tools: Convert ndnsec to v2::KeyChain
This commit removes the following tools:
- cert-revoke (wasn't working properly before and need a new
design)
- set-acl (wasn't working before)
- dsk-gen (no longer makes sense with the new certificate naming
conventions, new tools for creating derivative certificates will
be created later)
This commit also fixes Bug #3644 causing import command to ask for
unnecessary password confirmation.
ndnsec main now catch all exceptions logs the extended message
Change-Id: Ib50e0994970020bcf0a1840aca6bc3942818094b
Refs: #3098, #3644
diff --git a/docs/conf.py b/docs/conf.py
index dbcdd3b..7712d74 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -240,7 +240,6 @@
('manpages/ndnsec', 'ndnsec', u'NDN security tools', None, 1),
('manpages/ndnsec-cert-dump', 'ndnsec-cert-dump', 'part of NDN security tools', None, 1),
('manpages/ndnsec-cert-gen', 'ndnsec-cert-gen', 'part of NDN security tools', None, 1),
- ('manpages/ndnsec-cert-revoke', 'ndnsec-cert-revoke', 'part of NDN security tools', None, 1),
('manpages/ndnsec-cert-install', 'ndnsec-cert-instal', 'part of NDN security tools', None, 1),
('manpages/ndnsec-delete', 'ndnsec-delete', 'part of NDN security tools', None, 1),
('manpages/ndnsec-export', 'ndnsec-export', 'part of NDN security tools', None, 1),
@@ -248,7 +247,6 @@
('manpages/ndnsec-import', 'ndnsec-import', 'part of NDN security tools', None, 1),
('manpages/ndnsec-key-gen', 'ndnsec-key-gen', 'part of NDN security tools', None, 1),
('manpages/ndnsec-list', 'ndnsec-list', 'part of NDN security tools', None, 1),
- ('manpages/ndnsec-set-acl', 'ndnsec-set-acl', 'part of NDN security tools', None, 1),
('manpages/ndnsec-set-default', 'ndnsec-set-default', 'part of NDN security tools', None, 1),
('manpages/ndnsec-sign-req', 'ndnsec-sign-req', 'part of NDN security tools', None, 1),
('manpages/ndnsec-unlock-tpm', 'ndnsec-unlock-tpm', 'part of NDN security tools', None, 1),
diff --git a/docs/manpages.rst b/docs/manpages.rst
index 450d20d..67f69a3 100644
--- a/docs/manpages.rst
+++ b/docs/manpages.rst
@@ -8,20 +8,12 @@
ndnsec-get-default <manpages/ndnsec-get-default>
ndnsec-set-default <manpages/ndnsec-set-default>
ndnsec-key-gen <manpages/ndnsec-key-gen>
- ndnsec-dsk-gen <manpages/ndnsec-dsk-gen>
ndnsec-sign-req <manpages/ndnsec-sign-req>
ndnsec-cert-gen <manpages/ndnsec-cert-gen>
- ndnsec-cert-revoke <manpages/ndnsec-cert-revoke>
ndnsec-cert-install <manpages/ndnsec-cert-install>
ndnsec-cert-dump <manpages/ndnsec-cert-dump>
ndnsec-delete <manpages/ndnsec-delete>
ndnsec-export <manpages/ndnsec-export>
ndnsec-import <manpages/ndnsec-import>
ndnsec-unlock-tpm <manpages/ndnsec-unlock-tpm>
- ndnsec-set-acl <manpages/ndnsec-set-acl>
:maxdepth: 1
-
-..
- manpages/ndnsec-op-tool
- manpages/ndnsec-set-acl
- manpages/ndnsec-sig-verify
diff --git a/docs/manpages/ndnsec-cert-dump.rst b/docs/manpages/ndnsec-cert-dump.rst
index 9daf52c..0a66d9b 100644
--- a/docs/manpages/ndnsec-cert-dump.rst
+++ b/docs/manpages/ndnsec-cert-dump.rst
@@ -43,14 +43,14 @@
Dump a certificate from PIB to standard output:
::
- $ ndnsec-cert-dump /ndn/test/KEY/david/ksk-1396913058196/ID-CERT/%00%00%01E%3E%9D%A0%DE
+ $ ndnsec-cert-dump /ndn/test/david/KEY/ksk-1396913058196/ID-CERT/%00%00%01E%3E%9D%A0%DE
Dump a certificate to a human-readable format:
::
- $ ndnsec-cert-dump -p /ndn/test/KEY/david/ksk-1396913058196/ID-CERT/%00%00%01E%3E%9D%A0%DE
+ $ ndnsec-cert-dump -p /ndn/test/david/KEY/ksk-1396913058196/ID-CERT/%00%00%01E%3E%9D%A0%DE
Certificate name:
- /ndn/test/KEY/david/ksk-1396913058196/ID-CERT/%00%00%01E%3E%9D%A0%DE
+ /ndn/test/david/KEY/ksk-1396913058196/ID-CERT/%00%00%01E%3E%9D%A0%DE
Validity:
NotBefore: 20140401T000000
NotAfter: 20150331T235959
diff --git a/docs/manpages/ndnsec-cert-gen.rst b/docs/manpages/ndnsec-cert-gen.rst
index 923c936..25c6427 100644
--- a/docs/manpages/ndnsec-cert-gen.rst
+++ b/docs/manpages/ndnsec-cert-gen.rst
@@ -8,7 +8,7 @@
::
- $ ndnsec-cert-gen [-h] [-S timestamp] [-E timestamp] [-N name] [-I info] [-s sign-id] [-p cert-prefix] request
+ $ ndnsec-cert-gen [-h] [-S timestamp] [-E timestamp] [-I info] [-s sign-id] [-i issuer-id] request
Description
-----------
@@ -24,7 +24,6 @@
The generated certificate will be written to standard output in base64 encoding.
-
Options
-------
@@ -34,25 +33,20 @@
``-E timestamp``
Timestamp when the certificate expires. The default value is one year from now.
-``-N name``
- Name of the certificate owner.
-
``-I info``
- Other information about the certificate owner. ``subject-info`` is a list of pairs of OID and
- corresponding value. For example, "2.5.4.10 'Some Organization' 2.5.4.3 'http://home.page/'".
+ Other information to be included in the issued certificate. For example,
+
+ ::
+
+ -I "affiliation Some Organization" -I "homepage http://home.page/"
``-s sign-id``
Signing identity. The default key/certificate of ``sign-id`` will be used to sign the requested
certificate. If this option is not specified, the system default identity will be used.
-``-p cert-prefix``
- The certificate prefix, which is the part of certificate name before ``KEY`` component.
-
- By default, the certificate prefix will be inferred from the certificate name according
- to the relation between the signing identity and the subject identity. If the signing
- identity is a prefix of the subject identity, ``KEY`` will be inserted after the
- signingIdentity, otherwise ``KEY`` is inserted after subject identity (i.e., before
- ``ksk-....``).
+``-s issuer-id``
+ Issuer's ID to be included as part of the issued certificate name. If not specified, "NA"
+ value will be used
Examples
--------
diff --git a/docs/manpages/ndnsec-cert-revoke.rst b/docs/manpages/ndnsec-cert-revoke.rst
deleted file mode 100644
index 5136fe1..0000000
--- a/docs/manpages/ndnsec-cert-revoke.rst
+++ /dev/null
@@ -1,36 +0,0 @@
-ndnsec-cert-revoke
-==================
-
-``ndnsec-cert-revoke`` is a tool to generate a certificate revocation data.
-
-Usage
------
-
-::
-
- $ ndnsec-cert-revoke [-h] request
-
-Description
------------
-
-This command takes an identity ertificate as input.
-The tool will check whether user is the issuer of the certificate (by checking whether user has the key pointed by the KeyLocator of the certificate).
-If so, the tool will generate an empty packet named by the certificate name appended with "REVOKED" as a revocation data.
