Jeff Thompson | 25b4e61 | 2013-10-10 16:03:24 -0700 | [diff] [blame] | 1 | /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */ |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 2 | /** |
Jeff Thompson | 7687dc0 | 2013-09-13 11:54:07 -0700 | [diff] [blame] | 3 | * Copyright (C) 2013 Regents of the University of California. |
Jeff Thompson | ba16b8f | 2013-12-16 13:11:47 -0800 | [diff] [blame] | 4 | * @author: Yingdi Yu <yingdi@cs.ucla.edu> |
Jeff Thompson | 7687dc0 | 2013-09-13 11:54:07 -0700 | [diff] [blame] | 5 | * @author: Jeff Thompson <jefft0@remap.ucla.edu> |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 6 | * See COPYING for copyright and distribution information. |
| 7 | */ |
| 8 | |
| 9 | #ifndef NDN_KEY_CHAIN_HPP |
Jeff Thompson | 2d27e2f | 2013-08-09 12:55:00 -0700 | [diff] [blame] | 10 | #define NDN_KEY_CHAIN_HPP |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 11 | |
Yingdi Yu | 4f32463 | 2014-01-15 18:10:03 -0800 | [diff] [blame] | 12 | #include "identity-certificate.hpp" |
| 13 | #include "public-key.hpp" |
| 14 | #include "signature-sha256-with-rsa.hpp" |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 15 | #include "../interest.hpp" |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame^] | 16 | #include "../encoding/tlv-security.hpp" |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 17 | |
Yingdi Yu | 0402092 | 2014-01-22 12:46:53 -0800 | [diff] [blame] | 18 | //PublicInfo |
Yingdi Yu | 4f32463 | 2014-01-15 18:10:03 -0800 | [diff] [blame] | 19 | #include "sec-public-info-sqlite3.hpp" |
| 20 | #include "sec-public-info-memory.hpp" |
Yingdi Yu | 0402092 | 2014-01-22 12:46:53 -0800 | [diff] [blame] | 21 | //TPM |
| 22 | #include "sec-tpm-file.hpp" |
Yingdi Yu | 4f32463 | 2014-01-15 18:10:03 -0800 | [diff] [blame] | 23 | #include "sec-tpm-memory.hpp" |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 24 | |
Yingdi Yu | 0402092 | 2014-01-22 12:46:53 -0800 | [diff] [blame] | 25 | #ifdef NDN_CPP_HAVE_OSX_SECURITY |
| 26 | #include "sec-tpm-osx.hpp" |
| 27 | #endif |
| 28 | |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 29 | |
| 30 | namespace ndn { |
| 31 | |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 32 | /** |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 33 | * KeyChain is one of the main classes of the security library. |
Jeff Thompson | ffa36f9 | 2013-09-20 08:42:41 -0700 | [diff] [blame] | 34 | * |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 35 | * The KeyChain class provides a set of interfaces of identity management and private key related operations. |
Jeff Thompson | ffa36f9 | 2013-09-20 08:42:41 -0700 | [diff] [blame] | 36 | */ |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 37 | template<class Info, class Tpm> |
| 38 | class KeyChainImpl : public Info, public Tpm |
| 39 | { |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 40 | typedef typename Info::Error InfoError; |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 41 | public: |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 42 | |
| 43 | /** |
| 44 | * Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed certificate of the KSK. |
| 45 | * @param identityName The name of the identity. |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 46 | * @return The name of the default certificate of the identity. |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 47 | */ |
| 48 | Name |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 49 | createIdentity(const Name& identityName) |
| 50 | { |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 51 | if (!Info::doesIdentityExist(identityName)) |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 52 | Info::addIdentity(identityName); |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 53 | |
| 54 | Name keyName = Info::getDefaultKeyNameForIdentity(identityName); |
| 55 | |
| 56 | if(keyName.empty()) |
| 57 | keyName = generateRSAKeyPairAsDefault(identityName, true); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 58 | |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 59 | Name certName = Info::getDefaultCertificateNameForKey(keyName); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 60 | |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 61 | if(certName.empty()) |
