diff options
Diffstat (limited to 'vnfs/TestVNF/netconftemplates/netconftemplates/ietf-x509-cert-to-name@2014-12-10.yin')
| -rw-r--r-- | vnfs/TestVNF/netconftemplates/netconftemplates/ietf-x509-cert-to-name@2014-12-10.yin | 314 |
1 files changed, 314 insertions, 0 deletions
diff --git a/vnfs/TestVNF/netconftemplates/netconftemplates/ietf-x509-cert-to-name@2014-12-10.yin b/vnfs/TestVNF/netconftemplates/netconftemplates/ietf-x509-cert-to-name@2014-12-10.yin new file mode 100644 index 00000000..f39e0267 --- /dev/null +++ b/vnfs/TestVNF/netconftemplates/netconftemplates/ietf-x509-cert-to-name@2014-12-10.yin @@ -0,0 +1,314 @@ +<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="m-1"> + <data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring"><?xml version="1.0" encoding="UTF-8"?> +<module name="ietf-x509-cert-to-name" + xmlns="urn:ietf:params:xml:ns:yang:yin:1" + xmlns:x509c2n="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name" + xmlns:yang="urn:ietf:params:xml:ns:yang:ietf-yang-types"> + <namespace uri="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name"/> + <prefix value="x509c2n"/> + <import module="ietf-yang-types"> + <prefix value="yang"/> + </import> + <organization> + <text>IETF NETMOD (NETCONF Data Modeling Language) Working Group</text> + </organization> + <contact> + <text>WG Web: &lt;http://tools.ietf.org/wg/netmod/&gt; +WG List: &lt;mailto:netmod@ietf.org&gt; + +WG Chair: Thomas Nadeau + &lt;mailto:tnadeau@lucidvision.com&gt; + +WG Chair: Juergen Schoenwaelder + &lt;mailto:j.schoenwaelder@jacobs-university.de&gt; + +Editor: Martin Bjorklund + &lt;mailto:mbj@tail-f.com&gt; + +Editor: Juergen Schoenwaelder + &lt;mailto:j.schoenwaelder@jacobs-university.de&gt;</text> + </contact> + <description> + <text>This module contains a collection of YANG definitions for +extracting a name from an X.509 certificate. +The algorithm used to extract a name from an X.509 certificate +was first defined in RFC 6353. + +Copyright (c) 2014 IETF Trust and the persons identified as +authors of the code. All rights reserved. + +Redistribution and use in source and binary forms, with or +without modification, is permitted pursuant to, and subject +to the license terms contained in, the Simplified BSD License +set forth in Section 4.c of the IETF Trust's Legal Provisions +Relating to IETF Documents +(http://trustee.ietf.org/license-info). + +This version of this YANG module is part of RFC 7407; see +the RFC itself for full legal notices.</text> + </description> + <reference> + <text>RFC 6353: Transport Layer Security (TLS) Transport Model for + the Simple Network Management Protocol (SNMP)</text> + </reference> + <revision date="2014-12-10"> + <description> + <text>Initial revision.</text> + </description> + <reference> + <text>RFC 7407: A YANG Data Model for SNMP Configuration</text> + </reference> + </revision> + <identity name="cert-to-name"> + <description> + <text>Base identity for algorithms to derive a name from a +certificate.</text> + </description> + </identity> + <identity name="specified"> + <base name="cert-to-name"/> + <description> + <text>Directly specifies the name to be used for the certificate. +The value of the leaf 'name' in the cert-to-name list is +used.</text> + </description> + <reference> + <text>RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertSpecified</text> + </reference> + </identity> + <identity name="san-rfc822-name"> + <base name="cert-to-name"/> + <description> + <text>Maps a subjectAltName's rfc822Name to a name. The local part +of the rfc822Name is passed unaltered, but the host-part of +the name must be passed in lowercase. For example, the +rfc822Name field FooBar@Example.COM is mapped to name +FooBar@example.com.</text> + </description> + <reference> + <text>RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name</text> + </reference> + </identity> + <identity name="san-dns-name"> + <base name="cert-to-name"/> + <description> + <text>Maps a subjectAltName's dNSName to a name after first +converting it to all lowercase (RFC 5280 does not specify +converting to lowercase, so this involves an extra step). +This mapping results in a 1:1 correspondence between +subjectAltName dNSName values and the name values.</text> + </description> + <reference> + <text>RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName</text> + </reference> + </identity> + <identity name="san-ip-address"> + <base name="cert-to-name"/> + <description> + <text>Maps a subjectAltName's iPAddress to a name by +transforming the binary-encoded address as follows: + + 1) for IPv4, the value is converted into a + decimal-dotted quad address (e.g., '192.0.2.1'). + + 2) for IPv6 addresses, the value is converted into a + 32-character, all-lowercase hexadecimal string + without any colon separators. + +This mapping results in a 1:1 correspondence between +subjectAltName iPAddress values and the name values.</text> + </description> + <reference> + <text>RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress</text> + </reference> + </identity> + <identity name="san-any"> + <base name="cert-to-name"/> + <description> + <text>Maps any of the following fields using the corresponding +mapping algorithms: + + +------------+-----------------+ + | Type | Algorithm | + |------------+-----------------| + | rfc822Name | san-rfc822-name | + | dNSName | san-dns-name | + | iPAddress | san-ip-address | + +------------+-----------------+ + +The first matching subjectAltName value found in the +certificate of the above types MUST be used when deriving +the name. The mapping algorithm specified in the +'Algorithm' column MUST be used to derive the name. + +This mapping results in a 1:1 correspondence between +subjectAltName values and name values. The three sub-mapping +algorithms produced by this combined algorithm cannot produce +conflicting results between themselves.