blob: e40e392bab1d956d97e47af59e6495c6f234c8f1 [file] [log] [blame]
Yingdi Yue6bfab22014-02-06 16:01:19 -08001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
2/*
3 * Copyright (c) 2013, Regents of the University of California
4 * Yingdi Yu
5 *
6 * BSD license, See the LICENSE file for more information
7 *
8 * Author: Yingdi Yu <yingdi@cs.ucla.edu>
9 */
10
11#include <iostream>
12#include <fstream>
13
14#include <boost/program_options/options_description.hpp>
15#include <boost/program_options/variables_map.hpp>
16#include <boost/program_options/parsers.hpp>
17#include <boost/date_time/posix_time/posix_time.hpp>
18#include <boost/regex.hpp>
19#include <cryptopp/base64.h>
20#include <cryptopp/files.h>
21
22#include <boost/tokenizer.hpp>
23using boost::tokenizer;
24using boost::escaped_list_separator;
25
26#include "security/key-chain.hpp"
27
28namespace ndn {
29typedef boost::posix_time::ptime Time;
30typedef boost::posix_time::time_duration TimeInterval;
31namespace time {
32const Time UNIX_EPOCH_TIME = Time (boost::gregorian::date (1970, boost::gregorian::Jan, 1));
33} // namespace time
34} // namespace ndn
35
36using namespace ndn;
37namespace po = boost::program_options;
38
39shared_ptr<IdentityCertificate>
40getSelfSignedCertificate(const std::string& fileName)
41{
42 std::istream* ifs;
43 if(fileName == "-")
44 ifs = &std::cin;
45 else
46 ifs = new std::ifstream(fileName.c_str());
47
48 std::string decoded;
49 CryptoPP::FileSource ss2(*ifs, true,
50 new CryptoPP::Base64Decoder(new CryptoPP::StringSink(decoded)));
51
52 shared_ptr<IdentityCertificate> identityCertificate = make_shared<IdentityCertificate>();
53 identityCertificate->wireDecode(Block(make_shared<Buffer>(decoded.c_str(), decoded.size())));
54
55 return identityCertificate;
56}
57
58int main(int argc, char** argv)
59{
60 std::string notBeforeStr;
61 std::string notAfterStr;
62 std::string sName;
63 std::string reqFile;
64 std::string signId;
65 std::string subInfo;
66 bool isSelfSigned = false;
67 bool nack = false;
68
69 po::options_description desc("General Usage\n ndn-certgen [-h] [-S date] [-E date] [-N subject-name] [-I subject-info] [-s sign-id] request\nGeneral options");
70 desc.add_options()
71 ("help,h", "produce help message")
72 ("not-before,S", po::value<std::string>(&notBeforeStr), "certificate starting date, YYYYMMDDhhmmss")
73 ("not-after,E", po::value<std::string>(&notAfterStr), "certificate ending date, YYYYMMDDhhmmss")
74 ("subject-name,N", po::value<std::string>(&sName), "subject name")
75 ("subject-info,I", po::value<std::string>(&subInfo), "subject info, pairs of OID and string description: \"2.5.4.10 'University of California, Los Angeles'\"")
76 ("nack", "Generate revocation certificate (NACK)")
77 ("sign-id,s", po::value<std::string>(&signId), "signing Identity, self-signed if not specified")
78 ("request,r", po::value<std::string>(&reqFile), "request file name, - for stdin")
79 ;
80
81 po::positional_options_description p;
82 p.add("request", 1);
83
84 po::variables_map vm;
85 try
86 {
87 po::store(po::command_line_parser(argc, argv).options(desc).positional(p).run(), vm);
88 po::notify(vm);
89 }
90 catch (std::exception &e)
91 {
92 std::cerr << "ERROR: " << e.what() << std::endl;
93 return 1;
94 }
95
96 if (vm.count("help"))
97 {
98 std::cerr << desc << std::endl;
99 return 1;
100 }
101
102 if (0 == vm.count("sign-id"))
103 {
104 isSelfSigned = true;
105 }
106
107 if (vm.count("nack"))
108 {
109 nack = true;
110 }
111
112 std::vector<CertificateSubjectDescription> otherSubDescrypt;
113 tokenizer<escaped_list_separator<char> > subInfoItems(subInfo, escaped_list_separator<char> ("\\", " \t", "'\""));
114
115 tokenizer<escaped_list_separator<char> >::iterator it = subInfoItems.begin();
116 try
117 {
118 while (it != subInfoItems.end())
119 {
120 std::string oid = *it;
121
122 it++;
123 if (it == subInfoItems.end ())
124 {
125 std::cerr << "ERROR: unmatched info for oid [" << oid << "]" << std::endl;
126 return 1;
127 }
128
129 std::string value = *it;
130
131 otherSubDescrypt.push_back (CertificateSubjectDescription(oid, value));
132
133 it++;
134 }
135 }
136 catch (std::exception &e)
137 {
138 std::cerr << "error in parsing subject info" << std::endl;
139 return 1;
140 }
141
142 Time notBefore;
143 Time notAfter;
144 try{
145 if (0 == vm.count("not-before"))
146 {
147 notBefore = boost::posix_time::second_clock::universal_time();
148 }
149 else
150 {
151 notBefore = boost::posix_time::from_iso_string(notBeforeStr.substr(0, 8) + "T" + notBeforeStr.substr(8, 6));
152 }
153
154
155 if (0 == vm.count("not-after"))
156 {
157 notAfter = notBefore + boost::posix_time::hours(24*365);
158 }
159 else
160 {
161 notAfter = boost::posix_time::from_iso_string(notAfterStr.substr(0, 8) + "T" + notAfterStr.substr(8, 6));
162 if(notAfter < notBefore)
163 {
164 std::cerr << "not-before is later than not-after" << std::endl;
165 return 1;
166 }
167 }
168 }catch(std::exception & e){
169 std::cerr << "Error in converting validity timestamp!" << std::endl;
170 return 1;
171 }
172
173 if (0 == vm.count("request"))
174 {
175 std::cerr << "request file must be specified" << std::endl;
176 return 1;
177 }
178
179 shared_ptr<IdentityCertificate> selfSignedCertificate;
180 try
181 {
182 selfSignedCertificate = getSelfSignedCertificate(reqFile);
183 }
184 catch(...)
