blob: c5266549bb81dc80842e9660a50aba587a431e40 [file] [log] [blame]
Alexander Afanasyev82c359c2017-01-04 14:48:07 -08001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
Alexander Afanasyev464da532017-09-02 12:16:32 -04002/*
Davide Pesavento25d4f1c2020-04-29 23:31:04 -04003 * Copyright (c) 2013-2020 Regents of the University of California.
Alexander Afanasyev82c359c2017-01-04 14:48:07 -08004 *
5 * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
6 *
7 * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8 * terms of the GNU Lesser General Public License as published by the Free Software
9 * Foundation, either version 3 of the License, or (at your option) any later version.
10 *
11 * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13 * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14 *
15 * You should have received copies of the GNU General Public License and GNU Lesser
16 * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17 * <http://www.gnu.org/licenses/>.
18 *
19 * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
20 */
21
22#include "ndnsec.hpp"
23#include "util.hpp"
24
Davide Pesaventob310efb2019-04-11 22:10:24 -040025#include "ndn-cxx/security/transform/base64-encode.hpp"
26#include "ndn-cxx/security/transform/buffer-source.hpp"
27#include "ndn-cxx/security/transform/public-key.hpp"
28#include "ndn-cxx/security/transform/stream-sink.hpp"
Davide Pesavento25d4f1c2020-04-29 23:31:04 -040029#include "ndn-cxx/security/v2/additional-description.hpp"
Davide Pesavento5afbb0b2018-01-01 17:24:18 -050030
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080031namespace ndn {
32namespace ndnsec {
33
34int
35ndnsec_cert_gen(int argc, char** argv)
36{
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080037 namespace po = boost::program_options;
38
Davide Pesaventob310efb2019-04-11 22:10:24 -040039 std::string requestFile;
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080040 std::string notBeforeStr;
41 std::string notAfterStr;
Alexander Afanasyev35109a12017-01-04 15:39:06 -080042 std::vector<std::string> infos;
Davide Pesaventob310efb2019-04-11 22:10:24 -040043 Name signId;
Alexander Afanasyev35109a12017-01-04 15:39:06 -080044 std::string issuerId;
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080045
46 po::options_description description(
Davide Pesaventob310efb2019-04-11 22:10:24 -040047 "Usage: ndnsec cert-gen [-h] [-S TIMESTAMP] [-E TIMESTAMP] [-I INFO]...\n"
48 " [-s IDENTITY] [-i ISSUER] [-r] FILE\n"
49 "\n"
50 "Options");
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080051 description.add_options()
52 ("help,h", "produce help message")
Davide Pesaventob310efb2019-04-11 22:10:24 -040053 ("request,r", po::value<std::string>(&requestFile)->default_value("-"),
54 "request file name, '-' for stdin (the default)")
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080055 ("not-before,S", po::value<std::string>(&notBeforeStr),
Davide Pesaventob310efb2019-04-11 22:10:24 -040056 "certificate validity start date/time in YYYYMMDDhhmmss format (default: now)")
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080057 ("not-after,E", po::value<std::string>(&notAfterStr),
Davide Pesaventob310efb2019-04-11 22:10:24 -040058 "certificate validity end date/time in YYYYMMDDhhmmss format (default: "
59 "365 days after the --not-before timestamp)")
Alexander Afanasyev35109a12017-01-04 15:39:06 -080060 ("info,I", po::value<std::vector<std::string>>(&infos),
61 "key and value (must be separated by a single space) of the additional "
Davide Pesaventob310efb2019-04-11 22:10:24 -040062 "description to be included in the issued certificate (e.g., "
63 "\"affiliation University of California, Los Angeles\"); "
64 "this option may be repeated multiple times")
65 ("sign-id,s", po::value<Name>(&signId), "signing identity")
Alexander Afanasyev35109a12017-01-04 15:39:06 -080066 ("issuer-id,i", po::value<std::string>(&issuerId)->default_value("NA"),
Davide Pesaventob310efb2019-04-11 22:10:24 -040067 "issuer's ID to be included in the issued certificate name")
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080068 ;
69
70 po::positional_options_description p;
71 p.add("request", 1);
72
73 po::variables_map vm;
74 try {
75 po::store(po::command_line_parser(argc, argv).options(description).positional(p).run(), vm);
76 po::notify(vm);
77 }
78 catch (const std::exception& e) {
Davide Pesaventob310efb2019-04-11 22:10:24 -040079 std::cerr << "ERROR: " << e.what() << "\n\n"
80 << description << std::endl;
81 return 2;
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080082 }
83
Davide Pesaventob310efb2019-04-11 22:10:24 -040084 if (vm.count("help") > 0) {
