Gitiles
Code Review Sign In
gerrit.named-data.net / ndn-cxx / refs/tags/ndn-cxx-0.1.0 / . / tools / ndnsec-cert-gen.hpp
blob: 6a1a8646f79fac92d34bcd811e5150556d19ceba [file] [log] [blame]
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]1/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
Alexander Afanasyevdfa52c42014-04-24 21:10:11 -0700[diff] [blame]2/**
3 * Copyright (c) 2013-2014, Regents of the University of California.
4 * All rights reserved.
5 *
6 * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
7 * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
8 *
9 * This file licensed under New BSD License. See COPYING for detailed information about
10 * ndn-cxx library copyright, permissions, and redistribution restrictions.
11 *
12 * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]13 */
14
Yingdi Yu8d7468f2014-02-21 14:49:45 -0800[diff] [blame]15#ifndef NDNSEC_CERT_GEN_HPP
16#define NDNSEC_CERT_GEN_HPP
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]17
Yingdi Yu8d7468f2014-02-21 14:49:45 -0800[diff] [blame]18#include "ndnsec-util.hpp"
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]19
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]20int
Yingdi Yu8d7468f2014-02-21 14:49:45 -0800[diff] [blame]21ndnsec_cert_gen(int argc, char** argv)
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]22{
Yingdi Yu8d7468f2014-02-21 14:49:45 -0800[diff] [blame]23 using boost::tokenizer;
24 using boost::escaped_list_separator;
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]25
Yingdi Yu8d7468f2014-02-21 14:49:45 -0800[diff] [blame]26 using namespace ndn;
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]27 using namespace ndn::time;
Yingdi Yu8d7468f2014-02-21 14:49:45 -0800[diff] [blame]28 namespace po = boost::program_options;
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]29
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]30 std::string notBeforeStr;
31 std::string notAfterStr;
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]32 std::string subjectName;
33 std::string requestFile("-");
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]34 std::string signId;
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]35 std::string subjectInfo;
Yingdi Yu05842f22014-04-15 19:21:56 -0700[diff] [blame]36 bool hasSignId = false;
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]37 bool isNack = false;
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]38
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]39 po::options_description description("General Usage\n ndnsec cert-gen [-h] [-S date] [-E date] [-N subject-name] [-I subject-info] [-s sign-id] request\nGeneral options");
40 description.add_options()
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]41 ("help,h", "produce help message")
42 ("not-before,S", po::value<std::string>(&notBeforeStr), "certificate starting date, YYYYMMDDhhmmss")
43 ("not-after,E", po::value<std::string>(&notAfterStr), "certificate ending date, YYYYMMDDhhmmss")
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]44 ("subject-name,N", po::value<std::string>(&subjectName), "subject name")
45 ("subject-info,I", po::value<std::string>(&subjectInfo), "subject info, pairs of OID and string description: \"2.5.4.10 'University of California, Los Angeles'\"")
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]46 ("nack", "Generate revocation certificate (NACK)")
Yingdi Yu05842f22014-04-15 19:21:56 -0700[diff] [blame]47 ("sign-id,s", po::value<std::string>(&signId), "signing Identity, system default identity if not specified")
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]48 ("request,r", po::value<std::string>(&requestFile), "request file name, - for stdin")
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]49 ;
50
51 po::positional_options_description p;
52 p.add("request", 1);
53
54 po::variables_map vm;
55 try
56 {
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]57 po::store(po::command_line_parser(argc, argv).options(description).positional(p).run(),
58 vm);
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]59 po::notify(vm);
60 }
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]61 catch (const std::exception& e)
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]62 {
63 std::cerr << "ERROR: " << e.what() << std::endl;
64 return 1;
65 }
66
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]67 if (vm.count("help") != 0)
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]68 {
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]69 std::cerr << description << std::endl;
Yingdi Yu8d7468f2014-02-21 14:49:45 -0800[diff] [blame]70 return 0;
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]71 }
72
Yingdi Yu05842f22014-04-15 19:21:56 -0700[diff] [blame]73 if (vm.count("sign-id") != 0)
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]74 {
Yingdi Yu05842f22014-04-15 19:21:56 -0700[diff] [blame]75 hasSignId = true;
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]76 }
77
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]78 if (vm.count("nack") != 0)
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]79 {
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]80 isNack = true;
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]81 }
82
83 std::vector<CertificateSubjectDescription> otherSubDescrypt;
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]84 tokenizer<escaped_list_separator<char> > subjectInfoItems
85 (subjectInfo, escaped_list_separator<char> ("\\", " \t", "'\""));
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]86
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]87 tokenizer<escaped_list_separator<char> >::iterator it =
88 subjectInfoItems.begin();
89
90 while (it != subjectInfoItems.end())
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]91 {
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]92 std::string oid = *it;
93
94 it++;
95 if (it == subjectInfoItems.end())
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]96 {
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]97 std::cerr << "ERROR: unmatched info for oid [" << oid << "]" << std::endl;
98 return 1;
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]99 }
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]100
101 std::string value = *it;
102
103 otherSubDescrypt.push_back(CertificateSubjectDescription(oid, value));
104
105 it++;
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]106 }
107
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]108 system_clock::TimePoint notBefore;
109 system_clock::TimePoint notAfter;
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]110
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]111 if (vm.count("not-before") == 0)
112 {
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]113 notBefore = system_clock::now();
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]114 }
115 else
116 {
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]117 notBefore = fromIsoString(notBeforeStr.substr(0, 8) + "T" +
118 notBeforeStr.substr(8, 6));
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]119 }
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]120
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]121 if (vm.count("not-after") == 0)
122 {
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]123 notAfter = notBefore + days(365);
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]124 }
125 else
126 {
Alexander Afanasyevb1db7c62014-04-03 14:57:25 -0700[diff] [blame]127 notAfter = fromIsoString(notAfterStr.substr(0, 8) + "T" +
128 notAfterStr.substr(8, 6));
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]129
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]130 if (notAfter < notBefore)
131 {
132 std::cerr << "not-before is later than not-after" << std::endl;
133 return 1;
134 }
135 }
136
137 if (vm.count("request") == 0)
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]138 {
139 std::cerr << "request file must be specified" << std::endl;
140 return 1;
141 }
142
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]143 shared_ptr<IdentityCertificate> selfSignedCertificate
144 = getIdentityCertificate(requestFile);
145
146 if (!static_cast<bool>(selfSignedCertificate))
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]147 {
148 std::cerr << "ERROR: input error" << std::endl;
149 return 1;
150 }
151
Yingdi Yu05842f22014-04-15 19:21:56 -0700[diff] [blame]152 KeyChain keyChain;
153
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]154 Name keyName = selfSignedCertificate->getPublicKeyName();
155 Name signIdName;
156 Name certName;
157
Yingdi Yu05842f22014-04-15 19:21:56 -0700[diff] [blame]158 if (!hasSignId)
159 signIdName = keyChain.getDefaultIdentity();
160 else
161 signIdName = Name(signId);
162
163
164 if (signIdName.isPrefixOf(keyName))
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]165 {
Yingdi Yu05842f22014-04-15 19:21:56 -0700[diff] [blame]166 // if signee's namespace is a sub-namespace of signer, for example, signer's namespace is
167 // /ndn/test, signee's namespace is /ndn/test/alice, the generated certificate name is
168 // /ndn/test/KEY/alice/ksk-1234/ID-CERT/%01%02
169 certName.append(signIdName)
170 .append("KEY")
171 .append(keyName.getSubName(signIdName.size()))
172 .append("ID-CERT")
173 .appendVersion();
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]174 }
175 else
176 {
Yingdi Yu05842f22014-04-15 19:21:56 -0700[diff] [blame]177 // if signee's namespace is not a sub-namespace of signer, for example, signer's namespace is
178 // /ndn/test, signee's namespace is /ndn/ucla/bob, the generated certificate name is
179 // /ndn/ucla/bob/KEY/ksk-1234/ID-CERT/%01%02
180 certName.append(keyName.getPrefix(-1))
181 .append("KEY")
182 .append(keyName.get(-1))
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]183 .append("ID-CERT")
Yingdi Yu05842f22014-04-15 19:21:56 -0700[diff] [blame]184 .appendVersion();
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]185 }
186
187 Block wire;
188
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]189 if (!isNack)
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]190 {
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]191 if (vm.count("subject-name") == 0)
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]192 {
193 std::cerr << "subject_name must be specified" << std::endl;
194 return 1;
195 }
196
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]197 CertificateSubjectDescription subDescryptName("2.5.4.41", subjectName);
198 IdentityCertificate certificate;
199 certificate.setName(certName);
200 certificate.setNotBefore(notBefore);
201 certificate.setNotAfter(notAfter);
202 certificate.setPublicKeyInfo(selfSignedCertificate->getPublicKeyInfo());
203 certificate.addSubjectDescription(subDescryptName);
204 for (size_t i = 0; i < otherSubDescrypt.size(); i++)
205 certificate.addSubjectDescription(otherSubDescrypt[i]);
206 certificate.encode();
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]207
Yingdi Yu05842f22014-04-15 19:21:56 -0700[diff] [blame]208 keyChain.createIdentity(signIdName);
209 Name signingCertificateName = keyChain.getDefaultCertificateNameForIdentity(signIdName);
210 keyChain.sign(certificate, signingCertificateName);
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]211
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]212 wire = certificate.wireEncode();
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]213 }
214 else
215 {
216 Data revocationCert;
217 // revocationCert.setContent(void*, 0); // empty content
218 revocationCert.setName(certName);
219
Yingdi Yu05842f22014-04-15 19:21:56 -0700[diff] [blame]220 keyChain.createIdentity(signIdName);
221 Name signingCertificateName = keyChain.getDefaultCertificateNameForIdentity(signIdName);
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]222 keyChain.sign(revocationCert, signingCertificateName);
Yingdi Yu05842f22014-04-15 19:21:56 -0700[diff] [blame]223
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]224 wire = revocationCert.wireEncode();
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]225 }
226
Yingdi Yu8d7468f2014-02-21 14:49:45 -0800[diff] [blame]227 try
228 {
229 using namespace CryptoPP;
230 StringSource ss(wire.wire(), wire.size(), true,
231 new Base64Encoder(new FileSink(std::cout), true, 64));
232 }
Yingdi Yub61f5402014-02-26 17:46:11 -0800[diff] [blame]233 catch (const CryptoPP::Exception& e)
Yingdi Yu8d7468f2014-02-21 14:49:45 -0800[diff] [blame]234 {
235 std::cerr << "ERROR: " << e.what() << std::endl;
236 return 1;
237 }
Yingdi Yue6bfab22014-02-06 16:01:19 -0800[diff] [blame]238
239 return 0;
240}
Yingdi Yu8d7468f2014-02-21 14:49:45 -0800[diff] [blame]241
242#endif //NDNSEC_CERT_GEN_HPP