security: Add a wrapper for export/import information.
Change-Id: I5c226b44573cafdbe8ab7cf1dfe2324f0bc96d54
diff --git a/src/security/key-chain.hpp b/src/security/key-chain.hpp
index a083259..e1fcb79 100644
--- a/src/security/key-chain.hpp
+++ b/src/security/key-chain.hpp
@@ -12,8 +12,8 @@
#include "identity-certificate.hpp"
#include "public-key.hpp"
#include "signature-sha256-with-rsa.hpp"
+#include "secured-bag.hpp"
#include "../interest.hpp"
-#include "../encoding/tlv-security.hpp"
#include "../util/random.hpp"
//PublicInfo
@@ -456,10 +456,10 @@
*
* @param identity The identity to export.
* @param passwordStr The password to secure the private key.
- * @param The encoded export data.
+ * @return The encoded export data.
* @throws InfoError if anything goes wrong in exporting.
*/
- Block
+ shared_ptr<SecuredBag>
exportIdentity(const Name& identity, const std::string& passwordStr)
{
if (!Info::doesIdentityExist(identity))
@@ -476,8 +476,6 @@
{
throw InfoError("Fail to export PKCS8 of private key");
}
- Block wireKey(tlv::security::KeyPackage, pkcs8);
-
shared_ptr<IdentityCertificate> cert;
try
@@ -489,52 +487,35 @@
cert = selfSign(keyName);
Info::addCertificateAsIdentityDefault(*cert);
}
- Block wireCert(tlv::security::CertificatePackage, cert->wireEncode());
- Block wire(tlv::security::IdentityPackage);
- wire.push_back(wireCert);
- wire.push_back(wireKey);
+ shared_ptr<SecuredBag> secureBag = make_shared<SecuredBag>(boost::cref(*cert), boost::cref(pkcs8));
- return wire;
+ return secureBag;
}
/**
* @brief import an identity.
*
- * @param The encoded import data.
+ * @param securedBag The encoded import data.
* @param passwordStr The password to secure the private key.
*/
void
- importIdentity(const Block& block, const std::string& passwordStr)
+ importIdentity(const SecuredBag& securedBag, const std::string& passwordStr)
{
- try
- {
- block.parse();
-
- Data data;
- data.wireDecode(block.get(tlv::security::CertificatePackage).blockFromValue());
- shared_ptr<IdentityCertificate> cert = make_shared<IdentityCertificate>(data);
-
- Name keyName = IdentityCertificate::certificateNameToPublicKeyName(cert->getName());
- Name identity = keyName.getPrefix(-1);
+ Name keyName = IdentityCertificate::certificateNameToPublicKeyName(securedBag.getCertificate().getName());
+ Name identity = keyName.getPrefix(-1);
- // Add identity
- Info::addIdentity(identity);
+ // Add identity
+ Info::addIdentity(identity);
- // Add key
- Block wireKey = block.get(tlv::security::KeyPackage);
- Tpm::importPrivateKeyPkcs8IntoTpm(keyName, wireKey.value(), wireKey.value_size(), passwordStr);
- shared_ptr<PublicKey> pubKey = Tpm::getPublicKeyFromTpm(keyName.toUri());
- Info::addPublicKey(keyName, KEY_TYPE_RSA, *pubKey); // HACK! We should set key type according to the pkcs8 info.
- Info::setDefaultKeyNameForIdentity(keyName);
+ // Add key
+ Tpm::importPrivateKeyPkcs8IntoTpm(keyName, securedBag.getKey()->buf(), securedBag.getKey()->size(), passwordStr);
+ shared_ptr<PublicKey> pubKey = Tpm::getPublicKeyFromTpm(keyName.toUri());
+ Info::addPublicKey(keyName, KEY_TYPE_RSA, *pubKey); // HACK! We should set key type according to the pkcs8 info.
