Jeff Thompson | 25b4e61 | 2013-10-10 16:03:24 -0700 | [diff] [blame] | 1 | /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */ |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 2 | /** |
Jeff Thompson | 7687dc0 | 2013-09-13 11:54:07 -0700 | [diff] [blame] | 3 | * Copyright (C) 2013 Regents of the University of California. |
Jeff Thompson | ba16b8f | 2013-12-16 13:11:47 -0800 | [diff] [blame] | 4 | * @author: Yingdi Yu <yingdi@cs.ucla.edu> |
Jeff Thompson | 7687dc0 | 2013-09-13 11:54:07 -0700 | [diff] [blame] | 5 | * @author: Jeff Thompson <jefft0@remap.ucla.edu> |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 6 | * See COPYING for copyright and distribution information. |
| 7 | */ |
| 8 | |
Yingdi Yu | fc40d87 | 2014-02-18 12:56:04 -0800 | [diff] [blame] | 9 | #ifndef NDN_SECURITY_KEY_CHAIN_HPP |
| 10 | #define NDN_SECURITY_KEY_CHAIN_HPP |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 11 | |
Yingdi Yu | 4f32463 | 2014-01-15 18:10:03 -0800 | [diff] [blame] | 12 | #include "identity-certificate.hpp" |
| 13 | #include "public-key.hpp" |
| 14 | #include "signature-sha256-with-rsa.hpp" |
Yingdi Yu | 2115716 | 2014-02-28 13:02:34 -0800 | [diff] [blame] | 15 | #include "signature-sha256.hpp" |
Yingdi Yu | 64c3fb4 | 2014-02-26 17:30:04 -0800 | [diff] [blame] | 16 | #include "secured-bag.hpp" |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 17 | #include "../interest.hpp" |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 18 | #include "../util/random.hpp" |
Yingdi Yu | 2115716 | 2014-02-28 13:02:34 -0800 | [diff] [blame] | 19 | #include "../util/crypto.hpp" |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 20 | |
Yingdi Yu | 0402092 | 2014-01-22 12:46:53 -0800 | [diff] [blame] | 21 | //PublicInfo |
Yingdi Yu | 4f32463 | 2014-01-15 18:10:03 -0800 | [diff] [blame] | 22 | #include "sec-public-info-sqlite3.hpp" |
| 23 | #include "sec-public-info-memory.hpp" |
Yingdi Yu | 0402092 | 2014-01-22 12:46:53 -0800 | [diff] [blame] | 24 | //TPM |
| 25 | #include "sec-tpm-file.hpp" |
Yingdi Yu | 4f32463 | 2014-01-15 18:10:03 -0800 | [diff] [blame] | 26 | #include "sec-tpm-memory.hpp" |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 27 | |
Yingdi Yu | 0402092 | 2014-01-22 12:46:53 -0800 | [diff] [blame] | 28 | #ifdef NDN_CPP_HAVE_OSX_SECURITY |
| 29 | #include "sec-tpm-osx.hpp" |
| 30 | #endif |
| 31 | |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 32 | |
| 33 | namespace ndn { |
| 34 | |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 35 | /** |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 36 | * @brief KeyChain is one of the main classes of the security library. |
Jeff Thompson | ffa36f9 | 2013-09-20 08:42:41 -0700 | [diff] [blame] | 37 | * |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 38 | * The KeyChain class provides a set of interfaces of identity management and private key related operations. |
Jeff Thompson | ffa36f9 | 2013-09-20 08:42:41 -0700 | [diff] [blame] | 39 | */ |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 40 | template<class Info, class Tpm> |
| 41 | class KeyChainImpl : public Info, public Tpm |
| 42 | { |
Yingdi Yu | f8fc8de | 2014-02-25 15:45:39 -0800 | [diff] [blame] | 43 | typedef SecPublicInfo::Error InfoError; |
| 44 | typedef SecTpm::Error TpmError; |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 45 | public: |
Yingdi Yu | be4150e | 2014-02-18 13:02:46 -0800 | [diff] [blame] | 46 | /** |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 47 | * @brief Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed certificate of the KSK. |
Yingdi Yu | be4150e | 2014-02-18 13:02:46 -0800 | [diff] [blame] | 48 | * |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 49 | * @param identityName The name of the identity. |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 50 | * @return The name of the default certificate of the identity. |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 51 | */ |
| 52 | Name |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 53 | createIdentity(const Name& identityName) |
| 54 | { |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 55 | Info::addIdentity(identityName); |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 56 | |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 57 | Name keyName; |
| 58 | try |
| 59 | { |
| 60 | keyName = Info::getDefaultKeyNameForIdentity(identityName); |
| 61 | } |
| 62 | catch(InfoError& e) |
| 63 | { |
| 64 | keyName = generateRSAKeyPairAsDefault(identityName, true); |
| 65 | } |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 66 | |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 67 | Name certName; |
| 68 | try |
| 69 | { |
| 70 | certName = Info::getDefaultCertificateNameForKey(keyName); |
| 71 | } |
| 72 | catch(InfoError& e) |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 73 | { |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 74 | shared_ptr<IdentityCertificate> selfCert = selfSign(keyName); |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 75 | Info::addCertificateAsIdentityDefault(*selfCert); |