-If user is not the issuer of the certificate, the command will return error.
-
-This tool generates a revocation Data.
-It does not actually revoke a certificate.
-How to publish and use the revocation Data is not finalized yet.
-
-Options
--------
-
-``request``
- request is file name of the certificate to revoke (``-`` for standard input)
-
-Examples
---------
-
-::
-
- $ ndnsec-cert-revoke some-cert-to-revoke.ndncert
diff --git a/docs/manpages/ndnsec-dsk-gen.rst b/docs/manpages/ndnsec-dsk-gen.rst
deleted file mode 100644
index 1b87669..0000000
--- a/docs/manpages/ndnsec-dsk-gen.rst
+++ /dev/null
@@ -1,43 +0,0 @@
-ndnsec-dsk-gen
-==============
-
-``ndnsec-dsk-gen`` is tool to generate a pair of Data-Signing-Key (DSK) for the specified ``identity``
-and sign the generated key using the corresponding Key-Signing-Key (KSK).
-The generated DSK will be set as the default key of the identity.
-
-Usage
------
-
-::
-
- $ ndnsec-dsk-gen [-h] [-t keyType] identity
-
-Description
------------
-
-``ndnsec-dsk-gen`` creates a pair of Data-Signing-Key (DSK) for the specified ``identity``
-and sign the generated key using the corresponding Key-Signing-Key (KSK).
-The tool will first check the default KSK of the identity, and then generate a DSK
-and sign the DSK using the KSK.
-The information encoded in the DSK certificate is set the same as the KSK certificate.
-In the end, the DSK is set as the default key of the identity.
-
-Options
--------
-
-``-t keyType``
- Specify the key type, ``r`` (default) for RSA and ``e`` for ECDSA.
-
-Examples
---------
-
-::
-
- $ ndnsec-dsk-gen /ndn/test
- OK: dsk certificate with name [/ndn/test/KEY/dsk-1417501749768/ID-CERT/%FD%00%00%01J%09%B02%8B] has been successfully installed
- $ ndnsec-list -c
- * /ndn/test
- +->* /ndn/test/dsk-1417501749768
- +->* /ndn/test/KEY/dsk-1417501749768/ID-CERT/%FD%00%00%01J%09%B02%8B
- +-> /ndn/test/ksk-1417475325879
- +->* /ndn/test/KEY/ksk-1417475325879/ID-CERT/%FD%00%00%01J%09%AE.Y
diff --git a/docs/manpages/ndnsec-key-gen.rst b/docs/manpages/ndnsec-key-gen.rst
index d340128..253073b 100644
--- a/docs/manpages/ndnsec-key-gen.rst
+++ b/docs/manpages/ndnsec-key-gen.rst
@@ -25,8 +25,8 @@
``-n``
Do not set the identity as the system default identity.
-``-d``
- Generate Data-Signing-Key (DSK) instead of the default Key-Signing-Key (KSK).
+ Note that if it is the first identity/key/certificate, then it will be
+ set as default regardless of ``-n`` flag.
``-t keyType``
Specify the key type. ``r`` (default) for RSA key. ``e`` for ECDSA key.
diff --git a/docs/manpages/ndnsec-set-acl.rst b/docs/manpages/ndnsec-set-acl.rst
deleted file mode 100644
index 23eb1a3..0000000
--- a/docs/manpages/ndnsec-set-acl.rst
+++ /dev/null
@@ -1,26 +0,0 @@
-ndnsec-set-acl
-==============
-
-``ndnsec-set-acl`` is a tool to add an application into access control list of an private key.
-
-Usage
------
-
-::
-
- $ ndnsec-set-acl [-h] keyName appPath
-
-Description
------------
-
-``ndnsec-set-acl`` will add the application pointed by ``appPath`` into the ACL of a key with name
-``keyName``.
-
-Examples
---------
-
-Add an application into a key's ACL:
-
-::
-
- $ ndnsec-set-acl /ndn/test/alice/ksk-1394129695025 /test/app/path