blob: fffa05d82a9047db19819866cf64a69b4ba1b88d [file] [log] [blame]
Jeff Thompson25b4e612013-10-10 16:03:24 -07001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
Jeff Thompson47c93cf2013-08-09 00:38:48 -07002/**
Jeff Thompson7687dc02013-09-13 11:54:07 -07003 * Copyright (C) 2013 Regents of the University of California.
Jeff Thompsonba16b8f2013-12-16 13:11:47 -08004 * @author: Yingdi Yu <yingdi@cs.ucla.edu>
Jeff Thompson7687dc02013-09-13 11:54:07 -07005 * @author: Jeff Thompson <jefft0@remap.ucla.edu>
Jeff Thompson47c93cf2013-08-09 00:38:48 -07006 * See COPYING for copyright and distribution information.
7 */
8
9#ifndef NDN_KEY_CHAIN_HPP
Jeff Thompson2d27e2f2013-08-09 12:55:00 -070010#define NDN_KEY_CHAIN_HPP
Jeff Thompson47c93cf2013-08-09 00:38:48 -070011
Yingdi Yu4f324632014-01-15 18:10:03 -080012#include "identity-certificate.hpp"
13#include "public-key.hpp"
14#include "signature-sha256-with-rsa.hpp"
Yingdi Yu31b4af22014-01-14 14:13:00 -080015
Yingdi Yu4f324632014-01-15 18:10:03 -080016#include "sec-public-info-sqlite3.hpp"
17#include "sec-public-info-memory.hpp"
18#include "sec-tpm-osx.hpp"
19#include "sec-tpm-memory.hpp"
Yingdi Yu2abd73f2014-01-08 23:34:11 -080020
Jeff Thompson47c93cf2013-08-09 00:38:48 -070021
22namespace ndn {
23
Jeff Thompson2ce8f492013-09-17 18:01:25 -070024/**
Yingdi Yu2abd73f2014-01-08 23:34:11 -080025 * KeyChain is one of the main classes of the security library.
Jeff Thompsonffa36f92013-09-20 08:42:41 -070026 *
Yingdi Yu2abd73f2014-01-08 23:34:11 -080027 * The KeyChain class provides a set of interfaces of identity management and private key related operations.
Jeff Thompsonffa36f92013-09-20 08:42:41 -070028 */
Yingdi Yu31b4af22014-01-14 14:13:00 -080029template<class Info, class Tpm>
30class KeyChainImpl : public Info, public Tpm
31{
Jeff Thompson47c93cf2013-08-09 00:38:48 -070032public:
Yingdi Yu31b4af22014-01-14 14:13:00 -080033 // struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
Yingdi Yu2abd73f2014-01-08 23:34:11 -080034
35 /**
36 * Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed certificate of the KSK.
37 * @param identityName The name of the identity.
38 * @return The key name of the auto-generated KSK of the identity.
39 */
40 Name
Yingdi Yu31b4af22014-01-14 14:13:00 -080041 createIdentity(const Name& identityName)
42 {
43 if (!Info::doesIdentityExist(identityName)) {
44 Info::addIdentity(identityName);
45
46 Name keyName = generateRSAKeyPairAsDefault(identityName, true);
47
48 ptr_lib::shared_ptr<IdentityCertificate> selfCert = selfSign(keyName);
49
50 Info::addCertificateAsDefault(*selfCert);
51
52 return keyName;
53 }
54 else
55 return Name();
56 }
Yingdi Yu2abd73f2014-01-08 23:34:11 -080057
58 /**
Yingdi Yu2abd73f2014-01-08 23:34:11 -080059 * Generate a pair of RSA keys for the specified identity.
60 * @param identityName The name of the identity.
61 * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
62 * @param keySize The size of the key.
63 * @return The generated key name.
