blob: 5f9854ed7725e1f01df55ffdc4507b9a96ba9d30 [file] [log] [blame]
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
/**
* Copyright (C) 2013 Regents of the University of California.
* @author: Yingdi Yu <yingdi@cs.ucla.edu>
* @author: Jeff Thompson <jefft0@remap.ucla.edu>
* See COPYING for copyright and distribution information.
*/
#ifndef NDN_KEY_CHAIN_HPP
#define NDN_KEY_CHAIN_HPP
#include "certificate/identity-certificate.hpp"
#include "certificate/public-key.hpp"
#include "identity/identity-storage.hpp"
#include "identity/private-key-storage.hpp"
namespace ndn {
/**
* KeyChain is one of the main classes of the security library.
*
* The KeyChain class provides a set of interfaces of identity management and private key related operations.
*/
class KeyChain {
public:
struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
KeyChain(const ptr_lib::shared_ptr<IdentityStorage> &identityStorage = DefaultIdentityStorage,
const ptr_lib::shared_ptr<PrivateKeyStorage> &privateKeyStorage = DefaultPrivateKeyStorage);
inline IdentityStorage&
info();
inline const IdentityStorage&
info() const;
inline PrivateKeyStorage&
tpm();
inline const PrivateKeyStorage&
tpm() const;
/**
* Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed certificate of the KSK.
* @param identityName The name of the identity.
* @return The key name of the auto-generated KSK of the identity.
*/
Name
createIdentity(const Name& identityName);
/**
* Generate a pair of RSA keys for the specified identity.
* @param identityName The name of the identity.
* @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
* @param keySize The size of the key.
* @return The generated key name.
*/
Name
generateRSAKeyPair(const Name& identityName, bool isKsk = false, int keySize = 2048);
/**
* Set a key as the default key of an identity.
* @param keyName The name of the key.
* @param identityName the name of the identity. If not specified, the identity name is inferred from the keyName.
*/
void
setDefaultKeyForIdentity(const Name& keyName, const Name& identityName = Name())
{
info().setDefaultKeyNameForIdentity(keyName, identityName);
defaultCertificate_.reset();
}
/**
* Generate a pair of RSA keys for the specified identity and set it as default key for the identity.
* @param identityName The name of the identity.
* @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
* @param keySize The size of the key.
* @return The generated key name.
*/
Name
generateRSAKeyPairAsDefault(const Name& identityName, bool isKsk = false, int keySize = 2048);
/**
* Create an identity certificate for a public key managed by this IdentityManager.
* @param certificatePrefix The name of public key to be signed.
* @param signerCertificateName The name of signing certificate.
* @param notBefore The notBefore value in the validity field of the generated certificate.
* @param notAfter The notAfter vallue in validity field of the generated certificate.
* @return The name of generated identity certificate.
*/
ptr_lib::shared_ptr<IdentityCertificate>
createIdentityCertificate
(const Name& certificatePrefix,
const Name& signerCertificateName,
const MillisecondsSince1970& notBefore,
const MillisecondsSince1970& notAfter);
/**
* Create an identity certificate for a public key supplied by the caller.
* @param certificatePrefix The name of public key to be signed.
* @param publickey The public key to be signed.
* @param signerCertificateName The name of signing certificate.
* @param notBefore The notBefore value in the validity field of the generated certificate.
* @param notAfter The notAfter vallue in validity field of the generated certificate.
* @return The generated identity certificate.
*/
ptr_lib::shared_ptr<IdentityCertificate>
createIdentityCertificate
(const Name& certificatePrefix,
const PublicKey& publickey,
const Name& signerCertificateName,
const MillisecondsSince1970& notBefore,
const MillisecondsSince1970& notAfter);
/**
* Set the certificate as the default for its corresponding key.
* @param certificateName The certificate.
*/
void
setDefaultCertificateForKey(const IdentityCertificate& certificate);
/**
* Add a certificate into the public key identity storage and set the certificate as the default for its corresponding identity.
* @param certificate The certificate to be added. This makes a copy of the certificate.
