tools: Enable ndnsec-dsk-gen

Change-Id: I079882b60924d71cad989492eb5650c36b24e413
Refs: #2246
diff --git a/docs/manpages.rst b/docs/manpages.rst
index 1a75a14..d7fb610 100644
--- a/docs/manpages.rst
+++ b/docs/manpages.rst
@@ -8,6 +8,7 @@
     ndnsec-get-default  <manpages/ndnsec-get-default>
     ndnsec-set-default  <manpages/ndnsec-set-default>
     ndnsec-key-gen      <manpages/ndnsec-key-gen>
+    ndnsec-dsk-gen      <manpages/ndnsec-dsk-gen>
     ndnsec-sign-req     <manpages/ndnsec-sign-req>
     ndnsec-cert-gen     <manpages/ndnsec-cert-gen>
     ndnsec-cert-revoke  <manpages/ndnsec-cert-revoke>
diff --git a/docs/manpages/ndnsec-dsk-gen.rst b/docs/manpages/ndnsec-dsk-gen.rst
new file mode 100644
index 0000000..1b87669
--- /dev/null
+++ b/docs/manpages/ndnsec-dsk-gen.rst
@@ -0,0 +1,43 @@
+ndnsec-dsk-gen
+==============
+
+``ndnsec-dsk-gen`` is tool to generate a pair of Data-Signing-Key (DSK) for the specified ``identity``
+and sign the generated key using the corresponding Key-Signing-Key (KSK).
+The generated DSK will be set as the default key of the identity.
+
+Usage
+-----
+
+::
+
+    $ ndnsec-dsk-gen [-h] [-t keyType] identity
+
+Description
+-----------
+
+``ndnsec-dsk-gen`` creates a pair of Data-Signing-Key (DSK) for the specified ``identity``
+and sign the generated key using the corresponding Key-Signing-Key (KSK).
+The tool will first check the default KSK of the identity, and then generate a DSK
+and sign the DSK using the KSK.
+The information encoded in the DSK certificate is set the same as the KSK certificate.
+In the end, the DSK is set as the default key of the identity.
+
+Options
+-------
+
+``-t keyType``
+  Specify the key type, ``r`` (default) for RSA and ``e`` for ECDSA.
+
+Examples
+--------
+
+::
+
+    $ ndnsec-dsk-gen /ndn/test
+    OK: dsk certificate with name [/ndn/test/KEY/dsk-1417501749768/ID-CERT/%FD%00%00%01J%09%B02%8B] has been successfully installed
+    $ ndnsec-list -c
+    * /ndn/test
+      +->* /ndn/test/dsk-1417501749768
+           +->* /ndn/test/KEY/dsk-1417501749768/ID-CERT/%FD%00%00%01J%09%B02%8B
+      +->  /ndn/test/ksk-1417475325879
+           +->* /ndn/test/KEY/ksk-1417475325879/ID-CERT/%FD%00%00%01J%09%AE.Y
diff --git a/docs/manpages/ndnsec.rst b/docs/manpages/ndnsec.rst
index 1efc2e1..8641d01 100644
--- a/docs/manpages/ndnsec.rst
+++ b/docs/manpages/ndnsec.rst
@@ -39,6 +39,9 @@
 ndnsec-key-gen_
   Generate a Key-Signing-Key for an identity.
 
+ndnsec-dsk-gen_
+  Generate a Data-Signing-Key (DSK) for an identity and sign the DSK using the corresponding KSK.
+
 ndnsec-sign-req_
   Generate a certificate signing request.
 
@@ -73,6 +76,7 @@
 .. _ndnsec-get-default: ndnsec-get-default.html
 .. _ndnsec-set-default: ndnsec-set-default.html
 .. _ndnsec-key-gen: ndnsec-key-gen.html
+.. _ndnsec-dsk-gen: ndnsec-dsk-gen.html
 .. _ndnsec-sign-req: ndnsec-sign-req.html
 .. _ndnsec-cert-gen: ndnsec-cert-gen.html
 .. _ndnsec-cert-dump: ndnsec-cert-dump.html
diff --git a/tools/ndnsec-dsk-gen.hpp b/tools/ndnsec-dsk-gen.hpp
index 5288520..5c4f7f0 100644
--- a/tools/ndnsec-dsk-gen.hpp
+++ b/tools/ndnsec-dsk-gen.hpp
@@ -34,126 +34,151 @@
 
   std::string identityName;
   char keyType = 'r';
-  int keySize = 2048;
 
