blob: ec630c93be7c9ed9122d789ab192feb45d18a189 [file] [log] [blame]
Alexander Afanasyev82c359c2017-01-04 14:48:07 -08001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
Alexander Afanasyev464da532017-09-02 12:16:32 -04002/*
Davide Pesaventob310efb2019-04-11 22:10:24 -04003 * Copyright (c) 2013-2019 Regents of the University of California.
Alexander Afanasyev82c359c2017-01-04 14:48:07 -08004 *
5 * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
6 *
7 * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8 * terms of the GNU Lesser General Public License as published by the Free Software
9 * Foundation, either version 3 of the License, or (at your option) any later version.
10 *
11 * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13 * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14 *
15 * You should have received copies of the GNU General Public License and GNU Lesser
16 * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17 * <http://www.gnu.org/licenses/>.
18 *
19 * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
20 */
21
22#include "ndnsec.hpp"
23#include "util.hpp"
24
Davide Pesaventob310efb2019-04-11 22:10:24 -040025#include "ndn-cxx/security/transform/base64-encode.hpp"
26#include "ndn-cxx/security/transform/buffer-source.hpp"
27#include "ndn-cxx/security/transform/public-key.hpp"
28#include "ndn-cxx/security/transform/stream-sink.hpp"
Davide Pesavento5afbb0b2018-01-01 17:24:18 -050029
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080030namespace ndn {
31namespace ndnsec {
32
33int
34ndnsec_cert_gen(int argc, char** argv)
35{
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080036 namespace po = boost::program_options;
37
Davide Pesaventob310efb2019-04-11 22:10:24 -040038 std::string requestFile;
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080039 std::string notBeforeStr;
40 std::string notAfterStr;
Alexander Afanasyev35109a12017-01-04 15:39:06 -080041 std::vector<std::string> infos;
Davide Pesaventob310efb2019-04-11 22:10:24 -040042 Name signId;
Alexander Afanasyev35109a12017-01-04 15:39:06 -080043 std::string issuerId;
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080044
45 po::options_description description(
Davide Pesaventob310efb2019-04-11 22:10:24 -040046 "Usage: ndnsec cert-gen [-h] [-S TIMESTAMP] [-E TIMESTAMP] [-I INFO]...\n"
47 " [-s IDENTITY] [-i ISSUER] [-r] FILE\n"
48 "\n"
49 "Options");
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080050 description.add_options()
51 ("help,h", "produce help message")
Davide Pesaventob310efb2019-04-11 22:10:24 -040052 ("request,r", po::value<std::string>(&requestFile)->default_value("-"),
53 "request file name, '-' for stdin (the default)")
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080054 ("not-before,S", po::value<std::string>(&notBeforeStr),
Davide Pesaventob310efb2019-04-11 22:10:24 -040055 "certificate validity start date/time in YYYYMMDDhhmmss format (default: now)")
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080056 ("not-after,E", po::value<std::string>(&notAfterStr),
Davide Pesaventob310efb2019-04-11 22:10:24 -040057 "certificate validity end date/time in YYYYMMDDhhmmss format (default: "
58 "365 days after the --not-before timestamp)")
Alexander Afanasyev35109a12017-01-04 15:39:06 -080059 ("info,I", po::value<std::vector<std::string>>(&infos),
60 "key and value (must be separated by a single space) of the additional "
Davide Pesaventob310efb2019-04-11 22:10:24 -040061 "description to be included in the issued certificate (e.g., "
62 "\"affiliation University of California, Los Angeles\"); "
63 "this option may be repeated multiple times")
64 ("sign-id,s", po::value<Name>(&signId), "signing identity")
Alexander Afanasyev35109a12017-01-04 15:39:06 -080065 ("issuer-id,i", po::value<std::string>(&issuerId)->default_value("NA"),
Davide Pesaventob310efb2019-04-11 22:10:24 -040066 "issuer's ID to be included in the issued certificate name")
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080067 ;
68
69 po::positional_options_description p;
70 p.add("request", 1);
71
72 po::variables_map vm;
73 try {
74 po::store(po::command_line_parser(argc, argv).options(description).positional(p).run(), vm);
75 po::notify(vm);
76 }
77 catch (const std::exception& e) {
Davide Pesaventob310efb2019-04-11 22:10:24 -040078 std::cerr << "ERROR: " << e.what() << "\n\n"
79 << description << std::endl;
80 return 2;
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080081 }
82
Davide Pesaventob310efb2019-04-11 22:10:24 -040083 if (vm.count("help") > 0) {
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080084 std::cout << description << std::endl;
85 return 0;
86 }
87
Alexander Afanasyev35109a12017-01-04 15:39:06 -080088 security::v2::AdditionalDescription additionalDescription;
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080089
Alexander Afanasyev35109a12017-01-04 15:39:06 -080090 for (const auto& info : infos) {
Davide Pesaventob310efb2019-04-11 22:10:24 -040091 auto pos = info.find(" ");
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080092 if (pos == std::string::npos) {
Alexander Afanasyev35109a12017-01-04 15:39:06 -080093 std::cerr << "ERROR: incorrectly formatted info block [" << info << "]" << std::endl;
Davide Pesaventob310efb2019-04-11 22:10:24 -040094 return 2;
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080095 }
Alexander Afanasyev35109a12017-01-04 15:39:06 -080096 std::string key = info.substr(0, pos);
97 std::string value = info.substr(pos + 1);
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080098
Alexander Afanasyev35109a12017-01-04 15:39:06 -080099 additionalDescription.set(key, value);
Alexander Afanasyev82c359c2017-01-04 14:48:07 -0800100 }
101
102 time::system_clock::TimePoint notBefore;
103 time::system_clock::TimePoint notAfter;
104
105 if (vm.count("not-before") == 0) {
106 notBefore = time::system_clock::now();
107 }
108 else {
109 notBefore = time::fromIsoString(notBeforeStr.substr(0, 8) + "T" + notBeforeStr.substr(8, 6));
110 }
111
112 if (vm.count("not-after") == 0) {
Davide Pesavento0f830802018-01-16 23:58:58 -0500113 notAfter = notBefore + 365_days;
Alexander Afanasyev82c359c2017-01-04 14:48:07 -0800114 }
115 else {
116 notAfter = time::fromIsoString(notAfterStr.substr(0, 8) + "T" + notAfterStr.substr(8, 6));
117
118 if (notAfter < notBefore) {
Davide Pesaventob310efb2019-04-11 22:10:24 -0400119 std::cerr << "ERROR: '--not-before' cannot be later than '--not-after'" << std::endl;
120 return 2;
Alexander Afanasyev82c359c2017-01-04 14:48:07 -0800121 }
122 }
123
Davide Pesaventob310efb2019-04-11 22:10:24 -0400124 security::v2::KeyChain keyChain;
125
126 security::v2::Certificate certRequest;
127 try {
128 certRequest = loadCertificate(requestFile);
129 }
130 catch (const CannotLoadCertificate&) {
131 std::cerr << "ERROR: Cannot load the request from `" << requestFile << "`" << std::endl;
Alexander Afanasyev82c359c2017-01-04 14:48:07 -0800132 return 1;
133 }
134
Alexander Afanasyev35109a12017-01-04 15:39:06 -0800135 // validate that the content is a public key
Davide Pesaventob310efb2019-04-11 22:10:24 -0400136 Buffer keyContent = certRequest.getPublicKey();
137 security::transform::PublicKey pubKey;
138 pubKey.loadPkcs8(keyContent.data(), keyContent.size());
Alexander Afanasyev82c359c2017-01-04 14:48:07 -0800139
Alexander Afanasyev35109a12017-01-04 15:39:06 -0800140 Name certName = certRequest.getKeyName();
141 certName
142 .append(issuerId)
143 .appendVersion();
Alexander Afanasyev82c359c2017-01-04 14:48:07 -0800144
Davide Pesaventob310efb2019-04-11 22:10:24 -0400145 security::v2::Certificate cert;
Alexander Afanasyev35109a12017-01-04 15:39:06 -0800146 cert.setName(certName);
147 cert.setContent(certRequest.getContent());
Davide Pesaventob310efb2019-04-11 22:10:24 -0400148 // TODO: add ability to customize
Davide Pesavento0f830802018-01-16 23:58:58 -0500149 cert.setFreshnessPeriod(1_h);
Alexander Afanasyev35109a12017-01-04 15:39:06 -0800150
151 SignatureInfo signatureInfo;
152 signatureInfo.setValidityPeriod(security::ValidityPeriod(notBefore, notAfter));
Alexander Afanasyev464da532017-09-02 12:16:32 -0400153 if (!additionalDescription.empty()) {
154 signatureInfo.appendTypeSpecificTlv(additionalDescription.wireEncode());
155 }
Alexander Afanasyev35109a12017-01-04 15:39:06 -0800156
157 security::Identity identity;
158 if (vm.count("sign-id") == 0) {
159 identity = keyChain.getPib().getDefaultIdentity();
160 }
161 else {
162 identity = keyChain.getPib().getIdentity(signId);
Alexander Afanasyev82c359c2017-01-04 14:48:07 -0800163 }
164
Alexander Afanasyev35109a12017-01-04 15:39:06 -0800165 keyChain.sign(cert, security::SigningInfo(identity).setSignatureInfo(signatureInfo));
Alexander Afanasyev82c359c2017-01-04 14:48:07 -0800166
Davide Pesaventob310efb2019-04-11 22:10:24 -0400167 const Block& wire = cert.wireEncode();
168 {
169 using namespace security::transform;
170 bufferSource(wire.wire(), wire.size()) >> base64Encode(true) >> streamSink(std::cout);
Alexander Afanasyev82c359c2017-01-04 14:48:07 -0800171 }
172
173 return 0;
174}
175
176} // namespace ndnsec
177} // namespace ndn