blob: bb04f5ca948ada39098599a00175b0ffd25af753 [file] [log] [blame]
Alexander Afanasyevc169a812014-05-20 20:37:29 -04001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
Jeff Thompson47c93cf2013-08-09 00:38:48 -07002/**
Alexander Afanasyevc169a812014-05-20 20:37:29 -04003 * Copyright (c) 2013-2014 Regents of the University of California.
Alexander Afanasyevdfa52c42014-04-24 21:10:11 -07004 *
5 * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
Alexander Afanasyevdfa52c42014-04-24 21:10:11 -07006 *
Alexander Afanasyevc169a812014-05-20 20:37:29 -04007 * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8 * terms of the GNU Lesser General Public License as published by the Free Software
9 * Foundation, either version 3 of the License, or (at your option) any later version.
10 *
11 * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13 * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14 *
15 * You should have received copies of the GNU General Public License and GNU Lesser
16 * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17 * <http://www.gnu.org/licenses/>.
18 *
19 * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
Alexander Afanasyevdfa52c42014-04-24 21:10:11 -070020 *
21 * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
Jeff Thompson47c93cf2013-08-09 00:38:48 -070022 */
23
Yingdi Yufc40d872014-02-18 12:56:04 -080024#ifndef NDN_SECURITY_KEY_CHAIN_HPP
25#define NDN_SECURITY_KEY_CHAIN_HPP
Jeff Thompson47c93cf2013-08-09 00:38:48 -070026
Yingdi Yuf56c68f2014-04-24 21:50:13 -070027#include "sec-public-info.hpp"
28#include "sec-tpm.hpp"
Yingdi Yu7036ce22014-06-19 18:53:37 -070029#include "key-params.hpp"
Yingdi Yuf56c68f2014-04-24 21:50:13 -070030#include "secured-bag.hpp"
Yingdi Yu4f324632014-01-15 18:10:03 -080031#include "signature-sha256-with-rsa.hpp"
Yingdi Yuc8f883c2014-06-20 23:25:22 -070032#include "signature-sha256-with-ecdsa.hpp"
Yingdi Yubf6a2812014-06-17 15:32:11 -070033#include "digest-sha256.hpp"
Yingdi Yuf56c68f2014-04-24 21:50:13 -070034
Yingdi Yu4270f202014-01-28 14:19:16 -080035#include "../interest.hpp"
Yingdi Yu21157162014-02-28 13:02:34 -080036#include "../util/crypto.hpp"
Yingdi Yu0f5fb692014-06-10 12:07:28 -070037#include "../util/random.hpp"
Yingdi Yu31b4af22014-01-14 14:13:00 -080038
Jeff Thompson47c93cf2013-08-09 00:38:48 -070039
40namespace ndn {
41
Yingdi Yuf56c68f2014-04-24 21:50:13 -070042template<class TypePib, class TypeTpm>
43class KeyChainTraits
Yingdi Yu31b4af22014-01-14 14:13:00 -080044{
Jeff Thompson47c93cf2013-08-09 00:38:48 -070045public:
Yingdi Yuf56c68f2014-04-24 21:50:13 -070046 typedef TypePib Pib;
47 typedef TypeTpm Tpm;
48};
49
Alexander Afanasyev45a37132014-04-28 16:54:57 -070050class KeyChain : noncopyable
Yingdi Yuf56c68f2014-04-24 21:50:13 -070051{
52public:
53 class Error : public std::runtime_error
54 {
55 public:
56 explicit
57 Error(const std::string& what)
58 : std::runtime_error(what)
59 {
60 }
61 };
62
Yingdi Yu0eb5d722014-06-10 15:06:25 -070063 static const Name DEFAULT_PREFIX;
64
Yingdi Yu7036ce22014-06-19 18:53:37 -070065 // RsaKeyParams is set to be default for backward compatibility.
