renaming: ndn-cpp to ndn-cpp-dev
Change-Id: Iff3e4ff53a0005b7dd35c57d03da76b347170d03
diff --git a/include/ndn-cpp-dev/security/certificate-extension.hpp b/include/ndn-cpp-dev/security/certificate-extension.hpp
new file mode 100644
index 0000000..61f7dd2
--- /dev/null
+++ b/include/ndn-cpp-dev/security/certificate-extension.hpp
@@ -0,0 +1,78 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_CERTIFICATE_EXTENSION_HPP
+#define NDN_CERTIFICATE_EXTENSION_HPP
+
+#include "../common.hpp"
+#include "../encoding/buffer.hpp"
+#include "../encoding/oid.hpp"
+
+namespace CryptoPP { class BufferedTransformation; }
+
+namespace ndn {
+
+/**
+ * A CertificateExtension represents the Extension entry in a certificate.
+ */
+class CertificateExtension
+{
+public:
+ struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+ CertificateExtension(CryptoPP::BufferedTransformation &in)
+ {
+ decode(in);
+ }
+
+ /**
+ * Create a new CertificateExtension.
+ * @param oid The oid of subject description entry.
+ * @param isCritical If true, the extension must be handled.
+ * @param value The extension value.
+ */
+ CertificateExtension(const OID& oid, const bool isCritical, const Buffer& value)
+ : extensionId_(oid), isCritical_(isCritical), extensionValue_(value)
+ {
+ }
+
+ CertificateExtension(const OID& oid, const bool isCritical, const uint8_t* value, size_t valueSize)
+ : extensionId_(oid), isCritical_(isCritical), extensionValue_(value, valueSize)
+ {
+ }
+
+ /**
+ * The virtual destructor.
+ */
+ virtual
+ ~CertificateExtension() {}
+
+ void
+ encode(CryptoPP::BufferedTransformation &out) const;
+
+ void
+ decode(CryptoPP::BufferedTransformation &in);
+
+ inline const OID&
+ getOid() const { return extensionId_; }
+
+ inline const bool
+ getIsCritical() const { return isCritical_; }
+
+ inline const Buffer&
+ getValue() const { return extensionValue_; }
+
+protected:
+ OID extensionId_;
+ bool isCritical_;
+ Buffer extensionValue_;
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/certificate-subject-description.hpp b/include/ndn-cpp-dev/security/certificate-subject-description.hpp
new file mode 100644
index 0000000..fc26d37
--- /dev/null
+++ b/include/ndn-cpp-dev/security/certificate-subject-description.hpp
@@ -0,0 +1,64 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_CERTIFICATE_SUBJECT_DESCRIPTION_HPP
+#define NDN_CERTIFICATE_SUBJECT_DESCRIPTION_HPP
+
+#include "../common.hpp"
+#include "../encoding/oid.hpp"
+
+namespace CryptoPP { class BufferedTransformation; }
+
+namespace ndn {
+
+/**
+ * A CertificateSubjectDescription represents the SubjectDescription entry in a Certificate.
+ */
+class CertificateSubjectDescription {
+public:
+ CertificateSubjectDescription(CryptoPP::BufferedTransformation &in)
+ {
+ decode(in);
+ }
+
+ /**
+ * Create a new CertificateSubjectDescription.
+ * @param oid The oid of the subject description entry.
+ * @param value The value of the subject description entry.
+ */
+ CertificateSubjectDescription(const OID &oid, const std::string &value)
+ : oid_(oid), value_(value)
+ {
+ }
+
+ void
+ encode(CryptoPP::BufferedTransformation &out) const;
+
+ void
+ decode(CryptoPP::BufferedTransformation &in);
+
+ std::string
+ getOidString() const
+ {
+ return oid_.toString();
+ }
+
+ const std::string &
+ getValue() const
+ {
+ return value_;
+ }
+
+private:
+ OID oid_;
+ std::string value_;
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/certificate.hpp b/include/ndn-cpp-dev/security/certificate.hpp
new file mode 100644
index 0000000..9871733
--- /dev/null
+++ b/include/ndn-cpp-dev/security/certificate.hpp
@@ -0,0 +1,156 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_CERTIFICATE_HPP
+#define NDN_CERTIFICATE_HPP
+
+#include "../data.hpp"
+#include "../common.hpp"
+
+#include "certificate-subject-description.hpp"
+#include "certificate-extension.hpp"
+#include "public-key.hpp"
+
+namespace ndn {
+
+class Certificate : public Data {
+public:
+ struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+ typedef std::vector<CertificateSubjectDescription> SubjectDescriptionList;
+ typedef std::vector<CertificateExtension> ExtensionList;
+
+ /**
+ * The default constructor.
+ */
+ Certificate();
+
+ /**
+ * Create a Certificate from the content in the data packet.
+ * @param data The data packet with the content to decode.
+ */
+ Certificate(const Data& data);
+
+ /**
+ * The virtual destructor.
+ */
+ virtual
+ ~Certificate();
+
+ inline void
+ wireDecode(const Block &wire);
+
+ /**
+ * encode certificate info into content
+ */
+ void
+ encode();
+
+ /**
+ * Add a subject description.
+ * @param description The description to be added.
+ */
+ void
+ addSubjectDescription(const CertificateSubjectDescription& description) { subjectDescriptionList_.push_back(description); }
+
+ const SubjectDescriptionList&
+ getSubjectDescriptionList() const { return subjectDescriptionList_; }
+
+ SubjectDescriptionList&
+ getSubjectDescriptionList() { return subjectDescriptionList_; }
+
+ /**
+ * Add a certificate extension.
+ * @param extension the extension to be added
+ */
+ void
+ addExtension(const CertificateExtension& extension) { extensionList_.push_back(extension); }
+
+ const ExtensionList&
+ getExtensionList() const { return extensionList_; }
+
+ ExtensionList&
+ getExtensionList() { return extensionList_; }
+
+ void
+ setNotBefore(const MillisecondsSince1970& notBefore) { notBefore_ = notBefore; }
+
+ MillisecondsSince1970&
+ getNotBefore() { return notBefore_; }
+
+ const MillisecondsSince1970&
+ getNotBefore() const { return notBefore_; }
+
+ void
+ setNotAfter(const MillisecondsSince1970& notAfter) { notAfter_ = notAfter; }
+
+ MillisecondsSince1970&
+ getNotAfter() { return notAfter_; }
+
+ const MillisecondsSince1970&
+ getNotAfter() const { return notAfter_; }
+
+ void
+ setPublicKeyInfo(const PublicKey& key) { key_ = key; }
+
+ PublicKey&
+ getPublicKeyInfo() { return key_; }
+
+ const PublicKey&
+ getPublicKeyInfo() const { return key_; }
+
+ // virtual Name
+ // getPublicKeyName() const = 0;
+
+ /**
+ * Check if the certificate is valid.
+ * @return True if the current time is earlier than notBefore.
+ */
+ bool
+ isTooEarly();
+
+ /**
+ * Check if the certificate is valid.
+ * @return True if the current time is later than notAfter.
+ */
+ bool
+ isTooLate();
+
+ void
+ printCertificate(std::ostream &os) const;
+
+protected:
+ void
+ decode();
+
+protected:
+ SubjectDescriptionList subjectDescriptionList_;
+ MillisecondsSince1970 notBefore_;
+ MillisecondsSince1970 notAfter_;
+ PublicKey key_;
+ ExtensionList extensionList_;
+};
+
+inline void
+Certificate::wireDecode(const Block &wire)
+{
+ Data::wireDecode(wire);
+ decode();
+}
+
+
+inline std::ostream&
+operator <<(std::ostream &os, const Certificate &cert)
+{
+ cert.printCertificate(os);
+ return os;
+}
+
+} // namespace ndn
+
+#endif
diff --git a/include/ndn-cpp-dev/security/encryption-manager.hpp b/include/ndn-cpp-dev/security/encryption-manager.hpp
new file mode 100644
index 0000000..44eafb7
--- /dev/null
+++ b/include/ndn-cpp-dev/security/encryption-manager.hpp
@@ -0,0 +1,34 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_ENCRYPTION_MANAGER_HPP
+#define NDN_ENCRYPTION_MANAGER_HPP
+
+#include "../../name.hpp"
+#include "../security-common.hpp"
+
+namespace ndn {
+
+class EncryptionManager {
+public:
+ virtual ~EncryptionManager() {}
+
+ virtual void
+ createSymmetricKey(const Name& keyName, KeyType keyType, const Name& signkeyName = Name(), bool isSymmetric = true) = 0;
+
+ virtual ConstBufferPtr
+ encrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool useSymmetric = false,
+ EncryptMode encryptMode = ENCRYPT_MODE_DEFAULT) = 0;
+
+ virtual ConstBufferPtr
+ decrypt(const Name& keyName, const uint8_t* data, size_t dataLength, bool useSymmetric = false,
+ EncryptMode encryptMode = ENCRYPT_MODE_DEFAULT) = 0;
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/identity-certificate.hpp b/include/ndn-cpp-dev/security/identity-certificate.hpp
new file mode 100644
index 0000000..65b07af
--- /dev/null
+++ b/include/ndn-cpp-dev/security/identity-certificate.hpp
@@ -0,0 +1,112 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_IDENTITY_CERTIFICATE_HPP
+#define NDN_IDENTITY_CERTIFICATE_HPP
+
+#include "certificate.hpp"
+
+namespace ndn {
+
+class IdentityCertificate : public Certificate
+{
+public:
+ struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+ /**
+ * The default constructor.
+ */
+ inline
+ IdentityCertificate();
+
+ // Note: The copy constructor works because publicKeyName_ has a copy constructor.
+
+ /**
+ * Create an IdentityCertificate from the content in the data packet.
+ * @param data The data packet with the content to decode.
+ */
+ inline
+ IdentityCertificate(const Data& data);
+
+ /**
+ * The virtual destructor.
+ */
+ inline virtual
+ ~IdentityCertificate();
+
+ inline void
+ wireDecode(const Block &wire);
+
+ inline void
+ setName(const Name &name);
+
+ inline const Name &
+ getPublicKeyName () const;
+
+ static bool
+ isIdentityCertificate(const Certificate& certificate);
+
+ /**
+ * Get the public key name from the full certificate name.
+ * @param certificateName The full certificate name.
+ * @return The related public key name.
