security: Add NDN Certificate 2.0
Change-Id: I7d779554f53a613e67f283ca44718e57f2f1c771
Refs: #3103
diff --git a/src/security/v2/certificate.cpp b/src/security/v2/certificate.cpp
new file mode 100644
index 0000000..75ee53c
--- /dev/null
+++ b/src/security/v2/certificate.cpp
@@ -0,0 +1,137 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2016 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ *
+ * @author Zhiyi Zhang <dreamerbarrychang@gmail.com>
+ * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
+ */
+
+#include "certificate.hpp"
+#include "../../encoding/block-helpers.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+BOOST_CONCEPT_ASSERT((WireEncodable<Certificate>));
+BOOST_CONCEPT_ASSERT((WireDecodable<Certificate>));
+
+// /<NameSpace>/KEY/[KeyId]/[IssuerId]/[Version]
+
+const ssize_t Certificate::VERSION_OFFSET = -1;
+const ssize_t Certificate::ISSUER_ID_OFFSET = -2;
+const ssize_t Certificate::KEY_ID_OFFSET = -3;
+const ssize_t Certificate::KEY_COMPONENT_OFFSET = -4;
+const size_t Certificate::MIN_CERT_NAME_LENGTH = 4;
+const size_t Certificate::MIN_KEY_NAME_LENGTH = 2;
+const name::Component Certificate::KEY_COMPONENT("KEY");
+
+Certificate::Certificate()
+{
+ setContentType(tlv::ContentTypeValue::ContentType_Key);
+}
+
+Certificate::Certificate(Data&& data)
+ : Data(data)
+{
+ if (!isValidName(getName())) {
+ BOOST_THROW_EXCEPTION(Data::Error("Name does not follow the naming convention for certificate"));
+ }
+ if (getContentType() != tlv::ContentTypeValue::ContentType_Key) {
+ BOOST_THROW_EXCEPTION(Data::Error("ContentType is not KEY"));
+ }
+ if (getFreshnessPeriod() < time::seconds::zero()) {
+ BOOST_THROW_EXCEPTION(Data::Error("FreshnessPeriod is not set"));
+ }
+ if (getContent().value_size() == 0) {
+ BOOST_THROW_EXCEPTION(Data::Error("Content is empty"));
+ }
+}
+
+Certificate::Certificate(const Data& data)
+ : Certificate(Data(data))
+{
+}
+
+Certificate::Certificate(const Block& block)
+ : Certificate(Data(block))
+{
+}
+
+Name
+Certificate::getKeyName() const
+{
+ return getName().getPrefix(KEY_ID_OFFSET + 1);
+}
+
+Name
+Certificate::getIdentity() const
+{
+ return getName().getPrefix(KEY_COMPONENT_OFFSET);
+}
+
+name::Component
+Certificate::getKeyId() const
+{
+ return getName().at(KEY_ID_OFFSET);
+}
+
+name::Component
+Certificate::getIssuerId() const
+{
+ return getName().at(ISSUER_ID_OFFSET);
+}
+
+const Buffer
+Certificate::getPublicKey() const
+{
+ if (getContent().value_size() == 0)
+ BOOST_THROW_EXCEPTION(Data::Error("Content is empty"));
+ return Buffer(getContent().value(), getContent().value_size());
+}
+
+ValidityPeriod
+Certificate::getValidityPeriod() const
+{
+ return getSignature().getSignatureInfo().getValidityPeriod();
+}
+
+bool
+Certificate::isValid(const time::system_clock::TimePoint& ts) const
+{
+ return getSignature().getSignatureInfo().getValidityPeriod().isValid(ts);
+}
+
+const Block&
+Certificate::getExtension(uint32_t type) const
+{
+ return getSignature().getSignatureInfo().getTypeSpecificTlv(type);
+}
+
+bool
+Certificate::isValidName(const Name& certName)
+{
+ // /<NameSpace>/KEY/[KeyId]/[IssuerId]/[Version]
+ return (certName.size() >= Certificate::MIN_CERT_NAME_LENGTH &&
+ certName.get(Certificate::KEY_COMPONENT_OFFSET) == Certificate::KEY_COMPONENT);
+}
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
diff --git a/src/security/v2/certificate.hpp b/src/security/v2/certificate.hpp
new file mode 100644
index 0000000..19d377c
--- /dev/null
+++ b/src/security/v2/certificate.hpp
@@ -0,0 +1,179 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2016 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ *
+ * @author Zhiyi Zhang <dreamerbarrychang@gmail.com>
+ * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
+ */
+
+#ifndef NDN_SECURITY_V2_CERTIFICATE_HPP
+#define NDN_SECURITY_V2_CERTIFICATE_HPP
+
+#include "../../data.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+/**
+ * @brief The certificate following the certificate format naming convention
+ *
+ * Overview of NDN certificate format:
+ *
+ * CertificateV2 ::= DATA-TLV TLV-LENGTH
+ * Name (= /<NameSpace>/KEY/[KeyId]/[IssuerId]/[Version])
+ * MetaInfo (.ContentType = KEY)
+ * Content (= X509PublicKeyContent)
+ * SignatureInfo (= CertificateV2SignatureInfo)
+ * SignatureValue
+ *
+ * X509PublicKeyContent ::= CONTENT-TLV TLV-LENGTH
+ * BYTE+ (= public key bits in PKCS#8 format)
+ *
+ * CertificateV2SignatureInfo ::= SIGNATURE-INFO-TYPE TLV-LENGTH
+ * SignatureType
+ * KeyLocator
+ * ValidityPeriod
+ * ... optional critical or non-critical extension blocks ...
