security: Add new v2::KeyChain
Change-Id: I5fdf51ecd96b50db2a7cbf730c6e8b1d9fbe09e9
Refs: #2926
diff --git a/src/security/key-chain.cpp b/src/security/key-chain.cpp
index 827f9df..1896c7a 100644
--- a/src/security/key-chain.cpp
+++ b/src/security/key-chain.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -40,7 +40,6 @@
// Use a GUID as a magic number of KeyChain::DEFAULT_PREFIX identifier
const Name KeyChain::DEFAULT_PREFIX("/723821fd-f534-44b3-80d9-44bf5f58bbbb");
-const Name KeyChain::DIGEST_SHA256_IDENTITY("/localhost/identity/digest-sha256");
// Note: cannot use default constructor, as it depends on static variables which may or may not be
// initialized at this point
@@ -500,7 +499,7 @@
}
case SigningInfo::SIGNER_TYPE_SHA256: {
sigInfo.setSignatureType(tlv::DigestSha256);
- return std::make_tuple(DIGEST_SHA256_IDENTITY, sigInfo);
+ return std::make_tuple(SigningInfo::getDigestSha256Identity(), sigInfo);
}
default:
BOOST_THROW_EXCEPTION(Error("Unrecognized signer type"));
@@ -758,7 +757,7 @@
KeyChain::pureSign(const uint8_t* buf, size_t size,
const Name& keyName, DigestAlgorithm digestAlgorithm) const
{
- if (keyName == DIGEST_SHA256_IDENTITY)
+ if (keyName == SigningInfo::getDigestSha256Identity())
return Block(tlv::SignatureValue, crypto::computeSha256Digest(buf, size));
return m_tpm->signInTpm(buf, size, keyName, digestAlgorithm);
diff --git a/src/security/key-chain.hpp b/src/security/key-chain.hpp
index 796aa33..4f43139 100644
--- a/src/security/key-chain.hpp
+++ b/src/security/key-chain.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -871,12 +871,6 @@
static const Name DEFAULT_PREFIX;
static const SigningInfo DEFAULT_SIGNING_INFO;
- /**
- * @brief A localhost identity which indicates that signature is generated using SHA-256.
- * @todo Passing this as identity is not implemented.
- */
- static const Name DIGEST_SHA256_IDENTITY;
-
// RsaKeyParams is set to be default for backward compatibility.
static const RsaKeyParams DEFAULT_KEY_PARAMS;
diff --git a/src/security/pib/identity-container.hpp b/src/security/pib/identity-container.hpp
index 94cd370..9e45cf9 100644
--- a/src/security/pib/identity-container.hpp
+++ b/src/security/pib/identity-container.hpp
@@ -153,6 +153,7 @@
mutable std::unordered_map<Name, shared_ptr<detail::IdentityImpl>> m_identities;
shared_ptr<PibImpl> m_pibImpl;
+
friend class Pib;
};
diff --git a/src/security/pib/identity.cpp b/src/security/pib/identity.cpp
index 4797cb6..79cb090 100644
--- a/src/security/pib/identity.cpp
+++ b/src/security/pib/identity.cpp
@@ -40,13 +40,13 @@
}
Key
-Identity::addKey(const uint8_t* key, size_t keyLen, const Name& keyName)
+Identity::addKey(const uint8_t* key, size_t keyLen, const Name& keyName) const
{
return lock()->addKey(key, keyLen, keyName);
}
void
-Identity::removeKey(const Name& keyName)
+Identity::removeKey(const Name& keyName) const
{
return lock()->removeKey(keyName);
}
@@ -64,13 +64,13 @@
}
const Key&
-Identity::setDefaultKey(const Name& keyName)
+Identity::setDefaultKey(const Name& keyName) const
{
return lock()->setDefaultKey(keyName);
}
const Key&
-Identity::setDefaultKey(const uint8_t* key, size_t keyLen, const Name& keyName)
+Identity::setDefaultKey(const uint8_t* key, size_t keyLen, const Name& keyName) const
{
return lock()->setDefaultKey(key, keyLen, keyName);
}
diff --git a/src/security/pib/identity.hpp b/src/security/pib/identity.hpp
index 3d0117d..2bb1706 100644
--- a/src/security/pib/identity.hpp
+++ b/src/security/pib/identity.hpp
@@ -116,14 +116,14 @@
* @throw Pib::Error a key with the same name already exists
*/
Key
- addKey(const uint8_t* key, size_t keyLen, const Name& keyName);
+ addKey(const uint8_t* key, size_t keyLen, const Name& keyName) const;
/**
* @brief Remove a key with @p keyName
* @throw std::invalid_argument @p keyName does not match identity
*/
void
- removeKey(const Name& keyName);
+ removeKey(const Name& keyName) const;
/**
* @brief Set an existing key with @p keyName as the default key.
@@ -132,7 +132,7 @@
* @return The default key
*/
const Key&
- setDefaultKey(const Name& keyName);
+ setDefaultKey(const Name& keyName) const;
/**
* @brief Add a @p key of @p keyLen bytes with @p keyName and set it as the default key
@@ -141,7 +141,7 @@
* @return the default key
*/
const Key&
- setDefaultKey(const uint8_t* key, size_t keyLen, const Name& keyName);
+ setDefaultKey(const uint8_t* key, size_t keyLen, const Name& keyName) const;
private:
/**
@@ -154,6 +154,8 @@
private:
weak_ptr<detail::IdentityImpl> m_impl;
+
+ friend class v2::KeyChain;
};
} // namespace pib
diff --git a/src/security/pib/key.cpp b/src/security/pib/key.cpp
index b4e6daf..0d45140 100644
--- a/src/security/pib/key.cpp
+++ b/src/security/pib/key.cpp
@@ -59,13 +59,13 @@
}
void
-Key::addCertificate(const v2::Certificate& certificate)
+Key::addCertificate(const v2::Certificate& certificate) const
{
return lock()->addCertificate(certificate);
}
void
-Key::removeCertificate(const Name& certName)
+Key::removeCertificate(const Name& certName) const
{
return lock()->removeCertificate(certName);
}
@@ -83,13 +83,13 @@
}
const v2::Certificate&
-Key::setDefaultCertificate(const Name& certName)
+Key::setDefaultCertificate(const Name& certName) const
{
return lock()->setDefaultCertificate(certName);
}
const v2::Certificate&
-Key::setDefaultCertificate(const v2::Certificate& certificate)
+Key::setDefaultCertificate(const v2::Certificate& certificate) const
{
return lock()->setDefaultCertificate(certificate);
}
diff --git a/src/security/pib/key.hpp b/src/security/pib/key.hpp
index 69ceec8..4acc54a 100644
--- a/src/security/pib/key.hpp
+++ b/src/security/pib/key.hpp
@@ -28,7 +28,9 @@
namespace ndn {
namespace security {
+namespace v2 {
class KeyChain;
+} // namespace v2
namespace pib {
@@ -138,14 +140,14 @@
* @throw Pib::Error a certificate with the same name already exists
*/
void
- addCertificate(const v2::Certificate& certificate);
+ addCertificate(const v2::Certificate& certificate) const;
/**
* @brief Remove a certificate with @p certName
* @throw std::invalid_argument @p certName does not match key name
*/
void
- removeCertificate(const Name& certName);
+ removeCertificate(const Name& certName) const;
/**
* @brief Set an existing certificate with @p certName as the default certificate
@@ -154,7 +156,7 @@
* @return the default certificate
*/
const v2::Certificate&
- setDefaultCertificate(const Name& certName);
+ setDefaultCertificate(const Name& certName) const;
/**
* @brief Add @p certificate and set it as the default certificate of the key
@@ -163,7 +165,7 @@
* @return the default certificate
*/
const v2::Certificate&
- setDefaultCertificate(const v2::Certificate& certificate);
+ setDefaultCertificate(const v2::Certificate& certificate) const;
private:
/**
@@ -176,6 +178,8 @@
private:
weak_ptr<detail::KeyImpl> m_impl;
+
+ friend class v2::KeyChain;
};
} // namespace pib
diff --git a/src/security/pib/pib-memory.cpp b/src/security/pib/pib-memory.cpp
index aa93ba7..2d6aa7d 100644
--- a/src/security/pib/pib-memory.cpp
+++ b/src/security/pib/pib-memory.cpp
@@ -27,11 +27,18 @@
namespace security {
namespace pib {
-PibMemory::PibMemory()
+PibMemory::PibMemory(const std::string&)
: m_hasDefaultIdentity(false)
{
}
+const std::string&
+PibMemory::getScheme()
+{
+ static std::string scheme = "pib-memory";
+ return scheme;
+}
+
void
PibMemory::setTpmLocator(const std::string& tpmLocator)
{
diff --git a/src/security/pib/pib-memory.hpp b/src/security/pib/pib-memory.hpp
index 192f000..1252909 100644
--- a/src/security/pib/pib-memory.hpp
+++ b/src/security/pib/pib-memory.hpp
@@ -48,7 +48,15 @@
};
public:
- PibMemory();
+ /**
+ * @brief Create memory based PIB backend
+ * @param location Not used (required by the PIB-registration interface)
+ */
+ explicit
+ PibMemory(const std::string& location = "");
+
+ static const std::string&
+ getScheme();
public: // TpmLocator management
void
diff --git a/src/security/pib/pib-sqlite3.cpp b/src/security/pib/pib-sqlite3.cpp
index b19f32c..238a0f8 100644
--- a/src/security/pib/pib-sqlite3.cpp
+++ b/src/security/pib/pib-sqlite3.cpp
@@ -32,171 +32,171 @@
namespace security {
namespace pib {
-using std::string;
using util::Sqlite3Statement;
-static const string INITIALIZATION =
- "CREATE TABLE IF NOT EXISTS \n"
- " tpmInfo( \n"
- " tpm_locator BLOB \n"
- " ); \n"
- " \n"
- "CREATE TABLE IF NOT EXISTS \n"
- " identities( \n"
- " id INTEGER PRIMARY KEY,\n"
