security: refactoring KeyChain and related classess
1. rename IdentityStorage as SecPublicInfo and PrivateKeyStorage as SecTpm.
2. KeyChain is defined as a template of sub-classes of SecPublicInfo and SecTpm, and KeyChain inherits from these two classes rather than has objects of these two classes.
3. rename some methods of SecPublicInfo and SecTpm to clarify usage and avoid conflicts
SecPublicInfo: addKey, getKey, doesKeyExist, activateKey, deactivateKey
SecTpm: generateKeyPair, getPublicKey, generateKey
4. adjust getter/setter of KeyChain & SecPublicInfo
Change-Id: Ib67631ad1c883100b1200a1a381d837bbbdb1d37
diff --git a/include/ndn-cpp/security/identity/identity-storage.hpp b/include/ndn-cpp/security/identity/identity-storage.hpp
deleted file mode 100644
index 87d93fd..0000000
--- a/include/ndn-cpp/security/identity/identity-storage.hpp
+++ /dev/null
@@ -1,211 +0,0 @@
-/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
-/**
- * Copyright (C) 2013 Regents of the University of California.
- * @author: Yingdi Yu <yingdi@cs.ucla.edu>
- * @author: Jeff Thompson <jefft0@remap.ucla.edu>
- * See COPYING for copyright and distribution information.
- */
-
-#ifndef NDN_IDENTITY_STORAGE_HPP
-#define NDN_IDENTITY_STORAGE_HPP
-
-#include "../../name.hpp"
-#include "../security-common.hpp"
-#include "../certificate/public-key.hpp"
-
-namespace ndn {
-
-class Certificate;
-class IdentityCertificate;
-class Data;
-
-/**
- * IdentityStorage is a base class for the storage of identity, public keys and certificates.
- * Private keys are stored in PrivateKeyStorage.
- * This is an abstract base class. A subclass must implement the methods.
- */
-class IdentityStorage {
-public:
- struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
-
- /**
- * The virtual Destructor.
- */
- virtual
- ~IdentityStorage() {}
-
- /**
- * Check if the specified identity already exists.
- * @param identityName The identity name.
- * @return true if the identity exists, otherwise false.
- */
- virtual bool
- doesIdentityExist(const Name& identityName) = 0;
-
- /**
- * Add a new identity. An exception will be thrown if the identity already exists.
- * @param identityName The identity name to be added.
- */
- virtual void
- addIdentity(const Name& identityName) = 0;
-
- /**
- * Revoke the identity.
- * @return true if the identity was revoked, false if not.
- */
- virtual bool
- revokeIdentity() = 0;
-
- /**
- * Generate a name for a new key belonging to the identity.
- * @param identityName The identity name.
- * @param useKsk If true, generate a KSK name, otherwise a DSK name.
- * @return The generated key name.
- */
- Name
- getNewKeyName(const Name& identityName, bool useKsk);
-
- /**
- * Check if the specified key already exists.
- * @param keyName The name of the key.
- * @return true if the key exists, otherwise false.
- */
- virtual bool
- doesKeyExist(const Name& keyName) = 0;
-
- /**
- * Add a public key to the identity storage.
- * @param keyName The name of the public key to be added.
- * @param keyType Type of the public key to be added.
- * @param publicKeyDer A blob of the public key DER to be added.
- */
- virtual void
- addKey(const Name& keyName, KeyType keyType, const PublicKey& publicKeyDer) = 0;
-
- /**
- * Get the public key DER blob from the identity storage.
- * @param keyName The name of the requested public key.
- * @return The DER Blob. If not found, return a Blob with a null pointer.
- */
- virtual ptr_lib::shared_ptr<PublicKey>
- getKey(const Name& keyName) = 0;
-
- /**
- * Activate a key. If a key is marked as inactive, its private part will not be used in packet signing.
- * @param keyName name of the key
- */
- virtual void
- activateKey(const Name& keyName) = 0;
-
- /**
- * Deactivate a key. If a key is marked as inactive, its private part will not be used in packet signing.
- * @param keyName name of the key
- */
- virtual void
- deactivateKey(const Name& keyName) = 0;
-
- /**
- * Check if the specified certificate already exists.
- * @param certificateName The name of the certificate.
- * @return true if the certificate exists, otherwise false.
- */
- virtual bool
- doesCertificateExist(const Name& certificateName) = 0;
-
- /**
- * Add a certificate to the identity storage.
- * @param certificate The certificate to be added. This makes a copy of the certificate.
- */
- virtual void
- addCertificate(const IdentityCertificate& certificate) = 0;
-
- /**
- * Get a certificate from the identity storage.
- * @param certificateName The name of the requested certificate.
- * @param allowAny If false, only a valid certificate will be returned, otherwise validity is disregarded.
- * @return The requested certificate. If not found, return a shared_ptr with a null pointer.
- */
- virtual ptr_lib::shared_ptr<IdentityCertificate>
- getCertificate(const Name &certificateName, bool allowAny = false) = 0;
-
-
- /*****************************************
- * Get/Set Default *
- *****************************************/
-
- /**
- * Get the default identity.
- * @param return The name of default identity, or an empty name if there is no default.
- */
- virtual Name
- getDefaultIdentity() = 0;
-
- /**
- * Get the default key name for the specified identity.
- * @param identityName The identity name.
- * @return The default key name.
- */
- virtual Name
- getDefaultKeyNameForIdentity(const Name& identityName) = 0;
-
- /**
- * Get the default certificate name for the specified identity.
- * @param identityName The identity name.
- * @return The default certificate name.
- */
- Name
- getDefaultCertificateNameForIdentity(const Name& identityName);
-
- /**
- * Get the default certificate name for the specified key.
- * @param keyName The key name.
- * @return The default certificate name.
- */
- virtual Name
- getDefaultCertificateNameForKey(const Name& keyName) = 0;
-
- /**
- * Set the default identity. If the identityName does not exist, then clear the default identity
- * so that getDefaultIdentity() returns an empty name.
- * @param identityName The default identity name.
- */
- virtual void
- setDefaultIdentity(const Name& identityName) = 0;
-
- /**
- * Set the default key name for the specified identity.
- * @param keyName The key name.
- * @param identityNameCheck (optional) The identity name to check the keyName.
- */
- virtual void
- setDefaultKeyNameForIdentity(const Name& keyName, const Name& identityNameCheck = Name()) = 0;
-
- /**
- * Set the default key name for the specified identity.
- * @param keyName The key name.
- * @param certificateName The certificate name.
- */
- virtual void
- setDefaultCertificateNameForKey(const Name& keyName, const Name& certificateName) = 0;
-
-
- virtual std::vector<Name>
- getAllIdentities(bool isDefault) = 0;
-
- virtual std::vector<Name>
- getAllKeyNames(bool isDefault) = 0;
-
- virtual std::vector<Name>
- getAllKeyNamesOfIdentity(const Name& identity, bool isDefault) = 0;
-
- virtual std::vector<Name>
- getAllCertificateNames(bool isDefault) = 0;
-
- virtual std::vector<Name>
- getAllCertificateNamesOfKey(const Name& keyName, bool isDefault) = 0;
-
-};
-
-}
-
-#endif
diff --git a/include/ndn-cpp/security/identity/sec-public-info.hpp b/include/ndn-cpp/security/identity/sec-public-info.hpp
new file mode 100644
index 0000000..3a46310
--- /dev/null
+++ b/include/ndn-cpp/security/identity/sec-public-info.hpp
@@ -0,0 +1,362 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_PUBLIC_INFO_HPP
+#define NDN_SEC_PUBLIC_INFO_HPP
+
+#include "../../name.hpp"
+#include "../security-common.hpp"
+#include "../certificate/public-key.hpp"
+#include "../certificate/identity-certificate.hpp"
+
+namespace ndn {
+
+/**
+ * SecPublicInfo is a base class for the storage of identity, public keys and certificates.
+ * Private keys are stored in SecTpm.
+ * This is an abstract base class. A subclass must implement the methods.
+ */
+class SecPublicInfo {
+public:
+ struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+ /**
+ * The virtual Destructor.
+ */
+ virtual
+ ~SecPublicInfo() {}
+
+ /**
+ * Check if the specified identity already exists.
+ * @param identityName The identity name.
+ * @return true if the identity exists, otherwise false.
+ */
+ virtual bool
+ doesIdentityExist(const Name& identityName) = 0;
+
+ /**
+ * Add a new identity. An exception will be thrown if the identity already exists.
+ * @param identityName The identity name to be added.
+ */
+ virtual void
+ addIdentity(const Name& identityName) = 0;
+
+ /**
+ * Revoke the identity.
+ * @return true if the identity was revoked, false if not.
+ */
+ virtual bool
+ revokeIdentity() = 0;
+
+ /**
+ * Check if the specified key already exists.
+ * @param keyName The name of the key.
+ * @return true if the key exists, otherwise false.
+ */
+ virtual bool
+ doesPublicKeyExist(const Name& keyName) = 0;
+
+ /**
+ * Add a public key to the identity storage.
+ * @param keyName The name of the public key to be added.
+ * @param keyType Type of the public key to be added.
+ * @param publicKeyDer A blob of the public key DER to be added.
+ */
+ virtual void
+ addPublicKey(const Name& keyName, KeyType keyType, const PublicKey& publicKeyDer) = 0;
+
+ /**
+ * Get the public key DER blob from the identity storage.
+ * @param keyName The name of the requested public key.
+ * @return The DER Blob. If not found, return a Blob with a null pointer.
+ */
+ virtual ptr_lib::shared_ptr<PublicKey>
+ getPublicKey(const Name& keyName) = 0;
+
+ /**
+ * Activate a key. If a key is marked as inactive, its private part will not be used in packet signing.
+ * @param keyName name of the key
+ */
+ virtual void
+ activatePublicKey(const Name& keyName) = 0;
+
+ /**
+ * Deactivate a key. If a key is marked as inactive, its private part will not be used in packet signing.
+ * @param keyName name of the key
+ */
+ virtual void
+ deactivatePublicKey(const Name& keyName) = 0;
+
+ /**
+ * Check if the specified certificate already exists.
+ * @param certificateName The name of the certificate.
+ * @return true if the certificate exists, otherwise false.
+ */
+ virtual bool
+ doesCertificateExist(const Name& certificateName) = 0;
+
+ /**
+ * Add a certificate to the identity storage.
+ * @param certificate The certificate to be added. This makes a copy of the certificate.
+ */
+ virtual void
+ addCertificate(const IdentityCertificate& certificate) = 0;
+
+ /**
+ * Get a certificate from the identity storage.
+ * @param certificateName The name of the requested certificate.
+ * @param allowAny If false, only a valid certificate will be returned, otherwise validity is disregarded.
+ * @return The requested certificate. If not found, return a shared_ptr with a null pointer.
+ */
+ virtual ptr_lib::shared_ptr<IdentityCertificate>
+ getCertificate(const Name &certificateName, bool allowAny = false) = 0;
+
+
+ /*****************************************
+ * Default Getter *
+ *****************************************/
+
+ /**
+ * Get the default identity.
+ * @param return The name of default identity, or an empty name if there is no default.
+ */
+ virtual Name
+ getDefaultIdentity() = 0;
+
+ /**
+ * Get the default key name for the specified identity.
+ * @param identityName The identity name.
+ * @return The default key name.
+ */
+ virtual Name
+ getDefaultKeyNameForIdentity(const Name& identityName) = 0;
+
+ /**
+ * Get the default certificate name for the specified key.
+ * @param keyName The key name.
+ * @return The default certificate name.
+ */
+ virtual Name
+ getDefaultCertificateNameForKey(const Name& keyName) = 0;
+
+ virtual std::vector<Name>
+ getAllIdentities(bool isDefault) = 0;
+
+ virtual std::vector<Name>
+ getAllKeyNames(bool isDefault) = 0;
+
+ virtual std::vector<Name>
+ getAllKeyNamesOfIdentity(const Name& identity, bool isDefault) = 0;
+
+ virtual std::vector<Name>
+ getAllCertificateNames(bool isDefault) = 0;
+
+ virtual std::vector<Name>
+ getAllCertificateNamesOfKey(const Name& keyName, bool isDefault) = 0;
+
+protected:
+
+ /*****************************************
+ * Default Setter *
+ *****************************************/
+
+ /**
+ * Set the default identity. If the identityName does not exist, then clear the default identity
+ * so that getDefaultIdentity() returns an empty name.
+ * @param identityName The default identity name.
+ */
+ virtual void
+ setDefaultIdentityInternal(const Name& identityName) = 0;
+
+ /**
+ * Set the default key name for the corresponding identity.
+ * @param keyName The key name.
+ */
+ virtual void
+ setDefaultKeyNameForIdentityInternal(const Name& keyName) = 0;
+
+ /**
+ * Set the default certificate name for the corresponding key.
+ * @param certificateName The certificate name.
