security: Continue porting security elements to the updated framework
Change-Id: I682156142a8714b2756ca429903a19d2b9064e13
diff --git a/src/security/identity/identity-manager.cpp b/src/security/identity/identity-manager.cpp
index ce90cc5..1befdcd 100644
--- a/src/security/identity/identity-manager.cpp
+++ b/src/security/identity/identity-manager.cpp
@@ -90,6 +90,8 @@
Name
IdentityManager::generateRSAKeyPairAsDefault(const Name& identityName, bool isKsk, int keySize)
{
+ defaultCertificate_.reset();
+
Name keyName = generateKeyPair(identityName, isKsk, KEY_TYPE_RSA, keySize);
info().setDefaultKeyNameForIdentity(keyName, identityName);
@@ -104,10 +106,14 @@
const MillisecondsSince1970& notAfter)
{
Name keyName = getKeyNameFromCertificatePrefix(certificatePrefix);
+
+ ptr_lib::shared_ptr<PublicKey> pubKey = info().getKey(keyName);
+ if (!pubKey)
+ throw Error("Requested public key [" + keyName.toUri() + "] doesn't exist");
ptr_lib::shared_ptr<IdentityCertificate> certificate =
createIdentityCertificate(certificatePrefix,
- *info().getKey(keyName),
+ *pubKey,
signerCertificateName,
notBefore, notAfter);
@@ -148,11 +154,15 @@
Name certificateName = keyName.getSubName(0, keyName.size() - 1);
certificateName.append("KEY").append(keyName.get(keyName.size() - 1)).append("ID-CERT").appendVersion();
+
+ ptr_lib::shared_ptr<PublicKey> pubKey = info().getKey(keyName);
+ if (!pubKey)
+ throw Error("Requested public key [" + keyName.toUri() + "] doesn't exist");
certificate->setName(certificateName);
certificate->setNotBefore(ndn_getNowMilliseconds());
certificate->setNotAfter(ndn_getNowMilliseconds() + 630720000 /* 20 years*/);
- certificate->setPublicKeyInfo(*info().getKey(keyName));
+ certificate->setPublicKeyInfo(*pubKey);
certificate->addSubjectDescription(CertificateSubjectDescription("2.5.4.41", keyName.toUri()));
certificate->encode();
@@ -183,6 +193,8 @@
void
IdentityManager::setDefaultCertificateForKey(const IdentityCertificate& certificate)
{
+ defaultCertificate_.reset();
+
Name keyName = certificate.getPublicKeyName();
if(!info().doesKeyExist(keyName))
@@ -190,11 +202,30 @@
info().setDefaultCertificateNameForKey(keyName, certificate.getName());
}
-
+
+void
+IdentityManager::sign(Data &data)
+{
+ if (!defaultCertificate_)
+ {
+ defaultCertificate_ = info().getCertificate(
+ info().getDefaultCertificateNameForIdentity(
+ info().getDefaultIdentity()));
+
+ if(!defaultCertificate_)
+ throw Error("Default IdentityCertificate cannot be determined");
+ }
+
+ signByCertificate(data, *defaultCertificate_);
+}
+
Signature
IdentityManager::signByCertificate(const uint8_t* buffer, size_t bufferLength, const Name& certificateName)
{
ptr_lib::shared_ptr<IdentityCertificate> cert = info().getCertificate(certificateName);
+ if (!cert)
+ throw Error("Requested certificate [" + certificateName.toUri() + "] doesn't exist");
+
SignatureSha256WithRsa signature;
signature.setKeyLocator(certificateName.getPrefix(-1)); // implicit conversion should take care
@@ -207,6 +238,9 @@
IdentityManager::signByCertificate(Data &data, const Name &certificateName)
{
ptr_lib::shared_ptr<IdentityCertificate> cert = info().getCertificate(certificateName);
+ if (!cert)
+ throw Error("Requested certificate [" + certificateName.toUri() + "] doesn't exist");
+
SignatureSha256WithRsa signature;
signature.setKeyLocator(certificateName.getPrefix(-1)); // implicit conversion should take care
@@ -216,6 +250,17 @@
}
void
+IdentityManager::signByCertificate(Data& data, const IdentityCertificate& certificate)
+{
+ SignatureSha256WithRsa signature;
+ signature.setKeyLocator(certificate.getName().getPrefix(-1));
+
+ // For temporary usage, we support RSA + SHA256 only, but will support more.
+ signature.setValue(tpm().sign(data, signature, certificate.getPublicKeyName(), DIGEST_ALGORITHM_SHA256));
+ data.setSignature(signature);
+}
+
+void
IdentityManager::selfSign (IdentityCertificate& cert)
{
SignatureSha256WithRsa signature;
diff --git a/src/security/identity/memory-identity-storage.cpp b/src/security/identity/memory-identity-storage.cpp
index fae1f14..117ca35 100644
--- a/src/security/identity/memory-identity-storage.cpp
+++ b/src/security/identity/memory-identity-storage.cpp
@@ -138,17 +138,13 @@
Name
MemoryIdentityStorage::getDefaultKeyNameForIdentity(const Name& identityName)
{
-#if 1
- throw runtime_error("MemoryIdentityStorage::getDefaultKeyNameForIdentity not implemented");
-#endif
+ return defaultKeyName_;
}
Name
MemoryIdentityStorage::getDefaultCertificateNameForKey(const Name& keyName)
{
-#if 1
- throw runtime_error("MemoryIdentityStorage::getDefaultCertificateNameForKey not implemented");
-#endif
+ return defaultCert_;
}
void
@@ -165,17 +161,13 @@
void
MemoryIdentityStorage::setDefaultKeyNameForIdentity(const Name& keyName, const Name& identityNameCheck)
{
-#if 1
- throw runtime_error("MemoryIdentityStorage::setDefaultKeyNameForIdentity not implemented");
-#endif
+ defaultKeyName_ = identityNameCheck;
}
void
MemoryIdentityStorage::setDefaultCertificateNameForKey(const Name& keyName, const Name& certificateName)
{
-#if 1
- throw runtime_error("MemoryIdentityStorage::setDefaultCertificateNameForKey not implemented");
-#endif
+ defaultCert_ = certificateName;
}
diff --git a/src/security/key-chain.cpp b/src/security/key-chain.cpp
index 017a462..ba9060d 100644
--- a/src/security/key-chain.cpp
+++ b/src/security/key-chain.cpp
@@ -62,17 +62,6 @@
// #endif
}
-void
-KeyChain::sign(Data& data, const Name& certificateName)
-{
- identities().signByCertificate(data, certificateName);
-}
-
-Signature
-KeyChain::sign(const uint8_t* buffer, size_t bufferLength, const Name& certificateName)
-{
- return identities().signByCertificate(buffer, bufferLength, certificateName);
-}
void
KeyChain::signByIdentity(Data& data, const Name& identityName)
@@ -95,7 +84,7 @@
if (!policyManager_->checkSigningPolicy(data.getName(), signingCertificateName))
throw Error("Signing Cert name does not comply with signing policy");
- identities().signByCertificate(data, signingCertificateName);
+ identities().signByCertificate(data, signingCertificateName);
}
Signature