blob: 44ff1defa7190f27432bc735c031f654a96f9428 [file] [log] [blame]
Alexander Afanasyevc169a812014-05-20 20:37:29 -04001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
Jeff Thompson47c93cf2013-08-09 00:38:48 -07002/**
Alexander Afanasyevc169a812014-05-20 20:37:29 -04003 * Copyright (c) 2013-2014 Regents of the University of California.
Alexander Afanasyevdfa52c42014-04-24 21:10:11 -07004 *
5 * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
Alexander Afanasyevdfa52c42014-04-24 21:10:11 -07006 *
Alexander Afanasyevc169a812014-05-20 20:37:29 -04007 * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8 * terms of the GNU Lesser General Public License as published by the Free Software
9 * Foundation, either version 3 of the License, or (at your option) any later version.
10 *
11 * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13 * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14 *
15 * You should have received copies of the GNU General Public License and GNU Lesser
16 * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17 * <http://www.gnu.org/licenses/>.
18 *
19 * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
Alexander Afanasyevdfa52c42014-04-24 21:10:11 -070020 *
21 * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
Jeff Thompson47c93cf2013-08-09 00:38:48 -070022 */
23
Yingdi Yufc40d872014-02-18 12:56:04 -080024#ifndef NDN_SECURITY_KEY_CHAIN_HPP
25#define NDN_SECURITY_KEY_CHAIN_HPP
Jeff Thompson47c93cf2013-08-09 00:38:48 -070026
Yingdi Yuf56c68f2014-04-24 21:50:13 -070027#include "sec-public-info.hpp"
28#include "sec-tpm.hpp"
Yingdi Yu7036ce22014-06-19 18:53:37 -070029#include "key-params.hpp"
Yingdi Yuf56c68f2014-04-24 21:50:13 -070030#include "secured-bag.hpp"
Yingdi Yu4f324632014-01-15 18:10:03 -080031#include "signature-sha256-with-rsa.hpp"
Yingdi Yubf6a2812014-06-17 15:32:11 -070032#include "digest-sha256.hpp"
Yingdi Yuf56c68f2014-04-24 21:50:13 -070033
Yingdi Yu4270f202014-01-28 14:19:16 -080034#include "../interest.hpp"
Yingdi Yu21157162014-02-28 13:02:34 -080035#include "../util/crypto.hpp"
Yingdi Yu0f5fb692014-06-10 12:07:28 -070036#include "../util/random.hpp"
Yingdi Yu31b4af22014-01-14 14:13:00 -080037
Jeff Thompson47c93cf2013-08-09 00:38:48 -070038
39namespace ndn {
40
Yingdi Yuf56c68f2014-04-24 21:50:13 -070041template<class TypePib, class TypeTpm>
42class KeyChainTraits
Yingdi Yu31b4af22014-01-14 14:13:00 -080043{
Jeff Thompson47c93cf2013-08-09 00:38:48 -070044public:
Yingdi Yuf56c68f2014-04-24 21:50:13 -070045 typedef TypePib Pib;
46 typedef TypeTpm Tpm;
47};
48
Alexander Afanasyev45a37132014-04-28 16:54:57 -070049class KeyChain : noncopyable
Yingdi Yuf56c68f2014-04-24 21:50:13 -070050{
51public:
52 class Error : public std::runtime_error
53 {
54 public:
55 explicit
56 Error(const std::string& what)
57 : std::runtime_error(what)
58 {
59 }
60 };
61
Yingdi Yu0eb5d722014-06-10 15:06:25 -070062 static const Name DEFAULT_PREFIX;
63
Yingdi Yu7036ce22014-06-19 18:53:37 -070064 // RsaKeyParams is set to be default for backward compatibility.