+ */
+ static Name
+ certificateNameToPublicKeyName(const Name& certificateName);
+
+private:
+ static bool
+ isCorrectName(const Name& name);
+
+ void
+ setPublicKeyName();
+
+protected:
+ Name publicKeyName_;
+};
+
+inline
+IdentityCertificate::IdentityCertificate()
+{
+}
+
+inline
+IdentityCertificate::IdentityCertificate(const Data& data)
+ : Certificate(data)
+{
+ setPublicKeyName();
+}
+
+inline
+IdentityCertificate::~IdentityCertificate()
+{
+}
+
+inline void
+IdentityCertificate::wireDecode(const Block &wire)
+{
+ Certificate::wireDecode(wire);
+ setPublicKeyName();
+}
+
+inline void
+IdentityCertificate::setName(const Name &name)
+{
+ Certificate::setName(name);
+ setPublicKeyName();
+}
+
+inline const Name &
+IdentityCertificate::getPublicKeyName () const
+{
+ return publicKeyName_;
+}
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/key-chain.hpp b/include/ndn-cpp-dev/security/key-chain.hpp
new file mode 100644
index 0000000..fffa05d
--- /dev/null
+++ b/include/ndn-cpp-dev/security/key-chain.hpp
@@ -0,0 +1,366 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_KEY_CHAIN_HPP
+#define NDN_KEY_CHAIN_HPP
+
+#include "identity-certificate.hpp"
+#include "public-key.hpp"
+#include "signature-sha256-with-rsa.hpp"
+
+#include "sec-public-info-sqlite3.hpp"
+#include "sec-public-info-memory.hpp"
+#include "sec-tpm-osx.hpp"
+#include "sec-tpm-memory.hpp"
+
+
+namespace ndn {
+
+/**
+ * KeyChain is one of the main classes of the security library.
+ *
+ * The KeyChain class provides a set of interfaces of identity management and private key related operations.
+ */
+template<class Info, class Tpm>
+class KeyChainImpl : public Info, public Tpm
+{
+public:
+ // struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+ /**
+ * Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed certificate of the KSK.
+ * @param identityName The name of the identity.
+ * @return The key name of the auto-generated KSK of the identity.
+ */
+ Name
+ createIdentity(const Name& identityName)
+ {
+ if (!Info::doesIdentityExist(identityName)) {
+ Info::addIdentity(identityName);
+
+ Name keyName = generateRSAKeyPairAsDefault(identityName, true);
+
+ ptr_lib::shared_ptr<IdentityCertificate> selfCert = selfSign(keyName);
+
+ Info::addCertificateAsDefault(*selfCert);
+
+ return keyName;
+ }
+ else
+ return Name();
+ }
+
+ /**
+ * Generate a pair of RSA keys for the specified identity.
+ * @param identityName The name of the identity.
+ * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
+ * @param keySize The size of the key.
+ * @return The generated key name.
+ */
+ Name
+ generateRSAKeyPair(const Name& identityName, bool isKsk = false, int keySize = 2048)
+ {
+ return generateKeyPair(identityName, isKsk, KEY_TYPE_RSA, keySize);
+ }
+
+ /**
+ * Generate a pair of RSA keys for the specified identity and set it as default key for the identity.
+ * @param identityName The name of the identity.
+ * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
+ * @param keySize The size of the key.
+ * @return The generated key name.
+ */
+ Name
+ generateRSAKeyPairAsDefault(const Name& identityName, bool isKsk = false, int keySize = 2048)
+ {
+ Name keyName = generateKeyPair(identityName, isKsk, KEY_TYPE_RSA, keySize);
+
+ Info::setDefaultKeyNameForIdentity(keyName);
+
+ return keyName;
+ }
+
+ /**
+ * Create an identity certificate for a public key managed by this IdentityManager.
+ * @param certificatePrefix The name of public key to be signed.
+ * @param signerCertificateName The name of signing certificate.
+ * @param notBefore The notBefore value in the validity field of the generated certificate.
+ * @param notAfter The notAfter vallue in validity field of the generated certificate.
+ * @return The name of generated identity certificate.
+ */
+ ptr_lib::shared_ptr<IdentityCertificate>
+ createIdentityCertificate
+ (const Name& certificatePrefix,
+ const Name& signerCertificateName,
+ const MillisecondsSince1970& notBefore,
+ const MillisecondsSince1970& notAfter)
+ {
+ Name keyName = getKeyNameFromCertificatePrefix(certificatePrefix);
+
+ ptr_lib::shared_ptr<PublicKey> pubKey = Info::getPublicKey(keyName);
+ if (!pubKey)
+ throw std::runtime_error("Requested public key [" + keyName.toUri() + "] doesn't exist");
+
+ ptr_lib::shared_ptr<IdentityCertificate> certificate =
+ createIdentityCertificate(certificatePrefix,
+ *pubKey,
+ signerCertificateName,
+ notBefore, notAfter);
+
+ Info::addCertificate(*certificate);
+
+ return certificate;
+ }
+
+
+ /**
+ * Create an identity certificate for a public key supplied by the caller.
+ * @param certificatePrefix The name of public key to be signed.
+ * @param publickey The public key to be signed.
+ * @param signerCertificateName The name of signing certificate.
+ * @param notBefore The notBefore value in the validity field of the generated certificate.
+ * @param notAfter The notAfter vallue in validity field of the generated certificate.
+ * @return The generated identity certificate.
+ */
+ ptr_lib::shared_ptr<IdentityCertificate>
+ createIdentityCertificate
+ (const Name& certificatePrefix,
+ const PublicKey& publicKey,
+ const Name& signerCertificateName,
+ const MillisecondsSince1970& notBefore,
+ const MillisecondsSince1970& notAfter)
+ {
+ ptr_lib::shared_ptr<IdentityCertificate> certificate (new IdentityCertificate());
+ Name keyName = getKeyNameFromCertificatePrefix(certificatePrefix);
+
+ Name certificateName = certificatePrefix;
+ certificateName.append("ID-CERT").appendVersion();
+
+ certificate->setName(certificateName);
+ certificate->setNotBefore(notBefore);
+ certificate->setNotAfter(notAfter);
+ certificate->setPublicKeyInfo(publicKey);
+ certificate->addSubjectDescription(CertificateSubjectDescription("2.5.4.41", keyName.toUri()));
+ certificate->encode();
+
+ sign(*certificate, signerCertificateName);
+
+ return certificate;
+ }
+
+ void
+ sign(Data &data)
+ {
+ if (!Info::defaultCertificate())
+ {
+ Info::refreshDefaultCertificate();
+
+ if(!Info::defaultCertificate())
+ throw std::runtime_error("Default IdentityCertificate cannot be determined");
+ }
+
+ sign(data, *Info::defaultCertificate());
+ }
+
+ /**
+ * Wire encode the Data object, sign it and set its signature.
+ * @param data The Data object to be signed. This updates its signature and key locator field and wireEncoding.
+ * @param certificateName The certificate name of the key to use for signing. If omitted, infer the signing identity from the data packet name.
+ */
+ void
+ sign(Data& data, const Name& certificateName)
+ {
+ ptr_lib::shared_ptr<IdentityCertificate> cert = Info::getCertificate(certificateName);
+ if (!cert)
+ throw std::runtime_error("Requested certificate [" + certificateName.toUri() + "] doesn't exist");
+
+ SignatureSha256WithRsa signature;
+ signature.setKeyLocator(certificateName.getPrefix(-1)); // implicit conversion should take care
+ data.setSignature(signature);
+
+ // For temporary usage, we support RSA + SHA256 only, but will support more.
+ Tpm::signInTpm(data, cert->getPublicKeyName(), DIGEST_ALGORITHM_SHA256);
+ }
+
+ void
+ sign(Data& data, const IdentityCertificate& certificate)
+ {
+ SignatureSha256WithRsa signature;
+ signature.setKeyLocator(certificate.getName().getPrefix(-1));
+ data.setSignature(signature);
+
+ // For temporary usage, we support RSA + SHA256 only, but will support more.
+ Tpm::signInTpm(data, certificate.getPublicKeyName(), DIGEST_ALGORITHM_SHA256);
+ }
+
+ /**
+ * Sign the byte array using a certificate name and return a Signature object.
+ * @param buffer The byte array to be signed.
+ * @param bufferLength the length of buffer.
+ * @param certificateName The certificate name used to get the signing key and which will be put into KeyLocator.
+ * @return The Signature.
+ */
+ Signature
+ sign(const uint8_t* buffer, size_t bufferLength, const Name& certificateName)
+ {
+ ptr_lib::shared_ptr<IdentityCertificate> cert = Info::getCertificate(certificateName);
+ if (!cert)
+ throw std::runtime_error("Requested certificate [" + certificateName.toUri() + "] doesn't exist");
+
+ SignatureSha256WithRsa signature;
+ signature.setKeyLocator(certificateName.getPrefix(-1)); // implicit conversion should take care
+
+ // For temporary usage, we support RSA + SHA256 only, but will support more.
+ signature.setValue(Tpm::signInTpm(buffer, bufferLength, cert->getPublicKeyName(), DIGEST_ALGORITHM_SHA256));
+ return signature;
+ }
+
+ /**
+ * Wire encode the Data object, sign it and set its signature.
+ * @param data The Data object to be signed. This updates its signature and key locator field and wireEncoding.
+ * @param identityName The identity name for the key to use for signing. If omitted, infer the signing identity from the data packet name.
+ */
+ void
+ signByIdentity(Data& data, const Name& identityName = Name())
+ {
+ Name signingCertificateName = Info::getDefaultCertificateNameForIdentity(identityName);
+
+ if (signingCertificateName.getComponentCount() == 0)
+ throw std::runtime_error("No qualified certificate name found!");
+
+ sign(data, signingCertificateName);
+ }
+
+ /**
+ * Sign the byte array using an identity name and return a Signature object.
+ * @param buffer The byte array to be signed.
+ * @param bufferLength the length of buffer.
+ * @param identityName The identity name.
+ * @return The Signature.
+ */
+ Signature
+ signByIdentity(const uint8_t* buffer, size_t bufferLength, const Name& identityName = Name())
+ {
+ Name signingCertificateName = Info::getDefaultCertificateNameForIdentity(identityName);
+
+ if (signingCertificateName.size() == 0)
+ throw std::runtime_error("No qualified certificate name found!");
+
+ return sign(buffer, bufferLength, signingCertificateName);
+ }
+
+ /**
+ * Generate a self-signed certificate for a public key.
