Gitiles
Code Review Sign In
gerrit.named-data.net / ndn-cxx / 60bd7086f26cb659b798d139940ec47fca738f65 / . / src / security / key-chain.hpp
blob: cbc1f2a3246f4a116efe2dc18477ed069388fde0 [file] [log] [blame]
Jeff Thompson25b4e612013-10-10 16:03:24 -0700[diff] [blame]1/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
Jeff Thompson47c93cf2013-08-09 00:38:48 -0700[diff] [blame]2/**
Jeff Thompson7687dc02013-09-13 11:54:07 -0700[diff] [blame]3 * Copyright (C) 2013 Regents of the University of California.
Jeff Thompsonba16b8f2013-12-16 13:11:47 -0800[diff] [blame]4 * @author: Yingdi Yu <yingdi@cs.ucla.edu>
Jeff Thompson7687dc02013-09-13 11:54:07 -0700[diff] [blame]5 * @author: Jeff Thompson <jefft0@remap.ucla.edu>
Jeff Thompson47c93cf2013-08-09 00:38:48 -0700[diff] [blame]6 * See COPYING for copyright and distribution information.
7 */
8
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]9#ifndef NDN_SECURITY_KEY_CHAIN_HPP
10#define NDN_SECURITY_KEY_CHAIN_HPP
Jeff Thompson47c93cf2013-08-09 00:38:48 -0700[diff] [blame]11
Yingdi Yu4f324632014-01-15 18:10:03 -0800[diff] [blame]12#include "identity-certificate.hpp"
13#include "public-key.hpp"
14#include "signature-sha256-with-rsa.hpp"
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]15#include "signature-sha256.hpp"
Yingdi Yu64c3fb42014-02-26 17:30:04 -0800[diff] [blame]16#include "secured-bag.hpp"
Yingdi Yu4270f202014-01-28 14:19:16 -0800[diff] [blame]17#include "../interest.hpp"
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]18#include "../util/random.hpp"
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]19#include "../util/crypto.hpp"
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]20
Yingdi Yu04020922014-01-22 12:46:53 -0800[diff] [blame]21//PublicInfo
Yingdi Yu4f324632014-01-15 18:10:03 -0800[diff] [blame]22#include "sec-public-info-sqlite3.hpp"
23#include "sec-public-info-memory.hpp"
Yingdi Yu04020922014-01-22 12:46:53 -0800[diff] [blame]24//TPM
25#include "sec-tpm-file.hpp"
Yingdi Yu4f324632014-01-15 18:10:03 -0800[diff] [blame]26#include "sec-tpm-memory.hpp"
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]27
Yingdi Yu04020922014-01-22 12:46:53 -0800[diff] [blame]28#ifdef NDN_CPP_HAVE_OSX_SECURITY
29#include "sec-tpm-osx.hpp"
30#endif
31
Jeff Thompson47c93cf2013-08-09 00:38:48 -0700[diff] [blame]32
33namespace ndn {
34
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700[diff] [blame]35/**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]36 * @brief KeyChain is one of the main classes of the security library.
Jeff Thompsonffa36f92013-09-20 08:42:41 -0700[diff] [blame]37 *
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]38 * The KeyChain class provides a set of interfaces of identity management and private key related operations.
Jeff Thompsonffa36f92013-09-20 08:42:41 -0700[diff] [blame]39 */
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]40template<class Info, class Tpm>
41class KeyChainImpl : public Info, public Tpm
42{
Yingdi Yuf8fc8de2014-02-25 15:45:39 -0800[diff] [blame]43 typedef SecPublicInfo::Error InfoError;
44 typedef SecTpm::Error TpmError;
Jeff Thompson47c93cf2013-08-09 00:38:48 -0700[diff] [blame]45public:
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]46 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]47 * @brief Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed certificate of the KSK.
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]48 *
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]49 * @param identityName The name of the identity.
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800[diff] [blame]50 * @return The name of the default certificate of the identity.
