Merging upstream version 3.5.5 (Closes: #1098233).
Signed-off-by: Daniel Baumann <daniel@debian.org>
This commit is contained in:
parent
c86ae7dcba
commit
6af28b7e8e
144 changed files with 43534 additions and 11497 deletions
314
modules/ietf-x509-cert-to-name@2014-12-10.yang
Normal file
314
modules/ietf-x509-cert-to-name@2014-12-10.yang
Normal file
|
@ -0,0 +1,314 @@
|
|||
module ietf-x509-cert-to-name {
|
||||
|
||||
yang-version 1;
|
||||
|
||||
namespace
|
||||
"urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name";
|
||||
|
||||
prefix x509c2n;
|
||||
|
||||
import ietf-yang-types {
|
||||
prefix yang;
|
||||
}
|
||||
|
||||
organization
|
||||
"IETF NETMOD (NETCONF Data Modeling Language) Working Group";
|
||||
|
||||
contact
|
||||
"WG Web: <http://tools.ietf.org/wg/netmod/>
|
||||
WG List: <mailto:netmod@ietf.org>
|
||||
|
||||
WG Chair: Thomas Nadeau
|
||||
<mailto:tnadeau@lucidvision.com>
|
||||
|
||||
WG Chair: Juergen Schoenwaelder
|
||||
<mailto:j.schoenwaelder@jacobs-university.de>
|
||||
|
||||
Editor: Martin Bjorklund
|
||||
<mailto:mbj@tail-f.com>
|
||||
|
||||
Editor: Juergen Schoenwaelder
|
||||
<mailto:j.schoenwaelder@jacobs-university.de>";
|
||||
|
||||
description
|
||||
"This module contains a collection of YANG definitions for
|
||||
extracting a name from an X.509 certificate.
|
||||
The algorithm used to extract a name from an X.509 certificate
|
||||
was first defined in RFC 6353.
|
||||
|
||||
Copyright (c) 2014 IETF Trust and the persons identified as
|
||||
authors of the code. All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or
|
||||
without modification, is permitted pursuant to, and subject
|
||||
to the license terms contained in, the Simplified BSD License
|
||||
set forth in Section 4.c of the IETF Trust's Legal Provisions
|
||||
Relating to IETF Documents
|
||||
(http://trustee.ietf.org/license-info).
|
||||
|
||||
This version of this YANG module is part of RFC 7407; see
|
||||
the RFC itself for full legal notices.";
|
||||
|
||||
reference
|
||||
"RFC 6353: Transport Layer Security (TLS) Transport Model for
|
||||
the Simple Network Management Protocol (SNMP)";
|
||||
|
||||
|
||||
revision "2014-12-10" {
|
||||
description "Initial revision.";
|
||||
reference
|
||||
"RFC 7407: A YANG Data Model for SNMP Configuration";
|
||||
|
||||
}
|
||||
|
||||
|
||||
typedef tls-fingerprint {
|
||||
type yang:hex-string {
|
||||
pattern
|
||||
'([0-9a-fA-F]){2}(:([0-9a-fA-F]){2}){0,254}';
|
||||
}
|
||||
description
|
||||
"A fingerprint value that can be used to uniquely reference
|
||||
other data of potentially arbitrary length.
|
||||
|
||||
A tls-fingerprint value is composed of a 1-octet hashing
|
||||
algorithm identifier followed by the fingerprint value. The
|
||||
first octet value identifying the hashing algorithm is taken
|
||||
from the IANA 'TLS HashAlgorithm Registry' (RFC 5246). The
|
||||
remaining octets are filled using the results of the hashing
|
||||
algorithm.";
|
||||
reference
|
||||
"RFC 6353: Transport Layer Security (TLS) Transport Model
|
||||
for the Simple Network Management Protocol (SNMP).
|
||||
SNMP-TLS-TM-MIB.SnmpTLSFingerprint";
|
||||
|
||||
}
|
||||
|
||||
identity cert-to-name {
|
||||
description
|
||||
"Base identity for algorithms to derive a name from a
|
||||
certificate.";
|
||||
}
|
||||
|
||||
identity specified {
|
||||
base cert-to-name;
|
||||
description
|
||||
"Directly specifies the name to be used for the certificate.
|
||||
The value of the leaf 'name' in the cert-to-name list is
|
||||
used.";
|
||||
reference
|
||||
"RFC 6353: Transport Layer Security (TLS) Transport Model
|
||||
for the Simple Network Management Protocol (SNMP).
