security: Checkpoint after requiring signData to supply the certificateName.
diff --git a/ndn-cpp/security/identity/identity-manager.cpp b/ndn-cpp/security/identity/identity-manager.cpp
index 0378c5f..a5adfc3 100644
--- a/ndn-cpp/security/identity/identity-manager.cpp
+++ b/ndn-cpp/security/identity/identity-manager.cpp
@@ -5,38 +5,20 @@
* See COPYING for copyright and distribution information.
*/
-#if 1
-#include "../../c/util/crypto.h"
-#endif
#include "../../sha256-with-rsa-signature.hpp"
#include "identity-manager.hpp"
-namespace ndn {
+using namespace std;
+using namespace ndn::ptr_lib;
-#if 1
-static unsigned char DEFAULT_PUBLIC_KEY_DER[] = {
-0x30, 0x81, 0x9F, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81,
-0x8D, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xE1, 0x7D, 0x30, 0xA7, 0xD8, 0x28, 0xAB, 0x1B, 0x84, 0x0B, 0x17,
-0x54, 0x2D, 0xCA, 0xF6, 0x20, 0x7A, 0xFD, 0x22, 0x1E, 0x08, 0x6B, 0x2A, 0x60, 0xD1, 0x6C, 0xB7, 0xF5, 0x44, 0x48, 0xBA,
-0x9F, 0x3F, 0x08, 0xBC, 0xD0, 0x99, 0xDB, 0x21, 0xDD, 0x16, 0x2A, 0x77, 0x9E, 0x61, 0xAA, 0x89, 0xEE, 0xE5, 0x54, 0xD3,
-0xA4, 0x7D, 0xE2, 0x30, 0xBC, 0x7A, 0xC5, 0x90, 0xD5, 0x24, 0x06, 0x7C, 0x38, 0x98, 0xBB, 0xA6, 0xF5, 0xDC, 0x43, 0x60,
-0xB8, 0x45, 0xED, 0xA4, 0x8C, 0xBD, 0x9C, 0xF1, 0x26, 0xA7, 0x23, 0x44, 0x5F, 0x0E, 0x19, 0x52, 0xD7, 0x32, 0x5A, 0x75,
-0xFA, 0xF5, 0x56, 0x14, 0x4F, 0x9A, 0x98, 0xAF, 0x71, 0x86, 0xB0, 0x27, 0x86, 0x85, 0xB8, 0xE2, 0xC0, 0x8B, 0xEA, 0x87,
-0x17, 0x1B, 0x4D, 0xEE, 0x58, 0x5C, 0x18, 0x28, 0x29, 0x5B, 0x53, 0x95, 0xEB, 0x4A, 0x17, 0x77, 0x9F, 0x02, 0x03, 0x01,
-0x00, 01
-};
-#endif
+namespace ndn {
void
IdentityManager::signByCertificate(Data &data, const Name &certificateName, WireFormat& wireFormat)
{
-#if 0
- Name keyName = m_publicStorage->getKeyNameForCertificate(certName);
-
- Ptr<Publickey> publickey = m_privateStorage->getPublickey (keyName.toUri());
-#else
- Name keyName;
-#endif
+ Name keyName = identityStorage_->getKeyNameForCertificate(certificateName);
+
+ shared_ptr<PublicKey> publicKey = privateKeyStorage_->getPublicKey(keyName);
// For temporary usage, we support RSA + SHA256 only, but will support more.
data.setSignature(Sha256WithRsaSignature());
@@ -46,24 +28,16 @@
signature->getKeyLocator().setType(ndn_KeyLocatorType_KEYNAME);
signature->getKeyLocator().setKeyName(certificateName);
- signature->getKeyLocator().setKeyNameType(ndn_KeyNameType_PUBLISHER_CERTIFICATE_DIGEST);
-#if 0
- signature->getKeyLocator().setKeyData(certificateDigest);
-#endif
+ // Omit the certificate digest.
+ signature->getKeyLocator().setKeyNameType((ndn_KeyNameType)-1);
// Ignore witness and leave the digestAlgorithm as the default.
-#if 0
- signature->getPublisherPublicKeyDigest().setPublisherKeyDigest (*publickey->getDigest ());
-#else
- unsigned char publicKeyDigest[SHA256_DIGEST_LENGTH];
- ndn_digestSha256(DEFAULT_PUBLIC_KEY_DER, sizeof(DEFAULT_PUBLIC_KEY_DER), publicKeyDigest);
- signature->getPublisherPublicKeyDigest().setPublisherPublicKeyDigest(publicKeyDigest, sizeof(publicKeyDigest));
-#endif
+ signature->getPublisherPublicKeyDigest().setPublisherPublicKeyDigest(publicKey->getDigest());
// Encode once to get the signed portion.
SignedBlob encoding = data.wireEncode(wireFormat);
signature->setSignature
- (privateKeyStorage_->sign(encoding.signedBuf(), encoding.signedSize(), keyName.toUri(), digestAlgorithm));
+ (privateKeyStorage_->sign(encoding.signedBuf(), encoding.signedSize(), keyName, digestAlgorithm));
// Encode again to include the signature.
data.wireEncode(wireFormat);
diff --git a/ndn-cpp/security/identity/identity-manager.hpp b/ndn-cpp/security/identity/identity-manager.hpp
index 2db82b1..fee8b99 100644
--- a/ndn-cpp/security/identity/identity-manager.hpp
+++ b/ndn-cpp/security/identity/identity-manager.hpp
@@ -9,6 +9,7 @@
#define NDN_IDENTITY_MANAGER_HPP
#include "../../data.hpp"
+#include "identity-storage.hpp"
#include "private-key-storage.hpp"
namespace ndn {
@@ -18,11 +19,163 @@
*/
class IdentityManager {
public:
- IdentityManager(const ptr_lib::shared_ptr<PrivateKeyStorage> &privateKeyStorage)
- : privateKeyStorage_(privateKeyStorage)
+ IdentityManager(const ptr_lib::shared_ptr<IdentityStorage>& identityStorage, const ptr_lib::shared_ptr<PrivateKeyStorage>& privateKeyStorage)
+ : identityStorage_(identityStorage), privateKeyStorage_(privateKeyStorage)
{
}
+#if 0
+ /**
+ * Create identity, by default it will create a pair of Key-Signing-Key(KSK) for this identity and a self-signed certificate of the KSK
+ * @param identityName the name of the identity
+ * @return the key name of the auto-generated KSK of the identity
+ */
+ Name
+ createIdentity(const Name& identityName);
+#endif
+
+ /**
+ * Get the default identity.
+ * @return The default identity name.
+ */
+ Name
+ getDefaultIdentity()
+ {
+ return identityStorage_->getDefaultIdentity();
+ }
+
+#if 0
+ /**
+ * Generate a pair of RSA keys for the specified identity
+ * @param identityName the name of the identity
+ * @param ksk create a KSK or not, true for KSK, false for DSK
+ * @param keySize the size of the key
+ * @return the generated key name
+ */
+ Name
+ generateRSAKeyPair(const Name& identityName, bool ksk = false, int keySize = 2048);
+
+ /**
+ * Set a key as the default key of an identity
+ * @param keyName the name of the key
+ * @param identityName the name of the identity, if not specified the identity name can be inferred from the keyName
+ */
+ void
+ setDefaultKeyForIdentity(const Name& keyName, const Name& identityName = Name());
+
+ /**
+ * Generate a pair of RSA keys for the specified identity and set it as default key of the identity
+ * @param identityName the name of the identity
+ * @param ksk create a KSK or not, true for KSK, false for DSK
+ * @param keySize the size of the key
+ * @return the generated key name
+ */
+ Name
+ generateRSAKeyPairAsDefault(const Name& identityName, bool ksk = false, int keySize = 2048);
+
+ /**
+ * Get public key with the specified name
+ * @param keyName name of the key
+ * @return the public key
+ */
+ Ptr<Publickey>
+ getPublickey(const Name& keyName);
+
+ /**
+ * Add a certificate into the public storage
+ * @param certificate the certificate to to added
+ */
+ void
+ addCertificate(Ptr<Certificate> certificate);
+
+ /**
+ * Set the certificate as the default of its corresponding key
+ * @param certificateName name of the certificate
+ */
+ void
+ setDefaultCertificateForKey(const Name& certificateName);
+
+ /**
+ * Add a certificate into the public storage and set the certificate as the default of its corresponding identity
+ * @param certificate the certificate to be added
+ */
+ void
+ addCertificateAsIdentityDefault(const Certificate& certificate);
+
+ /**
+ * Add a certificate into the public storage and set the certificate as the default of its corresponding key
+ * certificate the certificate to be added
+ */
+ void
+ addCertificateAsDefault(const Certificate& certificate);
+
+ /**
+ * Get a certificate with the specified name
+ * @param certificateName name of the requested certificate
+ * @return the requested certificate
+ */
+ Ptr<Certificate>
+ getCertificate(const Name& certificateName);
+
+ /**
+ * Get a certificate even if the certificate is not valid anymore
+ * @param certificateName name of the requested certificate
+ * @return the requested certificate
+ */
+ Ptr<Certificate>
+ getAnyCertificate(const Name& certificateName);
+#endif
+
+ /**
+ * Get the default certificate name for the specified identity, which will be used when signing is performed based on identity.
+ * @param identityName The name of the specified identity.
+ * @return The requested certificate name.
+ */
+ Name
+ getDefaultCertificateNameForIdentity(const Name& identityName)
+ {
+ return identityStorage_->getDefaultCertificateNameForIdentity(identityName);
+ }
+
+ /**
+ * Get the default certificate name of the default identity, which will be used when signing is based on identity and
+ * the identity is not specified.
+ * @return The requested certificate name.
+ */
+ Name
+ getDefaultCertificateName()
+ {
+ return identityStorage_->getDefaultCertificateNameForIdentity(getDefaultIdentity());
+ }
+
+#if 0
+ /**
+ * Sign blob based on identity
+ * @param blob the blob to be signed
+ * @param identityName the signing identity name
+ * @return the generated signature
+ */
+ Ptr<Signature>
+ signByIdentity(const Blob& blob, const Name& identityName);
+
+ /**
+ * Sign data based on identity
+ * @param data the data packet to be signed, on return the Signature inside the data packet will be set
+ * @param identityName the signing identity name
+ */
+ void
+ signByIdentity(Data& data, const Name& identityName);
+
+ /**
+ * sign blob based on certificate name
+ * @param blob the blob to be signed
+ * @param certificateName the signing certificate name
+ * @return the generated signature
+ */
+ Ptr<Signature>
+ signByCertificate(const Blob& blob, const Name& certificateName);
+#endif
+
/**
* Sign data packet based on the certificate name.
* Note: the caller must make sure the timestamp in data is correct, for example with
@@ -35,6 +188,7 @@
signByCertificate(Data& data, const Name& certificateName, WireFormat& wireFormat = *WireFormat::getDefaultWireFormat());
private:
+ ptr_lib::shared_ptr<IdentityStorage> identityStorage_;
ptr_lib::shared_ptr<PrivateKeyStorage> privateKeyStorage_;
};
diff --git a/ndn-cpp/security/key-chain.cpp b/ndn-cpp/security/key-chain.cpp
index 6a7d502..85df172 100644
--- a/ndn-cpp/security/key-chain.cpp
+++ b/ndn-cpp/security/key-chain.cpp
@@ -4,11 +4,12 @@
* See COPYING for copyright and distribution information.
*/
-#include <stdexcept>
#include "../c/util/crypto.h"
#include "../c/encoding/binary-xml-data.h"
#include "../encoding/binary-xml-encoder.hpp"
#include "../sha256-with-rsa-signature.hpp"
+#include "../util/logging.hpp"
+#include "security-exception.hpp"
#include "key-chain.hpp"
using namespace std;
@@ -30,6 +31,11 @@
};
#endif
+KeyChain::KeyChain(const ptr_lib::shared_ptr<IdentityStorage>& identityStorage, const ptr_lib::shared_ptr<PrivateKeyStorage>& privateKeyStorage)
+: identityManager_(identityStorage, privateKeyStorage), face_(0), maxSteps_(100)
+{
+}
+
static bool
verifySignature(const Data& data /*, const Publickey& publickey */)
{
@@ -64,13 +70,14 @@
#else
const Sha256WithRsaSignature *signature = dynamic_cast<const Sha256WithRsaSignature*>(data.getSignature());
if (!signature)
- throw std::runtime_error("signature is not Sha256WithRsaSignature.");
+ throw SecurityException("signature is not Sha256WithRsaSignature.");
if (signature->getDigestAlgorithm().size() != 0)
// TODO: Allow a non-default digest algorithm.
- throw std::runtime_error("Cannot verify a data packet with a non-default digest algorithm.");
+ throw UnrecognizedDigestAlgorithmException("Cannot verify a data packet with a non-default digest algorithm.");
if (!data.getWireEncoding())
- throw std::runtime_error("The Data wireEncoding is null.");
+ // Don't expect this to happen
+ throw SecurityException("The Data wireEncoding is null.");
unsigned char signedPortionDigest[SHA256_DIGEST_LENGTH];
ndn_digestSha256(data.getWireEncoding().signedBuf(), data.getWireEncoding().signedSize(), signedPortionDigest);
@@ -79,7 +86,7 @@
const unsigned char *derPointer = DEFAULT_PUBLIC_KEY_DER;
RSA *publicKey = d2i_RSA_PUBKEY(NULL, &derPointer, sizeof(DEFAULT_PUBLIC_KEY_DER));
if (!publicKey)
- throw std::runtime_error("Error decoding public key in d2i_RSAPublicKey");
+ throw UnrecognizedKeyFormatException("Error decoding public key in d2i_RSAPublicKey");
int success = RSA_verify
(NID_sha256, signedPortionDigest, sizeof(signedPortionDigest), (unsigned char *)signature->getSignature().buf(),
signature->getSignature().size(), publicKey);
@@ -91,36 +98,37 @@
}
void
-KeyChain::signData(Data& data, const Name& signerName, bool byKeyName, WireFormat& wireFormat)
+KeyChain::signData(Data& data, const Name& certificateNameIn, WireFormat& wireFormat)
{
- Name certificateName;
-
+ Name inferredCertificateName;
+ const Name* certificateName;
+
+ if (certificateNameIn.getComponentCount() == 0) {
#if 0
- if(signerName.getComponentCount() == 0)
- certificateName = m_identityManager->getDefaultCertificateNameByIdentity(m_policyManager->inferSigningIdentity (data.getName ()));
- else {
- if (byKeyName)
- certificateName = m_identityManager->getDefaultCertificateNameByIdentity(signerName);
- else
- certificateName = signerName;
+ inferredCertificateName = identityManager_.getDefaultCertificateNameForIdentity(policyManager_->inferSigningIdentity(data.getName ()));
+#else
+ inferredCertificateName = Name();
+#endif
+ if (inferredCertificateName.getComponentCount() == 0)
+ throw SecurityException("No qualified certificate name can be inferred");
+
+ certificateName = &inferredCertificateName;
}
-
- if (certificateName.getComponentCount() == 0)
- throw std::runtime_error("No qualified certificate name found!");
-
- if (!m_policyManager->checkSigningPolicy (data.getName (), certificateName))
- throw std::runtime_error("Signing Cert name does not comply with signing policy");
+ else
+ certificateName = &certificateNameIn;
+
+#if 0
+ if (!policyManager_->checkSigningPolicy (data.getName (), certificateName))
+ throw SecurityException("Signing Cert name does not comply with signing policy");
#endif
- identityManager_->signByCertificate(data, certificateName, wireFormat);
+ identityManager_.signByCertificate(data, *certificateName, wireFormat);
}
void
KeyChain::verifyData(const shared_ptr<Data>& data, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed)
{
-#if 0
_LOG_TRACE("Enter Verify");
-#endif
#if 0
if (m_policyManager->requireVerify(*dataPtr))
diff --git a/ndn-cpp/security/key-chain.hpp b/ndn-cpp/security/key-chain.hpp
index de85b98..d0357ef 100644
--- a/ndn-cpp/security/key-chain.hpp
+++ b/ndn-cpp/security/key-chain.hpp
@@ -31,9 +31,32 @@
*/
class KeyChain {
public:
- KeyChain(ptr_lib::shared_ptr<IdentityManager> identityManager)
- : identityManager_(identityManager), face_(0), maxSteps_(100)
- {
+ KeyChain(const ptr_lib::shared_ptr<IdentityStorage>& identityStorage, const ptr_lib::shared_ptr<PrivateKeyStorage>& privateKeyStorage);
+
+ /**
+ * Get the default certificate name for the specified identity, which will be used when signing is performed based on identity.
+ * @param identityName The name of the specified identity.
+ * @return The requested certificate name.
+ */
+ Name
+ getDefaultCertificateNameForIdentity(const Name& identityName)
+ {
+ return identityManager_.getDefaultCertificateNameForIdentity(identityName);
+ }
+
+ /**
+ * Examine the data packet Name and infer the identity name for signing the content.
+ * @param name The data packet name to examine.
+ * @return A new identity name for signing a data packet.
+ */
+ Name
+ inferSigningIdentity(const Name& name)
+ {
+#if 0
+ policyManager_->inferSigningIdentity(name)
+#else
+ return Name();
+#endif
}
/**
@@ -41,12 +64,11 @@
* Note: the caller must make sure the timestamp is correct, for example with
* data.getMetaInfo().setTimestampMilliseconds(time(NULL) * 1000.0).
* @param data The Data object to be signed. This updates its signature and key locator field and wireEncoding.
- * @param signerName The signing identity or certificate name, depending on byKeyName. If omitted, infer the certificate name from data.getName().
- * @param byKeyName If true, the signerName is the key name, otherwise it is the certificate name. If omitted, the default is true.
+ * @param certificateName The certificate name of the key to use for signing. If omitted, infer the signing identity from the data packet name.
* @param wireFormat A WireFormat object used to encode the input. If omitted, use WireFormat getDefaultWireFormat().
*/
void
- signData(Data& data, const Name& signerName = Name(), bool byKeyName = true, WireFormat& wireFormat = *WireFormat::getDefaultWireFormat());
+ signData(Data& data, const Name& certificateName = Name(), WireFormat& wireFormat = *WireFormat::getDefaultWireFormat());
/**
* Check the signature on the Data object and call either onVerify or onVerifyFailed.
@@ -66,7 +88,7 @@
setFace(Face* face) { face_ = face; }
private:
- ptr_lib::shared_ptr<IdentityManager> identityManager_;
+ IdentityManager identityManager_;
Face* face_;
const int maxSteps_;
};