- " identity BLOB NOT NULL, \n"
- " is_default INTEGER DEFAULT 0 \n"
- " ); \n"
- " \n"
- "CREATE UNIQUE INDEX IF NOT EXISTS \n"
- " identityIndex ON identities(identity); \n"
- " \n"
- "CREATE TRIGGER IF NOT EXISTS \n"
- " identity_default_before_insert_trigger \n"
- " BEFORE INSERT ON identities \n"
- " FOR EACH ROW \n"
- " WHEN NEW.is_default=1 \n"
- " BEGIN \n"
- " UPDATE identities SET is_default=0; \n"
- " END; \n"
- " \n"
- "CREATE TRIGGER IF NOT EXISTS \n"
- " identity_default_after_insert_trigger \n"
- " AFTER INSERT ON identities \n"
- " FOR EACH ROW \n"
- " WHEN NOT EXISTS \n"
- " (SELECT id \n"
- " FROM identities \n"
- " WHERE is_default=1) \n"
- " BEGIN \n"
- " UPDATE identities \n"
- " SET is_default=1 \n"
- " WHERE identity=NEW.identity; \n"
- " END; \n"
- " \n"
- "CREATE TRIGGER IF NOT EXISTS \n"
- " identity_default_update_trigger \n"
- " BEFORE UPDATE ON identities \n"
- " FOR EACH ROW \n"
- " WHEN NEW.is_default=1 AND OLD.is_default=0 \n"
- " BEGIN \n"
- " UPDATE identities SET is_default=0; \n"
- " END; \n"
- " \n"
- " \n"
- "CREATE TABLE IF NOT EXISTS \n"
- " keys( \n"
- " id INTEGER PRIMARY KEY,\n"
- " identity_id INTEGER NOT NULL, \n"
- " key_name BLOB NOT NULL, \n"
- " key_bits BLOB NOT NULL, \n"
- " is_default INTEGER DEFAULT 0, \n"
- " FOREIGN KEY(identity_id) \n"
- " REFERENCES identities(id) \n"
- " ON DELETE CASCADE \n"
- " ON UPDATE CASCADE \n"
- " ); \n"
- " \n"
- "CREATE UNIQUE INDEX IF NOT EXISTS \n"
- " keyIndex ON keys(key_name); \n"
- " \n"
- "CREATE TRIGGER IF NOT EXISTS \n"
- " key_default_before_insert_trigger \n"
- " BEFORE INSERT ON keys \n"
- " FOR EACH ROW \n"
- " WHEN NEW.is_default=1 \n"
- " BEGIN \n"
- " UPDATE keys \n"
- " SET is_default=0 \n"
- " WHERE identity_id=NEW.identity_id; \n"
- " END; \n"
- " \n"
- "CREATE TRIGGER IF NOT EXISTS \n"
- " key_default_after_insert_trigger \n"
- " AFTER INSERT ON keys \n"
- " FOR EACH ROW \n"
- " WHEN NOT EXISTS \n"
- " (SELECT id \n"
- " FROM keys \n"
- " WHERE is_default=1 \n"
- " AND identity_id=NEW.identity_id) \n"
- " BEGIN \n"
- " UPDATE keys \n"
- " SET is_default=1 \n"
- " WHERE key_name=NEW.key_name; \n"
- " END; \n"
- " \n"
- "CREATE TRIGGER IF NOT EXISTS \n"
- " key_default_update_trigger \n"
- " BEFORE UPDATE ON keys \n"
- " FOR EACH ROW \n"
- " WHEN NEW.is_default=1 AND OLD.is_default=0 \n"
- " BEGIN \n"
- " UPDATE keys \n"
- " SET is_default=0 \n"
- " WHERE identity_id=NEW.identity_id; \n"
- " END; \n"
- " \n"
- " \n"
- "CREATE TABLE IF NOT EXISTS \n"
- " certificates( \n"
- " id INTEGER PRIMARY KEY,\n"
- " key_id INTEGER NOT NULL, \n"
- " certificate_name BLOB NOT NULL, \n"
- " certificate_data BLOB NOT NULL, \n"
- " is_default INTEGER DEFAULT 0, \n"
- " FOREIGN KEY(key_id) \n"
- " REFERENCES keys(id) \n"
- " ON DELETE CASCADE \n"
- " ON UPDATE CASCADE \n"
- " ); \n"
- " \n"
- "CREATE UNIQUE INDEX IF NOT EXISTS \n"
- " certIndex ON certificates(certificate_name);\n"
- " \n"
- "CREATE TRIGGER IF NOT EXISTS \n"
- " cert_default_before_insert_trigger \n"
- " BEFORE INSERT ON certificates \n"
- " FOR EACH ROW \n"
- " WHEN NEW.is_default=1 \n"
- " BEGIN \n"
- " UPDATE certificates \n"
- " SET is_default=0 \n"
- " WHERE key_id=NEW.key_id; \n"
- " END; \n"
- " \n"
- "CREATE TRIGGER IF NOT EXISTS \n"
- " cert_default_after_insert_trigger \n"
- " AFTER INSERT ON certificates \n"
- " FOR EACH ROW \n"
- " WHEN NOT EXISTS \n"
- " (SELECT id \n"
- " FROM certificates \n"
- " WHERE is_default=1 \n"
- " AND key_id=NEW.key_id) \n"
- " BEGIN \n"
- " UPDATE certificates \n"
- " SET is_default=1 \n"
- " WHERE certificate_name=NEW.certificate_name;\n"
- " END; \n"
- " \n"
- "CREATE TRIGGER IF NOT EXISTS \n"
- " cert_default_update_trigger \n"
- " BEFORE UPDATE ON certificates \n"
- " FOR EACH ROW \n"
- " WHEN NEW.is_default=1 AND OLD.is_default=0 \n"
- " BEGIN \n"
- " UPDATE certificates \n"
- " SET is_default=0 \n"
- " WHERE key_id=NEW.key_id; \n"
- " END; \n";
+static const std::string INITIALIZATION = R"SQL(
+CREATE TABLE IF NOT EXISTS
+ tpmInfo(
+ tpm_locator BLOB
+ );
-PibSqlite3::PibSqlite3(const string& dir)
+CREATE TABLE IF NOT EXISTS
+ identities(
+ id INTEGER PRIMARY KEY,
+ identity BLOB NOT NULL,
+ is_default INTEGER DEFAULT 0
+ );
+
+CREATE UNIQUE INDEX IF NOT EXISTS
+ identityIndex ON identities(identity);
+
+CREATE TRIGGER IF NOT EXISTS
+ identity_default_before_insert_trigger
+ BEFORE INSERT ON identities
+ FOR EACH ROW
+ WHEN NEW.is_default=1
+ BEGIN
+ UPDATE identities SET is_default=0;
+ END;
+
+CREATE TRIGGER IF NOT EXISTS
+ identity_default_after_insert_trigger
+ AFTER INSERT ON identities
+ FOR EACH ROW
+ WHEN NOT EXISTS
+ (SELECT id
+ FROM identities
+ WHERE is_default=1)
+ BEGIN
+ UPDATE identities
+ SET is_default=1
+ WHERE identity=NEW.identity;
+ END;
+
+CREATE TRIGGER IF NOT EXISTS
+ identity_default_update_trigger
+ BEFORE UPDATE ON identities
+ FOR EACH ROW
+ WHEN NEW.is_default=1 AND OLD.is_default=0
+ BEGIN
+ UPDATE identities SET is_default=0;
+ END;
+
+
+CREATE TABLE IF NOT EXISTS
+ keys(
+ id INTEGER PRIMARY KEY,
+ identity_id INTEGER NOT NULL,
+ key_name BLOB NOT NULL,
+ key_bits BLOB NOT NULL,
+ is_default INTEGER DEFAULT 0,
+ FOREIGN KEY(identity_id)
+ REFERENCES identities(id)
+ ON DELETE CASCADE
+ ON UPDATE CASCADE
+ );
+
+CREATE UNIQUE INDEX IF NOT EXISTS
+ keyIndex ON keys(key_name);
+
+CREATE TRIGGER IF NOT EXISTS
+ key_default_before_insert_trigger
+ BEFORE INSERT ON keys
+ FOR EACH ROW
+ WHEN NEW.is_default=1
+ BEGIN
+ UPDATE keys
+ SET is_default=0
+ WHERE identity_id=NEW.identity_id;
+ END;
+
+CREATE TRIGGER IF NOT EXISTS
+ key_default_after_insert_trigger
+ AFTER INSERT ON keys
+ FOR EACH ROW
+ WHEN NOT EXISTS
+ (SELECT id
+ FROM keys
+ WHERE is_default=1
+ AND identity_id=NEW.identity_id)
+ BEGIN
+ UPDATE keys
+ SET is_default=1
+ WHERE key_name=NEW.key_name;
+ END;
+
+CREATE TRIGGER IF NOT EXISTS
+ key_default_update_trigger
+ BEFORE UPDATE ON keys
+ FOR EACH ROW
+ WHEN NEW.is_default=1 AND OLD.is_default=0
+ BEGIN
+ UPDATE keys
+ SET is_default=0
+ WHERE identity_id=NEW.identity_id;
+ END;
+
+
+CREATE TABLE IF NOT EXISTS
+ certificates(
+ id INTEGER PRIMARY KEY,
+ key_id INTEGER NOT NULL,
+ certificate_name BLOB NOT NULL,
+ certificate_data BLOB NOT NULL,
+ is_default INTEGER DEFAULT 0,
+ FOREIGN KEY(key_id)
+ REFERENCES keys(id)
+ ON DELETE CASCADE
+ ON UPDATE CASCADE
+ );
+
+CREATE UNIQUE INDEX IF NOT EXISTS
+ certIndex ON certificates(certificate_name);
+
+CREATE TRIGGER IF NOT EXISTS
+ cert_default_before_insert_trigger
+ BEFORE INSERT ON certificates
+ FOR EACH ROW
+ WHEN NEW.is_default=1
+ BEGIN
+ UPDATE certificates
+ SET is_default=0
+ WHERE key_id=NEW.key_id;
+ END;
+
+CREATE TRIGGER IF NOT EXISTS
+ cert_default_after_insert_trigger
+ AFTER INSERT ON certificates
+ FOR EACH ROW
+ WHEN NOT EXISTS
+ (SELECT id
+ FROM certificates
+ WHERE is_default=1
+ AND key_id=NEW.key_id)
+ BEGIN
+ UPDATE certificates
+ SET is_default=1
+ WHERE certificate_name=NEW.certificate_name;
+ END;
+
+CREATE TRIGGER IF NOT EXISTS
+ cert_default_update_trigger
+ BEFORE UPDATE ON certificates
+ FOR EACH ROW
+ WHEN NEW.is_default=1 AND OLD.is_default=0
+ BEGIN
+ UPDATE certificates
+ SET is_default=0
+ WHERE key_id=NEW.key_id;
+ END;
+)SQL";
+
+PibSqlite3::PibSqlite3(const std::string& location)
{
// Determine the path of PIB DB
boost::filesystem::path dbDir;
- if (!dir.empty()) {
- dbDir = boost::filesystem::path(dir);
+ if (!location.empty()) {
+ dbDir = boost::filesystem::path(location);
}
#ifdef NDN_CXX_HAVE_TESTS
else if (getenv("TEST_HOME") != nullptr) {
@@ -222,7 +222,7 @@
);
if (result != SQLITE_OK) {
- BOOST_THROW_EXCEPTION(PibImpl::Error("PIB database cannot be opened/created in " + dir));
+ BOOST_THROW_EXCEPTION(PibImpl::Error("PIB database cannot be opened/created in " + location));
}
// enable foreign key
@@ -242,6 +242,13 @@
sqlite3_close(m_database);
}
+const std::string&
+PibSqlite3::getScheme()
+{
+ static std::string scheme = "pib-sqlite3";
+ return scheme;
+}
+
void
PibSqlite3::setTpmLocator(const std::string& tpmLocator)
{
diff --git a/src/security/pib/pib-sqlite3.hpp b/src/security/pib/pib-sqlite3.hpp
index 5571657..d27dab6 100644
--- a/src/security/pib/pib-sqlite3.hpp
+++ b/src/security/pib/pib-sqlite3.hpp
@@ -40,25 +40,28 @@
{
public:
/**
- * @brief Constructor of PibSqlite3
+ * @brief Create sqlite3-based PIB backed
*
- * This method will create a SQLite3 database file under the directory @p dir.
