Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 1 | /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */ |
Davide Pesavento | 10b24be | 2017-07-12 23:23:46 -0400 | [diff] [blame] | 2 | /* |
Davide Pesavento | 0f83080 | 2018-01-16 23:58:58 -0500 | [diff] [blame] | 3 | * Copyright (c) 2013-2018 Regents of the University of California. |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 4 | * |
| 5 | * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions). |
| 6 | * |
| 7 | * ndn-cxx library is free software: you can redistribute it and/or modify it under the |
| 8 | * terms of the GNU Lesser General Public License as published by the Free Software |
| 9 | * Foundation, either version 3 of the License, or (at your option) any later version. |
| 10 | * |
| 11 | * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY |
| 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A |
| 13 | * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. |
| 14 | * |
| 15 | * You should have received copies of the GNU General Public License and GNU Lesser |
| 16 | * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see |
| 17 | * <http://www.gnu.org/licenses/>. |
| 18 | * |
| 19 | * See AUTHORS.md for complete list of ndn-cxx authors and contributors. |
| 20 | */ |
| 21 | |
| 22 | #include "key-chain.hpp" |
| 23 | |
| 24 | #include "../../util/config-file.hpp" |
Alexander Afanasyev | 83eb1cc | 2017-01-04 17:34:34 -0800 | [diff] [blame] | 25 | #include "../../util/logger.hpp" |
Junxiao Shi | 6938e34 | 2017-07-25 21:56:58 +0000 | [diff] [blame] | 26 | #include "../../util/sha256.hpp" |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 27 | |
| 28 | #include "../pib/pib-sqlite3.hpp" |
| 29 | #include "../pib/pib-memory.hpp" |
| 30 | |
Alexander Afanasyev | 0cf887d | 2017-03-26 16:58:59 -0500 | [diff] [blame] | 31 | #ifdef NDN_CXX_HAVE_OSX_FRAMEWORKS |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 32 | #include "../tpm/back-end-osx.hpp" |
Alexander Afanasyev | 0cf887d | 2017-03-26 16:58:59 -0500 | [diff] [blame] | 33 | #endif // NDN_CXX_HAVE_OSX_FRAMEWORKS |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 34 | |
| 35 | #include "../tpm/back-end-file.hpp" |
| 36 | #include "../tpm/back-end-mem.hpp" |
| 37 | |
| 38 | #include "../transform/bool-sink.hpp" |
| 39 | #include "../transform/buffer-source.hpp" |
| 40 | #include "../transform/private-key.hpp" |
Davide Pesavento | 8aad372 | 2017-09-16 20:57:28 -0400 | [diff] [blame] | 41 | #include "../transform/public-key.hpp" |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 42 | #include "../transform/verifier-filter.hpp" |
| 43 | #include "../../encoding/buffer-stream.hpp" |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 44 | |
| 45 | #include <boost/lexical_cast.hpp> |
| 46 | |
| 47 | namespace ndn { |
| 48 | namespace security { |
| 49 | |
| 50 | // When static library is used, not everything is compiled into the resulting binary. |
| 51 | // Therefore, the following standard PIB and TPMs need to be registered here. |
| 52 | // http://stackoverflow.com/q/9459980/2150331 |
| 53 | |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 54 | namespace pib { |
| 55 | NDN_CXX_V2_KEYCHAIN_REGISTER_PIB_BACKEND(PibSqlite3); |
| 56 | NDN_CXX_V2_KEYCHAIN_REGISTER_PIB_BACKEND(PibMemory); |
| 57 | } // namespace pib |
| 58 | |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 59 | namespace tpm { |
Alexander Afanasyev | 0cf887d | 2017-03-26 16:58:59 -0500 | [diff] [blame] | 60 | #if defined(NDN_CXX_HAVE_OSX_FRAMEWORKS) && defined(NDN_CXX_WITH_OSX_KEYCHAIN) |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 61 | NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND(BackEndOsx); |
Alexander Afanasyev | 0cf887d | 2017-03-26 16:58:59 -0500 | [diff] [blame] | 62 | #endif // defined(NDN_CXX_HAVE_OSX_FRAMEWORKS) && defined(NDN_CXX_WITH_OSX_KEYCHAIN) |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 63 | |