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080085 std::cout << description << std::endl;
86 return 0;
87 }
88
Alexander Afanasyev35109a12017-01-04 15:39:06 -080089 security::v2::AdditionalDescription additionalDescription;
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080090
Alexander Afanasyev35109a12017-01-04 15:39:06 -080091 for (const auto& info : infos) {
Davide Pesaventob310efb2019-04-11 22:10:24 -040092 auto pos = info.find(" ");
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080093 if (pos == std::string::npos) {
Alexander Afanasyev35109a12017-01-04 15:39:06 -080094 std::cerr << "ERROR: incorrectly formatted info block [" << info << "]" << std::endl;
Davide Pesaventob310efb2019-04-11 22:10:24 -040095 return 2;
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080096 }
Alexander Afanasyev35109a12017-01-04 15:39:06 -080097 std::string key = info.substr(0, pos);
98 std::string value = info.substr(pos + 1);
Alexander Afanasyev82c359c2017-01-04 14:48:07 -080099
Alexander Afanasyev35109a12017-01-04 15:39:06 -0800100 additionalDescription.set(key, value);
Alexander Afanasyev82c359c2017-01-04 14:48:07 -0800101 }
102
103 time::system_clock::TimePoint notBefore;
104 time::system_clock::TimePoint notAfter;
105
106 if (vm.count("not-before") == 0) {
107 notBefore = time::system_clock::now();
108 }
109 else {
110 notBefore = time::fromIsoString(notBeforeStr.substr(0, 8) + "T" + notBeforeStr.substr(8, 6));
111 }
112
113 if (vm.count("not-after") == 0) {
Davide Pesavento0f830802018-01-16 23:58:58 -0500114 notAfter = notBefore + 365_days;
Alexander Afanasyev82c359c2017-01-04 14:48:07 -0800115 }
116 else {
117 notAfter = time::fromIsoString(notAfterStr.substr(0, 8) + "T" + notAfterStr.substr(8, 6));
118
119 if (notAfter < notBefore) {
Davide Pesaventob310efb2019-04-11 22:10:24 -0400120 std::cerr << "ERROR: '--not-before' cannot be later than '--not-after'" << std::endl;
121 return 2;
Alexander Afanasyev82c359c2017-01-04 14:48:07 -0800122 }
123 }
124
Davide Pesaventob310efb2019-04-11 22:10:24 -0400125 security::v2::KeyChain keyChain;
126
127 security::v2::Certificate certRequest;
128 try {
129 certRequest = loadCertificate(requestFile);
130 }
131 catch (const CannotLoadCertificate&) {
132 std::cerr << "ERROR: Cannot load the request from `" << requestFile << "`" << std::endl;
Alexander Afanasyev82c359c2017-01-04 14:48:07 -0800133 return 1;
134 }
135
Alexander Afanasyev35109a12017-01-04 15:39:06 -0800136 // validate that the content is a public key
Davide Pesaventob310efb2019-04-11 22:10:24 -0400137 Buffer keyContent = certRequest.getPublicKey();
138 security::transform::PublicKey pubKey;
139 pubKey.loadPkcs8(keyContent.data(), keyContent.size());
Alexander Afanasyev82c359c2017-01-04 14:48:07 -0800140
Alexander Afanasyev35109a12017-01-04 15:39:06 -0800141 Name certName = certRequest.getKeyName();
142 certName
143 .append(issuerId)
144 .appendVersion();
Alexander Afanasyev82c359c2017-01-04 14:48:07 -0800145
Davide Pesaventob310efb2019-04-11 22:10:24 -0400146 security::v2::Certificate cert;
Alexander Afanasyev35109a12017-01-04 15:39:06 -0800147 cert.setName(certName);
148 cert.setContent(certRequest.getContent());
Davide Pesaventob310efb2019-04-11 22:10:24 -0400149 // TODO: add ability to customize
Davide Pesavento0f830802018-01-16 23:58:58 -0500150 cert.setFreshnessPeriod(1_h);
Alexander Afanasyev35109a12017-01-04 15:39:06 -0800151
152 SignatureInfo signatureInfo;
153 signatureInfo.setValidityPeriod(security::ValidityPeriod(notBefore, notAfter));
Alexander Afanasyev464da532017-09-02 12:16:32 -0400154 if (!additionalDescription.empty()) {
Eric Newberryf165bb42020-05-22 11:28:45 -0700155 signatureInfo.addCustomTlv(additionalDescription.wireEncode());
Alexander Afanasyev464da532017-09-02 12:16:32 -0400156 }
Alexander Afanasyev35109a12017-01-04 15:39:06 -0800157
158 security::Identity identity;
159 if (vm.count("sign-id") == 0) {
160 identity = keyChain.getPib().getDefaultIdentity();
161 }
162 else {
163 identity = keyChain.getPib().getIdentity(signId);
Alexander Afanasyev82c359c2017-01-04 14:48:07 -0800164 }
165
Alexander Afanasyev35109a12017-01-04 15:39:06 -0800166 keyChain.sign(cert, security::SigningInfo(identity).setSignatureInfo(signatureInfo));
Alexander Afanasyev82c359c2017-01-04 14:48:07 -0800167
Davide Pesaventob310efb2019-04-11 22:10:24 -0400168 const Block& wire = cert.wireEncode();
169 {
170 using namespace security::transform;
171 bufferSource(wire.wire(), wire.size()) >> base64Encode(true) >> streamSink(std::cout);
Alexander Afanasyev82c359c2017-01-04 14:48:07 -0800172 }
173
174 return 0;
175}
176
177} // namespace ndnsec
178} // namespace ndn