1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
|
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="m-1">
<data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring"><?xml version="1.0" encoding="UTF-8"?>
<module name="ietf-x509-cert-to-name"
xmlns="urn:ietf:params:xml:ns:yang:yin:1"
xmlns:x509c2n="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name"
xmlns:yang="urn:ietf:params:xml:ns:yang:ietf-yang-types">
<namespace uri="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name"/>
<prefix value="x509c2n"/>
<import module="ietf-yang-types">
<prefix value="yang"/>
</import>
<organization>
<text>IETF NETMOD (NETCONF Data Modeling Language) Working Group</text>
</organization>
<contact>
<text>WG Web: &lt;http://tools.ietf.org/wg/netmod/&gt;
WG List: &lt;mailto:netmod@ietf.org&gt;
WG Chair: Thomas Nadeau
&lt;mailto:tnadeau@lucidvision.com&gt;
WG Chair: Juergen Schoenwaelder
&lt;mailto:j.schoenwaelder@jacobs-university.de&gt;
Editor: Martin Bjorklund
&lt;mailto:mbj@tail-f.com&gt;
Editor: Juergen Schoenwaelder
&lt;mailto:j.schoenwaelder@jacobs-university.de&gt;</text>
</contact>
<description>
<text>This module contains a collection of YANG definitions for
extracting a name from an X.509 certificate.
The algorithm used to extract a name from an X.509 certificate
was first defined in RFC 6353.
Copyright (c) 2014 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 7407; see
the RFC itself for full legal notices.</text>
</description>
<reference>
<text>RFC 6353: Transport Layer Security (TLS) Transport Model for
the Simple Network Management Protocol (SNMP)</text>
</reference>
<revision date="2014-12-10">
<description>
<text>Initial revision.</text>
</description>
<reference>
<text>RFC 7407: A YANG Data Model for SNMP Configuration</text>
</reference>
</revision>
<identity name="cert-to-name">
<description>
<text>Base identity for algorithms to derive a name from a
certificate.</text>
</description>
</identity>
<identity name="specified">
<base name="cert-to-name"/>
<description>
<text>Directly specifies the name to be used for the certificate.
The value of the leaf 'name' in the cert-to-name list is
used.</text>
</description>
<reference>
<text>RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol (SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertSpecified</text>
</reference>
</identity>
<identity name="san-rfc822-name">
<base name="cert-to-name"/>
<description>
<text>Maps a subjectAltName's rfc822Name to a name. The local part
of the rfc822Name is passed unaltered, but the host-part of
the name must be passed in lowercase. For example, the
rfc822Name field FooBar@Example.COM is mapped to name
FooBar@example.com.</text>
</description>
<reference>
<text>RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol (SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name</text>
</reference>
</identity>
<identity name="san-dns-name">
<base name="cert-to-name"/>
<description>
<text>Maps a subjectAltName's dNSName to a name after first
converting it to all lowercase (RFC 5280 does not specify
converting to lowercase, so this involves an extra step).
This mapping results in a 1:1 correspondence between
subjectAltName dNSName values and the name values.</text>
</description>
<reference>
<text>RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol (SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName</text>
</reference>
</identity>
<identity name="san-ip-address">
<base name="cert-to-name"/>
<description>
<text>Maps a subjectAltName's iPAddress to a name by
transforming the binary-encoded address as follows:
1) for IPv4, the value is converted into a
decimal-dotted quad address (e.g., '192.0.2.1').
2) for IPv6 addresses, the value is converted into a
32-character, all-lowercase hexadecimal string
without any colon separators.
This mapping results in a 1:1 correspondence between
subjectAltName iPAddress values and the name values.</text>
</description>
<reference>
<text>RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol (SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress</text>
</reference>
</identity>
<identity name="san-any">
<base name="cert-to-name"/>
<description>
<text>Maps any of the following fields using the corresponding
mapping algorithms:
+------------+-----------------+
| Type | Algorithm |
|------------+-----------------|
| rfc822Name | san-rfc822-name |
| dNSName | san-dns-name |
| iPAddress | san-ip-address |
+------------+-----------------+
The first matching subjectAltName value found in the
certificate of the above types MUST be used when deriving
the name. The mapping algorithm specified in the
'Algorithm' column MUST be used to derive the name.