+ Info::setDefaultKeyNameForIdentity(keyName);
- // Add cert
- Info::addCertificateAsIdentityDefault(*cert);
- }
- catch(Block::Error& e)
- {
- return;
- }
+ // Add cert
+ Info::addCertificateAsIdentityDefault(securedBag.getCertificate());
}
diff --git a/src/security/secured-bag.hpp b/src/security/secured-bag.hpp
new file mode 100644
index 0000000..3a8cd29
--- /dev/null
+++ b/src/security/secured-bag.hpp
@@ -0,0 +1,82 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SECURITY_SECURED_BAG_HPP
+#define NDN_SECURITY_SECURED_BAG_HPP
+
+#include "../common.hpp"
+#include "identity-certificate.hpp"
+#include "../encoding/tlv-security.hpp"
+
+namespace ndn {
+
+class SecuredBag
+{
+public:
+ struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+ SecuredBag()
+ : m_wire(tlv::security::IdentityPackage)
+ {}
+
+ SecuredBag(const IdentityCertificate& cert,
+ ConstBufferPtr key)
+ : m_cert(cert)
+ , m_key(key)
+ , m_wire(tlv::security::IdentityPackage)
+ {
+ Block wireKey(tlv::security::KeyPackage, m_key);
+ Block wireCert(tlv::security::CertificatePackage, cert.wireEncode());
+ m_wire.push_back(wireCert);
+ m_wire.push_back(wireKey);
+ }
+
+ virtual
+ ~SecuredBag()
+ {}
+
+ void
+ wireDecode(const Block &wire)
+ {
+ m_wire = wire;
+ m_wire.parse();
+
+ m_cert.wireDecode(m_wire.get(tlv::security::CertificatePackage).blockFromValue());
+
+ Block wireKey = m_wire.get(tlv::security::KeyPackage);
+ shared_ptr<Buffer> key = make_shared<Buffer>(wireKey.value(), wireKey.value_size());
+ m_key = key;
+ }
+
+ inline const Block&
+ wireEncode() const
+ {
+ m_wire.encode();
+ return m_wire;
+ }
+
+ const IdentityCertificate&
+ getCertificate() const
+ {
+ return m_cert;
+ }
+
+ ConstBufferPtr
+ getKey() const
+ {
+ return m_key;
+ }
+
+private:
+ IdentityCertificate m_cert;
+ ConstBufferPtr m_key;
+
+ mutable Block m_wire;
+};
+
+} // namespace ndn
+
+#endif //NDN_SECURITY_IDENTITY_CERTIFICATE_HPP
diff --git a/tests/security/test-keychain.cpp b/tests/security/test-keychain.cpp
index fb8ee23..3e9b4fc 100644
--- a/tests/security/test-keychain.cpp
+++ b/tests/security/test-keychain.cpp
@@ -22,7 +22,9 @@
Name identity(string("/TestKeyChain/ExportIdentity/") + boost::lexical_cast<std::string>(time::now()));
keyChain.createIdentity(identity);
- Block exported = keyChain.exportIdentity(identity, "1234");
+ shared_ptr<SecuredBag> exported = keyChain.exportIdentity(identity, "1234");
+
+ Block block = exported->wireEncode();
Name keyName = keyChain.getDefaultKeyNameForIdentity(identity);
Name certName = keyChain.getDefaultCertificateNameForKey(keyName);
@@ -35,7 +37,9 @@
BOOST_REQUIRE(keyChain.doesKeyExistInTpm(keyName, KEY_CLASS_PUBLIC) == false);
BOOST_REQUIRE(keyChain.doesCertificateExist(certName) == false);
- keyChain.importIdentity(exported, "1234");
+ SecuredBag imported;
+ imported.wireDecode(block);
+ keyChain.importIdentity(imported, "1234");
BOOST_REQUIRE(keyChain.doesIdentityExist(identity));
BOOST_REQUIRE(keyChain.doesPublicKeyExist(keyName));
diff --git a/tools/ndnsec-export.hpp b/tools/ndnsec-export.hpp
index c7753f3..ca3662f 100644