64 */
65 Name
Yingdi Yu31b4af22014-01-14 14:13:00 -080066 generateRSAKeyPair(const Name& identityName, bool isKsk = false, int keySize = 2048)
Yingdi Yu2abd73f2014-01-08 23:34:11 -080067 {
Yingdi Yu31b4af22014-01-14 14:13:00 -080068 return generateKeyPair(identityName, isKsk, KEY_TYPE_RSA, keySize);
Yingdi Yu2abd73f2014-01-08 23:34:11 -080069 }
Alexander Afanasyev64a3d812014-01-05 23:35:05 -080070
Yingdi Yu2abd73f2014-01-08 23:34:11 -080071 /**
72 * Generate a pair of RSA keys for the specified identity and set it as default key for the identity.
73 * @param identityName The name of the identity.
74 * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
75 * @param keySize The size of the key.
76 * @return The generated key name.
77 */
78 Name
Yingdi Yu31b4af22014-01-14 14:13:00 -080079 generateRSAKeyPairAsDefault(const Name& identityName, bool isKsk = false, int keySize = 2048)
80 {
81 Name keyName = generateKeyPair(identityName, isKsk, KEY_TYPE_RSA, keySize);
82
83 Info::setDefaultKeyNameForIdentity(keyName);
Yingdi Yu31b4af22014-01-14 14:13:00 -080084
85 return keyName;
86 }
Jeff Thompson79a2d5d2013-09-27 14:32:23 -070087
Yingdi Yu2abd73f2014-01-08 23:34:11 -080088 /**
Yingdi Yu2abd73f2014-01-08 23:34:11 -080089 * Create an identity certificate for a public key managed by this IdentityManager.
90 * @param certificatePrefix The name of public key to be signed.
91 * @param signerCertificateName The name of signing certificate.
92 * @param notBefore The notBefore value in the validity field of the generated certificate.
93 * @param notAfter The notAfter vallue in validity field of the generated certificate.
94 * @return The name of generated identity certificate.
95 */
96 ptr_lib::shared_ptr<IdentityCertificate>
97 createIdentityCertificate
98 (const Name& certificatePrefix,
99 const Name& signerCertificateName,
100 const MillisecondsSince1970& notBefore,
Yingdi Yu31b4af22014-01-14 14:13:00 -0800101 const MillisecondsSince1970& notAfter)
102 {
103 Name keyName = getKeyNameFromCertificatePrefix(certificatePrefix);
104
105 ptr_lib::shared_ptr<PublicKey> pubKey = Info::getPublicKey(keyName);
106 if (!pubKey)
107 throw std::runtime_error("Requested public key [" + keyName.toUri() + "] doesn't exist");
108
109 ptr_lib::shared_ptr<IdentityCertificate> certificate =
110 createIdentityCertificate(certificatePrefix,
111 *pubKey,
112 signerCertificateName,
113 notBefore, notAfter);
114
115 Info::addCertificate(*certificate);
116
117 return certificate;
118 }
119
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700120
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800121 /**
122 * Create an identity certificate for a public key supplied by the caller.
123 * @param certificatePrefix The name of public key to be signed.
124 * @param publickey The public key to be signed.
125 * @param signerCertificateName The name of signing certificate.
126 * @param notBefore The notBefore value in the validity field of the generated certificate.
127 * @param notAfter The notAfter vallue in validity field of the generated certificate.
128 * @return The generated identity certificate.
129 */
130 ptr_lib::shared_ptr<IdentityCertificate>
131 createIdentityCertificate
132 (const Name& certificatePrefix,
Yingdi Yu31b4af22014-01-14 14:13:00 -0800133 const PublicKey& publicKey,
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800134 const Name& signerCertificateName,
135 const MillisecondsSince1970& notBefore,
Yingdi Yu31b4af22014-01-14 14:13:00 -0800136 const MillisecondsSince1970& notAfter)
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800137 {
Yingdi Yu31b4af22014-01-14 14:13:00 -0800138 ptr_lib::shared_ptr<IdentityCertificate> certificate (new IdentityCertificate());
139 Name keyName = getKeyNameFromCertificatePrefix(certificatePrefix);
140
141 Name certificateName = certificatePrefix;
142 certificateName.append("ID-CERT").appendVersion();
143
144 certificate->setName(certificateName);
145 certificate->setNotBefore(notBefore);
146 certificate->setNotAfter(notAfter);
147 certificate->setPublicKeyInfo(publicKey);
148 certificate->addSubjectDescription(CertificateSubjectDescription("2.5.4.41", keyName.toUri()));
149 certificate->encode();
150
151 sign(*certificate, signerCertificateName);
152
153 return certificate;
Alexander Afanasyevbf1a67a2014-01-05 23:36:13 -0800154 }
155
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800156 void
Yingdi Yu31b4af22014-01-14 14:13:00 -0800157 sign(Data &data)
158 {
159 if (!Info::defaultCertificate())
160 {
161 Info::refreshDefaultCertificate();
162
163 if(!Info::defaultCertificate())
164 throw std::runtime_error("Default IdentityCertificate cannot be determined");
165 }
166
167 sign(data, *Info::defaultCertificate());
168 }
Alexander Afanasyeve64788e2014-01-05 22:38:21 -0800169
Jeff Thompson47c93cf2013-08-09 00:38:48 -0700170 /**
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700171 * Wire encode the Data object, sign it and set its signature.