| 62 | { |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame^] | 63 | shared_ptr<IdentityCertificate> selfCert = selfSign(keyName); |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 64 | Info::addCertificateAsIdentityDefault(*selfCert); |
| 65 | certName = selfCert->getName(); |
| 66 | } |
| 67 | |
| 68 | return certName; |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 69 | } |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 70 | |
| 71 | /** |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 72 | * Generate a pair of RSA keys for the specified identity. |
| 73 | * @param identityName The name of the identity. |
| 74 | * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK). |
| 75 | * @param keySize The size of the key. |
| 76 | * @return The generated key name. |
| 77 | */ |
| 78 | Name |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 79 | generateRSAKeyPair(const Name& identityName, bool isKsk = false, int keySize = 2048) |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 80 | { |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 81 | return generateKeyPair(identityName, isKsk, KEY_TYPE_RSA, keySize); |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 82 | } |
Alexander Afanasyev | 64a3d81 | 2014-01-05 23:35:05 -0800 | [diff] [blame] | 83 | |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 84 | /** |
| 85 | * Generate a pair of RSA keys for the specified identity and set it as default key for the identity. |
| 86 | * @param identityName The name of the identity. |
| 87 | * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK). |
| 88 | * @param keySize The size of the key. |
| 89 | * @return The generated key name. |
| 90 | */ |
| 91 | Name |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 92 | generateRSAKeyPairAsDefault(const Name& identityName, bool isKsk = false, int keySize = 2048) |
| 93 | { |
| 94 | Name keyName = generateKeyPair(identityName, isKsk, KEY_TYPE_RSA, keySize); |
| 95 | |
| 96 | Info::setDefaultKeyNameForIdentity(keyName); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 97 | |
| 98 | return keyName; |
| 99 | } |
Jeff Thompson | 79a2d5d | 2013-09-27 14:32:23 -0700 | [diff] [blame] | 100 | |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 101 | /** |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 102 | * Create an identity certificate for a public key managed by this IdentityManager. |
| 103 | * @param certificatePrefix The name of public key to be signed. |
| 104 | * @param signerCertificateName The name of signing certificate. |
| 105 | * @param notBefore The notBefore value in the validity field of the generated certificate. |
| 106 | * @param notAfter The notAfter vallue in validity field of the generated certificate. |
| 107 | * @return The name of generated identity certificate. |
| 108 | */ |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame^] | 109 | shared_ptr<IdentityCertificate> |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 110 | createIdentityCertificate |
| 111 | (const Name& certificatePrefix, |
| 112 | const Name& signerCertificateName, |
| 113 | const MillisecondsSince1970& notBefore, |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 114 | const MillisecondsSince1970& notAfter) |
| 115 | { |
| 116 | Name keyName = getKeyNameFromCertificatePrefix(certificatePrefix); |
| 117 | |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame^] | 118 | shared_ptr<PublicKey> pubKey = Info::getPublicKey(keyName); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 119 | if (!pubKey) |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 120 | throw InfoError("Requested public key [" + keyName.toUri() + "] doesn't exist"); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 121 | |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame^] | 122 | shared_ptr<IdentityCertificate> certificate = |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 123 | createIdentityCertificate(certificatePrefix, |
| 124 | *pubKey, |
| 125 | signerCertificateName, |
| 126 | notBefore, notAfter); |
| 127 | |
| 128 | Info::addCertificate(*certificate); |
| 129 | |
| 130 | return certificate; |
| 131 | } |
| 132 | |
Jeff Thompson | 79a2d5d | 2013-09-27 14:32:23 -0700 | [diff] [blame] | 133 | |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 134 | /** |
