blob: 37c15132f5cf9526b2f63fe5d83599c55f7624f1 [file] [log] [blame]
Jeff Thompson25b4e612013-10-10 16:03:24 -07001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
Jeff Thompson47c93cf2013-08-09 00:38:48 -07002/**
Jeff Thompson7687dc02013-09-13 11:54:07 -07003 * Copyright (C) 2013 Regents of the University of California.
4 * @author: Jeff Thompson <jefft0@remap.ucla.edu>
Jeff Thompson47c93cf2013-08-09 00:38:48 -07005 * See COPYING for copyright and distribution information.
6 */
7
Jeff Thompson7a67cb62013-08-26 11:43:18 -07008#include "../c/util/crypto.h"
9#include "../c/encoding/binary-xml-data.h"
10#include "../encoding/binary-xml-encoder.hpp"
Jeff Thompson25b4e612013-10-10 16:03:24 -070011#include <ndn-cpp/sha256-with-rsa-signature.hpp>
Jeff Thompson9296f0c2013-09-23 18:10:27 -070012#include "../util/logging.hpp"
Jeff Thompson25b4e612013-10-10 16:03:24 -070013#include <ndn-cpp/security/security-exception.hpp>
14#include <ndn-cpp/security/policy/policy-manager.hpp>
15#include <ndn-cpp/security/key-chain.hpp>
Jeff Thompson47c93cf2013-08-09 00:38:48 -070016
17using namespace std;
Jeff Thompsond4144fe2013-09-18 15:59:57 -070018using namespace ndn::ptr_lib;
Jeff Thompson47c93cf2013-08-09 00:38:48 -070019
20namespace ndn {
21
Jeff Thompson2ce8f492013-09-17 18:01:25 -070022#if 1
Jeff Thompson10ad12a2013-09-24 16:19:11 -070023static uint8_t DEFAULT_PUBLIC_KEY_DER[] = {
Jeff Thompson47c93cf2013-08-09 00:38:48 -0700240x30, 0x81, 0x9F, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81,
250x8D, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xE1, 0x7D, 0x30, 0xA7, 0xD8, 0x28, 0xAB, 0x1B, 0x84, 0x0B, 0x17,
260x54, 0x2D, 0xCA, 0xF6, 0x20, 0x7A, 0xFD, 0x22, 0x1E, 0x08, 0x6B, 0x2A, 0x60, 0xD1, 0x6C, 0xB7, 0xF5, 0x44, 0x48, 0xBA,
270x9F, 0x3F, 0x08, 0xBC, 0xD0, 0x99, 0xDB, 0x21, 0xDD, 0x16, 0x2A, 0x77, 0x9E, 0x61, 0xAA, 0x89, 0xEE, 0xE5, 0x54, 0xD3,
280xA4, 0x7D, 0xE2, 0x30, 0xBC, 0x7A, 0xC5, 0x90, 0xD5, 0x24, 0x06, 0x7C, 0x38, 0x98, 0xBB, 0xA6, 0xF5, 0xDC, 0x43, 0x60,
290xB8, 0x45, 0xED, 0xA4, 0x8C, 0xBD, 0x9C, 0xF1, 0x26, 0xA7, 0x23, 0x44, 0x5F, 0x0E, 0x19, 0x52, 0xD7, 0x32, 0x5A, 0x75,
300xFA, 0xF5, 0x56, 0x14, 0x4F, 0x9A, 0x98, 0xAF, 0x71, 0x86, 0xB0, 0x27, 0x86, 0x85, 0xB8, 0xE2, 0xC0, 0x8B, 0xEA, 0x87,
310x17, 0x1B, 0x4D, 0xEE, 0x58, 0x5C, 0x18, 0x28, 0x29, 0x5B, 0x53, 0x95, 0xEB, 0x4A, 0x17, 0x77, 0x9F, 0x02, 0x03, 0x01,
320x00, 01
33};
Jeff Thompson2ce8f492013-09-17 18:01:25 -070034#endif
Jeff Thompson47c93cf2013-08-09 00:38:48 -070035
Jeff Thompson29ce3102013-09-27 11:47:48 -070036KeyChain::KeyChain(const shared_ptr<IdentityManager>& identityManager, const shared_ptr<PolicyManager>& policyManager)
37: identityManager_(identityManager), policyManager_(policyManager), face_(0), maxSteps_(100)
Jeff Thompson9296f0c2013-09-23 18:10:27 -070038{
39}
40
Jeff Thompson2ce8f492013-09-17 18:01:25 -070041static bool
42verifySignature(const Data& data /*, const Publickey& publickey */)
Jeff Thompson47c93cf2013-08-09 00:38:48 -070043{
Jeff Thompson2ce8f492013-09-17 18:01:25 -070044#if 0
45 using namespace CryptoPP;
Jeff Thompson47c93cf2013-08-09 00:38:48 -070046
Jeff Thompson2ce8f492013-09-17 18:01:25 -070047 Blob unsignedData(data.getSignedBlob()->signed_buf(), data.getSignedBlob()->signed_size());
48 bool result = false;
49
50 // Temporarily hardwire. It should be assigned by Signature.getAlgorithm().
51 DigestAlgorithm digestAlg = DIGEST_SHA256;
52 // Temporarily hardwire. It should be assigned by Publickey.getKeyType().
53 KeyType keyType = KEY_TYPE_RSA;
54 if (keyType == KEY_TYPE_RSA) {
55 RSA::PublicKey pubKey;
56 ByteQueue queue;
Jeff Thompson3df81372013-08-09 12:02:37 -070057
Jeff Thompson2ce8f492013-09-17 18:01:25 -070058 queue.Put((const byte*)publickey.getKeyBlob ().buf (), publickey.getKeyBlob ().size ());
59 pubKey.Load(queue);
Jeff Thompson47c93cf2013-08-09 00:38:48 -070060
Jeff Thompson2ce8f492013-09-17 18:01:25 -070061 if (DIGEST_SHA256 == digestAlg) {
62 Ptr<const signature::Sha256WithRsa> sigPtr = boost::dynamic_pointer_cast<const signature::Sha256WithRsa> (data.getSignature());
63 const Blob & sigBits = sigPtr->getSignatureBits();
Jeff Thompson3c73da42013-08-12 11:19:05 -070064
Jeff Thompson2ce8f492013-09-17 18:01:25 -070065 RSASS<PKCS1v15, SHA256>::Verifier verifier (pubKey);
66 result = verifier.VerifyMessage((const byte*) unsignedData.buf(), unsignedData.size(), (const byte*)sigBits.buf(), sigBits.size());
67 _LOG_DEBUG("Signature verified? " << data.getName() << " " << boolalpha << result);
68 }
69 }
70
71 return result;
72#else
73 const Sha256WithRsaSignature *signature = dynamic_cast<const Sha256WithRsaSignature*>(data.getSignature());
Jeff Thompson20af0732013-09-12 17:01:45 -070074 if (!signature)
Jeff Thompson9296f0c2013-09-23 18:10:27 -070075 throw SecurityException("signature is not Sha256WithRsaSignature.");
Jeff Thompson20af0732013-09-12 17:01:45 -070076
77 if (signature->getDigestAlgorithm().size() != 0)
Jeff Thompson1e90d8c2013-08-12 16:09:25 -070078 // TODO: Allow a non-default digest algorithm.
Jeff Thompson9296f0c2013-09-23 18:10:27 -070079 throw UnrecognizedDigestAlgorithmException("Cannot verify a data packet with a non-default digest algorithm.");
Jeff Thompsonf1ffba82013-10-19 17:57:12 -070080 if (!data.getDefaultWireEncoding())
81 data.wireEncode();
82 uint8_t signedPortionDigest[SHA256_DIGEST_LENGTH];
83 ndn_digestSha256(data.getDefaultWireEncoding().signedBuf(), data.getDefaultWireEncoding().signedSize(), signedPortionDigest);
Jeff Thompson1e90d8c2013-08-12 16:09:25 -070084
Jeff Thompson9c661702013-09-13 14:35:44 -070085 // Verify the signedPortionDigest.
Jeff Thompson192e86b2013-08-13 11:34:24 -070086 // Use a temporary pointer since d2i updates it.
Jeff Thompson10ad12a2013-09-24 16:19:11 -070087 const uint8_t *derPointer = DEFAULT_PUBLIC_KEY_DER;
Jeff Thompson2ce8f492013-09-17 18:01:25 -070088 RSA *publicKey = d2i_RSA_PUBKEY(NULL, &derPointer, sizeof(DEFAULT_PUBLIC_KEY_DER));
Jeff Thompson1e90d8c2013-08-12 16:09:25 -070089 if (!publicKey)
Jeff Thompson9296f0c2013-09-23 18:10:27 -070090 throw UnrecognizedKeyFormatException("Error decoding public key in d2i_RSAPublicKey");
Jeff Thompson1e90d8c2013-08-12 16:09:25 -070091 int success = RSA_verify
Jeff Thompson10ad12a2013-09-24 16:19:11 -070092 (NID_sha256, signedPortionDigest, sizeof(signedPortionDigest), (uint8_t *)signature->getSignature().buf(),
Jeff Thompson20af0732013-09-12 17:01:45 -070093 signature->getSignature().size(), publicKey);
Jeff Thompson1e90d8c2013-08-12 16:09:25 -070094 // Free the public key before checking for success.
95 RSA_free(publicKey);
96
97 return (success == 1);
Jeff Thompson2ce8f492013-09-17 18:01:25 -070098#endif
99}
100
101void
Jeff Thompson29ce3102013-09-27 11:47:48 -0700102KeyChain::sign(Data& data, const Name& certificateName, WireFormat& wireFormat)
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700103{
Jeff Thompson29ce3102013-09-27 11:47:48 -0700104 identityManager_->signByCertificate(data, certificateName, wireFormat);
105}
106
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700107shared_ptr<Signature>
108KeyChain::sign(const uint8_t* buffer, size_t bufferLength, const Name& certificateName)
109{
110 return identityManager_->signByCertificate(buffer, bufferLength, certificateName);
111}
112
Jeff Thompson29ce3102013-09-27 11:47:48 -0700113void
114KeyChain::signByIdentity(Data& data, const Name& identityName, WireFormat& wireFormat)
115{
116 Name signingCertificateName;
Jeff Thompson9296f0c2013-09-23 18:10:27 -0700117
Jeff Thompson29ce3102013-09-27 11:47:48 -0700118 if (identityName.getComponentCount() == 0) {
119 Name inferredIdentity = policyManager_->inferSigningIdentity(data.getName());
120 if (inferredIdentity.getComponentCount() == 0)
121 signingCertificateName = identityManager_->getDefaultCertificateName();
122 else
123 signingCertificateName = identityManager_->getDefaultCertificateNameForIdentity(inferredIdentity);
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700124 }
Jeff Thompson9296f0c2013-09-23 18:10:27 -0700125 else
Jeff Thompson29ce3102013-09-27 11:47:48 -0700126 signingCertificateName = identityManager_->getDefaultCertificateNameForIdentity(identityName);
127
128 if (signingCertificateName.getComponentCount() == 0)
129 throw SecurityException("No qualified certificate name found!");
130
131 if (!policyManager_->checkSigningPolicy(data.getName(), signingCertificateName))
Jeff Thompson9296f0c2013-09-23 18:10:27 -0700132 throw SecurityException("Signing Cert name does not comply with signing policy");
Jeff Thompson29ce3102013-09-27 11:47:48 -0700133
Jeff Thompson56e62652013-10-31 16:13:25 -0700134 identityManager_->signByCertificate(data, signingCertificateName, wireFormat);
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700135}
136
Jeff Thompsone9ffe792013-10-22 10:58:48 -0700137shared_ptr<Signature>
138KeyChain::signByIdentity(const uint8_t* buffer, size_t bufferLength, const Name& identityName)
139{
140 Name signingCertificateName = identityManager_->getDefaultCertificateNameForIdentity(identityName);
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700141
Jeff Thompsone9ffe792013-10-22 10:58:48 -0700142 if (signingCertificateName.size() == 0)
143 throw SecurityException("No qualified certificate name found!");
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700144
Jeff Thompsone9ffe792013-10-22 10:58:48 -0700145 return identityManager_->signByCertificate(buffer, bufferLength, signingCertificateName);
146}
Jeff Thompsonc01e1782013-10-21 14:08:42 -0700147
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700148void
Jeff Thompson7c5d2312013-09-25 16:07:15 -0700149KeyChain::verifyData
150 (const shared_ptr<Data>& data, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed, int stepCount)
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700151{
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700152 _LOG_TRACE("Enter Verify");
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700153
154#if 0
155 if (m_policyManager->requireVerify(*dataPtr))
Jeff Thompson7ff36fe2013-10-16 15:30:13 -0700156 stepVerify(dataPtr, true, maxStep_, onVerified, onVerifyFailed);
Jeff Thompson2ce8f492013-09-17 18:01:25 -0700157 else if(m_policyManager->skipVerify(*dataPtr))
158#else
159 if (verifySignature(*data))
160#endif
161 onVerified(data);
162 else
Jeff Thompson29ce3102013-09-27 11:47:48 -0700163 onVerifyFailed(data);
Jeff Thompson1e90d8c2013-08-12 16:09:25 -0700164}
165
Jeff Thompson47c93cf2013-08-09 00:38:48 -0700166}