+ * @param keyName The name of the public key.
+ * @return The generated certificate.
+ */
+ ptr_lib::shared_ptr<IdentityCertificate>
+ selfSign(const Name& keyName)
+ {
+ if(keyName.empty())
+ throw std::runtime_error("Incorrect key name: " + keyName.toUri());
+
+ ptr_lib::shared_ptr<IdentityCertificate> certificate = ptr_lib::make_shared<IdentityCertificate>();
+
+ Name certificateName = keyName.getPrefix(-1);
+ certificateName.append("KEY").append(keyName.get(-1)).append("ID-CERT").appendVersion();
+
+ ptr_lib::shared_ptr<PublicKey> pubKey = Info::getPublicKey(keyName);
+ if (!pubKey)
+ throw std::runtime_error("Requested public key [" + keyName.toUri() + "] doesn't exist");
+
+ certificate->setName(certificateName);
+ certificate->setNotBefore(getNow());
+ certificate->setNotAfter(getNow() + 630720000 /* 20 years*/);
+ certificate->setPublicKeyInfo(*pubKey);
+ certificate->addSubjectDescription(CertificateSubjectDescription("2.5.4.41", keyName.toUri()));
+ certificate->encode();
+
+ selfSign(*certificate);
+ return certificate;
+ }
+
+ /**
+ * @brief Self-sign the supplied identity certificate
+ */
+ void
+ selfSign (IdentityCertificate& cert)
+ {
+ SignatureSha256WithRsa signature;
+ signature.setKeyLocator(cert.getName().getPrefix(-1)); // implicit conversion should take care
+ cert.setSignature(signature);
+
+ // For temporary usage, we support RSA + SHA256 only, but will support more.
+ Tpm::signInTpm(cert, cert.getPublicKeyName(), DIGEST_ALGORITHM_SHA256);
+ }
+
+
+private:
+ /**
+ * Generate a key pair for the specified identity.
+ * @param identityName The name of the specified identity.
+ * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).
+ * @param keyType The type of the key pair, e.g. KEY_TYPE_RSA.
+ * @param keySize The size of the key pair.
+ * @return The name of the generated key.
+ */
+ Name
+ generateKeyPair(const Name& identityName, bool isKsk = false, KeyType keyType = KEY_TYPE_RSA, int keySize = 2048)
+ {
+ Name keyName = Info::getNewKeyName(identityName, isKsk);
+
+ Tpm::generateKeyPairInTpm(keyName.toUri(), keyType, keySize);
+
+ ptr_lib::shared_ptr<PublicKey> pubKey = Tpm::getPublicKeyFromTpm(keyName.toUri());
+ Info::addPublicKey(keyName, keyType, *pubKey);
+
+ return keyName;
+ }
+
+ static Name
+ getKeyNameFromCertificatePrefix(const Name& certificatePrefix)
+ {
+ Name result;
+
+ std::string keyString("KEY");
+ int i = 0;
+ for(; i < certificatePrefix.size(); i++) {
+ if (certificatePrefix.get(i).toEscapedString() == keyString)
+ break;
+ }
+
+ if (i >= certificatePrefix.size())
+ throw std::runtime_error("Identity Certificate Prefix does not have a KEY component");
+
+ result.append(certificatePrefix.getSubName(0, i));
+ result.append(certificatePrefix.getSubName(i + 1, certificatePrefix.size()-i-1));
+
+ return result;
+ }
+
+};
+
+}
+
+#ifdef NDN_CPP_HAVE_OSX_SECURITY
+
+namespace ndn
+{
+typedef KeyChainImpl<SecPublicInfoSqlite3, SecTpmOsx> KeyChain;
+};
+
+#else
+
+namespace ndn
+{
+typedef KeyChainImpl<SecPublicInfoMemory, SecTpmMemory> KeyChain;
+};
+
+#endif //NDN_CPP_HAVE_OSX_SECURITY
+
+#endif
diff --git a/include/ndn-cpp-dev/security/public-key.hpp b/include/ndn-cpp-dev/security/public-key.hpp
new file mode 100644
index 0000000..5a70e38
--- /dev/null
+++ b/include/ndn-cpp-dev/security/public-key.hpp
@@ -0,0 +1,84 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_PUBLIC_KEY_HPP
+#define NDN_PUBLIC_KEY_HPP
+
+#include <stdexcept>
+#include "../encoding/oid.hpp"
+#include "../encoding/buffer.hpp"
+#include "security-common.hpp"
+
+namespace ndn {
+
+class PublicKey {
+public:
+ struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+ /**
+ * The default constructor.
+ */
+ PublicKey();
+
+ /**
+ * Create a new PublicKey with the given values.
+ * @param algorithm The algorithm of the public key.
+ * @param keyDer The blob of the PublicKeyInfo in terms of DER.
+ *
+ * @throws PublicKey::Error If algorithm is not supported or keyDer cannot be decoded
+ */
+ PublicKey(const uint8_t *keyDerBuf, size_t keyDerSize);
+
+ inline const Buffer&
+ get() const
+ {
+ return key_;
+ }
+
+ inline void
+ set(const uint8_t *keyDerBuf, size_t keyDerSize)
+ {
+ Buffer buf(keyDerBuf, keyDerSize);
+ key_.swap(buf);
+ }
+
+ void
+ encode(CryptoPP::BufferedTransformation &out) const;
+
+ void
+ decode(CryptoPP::BufferedTransformation &in);
+
+ // /*
+ // * Get the digest of the public key.
+ // * @param digestAlgorithm The digest algorithm. If omitted, use DIGEST_ALGORITHM_SHA256 by default.
+ // */
+ // Blob
+ // getDigest(DigestAlgorithm digestAlgorithm = DIGEST_ALGORITHM_SHA256) const;
+
+ inline bool
+ operator ==(const PublicKey &key) const
+ {
+ return key_ == key.key_;
+ }
+
+ inline bool
+ operator !=(const PublicKey &key) const
+ {
+ return key_ != key.key_;
+ }
+
+private:
+ Buffer key_;
+};
+
+std::ostream &
+operator <<(std::ostream &os, const PublicKey &key);
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sec-policy-no-verify.hpp b/include/ndn-cpp-dev/security/sec-policy-no-verify.hpp
new file mode 100644
index 0000000..1d2927e
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sec-policy-no-verify.hpp
@@ -0,0 +1,72 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_POLICY_NO_VERIFY_HPP
+#define NDN_SEC_POLICY_NO_VERIFY_HPP
+
+#include "sec-policy.hpp"
+
+namespace ndn {
+
+class SecPolicyNoVerify : public SecPolicy {
+public:
+ /**
+ * The virtual destructor.
+ */
+ virtual
+ ~SecPolicyNoVerify();
+
+ /**
+ * Override to always skip verification and trust as valid.
+ * @param data The received data packet.
+ * @return true.
+ */
+ virtual bool
+ skipVerifyAndTrust(const Data& data);
+
+ /**
+ * Override to return false for no verification rule for the received data.
+ * @param data The received data packet.
+ * @return false.
+ */
+ virtual bool
+ requireVerify(const Data& data);
+
+ /**
+ * Override to call onVerified(data) and to indicate no further verification step.
+ * @param data The Data object with the signature to check.
+ * @param stepCount The number of verification steps that have been done, used to track the verification progress.
+ * @param onVerified This does override to call onVerified(data).
+ * @param onVerifyFailed Override to ignore this.
+ * @return null for no further step.
+ */
+ virtual ptr_lib::shared_ptr<ValidationRequest>
+ checkVerificationPolicy
+ (const ptr_lib::shared_ptr<Data>& data, int stepCount, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed);
+
+ /**
+ * Override to always indicate that the signing certificate name and data name satisfy the signing policy.
+ * @param dataName The name of data to be signed.
+ * @param certificateName The name of signing certificate.
+ * @return true to indicate that the signing certificate can be used to sign the data.
+ */
+ virtual bool
+ checkSigningPolicy(const Name& dataName, const Name& certificateName);
+
+ /**
+ * Override to indicate that the signing identity cannot be inferred.
+ * @param dataName The name of data to be signed.
+ * @return An empty name because cannot infer.
+ */
+ virtual Name
+ inferSigningIdentity(const Name& dataName);
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sec-policy-self-verify.hpp b/include/ndn-cpp-dev/security/sec-policy-self-verify.hpp
new file mode 100644
index 0000000..111b61a
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sec-policy-self-verify.hpp
@@ -0,0 +1,91 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_POLICY_SELF_VERIFY_HPP
+#define NDN_SEC_POLICY_SELF_VERIFY_HPP
+
+#include "sec-policy.hpp"
+
+namespace ndn {
+
+/**
+ * A SecPolicySelfVerify implements a PolicyManager to use the public key DER in the data packet's KeyLocator (if available)
+ * or look in the IdentityStorage for the public key with the name in the KeyLocator (if available) and use
+ * it to verify the data packet, without searching a certificate chain. If the public key can't be found, the
+ * verification fails.
+ */
+class SecPolicySelfVerify : public SecPolicy {
+public:
+ /**
+ * Create a new SecPolicySelfVerify which will look up the public key in the given identityManager.
+ * @param identityManager (optional) The IdentityManager for looking up the public key. This points to an object must which remain
+ * valid during the life of this SecPolicySelfVerify. If omitted, then don't look for a public key with the name
+ * in the KeyLocator and rely on the KeyLocator having the full public key DER.
+ */
+ SecPolicySelfVerify()
+ {
+ }
+
+ /**
+ * The virtual destructor.
+ */
+ virtual
+ ~SecPolicySelfVerify();
+
+ /**
+ * Never skip verification.
+ * @param data The received data packet.
+ * @return false.
+ */
+ virtual bool
+ skipVerifyAndTrust(const Data& data);
+
+ /**
+ * Always return true to use the self-verification rule for the received data.
+ * @param data The received data packet.
+ * @return true.
+ */
+ virtual bool
+ requireVerify(const Data& data);
+
+ /**
+ * Use the public key DER in the data packet's KeyLocator (if available) or look in the IdentityStorage for the
+ * public key with the name in the KeyLocator (if available) and use it to verify the data packet. If the public key can't
+ * be found, call onVerifyFailed.
+ * @param data The Data object with the signature to check.
