security: refactoring KeyChain and related classess
1. rename IdentityStorage as SecPublicInfo and PrivateKeyStorage as SecTpm.
2. KeyChain is defined as a template of sub-classes of SecPublicInfo and SecTpm, and KeyChain inherits from these two classes rather than has objects of these two classes.
3. rename some methods of SecPublicInfo and SecTpm to clarify usage and avoid conflicts
SecPublicInfo: addKey, getKey, doesKeyExist, activateKey, deactivateKey
SecTpm: generateKeyPair, getPublicKey, generateKey
4. adjust getter/setter of KeyChain & SecPublicInfo
Change-Id: Ib67631ad1c883100b1200a1a381d837bbbdb1d37
diff --git a/include/ndn-cpp/security/identity/identity-storage.hpp b/include/ndn-cpp/security/identity/identity-storage.hpp
deleted file mode 100644
index 87d93fd..0000000
--- a/include/ndn-cpp/security/identity/identity-storage.hpp
+++ /dev/null
@@ -1,211 +0,0 @@
-/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
-/**
- * Copyright (C) 2013 Regents of the University of California.
- * @author: Yingdi Yu <yingdi@cs.ucla.edu>
- * @author: Jeff Thompson <jefft0@remap.ucla.edu>
- * See COPYING for copyright and distribution information.
- */
-
-#ifndef NDN_IDENTITY_STORAGE_HPP
-#define NDN_IDENTITY_STORAGE_HPP
-
-#include "../../name.hpp"
-#include "../security-common.hpp"
-#include "../certificate/public-key.hpp"
-
-namespace ndn {
-
-class Certificate;
-class IdentityCertificate;
-class Data;
-
-/**
- * IdentityStorage is a base class for the storage of identity, public keys and certificates.
- * Private keys are stored in PrivateKeyStorage.
- * This is an abstract base class. A subclass must implement the methods.
- */
-class IdentityStorage {
-public:
- struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
-
- /**
- * The virtual Destructor.
- */
- virtual
- ~IdentityStorage() {}
-
- /**
- * Check if the specified identity already exists.
- * @param identityName The identity name.
- * @return true if the identity exists, otherwise false.
- */
- virtual bool
- doesIdentityExist(const Name& identityName) = 0;
-
- /**
- * Add a new identity. An exception will be thrown if the identity already exists.
- * @param identityName The identity name to be added.
- */
- virtual void
- addIdentity(const Name& identityName) = 0;
-
- /**
- * Revoke the identity.
- * @return true if the identity was revoked, false if not.
- */
- virtual bool
- revokeIdentity() = 0;
-
- /**
- * Generate a name for a new key belonging to the identity.
- * @param identityName The identity name.
- * @param useKsk If true, generate a KSK name, otherwise a DSK name.
- * @return The generated key name.
- */
- Name
- getNewKeyName(const Name& identityName, bool useKsk);
-
- /**
- * Check if the specified key already exists.
- * @param keyName The name of the key.
- * @return true if the key exists, otherwise false.
- */
- virtual bool
- doesKeyExist(const Name& keyName) = 0;
-
- /**
- * Add a public key to the identity storage.
- * @param keyName The name of the public key to be added.
- * @param keyType Type of the public key to be added.
- * @param publicKeyDer A blob of the public key DER to be added.
- */
- virtual void
- addKey(const Name& keyName, KeyType keyType, const PublicKey& publicKeyDer) = 0;
-
- /**
- * Get the public key DER blob from the identity storage.
- * @param keyName The name of the requested public key.
- * @return The DER Blob. If not found, return a Blob with a null pointer.
- */
- virtual ptr_lib::shared_ptr<PublicKey>
- getKey(const Name& keyName) = 0;
-
- /**
- * Activate a key. If a key is marked as inactive, its private part will not be used in packet signing.
- * @param keyName name of the key
- */
- virtual void
- activateKey(const Name& keyName) = 0;
-
- /**
- * Deactivate a key. If a key is marked as inactive, its private part will not be used in packet signing.
- * @param keyName name of the key
- */
- virtual void
- deactivateKey(const Name& keyName) = 0;
-
- /**
- * Check if the specified certificate already exists.
- * @param certificateName The name of the certificate.
- * @return true if the certificate exists, otherwise false.
- */
- virtual bool
- doesCertificateExist(const Name& certificateName) = 0;
-
- /**
- * Add a certificate to the identity storage.
- * @param certificate The certificate to be added. This makes a copy of the certificate.
- */
- virtual void
- addCertificate(const IdentityCertificate& certificate) = 0;
-
- /**
- * Get a certificate from the identity storage.
- * @param certificateName The name of the requested certificate.
- * @param allowAny If false, only a valid certificate will be returned, otherwise validity is disregarded.