-  po::options_description description("General Usage\n  ndnsec dsk-gen [-h] identity\nGeneral options");
+  po::options_description description("General Usage\n"
+                                      "  ndnsec dsk-gen [-h] [-t keyType] identity\n"
+                                      "General options");
   description.add_options()
     ("help,h", "produce help message")
-    ("identity,i", po::value<std::string>(&identityName), "identity name, for example, /ndn/ucla.edu/alice")
-    // ("type,t", po::value<char>(&keyType)->default_value('r'), "optional, key type, r for RSA key (default)")
-    // ("size,s", po::value<int>(&keySize)->default_value(2048), "optional, key size, 2048 (default)")
+    ("identity,i", po::value<std::string>(&identityName),
+     "identity name, for example, /ndn/ucla.edu/alice")
+    ("type,t", po::value<char>(&keyType)->default_value('r'),
+     "optional, key type, r for RSA key (default), e for ECDSA key.")
+    // ("size,s", po::value<int>(&keySize)->default_value(2048),
+    //  "optional, key size, 2048 (default)")
     ;
 
   po::positional_options_description p;
   p.add("identity", 1);
 
   po::variables_map vm;
-  try
-    {
-      po::store(po::command_line_parser(argc, argv).options(description).positional(p).run(),
-                vm);
-      po::notify(vm);
-    }
-  catch (const std::exception& e)
-    {
-      std::cerr << "ERROR: " << e.what() << std::endl;
-      std::cerr << description << std::endl;
-      return 1;
-    }
+  try {
+    po::store(po::command_line_parser(argc, argv).options(description).positional(p).run(), vm);
+    po::notify(vm);
+  }
+  catch (const std::exception& e) {
+    std::cerr << "ERROR: " << e.what() << std::endl;
+    std::cerr << description << std::endl;
+    return 1;
+  }
 
-  if (vm.count("help") != 0)
-    {
-      std::cerr << description << std::endl;
-      return 0;
-    }
+  if (vm.count("help") != 0) {
+    std::cerr << description << std::endl;
+    return 0;
+  }
 
-  if (vm.count("identity") == 0)
-    {
-      std::cerr << "identity must be specified" << std::endl;
-      std::cerr << description << std::endl;
-      return 1;
-    }
+  if (vm.count("identity") == 0) {
+    std::cerr << "identity must be specified" << std::endl;
+    std::cerr << description << std::endl;
+    return 1;
+  }
 
   shared_ptr<IdentityCertificate> kskCert;
   Name signingCertName;
 
   KeyChain keyChain;
 
-  Name defaultCertName = keyChain.getDefaultCertificateNameForIdentity(identityName);
-  bool isDefaultDsk = false;
-  if (defaultCertName.get(-3).toUri().substr(0,4) == "dsk-")
-    isDefaultDsk = true;
-
-  if (isDefaultDsk)
-    {
-      shared_ptr<IdentityCertificate> dskCert = keyChain.getCertificate(defaultCertName);
-      SignatureSha256WithRsa sha256sig(dskCert->getSignature());
-
-      Name keyLocatorName = sha256sig.getKeyLocator().getName(); // will throw exception if keylocator is absent or it is not a name
-
-      Name kskName = IdentityCertificate::certificateNameToPublicKeyName(keyLocatorName);
-      Name kskCertName = keyChain.getDefaultCertificateNameForKey(kskName);
-      signingCertName = kskCertName;
-      kskCert = keyChain.getCertificate(kskCertName);
+  try {
+    Name defaultCertName = keyChain.getDefaultCertificateNameForIdentity(identityName);
+    bool isDefaultDsk = false;
+    std::string keyUsageTag = defaultCertName.get(-3).toUri().substr(0,4);
+    if (keyUsageTag == "ksk-")
+      isDefaultDsk = false;
+    else if (keyUsageTag == "dsk-")
+      isDefaultDsk = true;
+    else {
+      std::cerr << "ERROR: Unknown key usage tag: " << keyUsageTag << std::endl;
+      return 1;
     }
-  else
-    {
+
+    if (isDefaultDsk) {
+      shared_ptr<IdentityCertificate> dskCert = keyChain.getCertificate(defaultCertName);
+
+      if (static_cast<bool>(dskCert)) {
+        SignatureSha256WithRsa sha256sig(dskCert->getSignature());
+
+        Name keyLocatorName = sha256sig.getKeyLocator().getName();
+
+        Name kskName = IdentityCertificate::certificateNameToPublicKeyName(keyLocatorName);
+        Name kskCertName = keyChain.getDefaultCertificateNameForKey(kskName);
+        signingCertName = kskCertName;
+        kskCert = keyChain.getCertificate(kskCertName);
+      }
+      else {
+        std::cerr << "ERROR: The default certificate is missing." << std::endl;
+        return 1;
+      }
+    }
+    else {
       signingCertName = defaultCertName;
       kskCert = keyChain.getCertificate(defaultCertName);
     }
 
-  if (!static_cast<bool>(kskCert))
-    {
-      std::cerr << "ERROR: no KSK certificate." << std::endl;
+    if (!static_cast<bool>(kskCert)) {
+      std::cerr << "ERROR: KSK certificate is missing." << std::endl;
       return 1;
     }
 