+ * @param stepCount The number of verification steps that have been done, used to track the verification progress.
+ * (stepCount is ignored.)
+ * @param onVerified If the signature is verified, this calls onVerified(data).
+ * @param onVerifyFailed If the signature check fails or can't find the public key, this calls onVerifyFailed(data).
+ * @return null for no further step for looking up a certificate chain.
+ */
+ virtual ptr_lib::shared_ptr<ValidationRequest>
+ checkVerificationPolicy
+ (const ptr_lib::shared_ptr<Data>& data, int stepCount, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed);
+
+ /**
+ * Override to always indicate that the signing certificate name and data name satisfy the signing policy.
+ * @param dataName The name of data to be signed.
+ * @param certificateName The name of signing certificate.
+ * @return true to indicate that the signing certificate can be used to sign the data.
+ */
+ virtual bool
+ checkSigningPolicy(const Name& dataName, const Name& certificateName);
+
+ /**
+ * Override to indicate that the signing identity cannot be inferred.
+ * @param dataName The name of data to be signed.
+ * @return An empty name because cannot infer.
+ */
+ virtual Name
+ inferSigningIdentity(const Name& dataName);
+
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sec-policy.hpp b/include/ndn-cpp-dev/security/sec-policy.hpp
new file mode 100644
index 0000000..e3879bb
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sec-policy.hpp
@@ -0,0 +1,79 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_POLICY_HPP
+#define NDN_SEC_POLICY_HPP
+
+#include "../data.hpp"
+#include "validation-request.hpp"
+
+namespace ndn {
+
+/**
+ * A SecPolicy is an abstract base class to represent the policy for verifying data packets.
+ * You must create an object of a subclass.
+ */
+class SecPolicy {
+public:
+ struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+ /**
+ * The virtual destructor.
+ */
+ virtual
+ ~SecPolicy() {}
+
+ /**
+ * Check if the received data packet can escape from verification and be trusted as valid.
+ * @param data The received data packet.
+ * @return true if the data does not need to be verified to be trusted as valid, otherwise false.
+ */
+ virtual bool
+ skipVerifyAndTrust(const Data& data) = 0;
+
+ /**
+ * Check if this SecPolicy has a verification rule for the received data.
+ * @param data The received data packet.
+ * @return true if the data must be verified, otherwise false.
+ */
+ virtual bool
+ requireVerify(const Data& data) = 0;
+
+ /**
+ * Check whether the received data packet complies with the verification policy, and get the indication of the next verification step.
+ * @param data The Data object with the signature to check.
+ * @param stepCount The number of verification steps that have been done, used to track the verification progress.
+ * @param onVerified If the signature is verified, this calls onVerified(data).
+ * @param onVerifyFailed If the signature check fails, this calls onVerifyFailed(data).
+ * @return the indication of next verification step, null if there is no further step.
+ */
+ virtual ptr_lib::shared_ptr<ValidationRequest>
+ checkVerificationPolicy
+ (const ptr_lib::shared_ptr<Data>& data, int stepCount, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed) = 0;
+
+ /**
+ * Check if the signing certificate name and data name satisfy the signing policy.
+ * @param dataName The name of data to be signed.
+ * @param certificateName The name of signing certificate.
+ * @return true if the signing certificate can be used to sign the data, otherwise false.
+ */
+ virtual bool
+ checkSigningPolicy(const Name& dataName, const Name& certificateName) = 0;
+
+ /**
+ * Infer the signing identity name according to the policy. If the signing identity cannot be inferred, return an empty name.
+ * @param dataName The name of data to be signed.
+ * @return The signing identity or an empty name if cannot infer.
+ */
+ virtual Name
+ inferSigningIdentity(const Name& dataName) = 0;
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sec-public-info-memory.hpp b/include/ndn-cpp-dev/security/sec-public-info-memory.hpp
new file mode 100644
index 0000000..c991f1a
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sec-public-info-memory.hpp
@@ -0,0 +1,217 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_PUBLIC_INFO_MEMORY_HPP
+#define NDN_SEC_PUBLIC_INFO_MEMORY_HPP
+
+#include <vector>
+#include <map>
+#include "sec-public-info.hpp"
+
+namespace ndn {
+
+/**
+ * MemoryKeyMetaInfo extends IdentityStorage and implements its methods to store identity, public key and certificate objects in memory.
+ * The application must get the objects through its own means and add the objects to the MemoryKeyMetaInfo object.
+ * To use permanent file-based storage, see BasicKeyMetaInfo.
+ */
+class SecPublicInfoMemory : public SecPublicInfo {
+public:
+ struct Error : public SecPublicInfo::Error { Error(const std::string &what) : SecPublicInfo::Error(what) {} };
+
+ /**
+ * The virtual Destructor.
+ */
+ virtual
+ ~SecPublicInfoMemory();
+
+ /**
+ * Check if the specified identity already exists.
+ * @param identityName The identity name.
+ * @return true if the identity exists, otherwise false.
+ */
+ virtual bool
+ doesIdentityExist(const Name& identityName);
+
+ /**
+ * Add a new identity. An exception will be thrown if the identity already exists.
+ * @param identityName The identity name to be added.
+ */
+ virtual void
+ addIdentity(const Name& identityName);
+
+ /**
+ * Revoke the identity.
+ * @return true if the identity was revoked, false if not.
+ */
+ virtual bool
+ revokeIdentity();
+
+ /**
+ * Check if the specified key already exists.
+ * @param keyName The name of the key.
+ * @return true if the key exists, otherwise false.
+ */
+ virtual bool
+ doesPublicKeyExist(const Name& keyName);
+
+ /**
+ * Add a public key to the identity storage.
+ * @param keyName The name of the public key to be added.
+ * @param keyType Type of the public key to be added.
+ * @param publicKeyDer A blob of the public key DER to be added.
+ */
+ virtual void
+ addPublicKey(const Name& keyName, KeyType keyType, const PublicKey& publicKeyDer);
+
+ /**
+ * Get the public key DER blob from the identity storage.
+ * @param keyName The name of the requested public key.
+ * @return The DER Blob. If not found, return a Blob with a null pointer.
+ */
+ virtual ptr_lib::shared_ptr<PublicKey>
+ getPublicKey(const Name& keyName);
+
+ /**
+ * Activate a key. If a key is marked as inactive, its private part will not be used in packet signing.
+ * @param keyName name of the key
+ */
+ virtual void
+ activatePublicKey(const Name& keyName);
+
+ /**
+ * Deactivate a key. If a key is marked as inactive, its private part will not be used in packet signing.
+ * @param keyName name of the key
+ */
+ virtual void
+ deactivatePublicKey(const Name& keyName);
+
+ /**
+ * Check if the specified certificate already exists.
+ * @param certificateName The name of the certificate.
+ * @return true if the certificate exists, otherwise false.
+ */
+ virtual bool
+ doesCertificateExist(const Name& certificateName);
+
+ /**
+ * Add a certificate to the identity storage.
+ * @param certificate The certificate to be added. This makes a copy of the certificate.
+ */
+ virtual void
+ addCertificate(const IdentityCertificate& certificate);
+
+ /**
+ * Get a certificate from the identity storage.
+ * @param certificateName The name of the requested certificate.
+ * @param allowAny If false, only a valid certificate will be returned, otherwise validity is disregarded.
+ * @return The requested certificate. If not found, return a shared_ptr with a null pointer.
+ */
+ virtual ptr_lib::shared_ptr<IdentityCertificate>
+ getCertificate(const Name &certificateName);
+
+
+ /*****************************************
+ * Get/Set Default *
+ *****************************************/
+
+ /**
+ * Get the default identity.
+ * @param return The name of default identity, or an empty name if there is no default.
+ */
+ virtual Name
+ getDefaultIdentity();
+
+ /**
+ * Get the default key name for the specified identity.
+ * @param identityName The identity name.
+ * @return The default key name.
+ */
+ virtual Name
+ getDefaultKeyNameForIdentity(const Name& identityName);
+
+ /**
+ * Get the default certificate name for the specified key.
+ * @param keyName The key name.
+ * @return The default certificate name.
+ */
+ virtual Name
+ getDefaultCertificateNameForKey(const Name& keyName);
+
+ virtual std::vector<Name>
+ getAllIdentities(bool isDefault);
+
+ virtual std::vector<Name>
+ getAllKeyNames(bool isDefault);
+
+ virtual std::vector<Name>
+ getAllKeyNamesOfIdentity(const Name& identity, bool isDefault);
+
+ virtual std::vector<Name>
+ getAllCertificateNames(bool isDefault);
+
+ virtual std::vector<Name>
+ getAllCertificateNamesOfKey(const Name& keyName, bool isDefault);
+
+protected:
+ /**
+ * Set the default identity. If the identityName does not exist, then clear the default identity
+ * so that getDefaultIdentity() returns an empty name.
+ * @param identityName The default identity name.
+ */
+ virtual void
+ setDefaultIdentityInternal(const Name& identityName);
+
+ /**
+ * Set the default key name for the specified identity.
+ * @param keyName The key name.
+ * @param identityNameCheck (optional) The identity name to check the keyName.
+ */
+ virtual void
+ setDefaultKeyNameForIdentityInternal(const Name& keyName);
+
+ /**
+ * Set the default key name for the specified identity.
+ * @param keyName The key name.
+ * @param certificateName The certificate name.
+ */
+ virtual void
+ setDefaultCertificateNameForKeyInternal(const Name& certificateName);
+
+
+private:
+ class KeyRecord {
+ public:
+ KeyRecord(KeyType keyType, const PublicKey &key)
+ : keyType_(keyType), key_(key)
+ {
+ }
+
+ const KeyType getKeyType() const { return keyType_; }
+
+ const PublicKey& getKey() { return key_; }
+
+ private:
+ KeyType keyType_;
+ PublicKey key_;
+ };
+
+ std::vector<std::string> identityStore_; /**< A list of name URI. */
+ std::string defaultIdentity_; /**< The default identity in identityStore_, or "" if not defined. */
+ Name defaultKeyName_;
+ Name defaultCert_;
+
+ typedef std::map< std::string, ptr_lib::shared_ptr<KeyRecord> > KeyStore; /**< The map key is the keyName.toUri() */
+ typedef std::map< std::string, ptr_lib::shared_ptr<IdentityCertificate> > CertificateStore; /**< The map key is the certificateName.toUri() */
+
+ KeyStore keyStore_;
+ CertificateStore certificateStore_;
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sec-public-info-sqlite3.hpp b/include/ndn-cpp-dev/security/sec-public-info-sqlite3.hpp
new file mode 100644
index 0000000..f83c27e
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sec-public-info-sqlite3.hpp
@@ -0,0 +1,223 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_PUBLIC_INFO_SQLITE3_HPP
+#define NDN_SEC_PUBLIC_INFO_SQLITE3_HPP
+
+// Only compile if ndn-cpp-config.h defines NDN_CPP_HAVE_SQLITE3.