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]51 */
52 Name
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]53 createIdentity(const Name& identityName)
54 {
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]55 Info::addIdentity(identityName);
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800[diff] [blame]56
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]57 Name keyName;
58 try
59 {
60 keyName = Info::getDefaultKeyNameForIdentity(identityName);
61 }
62 catch(InfoError& e)
63 {
64 keyName = generateRSAKeyPairAsDefault(identityName, true);
65 }
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]66
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]67 Name certName;
68 try
69 {
70 certName = Info::getDefaultCertificateNameForKey(keyName);
71 }
72 catch(InfoError& e)
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800[diff] [blame]73 {
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]74 shared_ptr<IdentityCertificate> selfCert = selfSign(keyName);
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800[diff] [blame]75 Info::addCertificateAsIdentityDefault(*selfCert);
76 certName = selfCert->getName();
77 }
78
79 return certName;
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]80 }
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]81
82 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]83 * @brief Generate a pair of RSA keys for the specified identity.
84 *
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]85 * @param identityName The name of the identity.
86 * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
87 * @param keySize The size of the key.
88 * @return The generated key name.
89 */
90 Name
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]91 generateRSAKeyPair(const Name& identityName, bool isKsk = false, int keySize = 2048)
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]92 {
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]93 return generateKeyPair(identityName, isKsk, KEY_TYPE_RSA, keySize);
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]94 }
Alexander Afanasyev64a3d812014-01-05 23:35:05 -0800[diff] [blame]95
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]96 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]97 * @brief Generate a pair of RSA keys for the specified identity and set it as default key for the identity.
98 *
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]99 * @param identityName The name of the identity.
100 * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
101 * @param keySize The size of the key.
102 * @return The generated key name.
103 */
104 Name
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]105 generateRSAKeyPairAsDefault(const Name& identityName, bool isKsk = false, int keySize = 2048)
106 {
107 Name keyName = generateKeyPair(identityName, isKsk, KEY_TYPE_RSA, keySize);
108
109 Info::setDefaultKeyNameForIdentity(keyName);
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]110
111 return keyName;
112 }
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700[diff] [blame]113
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]114 /**
Yingdi Yuc55680b2014-02-26 12:31:35 -0800[diff] [blame]115 * @brief prepare an unsigned identity certificate
116 *
117 * @param keyName Key name, e.g., /<identity_name>/ksk-123456.
118 * @param signingIdentity The signing identity.
119 * @param notBefore Refer to IdentityCertificate.
120 * @param notAfter Refer to IdentityCertificate.
121 * @param subjectDescription Refer to IdentityCertificate.
122 * @return IdentityCertificate.
123 */
124 shared_ptr<IdentityCertificate>
125 prepareUnsignedIdentityCertificate(const Name& keyName,
126 const Name& signingIdentity,
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]127 const time::system_clock::TimePoint& notBefore,
128 const time::system_clock::TimePoint& notAfter,
Yingdi Yuc55680b2014-02-26 12:31:35 -0800[diff] [blame]129 const std::vector<CertificateSubjectDescription>& subjectDescription)
130
131 {
132 if(keyName.size() < 1)
133 return shared_ptr<IdentityCertificate>();
134
135 std::string keyIdPrefix = keyName.get(-1).toEscapedString().substr(0, 4);
136 if(keyIdPrefix != "ksk-" && keyIdPrefix != "dsk-")
137 return shared_ptr<IdentityCertificate>();
138
139 shared_ptr<IdentityCertificate> certificate = make_shared<IdentityCertificate>();
140 Name certName;
141
142 if(signingIdentity.isPrefixOf(keyName))
143 {
144 certName.append(signingIdentity).append("KEY").append(keyName.getSubName(signingIdentity.size())).append("ID-CERT").appendVersion();
145 }
146 else
147 {
148 certName.append(keyName.getPrefix(-1)).append("KEY").append(keyName.get(-1)).append("ID-CERT").appendVersion();
149 }
150
151 certificate->setName(certName);
152 certificate->setNotBefore(notBefore);
153 certificate->setNotAfter(notAfter);
154
155 shared_ptr<PublicKey> publicKey;
156 try
157 {
158 publicKey = Info::getPublicKey(keyName);
159 }
160 catch(InfoError& e)
161 {
162 return shared_ptr<IdentityCertificate>();
163 }
164 certificate->setPublicKeyInfo(*publicKey);
165
166 if(subjectDescription.empty())
167 {
168 CertificateSubjectDescription subDescryptName("2.5.4.41", keyName.getPrefix(-1).toUri());
169 certificate->addSubjectDescription(subDescryptName);
170 }
171 else
172 {
173 std::vector<CertificateSubjectDescription>::const_iterator sdIt = subjectDescription.begin();
174 std::vector<CertificateSubjectDescription>::const_iterator sdEnd = subjectDescription.end();
175 for(; sdIt != sdEnd; sdIt++)
176 certificate->addSubjectDescription(*sdIt);
177 }
178
179 certificate->encode();
180
181 return certificate;
182 }
183
184 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]185 * @brief Sign packet with default identity
186 *
Yingdi Yu60bd7082014-03-25 18:18:54 -0700[diff] [blame^]187 * On return, signatureInfo and signatureValue in the packet are set.