| 135 | * Create an identity certificate for a public key supplied by the caller. |
| 136 | * @param certificatePrefix The name of public key to be signed. |
| 137 | * @param publickey The public key to be signed. |
| 138 | * @param signerCertificateName The name of signing certificate. |
| 139 | * @param notBefore The notBefore value in the validity field of the generated certificate. |
| 140 | * @param notAfter The notAfter vallue in validity field of the generated certificate. |
| 141 | * @return The generated identity certificate. |
| 142 | */ |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame^] | 143 | shared_ptr<IdentityCertificate> |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 144 | createIdentityCertificate |
| 145 | (const Name& certificatePrefix, |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 146 | const PublicKey& publicKey, |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 147 | const Name& signerCertificateName, |
| 148 | const MillisecondsSince1970& notBefore, |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 149 | const MillisecondsSince1970& notAfter) |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 150 | { |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame^] | 151 | shared_ptr<IdentityCertificate> certificate (new IdentityCertificate()); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 152 | Name keyName = getKeyNameFromCertificatePrefix(certificatePrefix); |
| 153 | |
| 154 | Name certificateName = certificatePrefix; |
| 155 | certificateName.append("ID-CERT").appendVersion(); |
| 156 | |
| 157 | certificate->setName(certificateName); |
| 158 | certificate->setNotBefore(notBefore); |
| 159 | certificate->setNotAfter(notAfter); |
| 160 | certificate->setPublicKeyInfo(publicKey); |
| 161 | certificate->addSubjectDescription(CertificateSubjectDescription("2.5.4.41", keyName.toUri())); |
| 162 | certificate->encode(); |
| 163 | |
| 164 | sign(*certificate, signerCertificateName); |
| 165 | |
| 166 | return certificate; |
Alexander Afanasyev | bf1a67a | 2014-01-05 23:36:13 -0800 | [diff] [blame] | 167 | } |
| 168 | |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 169 | void |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 170 | sign(Data &data) |
| 171 | { |
| 172 | if (!Info::defaultCertificate()) |
| 173 | { |
| 174 | Info::refreshDefaultCertificate(); |
| 175 | |
| 176 | if(!Info::defaultCertificate()) |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 177 | throw InfoError("Default IdentityCertificate cannot be determined"); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 178 | } |
| 179 | |
| 180 | sign(data, *Info::defaultCertificate()); |
| 181 | } |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 182 | |
| 183 | void |
| 184 | sign(Interest &interest) |
| 185 | { |
| 186 | if (!Info::defaultCertificate()) |
| 187 | { |
| 188 | Info::refreshDefaultCertificate(); |
| 189 | |
| 190 | if(!Info::defaultCertificate()) |
| 191 | throw InfoError("Default IdentityCertificate cannot be determined"); |
| 192 | } |
| 193 | |
| 194 | sign(interest, *Info::defaultCertificate()); |
| 195 | } |
Alexander Afanasyev | e64788e | 2014-01-05 22:38:21 -0800 | [diff] [blame] | 196 | |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 197 | /** |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 198 | * Wire encode the Data object, sign it and set its signature. |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 199 | * @param data The Data object to be signed. This updates its signature and key locator field and wireEncoding. |
Jeff Thompson | 9296f0c | 2013-09-23 18:10:27 -0700 | [diff] [blame] | 200 | * @param certificateName The certificate name of the key to use for signing. If omitted, infer the signing identity from the data packet name. |
Jeff Thompson | 3c73da4 | 2013-08-12 11:19:05 -0700 | [diff] [blame] | 201 | */ |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 202 | void |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 203 | sign(Data& data, const Name& certificateName) |
| 204 | { |