--- a/tools/ndnsec-export.hpp
+++ b/tools/ndnsec-export.hpp
@@ -19,11 +19,13 @@
std::string identityStr;
std::string output;
std::string exportPassword;
+ bool privateExport = false;
- po::options_description desc("General Usage\n ndnsec export [-h] [-o output] identity \nGeneral options");
+ po::options_description desc("General Usage\n ndnsec export [-h] [-o output] [-p] identity \nGeneral options");
desc.add_options()
("help,h", "Produce help message")
("output,o", po::value<std::string>(&output), "(Optional) output file, stdout if not specified")
+ ("private,p", "export info contains private key")
("identity,i", po::value<std::string>(&identityStr), "Identity to export")
;
@@ -48,83 +50,89 @@
return 0;
}
+ if (vm.count("private"))
+ privateExport = true;
+
if (!vm.count("output"))
output = "-";
- Block wire;
Name identity(identityStr);
-
- try
+ if(!privateExport)
{
- KeyChain keyChain;
-
- int count = 3;
- while(!getPassword(exportPassword, "Passphrase for the private key: "))
+ try
{
- count--;
- if(count <= 0)
- {
- std::cerr << "ERROR: invalid password" << std::endl;
- memset(const_cast<char*>(exportPassword.c_str()), 0, exportPassword.size());
- return 1;
- }
+ KeyChain keyChain;
+ shared_ptr<IdentityCertificate> cert = keyChain.getCertificate(keyChain.getDefaultCertificateNameForIdentity(identity));
+ if(output == "-")
+ io::save(*cert, std::cout);
+ else
+ io::save(*cert, output);
+
+ return 0;
}
- wire = keyChain.exportIdentity(identity, exportPassword);
- memset(const_cast<char*>(exportPassword.c_str()), 0, exportPassword.size());
- wire.encode();
+ catch(SecPublicInfo::Error& e)
+ {
+ std::cerr << "ERROR: " << e.what() << std::endl;
+ return 1;
+ }
+ catch(SecTpm::Error& e)
+ {
+ std::cerr << "ERROR: " << e.what() << std::endl;
+ return 1;
+ }
+ catch(io::Error& e)
+ {
+ std::cerr << "ERROR: " << e.what() << std::endl;
+ return 1;
+ }
}
- catch(Block::Error& e)
- {
- std::cerr << "ERROR: " << e.what() << std::endl;
- memset(const_cast<char*>(exportPassword.c_str()), 0, exportPassword.size());
- return 1;
- }
- catch(SecPublicInfo::Error& e)
- {
- std::cerr << "ERROR: " << e.what() << std::endl;
- memset(const_cast<char*>(exportPassword.c_str()), 0, exportPassword.size());
- return 1;
- }
- catch(SecTpm::Error& e)
- {
- std::cerr << "ERROR: " << e.what() << std::endl;
- memset(const_cast<char*>(exportPassword.c_str()), 0, exportPassword.size());
- return 1;
- }
-
- std::ostream* ofs;
- std::ostream* ffs = 0;
- if(output == "-")
- ofs = &std::cout;
else
{
- ofs = new std::ofstream(output.c_str());
- ffs = ofs;
+ Block wire;
+ try
+ {
+ KeyChain keyChain;
+
+ int count = 3;
+ while(!getPassword(exportPassword, "Passphrase for the private key: "))
+ {
+ count--;
+ if(count <= 0)
+ {
+ std::cerr << "ERROR: invalid password" << std::endl;
+ memset(const_cast<char*>(exportPassword.c_str()), 0, exportPassword.size());
+ return 1;
+ }
+ }
+ shared_ptr<SecuredBag> securedBag = keyChain.exportIdentity(identity, exportPassword);
+ memset(const_cast<char*>(exportPassword.c_str()), 0, exportPassword.size());
+