188 * If default identity does not exist,
189 * a temporary identity will be created and set as default.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]190 *
191 * @param packet The packet to be signed
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]192 */
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]193 template<typename T>
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]194 void
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]195 sign(T& packet)
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]196 {
Yingdi Yu60bd7082014-03-25 18:18:54 -0700[diff] [blame^]197 if (!static_cast<bool>(Info::defaultCertificate()))
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]198 {
199 Info::refreshDefaultCertificate();
200
Yingdi Yu60bd7082014-03-25 18:18:54 -0700[diff] [blame^]201 if (!static_cast<bool>(Info::defaultCertificate()))
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]202 {
203 Name defaultIdentity;
204 try
205 {
206 defaultIdentity = Info::getDefaultIdentity();
207 }
Yingdi Yu60bd7082014-03-25 18:18:54 -0700[diff] [blame^]208 catch (InfoError& e)
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]209 {
210 uint32_t random = random::generateWord32();
Yingdi Yu60bd7082014-03-25 18:18:54 -0700[diff] [blame^]211 defaultIdentity.append("tmp-identity")
212 .append(reinterpret_cast<uint8_t*>(&random), 4);
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]213 }
214 createIdentity(defaultIdentity);
Yingdi Yu60bd7082014-03-25 18:18:54 -0700[diff] [blame^]215 Info::setDefaultIdentity(defaultIdentity);
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]216 Info::refreshDefaultCertificate();
217 }
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]218 }
219
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]220 sign(packet, *Info::defaultCertificate());
Yingdi Yu4270f202014-01-28 14:19:16 -0800[diff] [blame]221 }
Alexander Afanasyeve64788e2014-01-05 22:38:21 -0800[diff] [blame]222
Jeff Thompson47c93cf2013-08-09 00:38:48 -0700[diff] [blame]223 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]224 * @brief Sign packet with a particular certificate.
225 *
226 * @param packet The packet to be signed.
227 * @param certificateName The certificate name of the key to use for signing.
228 * @throws SecPublicInfo::Error if certificate does not exist.
Jeff Thompson3c73da42013-08-12 11:19:05 -0700[diff] [blame]229 */
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]230 template<typename T>
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]231 void
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]232 sign(T& packet, const Name& certificateName)
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]233 {
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]234 if (!Info::doesCertificateExist(certificateName))
Yingdi Yu4270f202014-01-28 14:19:16 -0800[diff] [blame]235 throw InfoError("Requested certificate [" + certificateName.toUri() + "] doesn't exist");
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]236
237 SignatureSha256WithRsa signature;
238 signature.setKeyLocator(certificateName.getPrefix(-1)); // implicit conversion should take care
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]239
240 // For temporary usage, we support RSA + SHA256 only, but will support more.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]241 signPacketWrapper(packet, signature,
242 IdentityCertificate::certificateNameToPublicKeyName(certificateName),
243 DIGEST_ALGORITHM_SHA256);
Yingdi Yu4270f202014-01-28 14:19:16 -0800[diff] [blame]244 }
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700[diff] [blame]245
Jeff Thompson29ce3102013-09-27 11:47:48 -0700[diff] [blame]246 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]247 * @brief Sign the byte array using a particular certificate.
248 *
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700[diff] [blame]249 * @param buffer The byte array to be signed.
250 * @param bufferLength the length of buffer.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]251 * @param certificateName The certificate name of the signing key.
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700[diff] [blame]252 * @return The Signature.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]253 * @throws SecPublicInfo::Error if certificate does not exist.