| 64 | NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND(BackEndFile); |
| 65 | NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND(BackEndMem); |
| 66 | } // namespace tpm |
| 67 | |
| 68 | namespace v2 { |
| 69 | |
Alexander Afanasyev | 83eb1cc | 2017-01-04 17:34:34 -0800 | [diff] [blame] | 70 | NDN_LOG_INIT(ndn.security.v2.KeyChain); |
| 71 | |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 72 | std::string KeyChain::s_defaultPibLocator; |
| 73 | std::string KeyChain::s_defaultTpmLocator; |
| 74 | |
| 75 | KeyChain::PibFactories& |
| 76 | KeyChain::getPibFactories() |
| 77 | { |
| 78 | static PibFactories pibFactories; |
| 79 | return pibFactories; |
| 80 | } |
| 81 | |
| 82 | KeyChain::TpmFactories& |
| 83 | KeyChain::getTpmFactories() |
| 84 | { |
| 85 | static TpmFactories tpmFactories; |
| 86 | return tpmFactories; |
| 87 | } |
| 88 | |
| 89 | const std::string& |
| 90 | KeyChain::getDefaultPibScheme() |
| 91 | { |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 92 | return pib::PibSqlite3::getScheme(); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 93 | } |
| 94 | |
| 95 | const std::string& |
| 96 | KeyChain::getDefaultTpmScheme() |
| 97 | { |
Alexander Afanasyev | 0cf887d | 2017-03-26 16:58:59 -0500 | [diff] [blame] | 98 | #if defined(NDN_CXX_HAVE_OSX_FRAMEWORKS) && defined(NDN_CXX_WITH_OSX_KEYCHAIN) |
Davide Pesavento | 5ee8ec0 | 2018-09-01 19:06:12 -0400 | [diff] [blame] | 99 | return tpm::BackEndOsx::getScheme(); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 100 | #else |
| 101 | return tpm::BackEndFile::getScheme(); |
Alexander Afanasyev | 0cf887d | 2017-03-26 16:58:59 -0500 | [diff] [blame] | 102 | #endif // defined(NDN_CXX_HAVE_OSX_FRAMEWORKS) && defined(NDN_CXX_WITH_OSX_KEYCHAIN) |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 103 | } |
| 104 | |
| 105 | const std::string& |
| 106 | KeyChain::getDefaultPibLocator() |
| 107 | { |
| 108 | if (!s_defaultPibLocator.empty()) |
| 109 | return s_defaultPibLocator; |
| 110 | |
| 111 | if (getenv("NDN_CLIENT_PIB") != nullptr) { |
| 112 | s_defaultPibLocator = getenv("NDN_CLIENT_PIB"); |
| 113 | } |
| 114 | else { |
| 115 | ConfigFile config; |
| 116 | s_defaultPibLocator = config.getParsedConfiguration().get<std::string>("pib", getDefaultPibScheme() + ":"); |
| 117 | } |
| 118 | |
Alexander Afanasyev | 57d02b6 | 2018-06-15 18:19:50 -0400 | [diff] [blame] | 119 | std::string pibScheme, pibLocation; |
| 120 | std::tie(pibScheme, pibLocation) = parseAndCheckPibLocator(s_defaultPibLocator); |
| 121 | s_defaultPibLocator = pibScheme + ":" + pibLocation; |
| 122 | |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 123 | return s_defaultPibLocator; |
| 124 | } |
| 125 | |
| 126 | const std::string& |
| 127 | KeyChain::getDefaultTpmLocator() |
| 128 | { |
| 129 | if (!s_defaultTpmLocator.empty()) |
| 130 | return s_defaultTpmLocator; |
| 131 | |
| 132 | if (getenv("NDN_CLIENT_TPM") != nullptr) { |
| 133 | s_defaultTpmLocator = getenv("NDN_CLIENT_TPM"); |
| 134 | } |
| 135 | else { |
| 136 | ConfigFile config; |
| 137 | s_defaultTpmLocator = config.getParsedConfiguration().get<std::string>("tpm", getDefaultTpmScheme() + ":"); |
| 138 | } |
| 139 | |
Alexander Afanasyev | 57d02b6 | 2018-06-15 18:19:50 -0400 | [diff] [blame] | 140 | std::string tpmScheme, tpmLocation; |
| 141 | std::tie(tpmScheme, tpmLocation) = parseAndCheckTpmLocator(s_defaultTpmLocator); |
| 142 | s_defaultTpmLocator = tpmScheme + ":" + tpmLocation; |
| 143 | |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 144 | return s_defaultTpmLocator; |
| 145 | } |
| 146 | |
| 147 | |
| 148 | // Other defaults |
| 149 | |
| 150 | const SigningInfo& |
| 151 | KeyChain::getDefaultSigningInfo() |
| 152 | { |
| 153 | static SigningInfo signingInfo; |
| 154 | return signingInfo; |
| 155 | } |
| 156 | |
| 157 | const KeyParams& |
| 158 | KeyChain::getDefaultKeyParams() |