+#include <ndn-cpp-dev/ndn-cpp-config.h>
+#ifdef NDN_CPP_HAVE_SQLITE3
+
+#include <sqlite3.h>
+#include "../common.hpp"
+#include "sec-public-info.hpp"
+
+namespace ndn
+{
+
+/**
+ * BasicIdentityStorage extends IdentityStorage to implement a basic storage of identity, public keys and certificates
+ * using SQLite.
+ */
+class SecPublicInfoSqlite3 : public SecPublicInfo {
+public:
+ struct Error : public SecPublicInfo::Error { Error(const std::string &what) : SecPublicInfo::Error(what) {} };
+
+ SecPublicInfoSqlite3();
+
+ /**
+ * The virtual Destructor.
+ */
+ virtual
+ ~SecPublicInfoSqlite3();
+
+ // from SecPublicInfo
+ /**
+ * Check if the specified identity already exists.
+ * @param identityName The identity name.
+ * @return true if the identity exists, otherwise false.
+ */
+ virtual bool
+ doesIdentityExist(const Name& identityName);
+
+ /**
+ * Add a new identity. An exception will be thrown if the identity already exists.
+ * @param identityName The identity name to be added.
+ */
+ virtual void
+ addIdentity(const Name& identityName);
+
+ /**
+ * Revoke the identity.
+ * @return true if the identity was revoked, false if not.
+ */
+ virtual bool
+ revokeIdentity();
+
+ /**
+ * Check if the specified key already exists.
+ * @param keyName The name of the key.
+ * @return true if the key exists, otherwise false.
+ */
+ virtual bool
+ doesPublicKeyExist(const Name& keyName);
+
+ /**
+ * Add a public key to the identity storage.
+ * @param keyName The name of the public key to be added.
+ * @param keyType Type of the public key to be added.
+ * @param publicKeyDer A blob of the public key DER to be added.
+ */
+ virtual void
+ addPublicKey(const Name& keyName, KeyType keyType, const PublicKey& publicKeyDer);
+
+ /**
+ * Get the public key DER blob from the identity storage.
+ * @param keyName The name of the requested public key.
+ * @return The DER Blob. If not found, return a Blob with a null pointer.
+ */
+ virtual ptr_lib::shared_ptr<PublicKey>
+ getPublicKey(const Name& keyName);
+
+ /**
+ * Activate a key. If a key is marked as inactive, its private part will not be used in packet signing.
+ * @param keyName name of the key
+ */
+ virtual inline void
+ activatePublicKey(const Name& keyName);
+
+ /**
+ * Deactivate a key. If a key is marked as inactive, its private part will not be used in packet signing.
+ * @param keyName name of the key
+ */
+ virtual inline void
+ deactivatePublicKey(const Name& keyName);
+
+ /**
+ * Check if the specified certificate already exists.
+ * @param certificateName The name of the certificate.
+ * @return true if the certificate exists, otherwise false.
+ */
+ virtual bool
+ doesCertificateExist(const Name& certificateName);
+
+ /**
+ * Add a certificate in to the identity storage without checking if the identity and key exists.
+ * @param certificate The certificate to be added.
+ */
+ virtual void
+ addAnyCertificate (const IdentityCertificate& certificate);
+
+ /**
+ * Add a certificate to the identity storage.
+ * @param certificate The certificate to be added. This makes a copy of the certificate.
+ */
+ virtual void
+ addCertificate(const IdentityCertificate& certificate);
+
+ /**
+ * Get a certificate from the identity storage.
+ * @param certificateName The name of the requested certificate.
+ * @param allowAny If false, only a valid certificate will be returned, otherwise validity is disregarded.
+ * @return The requested certificate. If not found, return a shared_ptr with a null pointer.
+ */
+ virtual ptr_lib::shared_ptr<IdentityCertificate>
+ getCertificate(const Name &certificateName);
+
+
+ /*****************************************
+ * Default Getter *
+ *****************************************/
+
+ /**
+ * Get the default identity.
+ * @param return The name of default identity, or an empty name if there is no default.
+ */
+ virtual Name
+ getDefaultIdentity();
+
+ /**
+ * Get the default key name for the specified identity.
+ * @param identityName The identity name.
+ * @return The default key name.
+ */
+ virtual Name
+ getDefaultKeyNameForIdentity(const Name& identityName);
+
+ /**
+ * Get the default certificate name for the specified key.
+ * @param keyName The key name.
+ * @return The default certificate name.
+ */
+ virtual Name
+ getDefaultCertificateNameForKey(const Name& keyName);
+
+ virtual std::vector<Name>
+ getAllIdentities(bool isDefault);
+
+ virtual std::vector<Name>
+ getAllKeyNames(bool isDefault);
+
+ virtual std::vector<Name>
+ getAllKeyNamesOfIdentity(const Name& identity, bool isDefault);
+
+ virtual std::vector<Name>
+ getAllCertificateNames(bool isDefault);
+
+ virtual std::vector<Name>
+ getAllCertificateNamesOfKey(const Name& keyName, bool isDefault);
+
+protected:
+ /**
+ * Set the default identity. If the identityName does not exist, then clear the default identity
+ * so that getDefaultIdentity() returns an empty name.
+ * @param identityName The default identity name.
+ */
+ virtual void
+ setDefaultIdentityInternal(const Name& identityName);
+
+ /**
+ * Set the default key name for the specified identity.
+ * @param keyName The key name.
+ * @param identityNameCheck (optional) The identity name to check the keyName.
+ */
+ virtual void
+ setDefaultKeyNameForIdentityInternal(const Name& keyName);
+
+ /**
+ * Set the default key name for the specified identity.
+ * @param keyName The key name.
+ * @param certificateName The certificate name.
+ */
+ virtual void
+ setDefaultCertificateNameForKeyInternal(const Name& certificateName);
+
+private:
+ void
+ updateKeyStatus(const Name& keyName, bool isActive);
+
+ sqlite3 *database_;
+};
+
+void
+SecPublicInfoSqlite3::activatePublicKey(const Name& keyName)
+{
+ updateKeyStatus(keyName, true);
+}
+
+void
+SecPublicInfoSqlite3::deactivatePublicKey(const Name& keyName)
+{
+ updateKeyStatus(keyName, false);
+}
+
+}
+
+#endif // NDN_CPP_HAVE_SQLITE3
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sec-public-info.hpp b/include/ndn-cpp-dev/security/sec-public-info.hpp
new file mode 100644
index 0000000..7cd7230
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sec-public-info.hpp
@@ -0,0 +1,380 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_PUBLIC_INFO_HPP
+#define NDN_SEC_PUBLIC_INFO_HPP
+
+#include "../name.hpp"
+#include "security-common.hpp"
+#include "public-key.hpp"
+#include "identity-certificate.hpp"
+
+
+namespace ndn {
+
+/**
+ * SecPublicInfo is a base class for the storage of identity, public keys and certificates.
+ * Private keys are stored in SecTpm.
+ * This is an abstract base class. A subclass must implement the methods.
+ */
+class SecPublicInfo {
+public:
+ struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+ /**
+ * The virtual Destructor.
+ */
+ virtual
+ ~SecPublicInfo() {}
+
+ /**
+ * Check if the specified identity already exists.
+ * @param identityName The identity name.
+ * @return true if the identity exists, otherwise false.
+ */
+ virtual bool
+ doesIdentityExist(const Name& identityName) = 0;
+
+ /**
+ * Add a new identity. An exception will be thrown if the identity already exists.
+ * @param identityName The identity name to be added.
+ */
+ virtual void
+ addIdentity(const Name& identityName) = 0;
+
+ /**
+ * Revoke the identity.
+ * @return true if the identity was revoked, false if not.
+ */
+ virtual bool
+ revokeIdentity() = 0;
+
+ /**
+ * Check if the specified key already exists.
+ * @param keyName The name of the key.
+ * @return true if the key exists, otherwise false.
+ */
+ virtual bool
+ doesPublicKeyExist(const Name& keyName) = 0;
+
+ /**
+ * Add a public key to the identity storage.
+ * @param keyName The name of the public key to be added.
+ * @param keyType Type of the public key to be added.
+ * @param publicKeyDer A blob of the public key DER to be added.
+ */
+ virtual void
+ addPublicKey(const Name& keyName, KeyType keyType, const PublicKey& publicKeyDer) = 0;
+
+ /**
+ * Get the public key DER blob from the identity storage.
+ * @param keyName The name of the requested public key.
+ * @return The DER Blob. If not found, return a Blob with a null pointer.
+ */
+ virtual ptr_lib::shared_ptr<PublicKey>
+ getPublicKey(const Name& keyName) = 0;
+
+ /**
+ * Activate a key. If a key is marked as inactive, its private part will not be used in packet signing.
+ * @param keyName name of the key
+ */
+ virtual void
+ activatePublicKey(const Name& keyName) = 0;
+
+ /**
+ * Deactivate a key. If a key is marked as inactive, its private part will not be used in packet signing.
+ * @param keyName name of the key
+ */
+ virtual void
+ deactivatePublicKey(const Name& keyName) = 0;
+
+ /**
+ * Check if the specified certificate already exists.
+ * @param certificateName The name of the certificate.
+ * @return true if the certificate exists, otherwise false.
+ */
+ virtual bool
+ doesCertificateExist(const Name& certificateName) = 0;
+
+ /**
+ * Add a certificate to the identity storage.
+ * @param certificate The certificate to be added. This makes a copy of the certificate.
+ */
+ virtual void
+ addCertificate(const IdentityCertificate& certificate) = 0;
+
+ /**
+ * Get a certificate from the identity storage.
+ * @param certificateName The name of the requested certificate.
+ * @param allowAny If false, only a valid certificate will be returned, otherwise validity is disregarded.