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700[diff] [blame]254 */
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]255 Signature
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]256 sign(const uint8_t* buffer, size_t bufferLength, const Name& certificateName)
257 {
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]258 if (!Info::doesCertificateExist(certificateName))
Yingdi Yu4270f202014-01-28 14:19:16 -0800[diff] [blame]259 throw InfoError("Requested certificate [" + certificateName.toUri() + "] doesn't exist");
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]260
261 SignatureSha256WithRsa signature;
262 signature.setKeyLocator(certificateName.getPrefix(-1)); // implicit conversion should take care
263
264 // For temporary usage, we support RSA + SHA256 only, but will support more.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]265 signature.setValue(Tpm::signInTpm(buffer, bufferLength,
266 IdentityCertificate::certificateNameToPublicKeyName(certificateName),
267 DIGEST_ALGORITHM_SHA256));
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]268 return signature;
269 }
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700[diff] [blame]270
271 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]272 * @brief Sign packet using the default certificate of a particular identity.
273 *
274 * If there is no default certificate of that identity, this method will create a self-signed certificate.
275 *
276 * @param packet The packet to be signed.
277 * @param identityName The signing identity name.
Jeff Thompson29ce3102013-09-27 11:47:48 -0700[diff] [blame]278 */
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]279 template<typename T>
Jeff Thompson29ce3102013-09-27 11:47:48 -0700[diff] [blame]280 void
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]281 signByIdentity(T& packet, const Name& identityName)
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]282 {
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]283 Name signingCertificateName;
284 try
285 {
286 signingCertificateName = Info::getDefaultCertificateNameForIdentity(identityName);
287 }
288 catch(InfoError& e)
289 {
290 signingCertificateName = createIdentity(identityName);
291 // Ideally, no exception will be thrown out, unless something goes wrong in the TPM, which is a fatal error.
292 }
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]293
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]294 // We either get or create the signing certificate, sign packet! (no exception unless fatal error in TPM)
295 sign(packet, signingCertificateName);
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]296 }
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]297
Jeff Thompson3c73da42013-08-12 11:19:05 -0700[diff] [blame]298 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]299 * @brief Sign the byte array using the default certificate of a particular identity.
300 *
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700[diff] [blame]301 * @param buffer The byte array to be signed.
302 * @param bufferLength the length of buffer.
303 * @param identityName The identity name.
304 * @return The Signature.
305 */
Alexander Afanasyev64a3d812014-01-05 23:35:05 -0800[diff] [blame]306 Signature
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800[diff] [blame]307 signByIdentity(const uint8_t* buffer, size_t bufferLength, const Name& identityName)
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]308 {
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]309 Name signingCertificateName;
310 try
311 {
312 signingCertificateName = Info::getDefaultCertificateNameForIdentity(identityName);
313 }
314 catch(InfoError& e)
315 {
316 signingCertificateName = createIdentity(identityName);
317 // Ideally, no exception will be thrown out, unless something goes wrong in the TPM, which is a fatal error.
318 }
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]319
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]320 // We either get or create the signing certificate, sign data! (no exception unless fatal error in TPM)
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]321 return sign(buffer, bufferLength, signingCertificateName);
322 }
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700[diff] [blame]323
324 /**
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]325 * @brief Set Sha256 weak signature.
326 *
327 * @param data.
328 */
329 void
330 signWithSha256(Data& data)
331 {
332 SignatureSha256 sig;
333 data.setSignature(sig);
334
335 Block sigValue(Tlv::SignatureValue,
336 crypto::sha256(data.wireEncode().value(),
337 data.wireEncode().value_size() - data.getSignature().getValue().size()));
338 data.setSignatureValue(sigValue);
339
340 }
341
342 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]343 * @brief Generate a self-signed certificate for a public key.
344 *
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]345 * @param keyName The name of the public key.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]346 * @return The generated certificate, NULL if selfSign fails.
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]347 */
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]348 shared_ptr<IdentityCertificate>
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]349 selfSign(const Name& keyName)
350 {
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]351 shared_ptr<PublicKey> pubKey;
352 try
353 {
354 pubKey = Info::getPublicKey(keyName); // may throw an exception.
355 }
356 catch(InfoError& e)
357 {
358 return shared_ptr<IdentityCertificate>();
359 }
Yingdi Yu7ea69502014-01-15 17:21:29 -0800[diff] [blame]360
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]361 shared_ptr<IdentityCertificate> certificate = make_shared<IdentityCertificate>();
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]362
363 Name certificateName = keyName.getPrefix(-1);
364 certificateName.append("KEY").append(keyName.get(-1)).append("ID-CERT").appendVersion();
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]365
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]366 certificate->setName(certificateName);
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]367 certificate->setNotBefore(time::system_clock::now());
368 certificate->setNotAfter(time::system_clock::now() + time::days(7300)/* ~20 years*/);
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]369 certificate->setPublicKeyInfo(*pubKey);
370 certificate->addSubjectDescription(CertificateSubjectDescription("2.5.4.41", keyName.toUri()));
371 certificate->encode();
372
373 selfSign(*certificate);
374 return certificate;
375 }
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]376
377 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]378 * @brief Self-sign the supplied identity certificate.