| 76 | certName = selfCert->getName(); |
| 77 | } |
| 78 | |
| 79 | return certName; |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 80 | } |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 81 | |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 82 | /** |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 83 | * @brief Generate a pair of RSA keys for the specified identity. |
| 84 | * |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 85 | * @param identityName The name of the identity. |
| 86 | * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK). |
| 87 | * @param keySize The size of the key. |
| 88 | * @return The generated key name. |
| 89 | */ |
| 90 | Name |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 91 | generateRSAKeyPair(const Name& identityName, bool isKsk = false, int keySize = 2048) |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 92 | { |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 93 | return generateKeyPair(identityName, isKsk, KEY_TYPE_RSA, keySize); |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 94 | } |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 95 | |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 96 | /** |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 97 | * @brief Generate a pair of RSA keys for the specified identity and set it as default key for the identity. |
| 98 | * |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 99 | * @param identityName The name of the identity. |
| 100 | * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK). |
| 101 | * @param keySize The size of the key. |
| 102 | * @return The generated key name. |
| 103 | */ |
| 104 | Name |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 105 | generateRSAKeyPairAsDefault(const Name& identityName, bool isKsk = false, int keySize = 2048) |
| 106 | { |
| 107 | Name keyName = generateKeyPair(identityName, isKsk, KEY_TYPE_RSA, keySize); |
| 108 | |
| 109 | Info::setDefaultKeyNameForIdentity(keyName); |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 110 | |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 111 | return keyName; |
| 112 | } |
Jeff Thompson | 79a2d5d | 2013-09-27 14:32:23 -0700 | [diff] [blame] | 113 | |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 114 | /** |
Yingdi Yu | c55680b | 2014-02-26 12:31:35 -0800 | [diff] [blame] | 115 | * @brief prepare an unsigned identity certificate |
| 116 | * |
| 117 | * @param keyName Key name, e.g., /<identity_name>/ksk-123456. |
| 118 | * @param signingIdentity The signing identity. |
| 119 | * @param notBefore Refer to IdentityCertificate. |
| 120 | * @param notAfter Refer to IdentityCertificate. |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 121 | * @param subjectDescription Refer to IdentityCertificate. |
Yingdi Yu | c55680b | 2014-02-26 12:31:35 -0800 | [diff] [blame] | 122 | * @return IdentityCertificate. |
| 123 | */ |
| 124 | shared_ptr<IdentityCertificate> |
| 125 | prepareUnsignedIdentityCertificate(const Name& keyName, |
| 126 | const Name& signingIdentity, |
Alexander Afanasyev | aa0e7da | 2014-03-17 14:37:33 -0700 | [diff] [blame] | 127 | const time::system_clock::TimePoint& notBefore, |
| 128 | const time::system_clock::TimePoint& notAfter, |
Yingdi Yu | c55680b | 2014-02-26 12:31:35 -0800 | [diff] [blame] | 129 | const std::vector<CertificateSubjectDescription>& subjectDescription) |
| 130 | |
| 131 | { |
| 132 | if(keyName.size() < 1) |
| 133 | return shared_ptr<IdentityCertificate>(); |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 134 | |
Yingdi Yu | c55680b | 2014-02-26 12:31:35 -0800 | [diff] [blame] | 135 | std::string keyIdPrefix = keyName.get(-1).toEscapedString().substr(0, 4); |
| 136 | if(keyIdPrefix != "ksk-" && keyIdPrefix != "dsk-") |
| 137 | return shared_ptr<IdentityCertificate>(); |
| 138 | |
| 139 | shared_ptr<IdentityCertificate> certificate = make_shared<IdentityCertificate>(); |
| 140 | Name certName; |
| 141 | |
| 142 | if(signingIdentity.isPrefixOf(keyName)) |
| 143 | { |
| 144 | certName.append(signingIdentity).append("KEY").append(keyName.getSubName(signingIdentity.size())).append("ID-CERT").appendVersion(); |
| 145 | } |
| 146 | else |
| 147 | { |
| 148 | certName.append(keyName.getPrefix(-1)).append("KEY").append(keyName.get(-1)).append("ID-CERT").appendVersion(); |
| 149 | } |
| 150 | |
| 151 | certificate->setName(certName); |
| 152 | certificate->setNotBefore(notBefore); |
| 153 | certificate->setNotAfter(notAfter); |
| 154 | |
| 155 | shared_ptr<PublicKey> publicKey; |
| 156 | try |
| 157 | { |
| 158 | publicKey = Info::getPublicKey(keyName); |
| 159 | } |
| 160 | catch(InfoError& e) |
| 161 | { |
| 162 | return shared_ptr<IdentityCertificate>(); |
| 163 | } |
| 164 | certificate->setPublicKeyInfo(*publicKey); |
| 165 | |
| 166 | if(subjectDescription.empty()) |
| 167 | { |
| 168 | CertificateSubjectDescription subDescryptName("2.5.4.41", keyName.getPrefix(-1).toUri()); |
| 169 | certificate->addSubjectDescription(subDescryptName); |
| 170 | } |
| 171 | else |
| 172 | { |