-  Name newKeyName;
-  switch (keyType)
-    {
+    Name newKeyName;
+    switch (keyType) {
     case 'r':
       {
-        newKeyName = keyChain.generateRsaKeyPair(Name(identityName), false, keySize);
-        if (0 == newKeyName.size())
-          {
-            std::cerr << "fail to generate key!" << std::endl;
-            return 1;
-          }
+        RsaKeyParams params;
+        newKeyName = keyChain.generateRsaKeyPair(Name(identityName), false, params.getKeySize());
+        if (0 == newKeyName.size()) {
+          std::cerr << "ERROR: Fail to generate RSA key!" << std::endl;
+          return 1;
+        }
+        break;
+      }
+    case 'e':
+      {
+        EcdsaKeyParams params;
+        newKeyName = keyChain.generateEcdsaKeyPair(Name(identityName), false, params.getKeySize());
+        if (0 == newKeyName.size()) {
+          std::cerr << "ERROR: Fail to generate ECDSA key!" << std::endl;
+          return 1;
+        }
         break;
       }
     default:
-      std::cerr << "Unrecongized key type" << "\n";
+      std::cerr << "ERROR: Unrecongized key type" << "\n";
       std::cerr << description << std::endl;
       return 1;
     }
 
-  Name certName = newKeyName.getPrefix(-1);
-  certName.append("KEY")
-    .append(newKeyName.get(-1))
-    .append("ID-CERT")
-    .appendVersion();
+    Name certName = newKeyName.getPrefix(-1);
+    certName.append("KEY")
+      .append(newKeyName.get(-1))
+      .append("ID-CERT")
+      .appendVersion();
 
-  shared_ptr<IdentityCertificate> certificate = make_shared<IdentityCertificate>();
-  certificate->setName(certName);
-  certificate->setNotBefore(kskCert->getNotBefore());
-  certificate->setNotAfter(kskCert->getNotAfter());
+    shared_ptr<IdentityCertificate> certificate =
+      keyChain.prepareUnsignedIdentityCertificate(newKeyName,
+                                                  Name(identityName),
+                                                  kskCert->getNotBefore(),
+                                                  kskCert->getNotAfter(),
+                                                  kskCert->getSubjectDescriptionList());
 
-  certificate->setPublicKeyInfo(*keyChain.getPublicKey(newKeyName));
+    if (static_cast<bool>(certificate))
+      certificate->encode();
+    else {
+      std::cerr << "ERROR: Cannot format the certificate of the requested dsk." << "\n";
+      return 1;
+    }
 
-  const std::vector<CertificateSubjectDescription>& subList =
-    kskCert->getSubjectDescriptionList();
+    keyChain.sign(*certificate, signingCertName);
 
-  for (std::vector<CertificateSubjectDescription>::const_iterator it = subList.begin();
-       it != subList.end(); it++)
-    certificate->addSubjectDescription(*it);
+    keyChain.addCertificateAsIdentityDefault(*certificate);
 
-  certificate->encode();
-
-  keyChain.sign(*certificate, signingCertName);
-
-  keyChain.addCertificateAsIdentityDefault(*certificate);
-
-  return 0;
+    std::cerr << "OK: dsk certificate with name [" << certificate->getName() <<
+      "] has been successfully installed\n";
+    return 0;
+  }
+  catch (std::runtime_error& e) {
+    std::cerr << "ERROR: other runtime errors: " << e.what() << "\n";
+    return 1;
+  }
 }
 
 #endif //NDNSEC_DSK_GEN_HPP
diff --git a/tools/ndnsec.cpp b/tools/ndnsec.cpp
index 23bc332..25aee99 100644
--- a/tools/ndnsec.cpp
+++ b/tools/ndnsec.cpp
@@ -50,6 +50,7 @@
   get-default  Get default setting info.\n\
   set-default  Configure default setting.\n\
   key-gen      Generate a Key-Signing-Key for an identity.\n\
+  dsk-gen      Generate a Data-Signing-Key for an identity.\n\
   sign-req     Generate a certificate signing request.\n\
   cert-gen     Generate an identity certificate.\n\
   cert-revoke  Revoke an identity certificate.\n\
@@ -84,6 +85,7 @@
       else if (command == "get-default")  { return ndnsec_get_default(argc - 1, argv + 1); }
       else if (command == "set-default")  { return ndnsec_set_default(argc - 1, argv + 1); }
       else if (command == "key-gen")      { return ndnsec_key_gen(argc - 1, argv + 1); }
+      else if (command == "dsk-gen")      { return ndnsec_dsk_gen(argc - 1, argv + 1); }
       else if (command == "sign-req")     { return ndnsec_sign_req(argc - 1, argv + 1); }
       else if (command == "cert-gen")     { return ndnsec_cert_gen(argc - 1, argv + 1); }
       else if (command == "cert-revoke")  { return ndnsec_cert_revoke(argc - 1, argv + 1); }