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700172 * @param data The Data object to be signed. This updates its signature and key locator field and wireEncoding.
Jeff Thompson9296f0c2013-09-23 18:10:27 -0700173 * @param certificateName The certificate name of the key to use for signing. If omitted, infer the signing identity from the data packet name.
Jeff Thompson3c73da42013-08-12 11:19:05 -0700174 */
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800175 void
Yingdi Yu31b4af22014-01-14 14:13:00 -0800176 sign(Data& data, const Name& certificateName)
177 {
178 ptr_lib::shared_ptr<IdentityCertificate> cert = Info::getCertificate(certificateName);
179 if (!cert)
180 throw std::runtime_error("Requested certificate [" + certificateName.toUri() + "] doesn't exist");
181
182 SignatureSha256WithRsa signature;
183 signature.setKeyLocator(certificateName.getPrefix(-1)); // implicit conversion should take care
184 data.setSignature(signature);
185
186 // For temporary usage, we support RSA + SHA256 only, but will support more.
Yingdi Yub4bb85a2014-01-16 10:11:04 -0800187 Tpm::signInTpm(data, cert->getPublicKeyName(), DIGEST_ALGORITHM_SHA256);
Yingdi Yu31b4af22014-01-14 14:13:00 -0800188 }
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800189
190 void
Yingdi Yu31b4af22014-01-14 14:13:00 -0800191 sign(Data& data, const IdentityCertificate& certificate)
192 {
193 SignatureSha256WithRsa signature;
194 signature.setKeyLocator(certificate.getName().getPrefix(-1));
195 data.setSignature(signature);
196
197 // For temporary usage, we support RSA + SHA256 only, but will support more.
Yingdi Yub4bb85a2014-01-16 10:11:04 -0800198 Tpm::signInTpm(data, certificate.getPublicKeyName(), DIGEST_ALGORITHM_SHA256);
Yingdi Yu31b4af22014-01-14 14:13:00 -0800199 }
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700200
Jeff Thompson29ce3102013-09-27 11:47:48 -0700201 /**
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700202 * Sign the byte array using a certificate name and return a Signature object.
203 * @param buffer The byte array to be signed.
204 * @param bufferLength the length of buffer.
205 * @param certificateName The certificate name used to get the signing key and which will be put into KeyLocator.
206 * @return The Signature.
207 */
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800208 Signature
Yingdi Yu31b4af22014-01-14 14:13:00 -0800209 sign(const uint8_t* buffer, size_t bufferLength, const Name& certificateName)
210 {
211 ptr_lib::shared_ptr<IdentityCertificate> cert = Info::getCertificate(certificateName);
212 if (!cert)
213 throw std::runtime_error("Requested certificate [" + certificateName.toUri() + "] doesn't exist");
214
215 SignatureSha256WithRsa signature;
216 signature.setKeyLocator(certificateName.getPrefix(-1)); // implicit conversion should take care
217
218 // For temporary usage, we support RSA + SHA256 only, but will support more.