65 static const RsaKeyParams DEFAULT_KEY_PARAMS;
66
Yingdi Yuf56c68f2014-04-24 21:50:13 -070067 KeyChain();
68
69 template<class KeyChainTraits>
Alexander Afanasyeva4297a62014-06-19 13:29:34 -070070 explicit
Yingdi Yuf56c68f2014-04-24 21:50:13 -070071 KeyChain(KeyChainTraits traits);
72
73 KeyChain(const std::string& pibName,
74 const std::string& tpmName);
75
76 virtual
77 ~KeyChain()
78 {
79 if (m_pib != 0)
80 delete m_pib;
81
82 if (m_tpm != 0)
83 delete m_tpm;
84 }
85
Yingdi Yube4150e2014-02-18 13:02:46 -080086 /**
Yingdi Yu4b8c6a22014-04-15 23:00:54 -070087 * @brief Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a
88 * self-signed certificate of the KSK.
Yingdi Yube4150e2014-02-18 13:02:46 -080089 *
Yingdi Yu2abd73f2014-01-08 23:34:11 -080090 * @param identityName The name of the identity.
Yingdi Yu7036ce22014-06-19 18:53:37 -070091 * @param params The key parameter if a key needs to be generated for the identity.
Yingdi Yu28fd32f2014-01-28 19:03:03 -080092 * @return The name of the default certificate of the identity.
Yingdi Yu2abd73f2014-01-08 23:34:11 -080093 */
Yingdi Yu7036ce22014-06-19 18:53:37 -070094 Name
95 createIdentity(const Name& identityName, const KeyParams& params = DEFAULT_KEY_PARAMS);
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -070096
Yingdi Yu2abd73f2014-01-08 23:34:11 -080097 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -080098 * @brief Generate a pair of RSA keys for the specified identity.
99 *
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800100 * @param identityName The name of the identity.
101 * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
102 * @param keySize The size of the key.
103 * @return The generated key name.
104 */
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700105 inline Name
106 generateRsaKeyPair(const Name& identityName, bool isKsk = false, int keySize = 2048);
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700107
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800108 /**
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700109 * @brief Generate a pair of RSA keys for the specified identity and set it as default key for
110 * the identity.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800111 *
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800112 * @param identityName The name of the identity.
113 * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
114 * @param keySize The size of the key.
115 * @return The generated key name.
116 */
Yingdi Yu7036ce22014-06-19 18:53:37 -0700117 Name
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700118 generateRsaKeyPairAsDefault(const Name& identityName, bool isKsk = false, int keySize = 2048);
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700119
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800120 /**
Yingdi Yuc55680b2014-02-26 12:31:35 -0800121 * @brief prepare an unsigned identity certificate
122 *
Alexander Afanasyev770827c2014-05-13 17:42:55 -0700123 * @param keyName Key name, e.g., `/<identity_name>/ksk-123456`.
Yingdi Yuc55680b2014-02-26 12:31:35 -0800124 * @param signingIdentity The signing identity.
125 * @param notBefore Refer to IdentityCertificate.
126 * @param notAfter Refer to IdentityCertificate.
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700127 * @param subjectDescription Refer to IdentityCertificate.
Yingdi Yu0eb5d722014-06-10 15:06:25 -0700128 * @param certPrefix Prefix before `KEY` component. By default, KeyChain will infer the
129 * certificate name according to the relation between the signingIdentity and
130 * the subject identity. If signingIdentity is a prefix of the subject identity,
131 * `KEY` will be inserted after the signingIdentity, otherwise `KEY` is inserted
132 * after subject identity (i.e., before `ksk-....`).
Yingdi Yuc55680b2014-02-26 12:31:35 -0800133 * @return IdentityCertificate.
134 */
135 shared_ptr<IdentityCertificate>
136 prepareUnsignedIdentityCertificate(const Name& keyName,
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700137 const Name& signingIdentity,
138 const time::system_clock::TimePoint& notBefore,
139 const time::system_clock::TimePoint& notAfter,
Yingdi Yu0eb5d722014-06-10 15:06:25 -0700140 const std::vector<CertificateSubjectDescription>& subjectDescription,
141 const Name& certPrefix = DEFAULT_PREFIX);
142
143 /**
144 * @brief prepare an unsigned identity certificate
145 *
146 * @param keyName Key name, e.g., `/<identity_name>/ksk-123456`.
