Jeff Thompson | 25b4e61 | 2013-10-10 16:03:24 -0700 | [diff] [blame] | 1 | /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */ |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 2 | /** |
Jeff Thompson | 7687dc0 | 2013-09-13 11:54:07 -0700 | [diff] [blame] | 3 | * Copyright (C) 2013 Regents of the University of California. |
| 4 | * @author: Jeff Thompson <jefft0@remap.ucla.edu> |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 5 | * See COPYING for copyright and distribution information. |
| 6 | */ |
| 7 | |
Jeff Thompson | 7a67cb6 | 2013-08-26 11:43:18 -0700 | [diff] [blame] | 8 | #include "../c/util/crypto.h" |
| 9 | #include "../c/encoding/binary-xml-data.h" |
| 10 | #include "../encoding/binary-xml-encoder.hpp" |
Jeff Thompson | 25b4e61 | 2013-10-10 16:03:24 -0700 | [diff] [blame] | 11 | #include <ndn-cpp/sha256-with-rsa-signature.hpp> |
Jeff Thompson | 9296f0c | 2013-09-23 18:10:27 -0700 | [diff] [blame] | 12 | #include "../util/logging.hpp" |
Jeff Thompson | 25b4e61 | 2013-10-10 16:03:24 -0700 | [diff] [blame] | 13 | #include <ndn-cpp/security/security-exception.hpp> |
| 14 | #include <ndn-cpp/security/policy/policy-manager.hpp> |
| 15 | #include <ndn-cpp/security/key-chain.hpp> |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 16 | |
| 17 | using namespace std; |
Jeff Thompson | d4144fe | 2013-09-18 15:59:57 -0700 | [diff] [blame] | 18 | using namespace ndn::ptr_lib; |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 19 | |
| 20 | namespace ndn { |
| 21 | |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 22 | #if 1 |
Jeff Thompson | 10ad12a | 2013-09-24 16:19:11 -0700 | [diff] [blame] | 23 | static uint8_t DEFAULT_PUBLIC_KEY_DER[] = { |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 24 | 0x30, 0x81, 0x9F, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, |
| 25 | 0x8D, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xE1, 0x7D, 0x30, 0xA7, 0xD8, 0x28, 0xAB, 0x1B, 0x84, 0x0B, 0x17, |
| 26 | 0x54, 0x2D, 0xCA, 0xF6, 0x20, 0x7A, 0xFD, 0x22, 0x1E, 0x08, 0x6B, 0x2A, 0x60, 0xD1, 0x6C, 0xB7, 0xF5, 0x44, 0x48, 0xBA, |
| 27 | 0x9F, 0x3F, 0x08, 0xBC, 0xD0, 0x99, 0xDB, 0x21, 0xDD, 0x16, 0x2A, 0x77, 0x9E, 0x61, 0xAA, 0x89, 0xEE, 0xE5, 0x54, 0xD3, |
| 28 | 0xA4, 0x7D, 0xE2, 0x30, 0xBC, 0x7A, 0xC5, 0x90, 0xD5, 0x24, 0x06, 0x7C, 0x38, 0x98, 0xBB, 0xA6, 0xF5, 0xDC, 0x43, 0x60, |
| 29 | 0xB8, 0x45, 0xED, 0xA4, 0x8C, 0xBD, 0x9C, 0xF1, 0x26, 0xA7, 0x23, 0x44, 0x5F, 0x0E, 0x19, 0x52, 0xD7, 0x32, 0x5A, 0x75, |
| 30 | 0xFA, 0xF5, 0x56, 0x14, 0x4F, 0x9A, 0x98, 0xAF, 0x71, 0x86, 0xB0, 0x27, 0x86, 0x85, 0xB8, 0xE2, 0xC0, 0x8B, 0xEA, 0x87, |
| 31 | 0x17, 0x1B, 0x4D, 0xEE, 0x58, 0x5C, 0x18, 0x28, 0x29, 0x5B, 0x53, 0x95, 0xEB, 0x4A, 0x17, 0x77, 0x9F, 0x02, 0x03, 0x01, |
| 32 | 0x00, 01 |
| 33 | }; |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 34 | #endif |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 35 | |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 36 | KeyChain::KeyChain(const shared_ptr<IdentityManager>& identityManager, const shared_ptr<PolicyManager>& policyManager) |
| 37 | : identityManager_(identityManager), policyManager_(policyManager), face_(0), maxSteps_(100) |
Jeff Thompson | 9296f0c | 2013-09-23 18:10:27 -0700 | [diff] [blame] | 38 | { |
| 39 | } |
| 40 | |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 41 | static bool |
| 42 | verifySignature(const Data& data /*, const Publickey& publickey */) |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 43 | { |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 44 | #if 0 |
| 45 | using namespace CryptoPP; |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 46 | |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 47 | Blob unsignedData(data.getSignedBlob()->signed_buf(), data.getSignedBlob()->signed_size()); |
| 48 | bool result = false; |
| 49 | |
| 50 | // Temporarily hardwire. It should be assigned by Signature.getAlgorithm(). |
| 51 | DigestAlgorithm digestAlg = DIGEST_SHA256; |
| 52 | // Temporarily hardwire. It should be assigned by Publickey.getKeyType(). |
| 53 | KeyType keyType = KEY_TYPE_RSA; |
| 54 | if (keyType == KEY_TYPE_RSA) { |
| 55 | RSA::PublicKey pubKey; |
| 56 | ByteQueue queue; |
Jeff Thompson | 3df8137 | 2013-08-09 12:02:37 -0700 | [diff] [blame] | 57 | |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 58 | queue.Put((const byte*)publickey.getKeyBlob ().buf (), publickey.getKeyBlob ().size ()); |
| 59 | pubKey.Load(queue); |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 60 | |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 61 | if (DIGEST_SHA256 == digestAlg) { |
| 62 | Ptr<const signature::Sha256WithRsa> sigPtr = boost::dynamic_pointer_cast<const signature::Sha256WithRsa> (data.getSignature()); |
| 63 | const Blob & sigBits = sigPtr->getSignatureBits(); |
Jeff Thompson | 3c73da4 | 2013-08-12 11:19:05 -0700 | [diff] [blame] | 64 | |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 65 | RSASS<PKCS1v15, SHA256>::Verifier verifier (pubKey); |
| 66 | result = verifier.VerifyMessage((const byte*) unsignedData.buf(), unsignedData.size(), (const byte*)sigBits.buf(), sigBits.size()); |
| 67 | _LOG_DEBUG("Signature verified? " << data.getName() << " " << boolalpha << result); |
| 68 | } |
| 69 | } |
| 70 | |
| 71 | return result; |
| 72 | #else |
| 73 | const Sha256WithRsaSignature *signature = dynamic_cast<const Sha256WithRsaSignature*>(data.getSignature()); |
Jeff Thompson | 20af073 | 2013-09-12 17:01:45 -0700 | [diff] [blame] | 74 | if (!signature) |
Jeff Thompson | 9296f0c | 2013-09-23 18:10:27 -0700 | [diff] [blame] | 75 | throw SecurityException("signature is not Sha256WithRsaSignature."); |
Jeff Thompson | 20af073 | 2013-09-12 17:01:45 -0700 | [diff] [blame] | 76 | |
| 77 | if (signature->getDigestAlgorithm().size() != 0) |
Jeff Thompson | 1e90d8c | 2013-08-12 16:09:25 -0700 | [diff] [blame] | 78 | // TODO: Allow a non-default digest algorithm. |
Jeff Thompson | 9296f0c | 2013-09-23 18:10:27 -0700 | [diff] [blame] | 79 | throw UnrecognizedDigestAlgorithmException("Cannot verify a data packet with a non-default digest algorithm."); |
Jeff Thompson | f1ffba8 | 2013-10-19 17:57:12 -0700 | [diff] [blame] | 80 | if (!data.getDefaultWireEncoding()) |
| 81 | data.wireEncode(); |
| 82 | uint8_t signedPortionDigest[SHA256_DIGEST_LENGTH]; |
| 83 | ndn_digestSha256(data.getDefaultWireEncoding().signedBuf(), data.getDefaultWireEncoding().signedSize(), signedPortionDigest); |
Jeff Thompson | 1e90d8c | 2013-08-12 16:09:25 -0700 | [diff] [blame] | 84 | |
Jeff Thompson | 9c66170 | 2013-09-13 14:35:44 -0700 | [diff] [blame] | 85 | // Verify the signedPortionDigest. |
Jeff Thompson | 192e86b | 2013-08-13 11:34:24 -0700 | [diff] [blame] | 86 | // Use a temporary pointer since d2i updates it. |
Jeff Thompson | 10ad12a | 2013-09-24 16:19:11 -0700 | [diff] [blame] | 87 | const uint8_t *derPointer = DEFAULT_PUBLIC_KEY_DER; |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 88 | RSA *publicKey = d2i_RSA_PUBKEY(NULL, &derPointer, sizeof(DEFAULT_PUBLIC_KEY_DER)); |
Jeff Thompson | 1e90d8c | 2013-08-12 16:09:25 -0700 | [diff] [blame] | 89 | if (!publicKey) |
Jeff Thompson | 9296f0c | 2013-09-23 18:10:27 -0700 | [diff] [blame] | 90 | throw UnrecognizedKeyFormatException("Error decoding public key in d2i_RSAPublicKey"); |
Jeff Thompson | 1e90d8c | 2013-08-12 16:09:25 -0700 | [diff] [blame] | 91 | int success = RSA_verify |
Jeff Thompson | 10ad12a | 2013-09-24 16:19:11 -0700 | [diff] [blame] | 92 | (NID_sha256, signedPortionDigest, sizeof(signedPortionDigest), (uint8_t *)signature->getSignature().buf(), |
Jeff Thompson | 20af073 | 2013-09-12 17:01:45 -0700 | [diff] [blame] | 93 | signature->getSignature().size(), publicKey); |
Jeff Thompson | 1e90d8c | 2013-08-12 16:09:25 -0700 | [diff] [blame] | 94 | // Free the public key before checking for success. |
| 95 | RSA_free(publicKey); |
| 96 | |
| 97 | return (success == 1); |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 98 | #endif |
| 99 | } |
| 100 | |
| 101 | void |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 102 | KeyChain::sign(Data& data, const Name& certificateName, WireFormat& wireFormat) |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 103 | { |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 104 | identityManager_->signByCertificate(data, certificateName, wireFormat); |
| 105 | } |
| 106 | |