+ if(output == "-")
+ io::save(*securedBag, std::cout);
+ else
+ io::save(*securedBag, output);
+
+ return 0;
+ }
+ catch(io::Error& e)
+ {
+ std::cerr << "ERROR: " << e.what() << std::endl;
+ memset(const_cast<char*>(exportPassword.c_str()), 0, exportPassword.size());
+ return 1;
+ }
+ catch(SecPublicInfo::Error& e)
+ {
+ std::cerr << "ERROR: " << e.what() << std::endl;
+ memset(const_cast<char*>(exportPassword.c_str()), 0, exportPassword.size());
+ return 1;
+ }
+ catch(SecTpm::Error& e)
+ {
+ std::cerr << "ERROR: " << e.what() << std::endl;
+ memset(const_cast<char*>(exportPassword.c_str()), 0, exportPassword.size());
+ return 1;
+ }
}
-
- try
- {
- using namespace CryptoPP;
-
- StringSource ss(wire.wire(), wire.size(), true,
- new Base64Encoder(new FileSink(*ofs), true, 64));
- if(ffs)
- delete ffs;
- ffs = 0;
- ofs = 0;
- }
- catch(CryptoPP::Exception& e)
- {
- if(ffs)
- delete ffs;
- ffs = 0;
- ofs = 0;
-
- std::cerr << "ERROR: " << e.what() << std::endl;
- return 1;
- }
-
- return 0;
}
#endif //NDNSEC_EXPORT_HPP
diff --git a/tools/ndnsec-import.hpp b/tools/ndnsec-import.hpp
index b73e1cf..16c2f95 100644
--- a/tools/ndnsec-import.hpp
+++ b/tools/ndnsec-import.hpp
@@ -18,11 +18,13 @@
std::string input;
std::string importPassword;
+ bool privateImport = false;
- po::options_description desc("General Usage\n ndnsec import [-h] input \nGeneral options");
+ po::options_description desc("General Usage\n ndnsec import [-h] [-p] input \nGeneral options");
desc.add_options()
("help,h", "produce help message")
- ("input,i", po::value<std::string>(&input), "input source, stdin if not specified")
+ ("private,p", "import info contains private key")
+ ("input,i", po::value<std::string>(&input), "input source, stdin if -")
;
po::positional_options_description p;
@@ -46,61 +48,61 @@
return 0;
}
- if (!vm.count("input"))
- input = "-";
+ if (vm.count("private"))
+ privateImport = true;
- KeyChain keyChain;
-
- OBufferStream os;
- std::istream* ifs;
- if(input == "-")
- ifs = &std::cin;
+ if(!privateImport)
+ {
+ std::cerr << "You are trying to import certificate!\nPlease use ndnsec cert-install!" << std::endl;
+ return 1;
+ }
else
- ifs = new std::ifstream(input.c_str());
-
- {
- using namespace CryptoPP;
- FileSource ss(*ifs, true, new Base64Decoder(new FileSink(os)));
- }
-
- try
{
- Block wire(os.buf());
-
- int count = 3;
- while(!getPassword(importPassword, "Passphrase for the private key: "))
+ try
{
- count--;
- if(count <= 0)
- {
- std::cerr << "ERROR: Fail to get password" << std::endl;
- memset(const_cast<char*>(importPassword.c_str()), 0, importPassword.size());
- return 1;
- }
- }
- keyChain.importIdentity(wire, importPassword);
- memset(const_cast<char*>(importPassword.c_str()), 0, importPassword.size());
- }
- catch(Block::Error& e)
- {
- std::cerr << "ERROR: " << e.what() << std::endl;
- memset(const_cast<char*>(importPassword.c_str()), 0, importPassword.size());
- return 1;
- }
- catch(SecPublicInfo::Error& e)
- {
- std::cerr << "ERROR: " << e.what() << std::endl;
- memset(const_cast<char*>(importPassword.c_str()), 0, importPassword.size());