Yingdi Yub4bb85a2014-01-16 10:11:04 -0800219 signature.setValue(Tpm::signInTpm(buffer, bufferLength, cert->getPublicKeyName(), DIGEST_ALGORITHM_SHA256));
Yingdi Yu31b4af22014-01-14 14:13:00 -0800220 return signature;
221 }
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700222
223 /**
Jeff Thompson29ce3102013-09-27 11:47:48 -0700224 * Wire encode the Data object, sign it and set its signature.
Jeff Thompson29ce3102013-09-27 11:47:48 -0700225 * @param data The Data object to be signed. This updates its signature and key locator field and wireEncoding.
226 * @param identityName The identity name for the key to use for signing. If omitted, infer the signing identity from the data packet name.
Jeff Thompson29ce3102013-09-27 11:47:48 -0700227 */
228 void
Yingdi Yu31b4af22014-01-14 14:13:00 -0800229 signByIdentity(Data& data, const Name& identityName = Name())
230 {
231 Name signingCertificateName = Info::getDefaultCertificateNameForIdentity(identityName);
232
233 if (signingCertificateName.getComponentCount() == 0)
234 throw std::runtime_error("No qualified certificate name found!");
235
236 sign(data, signingCertificateName);
237 }
Jeff Thompson3c73da42013-08-12 11:19:05 -0700238
239 /**
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700240 * Sign the byte array using an identity name and return a Signature object.
241 * @param buffer The byte array to be signed.
242 * @param bufferLength the length of buffer.
243 * @param identityName The identity name.
244 * @return The Signature.
245 */
Alexander Afanasyev64a3d812014-01-05 23:35:05 -0800246 Signature
Yingdi Yu31b4af22014-01-14 14:13:00 -0800247 signByIdentity(const uint8_t* buffer, size_t bufferLength, const Name& identityName = Name())
248 {
249 Name signingCertificateName = Info::getDefaultCertificateNameForIdentity(identityName);
250
251 if (signingCertificateName.size() == 0)
252 throw std::runtime_error("No qualified certificate name found!");
253
254 return sign(buffer, bufferLength, signingCertificateName);
255 }
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700256
257 /**
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800258 * Generate a self-signed certificate for a public key.
259 * @param keyName The name of the public key.
260 * @return The generated certificate.
261 */
262 ptr_lib::shared_ptr<IdentityCertificate>
Yingdi Yu31b4af22014-01-14 14:13:00 -0800263 selfSign(const Name& keyName)
264 {
Yingdi Yu7ea69502014-01-15 17:21:29 -0800265 if(keyName.empty())
266 throw std::runtime_error("Incorrect key name: " + keyName.toUri());
267
Yingdi Yu31b4af22014-01-14 14:13:00 -0800268 ptr_lib::shared_ptr<IdentityCertificate> certificate = ptr_lib::make_shared<IdentityCertificate>();
269
270 Name certificateName = keyName.getPrefix(-1);
271 certificateName.append("KEY").append(keyName.get(-1)).append("ID-CERT").appendVersion();
272
273 ptr_lib::shared_ptr<PublicKey> pubKey = Info::getPublicKey(keyName);
274 if (!pubKey)
275 throw std::runtime_error("Requested public key [" + keyName.toUri() + "] doesn't exist");
276
277 certificate->setName(certificateName);
278 certificate->setNotBefore(getNow());
279 certificate->setNotAfter(getNow() + 630720000 /* 20 years*/);
280 certificate->setPublicKeyInfo(*pubKey);
281 certificate->addSubjectDescription(CertificateSubjectDescription("2.5.4.41", keyName.toUri()));
282 certificate->encode();
283
284 selfSign(*certificate);
285 return certificate;
286 }
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800287
288 /**
289 * @brief Self-sign the supplied identity certificate
Jeff Thompson8efe5ad2013-08-20 17:36:38 -0700290 */
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700291 void
Yingdi Yu31b4af22014-01-14 14:13:00 -0800292 selfSign (IdentityCertificate& cert)
293 {
294 SignatureSha256WithRsa signature;
295 signature.setKeyLocator(cert.getName().getPrefix(-1)); // implicit conversion should take care
296 cert.setSignature(signature);
297
298 // For temporary usage, we support RSA + SHA256 only, but will support more.
Yingdi Yub4bb85a2014-01-16 10:11:04 -0800299 Tpm::signInTpm(cert, cert.getPublicKeyName(), DIGEST_ALGORITHM_SHA256);
Yingdi Yu31b4af22014-01-14 14:13:00 -0800300 }
301
Jeff Thompson8efe5ad2013-08-20 17:36:38 -0700302
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800303private:
304 /**
305 * Generate a key pair for the specified identity.
306 * @param identityName The name of the specified identity.
307 * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
308 * @param keyType The type of the key pair, e.g. KEY_TYPE_RSA.
309 * @param keySize The size of the key pair.
310 * @return The name of the generated key.
311 */
312 Name
Yingdi Yu31b4af22014-01-14 14:13:00 -0800313 generateKeyPair(const Name& identityName, bool isKsk = false, KeyType keyType = KEY_TYPE_RSA, int keySize = 2048)
314 {
315 Name keyName = Info::getNewKeyName(identityName, isKsk);
316
317 Tpm::generateKeyPairInTpm(keyName.toUri(), keyType, keySize);
318
319 ptr_lib::shared_ptr<PublicKey> pubKey = Tpm::getPublicKeyFromTpm(keyName.toUri());
Yingdi Yuef26ee32014-01-15 16:41:14 -0800320 Info::addPublicKey(keyName, keyType, *pubKey);
Yingdi Yu31b4af22014-01-14 14:13:00 -0800321
322 return keyName;
323 }
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800324
325 static Name
Yingdi Yu31b4af22014-01-14 14:13:00 -0800326 getKeyNameFromCertificatePrefix(const Name& certificatePrefix)
327 {
328 Name result;
Alexander Afanasyevbf1a67a2014-01-05 23:36:13 -0800329
Yingdi Yu31b4af22014-01-14 14:13:00 -0800330 std::string keyString("KEY");
331 int i = 0;
332 for(; i < certificatePrefix.size(); i++) {
333 if (certificatePrefix.get(i).toEscapedString() == keyString)
334 break;
335 }
Alexander Afanasyevbf1a67a2014-01-05 23:36:13 -0800336
Yingdi Yu31b4af22014-01-14 14:13:00 -0800337 if (i >= certificatePrefix.size())
338 throw std::runtime_error("Identity Certificate Prefix does not have a KEY component");
Alexander Afanasyevbd5ba402014-01-05 22:41:09 -0800339
Yingdi Yu31b4af22014-01-14 14:13:00 -0800340 result.append(certificatePrefix.getSubName(0, i));
341 result.append(certificatePrefix.getSubName(i + 1, certificatePrefix.size()-i-1));
342
343 return result;
344 }
345
Jeff Thompson47c93cf2013-08-09 00:38:48 -0700346};
347
Yingdi Yu31b4af22014-01-14 14:13:00 -0800348}
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800349
Yingdi Yu31b4af22014-01-14 14:13:00 -0800350#ifdef NDN_CPP_HAVE_OSX_SECURITY
351
352namespace ndn
Alexander Afanasyeve64788e2014-01-05 22:38:21 -0800353{
Yingdi Yu31b4af22014-01-14 14:13:00 -0800354typedef KeyChainImpl<SecPublicInfoSqlite3, SecTpmOsx> KeyChain;
355};
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800356
Yingdi Yu31b4af22014-01-14 14:13:00 -0800357#else
Alexander Afanasyeve64788e2014-01-05 22:38:21 -0800358
Yingdi Yu31b4af22014-01-14 14:13:00 -0800359namespace ndn
Alexander Afanasyeve64788e2014-01-05 22:38:21 -0800360{
Yingdi Yu31b4af22014-01-14 14:13:00 -0800361typedef KeyChainImpl<SecPublicInfoMemory, SecTpmMemory> KeyChain;
362};
Alexander Afanasyeve64788e2014-01-05 22:38:21 -0800363
Yingdi Yu31b4af22014-01-14 14:13:00 -0800364#endif //NDN_CPP_HAVE_OSX_SECURITY
Jeff Thompson47c93cf2013-08-09 00:38:48 -0700365
366#endif