+ * This method will create a SQLite3 database file under the directory @p location.
* If the directory does not exist, it will be created automatically.
* It assumes that the directory does not contain a PIB database of an older version,
* It is user's responsibility to update the older version database or remove the database.
*
- * @param dir The directory where the database file is located. By default, it points to the
- * $HOME/.ndn directory.
+ * @param location The directory where the database file is located. By default, it points to the
+ * $HOME/.ndn directory.
* @throw PibImpl::Error when initialization fails.
*/
explicit
- PibSqlite3(const std::string& dir = "");
+ PibSqlite3(const std::string& location = "");
/**
* @brief Destruct and cleanup internal state
*/
~PibSqlite3();
+ static const std::string&
+ getScheme();
+
public: // TpmLocator management
void
setTpmLocator(const std::string& tpmLocator) final;
diff --git a/src/security/pib/pib.hpp b/src/security/pib/pib.hpp
index 47dbd5c..947e5a5 100644
--- a/src/security/pib/pib.hpp
+++ b/src/security/pib/pib.hpp
@@ -26,9 +26,6 @@
namespace ndn {
namespace security {
-
-class KeyChain;
-
namespace pib {
class PibImpl;
@@ -46,6 +43,10 @@
* the Pib class provides access to identities, and allows setting a default identity. Properties of
* an identity can be accessed after obtaining an Identity object.
*
+ * @note Pib instance is created and managed only by v2::KeyChain. v2::KeyChain::getPib()
+ * returns a const reference to the managed Pib instance, through which it is possible to
+ * retrieve information about identities, keys, and certificates.
+ *
* @throw PibImpl::Error when underlying implementation has non-semantic error.
*/
class Pib : noncopyable
@@ -184,7 +185,7 @@
shared_ptr<PibImpl> m_impl;
- friend class KeyChain;
+ friend class v2::KeyChain;
};
} // namespace pib
diff --git a/src/security/signing-info.cpp b/src/security/signing-info.cpp
index f8a7892..48b278a 100644
--- a/src/security/signing-info.cpp
+++ b/src/security/signing-info.cpp
@@ -20,13 +20,30 @@
*/
#include "signing-info.hpp"
-#include "key-chain.hpp"
namespace ndn {
namespace security {
-const Name SigningInfo::EMPTY_NAME;
-const SignatureInfo SigningInfo::EMPTY_SIGNATURE_INFO;
+const Name&
+SigningInfo::getEmptyName()
+{
+ static Name emptyName;
+ return emptyName;
+}
+
+const SignatureInfo&
+SigningInfo::getEmptySignatureInfo()
+{
+ static SignatureInfo emptySignatureInfo;
+ return emptySignatureInfo;
+}
+
+const Name&
+SigningInfo::getDigestSha256Identity()
+{
+ static Name digestSha256Identity("/localhost/identity/digest-sha256");
+ return digestSha256Identity;
+}
SigningInfo::SigningInfo(SignerType signerType,
const Name& signerName,
@@ -56,7 +73,7 @@
std::string nameArg = signingStr.substr(pos + 1);
if (scheme == "id") {
- if (nameArg == KeyChain::DIGEST_SHA256_IDENTITY.toUri()) {
+ if (nameArg == getDigestSha256Identity().toUri()) {
setSha256Signing();
}
else {
@@ -129,7 +146,7 @@
os << "cert:";
break;
case SigningInfo::SIGNER_TYPE_SHA256:
- os << "id:" << KeyChain::DIGEST_SHA256_IDENTITY;
+ os << "id:" << SigningInfo::getDigestSha256Identity();
return os;
default:
BOOST_THROW_EXCEPTION(std::invalid_argument("Unknown signer type"));
diff --git a/src/security/signing-info.hpp b/src/security/signing-info.hpp
index 375d9e8..499f25b 100644
--- a/src/security/signing-info.hpp
+++ b/src/security/signing-info.hpp
@@ -71,8 +71,8 @@
*/
explicit
SigningInfo(SignerType signerType = SIGNER_TYPE_NULL,
- const Name& signerName = EMPTY_NAME,
- const SignatureInfo& signatureInfo = EMPTY_SIGNATURE_INFO);
+ const Name& signerName = getEmptyName(),
+ const SignatureInfo& signatureInfo = getEmptySignatureInfo());
/**
* @brief Construct SigningInfo from its string representation
@@ -170,15 +170,22 @@
}
public:
- static const Name EMPTY_NAME;
- static const SignatureInfo EMPTY_SIGNATURE_INFO;
+ static const Name&
+ getEmptyName();
+
+ static const SignatureInfo&
+ getEmptySignatureInfo();
+
+ /**
+ * @brief A localhost identity to indicate that the signature is generated using SHA-256.
+ */
+ static const Name&
+ getDigestSha256Identity();
private:
SignerType m_type;
Name m_name;
-
DigestAlgorithm m_digestAlgorithm;
-
SignatureInfo m_info;
};
diff --git a/src/security/tpm/back-end-file.cpp b/src/security/tpm/back-end-file.cpp
index f16d7cf..1adcf1c 100644
--- a/src/security/tpm/back-end-file.cpp
+++ b/src/security/tpm/back-end-file.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -83,6 +83,13 @@
BackEndFile::~BackEndFile() = default;
+const std::string&
+BackEndFile::getScheme()
+{
+ static std::string scheme = "tpm-file";
+ return scheme;
+}
+
bool
BackEndFile::doHasKey(const Name& keyName) const
{
diff --git a/src/security/tpm/back-end-file.hpp b/src/security/tpm/back-end-file.hpp
index 02b575f..db58907 100644
--- a/src/security/tpm/back-end-file.hpp
+++ b/src/security/tpm/back-end-file.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -52,11 +52,18 @@
};
public:
+ /**
+ * @brief Create file-based TPM backend
+ * @param location Directory to store private keys
+ */
explicit
BackEndFile(const std::string& location = "");
~BackEndFile() override;
+ static const std::string&
+ getScheme();
+
private: // inherited from tpm::BackEnd
/**
* @return True if a key with name @p keyName exists in TPM.
@@ -87,14 +94,14 @@
/**
* @brief Delete a key with name @p keyName.
*
- * @throws Error if the deletion fails.
+ * @throw Error the deletion failed
*/
void
doDeleteKey(const Name& keyName) final;
/**
* @return A private key with name @p keyName in encrypted PKCS #8 format using password @p pw
- * @throws Error if the key cannot be exported, e.g., not enough privilege
+ * @throw Error the key cannot be exported, e.g., not enough privilege
*/
ConstBufferPtr
doExportKey(const Name& keyName, const char* pw, size_t pwLen) final;
@@ -107,7 +114,7 @@
* @param size The size of the key in encrypted PKCS #8 format
* @param pw The password to decrypt the key
* @param pwLen The length of the password
- * @throws Error if import fails.
+ * @throw Error import failed
*/
void
doImportKey(const Name& keyName, const uint8_t* buf, size_t size, const char* pw, size_t pwLen) final;
diff --git a/src/security/tpm/back-end-mem.cpp b/src/security/tpm/back-end-mem.cpp
index beac9db..9d051c6 100644
--- a/src/security/tpm/back-end-mem.cpp
+++ b/src/security/tpm/back-end-mem.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -37,13 +37,20 @@
std::unordered_map<Name, shared_ptr<PrivateKey>> keys;
};
-BackEndMem::BackEndMem()
+BackEndMem::BackEndMem(const std::string&)
: m_impl(new Impl)
{
}
BackEndMem::~BackEndMem() = default;
+const std::string&
+BackEndMem::getScheme()
+{
+ static std::string scheme = "tpm-memory";
+ return scheme;
+}
+
bool
BackEndMem::doHasKey(const Name& keyName) const
{
diff --git a/src/security/tpm/back-end-mem.hpp b/src/security/tpm/back-end-mem.hpp
index 4253b5e..4bfa212 100644
--- a/src/security/tpm/back-end-mem.hpp
+++ b/src/security/tpm/back-end-mem.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -45,11 +45,18 @@
};
public:
+ /**
+ * @brief Create memory-based TPM backend
+ * @param location Not used (required by the TPM-registration interface)
+ */
explicit
- BackEndMem();
+ BackEndMem(const std::string& location = "");
~BackEndMem() override;
+ static const std::string&
+ getScheme();
+
private: // inherited from tpm::BackEnd
/**
@@ -80,14 +87,14 @@
/**
* @brief Delete a key with name @p keyName.
*
- * @throws Error if the deletion fails.
+ * @throw Error the deletion failed
*/
void
doDeleteKey(const Name& keyName) final;
/**
* @return A private key with name @p keyName in encrypted PKCS #8 format using password @p pw
- * @throws Error if the key cannot be exported, e.g., not enough privilege
+ * @throw Error the key cannot be exported, e.g., not enough privilege
*/
ConstBufferPtr
doExportKey(const Name& keyName, const char* pw, size_t pwLen) final;
@@ -100,7 +107,7 @@
* @param size The size of the key in encrypted PKCS #8 format
* @param pw The password to decrypt the key
* @param pwLen The length of password
- * @throws Error if import fails.