Yingdi Yu | 17bc301 | 2014-02-10 17:37:12 -0800 | [diff] [blame] | 205 | shared_ptr<IdentityCertificate> cert = Info::getCertificate(certificateName); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 206 | if (!cert) |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 207 | throw InfoError("Requested certificate [" + certificateName.toUri() + "] doesn't exist"); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 208 | |
| 209 | SignatureSha256WithRsa signature; |
| 210 | signature.setKeyLocator(certificateName.getPrefix(-1)); // implicit conversion should take care |
| 211 | data.setSignature(signature); |
| 212 | |
| 213 | // For temporary usage, we support RSA + SHA256 only, but will support more. |
Yingdi Yu | 8726f65 | 2014-01-23 10:35:12 -0800 | [diff] [blame] | 214 | signDataInTpm(data, cert->getPublicKeyName(), DIGEST_ALGORITHM_SHA256); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 215 | } |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 216 | |
| 217 | void |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 218 | sign(Interest &interest, const Name &certificateName) |
| 219 | { |
Yingdi Yu | 17bc301 | 2014-02-10 17:37:12 -0800 | [diff] [blame] | 220 | shared_ptr<IdentityCertificate> cert = Info::getCertificate(certificateName); |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 221 | if(!static_cast<bool>(cert)) |
| 222 | throw InfoError("Requested certificate [" + certificateName.toUri() + "] doesn't exist"); |
| 223 | |
| 224 | SignatureSha256WithRsa signature; |
| 225 | signature.setKeyLocator(certificateName.getPrefix(-1)); // implicit conversion should take care |
| 226 | |
Alexander Afanasyev | c348f83 | 2014-02-17 16:35:17 -0800 | [diff] [blame] | 227 | Name signedName = Name(interest.getName()).append(signature.getInfo()); |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 228 | |
Alexander Afanasyev | c348f83 | 2014-02-17 16:35:17 -0800 | [diff] [blame] | 229 | signature.setValue(Tpm::signInTpm(signedName.wireEncode().value(), |
| 230 | signedName.wireEncode().value_size(), |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 231 | cert->getPublicKeyName(), |
| 232 | DIGEST_ALGORITHM_SHA256)); |
Alexander Afanasyev | c348f83 | 2014-02-17 16:35:17 -0800 | [diff] [blame] | 233 | signedName.append(signature.getValue()); |
| 234 | interest.setName(signedName); |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 235 | } |
Jeff Thompson | 79a2d5d | 2013-09-27 14:32:23 -0700 | [diff] [blame] | 236 | |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 237 | /** |
Jeff Thompson | c01e178 | 2013-10-21 14:08:42 -0700 | [diff] [blame] | 238 | * Sign the byte array using a certificate name and return a Signature object. |
| 239 | * @param buffer The byte array to be signed. |
| 240 | * @param bufferLength the length of buffer. |
| 241 | * @param certificateName The certificate name used to get the signing key and which will be put into KeyLocator. |
| 242 | * @return The Signature. |
| 243 | */ |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 244 | Signature |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 245 | sign(const uint8_t* buffer, size_t bufferLength, const Name& certificateName) |
| 246 | { |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame^] | 247 | shared_ptr<IdentityCertificate> cert = Info::getCertificate(certificateName); |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 248 | if (!static_cast<bool>(cert)) |
| 249 | throw InfoError("Requested certificate [" + certificateName.toUri() + "] doesn't exist"); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 250 | |
| 251 | SignatureSha256WithRsa signature; |
| 252 | signature.setKeyLocator(certificateName.getPrefix(-1)); // implicit conversion should take care |
| 253 | |
| 254 | // For temporary usage, we support RSA + SHA256 only, but will support more. |
Yingdi Yu | b4bb85a | 2014-01-16 10:11:04 -0800 | [diff] [blame] | 255 | signature.setValue(Tpm::signInTpm(buffer, bufferLength, cert->getPublicKeyName(), DIGEST_ALGORITHM_SHA256)); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 256 | return signature; |
| 257 | } |
Jeff Thompson | c01e178 | 2013-10-21 14:08:42 -0700 | [diff] [blame] | 258 | |
| 259 | /** |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 260 | * Wire encode the Data object, sign it and set its signature. |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 261 | * @param data The Data object to be signed. This updates its signature and key locator field and wireEncoding. |
