commit c8f883c91933e84889f4a93ec315726d3467626a
author Yingdi Yu <yuyingdi@gmail.com> Fri Jun 20 23:25:22 2014 -0700
committer Yingdi Yu <yuyingdi@gmail.com> Tue Jun 24 12:41:43 2014 -0700
tree 408afc7217d797b63d56b73986792c98ef778342
parent 7036ce2cbf05b60f660b3093652d8dcb4f05c9e5

security: Add ECDSA signature signing and validation

Change-Id: I2f193e9d643498a68579ae59a7f524ff446dcb9e
Refs: #1660

src/security/key-chain.hpp

diff --git a/src/security/key-chain.hpp b/src/security/key-chain.hpp
index 44ff1de..b6b9bbf 100644
--- a/src/security/key-chain.hpp
+++ b/src/security/key-chain.hpp
@@ -29,6 +29,7 @@
 #include "key-params.hpp"
 #include "secured-bag.hpp"
 #include "signature-sha256-with-rsa.hpp"
+#include "signature-sha256-with-ecdsa.hpp"
 #include "digest-sha256.hpp"
 
 #include "../interest.hpp"
@@ -103,8 +104,10 @@
    * @return The generated key name.
    */
   inline Name
-  generateRsaKeyPair(const Name& identityName, bool isKsk = false, int keySize = 2048);
+  generateRsaKeyPair(const Name& identityName, bool isKsk = false, uint32_t keySize = 2048);
 
+  inline Name
+  generateEcdsaKeyPair(const Name& identityName, bool isKsk = false, uint32_t keySize = 256);
   /**
    * @brief Generate a pair of RSA keys for the specified identity and set it as default key for
    *        the identity.
@@ -115,7 +118,11 @@
    * @return The generated key name.
    */
   Name
-  generateRsaKeyPairAsDefault(const Name& identityName, bool isKsk = false, int keySize = 2048);
+  generateRsaKeyPairAsDefault(const Name& identityName, bool isKsk = false,
+                              uint32_t keySize = 2048);
+
+  Name
+  generateEcdsaKeyPairAsDefault(const Name& identityName, bool isKsk, uint32_t keySize = 256);
 
   /**
    * @brief prepare an unsigned identity certificate
@@ -635,6 +642,15 @@
 
 private:
   /**
+   * @brief Determine signature type
+   *
+   * An empty pointer will be returned if there is no valid signature.
+   */
+  shared_ptr<SignatureWithPublicKey>
+  determineSignatureWithPublicKey(KeyType keyType,
+                                  DigestAlgorithm digestAlgorithm = DIGEST_ALGORITHM_SHA256);
+
+  /**
    * @brief Set default certificate if it is not initialized
    */
   void
@@ -672,7 +688,7 @@
    * @throws Tpm::Error
    */
   void
-  signPacketWrapper(Data& data, const SignatureSha256WithRsa& signature,
+  signPacketWrapper(Data& data, const Signature& signature,
                     const Name& keyName, DigestAlgorithm digestAlgorithm);
 
   /**
@@ -685,7 +701,7 @@
    * @throws Tpm::Error
    */
   void
-  signPacketWrapper(Interest& interest, const SignatureSha256WithRsa& signature,
+  signPacketWrapper(Interest& interest, const Signature& signature,
                     const Name& keyName, DigestAlgorithm digestAlgorithm);
 
 
@@ -705,12 +721,19 @@
 }
 
 inline Name
-KeyChain::generateRsaKeyPair(const Name& identityName, bool isKsk, int keySize)
+KeyChain::generateRsaKeyPair(const Name& identityName, bool isKsk, uint32_t keySize)
 {
   RsaKeyParams params(keySize);
   return generateKeyPair(identityName, isKsk, params);
 }
 
+inline Name
+KeyChain::generateEcdsaKeyPair(const Name& identityName, bool isKsk, uint32_t keySize)
+{
+  EcdsaKeyParams params(keySize);
+  return generateKeyPair(identityName, isKsk, params);
+}
+
 template<typename T>
 void
 KeyChain::sign(T& packet)
@@ -725,18 +748,8 @@
 void
 KeyChain::sign(T& packet, const Name& certificateName)
 {
-  if (!m_pib->doesCertificateExist(certificateName))
-    throw SecPublicInfo::Error("Requested certificate [" +
-                               certificateName.toUri() + "] doesn't exist");
-
-  SignatureSha256WithRsa signature;
-  // implicit conversion should take care
-  signature.setKeyLocator(certificateName.getPrefix(-1));
-
-  // For temporary usage, we support RSA + SHA256 only, but will support more.
-  signPacketWrapper(packet, signature,
-                    IdentityCertificate::certificateNameToPublicKeyName(certificateName),
-                    DIGEST_ALGORITHM_SHA256);
+  shared_ptr<IdentityCertificate> certificate = m_pib->getCertificate(certificateName);
+  sign(packet, *certificate);
 }
 
 template<typename T>
@@ -764,11 +777,35 @@
 void
 KeyChain::sign(T& packet, const IdentityCertificate& certificate)
 {
-  SignatureSha256WithRsa signature;
-  signature.setKeyLocator(certificate.getName().getPrefix(-1));
+  switch (certificate.getPublicKeyInfo().getKeyType())
+    {
+    case KEY_TYPE_RSA:
+      {
+        // For temporary usage, we support SHA256 only, but will support more.
+        SignatureSha256WithRsa signature;
+        // implicit conversion should take care
+        signature.setKeyLocator(certificate.getName().getPrefix(-1));
 
-  // For temporary usage, we support RSA + SHA256 only, but will support more.
-  signPacketWrapper(packet, signature, certificate.getPublicKeyName(), DIGEST_ALGORITHM_SHA256);
+        signPacketWrapper(packet, signature,
+                          certificate.getPublicKeyName(),
+                          DIGEST_ALGORITHM_SHA256);
+        return;
+      }
+    case KEY_TYPE_ECDSA:
+      {
+        // For temporary usage, we support SHA256 only, but will support more.
+        SignatureSha256WithEcdsa signature;
+        // implicit conversion should take care
+        signature.setKeyLocator(certificate.getName().getPrefix(-1));
+
+        signPacketWrapper(packet, signature,
+                          certificate.getPublicKeyName(),
+                          DIGEST_ALGORITHM_SHA256);
+        return;
+      }
+    default:
+      throw SecPublicInfo::Error("unknown key type!");
+    }
 }
 
 }