147 * @param publicKey Public key to sign.
148 * @param signingIdentity The signing identity.
149 * @param notBefore Refer to IdentityCertificate.
150 * @param notAfter Refer to IdentityCertificate.
151 * @param subjectDescription Refer to IdentityCertificate.
152 * @param certPrefix Prefix before `KEY` component. By default, KeyChain will infer the
153 * certificate name according to the relation between the signingIdentity and
154 * the subject identity. If signingIdentity is a prefix of the subject identity,
155 * `KEY` will be inserted after the signingIdentity, otherwise `KEY` is inserted
156 * after subject identity (i.e., before `ksk-....`).
157 * @return IdentityCertificate.
158 */
159 shared_ptr<IdentityCertificate>
160 prepareUnsignedIdentityCertificate(const Name& keyName,
161 const PublicKey& publicKey,
162 const Name& signingIdentity,
163 const time::system_clock::TimePoint& notBefore,
164 const time::system_clock::TimePoint& notAfter,
165 const std::vector<CertificateSubjectDescription>& subjectDescription,
166 const Name& certPrefix = DEFAULT_PREFIX);
Yingdi Yuc55680b2014-02-26 12:31:35 -0800167
168 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800169 * @brief Sign packet with default identity
170 *
Yingdi Yu60bd7082014-03-25 18:18:54 -0700171 * On return, signatureInfo and signatureValue in the packet are set.
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700172 * If default identity does not exist,
Yingdi Yu60bd7082014-03-25 18:18:54 -0700173 * a temporary identity will be created and set as default.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800174 *
175 * @param packet The packet to be signed
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800176 */
Yingdi Yu2e57a582014-02-20 23:34:43 -0800177 template<typename T>
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800178 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700179 sign(T& packet);
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700180
Jeff Thompson47c93cf2013-08-09 00:38:48 -0700181 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800182 * @brief Sign packet with a particular certificate.
183 *
184 * @param packet The packet to be signed.
185 * @param certificateName The certificate name of the key to use for signing.
186 * @throws SecPublicInfo::Error if certificate does not exist.
Jeff Thompson3c73da42013-08-12 11:19:05 -0700187 */
Yingdi Yu2e57a582014-02-20 23:34:43 -0800188 template<typename T>
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700189 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700190 sign(T& packet, const Name& certificateName);
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700191
Jeff Thompson29ce3102013-09-27 11:47:48 -0700192 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800193 * @brief Sign the byte array using a particular certificate.
194 *
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700195 * @param buffer The byte array to be signed.
196 * @param bufferLength the length of buffer.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800197 * @param certificateName The certificate name of the signing key.
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700198 * @return The Signature.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800199 * @throws SecPublicInfo::Error if certificate does not exist.
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700200 */
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800201 Signature
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700202 sign(const uint8_t* buffer, size_t bufferLength, const Name& certificateName);
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700203
204 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800205 * @brief Sign packet using the default certificate of a particular identity.
206 *
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700207 * If there is no default certificate of that identity, this method will create a self-signed
208 * certificate.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800209 *
210 * @param packet The packet to be signed.
211 * @param identityName The signing identity name.
Jeff Thompson29ce3102013-09-27 11:47:48 -0700212 */
Yingdi Yu2e57a582014-02-20 23:34:43 -0800213 template<typename T>
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700214 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700215 signByIdentity(T& packet, const Name& identityName);
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700216
Jeff Thompson3c73da42013-08-12 11:19:05 -0700217 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800218 * @brief Sign the byte array using the default certificate of a particular identity.
219 *
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700220 * @param buffer The byte array to be signed.
221 * @param bufferLength the length of buffer.
222 * @param identityName The identity name.
223 * @return The Signature.