</text> + </description> + <reference> + <text>RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertSANAny</text> + </reference> + </identity> + <identity name="common-name"> + <base name="cert-to-name"/> + <description> + <text>Maps a certificate's CommonName to a name after converting +it to a UTF-8 encoding. The usage of CommonNames is +deprecated, and users are encouraged to use subjectAltName +mapping methods instead. This mapping results in a 1:1 +correspondence between certificate CommonName values and name +values.</text> + </description> + <reference> + <text>RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertCommonName</text> + </reference> + </identity> + <typedef name="tls-fingerprint"> + <type name="yang:hex-string"> + <pattern value="([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}"/> + </type> + <description> + <text>A fingerprint value that can be used to uniquely reference +other data of potentially arbitrary length. + +A tls-fingerprint value is composed of a 1-octet hashing +algorithm identifier followed by the fingerprint value. The +first octet value identifying the hashing algorithm is taken +from the IANA 'TLS HashAlgorithm Registry' (RFC 5246). The +remaining octets are filled using the results of the hashing +algorithm.</text> + </description> + <reference> + <text>RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol (SNMP). + SNMP-TLS-TM-MIB.SnmpTLSFingerprint</text> + </reference> + </typedef> + <grouping name="cert-to-name"> + <description> + <text>Defines nodes for mapping certificates to names. Modules +that use this grouping should describe how the resulting +name is used.</text> + </description> + <list name="cert-to-name"> + <key value="id"/> + <description> + <text>This list defines how certificates are mapped to names. +The name is derived by considering each cert-to-name +list entry in order. The cert-to-name entry's fingerprint +determines whether the list entry is a match: + +1) If the cert-to-name list entry's fingerprint value + matches that of the presented certificate, then consider + the list entry a successful match. + +2) If the cert-to-name list entry's fingerprint value + matches that of a locally held copy of a trusted CA + certificate, and that CA certificate was part of the CA + certificate chain to the presented certificate, then + consider the list entry a successful match. + +Once a matching cert-to-name list entry has been found, the +map-type is used to determine how the name associated with +the certificate should be determined. See the map-type +leaf's description for details on determining the name value. +If it is impossible to determine a name from the cert-to-name +list entry's data combined with the data presented in the +certificate, then additional cert-to-name list entries MUST +be searched to look for another potential match. + +Security administrators are encouraged to make use of +certificates with subjectAltName fields that can be mapped to +names so that a single root CA certificate can allow all +child certificates' subjectAltName fields to map directly to +a name via a 1:1 transformation.</text> + </description> + <reference> + <text>RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry</text> + </reference> + <leaf name="id"> + <type name="uint32"/> + <description> + <text>The id specifies the order in which the entries in the +cert-to-name list are searched. Entries with lower +numbers are searched first.</text> + </description> + <reference> + <text>RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol + (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID</text> + </reference> + </leaf> + <leaf name="fingerprint"> + <type name="x509c2n:tls-fingerprint"/> + <mandatory value="true"/> + <description> + <text>Specifies a value with which the fingerprint of the +full certificate presented by the peer is compared. If +the fingerprint of the full certificate presented by the +peer does not match the fingerprint configured, then the +entry is skipped, and the search for a match continues.</text> + </description> + <reference> + <text>RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol + (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint</text> + </reference> + </leaf> + <leaf name="map-type"> + <type name="identityref"> + <base name="cert-to-name"/> + </type> + <mandatory value="true"/> + <description> + <text>Specifies the algorithm used to map the certificate +presented by the peer to a name. + +Mappings that need additional configuration objects should +use the 'when' statement to make them conditional based on +the map-type.</text> + </description> + <reference> + <text>RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol + (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType</text> + </reference> + </leaf> + <leaf name="name"> + <when condition="../map-type = 'x509c2n:specified'"/> + <type name="string"/> + <mandatory value="true"/> + <description> + <text>Directly specifies the NETCONF username when the +map-type is 'specified'.</text> + </description> + <reference> + <text>RFC 6353: Transport Layer Security (TLS) Transport Model + for the Simple Network Management Protocol + (SNMP). + SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData</text> + </reference> + </leaf> + </list> + </grouping> +</module> +</data> +</rpc-reply> |