| 173 | std::vector<CertificateSubjectDescription>::const_iterator sdIt = subjectDescription.begin(); |
| 174 | std::vector<CertificateSubjectDescription>::const_iterator sdEnd = subjectDescription.end(); |
| 175 | for(; sdIt != sdEnd; sdIt++) |
| 176 | certificate->addSubjectDescription(*sdIt); |
| 177 | } |
| 178 | |
| 179 | certificate->encode(); |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 180 | |
Yingdi Yu | c55680b | 2014-02-26 12:31:35 -0800 | [diff] [blame] | 181 | return certificate; |
| 182 | } |
| 183 | |
| 184 | /** |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 185 | * @brief Sign packet with default identity |
| 186 | * |
Yingdi Yu | 60bd708 | 2014-03-25 18:18:54 -0700 | [diff] [blame] | 187 | * On return, signatureInfo and signatureValue in the packet are set. |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 188 | * If default identity does not exist, |
Yingdi Yu | 60bd708 | 2014-03-25 18:18:54 -0700 | [diff] [blame] | 189 | * a temporary identity will be created and set as default. |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 190 | * |
| 191 | * @param packet The packet to be signed |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 192 | */ |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 193 | template<typename T> |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 194 | void |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 195 | sign(T& packet) |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 196 | { |
Yingdi Yu | 60bd708 | 2014-03-25 18:18:54 -0700 | [diff] [blame] | 197 | if (!static_cast<bool>(Info::defaultCertificate())) |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 198 | { |
| 199 | Info::refreshDefaultCertificate(); |
| 200 | |
Yingdi Yu | 60bd708 | 2014-03-25 18:18:54 -0700 | [diff] [blame] | 201 | if (!static_cast<bool>(Info::defaultCertificate())) |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 202 | { |
| 203 | Name defaultIdentity; |
| 204 | try |
| 205 | { |
| 206 | defaultIdentity = Info::getDefaultIdentity(); |
| 207 | } |
Yingdi Yu | 60bd708 | 2014-03-25 18:18:54 -0700 | [diff] [blame] | 208 | catch (InfoError& e) |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 209 | { |
| 210 | uint32_t random = random::generateWord32(); |
Yingdi Yu | 60bd708 | 2014-03-25 18:18:54 -0700 | [diff] [blame] | 211 | defaultIdentity.append("tmp-identity") |
| 212 | .append(reinterpret_cast<uint8_t*>(&random), 4); |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 213 | } |
| 214 | createIdentity(defaultIdentity); |
Yingdi Yu | 60bd708 | 2014-03-25 18:18:54 -0700 | [diff] [blame] | 215 | Info::setDefaultIdentity(defaultIdentity); |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 216 | Info::refreshDefaultCertificate(); |
| 217 | } |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 218 | } |
| 219 | |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 220 | sign(packet, *Info::defaultCertificate()); |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 221 | } |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 222 | |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 223 | /** |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 224 | * @brief Sign packet with a particular certificate. |
| 225 | * |
| 226 | * @param packet The packet to be signed. |
| 227 | * @param certificateName The certificate name of the key to use for signing. |
| 228 | * @throws SecPublicInfo::Error if certificate does not exist. |
Jeff Thompson | 3c73da4 | 2013-08-12 11:19:05 -0700 | [diff] [blame] | 229 | */ |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 230 | template<typename T> |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 231 | void |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 232 | sign(T& packet, const Name& certificateName) |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 233 | { |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 234 | if (!Info::doesCertificateExist(certificateName)) |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 235 | throw InfoError("Requested certificate [" + certificateName.toUri() + "] doesn't exist"); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 236 | |
| 237 | SignatureSha256WithRsa signature; |
| 238 | signature.setKeyLocator(certificateName.getPrefix(-1)); // implicit conversion should take care |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 239 | |
| 240 | // For temporary usage, we support RSA + SHA256 only, but will support more. |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 241 | signPacketWrapper(packet, signature, |
| 242 | IdentityCertificate::certificateNameToPublicKeyName(certificateName), |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 243 | DIGEST_ALGORITHM_SHA256); |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 244 | } |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 245 | |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 246 | /** |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 247 | * @brief Sign the byte array using a particular certificate. |
| 248 | * |
