security: In KeyChain constructor, added PolicyManager.  Use in sign().
diff --git a/ndn-cpp/security/key-chain.cpp b/ndn-cpp/security/key-chain.cpp
index a39c4be..5bcc4c1 100644
--- a/ndn-cpp/security/key-chain.cpp
+++ b/ndn-cpp/security/key-chain.cpp
@@ -9,6 +9,7 @@
 #include "../encoding/binary-xml-encoder.hpp"
 #include "../sha256-with-rsa-signature.hpp"
 #include "../util/logging.hpp"
+#include "policy/policy-manager.hpp"
 #include "security-exception.hpp"
 #include "key-chain.hpp"
 
@@ -31,8 +32,8 @@
 };
 #endif
 
-KeyChain::KeyChain(const shared_ptr<IdentityManager>& identityManager)
-: identityManager_(identityManager), face_(0), maxSteps_(100)
+KeyChain::KeyChain(const shared_ptr<IdentityManager>& identityManager, const shared_ptr<PolicyManager>& policyManager)
+: identityManager_(identityManager), policyManager_(policyManager), face_(0), maxSteps_(100)
 {  
 }
 
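Review bot: The constructor stores `policyManager` without checking it for null, yet signByIdentity later calls `policyManager_->inferSigningIdentity` and `policyManager_->checkSigningPolicy` unconditionally. A KeyChain built with an empty shared_ptr would therefore dereference null on the first identity-based sign. Either reject it in the constructor body, e.g. `if (!policyManager) throw SecurityException("KeyChain: policyManager is null");`, or state the non-null requirement in a doc comment on the declaration in key-chain.hpp, which has none in this commit. The same holds for `identityManager`, which was already unchecked before this change.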
@@ -98,31 +99,33 @@
 }
 
 void 
-KeyChain::signData(Data& data, const Name& certificateNameIn, WireFormat& wireFormat)
+KeyChain::sign(Data& data, const Name& certificateName, WireFormat& wireFormat)
 {
-  Name inferredCertificateName;
-  const Name* certificateName;
+  identityManager_->signByCertificate(data, certificateName, wireFormat);
+}
+
+void 
+KeyChain::signByIdentity(Data& data, const Name& identityName, WireFormat& wireFormat)
+{
+  Name signingCertificateName;
   
-  if (certificateNameIn.getComponentCount() == 0) {
-#if 0
-    inferredCertificateName = identityManager_->getDefaultCertificateNameForIdentity(policyManager_->inferSigningIdentity(data.getName ()));
-#else
-    inferredCertificateName = Name();
-#endif
-    if (inferredCertificateName.getComponentCount() == 0)
-      throw SecurityException("No qualified certificate name can be inferred");
-    
-    certificateName = &inferredCertificateName;
+  if (identityName.getComponentCount() == 0) {
+    Name inferredIdentity = policyManager_->inferSigningIdentity(data.getName());
+    if (inferredIdentity.getComponentCount() == 0)
+      signingCertificateName = identityManager_->getDefaultCertificateName();
+    else
+      signingCertificateName = identityManager_->getDefaultCertificateNameForIdentity(inferredIdentity);    
   }
   else
-    certificateName = &certificateNameIn;
-        
-#if 0
-  if (!policyManager_->checkSigningPolicy (data.getName (), certificateName))
+    signingCertificateName = identityManager_->getDefaultCertificateNameForIdentity(identityName);
+
+  if (signingCertificateName.getComponentCount() == 0)
+    throw SecurityException("No qualified certificate name found!");
+
+  if (!policyManager_->checkSigningPolicy(data.getName(), signingCertificateName))
     throw SecurityException("Signing Cert name does not comply with signing policy");
-#endif
-  
-  identityManager_->signByCertificate(data, *certificateName, wireFormat);  
+
+  identityManager_->signByCertificate(data, signingCertificateName);  
 }
 
 void
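Review bot: signByIdentity accepts a `wireFormat` argument but its final call `identityManager_->signByCertificate(data, signingCertificateName);` does not pass it, so a caller-supplied wire format is ignored while sign() forwards it. The call should read `identityManager_->signByCertificate(data, signingCertificateName, wireFormat);`. Separately, checkSigningPolicy now runs only on the signByIdentity path; sign() with an explicit certificate name goes straight to signByCertificate, whereas the removed signData had the (disabled) check on both paths. If skipping the policy for an explicit certificate is intended, say so on sign(), e.g. `// Caller chose the certificate explicitly; the signing policy is not consulted.`; otherwise apply the same check there.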
@@ -140,7 +143,7 @@
 #endif
     onVerified(data);
   else
-    onVerifyFailed();
+    onVerifyFailed(data);
 }
 
 }
diff --git a/ndn-cpp/security/key-chain.hpp b/ndn-cpp/security/key-chain.hpp
index 3340908..ff54aa9 100644
--- a/ndn-cpp/security/key-chain.hpp
+++ b/ndn-cpp/security/key-chain.hpp
@@ -13,6 +13,8 @@
 
 namespace ndn {
 
+class PolicyManager;
+  
 /**
  * An OnVerified function object is used to pass a callback to verifyData to report a successful verification.
  */
@@ -21,7 +23,7 @@
 /**
  * An OnVerifyFailed function object is used to pass a callback to verifyData to report a failed verification.
  */
-typedef func_lib::function<void()> OnVerifyFailed;
+typedef func_lib::function<void(const ptr_lib::shared_ptr<Data>& data)> OnVerifyFailed;
 
 /**
  * Keychain is main class of security library.
@@ -31,33 +33,8 @@
  */
 class KeyChain {
 public:
-  KeyChain(const ptr_lib::shared_ptr<IdentityManager>& identityManager);
-
-  /**
-   * Get the default certificate name for the specified identity, which will be used when signing is performed based on identity.
-   * @param identityName The name of the specified identity.
-   * @return The requested certificate name.
-   */
-  Name
-  getDefaultCertificateNameForIdentity(const Name& identityName)
-  {
-    return identityManager_->getDefaultCertificateNameForIdentity(identityName);
-  }
-  
-  /**
-   * Examine the data packet Name and infer the identity name for signing the content.
-   * @param name The data packet name to examine.
-   * @return A new identity name for signing a data packet.
-   */
-  Name
-  inferSigningIdentity(const Name& name)
-  {
-#if 0
-    policyManager_->inferSigningIdentity(name)
-#else
-    return Name();
-#endif
-  }
+  KeyChain
+    (const ptr_lib::shared_ptr<IdentityManager>& identityManager, const ptr_lib::shared_ptr<PolicyManager>& policyManager);
 
   /**
    * Wire encode the Data object, sign it and set its signature.
@@ -68,14 +45,26 @@
    * @param wireFormat A WireFormat object used to encode the input. If omitted, use WireFormat getDefaultWireFormat().
    */
   void 
-  signData(Data& data, const Name& certificateName = Name(), WireFormat& wireFormat = *WireFormat::getDefaultWireFormat());
+  sign(Data& data, const Name& certificateName, WireFormat& wireFormat = *WireFormat::getDefaultWireFormat());
+
+  /**
+   * Wire encode the Data object, sign it and set its signature.
+   * Note: the caller must make sure the timestamp is correct, for example with 
+   * data.getMetaInfo().setTimestampMilliseconds(time(NULL) * 1000.0).
+   * @param data The Data object to be signed.  This updates its signature and key locator field and wireEncoding.
+   * @param identityName The identity name for the key to use for signing.  If omitted, infer the signing identity from the data packet name.
+   * @param wireFormat A WireFormat object used to encode the input. If omitted, use WireFormat getDefaultWireFormat().
+   */
+  void 
+  signByIdentity(Data& data, const Name& identityName = Name(), WireFormat& wireFormat = *WireFormat::getDefaultWireFormat());
 
   /**
    * Check the signature on the Data object and call either onVerify or onVerifyFailed. 
    * We use callback functions because verify may fetch information to check the signature.
-   * @param data
-   * @param onVerified
-   * @param onVerifyFailed
+   * @param data The Data object with the signature to check. It is an error if data does not have a wireEncoding. 
+   * To set the wireEncoding, you can call data.wireDecode.
+   * @param onVerified If the signature is verified, this calls onVerified(data).
+   * @param onVerifyFailed If the signature check fails, this calls onVerifyFailed(data).
    */
   void
   verifyData
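Review bot: The new signByIdentity doc comment does not mention that the call can throw. The implementation in key-chain.cpp throws SecurityException when no certificate name is found and when checkSigningPolicy rejects the chosen certificate, so add `@throw SecurityException if no certificate name is found or the certificate does not comply with the signing policy.` The `identityName` description could also say that when inference yields an empty identity, the identity manager's default certificate is used. sign() lost its default for `certificateName`, so a sentence in its comment (which starts outside this hunk) pointing callers who want inference to signByIdentity would help.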
@@ -90,6 +79,7 @@
 
 private:
   ptr_lib::shared_ptr<IdentityManager> identityManager_;
+  ptr_lib::shared_ptr<PolicyManager> policyManager_;
   Face* face_;
   const int maxSteps_;
 };
diff --git a/tests/test-encode-decode-data.cpp b/tests/test-encode-decode-data.cpp
index 70cf81c..189397f 100644
--- a/tests/test-encode-decode-data.cpp
+++ b/tests/test-encode-decode-data.cpp
@@ -12,6 +12,7 @@
 #include "../ndn-cpp/data.hpp"
 #include "../ndn-cpp/security/identity/memory-identity-storage.hpp"
 #include "../ndn-cpp/security/identity/memory-private-key-storage.hpp"
+#include "../ndn-cpp/security/policy/no-verify-policy-manager.hpp"
 #include "../ndn-cpp/security/key-chain.hpp"
 #include "../ndn-cpp/sha256-with-rsa-signature.hpp"
 
@@ -212,7 +213,7 @@
   cout << prefix << " signature verification: VERIFIED" << endl;
 }
 
-static void onVerifyFailed(const char *prefix)
+static void onVerifyFailed(const char *prefix, const shared_ptr<Data>& data)
 {
   cout << prefix << " signature verification: FAILED" << endl;
 }
@@ -238,8 +239,9 @@
     freshData->getMetaInfo().setTimestampMilliseconds(time(NULL) * 1000.0);
     
     shared_ptr<MemoryPrivateKeyStorage> privateKeyStorage(new MemoryPrivateKeyStorage());
-    KeyChain keyChain(shared_ptr<IdentityManager>
-      (new IdentityManager(make_shared<MemoryIdentityStorage>(), privateKeyStorage)));
+    KeyChain keyChain
+      (make_shared<IdentityManager>(make_shared<MemoryIdentityStorage>(), privateKeyStorage), 
+       make_shared<NoVerifyPolicyManager>());
     
     // Initialize the storage.
     Name keyName("/testname/DSK-123");
@@ -247,11 +249,11 @@
     privateKeyStorage->setKeyPairForKeyName
       (keyName, DEFAULT_PUBLIC_KEY_DER, sizeof(DEFAULT_PUBLIC_KEY_DER), DEFAULT_PRIVATE_KEY_DER, sizeof(DEFAULT_PRIVATE_KEY_DER));
     
-    keyChain.signData(*freshData, certificateName);
+    keyChain.sign(*freshData, certificateName);
     cout << endl << "Freshly-signed Data:" << endl;
     dumpData(*freshData);
     
-    keyChain.verifyData(freshData, bind(&onVerified, "Freshly-signed Data", _1), bind(&onVerifyFailed, "Freshly-signed Data"));
+    keyChain.verifyData(freshData, bind(&onVerified, "Freshly-signed Data", _1), bind(&onVerifyFailed, "Freshly-signed Data", _1));
   } catch (std::exception& e) {
     cout << "exception: " << e.what() << endl;
   }
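Review bot: This test still exercises only `keyChain.sign(*freshData, certificateName)`, so the new signByIdentity path (identity inference, default-certificate fallback, checkSigningPolicy) has no coverage in this commit. The KeyChain is also built with NoVerifyPolicyManager (previous hunk), which by its name presumably accepts everything, so the "VERIFIED" line would not show that a signature was actually checked. Consider adding a `keyChain.signByIdentity(*freshData);` case, plus a case with a policy manager that can reject so the SecurityException path is exercised. The enclosing function starts outside this hunk.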
diff --git a/tests/test-publish-async.cpp b/tests/test-publish-async.cpp
index 467780e..2e99357 100644
--- a/tests/test-publish-async.cpp
+++ b/tests/test-publish-async.cpp
@@ -11,12 +11,12 @@
 #include "../ndn-cpp/face.hpp"
 #include "../ndn-cpp/security/identity/memory-identity-storage.hpp"
 #include "../ndn-cpp/security/identity/memory-private-key-storage.hpp"
+#include "../ndn-cpp/security/policy/no-verify-policy-manager.hpp"
 #include "../ndn-cpp/security/key-chain.hpp"
 
 using namespace std;
 using namespace ndn;
-using namespace ptr_lib;
-using namespace func_lib;
+using namespace ndn::ptr_lib;
 
 static uint8_t DEFAULT_PUBLIC_KEY_DER[] = {
 0x30, 0x81, 0x9F, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81,
@@ -82,7 +82,7 @@
     string content(string("Echo ") + interest->getName().toUri());
     data.setContent((const uint8_t *)&content[0], content.size());
     data.getMetaInfo().setTimestampMilliseconds(time(NULL) * 1000.0);
-    keyChain_.signData(data, certificateName_);
+    keyChain_.sign(data, certificateName_);
     Blob encodedData = data.wireEncode();
 
     cout << "Sent content " << content << endl;
@@ -90,7 +90,7 @@
   }
   
   // onRegisterFailed.
-  void operator()(const ptr_lib::shared_ptr<const Name>& prefix)
+  void operator()(const shared_ptr<const Name>& prefix)
   {
     ++responseCount_;
     cout << "Register failed for prefix " << prefix->toUri() << endl;
@@ -107,8 +107,9 @@
     Face face("localhost");
         
     shared_ptr<MemoryPrivateKeyStorage> privateKeyStorage(new MemoryPrivateKeyStorage());
-    KeyChain keyChain(shared_ptr<IdentityManager>
-      (new IdentityManager(make_shared<MemoryIdentityStorage>(), privateKeyStorage)));
+    KeyChain keyChain
+      (make_shared<IdentityManager>(make_shared<MemoryIdentityStorage>(), privateKeyStorage), 
+       make_shared<NoVerifyPolicyManager>());
     keyChain.setFace(&face);
     
     // Initialize the storage.