+ */
+ virtual void
+ setDefaultCertificateNameForKeyInternal(const Name& certificateName) = 0;
+
+public:
+
+ /*****************************************
+ * Helper Methods *
+ *****************************************/
+
+ /**
+ * Set the default identity. If the identityName does not exist, then clear the default identity
+ * so that getDefaultIdentity() returns an empty name.
+ * @param identityName The default identity name.
+ */
+ inline void
+ setDefaultIdentity(const Name& identityName);
+
+ /**
+ * Set the default key name for the corresponding identity.
+ * @param keyName The key name.
+ */
+ inline void
+ setDefaultKeyNameForIdentity(const Name& keyName);
+
+ /**
+ * Set the default certificate name for the corresponding key.
+ * @param certificateName The certificate name.
+ */
+ inline void
+ setDefaultCertificateNameForKey(const Name& certificateName);
+
+ /**
+ * Generate a name for a new key belonging to the identity.
+ * @param identityName The identity name.
+ * @param useKsk If true, generate a KSK name, otherwise a DSK name.
+ * @return The generated key name.
+ */
+ inline Name
+ getNewKeyName(const Name& identityName, bool useKsk);
+
+ /**
+ * Get the default certificate name for the specified identity.
+ * @param identityName The identity name.
+ * @return The default certificate name.
+ */
+ inline Name
+ getDefaultCertificateNameForIdentity(const Name& identityName);
+
+ /**
+ * Get the default certificate name of the default identity, which will be used when signing is based on identity and
+ * the identity is not specified.
+ * @return The requested certificate name.
+ */
+ inline Name
+ getDefaultCertificateName();
+
+ /**
+ * Add a certificate and set the certificate as the default of its corresponding key.
+ * @param certificate The certificate to be added. This makes a copy of the certificate.
+ */
+ inline void
+ addCertificateAsKeyDefault(const IdentityCertificate& certificate);
+
+ /**
+ * Add a certificate into the public key identity storage and set the certificate as the default for its corresponding identity.
+ * @param certificate The certificate to be added. This makes a copy of the certificate.
+ */
+ inline void
+ addCertificateAsIdentityDefault(const IdentityCertificate& certificate);
+
+ inline ptr_lib::shared_ptr<IdentityCertificate>
+ defaultCertificate();
+
+ inline void
+ refreshDefaultCertificate();
+
+protected:
+ ptr_lib::shared_ptr<IdentityCertificate> defaultCertificate_;
+
+};
+
+void
+SecPublicInfo::setDefaultIdentity(const Name& identityName)
+{
+ setDefaultIdentityInternal(identityName);
+ refreshDefaultCertificate();
+}
+
+void
+SecPublicInfo::setDefaultKeyNameForIdentity(const Name& keyName)
+{
+ setDefaultKeyNameForIdentityInternal(keyName);
+ refreshDefaultCertificate();
+}
+
+void
+SecPublicInfo::setDefaultCertificateNameForKey(const Name& certificateName)
+{
+ setDefaultCertificateNameForKeyInternal(certificateName);
+ refreshDefaultCertificate();
+}
+
+Name
+SecPublicInfo::getDefaultCertificateNameForIdentity(const Name& identityName)
+{
+ return getDefaultCertificateNameForKey(getDefaultKeyNameForIdentity(identityName));
+}
+
+Name
+SecPublicInfo::getNewKeyName (const Name& identityName, bool useKsk)
+{
+ MillisecondsSince1970 ti = getNow();
+ // Get the number of seconds.
+ std::ostringstream oss;
+ oss << floor(ti / 1000.0);
+
+ std::string keyIdStr;
+
+ if (useKsk)
+ keyIdStr = ("KSK-" + oss.str());
+ else
+ keyIdStr = ("DSK-" + oss.str());
+
+ Name keyName = Name(identityName).append(keyIdStr);
+
+ if (doesPublicKeyExist(keyName))
+ throw Error("Key name already exists");
+
+ return keyName;
+}
+
+Name
+SecPublicInfo::getDefaultCertificateName()
+{
+ if(!static_cast<bool>(defaultCertificate_))
+ refreshDefaultCertificate();
+
+ if(!static_cast<bool>(defaultCertificate_))
+ return Name();
+
+ return defaultCertificate_->getName();
+}
+
+void
+SecPublicInfo::addCertificateAsKeyDefault(const IdentityCertificate& certificate)
+{
+ addCertificate(certificate);
+ setDefaultCertificateNameForKeyInternal(certificate.getName());
+ refreshDefaultCertificate();
+}
+
+void
+SecPublicInfo::addCertificateAsIdentityDefault(const IdentityCertificate& certificate)
+{
+ addCertificate(certificate);
+ setDefaultKeyNameForIdentityInternal(certificate.getPublicKeyName());
+ setDefaultCertificateNameForKeyInternal(certificate.getName());
+ refreshDefaultCertificate();
+}
+
+ptr_lib::shared_ptr<IdentityCertificate>
+SecPublicInfo::defaultCertificate()
+{
+ return defaultCertificate_;
+}
+
+void
+SecPublicInfo::refreshDefaultCertificate()
+{
+ defaultCertificate_ = getCertificate(getDefaultCertificateNameForIdentity(getDefaultIdentity()));
+}
+
+
+}
+
+#endif
diff --git a/include/ndn-cpp/security/identity/private-key-storage.hpp b/include/ndn-cpp/security/identity/sec-tpm.hpp
similarity index 79%
rename from include/ndn-cpp/security/identity/private-key-storage.hpp
rename to include/ndn-cpp/security/identity/sec-tpm.hpp
index 5446484..9452f9f 100644
--- a/include/ndn-cpp/security/identity/private-key-storage.hpp
+++ b/include/ndn-cpp/security/identity/sec-tpm.hpp
@@ -6,19 +6,18 @@
* See COPYING for copyright and distribution information.
*/
-#ifndef NDN_PRIVATE_KEY_STORAGE_HPP
-#define NDN_PRIVATE_KEY_STORAGE_HPP
+#ifndef NDN_SEC_TPM_HPP
+#define NDN_SEC_TPM_HPP
#include <string>
#include "../security-common.hpp"
#include "../../name.hpp"
#include "../../data.hpp"
+#include "../certificate/public-key.hpp"
namespace ndn {
-class PublicKey;
-
-class PrivateKeyStorage {
+class SecTpm {
public:
struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
@@ -26,7 +25,7 @@
* The virtual destructor.
*/
virtual
- ~PrivateKeyStorage() {}
+ ~SecTpm() {}
/**
* Generate a pair of asymmetric keys.
@@ -35,7 +34,7 @@
* @param keySize The size of the key pair.
*/
virtual void
- generateKeyPair(const Name& keyName, KeyType keyType = KEY_TYPE_RSA, int keySize = 2048) = 0;
+ generateKeyPairInTpm(const Name& keyName, KeyType keyType, int keySize) = 0;
/**
* Get the public key
@@ -43,7 +42,7 @@
* @return The public key.
*/
virtual ptr_lib::shared_ptr<PublicKey>
- getPublicKey(const Name& keyName) = 0;
+ getPublicKeyFromTpm(const Name& keyName) = 0;
/**
* Fetch the private key for keyName and sign the data, returning a signature Blob.
@@ -54,12 +53,10 @@
* @return The signature, or a null pointer if signing fails.
*/
virtual Block
- sign(const uint8_t *data, size_t dataLength,
- const Name& keyName, DigestAlgorithm digestAlgorithm = DIGEST_ALGORITHM_SHA256) = 0;
+ sign(const uint8_t *data, size_t dataLength, const Name& keyName, DigestAlgorithm digestAlgorithm) = 0;
virtual void
- sign(Data &data,
- const Name& keyName, DigestAlgorithm digestAlgorithm = DIGEST_ALGORITHM_SHA256) = 0;
+ sign(Data &data, const Name& keyName, DigestAlgorithm digestAlgorithm) = 0;
/**
* Decrypt data.
@@ -70,7 +67,7 @@
* @return The decrypted data.
*/
virtual ConstBufferPtr
- decrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric = false) = 0;
+ decrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric) = 0;
/**
* Encrypt data.
@@ -81,7 +78,7 @@
* @return The encrypted data.
*/
virtual ConstBufferPtr
- encrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric = false) = 0;
+ encrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric) = 0;
/**
* @brief Generate a symmetric key.
@@ -90,7 +87,7 @@
* @param keySize The size of the key.
*/
virtual void
- generateKey(const Name& keyName, KeyType keyType = KEY_TYPE_AES, int keySize = 256) = 0;
+ generateSymmetricKey(const Name& keyName, KeyType keyType, int keySize) = 0;
/**
* Check if a particular key exists.