+ * @return The requested certificate. If not found, return a shared_ptr with a null pointer.
+ */
+ virtual ptr_lib::shared_ptr<IdentityCertificate>
+ getCertificate(const Name &certificateName) = 0;
+
+
+ /*****************************************
+ * Default Getter *
+ *****************************************/
+
+ /**
+ * Get the default identity.
+ * @param return The name of default identity, or an empty name if there is no default.
+ */
+ virtual Name
+ getDefaultIdentity() = 0;
+
+ /**
+ * Get the default key name for the specified identity.
+ * @param identityName The identity name.
+ * @return The default key name.
+ */
+ virtual Name
+ getDefaultKeyNameForIdentity(const Name& identityName) = 0;
+
+ /**
+ * Get the default certificate name for the specified key.
+ * @param keyName The key name.
+ * @return The default certificate name.
+ */
+ virtual Name
+ getDefaultCertificateNameForKey(const Name& keyName) = 0;
+
+ virtual std::vector<Name>
+ getAllIdentities(bool isDefault) = 0;
+
+ virtual std::vector<Name>
+ getAllKeyNames(bool isDefault) = 0;
+
+ virtual std::vector<Name>
+ getAllKeyNamesOfIdentity(const Name& identity, bool isDefault) = 0;
+
+ virtual std::vector<Name>
+ getAllCertificateNames(bool isDefault) = 0;
+
+ virtual std::vector<Name>
+ getAllCertificateNamesOfKey(const Name& keyName, bool isDefault) = 0;
+
+protected:
+
+ /*****************************************
+ * Default Setter *
+ *****************************************/
+
+ /**
+ * Set the default identity. If the identityName does not exist, then clear the default identity
+ * so that getDefaultIdentity() returns an empty name.
+ * @param identityName The default identity name.
+ */
+ virtual void
+ setDefaultIdentityInternal(const Name& identityName) = 0;
+
+ /**
+ * Set the default key name for the corresponding identity.
+ * @param keyName The key name.
+ */
+ virtual void
+ setDefaultKeyNameForIdentityInternal(const Name& keyName) = 0;
+
+ /**
+ * Set the default certificate name for the corresponding key.
+ * @param certificateName The certificate name.
+ */
+ virtual void
+ setDefaultCertificateNameForKeyInternal(const Name& certificateName) = 0;
+
+public:
+
+ /*****************************************
+ * Helper Methods *
+ *****************************************/
+
+ /**
+ * Set the default identity. If the identityName does not exist, then clear the default identity
+ * so that getDefaultIdentity() returns an empty name.
+ * @param identityName The default identity name.
+ */
+ inline void
+ setDefaultIdentity(const Name& identityName);
+
+ /**
+ * Set the default key name for the corresponding identity.
+ * @param keyName The key name.
+ */
+ inline void
+ setDefaultKeyNameForIdentity(const Name& keyName);
+
+ /**
+ * Set the default certificate name for the corresponding key.
+ * @param certificateName The certificate name.
+ */
+ inline void
+ setDefaultCertificateNameForKey(const Name& certificateName);
+
+ /**
+ * Generate a name for a new key belonging to the identity.
+ * @param identityName The identity name.
+ * @param useKsk If true, generate a KSK name, otherwise a DSK name.
+ * @return The generated key name.
+ */
+ inline Name
+ getNewKeyName(const Name& identityName, bool useKsk);
+
+ /**
+ * Get the default certificate name for the specified identity.
+ * @param identityName The identity name.
+ * @return The default certificate name.
+ */
+ inline Name
+ getDefaultCertificateNameForIdentity(const Name& identityName);
+
+ /**
+ * Get the default certificate name of the default identity, which will be used when signing is based on identity and
+ * the identity is not specified.
+ * @return The requested certificate name.
+ */
+ inline Name
+ getDefaultCertificateName();
+
+ /**
+ * Add a certificate and set the certificate as the default of its corresponding key.
+ * @param certificate The certificate to be added. This makes a copy of the certificate.
+ */
+ inline void
+ addCertificateAsKeyDefault(const IdentityCertificate& certificate);
+
+ /**
+ * Add a certificate into the public key identity storage and set the certificate as the default for its corresponding identity.
+ * @param certificate The certificate to be added. This makes a copy of the certificate.
+ */
+ inline void
+ addCertificateAsIdentityDefault(const IdentityCertificate& certificate);
+
+ inline void
+ addCertificateAsSystemDefault(const IdentityCertificate& certificate);
+
+ inline ptr_lib::shared_ptr<IdentityCertificate>
+ defaultCertificate();
+
+ inline void
+ refreshDefaultCertificate();
+
+protected:
+ ptr_lib::shared_ptr<IdentityCertificate> defaultCertificate_;
+
+};
+
+void
+SecPublicInfo::setDefaultIdentity(const Name& identityName)
+{
+ setDefaultIdentityInternal(identityName);
+ refreshDefaultCertificate();
+}
+
+void
+SecPublicInfo::setDefaultKeyNameForIdentity(const Name& keyName)
+{
+ setDefaultKeyNameForIdentityInternal(keyName);
+ refreshDefaultCertificate();
+}
+
+void
+SecPublicInfo::setDefaultCertificateNameForKey(const Name& certificateName)
+{
+ setDefaultCertificateNameForKeyInternal(certificateName);
+ refreshDefaultCertificate();
+}
+
+Name
+SecPublicInfo::getDefaultCertificateNameForIdentity(const Name& identityName)
+{
+ return getDefaultCertificateNameForKey(getDefaultKeyNameForIdentity(identityName));
+}
+
+Name
+SecPublicInfo::getNewKeyName (const Name& identityName, bool useKsk)
+{
+ std::ostringstream oss;
+
+ if (useKsk)
+ oss << "ksk-";
+ else
+ oss << "dsk-";
+
+ oss << static_cast<int>(getNow()/1000);
+
+ Name keyName = Name(identityName).append(oss.str());
+
+ if (doesPublicKeyExist(keyName))
+ throw Error("Key name already exists");
+
+ return keyName;
+}
+
+Name
+SecPublicInfo::getDefaultCertificateName()
+{
+ if(!static_cast<bool>(defaultCertificate_))
+ refreshDefaultCertificate();
+
+ if(!static_cast<bool>(defaultCertificate_))
+ return Name();
+
+ return defaultCertificate_->getName();
+}
+
+void
+SecPublicInfo::addCertificateAsKeyDefault(const IdentityCertificate& certificate)
+{
+ addCertificate(certificate);
+ setDefaultCertificateNameForKeyInternal(certificate.getName());
+ refreshDefaultCertificate();
+}
+
+void
+SecPublicInfo::addCertificateAsIdentityDefault(const IdentityCertificate& certificate)
+{
+ addCertificate(certificate);
+ Name certName = certificate.getName();
+ setDefaultKeyNameForIdentityInternal(IdentityCertificate::certificateNameToPublicKeyName(certName));
+ setDefaultCertificateNameForKeyInternal(certName);
+ refreshDefaultCertificate();
+}
+
+void
+SecPublicInfo::addCertificateAsSystemDefault(const IdentityCertificate& certificate)
+{
+ addCertificate(certificate);
+ Name certName = certificate.getName();
+ Name keyName = IdentityCertificate::certificateNameToPublicKeyName(certName);
+ setDefaultIdentityInternal(keyName.getPrefix(-1));
+ setDefaultKeyNameForIdentityInternal(keyName);
+ setDefaultCertificateNameForKeyInternal(certName);
+ refreshDefaultCertificate();
+}
+
+ptr_lib::shared_ptr<IdentityCertificate>
+SecPublicInfo::defaultCertificate()
+{
+ return defaultCertificate_;
+}
+
+void
+SecPublicInfo::refreshDefaultCertificate()
+{
+ Name certName = getDefaultCertificateNameForIdentity(getDefaultIdentity());
+ if(certName.empty())
+ defaultCertificate_.reset();
+ else
+ defaultCertificate_ = getCertificate(certName);
+}
+
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sec-tpm-memory.hpp b/include/ndn-cpp-dev/security/sec-tpm-memory.hpp
new file mode 100644
index 0000000..8203272
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sec-tpm-memory.hpp
@@ -0,0 +1,127 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_TPM_MEMORY_HPP
+#define NDN_SEC_TPM_MEMORY_HPP
+
+#include <map>
+#include "sec-tpm.hpp"
+
+struct rsa_st;
+
+namespace ndn {
+
+/**
+ * MemoryPrivateKeyStorage extends PrivateKeyStorage to implement a simple in-memory private key store. You should
+ * initialize by calling setKeyPairForKeyName.
+ */
+class SecTpmMemory : public SecTpm {
+public:
+ struct Error : public SecTpm::Error { Error(const std::string &what) : SecTpm::Error(what) {} };
+
+ /**
+ * The virtual destructor
+ */
+ virtual
+ ~SecTpmMemory();
+
+ /**
+ * Set the public and private key for the keyName.
+ * @param keyName The key name.
+ * @param publicKeyDer The public key DER byte array.
+ * @param publicKeyDerLength The length of publicKeyDer.
+ * @param privateKeyDer The private key DER byte array.
+ * @param privateKeyDerLength The length of privateKeyDer.
+ */
+ void setKeyPairForKeyName(const Name& keyName,
+ uint8_t *publicKeyDer, size_t publicKeyDerLength,
+ uint8_t *privateKeyDer, size_t privateKeyDerLength);
+
+ /**
+ * Generate a pair of asymmetric keys.
+ * @param keyName The name of the key pair.
+ * @param keyType The type of the key pair, e.g. KEY_TYPE_RSA.
+ * @param keySize The size of the key pair.
+ */
+ virtual void
+ generateKeyPairInTpm(const Name& keyName, KeyType keyType, int keySize);
+
+ /**
+ * Get the public key
+ * @param keyName The name of public key.
+ * @return The public key.
+ */
+ virtual ptr_lib::shared_ptr<PublicKey>
+ getPublicKeyFromTpm(const Name& keyName);
+
+ /**
+ * Fetch the private key for keyName and sign the data, returning a signature Blob.
+ * @param data Pointer to the input byte array.
+ * @param dataLength The length of data.
+ * @param keyName The name of the signing key.
+ * @param digestAlgorithm the digest algorithm.
+ * @return The signature, or a null pointer if signing fails.
