security: Signature interface change and initial fixes for OSX private key store
Change-Id: Ic6d074e99346c4bf9d7b2c20c961dd01d770636d
diff --git a/include/ndn-cpp/security/identity/memory-private-key-storage.hpp b/include/ndn-cpp/security/identity/memory-private-key-storage.hpp
index f267583..ee4f706 100644
--- a/include/ndn-cpp/security/identity/memory-private-key-storage.hpp
+++ b/include/ndn-cpp/security/identity/memory-private-key-storage.hpp
@@ -67,10 +67,10 @@
* @return The signature, or a null pointer if signing fails.
*/
virtual Block
- sign(const uint8_t *data, size_t dataLength, const Signature &signature, const Name& keyName, DigestAlgorithm digestAlgorithm);
+ sign(const uint8_t *data, size_t dataLength, const Name& keyName, DigestAlgorithm digestAlgorithm);
- virtual Block
- sign(const Data &data, const Signature &signature, const Name& keyName, DigestAlgorithm digestAlgorithm);
+ virtual void
+ sign(Data &data, const Name& keyName, DigestAlgorithm digestAlgorithm);
/**
* Decrypt data.
diff --git a/include/ndn-cpp/security/identity/osx-private-key-storage.hpp b/include/ndn-cpp/security/identity/osx-private-key-storage.hpp
index f860a3c..6ac28ea 100644
--- a/include/ndn-cpp/security/identity/osx-private-key-storage.hpp
+++ b/include/ndn-cpp/security/identity/osx-private-key-storage.hpp
@@ -15,10 +15,6 @@
#include "../../common.hpp"
#include "private-key-storage.hpp"
-#include <CoreFoundation/CoreFoundation.h>
-#include <Security/Security.h>
-#include <CoreServices/CoreServices.h>
-
namespace ndn
{
@@ -36,34 +32,22 @@
virtual
~OSXPrivateKeyStorage();
- /**
- * Generate a pair of asymmetric keys.
- * @param keyName The name of the key pair.
- * @param keyType The type of the key pair, e.g. KEY_TYPE_RSA.
- * @param keySize The size of the key pair.
- */
+
+ // From PrivateKeyStorage
virtual void
generateKeyPair(const Name& keyName, KeyType keyType = KEY_TYPE_RSA, int keySize = 2048);
- /**
- * Get the public key
- * @param keyName The name of public key.
- * @return The public key.
- */
virtual ptr_lib::shared_ptr<PublicKey>
getPublicKey(const Name& keyName);
- /**
- * Fetch the private key for keyName and sign the data, returning a signature Blob.
- * @param data Pointer to the input byte array.
- * @param dataLength The length of data.
- * @param keyName The name of the signing key.
- * @param digestAlgorithm the digest algorithm.
- * @return The signature, or a null pointer if signing fails.
- */
- virtual Blob
- sign(const uint8_t *data, size_t dataLength, const Name& keyName, DigestAlgorithm digestAlgorithm = DIGEST_ALGORITHM_SHA256);
-
+ virtual Block
+ sign(const uint8_t *data, size_t dataLength,
+ const Name& keyName, DigestAlgorithm digestAlgorithm = DIGEST_ALGORITHM_SHA256);
+
+ virtual void
+ sign(Data &data,
+ const Name& keyName, DigestAlgorithm digestAlgorithm = DIGEST_ALGORITHM_SHA256);
+
/**
* Decrypt data.
* @param keyName The name of the decrypting key.
@@ -72,7 +56,7 @@
* @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
* @return The decrypted data.
*/
- virtual Blob
+ virtual ConstBufferPtr
decrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric = false);
/**
@@ -83,7 +67,7 @@
* @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
* @return The encrypted data.
*/
- virtual Blob
+ virtual ConstBufferPtr
encrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric = false);
/**
@@ -104,6 +88,11 @@
virtual bool
doesKeyExist(const Name& keyName, KeyClass keyClass);
+
+ ////////////////////////////////////////////////////////////////////////////////////
+ // OSX-specifics
+ ////////////////////////////////////////////////////////////////////////////////////
+
/**
* configure ACL of a particular key
* @param keyName the name of key
@@ -115,79 +104,20 @@
bool
setACL(const Name & keyName, KeyClass keyClass, int acl, const std::string & appPath);
- /**
- * verify data (test only)
- * @param keyName the name of key
- * @param pData the data to be verified
- * @param pSig the signature associated with the data
- * @param digestAlgo digest algorithm
- * @return true if signature can be verified, otherwise false
- */
- bool
- verifyData(const Name & keyName, const Blob & pData, const Blob & pSig, DigestAlgorithm digestAlgo = DIGEST_ALGORITHM_SHA256);
+ // /**
+ // * verify data (test only)
+ // * @param keyName the name of key
+ // * @param pData the data to be verified
+ // * @param pSig the signature associated with the data
+ // * @param digestAlgo digest algorithm
+ // * @return true if signature can be verified, otherwise false
+ // */
+ // bool
+ // verifyData(const Name & keyName, const Blob & pData, const Blob & pSig, DigestAlgorithm digestAlgo = DIGEST_ALGORITHM_SHA256);
