netconf@ietf.org> | |||

Author: Kent Watsen <mailto:kent+ietf@watsen.net> | Author: Kent Watsen <mailto:kent+ietf@watsen.net> | |||

Author: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>"; | Author: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>"; | |||

description | description | |||

"This module defines common YANG types for cryptographic | "This module defines common YANG types for cryptographic | |||

applications. | applications. | |||

The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | |||

'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | |||

'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | |||

are to be interpreted as described in BCP 14 [RFC2119] | are to be interpreted as described in BCP 14 [RFC2119] | |||

[RFC8174] when, and only when, they appear in all | [RFC8174] when, and only when, they appear in all | |||

capitals, as shown here. | capitals, as shown here. | |||

Copyright (c) 2019 IETF Trust and the persons identified | Copyright (c) 2019 IETF Trust and the persons identified | |||

as authors of the code. All rights reserved. | as authors of the code. All rights reserved. | |||

Redistribution and use in source and binary forms, with | Redistribution and use in source and binary forms, with | |||

or without modification, is permitted pursuant to, and | or without modification, is permitted pursuant to, and | |||

subject to the license terms contained in, the Simplified | subject to the license terms contained in, the Simplified | |||

BSD License set forth in Section 4.c of the IETF Trust's | BSD License set forth in Section 4.c of the IETF Trust's | |||

Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||

(http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info). | |||

This version of this YANG module is part of RFC XXXX; see | This version of this YANG module is part of RFC XXXX; see | |||

the RFC itself for full legal notices."; | the RFC itself for full legal notices."; | |||

revision "2019-03-09" { | revision 2019-03-09 { | |||

description | description | |||

"Initial version"; | "Initial version"; | |||

reference | reference | |||

"RFC XXXX: Common YANG Data Types for Cryptography"; | "RFC XXXX: Common YANG Data Types for Cryptography"; | |||

} | } | |||

/**************************************/ | /**************************************/ | |||

/* Identities for Hash Algorithms */ | /* Identities for Hash Algorithms */ | |||

/**************************************/ | /**************************************/ | |||

identity hash-algorithm { | identity hash-algorithm { | |||

description | description | |||

"A base identity for hash algorithm verification."; | "A base identity for hash algorithm verification."; | |||

} | } | |||

identity sha-224 { | identity sha-224 { | |||

base "hash-algorithm"; | base hash-algorithm; | |||

description "The SHA-224 algorithm."; | description | |||

reference "RFC 6234: US Secure Hash Algorithms."; | "The SHA-224 algorithm."; | |||

reference | ||||

"RFC 6234: US Secure Hash Algorithms."; | ||||

} | } | |||

identity sha-256 { | identity sha-256 { | |||

base "hash-algorithm"; | base hash-algorithm; | |||

description "The SHA-256 algorithm."; | description | |||

reference "RFC 6234: US Secure Hash Algorithms."; | "The SHA-256 algorithm."; | |||

reference | ||||

"RFC 6234: US Secure Hash Algorithms."; | ||||

} | } | |||

identity sha-384 { | identity sha-384 { | |||

base "hash-algorithm"; | base hash-algorithm; | |||

description "The SHA-384 algorithm."; | description | |||

reference "RFC 6234: US Secure Hash Algorithms."; | "The SHA-384 algorithm."; | |||

reference | ||||

"RFC 6234: US Secure Hash Algorithms."; | ||||

} | } | |||

identity sha-512 { | identity sha-512 { | |||

base "hash-algorithm"; | base hash-algorithm; | |||

description "The SHA-512 algorithm."; | description | |||

reference "RFC 6234: US Secure Hash Algorithms."; | "The SHA-512 algorithm."; | |||

reference | ||||

"RFC 6234: US Secure Hash Algorithms."; | ||||

} | } | |||

/***********************************************/ | /***********************************************/ | |||

/* Identities for Asymmetric Key Algorithms */ | /* Identities for Asymmetric Key Algorithms */ | |||

/***********************************************/ | /***********************************************/ | |||

identity asymmetric-key-algorithm { | identity asymmetric-key-algorithm { | |||

description | description | |||

"Base identity from which all asymmetric key | "Base identity from which all asymmetric key | |||

encryption Algorithm."; | encryption Algorithm."; | |||

skipping to change at page 7, line 42 ¶ | skipping to change at page 7, line 48 ¶ | |||

base asymmetric-key-algorithm; | base asymmetric-key-algorithm; | |||

description | description | |||

"The RSA algorithm using a 7680-bit key."; | "The RSA algorithm using a 7680-bit key."; | |||

reference | reference | |||

"RFC 8017: | "RFC 8017: | |||

PKCS #1: RSA Cryptography Specifications Version 2.2."; | PKCS #1: RSA Cryptography Specifications Version 2.2."; | |||

} | } | |||

identity rsa15360 { | identity rsa15360 { | |||

base asymmetric-key-algorithm; | base asymmetric-key-algorithm; | |||

description | description | |||

"The RSA algorithm using a 15360-bit key."; | "The RSA algorithm using a 15360-bit key."; | |||

reference | reference | |||

"RFC 8017: | "RFC 8017: | |||

PKCS #1: RSA Cryptography Specifications Version 2.2."; | PKCS #1: RSA Cryptography Specifications Version 2.2."; | |||

} | } | |||

identity secp192r1 { | identity secp192r1 { | |||

base asymmetric-key-algorithm; | base asymmetric-key-algorithm; | |||

description | description | |||

"The ECDSA algorithm using a NIST P256 Curve."; | "The ECDSA algorithm using a NIST P256 Curve."; | |||

reference | reference | |||

"RFC 6090: | "RFC 6090: | |||

Fundamental Elliptic Curve Cryptography Algorithms."; | Fundamental Elliptic Curve Cryptography Algorithms."; | |||

} | } | |||

identity secp224r1 { | identity secp224r1 { | |||

base asymmetric-key-algorithm; | base asymmetric-key-algorithm; | |||

description | description | |||

"The ECDSA algorithm using a NIST P256 Curve."; | "The ECDSA algorithm using a NIST P256 Curve."; | |||

reference | reference | |||

"RFC 6090: | "RFC 6090: | |||

Fundamental Elliptic Curve Cryptography Algorithms."; | Fundamental Elliptic Curve Cryptography Algorithms."; | |||

} | } | |||

identity secp256r1 { | identity secp256r1 { | |||

base asymmetric-key-algorithm; | base asymmetric-key-algorithm; | |||

description | description | |||

"The ECDSA algorithm using a NIST P256 Curve."; | "The ECDSA algorithm using a NIST P256 Curve."; | |||

reference | reference | |||

"RFC 6090: | "RFC 6090: | |||

Fundamental Elliptic Curve Cryptography Algorithms."; | Fundamental Elliptic Curve Cryptography Algorithms."; | |||

} | } | |||

identity secp384r1 { | identity secp384r1 { | |||

base asymmetric-key-algorithm; | base asymmetric-key-algorithm; | |||

description | description | |||

"The ECDSA algorithm using a NIST P256 Curve."; | "The ECDSA algorithm using a NIST P256 Curve."; | |||

reference | reference | |||

"RFC 6090: | "RFC 6090: | |||

Fundamental Elliptic Curve Cryptography Algorithms."; | Fundamental Elliptic Curve Cryptography Algorithms."; | |||

} | } | |||

identity secp521r1 { | identity secp521r1 { | |||

base asymmetric-key-algorithm; | base asymmetric-key-algorithm; | |||

description | description | |||

"The ECDSA algorithm using a NIST P256 Curve."; | "The ECDSA algorithm using a NIST P256 Curve."; | |||

reference | reference | |||

"RFC 6090: | "RFC 6090: | |||

Fundamental Elliptic Curve Cryptography Algorithms."; | Fundamental Elliptic Curve Cryptography Algorithms."; | |||

} | } | |||

/*************************************/ | /*************************************/ | |||

/* Identities for MAC Algorithms */ | /* Identities for MAC Algorithms */ | |||

/*************************************/ | /*************************************/ | |||

identity mac-algorithm { | identity mac-algorithm { | |||

description | description | |||

"A base identity for mac generation."; | "A base identity for mac generation."; | |||

} | } | |||

identity hmac-sha1 { | identity hmac-sha1 { | |||

skipping to change at page 9, line 8 ¶ | skipping to change at page 9, line 14 ¶ | |||

/*************************************/ | /*************************************/ | |||

/* Identities for MAC Algorithms */ | /* Identities for MAC Algorithms */ | |||

/*************************************/ | /*************************************/ | |||

identity mac-algorithm { | identity mac-algorithm { | |||

description | description | |||

"A base identity for mac generation."; | "A base identity for mac generation."; | |||