This mapping results in a 1:1 correspondence between
subjectAltName values and name values. The three sub-mapping
algorithms produced by this combined algorithm cannot produce
conflicting results between themselves.</text>
</description>
<reference>
<text>RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol (SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertSANAny</text>
</reference>
</identity>
<identity name="common-name">
<base name="cert-to-name"/>
<description>
<text>Maps a certificate's CommonName to a name after converting
it to a UTF-8 encoding. The usage of CommonNames is
deprecated, and users are encouraged to use subjectAltName
mapping methods instead. This mapping results in a 1:1
correspondence between certificate CommonName values and name
values.</text>
</description>
<reference>
<text>RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol (SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertCommonName</text>
</reference>
</identity>
<typedef name="tls-fingerprint">
<type name="yang:hex-string">
<pattern value="([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}"/>
</type>
<description>
<text>A fingerprint value that can be used to uniquely reference
other data of potentially arbitrary length.
A tls-fingerprint value is composed of a 1-octet hashing
algorithm identifier followed by the fingerprint value. The
first octet value identifying the hashing algorithm is taken
from the IANA 'TLS HashAlgorithm Registry' (RFC 5246). The
remaining octets are filled using the results of the hashing
algorithm.</text>
</description>
<reference>
<text>RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol (SNMP).
SNMP-TLS-TM-MIB.SnmpTLSFingerprint</text>
</reference>
</typedef>
<grouping name="cert-to-name">
<description>
<text>Defines nodes for mapping certificates to names. Modules
that use this grouping should describe how the resulting
name is used.</text>
</description>
<list name="cert-to-name">
<key value="id"/>
<description>
<text>This list defines how certificates are mapped to names.
The name is derived by considering each cert-to-name
list entry in order. The cert-to-name entry's fingerprint
determines whether the list entry is a match:
1) If the cert-to-name list entry's fingerprint value
matches that of the presented certificate, then consider
the list entry a successful match.
2) If the cert-to-name list entry's fingerprint value
matches that of a locally held copy of a trusted CA
certificate, and that CA certificate was part of the CA
certificate chain to the presented certificate, then
consider the list entry a successful match.
Once a matching cert-to-name list entry has been found, the
map-type is used to determine how the name associated with
the certificate should be determined. See the map-type
leaf's description for details on determining the name value.
If it is impossible to determine a name from the cert-to-name
list entry's data combined with the data presented in the
certificate, then additional cert-to-name list entries MUST
be searched to look for another potential match.
Security administrators are encouraged to make use of
certificates with subjectAltName fields that can be mapped to
names so that a single root CA certificate can allow all
child certificates' subjectAltName fields to map directly to
a name via a 1:1 transformation.</text>
</description>
<reference>
<text>RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol (SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry</text>
</reference>
<leaf name="id">
<type name="uint32"/>
<description>
<text>The id specifies the order in which the entries in the
cert-to-name list are searched. Entries with lower
numbers are searched first.</text>
</description>
<reference>
<text>RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol
(SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID</text>
</reference>
</leaf>
<leaf name="fingerprint">
<type name="x509c2n:tls-fingerprint"/>
<mandatory value="true"/>
<description>
<text>Specifies a value with which the fingerprint of the
full certificate presented by the peer is compared. If
the fingerprint of the full certificate presented by the
peer does not match the fingerprint configured, then the
entry is skipped, and the search for a match continues.</text>
</description>
<reference>
<text>RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol
(SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint</text>
</reference>
</leaf>
<leaf name="map-type">
<type name="identityref">
<base name="cert-to-name"/>
</type>
<mandatory value="true"/>
<description>
<text>Specifies the algorithm used to map the certificate
presented by the peer to a name.
Mappings that need additional configuration objects should
use the 'when' statement to make them conditional based on
the map-type.</text>
</description>
<reference>
<text>RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol
(SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType</text>
</reference>
</leaf>
<leaf name="name">
<when condition="../map-type = 'x509c2n:specified'"/>
<type name="string"/>
<mandatory value="true"/>
<description>
<text>Directly specifies the NETCONF username when the
map-type is 'specified'.</text>
</description>
<reference>
<text>RFC 6353: Transport Layer Security (TLS) Transport Model
for the Simple Network Management Protocol
(SNMP).
SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData</text>
</reference>
</leaf>
</list>
</grouping>
</module>
</data>
</rpc-reply>
|