Jeff Thompson | c01e178 | 2013-10-21 14:08:42 -0700 | [diff] [blame] | 107 | shared_ptr<Signature> |
| 108 | KeyChain::sign(const uint8_t* buffer, size_t bufferLength, const Name& certificateName) |
| 109 | { |
| 110 | return identityManager_->signByCertificate(buffer, bufferLength, certificateName); |
| 111 | } |
| 112 | |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 113 | void |
| 114 | KeyChain::signByIdentity(Data& data, const Name& identityName, WireFormat& wireFormat) |
| 115 | { |
| 116 | Name signingCertificateName; |
Jeff Thompson | 9296f0c | 2013-09-23 18:10:27 -0700 | [diff] [blame] | 117 | |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 118 | if (identityName.getComponentCount() == 0) { |
| 119 | Name inferredIdentity = policyManager_->inferSigningIdentity(data.getName()); |
| 120 | if (inferredIdentity.getComponentCount() == 0) |
| 121 | signingCertificateName = identityManager_->getDefaultCertificateName(); |
| 122 | else |
| 123 | signingCertificateName = identityManager_->getDefaultCertificateNameForIdentity(inferredIdentity); |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 124 | } |
Jeff Thompson | 9296f0c | 2013-09-23 18:10:27 -0700 | [diff] [blame] | 125 | else |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 126 | signingCertificateName = identityManager_->getDefaultCertificateNameForIdentity(identityName); |
| 127 | |
| 128 | if (signingCertificateName.getComponentCount() == 0) |
| 129 | throw SecurityException("No qualified certificate name found!"); |
| 130 | |
| 131 | if (!policyManager_->checkSigningPolicy(data.getName(), signingCertificateName)) |
Jeff Thompson | 9296f0c | 2013-09-23 18:10:27 -0700 | [diff] [blame] | 132 | throw SecurityException("Signing Cert name does not comply with signing policy"); |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 133 | |
Jeff Thompson | 56e6265 | 2013-10-31 16:13:25 -0700 | [diff] [blame^] | 134 | identityManager_->signByCertificate(data, signingCertificateName, wireFormat); |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 135 | } |
| 136 | |
Jeff Thompson | e9ffe79 | 2013-10-22 10:58:48 -0700 | [diff] [blame] | 137 | shared_ptr<Signature> |
| 138 | KeyChain::signByIdentity(const uint8_t* buffer, size_t bufferLength, const Name& identityName) |
| 139 | { |
| 140 | Name signingCertificateName = identityManager_->getDefaultCertificateNameForIdentity(identityName); |
Jeff Thompson | c01e178 | 2013-10-21 14:08:42 -0700 | [diff] [blame] | 141 | |
Jeff Thompson | e9ffe79 | 2013-10-22 10:58:48 -0700 | [diff] [blame] | 142 | if (signingCertificateName.size() == 0) |
| 143 | throw SecurityException("No qualified certificate name found!"); |
Jeff Thompson | c01e178 | 2013-10-21 14:08:42 -0700 | [diff] [blame] | 144 | |
Jeff Thompson | e9ffe79 | 2013-10-22 10:58:48 -0700 | [diff] [blame] | 145 | return identityManager_->signByCertificate(buffer, bufferLength, signingCertificateName); |
| 146 | } |
Jeff Thompson | c01e178 | 2013-10-21 14:08:42 -0700 | [diff] [blame] | 147 | |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 148 | void |
Jeff Thompson | 7c5d231 | 2013-09-25 16:07:15 -0700 | [diff] [blame] | 149 | KeyChain::verifyData |
| 150 | (const shared_ptr<Data>& data, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed, int stepCount) |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 151 | { |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 152 | _LOG_TRACE("Enter Verify"); |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 153 | |
| 154 | #if 0 |
| 155 | if (m_policyManager->requireVerify(*dataPtr)) |
Jeff Thompson | 7ff36fe | 2013-10-16 15:30:13 -0700 | [diff] [blame] | 156 | stepVerify(dataPtr, true, maxStep_, onVerified, onVerifyFailed); |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 157 | else if(m_policyManager->skipVerify(*dataPtr)) |
| 158 | #else |
| 159 | if (verifySignature(*data)) |
| 160 | #endif |
| 161 | onVerified(data); |
| 162 | else |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 163 | onVerifyFailed(data); |
Jeff Thompson | 1e90d8c | 2013-08-12 16:09:25 -0700 | [diff] [blame] | 164 | } |
| 165 | |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 166 | } |