module netconf-keystore {
    namespace "urn:opendaylight:netconf:keystore";
    prefix "keystore";

    revision "2023-11-09" {
        description "Using binary type instead of string for base64 leafs.";
    }

    revision "2017-10-17" {
        description "Initial revision of the Netconf SBP keystore.";
    }

    description "Store used for key based Credentials for Netconf SBP. Before a connector with key based authentication
                 is created it needs to have a record for the key pair it uses. All the records here need to be
                 encrypted as they contain sensitive data. Therefore NEVER do direct writes and only use the provided
                 RPCs for adding/removing key entries.";

    grouping keystore-entry {
        list key-credential {
            key key-id;

            leaf key-id {
                type string;
            }

            leaf private-key {
                description "Binary array of Base64 encoded private key that should be used for authentication with a
                             netconf device. Do not include a public key as that is calculated from the private key.
                             Used for writing directly into the data store, encrypted key expected.";
                type binary;
            }

            leaf passphrase {
                description "If the provided key is encrypted by a passphrase this needs to be included. Leave empty
                             if the key does not have a passphrase.
                             Used for writing directly into the data store, encrypted passphrase expected.";
                type binary;
            }
        }
    }

    grouping rpc-keystore-entry {
        list key-credential {
            key key-id;

            leaf key-id {
                type string;
            }

            leaf private-key {
                description "Base64 encoded private key that should be used for authentication with a netconf device.
                             Do not include a public key as that is calculated from the private key.
                             Used for RPCs only. Will encrypt the key before the entry is written into the data store.";
                type string;
            }

            leaf passphrase {
                description "If the provided key is encrypted by a passphrase this needs to be included. Leave empty
                             if the key does not have a passphrase.
                             Used for RPCs only. Will encrypt the passphrase before the entry is written into the data
                             store.";
                type string;
            }
        }
    }

    grouping private-keys {
        list private-key {
            key name;
            description "A private key.";
            leaf name {
                type string;
            }
            leaf data {
                description "Binary array of Base64 encoded private key.";
                type binary;
            }
            leaf-list certificate-chain {
                description "A certificate chain for this public key. Each certificate is an X.509 v3 certificate
                             structure as specified by RFC5280, binary data encoded using the Base64 format.";
                type binary;
                ordered-by user;
            }
        }
    }

    grouping rpc-private-keys {
        list private-key {
            key name;
            description "A private key.";
            leaf name {
                type string;
            }
            leaf data {
                description "Base64 encoded private key.";
                type string;
            }
            leaf-list certificate-chain {
                description "A certificate chain for this public key. Each certificate is an X.509 v3 certificate
                             structure as specified by RFC5280, encoded using the Base64 format.";
                type string;
                ordered-by user;
            }
        }
    }

    grouping trusted-certificates {
        list trusted-certificate {
            key name;
            description "A list of trusted certificate. These certificates can be used by a server to authenticate
                         clients, or by clients to authenticate servers.";
            leaf name {
                type string;
            }
            leaf certificate {
                description "An X.509 v3 certificate structure as specified by RFC5280, binary data encoded using
                             the Base64 format.";
                type binary;
            }
        }
    }

    grouping rpc-trusted-certificates {
        list trusted-certificate {
            key name;
            description "A list of trusted certificate. These certificates can be used by a server to authenticate
                         clients, or by clients to authenticate servers.";
            leaf name {
                type string;
            }
            leaf certificate {
                description "An X.509 v3 certificate structure as specified by RFC5280, encoded using
                             the Base64 format.";
                type string;
          }
        }
    }

    container keystore {
        uses keystore-entry;
        uses private-keys;
        uses trusted-certificates;
    }

    rpc add-keystore-entry {
        description "Use this rpc to add a single or multiple new keys into the keystore. The private key and passphrase
                     will both be encrypted before they are written into the data store.";
        input {
            uses rpc-keystore-entry;
        }
    }

    rpc remove-keystore-entry {
        description "Use this rpc to remove a single or multiple keys from the data store.";
        input {
            leaf-list key-id {
                type string;
            }
        }
    }

    rpc add-private-key {
        description "Add a list of private keys into the keystore.";
        input {
            uses rpc-private-keys;
        }
    }

    rpc remove-private-key {
        description "Remove a list of private keys from the data store.";
        input {
            leaf-list name {
                type string;
            }
        }
    }

    rpc add-trusted-certificate {
        description "Add a list of trusted certificates into the keystore.";
        input {
            uses rpc-trusted-certificates;
        }
    }

    rpc remove-trusted-certificate {
        description "Remove a list of trusted certificates from the data store.";
        input {
            leaf-list name {
                type string;
            }
        }
    }
}