379 *
380 * @param cert The supplied cert.
381 * @throws SecTpm::Error if the private key does not exist.
Jeff Thompson8efe5ad2013-08-20 17:36:38 -0700[diff] [blame]382 */
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700[diff] [blame]383 void
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]384 selfSign (IdentityCertificate& cert)
385 {
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]386 Name keyName = IdentityCertificate::certificateNameToPublicKeyName(cert.getName());
387 if(!Tpm::doesKeyExistInTpm(keyName, KEY_CLASS_PRIVATE))
388 throw TpmError("private key does not exist!");
389
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]390 SignatureSha256WithRsa signature;
391 signature.setKeyLocator(cert.getName().getPrefix(-1)); // implicit conversion should take care
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]392
393 // For temporary usage, we support RSA + SHA256 only, but will support more.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]394 signPacketWrapper(cert, signature, keyName, DIGEST_ALGORITHM_SHA256);
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]395 }
396
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]397 /**
398 * @brief delete a certificate.
399 *
400 * If the certificate to be deleted is current default system default,
401 * the method will not delete the certificate and return immediately.
402 *
403 * @param certificateName The certificate to be deleted.
404 */
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800[diff] [blame]405 void
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]406 deleteCertificate (const Name& certificateName)
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800[diff] [blame]407 {
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]408 try
409 {
410 if(Info::getDefaultCertificateName() == certificateName)
411 return;
412 }
413 catch(InfoError& e)
414 {
415 // Not a real error, just try to delete the certificate
416 }
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800[diff] [blame]417
418 Info::deleteCertificateInfo(certificateName);
419 }
420
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]421 /**
422 * @brief delete a key.
423 *
424 * If the key to be deleted is current default system default,
425 * the method will not delete the key and return immediately.
426 *
427 * @param keyName The key to be deleted.
428 */
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800[diff] [blame]429 void
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]430 deleteKey (const Name& keyName)
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800[diff] [blame]431 {
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]432 try
433 {
434 if(Info::getDefaultKeyNameForIdentity(Info::getDefaultIdentity()) == keyName)
435 return;
436 }
437 catch(InfoError& e)
438 {
439 // Not a real error, just try to delete the key
440 }
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800[diff] [blame]441
442 Info::deletePublicKeyInfo(keyName);
443 Tpm::deleteKeyPairInTpm(keyName);
444 }
445
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]446 /**
447 * @brief delete an identity.
448 *
449 * If the identity to be deleted is current default system default,
450 * the method will not delete the identity and return immediately.
451 *
452 * @param identity The identity to be deleted.
453 */
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800[diff] [blame]454 void
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]455 deleteIdentity (const Name& identity)
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800[diff] [blame]456 {
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]457 try
458 {
459 if(Info::getDefaultIdentity() == identity)
460 return;
461 }
462 catch(InfoError& e)
463 {
464 // Not a real error, just try to delete the identity
465 }
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800[diff] [blame]466
467 std::vector<Name> nameList;
468 Info::getAllKeyNamesOfIdentity(identity, nameList, true);
469 Info::getAllKeyNamesOfIdentity(identity, nameList, false);
470
471 Info::deleteIdentityInfo(identity);
472
473 std::vector<Name>::const_iterator it = nameList.begin();
474 for(; it != nameList.end(); it++)
475 Tpm::deleteKeyPairInTpm(*it);
476 }
477
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]478 /**
479 * @brief export an identity.
480 *
481 * @param identity The identity to export.
482 * @param passwordStr The password to secure the private key.
Yingdi Yu64c3fb42014-02-26 17:30:04 -0800[diff] [blame]483 * @return The encoded export data.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]484 * @throws InfoError if anything goes wrong in exporting.
