Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 1 | /** |
Jeff Thompson | 7687dc0 | 2013-09-13 11:54:07 -0700 | [diff] [blame] | 2 | * Copyright (C) 2013 Regents of the University of California. |
| 3 | * @author: Jeff Thompson <jefft0@remap.ucla.edu> |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 4 | * See COPYING for copyright and distribution information. |
| 5 | */ |
| 6 | |
| 7 | #ifndef NDN_KEY_CHAIN_HPP |
Jeff Thompson | 2d27e2f | 2013-08-09 12:55:00 -0700 | [diff] [blame] | 8 | #define NDN_KEY_CHAIN_HPP |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 9 | |
Jeff Thompson | 7a67cb6 | 2013-08-26 11:43:18 -0700 | [diff] [blame] | 10 | #include "../data.hpp" |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 11 | #include "../face.hpp" |
| 12 | #include "identity/identity-manager.hpp" |
Jeff Thompson | 79a2d5d | 2013-09-27 14:32:23 -0700 | [diff] [blame^] | 13 | #include "encryption/encryption-manager.hpp" |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 14 | |
| 15 | namespace ndn { |
| 16 | |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 17 | class PolicyManager; |
| 18 | |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 19 | /** |
| 20 | * An OnVerified function object is used to pass a callback to verifyData to report a successful verification. |
| 21 | */ |
| 22 | typedef func_lib::function<void(const ptr_lib::shared_ptr<Data>& data)> OnVerified; |
| 23 | |
| 24 | /** |
| 25 | * An OnVerifyFailed function object is used to pass a callback to verifyData to report a failed verification. |
| 26 | */ |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 27 | typedef func_lib::function<void(const ptr_lib::shared_ptr<Data>& data)> OnVerifyFailed; |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 28 | |
Jeff Thompson | ffa36f9 | 2013-09-20 08:42:41 -0700 | [diff] [blame] | 29 | /** |
Jeff Thompson | 79a2d5d | 2013-09-27 14:32:23 -0700 | [diff] [blame^] | 30 | * Keychain is the main class of the security library. |
Jeff Thompson | ffa36f9 | 2013-09-20 08:42:41 -0700 | [diff] [blame] | 31 | * |
| 32 | * The Keychain class provides a set of interfaces to the security library such as identity management, policy configuration |
| 33 | * and packet signing and verification. |
| 34 | */ |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 35 | class KeyChain { |
| 36 | public: |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 37 | KeyChain |
| 38 | (const ptr_lib::shared_ptr<IdentityManager>& identityManager, const ptr_lib::shared_ptr<PolicyManager>& policyManager); |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 39 | |
Jeff Thompson | 79a2d5d | 2013-09-27 14:32:23 -0700 | [diff] [blame^] | 40 | /***************************************** |
| 41 | * Identity Management * |
| 42 | *****************************************/ |
| 43 | |
| 44 | #if 0 |
| 45 | /** |
| 46 | * Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed certificate of the KSK. |
| 47 | * @param identityName The name of the identity. |
| 48 | * @return The key name of the auto-generated KSK of the identity. |
| 49 | */ |
| 50 | Name |
| 51 | createIdentity(const Name& identityName) |
| 52 | { |
| 53 | return identityManager_->createIdentity(identityName); |
| 54 | } |
| 55 | #endif |
| 56 | |
| 57 | /** |
| 58 | * Get the default identity. |
| 59 | * @return The default identity name. |
| 60 | */ |
| 61 | Name |
| 62 | getDefaultIdentity() |
| 63 | { |
| 64 | return identityManager_->getDefaultIdentity(); |
| 65 | } |
| 66 | |
| 67 | #if 0 |
| 68 | /** |
| 69 | * Generate a pair of RSA keys for the specified identity |
| 70 | * @param identity the name of the identity |
| 71 | * @param ksk create a KSK or not, true for KSK, false for DSK |
| 72 | * @param keySize the size of the key |
| 73 | * @return the generated key name |
| 74 | */ |
| 75 | Name |
| 76 | generateRSAKeyPair (const Name& identity, bool ksk = false, int keySize = 2048); |
| 77 | |
| 78 | /** |
| 79 | * Set a key as the default key of an identity |
| 80 | * @param keyName the name of the key |
| 81 | * @param identity the name of the identity, if not specified the identity name can be inferred from the keyName |
| 82 | */ |
| 83 | void |
| 84 | setDefaultKeyForIdentity (const Name& keyName, const Name& identity = Name()); |
| 85 | |
| 86 | /** |
| 87 | * Generate a pair of RSA keys for the specified identity and set it as default key of the identity |
| 88 | * @param identity the name of the identity |
| 89 | * @param ksk create a KSK or not, true for KSK, false for DSK |