- * @return The requested certificate. If not found, return a shared_ptr with a null pointer.
- */
- virtual ptr_lib::shared_ptr<IdentityCertificate>
- getCertificate(const Name &certificateName, bool allowAny = false) = 0;
-
-
- /*****************************************
- * Get/Set Default *
- *****************************************/
-
- /**
- * Get the default identity.
- * @param return The name of default identity, or an empty name if there is no default.
- */
- virtual Name
- getDefaultIdentity() = 0;
-
- /**
- * Get the default key name for the specified identity.
- * @param identityName The identity name.
- * @return The default key name.
- */
- virtual Name
- getDefaultKeyNameForIdentity(const Name& identityName) = 0;
-
- /**
- * Get the default certificate name for the specified identity.
- * @param identityName The identity name.
- * @return The default certificate name.
- */
- Name
- getDefaultCertificateNameForIdentity(const Name& identityName);
-
- /**
- * Get the default certificate name for the specified key.
- * @param keyName The key name.
- * @return The default certificate name.
- */
- virtual Name
- getDefaultCertificateNameForKey(const Name& keyName) = 0;
-
- /**
- * Set the default identity. If the identityName does not exist, then clear the default identity
- * so that getDefaultIdentity() returns an empty name.
- * @param identityName The default identity name.
- */
- virtual void
- setDefaultIdentity(const Name& identityName) = 0;
-
- /**
- * Set the default key name for the specified identity.
- * @param keyName The key name.
- * @param identityNameCheck (optional) The identity name to check the keyName.
- */
- virtual void
- setDefaultKeyNameForIdentity(const Name& keyName, const Name& identityNameCheck = Name()) = 0;
-
- /**
- * Set the default key name for the specified identity.
- * @param keyName The key name.
- * @param certificateName The certificate name.
- */
- virtual void
- setDefaultCertificateNameForKey(const Name& keyName, const Name& certificateName) = 0;
-
-
- virtual std::vector<Name>
- getAllIdentities(bool isDefault) = 0;
-
- virtual std::vector<Name>
- getAllKeyNames(bool isDefault) = 0;
-
- virtual std::vector<Name>
- getAllKeyNamesOfIdentity(const Name& identity, bool isDefault) = 0;
-
- virtual std::vector<Name>
- getAllCertificateNames(bool isDefault) = 0;
-
- virtual std::vector<Name>
- getAllCertificateNamesOfKey(const Name& keyName, bool isDefault) = 0;
-
-};
-
-}
-
-#endif
diff --git a/include/ndn-cpp/security/identity/sec-public-info.hpp b/include/ndn-cpp/security/identity/sec-public-info.hpp
new file mode 100644
index 0000000..3a46310
--- /dev/null
+++ b/include/ndn-cpp/security/identity/sec-public-info.hpp
@@ -0,0 +1,362 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_PUBLIC_INFO_HPP
+#define NDN_SEC_PUBLIC_INFO_HPP
+
+#include "../../name.hpp"
+#include "../security-common.hpp"
+#include "../certificate/public-key.hpp"
+#include "../certificate/identity-certificate.hpp"
+
+namespace ndn {
+
+/**
+ * SecPublicInfo is a base class for the storage of identity, public keys and certificates.
+ * Private keys are stored in SecTpm.
+ * This is an abstract base class. A subclass must implement the methods.
+ */
+class SecPublicInfo {
+public:
+ struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+ /**
+ * The virtual Destructor.
+ */
+ virtual
+ ~SecPublicInfo() {}
+
+ /**
+ * Check if the specified identity already exists.
+ * @param identityName The identity name.
+ * @return true if the identity exists, otherwise false.
+ */
+ virtual bool
+ doesIdentityExist(const Name& identityName) = 0;
+
+ /**
+ * Add a new identity. An exception will be thrown if the identity already exists.
+ * @param identityName The identity name to be added.
+ */
+ virtual void
+ addIdentity(const Name& identityName) = 0;
+
+ /**
+ * Revoke the identity.
+ * @return true if the identity was revoked, false if not.
+ */
+ virtual bool
+ revokeIdentity() = 0;
+
+ /**
+ * Check if the specified key already exists.
+ * @param keyName The name of the key.
+ * @return true if the key exists, otherwise false.
+ */
+ virtual bool
+ doesPublicKeyExist(const Name& keyName) = 0;
+
+ /**
+ * Add a public key to the identity storage.
+ * @param keyName The name of the public key to be added.
+ * @param keyType Type of the public key to be added.
+ * @param publicKeyDer A blob of the public key DER to be added.
+ */
+ virtual void
+ addPublicKey(const Name& keyName, KeyType keyType, const PublicKey& publicKeyDer) = 0;
+
+ /**
+ * Get the public key DER blob from the identity storage.