|
||||
SNMP-TLS-TM-MIB.snmpTlstmCertSpecified";
|
||||
|
||||
}
|
||||
|
||||
identity san-rfc822-name {
|
||||
base cert-to-name;
|
||||
description
|
||||
"Maps a subjectAltName's rfc822Name to a name. The local part
|
||||
of the rfc822Name is passed unaltered, but the host-part of
|
||||
the name must be passed in lowercase. For example, the
|
||||
rfc822Name field FooBar@Example.COM is mapped to name
|
||||
FooBar@example.com.";
|
||||
reference
|
||||
"RFC 6353: Transport Layer Security (TLS) Transport Model
|
||||
for the Simple Network Management Protocol (SNMP).
|
||||
SNMP-TLS-TM-MIB.snmpTlstmCertSANRFC822Name";
|
||||
|
||||
}
|
||||
|
||||
identity san-dns-name {
|
||||
base cert-to-name;
|
||||
description
|
||||
"Maps a subjectAltName's dNSName to a name after first
|
||||
converting it to all lowercase (RFC 5280 does not specify
|
||||
converting to lowercase, so this involves an extra step).
|
||||
This mapping results in a 1:1 correspondence between
|
||||
subjectAltName dNSName values and the name values.";
|
||||
reference
|
||||
"RFC 6353: Transport Layer Security (TLS) Transport Model
|
||||
for the Simple Network Management Protocol (SNMP).
|
||||
SNMP-TLS-TM-MIB.snmpTlstmCertSANDNSName";
|
||||
|
||||
}
|
||||
|
||||
identity san-ip-address {
|
||||
base cert-to-name;
|
||||
description
|
||||
"Maps a subjectAltName's iPAddress to a name by
|
||||
transforming the binary-encoded address as follows:
|
||||
|
||||
1) for IPv4, the value is converted into a
|
||||
decimal-dotted quad address (e.g., '192.0.2.1').
|
||||
|
||||
2) for IPv6 addresses, the value is converted into a
|
||||
32-character, all-lowercase hexadecimal string
|
||||
without any colon separators.
|
||||
|
||||
This mapping results in a 1:1 correspondence between
|
||||
subjectAltName iPAddress values and the name values.";
|
||||
reference
|
||||
"RFC 6353: Transport Layer Security (TLS) Transport Model
|
||||
for the Simple Network Management Protocol (SNMP).
|
||||
SNMP-TLS-TM-MIB.snmpTlstmCertSANIpAddress";
|
||||
|
||||
}
|
||||
|
||||
identity san-any {
|
||||
base cert-to-name;
|
||||
description
|
||||
"Maps any of the following fields using the corresponding
|
||||
mapping algorithms:
|
||||
|
||||
+------------+-----------------+
|
||||
| Type | Algorithm |
|
||||
|------------+-----------------|
|
||||
| rfc822Name | san-rfc822-name |
|
||||
| dNSName | san-dns-name |
|
||||
| iPAddress | san-ip-address |
|
||||
+------------+-----------------+
|
||||
|
||||
The first matching subjectAltName value found in the
|
||||
certificate of the above types MUST be used when deriving
|
||||
the name. The mapping algorithm specified in the
|
||||
'Algorithm' column MUST be used to derive the name.
|
||||
|
||||
This mapping results in a 1:1 correspondence between
|
||||
subjectAltName values and name values. The three sub-mapping
|
||||
algorithms produced by this combined algorithm cannot produce
|
||||
conflicting results between themselves.";
|
||||
reference
|
||||
"RFC 6353: Transport Layer Security (TLS) Transport Model
|
||||
for the Simple Network Management Protocol (SNMP).
|
||||
SNMP-TLS-TM-MIB.snmpTlstmCertSANAny";
|
||||
|
||||
}
|
||||
|
||||
identity common-name {
|
||||
base cert-to-name;
|
||||
description
|
||||
"Maps a certificate's CommonName to a name after converting
|
||||
it to a UTF-8 encoding. The usage of CommonNames is
|
||||
deprecated, and users are encouraged to use subjectAltName
|
||||
mapping methods instead. This mapping results in a 1:1
|
||||
correspondence between certificate CommonName values and name
|
||||
values.";
|
||||
reference
|
||||
"RFC 6353: Transport Layer Security (TLS) Transport Model
|
||||
for the Simple Network Management Protocol (SNMP).
|
||||
SNMP-TLS-TM-MIB.snmpTlstmCertCommonName";
|
||||
|
||||
}
|
||||
|
||||
grouping cert-to-name {
|
||||
description
|
||||
"Defines nodes for mapping certificates to names. Modules
|
||||
that use this grouping should describe how the resulting
|
||||
name is used.";
|
||||
list cert-to-name {
|
||||
key "id";
|
||||
description
|
||||
"This list defines how certificates are mapped to names.
|
||||
The name is derived by considering each cert-to-name
|
||||
list entry in order. The cert-to-name entry's fingerprint
|
||||
determines whether the list entry is a match:
|
||||
|
||||
1) If the cert-to-name list entry's fingerprint value
|
||||
matches that of the presented certificate, then consider
|
||||
the list entry a successful match.
|
||||
|
||||
2) If the cert-to-name list entry's fingerprint value
|
||||
matches that of a locally held copy of a trusted CA
|
||||
certificate, and that CA certificate was part of the CA
|
||||
certificate chain to the presented certificate, then
|
||||
consider the list entry a successful match.
|
||||
|
||||
Once a matching cert-to-name list entry has been found, the
|
||||
map-type is used to determine how the name associated with
|
||||
the certificate should be determined. See the map-type
|
||||
leaf's description for details on determining the name value.
|
||||
If it is impossible to determine a name from the cert-to-name
|
||||
list entry's data combined with the data presented in the
|
||||
certificate, then additional cert-to-name list entries MUST
|
||||
be searched to look for another potential match.
|
||||
|
||||
Security administrators are encouraged to make use of
|
||||
certificates with subjectAltName fields that can be mapped to
|
||||
names so that a single root CA certificate can allow all
|
||||
child certificates' subjectAltName fields to map directly to
|
||||
a name via a 1:1 transformation.";
|
||||
reference
|
||||
"RFC 6353: Transport Layer Security (TLS) Transport Model
|
||||
for the Simple Network Management Protocol (SNMP).
|
||||
SNMP-TLS-TM-MIB.snmpTlstmCertToTSNEntry";
|
||||
|
||||
leaf id {
|
||||
type uint32;
|
||||
description
|
||||
"The id specifies the order in which the entries in the
|
||||
cert-to-name list are searched. Entries with lower
|
||||
numbers are searched first.";
|
||||
reference
|
||||
"RFC 6353: Transport Layer Security (TLS) Transport Model
|
||||
for the Simple Network Management Protocol
|
||||
(SNMP).
|
||||
SNMP-TLS-TM-MIB.snmpTlstmCertToTSNID";
|
||||
|
||||
}
|
||||
|
||||
leaf fingerprint {
|
||||
type tls-fingerprint;
|
||||
mandatory true;
|
||||
description
|
||||
"Specifies a value with which the fingerprint of the
|
||||
full certificate presented by the peer is compared. If
|
||||
the fingerprint of the full certificate presented by the
|
||||
peer does not match the fingerprint configured, then the
|
||||
entry is skipped, and the search for a match continues.";
|
||||
reference
|
||||
"RFC 6353: Transport Layer Security (TLS) Transport Model
|
||||
for the Simple Network Management Protocol
|
||||
(SNMP).
|
||||
SNMP-TLS-TM-MIB.snmpTlstmCertToTSNFingerprint";
|
||||
|
||||
}
|
||||
|
||||
leaf map-type {
|
||||
type identityref {
|
||||
base cert-to-name;
|
||||
}
|
||||
mandatory true;
|
||||
description
|
||||
"Specifies the algorithm used to map the certificate
|
||||
presented by the peer to a name.
|
||||
|
||||
Mappings that need additional configuration objects should
|
||||
use the 'when' statement to make them conditional based on
|
||||
the map-type.";
|
||||
reference
|
||||
"RFC 6353: Transport Layer Security (TLS) Transport Model
|
||||
for the Simple Network Management Protocol
|
||||
(SNMP).
|
||||
SNMP-TLS-TM-MIB.snmpTlstmCertToTSNMapType";
|
||||
|
||||
}
|
||||
|
||||
leaf name {
|
||||
when
|
||||
"../map-type = 'x509c2n:specified'";
|
||||
type string;
|
||||
mandatory true;
|
||||
description
|
||||
"Directly specifies the NETCONF username when the
|
||||
map-type is 'specified'.";
|
||||
reference
|
||||
"RFC 6353: Transport Layer Security (TLS) Transport Model
|
||||
for the Simple Network Management Protocol
|
||||
(SNMP).
|
||||
SNMP-TLS-TM-MIB.snmpTlstmCertToTSNData";
|
||||
|
||||
}
|
||||
} // list cert-to-name
|
||||
} // grouping cert-to-name
|
||||
} // module ietf-x509-cert-to-name
|
Loading…
Add table
Add a link
Reference in a new issue