} | } | |||

identity hmac-sha1 { | identity hmac-sha1 { | |||

base "mac-algorithm"; | base mac-algorithm; | |||

description "Generating MAC using SHA1 hash function"; | description | |||

reference "RFC 3174: US Secure Hash Algorithm 1 (SHA1)"; | "Generating MAC using SHA1 hash function"; | |||

reference | ||||

"RFC 3174: US Secure Hash Algorithm 1 (SHA1)"; | ||||

} | } | |||

identity hmac-sha1-96 { | identity hmac-sha1-96 { | |||

base "mac-algorithm"; | base mac-algorithm; | |||

description "Generating MAC using SHA1 hash function"; | description | |||

reference "RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH"; | "Generating MAC using SHA1 hash function"; | |||

reference | ||||

"RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH"; | ||||

} | } | |||

identity hmac-sha2-224 { | identity hmac-sha2-224 { | |||

base "mac-algorithm"; | base mac-algorithm; | |||

description | description | |||

"Generating MAC using SHA2 hash function"; | "Generating MAC using SHA2 hash function"; | |||

reference | reference | |||

"RFC 6234: | "RFC 6234: | |||

US Secure Hash Algorithms (SHA and SHA-based HMAC and | US Secure Hash Algorithms (SHA and SHA-based HMAC and | |||

HKDF)"; | HKDF)"; | |||

} | } | |||

identity hmac-sha2-256 { | identity hmac-sha2-256 { | |||

base "mac-algorithm"; | base mac-algorithm; | |||

description | description | |||

"Generating MAC using SHA2 hash function"; | "Generating MAC using SHA2 hash function"; | |||

reference | reference | |||

"RFC 6234: | "RFC 6234: | |||

US Secure Hash Algorithms (SHA and SHA-based HMAC and | US Secure Hash Algorithms (SHA and SHA-based HMAC and | |||

HKDF)"; | HKDF)"; | |||

} | } | |||

identity hmac-sha2-256-128 { | identity hmac-sha2-256-128 { | |||

base "mac-algorithm"; | base mac-algorithm; | |||

description | description | |||

"Generating a 256 bits MAC using SHA2 hash function and | "Generating a 256 bits MAC using SHA2 hash function and | |||

truncate it to 128 bits"; | truncate it to 128 bits"; | |||

reference | reference | |||

"RFC 4868: | "RFC 4868: | |||

Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 | Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 | |||

with IPsec"; | with IPsec"; | |||

} | } | |||

identity hmac-sha2-384 { | identity hmac-sha2-384 { | |||

base "mac-algorithm"; | base mac-algorithm; | |||

description | description | |||

"Generating MAC using SHA2 hash function"; | "Generating MAC using SHA2 hash function"; | |||

reference | reference | |||

"RFC 6234: | "RFC 6234: | |||

US Secure Hash Algorithms (SHA and SHA-based HMAC and | US Secure Hash Algorithms (SHA and SHA-based HMAC and | |||

HKDF)"; | HKDF)"; | |||

} | } | |||

identity hmac-sha2-384-192 { | identity hmac-sha2-384-192 { | |||

base "mac-algorithm"; | base mac-algorithm; | |||

description | description | |||

"Generating a 384 bits MAC using SHA2 hash function and | "Generating a 384 bits MAC using SHA2 hash function and | |||

truncate it to 192 bits"; | truncate it to 192 bits"; | |||

reference | reference | |||

"RFC 4868: | "RFC 4868: | |||

Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with | Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with | |||

IPsec"; | IPsec"; | |||

} | } | |||

identity hmac-sha2-512 { | identity hmac-sha2-512 { | |||

base "mac-algorithm"; | base mac-algorithm; | |||

description "Generating MAC using SHA2 hash function"; | description | |||

"Generating MAC using SHA2 hash function"; | ||||

reference | reference | |||

"RFC 6234: | "RFC 6234: | |||

US Secure Hash Algorithms (SHA and SHA-based HMAC and | US Secure Hash Algorithms (SHA and SHA-based HMAC and | |||

HKDF)"; | HKDF)"; | |||

} | } | |||

identity hmac-sha2-512-256 { | identity hmac-sha2-512-256 { | |||

base "mac-algorithm"; | base mac-algorithm; | |||

description | description | |||

"Generating a 512 bits MAC using SHA2 hash function and | "Generating a 512 bits MAC using SHA2 hash function and | |||

truncating it to 256 bits"; | truncating it to 256 bits"; | |||

reference | reference | |||

"RFC 4868: | "RFC 4868: | |||

Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with | Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with | |||

IPsec"; | IPsec"; | |||

} | } | |||

identity aes-128-gmac { | identity aes-128-gmac { | |||

base "mac-algorithm"; | base mac-algorithm; | |||

description | description | |||

"Generating MAC using the Advanced Encryption Standard (AES) | "Generating MAC using the Advanced Encryption Standard (AES) | |||

Galois Message Authentication Code (GMAC) as a mechanism to | Galois Message Authentication Code (GMAC) as a mechanism to | |||

provide data origin authentication"; | provide data origin authentication"; | |||

reference | reference | |||

"RFC 4543: | "RFC 4543: | |||

The Use of Galois Message Authentication Code (GMAC) in | The Use of Galois Message Authentication Code (GMAC) in | |||

IPsec ESP and AH"; | IPsec ESP and AH"; | |||

} | } | |||

identity aes-192-gmac { | identity aes-192-gmac { | |||

base "mac-algorithm"; | base mac-algorithm; | |||

description | description | |||

"Generating MAC using the Advanced Encryption Standard (AES) | "Generating MAC using the Advanced Encryption Standard (AES) | |||

Galois Message Authentication Code (GMAC) as a mechanism to | Galois Message Authentication Code (GMAC) as a mechanism to | |||

provide data origin authentication"; | provide data origin authentication"; | |||

reference | reference | |||

"RFC 4543: | "RFC 4543: | |||

The Use of Galois Message Authentication Code (GMAC) in | The Use of Galois Message Authentication Code (GMAC) in | |||

IPsec ESP and AH"; | IPsec ESP and AH"; | |||

} | } | |||

identity aes-256-gmac { | identity aes-256-gmac { | |||

base "mac-algorithm"; | base mac-algorithm; | |||

description | description | |||

"Generating MAC using the Advanced Encryption Standard (AES) | "Generating MAC using the Advanced Encryption Standard (AES) | |||

Galois Message Authentication Code (GMAC) as a mechanism to | Galois Message Authentication Code (GMAC) as a mechanism to | |||

provide data origin authentication"; | provide data origin authentication"; | |||

reference | reference | |||

"RFC 4543: | "RFC 4543: | |||

The Use of Galois Message Authentication Code (GMAC) in | The Use of Galois Message Authentication Code (GMAC) in | |||

IPsec ESP and AH"; | IPsec ESP and AH"; | |||

} | } | |||

identity aes-cmac-96 { | identity aes-cmac-96 { | |||

base "mac-algorithm"; | base mac-algorithm; | |||

description | description | |||

"Generating MAC using Advanced Encryption Standard (AES) | "Generating MAC using Advanced Encryption Standard (AES) | |||

Cipher-based Message Authentication Code (CMAC)"; | Cipher-based Message Authentication Code (CMAC)"; | |||

reference | reference | |||

"RFC 4494: The AES-CMAC-96 Algorithm and its Use with IPsec"; | "RFC 4494: The AES-CMAC-96 Algorithm and its Use with IPsec"; | |||

} | } | |||

identity aes-cmac-128 { | identity aes-cmac-128 { | |||

base "mac-algorithm"; | base mac-algorithm; | |||

description | description | |||

"Generating MAC using Advanced Encryption Standard (AES) | "Generating MAC using Advanced Encryption Standard (AES) | |||

Cipher-based Message Authentication Code (CMAC)"; | Cipher-based Message Authentication Code (CMAC)"; | |||

reference | reference | |||

"RFC 4493: The AES-CMAC Algorithm"; | "RFC 4493: The AES-CMAC Algorithm"; | |||

} | } | |||

/********************************************/ | /********************************************/ | |||

/* Identities for Encryption Algorithms */ | /* Identities for Encryption Algorithms */ | |||

/********************************************/ | /********************************************/ | |||

identity encryption-algorithm { | identity encryption-algorithm { | |||

description | description | |||

"A base identity for encryption algorithm."; | "A base identity for encryption algorithm."; | |||