+ * @param keyName The name of the requested public key.
+ * @return The DER Blob. If not found, return a Blob with a null pointer.
+ */
+ virtual ptr_lib::shared_ptr<PublicKey>
+ getPublicKey(const Name& keyName) = 0;
+
+ /**
+ * Activate a key. If a key is marked as inactive, its private part will not be used in packet signing.
+ * @param keyName name of the key
+ */
+ virtual void
+ activatePublicKey(const Name& keyName) = 0;
+
+ /**
+ * Deactivate a key. If a key is marked as inactive, its private part will not be used in packet signing.
+ * @param keyName name of the key
+ */
+ virtual void
+ deactivatePublicKey(const Name& keyName) = 0;
+
+ /**
+ * Check if the specified certificate already exists.
+ * @param certificateName The name of the certificate.
+ * @return true if the certificate exists, otherwise false.
+ */
+ virtual bool
+ doesCertificateExist(const Name& certificateName) = 0;
+
+ /**
+ * Add a certificate to the identity storage.
+ * @param certificate The certificate to be added. This makes a copy of the certificate.
+ */
+ virtual void
+ addCertificate(const IdentityCertificate& certificate) = 0;
+
+ /**
+ * Get a certificate from the identity storage.
+ * @param certificateName The name of the requested certificate.
+ * @param allowAny If false, only a valid certificate will be returned, otherwise validity is disregarded.
+ * @return The requested certificate. If not found, return a shared_ptr with a null pointer.
+ */
+ virtual ptr_lib::shared_ptr<IdentityCertificate>
+ getCertificate(const Name &certificateName, bool allowAny = false) = 0;
+
+
+ /*****************************************
+ * Default Getter *
+ *****************************************/
+
+ /**
+ * Get the default identity.
+ * @param return The name of default identity, or an empty name if there is no default.
+ */
+ virtual Name
+ getDefaultIdentity() = 0;
+
+ /**
+ * Get the default key name for the specified identity.
+ * @param identityName The identity name.
+ * @return The default key name.
+ */
+ virtual Name
+ getDefaultKeyNameForIdentity(const Name& identityName) = 0;
+
+ /**
+ * Get the default certificate name for the specified key.
+ * @param keyName The key name.
+ * @return The default certificate name.
+ */
+ virtual Name
+ getDefaultCertificateNameForKey(const Name& keyName) = 0;
+
+ virtual std::vector<Name>
+ getAllIdentities(bool isDefault) = 0;
+
+ virtual std::vector<Name>
+ getAllKeyNames(bool isDefault) = 0;
+
+ virtual std::vector<Name>
+ getAllKeyNamesOfIdentity(const Name& identity, bool isDefault) = 0;
+
+ virtual std::vector<Name>
+ getAllCertificateNames(bool isDefault) = 0;
+
+ virtual std::vector<Name>
+ getAllCertificateNamesOfKey(const Name& keyName, bool isDefault) = 0;
+
+protected:
+
+ /*****************************************
+ * Default Setter *
+ *****************************************/
+
+ /**
+ * Set the default identity. If the identityName does not exist, then clear the default identity
+ * so that getDefaultIdentity() returns an empty name.
+ * @param identityName The default identity name.
+ */
+ virtual void
+ setDefaultIdentityInternal(const Name& identityName) = 0;
+
+ /**
+ * Set the default key name for the corresponding identity.
+ * @param keyName The key name.
+ */
+ virtual void
+ setDefaultKeyNameForIdentityInternal(const Name& keyName) = 0;
+
+ /**
+ * Set the default certificate name for the corresponding key.
+ * @param certificateName The certificate name.
+ */
+ virtual void
+ setDefaultCertificateNameForKeyInternal(const Name& certificateName) = 0;
+
+public:
+
+ /*****************************************
+ * Helper Methods *
+ *****************************************/
+
+ /**
+ * Set the default identity. If the identityName does not exist, then clear the default identity
+ * so that getDefaultIdentity() returns an empty name.
+ * @param identityName The default identity name.
+ */
+ inline void
+ setDefaultIdentity(const Name& identityName);
+
+ /**
+ * Set the default key name for the corresponding identity.
+ * @param keyName The key name.
+ */
+ inline void
+ setDefaultKeyNameForIdentity(const Name& keyName);
+
+ /**
+ * Set the default certificate name for the corresponding key.
+ * @param certificateName The certificate name.
+ */
+ inline void
+ setDefaultCertificateNameForKey(const Name& certificateName);
+
+ /**
+ * Generate a name for a new key belonging to the identity.
+ * @param identityName The identity name.
+ * @param useKsk If true, generate a KSK name, otherwise a DSK name.
+ * @return The generated key name.