private:
- /**
- * convert NDN name of a key to internal name of the key
- * @param keyName the NDN name of the key
- * @param keyClass the class of the key
- * @return the internal key name
- */
- std::string
- toInternalKeyName(const Name & keyName, KeyClass keyClass);
-
- /**
- * Get key
- * @param keyName the name of the key
- * @param keyClass the class of the key
- * @returns pointer to the key
- */
- SecKeychainItemRef
- getKey(const Name & keyName, KeyClass keyClass);
-
- /**
- * convert keyType to MAC OS symmetric key key type
- * @param keyType
- * @returns MAC OS key type
- */
- const CFTypeRef
- getSymKeyType(KeyType keyType);
-
- /**
- * convert keyType to MAC OS asymmetirc key type
- * @param keyType
- * @returns MAC OS key type
- */
- const CFTypeRef
- getAsymKeyType(KeyType keyType);
-
- /**
- * convert keyClass to MAC OS key class
- * @param keyClass
- * @returns MAC OS key class
- */
- const CFTypeRef
- getKeyClass(KeyClass keyClass);
-
- /**
- * convert digestAlgo to MAC OS algorithm id
- * @param digestAlgo
- * @returns MAC OS algorithm id
- */
- const CFStringRef
- getDigestAlgorithm(DigestAlgorithm digestAlgo);
-
- /**
- * get the digest size of the corresponding algorithm
- * @param digestAlgo the digest algorithm
- * @return digest size
- */
- long
- getDigestSize(DigestAlgorithm digestAlgo);
-
- const std::string keyChainName_;
- SecKeychainRef keyChainRef_;
- SecKeychainRef originalDefaultKeyChain_;
+ class Impl;
+ std::auto_ptr<Impl> impl_;
};
}
diff --git a/include/ndn-cpp/security/identity/private-key-storage.hpp b/include/ndn-cpp/security/identity/private-key-storage.hpp
index 9777d64..5446484 100644
--- a/include/ndn-cpp/security/identity/private-key-storage.hpp
+++ b/include/ndn-cpp/security/identity/private-key-storage.hpp
@@ -55,12 +55,10 @@
*/
virtual Block
sign(const uint8_t *data, size_t dataLength,
- const Signature &signature,
const Name& keyName, DigestAlgorithm digestAlgorithm = DIGEST_ALGORITHM_SHA256) = 0;
- virtual Block
- sign(const Data &data,
- const Signature &signature,
+ virtual void
+ sign(Data &data,
const Name& keyName, DigestAlgorithm digestAlgorithm = DIGEST_ALGORITHM_SHA256) = 0;
/**
diff --git a/src/security/identity/identity-manager.cpp b/src/security/identity/identity-manager.cpp
index 1befdcd..ce6ff21 100644
--- a/src/security/identity/identity-manager.cpp
+++ b/src/security/identity/identity-manager.cpp
@@ -228,9 +228,10 @@
SignatureSha256WithRsa signature;
signature.setKeyLocator(certificateName.getPrefix(-1)); // implicit conversion should take care
-
+
// For temporary usage, we support RSA + SHA256 only, but will support more.
- signature.setValue(tpm().sign(buffer, bufferLength, signature, cert->getPublicKeyName(), DIGEST_ALGORITHM_SHA256));
+ signature.setValue
+ (tpm().sign(buffer, bufferLength, cert->getPublicKeyName(), DIGEST_ALGORITHM_SHA256));
return signature;
}
@@ -243,10 +244,10 @@
SignatureSha256WithRsa signature;
signature.setKeyLocator(certificateName.getPrefix(-1)); // implicit conversion should take care
+ data.setSignature(signature);
// For temporary usage, we support RSA + SHA256 only, but will support more.
- signature.setValue(tpm().sign(data, signature, cert->getPublicKeyName(), DIGEST_ALGORITHM_SHA256));
- data.setSignature(signature);
+ tpm().sign(data, cert->getPublicKeyName(), DIGEST_ALGORITHM_SHA256);
}
void
@@ -254,10 +255,10 @@
{
SignatureSha256WithRsa signature;
signature.setKeyLocator(certificate.getName().getPrefix(-1));
+ data.setSignature(signature);
// For temporary usage, we support RSA + SHA256 only, but will support more.
- signature.setValue(tpm().sign(data, signature, certificate.getPublicKeyName(), DIGEST_ALGORITHM_SHA256));
- data.setSignature(signature);
+ tpm().sign(data, certificate.getPublicKeyName(), DIGEST_ALGORITHM_SHA256);
}
void
@@ -265,10 +266,10 @@
{
SignatureSha256WithRsa signature;
signature.setKeyLocator(cert.getName().getPrefix(cert.getName().size()-1)); // implicit conversion should take care
+ cert.setSignature(signature);
// For temporary usage, we support RSA + SHA256 only, but will support more.
- signature.setValue(tpm().sign(cert, signature, cert.getPublicKeyName(), DIGEST_ALGORITHM_SHA256));
- cert.setSignature(signature);
+ tpm().sign(cert, cert.getPublicKeyName(), DIGEST_ALGORITHM_SHA256);
}
Name
diff --git a/src/security/identity/memory-private-key-storage.cpp b/src/security/identity/memory-private-key-storage.cpp
index 7c3a2e0..1394126 100644
--- a/src/security/identity/memory-private-key-storage.cpp
+++ b/src/security/identity/memory-private-key-storage.cpp
@@ -5,26 +5,56 @@
* See COPYING for copyright and distribution information.