Jeff Thompson | c01e178 | 2013-10-21 14:08:42 -0700 | [diff] [blame] | 249 | * @param buffer The byte array to be signed. |
| 250 | * @param bufferLength the length of buffer. |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 251 | * @param certificateName The certificate name of the signing key. |
Jeff Thompson | c01e178 | 2013-10-21 14:08:42 -0700 | [diff] [blame] | 252 | * @return The Signature. |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 253 | * @throws SecPublicInfo::Error if certificate does not exist. |
Jeff Thompson | c01e178 | 2013-10-21 14:08:42 -0700 | [diff] [blame] | 254 | */ |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 255 | Signature |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 256 | sign(const uint8_t* buffer, size_t bufferLength, const Name& certificateName) |
| 257 | { |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 258 | if (!Info::doesCertificateExist(certificateName)) |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 259 | throw InfoError("Requested certificate [" + certificateName.toUri() + "] doesn't exist"); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 260 | |
| 261 | SignatureSha256WithRsa signature; |
| 262 | signature.setKeyLocator(certificateName.getPrefix(-1)); // implicit conversion should take care |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 263 | |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 264 | // For temporary usage, we support RSA + SHA256 only, but will support more. |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 265 | signature.setValue(Tpm::signInTpm(buffer, bufferLength, |
| 266 | IdentityCertificate::certificateNameToPublicKeyName(certificateName), |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 267 | DIGEST_ALGORITHM_SHA256)); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 268 | return signature; |
| 269 | } |
Jeff Thompson | c01e178 | 2013-10-21 14:08:42 -0700 | [diff] [blame] | 270 | |
| 271 | /** |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 272 | * @brief Sign packet using the default certificate of a particular identity. |
| 273 | * |
| 274 | * If there is no default certificate of that identity, this method will create a self-signed certificate. |
| 275 | * |
| 276 | * @param packet The packet to be signed. |
| 277 | * @param identityName The signing identity name. |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 278 | */ |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 279 | template<typename T> |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 280 | void |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 281 | signByIdentity(T& packet, const Name& identityName) |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 282 | { |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 283 | Name signingCertificateName; |
| 284 | try |
| 285 | { |
| 286 | signingCertificateName = Info::getDefaultCertificateNameForIdentity(identityName); |
| 287 | } |
| 288 | catch(InfoError& e) |
| 289 | { |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 290 | signingCertificateName = createIdentity(identityName); |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 291 | // Ideally, no exception will be thrown out, unless something goes wrong in the TPM, which is a fatal error. |
| 292 | } |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 293 | |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 294 | // We either get or create the signing certificate, sign packet! (no exception unless fatal error in TPM) |
| 295 | sign(packet, signingCertificateName); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 296 | } |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 297 | |
Jeff Thompson | 3c73da4 | 2013-08-12 11:19:05 -0700 | [diff] [blame] | 298 | /** |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 299 | * @brief Sign the byte array using the default certificate of a particular identity. |
| 300 | * |
Jeff Thompson | c01e178 | 2013-10-21 14:08:42 -0700 | [diff] [blame] | 301 | * @param buffer The byte array to be signed. |
| 302 | * @param bufferLength the length of buffer. |
| 303 | * @param identityName The identity name. |
| 304 | * @return The Signature. |
| 305 | */ |
Alexander Afanasyev | 64a3d81 | 2014-01-05 23:35:05 -0800 | [diff] [blame] | 306 | Signature |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 307 | signByIdentity(const uint8_t* buffer, size_t bufferLength, const Name& identityName) |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 308 | { |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 309 | Name signingCertificateName; |
| 310 | try |
| 311 | { |
| 312 | signingCertificateName = Info::getDefaultCertificateNameForIdentity(identityName); |
| 313 | } |
| 314 | catch(InfoError& e) |
| 315 | { |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 316 | signingCertificateName = createIdentity(identityName); |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 317 | // Ideally, no exception will be thrown out, unless something goes wrong in the TPM, which is a fatal error. |