+ */
+ inline Name
+ getNewKeyName(const Name& identityName, bool useKsk);
+
+ /**
+ * Get the default certificate name for the specified identity.
+ * @param identityName The identity name.
+ * @return The default certificate name.
+ */
+ inline Name
+ getDefaultCertificateNameForIdentity(const Name& identityName);
+
+ /**
+ * Get the default certificate name of the default identity, which will be used when signing is based on identity and
+ * the identity is not specified.
+ * @return The requested certificate name.
+ */
+ inline Name
+ getDefaultCertificateName();
+
+ /**
+ * Add a certificate and set the certificate as the default of its corresponding key.
+ * @param certificate The certificate to be added. This makes a copy of the certificate.
+ */
+ inline void
+ addCertificateAsKeyDefault(const IdentityCertificate& certificate);
+
+ /**
+ * Add a certificate into the public key identity storage and set the certificate as the default for its corresponding identity.
+ * @param certificate The certificate to be added. This makes a copy of the certificate.
+ */
+ inline void
+ addCertificateAsIdentityDefault(const IdentityCertificate& certificate);
+
+ inline ptr_lib::shared_ptr<IdentityCertificate>
+ defaultCertificate();
+
+ inline void
+ refreshDefaultCertificate();
+
+protected:
+ ptr_lib::shared_ptr<IdentityCertificate> defaultCertificate_;
+
+};
+
+void
+SecPublicInfo::setDefaultIdentity(const Name& identityName)
+{
+ setDefaultIdentityInternal(identityName);
+ refreshDefaultCertificate();
+}
+
+void
+SecPublicInfo::setDefaultKeyNameForIdentity(const Name& keyName)
+{
+ setDefaultKeyNameForIdentityInternal(keyName);
+ refreshDefaultCertificate();
+}
+
+void
+SecPublicInfo::setDefaultCertificateNameForKey(const Name& certificateName)
+{
+ setDefaultCertificateNameForKeyInternal(certificateName);
+ refreshDefaultCertificate();
+}
+
+Name
+SecPublicInfo::getDefaultCertificateNameForIdentity(const Name& identityName)
+{
+ return getDefaultCertificateNameForKey(getDefaultKeyNameForIdentity(identityName));
+}
+
+Name
+SecPublicInfo::getNewKeyName (const Name& identityName, bool useKsk)
+{
+ MillisecondsSince1970 ti = getNow();
+ // Get the number of seconds.
+ std::ostringstream oss;
+ oss << floor(ti / 1000.0);
+
+ std::string keyIdStr;
+
+ if (useKsk)
+ keyIdStr = ("KSK-" + oss.str());
+ else
+ keyIdStr = ("DSK-" + oss.str());
+
+ Name keyName = Name(identityName).append(keyIdStr);
+
+ if (doesPublicKeyExist(keyName))
+ throw Error("Key name already exists");
+
+ return keyName;
+}
+
+Name
+SecPublicInfo::getDefaultCertificateName()
+{
+ if(!static_cast<bool>(defaultCertificate_))
+ refreshDefaultCertificate();
+
+ if(!static_cast<bool>(defaultCertificate_))
+ return Name();
+
+ return defaultCertificate_->getName();
+}
+
+void
+SecPublicInfo::addCertificateAsKeyDefault(const IdentityCertificate& certificate)
+{
+ addCertificate(certificate);
+ setDefaultCertificateNameForKeyInternal(certificate.getName());
+ refreshDefaultCertificate();
+}
+
+void
+SecPublicInfo::addCertificateAsIdentityDefault(const IdentityCertificate& certificate)
+{
+ addCertificate(certificate);
+ setDefaultKeyNameForIdentityInternal(certificate.getPublicKeyName());
+ setDefaultCertificateNameForKeyInternal(certificate.getName());
+ refreshDefaultCertificate();
+}
+
+ptr_lib::shared_ptr<IdentityCertificate>
+SecPublicInfo::defaultCertificate()
+{
+ return defaultCertificate_;
+}
+
+void
+SecPublicInfo::refreshDefaultCertificate()
+{
+ defaultCertificate_ = getCertificate(getDefaultCertificateNameForIdentity(getDefaultIdentity()));
+}
+
+
+}
+
+#endif
diff --git a/include/ndn-cpp/security/identity/private-key-storage.hpp b/include/ndn-cpp/security/identity/sec-tpm.hpp
similarity index 79%
rename from include/ndn-cpp/security/identity/private-key-storage.hpp
rename to include/ndn-cpp/security/identity/sec-tpm.hpp
index 5446484..9452f9f 100644
--- a/include/ndn-cpp/security/identity/private-key-storage.hpp
+++ b/include/ndn-cpp/security/identity/sec-tpm.hpp
@@ -6,19 +6,18 @@
* See COPYING for copyright and distribution information.
*/
-#ifndef NDN_PRIVATE_KEY_STORAGE_HPP
-#define NDN_PRIVATE_KEY_STORAGE_HPP
+#ifndef NDN_SEC_TPM_HPP
+#define NDN_SEC_TPM_HPP
#include <string>
#include "../security-common.hpp"
#include "../../name.hpp"
#include "../../data.hpp"
+#include "../certificate/public-key.hpp"
namespace ndn {
-class PublicKey;
-
-class PrivateKeyStorage {
+class SecTpm {
public:
struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
@@ -26,7 +25,7 @@
* The virtual destructor.
*/
virtual
- ~PrivateKeyStorage() {}
+ ~SecTpm() {}
/**
* Generate a pair of asymmetric keys.
@@ -35,7 +34,7 @@
* @param keySize The size of the key pair.
*/
virtual void
- generateKeyPair(const Name& keyName, KeyType keyType = KEY_TYPE_RSA, int keySize = 2048) = 0;
+ generateKeyPairInTpm(const Name& keyName, KeyType keyType, int keySize) = 0;
/**
* Get the public key
@@ -43,7 +42,7 @@
* @return The public key.
*/
virtual ptr_lib::shared_ptr<PublicKey>
- getPublicKey(const Name& keyName) = 0;
+ getPublicKeyFromTpm(const Name& keyName) = 0;
/**
* Fetch the private key for keyName and sign the data, returning a signature Blob.
@@ -54,12 +53,10 @@
* @return The signature, or a null pointer if signing fails.
*/
virtual Block
- sign(const uint8_t *data, size_t dataLength,
- const Name& keyName, DigestAlgorithm digestAlgorithm = DIGEST_ALGORITHM_SHA256) = 0;
+ sign(const uint8_t *data, size_t dataLength, const Name& keyName, DigestAlgorithm digestAlgorithm) = 0;
virtual void
- sign(Data &data,
- const Name& keyName, DigestAlgorithm digestAlgorithm = DIGEST_ALGORITHM_SHA256) = 0;
+ sign(Data &data, const Name& keyName, DigestAlgorithm digestAlgorithm) = 0;
/**
* Decrypt data.
@@ -70,7 +67,7 @@
* @return The decrypted data.
*/
virtual ConstBufferPtr
- decrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric = false) = 0;
+ decrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric) = 0;
/**
* Encrypt data.
@@ -81,7 +78,7 @@
* @return The encrypted data.
*/
virtual ConstBufferPtr
- encrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric = false) = 0;
+ encrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric) = 0;
/**
* @brief Generate a symmetric key.
@@ -90,7 +87,7 @@
* @param keySize The size of the key.
*/
virtual void
- generateKey(const Name& keyName, KeyType keyType = KEY_TYPE_AES, int keySize = 256) = 0;
+ generateSymmetricKey(const Name& keyName, KeyType keyType, int keySize) = 0;
/**
* Check if a particular key exists.
diff --git a/include/ndn-cpp/security/key-chain.hpp b/include/ndn-cpp/security/key-chain.hpp
index 5f9854e..c4efe3c 100644
--- a/include/ndn-cpp/security/key-chain.hpp
+++ b/include/ndn-cpp/security/key-chain.hpp
@@ -11,8 +11,12 @@
#include "certificate/identity-certificate.hpp"
#include "certificate/public-key.hpp"
-#include "identity/identity-storage.hpp"
-#include "identity/private-key-storage.hpp"
+#include "signature/signature-sha256-with-rsa.hpp"
+
+#include "identity/sec-public-info-sqlite3.hpp"
+#include "identity/sec-public-info-memory.hpp"
+#include "identity/sec-tpm-osx.hpp"
+#include "identity/sec-tpm-memory.hpp"
namespace ndn {
@@ -22,25 +26,11 @@
*
* The KeyChain class provides a set of interfaces of identity management and private key related operations.
*/
-class KeyChain {
+template<class Info, class Tpm>
+class KeyChainImpl : public Info, public Tpm
+{
public:
- struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
-
- KeyChain(const ptr_lib::shared_ptr<IdentityStorage> &identityStorage = DefaultIdentityStorage,
- const ptr_lib::shared_ptr<PrivateKeyStorage> &privateKeyStorage = DefaultPrivateKeyStorage);
-
- inline IdentityStorage&
- info();
-
- inline const IdentityStorage&
- info() const;
-
- inline PrivateKeyStorage&
- tpm();
-
- inline const PrivateKeyStorage&
- tpm() const;
-
+ // struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
/**
* Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed certificate of the KSK.
@@ -48,7 +38,22 @@
* @return The key name of the auto-generated KSK of the identity.
*/
Name
- createIdentity(const Name& identityName);
+ createIdentity(const Name& identityName)
+ {
+ if (!Info::doesIdentityExist(identityName)) {
+ Info::addIdentity(identityName);
+
+ Name keyName = generateRSAKeyPairAsDefault(identityName, true);
+
+ ptr_lib::shared_ptr<IdentityCertificate> selfCert = selfSign(keyName);
+
+ Info::addCertificateAsDefault(*selfCert);
+
+ return keyName;
+ }
+ else
+ return Name();
+ }
/**
* Generate a pair of RSA keys for the specified identity.
@@ -58,18 +63,9 @@
* @return The generated key name.
*/
Name
- generateRSAKeyPair(const Name& identityName, bool isKsk = false, int keySize = 2048);
-
- /**
- * Set a key as the default key of an identity.
- * @param keyName The name of the key.
- * @param identityName the name of the identity. If not specified, the identity name is inferred from the keyName.
- */
- void
- setDefaultKeyForIdentity(const Name& keyName, const Name& identityName = Name())
+ generateRSAKeyPair(const Name& identityName, bool isKsk = false, int keySize = 2048)
{
- info().setDefaultKeyNameForIdentity(keyName, identityName);
- defaultCertificate_.reset();
+ return generateKeyPair(identityName, isKsk, KEY_TYPE_RSA, keySize);
}
/**
@@ -80,7 +76,16 @@
* @return The generated key name.
*/
Name
- generateRSAKeyPairAsDefault(const Name& identityName, bool isKsk = false, int keySize = 2048);
+ generateRSAKeyPairAsDefault(const Name& identityName, bool isKsk = false, int keySize = 2048)
+ {
+ Name keyName = generateKeyPair(identityName, isKsk, KEY_TYPE_RSA, keySize);
+
+ Info::setDefaultKeyNameForIdentity(keyName);
+
+ Info::refreshDefaultCertificate();
+
+ return keyName;
+ }
/**
* Create an identity certificate for a public key managed by this IdentityManager.
@@ -95,7 +100,25 @@
(const Name& certificatePrefix,
const Name& signerCertificateName,
const MillisecondsSince1970& notBefore,
- const MillisecondsSince1970& notAfter);
+ const MillisecondsSince1970& notAfter)
+ {
+ Name keyName = getKeyNameFromCertificatePrefix(certificatePrefix);
+
+ ptr_lib::shared_ptr<PublicKey> pubKey = Info::getPublicKey(keyName);
+ if (!pubKey)
+ throw std::runtime_error("Requested public key [" + keyName.toUri() + "] doesn't exist");
+
+ ptr_lib::shared_ptr<IdentityCertificate> certificate =
+ createIdentityCertificate(certificatePrefix,
+ *pubKey,
+ signerCertificateName,
+ notBefore, notAfter);
+
+ Info::addCertificate(*certificate);
+
+ return certificate;
+ }
+
/**
* Create an identity certificate for a public key supplied by the caller.
@@ -109,45 +132,42 @@
ptr_lib::shared_ptr<IdentityCertificate>
createIdentityCertificate
(const Name& certificatePrefix,
- const PublicKey& publickey,
+ const PublicKey& publicKey,
const Name& signerCertificateName,
const MillisecondsSince1970& notBefore,
- const MillisecondsSince1970& notAfter);
-
- /**
- * Set the certificate as the default for its corresponding key.
- * @param certificateName The certificate.
- */
- void
- setDefaultCertificateForKey(const IdentityCertificate& certificate);
-
- /**
- * Add a certificate into the public key identity storage and set the certificate as the default for its corresponding identity.
- * @param certificate The certificate to be added. This makes a copy of the certificate.
- */
- void
- addCertificateAsIdentityDefault(const IdentityCertificate& certificate);
-
- /**
- * Add a certificate into the public key identity storage and set the certificate as the default of its corresponding key.
- * @param certificate The certificate to be added. This makes a copy of the certificate.
- */
- void
- addCertificateAsDefault(const IdentityCertificate& certificate);
-
- /**
- * Get the default certificate name of the default identity, which will be used when signing is based on identity and
- * the identity is not specified.
- * @return The requested certificate name.