+ * @throw Error import failed
*/
void
doImportKey(const Name& keyName, const uint8_t* buf, size_t size, const char* pw, size_t pwLen) final;
diff --git a/src/security/tpm/back-end-osx.cpp b/src/security/tpm/back-end-osx.cpp
index d423b10..178ae55 100644
--- a/src/security/tpm/back-end-osx.cpp
+++ b/src/security/tpm/back-end-osx.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -117,7 +117,7 @@
}
}
-BackEndOsx::BackEndOsx()
+BackEndOsx::BackEndOsx(const std::string&)
: m_impl(new Impl)
{
SecKeychainSetUserInteractionAllowed(!m_impl->isTerminalMode);
@@ -131,11 +131,11 @@
BackEndOsx::~BackEndOsx() = default;
-void
-BackEndOsx::setTerminalMode(bool isTerminal)
+const std::string&
+BackEndOsx::getScheme()
{
- m_impl->isTerminalMode = isTerminal;
- SecKeychainSetUserInteractionAllowed(!isTerminal);
+ static std::string scheme = "tpm-osxkeychain";
+ return scheme;
}
bool
@@ -144,8 +144,15 @@
return m_impl->isTerminalMode;
}
+void
+BackEndOsx::setTerminalMode(bool isTerminal) const
+{
+ m_impl->isTerminalMode = isTerminal;
+ SecKeychainSetUserInteractionAllowed(!isTerminal);
+}
+
bool
-BackEndOsx::isLocked() const
+BackEndOsx::isTpmLocked() const
{
SecKeychainStatus keychainStatus;
@@ -157,22 +164,22 @@
}
bool
-BackEndOsx::unlockTpm(const char* password, size_t passwordLength)
+BackEndOsx::unlockTpm(const char* pw, size_t pwLen) const
{
// If the default key chain is already unlocked, return immediately.
- if (!isLocked())
+ if (!isTpmLocked())
return true;
if (m_impl->isTerminalMode) {
// Use the supplied password.
- SecKeychainUnlock(m_impl->keyChainRef, passwordLength, password, true);
+ SecKeychainUnlock(m_impl->keyChainRef, pwLen, pw, true);
}
else {
// If inTerminal is not set, get the password from GUI.
SecKeychainUnlock(m_impl->keyChainRef, 0, nullptr, false);
}
- return !isLocked();
+ return !isTpmLocked();
}
ConstBufferPtr
diff --git a/src/security/tpm/back-end-osx.hpp b/src/security/tpm/back-end-osx.hpp
index 0fcd49f..29465c8 100644
--- a/src/security/tpm/back-end-osx.hpp
+++ b/src/security/tpm/back-end-osx.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -34,7 +34,7 @@
namespace tpm {
/**
- * @brief The back-end implementation of TPM based on OS X KeyChain service.
+ * @brief The back-end implementation of TPM based on macOS Keychain Services.
*/
class BackEndOsx : public BackEnd
{
@@ -50,39 +50,30 @@
};
public:
- BackEndOsx();
+ /**
+ * @brief Create TPM backed based on macOS KeyChain service
+ * @param location Not used (required by the TPM-registration interface)
+ */
+ explicit
+ BackEndOsx(const std::string& location = "");
~BackEndOsx() override;
+ static const std::string&
+ getScheme();
+
public: // management
- /**
- * @brief Set the terminal mode of TPM.
- *
- * In terminal mode, TPM will not ask user permission from GUI.
- */
+ bool
+ isTerminalMode() const final;
+
void
- setTerminalMode(bool isTerminal);
+ setTerminalMode(bool isTerminal) const final;
- /**
- * @brief Check if TPM is in terminal mode
- */
bool
- isTerminalMode() const;
+ isTpmLocked() const final;
- /**
- * @return True if TPM is locked, otherwise false
- */
bool
- isLocked() const;
-
- /**
- * @brief Unlock TPM
- *
- * @param password The password to unlock TPM
- * @param passwordLength The password size.
- */
- bool
- unlockTpm(const char* password = nullptr, size_t passwordLength = 0);
+ unlockTpm(const char* pw, size_t pwLen) const final;
public: // crypto transformation
/**
@@ -125,14 +116,14 @@
/**
* @brief Delete a key with name @p keyName.
*
- * @throws Error if the deletion fails.
+ * @throw Error the deletion failed
*/
void
doDeleteKey(const Name& keyName) final;
/**
* @return A private key with name @p keyName in encrypted PKCS #8 format using password @p pw
- * @throws Error if the key cannot be exported, e.g., not enough privilege
+ * @throw Error the key cannot be exported, e.g., not enough privilege
*/
ConstBufferPtr
doExportKey(const Name& keyName, const char* pw, size_t pwLen) final;
@@ -145,7 +136,7 @@
* @param size The size of the key in encrypted PKCS #8 format
* @param pw The password to decrypt the private key
* @param pwLen The length of the password
- * @throws Error if import fails
+ * @throw Error import fails
*/
void
doImportKey(const Name& keyName, const uint8_t* buf, size_t size, const char* pw, size_t pwLen) final;
diff --git a/src/security/tpm/back-end.cpp b/src/security/tpm/back-end.cpp
index 18df659..72ef5fd 100644
--- a/src/security/tpm/back-end.cpp
+++ b/src/security/tpm/back-end.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -66,7 +66,7 @@
name::Component keyId;
do {
keyId = name::Component::fromNumber(random::generateSecureWord64());
- keyName = v2::constructKeyName(identity, params.getKeyId());
+ keyName = v2::constructKeyName(identity, keyId);
} while (hasKey(keyName));
const_cast<KeyParams&>(params).setKeyId(keyId);
@@ -133,6 +133,29 @@
keyHandle.setKeyName(v2::constructKeyName(identity, keyId));
}
+bool
+BackEnd::isTerminalMode() const
+{
+ return true;
+}
+
+void
+BackEnd::setTerminalMode(bool isTerminal) const
+{
+}
+
+bool
+BackEnd::isTpmLocked() const
+{
+ return false;
+}
+
+bool
+BackEnd::unlockTpm(const char* pw, size_t pwLen) const
+{
+ return !isTpmLocked();
+}
+
} // namespace tpm
} // namespace security
} // namespace ndn
diff --git a/src/security/tpm/back-end.hpp b/src/security/tpm/back-end.hpp
index 749b53d..4c55ab2 100644
--- a/src/security/tpm/back-end.hpp
+++ b/src/security/tpm/back-end.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -77,8 +77,8 @@
* The key name is set in the returned KeyHandle.
*
* @return The handle of the created key.
- * @throws Tpm::Error if @p params is invalid
- * @throws Error if the key cannot be created.
+ * @throw Tpm::Error @p params are invalid
+ * @throw Error the key cannot be created
*/
unique_ptr<KeyHandle>
createKey(const Name& identity, const KeyParams& params);
@@ -88,15 +88,15 @@
*
* Continuing to use existing KeyHandles on a deleted key results in undefined behavior.
*
- * @throws Error if the deletion fails.
+ * @throw Error if the deletion fails.
*/
void
deleteKey(const Name& keyName);
/**
* @return A private key with name @p keyName in encrypted PKCS #8 format using password @p pw
- * @throws Error if the key does not exist
- * @throws Error if the key cannot be exported, e.g., insufficient privilege
+ * @throw Error the key does not exist
+ * @throw Error the key cannot be exported, e.g., insufficient privilege
*/
ConstBufferPtr
exportKey(const Name& keyName, const char* pw, size_t pwLen);
@@ -109,11 +109,48 @@
* @param pkcs8Len The size of the key in encrypted PKCS #8 format
* @param pw The password to decrypt the private key
* @param pwLen The length of the password
- * @throws Error if import fails.
+ * @throw Error import failed
*/
void
importKey(const Name& keyName, const uint8_t* pkcs8, size_t pkcs8Len, const char* pw, size_t pwLen);
+ /**
+ * @brief Check if TPM is in terminal mode
+ *
+ * Default implementation always returns true.
+ */
+ virtual bool
+ isTerminalMode() const;
+
+ /**
+ * @brief Set the terminal mode of TPM.
+ *
+ * In terminal mode, TPM will not ask user permission from GUI.
+ *
+ * Default implementation does nothing.
+ */
+ virtual void
+ setTerminalMode(bool isTerminal) const;
+
+ /**
+ * @return True if TPM is locked, otherwise false
+ *
+ * Default implementation always returns false.
+ */
+ virtual bool
+ isTpmLocked() const;
+
+ /**
+ * @brief Unlock TPM
+ *
+ * @param pw The password to unlock TPM
+ * @param pwLen The password size.
+ *
+ * Default implementation always returns !isTpmLocked()
+ */
+ virtual bool
+ unlockTpm(const char* pw, size_t pwLen) const;
+
protected: // static helper method
/**
* @brief Set the key name in @p keyHandle according to @p identity and @p params
@@ -141,7 +178,7 @@
* The key name is set in the returned KeyHandle.
*
* @return The handle of the created key.
- * @throws Error when key cannot be created.
+ * @throw Error key cannot be created
*/
virtual unique_ptr<KeyHandle>
doCreateKey(const Name& identity, const KeyParams& params) = 0;
@@ -149,14 +186,14 @@
/**
* @brief Delete a key with name @p keyName.
*
- * @throws Error if the deletion fails.
+ * @throw Error the deletion failed
*/
virtual void
doDeleteKey(const Name& keyName) = 0;
/**
* @return A private key with name @p keyName in encrypted PKCS #8 format using password @p pw
- * @throws Error if the key cannot be exported, e.g., insufficient privilege
+ * @throw Error the key cannot be exported, e.g., insufficient privilege
*/
virtual ConstBufferPtr
doExportKey(const Name& keyName, const char* pw, size_t pwLen) = 0;
@@ -169,7 +206,7 @@
* @param pkcs8Len The size of the key in PKCS #8 format
* @param pw The password to decrypt the private key
* @param pwLen The length of the password
- * @throws Error if import fails.
+ * @throw Error import failed
*/
virtual void
doImportKey(const Name& keyName, const uint8_t* pkcs8, size_t pkcs8Len, const char* pw, size_t pwLen) = 0;
diff --git a/src/security/tpm/tpm.cpp b/src/security/tpm/tpm.cpp
index 234c48d..fad73b9 100644
--- a/src/security/tpm/tpm.cpp
+++ b/src/security/tpm/tpm.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -108,6 +108,30 @@
return key->decrypt(buf, size);
}
+bool
+Tpm::isTerminalMode() const
+{
+ return m_backEnd->isTerminalMode();
+}
+
+void
+Tpm::setTerminalMode(bool isTerminal) const
+{
+ m_backEnd->setTerminalMode(isTerminal);
+}
+
+bool
+Tpm::isTpmLocked() const
+{
+ return m_backEnd->isTpmLocked();
+}
+
+bool
+Tpm::unlockTpm(const char* password, size_t passwordLength) const
+{
+ return m_backEnd->unlockTpm(password, passwordLength);
+}
+
ConstBufferPtr
Tpm::exportPrivateKey(const Name& keyName, const char* pw, size_t pwLen)
{
diff --git a/src/security/tpm/tpm.hpp b/src/security/tpm/tpm.hpp
index 01b22ae..5c985f1 100644
--- a/src/security/tpm/tpm.hpp
+++ b/src/security/tpm/tpm.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -31,6 +31,11 @@
namespace ndn {
namespace security {
+
+namespace v2 {
+class KeyChain;
+} // namespace v2
+
namespace tpm {
class BackEnd;
@@ -48,14 +53,17 @@
* A TPM consists of a unified front-end interface and a back-end implementation. The front-end
* cache the handles of private keys which is provided by the back-end implementation.
