blob: 5d5f6adde06b8271037578d4122af5b8c3e5b692 [file] [log] [blame]
Jeff Thompson25b4e612013-10-10 16:03:24 -07001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
Jeff Thompson47c93cf2013-08-09 00:38:48 -07002/**
Jeff Thompson7687dc02013-09-13 11:54:07 -07003 * Copyright (C) 2013 Regents of the University of California.
4 * @author: Jeff Thompson <jefft0@remap.ucla.edu>
Jeff Thompson47c93cf2013-08-09 00:38:48 -07005 * See COPYING for copyright and distribution information.
6 */
7
8#ifndef NDN_KEY_CHAIN_HPP
Jeff Thompson2d27e2f2013-08-09 12:55:00 -07009#define NDN_KEY_CHAIN_HPP
Jeff Thompson47c93cf2013-08-09 00:38:48 -070010
Jeff Thompson7a67cb62013-08-26 11:43:18 -070011#include "../data.hpp"
Jeff Thompson2ce8f492013-09-17 18:01:25 -070012#include "../face.hpp"
13#include "identity/identity-manager.hpp"
Jeff Thompson79a2d5d2013-09-27 14:32:23 -070014#include "encryption/encryption-manager.hpp"
Jeff Thompson47c93cf2013-08-09 00:38:48 -070015
16namespace ndn {
17
Jeff Thompson29ce3102013-09-27 11:47:48 -070018class PolicyManager;
19
Jeff Thompson2ce8f492013-09-17 18:01:25 -070020/**
21 * An OnVerified function object is used to pass a callback to verifyData to report a successful verification.
22 */
23typedef func_lib::function<void(const ptr_lib::shared_ptr<Data>& data)> OnVerified;
24
25/**
26 * An OnVerifyFailed function object is used to pass a callback to verifyData to report a failed verification.
27 */
Jeff Thompson29ce3102013-09-27 11:47:48 -070028typedef func_lib::function<void(const ptr_lib::shared_ptr<Data>& data)> OnVerifyFailed;
Jeff Thompson2ce8f492013-09-17 18:01:25 -070029
Jeff Thompsonffa36f92013-09-20 08:42:41 -070030/**
Jeff Thompson79a2d5d2013-09-27 14:32:23 -070031 * Keychain is the main class of the security library.
Jeff Thompsonffa36f92013-09-20 08:42:41 -070032 *
33 * The Keychain class provides a set of interfaces to the security library such as identity management, policy configuration
34 * and packet signing and verification.
35 */
Jeff Thompson47c93cf2013-08-09 00:38:48 -070036class KeyChain {
37public:
Jeff Thompson29ce3102013-09-27 11:47:48 -070038 KeyChain
39 (const ptr_lib::shared_ptr<IdentityManager>& identityManager, const ptr_lib::shared_ptr<PolicyManager>& policyManager);
Jeff Thompson2ce8f492013-09-17 18:01:25 -070040
Jeff Thompson79a2d5d2013-09-27 14:32:23 -070041 /*****************************************
42 * Identity Management *
43 *****************************************/
44
Jeff Thompson79a2d5d2013-09-27 14:32:23 -070045 /**
46 * Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed certificate of the KSK.
47 * @param identityName The name of the identity.
48 * @return The key name of the auto-generated KSK of the identity.
49 */
50 Name
51 createIdentity(const Name& identityName)
52 {
53 return identityManager_->createIdentity(identityName);
54 }
Jeff Thompson79a2d5d2013-09-27 14:32:23 -070055
56 /**
57 * Get the default identity.
58 * @return The default identity name.
59 */
60 Name
61 getDefaultIdentity()
62 {
63 return identityManager_->getDefaultIdentity();
64 }
65
Jeff Thompson79a2d5d2013-09-27 14:32:23 -070066 /**
Jeff Thompsone7e069b2013-09-27 15:48:48 -070067 * Generate a pair of RSA keys for the specified identity.
68 * @param identityName The name of the identity.
69 * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
70 * @param keySize The size of the key.
71 * @return The generated key name.
Jeff Thompson79a2d5d2013-09-27 14:32:23 -070072 */
73 Name
Jeff Thompsone7e069b2013-09-27 15:48:48 -070074 generateRSAKeyPair(const Name& identityName, bool isKsk = false, int keySize = 2048)
75 {
76 return identityManager_->generateRSAKeyPair(identityName, isKsk, keySize);
77 }
Jeff Thompson79a2d5d2013-09-27 14:32:23 -070078
79 /**
Jeff Thompsone7e069b2013-09-27 15:48:48 -070080 * Set a key as the default key of an identity.
81 * @param keyName The name of the key.
82 * @param identityName the name of the identity. If not specified, the identity name is inferred from the keyName.
Jeff Thompson79a2d5d2013-09-27 14:32:23 -070083 */
84 void
Jeff Thompsone7e069b2013-09-27 15:48:48 -070085 setDefaultKeyForIdentity(const Name& keyName, const Name& identityName = Name())
86 {
87 return identityManager_->setDefaultKeyForIdentity(keyName, identityName);
88 }
Jeff Thompson79a2d5d2013-09-27 14:32:23 -070089
90 /**
Jeff Thompsone7e069b2013-09-27 15:48:48 -070091 * Generate a pair of RSA keys for the specified identity and set it as default key for the identity.
92 * @param identityName The name of the identity.
93 * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
94 * @param keySize The size of the key.
95 * @return The generated key name.
Jeff Thompson79a2d5d2013-09-27 14:32:23 -070096 */
97 Name
Jeff Thompsone7e069b2013-09-27 15:48:48 -070098 generateRSAKeyPairAsDefault(const Name& identityName, bool isKsk = false, int keySize = 2048)
99 {
100 return identityManager_->generateRSAKeyPairAsDefault(identityName, isKsk, keySize);
101 }
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700102
103 /**
Jeff Thompsone7e069b2013-09-27 15:48:48 -0700104 * Create a public key signing request.
105 * @param keyName The name of the key.
106 * @returns The signing request data.
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700107 */
Jeff Thompsone7e069b2013-09-27 15:48:48 -0700108 Blob
109 createSigningRequest(const Name& keyName)
110 {
111 return identityManager_->getPublicKey(keyName)->getKeyDer();
112 }
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700113
114 /**
Jeff Thompsonb63abf52013-10-04 11:23:34 -0700115 * Install an identity certificate into the public key identity storage.
Jeff Thompsone7e069b2013-09-27 15:48:48 -0700116 * @param certificate The certificate to to added.
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700117 */
118 void
Jeff Thompsonc69163b2013-10-12 13:49:50 -0700119 installIdentityCertificate(const IdentityCertificate& certificate)
Jeff Thompsone7e069b2013-09-27 15:48:48 -0700120 {
121 identityManager_->addCertificate(certificate);
122 }
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700123
124 /**
Jeff Thompsone7e069b2013-09-27 15:48:48 -0700125 * Set the certificate as the default for its corresponding key.
Jeff Thompson418b05a2013-10-22 17:48:54 -0700126 * @param certificateName The certificate.
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700127 */
Jeff Thompsone7e069b2013-09-27 15:48:48 -0700128 void
Jeff Thompson418b05a2013-10-22 17:48:54 -0700129 setDefaultCertificateForKey(const IdentityCertificate& certificate)
Jeff Thompsone7e069b2013-09-27 15:48:48 -0700130 {
Jeff Thompson418b05a2013-10-22 17:48:54 -0700131 identityManager_->setDefaultCertificateForKey(certificate);
Jeff Thompsone7e069b2013-09-27 15:48:48 -0700132 }
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700133
134 /**
Jeff Thompsone7e069b2013-09-27 15:48:48 -0700135 * Get a certificate with the specified name.
136 * @param certificateName The name of the requested certificate.
Jeff Thompsonc69163b2013-10-12 13:49:50 -0700137 * @return the requested certificate which is valid.
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700138 */
Jeff Thompsone7e069b2013-09-27 15:48:48 -0700139 ptr_lib::shared_ptr<Certificate>
140 getCertificate(const Name& certificateName)
141 {
142 return identityManager_->getCertificate(certificateName);
143 }
144
145 /**
146 * Get a certificate even if the certificate is not valid anymore.
147 * @param certificateName The name of the requested certificate.
148 * @return the requested certificate.
149 */
150 ptr_lib::shared_ptr<Certificate>
151 getAnyCertificate(const Name& certificateName)
152 {
153 return identityManager_->getAnyCertificate(certificateName);
154 }
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700155
156 /**
Jeff Thompsonc69163b2013-10-12 13:49:50 -0700157 * Get an identity certificate with the specified name.
158 * @param certificateName The name of the requested certificate.
159 * @return the requested certificate which is valid.
160 */
161 ptr_lib::shared_ptr<IdentityCertificate>
162 getIdentityCertificate(const Name& certificateName)
163 {
164 return identityManager_->getCertificate(certificateName);
165 }
166
167 /**
168 * Get an identity certificate even if the certificate is not valid anymore.
169 * @param certificateName The name of the requested certificate.
170 * @return the requested certificate.
171 */
172 ptr_lib::shared_ptr<IdentityCertificate>
173 getAnyIdentityCertificate(const Name& certificateName)
174 {
175 return identityManager_->getAnyCertificate(certificateName);
176 }
177
178 /**
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700179 * Revoke a key
180 * @param keyName the name of the key that will be revoked
181 */
182 void
Jeff Thompsone7e069b2013-09-27 15:48:48 -0700183 revokeKey(const Name & keyName)
184 {
185 //TODO: Implement
186 }
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700187
188 /**
189 * Revoke a certificate
190 * @param certificateName the name of the certificate that will be revoked
191 */
192 void
Jeff Thompsone7e069b2013-09-27 15:48:48 -0700193 revokeCertificate(const Name & certificateName)
194 {
195 //TODO: Implement
196 }
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700197
Jeff Thompson418b05a2013-10-22 17:48:54 -0700198 ptr_lib::shared_ptr<IdentityManager>
199 getIdentityManager() { return identityManager_; }
200
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700201 /*****************************************
202 * Policy Management *
203 *****************************************/
204
205 const ptr_lib::shared_ptr<PolicyManager>&
206 getPolicyManager() { return policyManager_; }
207
208 /*****************************************
209 * Sign/Verify *
210 *****************************************/
211
Jeff Thompson47c93cf2013-08-09 00:38:48 -0700212 /**
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700213 * Wire encode the Data object, sign it and set its signature.
Jeff Thompsonade5b1e2013-08-09 12:16:45 -0700214 * Note: the caller must make sure the timestamp is correct, for example with
Jeff Thompsonfec716d2013-09-11 13:54:36 -0700215 * data.getMetaInfo().setTimestampMilliseconds(time(NULL) * 1000.0).
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700216 * @param data The Data object to be signed. This updates its signature and key locator field and wireEncoding.
Jeff Thompson9296f0c2013-09-23 18:10:27 -0700217 * @param certificateName The certificate name of the key to use for signing. If omitted, infer the signing identity from the data packet name.
Jeff Thompson8d24fe12013-09-18 15:54:51 -0700218 * @param wireFormat A WireFormat object used to encode the input. If omitted, use WireFormat getDefaultWireFormat().
Jeff Thompson3c73da42013-08-12 11:19:05 -0700219 */
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700220 void
Jeff Thompson29ce3102013-09-27 11:47:48 -0700221 sign(Data& data, const Name& certificateName, WireFormat& wireFormat = *WireFormat::getDefaultWireFormat());
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700222
Jeff Thompson29ce3102013-09-27 11:47:48 -0700223 /**
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700224 * Sign the byte array using a certificate name and return a Signature object.
225 * @param buffer The byte array to be signed.
226 * @param bufferLength the length of buffer.
227 * @param certificateName The certificate name used to get the signing key and which will be put into KeyLocator.
228 * @return The Signature.
229 */
230 ptr_lib::shared_ptr<Signature>
231 sign(const uint8_t* buffer, size_t bufferLength, const Name& certificateName);
232
233 /**
234 * Sign the byte array using a certificate name and return a Signature object.
235 * @param buffer The byte array to be signed.
236 * @param certificateName The certificate name used to get the signing key and which will be put into KeyLocator.
237 * @return The Signature.
238 */
239 ptr_lib::shared_ptr<Signature>
240 sign(const std::vector<uint8_t>& buffer, const Name& certificateName)
241 {
242 return sign(&buffer[0], buffer.size(), certificateName);
243 }
244
245 /**
Jeff Thompson29ce3102013-09-27 11:47:48 -0700246 * Wire encode the Data object, sign it and set its signature.
247 * Note: the caller must make sure the timestamp is correct, for example with
248 * data.getMetaInfo().setTimestampMilliseconds(time(NULL) * 1000.0).
249 * @param data The Data object to be signed. This updates its signature and key locator field and wireEncoding.
250 * @param identityName The identity name for the key to use for signing. If omitted, infer the signing identity from the data packet name.
251 * @param wireFormat A WireFormat object used to encode the input. If omitted, use WireFormat getDefaultWireFormat().
252 */
253 void
254 signByIdentity(Data& data, const Name& identityName = Name(), WireFormat& wireFormat = *WireFormat::getDefaultWireFormat());
Jeff Thompson3c73da42013-08-12 11:19:05 -0700255
256 /**
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700257 * Sign the byte array using an identity name and return a Signature object.
258 * @param buffer The byte array to be signed.
259 * @param bufferLength the length of buffer.
260 * @param identityName The identity name.
261 * @return The Signature.
262 */
263 ptr_lib::shared_ptr<Signature>
264 signByIdentity(const uint8_t* buffer, size_t bufferLength, const Name& identityName);
265
266 /**
267 * Sign the byte array using an identity name and return a Signature object.
268 * @param buffer The byte array to be signed.
269 * @param identityName The identity name.
270 * @return The Signature.
271 */
272 ptr_lib::shared_ptr<Signature>
273 signByIdentity(const std::vector<uint8_t>& buffer, const Name& identityName)
274 {
275 return signByIdentity(&buffer[0], buffer.size(), identityName);
276 }
277
278 /**
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700279 * Check the signature on the Data object and call either onVerify or onVerifyFailed.
280 * We use callback functions because verify may fetch information to check the signature.
Jeff Thompson29ce3102013-09-27 11:47:48 -0700281 * @param data The Data object with the signature to check. It is an error if data does not have a wireEncoding.
282 * To set the wireEncoding, you can call data.wireDecode.
283 * @param onVerified If the signature is verified, this calls onVerified(data).
284 * @param onVerifyFailed If the signature check fails, this calls onVerifyFailed(data).
Jeff Thompson8efe5ad2013-08-20 17:36:38 -0700285 */
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700286 void
Jeff Thompson7c5d2312013-09-25 16:07:15 -0700287 verifyData
288 (const ptr_lib::shared_ptr<Data>& data, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed, int stepCount = 0);
Jeff Thompson8efe5ad2013-08-20 17:36:38 -0700289
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700290 /*****************************************
291 * Encrypt/Decrypt *
292 *****************************************/
293
294 /**
295 * Generate a symmetric key.
296 * @param keyName The name of the generated key.
297 * @param keyType The type of the key, e.g. KEY_TYPE_AES
298 */
299 void
300 generateSymmetricKey(const Name& keyName, KeyType keyType)
301 {
302 encryptionManager_->createSymmetricKey(keyName, keyType);
303 }
304
305 /**
306 * Encrypt a byte array.
307 * @param keyName The name of the encrypting key.
308 * @param data The byte array that will be encrypted.
309 * @param dataLength The length of data.
310 * @param useSymmetric If true then symmetric encryption is used, otherwise asymmetric encryption is used.
311 * @param encryptMode the encryption mode
312 * @return the encrypted data as an immutable Blob.
313 */
314 Blob
315 encrypt(const Name &keyName, const uint8_t* data, size_t dataLength, bool useSymmetric = true,
316 EncryptMode encryptMode = ENCRYPT_MODE_DEFAULT)
317 {
318 return encryptionManager_->encrypt(keyName, data, dataLength, useSymmetric, encryptMode);
319 }
320
321 /**
322 * Decrypt a byte array.
323 * @param keyName The name of the decrypting key.
324 * @param data The byte array that will be decrypted.
325 * @param dataLength The length of data.
326 * @param useSymmetric If true then symmetric encryption is used, otherwise asymmetric encryption is used.
327 * @param encryptMode the encryption mode
328 * @return the decrypted data as an immutable Blob.
329 */
330 Blob
331 decrypt(const Name &keyName, const uint8_t* data, size_t dataLength, bool useSymmetric = true,
332 EncryptMode encryptMode = ENCRYPT_MODE_DEFAULT)
333 {
334 return encryptionManager_->decrypt(keyName, data, dataLength, useSymmetric, encryptMode);
335 }
336
Jeff Thompson8efe5ad2013-08-20 17:36:38 -0700337 /**
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700338 * Set the Face which will be used to fetch required certificates.
339 * @param face A pointer to the Face object.
Jeff Thompson1e90d8c2013-08-12 16:09:25 -0700340 */
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700341 void
342 setFace(Face* face) { face_ = face; }
343
344private:
Jeff Thompson40f361a2013-09-25 13:12:48 -0700345 ptr_lib::shared_ptr<IdentityManager> identityManager_;
Jeff Thompson29ce3102013-09-27 11:47:48 -0700346 ptr_lib::shared_ptr<PolicyManager> policyManager_;
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700347 ptr_lib::shared_ptr<EncryptionManager> encryptionManager_;
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700348 Face* face_;
349 const int maxSteps_;
Jeff Thompson47c93cf2013-08-09 00:38:48 -0700350};
351
352}
353
354#endif