- */
- Name
- getDefaultCertificateName()
+ const MillisecondsSince1970& notAfter)
{
- return info().getDefaultCertificateNameForIdentity(info().getDefaultIdentity());
+ ptr_lib::shared_ptr<IdentityCertificate> certificate (new IdentityCertificate());
+ Name keyName = getKeyNameFromCertificatePrefix(certificatePrefix);
+
+ Name certificateName = certificatePrefix;
+ certificateName.append("ID-CERT").appendVersion();
+
+ certificate->setName(certificateName);
+ certificate->setNotBefore(notBefore);
+ certificate->setNotAfter(notAfter);
+ certificate->setPublicKeyInfo(publicKey);
+ certificate->addSubjectDescription(CertificateSubjectDescription("2.5.4.41", keyName.toUri()));
+ certificate->encode();
+
+ sign(*certificate, signerCertificateName);
+
+ return certificate;
}
void
- sign(Data &data);
+ sign(Data &data)
+ {
+ if (!Info::defaultCertificate())
+ {
+ Info::refreshDefaultCertificate();
+
+ if(!Info::defaultCertificate())
+ throw std::runtime_error("Default IdentityCertificate cannot be determined");
+ }
+
+ sign(data, *Info::defaultCertificate());
+ }
/**
* Wire encode the Data object, sign it and set its signature.
@@ -155,10 +175,30 @@
* @param certificateName The certificate name of the key to use for signing. If omitted, infer the signing identity from the data packet name.
*/
void
- sign(Data& data, const Name& certificateName);
+ sign(Data& data, const Name& certificateName)
+ {
+ ptr_lib::shared_ptr<IdentityCertificate> cert = Info::getCertificate(certificateName);
+ if (!cert)
+ throw std::runtime_error("Requested certificate [" + certificateName.toUri() + "] doesn't exist");
+
+ SignatureSha256WithRsa signature;
+ signature.setKeyLocator(certificateName.getPrefix(-1)); // implicit conversion should take care
+ data.setSignature(signature);
+
+ // For temporary usage, we support RSA + SHA256 only, but will support more.
+ Tpm::sign(data, cert->getPublicKeyName(), DIGEST_ALGORITHM_SHA256);
+ }
void
- sign(Data& data, const IdentityCertificate& certificate);
+ sign(Data& data, const IdentityCertificate& certificate)
+ {
+ SignatureSha256WithRsa signature;
+ signature.setKeyLocator(certificate.getName().getPrefix(-1));
+ data.setSignature(signature);
+
+ // For temporary usage, we support RSA + SHA256 only, but will support more.
+ Tpm::sign(data, certificate.getPublicKeyName(), DIGEST_ALGORITHM_SHA256);
+ }
/**
* Sign the byte array using a certificate name and return a Signature object.
@@ -168,7 +208,19 @@
* @return The Signature.
*/
Signature
- sign(const uint8_t* buffer, size_t bufferLength, const Name& certificateName);
+ sign(const uint8_t* buffer, size_t bufferLength, const Name& certificateName)
+ {
+ ptr_lib::shared_ptr<IdentityCertificate> cert = Info::getCertificate(certificateName);
+ if (!cert)
+ throw std::runtime_error("Requested certificate [" + certificateName.toUri() + "] doesn't exist");
+
+ SignatureSha256WithRsa signature;
+ signature.setKeyLocator(certificateName.getPrefix(-1)); // implicit conversion should take care
+
+ // For temporary usage, we support RSA + SHA256 only, but will support more.
+ signature.setValue(Tpm::sign(buffer, bufferLength, cert->getPublicKeyName(), DIGEST_ALGORITHM_SHA256));
+ return signature;
+ }
/**
* Wire encode the Data object, sign it and set its signature.
@@ -176,7 +228,15 @@
* @param identityName The identity name for the key to use for signing. If omitted, infer the signing identity from the data packet name.
*/
void
- signByIdentity(Data& data, const Name& identityName = Name());
+ signByIdentity(Data& data, const Name& identityName = Name())
+ {
+ Name signingCertificateName = Info::getDefaultCertificateNameForIdentity(identityName);
+
+ if (signingCertificateName.getComponentCount() == 0)
+ throw std::runtime_error("No qualified certificate name found!");
+
+ sign(data, signingCertificateName);
+ }
/**
* Sign the byte array using an identity name and return a Signature object.
@@ -186,7 +246,15 @@
* @return The Signature.
*/
Signature
- signByIdentity(const uint8_t* buffer, size_t bufferLength, const Name& identityName = Name());
+ signByIdentity(const uint8_t* buffer, size_t bufferLength, const Name& identityName = Name())
+ {
+ Name signingCertificateName = Info::getDefaultCertificateNameForIdentity(identityName);
+
+ if (signingCertificateName.size() == 0)
+ throw std::runtime_error("No qualified certificate name found!");
+
+ return sign(buffer, bufferLength, signingCertificateName);
+ }
/**
* Generate a self-signed certificate for a public key.
@@ -194,13 +262,42 @@
* @return The generated certificate.