| 159 | { |
Spyridon Mastorakis | 1ece2e3 | 2015-08-27 18:52:21 -0700 | [diff] [blame] | 160 | static EcKeyParams keyParams; |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 161 | return keyParams; |
| 162 | } |
| 163 | |
| 164 | // |
| 165 | |
| 166 | KeyChain::KeyChain() |
| 167 | : KeyChain(getDefaultPibLocator(), getDefaultTpmLocator(), true) |
| 168 | { |
| 169 | } |
| 170 | |
| 171 | KeyChain::KeyChain(const std::string& pibLocator, const std::string& tpmLocator, bool allowReset) |
| 172 | { |
| 173 | // PIB Locator |
| 174 | std::string pibScheme, pibLocation; |
| 175 | std::tie(pibScheme, pibLocation) = parseAndCheckPibLocator(pibLocator); |
| 176 | std::string canonicalPibLocator = pibScheme + ":" + pibLocation; |
| 177 | |
| 178 | // Create PIB |
| 179 | m_pib = createPib(canonicalPibLocator); |
| 180 | std::string oldTpmLocator; |
| 181 | try { |
| 182 | oldTpmLocator = m_pib->getTpmLocator(); |
| 183 | } |
| 184 | catch (const Pib::Error&) { |
| 185 | // TPM locator is not set in PIB yet. |
| 186 | } |
| 187 | |
| 188 | // TPM Locator |
| 189 | std::string tpmScheme, tpmLocation; |
| 190 | std::tie(tpmScheme, tpmLocation) = parseAndCheckTpmLocator(tpmLocator); |
| 191 | std::string canonicalTpmLocator = tpmScheme + ":" + tpmLocation; |
| 192 | |
| 193 | if (canonicalPibLocator == getDefaultPibLocator()) { |
| 194 | // Default PIB must use default TPM |
| 195 | if (!oldTpmLocator.empty() && oldTpmLocator != getDefaultTpmLocator()) { |
| 196 | m_pib->reset(); |
| 197 | canonicalTpmLocator = getDefaultTpmLocator(); |
| 198 | } |
| 199 | } |
| 200 | else { |
| 201 | // non-default PIB check consistency |
| 202 | if (!oldTpmLocator.empty() && oldTpmLocator != canonicalTpmLocator) { |
| 203 | if (allowReset) |
| 204 | m_pib->reset(); |
| 205 | else |
| 206 | BOOST_THROW_EXCEPTION(LocatorMismatchError("TPM locator supplied does not match TPM locator in PIB: " + |
| 207 | oldTpmLocator + " != " + canonicalTpmLocator)); |
| 208 | } |
| 209 | } |
| 210 | |
| 211 | // note that key mismatch may still happen if the TPM locator is initially set to a |
| 212 | // wrong one or if the PIB was shared by more than one TPMs before. This is due to the |
| 213 | // old PIB does not have TPM info, new pib should not have this problem. |
| 214 | m_tpm = createTpm(canonicalTpmLocator); |
| 215 | m_pib->setTpmLocator(canonicalTpmLocator); |
| 216 | } |
| 217 | |
| 218 | KeyChain::~KeyChain() = default; |
| 219 | |
| 220 | // public: management |
| 221 | |
| 222 | Identity |
| 223 | KeyChain::createIdentity(const Name& identityName, const KeyParams& params) |
| 224 | { |
| 225 | Identity id = m_pib->addIdentity(identityName); |
| 226 | |
| 227 | Key key; |
| 228 | try { |
| 229 | key = id.getDefaultKey(); |
| 230 | } |
| 231 | catch (const Pib::Error&) { |
| 232 | key = createKey(id, params); |
| 233 | } |
| 234 | |
| 235 | try { |
| 236 | key.getDefaultCertificate(); |
| 237 | } |
| 238 | catch (const Pib::Error&) { |
Alexander Afanasyev | 83eb1cc | 2017-01-04 17:34:34 -0800 | [diff] [blame] | 239 | NDN_LOG_DEBUG("No default cert for " << key.getName() << ", requesting self-signing"); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 240 | selfSign(key); |
| 241 | } |
| 242 | |
| 243 | return id; |
| 244 | } |
| 245 | |
| 246 | void |
| 247 | KeyChain::deleteIdentity(const Identity& identity) |
| 248 | { |
| 249 | BOOST_ASSERT(static_cast<bool>(identity)); |
| 250 | |
| 251 | Name identityName = identity.getName(); |
| 252 | |
| 253 | for (const auto& key : identity.getKeys()) { |
| 254 | m_tpm->deleteKey(key.getName()); |
| 255 | } |
| 256 | |
| 257 | m_pib->removeIdentity(identityName); |
| 258 | } |
| 259 | |
| 260 | void |
| 261 | KeyChain::setDefaultIdentity(const Identity& identity) |
| 262 | { |
| 263 | BOOST_ASSERT(static_cast<bool>(identity)); |
| 264 | |
| 265 | m_pib->setDefaultIdentity(identity.getName()); |