- return 1;
- }
- catch(SecTpm::Error& e)
- {
- std::cerr << "ERROR: " << e.what() << std::endl;
- memset(const_cast<char*>(importPassword.c_str()), 0, importPassword.size());
- return 1;
- }
+ KeyChain keyChain;
- return 0;
+ shared_ptr<SecuredBag> securedBag;
+ if(input == "-")
+ securedBag = io::load<SecuredBag>(std::cin);
+ else
+ securedBag = io::load<SecuredBag>(input);
+
+ int count = 3;
+ while(!getPassword(importPassword, "Passphrase for the private key: "))
+ {
+ count--;
+ if(count <= 0)
+ {
+ std::cerr << "ERROR: Fail to get password" << std::endl;
+ memset(const_cast<char*>(importPassword.c_str()), 0, importPassword.size());
+ return 1;
+ }
+ }
+ keyChain.importIdentity(*securedBag, importPassword);
+ memset(const_cast<char*>(importPassword.c_str()), 0, importPassword.size());
+ }
+ catch(io::Error& e)
+ {
+ std::cerr << "ERROR: " << e.what() << std::endl;
+ memset(const_cast<char*>(importPassword.c_str()), 0, importPassword.size());
+ return 1;
+ }
+ catch(SecPublicInfo::Error& e)
+ {
+ std::cerr << "ERROR: " << e.what() << std::endl;
+ memset(const_cast<char*>(importPassword.c_str()), 0, importPassword.size());
+ return 1;
+ }
+ catch(SecTpm::Error& e)
+ {
+ std::cerr << "ERROR: " << e.what() << std::endl;
+ memset(const_cast<char*>(importPassword.c_str()), 0, importPassword.size());
+ return 1;
+ }
+
+ return 0;
+ }
}
#endif //NDNSEC_IMPORT_HPP
diff --git a/tools/ndnsec-util.hpp b/tools/ndnsec-util.hpp
index 2827023..f2fc390 100644
--- a/tools/ndnsec-util.hpp
+++ b/tools/ndnsec-util.hpp
@@ -26,6 +26,7 @@
#include <cryptopp/files.h>
#include "security/key-chain.hpp"
+#include "util/io.hpp"
bool
getPassword(std::string& password, const std::string& prompt)
@@ -67,54 +68,11 @@
ndn::shared_ptr<ndn::IdentityCertificate>
getIdentityCertificate(const std::string& fileName)
{
- std::istream* ifs;
- std::istream* ffs = 0;
- if(fileName == "-")
- ifs = &std::cin;
- else
- {
- ifs = new std::ifstream(fileName.c_str());
- ffs = ifs;
- }
- ndn::OBufferStream os;
- try
- {
- CryptoPP::FileSource ss2(*ifs, true, new CryptoPP::Base64Decoder(new CryptoPP::FileSink(os)));
-
- if(ffs)
- delete ffs;
- ffs = 0;
- ifs = 0;
-
- }
- catch(const CryptoPP::Exception& e)
- {
- if(ffs)
- delete ffs;
- ffs = 0;
- ifs = 0;
-
- std::cerr << "ERROR: " << e.what() << std::endl;
- return ndn::shared_ptr<ndn::IdentityCertificate>();
- }
-
- try
- {
- ndn::shared_ptr<ndn::IdentityCertificate> identityCertificate = ndn::make_shared<ndn::IdentityCertificate>();
- identityCertificate->wireDecode(ndn::Block(os.buf()));
- return identityCertificate;
- }
- catch(const ndn::SecPublicInfo::Error& e)
- {
- std::cerr << "ERROR: " << e.what() << std::endl;
- return ndn::shared_ptr<ndn::IdentityCertificate>();
- }
- catch(const ndn::SecTpm::Error& e)
- {
- std::cerr << "ERROR: " << e.what() << std::endl;
- return ndn::shared_ptr<ndn::IdentityCertificate>();
- }
+ if(fileName == "-")
+ return ndn::io::load<ndn::IdentityCertificate>(std::cin);
+ else
+ return ndn::io::load<ndn::IdentityCertificate>(fileName);
}
#endif //NDNSEC_UTIL_HPP