} | } | |||

identity aes-128-cbc { | identity aes-128-cbc { | |||

base "encryption-algorithm"; | base encryption-algorithm; | |||

description | description | |||

"Encrypt message with AES algorithm in CBC mode with a key | "Encrypt message with AES algorithm in CBC mode with a key | |||

length of 128 bits"; | length of 128 bits"; | |||

reference | reference | |||

"RFC 3565: | "RFC 3565: | |||

Use of the Advanced Encryption Standard (AES) Encryption | Use of the Advanced Encryption Standard (AES) Encryption | |||

Algorithm in Cryptographic Message Syntax (CMS)"; | Algorithm in Cryptographic Message Syntax (CMS)"; | |||

} | } | |||

identity aes-192-cbc { | identity aes-192-cbc { | |||

base "encryption-algorithm"; | base encryption-algorithm; | |||

description | description | |||

"Encrypt message with AES algorithm in CBC mode with a key | "Encrypt message with AES algorithm in CBC mode with a key | |||

length of 192 bits"; | length of 192 bits"; | |||

reference | reference | |||

"RFC 3565: | "RFC 3565: | |||

Use of the Advanced Encryption Standard (AES) Encryption | Use of the Advanced Encryption Standard (AES) Encryption | |||

Algorithm in Cryptographic Message Syntax (CMS)"; | Algorithm in Cryptographic Message Syntax (CMS)"; | |||

} | } | |||

identity aes-256-cbc { | identity aes-256-cbc { | |||

base "encryption-algorithm"; | base encryption-algorithm; | |||

description | description | |||

"Encrypt message with AES algorithm in CBC mode with a key | "Encrypt message with AES algorithm in CBC mode with a key | |||

length of 256 bits"; | length of 256 bits"; | |||

reference | reference | |||

"RFC 3565: | "RFC 3565: | |||

Use of the Advanced Encryption Standard (AES) Encryption | Use of the Advanced Encryption Standard (AES) Encryption | |||

Algorithm in Cryptographic Message Syntax (CMS)"; | Algorithm in Cryptographic Message Syntax (CMS)"; | |||

} | } | |||

identity aes-128-ctr { | identity aes-128-ctr { | |||

base "encryption-algorithm"; | base encryption-algorithm; | |||

description | description | |||

"Encrypt message with AES algorithm in CTR mode with a key | "Encrypt message with AES algorithm in CTR mode with a key | |||

length of 128 bits"; | length of 128 bits"; | |||

reference | reference | |||

"RFC 3686: | "RFC 3686: | |||

Using Advanced Encryption Standard (AES) Counter Mode with | Using Advanced Encryption Standard (AES) Counter Mode with | |||

IPsec Encapsulating Security Payload (ESP)"; | IPsec Encapsulating Security Payload (ESP)"; | |||

} | } | |||

identity aes-192-ctr { | identity aes-192-ctr { | |||

base "encryption-algorithm"; | base encryption-algorithm; | |||

description | description | |||

"Encrypt message with AES algorithm in CTR mode with a key | "Encrypt message with AES algorithm in CTR mode with a key | |||

length of 192 bits"; | length of 192 bits"; | |||

reference | reference | |||

"RFC 3686: | "RFC 3686: | |||

Using Advanced Encryption Standard (AES) Counter Mode with | Using Advanced Encryption Standard (AES) Counter Mode with | |||

IPsec Encapsulating Security Payload (ESP)"; | IPsec Encapsulating Security Payload (ESP)"; | |||

} | } | |||

identity aes-256-ctr { | identity aes-256-ctr { | |||

base "encryption-algorithm"; | base encryption-algorithm; | |||

description | description | |||

"Encrypt message with AES algorithm in CTR mode with a key | "Encrypt message with AES algorithm in CTR mode with a key | |||

length of 256 bits"; | length of 256 bits"; | |||

reference | reference | |||

"RFC 3686: | "RFC 3686: | |||

Using Advanced Encryption Standard (AES) Counter Mode with | Using Advanced Encryption Standard (AES) Counter Mode with | |||

IPsec Encapsulating Security Payload (ESP)"; | IPsec Encapsulating Security Payload (ESP)"; | |||

} | } | |||

/****************************************************/ | /****************************************************/ | |||

/* Identities for Encryption and MAC Algorithms */ | /* Identities for Encryption and MAC Algorithms */ | |||

/****************************************************/ | /****************************************************/ | |||

identity encryption-and-mac-algorithm { | identity encryption-and-mac-algorithm { | |||

description | description | |||

"A base identity for encryption and MAC algorithm."; | "A base identity for encryption and MAC algorithm."; | |||

} | } | |||

identity aes-128-ccm { | identity aes-128-ccm { | |||

base "encryption-and-mac-algorithm"; | base encryption-and-mac-algorithm; | |||

description | description | |||

"Encrypt message with AES algorithm in CCM mode with a key | "Encrypt message with AES algorithm in CCM mode with a key | |||

length of 128 bits; it can also be used for generating MAC"; | length of 128 bits; it can also be used for generating MAC"; | |||

reference | reference | |||

"RFC 4309: | "RFC 4309: | |||

Using Advanced Encryption Standard (AES) CCM Mode with | Using Advanced Encryption Standard (AES) CCM Mode with | |||

IPsec Encapsulating Security Payload (ESP)"; | IPsec Encapsulating Security Payload (ESP)"; | |||

} | } | |||

identity aes-192-ccm { | identity aes-192-ccm { | |||

base "encryption-and-mac-algorithm"; | base encryption-and-mac-algorithm; | |||

description | description | |||

"Encrypt message with AES algorithm in CCM mode with a key | "Encrypt message with AES algorithm in CCM mode with a key | |||

length of 192 bits; it can also be used for generating MAC"; | length of 192 bits; it can also be used for generating MAC"; | |||

reference | reference | |||

"RFC 4309: | "RFC 4309: | |||

Using Advanced Encryption Standard (AES) CCM Mode with | Using Advanced Encryption Standard (AES) CCM Mode with | |||

IPsec Encapsulating Security Payload (ESP)"; | IPsec Encapsulating Security Payload (ESP)"; | |||

} | } | |||

identity aes-256-ccm { | identity aes-256-ccm { | |||

base "encryption-and-mac-algorithm"; | base encryption-and-mac-algorithm; | |||

description | description | |||

"Encrypt message with AES algorithm in CCM mode with a key | "Encrypt message with AES algorithm in CCM mode with a key | |||

length of 256 bits; it can also be used for generating MAC"; | length of 256 bits; it can also be used for generating MAC"; | |||

reference | reference | |||

"RFC 4309: | "RFC 4309: | |||

Using Advanced Encryption Standard (AES) CCM Mode with | Using Advanced Encryption Standard (AES) CCM Mode with | |||

IPsec Encapsulating Security Payload (ESP)"; | IPsec Encapsulating Security Payload (ESP)"; | |||

} | } | |||

identity aes-128-gcm { | identity aes-128-gcm { | |||

base "encryption-and-mac-algorithm"; | base encryption-and-mac-algorithm; | |||

description | description | |||

"Encrypt message with AES algorithm in GCM mode with a key | "Encrypt message with AES algorithm in GCM mode with a key | |||

length of 128 bits; it can also be used for generating MAC"; | length of 128 bits; it can also be used for generating MAC"; | |||

reference | reference | |||

"RFC 4106: | "RFC 4106: | |||

The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating | The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating | |||

Security Payload (ESP)"; | Security Payload (ESP)"; | |||

} | } | |||

identity aes-192-gcm { | identity aes-192-gcm { | |||

base "encryption-and-mac-algorithm"; | base encryption-and-mac-algorithm; | |||

description | description | |||

"Encrypt message with AES algorithm in GCM mode with a key | "Encrypt message with AES algorithm in GCM mode with a key | |||

length of 192 bits; it can also be used for generating MAC"; | length of 192 bits; it can also be used for generating MAC"; | |||

reference | reference | |||

"RFC 4106: | "RFC 4106: | |||

The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating | The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating | |||

Security Payload (ESP)"; | Security Payload (ESP)"; | |||

} | } | |||

identity mac-aes-256-gcm { | identity mac-aes-256-gcm { | |||

base "encryption-and-mac-algorithm"; | base encryption-and-mac-algorithm; | |||

description | description | |||

"Encrypt message with AES algorithm in GCM mode with a key | "Encrypt message with AES algorithm in GCM mode with a key | |||

length of 128 bits; it can also be used for generating MAC"; | length of 128 bits; it can also be used for generating MAC"; | |||

reference | reference | |||

"RFC 4106: | "RFC 4106: | |||

The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating | The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating | |||

Security Payload (ESP)"; | Security Payload (ESP)"; | |||

} | } | |||

identity chacha20-poly1305 { | identity chacha20-poly1305 { | |||

base "encryption-and-mac-algorithm"; | base encryption-and-mac-algorithm; | |||

description | description | |||

"Encrypt message with chacha20 algorithm and generate MAC with | "Encrypt message with chacha20 algorithm and generate MAC with | |||