485 */
Yingdi Yu64c3fb42014-02-26 17:30:04 -0800[diff] [blame]486 shared_ptr<SecuredBag>
Yingdi Yube4150e2014-02-18 13:02:46 -0800[diff] [blame]487 exportIdentity(const Name& identity, const std::string& passwordStr)
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]488 {
489 if (!Info::doesIdentityExist(identity))
490 throw InfoError("Identity does not exist!");
491
492 Name keyName = Info::getDefaultKeyNameForIdentity(identity);
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]493
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]494 ConstBufferPtr pkcs8;
495 try
496 {
497 pkcs8 = Tpm::exportPrivateKeyPkcs8FromTpm(keyName, passwordStr);
498 }
499 catch(TpmError& e)
500 {
501 throw InfoError("Fail to export PKCS8 of private key");
502 }
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]503
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]504 shared_ptr<IdentityCertificate> cert;
505 try
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]506 {
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]507 cert = Info::getCertificate(Info::getDefaultCertificateNameForKey(keyName));
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]508 }
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]509 catch(InfoError& e)
510 {
511 cert = selfSign(keyName);
512 Info::addCertificateAsIdentityDefault(*cert);
513 }
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]514
Yingdi Yu64c3fb42014-02-26 17:30:04 -0800[diff] [blame]515 shared_ptr<SecuredBag> secureBag = make_shared<SecuredBag>(boost::cref(*cert), boost::cref(pkcs8));
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]516
Yingdi Yu64c3fb42014-02-26 17:30:04 -0800[diff] [blame]517 return secureBag;
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]518 }
519
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]520 /**
521 * @brief import an identity.
522 *
Yingdi Yu64c3fb42014-02-26 17:30:04 -0800[diff] [blame]523 * @param securedBag The encoded import data.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]524 * @param passwordStr The password to secure the private key.
525 */
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]526 void
Yingdi Yu64c3fb42014-02-26 17:30:04 -0800[diff] [blame]527 importIdentity(const SecuredBag& securedBag, const std::string& passwordStr)
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]528 {
Yingdi Yu64c3fb42014-02-26 17:30:04 -0800[diff] [blame]529 Name keyName = IdentityCertificate::certificateNameToPublicKeyName(securedBag.getCertificate().getName());
530 Name identity = keyName.getPrefix(-1);
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]531
Yingdi Yu64c3fb42014-02-26 17:30:04 -0800[diff] [blame]532 // Add identity
533 Info::addIdentity(identity);
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]534
Yingdi Yu64c3fb42014-02-26 17:30:04 -0800[diff] [blame]535 // Add key
536 Tpm::importPrivateKeyPkcs8IntoTpm(keyName, securedBag.getKey()->buf(), securedBag.getKey()->size(), passwordStr);
537 shared_ptr<PublicKey> pubKey = Tpm::getPublicKeyFromTpm(keyName.toUri());
538 Info::addPublicKey(keyName, KEY_TYPE_RSA, *pubKey); // HACK! We should set key type according to the pkcs8 info.
539 Info::setDefaultKeyNameForIdentity(keyName);
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]540
Yingdi Yu64c3fb42014-02-26 17:30:04 -0800[diff] [blame]541 // Add cert
542 Info::addCertificateAsIdentityDefault(securedBag.getCertificate());
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]543 }
544
Jeff Thompson8efe5ad2013-08-20 17:36:38 -0700[diff] [blame]545
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]546private:
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]547 /**
548 * @brief sign a packet using a pariticular certificate.
549 *
550 * @param packet The packet to be signed.
551 * @param certificate The signing certificate.
552 */
553 template<typename T>
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800[diff] [blame]554 void
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]555 sign(T& packet, const IdentityCertificate& certificate)
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800[diff] [blame]556 {
557 SignatureSha256WithRsa signature;
558 signature.setKeyLocator(certificate.getName().getPrefix(-1));
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800[diff] [blame]559
560 // For temporary usage, we support RSA + SHA256 only, but will support more.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]561 signPacketWrapper(packet, signature, certificate.getPublicKeyName(), DIGEST_ALGORITHM_SHA256);
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800[diff] [blame]562 }
563
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]564 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]565 * @brief Generate a key pair for the specified identity.
566 *
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]567 * @param identityName The name of the specified identity.
568 * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
569 * @param keyType The type of the key pair, e.g. KEY_TYPE_RSA.
570 * @param keySize The size of the key pair.
571 * @return The name of the generated key.