| 318 | } |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 319 | |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 320 | // We either get or create the signing certificate, sign data! (no exception unless fatal error in TPM) |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 321 | return sign(buffer, bufferLength, signingCertificateName); |
| 322 | } |
Jeff Thompson | c01e178 | 2013-10-21 14:08:42 -0700 | [diff] [blame] | 323 | |
| 324 | /** |
Yingdi Yu | 2115716 | 2014-02-28 13:02:34 -0800 | [diff] [blame] | 325 | * @brief Set Sha256 weak signature. |
| 326 | * |
| 327 | * @param data. |
| 328 | */ |
| 329 | void |
| 330 | signWithSha256(Data& data) |
| 331 | { |
| 332 | SignatureSha256 sig; |
| 333 | data.setSignature(sig); |
| 334 | |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 335 | Block sigValue(Tlv::SignatureValue, |
| 336 | crypto::sha256(data.wireEncode().value(), |
Yingdi Yu | 2115716 | 2014-02-28 13:02:34 -0800 | [diff] [blame] | 337 | data.wireEncode().value_size() - data.getSignature().getValue().size())); |
| 338 | data.setSignatureValue(sigValue); |
| 339 | |
| 340 | } |
| 341 | |
| 342 | /** |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 343 | * @brief Generate a self-signed certificate for a public key. |
| 344 | * |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 345 | * @param keyName The name of the public key. |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 346 | * @return The generated certificate, NULL if selfSign fails. |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 347 | */ |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame] | 348 | shared_ptr<IdentityCertificate> |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 349 | selfSign(const Name& keyName) |
| 350 | { |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 351 | shared_ptr<PublicKey> pubKey; |
| 352 | try |
| 353 | { |
| 354 | pubKey = Info::getPublicKey(keyName); // may throw an exception. |
| 355 | } |
| 356 | catch(InfoError& e) |
| 357 | { |
| 358 | return shared_ptr<IdentityCertificate>(); |
| 359 | } |
Yingdi Yu | 7ea6950 | 2014-01-15 17:21:29 -0800 | [diff] [blame] | 360 | |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame] | 361 | shared_ptr<IdentityCertificate> certificate = make_shared<IdentityCertificate>(); |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 362 | |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 363 | Name certificateName = keyName.getPrefix(-1); |
| 364 | certificateName.append("KEY").append(keyName.get(-1)).append("ID-CERT").appendVersion(); |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 365 | |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 366 | certificate->setName(certificateName); |
Alexander Afanasyev | aa0e7da | 2014-03-17 14:37:33 -0700 | [diff] [blame] | 367 | certificate->setNotBefore(time::system_clock::now()); |
| 368 | certificate->setNotAfter(time::system_clock::now() + time::days(7300)/* ~20 years*/); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 369 | certificate->setPublicKeyInfo(*pubKey); |
| 370 | certificate->addSubjectDescription(CertificateSubjectDescription("2.5.4.41", keyName.toUri())); |
| 371 | certificate->encode(); |
| 372 | |
| 373 | selfSign(*certificate); |
| 374 | return certificate; |
| 375 | } |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 376 | |
| 377 | /** |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 378 | * @brief Self-sign the supplied identity certificate. |
| 379 | * |
| 380 | * @param cert The supplied cert. |
| 381 | * @throws SecTpm::Error if the private key does not exist. |
Jeff Thompson | 8efe5ad | 2013-08-20 17:36:38 -0700 | [diff] [blame] | 382 | */ |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 383 | void |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 384 | selfSign (IdentityCertificate& cert) |
| 385 | { |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 386 | Name keyName = IdentityCertificate::certificateNameToPublicKeyName(cert.getName()); |
| 387 | if(!Tpm::doesKeyExistInTpm(keyName, KEY_CLASS_PRIVATE)) |
| 388 | throw TpmError("private key does not exist!"); |
| 389 | |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 390 | SignatureSha256WithRsa signature; |
| 391 | signature.setKeyLocator(cert.getName().getPrefix(-1)); // implicit conversion should take care |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 392 | |
| 393 | // For temporary usage, we support RSA + SHA256 only, but will support more. |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 394 | signPacketWrapper(cert, signature, keyName, DIGEST_ALGORITHM_SHA256); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 395 | } |
| 396 | |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 397 | /** |
| 398 | * @brief delete a certificate. |
| 399 | * |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 400 | * If the certificate to be deleted is current default system default, |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 401 | * the method will not delete the certificate and return immediately. |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 402 | * |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 403 | * @param certificateName The certificate to be deleted. |