POLY1305; it can also be used for generating MAC"; | POLY1305; it can also be used for generating MAC"; | |||

reference | reference | |||

"RFC 8439: ChaCha20 and Poly1305 for IETF Protocols"; | "RFC 8439: ChaCha20 and Poly1305 for IETF Protocols"; | |||

} | } | |||

/******************************************/ | /******************************************/ | |||

/* Identities for signature algorithm */ | /* Identities for signature algorithm */ | |||

/******************************************/ | /******************************************/ | |||

identity signature-algorithm { | identity signature-algorithm { | |||

description | description | |||

"A base identity for asymmetric key encryption algorithm."; | "A base identity for asymmetric key encryption algorithm."; | |||

} | } | |||

identity dsa-sha1 { | identity dsa-sha1 { | |||

base "signature-algorithm"; | base signature-algorithm; | |||

description | description | |||

"The signature algorithm using DSA algorithm with SHA1 hash | "The signature algorithm using DSA algorithm with SHA1 hash | |||

algorithm"; | algorithm"; | |||

reference | reference | |||

"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; | "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; | |||

} | } | |||

identity rsassa-pkcs1-sha1 { | identity rsassa-pkcs1-sha1 { | |||

base "signature-algorithm"; | base signature-algorithm; | |||

description | description | |||

"The signature algorithm using RSASSA-PKCS1-v1_5 with the SHA1 | "The signature algorithm using RSASSA-PKCS1-v1_5 with the SHA1 | |||

hash algorithm."; | hash algorithm."; | |||

reference | reference | |||

"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; | "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; | |||

} | } | |||

identity rsassa-pkcs1-sha256 { | identity rsassa-pkcs1-sha256 { | |||

base "signature-algorithm"; | base signature-algorithm; | |||

description | description | |||

"The signature algorithm using RSASSA-PKCS1-v1_5 with the | "The signature algorithm using RSASSA-PKCS1-v1_5 with the | |||

SHA256 hash algorithm."; | SHA256 hash algorithm."; | |||

reference | reference | |||

"RFC 8332: | "RFC 8332: | |||

Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell | Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell | |||

(SSH) Protocol | (SSH) Protocol | |||

RFC 8446: | RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity rsassa-pkcs1-sha384 { | identity rsassa-pkcs1-sha384 { | |||

base "signature-algorithm"; | base signature-algorithm; | |||

description | description | |||

"The signature algorithm using RSASSA-PKCS1-v1_5 with the | "The signature algorithm using RSASSA-PKCS1-v1_5 with the | |||

SHA384 hash algorithm."; | SHA384 hash algorithm."; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity rsassa-pkcs1-sha512 { | identity rsassa-pkcs1-sha512 { | |||

base "signature-algorithm"; | base signature-algorithm; | |||

description | description | |||

"The signature algorithm using RSASSA-PKCS1-v1_5 with the | "The signature algorithm using RSASSA-PKCS1-v1_5 with the | |||

SHA512 hash algorithm."; | SHA512 hash algorithm."; | |||

reference | reference | |||

"RFC 8332: | "RFC 8332: | |||

Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell | Use of RSA Keys with SHA-256 and SHA-512 in the Secure Shell | |||

(SSH) Protocol | (SSH) Protocol | |||

RFC 8446: | RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity rsassa-pss-rsae-sha256 { | identity rsassa-pss-rsae-sha256 { | |||

base "signature-algorithm"; | base signature-algorithm; | |||

description | description | |||

"The signature algorithm using RSASSA-PSS with mask generation | "The signature algorithm using RSASSA-PSS with mask generation | |||

function 1 and SHA256 hash algorithm. If the public key is | function 1 and SHA256 hash algorithm. If the public key is | |||

carried in an X.509 certificate, it MUST use the rsaEncryption | carried in an X.509 certificate, it MUST use the rsaEncryption | |||

OID"; | OID"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity rsassa-pss-rsae-sha384 { | identity rsassa-pss-rsae-sha384 { | |||

base "signature-algorithm"; | base signature-algorithm; | |||

description | description | |||

"The signature algorithm using RSASSA-PSS with mask generation | "The signature algorithm using RSASSA-PSS with mask generation | |||

function 1 and SHA384 hash algorithm. If the public key is | function 1 and SHA384 hash algorithm. If the public key is | |||

carried in an X.509 certificate, it MUST use the rsaEncryption | carried in an X.509 certificate, it MUST use the rsaEncryption | |||

OID"; | OID"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity rsassa-pss-rsae-sha512 { | identity rsassa-pss-rsae-sha512 { | |||

base "signature-algorithm"; | base signature-algorithm; | |||

description | description | |||

"The signature algorithm using RSASSA-PSS with mask generation | "The signature algorithm using RSASSA-PSS with mask generation | |||

function 1 and SHA512 hash algorithm. If the public key is | function 1 and SHA512 hash algorithm. If the public key is | |||

carried in an X.509 certificate, it MUST use the rsaEncryption | carried in an X.509 certificate, it MUST use the rsaEncryption | |||

OID"; | OID"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity rsassa-pss-pss-sha256 { | identity rsassa-pss-pss-sha256 { | |||

base "signature-algorithm"; | base signature-algorithm; | |||

description | description | |||

"The signature algorithm using RSASSA-PSS with mask generation | "The signature algorithm using RSASSA-PSS with mask generation | |||

function 1 and SHA256 hash algorithm. If the public key is | function 1 and SHA256 hash algorithm. If the public key is | |||

carried in an X.509 certificate, it MUST use the RSASSA-PSS | carried in an X.509 certificate, it MUST use the RSASSA-PSS | |||

OID"; | OID"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity rsassa-pss-pss-sha384 { | identity rsassa-pss-pss-sha384 { | |||

base "signature-algorithm"; | base signature-algorithm; | |||

description | description | |||

"The signature algorithm using RSASSA-PSS with mask generation | "The signature algorithm using RSASSA-PSS with mask generation | |||

function 1 and SHA256 hash algorithm. If the public key is | function 1 and SHA256 hash algorithm. If the public key is | |||

carried in an X.509 certificate, it MUST use the RSASSA-PSS | carried in an X.509 certificate, it MUST use the RSASSA-PSS | |||

OID"; | OID"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity rsassa-pss-pss-sha512 { | identity rsassa-pss-pss-sha512 { | |||

base "signature-algorithm"; | base signature-algorithm; | |||

description | description | |||

"The signature algorithm using RSASSA-PSS with mask generation | "The signature algorithm using RSASSA-PSS with mask generation | |||

function 1 and SHA256 hash algorithm. If the public key is | function 1 and SHA256 hash algorithm. If the public key is | |||

carried in an X.509 certificate, it MUST use the RSASSA-PSS | carried in an X.509 certificate, it MUST use the RSASSA-PSS | |||

OID"; | OID"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity ecdsa-secp256r1-sha256 { | identity ecdsa-secp256r1-sha256 { | |||

base "signature-algorithm"; | base signature-algorithm; | |||

description | description | |||

"The signature algorithm using ECDSA with curve name secp256r1 | "The signature algorithm using ECDSA with curve name secp256r1 | |||

and SHA256 hash algorithm."; | and SHA256 hash algorithm."; | |||

reference | reference | |||

"RFC 5656: Elliptic Curve Algorithm Integration in the | "RFC 5656: Elliptic Curve Algorithm Integration in the | |||

Secure Shell Transport Layer | Secure Shell Transport Layer | |||

RFC 8446: | RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity ecdsa-secp384r1-sha384 { | identity ecdsa-secp384r1-sha384 { | |||

base "signature-algorithm"; | base signature-algorithm; | |||

description | description | |||

"The signature algorithm using ECDSA with curve name secp384r1 | "The signature algorithm using ECDSA with curve name secp384r1 | |||

and SHA384 hash algorithm."; | and SHA384 hash algorithm."; | |||

reference | reference | |||

"RFC 5656: Elliptic Curve Algorithm Integration in the | "RFC 5656: Elliptic Curve Algorithm Integration in the | |||

Secure Shell Transport Layer | Secure Shell Transport Layer | |||

RFC 8446: | RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity ecdsa-secp521r1-sha512 { | identity ecdsa-secp521r1-sha512 { | |||

base "signature-algorithm"; | base signature-algorithm; | |||

description | description | |||

"The signature algorithm using ECDSA with curve name secp521r1 | "The signature algorithm using ECDSA with curve name secp521r1 | |||

and SHA512 hash algorithm."; | and SHA512 hash algorithm."; | |||

reference | reference | |||

"RFC 5656: Elliptic Curve Algorithm Integration in the | "RFC 5656: Elliptic Curve Algorithm Integration in the | |||

Secure Shell Transport Layer | Secure Shell Transport Layer | |||

RFC 8446: | RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity ed25519 { | identity ed25519 { | |||

base "signature-algorithm"; | base signature-algorithm; | |||

description | description | |||

"The signature algorithm using EdDSA as defined in RFC 8032 or | "The signature algorithm using EdDSA as defined in RFC 8032 or | |||

its successors."; | its successors."; | |||

reference | reference | |||

"RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)"; | "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)"; | |||

} | } | |||

identity ed448 { | identity ed448 { | |||

base "signature-algorithm"; | base signature-algorithm; | |||

description | description | |||

"The signature algorithm using EdDSA as defined in RFC 8032 or | "The signature algorithm using EdDSA as defined in RFC 8032 or | |||

its successors."; | its successors."; | |||

reference | reference | |||

"RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)"; | "RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)"; | |||

} | } | |||

identity eccsi { | identity eccsi { | |||

base "signature-algorithm"; | base signature-algorithm; | |||

description | description | |||

"The signature algorithm using ECCSI signature as defined in | "The signature algorithm using ECCSI signature as defined in | |||

RFC 6507."; | RFC 6507."; | |||

reference | reference | |||

"RFC 6507: | "RFC 6507: | |||

Elliptic Curve-Based Certificateless Signatures for | Elliptic Curve-Based Certificateless Signatures for | |||

Identity-based Encryption (ECCSI)"; | Identity-based Encryption (ECCSI)"; | |||

} | } | |||

/**********************************************/ | /**********************************************/ | |||

/* Identities for key exchange algorithms */ | /* Identities for key exchange algorithms */ | |||

/**********************************************/ | /**********************************************/ | |||

identity key-exchange-algorithm { | identity key-exchange-algorithm { | |||

description | description | |||

"A base identity for Diffie-Hellman based key exchange | "A base identity for Diffie-Hellman based key exchange | |||

algorithm."; | algorithm."; | |||

} | } | |||

identity psk-only { | identity psk-only { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Using Pre-shared key for authentication and key exchange"; | "Using Pre-shared key for authentication and key exchange"; | |||

reference | reference | |||

"RFC 4279: | "RFC 4279: | |||

Pre-Shared Key cipher suites for Transport Layer Security | Pre-Shared Key cipher suites for Transport Layer Security | |||

(TLS)"; | (TLS)"; | |||

} | } | |||

identity dhe-ffdhe2048 { | identity dhe-ffdhe2048 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Ephemeral Diffie Hellman key exchange with 2048 bit | "Ephemeral Diffie Hellman key exchange with 2048 bit | |||

finite field"; | finite field"; | |||

reference | reference | |||

"RFC 7919: | "RFC 7919: | |||

Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | |||

for Transport Layer Security (TLS)"; | for Transport Layer Security (TLS)"; | |||

} | } | |||

identity dhe-ffdhe3072 { | identity dhe-ffdhe3072 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Ephemeral Diffie Hellman key exchange with 3072 bit finite | "Ephemeral Diffie Hellman key exchange with 3072 bit finite | |||

field"; | field"; | |||

reference | reference | |||

"RFC 7919: | "RFC 7919: | |||

Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | |||

for Transport Layer Security (TLS)"; | for Transport Layer Security (TLS)"; | |||

} | } | |||

identity dhe-ffdhe4096 { | identity dhe-ffdhe4096 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Ephemeral Diffie Hellman key exchange with 4096 bit | "Ephemeral Diffie Hellman key exchange with 4096 bit | |||

finite field"; | finite field"; | |||

reference | reference | |||

"RFC 7919: | "RFC 7919: | |||

Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | |||

for Transport Layer Security (TLS)"; | for Transport Layer Security (TLS)"; | |||

} | } | |||

identity dhe-ffdhe6144 { | identity dhe-ffdhe6144 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Ephemeral Diffie Hellman key exchange with 6144 bit | "Ephemeral Diffie Hellman key exchange with 6144 bit | |||

finite field"; | finite field"; | |||

reference | reference | |||

"RFC 7919: | "RFC 7919: | |||

Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | |||

for Transport Layer Security (TLS)"; | for Transport Layer Security (TLS)"; | |||

} | } | |||

identity dhe-ffdhe8192 { | identity dhe-ffdhe8192 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Ephemeral Diffie Hellman key exchange with 8192 bit | "Ephemeral Diffie Hellman key exchange with 8192 bit | |||

finite field"; | finite field"; | |||

reference | reference | |||

"RFC 7919: | "RFC 7919: | |||

Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | Negotiated Finite Field Diffie-Hellman Ephemeral Parameters | |||

for Transport Layer Security (TLS)"; | for Transport Layer Security (TLS)"; | |||

} | } | |||

identity psk-dhe-ffdhe2048 { | identity psk-dhe-ffdhe2048 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Key exchange using pre-shared key with Diffie-Hellman key | "Key exchange using pre-shared key with Diffie-Hellman key | |||

generation mechanism, where the DH group is FFDHE2048"; | generation mechanism, where the DH group is FFDHE2048"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity psk-dhe-ffdhe3072 { | identity psk-dhe-ffdhe3072 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Key exchange using pre-shared key with Diffie-Hellman key | "Key exchange using pre-shared key with Diffie-Hellman key | |||

generation mechanism, where the DH group is FFDHE3072"; | generation mechanism, where the DH group is FFDHE3072"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity psk-dhe-ffdhe4096 { | identity psk-dhe-ffdhe4096 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Key exchange using pre-shared key with Diffie-Hellman key | "Key exchange using pre-shared key with Diffie-Hellman key | |||

generation mechanism, where the DH group is FFDHE4096"; | generation mechanism, where the DH group is FFDHE4096"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity psk-dhe-ffdhe6144 { | identity psk-dhe-ffdhe6144 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Key exchange using pre-shared key with Diffie-Hellman key | "Key exchange using pre-shared key with Diffie-Hellman key | |||

generation mechanism, where the DH group is FFDHE6144"; | generation mechanism, where the DH group is FFDHE6144"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity psk-dhe-ffdhe8192 { | identity psk-dhe-ffdhe8192 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Key exchange using pre-shared key with Diffie-Hellman key | "Key exchange using pre-shared key with Diffie-Hellman key | |||

generation mechanism, where the DH group is FFDHE8192"; | generation mechanism, where the DH group is FFDHE8192"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity ecdhe-secp256r1 { | identity ecdhe-secp256r1 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Ephemeral Diffie Hellman key exchange with elliptic group | "Ephemeral Diffie Hellman key exchange with elliptic group | |||

over curve secp256r1"; | over curve secp256r1"; | |||

reference | reference | |||

"RFC 8422: | "RFC 8422: | |||

Elliptic Curve Cryptography (ECC) Cipher Suites for | Elliptic Curve Cryptography (ECC) Cipher Suites for | |||

Transport Layer Security (TLS) Versions 1.2 and Earlier"; | Transport Layer Security (TLS) Versions 1.2 and Earlier"; | |||

} | } | |||

identity ecdhe-secp384r1 { | identity ecdhe-secp384r1 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Ephemeral Diffie Hellman key exchange with elliptic group | "Ephemeral Diffie Hellman key exchange with elliptic group | |||

over curve secp384r1"; | over curve secp384r1"; | |||

reference | reference | |||

"RFC 8422: | "RFC 8422: | |||

Elliptic Curve Cryptography (ECC) Cipher Suites for | Elliptic Curve Cryptography (ECC) Cipher Suites for | |||

Transport Layer Security (TLS) Versions 1.2 and Earlier"; | Transport Layer Security (TLS) Versions 1.2 and Earlier"; | |||

} | } | |||

identity ecdhe-secp521r1 { | identity ecdhe-secp521r1 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Ephemeral Diffie Hellman key exchange with elliptic group | "Ephemeral Diffie Hellman key exchange with elliptic group | |||

over curve secp521r1"; | over curve secp521r1"; | |||

reference | reference | |||

"RFC 8422: | "RFC 8422: | |||

Elliptic Curve Cryptography (ECC) Cipher Suites for | Elliptic Curve Cryptography (ECC) Cipher Suites for | |||

Transport Layer Security (TLS) Versions 1.2 and Earlier"; | Transport Layer Security (TLS) Versions 1.2 and Earlier"; | |||

} | } | |||

identity ecdhe-x25519 { | identity ecdhe-x25519 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Ephemeral Diffie Hellman key exchange with elliptic group | "Ephemeral Diffie Hellman key exchange with elliptic group | |||

over curve x25519"; | over curve x25519"; | |||

reference | reference | |||

"RFC 8422: | "RFC 8422: | |||

Elliptic Curve Cryptography (ECC) Cipher Suites for | Elliptic Curve Cryptography (ECC) Cipher Suites for | |||

Transport Layer Security (TLS) Versions 1.2 and Earlier"; | Transport Layer Security (TLS) Versions 1.2 and Earlier"; | |||

} | } | |||

identity ecdhe-x448 { | identity ecdhe-x448 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Ephemeral Diffie Hellman key exchange with elliptic group | "Ephemeral Diffie Hellman key exchange with elliptic group | |||

over curve x448"; | over curve x448"; | |||

reference | reference | |||

"RFC 8422: | "RFC 8422: | |||

Elliptic Curve Cryptography (ECC) Cipher Suites for | Elliptic Curve Cryptography (ECC) Cipher Suites for | |||

Transport Layer Security (TLS) Versions 1.2 and Earlier"; | Transport Layer Security (TLS) Versions 1.2 and Earlier"; | |||

} | } | |||

identity psk-ecdhe-secp256r1 { | identity psk-ecdhe-secp256r1 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Key exchange using pre-shared key with elliptic group-based | "Key exchange using pre-shared key with elliptic group-based | |||

Ephemeral Diffie Hellman key exchange over curve secp256r1"; | Ephemeral Diffie Hellman key exchange over curve secp256r1"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity psk-ecdhe-secp384r1 { | identity psk-ecdhe-secp384r1 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Key exchange using pre-shared key with elliptic group-based | "Key exchange using pre-shared key with elliptic group-based | |||

Ephemeral Diffie Hellman key exchange over curve secp384r1"; | Ephemeral Diffie Hellman key exchange over curve secp384r1"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity psk-ecdhe-secp521r1 { | identity psk-ecdhe-secp521r1 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Key exchange using pre-shared key with elliptic group-based | "Key exchange using pre-shared key with elliptic group-based | |||

Ephemeral Diffie Hellman key exchange over curve secp521r1"; | Ephemeral Diffie Hellman key exchange over curve secp521r1"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity psk-ecdhe-x25519 { | identity psk-ecdhe-x25519 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Key exchange using pre-shared key with elliptic group-based | "Key exchange using pre-shared key with elliptic group-based | |||

Ephemeral Diffie Hellman key exchange over curve x25519"; | Ephemeral Diffie Hellman key exchange over curve x25519"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity psk-ecdhe-x448 { | identity psk-ecdhe-x448 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Key exchange using pre-shared key with elliptic group-based | "Key exchange using pre-shared key with elliptic group-based | |||

Ephemeral Diffie Hellman key exchange over curve x448"; | Ephemeral Diffie Hellman key exchange over curve x448"; | |||

reference | reference | |||

"RFC 8446: | "RFC 8446: | |||

The Transport Layer Security (TLS) Protocol Version 1.3"; | The Transport Layer Security (TLS) Protocol Version 1.3"; | |||

} | } | |||

identity diffie-hellman-group14-sha1 { | identity diffie-hellman-group14-sha1 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Using DH group14 and SHA1 for key exchange"; | "Using DH group14 and SHA1 for key exchange"; | |||

reference | reference | |||

"RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; | "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; | |||

} | } | |||

identity diffie-hellman-group14-sha256 { | identity diffie-hellman-group14-sha256 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Using DH group14 and SHA256 for key exchange"; | "Using DH group14 and SHA256 for key exchange"; | |||

reference | reference | |||

"RFC 8268: | "RFC 8268: | |||

More Modular Exponentiation (MODP) Diffie-Hellman (DH) | More Modular Exponentiation (MODP) Diffie-Hellman (DH) | |||

Key Exchange (KEX) Groups for Secure Shell (SSH)"; | Key Exchange (KEX) Groups for Secure Shell (SSH)"; | |||

} | } | |||

identity diffie-hellman-group15-sha512 { | identity diffie-hellman-group15-sha512 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Using DH group15 and SHA512 for key exchange"; | "Using DH group15 and SHA512 for key exchange"; | |||

reference | reference | |||

"RFC 8268: | "RFC 8268: | |||

More Modular Exponentiation (MODP) Diffie-Hellman (DH) | More Modular Exponentiation (MODP) Diffie-Hellman (DH) | |||

Key Exchange (KEX) Groups for Secure Shell (SSH)"; | Key Exchange (KEX) Groups for Secure Shell (SSH)"; | |||

} | } | |||

identity diffie-hellman-group16-sha512 { | identity diffie-hellman-group16-sha512 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Using DH group16 and SHA512 for key exchange"; | "Using DH group16 and SHA512 for key exchange"; | |||

reference | reference | |||

"RFC 8268: | "RFC 8268: | |||

More Modular Exponentiation (MODP) Diffie-Hellman (DH) | More Modular Exponentiation (MODP) Diffie-Hellman (DH) | |||

Key Exchange (KEX) Groups for Secure Shell (SSH)"; | Key Exchange (KEX) Groups for Secure Shell (SSH)"; | |||

} | } | |||

identity diffie-hellman-group17-sha512 { | identity diffie-hellman-group17-sha512 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Using DH group17 and SHA512 for key exchange"; | "Using DH group17 and SHA512 for key exchange"; | |||

reference | reference | |||

"RFC 8268: | "RFC 8268: | |||

More Modular Exponentiation (MODP) Diffie-Hellman (DH) | More Modular Exponentiation (MODP) Diffie-Hellman (DH) | |||

Key Exchange (KEX) Groups for Secure Shell (SSH)"; | Key Exchange (KEX) Groups for Secure Shell (SSH)"; | |||

} | } | |||

identity diffie-hellman-group18-sha512 { | identity diffie-hellman-group18-sha512 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Using DH group18 and SHA512 for key exchange"; | "Using DH group18 and SHA512 for key exchange"; | |||

reference | reference | |||

"RFC 8268: | "RFC 8268: | |||

More Modular Exponentiation (MODP) Diffie-Hellman (DH) | More Modular Exponentiation (MODP) Diffie-Hellman (DH) | |||

Key Exchange (KEX) Groups for Secure Shell (SSH)"; | Key Exchange (KEX) Groups for Secure Shell (SSH)"; | |||

} | } | |||

identity ecdh-sha2-secp256r1 { | identity ecdh-sha2-secp256r1 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Elliptic curve-based Diffie Hellman key exchange over curve | "Elliptic curve-based Diffie Hellman key exchange over curve | |||

secp256r1 and using SHA2 for MAC generation"; | secp256r1 and using SHA2 for MAC generation"; | |||

reference | reference | |||

"RFC 6239: Suite B Cryptographic Suites for Secure Shell | "RFC 6239: Suite B Cryptographic Suites for Secure Shell | |||

(SSH)"; | (SSH)"; | |||

} | } | |||

identity ecdh-sha2-secp384r1 { | identity ecdh-sha2-secp384r1 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"Elliptic curve-based Diffie Hellman key exchange over curve | "Elliptic curve-based Diffie Hellman key exchange over curve | |||

secp384r1 and using SHA2 for MAC generation"; | secp384r1 and using SHA2 for MAC generation"; | |||

reference | reference | |||

"RFC 6239: Suite B Cryptographic Suites for Secure Shell | "RFC 6239: Suite B Cryptographic Suites for Secure Shell | |||

(SSH)"; | (SSH)"; | |||

} | } | |||

identity rsaes-oaep { | identity rsaes-oaep { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

"RSAES-OAEP combines the RSAEP and RSADP primitives with the | "RSAES-OAEP combines the RSAEP and RSADP primitives with the | |||

EME-OAEP encoding method"; | EME-OAEP encoding method"; | |||

reference | reference | |||

"RFC 8017: | "RFC 8017: | |||

PKCS #1: RSA Cryptography Specifications Version 2.2."; | PKCS #1: RSA Cryptography Specifications Version 2.2."; | |||

} | } | |||

identity rsaes-pkcs1-v1_5 { | identity rsaes-pkcs1-v1_5 { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

description | description | |||

" RSAES-PKCS1-v1_5 combines the RSAEP and RSADP primitives | " RSAES-PKCS1-v1_5 combines the RSAEP and RSADP primitives | |||

with the EME-PKCS1-v1_5 encoding method"; | with the EME-PKCS1-v1_5 encoding method"; | |||

reference | reference | |||

"RFC 8017: | "RFC 8017: | |||

PKCS #1: RSA Cryptography Specifications Version 2.2."; | PKCS #1: RSA Cryptography Specifications Version 2.2."; | |||

} | } | |||

/**********************************************************/ | /**********************************************************/ | |||

/* Typedefs for identityrefs to above base identities */ | /* Typedefs for identityrefs to above base identities */ | |||

/**********************************************************/ | /**********************************************************/ | |||

typedef hash-algorithm-ref { | typedef hash-algorithm-ref { | |||

type identityref { | type identityref { | |||

base "hash-algorithm"; | base hash-algorithm; | |||

} | } | |||

description | description | |||

"This typedef enables importing modules to easily define an | "This typedef enables importing modules to easily define an | |||

identityref to the 'hash-algorithm' base identity."; | identityref to the 'hash-algorithm' base identity."; | |||

} | } | |||

typedef signature-algorithm-ref { | typedef signature-algorithm-ref { | |||

type identityref { | type identityref { | |||

base "signature-algorithm"; | base signature-algorithm; | |||

} | } | |||

description | description | |||

"This typedef enables importing modules to easily define an | "This typedef enables importing modules to easily define an | |||

identityref to the 'signature-algorithm' base identity."; | identityref to the 'signature-algorithm' base identity."; | |||

} | } | |||

typedef mac-algorithm-ref { | typedef mac-algorithm-ref { | |||

type identityref { | type identityref { | |||

base "mac-algorithm"; | base mac-algorithm; | |||

} | } | |||

description | description | |||

"This typedef enables importing modules to easily define an | "This typedef enables importing modules to easily define an | |||

identityref to the 'mac-algorithm' base identity."; | identityref to the 'mac-algorithm' base identity."; | |||

} | } | |||

typedef encryption-algorithm-ref { | typedef encryption-algorithm-ref { | |||

type identityref { | type identityref { | |||

base "encryption-algorithm"; | base encryption-algorithm; | |||

} | } | |||

description | description | |||

"This typedef enables importing modules to easily define an | "This typedef enables importing modules to easily define an | |||

identityref to the 'encryption-algorithm' | identityref to the 'encryption-algorithm' | |||

base identity."; | base identity."; | |||

} | } | |||

typedef encryption-and-mac-algorithm-ref { | typedef encryption-and-mac-algorithm-ref { | |||

type identityref { | type identityref { | |||

base "encryption-and-mac-algorithm"; | base encryption-and-mac-algorithm; | |||

} | } | |||

description | description | |||

"This typedef enables importing modules to easily define an | "This typedef enables importing modules to easily define an | |||

identityref to the 'encryption-and-mac-algorithm' | identityref to the 'encryption-and-mac-algorithm' | |||

base identity."; | base identity."; | |||

} | } | |||

typedef asymmetric-key-algorithm-ref { | typedef asymmetric-key-algorithm-ref { | |||

type identityref { | type identityref { | |||

base "asymmetric-key-algorithm"; | base asymmetric-key-algorithm; | |||

} | } | |||

description | description | |||

"This typedef enables importing modules to easily define an | "This typedef enables importing modules to easily define an | |||

identityref to the 'asymmetric-key-algorithm' | identityref to the 'asymmetric-key-algorithm' | |||

base identity."; | base identity."; | |||

} | } | |||

typedef key-exchange-algorithm-ref { | typedef key-exchange-algorithm-ref { | |||

type identityref { | type identityref { | |||

base "key-exchange-algorithm"; | base key-exchange-algorithm; | |||

} | } | |||

description | description | |||

"This typedef enables importing modules to easily define an | "This typedef enables importing modules to easily define an | |||

identityref to the 'key-exchange-algorithm' base identity."; | identityref to the 'key-exchange-algorithm' base identity."; | |||

} | } | |||

/***************************************************/ | /***************************************************/ | |||

/* Typedefs for ASN.1 structures from RFC 5280 */ | /* Typedefs for ASN.1 structures from RFC 5280 */ | |||

/***************************************************/ | /***************************************************/ | |||

typedef x509 { | typedef x509 { | |||

type binary; | type binary; | |||

description | description | |||

"A Certificate structure, as specified in RFC 5280, | "A Certificate structure, as specified in RFC 5280, | |||

encoded using ASN.1 distinguished encoding rules (DER), | encoded using ASN.1 distinguished encoding rules (DER), | |||

as specified in ITU-T X.690."; | as specified in ITU-T X.690."; | |||

reference | reference | |||

"RFC 5280: | "RFC 5280: | |||

Internet X.509 Public Key Infrastructure Certificate | Internet X.509 Public Key Infrastructure Certificate | |||

and Certificate Revocation List (CRL) Profile | and Certificate Revocation List (CRL) Profile | |||

ITU-T X.690: | ITU-T X.690: | |||

Information technology - ASN.1 encoding rules: | Information technology - ASN.1 encoding rules: | |||

Specification of Basic Encoding Rules (BER), | Specification of Basic Encoding Rules (BER), | |||

Canonical Encoding Rules (CER) and Distinguished | Canonical Encoding Rules (CER) and Distinguished | |||

Encoding Rules (DER)."; | Encoding Rules (DER)."; | |||

} | } | |||

skipping to change at page 32, line 46 ¶ | skipping to change at page 33, line 4 ¶ | |||

algorithm. For example, a DSA key is an integer, an RSA | algorithm. For example, a DSA key is an integer, an RSA | |||

key is represented as RSAPublicKey as defined in | key is represented as RSAPublicKey as defined in | |||

RFC 8017, and an Elliptic Curve Cryptography (ECC) key | RFC 8017, and an Elliptic Curve Cryptography (ECC) key | |||

is represented using the 'publicKey' described in | is represented using the 'publicKey' described in | |||

RFC 5915."; | RFC 5915."; | |||

reference | reference | |||

"RFC 8017: Public-Key Cryptography Standards (PKCS) #1: | "RFC 8017: Public-Key Cryptography Standards (PKCS) #1: | |||

RSA Cryptography Specifications Version 2.2. | RSA Cryptography Specifications Version 2.2. | |||

RFC 5915: Elliptic Curve Private Key Structure."; | RFC 5915: Elliptic Curve Private Key Structure."; | |||

} | } | |||

} | } | |||

grouping asymmetric-key-pair-grouping { | grouping asymmetric-key-pair-grouping { | |||

description | description | |||

"A private/public key pair."; | "A private/public key pair."; | |||

uses public-key-grouping; | uses public-key-grouping; | |||

leaf private-key { | leaf private-key { | |||

nacm:default-deny-all; | nacm:default-deny-all; | |||

type union { | type union { | |||

type binary; | type binary; | |||

type enumeration { | type enumeration { | |||

enum "permanently-hidden" { | enum permanently-hidden { | |||

description | description | |||

"The private key is inaccessible due to being | "The private key is inaccessible due to being | |||

protected by the system (e.g., a cryptographic | protected by the system (e.g., a cryptographic | |||

hardware module). It is not possible to | hardware module). It is not possible to | |||

configure a permanently hidden key, as a real | configure a permanently hidden key, as a real | |||

private key value must be set. Permanently | private key value must be set. Permanently | |||

hidden keys cannot be archived or backed up."; | hidden keys cannot be archived or backed up."; | |||

} | } | |||

} | } | |||

} | } | |||

description | description | |||

"A binary that contains the value of the private key. The | "A binary that contains the value of the private key. The | |||

interpretation of the content is defined by the key | interpretation of the content is defined by the key | |||

algorithm. For example, a DSA key is an integer, an RSA | algorithm. For example, a DSA key is an integer, an RSA | |||

key is represented as RSAPrivateKey as defined in | key is represented as RSAPrivateKey as defined in | |||

RFC 8017, and an Elliptic Curve Cryptography (ECC) key | RFC 8017, and an Elliptic Curve Cryptography (ECC) key | |||

is represented as ECPrivateKey as defined in RFC 5915."; | is represented as ECPrivateKey as defined in RFC 5915."; | |||

skipping to change at page 35, line 4 ¶ | skipping to change at page 35, line 11 ¶ | |||

The interpretation of the content is defined by the key | The interpretation of the content is defined by the key | |||

algorithm. For example, a DSA key is an integer, an RSA | algorithm. For example, a DSA key is an integer, an RSA | |||

key is represented as RSAPrivateKey as defined in | key is represented as RSAPrivateKey as defined in | |||

RFC 8017, and an Elliptic Curve Cryptography (ECC) key | RFC 8017, and an Elliptic Curve Cryptography (ECC) key | |||

is represented as ECPrivateKey as defined in RFC 5915."; | is represented as ECPrivateKey as defined in RFC 5915."; | |||

reference | reference | |||

"RFC 8017: Public-Key Cryptography Standards (PKCS) #1: | "RFC 8017: Public-Key Cryptography Standards (PKCS) #1: | |||