572 */
573 Name
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]574 generateKeyPair(const Name& identityName, bool isKsk = false, KeyType keyType = KEY_TYPE_RSA, int keySize = 2048)
575 {
576 Name keyName = Info::getNewKeyName(identityName, isKsk);
577
578 Tpm::generateKeyPairInTpm(keyName.toUri(), keyType, keySize);
579
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800[diff] [blame]580 shared_ptr<PublicKey> pubKey = Tpm::getPublicKeyFromTpm(keyName.toUri());
Yingdi Yuef26ee32014-01-15 16:41:14 -0800[diff] [blame]581 Info::addPublicKey(keyName, keyType, *pubKey);
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]582
583 return keyName;
584 }
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]585
Yingdi Yu8726f652014-01-23 10:35:12 -0800[diff] [blame]586 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]587 * @brief Sign the data using a particular key.
588 *
589 * @param data Reference to the data packet.
590 * @param signature Signature to be added.
Yingdi Yu8726f652014-01-23 10:35:12 -0800[diff] [blame]591 * @param keyName The name of the signing key.
592 * @param digestAlgorithm the digest algorithm.
593 * @throws Tpm::Error
594 */
595 void
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]596 signPacketWrapper(Data& data, const SignatureSha256WithRsa& signature, const Name& keyName, DigestAlgorithm digestAlgorithm)
Yingdi Yu8726f652014-01-23 10:35:12 -0800[diff] [blame]597 {
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]598 data.setSignature(signature);
Yingdi Yu8726f652014-01-23 10:35:12 -0800[diff] [blame]599 data.setSignatureValue
600 (Tpm::signInTpm(data.wireEncode().value(),
601 data.wireEncode().value_size() - data.getSignature().getValue().size(),
602 keyName, digestAlgorithm));
603 }
604
Yingdi Yu2e57a582014-02-20 23:34:43 -0800[diff] [blame]605 /**
606 * @brief Sign the interest using a particular key.
607 *
608 * @param interest Reference to the interest packet.
609 * @param signature Signature to be added.
610 * @param keyName The name of the signing key.
611 * @param digestAlgorithm the digest algorithm.
612 * @throws Tpm::Error
613 */
614 void
615 signPacketWrapper(Interest& interest, const SignatureSha256WithRsa& signature, const Name& keyName, DigestAlgorithm digestAlgorithm)
616 {
617 Name signedName = Name(interest.getName()).append(signature.getInfo());
618
619 Block sigValue = Tpm::signInTpm(signedName.wireEncode().value(),
620 signedName.wireEncode().value_size(),
621 keyName,
622 DIGEST_ALGORITHM_SHA256);
623 sigValue.encode();
624 signedName.append(sigValue);
625 interest.setName(signedName);
626 }
627
628
Jeff Thompson47c93cf2013-08-09 00:38:48 -0700[diff] [blame]629};
630
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]631} // namespace ndn
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]632
Yingdi Yu04020922014-01-22 12:46:53 -0800[diff] [blame]633
634
Alexander Afanasyev3e08d5d2014-02-12 19:24:28 -0800[diff] [blame]635#if defined(NDN_CPP_HAVE_OSX_SECURITY) and defined(NDN_CPP_WITH_OSX_KEYCHAIN)
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]636
637namespace ndn
Alexander Afanasyeve64788e2014-01-05 22:38:21 -0800[diff] [blame]638{
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]639typedef KeyChainImpl<SecPublicInfoSqlite3, SecTpmOsx> KeyChain;
640};
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800[diff] [blame]641
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]642#else
Alexander Afanasyeve64788e2014-01-05 22:38:21 -0800[diff] [blame]643
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]644namespace ndn
Alexander Afanasyeve64788e2014-01-05 22:38:21 -0800[diff] [blame]645{
Yingdi Yu04020922014-01-22 12:46:53 -0800[diff] [blame]646typedef KeyChainImpl<SecPublicInfoSqlite3, SecTpmFile> KeyChain;
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]647};
Alexander Afanasyeve64788e2014-01-05 22:38:21 -0800[diff] [blame]648
Yingdi Yu31b4af22014-01-14 14:13:00 -0800[diff] [blame]649#endif //NDN_CPP_HAVE_OSX_SECURITY
Jeff Thompson47c93cf2013-08-09 00:38:48 -0700[diff] [blame]650
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]651#endif //NDN_SECURITY_KEY_CHAIN_HPP