| 404 | */ |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 405 | void |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 406 | deleteCertificate (const Name& certificateName) |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 407 | { |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 408 | try |
| 409 | { |
| 410 | if(Info::getDefaultCertificateName() == certificateName) |
| 411 | return; |
| 412 | } |
| 413 | catch(InfoError& e) |
| 414 | { |
| 415 | // Not a real error, just try to delete the certificate |
| 416 | } |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 417 | |
| 418 | Info::deleteCertificateInfo(certificateName); |
| 419 | } |
| 420 | |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 421 | /** |
| 422 | * @brief delete a key. |
| 423 | * |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 424 | * If the key to be deleted is current default system default, |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 425 | * the method will not delete the key and return immediately. |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 426 | * |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 427 | * @param keyName The key to be deleted. |
| 428 | */ |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 429 | void |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 430 | deleteKey (const Name& keyName) |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 431 | { |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 432 | try |
| 433 | { |
| 434 | if(Info::getDefaultKeyNameForIdentity(Info::getDefaultIdentity()) == keyName) |
| 435 | return; |
| 436 | } |
| 437 | catch(InfoError& e) |
| 438 | { |
| 439 | // Not a real error, just try to delete the key |
| 440 | } |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 441 | |
| 442 | Info::deletePublicKeyInfo(keyName); |
| 443 | Tpm::deleteKeyPairInTpm(keyName); |
| 444 | } |
| 445 | |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 446 | /** |
| 447 | * @brief delete an identity. |
| 448 | * |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 449 | * If the identity to be deleted is current default system default, |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 450 | * the method will not delete the identity and return immediately. |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 451 | * |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 452 | * @param identity The identity to be deleted. |
| 453 | */ |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 454 | void |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame] | 455 | deleteIdentity (const Name& identity) |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 456 | { |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 457 | try |
| 458 | { |
| 459 | if(Info::getDefaultIdentity() == identity) |
| 460 | return; |
| 461 | } |
| 462 | catch(InfoError& e) |
| 463 | { |
| 464 | // Not a real error, just try to delete the identity |
| 465 | } |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 466 | |
| 467 | std::vector<Name> nameList; |
| 468 | Info::getAllKeyNamesOfIdentity(identity, nameList, true); |
| 469 | Info::getAllKeyNamesOfIdentity(identity, nameList, false); |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 470 | |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 471 | Info::deleteIdentityInfo(identity); |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 472 | |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 473 | std::vector<Name>::const_iterator it = nameList.begin(); |
| 474 | for(; it != nameList.end(); it++) |
| 475 | Tpm::deleteKeyPairInTpm(*it); |
| 476 | } |
| 477 | |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 478 | /** |
| 479 | * @brief export an identity. |
| 480 | * |
| 481 | * @param identity The identity to export. |
| 482 | * @param passwordStr The password to secure the private key. |
Yingdi Yu | 64c3fb4 | 2014-02-26 17:30:04 -0800 | [diff] [blame] | 483 | * @return The encoded export data. |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 484 | * @throws InfoError if anything goes wrong in exporting. |
| 485 | */ |
Yingdi Yu | 64c3fb4 | 2014-02-26 17:30:04 -0800 | [diff] [blame] | 486 | shared_ptr<SecuredBag> |
Yingdi Yu | be4150e | 2014-02-18 13:02:46 -0800 | [diff] [blame] | 487 | exportIdentity(const Name& identity, const std::string& passwordStr) |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame] | 488 | { |
| 489 | if (!Info::doesIdentityExist(identity)) |
| 490 | throw InfoError("Identity does not exist!"); |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 491 | |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame] | 492 | Name keyName = Info::getDefaultKeyNameForIdentity(identity); |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame] | 493 | |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 494 | ConstBufferPtr pkcs8; |
| 495 | try |
| 496 | { |
| 497 | pkcs8 = Tpm::exportPrivateKeyPkcs8FromTpm(keyName, passwordStr); |
| 498 | } |
| 499 | catch(TpmError& e) |
| 500 | { |
| 501 | throw InfoError("Fail to export PKCS8 of private key"); |
| 502 | } |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame] | 503 | |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 504 | shared_ptr<IdentityCertificate> cert; |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 505 | try |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame] | 506 | { |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 507 | cert = Info::getCertificate(Info::getDefaultCertificateNameForKey(keyName)); |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame] | 508 | } |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 509 | catch(InfoError& e) |
| 510 | { |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 511 | cert = selfSign(keyName); |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 512 | Info::addCertificateAsIdentityDefault(*cert); |
| 513 | } |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame] | 514 | |
Yingdi Yu | 64c3fb4 | 2014-02-26 17:30:04 -0800 | [diff] [blame] | 515 | shared_ptr<SecuredBag> secureBag = make_shared<SecuredBag>(boost::cref(*cert), boost::cref(pkcs8)); |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame] | 516 | |
Yingdi Yu | 64c3fb4 | 2014-02-26 17:30:04 -0800 | [diff] [blame] | 517 | return secureBag; |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame] | 518 | } |
| 519 | |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 520 | /** |
| 521 | * @brief import an identity. |
| 522 | * |
Yingdi Yu | 64c3fb4 | 2014-02-26 17:30:04 -0800 | [diff] [blame] | 523 | * @param securedBag The encoded import data. |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 524 | * @param passwordStr The password to secure the private key. |
| 525 | */ |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame] | 526 | void |
Yingdi Yu | 64c3fb4 | 2014-02-26 17:30:04 -0800 | [diff] [blame] | 527 | importIdentity(const SecuredBag& securedBag, const std::string& passwordStr) |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame] | 528 | { |
Yingdi Yu | 64c3fb4 | 2014-02-26 17:30:04 -0800 | [diff] [blame] | 529 | Name keyName = IdentityCertificate::certificateNameToPublicKeyName(securedBag.getCertificate().getName()); |
| 530 | Name identity = keyName.getPrefix(-1); |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 531 | |
Yingdi Yu | 64c3fb4 | 2014-02-26 17:30:04 -0800 | [diff] [blame] | 532 | // Add identity |
| 533 | Info::addIdentity(identity); |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 534 | |
Yingdi Yu | 64c3fb4 | 2014-02-26 17:30:04 -0800 | [diff] [blame] | 535 | // Add key |
| 536 | Tpm::importPrivateKeyPkcs8IntoTpm(keyName, securedBag.getKey()->buf(), securedBag.getKey()->size(), passwordStr); |
| 537 | shared_ptr<PublicKey> pubKey = Tpm::getPublicKeyFromTpm(keyName.toUri()); |
| 538 | Info::addPublicKey(keyName, KEY_TYPE_RSA, *pubKey); // HACK! We should set key type according to the pkcs8 info. |
| 539 | Info::setDefaultKeyNameForIdentity(keyName); |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 540 | |
Yingdi Yu | 64c3fb4 | 2014-02-26 17:30:04 -0800 | [diff] [blame] | 541 | // Add cert |
| 542 | Info::addCertificateAsIdentityDefault(securedBag.getCertificate()); |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame] | 543 | } |
| 544 | |
Jeff Thompson | 8efe5ad | 2013-08-20 17:36:38 -0700 | [diff] [blame] | 545 | |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 546 | private: |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 547 | /** |
| 548 | * @brief sign a packet using a pariticular certificate. |
| 549 | * |
| 550 | * @param packet The packet to be signed. |
| 551 | * @param certificate The signing certificate. |
| 552 | */ |
| 553 | template<typename T> |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 554 | void |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 555 | sign(T& packet, const IdentityCertificate& certificate) |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 556 | { |
| 557 | SignatureSha256WithRsa signature; |
| 558 | signature.setKeyLocator(certificate.getName().getPrefix(-1)); |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 559 | |
| 560 | // For temporary usage, we support RSA + SHA256 only, but will support more. |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 561 | signPacketWrapper(packet, signature, certificate.getPublicKeyName(), DIGEST_ALGORITHM_SHA256); |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 562 | } |
| 563 | |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 564 | /** |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 565 | * @brief Generate a key pair for the specified identity. |
| 566 | * |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 567 | * @param identityName The name of the specified identity. |
| 568 | * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK). |
| 569 | * @param keyType The type of the key pair, e.g. KEY_TYPE_RSA. |
| 570 | * @param keySize The size of the key pair. |
| 571 | * @return The name of the generated key. |
| 572 | */ |
| 573 | Name |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 574 | generateKeyPair(const Name& identityName, bool isKsk = false, KeyType keyType = KEY_TYPE_RSA, int keySize = 2048) |
| 575 | { |
| 576 | Name keyName = Info::getNewKeyName(identityName, isKsk); |
| 577 | |
| 578 | Tpm::generateKeyPairInTpm(keyName.toUri(), keyType, keySize); |
| 579 | |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame] | 580 | shared_ptr<PublicKey> pubKey = Tpm::getPublicKeyFromTpm(keyName.toUri()); |
Yingdi Yu | ef26ee3 | 2014-01-15 16:41:14 -0800 | [diff] [blame] | 581 | Info::addPublicKey(keyName, keyType, *pubKey); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 582 | |
| 583 | return keyName; |
| 584 | } |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 585 | |
Yingdi Yu | 8726f65 | 2014-01-23 10:35:12 -0800 | [diff] [blame] | 586 | /** |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 587 | * @brief Sign the data using a particular key. |
| 588 | * |
| 589 | * @param data Reference to the data packet. |
| 590 | * @param signature Signature to be added. |
Yingdi Yu | 8726f65 | 2014-01-23 10:35:12 -0800 | [diff] [blame] | 591 | * @param keyName The name of the signing key. |
| 592 | * @param digestAlgorithm the digest algorithm. |
| 593 | * @throws Tpm::Error |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 594 | */ |
Yingdi Yu | 8726f65 | 2014-01-23 10:35:12 -0800 | [diff] [blame] | 595 | void |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 596 | signPacketWrapper(Data& data, const SignatureSha256WithRsa& signature, const Name& keyName, DigestAlgorithm digestAlgorithm) |
Yingdi Yu | 8726f65 | 2014-01-23 10:35:12 -0800 | [diff] [blame] | 597 | { |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 598 | data.setSignature(signature); |
Yingdi Yu | 8726f65 | 2014-01-23 10:35:12 -0800 | [diff] [blame] | 599 | data.setSignatureValue |
| 600 | (Tpm::signInTpm(data.wireEncode().value(), |
| 601 | data.wireEncode().value_size() - data.getSignature().getValue().size(), |
| 602 | keyName, digestAlgorithm)); |
| 603 | } |
| 604 | |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 605 | /** |
| 606 | * @brief Sign the interest using a particular key. |
| 607 | * |
| 608 | * @param interest Reference to the interest packet. |
| 609 | * @param signature Signature to be added. |
| 610 | * @param keyName The name of the signing key. |
| 611 | * @param digestAlgorithm the digest algorithm. |
| 612 | * @throws Tpm::Error |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 613 | */ |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 614 | void |
| 615 | signPacketWrapper(Interest& interest, const SignatureSha256WithRsa& signature, const Name& keyName, DigestAlgorithm digestAlgorithm) |
| 616 | { |
| 617 | Name signedName = Name(interest.getName()).append(signature.getInfo()); |
| 618 | |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 619 | Block sigValue = Tpm::signInTpm(signedName.wireEncode().value(), |
| 620 | signedName.wireEncode().value_size(), |
Yingdi Yu | 2e57a58 | 2014-02-20 23:34:43 -0800 | [diff] [blame] | 621 | keyName, |
| 622 | DIGEST_ALGORITHM_SHA256); |
| 623 | sigValue.encode(); |
| 624 | signedName.append(sigValue); |
| 625 | interest.setName(signedName); |
| 626 | } |
| 627 | |
| 628 | |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 629 | }; |
| 630 | |
Yingdi Yu | fc40d87 | 2014-02-18 12:56:04 -0800 | [diff] [blame] | 631 | } // namespace ndn |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 632 | |
Yingdi Yu | 0402092 | 2014-01-22 12:46:53 -0800 | [diff] [blame] | 633 | |
| 634 | |
Alexander Afanasyev | 3e08d5d | 2014-02-12 19:24:28 -0800 | [diff] [blame] | 635 | #if defined(NDN_CPP_HAVE_OSX_SECURITY) and defined(NDN_CPP_WITH_OSX_KEYCHAIN) |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 636 | |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 637 | namespace ndn { |
| 638 | |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 639 | typedef KeyChainImpl<SecPublicInfoSqlite3, SecTpmOsx> KeyChain; |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 640 | |
| 641 | } // namespace ndn |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 642 | |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 643 | #else |
Alexander Afanasyev | e64788e | 2014-01-05 22:38:21 -0800 | [diff] [blame] | 644 | |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 645 | namespace ndn { |
| 646 | |
Yingdi Yu | 0402092 | 2014-01-22 12:46:53 -0800 | [diff] [blame] | 647 | typedef KeyChainImpl<SecPublicInfoSqlite3, SecTpmFile> KeyChain; |
Alexander Afanasyev | b78bc4d | 2014-04-09 21:20:52 -0700 | [diff] [blame^] | 648 | |
| 649 | } // namespace ndn |
Alexander Afanasyev | e64788e | 2014-01-05 22:38:21 -0800 | [diff] [blame] | 650 | |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 651 | #endif //NDN_CPP_HAVE_OSX_SECURITY |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 652 | |
Yingdi Yu | fc40d87 | 2014-02-18 12:56:04 -0800 | [diff] [blame] | 653 | #endif //NDN_SECURITY_KEY_CHAIN_HPP |