| 266 | } |
| 267 | |
| 268 | Key |
| 269 | KeyChain::createKey(const Identity& identity, const KeyParams& params) |
| 270 | { |
| 271 | BOOST_ASSERT(static_cast<bool>(identity)); |
| 272 | |
| 273 | // create key in TPM |
| 274 | Name keyName = m_tpm->createKey(identity.getName(), params); |
| 275 | |
| 276 | // set up key info in PIB |
| 277 | ConstBufferPtr pubKey = m_tpm->getPublicKey(keyName); |
Davide Pesavento | 5d0b010 | 2017-10-07 13:43:16 -0400 | [diff] [blame] | 278 | Key key = identity.addKey(pubKey->data(), pubKey->size(), keyName); |
Alexander Afanasyev | 83eb1cc | 2017-01-04 17:34:34 -0800 | [diff] [blame] | 279 | |
| 280 | NDN_LOG_DEBUG("Requesting self-signing for newly created key " << key.getName()); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 281 | selfSign(key); |
| 282 | |
| 283 | return key; |
| 284 | } |
| 285 | |
| 286 | void |
| 287 | KeyChain::deleteKey(const Identity& identity, const Key& key) |
| 288 | { |
| 289 | BOOST_ASSERT(static_cast<bool>(identity)); |
| 290 | BOOST_ASSERT(static_cast<bool>(key)); |
| 291 | |
| 292 | Name keyName = key.getName(); |
| 293 | if (identity.getName() != key.getIdentity()) { |
| 294 | BOOST_THROW_EXCEPTION(std::invalid_argument("Identity `" + identity.getName().toUri() + "` " |
Muktadir Chowdhury | cab1696 | 2017-06-12 12:19:43 -0500 | [diff] [blame] | 295 | "does not match key `" + keyName.toUri() + "`")); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 296 | } |
| 297 | |
| 298 | identity.removeKey(keyName); |
| 299 | m_tpm->deleteKey(keyName); |
| 300 | } |
| 301 | |
| 302 | void |
| 303 | KeyChain::setDefaultKey(const Identity& identity, const Key& key) |
| 304 | { |
| 305 | BOOST_ASSERT(static_cast<bool>(identity)); |
| 306 | BOOST_ASSERT(static_cast<bool>(key)); |
| 307 | |
| 308 | if (identity.getName() != key.getIdentity()) |
| 309 | BOOST_THROW_EXCEPTION(std::invalid_argument("Identity `" + identity.getName().toUri() + "` " |
Muktadir Chowdhury | cab1696 | 2017-06-12 12:19:43 -0500 | [diff] [blame] | 310 | "does not match key `" + key.getName().toUri() + "`")); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 311 | |
| 312 | identity.setDefaultKey(key.getName()); |
| 313 | } |
| 314 | |
| 315 | void |
| 316 | KeyChain::addCertificate(const Key& key, const Certificate& certificate) |
| 317 | { |
| 318 | BOOST_ASSERT(static_cast<bool>(key)); |
| 319 | |
| 320 | if (key.getName() != certificate.getKeyName() || |
| 321 | !std::equal(certificate.getContent().value_begin(), certificate.getContent().value_end(), |
| 322 | key.getPublicKey().begin())) |
| 323 | BOOST_THROW_EXCEPTION(std::invalid_argument("Key `" + key.getName().toUri() + "` " |
Muktadir Chowdhury | cab1696 | 2017-06-12 12:19:43 -0500 | [diff] [blame] | 324 | "does not match certificate `" + certificate.getName().toUri() + "`")); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 325 | |
| 326 | key.addCertificate(certificate); |
| 327 | } |
| 328 | |
| 329 | void |
| 330 | KeyChain::deleteCertificate(const Key& key, const Name& certificateName) |
| 331 | { |
| 332 | BOOST_ASSERT(static_cast<bool>(key)); |
| 333 | |
| 334 | if (!Certificate::isValidName(certificateName)) { |
| 335 | BOOST_THROW_EXCEPTION(std::invalid_argument("Wrong certificate name `" + certificateName.toUri() + "`")); |
| 336 | } |
| 337 | |
| 338 | key.removeCertificate(certificateName); |
| 339 | } |
| 340 | |
| 341 | void |
| 342 | KeyChain::setDefaultCertificate(const Key& key, const Certificate& cert) |
| 343 | { |
| 344 | BOOST_ASSERT(static_cast<bool>(key)); |
| 345 | |
Davide Pesavento | 3ce6d4e | 2017-10-05 01:48:24 -0400 | [diff] [blame] | 346 | addCertificate(key, cert); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 347 | key.setDefaultCertificate(cert.getName()); |
| 348 | } |
| 349 | |
| 350 | shared_ptr<SafeBag> |
| 351 | KeyChain::exportSafeBag(const Certificate& certificate, const char* pw, size_t pwLen) |