224 */
Yingdi Yu7036ce22014-06-19 18:53:37 -0700225 Signature
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700226 signByIdentity(const uint8_t* buffer, size_t bufferLength, const Name& identityName);
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700227
228 /**
Alexander Afanasyev770827c2014-05-13 17:42:55 -0700229 * @brief Set Sha256 weak signature for @param data
Yingdi Yu21157162014-02-28 13:02:34 -0800230 */
Yingdi Yu7036ce22014-06-19 18:53:37 -0700231 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700232 signWithSha256(Data& data);
Yingdi Yu21157162014-02-28 13:02:34 -0800233
234 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800235 * @brief Generate a self-signed certificate for a public key.
236 *
Alexander Afanasyev770827c2014-05-13 17:42:55 -0700237 * @param keyName The name of the public key
238 * @return The generated certificate, shared_ptr<IdentityCertificate>() if selfSign fails
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800239 */
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800240 shared_ptr<IdentityCertificate>
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700241 selfSign(const Name& keyName);
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800242
243 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800244 * @brief Self-sign the supplied identity certificate.
245 *
246 * @param cert The supplied cert.
247 * @throws SecTpm::Error if the private key does not exist.
Jeff Thompson8efe5ad2013-08-20 17:36:38 -0700248 */
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700249 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700250 selfSign(IdentityCertificate& cert);
Yingdi Yu31b4af22014-01-14 14:13:00 -0800251
Yingdi Yu2e57a582014-02-20 23:34:43 -0800252 /**
253 * @brief delete a certificate.
254 *
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700255 * If the certificate to be deleted is current default system default,
Yingdi Yu2e57a582014-02-20 23:34:43 -0800256 * the method will not delete the certificate and return immediately.
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700257 *
Yingdi Yu2e57a582014-02-20 23:34:43 -0800258 * @param certificateName The certificate to be deleted.
259 */
Yingdi Yu7036ce22014-06-19 18:53:37 -0700260 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700261 deleteCertificate(const Name& certificateName);
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800262
Yingdi Yu2e57a582014-02-20 23:34:43 -0800263 /**
264 * @brief delete a key.
265 *
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700266 * If the key to be deleted is current default system default,
Yingdi Yu2e57a582014-02-20 23:34:43 -0800267 * the method will not delete the key and return immediately.
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700268 *
Yingdi Yu2e57a582014-02-20 23:34:43 -0800269 * @param keyName The key to be deleted.
270 */
Yingdi Yu7036ce22014-06-19 18:53:37 -0700271 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700272 deleteKey(const Name& keyName);
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800273
Yingdi Yu2e57a582014-02-20 23:34:43 -0800274 /**
275 * @brief delete an identity.
276 *
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700277 * If the identity to be deleted is current default system default,
Yingdi Yu2e57a582014-02-20 23:34:43 -0800278 * the method will not delete the identity and return immediately.
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700279 *
Yingdi Yu2e57a582014-02-20 23:34:43 -0800280 * @param identity The identity to be deleted.
281 */
Yingdi Yu7036ce22014-06-19 18:53:37 -0700282 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700283 deleteIdentity(const Name& identity);
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800284
Yingdi Yu2e57a582014-02-20 23:34:43 -0800285 /**
286 * @brief export an identity.
287 *
288 * @param identity The identity to export.
289 * @param passwordStr The password to secure the private key.
Yingdi Yu64c3fb42014-02-26 17:30:04 -0800290 * @return The encoded export data.
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700291 * @throws SecPublicInfo::Error if anything goes wrong in exporting.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800292 */
Yingdi Yu64c3fb42014-02-26 17:30:04 -0800293 shared_ptr<SecuredBag>
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700294 exportIdentity(const Name& identity, const std::string& passwordStr);
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800295
Yingdi Yu2e57a582014-02-20 23:34:43 -0800296 /**
297 * @brief import an identity.
298 *
Yingdi Yu64c3fb42014-02-26 17:30:04 -0800299 * @param securedBag The encoded import data.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800300 * @param passwordStr The password to secure the private key.