*/
ptr_lib::shared_ptr<IdentityCertificate>
- selfSign(const Name& keyName);
+ selfSign(const Name& keyName)
+ {
+ ptr_lib::shared_ptr<IdentityCertificate> certificate = ptr_lib::make_shared<IdentityCertificate>();
+
+ Name certificateName = keyName.getPrefix(-1);
+ certificateName.append("KEY").append(keyName.get(-1)).append("ID-CERT").appendVersion();
+
+ ptr_lib::shared_ptr<PublicKey> pubKey = Info::getPublicKey(keyName);
+ if (!pubKey)
+ throw std::runtime_error("Requested public key [" + keyName.toUri() + "] doesn't exist");
+
+ certificate->setName(certificateName);
+ certificate->setNotBefore(getNow());
+ certificate->setNotAfter(getNow() + 630720000 /* 20 years*/);
+ certificate->setPublicKeyInfo(*pubKey);
+ certificate->addSubjectDescription(CertificateSubjectDescription("2.5.4.41", keyName.toUri()));
+ certificate->encode();
+
+ selfSign(*certificate);
+ return certificate;
+ }
/**
* @brief Self-sign the supplied identity certificate
*/
void
- selfSign (IdentityCertificate& cert);
+ selfSign (IdentityCertificate& cert)
+ {
+ SignatureSha256WithRsa signature;
+ signature.setKeyLocator(cert.getName().getPrefix(-1)); // implicit conversion should take care
+ cert.setSignature(signature);
+
+ // For temporary usage, we support RSA + SHA256 only, but will support more.
+ Tpm::sign(cert, cert.getPublicKeyName(), DIGEST_ALGORITHM_SHA256);
+ }
+
private:
/**
@@ -212,58 +309,57 @@
* @return The name of the generated key.
*/
Name
- generateKeyPair(const Name& identityName, bool isKsk = false, KeyType keyType = KEY_TYPE_RSA, int keySize = 2048);
+ generateKeyPair(const Name& identityName, bool isKsk = false, KeyType keyType = KEY_TYPE_RSA, int keySize = 2048)
+ {
+ Name keyName = Info::getNewKeyName(identityName, isKsk);
+
+ Tpm::generateKeyPairInTpm(keyName.toUri(), keyType, keySize);
+
+ ptr_lib::shared_ptr<PublicKey> pubKey = Tpm::getPublicKeyFromTpm(keyName.toUri());
+ Tpm::addPublicKey(keyName, keyType, *pubKey);
+
+ return keyName;
+ }
static Name
- getKeyNameFromCertificatePrefix(const Name& certificatePrefix);
+ getKeyNameFromCertificatePrefix(const Name& certificatePrefix)
+ {
+ Name result;
-public:
- static const ptr_lib::shared_ptr<IdentityStorage> DefaultIdentityStorage;
- static const ptr_lib::shared_ptr<PrivateKeyStorage> DefaultPrivateKeyStorage;
+ std::string keyString("KEY");
+ int i = 0;
+ for(; i < certificatePrefix.size(); i++) {
+ if (certificatePrefix.get(i).toEscapedString() == keyString)
+ break;
+ }
-private:
- ptr_lib::shared_ptr<IdentityStorage> publicInfoStorage_;
- ptr_lib::shared_ptr<PrivateKeyStorage> privateKeyStorage_;
+ if (i >= certificatePrefix.size())
+ throw std::runtime_error("Identity Certificate Prefix does not have a KEY component");
- ptr_lib::shared_ptr<IdentityCertificate> defaultCertificate_;
+ result.append(certificatePrefix.getSubName(0, i));
+ result.append(certificatePrefix.getSubName(i + 1, certificatePrefix.size()-i-1));
+
+ return result;
+ }
+
};
+}
-inline IdentityStorage&
-KeyChain::info()
+#ifdef NDN_CPP_HAVE_OSX_SECURITY
+
+namespace ndn
{
- if (!publicInfoStorage_)
- throw Error("IdentityStorage is not assigned to IdentityManager");
+typedef KeyChainImpl<SecPublicInfoSqlite3, SecTpmOsx> KeyChain;
+};
- return *publicInfoStorage_;
-}
+#else
-inline const IdentityStorage&
-KeyChain::info() const
+namespace ndn
{
- if (!publicInfoStorage_)
- throw Error("IdentityStorage is not assigned to IdentityManager");
-
- return *publicInfoStorage_;
-}
+typedef KeyChainImpl<SecPublicInfoMemory, SecTpmMemory> KeyChain;
+};
-inline PrivateKeyStorage&
-KeyChain::tpm()
-{
- if (!privateKeyStorage_)
- throw Error("PrivateKeyStorage is not assigned to IdentityManager");
-
- return *privateKeyStorage_;
-}
-
-inline const PrivateKeyStorage&
-KeyChain::tpm() const
-{
- if (!privateKeyStorage_)
- throw Error("PrivateKeyStorage is not assigned to IdentityManager");
- return *privateKeyStorage_;
-}
-
-}
+#endif //NDN_CPP_HAVE_OSX_SECURITY
#endif