*/
void
addCertificateAsIdentityDefault(const IdentityCertificate& certificate);
/**
* Add a certificate into the public key identity storage and set the certificate as the default of its corresponding key.
* @param certificate The certificate to be added. This makes a copy of the certificate.
*/
void
addCertificateAsDefault(const IdentityCertificate& certificate);
/**
* Get the default certificate name of the default identity, which will be used when signing is based on identity and
* the identity is not specified.
* @return The requested certificate name.
*/
Name
getDefaultCertificateName()
{
return info().getDefaultCertificateNameForIdentity(info().getDefaultIdentity());
}
void
sign(Data &data);
/**
* Wire encode the Data object, sign it and set its signature.
* @param data The Data object to be signed. This updates its signature and key locator field and wireEncoding.
* @param certificateName The certificate name of the key to use for signing. If omitted, infer the signing identity from the data packet name.
*/
void
sign(Data& data, const Name& certificateName);
void
sign(Data& data, const IdentityCertificate& certificate);
/**
* Sign the byte array using a certificate name and return a Signature object.
* @param buffer The byte array to be signed.
* @param bufferLength the length of buffer.
* @param certificateName The certificate name used to get the signing key and which will be put into KeyLocator.
* @return The Signature.
*/
Signature
sign(const uint8_t* buffer, size_t bufferLength, const Name& certificateName);
/**
* Wire encode the Data object, sign it and set its signature.
* @param data The Data object to be signed. This updates its signature and key locator field and wireEncoding.
* @param identityName The identity name for the key to use for signing. If omitted, infer the signing identity from the data packet name.
*/
void
signByIdentity(Data& data, const Name& identityName = Name());
/**
* Sign the byte array using an identity name and return a Signature object.
* @param buffer The byte array to be signed.
* @param bufferLength the length of buffer.
* @param identityName The identity name.
* @return The Signature.
*/
Signature
signByIdentity(const uint8_t* buffer, size_t bufferLength, const Name& identityName = Name());
/**
* Generate a self-signed certificate for a public key.
* @param keyName The name of the public key.
* @return The generated certificate.
*/
ptr_lib::shared_ptr<IdentityCertificate>
selfSign(const Name& keyName);
/**
* @brief Self-sign the supplied identity certificate
*/
void
selfSign (IdentityCertificate& cert);
private:
/**
* Generate a key pair for the specified identity.
* @param identityName The name of the specified identity.
* @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
* @param keyType The type of the key pair, e.g. KEY_TYPE_RSA.
* @param keySize The size of the key pair.
* @return The name of the generated key.
*/
Name
generateKeyPair(const Name& identityName, bool isKsk = false, KeyType keyType = KEY_TYPE_RSA, int keySize = 2048);
static Name
getKeyNameFromCertificatePrefix(const Name& certificatePrefix);
public:
static const ptr_lib::shared_ptr<IdentityStorage> DefaultIdentityStorage;
static const ptr_lib::shared_ptr<PrivateKeyStorage> DefaultPrivateKeyStorage;
private:
ptr_lib::shared_ptr<IdentityStorage> publicInfoStorage_;
ptr_lib::shared_ptr<PrivateKeyStorage> privateKeyStorage_;
ptr_lib::shared_ptr<IdentityCertificate> defaultCertificate_;
};
inline IdentityStorage&
KeyChain::info()
{
if (!publicInfoStorage_)
throw Error("IdentityStorage is not assigned to IdentityManager");
return *publicInfoStorage_;
}
inline const IdentityStorage&
KeyChain::info() const
{
if (!publicInfoStorage_)
throw Error("IdentityStorage is not assigned to IdentityManager");
return *publicInfoStorage_;
}
inline PrivateKeyStorage&
KeyChain::tpm()
{
if (!privateKeyStorage_)
throw Error("PrivateKeyStorage is not assigned to IdentityManager");
return *privateKeyStorage_;
}
inline const PrivateKeyStorage&
KeyChain::tpm() const
{
if (!privateKeyStorage_)
throw Error("PrivateKeyStorage is not assigned to IdentityManager");
return *privateKeyStorage_;
}
}
#endif