security: add signature verification support in TPM
Refs: #3075
Change-Id: Idb17ee0e3a071e133527b6e17d4ecc06d922a798
diff --git a/ndn-cxx/security/tpm/key-handle-mem.cpp b/ndn-cxx/security/tpm/key-handle-mem.cpp
index 486b412..a3f24ba 100644
--- a/ndn-cxx/security/tpm/key-handle-mem.cpp
+++ b/ndn-cxx/security/tpm/key-handle-mem.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2018 Regents of the University of California.
+ * Copyright (c) 2013-2019 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -20,10 +20,12 @@
*/
#include "ndn-cxx/security/tpm/key-handle-mem.hpp"
+#include "ndn-cxx/security/transform/bool-sink.hpp"
#include "ndn-cxx/security/transform/buffer-source.hpp"
#include "ndn-cxx/security/transform/private-key.hpp"
#include "ndn-cxx/security/transform/signer-filter.hpp"
#include "ndn-cxx/security/transform/stream-sink.hpp"
+#include "ndn-cxx/security/transform/verifier-filter.hpp"
#include "ndn-cxx/encoding/buffer-stream.hpp"
namespace ndn {
@@ -46,6 +48,18 @@
return sigOs.buf();
}
+bool
+KeyHandleMem::doVerify(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size,
+ const uint8_t* sig, size_t sigLen) const
+{
+ using namespace transform;
+
+ bool result = false;
+ bufferSource(buf, size) >> verifierFilter(digestAlgorithm, *m_key, sig, sigLen)
+ >> boolSink(result);
+ return result;
+}
+
ConstBufferPtr
KeyHandleMem::doDecrypt(const uint8_t* cipherText, size_t cipherTextLen) const
{
diff --git a/ndn-cxx/security/tpm/key-handle-mem.hpp b/ndn-cxx/security/tpm/key-handle-mem.hpp
index 97cce7a..0417ebe 100644
--- a/ndn-cxx/security/tpm/key-handle-mem.hpp
+++ b/ndn-cxx/security/tpm/key-handle-mem.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2018 Regents of the University of California.
+ * Copyright (c) 2013-2019 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -46,6 +46,10 @@
ConstBufferPtr
doSign(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size) const final;
+ bool
+ doVerify(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size,
+ const uint8_t* sig, size_t sigLen) const final;
+
ConstBufferPtr
doDecrypt(const uint8_t* cipherText, size_t cipherTextLen) const final;
diff --git a/ndn-cxx/security/tpm/key-handle-osx.cpp b/ndn-cxx/security/tpm/key-handle-osx.cpp
index 0421327..db45896 100644
--- a/ndn-cxx/security/tpm/key-handle-osx.cpp
+++ b/ndn-cxx/security/tpm/key-handle-osx.cpp
@@ -39,6 +39,13 @@
return BackEndOsx::sign(m_key, digestAlgorithm, buf, size);
}
+bool
+KeyHandleOsx::doVerify(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size,
+ const uint8_t* sig, size_t sigLen) const
+{
+ NDN_THROW(Error("Signature verification is not supported with macOS Keychain-based TPM"));
+}
+
ConstBufferPtr
KeyHandleOsx::doDecrypt(const uint8_t* cipherText, size_t cipherTextLen) const
{
diff --git a/ndn-cxx/security/tpm/key-handle-osx.hpp b/ndn-cxx/security/tpm/key-handle-osx.hpp
index 0171d0c..87a8c56 100644
--- a/ndn-cxx/security/tpm/key-handle-osx.hpp
+++ b/ndn-cxx/security/tpm/key-handle-osx.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2018 Regents of the University of California.
+ * Copyright (c) 2013-2019 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -47,6 +47,10 @@
ConstBufferPtr
doSign(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size) const final;
+ bool
+ doVerify(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size,
+ const uint8_t* sig, size_t sigLen) const final;
+
ConstBufferPtr
doDecrypt(const uint8_t* cipherText, size_t cipherTextLen) const final;
diff --git a/ndn-cxx/security/tpm/key-handle.cpp b/ndn-cxx/security/tpm/key-handle.cpp
index 1184450..d5cea11 100644
--- a/ndn-cxx/security/tpm/key-handle.cpp
+++ b/ndn-cxx/security/tpm/key-handle.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2018 Regents of the University of California.
+ * Copyright (c) 2013-2019 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -33,6 +33,13 @@
return doSign(digestAlgorithm, buf, size);
}
+bool
+KeyHandle::verify(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t bufLen,
+ const uint8_t* sig, size_t sigLen) const
+{
+ return doVerify(digestAlgorithm, buf, bufLen, sig, sigLen);
+}
+
ConstBufferPtr
KeyHandle::decrypt(const uint8_t* cipherText, size_t cipherTextLen) const
{
diff --git a/ndn-cxx/security/tpm/key-handle.hpp b/ndn-cxx/security/tpm/key-handle.hpp
index a47b5d0..743dac5 100644
--- a/ndn-cxx/security/tpm/key-handle.hpp
+++ b/ndn-cxx/security/tpm/key-handle.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2018 Regents of the University of California.
+ * Copyright (c) 2013-2019 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -32,7 +32,7 @@
/**
* @brief Abstraction of TPM key handle.
*
- * Handle provides an interface to perform crypto operations with a key in TPM.
+ * KeyHandle provides an interface to perform crypto operations with a key stored in the TPM.
*/
class KeyHandle : noncopyable
{
@@ -54,6 +54,13 @@
sign(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size) const;
/**
+ * @brief Verify the signature @p sig created on @p buf using this key and @p digestAlgorithm.
+ */
+ bool
+ verify(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t bufLen,
+ const uint8_t* sig, size_t sigLen) const;
+
+ /**
* @return plain text content decrypted from @p cipherText using this key.
*/
ConstBufferPtr
@@ -75,6 +82,10 @@
virtual ConstBufferPtr
doSign(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size) const = 0;
+ virtual bool
+ doVerify(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t bufLen,
+ const uint8_t* sig, size_t sigLen) const = 0;
+
virtual ConstBufferPtr
doDecrypt(const uint8_t* cipherText, size_t cipherTextLen) const = 0;
diff --git a/ndn-cxx/security/tpm/tpm.cpp b/ndn-cxx/security/tpm/tpm.cpp
index 87c1c84..a4398e5 100644
--- a/ndn-cxx/security/tpm/tpm.cpp
+++ b/ndn-cxx/security/tpm/tpm.cpp
@@ -100,6 +100,18 @@
return key->sign(digestAlgorithm, buf, size);
}
+boost::logic::tribool
+Tpm::verify(const uint8_t* buf, size_t bufLen, const uint8_t* sig, size_t sigLen,
+ const Name& keyName, DigestAlgorithm digestAlgorithm) const
+{
+ const KeyHandle* key = findKey(keyName);
+
+ if (key == nullptr)
+ return boost::logic::indeterminate;
+ else
+ return key->verify(digestAlgorithm, buf, bufLen, sig, sigLen);
+}
+
ConstBufferPtr
Tpm::decrypt(const uint8_t* buf, size_t size, const Name& keyName) const
{
diff --git a/ndn-cxx/security/tpm/tpm.hpp b/ndn-cxx/security/tpm/tpm.hpp
index 2c0f800..419eae4 100644
--- a/ndn-cxx/security/tpm/tpm.hpp
+++ b/ndn-cxx/security/tpm/tpm.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2018 Regents of the University of California.
+ * Copyright (c) 2013-2019 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -27,6 +27,7 @@
#include "ndn-cxx/security/tpm/key-handle.hpp"
#include <unordered_map>
+#include <boost/logic/tribool.hpp>
namespace ndn {
namespace security {
@@ -102,6 +103,16 @@
sign(const uint8_t* buf, size_t size, const Name& keyName, DigestAlgorithm digestAlgorithm) const;
/**
+ * @brief Verify blob using the key with name @p keyName and using the digest @p digestAlgorithm.
+ *
+ * @return true if the signature is valid; false if the signature is not valid;
+ * `boost::logic::indeterminate` if the key does not exist.
+ */
+ boost::logic::tribool
+ verify(const uint8_t* buf, size_t bufLen, const uint8_t* sig, size_t sigLen,
+ const Name& keyName, DigestAlgorithm digestAlgorithm) const;
+
+ /**
* @brief Decrypt blob using the key with name @p keyName.
*
* @return The decrypted data, or nullptr if the key does not exist.
diff --git a/tests/unit/security/tpm/back-end.t.cpp b/tests/unit/security/tpm/back-end.t.cpp
index 4d39fbb..1ef374b 100644
--- a/tests/unit/security/tpm/back-end.t.cpp
+++ b/tests/unit/security/tpm/back-end.t.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2018 Regents of the University of California.
+ * Copyright (c) 2013-2019 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -93,12 +93,14 @@
BackEnd& tpm = wrapper.getTpm();
// create an RSA key
- Name identity("/Test/KeyName");
+ Name identity("/Test/RSA/KeyName");
unique_ptr<KeyHandle> key = tpm.createKey(identity, RsaKeyParams());
Name keyName = key->getKeyName();
const uint8_t content[] = {0x01, 0x02, 0x03, 0x04};
- Block sigBlock(tlv::SignatureValue, key->sign(DigestAlgorithm::SHA256, content, sizeof(content)));
+ auto sigValue = key->sign(DigestAlgorithm::SHA256, content, sizeof(content));
+ BOOST_REQUIRE(sigValue != nullptr);
+ Block sigBlock(tlv::SignatureValue, sigValue);
transform::PublicKey pubKey;
ConstBufferPtr pubKeyBits = key->derivePublicKey();
@@ -149,12 +151,14 @@
BackEnd& tpm = wrapper.getTpm();
// create an EC key
- Name identity("/Test/Ec/KeyName");
+ Name identity("/Test/EC/KeyName");
unique_ptr<KeyHandle> key = tpm.createKey(identity, EcKeyParams());
Name ecKeyName = key->getKeyName();
const uint8_t content[] = {0x01, 0x02, 0x03, 0x04};
- Block sigBlock(tlv::SignatureValue, key->sign(DigestAlgorithm::SHA256, content, sizeof(content)));
+ auto sigValue = key->sign(DigestAlgorithm::SHA256, content, sizeof(content));
+ BOOST_REQUIRE(sigValue != nullptr);
+ Block sigBlock(tlv::SignatureValue, sigValue);
transform::PublicKey pubKey;
ConstBufferPtr pubKeyBits = key->derivePublicKey();
@@ -163,9 +167,9 @@
bool result;
{
using namespace transform;
- bufferSource(content, sizeof(content)) >> verifierFilter(DigestAlgorithm::SHA256, pubKey,
- sigBlock.value(), sigBlock.value_size())
- >> boolSink(result);
+ bufferSource(content, sizeof(content)) >>
+ verifierFilter(DigestAlgorithm::SHA256, pubKey, sigBlock.value(), sigBlock.value_size()) >>
+ boolSink(result);
}
BOOST_CHECK_EQUAL(result, true);
@@ -173,6 +177,29 @@
BOOST_CHECK_EQUAL(tpm.hasKey(ecKeyName), false);
}
+BOOST_AUTO_TEST_CASE(HmacSigningAndVerifying)
+{
+ BackEndWrapperMem wrapper;
+ BackEnd& tpm = wrapper.getTpm();
+
+ // create an HMAC key
+ Name identity("/Test/HMAC/KeyName");
+ unique_ptr<KeyHandle> key = tpm.createKey(identity, HmacKeyParams());
+ Name hmacKeyName = key->getKeyName();
+
+ const uint8_t content[] = {0x01, 0x02, 0x03, 0x04};
+ auto sigValue = key->sign(DigestAlgorithm::SHA256, content, sizeof(content));
+ BOOST_REQUIRE(sigValue != nullptr);
+ Block sigBlock(tlv::SignatureValue, sigValue);
+
+ bool result = key->verify(DigestAlgorithm::SHA256, content, sizeof(content),
+ sigBlock.value(), sigBlock.value_size());
+ BOOST_CHECK_EQUAL(result, true);
+
+ tpm.deleteKey(hmacKeyName);
+ BOOST_CHECK_EQUAL(tpm.hasKey(hmacKeyName), false);
+}
+
BOOST_AUTO_TEST_CASE_TEMPLATE(ImportExport, T, TestBackEnds)
{
const std::string privKeyPkcs1 =