tools: Enable ndnsec-dsk-gen
Change-Id: I079882b60924d71cad989492eb5650c36b24e413
Refs: #2246
diff --git a/docs/manpages.rst b/docs/manpages.rst
index 1a75a14..d7fb610 100644
--- a/docs/manpages.rst
+++ b/docs/manpages.rst
@@ -8,6 +8,7 @@
ndnsec-get-default <manpages/ndnsec-get-default>
ndnsec-set-default <manpages/ndnsec-set-default>
ndnsec-key-gen <manpages/ndnsec-key-gen>
+ ndnsec-dsk-gen <manpages/ndnsec-dsk-gen>
ndnsec-sign-req <manpages/ndnsec-sign-req>
ndnsec-cert-gen <manpages/ndnsec-cert-gen>
ndnsec-cert-revoke <manpages/ndnsec-cert-revoke>
diff --git a/docs/manpages/ndnsec-dsk-gen.rst b/docs/manpages/ndnsec-dsk-gen.rst
new file mode 100644
index 0000000..1b87669
--- /dev/null
+++ b/docs/manpages/ndnsec-dsk-gen.rst
@@ -0,0 +1,43 @@
+ndnsec-dsk-gen
+==============
+
+``ndnsec-dsk-gen`` is tool to generate a pair of Data-Signing-Key (DSK) for the specified ``identity``
+and sign the generated key using the corresponding Key-Signing-Key (KSK).
+The generated DSK will be set as the default key of the identity.
+
+Usage
+-----
+
+::
+
+ $ ndnsec-dsk-gen [-h] [-t keyType] identity
+
+Description
+-----------
+
+``ndnsec-dsk-gen`` creates a pair of Data-Signing-Key (DSK) for the specified ``identity``
+and sign the generated key using the corresponding Key-Signing-Key (KSK).
+The tool will first check the default KSK of the identity, and then generate a DSK
+and sign the DSK using the KSK.
+The information encoded in the DSK certificate is set the same as the KSK certificate.
+In the end, the DSK is set as the default key of the identity.
+
+Options
+-------
+
+``-t keyType``
+ Specify the key type, ``r`` (default) for RSA and ``e`` for ECDSA.
+
+Examples
+--------
+
+::
+
+ $ ndnsec-dsk-gen /ndn/test
+ OK: dsk certificate with name [/ndn/test/KEY/dsk-1417501749768/ID-CERT/%FD%00%00%01J%09%B02%8B] has been successfully installed
+ $ ndnsec-list -c
+ * /ndn/test
+ +->* /ndn/test/dsk-1417501749768
+ +->* /ndn/test/KEY/dsk-1417501749768/ID-CERT/%FD%00%00%01J%09%B02%8B
+ +-> /ndn/test/ksk-1417475325879
+ +->* /ndn/test/KEY/ksk-1417475325879/ID-CERT/%FD%00%00%01J%09%AE.Y
diff --git a/docs/manpages/ndnsec.rst b/docs/manpages/ndnsec.rst
index 1efc2e1..8641d01 100644
--- a/docs/manpages/ndnsec.rst
+++ b/docs/manpages/ndnsec.rst
@@ -39,6 +39,9 @@
ndnsec-key-gen_
Generate a Key-Signing-Key for an identity.
+ndnsec-dsk-gen_
+ Generate a Data-Signing-Key (DSK) for an identity and sign the DSK using the corresponding KSK.
+
ndnsec-sign-req_
Generate a certificate signing request.
@@ -73,6 +76,7 @@
.. _ndnsec-get-default: ndnsec-get-default.html
.. _ndnsec-set-default: ndnsec-set-default.html
.. _ndnsec-key-gen: ndnsec-key-gen.html
+.. _ndnsec-dsk-gen: ndnsec-dsk-gen.html
.. _ndnsec-sign-req: ndnsec-sign-req.html
.. _ndnsec-cert-gen: ndnsec-cert-gen.html
.. _ndnsec-cert-dump: ndnsec-cert-dump.html
diff --git a/tools/ndnsec-dsk-gen.hpp b/tools/ndnsec-dsk-gen.hpp
index 5288520..5c4f7f0 100644
--- a/tools/ndnsec-dsk-gen.hpp
+++ b/tools/ndnsec-dsk-gen.hpp
@@ -34,126 +34,151 @@
std::string identityName;
char keyType = 'r';
- int keySize = 2048;
- po::options_description description("General Usage\n ndnsec dsk-gen [-h] identity\nGeneral options");
+ po::options_description description("General Usage\n"
+ " ndnsec dsk-gen [-h] [-t keyType] identity\n"
+ "General options");
description.add_options()
("help,h", "produce help message")
- ("identity,i", po::value<std::string>(&identityName), "identity name, for example, /ndn/ucla.edu/alice")
- // ("type,t", po::value<char>(&keyType)->default_value('r'), "optional, key type, r for RSA key (default)")
- // ("size,s", po::value<int>(&keySize)->default_value(2048), "optional, key size, 2048 (default)")
+ ("identity,i", po::value<std::string>(&identityName),
+ "identity name, for example, /ndn/ucla.edu/alice")
+ ("type,t", po::value<char>(&keyType)->default_value('r'),
+ "optional, key type, r for RSA key (default), e for ECDSA key.")