+ */
+ virtual Block
+ signInTpm(const uint8_t *data, size_t dataLength, const Name& keyName, DigestAlgorithm digestAlgorithm);
+
+ virtual void
+ signInTpm(Data &data, const Name& keyName, DigestAlgorithm digestAlgorithm);
+
+ /**
+ * Decrypt data.
+ * @param keyName The name of the decrypting key.
+ * @param data The byte to be decrypted.
+ * @param dataLength the length of data.
+ * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
+ * @return The decrypted data.
+ */
+ virtual ConstBufferPtr
+ decryptInTpm(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric);
+
+ /**
+ * Encrypt data.
+ * @param keyName The name of the encrypting key.
+ * @param data The byte to be encrypted.
+ * @param dataLength the length of data.
+ * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
+ * @return The encrypted data.
+ */
+ virtual ConstBufferPtr
+ encryptInTpm(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric);
+
+ /**
+ * @brief Generate a symmetric key.
+ * @param keyName The name of the key.
+ * @param keyType The type of the key, e.g. KEY_TYPE_AES.
+ * @param keySize The size of the key.
+ */
+ virtual void
+ generateSymmetricKeyInTpm(const Name& keyName, KeyType keyType, int keySize);
+
+ /**
+ * Check if a particular key exists.
+ * @param keyName The name of the key.
+ * @param keyClass The class of the key, e.g. KEY_CLASS_PUBLIC, KEY_CLASS_PRIVATE, or KEY_CLASS_SYMMETRIC.
+ * @return True if the key exists, otherwise false.
+ */
+ virtual bool
+ doesKeyExistInTpm(const Name& keyName, KeyClass keyClass);
+
+private:
+ class RsaPrivateKey;
+
+ typedef std::map<std::string, ptr_lib::shared_ptr<PublicKey> > PublicKeyStore;
+ typedef std::map<std::string, ptr_lib::shared_ptr<RsaPrivateKey> > PrivateKeyStore;
+
+ PublicKeyStore publicKeyStore_; /**< The map key is the keyName.toUri() */
+ PrivateKeyStore privateKeyStore_; /**< The map key is the keyName.toUri() */
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sec-tpm-osx.hpp b/include/ndn-cpp-dev/security/sec-tpm-osx.hpp
new file mode 100644
index 0000000..4839e3d
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sec-tpm-osx.hpp
@@ -0,0 +1,127 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_TPM_OSX_HPP
+#define NDN_SEC_TPM_OSX_HPP
+
+// Only compile if ndn-cpp-config.h defines NDN_CPP_HAVE_OSX_SECURITY 1.
+#include <ndn-cpp-dev/ndn-cpp-config.h>
+#if NDN_CPP_HAVE_OSX_SECURITY
+
+#include "../common.hpp"
+#include "sec-tpm.hpp"
+
+namespace ndn
+{
+
+class SecTpmOsx : public SecTpm {
+public:
+ struct Error : public SecTpm::Error { Error(const std::string &what) : SecTpm::Error(what) {} };
+
+ /**
+ * constructor of OSXKeyChainTpm
+ * @param keychainName the name of keychain
+ */
+ SecTpmOsx(const std::string & keychainName = "");
+
+ /**
+ * destructor of OSXKeyChainTpm
+ */
+ virtual
+ ~SecTpmOsx();
+
+
+ // From TrustedPlatformModule
+ virtual void
+ generateKeyPairInTpm(const Name& keyName, KeyType keyType = KEY_TYPE_RSA, int keySize = 2048);
+
+ virtual ptr_lib::shared_ptr<PublicKey>
+ getPublicKeyFromTpm(const Name& keyName);
+
+ virtual Block
+ signInTpm(const uint8_t *data, size_t dataLength, const Name& keyName, DigestAlgorithm digestAlgorithm);
+
+ virtual void
+ signInTpm(Data &data, const Name& keyName, DigestAlgorithm digestAlgorithm);
+
+ /**
+ * Decrypt data.
+ * @param keyName The name of the decrypting key.
+ * @param data The byte to be decrypted.
+ * @param dataLength the length of data.
+ * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
+ * @return The decrypted data.
+ */
+ virtual ConstBufferPtr
+ decryptInTpm(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric);
+
+ /**
+ * Encrypt data.
+ * @param keyName The name of the encrypting key.
+ * @param data The byte to be encrypted.
+ * @param dataLength the length of data.
+ * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric decryption is used.
+ * @return The encrypted data.
+ */
+ virtual ConstBufferPtr
+ encryptInTpm(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric);
+
+ /**
+ * Generate a symmetric key.
+ * @param keyName The name of the key.
+ * @param keyType The type of the key, e.g. KEY_TYPE_AES.
+ * @param keySize The size of the key.
+ */
+ virtual void
+ generateSymmetricKeyInTpm(const Name& keyName, KeyType keyType, int keySize);
+
+ /**
+ * Check if a particular key exists.
+ * @param keyName The name of the key.
+ * @param keyClass The class of the key, e.g. KEY_CLASS_PUBLIC, KEY_CLASS_PRIVATE, or KEY_CLASS_SYMMETRIC.
+ * @return True if the key exists, otherwise false.
+ */
+ virtual bool
+ doesKeyExistInTpm(const Name& keyName, KeyClass keyClass);
+
+
+ ////////////////////////////////////////////////////////////////////////////////////
+ // OSX-specifics
+ ////////////////////////////////////////////////////////////////////////////////////
+
+ /**
+ * configure ACL of a particular key
+ * @param keyName the name of key
+ * @param keyClass the class of key, e.g. Private Key
+ * @param acl the new acl of the key
+ * @param appPath the absolute path to the application
+ * @returns true if setting succeeds
+ */
+ bool
+ setACL(const Name & keyName, KeyClass keyClass, int acl, const std::string & appPath);
+
+ // /**
+ // * verify data (test only)
+ // * @param keyName the name of key
+ // * @param pData the data to be verified
+ // * @param pSig the signature associated with the data
+ // * @param digestAlgo digest algorithm
+ // * @return true if signature can be verified, otherwise false
+ // */
+ // bool
+ // verifyData(const Name & keyName, const Blob & pData, const Blob & pSig, DigestAlgorithm digestAlgo = DIGEST_ALGORITHM_SHA256);
+
+ private:
+ class Impl;
+ std::auto_ptr<Impl> impl_;
+};
+
+}
+
+#endif // NDN_CPP_HAVE_OSX_SECURITY
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sec-tpm.hpp b/include/ndn-cpp-dev/security/sec-tpm.hpp
new file mode 100644
index 0000000..c6b5328
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sec-tpm.hpp
@@ -0,0 +1,104 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SEC_TPM_HPP
+#define NDN_SEC_TPM_HPP
+
+#include <string>
+#include "security-common.hpp"
+#include "../name.hpp"
+#include "../data.hpp"
+#include "public-key.hpp"
+
+namespace ndn {
+
+class SecTpm {
+public:
+ struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+ /**
+ * The virtual destructor.
+ */
+ virtual
+ ~SecTpm() {}
+
+ /**
+ * Generate a pair of asymmetric keys.
+ * @param keyName The name of the key pair.
+ * @param keyType The type of the key pair, e.g. KEY_TYPE_RSA.
+ * @param keySize The size of the key pair.
+ */
+ virtual void
+ generateKeyPairInTpm(const Name& keyName, KeyType keyType, int keySize) = 0;
+
+ /**
+ * Get the public key
+ * @param keyName The name of public key.
+ * @return The public key.
+ */
+ virtual ptr_lib::shared_ptr<PublicKey>
+ getPublicKeyFromTpm(const Name& keyName) = 0;
+
+ /**
+ * Fetch the private key for keyName and sign the data, returning a signature Blob.
+ * @param data Pointer to the input byte array.
+ * @param dataLength The length of data.
+ * @param keyName The name of the signing key.
+ * @param digestAlgorithm the digest algorithm.
+ * @return The signature, or a null pointer if signing fails.
+ */
+ virtual Block
+ signInTpm(const uint8_t *data, size_t dataLength, const Name& keyName, DigestAlgorithm digestAlgorithm) = 0;
+
+ virtual void
+ signInTpm(Data &data, const Name& keyName, DigestAlgorithm digestAlgorithm) = 0;
+
+ /**
+ * Decrypt data.
+ * @param keyName The name of the decrypting key.
+ * @param data The byte to be decrypted.
+ * @param dataLength the length of data.
+ * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric encryption is used.
+ * @return The decrypted data.
+ */
+ virtual ConstBufferPtr
+ decryptInTpm(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric) = 0;
+
+ /**
+ * Encrypt data.
+ * @param keyName The name of the encrypting key.
+ * @param data The byte to be encrypted.
+ * @param dataLength the length of data.
+ * @param isSymmetric If true symmetric encryption is used, otherwise asymmetric encryption is used.
+ * @return The encrypted data.
+ */
+ virtual ConstBufferPtr
+ encryptInTpm(const Name& keyName, const uint8_t* data, size_t dataLength, bool isSymmetric) = 0;
+
+ /**
+ * @brief Generate a symmetric key.
+ * @param keyName The name of the key.
+ * @param keyType The type of the key, e.g. KEY_TYPE_AES.
+ * @param keySize The size of the key.
+ */
+ virtual void
+ generateSymmetricKeyInTpm(const Name& keyName, KeyType keyType, int keySize) = 0;
+
+ /**
+ * Check if a particular key exists.
+ * @param keyName The name of the key.
+ * @param keyClass The class of the key, e.g. KEY_CLASS_PUBLIC, KEY_CLASS_PRIVATE, or KEY_CLASS_SYMMETRIC.
+ * @return True if the key exists, otherwise false.
+ */
+ virtual bool
+ doesKeyExistInTpm(const Name& keyName, KeyClass keyClass) = 0;
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/security-common.hpp b/include/ndn-cpp-dev/security/security-common.hpp
new file mode 100644
index 0000000..9ce4599
--- /dev/null
+++ b/include/ndn-cpp-dev/security/security-common.hpp
@@ -0,0 +1,43 @@
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SECURITY_COMMON_HPP
+#define NDN_SECURITY_COMMON_HPP
+
+namespace ndn {
+
+enum KeyType {
+ KEY_TYPE_RSA,
+ // KEY_TYPE_DSA,
+ KEY_TYPE_AES,
+ // KEY_TYPE_DES,
+ // KEY_TYPE_RC4,
+ // KEY_TYPE_RC2
+};
+
+enum KeyClass {
+ KEY_CLASS_PUBLIC,
+ KEY_CLASS_PRIVATE,
+ KEY_CLASS_SYMMETRIC
+};
+
+enum DigestAlgorithm {
+ // DIGEST_ALGORITHM_MD2,
+ // DIGEST_ALGORITHM_MD5,
+ // DIGEST_ALGORITHM_SHA1,
+ DIGEST_ALGORITHM_SHA256
+};
+
+enum EncryptMode {
+ ENCRYPT_MODE_DEFAULT,
+ ENCRYPT_MODE_CFB_AES,
+ // ENCRYPT_MODE_CBC_AES
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/security-exception.hpp b/include/ndn-cpp-dev/security/security-exception.hpp
new file mode 100644
index 0000000..daf1d61
--- /dev/null
+++ b/include/ndn-cpp-dev/security/security-exception.hpp
@@ -0,0 +1,49 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SECURITY_EXCEPTION_HPP
+#define NDN_SECURITY_EXCEPTION_HPP
+
+#include <exception>
+#include <string>
+
+namespace ndn {
+
+class SecurityException : public std::exception {
+public:
+ SecurityException(const std::string& errorMessage) throw();
+
+ virtual ~SecurityException() throw();
+
+ std::string Msg() { return errorMessage_; }
+
+ virtual const char* what() const throw() { return errorMessage_.c_str(); }
+
+private:
+ const std::string errorMessage_;
+};
+
+class UnrecognizedKeyFormatException : public SecurityException {
+public:
+ UnrecognizedKeyFormatException(const std::string& errorMessage)
+ : SecurityException(errorMessage)
+ {
+ }
+};
+
+class UnrecognizedDigestAlgorithmException : public SecurityException {
+public:
+ UnrecognizedDigestAlgorithmException(const std::string& errorMessage)
+ : SecurityException(errorMessage)
+ {
+ }
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/sha256-with-rsa-handler.hpp b/include/ndn-cpp-dev/security/sha256-with-rsa-handler.hpp
new file mode 100644
index 0000000..6627f02
--- /dev/null
+++ b/include/ndn-cpp-dev/security/sha256-with-rsa-handler.hpp
@@ -0,0 +1,38 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SHA256_RSA_HANDLER_HPP
+#define NDN_SHA256_RSA_HANDLER_HPP
+
+#include "../../data.hpp"
+#include "../certificate/public-key.hpp"
+
+namespace ndn{
+
+class Sha256WithRsaHandler {
+public:
+ Sha256WithRsaHandler() {}
+
+ virtual
+ ~Sha256WithRsaHandler() {}
+
+ /**
+ * Verify the signature on the data packet using the given public key. If there is no data.getDefaultWireEncoding(),
+ * this calls data.wireEncode() to set it.
+ * @param data The data packet with the signed portion and the signature to verify. The data packet must have a
+ * Sha256WithRsaSignature.
+ * @param publicKey The public key used to verify the signature.
+ * @return true if the signature verifies, false if not.
+ * @throw SecurityException if data does not have a Sha256WithRsaSignature.
+ */
+ static bool
+ verifySignature(const Data& data, const PublicKey& publicKey);
+
+};
+
+}
+#endif
diff --git a/include/ndn-cpp-dev/security/signature-sha256-with-rsa.hpp b/include/ndn-cpp-dev/security/signature-sha256-with-rsa.hpp
new file mode 100644
index 0000000..b59c765
--- /dev/null
+++ b/include/ndn-cpp-dev/security/signature-sha256-with-rsa.hpp
@@ -0,0 +1,64 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SIGNATURE_SHA256_WITH_RSA_HPP
+#define NDN_SIGNATURE_SHA256_WITH_RSA_HPP
+
+#include "../data.hpp"
+
+namespace ndn {
+
+/**
+ * Representing of SHA256-with-RSA signature in a data packet.
+ */
+class SignatureSha256WithRsa : public Signature {
+public:
+ SignatureSha256WithRsa()
+ {
+ info_ = Block(Tlv::SignatureInfo);
+
+ type_ = Signature::Sha256WithRsa;
+ info_.push_back(nonNegativeIntegerBlock(Tlv::SignatureType, Tlv::SignatureSha256WithRsa));
+ info_.push_back(keyLocator_.wireEncode());
+ }
+
+ SignatureSha256WithRsa(const Signature &signature)
+ : Signature(signature)
+ {
+ if (getType() != Signature::Sha256WithRsa)
+ throw Signature::Error("Incorrect signature type");
+
+ info_.parse();
+ Block::element_iterator i = info_.find(Tlv::KeyLocator);
+ if (i != info_.getAll().end())
+ {
+ keyLocator_.wireDecode(*i);
+ }
+ }
+
+ const KeyLocator&
+ getKeyLocator() const
+ {
+ return keyLocator_;
+ }
+
+ void
+ setKeyLocator(const KeyLocator& keyLocator)
+ {
+ keyLocator_ = keyLocator;
+
+ info_.remove(ndn::Tlv::KeyLocator);
+ info_.push_back(keyLocator_.wireEncode());
+ }
+
+private:
+ KeyLocator keyLocator_;
+};
+
+} // namespace ndn
+
+#endif
diff --git a/include/ndn-cpp-dev/security/validation-request.hpp b/include/ndn-cpp-dev/security/validation-request.hpp
new file mode 100644
index 0000000..7471065
--- /dev/null
+++ b/include/ndn-cpp-dev/security/validation-request.hpp
@@ -0,0 +1,48 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_VALIDATION_REQUEST_HPP
+#define NDN_VALIDATION_REQUEST_HPP
+
+#include "../interest.hpp"
+
+namespace ndn {
+
+/**
+ * An OnVerified function object is used to pass a callback to verifyData to report a successful verification.
+ */
+typedef func_lib::function<void(const ptr_lib::shared_ptr<Data>& data)> OnVerified;
+
+/**
+ * An OnVerifyFailed function object is used to pass a callback to verifyData to report a failed verification.
+ */
+typedef func_lib::function<void(const ptr_lib::shared_ptr<Data>& data)> OnVerifyFailed;
+
+
+class ValidationRequest {
+public:
+ ValidationRequest
+ (const ptr_lib::shared_ptr<Interest> &interest, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed,
+ int retry, int stepCount)
+ : interest_(interest), onVerified_(onVerified), onVerifyFailed_(onVerifyFailed), retry_(retry), stepCount_(stepCount)
+ {
+ }
+
+ virtual
+ ~ValidationRequest() {}
+
+ ptr_lib::shared_ptr<Interest> interest_; // An interest packet to fetch the requested data.
+ OnVerified onVerified_; // A callback function if the requested certificate has been validated.
+ OnVerifyFailed onVerifyFailed_; // A callback function if the requested certificate cannot be validated.
+ int retry_; // The number of retrials when there is an interest timeout.
+ int stepCount_;
+};
+
+}
+
+#endif
diff --git a/include/ndn-cpp-dev/security/verifier.hpp b/include/ndn-cpp-dev/security/verifier.hpp
new file mode 100644
index 0000000..2dbd995
--- /dev/null
+++ b/include/ndn-cpp-dev/security/verifier.hpp
@@ -0,0 +1,102 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_VERIFIER_HPP
+#define NDN_VERIFIER_HPP
+
+#include "../data.hpp"
+#include "../face.hpp"
+#include "sec-policy.hpp"
+#include "validation-request.hpp"
+#include "public-key.hpp"
+#include "signature-sha256-with-rsa.hpp"
+
+namespace ndn {
+
+/**
+ * Verifier is one of the main classes of the security librar .
+ *
+ * The Verifier class provides the interfaces for packet verification.
+ */
+class Verifier {
+public:
+ struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+ Verifier(const ptr_lib::shared_ptr<SecPolicy> &policy = DefaultPolicy);
+
+ /**
+ * @brief Set the Face which will be used to fetch required certificates.
+ * @param face A pointer to the Face object.
+ *
+ * Setting face is necessary for verifier operation that involve fetching data.
+ */
+ void
+ setFace(const ptr_lib::shared_ptr<Face> &face) { face_ = face; }
+
+ /**
+ * @brief Get the policy.
+ * @return The Policy.
+ */
+ inline SecPolicy&
+ policy()
+ {
+ if (!policy_)
+ throw Error("policy is not assigned to the KeyChain");
+
+ return *policy_;
+ }
+
+
+ /**
+ * Check the signature on the Data object and call either onVerify or onVerifyFailed.
+ * We use callback functions because verify may fetch information to check the signature.
+ * @param data The Data object with the signature to check. It is an error if data does not have a wireEncoding.
+ * To set the wireEncoding, you can call data.wireDecode.
+ * @param onVerified If the signature is verified, this calls onVerified(data).
+ * @param onVerifyFailed If the signature check fails, this calls onVerifyFailed(data).
+ */
+ void
+ verifyData
+ (const ptr_lib::shared_ptr<Data>& data, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed, int stepCount = 0);
+
+ /*****************************************
+ * verifySignature method set *
+ *****************************************/
+ static bool
+ verifySignature(const Data &data, const Signature &sig, const PublicKey &publicKey);
+
+ static bool
+ verifySignature(const Buffer &data, const Signature &sig, const PublicKey &publicKey);
+
+ static bool
+ verifySignature(const Data& data, const SignatureSha256WithRsa& sig, const PublicKey& publicKey);
+
+ static bool
+ verifySignature(const Buffer &data, const SignatureSha256WithRsa &sig, const PublicKey &publicKey);
+
+public:
+ static const ptr_lib::shared_ptr<SecPolicy> DefaultPolicy;
+
+private:
+ void
+ onCertificateData
+ (const ptr_lib::shared_ptr<const Interest> &interest, const ptr_lib::shared_ptr<Data> &data, ptr_lib::shared_ptr<ValidationRequest> nextStep);
+
+ void
+ onCertificateInterestTimeout
+ (const ptr_lib::shared_ptr<const Interest> &interest, int retry, const OnVerifyFailed& onVerifyFailed,
+ const ptr_lib::shared_ptr<Data> &data, ptr_lib::shared_ptr<ValidationRequest> nextStep);
+
+private:
+ ptr_lib::shared_ptr<SecPolicy> policy_;
+ ptr_lib::shared_ptr<Face> face_;
+};
+
+}
+
+#endif