+ *
+ * An example of NDN certificate name:
+ *
+ * /edu/ucla/cs/yingdi/KEY/%03%CD...%F1/%9F%D3...%B7/%FD%d2...%8E
+ * \_________________/ \___________/ \___________/\___________/
+ * Certificate Namespace Key Id Issuer Id Version
+ * (Identity)
+ * \__________________________________/
+ * Key Name
+ *
+ * Notes:
+ *
+ * - `Key Id` is opaque name component to identify an instance of the public key for the
+ * certificate namespace. The value of `Key ID` is controlled by the namespace owner. The
+ * library includes helpers for generation of key IDs using 8-byte random number, SHA-256
+ * digest of the public key, timestamp, and the specified numerical identifiers.
+ *
+ * - `Issuer Id` is opaque name component to identify issuer of the certificate. The value is
+ * controlled by the issuer. The library includes helpers to set issuer ID to a 8-byte
+ * random number, SHA-256 digest of the issuer's public key, and the specified numerical
+ * identifiers.
+ *
+ * - `Key Name` is a logical name of the key used for management pursposes. Key Name includes
+ * the certificate namespace, keyword `KEY`, and `KeyId` components.
+ *
+ * @see doc/specs/certificate-format.rst
+ */
+class Certificate : public Data
+{
+public:
+ Certificate();
+
+ /**
+ * @brief Construct certificate from a data object
+ * @throw tlv::Error if data does not follow certificate format
+ */
+ explicit
+ Certificate(Data&& data);
+
+ /**
+ * @brief Construct certificate from a data object
+ * @throw tlv::Error if data does not follow certificate format
+ */
+ explicit
+ Certificate(const Data& data);
+
+ /**
+ * @brief Construct certificate from a wire encoding
+ * @throw tlv::Error if wire encoding is invalid or does not follow certificate format
+ */
+ explicit
+ Certificate(const Block& block);
+
+ /**
+ * @brief Get key name
+ */
+ Name
+ getKeyName() const;
+
+ /**
+ * @brief Get identity name
+ */
+ Name
+ getIdentity() const;
+
+ /**
+ * @brief Get key ID
+ */
+ name::Component
+ getKeyId() const;
+
+ /**
+ * @brief Get issuer ID
+ */
+ name::Component
+ getIssuerId() const;
+
+ /**
+ * @brief Get public key bits (in PKCS#8 format)
+ * @throw Error If content is empty
+ */
+ const Buffer
+ getPublicKey() const;
+
+ /**
+ * @brief Get validity period of the certificate
+ */
+ ValidityPeriod
+ getValidityPeriod() const;
+
+ /**
+ * @brief Check if the certificate is valid at @p ts.
+ */
+ bool
+ isValid(const time::system_clock::TimePoint& ts = time::system_clock::now()) const;
+
+ /**
+ * @brief Get extension with TLV @p type
+ * @throw ndn::SignatureInfo::Error if the specified block type does not exist
+ */
+ const Block&
+ getExtension(uint32_t type) const;
+
+ // @TODO Implement extension enumeration (Issue #3907)
+public:
+ /**
+ * @brief Check if the specified name follows the naming convention for the certificate
+ */
+ static bool
+ isValidName(const Name& certName);
+
+public:
+ static const ssize_t VERSION_OFFSET;
+ static const ssize_t ISSUER_ID_OFFSET;
+ static const ssize_t KEY_COMPONENT_OFFSET;
+ static const ssize_t KEY_ID_OFFSET;
+ static const size_t MIN_CERT_NAME_LENGTH;
+ static const size_t MIN_KEY_NAME_LENGTH;
+ static const name::Component KEY_COMPONENT;
+};
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_CERTIFICATE_HPP