*
- * @throw tpm::BackEnd::Error when underlying implementation has non-semantic error.
- * @throw Tpm::Error when there is an semantic error.
+ * @note Tpm instance is created and managed only by v2::KeyChain. v2::KeyChain::getTpm()
+ * returns a const reference to the managed Tpm instance, through which it is possible to
+ * check existence of private keys, get public keys for the private keys, sign, and decrypt
+ * the supplied buffers using managed private keys.
+ *
+ * @throw BackEnd::Error Failure with the underlying implementation having non-semantic errors
+ * @throw Tpm::Error Failure with semantic error in the underlying implementation
*/
class Tpm : noncopyable
{
public:
- friend class KeyChain;
-
class Error : public std::runtime_error
{
public:
@@ -106,6 +114,36 @@
ConstBufferPtr
decrypt(const uint8_t* buf, size_t size, const Name& keyName) const;
+public: // Management
+ /**
+ * @brief Check if TPM is in terminal mode
+ */
+ bool
+ isTerminalMode() const;
+
+ /**
+ * @brief Set the terminal mode of TPM.
+ *
+ * In terminal mode, TPM will not ask user permission from GUI.
+ */
+ void
+ setTerminalMode(bool isTerminal) const;
+
+ /**
+ * @return True if TPM is locked, otherwise false
+ */
+ bool
+ isTpmLocked() const;
+
+ /**
+ * @brief Unlock TPM
+ *
+ * @param password The password to unlock TPM
+ * @param passwordLength The password size.
+ */
+ bool
+ unlockTpm(const char* password, size_t passwordLength) const;
+
NDN_CXX_PUBLIC_WITH_TESTS_ELSE_PRIVATE:
/*
* @brief Create a new TPM instance with the specified @p location
@@ -128,7 +166,7 @@
* The created key is named as: /<identityName>/[keyId]/KEY
*
* @return the key name
- * @throws Tpm::Error if the key has already existed or the params is invalid
+ * @throw Tpm::Error the key has already existed or the params is invalid
*/
Name
createKey(const Name& identityName, const KeyParams& params);
@@ -179,7 +217,6 @@
}
private:
-
/**
* @brief Internal KeyHandle lookup
*
@@ -195,6 +232,8 @@
mutable std::unordered_map<Name, unique_ptr<KeyHandle>> m_keys;
unique_ptr<BackEnd> m_backEnd;
+
+ friend class v2::KeyChain;
};
} // namespace tpm
diff --git a/src/security/v2/key-chain.cpp b/src/security/v2/key-chain.cpp
new file mode 100644
index 0000000..0f3909e
--- /dev/null
+++ b/src/security/v2/key-chain.cpp
@@ -0,0 +1,698 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "key-chain.hpp"
+
+#include "../../util/config-file.hpp"
+
+#include "../pib/pib-sqlite3.hpp"
+#include "../pib/pib-memory.hpp"
+
+#ifdef NDN_CXX_HAVE_OSX_SECURITY
+#include "../tpm/back-end-osx.hpp"
+#endif // NDN_CXX_HAVE_OSX_SECURITY
+
+#include "../tpm/back-end-file.hpp"
+#include "../tpm/back-end-mem.hpp"
+
+#include "../transform/bool-sink.hpp"
+#include "../transform/buffer-source.hpp"
+#include "../transform/private-key.hpp"
+#include "../transform/verifier-filter.hpp"
+#include "../../encoding/buffer-stream.hpp"
+#include "../../util/crypto.hpp"
+
+#include <boost/lexical_cast.hpp>
+
+namespace ndn {
+namespace security {
+
+// When static library is used, not everything is compiled into the resulting binary.
+// Therefore, the following standard PIB and TPMs need to be registered here.
+// http://stackoverflow.com/q/9459980/2150331
+
+/////////
+// PIB //
+/////////
+namespace pib {
+NDN_CXX_V2_KEYCHAIN_REGISTER_PIB_BACKEND(PibSqlite3);
+NDN_CXX_V2_KEYCHAIN_REGISTER_PIB_BACKEND(PibMemory);
+} // namespace pib
+
+/////////
+// TPM //
+/////////
+namespace tpm {
+#if defined(NDN_CXX_HAVE_OSX_SECURITY) && defined(NDN_CXX_WITH_OSX_KEYCHAIN)
+NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND(BackEndOsx);
+#endif // defined(NDN_CXX_HAVE_OSX_SECURITY) && defined(NDN_CXX_WITH_OSX_KEYCHAIN)
+
+NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND(BackEndFile);
+NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND(BackEndMem);
+} // namespace tpm
+
+namespace v2 {
+
+std::string KeyChain::s_defaultPibLocator;
+std::string KeyChain::s_defaultTpmLocator;
+
+KeyChain::PibFactories&
+KeyChain::getPibFactories()
+{
+ static PibFactories pibFactories;
+ return pibFactories;
+}
+
+KeyChain::TpmFactories&
+KeyChain::getTpmFactories()
+{
+ static TpmFactories tpmFactories;
+ return tpmFactories;
+}
+
+const std::string&
+KeyChain::getDefaultPibScheme()
+{
+ return pib::PibSqlite3::getScheme();;
+}
+
+const std::string&
+KeyChain::getDefaultTpmScheme()
+{
+#if defined(NDN_CXX_HAVE_OSX_SECURITY) && defined(NDN_CXX_WITH_OSX_KEYCHAIN)
+ return tpm::BackEndOsx::getScheme();;
+#else
+ return tpm::BackEndFile::getScheme();
+#endif // defined(NDN_CXX_HAVE_OSX_SECURITY) && defined(NDN_CXX_WITH_OSX_KEYCHAIN)
+}
+
+const std::string&
+KeyChain::getDefaultPibLocator()
+{
+ if (!s_defaultPibLocator.empty())
+ return s_defaultPibLocator;
+
+ if (getenv("NDN_CLIENT_PIB") != nullptr) {
+ s_defaultPibLocator = getenv("NDN_CLIENT_PIB");
+ }
+ else {
+ ConfigFile config;
+ s_defaultPibLocator = config.getParsedConfiguration().get<std::string>("pib", getDefaultPibScheme() + ":");
+ }
+
+ return s_defaultPibLocator;
+}
+
+const std::string&
+KeyChain::getDefaultTpmLocator()
+{
+ if (!s_defaultTpmLocator.empty())
+ return s_defaultTpmLocator;
+
+ if (getenv("NDN_CLIENT_TPM") != nullptr) {
+ s_defaultTpmLocator = getenv("NDN_CLIENT_TPM");
+ }
+ else {
+ ConfigFile config;
+ s_defaultTpmLocator = config.getParsedConfiguration().get<std::string>("tpm", getDefaultTpmScheme() + ":");
+ }
+
+ return s_defaultTpmLocator;
+}
+
+
+// Other defaults
+
+const SigningInfo&
+KeyChain::getDefaultSigningInfo()
+{
+ static SigningInfo signingInfo;
+ return signingInfo;
+}
+
+const KeyParams&
+KeyChain::getDefaultKeyParams()
+{
+ static EcdsaKeyParams keyParams;
+ return keyParams;
+}
+
+//
+
+KeyChain::KeyChain()
+ : KeyChain(getDefaultPibLocator(), getDefaultTpmLocator(), true)
+{
+}
+
+KeyChain::KeyChain(const std::string& pibLocator, const std::string& tpmLocator, bool allowReset)
+{
+ // PIB Locator
+ std::string pibScheme, pibLocation;
+ std::tie(pibScheme, pibLocation) = parseAndCheckPibLocator(pibLocator);
+ std::string canonicalPibLocator = pibScheme + ":" + pibLocation;
+
+ // Create PIB
+ m_pib = createPib(canonicalPibLocator);
+ std::string oldTpmLocator;
+ try {
+ oldTpmLocator = m_pib->getTpmLocator();
+ }
+ catch (const Pib::Error&) {
+ // TPM locator is not set in PIB yet.
+ }
+
+ // TPM Locator
+ std::string tpmScheme, tpmLocation;
+ std::tie(tpmScheme, tpmLocation) = parseAndCheckTpmLocator(tpmLocator);
+ std::string canonicalTpmLocator = tpmScheme + ":" + tpmLocation;
+
+ if (canonicalPibLocator == getDefaultPibLocator()) {
+ // Default PIB must use default TPM
+ if (!oldTpmLocator.empty() && oldTpmLocator != getDefaultTpmLocator()) {
+ m_pib->reset();
+ canonicalTpmLocator = getDefaultTpmLocator();
+ }
+ }
+ else {
+ // non-default PIB check consistency
+ if (!oldTpmLocator.empty() && oldTpmLocator != canonicalTpmLocator) {
+ if (allowReset)
+ m_pib->reset();
+ else
+ BOOST_THROW_EXCEPTION(LocatorMismatchError("TPM locator supplied does not match TPM locator in PIB: " +
+ oldTpmLocator + " != " + canonicalTpmLocator));
+ }
+ }
+
+ // note that key mismatch may still happen if the TPM locator is initially set to a
+ // wrong one or if the PIB was shared by more than one TPMs before. This is due to the
+ // old PIB does not have TPM info, new pib should not have this problem.
+ m_tpm = createTpm(canonicalTpmLocator);
+ m_pib->setTpmLocator(canonicalTpmLocator);
+}
+
+KeyChain::~KeyChain() = default;
+
+// public: management
+
+Identity
+KeyChain::createIdentity(const Name& identityName, const KeyParams& params)
+{
+ Identity id = m_pib->addIdentity(identityName);
+
+ Key key;
+ try {
+ key = id.getDefaultKey();
+ }
+ catch (const Pib::Error&) {
+ key = createKey(id, params);
+ }
+
+ try {
+ key.getDefaultCertificate();
+ }
+ catch (const Pib::Error&) {
+ selfSign(key);
+ }
+
+ return id;
+}
+
+void
+KeyChain::deleteIdentity(const Identity& identity)
+{
+ BOOST_ASSERT(static_cast<bool>(identity));
+
+ Name identityName = identity.getName();
+
+ for (const auto& key : identity.getKeys()) {
+ m_tpm->deleteKey(key.getName());
+ }
+
+ m_pib->removeIdentity(identityName);
+}
+
+void
+KeyChain::setDefaultIdentity(const Identity& identity)
+{
+ BOOST_ASSERT(static_cast<bool>(identity));
+
+ m_pib->setDefaultIdentity(identity.getName());
+}
+
+Key
+KeyChain::createKey(const Identity& identity, const KeyParams& params)
+{
+ BOOST_ASSERT(static_cast<bool>(identity));
+
+ // create key in TPM
+ Name keyName = m_tpm->createKey(identity.getName(), params);
+
+ // set up key info in PIB
+ ConstBufferPtr pubKey = m_tpm->getPublicKey(keyName);
+ Key key = identity.addKey(pubKey->buf(), pubKey->size(), keyName);
+ selfSign(key);
+
+ return key;
+}
+
+void
+KeyChain::deleteKey(const Identity& identity, const Key& key)
+{
+ BOOST_ASSERT(static_cast<bool>(identity));
+ BOOST_ASSERT(static_cast<bool>(key));
+
+ Name keyName = key.getName();
+ if (identity.getName() != key.getIdentity()) {
+ BOOST_THROW_EXCEPTION(std::invalid_argument("Identity `" + identity.getName().toUri() + "` "
+ "does match key `" + keyName.toUri() + "`"));
+ }
+
+ identity.removeKey(keyName);
+ m_tpm->deleteKey(keyName);
+}
+
+void
+KeyChain::setDefaultKey(const Identity& identity, const Key& key)
+{
+ BOOST_ASSERT(static_cast<bool>(identity));
+ BOOST_ASSERT(static_cast<bool>(key));
+
+ if (identity.getName() != key.getIdentity())
+ BOOST_THROW_EXCEPTION(std::invalid_argument("Identity `" + identity.getName().toUri() + "` "
+ "does match key `" + key.getName().toUri() + "`"));
+
+ identity.setDefaultKey(key.getName());
+}
+
+void
+KeyChain::addCertificate(const Key& key, const Certificate& certificate)
+{
+ BOOST_ASSERT(static_cast<bool>(key));
+
+ if (key.getName() != certificate.getKeyName() ||
+ !std::equal(certificate.getContent().value_begin(), certificate.getContent().value_end(),
+ key.getPublicKey().begin()))
+ BOOST_THROW_EXCEPTION(std::invalid_argument("Key `" + key.getName().toUri() + "` "
+ "does match certificate `" + certificate.getName().toUri() + "`"));
+
+ key.addCertificate(certificate);
+}
+
+void
+KeyChain::deleteCertificate(const Key& key, const Name& certificateName)
+{
+ BOOST_ASSERT(static_cast<bool>(key));
+
+ if (!Certificate::isValidName(certificateName)) {
+ BOOST_THROW_EXCEPTION(std::invalid_argument("Wrong certificate name `" + certificateName.toUri() + "`"));
+ }
+
+ key.removeCertificate(certificateName);
+}
+
+void
+KeyChain::setDefaultCertificate(const Key& key, const Certificate& cert)
+{
+ BOOST_ASSERT(static_cast<bool>(key));
+
+ try {
+ addCertificate(key, cert);
+ }
+ catch (const Pib::Error&) { // force to overwrite the existing certificates
+ key.removeCertificate(cert.getName());
+ addCertificate(key, cert);
+ }
+ key.setDefaultCertificate(cert.getName());
+}
+
+shared_ptr<SafeBag>
+KeyChain::exportSafeBag(const Certificate& certificate, const char* pw, size_t pwLen)
+{
+ Name identity = certificate.getIdentity();
+ Name keyName = certificate.getKeyName();
+
+ ConstBufferPtr encryptedKey;
+ try {
+ encryptedKey = m_tpm->exportPrivateKey(keyName, pw, pwLen);
+ }
+ catch (const tpm::BackEnd::Error&) {
+ BOOST_THROW_EXCEPTION(Error("Private `" + keyName.toUri() + "` key does not exist"));
+ }
+
+ return make_shared<SafeBag>(certificate, *encryptedKey);
+}
+
+void
+KeyChain::importSafeBag(const SafeBag& safeBag, const char* pw, size_t pwLen)
+{
+ Data certData = safeBag.getCertificate();
+ Certificate cert(std::move(certData));
+ Name identity = cert.getIdentity();
+ Name keyName = cert.getKeyName();
+ const Buffer publicKeyBits = cert.getPublicKey();
+
+ if (m_tpm->hasKey(keyName)) {
+ BOOST_THROW_EXCEPTION(Error("Private key `" + keyName.toUri() + "` already exists"));
+ }
+
+ try {
+ Identity existingId = m_pib->getIdentity(identity);
+ existingId.getKey(keyName);
+ BOOST_THROW_EXCEPTION(Error("Public key `" + keyName.toUri() + "` already exists"));
+ }
+ catch (const Pib::Error&) {
+ // Either identity or key doesn't exist. OK to import.
+ }
+
+ try {
+ m_tpm->importPrivateKey(keyName,
+ safeBag.getEncryptedKeyBag().buf(), safeBag.getEncryptedKeyBag().size(),
+ pw, pwLen);
+ }
+ catch (const std::runtime_error&) {
+ BOOST_THROW_EXCEPTION(Error("Fail to import private key `" + keyName.toUri() + "`"));
+ }
+
+ // check the consistency of private key and certificate
+ const uint8_t content[] = {0x01, 0x02, 0x03, 0x04};
+ ConstBufferPtr sigBits;
+ try {
+ sigBits = m_tpm->sign(content, 4, keyName, DigestAlgorithm::SHA256);
+ }
+ catch (const std::runtime_error&) {
+ m_tpm->deleteKey(keyName);
+ BOOST_THROW_EXCEPTION(Error("Invalid private key `" + keyName.toUri() + "`"));
+ }
+ bool isVerified = false;
+ {
+ using namespace transform;
+ PublicKey publicKey;
+ publicKey.loadPkcs8(publicKeyBits.buf(), publicKeyBits.size());
+ bufferSource(content, sizeof(content)) >> verifierFilter(DigestAlgorithm::SHA256, publicKey,
+ sigBits->buf(), sigBits->size())
+ >> boolSink(isVerified);
+ }
+ if (!isVerified) {
+ m_tpm->deleteKey(keyName);
+ BOOST_THROW_EXCEPTION(Error("Certificate `" + cert.getName().toUri() + "` "
+ "and private key `" + keyName.toUri() + "` do not match"));
+ }
+
+ Identity id = m_pib->addIdentity(identity);
+ Key key = id.addKey(cert.getPublicKey().buf(), cert.getPublicKey().size(), keyName);
+ key.addCertificate(cert);
+}
+
+
+// public: signing
+
+void
+KeyChain::sign(Data& data, const SigningInfo& params)
+{
+ Name keyName;
+ SignatureInfo sigInfo;
+ std::tie(keyName, sigInfo) = prepareSignatureInfo(params);
+
+ data.setSignature(Signature(sigInfo));
+
+ EncodingBuffer encoder;
+ data.wireEncode(encoder, true);
+
+ Block sigValue = sign(encoder.buf(), encoder.size(), keyName, params.getDigestAlgorithm());
+
+ data.wireEncode(encoder, sigValue);
+}
+
+void
+KeyChain::sign(Interest& interest, const SigningInfo& params)
+{
+ Name keyName;
+ SignatureInfo sigInfo;
+ std::tie(keyName, sigInfo) = prepareSignatureInfo(params);
+
+ Name signedName = interest.getName();
+ signedName.append(sigInfo.wireEncode()); // signatureInfo
+
+ Block sigValue = sign(signedName.wireEncode().value(), signedName.wireEncode().value_size(),
+ keyName, params.getDigestAlgorithm());
+
+ sigValue.encode();
+ signedName.append(sigValue); // signatureValue
+ interest.setName(signedName);
+}
+
+Block
+KeyChain::sign(const uint8_t* buffer, size_t bufferLength, const SigningInfo& params)
+{
+ Name keyName;
+ SignatureInfo sigInfo;
+ std::tie(keyName, sigInfo) = prepareSignatureInfo(params);
+
+ return sign(buffer, bufferLength, keyName, params.getDigestAlgorithm());
+}
+
+// public: PIB/TPM creation helpers
+
+static inline std::tuple<std::string/*type*/, std::string/*location*/>
+parseLocatorUri(const std::string& uri)
+{
+ size_t pos = uri.find(':');
+ if (pos != std::string::npos) {
+ return std::make_tuple(uri.substr(0, pos), uri.substr(pos + 1));
+ }
+ else {
+ return std::make_tuple(uri, "");
+ }
+}
+
+std::tuple<std::string/*type*/, std::string/*location*/>
+KeyChain::parseAndCheckPibLocator(const std::string& pibLocator)
+{
+ std::string pibScheme, pibLocation;
+ std::tie(pibScheme, pibLocation) = parseLocatorUri(pibLocator);
+
+ if (pibScheme.empty()) {
+ pibScheme = getDefaultPibScheme();
+ }
+
+ auto pibFactory = getPibFactories().find(pibScheme);
+ if (pibFactory == getPibFactories().end()) {
+ BOOST_THROW_EXCEPTION(KeyChain::Error("PIB scheme `" + pibScheme + "` is not supported"));
+ }
+
+ return std::make_tuple(pibScheme, pibLocation);
+}
+
+unique_ptr<Pib>
+KeyChain::createPib(const std::string& pibLocator)
+{
+ std::string pibScheme, pibLocation;
+ std::tie(pibScheme, pibLocation) = parseAndCheckPibLocator(pibLocator);
+ auto pibFactory = getPibFactories().find(pibScheme);
+ BOOST_ASSERT(pibFactory != getPibFactories().end());
+ return unique_ptr<Pib>(new Pib(pibScheme, pibLocation, pibFactory->second(pibLocation)));
+}
+
+std::tuple<std::string/*type*/, std::string/*location*/>
+KeyChain::parseAndCheckTpmLocator(const std::string& tpmLocator)
+{
+ std::string tpmScheme, tpmLocation;
+ std::tie(tpmScheme, tpmLocation) = parseLocatorUri(tpmLocator);
+
+ if (tpmScheme.empty()) {
+ tpmScheme = getDefaultTpmScheme();
+ }
+ auto tpmFactory = getTpmFactories().find(tpmScheme);
+ if (tpmFactory == getTpmFactories().end()) {
+ BOOST_THROW_EXCEPTION(KeyChain::Error("TPM scheme `" + tpmScheme + "` is not supported"));
+ }
+
+ return std::make_tuple(tpmScheme, tpmLocation);
+}
+
+unique_ptr<Tpm>
+KeyChain::createTpm(const std::string& tpmLocator)
+{
+ std::string tpmScheme, tpmLocation;
+ std::tie(tpmScheme, tpmLocation) = parseAndCheckTpmLocator(tpmLocator);
+ auto tpmFactory = getTpmFactories().find(tpmScheme);
+ BOOST_ASSERT(tpmFactory != getTpmFactories().end());
+ return unique_ptr<Tpm>(new Tpm(tpmScheme, tpmLocation, tpmFactory->second(tpmLocation)));
+}
+
+// private: signing
+
+Certificate
+KeyChain::selfSign(Key& key)
+{
+ Certificate certificate;
+
+ // set name
+ Name certificateName = key.getName();
+ certificateName
+ .append("self")
+ .appendVersion();
+ certificate.setName(certificateName);
+
+ // set metainfo
+ certificate.setContentType(tlv::ContentType_Key);
+ certificate.setFreshnessPeriod(time::hours(1));
+
+ // set content
+ certificate.setContent(key.getPublicKey().buf(), key.getPublicKey().size());
+
+ // set signature-info
+ SignatureInfo sigInfo;
+ sigInfo.setKeyLocator(key.getName());
+ sigInfo.setSignatureType(getSignatureType(key.getKeyType(), DigestAlgorithm::SHA256));
+ sigInfo.setValidityPeriod(ValidityPeriod(time::system_clock::now(),
+ time::system_clock::now() + time::days(1000 * 3365)));
+ certificate.setSignature(Signature(sigInfo));
+
+ EncodingBuffer encoder;
+ certificate.wireEncode(encoder, true);
+ Block sigValue = sign(encoder.buf(), encoder.size(), key.getName(), DigestAlgorithm::SHA256);
+ certificate.wireEncode(encoder, sigValue);
+
+ key.addCertificate(certificate);
+ return certificate;
+}
+
+std::tuple<Name, SignatureInfo>
+KeyChain::prepareSignatureInfo(const SigningInfo& params)
+{
+ SignatureInfo sigInfo = params.getSignatureInfo();
+
+ Name identityName;
+ name::Component keyId;
+ Name certificateName;
+
+ pib::Identity identity;
+ pib::Key key;
+
+ switch (params.getSignerType()) {
+ case SigningInfo::SIGNER_TYPE_NULL: {
+ try {
+ identity = m_pib->getDefaultIdentity();
+ }
+ catch (const Pib::Error&) { // no default identity, use sha256 for signing.
+ sigInfo.setSignatureType(tlv::DigestSha256);
+ return std::make_tuple(SigningInfo::getDigestSha256Identity(), sigInfo);
+ }
+ break;
+ }
+ case SigningInfo::SIGNER_TYPE_ID: {
+ try {
+ identity = m_pib->getIdentity(params.getSignerName());
+ }
+ catch (const Pib::Error&) {
+ BOOST_THROW_EXCEPTION(InvalidSigningInfoError("Signing identity `" +
+ params.getSignerName().toUri() + "` does not exist"));
+ }
+ break;
+ }
+ case SigningInfo::SIGNER_TYPE_KEY: {
+ Name identityName = extractIdentityFromKeyName(params.getSignerName());
+
+ try {
+ identity = m_pib->getIdentity(identityName);
+ key = identity.getKey(params.getSignerName());
+ identity = Identity(); // we will use the PIB key instance, so reset identity;
+ }
+ catch (const Pib::Error&) {
+ BOOST_THROW_EXCEPTION(InvalidSigningInfoError("Signing key `" +
+ params.getSignerName().toUri() + "` does not exist"));
+ }
+ break;
+ }
+ case SigningInfo::SIGNER_TYPE_CERT: {
+ Name identityName = extractIdentityFromCertName(params.getSignerName());
+ Name keyName = extractKeyNameFromCertName(params.getSignerName());
+
+ try {
+ identity = m_pib->getIdentity(identityName);
+ key = identity.getKey(keyName);
+ }
+ catch (const Pib::Error&) {
+ BOOST_THROW_EXCEPTION(InvalidSigningInfoError("Signing certificate `" +
+ params.getSignerName().toUri() + "` does not exist"));
+ }
+
+ break;
+ }
+ case SigningInfo::SIGNER_TYPE_SHA256: {
+ sigInfo.setSignatureType(tlv::DigestSha256);
+ return std::make_tuple(SigningInfo::getDigestSha256Identity(), sigInfo);
+ }
+ default: {
+ BOOST_THROW_EXCEPTION(InvalidSigningInfoError("Unrecognized signer type " +
+ boost::lexical_cast<std::string>(params.getSignerType())));
+ }
+ }
+
+ if (!identity && !key) {
+ BOOST_THROW_EXCEPTION(InvalidSigningInfoError("Cannot determine signing parameters"));
+ }
+
+ if (identity && !key) {
+ try {
+ key = identity.getDefaultKey();
+ }
+ catch (const Pib::Error&) {
+ BOOST_THROW_EXCEPTION(InvalidSigningInfoError("Signing identity `" + identity.getName().toUri() +
+ "` does not have default certificate"));
+ }
+ }
+
+ BOOST_ASSERT(key);
+
+ sigInfo.setSignatureType(getSignatureType(key.getKeyType(), params.getDigestAlgorithm()));
+ sigInfo.setKeyLocator(KeyLocator(key.getName()));
+ return std::make_tuple(key.getName(), sigInfo);
+}
+
+Block
+KeyChain::sign(const uint8_t* buf, size_t size,
+ const Name& keyName, DigestAlgorithm digestAlgorithm) const
+{
+ if (keyName == SigningInfo::getDigestSha256Identity())
+ return Block(tlv::SignatureValue, crypto::sha256(buf, size));
+
+ return Block(tlv::SignatureValue, m_tpm->sign(buf, size, keyName, digestAlgorithm));
+}
+
+tlv::SignatureTypeValue
+KeyChain::getSignatureType(KeyType keyType, DigestAlgorithm digestAlgorithm)
+{
+ switch (keyType) {
+ case KeyType::RSA:
+ return tlv::SignatureSha256WithRsa;
+ case KeyType::EC:
+ return tlv::SignatureSha256WithEcdsa;
+ default:
+ BOOST_THROW_EXCEPTION(Error("Unsupported key types"));
+ }
+}
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
diff --git a/src/security/v2/key-chain.hpp b/src/security/v2/key-chain.hpp
new file mode 100644
index 0000000..ca394a5
--- /dev/null
+++ b/src/security/v2/key-chain.hpp
@@ -0,0 +1,508 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_SECURITY_V2_KEY_CHAIN_HPP
+#define NDN_SECURITY_V2_KEY_CHAIN_HPP
+
+#include "certificate.hpp"
+#include "../key-params.hpp"
+#include "../pib/pib.hpp"
+#include "../safe-bag.hpp"
+#include "../signing-info.hpp"
+#include "../tpm/tpm.hpp"
+#include "../../interest.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+/**
+ * @brief The interface of signing key management.
+ *
+ * The KeyChain class provides an interface to manage entities related to packet signing,
+ * such as Identity, Key, and Certificates. It consists of two parts: a private key module
+ * (TPM) and a public key information base (PIB). Managing signing key and its related
+ * entities through KeyChain interface guarantees the consistency between TPM and PIB.
+ */
+class KeyChain : noncopyable
+{
+public:
+ class Error : public std::runtime_error
+ {
+ public:
+ explicit
+ Error(const std::string& what)
+ : std::runtime_error(what)
+ {
+ }
+ };
+
+ /**
+ * @brief Error indicating that the supplied TPM locator does not match the locator stored in PIB.
+ */
+ class LocatorMismatchError : public Error
+ {
+ public:
+ explicit
+ LocatorMismatchError(const std::string& what)
+ : Error(what)
+ {
+ }
+ };
+
+ /**
+ * @brief Error indicating that the supplied SigningInfo is invalid.
+ */
+ class InvalidSigningInfoError : public Error
+ {
+ public:
+ explicit
+ InvalidSigningInfoError(const std::string& what)
+ : Error(what)
+ {
+ }
+ };
+
+ /**
+ * @brief Constructor to create KeyChain with default PIB and TPM.
+ *
+ * Default PIB and TPM are platform-dependent and can be overriden system-wide or
+ * individually for the user.
+ *
+ * @sa manpage ndn-client.conf
+ *
+ * @todo Add detailed description about config file behavior here
+ */
+ KeyChain();
+
+ /**
+ * @brief KeyChain constructor
+ *
+ * @sa manpage ndn-client.conf
+ *
+ * @param pibLocator PIB locator, e.g., pib-sqlite3:/example/dir
+ * @param tpmLocator TPM locator, e.g., tpm-memory:
+ * @param allowReset if true, the PIB will be reset when the supplied tpmLocator
+ * mismatches the one in PIB
+ */
+ KeyChain(const std::string& pibLocator, const std::string& tpmLocator, bool allowReset = false);
+
+ ~KeyChain();
+
+ const Pib&
+ getPib() const
+ {
+ return *m_pib;
+ }
+
+ const Tpm&
+ getTpm() const
+ {
+ return *m_tpm;
+ }
+
+public: // Identity management
+ /**
+ * @brief Create an identity @p identityName.
+ *
+ * This method will check if the identity exists in PIB and whether the identity has a
+ * default key and default certificate. If the identity does not exist, this method will
+ * create the identity in PIB. If the identity's default key does not exist, this method
+ * will create a key pair and set it as the identity's default key. If the key's default
+ * certificate is missing, this method will create a self-signed certificate for the key.
+ *
+ * If @p identityName did not exist and no default identity was selected before, the created
+ * identity will be set as the default identity
+ *
+ * @param identityName The name of the identity.
+ * @param params The key parameters if a key needs to be created for the identity (default:
+ * ECDSA key with random key id)
+ * @return The created Identity instance.
+ */
+ Identity
+ createIdentity(const Name& identityName, const KeyParams& params = getDefaultKeyParams());
+
+ /**
+ * @brief delete @p identity.
+ *
+ * @pre @p identity must be valid.
+ * @post @p identity becomes invalid.
+ */
+ void
+ deleteIdentity(const Identity& identity);
+
+ /**
+ * @brief Set @p identity as the default identity.
+ * @pre @p identity must be valid.
+ */
+ void
+ setDefaultIdentity(const Identity& identity);
+
+public: // Key management
+ /**
+ * @brief Create a key for @p identity according to @p params.
+ *
+ * @param identity reference to a valid Identity object
+ * @param params The key parameters if a key needs to be created for the identity (default:
+ * ECDSA key with random key id)
+ *
+ * If @p identity had no default key selected, the created key will be set as the default for
+ * this identity.
+ *
+ * This method will also create a self-signed certificate for the created key.
+ * @pre @p identity must be valid.
+ */
+ Key
+ createKey(const Identity& identity, const KeyParams& params = getDefaultKeyParams());
+
+ /**
+ * @brief Delete a key @p key of @p identity.
+ *
+ * @pre @p identity must be valid.
+ * @pre @p key must be valid.
+ * @post @p key becomes invalid.
+ * @throw std::invalid_argument @p key does not belong to @p identity
+ */
+ void
+ deleteKey(const Identity& identity, const Key& key);
+
+ /**
+ * @brief Set @p key as the default key of @p identity.
+ *
+ * @pre @p identity must be valid.
+ * @pre @p key must be valid.
+ * @throw std::invalid_argument @p key does not belong to @p identity
+ */
+ void
+ setDefaultKey(const Identity& identity, const Key& key);
+
+public: // Certificate management
+ /**
+ * @brief Add a certificate @p certificate for @p key
+ *
+ * If @p key had no default certificate selected, the added certificate will be set as the
+ * default certificate for this key.