RSA Cryptography Specifications Version 2.2. | RSA Cryptography Specifications Version 2.2. | |||

RFC 5915: Elliptic Curve Private Key Structure."; | RFC 5915: Elliptic Curve Private Key Structure."; | |||

} | } | |||

} | } | |||

} // install-hidden-key | } // install-hidden-key | |||

} // asymmetric-key-pair-grouping | } // asymmetric-key-pair-grouping | |||

grouping trust-anchor-cert-grouping { | grouping trust-anchor-cert-grouping { | |||

description | description | |||

"A certificate, and a notification for when it might expire."; | "A certificate, and a notification for when it might expire."; | |||

leaf cert { | leaf cert { | |||

type trust-anchor-cert-cms; | type trust-anchor-cert-cms; | |||

description | description | |||

"The binary certificate data for this certificate."; | "The binary certificate data for this certificate."; | |||

reference | reference | |||

"RFC YYYY: Common YANG Data Types for Cryptography"; | "RFC YYYY: Common YANG Data Types for Cryptography"; | |||

} | } | |||

notification certificate-expiration { | notification certificate-expiration { | |||

description | description | |||

"A notification indicating that the configured certificate | "A notification indicating that the configured certificate | |||

is either about to expire or has already expired. When to | is either about to expire or has already expired. When to | |||

send notifications is an implementation specific decision, | send notifications is an implementation specific decision, | |||

but it is RECOMMENDED that a notification be sent once a | but it is RECOMMENDED that a notification be sent once a | |||

month for 3 months, then once a week for four weeks, and | month for 3 months, then once a week for four weeks, and | |||

then once a day thereafter until the issue is resolved."; | then once a day thereafter until the issue is resolved."; | |||

leaf expiration-date { | leaf expiration-date { | |||

type yang:date-and-time; | type yang:date-and-time; | |||

mandatory true; | mandatory true; | |||

description | description | |||

"Identifies the expiration date on the certificate."; | "Identifies the expiration date on the certificate."; | |||

} | } | |||

} | } | |||

} | } | |||

grouping end-entity-cert-grouping { | grouping end-entity-cert-grouping { | |||

description | description | |||

"A certificate, and a notification for when it might expire."; | "A certificate, and a notification for when it might expire."; | |||

leaf cert { | leaf cert { | |||

type end-entity-cert-cms; | type end-entity-cert-cms; | |||

description | description | |||

"The binary certificate data for this certificate."; | "The binary certificate data for this certificate."; | |||

reference | reference | |||

"RFC YYYY: Common YANG Data Types for Cryptography"; | "RFC YYYY: Common YANG Data Types for Cryptography"; | |||

} | } | |||

notification certificate-expiration { | notification certificate-expiration { | |||

description | description | |||

"A notification indicating that the configured certificate | "A notification indicating that the configured certificate | |||

is either about to expire or has already expired. When to | is either about to expire or has already expired. When to | |||

send notifications is an implementation specific decision, | send notifications is an implementation specific decision, | |||

but it is RECOMMENDED that a notification be sent once a | but it is RECOMMENDED that a notification be sent once a | |||

month for 3 months, then once a week for four weeks, and | month for 3 months, then once a week for four weeks, and | |||

then once a day thereafter until the issue is resolved."; | then once a day thereafter until the issue is resolved."; | |||

leaf expiration-date { | leaf expiration-date { | |||

skipping to change at page 36, line 20 ¶ | skipping to change at page 36, line 27 ¶ | |||

description | description | |||

"Identifies the expiration date on the certificate."; | "Identifies the expiration date on the certificate."; | |||

} | } | |||

} | } | |||

} | } | |||

grouping asymmetric-key-pair-with-certs-grouping { | grouping asymmetric-key-pair-with-certs-grouping { | |||

description | description | |||

"A private/public key pair and associated certificates."; | "A private/public key pair and associated certificates."; | |||

uses asymmetric-key-pair-grouping; | uses asymmetric-key-pair-grouping; | |||

container certificates { | container certificates { | |||

description | description | |||

"Certificates associated with this asymmetric key. | "Certificates associated with this asymmetric key. | |||

More than one certificate supports, for instance, | More than one certificate supports, for instance, | |||

a TPM-protected asymmetric key that has both IDevID | a TPM-protected asymmetric key that has both IDevID | |||

and LDevID certificates associated."; | and LDevID certificates associated."; | |||

list certificate { | list certificate { | |||

key name; | key "name"; | |||

description | description | |||

"A certificate for this asymmetric key."; | "A certificate for this asymmetric key."; | |||

leaf name { | leaf name { | |||

type string; | type string; | |||

description | description | |||

"An arbitrary name for the certificate. If the name | "An arbitrary name for the certificate. If the name | |||

matches the name of a certificate that exists | matches the name of a certificate that exists | |||

independently in <operational> (i.e., an IDevID), | independently in <operational> (i.e., an IDevID), | |||

then the 'cert' node MUST NOT be configured."; | then the 'cert' node MUST NOT be configured."; | |||

} | } | |||

uses end-entity-cert-grouping; | uses end-entity-cert-grouping; | |||

} | } | |||

} // certificates | } // certificates | |||

action generate-certificate-signing-request { | action generate-certificate-signing-request { | |||

description | description | |||

"Generates a certificate signing request structure for | "Generates a certificate signing request structure for | |||

the associated asymmetric key using the passed subject | the associated asymmetric key using the passed subject | |||

and attribute values. The specified assertions need | and attribute values. The specified assertions need | |||

skipping to change at page 37, line 11 ¶ | skipping to change at page 37, line 14 ¶ | |||

and attribute values. The specified assertions need | and attribute values. The specified assertions need | |||

to be appropriate for the certificate's use. For | to be appropriate for the certificate's use. For | |||

example, an entity certificate for a TLS server | example, an entity certificate for a TLS server | |||

SHOULD have values that enable clients to satisfy | SHOULD have values that enable clients to satisfy | |||

RFC 6125 processing."; | RFC 6125 processing."; | |||

input { | input { | |||

leaf subject { | leaf subject { | |||

type binary; | type binary; | |||

mandatory true; | mandatory true; | |||

description | description | |||

"The 'subject' field per the CertificationRequestInfo | "The 'subject' field per the CertificationRequestInfo | |||

structure as specified by RFC 2986, Section 4.1 | structure as specified by RFC 2986, Section 4.1 | |||

encoded using the ASN.1 distinguished encoding | encoded using the ASN.1 distinguished encoding | |||

rules (DER), as specified in ITU-T X.690."; | rules (DER), as specified in ITU-T X.690."; | |||

reference | reference | |||

"RFC 2986: | "RFC 2986: | |||

PKCS #10: Certification Request Syntax | PKCS #10: Certification Request Syntax | |||

Specification Version 1.7. | Specification Version 1.7. | |||

ITU-T X.690: | ITU-T X.690: | |||

Information technology - ASN.1 encoding rules: | Information technology - ASN.1 encoding rules: | |||

Specification of Basic Encoding Rules (BER), | Specification of Basic Encoding Rules (BER), | |||

Canonical Encoding Rules (CER) and Distinguished | Canonical Encoding Rules (CER) and Distinguished | |||

Encoding Rules (DER)."; | Encoding Rules (DER)."; | |||

} | } | |||

skipping to change at page 51, line 5 ¶ | skipping to change at page 51, line 5 ¶ | |||

o added typedef 'encryption-and-mac-algorithm-ref'. | o added typedef 'encryption-and-mac-algorithm-ref'. | |||

o Updated copyright date, boilerplate template, affiliation, and | o Updated copyright date, boilerplate template, affiliation, and | |||

folding algorithm. | folding algorithm. | |||

B.5. 03 to 04 | B.5. 03 to 04 | |||

o ran YANG module through formatter. | o ran YANG module through formatter. | |||

B.6. 04 to 05 | ||||

o fixed broken symlink causing reformatted YANG module to not show. | ||||

Acknowledgements | Acknowledgements | |||

The authors would like to thank for following for lively discussions | The authors would like to thank for following for lively discussions | |||

on list and in the halls (ordered by last name): Martin Bjorklund, | on list and in the halls (ordered by last name): Martin Bjorklund, | |||

Balazs Kovacs, Eric Voit, and Liang Xia. | Balazs Kovacs, Eric Voit, and Liang Xia. | |||

Authors' Addresses | Authors' Addresses | |||

Kent Watsen | Kent Watsen | |||

Watsen Networks | Watsen Networks | |||

End of changes. 147 change blocks. | ||||

173 lines changed or deleted | | 189 lines changed or added | ||

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |