make: Global change: Move all public headers to include folder. Change source to including public headers using #include <ndn-cpp/*>. Split some header files to minimize exposing C .h files.
diff --git a/include/ndn-cpp/security/certificate/certificate.hpp b/include/ndn-cpp/security/certificate/certificate.hpp
new file mode 100644
index 0000000..29626b3
--- /dev/null
+++ b/include/ndn-cpp/security/certificate/certificate.hpp
@@ -0,0 +1,22 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_CERTIFICATE_HPP
+#define NDN_CERTIFICATE_HPP
+
+#include "../../data.hpp"
+
+namespace ndn {
+
+class Certificate : public Data {
+
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp/security/certificate/oid.hpp b/include/ndn-cpp/security/certificate/oid.hpp
new file mode 100644
index 0000000..bcbcfe9
--- /dev/null
+++ b/include/ndn-cpp/security/certificate/oid.hpp
@@ -0,0 +1,62 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_OID_HPP
+#define NDN_OID_HPP
+
+#include <vector>
+#include <string>
+
+namespace ndn {
+
+class OID {
+public:
+ OID ()
+ {
+ }
+
+ OID(const std::string& oid);
+
+ OID(const std::vector<int>& oid)
+ : oid_(oid)
+ {
+ }
+
+ const std::vector<int> &
+ getIntegerList() const
+ {
+ return oid_;
+ }
+
+ void
+ setIntegerList(const std::vector<int>& value){
+ oid_ = value;
+ }
+
+ std::string
+ toString();
+
+ bool operator == (const OID& oid)
+ {
+ return equal(oid);
+ }
+
+ bool operator != (const OID& oid)
+ {
+ return !equal(oid);
+ }
+
+private:
+ bool equal(const OID& oid);
+
+ std::vector<int> oid_;
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp/security/certificate/public-key.hpp b/include/ndn-cpp/security/certificate/public-key.hpp
new file mode 100644
index 0000000..7db3f49
--- /dev/null
+++ b/include/ndn-cpp/security/certificate/public-key.hpp
@@ -0,0 +1,72 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_PUBLIC_KEY_HPP
+#define NDN_PUBLIC_KEY_HPP
+
+#include "../../util/blob.hpp"
+#include "oid.hpp"
+#include "../security-common.hpp"
+
+namespace ndn {
+
+class PublicKey {
+public:
+ /**
+ * The default constructor.
+ */
+ PublicKey() {}
+
+ /**
+ * Constructor
+ * @param algorithm The algorithm of the public key.
+ * @param keyDer The blob of the PublicKeyInfo in terms of DER.
+ */
+ PublicKey(const OID& algorithm, const Blob& keyDer)
+ : algorithm_(algorithm), keyDer_(keyDer)
+ {
+ }
+
+#if 0
+ /**
+ * Encode the public key into DER.
+ * @return the encoded DER syntax tree.
+ */
+ Ptr<der::DerNode>
+ toDer();
+#endif
+
+ /**
+ * Decode the public key from DER blob.
+ * @param keyDer The DER blob.
+ * @return The decoded public key.
+ */
+ static ptr_lib::shared_ptr<PublicKey>
+ fromDer(const Blob& keyDer);
+
+ /*
+ * @brief get the digest of the public key
+ * @param digestAlgorithm The digest algorithm. If omitted, use DIGEST_SHA256 by default.
+ */
+ Blob
+ getDigest(DigestAlgorithm digestAlgorithm = DIGEST_ALGORITHM_SHA256) const;
+
+ /*
+ * Get the raw bytes of the public key in DER format.
+ */
+ const Blob&
+ getKeyDer() const { return keyDer_; }
+
+private:
+ OID algorithm_; /**< Algorithm */
+ Blob keyDer_; /**< PublicKeyInfo in DER */
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp/security/encryption/encryption-manager.hpp b/include/ndn-cpp/security/encryption/encryption-manager.hpp
new file mode 100644
index 0000000..88a69c8
--- /dev/null
+++ b/include/ndn-cpp/security/encryption/encryption-manager.hpp
@@ -0,0 +1,34 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_ENCRYPTION_MANAGER_HPP
+#define NDN_ENCRYPTION_MANAGER_HPP
+
+#include "../../name.hpp"
+#include "../security-common.hpp"
+
+namespace ndn {
+
+class EncryptionManager {
+public:
+ virtual ~EncryptionManager() {}
+
+ virtual void
+ createSymmetricKey(const Name& keyName, KeyType keyType, const Name& signkeyName = Name(), bool isSymmetric = true) = 0;
+
+ virtual Blob
+ encrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool useSymmetric = false,
+ EncryptMode encryptMode = ENCRYPT_MODE_DEFAULT) = 0;
+
+ virtual Blob
+ decrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool useSymmetric = false,
+ EncryptMode encryptMode = ENCRYPT_MODE_DEFAULT) = 0;
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp/security/identity/basic-identity-storage.hpp b/include/ndn-cpp/security/identity/basic-identity-storage.hpp
new file mode 100644
index 0000000..2e0db30
--- /dev/null
+++ b/include/ndn-cpp/security/identity/basic-identity-storage.hpp
@@ -0,0 +1,211 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_BASIC_IDENTITY_STORAGE_H
+#define NDN_BASIC_IDENTITY_STORAGE_H
+
+// Only compile if ndn-cpp-config.h defines NDN_CPP_HAVE_SQLITE3.
+#include <ndn-cpp/ndn-cpp-config.h>
+#ifdef NDN_CPP_HAVE_SQLITE3
+
+#include <sqlite3.h>
+#include "../../common.hpp"
+#include "identity-storage.hpp"
+
+namespace ndn
+{
+
+/**
+ * BasicIdentityStorage extends IdentityStorage to implement a basic storage of identity, public keys and certificates
+ * using SQLite.
+ */
+class BasicIdentityStorage : public IdentityStorage {
+public:
+ BasicIdentityStorage();
+
+ /**
+ * The virtual Destructor.
+ */
+ virtual
+ ~BasicIdentityStorage();
+
+ /**
+ * Check if the specified identity already exists.
+ * @param identityName The identity name.
+ * @return true if the identity exists, otherwise false.
+ */
+ virtual bool
+ doesIdentityExist(const Name& identityName);
+
+ /**
+ * Add a new identity. An exception will be thrown if the identity already exists.
+ * @param identityName The identity name to be added.
+ */
+ virtual void
+ addIdentity(const Name& identityName);
+
+ /**
+ * Revoke the identity.
+ * @return true if the identity was revoked, false if not.
+ */
+ virtual bool
+ revokeIdentity();
+
+ /**
+ * Generate a name for a new key belonging to the identity.
+ * @param identityName The identity name.
+ * @param useKsk If true, generate a KSK name, otherwise a DSK name.
+ * @return The generated key name.
+ */
+ virtual Name
+ getNewKeyName(const Name& identityName, bool useKsk);
+
+ /**
+ * Check if the specified key already exists.
+ * @param keyName The name of the key.
+ * @return true if the key exists, otherwise false.
+ */
+ virtual bool
+ doesKeyExist(const Name& keyName);
+
+ /**
+ * Extract the key name from the certificate name.
+ * @param certificateName The certificate name to be processed.
+ */
+ virtual Name
+ getKeyNameForCertificate(const Name& certificateName);
+
+ /**
+ * Add a public key to the identity storage.
+ * @param keyName The name of the public key to be added.
+ * @param keyType Type of the public key to be added.
+ * @param publicKeyDer A blob of the public key DER to be added.
+ */
+ virtual void
+ addKey(const Name& keyName, KeyType keyType, const Blob& publicKeyDer);
+
+ /**
+ * Get the public key DER blob from the identity storage.
+ * @param keyName The name of the requested public key.
+ * @return The DER Blob. If not found, return a Blob with a null pointer.
+ */
+ virtual Blob
+ getKey(const Name& keyName);
+
+ /**
+ * Activate a key. If a key is marked as inactive, its private part will not be used in packet signing.
+ * @param keyName name of the key
+ */
+ virtual void
+ activateKey(const Name& keyName);
+
+ /**
+ * Deactivate a key. If a key is marked as inactive, its private part will not be used in packet signing.
+ * @param keyName name of the key
+ */
+ virtual void
+ deactivateKey(const Name& keyName);
+
+ /**
+ * Check if the specified certificate already exists.
+ * @param certificateName The name of the certificate.
+ * @return true if the certificate exists, otherwise false.
+ */
+ virtual bool
+ doesCertificateExist(const Name& certificateName);
+
+ /**
+ * Add a certificate in to the identity storage without checking if the identity and key exists.
+ * @param certificate The certificate to be added.
+ */
+ void
+ addAnyCertificate (const Certificate& certificate);
+
+ /**
+ * Add a certificate to the identity storage.
+ * @param certificate The certificate to be added.
+ */
+ virtual void
+ addCertificate(const Certificate& certificate);
+
+ /**
+ * Get a certificate from the identity storage.
+ * @param certificateName The name of the requested certificate.
+ * @param allowAny If false, only a valid certificate will be returned, otherwise validity is disregarded.
+ * @return The requested certificate. If not found, return a shared_ptr with a null pointer.
+ */
+ virtual ptr_lib::shared_ptr<Certificate>
+ getCertificate(const Name &certificateName, bool allowAny = false);
+
+
+ /*****************************************
+ * Get/Set Default *
+ *****************************************/
+
+ /**
+ * Get the default identity.
+ * @param return The name of default identity, or an empty name if there is no default.
+ */
+ virtual Name
+ getDefaultIdentity();
+
+ /**
+ * Get the default key name for the specified identity.
+ * @param identityName The identity name.
+ * @return The default key name.
+ */
+ virtual Name
+ getDefaultKeyNameForIdentity(const Name& identityName);
+
+ /**
+ * Get the default certificate name for the specified key.
+ * @param keyName The key name.
+ * @return The default certificate name.
+ */
+ virtual Name
+ getDefaultCertificateNameForKey(const Name& keyName);
+
+ /**
+ * Set the default identity. If the identityName does not exist, then clear the default identity
+ * so that getDefaultIdentity() returns an empty name.
+ * @param identityName The default identity name.
+ */
+ virtual void
+ setDefaultIdentity(const Name& identityName);
+
+ /**
+ * Set the default key name for the specified identity.
+ * @param keyName The key name.
+ * @param identityNameCheck (optional) The identity name to check the keyName.
+ */
+ virtual void
+ setDefaultKeyNameForIdentity(const Name& keyName, const Name& identityNameCheck = Name());
+
+ /**
+ * Set the default key name for the specified identity.
+ * @param keyName The key name.
+ * @param certificateName The certificate name.
+ */
+ virtual void
+ setDefaultCertificateNameForKey(const Name& keyName, const Name& certificateName);
+
+private:
+
+ virtual void
+ updateKeyStatus(const Name& keyName, bool isActive);
+
+ sqlite3 *database_;
+#if 0
+ Time lastUpdated_;
+#endif
+};
+
+}
+
+#endif // NDN_CPP_HAVE_SQLITE3
+
+#endif
diff --git a/include/ndn-cpp/security/identity/identity-manager.hpp b/include/ndn-cpp/security/identity/identity-manager.hpp
new file mode 100644
index 0000000..08f0434
--- /dev/null
+++ b/include/ndn-cpp/security/identity/identity-manager.hpp
@@ -0,0 +1,227 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_IDENTITY_MANAGER_HPP
+#define NDN_IDENTITY_MANAGER_HPP
+
+#include "../certificate/certificate.hpp"
+#include "identity-storage.hpp"
+#include "../certificate/public-key.hpp"
+#include "private-key-storage.hpp"
+
+namespace ndn {
+
+/**
+ * An IdentityManager is the interface of operations related to identity, keys, and certificates.
+ */
+class IdentityManager {
+public:
+ IdentityManager(const ptr_lib::shared_ptr<IdentityStorage>& identityStorage, const ptr_lib::shared_ptr<PrivateKeyStorage>& privateKeyStorage)
+ : identityStorage_(identityStorage), privateKeyStorage_(privateKeyStorage)
+ {
+ }
+
+ /**
+ * Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed certificate of the KSK.
+ * @param identityName The name of the identity.
+ * @return The key name of the auto-generated KSK of the identity.
+ */
+ Name
+ createIdentity(const Name& identityName);
+
+ /**
+ * Get the default identity.
+ * @return The default identity name.
+ */
+ Name
+ getDefaultIdentity()
+ {
+ return identityStorage_->getDefaultIdentity();
+ }
+
+ /**
+ * Generate a pair of RSA keys for the specified identity.
+ * @param identityName The name of the identity.
+ * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
+ * @param keySize The size of the key.
+ * @return The generated key name.
+ */
+ Name
+ generateRSAKeyPair(const Name& identityName, bool isKsk = false, int keySize = 2048);
+
+ /**
+ * Set a key as the default key of an identity.
+ * @param keyName The name of the key.
+ * @param identityName the name of the identity. If not specified, the identity name is inferred from the keyName.
+ */
+ void
+ setDefaultKeyForIdentity(const Name& keyName, const Name& identityName = Name())
+ {
+ identityStorage_->setDefaultKeyNameForIdentity(keyName, identityName);
+ }
+
+ /**
+ * Get the default key for an identity.
+ * @param identityName the name of the identity. If omitted, the identity name is inferred from the keyName.
+ * @return The default key name.
+ */
+ Name
+ getDefaultKeyNameForIdentity(const Name& identityName = Name())
+ {
+ return identityStorage_->getDefaultKeyNameForIdentity(identityName);
+ }
+
+ /**
+ * Generate a pair of RSA keys for the specified identity and set it as default key for the identity.
+ * @param identityName The name of the identity.
+ * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
+ * @param keySize The size of the key.
+ * @return The generated key name.
+ */
+ Name
+ generateRSAKeyPairAsDefault(const Name& identityName, bool isKsk = false, int keySize = 2048);
+
+ /**
+ * Get the public key with the specified name.
+ * @param keyName The name of the key.
+ * @return The public key.
+ */
+ ptr_lib::shared_ptr<PublicKey>
+ getPublicKey(const Name& keyName)
+ {
+ return PublicKey::fromDer(identityStorage_->getKey(keyName));
+ }
+
+ /**
+ * Add a certificate into the public key identity storage.
+ * @param certificate The certificate to to added.
+ */
+ void
+ addCertificate(const Certificate& certificate)
+ {
+ identityStorage_->addCertificate(certificate);
+ }
+
+ /**
+ * Set the certificate as the default for its corresponding key.
+ * @param certificateName The name of the certificate.
+ */
+ void
+ setDefaultCertificateForKey(const Name& certificateName);
+
+ /**
+ * Add a certificate into the public key identity storage and set the certificate as the default for its corresponding identity.
+ * @param certificate The certificate to be added.
+ */
+ void
+ addCertificateAsIdentityDefault(const Certificate& certificate);
+
+ /**
+ * Add a certificate into the public key identity storage and set the certificate as the default of its corresponding key.
+ * certificate the certificate to be added
+ */
+ void
+ addCertificateAsDefault(const Certificate& certificate)
+ {
+ identityStorage_->addCertificate(certificate);
+ setDefaultCertificateForKey(certificate.getName());
+ }
+
+ /**
+ * Get a certificate with the specified name.
+ * @param certificateName The name of the requested certificate.
+ * @return the requested certificate which is valid.
+ */
+ ptr_lib::shared_ptr<Certificate>
+ getCertificate(const Name& certificateName)
+ {
+ return identityStorage_->getCertificate(certificateName, false);
+ }
+
+ /**
+ * Get a certificate even if the certificate is not valid anymore.
+ * @param certificateName The name of the requested certificate.
+ * @return the requested certificate.
+ */
+ ptr_lib::shared_ptr<Certificate>
+ getAnyCertificate(const Name& certificateName)
+ {
+ return identityStorage_->getCertificate(certificateName, true);
+ }
+
+ /**
+ * Get the default certificate name for the specified identity, which will be used when signing is performed based on identity.
+ * @param identityName The name of the specified identity.
+ * @return The requested certificate name.
+ */
+ Name
+ getDefaultCertificateNameForIdentity(const Name& identityName)
+ {
+ return identityStorage_->getDefaultCertificateNameForIdentity(identityName);
+ }
+
+ /**
+ * Get the default certificate name of the default identity, which will be used when signing is based on identity and
+ * the identity is not specified.
+ * @return The requested certificate name.
+ */
+ Name
+ getDefaultCertificateName()
+ {
+ return identityStorage_->getDefaultCertificateNameForIdentity(getDefaultIdentity());
+ }
+
+#if 0
+ /**
+ * sign blob based on certificate name
+ * @param blob the blob to be signed
+ * @param certificateName the signing certificate name
+ * @return the generated signature
+ */
+ Ptr<Signature>
+ signByCertificate(const Blob& blob, const Name& certificateName);
+#endif
+
+ /**
+ * Sign data packet based on the certificate name.
+ * Note: the caller must make sure the timestamp in data is correct, for example with
+ * data.getMetaInfo().setTimestampMilliseconds(time(NULL) * 1000.0).
+ * @param data The Data object to sign and update its signature.
+ * @param certificateName The Name identifying the certificate which identifies the signing key.
+ * @param wireFormat The WireFormat for calling encodeData, or WireFormat::getDefaultWireFormat() if omitted.
+ */
+ void
+ signByCertificate(Data& data, const Name& certificateName, WireFormat& wireFormat = *WireFormat::getDefaultWireFormat());
+
+private:
+ /**
+ * Generate a key pair for the specified identity.
+ * @param identityName The name of the specified identity.
+ * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
+ * @param keyType The type of the key pair, e.g. KEY_TYPE_RSA.
+ * @param keySize The size of the key pair.
+ * @return The name of the generated key.
+ */
+ Name
+ generateKeyPair(const Name& identityName, bool isKsk = false, KeyType keyType = KEY_TYPE_RSA, int keySize = 2048);
+
+ /**
+ * Generate a self-signed certificate for a public key.
+ * @param keyName The name of the public key.
+ * @return The generated certificate.
+ */
+ ptr_lib::shared_ptr<Certificate>
+ selfSign(const Name& keyName);
+
+ ptr_lib::shared_ptr<IdentityStorage> identityStorage_;
+ ptr_lib::shared_ptr<PrivateKeyStorage> privateKeyStorage_;
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp/security/identity/identity-storage.hpp b/include/ndn-cpp/security/identity/identity-storage.hpp
new file mode 100644
index 0000000..db6ab0e
--- /dev/null
+++ b/include/ndn-cpp/security/identity/identity-storage.hpp
@@ -0,0 +1,200 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_IDENTITY_STORAGE_HPP
+#define NDN_IDENTITY_STORAGE_HPP
+
+#include "../../name.hpp"
+#include "../security-common.hpp"
+
+namespace ndn {
+
+class Certificate;
+class Data;
+
+/**
+ * IdentityStorage is a base class for the storage of identity, public keys and certificates.
+ * Private keys are stored in PrivateKeyStorage.
+ * This is an abstract base class. A subclass must implement the methods.
+ */
+class IdentityStorage {
+public:
+ /**
+ * The virtual Destructor.
+ */
+ virtual
+ ~IdentityStorage() {}
+
+ /**
+ * Check if the specified identity already exists.
+ * @param identityName The identity name.
+ * @return true if the identity exists, otherwise false.
+ */
+ virtual bool
+ doesIdentityExist(const Name& identityName) = 0;
+
+ /**
+ * Add a new identity. An exception will be thrown if the identity already exists.
+ * @param identityName The identity name to be added.
+ */
+ virtual void
+ addIdentity(const Name& identityName) = 0;
+
+ /**
+ * Revoke the identity.
+ * @return true if the identity was revoked, false if not.
+ */
+ virtual bool
+ revokeIdentity() = 0;
+
+ /**
+ * Generate a name for a new key belonging to the identity.
+ * @param identityName The identity name.
+ * @param useKsk If true, generate a KSK name, otherwise a DSK name.
+ * @return The generated key name.
+ */
+ virtual Name
+ getNewKeyName(const Name& identityName, bool useKsk) = 0;
+
+ /**
+ * Check if the specified key already exists.
+ * @param keyName The name of the key.
+ * @return true if the key exists, otherwise false.
+ */
+ virtual bool
+ doesKeyExist(const Name& keyName) = 0;
+
+ /**
+ * Extract the key name from the certificate name.
+ * @param certificateName The certificate name to be processed.
+ */
+ virtual Name
+ getKeyNameForCertificate(const Name& certificateName) = 0;
+
+ /**
+ * Add a public key to the identity storage.
+ * @param keyName The name of the public key to be added.
+ * @param keyType Type of the public key to be added.
+ * @param publicKeyDer A blob of the public key DER to be added.
+ */
+ virtual void
+ addKey(const Name& keyName, KeyType keyType, const Blob& publicKeyDer) = 0;
+
+ /**
+ * Get the public key DER blob from the identity storage.
+ * @param keyName The name of the requested public key.
+ * @return The DER Blob. If not found, return a Blob with a null pointer.
+ */
+ virtual Blob
+ getKey(const Name& keyName) = 0;
+
+ /**
+ * Activate a key. If a key is marked as inactive, its private part will not be used in packet signing.
+ * @param keyName name of the key
+ */
+ virtual void
+ activateKey(const Name& keyName) = 0;
+
+ /**
+ * Deactivate a key. If a key is marked as inactive, its private part will not be used in packet signing.
+ * @param keyName name of the key
+ */
+ virtual void
+ deactivateKey(const Name& keyName) = 0;
+
+ /**
+ * Check if the specified certificate already exists.
+ * @param certificateName The name of the certificate.
+ * @return true if the certificate exists, otherwise false.
+ */
+ virtual bool
+ doesCertificateExist(const Name& certificateName) = 0;
+
+ /**
+ * Add a certificate to the identity storage.
+ * @param certificate The certificate to be added.
+ */
+ virtual void
+ addCertificate(const Certificate& certificate) = 0;
+
+ /**
+ * Get a certificate from the identity storage.
+ * @param certificateName The name of the requested certificate.
+ * @param allowAny If false, only a valid certificate will be returned, otherwise validity is disregarded.
+ * @return The requested certificate. If not found, return a shared_ptr with a null pointer.
+ */
+ virtual ptr_lib::shared_ptr<Certificate>
+ getCertificate(const Name &certificateName, bool allowAny = false) = 0;
+
+
+ /*****************************************
+ * Get/Set Default *
+ *****************************************/
+
+ /**
+ * Get the default identity.
+ * @param return The name of default identity, or an empty name if there is no default.
+ */
+ virtual Name
+ getDefaultIdentity() = 0;
+
+ /**
+ * Get the default key name for the specified identity.
+ * @param identityName The identity name.
+ * @return The default key name.
+ */
+ virtual Name
+ getDefaultKeyNameForIdentity(const Name& identityName) = 0;
+
+ /**
+ * Get the default certificate name for the specified identity.
+ * @param identityName The identity name.
+ * @return The default certificate name.
+ */
+ Name
+ getDefaultCertificateNameForIdentity(const Name& identityName)
+ {
+ return getDefaultCertificateNameForKey(getDefaultKeyNameForIdentity(identityName));
+ }
+
+ /**
+ * Get the default certificate name for the specified key.
+ * @param keyName The key name.
+ * @return The default certificate name.
+ */
+ virtual Name
+ getDefaultCertificateNameForKey(const Name& keyName) = 0;
+
+ /**
+ * Set the default identity. If the identityName does not exist, then clear the default identity
+ * so that getDefaultIdentity() returns an empty name.
+ * @param identityName The default identity name.
+ */
+ virtual void
+ setDefaultIdentity(const Name& identityName) = 0;
+
+ /**
+ * Set the default key name for the specified identity.
+ * @param keyName The key name.
+ * @param identityNameCheck (optional) The identity name to check the keyName.
+ */
+ virtual void
+ setDefaultKeyNameForIdentity(const Name& keyName, const Name& identityNameCheck = Name()) = 0;
+
+ /**
+ * Set the default key name for the specified identity.
+ * @param keyName The key name.
+ * @param certificateName The certificate name.
+ */
+ virtual void
+ setDefaultCertificateNameForKey(const Name& keyName, const Name& certificateName) = 0;
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp/security/identity/memory-identity-storage.hpp b/include/ndn-cpp/security/identity/memory-identity-storage.hpp
new file mode 100644
index 0000000..ba0ea5a
--- /dev/null
+++ b/include/ndn-cpp/security/identity/memory-identity-storage.hpp
@@ -0,0 +1,189 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_MEMORY_IDENTITY_STORAGE_HPP
+#define NDN_MEMORY_IDENTITY_STORAGE_HPP
+
+#include <vector>
+#include "identity-storage.hpp"
+
+namespace ndn {
+
+/**
+ * MemoryIdentityStorage extends IdentityStorage and implements its methods to store identity, public key and certificate objects in memory.
+ * The application must get the objects through its own means and add the objects to the MemoryIdentityStorage object.
+ * To use permanent file-based storage, see BasicIdentityStorage.
+ */
+class MemoryIdentityStorage : public IdentityStorage {
+public:
+ /**
+ * The virtual Destructor.
+ */
+ virtual
+ ~MemoryIdentityStorage();
+
+ /**
+ * Check if the specified identity already exists.
+ * @param identityName The identity name.
+ * @return true if the identity exists, otherwise false.
+ */
+ virtual bool
+ doesIdentityExist(const Name& identityName);
+
+ /**
+ * Add a new identity. An exception will be thrown if the identity already exists.
+ * @param identityName The identity name to be added.
+ */
+ virtual void
+ addIdentity(const Name& identityName);
+
+ /**
+ * Revoke the identity.
+ * @return true if the identity was revoked, false if not.
+ */
+ virtual bool
+ revokeIdentity();
+
+ /**
+ * Generate a name for a new key belonging to the identity.
+ * @param identityName The identity name.
+ * @param useKsk If true, generate a KSK name, otherwise a DSK name.
+ * @return The generated key name.
+ */
+ virtual Name
+ getNewKeyName(const Name& identityName, bool useKsk);
+
+ /**
+ * Check if the specified key already exists.
+ * @param keyName The name of the key.
+ * @return true if the key exists, otherwise false.
+ */
+ virtual bool
+ doesKeyExist(const Name& keyName);
+
+ /**
+ * Extract the key name from the certificate name.
+ * @param certificateName The certificate name to be processed.
+ */
+ virtual Name
+ getKeyNameForCertificate(const Name& certificateName);
+
+ /**
+ * Add a public key to the identity storage.
+ * @param keyName The name of the public key to be added.
+ * @param keyType Type of the public key to be added.
+ * @param publicKeyDer A blob of the public key DER to be added.
+ */
+ virtual void
+ addKey(const Name& keyName, KeyType keyType, const Blob& publicKeyDer);
+
+ /**
+ * Get the public key DER blob from the identity storage.
+ * @param keyName The name of the requested public key.
+ * @return The DER Blob. If not found, return a Blob with a null pointer.
+ */
+ virtual Blob
+ getKey(const Name& keyName);
+
+ /**
+ * Activate a key. If a key is marked as inactive, its private part will not be used in packet signing.
+ * @param keyName name of the key
+ */
+ virtual void
+ activateKey(const Name& keyName);
+
+ /**
+ * Deactivate a key. If a key is marked as inactive, its private part will not be used in packet signing.
+ * @param keyName name of the key
+ */
+ virtual void
+ deactivateKey(const Name& keyName);
+
+ /**
+ * Check if the specified certificate already exists.
+ * @param certificateName The name of the certificate.
+ * @return true if the certificate exists, otherwise false.
+ */
+ virtual bool
+ doesCertificateExist(const Name& certificateName);
+
+ /**
+ * Add a certificate to the identity storage.
+ * @param certificate The certificate to be added.
+ */
+ virtual void
+ addCertificate(const Certificate& certificate);
+
+ /**
+ * Get a certificate from the identity storage.
+ * @param certificateName The name of the requested certificate.
+ * @param allowAny If false, only a valid certificate will be returned, otherwise validity is disregarded.
+ * @return The requested certificate. If not found, return a shared_ptr with a null pointer.
+ */
+ virtual ptr_lib::shared_ptr<Certificate>
+ getCertificate(const Name &certificateName, bool allowAny = false);
+
+
+ /*****************************************
+ * Get/Set Default *
+ *****************************************/
+
+ /**
+ * Get the default identity.
+ * @param return The name of default identity, or an empty name if there is no default.
+ */
+ virtual Name
+ getDefaultIdentity();
+
+ /**
+ * Get the default key name for the specified identity.
+ * @param identityName The identity name.
+ * @return The default key name.
+ */
+ virtual Name
+ getDefaultKeyNameForIdentity(const Name& identityName);
+
+ /**
+ * Get the default certificate name for the specified key.
+ * @param keyName The key name.
+ * @return The default certificate name.
+ */
+ virtual Name
+ getDefaultCertificateNameForKey(const Name& keyName);
+
+ /**
+ * Set the default identity. If the identityName does not exist, then clear the default identity
+ * so that getDefaultIdentity() returns an empty name.
+ * @param identityName The default identity name.
+ */
+ virtual void
+ setDefaultIdentity(const Name& identityName);
+
+ /**
+ * Set the default key name for the specified identity.
+ * @param keyName The key name.
+ * @param identityNameCheck (optional) The identity name to check the keyName.
+ */
+ virtual void
+ setDefaultKeyNameForIdentity(const Name& keyName, const Name& identityNameCheck = Name());
+
+ /**
+ * Set the default key name for the specified identity.
+ * @param keyName The key name.
+ * @param certificateName The certificate name.
+ */
+ virtual void
+ setDefaultCertificateNameForKey(const Name& keyName, const Name& certificateName);
+
+private:
+ std::vector<std::string> identityStore_; /**< A list of name URI. */
+ std::string defaultIdentity_; /**< The default identity in identityStore_, or "" if not defined. */
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp/security/identity/memory-private-key-storage.hpp b/include/ndn-cpp/security/identity/memory-private-key-storage.hpp
new file mode 100644
index 0000000..02f8fbc
--- /dev/null
+++ b/include/ndn-cpp/security/identity/memory-private-key-storage.hpp
@@ -0,0 +1,132 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_MEMORY_PRIVATE_KEY_STORAGE_HPP
+#define NDN_MEMORY_PRIVATE_KEY_STORAGE_HPP
+
+#include <map>
+#include "private-key-storage.hpp"
+
+struct rsa_st;
+
+namespace ndn {
+
+/**
+ * MemoryPrivateKeyStorage extends PrivateKeyStorage to implement a simple in-memory private key store. You should
+ * initialize by calling setKeyPairForKeyName.
+ */
+class MemoryPrivateKeyStorage : public PrivateKeyStorage {
+public:
+ /**
+ * The virtual destructor
+ */
+ virtual
+ ~MemoryPrivateKeyStorage();
+
+ /**
+ * Set the public and private key for the keyName.
+ * @param keyName The key name.
+ * @param publicKeyDer The public key DER byte array.
+ * @param publicKeyDerLength The length of publicKeyDer.
+ * @param privateKeyDer The private key DER byte array.
+ * @param privateKeyDerLength The length of privateKeyDer.
+ */
+ void setKeyPairForKeyName
+ (const Name& keyName, uint8_t *publicKeyDer, size_t publicKeyDerLength, uint8_t *privateKeyDer,
+ size_t privateKeyDerLength);
+
+ /**
+ * Generate a pair of asymmetric keys.
+ * @param keyName The name of the key pair.
+ * @param keyType The type of the key pair, e.g. KEY_TYPE_RSA.
+ * @param keySize The size of the key pair.
+ */
+ virtual void
+ generateKeyPair(const Name& keyName, KeyType keyType, int keySize);
+
+ /**
+ * Get the public key
+ * @param keyName The name of public key.
+ * @return The public key.
+ */
+ virtual ptr_lib::shared_ptr<PublicKey>
+ getPublicKey(const Name& keyName);
+
+ /**
+ * Fetch the private key for keyName and sign the data, returning a signature Blob.
+ * @param data Pointer to the input byte array.
+ * @param dataLength The length of data.
+ * @param keyName The name of the signing key.
+ * @param digestAlgorithm the digest algorithm.
+ * @return The signature, or a null pointer if signing fails.
+ */
+ virtual Blob
+ sign(const uint8_t *data, size_t dataLength, const Name& keyName, DigestAlgorithm digestAlgorithm);
+
+ /**
+ * Decrypt data.
+ * @param keyName The name of the decrypting key.
+ * @param data The byte to be decrypted.
+ * @param dataLength the length of data.
+ * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
+ * @return The decrypted data.
+ */
+ virtual Blob
+ decrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric);
+
+ /**
+ * Encrypt data.
+ * @param keyName The name of the encrypting key.
+ * @param data The byte to be encrypted.
+ * @param dataLength the length of data.
+ * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
+ * @return The encrypted data.
+ */
+ virtual Blob
+ encrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric);
+
+ /**
+ * @brief Generate a symmetric key.
+ * @param keyName The name of the key.
+ * @param keyType The type of the key, e.g. KEY_TYPE_AES.
+ * @param keySize The size of the key.
+ */
+ virtual void
+ generateKey(const Name& keyName, KeyType keyType, int keySize);
+
+ /**
+ * Check if a particular key exists.
+ * @param keyName The name of the key.
+ * @param keyClass The class of the key, e.g. KEY_CLASS_PUBLIC, KEY_CLASS_PRIVATE, or KEY_CLASS_SYMMETRIC.
+ * @return True if the key exists, otherwise false.
+ */
+ virtual bool
+ doesKeyExist(const Name& keyName, KeyClass keyClass);
+
+private:
+ /**
+ * RsaPrivateKey is a simple class to hold an RSA private key.
+ */
+ class RsaPrivateKey {
+ public:
+ RsaPrivateKey(uint8_t *keyDer, size_t keyDerLength);
+
+ ~RsaPrivateKey();
+
+ struct rsa_st* getPrivateKey() { return privateKey_; }
+
+ private:
+ struct rsa_st* privateKey_;
+ };
+
+ std::map<std::string, ptr_lib::shared_ptr<PublicKey> > publicKeyStore_; /**< The map key is the keyName.toUri() */
+ std::map<std::string, ptr_lib::shared_ptr<RsaPrivateKey> > privateKeyStore_; /**< The map key is the keyName.toUri() */
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp/security/identity/osx-private-key-storage.hpp b/include/ndn-cpp/security/identity/osx-private-key-storage.hpp
new file mode 100644
index 0000000..729bf9e
--- /dev/null
+++ b/include/ndn-cpp/security/identity/osx-private-key-storage.hpp
@@ -0,0 +1,205 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_OSX_PRIVATEKEY_STORAGE_H
+#define NDN_OSX_PRIVATEKEY_STORAGE_H
+
+// Only compile if ndn-cpp-config.h defines NDN_CPP_HAVE_OSX_SECURITY 1.
+#include <ndn-cpp/ndn-cpp-config.h>
+#if NDN_CPP_HAVE_OSX_SECURITY
+
+#include "../../common.hpp"
+#include "private-key-storage.hpp"
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/Security.h>
+#include <CoreServices/CoreServices.h>
+
+namespace ndn
+{
+
+class OSXPrivateKeyStorage : public PrivateKeyStorage {
+public:
+ /**
+ * constructor of OSXPrivateKeyStorage
+ * @param keychainName the name of keychain
+ */
+ OSXPrivateKeyStorage(const std::string & keychainName = "");
+
+ /**
+ * destructor of OSXPrivateKeyStore
+ */
+ virtual
+ ~OSXPrivateKeyStorage();
+
+ /**
+ * Generate a pair of asymmetric keys.
+ * @param keyName The name of the key pair.
+ * @param keyType The type of the key pair, e.g. KEY_TYPE_RSA.
+ * @param keySize The size of the key pair.
+ */
+ virtual void
+ generateKeyPair(const Name& keyName, KeyType keyType = KEY_TYPE_RSA, int keySize = 2048);
+
+ /**
+ * Get the public key
+ * @param keyName The name of public key.
+ * @return The public key.
+ */
+ virtual ptr_lib::shared_ptr<PublicKey>
+ getPublicKey(const Name& keyName);
+
+ /**
+ * Fetch the private key for keyName and sign the data, returning a signature Blob.
+ * @param data Pointer to the input byte array.
+ * @param dataLength The length of data.
+ * @param keyName The name of the signing key.
+ * @param digestAlgorithm the digest algorithm.
+ * @return The signature, or a null pointer if signing fails.
+ */
+ virtual Blob
+ sign(const uint8_t *data, size_t dataLength, const Name& keyName, DigestAlgorithm digestAlgorithm = DIGEST_ALGORITHM_SHA256);
+
+ /**
+ * Decrypt data.
+ * @param keyName The name of the decrypting key.
+ * @param data The byte to be decrypted.
+ * @param dataLength the length of data.
+ * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
+ * @return The decrypted data.
+ */
+ virtual Blob
+ decrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric = false);
+
+ /**
+ * Encrypt data.
+ * @param keyName The name of the encrypting key.
+ * @param data The byte to be encrypted.
+ * @param dataLength the length of data.
+ * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
+ * @return The encrypted data.
+ */
+ virtual Blob
+ encrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric = false);
+
+ /**
+ * Generate a symmetric key.
+ * @param keyName The name of the key.
+ * @param keyType The type of the key, e.g. KEY_TYPE_AES.
+ * @param keySize The size of the key.
+ */
+ virtual void
+ generateKey(const Name& keyName, KeyType keyType = KEY_TYPE_AES, int keySize = 256);
+
+ /**
+ * Check if a particular key exists.
+ * @param keyName The name of the key.
+ * @param keyClass The class of the key, e.g. KEY_CLASS_PUBLIC, KEY_CLASS_PRIVATE, or KEY_CLASS_SYMMETRIC.
+ * @return True if the key exists, otherwise false.
+ */
+ virtual bool
+ doesKeyExist(const Name& keyName, KeyClass keyClass);
+
+ /**
+ * configure ACL of a particular key
+ * @param keyName the name of key
+ * @param keyClass the class of key, e.g. Private Key
+ * @param acl the new acl of the key
+ * @param appPath the absolute path to the application
+ * @returns true if setting succeeds
+ */
+ bool
+ setACL(const Name & keyName, KeyClass keyClass, int acl, const std::string & appPath);
+
+ /**
+ * verify data (test only)
+ * @param keyName the name of key
+ * @param pData the data to be verified
+ * @param pSig the signature associated with the data
+ * @param digestAlgo digest algorithm
+ * @return true if signature can be verified, otherwise false
+ */
+ bool
+ verifyData(const Name & keyName, const Blob & pData, const Blob & pSig, DigestAlgorithm digestAlgo = DIGEST_ALGORITHM_SHA256);
+
+ private:
+ /**
+ * convert NDN name of a key to internal name of the key
+ * @param keyName the NDN name of the key
+ * @param keyClass the class of the key
+ * @return the internal key name
+ */
+ std::string
+ toInternalKeyName(const Name & keyName, KeyClass keyClass);
+
+ /**
+ * Get key
+ * @param keyName the name of the key
+ * @param keyClass the class of the key
+ * @returns pointer to the key
+ */
+ SecKeychainItemRef
+ getKey(const Name & keyName, KeyClass keyClass);
+
+ /**
+ * convert keyType to MAC OS symmetric key key type
+ * @param keyType
+ * @returns MAC OS key type
+ */
+ const CFTypeRef
+ getSymKeyType(KeyType keyType);
+
+ /**
+ * convert keyType to MAC OS asymmetirc key type
+ * @param keyType
+ * @returns MAC OS key type
+ */
+ const CFTypeRef
+ getAsymKeyType(KeyType keyType);
+
+ /**
+ * convert keyClass to MAC OS key class
+ * @param keyClass
+ * @returns MAC OS key class
+ */
+ const CFTypeRef
+ getKeyClass(KeyClass keyClass);
+
+ /**
+ * convert digestAlgo to MAC OS algorithm id
+ * @param digestAlgo
+ * @returns MAC OS algorithm id
+ */
+ const CFStringRef
+ getDigestAlgorithm(DigestAlgorithm digestAlgo);
+
+ /**
+ * convert format to MAC OS key format
+ * @param format
+ * @returns MAC OS keyformat
+ */
+ SecExternalFormat
+ getFormat(KeyFormat format);
+
+ /**
+ * get the digest size of the corresponding algorithm
+ * @param digestAlgo the digest algorithm
+ * @return digest size
+ */
+ long
+ getDigestSize(DigestAlgorithm digestAlgo);
+
+ const std::string keyChainName_;
+ SecKeychainRef keyChainRef_;
+ SecKeychainRef originalDefaultKeyChain_;
+};
+
+}
+
+#endif NDN_CPP_HAVE_OSX_SECURITY
+
+#endif
diff --git a/include/ndn-cpp/security/identity/private-key-storage.hpp b/include/ndn-cpp/security/identity/private-key-storage.hpp
new file mode 100644
index 0000000..8917c92
--- /dev/null
+++ b/include/ndn-cpp/security/identity/private-key-storage.hpp
@@ -0,0 +1,117 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_PRIVATE_KEY_STORAGE_HPP
+#define NDN_PRIVATE_KEY_STORAGE_HPP
+
+#include <string>
+#include "../../util/blob.hpp"
+#include "../certificate/public-key.hpp"
+#include "../security-common.hpp"
+#include "../../name.hpp"
+
+namespace ndn {
+
+class PrivateKeyStorage {
+public:
+ /**
+ * The virtual destructor.
+ */
+ virtual
+ ~PrivateKeyStorage() {}
+
+ /**
+ * Generate a pair of asymmetric keys.
+ * @param keyName The name of the key pair.
+ * @param keyType The type of the key pair, e.g. KEY_TYPE_RSA.
+ * @param keySize The size of the key pair.
+ */
+ virtual void
+ generateKeyPair(const Name& keyName, KeyType keyType = KEY_TYPE_RSA, int keySize = 2048) = 0;
+
+ /**
+ * Get the public key
+ * @param keyName The name of public key.
+ * @return The public key.
+ */
+ virtual ptr_lib::shared_ptr<PublicKey>
+ getPublicKey(const Name& keyName) = 0;
+
+ /**
+ * Fetch the private key for keyName and sign the data, returning a signature Blob.
+ * @param data Pointer to the input byte array.
+ * @param dataLength The length of data.
+ * @param keyName The name of the signing key.
+ * @param digestAlgorithm the digest algorithm.
+ * @return The signature, or a null pointer if signing fails.
+ */
+ virtual Blob
+ sign(const uint8_t *data, size_t dataLength, const Name& keyName, DigestAlgorithm digestAlgorithm = DIGEST_ALGORITHM_SHA256) = 0;
+
+ Blob
+ sign(const Blob& data, const Name& keyName, DigestAlgorithm digestAlgorithm = DIGEST_ALGORITHM_SHA256)
+ {
+ sign(data.buf(), data.size(), keyName, digestAlgorithm);
+ }
+
+ /**
+ * Decrypt data.
+ * @param keyName The name of the decrypting key.
+ * @param data The byte to be decrypted.
+ * @param dataLength the length of data.
+ * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
+ * @return The decrypted data.
+ */
+ virtual Blob
+ decrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric = false) = 0;
+
+ Blob
+ decrypt(const Name& keyName, const Blob& data, bool isSymmetric = false)
+ {
+ decrypt(keyName, data.buf(), data.size(), isSymmetric);
+ }
+
+ /**
+ * Encrypt data.
+ * @param keyName The name of the encrypting key.
+ * @param data The byte to be encrypted.
+ * @param dataLength the length of data.
+ * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
+ * @return The encrypted data.
+ */
+ virtual Blob
+ encrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric = false) = 0;
+
+ Blob
+ encrypt(const Name& keyName, const Blob& data, bool isSymmetric = false)
+ {
+ encrypt(keyName, data.buf(), data.size(), isSymmetric);
+ }
+
+ /**
+ * @brief Generate a symmetric key.
+ * @param keyName The name of the key.
+ * @param keyType The type of the key, e.g. KEY_TYPE_AES.
+ * @param keySize The size of the key.
+ */
+ virtual void
+ generateKey(const Name& keyName, KeyType keyType = KEY_TYPE_AES, int keySize = 256) = 0;
+
+ /**
+ * Check if a particular key exists.
+ * @param keyName The name of the key.
+ * @param keyClass The class of the key, e.g. KEY_CLASS_PUBLIC, KEY_CLASS_PRIVATE, or KEY_CLASS_SYMMETRIC.
+ * @return True if the key exists, otherwise false.
+ */
+ virtual bool
+ doesKeyExist(const Name& keyName, KeyClass keyClass) = 0;
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp/security/key-chain.hpp b/include/ndn-cpp/security/key-chain.hpp
new file mode 100644
index 0000000..97db9d8
--- /dev/null
+++ b/include/ndn-cpp/security/key-chain.hpp
@@ -0,0 +1,285 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_KEY_CHAIN_HPP
+#define NDN_KEY_CHAIN_HPP
+
+#include "../data.hpp"
+#include "../face.hpp"
+#include "identity/identity-manager.hpp"
+#include "encryption/encryption-manager.hpp"
+
+namespace ndn {
+
+class PolicyManager;
+
+/**
+ * An OnVerified function object is used to pass a callback to verifyData to report a successful verification.
+ */
+typedef func_lib::function<void(const ptr_lib::shared_ptr<Data>& data)> OnVerified;
+
+/**
+ * An OnVerifyFailed function object is used to pass a callback to verifyData to report a failed verification.
+ */
+typedef func_lib::function<void(const ptr_lib::shared_ptr<Data>& data)> OnVerifyFailed;
+
+/**
+ * Keychain is the main class of the security library.
+ *
+ * The Keychain class provides a set of interfaces to the security library such as identity management, policy configuration
+ * and packet signing and verification.
+ */
+class KeyChain {
+public:
+ KeyChain
+ (const ptr_lib::shared_ptr<IdentityManager>& identityManager, const ptr_lib::shared_ptr<PolicyManager>& policyManager);
+
+ /*****************************************
+ * Identity Management *
+ *****************************************/
+
+ /**
+ * Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed certificate of the KSK.
+ * @param identityName The name of the identity.
+ * @return The key name of the auto-generated KSK of the identity.
+ */
+ Name
+ createIdentity(const Name& identityName)
+ {
+ return identityManager_->createIdentity(identityName);
+ }
+
+ /**
+ * Get the default identity.
+ * @return The default identity name.
+ */
+ Name
+ getDefaultIdentity()
+ {
+ return identityManager_->getDefaultIdentity();
+ }
+
+ /**
+ * Generate a pair of RSA keys for the specified identity.
+ * @param identityName The name of the identity.
+ * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
+ * @param keySize The size of the key.
+ * @return The generated key name.
+ */
+ Name
+ generateRSAKeyPair(const Name& identityName, bool isKsk = false, int keySize = 2048)
+ {
+ return identityManager_->generateRSAKeyPair(identityName, isKsk, keySize);
+ }
+
+ /**
+ * Set a key as the default key of an identity.
+ * @param keyName The name of the key.
+ * @param identityName the name of the identity. If not specified, the identity name is inferred from the keyName.
+ */
+ void
+ setDefaultKeyForIdentity(const Name& keyName, const Name& identityName = Name())
+ {
+ return identityManager_->setDefaultKeyForIdentity(keyName, identityName);
+ }
+
+ /**
+ * Generate a pair of RSA keys for the specified identity and set it as default key for the identity.
+ * @param identityName The name of the identity.
+ * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
+ * @param keySize The size of the key.
+ * @return The generated key name.
+ */
+ Name
+ generateRSAKeyPairAsDefault(const Name& identityName, bool isKsk = false, int keySize = 2048)
+ {
+ return identityManager_->generateRSAKeyPairAsDefault(identityName, isKsk, keySize);
+ }
+
+ /**
+ * Create a public key signing request.
+ * @param keyName The name of the key.
+ * @returns The signing request data.
+ */
+ Blob
+ createSigningRequest(const Name& keyName)
+ {
+ return identityManager_->getPublicKey(keyName)->getKeyDer();
+ }
+
+ /**
+ * Install an identity certificate into the public key identity storage.
+ * @param certificate The certificate to to added.
+ */
+ void
+ installIdentityCertificate(const Certificate& certificate)
+ {
+ identityManager_->addCertificate(certificate);
+ }
+
+ /**
+ * Set the certificate as the default for its corresponding key.
+ * @param certificateName The name of the certificate.
+ */
+ void
+ setDefaultCertificateForKey(const Name& certificateName)
+ {
+ identityManager_->setDefaultCertificateForKey(certificateName);
+ }
+
+ /**
+ * Get a certificate with the specified name.
+ * @param certificateName The name of the requested certificate.
+ * @return the requested certificate.
+ */
+ ptr_lib::shared_ptr<Certificate>
+ getCertificate(const Name& certificateName)
+ {
+ return identityManager_->getCertificate(certificateName);
+ }
+
+ /**
+ * Get a certificate even if the certificate is not valid anymore.
+ * @param certificateName The name of the requested certificate.
+ * @return the requested certificate.
+ */
+ ptr_lib::shared_ptr<Certificate>
+ getAnyCertificate(const Name& certificateName)
+ {
+ return identityManager_->getAnyCertificate(certificateName);
+ }
+
+ /**
+ * Revoke a key
+ * @param keyName the name of the key that will be revoked
+ */
+ void
+ revokeKey(const Name & keyName)
+ {
+ //TODO: Implement
+ }
+
+ /**
+ * Revoke a certificate
+ * @param certificateName the name of the certificate that will be revoked
+ */
+ void
+ revokeCertificate(const Name & certificateName)
+ {
+ //TODO: Implement
+ }
+
+ /*****************************************
+ * Policy Management *
+ *****************************************/
+
+ const ptr_lib::shared_ptr<PolicyManager>&
+ getPolicyManager() { return policyManager_; }
+
+ /*****************************************
+ * Sign/Verify *
+ *****************************************/
+
+ /**
+ * Wire encode the Data object, sign it and set its signature.
+ * Note: the caller must make sure the timestamp is correct, for example with
+ * data.getMetaInfo().setTimestampMilliseconds(time(NULL) * 1000.0).
+ * @param data The Data object to be signed. This updates its signature and key locator field and wireEncoding.
+ * @param certificateName The certificate name of the key to use for signing. If omitted, infer the signing identity from the data packet name.
+ * @param wireFormat A WireFormat object used to encode the input. If omitted, use WireFormat getDefaultWireFormat().
+ */
+ void
+ sign(Data& data, const Name& certificateName, WireFormat& wireFormat = *WireFormat::getDefaultWireFormat());
+
+ /**
+ * Wire encode the Data object, sign it and set its signature.
+ * Note: the caller must make sure the timestamp is correct, for example with
+ * data.getMetaInfo().setTimestampMilliseconds(time(NULL) * 1000.0).
+ * @param data The Data object to be signed. This updates its signature and key locator field and wireEncoding.
+ * @param identityName The identity name for the key to use for signing. If omitted, infer the signing identity from the data packet name.
+ * @param wireFormat A WireFormat object used to encode the input. If omitted, use WireFormat getDefaultWireFormat().
+ */
+ void
+ signByIdentity(Data& data, const Name& identityName = Name(), WireFormat& wireFormat = *WireFormat::getDefaultWireFormat());
+
+ /**
+ * Check the signature on the Data object and call either onVerify or onVerifyFailed.
+ * We use callback functions because verify may fetch information to check the signature.
+ * @param data The Data object with the signature to check. It is an error if data does not have a wireEncoding.
+ * To set the wireEncoding, you can call data.wireDecode.
+ * @param onVerified If the signature is verified, this calls onVerified(data).
+ * @param onVerifyFailed If the signature check fails, this calls onVerifyFailed(data).
+ */
+ void
+ verifyData
+ (const ptr_lib::shared_ptr<Data>& data, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed, int stepCount = 0);
+
+ /*****************************************
+ * Encrypt/Decrypt *
+ *****************************************/
+
+ /**
+ * Generate a symmetric key.
+ * @param keyName The name of the generated key.
+ * @param keyType The type of the key, e.g. KEY_TYPE_AES
+ */
+ void
+ generateSymmetricKey(const Name& keyName, KeyType keyType)
+ {
+ encryptionManager_->createSymmetricKey(keyName, keyType);
+ }
+
+ /**
+ * Encrypt a byte array.
+ * @param keyName The name of the encrypting key.
+ * @param data The byte array that will be encrypted.
+ * @param dataLength The length of data.
+ * @param useSymmetric If true then symmetric encryption is used, otherwise asymmetric encryption is used.
+ * @param encryptMode the encryption mode
+ * @return the encrypted data as an immutable Blob.
+ */
+ Blob
+ encrypt(const Name &keyName, const uint8_t* data, size_t dataLength, bool useSymmetric = true,
+ EncryptMode encryptMode = ENCRYPT_MODE_DEFAULT)
+ {
+ return encryptionManager_->encrypt(keyName, data, dataLength, useSymmetric, encryptMode);
+ }
+
+ /**
+ * Decrypt a byte array.
+ * @param keyName The name of the decrypting key.
+ * @param data The byte array that will be decrypted.
+ * @param dataLength The length of data.
+ * @param useSymmetric If true then symmetric encryption is used, otherwise asymmetric encryption is used.
+ * @param encryptMode the encryption mode
+ * @return the decrypted data as an immutable Blob.
+ */
+ Blob
+ decrypt(const Name &keyName, const uint8_t* data, size_t dataLength, bool useSymmetric = true,
+ EncryptMode encryptMode = ENCRYPT_MODE_DEFAULT)
+ {
+ return encryptionManager_->decrypt(keyName, data, dataLength, useSymmetric, encryptMode);
+ }
+
+ /**
+ * Set the Face which will be used to fetch required certificates.
+ * @param face A pointer to the Face object.
