security+tools: deprecate TPM unlock functionality
And remove the implementation in the tpm-osxkeychain backend
Refs: #4754
Change-Id: I6d61b7aab83aba2c9128b524e178c71de8635b75
diff --git a/docs/manpages/ndnsec-unlock-tpm.rst b/docs/manpages/ndnsec-unlock-tpm.rst
index 5e18108..858f0b6 100644
--- a/docs/manpages/ndnsec-unlock-tpm.rst
+++ b/docs/manpages/ndnsec-unlock-tpm.rst
@@ -9,5 +9,7 @@
Description
-----------
+**DEPRECATED**
+
This command can be used to (temporarily) unlock the local
**Trusted Platform Module (TPM)** that manages the private keys.
diff --git a/docs/manpages/ndnsec.rst b/docs/manpages/ndnsec.rst
index edf948a..6f2064a 100644
--- a/docs/manpages/ndnsec.rst
+++ b/docs/manpages/ndnsec.rst
@@ -56,9 +56,6 @@
:doc:`import <ndnsec-import>`
Import an identity from a SafeBag.
-:doc:`unlock-tpm <ndnsec-unlock-tpm>`
- Unlock the TPM.
-
Exit Status
-----------
diff --git a/ndn-cxx/security/tpm/back-end.cpp b/ndn-cxx/security/tpm/back-end.cpp
index d336b0b..ab374e6 100644
--- a/ndn-cxx/security/tpm/back-end.cpp
+++ b/ndn-cxx/security/tpm/back-end.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2023 Regents of the University of California.
+ * Copyright (c) 2013-2024 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -145,27 +145,4 @@
return Name(identity).append(name::Component(key.getKeyDigest(DigestAlgorithm::SHA256)));
}
-bool
-BackEnd::isTerminalMode() const
-{
- return true;
-}
-
-void
-BackEnd::setTerminalMode(bool isTerminal) const
-{
-}
-
-bool
-BackEnd::isTpmLocked() const
-{
- return false;
-}
-
-bool
-BackEnd::unlockTpm(const char* pw, size_t pwLen) const
-{
- return !isTpmLocked();
-}
-
} // namespace ndn::security::tpm
diff --git a/ndn-cxx/security/tpm/back-end.hpp b/ndn-cxx/security/tpm/back-end.hpp
index b66d267..e83580b 100644
--- a/ndn-cxx/security/tpm/back-end.hpp
+++ b/ndn-cxx/security/tpm/back-end.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2023 Regents of the University of California.
+ * Copyright (c) 2013-2024 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -116,45 +116,59 @@
/**
* @brief Check if the TPM is in terminal mode.
+ * @deprecated
*
* The default implementation always returns true.
- *
- * @return True if in terminal mode, false otherwise.
*/
+ [[deprecated]]
virtual bool
- isTerminalMode() const;
+ isTerminalMode() const
+ {
+ return true;
+ }
/**
* @brief Set the terminal mode of the TPM.
+ * @deprecated
*
* In terminal mode, the TPM will not ask for a password from the GUI.
* The default implementation does nothing.
*/
+ [[deprecated]]
virtual void
- setTerminalMode(bool isTerminal) const;
+ setTerminalMode(bool isTerminal) const
+ {
+ }
/**
* @brief Check if the TPM is locked.
+ * @deprecated
*
* The default implementation always returns false.
- *
- * @return True if locked, false otherwise.
*/
+ [[deprecated]]
virtual bool
- isTpmLocked() const;
+ isTpmLocked() const
+ {
+ return false;
+ }
/**
* @brief Unlock the TPM.
+ * @deprecated
*
- * The default implementation does nothing and returns `!isTpmLocked()`.
+ * The default implementation does nothing and always returns true.
*
* @param pw The password to unlock the TPM.
* @param pwLen The length of the password.
- *
* @return True if the TPM was unlocked.
*/
+ [[deprecated]]
[[nodiscard]] virtual bool
- unlockTpm(const char* pw, size_t pwLen) const;
+ unlockTpm(const char* pw, size_t pwLen) const
+ {
+ return true;
+ }
protected: // helper methods
/**
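Review bot: The inline default `unlockTpm()` now returns `true` unconditionally, and this commit also removes the `BackEndOsx` overrides, so on the keychain backend `isTpmLocked()` always reports false and `unlockTpm()` always reports success, whatever the real keychain state is. The doc comments should say so, e.g. `The return value no longer reflects the actual lock state of the underlying key store.`, so that callers do not read `true` as evidence that private keys are usable. The removed base definition returned `!isTpmLocked()`, so a backend that overrides only `isTpmLocked()` would now behave differently; whether such a backend exists is not visible here. The bare `[[deprecated]]` attributes and empty `@deprecated` tags, here and on the four `Tpm` methods in tpm.hpp, would help callers more with a message such as `[[deprecated("no longer has any effect")]]`. The class body starts and continues outside this hunk.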
diff --git a/ndn-cxx/security/tpm/impl/back-end-osx.cpp b/ndn-cxx/security/tpm/impl/back-end-osx.cpp
index 0567655..f94494c 100644
--- a/ndn-cxx/security/tpm/impl/back-end-osx.cpp
+++ b/ndn-cxx/security/tpm/impl/back-end-osx.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2023 Regents of the University of California.
+ * Copyright (c) 2013-2024 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -38,11 +38,9 @@
namespace cfstring = ndn::detail::cfstring;
using ndn::detail::CFReleaser;
-class BackEndOsx::Impl
+struct BackEndOsx::Impl
{
-public:
SecKeychainRef keyChainRef;
- bool isTerminalMode = false;
};
static CFReleaser<CFDataRef>
@@ -187,8 +185,6 @@
BackEndOsx::BackEndOsx(const std::string&)
: m_impl(make_unique<Impl>())
{
- SecKeychainSetUserInteractionAllowed(!m_impl->isTerminalMode);
-
OSStatus res = SecKeychainCopyDefault(&m_impl->keyChainRef);
if (res == errSecNoDefaultKeychain) {
NDN_THROW(Error("No default keychain, create one first"));
@@ -204,49 +200,6 @@
return scheme;
}
-bool
-BackEndOsx::isTerminalMode() const
-{
- return m_impl->isTerminalMode;
-}
-
-void
-BackEndOsx::setTerminalMode(bool isTerminal) const
-{
- m_impl->isTerminalMode = isTerminal;
- SecKeychainSetUserInteractionAllowed(!isTerminal);
-}
-
-bool
-BackEndOsx::isTpmLocked() const
-{
- SecKeychainStatus keychainStatus;
- OSStatus res = SecKeychainGetStatus(m_impl->keyChainRef, &keychainStatus);
- if (res != errSecSuccess)
- return true;
- else
- return (kSecUnlockStateStatus & keychainStatus) == 0;
-}
-
-bool
-BackEndOsx::unlockTpm(const char* pw, size_t pwLen) const
-{
- // If the default key chain is already unlocked, return immediately.
- if (!isTpmLocked())
- return true;
-
- if (m_impl->isTerminalMode) {
- // Use the supplied password.
- SecKeychainUnlock(m_impl->keyChainRef, pwLen, pw, true);
- }
- else {
- // If inTerminal is not set, get the password from GUI.
- SecKeychainUnlock(m_impl->keyChainRef, 0, nullptr, false);
- }
-
- return !isTpmLocked();
-}
-
ConstBufferPtr
BackEndOsx::sign(const KeyRefOsx& key, DigestAlgorithm digestAlgo, const InputBuffers& bufs)
{
diff --git a/ndn-cxx/security/tpm/impl/back-end-osx.hpp b/ndn-cxx/security/tpm/impl/back-end-osx.hpp
index 706bca4..143abb9 100644
--- a/ndn-cxx/security/tpm/impl/back-end-osx.hpp
+++ b/ndn-cxx/security/tpm/impl/back-end-osx.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2023 Regents of the University of California.
+ * Copyright (c) 2013-2024 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -51,19 +51,6 @@
static const std::string&
getScheme();
-public: // management
- bool
- isTerminalMode() const final;
-
- void
- setTerminalMode(bool isTerminal) const final;
-
- bool
- isTpmLocked() const final;
-
- bool
- unlockTpm(const char* pw, size_t pwLen) const final;
-
public: // crypto transformation
/**
* @brief Sign @p bufs with @p key using @p digestAlgorithm.
@@ -103,7 +90,7 @@
doImportKey(const Name& keyName, shared_ptr<transform::PrivateKey> key) final;
private:
- class Impl;
+ struct Impl;
const unique_ptr<Impl> m_impl;
};
diff --git a/ndn-cxx/security/tpm/tpm.cpp b/ndn-cxx/security/tpm/tpm.cpp
index 9e150de..50ab3a4 100644
--- a/ndn-cxx/security/tpm/tpm.cpp
+++ b/ndn-cxx/security/tpm/tpm.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2023 Regents of the University of California.
+ * Copyright (c) 2013-2024 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -91,6 +91,9 @@
return key ? key->decrypt(buf) : nullptr;
}
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+
bool
Tpm::isTerminalMode() const
{
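Review bot: The `-Wdeprecated-declarations` suppression opened here has no comment saying why it is needed, and it stays in force until the `#pragma GCC diagnostic pop` added in the next hunk of this file. A line such as `// the deprecated Tpm management methods below forward to the deprecated BackEnd ones` above the push would tell a maintainer that only those wrappers belong in the region; `Tpm::unlockTpm` visibly forwards that way in the next hunk, and the other three presumably do too. Any unrelated code later placed between push and pop would lose its deprecation warnings silently. `Tpm::isTerminalMode()` continues past the end of this hunk.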
@@ -115,6 +118,8 @@
return m_backEnd->unlockTpm(password, passwordLength);
}
+#pragma GCC diagnostic pop
+
ConstBufferPtr
Tpm::exportPrivateKey(const Name& keyName, const char* pw, size_t pwLen) const
{
diff --git a/ndn-cxx/security/tpm/tpm.hpp b/ndn-cxx/security/tpm/tpm.hpp
index feae793..ef67fbd 100644
--- a/ndn-cxx/security/tpm/tpm.hpp
+++ b/ndn-cxx/security/tpm/tpm.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2023 Regents of the University of California.
+ * Copyright (c) 2013-2024 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -129,30 +129,38 @@
public: // Management
/**
* @brief Check if the TPM is in terminal mode.
+ * @deprecated
*/
+ [[deprecated]]
bool
isTerminalMode() const;
/**
* @brief Set the terminal mode of the TPM.
+ * @deprecated
*
* When in terminal mode, the TPM will not ask user permission from GUI.
*/
+ [[deprecated]]
void
setTerminalMode(bool isTerminal) const;
/**
* @return true if the TPM is locked, otherwise false.
+ * @deprecated
*/
+ [[deprecated]]
bool
isTpmLocked() const;
/**
* @brief Unlock the TPM.
+ * @deprecated
*
* @param password The password to unlock the TPM.
* @param passwordLength The password size.
*/
+ [[deprecated]]
[[nodiscard]] bool
unlockTpm(const char* password, size_t passwordLength) const;
diff --git a/tools/ndnsec/main.cpp b/tools/ndnsec/main.cpp
index 7609345..aa6ce37 100644
--- a/tools/ndnsec/main.cpp
+++ b/tools/ndnsec/main.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2023 Regents of the University of California.
+ * Copyright (c) 2013-2024 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -35,7 +35,6 @@
Available commands:
help Print this help text
- version Print program version
list List all known identities/keys/certificates
get-default Show the default identity/key/certificate
set-default Change the default identity/key/certificate
@@ -47,9 +46,9 @@
cert-install Import a certificate from a file
export Export an identity as a SafeBag
import Import an identity from a SafeBag
- unlock-tpm Unlock the TPM
+ version Print version information
-Try 'ndnsec COMMAND --help' for more information on a command.
+Run 'ndnsec COMMAND --help' for more information on a command.
)STR";
int
diff --git a/tools/ndnsec/unlock-tpm.cpp b/tools/ndnsec/unlock-tpm.cpp
index 97cd702..e76d7f1 100644
--- a/tools/ndnsec/unlock-tpm.cpp
+++ b/tools/ndnsec/unlock-tpm.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2023 Regents of the University of California.
+ * Copyright (c) 2013-2024 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -33,6 +33,8 @@
int
ndnsec_unlock_tpm(int argc, char** argv)
{
+ std::cerr << "DEPRECATION NOTICE: ndnsec-unlock-tpm is deprecated.\n";
+
namespace po = boost::program_options;
po::options_description description(
@@ -68,7 +70,10 @@
return 1;
}
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
bool isUnlocked = keyChain.getTpm().unlockTpm(password, std::strlen(password));
+#pragma GCC diagnostic pop
OPENSSL_cleanse(password, std::strlen(password));
if (isUnlocked) {
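Review bot: With the `BackEndOsx` overrides removed in this commit, the `unlockTpm()` call in this hunk reaches the default back-end implementation on the keychain backend, which returns true without looking at the password. `isUnlocked` is therefore always true there, and the command presumably reports success without unlocking anything. The password obtained earlier in the function (not visible here) is collected only to be discarded, so the function could return right after the deprecation notice added in the previous hunk, or the notice could state the fact: `std::cerr << "DEPRECATION NOTICE: ndnsec-unlock-tpm is deprecated and has no effect.\n";`. The branch taken when `isUnlocked` is true lies outside the visible hunks, so this should be checked against the full function.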