185 {
186 std::cerr << "ERROR: input error" << std::endl;
187 return 1;
188 }
189
190 Name keyName = selfSignedCertificate->getPublicKeyName();
191 Name signIdName;
192 Name certName;
193
194 if(isSelfSigned)
195 {
196 certName = keyName.getPrefix(keyName.size()-1);
197 certName.append("KEY").append(keyName.get(-1)).append("ID-CERT").appendVersion();
198 }
199 else
200 {
201 signIdName = Name(signId);
202
203 Name::const_iterator i = keyName.begin();
204 Name::const_iterator j = signIdName.begin();
205 int count = 0;
206 for(; i != keyName.end() && j != signIdName.end(); i++, j++, count++)
207 {
208 if(*i != *j)
209 break;
210 }
211
212 if(j != signIdName.end() || i == keyName.end())
213 {
214 std::cerr << "wrong signing identity!" << std::endl;
215 return 1;
216 }
217
218 certName = keyName.getSubName(0, count);
219 certName.append("KEY").append(keyName.getSubName(count, keyName.size()-count));
220 certName.append("ID-CERT").appendVersion ();
221 }
222
223 Block wire;
224
225 if (!nack)
226 {
227 if (0 == vm.count("subject-name"))
228 {
229 std::cerr << "subject_name must be specified" << std::endl;
230 return 1;
231 }
232
233 try
234 {
235 CertificateSubjectDescription subDescryptName("2.5.4.41", sName);
236 IdentityCertificate certificate;
237 certificate.setName(certName);
238 certificate.setNotBefore((notBefore-ndn::time::UNIX_EPOCH_TIME).total_milliseconds());
239 certificate.setNotAfter((notAfter-ndn::time::UNIX_EPOCH_TIME).total_milliseconds());
240 certificate.setPublicKeyInfo(selfSignedCertificate->getPublicKeyInfo());
241 certificate.addSubjectDescription(subDescryptName);
242 for(int i = 0; i < otherSubDescrypt.size(); i++)
243 certificate.addSubjectDescription(otherSubDescrypt[i]);
244 certificate.encode();
245
246 KeyChain keyChain;
247
248 if(isSelfSigned)
249 keyChain.selfSign(certificate);
250 else
251 {
252 Name signingCertificateName = keyChain.getDefaultCertificateNameForIdentity(Name(signId));
253
254 keyChain.sign(certificate, signingCertificateName);
255 }
256 wire = certificate.wireEncode();
257 }
258 catch(std::exception &e)
259 {
260 std::cerr << "ERROR: " << e.what() << std::endl;
261 return 1;
262 }
263 }
264 else
265 {
266 Data revocationCert;
267 // revocationCert.setContent(void*, 0); // empty content
268 revocationCert.setName(certName);
269
270 KeyChain keyChain;
Yingdi Yube4150e2014-02-18 13:02:46 -0800271
Yingdi Yue6bfab22014-02-06 16:01:19 -0800272 Name signingCertificateName = keyChain.getDefaultCertificateNameForIdentity(Name(signId));
273
274 keyChain.sign (revocationCert, signingCertificateName);
275 wire = revocationCert.wireEncode();
276 }
277
278 CryptoPP::StringSource ss(reinterpret_cast<const unsigned char *>(wire.wire()), wire.size(),
279 true,
280 new CryptoPP::Base64Encoder(new CryptoPP::FileSink(std::cout), true, 64));
281
282 return 0;
283}