301 */
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800302 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700303 importIdentity(const SecuredBag& securedBag, const std::string& passwordStr);
304
305 SecPublicInfo&
306 getPib()
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800307 {
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700308 return *m_pib;
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800309 }
310
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700311 const SecPublicInfo&
312 getPib() const
313 {
314 return *m_pib;
315 }
316
317 SecTpm&
318 getTpm()
319 {
320 return *m_tpm;
321 }
322
323 const SecTpm&
324 getTpm() const
325 {
326 return *m_tpm;
327 }
328
329 /*******************************
330 * Wrapper of SecPublicInfo *
331 *******************************/
332 bool
333 doesIdentityExist(const Name& identityName) const
334 {
335 return m_pib->doesIdentityExist(identityName);
336 }
337
338 void
339 addIdentity(const Name& identityName)
340 {
341 return m_pib->addIdentity(identityName);
342 }
343
344 bool
345 doesPublicKeyExist(const Name& keyName) const
346 {
347 return m_pib->doesPublicKeyExist(keyName);
348 }
349
350 void
351 addPublicKey(const Name& keyName, KeyType keyType, const PublicKey& publicKeyDer)
352 {
353 return m_pib->addPublicKey(keyName, keyType, publicKeyDer);
354 }
355
Yingdi Yu7036ce22014-06-19 18:53:37 -0700356 void
357 addKey(const Name& keyName, const PublicKey& publicKeyDer)
358 {
359 return m_pib->addKey(keyName, publicKeyDer);
360 }
361
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700362 shared_ptr<PublicKey>
363 getPublicKey(const Name& keyName) const
364 {
365 return m_pib->getPublicKey(keyName);
366 }
367
368 bool
369 doesCertificateExist(const Name& certificateName) const
370 {
371 return m_pib->doesCertificateExist(certificateName);
372 }
373
374 void
375 addCertificate(const IdentityCertificate& certificate)
376 {
377 return m_pib->addCertificate(certificate);
378 }
379
380 shared_ptr<IdentityCertificate>
381 getCertificate(const Name& certificateName) const
382 {
383 return m_pib->getCertificate(certificateName);
384 }
385
386 Name
387 getDefaultIdentity() const
388 {
389 return m_pib->getDefaultIdentity();
390 }
391
392 Name
393 getDefaultKeyNameForIdentity(const Name& identityName) const
394 {
395 return m_pib->getDefaultKeyNameForIdentity(identityName);
396 }
397
398 Name
399 getDefaultCertificateNameForKey(const Name& keyName) const
400 {
401 return m_pib->getDefaultCertificateNameForKey(keyName);
402 }
403
404 void
405 getAllIdentities(std::vector<Name>& nameList, bool isDefault) const
406 {
407 return m_pib->getAllIdentities(nameList, isDefault);
408 }
409
410 void
411 getAllKeyNames(std::vector<Name>& nameList, bool isDefault) const
412 {
413 return m_pib->getAllKeyNames(nameList, isDefault);
414 }
415
416 void
417 getAllKeyNamesOfIdentity(const Name& identity, std::vector<Name>& nameList, bool isDefault) const
418 {
419 return m_pib->getAllKeyNamesOfIdentity(identity, nameList, isDefault);
420 }
421
422 void
423 getAllCertificateNames(std::vector<Name>& nameList, bool isDefault) const
424 {
425 return m_pib->getAllCertificateNames(nameList, isDefault);
426 }
427
428 void
429 getAllCertificateNamesOfKey(const Name& keyName,
430 std::vector<Name>& nameList,
431 bool isDefault) const
432 {
433 return m_pib->getAllCertificateNamesOfKey(keyName, nameList, isDefault);
434 }
435
436 void
437 deleteCertificateInfo(const Name& certificateName)
438 {
439 return m_pib->deleteCertificateInfo(certificateName);
440 }
441
442 void
443 deletePublicKeyInfo(const Name& keyName)
444 {
445 return m_pib->deletePublicKeyInfo(keyName);
446 }
447
448 void
449 deleteIdentityInfo(const Name& identity)