| 352 | { |
| 353 | Name identity = certificate.getIdentity(); |
| 354 | Name keyName = certificate.getKeyName(); |
| 355 | |
| 356 | ConstBufferPtr encryptedKey; |
| 357 | try { |
| 358 | encryptedKey = m_tpm->exportPrivateKey(keyName, pw, pwLen); |
| 359 | } |
Davide Pesavento | 82d6a4c | 2017-12-23 19:47:20 -0500 | [diff] [blame] | 360 | catch (const tpm::BackEnd::Error& e) { |
| 361 | BOOST_THROW_EXCEPTION(Error("Failed to export private key `" + keyName.toUri() + "`: " + e.what())); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 362 | } |
| 363 | |
| 364 | return make_shared<SafeBag>(certificate, *encryptedKey); |
| 365 | } |
| 366 | |
| 367 | void |
| 368 | KeyChain::importSafeBag(const SafeBag& safeBag, const char* pw, size_t pwLen) |
| 369 | { |
| 370 | Data certData = safeBag.getCertificate(); |
| 371 | Certificate cert(std::move(certData)); |
| 372 | Name identity = cert.getIdentity(); |
| 373 | Name keyName = cert.getKeyName(); |
| 374 | const Buffer publicKeyBits = cert.getPublicKey(); |
| 375 | |
| 376 | if (m_tpm->hasKey(keyName)) { |
| 377 | BOOST_THROW_EXCEPTION(Error("Private key `" + keyName.toUri() + "` already exists")); |
| 378 | } |
| 379 | |
| 380 | try { |
| 381 | Identity existingId = m_pib->getIdentity(identity); |
| 382 | existingId.getKey(keyName); |
| 383 | BOOST_THROW_EXCEPTION(Error("Public key `" + keyName.toUri() + "` already exists")); |
| 384 | } |
| 385 | catch (const Pib::Error&) { |
| 386 | // Either identity or key doesn't exist. OK to import. |
| 387 | } |
| 388 | |
| 389 | try { |
| 390 | m_tpm->importPrivateKey(keyName, |
Davide Pesavento | 5d0b010 | 2017-10-07 13:43:16 -0400 | [diff] [blame] | 391 | safeBag.getEncryptedKeyBag().data(), safeBag.getEncryptedKeyBag().size(), |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 392 | pw, pwLen); |
| 393 | } |
Davide Pesavento | 82d6a4c | 2017-12-23 19:47:20 -0500 | [diff] [blame] | 394 | catch (const tpm::BackEnd::Error& e) { |
| 395 | BOOST_THROW_EXCEPTION(Error("Failed to import private key `" + keyName.toUri() + "`: " + e.what())); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 396 | } |
| 397 | |
| 398 | // check the consistency of private key and certificate |
| 399 | const uint8_t content[] = {0x01, 0x02, 0x03, 0x04}; |
| 400 | ConstBufferPtr sigBits; |
| 401 | try { |
| 402 | sigBits = m_tpm->sign(content, 4, keyName, DigestAlgorithm::SHA256); |
| 403 | } |
| 404 | catch (const std::runtime_error&) { |
| 405 | m_tpm->deleteKey(keyName); |
| 406 | BOOST_THROW_EXCEPTION(Error("Invalid private key `" + keyName.toUri() + "`")); |
| 407 | } |
| 408 | bool isVerified = false; |
| 409 | { |
| 410 | using namespace transform; |
| 411 | PublicKey publicKey; |
Davide Pesavento | 5d0b010 | 2017-10-07 13:43:16 -0400 | [diff] [blame] | 412 | publicKey.loadPkcs8(publicKeyBits.data(), publicKeyBits.size()); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 413 | bufferSource(content, sizeof(content)) >> verifierFilter(DigestAlgorithm::SHA256, publicKey, |
Davide Pesavento | 5d0b010 | 2017-10-07 13:43:16 -0400 | [diff] [blame] | 414 | sigBits->data(), sigBits->size()) |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 415 | >> boolSink(isVerified); |
| 416 | } |
| 417 | if (!isVerified) { |
| 418 | m_tpm->deleteKey(keyName); |
| 419 | BOOST_THROW_EXCEPTION(Error("Certificate `" + cert.getName().toUri() + "` " |
| 420 | "and private key `" + keyName.toUri() + "` do not match")); |
| 421 | } |
| 422 | |
| 423 | Identity id = m_pib->addIdentity(identity); |
Davide Pesavento | 5d0b010 | 2017-10-07 13:43:16 -0400 | [diff] [blame] | 424 | Key key = id.addKey(cert.getPublicKey().data(), cert.getPublicKey().size(), keyName); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 425 | key.addCertificate(cert); |
| 426 | } |
| 427 | |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 428 | // public: signing |
| 429 | |
| 430 | void |
| 431 | KeyChain::sign(Data& data, const SigningInfo& params) |
| 432 | { |
| 433 | Name keyName; |
| 434 | SignatureInfo sigInfo; |
| 435 | std::tie(keyName, sigInfo) = prepareSignatureInfo(params); |
| 436 | |
| 437 | data.setSignature(Signature(sigInfo)); |
| 438 | |
| 439 | EncodingBuffer encoder; |
| 440 | data.wireEncode(encoder, true); |
| 441 | |
| 442 | Block sigValue = sign(encoder.buf(), encoder.size(), keyName, params.getDigestAlgorithm()); |
| 443 | |
| 444 | data.wireEncode(encoder, sigValue); |
| 445 | } |
| 446 | |
| 447 | void |
| 448 | KeyChain::sign(Interest& interest, const SigningInfo& params) |
| 449 | { |
| 450 | Name keyName; |
| 451 | SignatureInfo sigInfo; |
| 452 | std::tie(keyName, sigInfo) = prepareSignatureInfo(params); |
| 453 | |
| 454 | Name signedName = interest.getName(); |
| 455 | signedName.append(sigInfo.wireEncode()); // signatureInfo |
| 456 | |
| 457 | Block sigValue = sign(signedName.wireEncode().value(), signedName.wireEncode().value_size(), |
| 458 | keyName, params.getDigestAlgorithm()); |
| 459 | |
| 460 | sigValue.encode(); |
| 461 | signedName.append(sigValue); // signatureValue |
| 462 | interest.setName(signedName); |
| 463 | } |
| 464 | |
| 465 | Block |
| 466 | KeyChain::sign(const uint8_t* buffer, size_t bufferLength, const SigningInfo& params) |
| 467 | { |
| 468 | Name keyName; |
| 469 | SignatureInfo sigInfo; |
| 470 | std::tie(keyName, sigInfo) = prepareSignatureInfo(params); |
| 471 | |
| 472 | return sign(buffer, bufferLength, keyName, params.getDigestAlgorithm()); |
| 473 | } |
| 474 | |
| 475 | // public: PIB/TPM creation helpers |
| 476 | |
| 477 | static inline std::tuple<std::string/*type*/, std::string/*location*/> |
| 478 | parseLocatorUri(const std::string& uri) |
| 479 | { |
| 480 | size_t pos = uri.find(':'); |
| 481 | if (pos != std::string::npos) { |
| 482 | return std::make_tuple(uri.substr(0, pos), uri.substr(pos + 1)); |
| 483 | } |
| 484 | else { |
| 485 | return std::make_tuple(uri, ""); |
| 486 | } |
| 487 | } |
| 488 | |
| 489 | std::tuple<std::string/*type*/, std::string/*location*/> |
| 490 | KeyChain::parseAndCheckPibLocator(const std::string& pibLocator) |
| 491 | { |
| 492 | std::string pibScheme, pibLocation; |
| 493 | std::tie(pibScheme, pibLocation) = parseLocatorUri(pibLocator); |
| 494 | |
| 495 | if (pibScheme.empty()) { |
| 496 | pibScheme = getDefaultPibScheme(); |
| 497 | } |
| 498 | |
| 499 | auto pibFactory = getPibFactories().find(pibScheme); |
| 500 | if (pibFactory == getPibFactories().end()) { |
| 501 | BOOST_THROW_EXCEPTION(KeyChain::Error("PIB scheme `" + pibScheme + "` is not supported")); |
| 502 | } |
| 503 | |
| 504 | return std::make_tuple(pibScheme, pibLocation); |
| 505 | } |
| 506 | |
| 507 | unique_ptr<Pib> |
| 508 | KeyChain::createPib(const std::string& pibLocator) |
| 509 | { |
| 510 | std::string pibScheme, pibLocation; |
| 511 | std::tie(pibScheme, pibLocation) = parseAndCheckPibLocator(pibLocator); |
| 512 | auto pibFactory = getPibFactories().find(pibScheme); |
| 513 | BOOST_ASSERT(pibFactory != getPibFactories().end()); |
| 514 | return unique_ptr<Pib>(new Pib(pibScheme, pibLocation, pibFactory->second(pibLocation))); |
| 515 | } |
| 516 | |
| 517 | std::tuple<std::string/*type*/, std::string/*location*/> |
| 518 | KeyChain::parseAndCheckTpmLocator(const std::string& tpmLocator) |
| 519 | { |
| 520 | std::string tpmScheme, tpmLocation; |
| 521 | std::tie(tpmScheme, tpmLocation) = parseLocatorUri(tpmLocator); |
| 522 | |
| 523 | if (tpmScheme.empty()) { |
| 524 | tpmScheme = getDefaultTpmScheme(); |
| 525 | } |
| 526 | auto tpmFactory = getTpmFactories().find(tpmScheme); |
| 527 | if (tpmFactory == getTpmFactories().end()) { |
| 528 | BOOST_THROW_EXCEPTION(KeyChain::Error("TPM scheme `" + tpmScheme + "` is not supported")); |
| 529 | } |
| 530 | |
| 531 | return std::make_tuple(tpmScheme, tpmLocation); |
| 532 | } |