| 90 | * @param keySize the size of the key |
| 91 | * @return the generated key name |
| 92 | */ |
| 93 | Name |
| 94 | generateRSAKeyPairAsDefault (const Name& identity, bool ksk = false, int keySize = 2048); |
| 95 | |
| 96 | /** |
| 97 | * Create a public key signing request |
| 98 | * @param keyName the name of the key |
| 99 | * @returns signing request blob |
| 100 | */ |
| 101 | Ptr<Blob> |
| 102 | createSigningRequest(const Name& keyName); |
| 103 | |
| 104 | /** |
| 105 | * Install a certificate into identity |
| 106 | * @param certificate the certificate in terms of Data packet |
| 107 | */ |
| 108 | void |
| 109 | installCertificate(Ptr<Certificate> certificate); |
| 110 | |
| 111 | /** |
| 112 | * Set a certificate as the default certificate name of the corresponding key |
| 113 | * @param certificateName the name of the certificate |
| 114 | */ |
| 115 | void |
| 116 | setDefaultCertificateForKey(const Name& certificateName); |
| 117 | |
| 118 | /** |
| 119 | * Get certificate |
| 120 | * @param certificateName name of the certificate |
| 121 | * @returns certificate that is valid |
| 122 | */ |
| 123 | Ptr<Certificate> |
| 124 | getCertificate(const Name& certificateName); |
| 125 | |
| 126 | /** |
| 127 | * Get certificate even if it is not valid |
| 128 | * @param certificateName name of the certificate |
| 129 | * @returns certificate that is valid |
| 130 | */ |
| 131 | Ptr<Certificate> |
| 132 | getAnyCertificate(const Name& certName); |
| 133 | |
| 134 | /** |
| 135 | * Revoke a key |
| 136 | * @param keyName the name of the key that will be revoked |
| 137 | */ |
| 138 | void |
| 139 | revokeKey(const Name & keyName); |
| 140 | |
| 141 | /** |
| 142 | * Revoke a certificate |
| 143 | * @param certificateName the name of the certificate that will be revoked |
| 144 | */ |
| 145 | void |
| 146 | revokeCertificate(const Name & certificateName); |
| 147 | #endif |
| 148 | |
| 149 | /***************************************** |
| 150 | * Policy Management * |
| 151 | *****************************************/ |
| 152 | |
| 153 | const ptr_lib::shared_ptr<PolicyManager>& |
| 154 | getPolicyManager() { return policyManager_; } |
| 155 | |
| 156 | /***************************************** |
| 157 | * Sign/Verify * |
| 158 | *****************************************/ |
| 159 | |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 160 | /** |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 161 | * Wire encode the Data object, sign it and set its signature. |
Jeff Thompson | ade5b1e | 2013-08-09 12:16:45 -0700 | [diff] [blame] | 162 | * Note: the caller must make sure the timestamp is correct, for example with |
Jeff Thompson | fec716d | 2013-09-11 13:54:36 -0700 | [diff] [blame] | 163 | * data.getMetaInfo().setTimestampMilliseconds(time(NULL) * 1000.0). |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 164 | * @param data The Data object to be signed. This updates its signature and key locator field and wireEncoding. |
Jeff Thompson | 9296f0c | 2013-09-23 18:10:27 -0700 | [diff] [blame] | 165 | * @param certificateName The certificate name of the key to use for signing. If omitted, infer the signing identity from the data packet name. |
Jeff Thompson | 8d24fe1 | 2013-09-18 15:54:51 -0700 | [diff] [blame] | 166 | * @param wireFormat A WireFormat object used to encode the input. If omitted, use WireFormat getDefaultWireFormat(). |
Jeff Thompson | 3c73da4 | 2013-08-12 11:19:05 -0700 | [diff] [blame] | 167 | */ |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 168 | void |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 169 | sign(Data& data, const Name& certificateName, WireFormat& wireFormat = *WireFormat::getDefaultWireFormat()); |
Jeff Thompson | 79a2d5d | 2013-09-27 14:32:23 -0700 | [diff] [blame^] | 170 | |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 171 | /** |
| 172 | * Wire encode the Data object, sign it and set its signature. |
| 173 | * Note: the caller must make sure the timestamp is correct, for example with |
| 174 | * data.getMetaInfo().setTimestampMilliseconds(time(NULL) * 1000.0). |
| 175 | * @param data The Data object to be signed. This updates its signature and key locator field and wireEncoding. |
| 176 | * @param identityName The identity name for the key to use for signing. If omitted, infer the signing identity from the data packet name. |
| 177 | * @param wireFormat A WireFormat object used to encode the input. If omitted, use WireFormat getDefaultWireFormat(). |
| 178 | */ |
| 179 | void |