+ // ("size,s", po::value<int>(&keySize)->default_value(2048),
+ // "optional, key size, 2048 (default)")
;
po::positional_options_description p;
p.add("identity", 1);
po::variables_map vm;
- try
- {
- po::store(po::command_line_parser(argc, argv).options(description).positional(p).run(),
- vm);
- po::notify(vm);
- }
- catch (const std::exception& e)
- {
- std::cerr << "ERROR: " << e.what() << std::endl;
- std::cerr << description << std::endl;
- return 1;
- }
+ try {
+ po::store(po::command_line_parser(argc, argv).options(description).positional(p).run(), vm);
+ po::notify(vm);
+ }
+ catch (const std::exception& e) {
+ std::cerr << "ERROR: " << e.what() << std::endl;
+ std::cerr << description << std::endl;
+ return 1;
+ }
- if (vm.count("help") != 0)
- {
- std::cerr << description << std::endl;
- return 0;
- }
+ if (vm.count("help") != 0) {
+ std::cerr << description << std::endl;
+ return 0;
+ }
- if (vm.count("identity") == 0)
- {
- std::cerr << "identity must be specified" << std::endl;
- std::cerr << description << std::endl;
- return 1;
- }
+ if (vm.count("identity") == 0) {
+ std::cerr << "identity must be specified" << std::endl;
+ std::cerr << description << std::endl;
+ return 1;
+ }
shared_ptr<IdentityCertificate> kskCert;
Name signingCertName;
KeyChain keyChain;
- Name defaultCertName = keyChain.getDefaultCertificateNameForIdentity(identityName);
- bool isDefaultDsk = false;
- if (defaultCertName.get(-3).toUri().substr(0,4) == "dsk-")
- isDefaultDsk = true;
-
- if (isDefaultDsk)
- {
- shared_ptr<IdentityCertificate> dskCert = keyChain.getCertificate(defaultCertName);
- SignatureSha256WithRsa sha256sig(dskCert->getSignature());
-
- Name keyLocatorName = sha256sig.getKeyLocator().getName(); // will throw exception if keylocator is absent or it is not a name
-
- Name kskName = IdentityCertificate::certificateNameToPublicKeyName(keyLocatorName);
- Name kskCertName = keyChain.getDefaultCertificateNameForKey(kskName);
- signingCertName = kskCertName;
- kskCert = keyChain.getCertificate(kskCertName);
+ try {
+ Name defaultCertName = keyChain.getDefaultCertificateNameForIdentity(identityName);
+ bool isDefaultDsk = false;
+ std::string keyUsageTag = defaultCertName.get(-3).toUri().substr(0,4);
+ if (keyUsageTag == "ksk-")
+ isDefaultDsk = false;
+ else if (keyUsageTag == "dsk-")
+ isDefaultDsk = true;
+ else {
+ std::cerr << "ERROR: Unknown key usage tag: " << keyUsageTag << std::endl;
+ return 1;
}
- else
- {
+
+ if (isDefaultDsk) {
+ shared_ptr<IdentityCertificate> dskCert = keyChain.getCertificate(defaultCertName);
+
+ if (static_cast<bool>(dskCert)) {
+ SignatureSha256WithRsa sha256sig(dskCert->getSignature());
+
+ Name keyLocatorName = sha256sig.getKeyLocator().getName();
+
+ Name kskName = IdentityCertificate::certificateNameToPublicKeyName(keyLocatorName);
+ Name kskCertName = keyChain.getDefaultCertificateNameForKey(kskName);
+ signingCertName = kskCertName;
+ kskCert = keyChain.getCertificate(kskCertName);
+ }
+ else {
+ std::cerr << "ERROR: The default certificate is missing." << std::endl;
+ return 1;
+ }
+ }
+ else {
signingCertName = defaultCertName;
kskCert = keyChain.getCertificate(defaultCertName);
}
- if (!static_cast<bool>(kskCert))
- {
- std::cerr << "ERROR: no KSK certificate." << std::endl;
+ if (!static_cast<bool>(kskCert)) {
+ std::cerr << "ERROR: KSK certificate is missing." << std::endl;
return 1;
}
- Name newKeyName;
- switch (keyType)
- {
+ Name newKeyName;
+ switch (keyType) {
case 'r':
{
- newKeyName = keyChain.generateRsaKeyPair(Name(identityName), false, keySize);
- if (0 == newKeyName.size())
- {
- std::cerr << "fail to generate key!" << std::endl;
- return 1;
- }
+ RsaKeyParams params;
+ newKeyName = keyChain.generateRsaKeyPair(Name(identityName), false, params.getKeySize());
+ if (0 == newKeyName.size()) {
+ std::cerr << "ERROR: Fail to generate RSA key!" << std::endl;
+ return 1;
+ }
+ break;
+ }
+ case 'e':
+ {
+ EcdsaKeyParams params;
+ newKeyName = keyChain.generateEcdsaKeyPair(Name(identityName), false, params.getKeySize());
+ if (0 == newKeyName.size()) {
+ std::cerr << "ERROR: Fail to generate ECDSA key!" << std::endl;
+ return 1;
+ }
break;
}
default:
- std::cerr << "Unrecongized key type" << "\n";
+ std::cerr << "ERROR: Unrecongized key type" << "\n";
std::cerr << description << std::endl;
return 1;
}
- Name certName = newKeyName.getPrefix(-1);
- certName.append("KEY")
- .append(newKeyName.get(-1))
- .append("ID-CERT")
- .appendVersion();
+ Name certName = newKeyName.getPrefix(-1);
+ certName.append("KEY")
+ .append(newKeyName.get(-1))
+ .append("ID-CERT")
+ .appendVersion();
- shared_ptr<IdentityCertificate> certificate = make_shared<IdentityCertificate>();
- certificate->setName(certName);
- certificate->setNotBefore(kskCert->getNotBefore());
- certificate->setNotAfter(kskCert->getNotAfter());
+ shared_ptr<IdentityCertificate> certificate =
+ keyChain.prepareUnsignedIdentityCertificate(newKeyName,
+ Name(identityName),
+ kskCert->getNotBefore(),
+ kskCert->getNotAfter(),
+ kskCert->getSubjectDescriptionList());
- certificate->setPublicKeyInfo(*keyChain.getPublicKey(newKeyName));
+ if (static_cast<bool>(certificate))
+ certificate->encode();
+ else {
+ std::cerr << "ERROR: Cannot format the certificate of the requested dsk." << "\n";
+ return 1;
+ }
- const std::vector<CertificateSubjectDescription>& subList =
- kskCert->getSubjectDescriptionList();
+ keyChain.sign(*certificate, signingCertName);
- for (std::vector<CertificateSubjectDescription>::const_iterator it = subList.begin();
- it != subList.end(); it++)
- certificate->addSubjectDescription(*it);
+ keyChain.addCertificateAsIdentityDefault(*certificate);
- certificate->encode();
-
- keyChain.sign(*certificate, signingCertName);
-
- keyChain.addCertificateAsIdentityDefault(*certificate);
-
- return 0;
+ std::cerr << "OK: dsk certificate with name [" << certificate->getName() <<
+ "] has been successfully installed\n";
+ return 0;
+ }
+ catch (std::runtime_error& e) {
+ std::cerr << "ERROR: other runtime errors: " << e.what() << "\n";
+ return 1;
+ }
}
#endif //NDNSEC_DSK_GEN_HPP
diff --git a/tools/ndnsec.cpp b/tools/ndnsec.cpp
index 23bc332..25aee99 100644
--- a/tools/ndnsec.cpp
+++ b/tools/ndnsec.cpp
@@ -50,6 +50,7 @@
get-default Get default setting info.\n\
set-default Configure default setting.\n\
key-gen Generate a Key-Signing-Key for an identity.\n\
+ dsk-gen Generate a Data-Signing-Key for an identity.\n\
sign-req Generate a certificate signing request.\n\
cert-gen Generate an identity certificate.\n\
cert-revoke Revoke an identity certificate.\n\
@@ -84,6 +85,7 @@
else if (command == "get-default") { return ndnsec_get_default(argc - 1, argv + 1); }
else if (command == "set-default") { return ndnsec_set_default(argc - 1, argv + 1); }
else if (command == "key-gen") { return ndnsec_key_gen(argc - 1, argv + 1); }
+ else if (command == "dsk-gen") { return ndnsec_dsk_gen(argc - 1, argv + 1); }
else if (command == "sign-req") { return ndnsec_sign_req(argc - 1, argv + 1); }
else if (command == "cert-gen") { return ndnsec_cert_gen(argc - 1, argv + 1); }
else if (command == "cert-revoke") { return ndnsec_cert_revoke(argc - 1, argv + 1); }