+ *
+ * @note This method overwrites certificate with the same name, without considering the
+ * implicit digest.
+ *
+ * @pre @p key must be valid.
+ * @throw std::invalid_argument @p key does not match @p certificate
+ * @throw Pib::Error a certificate with the same name already exists
+ */
+ void
+ addCertificate(const Key& key, const Certificate& certificate);
+
+ /**
+ * @brief delete a certificate with name @p certificateName of @p key.
+ *
+ * If the certificate @p certificateName does not exist, this method has no effect.
+ *
+ * @pre @p key must be valid.
+ * @throw std::invalid_argument @p certificateName does not follow certificate naming convention.
+ */
+ void
+ deleteCertificate(const Key& key, const Name& certificateName);
+
+ /**
+ * @brief Set @p cert as the default certificate of @p key.
+ *
+ * The certificate @p cert will be added to the @p key, potentially overriding existing
+ * certificate if it has the same name (without considering implicit digest).
+ *
+ * @pre @p key must be valid.
+ */
+ void
+ setDefaultCertificate(const Key& key, const Certificate& cert);
+
+public: // signing
+ /**
+ * @brief Sign data according to the supplied signing information.
+ *
+ * This method uses the supplied signing information @p params to create the SignatureInfo block:
+ * - it selects a private key and its certificate to sign the packet
+ * - sets the KeyLocator field with the certificate name, and
+ * - adds other requested information to the SignatureInfo block.
+ *
+ * After that, the method assigns the created SignatureInfo to the data packets, generate a
+ * signature and sets as part of the SignatureValue block.
+ *
+ * @note The exception throwing semantics has changed from v1::KeyChain.
+ * If the requested identity/key/certificate does not exist, it will **not** be created
+ * and exception will be thrown.
+ *
+ * @param data The data to sign
+ * @param params The signing parameters.
+ * @throw Error signing fails
+ * @throw InvalidSigningInfoError invalid @p params is specified or specified identity, key,
+ * or certificate does not exist
+ * @see SigningInfo
+ */
+ void
+ sign(Data& data, const SigningInfo& params = getDefaultSigningInfo());
+
+ /**
+ * @brief Sign interest according to the supplied signing information
+ *
+ * This method uses the supplied signing information @p params to create the SignatureInfo block:
+ * - it selects a private key and its certificate to sign the packet
+ * - sets the KeyLocator field with the certificate name, and
+ * - adds other requested information to the SignatureInfo block.
+ *
+ * After that, the method appends the created SignatureInfo to the interest name, generate a
+ * signature and appends it as part of the SignatureValue block to the interest name.
+ *
+ * @note The exception throwing semantics has changed from v1::KeyChain. If the requested
+ * identity/key/certificate does not exist, it will **not** be created and exception
+ * will be thrown.
+ *
+ * @param interest The interest to sign
+ * @param params The signing parameters.
+ * @throw Error signing fails
+ * @throw InvalidSigningInfoError invalid @p params is specified or specified identity, key,
+ * or certificate does not exist
+ * @see SigningInfo
+ * @see docs/specs/signed-interest.rst
+ */
+ void
+ sign(Interest& interest, const SigningInfo& params = getDefaultSigningInfo());
+
+ /**
+ * @brief Sign buffer according to the supplied signing information @p params
+ *
+ * If @p params refers to an identity, the method selects the default key of the identity.
+ * If @p params refers to a key or certificate, the method select the corresponding key.
+ *
+ * @param buffer The buffer to sign
+ * @param bufferLength The buffer size
+ * @param params The signing parameters.
+ * @return a SignatureValue TLV block
+ * @throw Error signing fails
+ * @see SigningInfo
+ */
+ Block
+ sign(const uint8_t* buffer, size_t bufferLength, const SigningInfo& params = getDefaultSigningInfo());
+
+public: // export & import
+ /**
+ * @brief export a certificate of name @p certificateName and its corresponding private key.
+ *
+ * @param certificate The certificate to export.
+ * @param pw The password to secure the private key.
+ * @param pwLen The length of password.
+ * @return A SafeBag carrying the certificate and encrypted private key.
+ * @throw Error the certificate or private key does not exist
+ */
+ shared_ptr<SafeBag>
+ exportSafeBag(const Certificate& certificate, const char* pw, size_t pwLen);
+
+ /**
+ * @brief Import a pair of certificate and its corresponding private key encapsulated in a SafeBag.
+ *
+ * If the certificate and key are imported properly, the default setting will be updated as if
+ * a new key and certificate is added into KeyChain.
+ *
+ * @param safeBag The encoded data to import.
+ * @param pw The password to secure the private key.
+ * @param pwLen The length of password.
+ * @throw Error any of following conditions:
+ * - the safebag cannot be decoded or its content does not match;
+ * - private key cannot be imported;
+ * - a private/public key of the same name already exists;
+ * - a certificate of the same name already exists.
+ */
+ void
+ importSafeBag(const SafeBag& safeBag, const char* pw, size_t pwLen);
+
+NDN_CXX_PUBLIC_WITH_TESTS_ELSE_PRIVATE:
+ /**
+ * @brief Derive SignatureTypeValue according to key type and digest algorithm.
+ */
+ static tlv::SignatureTypeValue
+ getSignatureType(KeyType keyType, DigestAlgorithm digestAlgorithm);
+
+public: // PIB & TPM backend registry
+ /**
+ * @brief Register a new PIB backend
+ * @param scheme Name for the registered PIB backend scheme
+ *
+ * @note This interface is implementation detail and may change without notice.
+ */
+ template<class PibBackendType>
+ static void
+ registerPibBackend(const std::string& scheme);
+
+ /**
+ * @brief Register a new TPM backend
+ * @param scheme Name for the registered TPM backend scheme
+ *
+ * @note This interface is implementation detail and may change without notice.
+ */
+ template<class TpmBackendType>
+ static void
+ registerTpmBackend(const std::string& scheme);
+
+private:
+ typedef std::map<std::string, function<unique_ptr<pib::PibImpl>(const std::string& location)>> PibFactories;
+ typedef std::map<std::string, function<unique_ptr<tpm::BackEnd>(const std::string& location)>> TpmFactories;
+
+ static PibFactories&
+ getPibFactories();
+
+ static TpmFactories&
+ getTpmFactories();
+
+ static std::tuple<std::string/*type*/, std::string/*location*/>
+ parseAndCheckPibLocator(const std::string& pibLocator);
+
+ static std::tuple<std::string/*type*/, std::string/*location*/>
+ parseAndCheckTpmLocator(const std::string& tpmLocator);
+
+ static const std::string&
+ getDefaultPibScheme();
+
+ static const std::string&
+ getDefaultTpmScheme();
+
+ /**
+ * @brief Create a PIB according to @p pibLocator
+ */
+ static unique_ptr<Pib>
+ createPib(const std::string& pibLocator);
+
+ /**
+ * @brief Create a TPM according to @p tpmLocator
+ */
+ static unique_ptr<Tpm>
+ createTpm(const std::string& tpmLocator);
+
+NDN_CXX_PUBLIC_WITH_TESTS_ELSE_PRIVATE:
+ static const std::string&
+ getDefaultPibLocator();
+
+ static const std::string&
+ getDefaultTpmLocator();
+
+private: // signing
+ /**
+ * @brief Generate a self-signed certificate for a public key.
+ *
+ * The self-signed certificate will also be added into PIB
+ *
+ * @param keyName The name of the public key
+ * @return The generated certificate
+ */
+ Certificate
+ selfSign(Key& key);
+
+ /**
+ * @brief Prepare a SignatureInfo TLV according to signing information and return the signing
+ * key name
+ *
+ * @param sigInfo The SignatureInfo to prepare.
+ * @param params The signing parameters.
+ * @return The signing key name and prepared SignatureInfo.
+ * @throw InvalidSigningInfoError when the requested signing method cannot be satisfied.
+ */
+ std::tuple<Name, SignatureInfo>
+ prepareSignatureInfo(const SigningInfo& params);
+
+ /**
+ * @brief Generate a SignatureValue block for a buffer @p buf with size @p size using
+ * a key with name @p keyName and digest algorithm @p digestAlgorithm.
+ */
+ Block
+ sign(const uint8_t* buf, size_t size, const Name& keyName, DigestAlgorithm digestAlgorithm) const;
+
+public:
+ static const SigningInfo&
+ getDefaultSigningInfo();
+
+ static const KeyParams&
+ getDefaultKeyParams();
+
+private:
+ std::unique_ptr<Pib> m_pib;
+ std::unique_ptr<Tpm> m_tpm;
+
+ static std::string s_defaultPibLocator;
+ static std::string s_defaultTpmLocator;
+};
+
+template<class PibType>
+inline void
+KeyChain::registerPibBackend(const std::string& scheme)
+{
+ getPibFactories().emplace(scheme, [] (const std::string& locator) {
+ return unique_ptr<pib::PibImpl>(new PibType(locator));
+ });
+}
+
+template<class TpmType>
+inline void
+KeyChain::registerTpmBackend(const std::string& scheme)
+{
+ getTpmFactories().emplace(scheme, [] (const std::string& locator) {
+ return unique_ptr<tpm::BackEnd>(new TpmType(locator));
+ });
+}
+
+/**
+ * @brief Register Pib backend class in KeyChain
+ *
+ * This macro should be placed once in the implementation file of the
+ * Pib backend class within the namespace where the type is declared.
+ *
+ * @note This interface is implementation detail and may change without notice.
+ */
+#define NDN_CXX_V2_KEYCHAIN_REGISTER_PIB_BACKEND(PibType) \
+static class NdnCxxAuto ## PibType ## PibRegistrationClass \
+{ \
+public: \
+ NdnCxxAuto ## PibType ## PibRegistrationClass() \
+ { \
+ ::ndn::security::v2::KeyChain::registerPibBackend<PibType>(PibType::getScheme()); \
+ } \
+} ndnCxxAuto ## PibType ## PibRegistrationVariable
+
+/**
+ * @brief Register Tpm backend class in KeyChain
+ *
+ * This macro should be placed once in the implementation file of the
+ * Tpm backend class within the namespace where the type is declared.
+ *
+ * @note This interface is implementation detail and may change without notice.
+ */
+#define NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND(TpmType) \
+static class NdnCxxAuto ## TpmType ## TpmRegistrationClass \
+{ \
+public: \
+ NdnCxxAuto ## TpmType ## TpmRegistrationClass() \
+ { \
+ ::ndn::security::v2::KeyChain::registerTpmBackend<TpmType>(TpmType::getScheme()); \
+ } \
+} ndnCxxAuto ## TpmType ## TpmRegistrationVariable
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_KEY_CHAIN_HPP