| 180 | signByIdentity(Data& data, const Name& identityName = Name(), WireFormat& wireFormat = *WireFormat::getDefaultWireFormat()); |
Jeff Thompson | 3c73da4 | 2013-08-12 11:19:05 -0700 | [diff] [blame] | 181 | |
| 182 | /** |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 183 | * Check the signature on the Data object and call either onVerify or onVerifyFailed. |
| 184 | * We use callback functions because verify may fetch information to check the signature. |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 185 | * @param data The Data object with the signature to check. It is an error if data does not have a wireEncoding. |
| 186 | * To set the wireEncoding, you can call data.wireDecode. |
| 187 | * @param onVerified If the signature is verified, this calls onVerified(data). |
| 188 | * @param onVerifyFailed If the signature check fails, this calls onVerifyFailed(data). |
Jeff Thompson | 8efe5ad | 2013-08-20 17:36:38 -0700 | [diff] [blame] | 189 | */ |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 190 | void |
Jeff Thompson | 7c5d231 | 2013-09-25 16:07:15 -0700 | [diff] [blame] | 191 | verifyData |
| 192 | (const ptr_lib::shared_ptr<Data>& data, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed, int stepCount = 0); |
Jeff Thompson | 8efe5ad | 2013-08-20 17:36:38 -0700 | [diff] [blame] | 193 | |
Jeff Thompson | 79a2d5d | 2013-09-27 14:32:23 -0700 | [diff] [blame^] | 194 | /***************************************** |
| 195 | * Encrypt/Decrypt * |
| 196 | *****************************************/ |
| 197 | |
| 198 | /** |
| 199 | * Generate a symmetric key. |
| 200 | * @param keyName The name of the generated key. |
| 201 | * @param keyType The type of the key, e.g. KEY_TYPE_AES |
| 202 | */ |
| 203 | void |
| 204 | generateSymmetricKey(const Name& keyName, KeyType keyType) |
| 205 | { |
| 206 | encryptionManager_->createSymmetricKey(keyName, keyType); |
| 207 | } |
| 208 | |
| 209 | /** |
| 210 | * Encrypt a byte array. |
| 211 | * @param keyName The name of the encrypting key. |
| 212 | * @param data The byte array that will be encrypted. |
| 213 | * @param dataLength The length of data. |
| 214 | * @param useSymmetric If true then symmetric encryption is used, otherwise asymmetric encryption is used. |
| 215 | * @param encryptMode the encryption mode |
| 216 | * @return the encrypted data as an immutable Blob. |
| 217 | */ |
| 218 | Blob |
| 219 | encrypt(const Name &keyName, const uint8_t* data, size_t dataLength, bool useSymmetric = true, |
| 220 | EncryptMode encryptMode = ENCRYPT_MODE_DEFAULT) |
| 221 | { |
| 222 | return encryptionManager_->encrypt(keyName, data, dataLength, useSymmetric, encryptMode); |
| 223 | } |
| 224 | |
| 225 | /** |
| 226 | * Decrypt a byte array. |
| 227 | * @param keyName The name of the decrypting key. |
| 228 | * @param data The byte array that will be decrypted. |
| 229 | * @param dataLength The length of data. |
| 230 | * @param useSymmetric If true then symmetric encryption is used, otherwise asymmetric encryption is used. |
| 231 | * @param encryptMode the encryption mode |
| 232 | * @return the decrypted data as an immutable Blob. |
| 233 | */ |
| 234 | Blob |
| 235 | decrypt(const Name &keyName, const uint8_t* data, size_t dataLength, bool useSymmetric = true, |
| 236 | EncryptMode encryptMode = ENCRYPT_MODE_DEFAULT) |
| 237 | { |
| 238 | return encryptionManager_->decrypt(keyName, data, dataLength, useSymmetric, encryptMode); |
| 239 | } |
| 240 | |
Jeff Thompson | 8efe5ad | 2013-08-20 17:36:38 -0700 | [diff] [blame] | 241 | /** |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 242 | * Set the Face which will be used to fetch required certificates. |
| 243 | * @param face A pointer to the Face object. |
Jeff Thompson | 1e90d8c | 2013-08-12 16:09:25 -0700 | [diff] [blame] | 244 | */ |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 245 | void |
| 246 | setFace(Face* face) { face_ = face; } |
| 247 | |
| 248 | private: |
Jeff Thompson | 40f361a | 2013-09-25 13:12:48 -0700 | [diff] [blame] | 249 | ptr_lib::shared_ptr<IdentityManager> identityManager_; |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 250 | ptr_lib::shared_ptr<PolicyManager> policyManager_; |
Jeff Thompson | 79a2d5d | 2013-09-27 14:32:23 -0700 | [diff] [blame^] | 251 | ptr_lib::shared_ptr<EncryptionManager> encryptionManager_; |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 252 | Face* face_; |
| 253 | const int maxSteps_; |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 254 | }; |
| 255 | |
| 256 | } |
| 257 | |
| 258 | #endif |