*/
-#if 1
-#include <stdexcept>
-#endif
-#include "../../c/util/crypto.h"
-#include <ndn-cpp/security/security-exception.hpp>
-#include <ndn-cpp/security/identity/memory-private-key-storage.hpp>
+#include "memory-private-key-storage.hpp"
+#include "../certificate/public-key.hpp"
+#include <openssl/ssl.h>
+#include <openssl/sha.h>
+#include <openssl/rsa.h>
using namespace std;
namespace ndn {
+/**
+ * RsaPrivateKey is a simple class to hold an RSA private key.
+ */
+class MemoryPrivateKeyStorage::RsaPrivateKey {
+public:
+ RsaPrivateKey(const uint8_t *keyDer, size_t keyDerLength)
+ {
+ // Use a temporary pointer since d2i updates it.
+ const uint8_t *derPointer = keyDer;
+ privateKey_ = d2i_RSAPrivateKey(NULL, &derPointer, keyDerLength);
+ if (!privateKey_)
+ throw Error("RsaPrivateKey constructor: Error decoding private key DER");
+ }
+
+ ~RsaPrivateKey()
+ {
+ if (privateKey_)
+ RSA_free(privateKey_);
+ }
+
+ rsa_st *
+ getPrivateKey()
+ {
+ return privateKey_;
+ }
+
+private:
+ rsa_st * privateKey_;
+};
+
MemoryPrivateKeyStorage::~MemoryPrivateKeyStorage()
{
}
-void MemoryPrivateKeyStorage::setKeyPairForKeyName
- (const Name& keyName, uint8_t *publicKeyDer, size_t publicKeyDerLength, uint8_t *privateKeyDer,
- size_t privateKeyDerLength)
+void
+MemoryPrivateKeyStorage::setKeyPairForKeyName(const Name& keyName,
+ uint8_t *publicKeyDer, size_t publicKeyDerLength,
+ uint8_t *privateKeyDer, size_t privateKeyDerLength)
{
- publicKeyStore_[keyName.toUri()] = PublicKey::fromDer(Blob(publicKeyDer, publicKeyDerLength));
+ publicKeyStore_[keyName.toUri()] = ptr_lib::make_shared<PublicKey>(publicKeyDer, publicKeyDerLength);
privateKeyStore_[keyName.toUri()] = ptr_lib::make_shared<RsaPrivateKey>(privateKeyDer, privateKeyDerLength);
}
@@ -32,54 +62,105 @@
MemoryPrivateKeyStorage::generateKeyPair(const Name& keyName, KeyType keyType, int keySize)
{
#if 1
- throw runtime_error("MemoryPrivateKeyStorage::generateKeyPair not implemented");
+ throw Error("MemoryPrivateKeyStorage::generateKeyPair not implemented");
#endif
}
ptr_lib::shared_ptr<PublicKey>
MemoryPrivateKeyStorage::getPublicKey(const Name& keyName)
{
- map<string, ptr_lib::shared_ptr<PublicKey> >::iterator publicKey = publicKeyStore_.find(keyName.toUri());
+ PublicKeyStore::iterator publicKey = publicKeyStore_.find(keyName.toUri());
if (publicKey == publicKeyStore_.end())
- throw SecurityException(string("MemoryPrivateKeyStorage: Cannot find public key ") + keyName.toUri());
+ throw Error(string("MemoryPrivateKeyStorage: Cannot find public key ") + keyName.toUri());
return publicKey->second;
}
-Blob
-MemoryPrivateKeyStorage::sign(const uint8_t *data, size_t dataLength, const Name& keyName, DigestAlgorithm digestAlgorithm)
+Block
+MemoryPrivateKeyStorage::sign(const uint8_t *data, size_t dataLength,
+ const Name& keyName,
+ DigestAlgorithm digestAlgorithm)
{
if (digestAlgorithm != DIGEST_ALGORITHM_SHA256)
- return Blob();
+ return ConstBufferPtr();
- uint8_t digest[SHA256_DIGEST_LENGTH];
- ndn_digestSha256(data, dataLength, digest);
- // TODO: use RSA_size to get the proper size of the signature buffer.
- uint8_t signatureBits[1000];
- unsigned int signatureBitsLength;
-
// Find the private key and sign.
- map<string, ptr_lib::shared_ptr<RsaPrivateKey> >::iterator privateKey = privateKeyStore_.find(keyName.toUri());
+ PrivateKeyStore::iterator privateKey = privateKeyStore_.find(keyName.toUri());
if (privateKey == privateKeyStore_.end())
- throw SecurityException(string("MemoryPrivateKeyStorage: Cannot find private key ") + keyName.toUri());
- if (!RSA_sign(NID_sha256, digest, sizeof(digest), signatureBits, &signatureBitsLength, privateKey->second->getPrivateKey()))
- throw SecurityException("Error in RSA_sign");
+ throw Error(string("MemoryPrivateKeyStorage: Cannot find private key ") + keyName.toUri());
- return Blob(signatureBits, (size_t)signatureBitsLength);
+ uint8_t digest[SHA256_DIGEST_LENGTH];
+ SHA256_CTX sha256;
+ SHA256_Init(&sha256);
+ SHA256_Update(&sha256, data, dataLength);
+ SHA256_Final(digest, &sha256);
+
+ BufferPtr signatureBuffer = ptr_lib::make_shared<Buffer>();
+ signatureBuffer->resize(RSA_size(privateKey->second->getPrivateKey()));
+
+ unsigned int signatureBitsLength;
+ if (!RSA_sign(NID_sha256, digest, sizeof(digest),
+ signatureBuffer->buf(),
+ &signatureBitsLength,
+ privateKey->second->getPrivateKey()))
+ {
+ throw Error("Error in RSA_sign");
+ }
+
+ return Block(Tlv::SignatureValue, signatureBuffer);
}
-Blob
+void
+MemoryPrivateKeyStorage::sign(Data &d,
+ const Name& keyName,
+ DigestAlgorithm digestAlgorithm)
+{
+ if (digestAlgorithm != DIGEST_ALGORITHM_SHA256)
+ Error("MemoryPrivateKeyStorage::sign only SHA256 digest is supported");
+
+ // Find the private key and sign.
+ PrivateKeyStore::iterator privateKey = privateKeyStore_.find(keyName.toUri());
+ if (privateKey == privateKeyStore_.end())
+ throw Error(string("MemoryPrivateKeyStorage: Cannot find private key ") + keyName.toUri());
+
+ uint8_t digest[SHA256_DIGEST_LENGTH];
+ SHA256_CTX sha256;
+ SHA256_Init(&sha256);
+
+ SHA256_Update(&sha256, d.getName(). wireEncode().wire(), d.getName(). wireEncode().size());
+ SHA256_Update(&sha256, d.getMetaInfo().wireEncode().wire(), d.getMetaInfo().wireEncode().size());
+ SHA256_Update(&sha256, d.getContent(). wire(), d.getContent(). size());
+ SHA256_Update(&sha256, d.getSignature().getInfo(). wire(), d.getSignature().getInfo(). size());
+
+ SHA256_Final(digest, &sha256);
+
+ BufferPtr signatureBuffer = ptr_lib::make_shared<Buffer>();
+ signatureBuffer->resize(RSA_size(privateKey->second->getPrivateKey()));
+
+ unsigned int signatureBitsLength;
+ if (!RSA_sign(NID_sha256, digest, sizeof(digest),
+ signatureBuffer->buf(),
+ &signatureBitsLength,
+ privateKey->second->getPrivateKey()))
+ {
+ throw Error("Error in RSA_sign");
+ }
+
+ d.setSignatureValue(Block(Tlv::SignatureValue, signatureBuffer));
+}
+
+ConstBufferPtr
MemoryPrivateKeyStorage::decrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric)
{
#if 1
- throw runtime_error("MemoryPrivateKeyStorage::decrypt not implemented");
+ throw Error("MemoryPrivateKeyStorage::decrypt not implemented");
#endif
}
-Blob
+ConstBufferPtr
MemoryPrivateKeyStorage::encrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric)
{
#if 1
- throw runtime_error("MemoryPrivateKeyStorage::encrypt not implemented");
+ throw Error("MemoryPrivateKeyStorage::encrypt not implemented");
#endif
}
@@ -87,7 +168,7 @@
MemoryPrivateKeyStorage::generateKey(const Name& keyName, KeyType keyType, int keySize)
{
#if 1
- throw runtime_error("MemoryPrivateKeyStorage::generateKey not implemented");
+ throw Error("MemoryPrivateKeyStorage::generateKey not implemented");
#endif
}
@@ -103,19 +184,4 @@
return false;
}
-MemoryPrivateKeyStorage::RsaPrivateKey::RsaPrivateKey(uint8_t *keyDer, size_t keyDerLength)
-{
- // Use a temporary pointer since d2i updates it.
- const uint8_t *derPointer = keyDer;
- privateKey_ = d2i_RSAPrivateKey(NULL, &derPointer, keyDerLength);
- if (!privateKey_)
- throw SecurityException("RsaPrivateKey constructor: Error decoding private key DER");
-}
-
-MemoryPrivateKeyStorage::RsaPrivateKey::~RsaPrivateKey()
-{
- if (privateKey_)
- RSA_free(privateKey_);
-}
-
}
diff --git a/src/security/identity/osx-private-key-storage.cpp b/src/security/identity/osx-private-key-storage.cpp
index e504616..f41f89f 100644
--- a/src/security/identity/osx-private-key-storage.cpp
+++ b/src/security/identity/osx-private-key-storage.cpp
@@ -11,11 +11,14 @@
#include <fstream>
#include <sstream>
-#include <CoreFoundation/CoreFoundation.h>
#include "../../util/logging.hpp"
-#include <ndn-cpp/security/identity/osx-private-key-storage.hpp>
-#include <ndn-cpp/security/security-exception.hpp>
+#include "osx-private-key-storage.hpp"
+#include "../certificate/public-key.hpp"
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/Security.h>
+#include <CoreServices/CoreServices.h>
using namespace std;
@@ -23,31 +26,107 @@
namespace ndn
{
+ class OSXPrivateKeyStorage::Impl {
+ public:
+ Impl(const std::string &keychainName)
+ : keyChainName_ ("" == keychainName ? "NDN.keychain" : keychainName)
+ {
+ }
+
+ /**
+ * convert NDN name of a key to internal name of the key
+ * @param keyName the NDN name of the key
+ * @param keyClass the class of the key
+ * @return the internal key name
+ */
+ std::string
+ toInternalKeyName(const Name & keyName, KeyClass keyClass);
+
+ /**
+ * Get key
+ * @param keyName the name of the key
+ * @param keyClass the class of the key
+ * @returns pointer to the key
+ */
+ SecKeychainItemRef
+ getKey(const Name & keyName, KeyClass keyClass);
+
+ /**
+ * convert keyType to MAC OS symmetric key key type
+ * @param keyType
+ * @returns MAC OS key type
+ */
+ const CFTypeRef
+ getSymKeyType(KeyType keyType);
+
+ /**
+ * convert keyType to MAC OS asymmetirc key type
+ * @param keyType
+ * @returns MAC OS key type
