security: In KeyChain constructor, added PolicyManager. Use in sign().
diff --git a/ndn-cpp/security/key-chain.cpp b/ndn-cpp/security/key-chain.cpp
index a39c4be..5bcc4c1 100644
--- a/ndn-cpp/security/key-chain.cpp
+++ b/ndn-cpp/security/key-chain.cpp
@@ -9,6 +9,7 @@
#include "../encoding/binary-xml-encoder.hpp"
#include "../sha256-with-rsa-signature.hpp"
#include "../util/logging.hpp"
+#include "policy/policy-manager.hpp"
#include "security-exception.hpp"
#include "key-chain.hpp"
@@ -31,8 +32,8 @@
};
#endif
-KeyChain::KeyChain(const shared_ptr<IdentityManager>& identityManager)
-: identityManager_(identityManager), face_(0), maxSteps_(100)
+KeyChain::KeyChain(const shared_ptr<IdentityManager>& identityManager, const shared_ptr<PolicyManager>& policyManager)
+: identityManager_(identityManager), policyManager_(policyManager), face_(0), maxSteps_(100)
{
}
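Review bot: Nothing in the new constructor rejects a null policyManager, yet signByIdentity dereferences policyManager_ unconditionally, so a KeyChain built with an empty shared_ptr only fails later, at signing time, with a null-pointer dereference instead of a clear error. The same was already true of identityManager, but the new parameter widens the exposure. Consider either `if (!policyManager) throw SecurityException("KeyChain requires a PolicyManager");` in the constructor body, or stating in the header that both pointers must be non-null.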
@@ -98,31 +99,33 @@
}
void
-KeyChain::signData(Data& data, const Name& certificateNameIn, WireFormat& wireFormat)
+KeyChain::sign(Data& data, const Name& certificateName, WireFormat& wireFormat)
{
- Name inferredCertificateName;
- const Name* certificateName;
+ identityManager_->signByCertificate(data, certificateName, wireFormat);
+}
+
+void
+KeyChain::signByIdentity(Data& data, const Name& identityName, WireFormat& wireFormat)
+{
+ Name signingCertificateName;
- if (certificateNameIn.getComponentCount() == 0) {
-#if 0
- inferredCertificateName = identityManager_->getDefaultCertificateNameForIdentity(policyManager_->inferSigningIdentity(data.getName ()));
-#else
- inferredCertificateName = Name();
-#endif
- if (inferredCertificateName.getComponentCount() == 0)
- throw SecurityException("No qualified certificate name can be inferred");
-
- certificateName = &inferredCertificateName;
+ if (identityName.getComponentCount() == 0) {
+ Name inferredIdentity = policyManager_->inferSigningIdentity(data.getName());
+ if (inferredIdentity.getComponentCount() == 0)
+ signingCertificateName = identityManager_->getDefaultCertificateName();
+ else
+ signingCertificateName = identityManager_->getDefaultCertificateNameForIdentity(inferredIdentity);
}
else
- certificateName = &certificateNameIn;
-
-#if 0
- if (!policyManager_->checkSigningPolicy (data.getName (), certificateName))
+ signingCertificateName = identityManager_->getDefaultCertificateNameForIdentity(identityName);
+
+ if (signingCertificateName.getComponentCount() == 0)
+ throw SecurityException("No qualified certificate name found!");
+
+ if (!policyManager_->checkSigningPolicy(data.getName(), signingCertificateName))
throw SecurityException("Signing Cert name does not comply with signing policy");
-#endif
-
- identityManager_->signByCertificate(data, *certificateName, wireFormat);
+
+ identityManager_->signByCertificate(data, signingCertificateName);
}
void
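Review bot: The final call in signByIdentity drops the wireFormat argument, `identityManager_->signByCertificate(data, signingCertificateName);`, while sign() passes it through a few lines above, so the wireFormat parameter that signByIdentity accepts (and the header documents) has no effect; it should read `identityManager_->signByCertificate(data, signingCertificateName, wireFormat);`. Separately, sign() no longer consults policyManager_ at all: a caller that supplies an explicit certificate name skips checkSigningPolicy entirely, which now runs only on the signByIdentity path, even though the commit title says the policy manager is used in sign(). If that is intended, the header comment for sign() should say so; otherwise the same `if (!policyManager_->checkSigningPolicy(data.getName(), certificateName)) throw SecurityException("Signing Cert name does not comply with signing policy");` belongs in sign() as well.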
@@ -140,7 +143,7 @@
#endif
onVerified(data);
else
- onVerifyFailed();
+ onVerifyFailed(data);
}
}
diff --git a/ndn-cpp/security/key-chain.hpp b/ndn-cpp/security/key-chain.hpp
index 3340908..ff54aa9 100644
--- a/ndn-cpp/security/key-chain.hpp
+++ b/ndn-cpp/security/key-chain.hpp
@@ -13,6 +13,8 @@
namespace ndn {
+class PolicyManager;
+
/**
* An OnVerified function object is used to pass a callback to verifyData to report a successful verification.
*/
@@ -21,7 +23,7 @@
/**
* An OnVerifyFailed function object is used to pass a callback to verifyData to report a failed verification.
*/
-typedef func_lib::function<void()> OnVerifyFailed;
+typedef func_lib::function<void(const ptr_lib::shared_ptr<Data>& data)> OnVerifyFailed;
/**
* Keychain is main class of security library.
@@ -31,33 +33,8 @@
*/
class KeyChain {
public:
- KeyChain(const ptr_lib::shared_ptr<IdentityManager>& identityManager);
-
- /**
- * Get the default certificate name for the specified identity, which will be used when signing is performed based on identity.
- * @param identityName The name of the specified identity.
- * @return The requested certificate name.
- */
- Name
- getDefaultCertificateNameForIdentity(const Name& identityName)
- {
- return identityManager_->getDefaultCertificateNameForIdentity(identityName);
- }
-
- /**
- * Examine the data packet Name and infer the identity name for signing the content.
- * @param name The data packet name to examine.
- * @return A new identity name for signing a data packet.
- */
- Name
- inferSigningIdentity(const Name& name)
- {
-#if 0
- policyManager_->inferSigningIdentity(name)
-#else
- return Name();
-#endif
- }
+ KeyChain
+ (const ptr_lib::shared_ptr<IdentityManager>& identityManager, const ptr_lib::shared_ptr<PolicyManager>& policyManager);
/**
* Wire encode the Data object, sign it and set its signature.
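Review bot: The new two-argument constructor is the only public member in this class without a Doxygen comment, and the header gives no hint what the PolicyManager is used for or whether it may be null. A block such as `/** Create a new KeyChain. @param identityManager The IdentityManager used to look up certificate names and sign data. @param policyManager The PolicyManager used by signByIdentity to infer the signing identity and check the signing policy. */` above the declaration would do. This hunk also removes the public getDefaultCertificateNameForIdentity and inferSigningIdentity methods, so any external caller of those has to move to signByIdentity; that API break is worth a sentence in the commit description.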
@@ -68,14 +45,26 @@
* @param wireFormat A WireFormat object used to encode the input. If omitted, use WireFormat getDefaultWireFormat().
*/
void
- signData(Data& data, const Name& certificateName = Name(), WireFormat& wireFormat = *WireFormat::getDefaultWireFormat());
+ sign(Data& data, const Name& certificateName, WireFormat& wireFormat = *WireFormat::getDefaultWireFormat());
+
+ /**
+ * Wire encode the Data object, sign it and set its signature.
+ * Note: the caller must make sure the timestamp is correct, for example with
+ * data.getMetaInfo().setTimestampMilliseconds(time(NULL) * 1000.0).
+ * @param data The Data object to be signed. This updates its signature and key locator field and wireEncoding.
+ * @param identityName The identity name for the key to use for signing. If omitted, infer the signing identity from the data packet name.
+ * @param wireFormat A WireFormat object used to encode the input. If omitted, use WireFormat getDefaultWireFormat().
+ */
+ void
+ signByIdentity(Data& data, const Name& identityName = Name(), WireFormat& wireFormat = *WireFormat::getDefaultWireFormat());
/**
* Check the signature on the Data object and call either onVerify or onVerifyFailed.
* We use callback functions because verify may fetch information to check the signature.
- * @param data
- * @param onVerified
- * @param onVerifyFailed
+ * @param data The Data object with the signature to check. It is an error if data does not have a wireEncoding.
+ * To set the wireEncoding, you can call data.wireDecode.
+ * @param onVerified If the signature is verified, this calls onVerified(data).
+ * @param onVerifyFailed If the signature check fails, this calls onVerifyFailed(data).
*/
void
verifyData
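Review bot: The signByIdentity comment does not say that the implementation throws SecurityException, both when no certificate name can be determined and when the certificate fails the signing policy, which is the contract a caller most needs from a signing API; add `@throws SecurityException if no certificate name can be found for the identity, or if it does not comply with the signing policy.` The comment block for sign() begins before this hunk, so its @param certificateName text is not visible here; since the hunk removes the `= Name()` default from sign, any remaining "if omitted" wording for that parameter should be dropped. Also, both methods open with the identical sentence "Wire encode the Data object, sign it and set its signature"; a short addition noting that sign() uses the given certificate name as-is while signByIdentity selects one through the policy manager would tell readers which to call.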
@@ -90,6 +79,7 @@
private:
ptr_lib::shared_ptr<IdentityManager> identityManager_;
+ ptr_lib::shared_ptr<PolicyManager> policyManager_;
Face* face_;
const int maxSteps_;
};