+ */
+ void
+ setFace(Face* face) { face_ = face; }
+
+private:
+ ptr_lib::shared_ptr<IdentityManager> identityManager_;
+ ptr_lib::shared_ptr<PolicyManager> policyManager_;
+ ptr_lib::shared_ptr<EncryptionManager> encryptionManager_;
+ Face* face_;
+ const int maxSteps_;
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp/security/policy/no-verify-policy-manager.hpp b/include/ndn-cpp/security/policy/no-verify-policy-manager.hpp
new file mode 100644
index 0000000..8b72eda
--- /dev/null
+++ b/include/ndn-cpp/security/policy/no-verify-policy-manager.hpp
@@ -0,0 +1,72 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_NO_VERIFY_POLICY_MANAGER_HPP
+#define NDN_NO_VERIFY_POLICY_MANAGER_HPP
+
+#include "policy-manager.hpp"
+
+namespace ndn {
+
+class NoVerifyPolicyManager : public PolicyManager {
+public:
+ /**
+ * The virtual destructor.
+ */
+ virtual
+ ~NoVerifyPolicyManager();
+
+ /**
+ * Override to always skip verification and trust as valid.
+ * @param data The received data packet.
+ * @return true.
+ */
+ virtual bool
+ skipVerifyAndTrust(const Data& data);
+
+ /**
+ * Override to return false for no verification rule for the received data.
+ * @param data The received data packet.
+ * @return false.
+ */
+ virtual bool
+ requireVerify(const Data& data);
+
+ /**
+ * Override to call onVerified(data) and to indicate no further verification step.
+ * @param data The Data object with the signature to check.
+ * @param stepCount The number of verification steps that have been done, used to track the verification progress.
+ * @param onVerified This does override to call onVerified(data).
+ * @param onVerifyFailed Override to ignore this.
+ * @return null for no further step.
+ */
+ virtual ptr_lib::shared_ptr<ValidationRequest>
+ checkVerificationPolicy
+ (const ptr_lib::shared_ptr<Data>& data, const int& stepCount, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed);
+
+ /**
+ * Override to always indicate that the signing certificate name and data name satisfy the signing policy.
+ * @param dataName The name of data to be signed.
+ * @param certificateName The name of signing certificate.
+ * @return true to indicate that the signing certificate can be used to sign the data.
+ */
+ virtual bool
+ checkSigningPolicy(const Name& dataName, const Name& certificateName);
+
+ /**
+ * Override to indicate that the signing identity cannot be inferred.
+ * @param dataName The name of data to be signed.
+ * @return An empty name because cannot infer.
+ */
+ virtual Name
+ inferSigningIdentity(const Name& dataName);
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp/security/policy/policy-manager.hpp b/include/ndn-cpp/security/policy/policy-manager.hpp
new file mode 100644
index 0000000..458f84f
--- /dev/null
+++ b/include/ndn-cpp/security/policy/policy-manager.hpp
@@ -0,0 +1,79 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_POLICY_MANAGER_HPP
+#define NDN_POLICY_MANAGER_HPP
+
+#include "../../data.hpp"
+#include "../key-chain.hpp"
+
+namespace ndn {
+
+class ValidationRequest;
+
+/**
+ * A PolicyManager is an abstract base class to represent the policy for verifying data packets.
+ * You must create an object of a subclass.
+ */
+class PolicyManager {
+public:
+ /**
+ * The virtual destructor.
+ */
+ virtual
+ ~PolicyManager() {}
+
+ /**
+ * Check if the received data packet can escape from verification and be trusted as valid.
+ * @param data The received data packet.
+ * @return true if the data does not need to be verified to be trusted as valid, otherwise false.
+ */
+ virtual bool
+ skipVerifyAndTrust(const Data& data) = 0;
+
+ /**
+ * Check if this PolicyManager has a verification rule for the received data.
+ * @param data The received data packet.
+ * @return true if the data must be verified, otherwise false.
+ */
+ virtual bool
+ requireVerify(const Data& data) = 0;
+
+ /**
+ * Check whether the received data packet complies with the verification policy, and get the indication of the next verification step.
+ * @param data The Data object with the signature to check.
+ * @param stepCount The number of verification steps that have been done, used to track the verification progress.
+ * @param onVerified If the signature is verified, this calls onVerified(data).
+ * @param onVerifyFailed If the signature check fails, this calls onVerifyFailed(data).
+ * @return the indication of next verification step, null if there is no further step.
+ */
+ virtual ptr_lib::shared_ptr<ValidationRequest>
+ checkVerificationPolicy
+ (const ptr_lib::shared_ptr<Data>& data, const int& stepCount, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed) = 0;
+
+ /**
+ * Check if the signing certificate name and data name satisfy the signing policy.
+ * @param dataName The name of data to be signed.
+ * @param certificateName The name of signing certificate.
+ * @return true if the signing certificate can be used to sign the data, otherwise false.
+ */
+ virtual bool
+ checkSigningPolicy(const Name& dataName, const Name& certificateName) = 0;
+
+ /**
+ * Infer the signing identity name according to the policy. If the signing identity cannot be inferred, return an empty name.
+ * @param dataName The name of data to be signed.
+ * @return The signing identity or an empty name if cannot infer.
+ */
+ virtual Name
+ inferSigningIdentity(const Name& dataName) = 0;
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp/security/security-common.hpp b/include/ndn-cpp/security/security-common.hpp
new file mode 100644
index 0000000..1222480
--- /dev/null
+++ b/include/ndn-cpp/security/security-common.hpp
@@ -0,0 +1,47 @@
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SECURITY_COMMON_HPP
+#define NDN_SECURITY_COMMON_HPP
+
+namespace ndn {
+
+enum KeyType {
+ KEY_TYPE_RSA,
+ // KEY_TYPE_DSA,
+ KEY_TYPE_AES,
+ // KEY_TYPE_DES,
+ // KEY_TYPE_RC4,
+ // KEY_TYPE_RC2
+};
+
+enum KeyClass {
+ KEY_CLASS_PUBLIC,
+ KEY_CLASS_PRIVATE,
+ KEY_CLASS_SYMMETRIC
+};
+
+enum KeyFormat {
+ KEY_FORMAT_PUBLIC_OPENSSL,
+};
+
+enum DigestAlgorithm {
+ // DIGEST_ALGORITHM_MD2,
+ // DIGEST_ALGORITHM_MD5,
+ // DIGEST_ALGORITHM_SHA1,
+ DIGEST_ALGORITHM_SHA256
+};
+
+enum EncryptMode {
+ ENCRYPT_MODE_DEFAULT,
+ ENCRYPT_MODE_CFB_AES,
+ // ENCRYPT_MODE_CBC_AES
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp/security/security-exception.hpp b/include/ndn-cpp/security/security-exception.hpp
new file mode 100644
index 0000000..f14948f
--- /dev/null
+++ b/include/ndn-cpp/security/security-exception.hpp
@@ -0,0 +1,49 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SECURITY_EXCEPTION_HPP
+#define NDN_SECURITY_EXCEPTION_HPP
+
+#include <exception>
+#include <string>
+
+namespace ndn {
+
+class SecurityException : public std::exception {
+public:
+ SecurityException(const std::string& errorMessage) throw();
+
+ virtual ~SecurityException() throw();
+
+ std::string Msg() { return errorMessage_; }
+
+ virtual const char* what() const throw() { return errorMessage_.c_str(); }
+
+private:
+ const std::string errorMessage_;
+};
+
+class UnrecognizedKeyFormatException : public SecurityException {
+public:
+ UnrecognizedKeyFormatException(const std::string& errorMessage)
+ : SecurityException(errorMessage)
+ {
+ }
+};
+
+class UnrecognizedDigestAlgorithmException : public SecurityException {
+public:
+ UnrecognizedDigestAlgorithmException(const std::string& errorMessage)
+ : SecurityException(errorMessage)
+ {
+ }
+};
+
+}
+
+#endif