66 static const RsaKeyParams DEFAULT_KEY_PARAMS;
67
Yingdi Yuf56c68f2014-04-24 21:50:13 -070068 KeyChain();
69
70 template<class KeyChainTraits>
Alexander Afanasyeva4297a62014-06-19 13:29:34 -070071 explicit
Yingdi Yuf56c68f2014-04-24 21:50:13 -070072 KeyChain(KeyChainTraits traits);
73
74 KeyChain(const std::string& pibName,
75 const std::string& tpmName);
76
77 virtual
Yingdi Yu5ec0ee32014-06-24 16:26:09 -070078 ~KeyChain();
Yingdi Yuf56c68f2014-04-24 21:50:13 -070079
Yingdi Yube4150e2014-02-18 13:02:46 -080080 /**
Yingdi Yu4b8c6a22014-04-15 23:00:54 -070081 * @brief Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a
82 * self-signed certificate of the KSK.
Yingdi Yube4150e2014-02-18 13:02:46 -080083 *
Yingdi Yu2abd73f2014-01-08 23:34:11 -080084 * @param identityName The name of the identity.
Yingdi Yu7036ce22014-06-19 18:53:37 -070085 * @param params The key parameter if a key needs to be generated for the identity.
Yingdi Yu28fd32f2014-01-28 19:03:03 -080086 * @return The name of the default certificate of the identity.
Yingdi Yu2abd73f2014-01-08 23:34:11 -080087 */
Yingdi Yu7036ce22014-06-19 18:53:37 -070088 Name
89 createIdentity(const Name& identityName, const KeyParams& params = DEFAULT_KEY_PARAMS);
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -070090
Yingdi Yu2abd73f2014-01-08 23:34:11 -080091 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -080092 * @brief Generate a pair of RSA keys for the specified identity.
93 *
Yingdi Yu2abd73f2014-01-08 23:34:11 -080094 * @param identityName The name of the identity.
95 * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
96 * @param keySize The size of the key.
97 * @return The generated key name.
98 */
Yingdi Yuf56c68f2014-04-24 21:50:13 -070099 inline Name
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700100 generateRsaKeyPair(const Name& identityName, bool isKsk = false, uint32_t keySize = 2048);
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700101
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700102 inline Name
103 generateEcdsaKeyPair(const Name& identityName, bool isKsk = false, uint32_t keySize = 256);
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800104 /**
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700105 * @brief Generate a pair of RSA keys for the specified identity and set it as default key for
106 * the identity.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800107 *
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800108 * @param identityName The name of the identity.
109 * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
110 * @param keySize The size of the key.
111 * @return The generated key name.
112 */
Yingdi Yu7036ce22014-06-19 18:53:37 -0700113 Name
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700114 generateRsaKeyPairAsDefault(const Name& identityName, bool isKsk = false,
115 uint32_t keySize = 2048);
116
117 Name
118 generateEcdsaKeyPairAsDefault(const Name& identityName, bool isKsk, uint32_t keySize = 256);
Jeff Thompson79a2d5d2013-09-27 14:32:23 -0700119
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800120 /**
Yingdi Yuc55680b2014-02-26 12:31:35 -0800121 * @brief prepare an unsigned identity certificate
122 *
Alexander Afanasyev770827c2014-05-13 17:42:55 -0700123 * @param keyName Key name, e.g., `/<identity_name>/ksk-123456`.
Yingdi Yuc55680b2014-02-26 12:31:35 -0800124 * @param signingIdentity The signing identity.
125 * @param notBefore Refer to IdentityCertificate.
126 * @param notAfter Refer to IdentityCertificate.
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700127 * @param subjectDescription Refer to IdentityCertificate.
Yingdi Yu0eb5d722014-06-10 15:06:25 -0700128 * @param certPrefix Prefix before `KEY` component. By default, KeyChain will infer the
129 * certificate name according to the relation between the signingIdentity and
130 * the subject identity. If signingIdentity is a prefix of the subject identity,
131 * `KEY` will be inserted after the signingIdentity, otherwise `KEY` is inserted
132 * after subject identity (i.e., before `ksk-....`).
Yingdi Yuc55680b2014-02-26 12:31:35 -0800133 * @return IdentityCertificate.
134 */
135 shared_ptr<IdentityCertificate>
136 prepareUnsignedIdentityCertificate(const Name& keyName,
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700137 const Name& signingIdentity,
138 const time::system_clock::TimePoint& notBefore,
139 const time::system_clock::TimePoint& notAfter,
Yingdi Yu0eb5d722014-06-10 15:06:25 -0700140 const std::vector<CertificateSubjectDescription>& subjectDescription,
141 const Name& certPrefix = DEFAULT_PREFIX);
142
143 /**
144 * @brief prepare an unsigned identity certificate
145 *
146 * @param keyName Key name, e.g., `/<identity_name>/ksk-123456`.
147 * @param publicKey Public key to sign.
148 * @param signingIdentity The signing identity.
149 * @param notBefore Refer to IdentityCertificate.
150 * @param notAfter Refer to IdentityCertificate.
151 * @param subjectDescription Refer to IdentityCertificate.
152 * @param certPrefix Prefix before `KEY` component. By default, KeyChain will infer the
153 * certificate name according to the relation between the signingIdentity and
154 * the subject identity. If signingIdentity is a prefix of the subject identity,
155 * `KEY` will be inserted after the signingIdentity, otherwise `KEY` is inserted
156 * after subject identity (i.e., before `ksk-....`).
157 * @return IdentityCertificate.
158 */
159 shared_ptr<IdentityCertificate>
160 prepareUnsignedIdentityCertificate(const Name& keyName,
161 const PublicKey& publicKey,
162 const Name& signingIdentity,
163 const time::system_clock::TimePoint& notBefore,
164 const time::system_clock::TimePoint& notAfter,
165 const std::vector<CertificateSubjectDescription>& subjectDescription,
166 const Name& certPrefix = DEFAULT_PREFIX);
Yingdi Yuc55680b2014-02-26 12:31:35 -0800167
168 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800169 * @brief Sign packet with default identity
170 *
Yingdi Yu60bd7082014-03-25 18:18:54 -0700171 * On return, signatureInfo and signatureValue in the packet are set.
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700172 * If default identity does not exist,
Yingdi Yu60bd7082014-03-25 18:18:54 -0700173 * a temporary identity will be created and set as default.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800174 *
175 * @param packet The packet to be signed
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800176 */
Yingdi Yu2e57a582014-02-20 23:34:43 -0800177 template<typename T>
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800178 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700179 sign(T& packet);
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700180
Jeff Thompson47c93cf2013-08-09 00:38:48 -0700181 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800182 * @brief Sign packet with a particular certificate.
183 *
184 * @param packet The packet to be signed.
185 * @param certificateName The certificate name of the key to use for signing.
186 * @throws SecPublicInfo::Error if certificate does not exist.
Jeff Thompson3c73da42013-08-12 11:19:05 -0700187 */
Yingdi Yu2e57a582014-02-20 23:34:43 -0800188 template<typename T>
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700189 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700190 sign(T& packet, const Name& certificateName);
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700191
Jeff Thompson29ce3102013-09-27 11:47:48 -0700192 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800193 * @brief Sign the byte array using a particular certificate.
194 *
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700195 * @param buffer The byte array to be signed.
196 * @param bufferLength the length of buffer.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800197 * @param certificateName The certificate name of the signing key.
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700198 * @return The Signature.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800199 * @throws SecPublicInfo::Error if certificate does not exist.
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700200 */
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800201 Signature
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700202 sign(const uint8_t* buffer, size_t bufferLength, const Name& certificateName);
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700203
204 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800205 * @brief Sign packet using the default certificate of a particular identity.
206 *
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700207 * If there is no default certificate of that identity, this method will create a self-signed
208 * certificate.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800209 *
210 * @param packet The packet to be signed.
211 * @param identityName The signing identity name.
Jeff Thompson29ce3102013-09-27 11:47:48 -0700212 */
Yingdi Yu2e57a582014-02-20 23:34:43 -0800213 template<typename T>
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700214 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700215 signByIdentity(T& packet, const Name& identityName);
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700216
Jeff Thompson3c73da42013-08-12 11:19:05 -0700217 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800218 * @brief Sign the byte array using the default certificate of a particular identity.
219 *
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700220 * @param buffer The byte array to be signed.
221 * @param bufferLength the length of buffer.
222 * @param identityName The identity name.
223 * @return The Signature.
224 */
Yingdi Yu7036ce22014-06-19 18:53:37 -0700225 Signature
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700226 signByIdentity(const uint8_t* buffer, size_t bufferLength, const Name& identityName);
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700227
228 /**
Alexander Afanasyev770827c2014-05-13 17:42:55 -0700229 * @brief Set Sha256 weak signature for @param data
Yingdi Yu21157162014-02-28 13:02:34 -0800230 */
Yingdi Yu7036ce22014-06-19 18:53:37 -0700231 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700232 signWithSha256(Data& data);
Yingdi Yu21157162014-02-28 13:02:34 -0800233
234 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800235 * @brief Generate a self-signed certificate for a public key.
236 *
Alexander Afanasyev770827c2014-05-13 17:42:55 -0700237 * @param keyName The name of the public key
238 * @return The generated certificate, shared_ptr<IdentityCertificate>() if selfSign fails
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800239 */
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800240 shared_ptr<IdentityCertificate>
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700241 selfSign(const Name& keyName);
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800242
243 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800244 * @brief Self-sign the supplied identity certificate.
245 *
246 * @param cert The supplied cert.
247 * @throws SecTpm::Error if the private key does not exist.
Jeff Thompson8efe5ad2013-08-20 17:36:38 -0700248 */
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700249 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700250 selfSign(IdentityCertificate& cert);
Yingdi Yu31b4af22014-01-14 14:13:00 -0800251
Yingdi Yu2e57a582014-02-20 23:34:43 -0800252 /**
253 * @brief delete a certificate.
254 *
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700255 * If the certificate to be deleted is current default system default,
Yingdi Yu2e57a582014-02-20 23:34:43 -0800256 * the method will not delete the certificate and return immediately.
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700257 *
Yingdi Yu2e57a582014-02-20 23:34:43 -0800258 * @param certificateName The certificate to be deleted.
259 */
Yingdi Yu7036ce22014-06-19 18:53:37 -0700260 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700261 deleteCertificate(const Name& certificateName);
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800262
Yingdi Yu2e57a582014-02-20 23:34:43 -0800263 /**
264 * @brief delete a key.
265 *
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700266 * If the key to be deleted is current default system default,
Yingdi Yu2e57a582014-02-20 23:34:43 -0800267 * the method will not delete the key and return immediately.
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700268 *
Yingdi Yu2e57a582014-02-20 23:34:43 -0800269 * @param keyName The key to be deleted.
270 */
Yingdi Yu7036ce22014-06-19 18:53:37 -0700271 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700272 deleteKey(const Name& keyName);
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800273
Yingdi Yu2e57a582014-02-20 23:34:43 -0800274 /**
275 * @brief delete an identity.
276 *
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700277 * If the identity to be deleted is current default system default,
Yingdi Yu2e57a582014-02-20 23:34:43 -0800278 * the method will not delete the identity and return immediately.
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700279 *
Yingdi Yu2e57a582014-02-20 23:34:43 -0800280 * @param identity The identity to be deleted.
281 */
Yingdi Yu7036ce22014-06-19 18:53:37 -0700282 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700283 deleteIdentity(const Name& identity);
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800284
Yingdi Yu2e57a582014-02-20 23:34:43 -0800285 /**
286 * @brief export an identity.
287 *
288 * @param identity The identity to export.
289 * @param passwordStr The password to secure the private key.
Yingdi Yu64c3fb42014-02-26 17:30:04 -0800290 * @return The encoded export data.
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700291 * @throws SecPublicInfo::Error if anything goes wrong in exporting.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800292 */
Yingdi Yu64c3fb42014-02-26 17:30:04 -0800293 shared_ptr<SecuredBag>
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700294 exportIdentity(const Name& identity, const std::string& passwordStr);
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800295
Yingdi Yu2e57a582014-02-20 23:34:43 -0800296 /**
297 * @brief import an identity.
298 *
Yingdi Yu64c3fb42014-02-26 17:30:04 -0800299 * @param securedBag The encoded import data.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800300 * @param passwordStr The password to secure the private key.
301 */
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800302 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700303 importIdentity(const SecuredBag& securedBag, const std::string& passwordStr);
304
305 SecPublicInfo&
306 getPib()
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800307 {
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700308 return *m_pib;
Yingdi Yu8dceb1d2014-02-18 12:45:10 -0800309 }
310
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700311 const SecPublicInfo&
312 getPib() const
313 {
314 return *m_pib;
315 }
316
317 SecTpm&
318 getTpm()
319 {
320 return *m_tpm;
321 }
322
323 const SecTpm&
324 getTpm() const
325 {
326 return *m_tpm;
327 }
328
329 /*******************************
330 * Wrapper of SecPublicInfo *
331 *******************************/
332 bool
333 doesIdentityExist(const Name& identityName) const
334 {
335 return m_pib->doesIdentityExist(identityName);
336 }
337
338 void
339 addIdentity(const Name& identityName)
340 {
341 return m_pib->addIdentity(identityName);
342 }
343
344 bool
345 doesPublicKeyExist(const Name& keyName) const
346 {
347 return m_pib->doesPublicKeyExist(keyName);
348 }
349
350 void
351 addPublicKey(const Name& keyName, KeyType keyType, const PublicKey& publicKeyDer)
352 {
353 return m_pib->addPublicKey(keyName, keyType, publicKeyDer);
354 }
355
Yingdi Yu7036ce22014-06-19 18:53:37 -0700356 void
357 addKey(const Name& keyName, const PublicKey& publicKeyDer)
358 {
359 return m_pib->addKey(keyName, publicKeyDer);
360 }
361
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700362 shared_ptr<PublicKey>
363 getPublicKey(const Name& keyName) const
364 {
365 return m_pib->getPublicKey(keyName);
366 }
367
368 bool
369 doesCertificateExist(const Name& certificateName) const
370 {
371 return m_pib->doesCertificateExist(certificateName);
372 }
373
374 void
375 addCertificate(const IdentityCertificate& certificate)
376 {
377 return m_pib->addCertificate(certificate);
378 }
379
380 shared_ptr<IdentityCertificate>
381 getCertificate(const Name& certificateName) const
382 {
383 return m_pib->getCertificate(certificateName);
384 }
385
386 Name
387 getDefaultIdentity() const
388 {
389 return m_pib->getDefaultIdentity();
390 }
391
392 Name
393 getDefaultKeyNameForIdentity(const Name& identityName) const
394 {
395 return m_pib->getDefaultKeyNameForIdentity(identityName);
396 }
397
398 Name
399 getDefaultCertificateNameForKey(const Name& keyName) const
400 {
401 return m_pib->getDefaultCertificateNameForKey(keyName);
402 }
403
404 void
405 getAllIdentities(std::vector<Name>& nameList, bool isDefault) const
406 {
407 return m_pib->getAllIdentities(nameList, isDefault);
408 }
409
410 void
411 getAllKeyNames(std::vector<Name>& nameList, bool isDefault) const
412 {
413 return m_pib->getAllKeyNames(nameList, isDefault);
414 }
415
416 void
417 getAllKeyNamesOfIdentity(const Name& identity, std::vector<Name>& nameList, bool isDefault) const
418 {
419 return m_pib->getAllKeyNamesOfIdentity(identity, nameList, isDefault);
420 }
421
422 void
423 getAllCertificateNames(std::vector<Name>& nameList, bool isDefault) const
424 {
425 return m_pib->getAllCertificateNames(nameList, isDefault);
426 }
427
428 void
429 getAllCertificateNamesOfKey(const Name& keyName,
430 std::vector<Name>& nameList,
431 bool isDefault) const
432 {
433 return m_pib->getAllCertificateNamesOfKey(keyName, nameList, isDefault);
434 }
435
436 void
437 deleteCertificateInfo(const Name& certificateName)
438 {
439 return m_pib->deleteCertificateInfo(certificateName);
440 }
441
442 void
443 deletePublicKeyInfo(const Name& keyName)
444 {
445 return m_pib->deletePublicKeyInfo(keyName);
446 }
447
448 void
449 deleteIdentityInfo(const Name& identity)
450 {
451 return m_pib->deleteIdentityInfo(identity);
452 }
453
454 void
455 setDefaultIdentity(const Name& identityName)
456 {
457 return m_pib->setDefaultIdentity(identityName);
458 }
459
460 void
461 setDefaultKeyNameForIdentity(const Name& keyName)
462 {
463 return m_pib->setDefaultKeyNameForIdentity(keyName);
464 }
465
466 void
467 setDefaultCertificateNameForKey(const Name& certificateName)
468 {
469 return m_pib->setDefaultCertificateNameForKey(certificateName);
470 }
471
472 Name
473 getNewKeyName(const Name& identityName, bool useKsk)
474 {
475 return m_pib->getNewKeyName(identityName, useKsk);
476 }
477
478 Name
479 getDefaultCertificateNameForIdentity(const Name& identityName) const
480 {
481 return m_pib->getDefaultCertificateNameForIdentity(identityName);
482 }
483
484 Name
485 getDefaultCertificateName() const
486 {
487 return m_pib->getDefaultCertificateName();
488 }
489
490 void
491 addCertificateAsKeyDefault(const IdentityCertificate& certificate)
492 {
493 return m_pib->addCertificateAsKeyDefault(certificate);
494 }
495
496 void
497 addCertificateAsIdentityDefault(const IdentityCertificate& certificate)
498 {
499 return m_pib->addCertificateAsIdentityDefault(certificate);
500 }
501
502 void
503 addCertificateAsSystemDefault(const IdentityCertificate& certificate)
504 {
505 return m_pib->addCertificateAsSystemDefault(certificate);
506 }
507
508 shared_ptr<IdentityCertificate>
509 getDefaultCertificate() const
510 {
Alexander Afanasyevaab79662014-07-07 17:35:34 -0700511 if (!static_cast<bool>(m_pib->getDefaultCertificate()))
512 const_cast<KeyChain*>(this)->setDefaultCertificateInternal();
513
514 return m_pib->getDefaultCertificate();
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700515 }
516
517 void
518 refreshDefaultCertificate()
519 {
520 return m_pib->refreshDefaultCertificate();
521 }
522
523 /*******************************
524 * Wrapper of SecTpm *
525 *******************************/
526
527 void
528 setTpmPassword(const uint8_t* password, size_t passwordLength)
529 {
530 return m_tpm->setTpmPassword(password, passwordLength);
531 }
532
533 void
534 resetTpmPassword()
535 {
536 return m_tpm->resetTpmPassword();
537 }
538
539 void
540 setInTerminal(bool inTerminal)
541 {
542 return m_tpm->setInTerminal(inTerminal);
543 }
544
545 bool
546 getInTerminal() const
547 {
548 return m_tpm->getInTerminal();
549 }
550
551 bool
552 isLocked() const
553 {
554 return m_tpm->isLocked();
555 }
556
557 bool
558 unlockTpm(const char* password, size_t passwordLength, bool usePassword)
559 {
560 return m_tpm->unlockTpm(password, passwordLength, usePassword);
561 }
562
563 void
Yingdi Yu7036ce22014-06-19 18:53:37 -0700564 generateKeyPairInTpm(const Name& keyName, const KeyParams& params)
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700565 {
Yingdi Yu7036ce22014-06-19 18:53:37 -0700566 return m_tpm->generateKeyPairInTpm(keyName, params);
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700567 }
568
569 void
570 deleteKeyPairInTpm(const Name& keyName)
571 {
572 return m_tpm->deleteKeyPairInTpm(keyName);
573 }
574
575 shared_ptr<PublicKey>
576 getPublicKeyFromTpm(const Name& keyName) const
577 {
578 return m_tpm->getPublicKeyFromTpm(keyName);
579 }
580
581 Block
582 signInTpm(const uint8_t* data, size_t dataLength,
583 const Name& keyName,
584 DigestAlgorithm digestAlgorithm)
585 {
586 return m_tpm->signInTpm(data, dataLength, keyName, digestAlgorithm);
587 }
588
589 ConstBufferPtr
590 decryptInTpm(const uint8_t* data, size_t dataLength, const Name& keyName, bool isSymmetric)
591 {
592 return m_tpm->decryptInTpm(data, dataLength, keyName, isSymmetric);
593 }
594
595 ConstBufferPtr
596 encryptInTpm(const uint8_t* data, size_t dataLength, const Name& keyName, bool isSymmetric)
597 {
598 return m_tpm->encryptInTpm(data, dataLength, keyName, isSymmetric);
599 }
600
601 void
Yingdi Yu7036ce22014-06-19 18:53:37 -0700602 generateSymmetricKeyInTpm(const Name& keyName, const KeyParams& params)
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700603 {
Yingdi Yu7036ce22014-06-19 18:53:37 -0700604 return m_tpm->generateSymmetricKeyInTpm(keyName, params);
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700605 }
606
607 bool
608 doesKeyExistInTpm(const Name& keyName, KeyClass keyClass) const
609 {
610 return m_tpm->doesKeyExistInTpm(keyName, keyClass);
611 }
612
613 bool
614 generateRandomBlock(uint8_t* res, size_t size) const
615 {
616 return m_tpm->generateRandomBlock(res, size);
617 }
618
619 void
620 addAppToAcl(const Name& keyName, KeyClass keyClass, const std::string& appPath, AclType acl)
621 {
622 return m_tpm->addAppToAcl(keyName, keyClass, appPath, acl);
623 }
624
625 ConstBufferPtr
626 exportPrivateKeyPkcs5FromTpm(const Name& keyName, const std::string& password)
627 {
628 return m_tpm->exportPrivateKeyPkcs5FromTpm(keyName, password);
629 }
630
631 bool
632 importPrivateKeyPkcs5IntoTpm(const Name& keyName,
633 const uint8_t* buf, size_t size,
634 const std::string& password)
635 {
636 return m_tpm->importPrivateKeyPkcs5IntoTpm(keyName, buf, size, password);
637 }
Jeff Thompson8efe5ad2013-08-20 17:36:38 -0700638
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800639private:
Yingdi Yu2e57a582014-02-20 23:34:43 -0800640 /**
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700641 * @brief Determine signature type
642 *
643 * An empty pointer will be returned if there is no valid signature.
644 */
645 shared_ptr<SignatureWithPublicKey>
646 determineSignatureWithPublicKey(KeyType keyType,
647 DigestAlgorithm digestAlgorithm = DIGEST_ALGORITHM_SHA256);
648
649 /**
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700650 * @brief Set default certificate if it is not initialized
651 */
652 void
653 setDefaultCertificateInternal();
654
655 /**
656 * @brief Sign a packet using a pariticular certificate.
Yingdi Yu2e57a582014-02-20 23:34:43 -0800657 *
658 * @param packet The packet to be signed.
659 * @param certificate The signing certificate.
660 */
661 template<typename T>
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800662 void
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700663 sign(T& packet, const IdentityCertificate& certificate);
Yingdi Yu28fd32f2014-01-28 19:03:03 -0800664
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800665 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800666 * @brief Generate a key pair for the specified identity.
667 *
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800668 * @param identityName The name of the specified identity.
669 * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
Yingdi Yu7036ce22014-06-19 18:53:37 -0700670 * @param params The parameter of the key.
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800671 * @return The name of the generated key.
672 */
Yingdi Yu7036ce22014-06-19 18:53:37 -0700673 Name
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700674 generateKeyPair(const Name& identityName, bool isKsk = false,
Yingdi Yu7036ce22014-06-19 18:53:37 -0700675 const KeyParams& params = DEFAULT_KEY_PARAMS);
Yingdi Yu2abd73f2014-01-08 23:34:11 -0800676
Yingdi Yu8726f652014-01-23 10:35:12 -0800677 /**
Yingdi Yu2e57a582014-02-20 23:34:43 -0800678 * @brief Sign the data using a particular key.
679 *
680 * @param data Reference to the data packet.
681 * @param signature Signature to be added.
Yingdi Yu8726f652014-01-23 10:35:12 -0800682 * @param keyName The name of the signing key.
683 * @param digestAlgorithm the digest algorithm.
684 * @throws Tpm::Error
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700685 */
Yingdi Yu7036ce22014-06-19 18:53:37 -0700686 void
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700687 signPacketWrapper(Data& data, const Signature& signature,
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700688 const Name& keyName, DigestAlgorithm digestAlgorithm);
Yingdi Yu8726f652014-01-23 10:35:12 -0800689
Yingdi Yu2e57a582014-02-20 23:34:43 -0800690 /**
691 * @brief Sign the interest using a particular key.
692 *
693 * @param interest Reference to the interest packet.
694 * @param signature Signature to be added.
695 * @param keyName The name of the signing key.
696 * @param digestAlgorithm the digest algorithm.
697 * @throws Tpm::Error
Alexander Afanasyevb78bc4d2014-04-09 21:20:52 -0700698 */
Yingdi Yu7036ce22014-06-19 18:53:37 -0700699 void
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700700 signPacketWrapper(Interest& interest, const Signature& signature,
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700701 const Name& keyName, DigestAlgorithm digestAlgorithm);
Yingdi Yu2e57a582014-02-20 23:34:43 -0800702
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700703
704private:
705 SecPublicInfo* m_pib;
706 SecTpm* m_tpm;
Yingdi Yu0f5fb692014-06-10 12:07:28 -0700707 time::milliseconds m_lastTimestamp;
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700708};
709
710template<class T>
711inline
712KeyChain::KeyChain(T)
713 : m_pib(new typename T::Pib)
714 , m_tpm(new typename T::Tpm)
Yingdi Yu0f5fb692014-06-10 12:07:28 -0700715 , m_lastTimestamp(time::toUnixTimestamp(time::system_clock::now()))
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700716{
717}
718
719inline Name
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700720KeyChain::generateRsaKeyPair(const Name& identityName, bool isKsk, uint32_t keySize)
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700721{
Yingdi Yu7036ce22014-06-19 18:53:37 -0700722 RsaKeyParams params(keySize);
723 return generateKeyPair(identityName, isKsk, params);
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700724}
725
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700726inline Name
727KeyChain::generateEcdsaKeyPair(const Name& identityName, bool isKsk, uint32_t keySize)
728{
729 EcdsaKeyParams params(keySize);
730 return generateKeyPair(identityName, isKsk, params);
731}
732
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700733template<typename T>
734void
735KeyChain::sign(T& packet)
736{
Alexander Afanasyevaab79662014-07-07 17:35:34 -0700737 if (!static_cast<bool>(m_pib->getDefaultCertificate()))
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700738 setDefaultCertificateInternal();
739
Alexander Afanasyevaab79662014-07-07 17:35:34 -0700740 sign(packet, *m_pib->getDefaultCertificate());
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700741}
742
743template<typename T>
744void
745KeyChain::sign(T& packet, const Name& certificateName)
746{
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700747 shared_ptr<IdentityCertificate> certificate = m_pib->getCertificate(certificateName);
748 sign(packet, *certificate);
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700749}
750
751template<typename T>
752void
753KeyChain::signByIdentity(T& packet, const Name& identityName)
754{
755 Name signingCertificateName;
756 try
757 {
758 signingCertificateName = m_pib->getDefaultCertificateNameForIdentity(identityName);
759 }
760 catch (SecPublicInfo::Error& e)
761 {
762 signingCertificateName = createIdentity(identityName);
763 // Ideally, no exception will be thrown out, unless something goes wrong in the TPM, which
764 // is a fatal error.
765 }
766
767 // We either get or create the signing certificate, sign packet! (no exception unless fatal
768 // error in TPM)
769 sign(packet, signingCertificateName);
770}
771
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700772template<typename T>
773void
774KeyChain::sign(T& packet, const IdentityCertificate& certificate)
775{
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700776
Yingdi Yu5ec0ee32014-06-24 16:26:09 -0700777 shared_ptr<SignatureWithPublicKey> signature =
778 determineSignatureWithPublicKey(certificate.getPublicKeyInfo().getKeyType());
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700779
Yingdi Yu5ec0ee32014-06-24 16:26:09 -0700780 if (!static_cast<bool>(signature))
781 throw SecPublicInfo::Error("unknown key type!");
782
783 signature->setKeyLocator(certificate.getName().getPrefix(-1));
784
785 signPacketWrapper(packet, *signature,
786 certificate.getPublicKeyName(),
787 DIGEST_ALGORITHM_SHA256);
788
789 return;
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700790}
791
Yingdi Yuf56c68f2014-04-24 21:50:13 -0700792}
Jeff Thompson47c93cf2013-08-09 00:38:48 -0700793
Alexander Afanasyev766cea72014-04-24 19:16:42 -0700794#endif // NDN_SECURITY_KEY_CHAIN_HPP