| 533 | |
| 534 | unique_ptr<Tpm> |
| 535 | KeyChain::createTpm(const std::string& tpmLocator) |
| 536 | { |
| 537 | std::string tpmScheme, tpmLocation; |
| 538 | std::tie(tpmScheme, tpmLocation) = parseAndCheckTpmLocator(tpmLocator); |
| 539 | auto tpmFactory = getTpmFactories().find(tpmScheme); |
| 540 | BOOST_ASSERT(tpmFactory != getTpmFactories().end()); |
| 541 | return unique_ptr<Tpm>(new Tpm(tpmScheme, tpmLocation, tpmFactory->second(tpmLocation))); |
| 542 | } |
| 543 | |
| 544 | // private: signing |
| 545 | |
| 546 | Certificate |
| 547 | KeyChain::selfSign(Key& key) |
| 548 | { |
| 549 | Certificate certificate; |
| 550 | |
| 551 | // set name |
| 552 | Name certificateName = key.getName(); |
| 553 | certificateName |
| 554 | .append("self") |
| 555 | .appendVersion(); |
| 556 | certificate.setName(certificateName); |
| 557 | |
| 558 | // set metainfo |
| 559 | certificate.setContentType(tlv::ContentType_Key); |
Davide Pesavento | 0f83080 | 2018-01-16 23:58:58 -0500 | [diff] [blame] | 560 | certificate.setFreshnessPeriod(1_h); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 561 | |
| 562 | // set content |
Davide Pesavento | 5d0b010 | 2017-10-07 13:43:16 -0400 | [diff] [blame] | 563 | certificate.setContent(key.getPublicKey().data(), key.getPublicKey().size()); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 564 | |
| 565 | // set signature-info |
Alexander Afanasyev | 83eb1cc | 2017-01-04 17:34:34 -0800 | [diff] [blame] | 566 | SignatureInfo signatureInfo; |
Alexander Afanasyev | f837917 | 2017-01-11 16:56:04 -0800 | [diff] [blame] | 567 | // Note time::system_clock::max() or other NotAfter date results in incorrect encoded value |
| 568 | // because of overflow during conversion to boost::posix_time::ptime (bug #3915). |
| 569 | signatureInfo.setValidityPeriod(ValidityPeriod(time::system_clock::TimePoint(), |
Davide Pesavento | 0f83080 | 2018-01-16 23:58:58 -0500 | [diff] [blame] | 570 | time::system_clock::now() + 20 * 365_days)); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 571 | |
Alexander Afanasyev | 83eb1cc | 2017-01-04 17:34:34 -0800 | [diff] [blame] | 572 | sign(certificate, SigningInfo(key).setSignatureInfo(signatureInfo)); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 573 | |
| 574 | key.addCertificate(certificate); |
| 575 | return certificate; |
| 576 | } |
| 577 | |
| 578 | std::tuple<Name, SignatureInfo> |
| 579 | KeyChain::prepareSignatureInfo(const SigningInfo& params) |
| 580 | { |
| 581 | SignatureInfo sigInfo = params.getSignatureInfo(); |
| 582 | |
| 583 | Name identityName; |
| 584 | name::Component keyId; |
| 585 | Name certificateName; |
| 586 | |
| 587 | pib::Identity identity; |
| 588 | pib::Key key; |
| 589 | |
| 590 | switch (params.getSignerType()) { |
| 591 | case SigningInfo::SIGNER_TYPE_NULL: { |
| 592 | try { |
| 593 | identity = m_pib->getDefaultIdentity(); |
| 594 | } |
| 595 | catch (const Pib::Error&) { // no default identity, use sha256 for signing. |
| 596 | sigInfo.setSignatureType(tlv::DigestSha256); |
| 597 | return std::make_tuple(SigningInfo::getDigestSha256Identity(), sigInfo); |
| 598 | } |
| 599 | break; |
| 600 | } |
| 601 | case SigningInfo::SIGNER_TYPE_ID: { |
Junxiao Shi | fe1239a | 2017-01-27 20:36:12 +0000 | [diff] [blame] | 602 | identity = params.getPibIdentity(); |
| 603 | if (!identity) { |
| 604 | try { |
| 605 | identity = m_pib->getIdentity(params.getSignerName()); |
| 606 | } |
| 607 | catch (const Pib::Error&) { |
| 608 | BOOST_THROW_EXCEPTION(InvalidSigningInfoError("Signing identity `" + |
| 609 | params.getSignerName().toUri() + "` does not exist")); |
| 610 | } |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 611 | } |
| 612 | break; |
| 613 | } |
| 614 | case SigningInfo::SIGNER_TYPE_KEY: { |
Junxiao Shi | fe1239a | 2017-01-27 20:36:12 +0000 | [diff] [blame] | 615 | key = params.getPibKey(); |
| 616 | if (!key) { |