450 {
451 return m_pib->deleteIdentityInfo(identity);
452 }
453
454 void
455 setDefaultIdentity(const Name& identityName)
456 {
457 return m_pib->setDefaultIdentity(identityName);
458 }
459
460 void
461 setDefaultKeyNameForIdentity(const Name& keyName)
462 {
463 return m_pib->setDefaultKeyNameForIdentity(keyName);
464 }
465
466 void
467 setDefaultCertificateNameForKey(const Name& certificateName)
468 {
469 return m_pib->setDefaultCertificateNameForKey(certificateName);
470 }
471
472 Name
473 getNewKeyName(const Name& identityName, bool useKsk)
474 {
475 return m_pib->getNewKeyName(identityName, useKsk);
476 }
477
478 Name
479 getDefaultCertificateNameForIdentity(const Name& identityName) const
480 {
481 return m_pib->getDefaultCertificateNameForIdentity(identityName);
482 }
483
484 Name
485 getDefaultCertificateName() const
486 {
487 return m_pib->getDefaultCertificateName();
488 }
489
490 void
491 addCertificateAsKeyDefault(const IdentityCertificate& certificate)
492 {
493 return m_pib->addCertificateAsKeyDefault(certificate);
494 }
495
496 void
497 addCertificateAsIdentityDefault(const IdentityCertificate& certificate)
498 {
499 return m_pib->addCertificateAsIdentityDefault(certificate);
500 }
501
502 void
503 addCertificateAsSystemDefault(const IdentityCertificate& certificate)
504 {
505 return m_pib->addCertificateAsSystemDefault(certificate);
506 }
507
508 shared_ptr<IdentityCertificate>
509 getDefaultCertificate() const
510 {
511 return m_pib->defaultCertificate();
512 }
513
514 void
515 refreshDefaultCertificate()
516 {
517 return m_pib->refreshDefaultCertificate();
518 }
519
520 /*******************************
521 * Wrapper of SecTpm *
522 *******************************/
523
524 void
525 setTpmPassword(const uint8_t* password, size_t passwordLength)
526 {
527 return m_tpm->setTpmPassword(password, passwordLength);
528 }
529
530 void
531 resetTpmPassword()
532 {
533 return m_tpm->resetTpmPassword();
534 }
535
536 void
537 setInTerminal(bool inTerminal)
538 {
539 return m_tpm->setInTerminal(inTerminal);
540 }
541
542 bool
543 getInTerminal() const
544 {
545 return m_tpm->getInTerminal();
546 }
547
548 bool
549 isLocked() const
550 {
551 return m_tpm->isLocked();
552 }
553
554 bool
555 unlockTpm(const char* password, size_t passwordLength, bool usePassword)
556 {
557 return m_tpm->unlockTpm(password, passwordLength, usePassword);
558 }
559
560 void
Yingdi Yu7036ce22014-06-19 18:53:37 -0700561 generateKeyPairInTpm(const Name& keyName, const KeyParams& params)
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700562 {
Yingdi Yu7036ce22014-06-19 18:53:37 -0700563 return m_tpm->generateKeyPairInTpm(keyName, params);
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700564 }
565
566 void
567 deleteKeyPairInTpm(const Name& keyName)
568 {
569 return m_tpm->deleteKeyPairInTpm(keyName);
570 }
571
572 shared_ptr<PublicKey>
573 getPublicKeyFromTpm(const Name& keyName) const
574 {
575 return m_tpm->getPublicKeyFromTpm(keyName);
576 }
577
578 Block
579 signInTpm(const uint8_t* data, size_t dataLength,
580 const Name& keyName,
581 DigestAlgorithm digestAlgorithm)
582 {
583 return m_tpm->signInTpm(data, dataLength, keyName, digestAlgorithm);
584 }
585
586 ConstBufferPtr
587 decryptInTpm(const uint8_t* data, size_t dataLength, const Name& keyName, bool isSymmetric)
588 {
589 return m_tpm->decryptInTpm(data, dataLength, keyName, isSymmetric);
590 }
591
592 ConstBufferPtr
593 encryptInTpm(const uint8_t* data, size_t dataLength, const Name& keyName, bool isSymmetric)
594 {
595 return m_tpm->encryptInTpm(data, dataLength, keyName, isSymmetric);
596 }
597
598 void
Yingdi Yu7036ce22014-06-19 18:53:37 -0700599 generateSymmetricKeyInTpm(const Name& keyName, const KeyParams& params)
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700600 {
Yingdi Yu7036ce22014-06-19 18:53:37 -0700601 return m_tpm->generateSymmetricKeyInTpm(keyName, params);
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700602 }
603
604 bool
605 doesKeyExistInTpm(const Name& keyName, KeyClass keyClass) const
606 {
607 return m_tpm->doesKeyExistInTpm(keyName, keyClass);
608 }
609
610 bool
611 generateRandomBlock(uint8_t* res, size_t size) const
612 {
613 return m_tpm->generateRandomBlock(res, size);
614 }
615
616 void
617 addAppToAcl(const Name& keyName, KeyClass keyClass, const std::string& appPath, AclType acl)
618 {
619 return m_tpm->addAppToAcl(keyName, keyClass, appPath, acl);
620 }
621
622 ConstBufferPtr
623 exportPrivateKeyPkcs5FromTpm(const Name& keyName, const std::string& password)
624 {
625 return m_tpm->exportPrivateKeyPkcs5FromTpm(keyName, password);
626 }
627
628 bool
629 importPrivateKeyPkcs5IntoTpm(const Name& keyName,
630 const uint8_t* buf, size_t size,
631 const std::string& password)
632 {
633 return m_tpm->importPrivateKeyPkcs5IntoTpm(keyName, buf, size, password);
634 }
Jeff Thompson8efe5ad2013-08-20 17:36:38 -0700635
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800636private:
Yingdi Yu2e57a582014-02-20 23:34:43 -0800637 /**
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700638 * @brief Set default certificate if it is not initialized
639 */
640 void
641 setDefaultCertificateInternal();
642
643 /**
644 * @brief Sign a packet using a pariticular certificate.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800645 *
646 * @param packet The packet to be signed.
647 * @param certificate The signing certificate.
648 */
649 template<typename T>
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800650 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700651 sign(T& packet, const IdentityCertificate& certificate);
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800652
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800653 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800654 * @brief Generate a key pair for the specified identity.
655 *
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800656 * @param identityName The name of the specified identity.
657 * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
Yingdi Yu7036ce22014-06-19 18:53:37 -0700658 * @param params The parameter of the key.
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800659 * @return The name of the generated key.
660 */
Yingdi Yu7036ce22014-06-19 18:53:37 -0700661 Name
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700662 generateKeyPair(const Name& identityName, bool isKsk = false,
Yingdi Yu7036ce22014-06-19 18:53:37 -0700663 const KeyParams& params = DEFAULT_KEY_PARAMS);
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800664
Yingdi Yu8726f652014-01-23 10:35:12 -0800665 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800666 * @brief Sign the data using a particular key.
667 *
668 * @param data Reference to the data packet.
669 * @param signature Signature to be added.
Yingdi Yu8726f652014-01-23 10:35:12 -0800670 * @param keyName The name of the signing key.
671 * @param digestAlgorithm the digest algorithm.
672 * @throws Tpm::Error
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700673 */
Yingdi Yu7036ce22014-06-19 18:53:37 -0700674 void
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700675 signPacketWrapper(Data& data, const SignatureSha256WithRsa& signature,
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700676 const Name& keyName, DigestAlgorithm digestAlgorithm);
Yingdi Yu8726f652014-01-23 10:35:12 -0800677
Yingdi Yu2e57a582014-02-20 23:34:43 -0800678 /**
679 * @brief Sign the interest using a particular key.
680 *
681 * @param interest Reference to the interest packet.
682 * @param signature Signature to be added.
683 * @param keyName The name of the signing key.
684 * @param digestAlgorithm the digest algorithm.
685 * @throws Tpm::Error
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700686 */
Yingdi Yu7036ce22014-06-19 18:53:37 -0700687 void
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700688 signPacketWrapper(Interest& interest, const SignatureSha256WithRsa& signature,
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700689 const Name& keyName, DigestAlgorithm digestAlgorithm);
Yingdi Yu2e57a582014-02-20 23:34:43 -0800690
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700691
692private:
693 SecPublicInfo* m_pib;
694 SecTpm* m_tpm;
Yingdi Yu0f5fb692014-06-10 12:07:28 -0700695 time::milliseconds m_lastTimestamp;
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700696};
697
698template<class T>
699inline
700KeyChain::KeyChain(T)
701 : m_pib(new typename T::Pib)
702 , m_tpm(new typename T::Tpm)
Yingdi Yu0f5fb692014-06-10 12:07:28 -0700703 , m_lastTimestamp(time::toUnixTimestamp(time::system_clock::now()))
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700704{
705}
706
707inline Name
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700708KeyChain::generateRsaKeyPair(const Name& identityName, bool isKsk, int keySize)
709{
Yingdi Yu7036ce22014-06-19 18:53:37 -0700710 RsaKeyParams params(keySize);
711 return generateKeyPair(identityName, isKsk, params);
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700712}
713
714template<typename T>
715void
716KeyChain::sign(T& packet)
717{
718 if (!static_cast<bool>(m_pib->defaultCertificate()))
719 setDefaultCertificateInternal();
720
721 sign(packet, *m_pib->defaultCertificate());
722}
723
724template<typename T>
725void
726KeyChain::sign(T& packet, const Name& certificateName)
727{
728 if (!m_pib->doesCertificateExist(certificateName))
729 throw SecPublicInfo::Error("Requested certificate [" +
730 certificateName.toUri() + "] doesn't exist");
731
732 SignatureSha256WithRsa signature;
733 // implicit conversion should take care
734 signature.setKeyLocator(certificateName.getPrefix(-1));
735
736 // For temporary usage, we support RSA + SHA256 only, but will support more.
737 signPacketWrapper(packet, signature,
738 IdentityCertificate::certificateNameToPublicKeyName(certificateName),
739 DIGEST_ALGORITHM_SHA256);
740}
741
742template<typename T>
743void
744KeyChain::signByIdentity(T& packet, const Name& identityName)
745{
746 Name signingCertificateName;
747 try
748 {
749 signingCertificateName = m_pib->getDefaultCertificateNameForIdentity(identityName);
750 }
751 catch (SecPublicInfo::Error& e)
752 {
753 signingCertificateName = createIdentity(identityName);
754 // Ideally, no exception will be thrown out, unless something goes wrong in the TPM, which
755 // is a fatal error.
756 }
757
758 // We either get or create the signing certificate, sign packet! (no exception unless fatal
759 // error in TPM)
760 sign(packet, signingCertificateName);
761}
762
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700763template<typename T>
764void
765KeyChain::sign(T& packet, const IdentityCertificate& certificate)
766{
767 SignatureSha256WithRsa signature;
768 signature.setKeyLocator(certificate.getName().getPrefix(-1));
769
770 // For temporary usage, we support RSA + SHA256 only, but will support more.
771 signPacketWrapper(packet, signature, certificate.getPublicKeyName(), DIGEST_ALGORITHM_SHA256);
772}
773
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700774}
Jeff Thompson47c93cf2013-08-09 00:38:48 -0700775
Alexander Afanasyev766cea72014-04-24 19:16:42 -0700776#endif // NDN_SECURITY_KEY_CHAIN_HPP