security: introduce KeyChain::makeCertificate
KeyChain::makeCertificate() captures a common routine of creating and
signing a certificate. Having it in the library allows deduplicating
similar code elsewhere.
Also add "find by certificate name" tests for CertificateCache and
TrustAnchorContainer.
refs #5112
Change-Id: I954587e1c03d6b372e3b4f04e702339d1ff1533e
diff --git a/tools/ndnsec/cert-gen.cpp b/tools/ndnsec/cert-gen.cpp
index e44d063..49b0362 100644
--- a/tools/ndnsec/cert-gen.cpp
+++ b/tools/ndnsec/cert-gen.cpp
@@ -63,8 +63,10 @@
"\"affiliation University of California, Los Angeles\"); "
"this option may be repeated multiple times")
("sign-id,s", po::value<Name>(&signId), "signing identity")
- ("issuer-id,i", po::value<std::string>(&issuerId)->default_value("NA"),
- "issuer's ID to be included in the issued certificate name")
+ ("issuer-id,i", po::value<std::string>(&issuerId),
+ ("issuer's ID to be included in the issued certificate name, interpreted as "
+ "name component in URI format (default: \"" +
+ security::Certificate::DEFAULT_ISSUER_ID.toUri() + "\")").data())
;
po::positional_options_description p;
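Review bot: The help text for `issuer-id` is now built as a temporary `std::string` and handed to program_options through `.data()` inside the `add_options()` chain; this works only because the option description is copied before the full expression ends, which is easy to break on a later edit. Naming the string first, e.g. `const std::string issuerIdDesc = "issuer's ID ... (default: \"" + security::Certificate::DEFAULT_ISSUER_ID.toUri() + "\")";` and then passing `issuerIdDesc.data()`, makes the lifetime obvious. Dropping `default_value("NA")` also changes what an absent `--issuer-id` means, which the second hunk handles via `vm.count("issuer-id")`; a one-line comment there noting that the library default applies when the option is omitted would help readers of this hunk alone.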
@@ -124,39 +126,24 @@
KeyChain keyChain;
- auto certRequest = loadFromFile<security::Certificate>(requestFile);
+ auto request = loadFromFile<security::Certificate>(requestFile);
- // validate that the content is a public key
- auto keyContent = certRequest.getPublicKey();
- security::transform::PublicKey pubKey;
- pubKey.loadPkcs8(keyContent);
-
- Name certName = certRequest.getKeyName();
- certName
- .append(issuerId)
- .appendVersion();
-
- security::Certificate cert;
- cert.setName(certName);
- cert.setContent(certRequest.getContent());
- // TODO: add ability to customize
- cert.setFreshnessPeriod(1_h);
-
- SignatureInfo signatureInfo;
- signatureInfo.setValidityPeriod(security::ValidityPeriod(notBefore, notAfter));
+ security::SigningInfo signer;
+ if (vm.count("sign-id") > 0) {
+ signer.setSigningIdentity(signId);
+ }
if (!additionalDescription.empty()) {
- signatureInfo.addCustomTlv(additionalDescription.wireEncode());
+ SignatureInfo sigInfo;
+ sigInfo.addCustomTlv(additionalDescription.wireEncode());
+ signer.setSignatureInfo(sigInfo);
}
- security::Identity identity;
- if (vm.count("sign-id") == 0) {
- identity = keyChain.getPib().getDefaultIdentity();
+ security::MakeCertificateOptions opts;
+ if (vm.count("issuer-id") > 0) {
+ opts.issuerId = name::Component::fromEscapedString(issuerId);
}
- else {
- identity = keyChain.getPib().getIdentity(signId);
- }
-
- keyChain.sign(cert, security::SigningInfo(identity).setSignatureInfo(signatureInfo));
+ opts.validity.emplace(notBefore, notAfter);
+ auto cert = keyChain.makeCertificate(request, signer, opts);
{
using namespace security::transform;
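Review bot: The explicit check that the request content is a loadable PKCS#8 public key (the removed `pubKey.loadPkcs8(keyContent)`) no longer appears in this hunk, so unless `KeyChain::makeCertificate` rejects a request whose content is not a valid key, cert-gen would now sign whatever `requestFile` contains. If makeCertificate does perform that validation, a comment above `auto cert = keyChain.makeCertificate(request, signer, opts);` such as `// makeCertificate validates the request's public key and throws on malformed input` would record that the check moved rather than disappeared. `name::Component::fromEscapedString(issuerId)` may throw on a malformed `--issuer-id`, and `opts.validity.emplace(notBefore, notAfter)` is not guarded against `notBefore >= notAfter` here; whether either case reaches the user as a clear error depends on handling outside this hunk. The removed `// TODO: add ability to customize` freshness period is also gone without a replacement in the visible code, so it is unclear whether customization is now available through `MakeCertificateOptions` or was dropped.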
diff --git a/tools/ndnsec/sign-req.cpp b/tools/ndnsec/sign-req.cpp
index f4655af..e202bc5 100644
--- a/tools/ndnsec/sign-req.cpp
+++ b/tools/ndnsec/sign-req.cpp
@@ -22,6 +22,8 @@
#include "ndnsec.hpp"
#include "util.hpp"
+#include "ndn-cxx/security/signing-helpers.hpp"
+
namespace ndn {
namespace ndnsec {
@@ -81,28 +83,10 @@
}
// Create signing request (similar to self-signed certificate)
- security::Certificate certificate;
-
- // set name
- Name certificateName = key.getName();
- certificateName
- .append("cert-request")
- .appendVersion();
- certificate.setName(certificateName);
-
- // set metainfo
- certificate.setContentType(tlv::ContentType_Key);
- certificate.setFreshnessPeriod(1_h);
-
- // set content
- certificate.setContent(key.getPublicKey());
-
- // set signature-info
- SignatureInfo signatureInfo;
- auto now = time::system_clock::now();
- signatureInfo.setValidityPeriod(security::ValidityPeriod(now, now + 10_days));
-
- keyChain.sign(certificate, security::SigningInfo(key).setSignatureInfo(signatureInfo));
+ security::MakeCertificateOptions opts;
+ opts.issuerId = name::Component::fromEscapedString("cert-request");
+ opts.validity = security::ValidityPeriod::makeRelative(-1_s, 10_days);
+ auto certificate = keyChain.makeCertificate(key, security::signingByKey(key), opts);
io::save(certificate, std::cout);