| 617 | Name identityName = extractIdentityFromKeyName(params.getSignerName()); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 618 | |
Junxiao Shi | fe1239a | 2017-01-27 20:36:12 +0000 | [diff] [blame] | 619 | try { |
| 620 | identity = m_pib->getIdentity(identityName); |
| 621 | key = identity.getKey(params.getSignerName()); |
| 622 | identity = Identity(); // we will use the PIB key instance, so reset identity; |
| 623 | } |
| 624 | catch (const Pib::Error&) { |
| 625 | BOOST_THROW_EXCEPTION(InvalidSigningInfoError("Signing key `" + |
| 626 | params.getSignerName().toUri() + "` does not exist")); |
| 627 | } |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 628 | } |
| 629 | break; |
| 630 | } |
| 631 | case SigningInfo::SIGNER_TYPE_CERT: { |
| 632 | Name identityName = extractIdentityFromCertName(params.getSignerName()); |
| 633 | Name keyName = extractKeyNameFromCertName(params.getSignerName()); |
| 634 | |
| 635 | try { |
| 636 | identity = m_pib->getIdentity(identityName); |
| 637 | key = identity.getKey(keyName); |
| 638 | } |
| 639 | catch (const Pib::Error&) { |
| 640 | BOOST_THROW_EXCEPTION(InvalidSigningInfoError("Signing certificate `" + |
| 641 | params.getSignerName().toUri() + "` does not exist")); |
| 642 | } |
| 643 | |
| 644 | break; |
| 645 | } |
| 646 | case SigningInfo::SIGNER_TYPE_SHA256: { |
| 647 | sigInfo.setSignatureType(tlv::DigestSha256); |
| 648 | return std::make_tuple(SigningInfo::getDigestSha256Identity(), sigInfo); |
| 649 | } |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 650 | default: { |
| 651 | BOOST_THROW_EXCEPTION(InvalidSigningInfoError("Unrecognized signer type " + |
| 652 | boost::lexical_cast<std::string>(params.getSignerType()))); |
| 653 | } |
| 654 | } |
| 655 | |
| 656 | if (!identity && !key) { |
| 657 | BOOST_THROW_EXCEPTION(InvalidSigningInfoError("Cannot determine signing parameters")); |
| 658 | } |
| 659 | |
| 660 | if (identity && !key) { |
| 661 | try { |
| 662 | key = identity.getDefaultKey(); |
| 663 | } |
| 664 | catch (const Pib::Error&) { |
| 665 | BOOST_THROW_EXCEPTION(InvalidSigningInfoError("Signing identity `" + identity.getName().toUri() + |
Davide Pesavento | 82d6a4c | 2017-12-23 19:47:20 -0500 | [diff] [blame] | 666 | "` does not have a default certificate")); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 667 | } |
| 668 | } |
| 669 | |
| 670 | BOOST_ASSERT(key); |
| 671 | |
| 672 | sigInfo.setSignatureType(getSignatureType(key.getKeyType(), params.getDigestAlgorithm())); |
| 673 | sigInfo.setKeyLocator(KeyLocator(key.getName())); |
Alexander Afanasyev | 7e72141 | 2017-01-11 13:36:08 -0800 | [diff] [blame] | 674 | |
| 675 | NDN_LOG_TRACE("Prepared signature info: " << sigInfo); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 676 | return std::make_tuple(key.getName(), sigInfo); |
| 677 | } |
| 678 | |
| 679 | Block |
| 680 | KeyChain::sign(const uint8_t* buf, size_t size, |
| 681 | const Name& keyName, DigestAlgorithm digestAlgorithm) const |
| 682 | { |
| 683 | if (keyName == SigningInfo::getDigestSha256Identity()) |
Davide Pesavento | 10b24be | 2017-07-12 23:23:46 -0400 | [diff] [blame] | 684 | return Block(tlv::SignatureValue, util::Sha256::computeDigest(buf, size)); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 685 | |
| 686 | return Block(tlv::SignatureValue, m_tpm->sign(buf, size, keyName, digestAlgorithm)); |
| 687 | } |
| 688 | |
| 689 | tlv::SignatureTypeValue |
| 690 | KeyChain::getSignatureType(KeyType keyType, DigestAlgorithm digestAlgorithm) |
| 691 | { |
| 692 | switch (keyType) { |
| 693 | case KeyType::RSA: |
| 694 | return tlv::SignatureSha256WithRsa; |
| 695 | case KeyType::EC: |
| 696 | return tlv::SignatureSha256WithEcdsa; |
| 697 | default: |
| 698 | BOOST_THROW_EXCEPTION(Error("Unsupported key types")); |
| 699 | } |
| 700 | } |
| 701 | |
| 702 | } // namespace v2 |
| 703 | } // namespace security |
| 704 | } // namespace ndn |