+ */
+ const CFTypeRef
+ getAsymKeyType(KeyType keyType);
+
+ /**
+ * convert keyClass to MAC OS key class
+ * @param keyClass
+ * @returns MAC OS key class
+ */
+ const CFTypeRef
+ getKeyClass(KeyClass keyClass);
+
+ /**
+ * convert digestAlgo to MAC OS algorithm id
+ * @param digestAlgo
+ * @returns MAC OS algorithm id
+ */
+ const CFStringRef
+ getDigestAlgorithm(DigestAlgorithm digestAlgo);
+
+ /**
+ * get the digest size of the corresponding algorithm
+ * @param digestAlgo the digest algorithm
+ * @return digest size
+ */
+ long
+ getDigestSize(DigestAlgorithm digestAlgo);
+
+ ///////////////////////////////////////////////
+ // everything here is public, including data //
+ ///////////////////////////////////////////////
+ public:
+ const std::string keyChainName_;
+ SecKeychainRef keyChainRef_;
+ SecKeychainRef originalDefaultKeyChain_;
+ };
+
+
+
OSXPrivateKeyStorage::OSXPrivateKeyStorage(const string & keychainName)
- : keyChainName_("" == keychainName ? "NDN.keychain" : keychainName)
+ : impl_(new Impl(keychainName))
{
- OSStatus res = SecKeychainCreate(keyChainName_.c_str(), //Keychain path
+ OSStatus res = SecKeychainCreate(impl_->keyChainName_.c_str(), //Keychain path
0, //Keychain password length
NULL, //Keychain password
true, //User prompt
NULL, //Initial access of Keychain
- &keyChainRef_); //Keychain reference
+ &impl_->keyChainRef_); //Keychain reference
if (res == errSecDuplicateKeychain)
- res = SecKeychainOpen(keyChainName_.c_str(),
- &keyChainRef_);
+ res = SecKeychainOpen(impl_->keyChainName_.c_str(),
+ &impl_->keyChainRef_);
if (res != errSecSuccess){
_LOG_DEBUG("Fail to initialize keychain ref: " << res);
- throw SecurityException("Fail to initialize keychain ref");
+ throw Error("Fail to initialize keychain ref");
}
- res = SecKeychainCopyDefault(&originalDefaultKeyChain_);
+ res = SecKeychainCopyDefault(&impl_->originalDefaultKeyChain_);
- res = SecKeychainSetDefault(keyChainRef_);
+ res = SecKeychainSetDefault(impl_->keyChainRef_);
if (res != errSecSuccess){
_LOG_DEBUG("Fail to set default keychain: " << res);
- throw SecurityException("Fail to set default keychain");
+ throw Error("Fail to set default keychain");
}
}
@@ -61,10 +140,10 @@
if(doesKeyExist(keyName, KEY_CLASS_PUBLIC)){
_LOG_DEBUG("keyName has existed");
- throw SecurityException("keyName has existed");
+ throw Error("keyName has existed");
}
- string keyNameUri = toInternalKeyName(keyName, KEY_CLASS_PUBLIC);
+ string keyNameUri = impl_->toInternalKeyName(keyName, KEY_CLASS_PUBLIC);
SecKeyRef publicKey, privateKey;
@@ -77,7 +156,7 @@
&kCFTypeDictionaryKeyCallBacks,
NULL);
- CFDictionaryAddValue(attrDict, kSecAttrKeyType, getAsymKeyType(keyType));
+ CFDictionaryAddValue(attrDict, kSecAttrKeyType, impl_->getAsymKeyType(keyType));
CFDictionaryAddValue(attrDict, kSecAttrKeySizeInBits, CFNumberCreate(NULL, kCFNumberIntType, &keySize));
CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel);
@@ -88,7 +167,7 @@
if (res != errSecSuccess){
_LOG_DEBUG("Fail to create a key pair: " << res);
- throw SecurityException("Fail to create a key pair");
+ throw Error("Fail to create a key pair");
}
}
@@ -97,9 +176,9 @@
{
if(doesKeyExist(keyName, KEY_CLASS_SYMMETRIC))
- throw SecurityException("keyName has existed!");
+ throw Error("keyName has existed!");
- string keyNameUri = toInternalKeyName(keyName, KEY_CLASS_SYMMETRIC);
+ string keyNameUri = impl_->toInternalKeyName(keyName, KEY_CLASS_SYMMETRIC);
CFMutableDictionaryRef attrDict = CFDictionaryCreateMutable(kCFAllocatorDefault,
0,
@@ -110,7 +189,7 @@
keyNameUri.c_str(),
kCFStringEncodingUTF8);
- CFDictionaryAddValue(attrDict, kSecAttrKeyType, getSymKeyType(keyType));
+ CFDictionaryAddValue(attrDict, kSecAttrKeyType, impl_->getSymKeyType(keyType));
CFDictionaryAddValue(attrDict, kSecAttrKeySizeInBits, CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &keySize));
CFDictionaryAddValue(attrDict, kSecAttrIsPermanent, kCFBooleanTrue);
CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel);
@@ -120,14 +199,15 @@
SecKeyRef symmetricKey = SecKeyGenerateSymmetric(attrDict, &error);
if (error)
- throw SecurityException("Fail to create a symmetric key");
+ throw Error("Fail to create a symmetric key");
}
- ptr_lib::shared_ptr<PublicKey> OSXPrivateKeyStorage::getPublicKey(const Name & keyName)
+ ptr_lib::shared_ptr<PublicKey>
+ OSXPrivateKeyStorage::getPublicKey(const Name & keyName)
{
_LOG_TRACE("OSXPrivateKeyStorage::getPublickey");
- SecKeychainItemRef publicKey = getKey(keyName, KEY_CLASS_PUBLIC);
+ SecKeychainItemRef publicKey = impl_->getKey(keyName, KEY_CLASS_PUBLIC);
CFDataRef exportedKey;
@@ -136,59 +216,78 @@
0,
NULL,
&exportedKey);
-
- Blob blob(CFDataGetBytePtr(exportedKey), CFDataGetLength(exportedKey));
- return PublicKey::fromDer(blob);
+ return ptr_lib::make_shared<PublicKey>(CFDataGetBytePtr(exportedKey), CFDataGetLength(exportedKey));
}
- Blob OSXPrivateKeyStorage::sign(const uint8_t *data, size_t dataLength, const Name & keyName, DigestAlgorithm digestAlgo)
+ Block
+ OSXPrivateKeyStorage::sign(const uint8_t *data, size_t dataLength,
+ const Name& keyName, DigestAlgorithm digestAlgorithm/* = DIGEST_ALGORITHM_SHA256*/)
{
_LOG_TRACE("OSXPrivateKeyStorage::Sign");
- CFDataRef dataRef = CFDataCreate(NULL,
- reinterpret_cast<const unsigned char*>(data),
- dataLength
- );
+ CFDataRef dataRef = CFDataCreateWithBytesNoCopy(NULL,
+ data,
+ dataLength,
+ kCFAllocatorNull
+ );
- SecKeyRef privateKey = (SecKeyRef)getKey(keyName, KEY_CLASS_PRIVATE);
+ SecKeyRef privateKey = (SecKeyRef)impl_->getKey(keyName, KEY_CLASS_PRIVATE);
CFErrorRef error;
SecTransformRef signer = SecSignTransformCreate((SecKeyRef)privateKey, &error);
- if (error) throw SecurityException("Fail to create signer");
-
+ if (error) throw Error("Fail to create signer");
+
+ // Set input
Boolean set_res = SecTransformSetAttribute(signer,
kSecTransformInputAttributeName,
dataRef,
&error);
- if (error) throw SecurityException("Fail to configure input of signer");
+ if (error) throw Error("Fail to configure input of signer");
+ // Enable use of padding
+ SecTransformSetAttribute(
+ signer,
+ kSecPaddingKey,
+ kSecPaddingPKCS1Key,
+ &error);
+ if (error) throw Error("Fail to configure digest algorithm of signer");
+
+ // Set padding type
set_res = SecTransformSetAttribute(signer,
kSecDigestTypeAttribute,
- getDigestAlgorithm(digestAlgo),
+ impl_->getDigestAlgorithm(digestAlgorithm),
&error);
- if (error) throw SecurityException("Fail to configure digest algorithm of signer");
+ if (error) throw Error("Fail to configure digest algorithm of signer");
- long digestSize = getDigestSize(digestAlgo);
-
+ // Set padding attribute
+ long digestSize = impl_->getDigestSize(digestAlgorithm);
set_res = SecTransformSetAttribute(signer,
kSecDigestLengthAttribute,
CFNumberCreate(NULL, kCFNumberLongType, &digestSize),
&error);
- if (error) throw SecurityException("Fail to configure digest size of signer");
+ if (error) throw Error("Fail to configure digest size of signer");
+ // Actually sign
CFDataRef signature = (CFDataRef) SecTransformExecute(signer, &error);
if (error) {
CFShow(error);
- throw SecurityException("Fail to sign data");
+ throw Error("Fail to sign data");
}
- if (!signature) throw SecurityException("Signature is NULL!\n");
+ if (!signature) throw Error("Signature is NULL!\n");
- return Blob(CFDataGetBytePtr(signature), CFDataGetLength(signature));
+ return Block(Tlv::SignatureValue, ptr_lib::make_shared<Buffer>(CFDataGetBytePtr(signature), CFDataGetLength(signature)));
}
- Blob OSXPrivateKeyStorage::decrypt(const Name & keyName, const uint8_t* data, size_t dataLength, bool sym)
+ void
+ OSXPrivateKeyStorage::sign(Data &data,
+ const Name& keyName, DigestAlgorithm digestAlgorithm/* = DIGEST_ALGORITHM_SHA256 */)
+ {
+ }
+
+ ConstBufferPtr
+ OSXPrivateKeyStorage::decrypt(const Name & keyName, const uint8_t* data, size_t dataLength, bool sym)
{
_LOG_TRACE("OSXPrivateKeyStorage::Decrypt");
@@ -205,34 +304,35 @@
// _LOG_DEBUG("CreateData");
- SecKeyRef decryptKey = (SecKeyRef)getKey(keyName, keyClass);
+ SecKeyRef decryptKey = (SecKeyRef)impl_->getKey(keyName, keyClass);
// _LOG_DEBUG("GetKey");
CFErrorRef error;
SecTransformRef decrypt = SecDecryptTransformCreate(decryptKey, &error);
- if (error) throw SecurityException("Fail to create decrypt");
+ if (error) throw Error("Fail to create decrypt");
Boolean set_res = SecTransformSetAttribute(decrypt,
kSecTransformInputAttributeName,
dataRef,
&error);
- if (error) throw SecurityException("Fail to configure decrypt");
+ if (error) throw Error("Fail to configure decrypt");
CFDataRef output = (CFDataRef) SecTransformExecute(decrypt, &error);
if (error)
{
CFShow(error);
- throw SecurityException("Fail to decrypt data");
+ throw Error("Fail to decrypt data");
}
- if (!output) throw SecurityException("Output is NULL!\n");
+ if (!output) throw Error("Output is NULL!\n");
- return Blob(CFDataGetBytePtr(output), CFDataGetLength(output));
+ return ptr_lib::make_shared<Buffer>(CFDataGetBytePtr(output), CFDataGetLength(output));
}
- bool OSXPrivateKeyStorage::setACL(const Name & keyName, KeyClass keyClass, int acl, const string & appPath)
+ bool
+ OSXPrivateKeyStorage::setACL(const Name & keyName, KeyClass keyClass, int acl, const string & appPath)
{
- SecKeychainItemRef privateKey = getKey(keyName, keyClass);
+ SecKeychainItemRef privateKey = impl_->getKey(keyName, keyClass);
SecAccessRef accRef;
OSStatus acc_res = SecKeychainItemCopyAccess(privateKey, &accRef);
@@ -279,53 +379,55 @@
return true;
}
- bool OSXPrivateKeyStorage::verifyData(const Name & keyName, const Blob & pData, const Blob & pSig, DigestAlgorithm digestAlgo)
- {
- _LOG_TRACE("OSXPrivateKeyStorage::Verify");
+ // bool
+ // OSXPrivateKeyStorage::verifyData(const Name & keyName, const Blob & pData, const Blob & pSig, DigestAlgorithm digestAlgo)
+ // {
+ // _LOG_TRACE("OSXPrivateKeyStorage::Verify");
- CFDataRef dataRef = CFDataCreate(NULL,
- reinterpret_cast<const unsigned char*>(pData.buf()),
- pData.size());
+ // CFDataRef dataRef = CFDataCreate(NULL,
+ // reinterpret_cast<const unsigned char*>(pData.buf()),
+ // pData.size());
- CFDataRef sigRef = CFDataCreate(NULL,
- reinterpret_cast<const unsigned char*>(pSig.buf()),
- pSig.size());
+ // CFDataRef sigRef = CFDataCreate(NULL,
+ // reinterpret_cast<const unsigned char*>(pSig.buf()),
+ // pSig.size());
- SecKeyRef publicKey = (SecKeyRef)getKey(keyName, KEY_CLASS_PUBLIC);
+ // SecKeyRef publicKey = (SecKeyRef)impl_->getKey(keyName, KEY_CLASS_PUBLIC);
- CFErrorRef error;
- SecTransformRef verifier = SecVerifyTransformCreate(publicKey, sigRef, &error);
- if (error) throw SecurityException("Fail to create verifier");
+ // CFErrorRef error;
+ // SecTransformRef verifier = SecVerifyTransformCreate(publicKey, sigRef, &error);
+ // if (error) throw Error("Fail to create verifier");
- Boolean set_res = SecTransformSetAttribute(verifier,
- kSecTransformInputAttributeName,
- dataRef,
- &error);
- if (error) throw SecurityException("Fail to configure input of verifier");
+ // Boolean set_res = SecTransformSetAttribute(verifier,
+ // kSecTransformInputAttributeName,
+ // dataRef,
+ // &error);
+ // if (error) throw Error("Fail to configure input of verifier");
- set_res = SecTransformSetAttribute(verifier,
- kSecDigestTypeAttribute,
- getDigestAlgorithm(digestAlgo),
- &error);
- if (error) throw SecurityException("Fail to configure digest algorithm of verifier");
+ // set_res = SecTransformSetAttribute(verifier,
+ // kSecDigestTypeAttribute,
+ // impl_->getDigestAlgorithm(digestAlgo),
+ // &error);
+ // if (error) throw Error("Fail to configure digest algorithm of verifier");
- long digestSize = getDigestSize(digestAlgo);
- set_res = SecTransformSetAttribute(verifier,
- kSecDigestLengthAttribute,
- CFNumberCreate(NULL, kCFNumberLongType, &digestSize),
- &error);
- if (error) throw SecurityException("Fail to configure digest size of verifier");
+ // long digestSize = impl_->getDigestSize(digestAlgo);
+ // set_res = SecTransformSetAttribute(verifier,
+ // kSecDigestLengthAttribute,
+ // CFNumberCreate(NULL, kCFNumberLongType, &digestSize),
+ // &error);
+ // if (error) throw Error("Fail to configure digest size of verifier");
- CFBooleanRef result = (CFBooleanRef) SecTransformExecute(verifier, &error);
- if (error) throw SecurityException("Fail to verify data");
+ // CFBooleanRef result = (CFBooleanRef) SecTransformExecute(verifier, &error);
+ // if (error) throw Error("Fail to verify data");
- if (result == kCFBooleanTrue)
- return true;
- else
- return false;
- }
+ // if (result == kCFBooleanTrue)
+ // return true;
+ // else
+ // return false;
+ // }
- Blob OSXPrivateKeyStorage::encrypt(const Name & keyName, const uint8_t* data, size_t dataLength, bool sym)
+ ConstBufferPtr
+ OSXPrivateKeyStorage::encrypt(const Name & keyName, const uint8_t* data, size_t dataLength, bool sym)
{
_LOG_TRACE("OSXPrivateKeyStorage::Encrypt");
@@ -340,31 +442,32 @@
dataLength
);
- SecKeyRef encryptKey = (SecKeyRef)getKey(keyName, keyClass);
+ SecKeyRef encryptKey = (SecKeyRef)impl_->getKey(keyName, keyClass);
CFErrorRef error;
SecTransformRef encrypt = SecEncryptTransformCreate(encryptKey, &error);
- if (error) throw SecurityException("Fail to create encrypt");
+ if (error) throw Error("Fail to create encrypt");
Boolean set_res = SecTransformSetAttribute(encrypt,
kSecTransformInputAttributeName,
dataRef,
&error);
- if (error) throw SecurityException("Fail to configure encrypt");
+ if (error) throw Error("Fail to configure encrypt");
CFDataRef output = (CFDataRef) SecTransformExecute(encrypt, &error);
- if (error) throw SecurityException("Fail to encrypt data");
+ if (error) throw Error("Fail to encrypt data");
- if (!output) throw SecurityException("Output is NULL!\n");
+ if (!output) throw Error("Output is NULL!\n");
- return Blob(CFDataGetBytePtr(output), CFDataGetLength(output));
+ return ptr_lib::make_shared<Buffer> (CFDataGetBytePtr(output), CFDataGetLength(output));
}
- bool OSXPrivateKeyStorage::doesKeyExist(const Name & keyName, KeyClass keyClass)
+ bool
+ OSXPrivateKeyStorage::doesKeyExist(const Name & keyName, KeyClass keyClass)
{
_LOG_TRACE("OSXPrivateKeyStorage::doesKeyExist");
- string keyNameUri = toInternalKeyName(keyName, keyClass);
+ string keyNameUri = impl_->toInternalKeyName(keyName, keyClass);
CFStringRef keyLabel = CFStringCreateWithCString(NULL,
keyNameUri.c_str(),
@@ -375,7 +478,7 @@
&kCFTypeDictionaryKeyCallBacks,
NULL);
- CFDictionaryAddValue(attrDict, kSecAttrKeyClass, getKeyClass(keyClass));
+ CFDictionaryAddValue(attrDict, kSecAttrKeyClass, impl_->getKeyClass(keyClass));
CFDictionaryAddValue(attrDict, kSecAttrLabel, keyLabel);
CFDictionaryAddValue(attrDict, kSecReturnRef, kCFBooleanTrue);
@@ -389,7 +492,13 @@
}
- SecKeychainItemRef OSXPrivateKeyStorage::getKey(const Name & keyName, KeyClass keyClass)
+
+ ////////////////////////////////
+ // OSXPrivateKeyStorage::Impl //
+ ////////////////////////////////
+
+ SecKeychainItemRef
+ OSXPrivateKeyStorage::Impl::getKey(const Name & keyName, KeyClass keyClass)
{
string keyNameUri = toInternalKeyName(keyName, keyClass);
@@ -419,7 +528,7 @@
return keyItem;
}
- string OSXPrivateKeyStorage::toInternalKeyName(const Name & keyName, KeyClass keyClass)
+ string OSXPrivateKeyStorage::Impl::toInternalKeyName(const Name & keyName, KeyClass keyClass)
{
string keyUri = keyName.toUri();
@@ -429,7 +538,7 @@
return keyUri;
}
- const CFTypeRef OSXPrivateKeyStorage::getAsymKeyType(KeyType keyType)
+ const CFTypeRef OSXPrivateKeyStorage::Impl::getAsymKeyType(KeyType keyType)
{
switch(keyType){
case KEY_TYPE_RSA:
@@ -440,7 +549,7 @@
}
}
- const CFTypeRef OSXPrivateKeyStorage::getSymKeyType(KeyType keyType)
+ const CFTypeRef OSXPrivateKeyStorage::Impl::getSymKeyType(KeyType keyType)
{
switch(keyType){
case KEY_TYPE_AES:
@@ -451,7 +560,7 @@
}
}
- const CFTypeRef OSXPrivateKeyStorage::getKeyClass(KeyClass keyClass)
+ const CFTypeRef OSXPrivateKeyStorage::Impl::getKeyClass(KeyClass keyClass)
{
switch(keyClass){
case KEY_CLASS_PRIVATE:
@@ -466,7 +575,7 @@
}
}
- const CFStringRef OSXPrivateKeyStorage::getDigestAlgorithm(DigestAlgorithm digestAlgo)
+ const CFStringRef OSXPrivateKeyStorage::Impl::getDigestAlgorithm(DigestAlgorithm digestAlgo)
{
switch(digestAlgo){
// case DIGEST_MD2:
@@ -483,7 +592,7 @@
}
}
- long OSXPrivateKeyStorage::getDigestSize(DigestAlgorithm digestAlgo)
+ long OSXPrivateKeyStorage::Impl::getDigestSize(DigestAlgorithm digestAlgo)
{
switch(digestAlgo){
case DIGEST_ALGORITHM_SHA256: