blob: 65821fad1726b40c5774a3fa6a690ed56c88ca62 [file] [log] [blame]
Alexander Afanasyev4c9a3d52017-01-03 17:45:19 -08001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
2/**
3 * Copyright (c) 2013-2017 Regents of the University of California.
4 *
5 * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
6 *
7 * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8 * terms of the GNU Lesser General Public License as published by the Free Software
9 * Foundation, either version 3 of the License, or (at your option) any later version.
10 *
11 * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13 * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14 *
15 * You should have received copies of the GNU General Public License and GNU Lesser
16 * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17 * <http://www.gnu.org/licenses/>.
18 *
19 * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
20 *
21 * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
22 */
23
24#ifndef NDN_SECURITY_V1_KEY_CHAIN_HPP
25#define NDN_SECURITY_V1_KEY_CHAIN_HPP
26
27#include "sec-public-info.hpp"
28#include "sec-tpm.hpp"
29#include "secured-bag.hpp"
30#include "../key-params.hpp"
31#include "../signature-sha256-with-rsa.hpp"
32#include "../signature-sha256-with-ecdsa.hpp"
33#include "../digest-sha256.hpp"
34#include "../signing-info.hpp"
35
36#include "../../interest.hpp"
37#include "../../util/crypto.hpp"
38#include "../../util/random.hpp"
39#include <initializer_list>
40
41namespace ndn {
42namespace security {
43namespace v1 {
44
45/**
46 * @brief The packet signing interface.
47 *
48 * @deprecated Use v2::KeyChain
49 */
50class KeyChain : noncopyable
51{
52public:
53 class Error : public std::runtime_error
54 {
55 public:
56 explicit
57 Error(const std::string& what)
58 : std::runtime_error(what)
59 {
60 }
61 };
62
63 /**
64 * @brief Error thrown when the supplied TPM locator to KeyChain constructor does not match
65 * the locator stored in PIB
66 */
67 class MismatchError : public Error
68 {
69 public:
70 explicit
71 MismatchError(const std::string& what)
72 : Error(what)
73 {
74 }
75 };
76
77 typedef function<unique_ptr<SecPublicInfo> (const std::string&)> PibCreateFunc;
78 typedef function<unique_ptr<SecTpm>(const std::string&)> TpmCreateFunc;
79
80 /**
81 * @brief Register a new PIB
82 * @param aliases List of schemes with which this PIB will be associated.
83 * The first alias in the list is considered a canonical name of the PIB instance.
84 */
85 template<class PibType>
86 static void
87 registerPib(std::initializer_list<std::string> aliases);
88
89 /**
90 * @brief Register a new TPM
91 * @param aliases List of schemes with which this TPM will be associated
92 * The first alias in the list is considered a canonical name of the TPM instance.
93 */
94 template<class TpmType>
95 static void
96 registerTpm(std::initializer_list<std::string> aliases);
97
98 /**
99 * @brief Get default PIB locator
100 */
101 static std::string
102 getDefaultPibLocator();
103
104 /**
105 * @brief Create a PIB according to @p pibLocator
106 */
107 static unique_ptr<SecPublicInfo>
108 createPib(const std::string& pibLocator);
109
110 /**
111 * @brief Get default TPM locator
112 */
113 static std::string
114 getDefaultTpmLocator();
115
116 /**
117 * @brief Create a TPM according to @p tpmLocator
118 */
119 static unique_ptr<SecTpm>
120 createTpm(const std::string& tpmLocator);
121
122 /**
123 * @brief Constructor to create KeyChain with default PIB and TPM
124 *
125 * Default PIB and TPM are platform-dependent and can be overriden system-wide or on
126 * per-use basis.
127 *
128 * @todo Add detailed description about config file behavior here
129 */
130 KeyChain();
131
132 /**
133 * @brief KeyChain constructor
134 *
135 * @sa http://redmine.named-data.net/issues/2260
136 *
137 * @param pibLocator PIB locator
138 * @param tpmLocator TPM locator
139 * @param allowReset if true, the PIB will be reset when the supplied tpmLocator
140 * mismatches the one in PIB
141 */
142 KeyChain(const std::string& pibLocator,
143 const std::string& tpmLocator,
144 bool allowReset = false);
145
146 virtual
147 ~KeyChain();
148
149 /**
150 * @brief Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a
151 * self-signed certificate of the KSK.
152 *
153 * @param identityName The name of the identity.
154 * @param params The key parameter if a key needs to be generated for the identity.
155 * @return The name of the default certificate of the identity.
156 */
157 Name
158 createIdentity(const Name& identityName, const KeyParams& params = DEFAULT_KEY_PARAMS);
159
160 /**
161 * @brief Generate a pair of RSA keys for the specified identity.
162 *
163 * @param identityName The name of the identity.
164 * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
165 * @param keySize The size of the key.
166 * @return The generated key name.
Spyridon Mastorakis1ece2e32015-08-27 18:52:21 -0700167 * @see generateEcKeyPair
Alexander Afanasyev4c9a3d52017-01-03 17:45:19 -0800168 */
169 Name
170 generateRsaKeyPair(const Name& identityName, bool isKsk = false, uint32_t keySize = 2048);
171
172 /**
Spyridon Mastorakis1ece2e32015-08-27 18:52:21 -0700173 * @brief Generate a pair of EC keys for the specified identity.
Alexander Afanasyev4c9a3d52017-01-03 17:45:19 -0800174 *
175 * @param identityName The name of the identity.
176 * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
177 * @param keySize The size of the key.
178 * @return The generated key name.
179 * @see generateRsaKeyPair
180 */
181 Name
Spyridon Mastorakis1ece2e32015-08-27 18:52:21 -0700182 generateEcKeyPair(const Name& identityName, bool isKsk = false, uint32_t keySize = 256);
Alexander Afanasyev4c9a3d52017-01-03 17:45:19 -0800183
184 /**
185 * @brief Generate a pair of RSA keys for the specified identity and set it as default key for
186 * the identity.
187 *
188 * @param identityName The name of the identity.
189 * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
190 * @param keySize The size of the key.
191 * @return The generated key name.
Spyridon Mastorakis1ece2e32015-08-27 18:52:21 -0700192 * @see generateRsaKeyPair, generateEcKeyPair, generateEcKeyPairAsDefault
Alexander Afanasyev4c9a3d52017-01-03 17:45:19 -0800193 */
194 Name
195 generateRsaKeyPairAsDefault(const Name& identityName, bool isKsk = false, uint32_t keySize = 2048);
196
197 /**
Spyridon Mastorakis1ece2e32015-08-27 18:52:21 -0700198 * @brief Generate a pair of EC keys for the specified identity and set it as default key for
Alexander Afanasyev4c9a3d52017-01-03 17:45:19 -0800199 * the identity.
200 *
201 * @param identityName The name of the identity.
202 * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
203 * @param keySize The size of the key.
204 * @return The generated key name.
Spyridon Mastorakis1ece2e32015-08-27 18:52:21 -0700205 * @see generateRsaKeyPair, generateEcKeyPair, generateRsaKeyPairAsDefault
Alexander Afanasyev4c9a3d52017-01-03 17:45:19 -0800206 */
207 Name
Spyridon Mastorakis1ece2e32015-08-27 18:52:21 -0700208 generateEcKeyPairAsDefault(const Name& identityName, bool isKsk = false, uint32_t keySize = 256);
Alexander Afanasyev4c9a3d52017-01-03 17:45:19 -0800209
210 /**
211 * @brief prepare an unsigned identity certificate
212 *
213 * @param keyName Key name, e.g., `/<identity_name>/ksk-123456`.
214 * @param signingIdentity The signing identity.
215 * @param notBefore Refer to IdentityCertificate.
216 * @param notAfter Refer to IdentityCertificate.
217 * @param subjectDescription Refer to IdentityCertificate.
218 * @param certPrefix Prefix before `KEY` component. By default, KeyChain will infer the
219 * certificate name according to the relation between the signingIdentity and
220 * the subject identity. If signingIdentity is a prefix of the subject identity,
221 * `KEY` will be inserted after the signingIdentity, otherwise `KEY` is inserted
222 * after subject identity (i.e., before `ksk-....`).
223 * @return IdentityCertificate.
224 */
225 shared_ptr<IdentityCertificate>
226 prepareUnsignedIdentityCertificate(const Name& keyName,
227 const Name& signingIdentity,
228 const time::system_clock::TimePoint& notBefore,
229 const time::system_clock::TimePoint& notAfter,
230 const std::vector<CertificateSubjectDescription>& subjectDescription,
231 const Name& certPrefix = DEFAULT_PREFIX);
232
233 /**
234 * @brief prepare an unsigned identity certificate
235 *
236 * @param keyName Key name, e.g., `/<identity_name>/ksk-123456`.
237 * @param publicKey Public key to sign.
238 * @param signingIdentity The signing identity.
239 * @param notBefore Refer to IdentityCertificate.
240 * @param notAfter Refer to IdentityCertificate.
241 * @param subjectDescription Refer to IdentityCertificate.
242 * @param certPrefix Prefix before `KEY` component. By default, KeyChain will infer the
243 * certificate name according to the relation between the signingIdentity and
244 * the subject identity. If signingIdentity is a prefix of the subject identity,
245 * `KEY` will be inserted after the signingIdentity, otherwise `KEY` is inserted
246 * after subject identity (i.e., before `ksk-....`).
247 * @return IdentityCertificate.
248 */
249 shared_ptr<IdentityCertificate>
250 prepareUnsignedIdentityCertificate(const Name& keyName,
251 const PublicKey& publicKey,
252 const Name& signingIdentity,
253 const time::system_clock::TimePoint& notBefore,
254 const time::system_clock::TimePoint& notAfter,
255 const std::vector<CertificateSubjectDescription>& subjectDescription,
256 const Name& certPrefix = DEFAULT_PREFIX);
257
258 /**
259 * @brief Sign data according to the supplied signing information
260 *
261 * This method uses the supplied signing information @p params to create the SignatureInfo block:
262 * - it selects a private key and its certificate to sign the packet
263 * - sets the KeyLocator field with the certificate name, and
264 * - adds other requested information to the SignatureInfo block).
265 *
266 * After that, the method assigns the created SignatureInfo to the data packets, generate a
267 * signature and sets as part of the SignatureValue block.
268 *
269 * @param data The data to sign
270 * @param params The signing parameters.
271 * @throws Error if signing fails.
272 * @see SigningInfo
273 */
274 void
275 sign(Data& data, const SigningInfo& params = DEFAULT_SIGNING_INFO);
276
277 /**
278 * @brief Sign interest according to the supplied signing information
279 *
280 * This method uses the supplied signing information @p params to create the SignatureInfo block:
281 * - it selects a private key and its certificate to sign the packet
282 * - sets the KeyLocator field with the certificate name, and
283 * - adds other requested information to the SignatureInfo block).
284 *
285 * After that, the method appends the created SignatureInfo to the interest name, generate a
286 * signature and appends it as part of the SignatureValue block to the interest name.
287 *
288 * @param interest The interest to sign
289 * @param params The signing parameters.
290 * @throws Error if signing fails.
291 * @see SigningInfo
292 */
293 void
294 sign(Interest& interest, const SigningInfo& params = DEFAULT_SIGNING_INFO);
295
296 /**
297 * @brief Sign buffer according to the supplied signing information
298 *
299 * @param buffer The buffer to sign
300 * @param bufferLength The buffer size
301 * @param params The signing parameters.
302 * @return a SignatureValue TLV block
303 * @throws Error if signing fails.
304 * @see SigningInfo
305 */
306 Block
307 sign(const uint8_t* buffer, size_t bufferLength, const SigningInfo& params);
308
309 /**
310 * @deprecated use sign sign(T&, const SigningInfo&)
311 * @brief Sign packet with a particular certificate.
312 *
313 * @param packet The packet to be signed.
314 * @param certificateName The certificate name of the key to use for signing.
315 * @throws SecPublicInfo::Error if certificate does not exist.
316 */
317 template<typename T>
318 void
319 sign(T& packet, const Name& certificateName);
320
321 /**
322 * @deprecated Use sign(const uint8_t*, size_t, const SigningInfo&) instead
323 * @brief Sign the byte array using a particular certificate.
324 *
325 * @param buffer The byte array to be signed.
326 * @param bufferLength the length of buffer.
327 * @param certificateName The certificate name of the signing key.
328 * @return The Signature.
329 * @throws SecPublicInfo::Error if certificate does not exist.
330 */
331 Signature
332 sign(const uint8_t* buffer, size_t bufferLength, const Name& certificateName);
333
334 /**
335 * @deprecated use sign sign(T&, const SigningInfo&)
336 * @brief Sign packet using the default certificate of a particular identity.
337 *
338 * If there is no default certificate of that identity, this method will create a self-signed
339 * certificate.
340 *
341 * @param packet The packet to be signed.
342 * @param identityName The signing identity name.
343 */
344 template<typename T>
345 void
346 signByIdentity(T& packet, const Name& identityName);
347
348 /**
349 * @deprecated use sign(const uint8_t*, size_t, const SigningInfo&) instead
350 * @brief Sign the byte array using the default certificate of a particular identity.
351 *
352 * @param buffer The byte array to be signed.
353 * @param bufferLength the length of buffer.
354 * @param identityName The identity name.
355 * @return The Signature.
356 */
357 Signature
358 signByIdentity(const uint8_t* buffer, size_t bufferLength, const Name& identityName);
359
360 /**
361 * @deprecated use sign(Data&, SigningInfo(SigningInfo::SIGNER_TYPE_SHA256))
362 * @brief Set Sha256 weak signature for @p data
363 */
364 void
365 signWithSha256(Data& data);
366
367 /**
368 * @deprecated use sign(Interest&, SigningInfo(SigningInfo::SIGNER_TYPE_SHA256))
369 * @brief Set Sha256 weak signature for @p interest
370 */
371 void
372 signWithSha256(Interest& interest);
373
374 /**
375 * @brief Generate a self-signed certificate for a public key.
376 *
377 * @param keyName The name of the public key
378 * @return The generated certificate, shared_ptr<IdentityCertificate>() if selfSign fails
379 */
380 shared_ptr<IdentityCertificate>
381 selfSign(const Name& keyName);
382
383 /**
384 * @brief Self-sign the supplied identity certificate.
385 *
386 * @param cert The supplied cert.
387 * @throws SecTpm::Error if the private key does not exist.
388 */
389 void
390 selfSign(IdentityCertificate& cert);
391
392 /**
393 * @brief delete a certificate.
394 *
395 * @param certificateName The certificate to be deleted.
396 * @throws KeyChain::Error if certificate cannot be deleted.
397 */
398 void
399 deleteCertificate(const Name& certificateName);
400
401 /**
402 * @brief delete a key.
403 *
404 * @param keyName The key to be deleted.
405 * @throws KeyChain::Error if key cannot be deleted.
406 */
407 void
408 deleteKey(const Name& keyName);
409
410 /**
411 * @brief delete an identity.
412 *
413 * @param identity The identity to be deleted.
414 * @throws KeyChain::Error if identity cannot be deleted.
415 */
416 void
417 deleteIdentity(const Name& identity);
418
419 /**
420 * @brief export an identity.
421 *
422 * @param identity The identity to export.
423 * @param passwordStr The password to secure the private key.
424 * @return The encoded export data.
425 * @throws SecPublicInfo::Error if anything goes wrong in exporting.
426 */
427 shared_ptr<SecuredBag>
428 exportIdentity(const Name& identity, const std::string& passwordStr);
429
430 /**
431 * @brief import an identity.
432 *
433 * @param securedBag The encoded import data.
434 * @param passwordStr The password to secure the private key.
435 */
436 void
437 importIdentity(const SecuredBag& securedBag, const std::string& passwordStr);
438
439 SecPublicInfo&
440 getPib()
441 {
442 return *m_pib;
443 }
444
445 const SecPublicInfo&
446 getPib() const
447 {
448 return *m_pib;
449 }
450
451 SecTpm&
452 getTpm()
453 {
454 return *m_tpm;
455 }
456
457 const SecTpm&
458 getTpm() const
459 {
460 return *m_tpm;
461 }
462
463 /*******************************
464 * Wrapper of SecPublicInfo *
465 *******************************/
466 bool
467 doesIdentityExist(const Name& identityName) const
468 {
469 return m_pib->doesIdentityExist(identityName);
470 }
471
472 void
473 addIdentity(const Name& identityName)
474 {
475 return m_pib->addIdentity(identityName);
476 }
477
478 bool
479 doesPublicKeyExist(const Name& keyName) const
480 {
481 return m_pib->doesPublicKeyExist(keyName);
482 }
483
484 void
485 addPublicKey(const Name& keyName, KeyType keyType, const PublicKey& publicKeyDer)
486 {
487 return m_pib->addKey(keyName, publicKeyDer);
488 }
489
490 void
491 addKey(const Name& keyName, const PublicKey& publicKeyDer)
492 {
493 return m_pib->addKey(keyName, publicKeyDer);
494 }
495
496 shared_ptr<PublicKey>
497 getPublicKey(const Name& keyName) const
498 {
499 return m_pib->getPublicKey(keyName);
500 }
501
502 bool
503 doesCertificateExist(const Name& certificateName) const
504 {
505 return m_pib->doesCertificateExist(certificateName);
506 }
507
508 void
509 addCertificate(const IdentityCertificate& certificate)
510 {
511 return m_pib->addCertificate(certificate);
512 }
513
514 shared_ptr<IdentityCertificate>
515 getCertificate(const Name& certificateName) const
516 {
517 return m_pib->getCertificate(certificateName);
518 }
519
520 Name
521 getDefaultIdentity() const
522 {
523 return m_pib->getDefaultIdentity();
524 }
525
526 Name
527 getDefaultKeyNameForIdentity(const Name& identityName) const
528 {
529 return m_pib->getDefaultKeyNameForIdentity(identityName);
530 }
531
532 /**
533 * @brief Get default key parameters for the specified identity
534 *
535 * If identity has a previously generated key, the returned parameters
536 * will include the same type of the key. If there are no existing
537 * keys, DEFAULT_KEY_PARAMS is used.
538 */
539 const KeyParams&
540 getDefaultKeyParamsForIdentity(const Name& identityName) const;
541
542 Name
543 getDefaultCertificateNameForKey(const Name& keyName) const
544 {
545 return m_pib->getDefaultCertificateNameForKey(keyName);
546 }
547
548 void
549 getAllIdentities(std::vector<Name>& nameList, bool isDefault) const
550 {
551 return m_pib->getAllIdentities(nameList, isDefault);
552 }
553
554 void
555 getAllKeyNames(std::vector<Name>& nameList, bool isDefault) const
556 {
557 return m_pib->getAllKeyNames(nameList, isDefault);
558 }
559
560 void
561 getAllKeyNamesOfIdentity(const Name& identity, std::vector<Name>& nameList, bool isDefault) const
562 {
563 return m_pib->getAllKeyNamesOfIdentity(identity, nameList, isDefault);
564 }
565
566 void
567 getAllCertificateNames(std::vector<Name>& nameList, bool isDefault) const
568 {
569 return m_pib->getAllCertificateNames(nameList, isDefault);
570 }
571
572 void
573 getAllCertificateNamesOfKey(const Name& keyName,
574 std::vector<Name>& nameList,
575 bool isDefault) const
576 {
577 return m_pib->getAllCertificateNamesOfKey(keyName, nameList, isDefault);
578 }
579
580 void
581 deleteCertificateInfo(const Name& certificateName)
582 {
583 return m_pib->deleteCertificateInfo(certificateName);
584 }
585
586 void
587 deletePublicKeyInfo(const Name& keyName)
588 {
589 return m_pib->deletePublicKeyInfo(keyName);
590 }
591
592 void
593 deleteIdentityInfo(const Name& identity)
594 {
595 return m_pib->deleteIdentityInfo(identity);
596 }
597
598 void
599 setDefaultIdentity(const Name& identityName)
600 {
601 return m_pib->setDefaultIdentity(identityName);
602 }
603
604 void
605 setDefaultKeyNameForIdentity(const Name& keyName)
606 {
607 return m_pib->setDefaultKeyNameForIdentity(keyName);
608 }
609
610 void
611 setDefaultCertificateNameForKey(const Name& certificateName)
612 {
613 return m_pib->setDefaultCertificateNameForKey(certificateName);
614 }
615
616 Name
617 getNewKeyName(const Name& identityName, bool useKsk)
618 {
619 return m_pib->getNewKeyName(identityName, useKsk);
620 }
621
622 Name
623 getDefaultCertificateNameForIdentity(const Name& identityName) const
624 {
625 return m_pib->getDefaultCertificateNameForIdentity(identityName);
626 }
627
628 Name
629 getDefaultCertificateName() const
630 {
631 return m_pib->getDefaultCertificateName();
632 }
633
634 void
635 addCertificateAsKeyDefault(const IdentityCertificate& certificate)
636 {
637 return m_pib->addCertificateAsKeyDefault(certificate);
638 }
639
640 void
641 addCertificateAsIdentityDefault(const IdentityCertificate& certificate)
642 {
643 return m_pib->addCertificateAsIdentityDefault(certificate);
644 }
645
646 void
647 addCertificateAsSystemDefault(const IdentityCertificate& certificate)
648 {
649 return m_pib->addCertificateAsSystemDefault(certificate);
650 }
651
652 shared_ptr<IdentityCertificate>
653 getDefaultCertificate() const
654 {
655 if (!static_cast<bool>(m_pib->getDefaultCertificate()))
656 const_cast<KeyChain*>(this)->setDefaultCertificateInternal();
657
658 return m_pib->getDefaultCertificate();
659 }
660
661 void
662 refreshDefaultCertificate()
663 {
664 return m_pib->refreshDefaultCertificate();
665 }
666
667 /*******************************
668 * Wrapper of SecTpm *
669 *******************************/
670
671 void
672 setTpmPassword(const uint8_t* password, size_t passwordLength)
673 {
674 return m_tpm->setTpmPassword(password, passwordLength);
675 }
676
677 void
678 resetTpmPassword()
679 {
680 return m_tpm->resetTpmPassword();
681 }
682
683 void
684 setInTerminal(bool inTerminal)
685 {
686 return m_tpm->setInTerminal(inTerminal);
687 }
688
689 bool
690 getInTerminal() const
691 {
692 return m_tpm->getInTerminal();
693 }
694
695 bool
696 isLocked() const
697 {
698 return m_tpm->isLocked();
699 }
700
701 bool
702 unlockTpm(const char* password, size_t passwordLength, bool usePassword)
703 {
704 return m_tpm->unlockTpm(password, passwordLength, usePassword);
705 }
706
707 void
708 generateKeyPairInTpm(const Name& keyName, const KeyParams& params)
709 {
710 return m_tpm->generateKeyPairInTpm(keyName, params);
711 }
712
713 void
714 deleteKeyPairInTpm(const Name& keyName)
715 {
716 return m_tpm->deleteKeyPairInTpm(keyName);
717 }
718
719 shared_ptr<PublicKey>
720 getPublicKeyFromTpm(const Name& keyName) const
721 {
722 return m_tpm->getPublicKeyFromTpm(keyName);
723 }
724
725 Block
726 signInTpm(const uint8_t* data, size_t dataLength,
727 const Name& keyName,
728 DigestAlgorithm digestAlgorithm)
729 {
730 return m_tpm->signInTpm(data, dataLength, keyName, digestAlgorithm);
731 }
732
733 ConstBufferPtr
734 decryptInTpm(const uint8_t* data, size_t dataLength, const Name& keyName, bool isSymmetric)
735 {
736 return m_tpm->decryptInTpm(data, dataLength, keyName, isSymmetric);
737 }
738
739 ConstBufferPtr
740 encryptInTpm(const uint8_t* data, size_t dataLength, const Name& keyName, bool isSymmetric)
741 {
742 return m_tpm->encryptInTpm(data, dataLength, keyName, isSymmetric);
743 }
744
745 void
746 generateSymmetricKeyInTpm(const Name& keyName, const KeyParams& params)
747 {
748 return m_tpm->generateSymmetricKeyInTpm(keyName, params);
749 }
750
751 bool
752 doesKeyExistInTpm(const Name& keyName, KeyClass keyClass) const
753 {
754 return m_tpm->doesKeyExistInTpm(keyName, keyClass);
755 }
756
757 bool
758 generateRandomBlock(uint8_t* res, size_t size) const
759 {
760 return m_tpm->generateRandomBlock(res, size);
761 }
762
763 void
764 addAppToAcl(const Name& keyName, KeyClass keyClass, const std::string& appPath, AclType acl)
765 {
766 return m_tpm->addAppToAcl(keyName, keyClass, appPath, acl);
767 }
768
769 ConstBufferPtr
770 exportPrivateKeyPkcs5FromTpm(const Name& keyName, const std::string& password)
771 {
772 return m_tpm->exportPrivateKeyPkcs5FromTpm(keyName, password);
773 }
774
775 bool
776 importPrivateKeyPkcs5IntoTpm(const Name& keyName,
777 const uint8_t* buf, size_t size,
778 const std::string& password)
779 {
780 return m_tpm->importPrivateKeyPkcs5IntoTpm(keyName, buf, size, password);
781 }
782
783private:
784 void
785 initialize(const std::string& pibLocatorUri,
786 const std::string& tpmLocatorUri,
787 bool needReset);
788
789 /**
790 * @brief Prepare a SignatureInfo TLV according to signing information and return the signing key name
791 *
792 * @param params The signing parameters.
793 * @return The signing key name and prepared SignatureInfo.
794 * @throw Error when the requested signing method cannot be satisfied.
795 */
796 std::tuple<Name, SignatureInfo>
797 prepareSignatureInfo(const SigningInfo& params);
798
799 /**
800 * @brief Internal abstraction of packet signing.
801 *
802 * @param packet The packet to sign
803 * @param params The signing parameters.
804 * @throw Error when the signing fails.
805 */
806 template<typename T>
807 void
808 signImpl(T& packet, const SigningInfo& params);
809
810 /**
811 * @brief Set default certificate if it is not initialized
812 */
813 void
814 setDefaultCertificateInternal();
815
816 /**
817 * @brief Generate a key pair for the specified identity.
818 *
819 * @param identityName The name of the specified identity.
820 * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
821 * @param params The parameter of the key.
822 * @return The name of the generated key.
823 */
824 Name
825 generateKeyPair(const Name& identityName, bool isKsk = false,
826 const KeyParams& params = DEFAULT_KEY_PARAMS);
827
828 /**
829 * @brief Sign the data using a particular key.
830 *
831 * @param data Reference to the data packet.
832 * @param signature Signature to be added.
833 * @param keyName The name of the signing key.
834 * @param digestAlgorithm the digest algorithm.
835 * @throws Tpm::Error
836 */
837 void
838 signPacketWrapper(Data& data, const Signature& signature,
839 const Name& keyName, DigestAlgorithm digestAlgorithm);
840
841 /**
842 * @brief Sign the interest using a particular key.
843 *
844 * @param interest Reference to the interest packet.
845 * @param signature Signature to be added.
846 * @param keyName The name of the signing key.
847 * @param digestAlgorithm the digest algorithm.
848 * @throws Tpm::Error
849 */
850 void
851 signPacketWrapper(Interest& interest, const Signature& signature,
852 const Name& keyName, DigestAlgorithm digestAlgorithm);
853
854 /**
855 * @brief Generate a SignatureValue block for a buffer @p buf with size @p size using
856 * a key with name @p keyName and digest algorithm @p digestAlgorithm.
857 */
858 Block
859 pureSign(const uint8_t* buf, size_t size, const Name& keyName, DigestAlgorithm digestAlgorithm) const;
860
861 static void
862 registerPibImpl(const std::string& canonicalName,
863 std::initializer_list<std::string> aliases, PibCreateFunc createFunc);
864
865 static void
866 registerTpmImpl(const std::string& canonicalName,
867 std::initializer_list<std::string> aliases, TpmCreateFunc createFunc);
868
869public:
870 static tlv::SignatureTypeValue
871 getSignatureType(KeyType keyType, DigestAlgorithm digestAlgorithm);
872
873public:
874 static const Name DEFAULT_PREFIX;
875 static const SigningInfo DEFAULT_SIGNING_INFO;
876
877 // RsaKeyParams is set to be default for backward compatibility.
878 static const RsaKeyParams DEFAULT_KEY_PARAMS;
879
880 typedef std::map<std::string, Block> SignParams;
881
882private:
883 std::unique_ptr<SecPublicInfo> m_pib;
884 std::unique_ptr<SecTpm> m_tpm;
885 time::milliseconds m_lastTimestamp;
886};
887
888template<typename T>
889void
890KeyChain::signImpl(T& packet, const SigningInfo& params)
891{
892 Name keyName;
893 SignatureInfo sigInfo;
894 std::tie(keyName, sigInfo) = prepareSignatureInfo(params);
895
896 signPacketWrapper(packet, Signature(sigInfo),
897 keyName, params.getDigestAlgorithm());
898}
899
900template<typename T>
901void
902KeyChain::sign(T& packet, const Name& certificateName)
903{
904 signImpl(packet, SigningInfo(SigningInfo::SIGNER_TYPE_CERT, certificateName));
905}
906
907template<typename T>
908void
909KeyChain::signByIdentity(T& packet, const Name& identityName)
910{
911 signImpl(packet, SigningInfo(SigningInfo::SIGNER_TYPE_ID, identityName));
912}
913
914template<class PibType>
915inline void
916KeyChain::registerPib(std::initializer_list<std::string> aliases)
917{
918 registerPibImpl(*aliases.begin(), aliases, [] (const std::string& locator) {
919 return make_unique<PibType>(locator);
920 });
921}
922
923template<class TpmType>
924inline void
925KeyChain::registerTpm(std::initializer_list<std::string> aliases)
926{
927 registerTpmImpl(*aliases.begin(), aliases, [] (const std::string& locator) {
928 return make_unique<TpmType>(locator);
929 });
930}
931
932/**
933 * \brief Register SecPib class in ndn-cxx KeyChain
934 *
935 * This macro should be placed once in the implementation file of the
936 * SecPib type within the namespace where the type is declared.
937 */
938#define NDN_CXX_V1_KEYCHAIN_REGISTER_PIB(PibType, ...) \
939static class NdnCxxAuto ## PibType ## PibRegistrationClass \
940{ \
941public: \
942 NdnCxxAuto ## PibType ## PibRegistrationClass() \
943 { \
944 ::ndn::security::v1::KeyChain::registerPib<PibType>({__VA_ARGS__}); \
945 } \
946} ndnCxxAuto ## PibType ## PibRegistrationVariable
947
948/**
949 * \brief Register SecTpm class in ndn-cxx KeyChain
950 *
951 * This macro should be placed once in the implementation file of the
952 * SecTpm type within the namespace where the type is declared.
953 */
954#define NDN_CXX_V1_KEYCHAIN_REGISTER_TPM(TpmType, ...) \
955static class NdnCxxAuto ## TpmType ## TpmRegistrationClass \
956{ \
957public: \
958 NdnCxxAuto ## TpmType ## TpmRegistrationClass() \
959 { \
960 ::ndn::security::v1::KeyChain::registerTpm<TpmType>({__VA_ARGS__}); \
961 } \
962} ndnCxxAuto ## TpmType ## TpmRegistrationVariable
963
964} // namespace v1
965} // namespace security
966} // namespace ndn
967
968#endif // NDN_SECURITY_V1_KEY_CHAIN_HPP