| 262 | * @param identityName The identity name for the key to use for signing. If omitted, infer the signing identity from the data packet name. |
Jeff Thompson | 29ce310 | 2013-09-27 11:47:48 -0700 | [diff] [blame] | 263 | */ |
| 264 | void |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 265 | signByIdentity(Data& data, const Name& identityName) |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 266 | { |
| 267 | Name signingCertificateName = Info::getDefaultCertificateNameForIdentity(identityName); |
| 268 | |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 269 | if (signingCertificateName.empty()) |
| 270 | signingCertificateName = createIdentity(identityName); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 271 | |
| 272 | sign(data, signingCertificateName); |
| 273 | } |
Jeff Thompson | 3c73da4 | 2013-08-12 11:19:05 -0700 | [diff] [blame] | 274 | |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 275 | void |
| 276 | signByIdentity(Interest& interest, const Name& identityName) |
| 277 | { |
| 278 | Name signingCertificateName = Info::getDefaultCertificateNameForIdentity(identityName); |
| 279 | |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 280 | if (signingCertificateName.empty()) |
| 281 | signingCertificateName = createIdentity(identityName); |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 282 | |
| 283 | sign(interest, signingCertificateName); |
| 284 | } |
| 285 | |
| 286 | |
Jeff Thompson | 3c73da4 | 2013-08-12 11:19:05 -0700 | [diff] [blame] | 287 | /** |
Jeff Thompson | c01e178 | 2013-10-21 14:08:42 -0700 | [diff] [blame] | 288 | * Sign the byte array using an identity name and return a Signature object. |
| 289 | * @param buffer The byte array to be signed. |
| 290 | * @param bufferLength the length of buffer. |
| 291 | * @param identityName The identity name. |
| 292 | * @return The Signature. |
| 293 | */ |
Alexander Afanasyev | 64a3d81 | 2014-01-05 23:35:05 -0800 | [diff] [blame] | 294 | Signature |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 295 | signByIdentity(const uint8_t* buffer, size_t bufferLength, const Name& identityName) |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 296 | { |
| 297 | Name signingCertificateName = Info::getDefaultCertificateNameForIdentity(identityName); |
| 298 | |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 299 | if (signingCertificateName.empty()) |
| 300 | signingCertificateName = createIdentity(identityName); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 301 | |
| 302 | return sign(buffer, bufferLength, signingCertificateName); |
| 303 | } |
Jeff Thompson | c01e178 | 2013-10-21 14:08:42 -0700 | [diff] [blame] | 304 | |
| 305 | /** |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 306 | * Generate a self-signed certificate for a public key. |
| 307 | * @param keyName The name of the public key. |
| 308 | * @return The generated certificate. |
| 309 | */ |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame^] | 310 | shared_ptr<IdentityCertificate> |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 311 | selfSign(const Name& keyName) |
| 312 | { |
Yingdi Yu | 7ea6950 | 2014-01-15 17:21:29 -0800 | [diff] [blame] | 313 | if(keyName.empty()) |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 314 | throw InfoError("Incorrect key name: " + keyName.toUri()); |
Yingdi Yu | 7ea6950 | 2014-01-15 17:21:29 -0800 | [diff] [blame] | 315 | |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame^] | 316 | shared_ptr<IdentityCertificate> certificate = make_shared<IdentityCertificate>(); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 317 | |
| 318 | Name certificateName = keyName.getPrefix(-1); |
| 319 | certificateName.append("KEY").append(keyName.get(-1)).append("ID-CERT").appendVersion(); |
| 320 | |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame^] | 321 | shared_ptr<PublicKey> pubKey = Info::getPublicKey(keyName); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 322 | if (!pubKey) |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 323 | throw InfoError("Requested public key [" + keyName.toUri() + "] doesn't exist"); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 324 | |
| 325 | certificate->setName(certificateName); |
| 326 | certificate->setNotBefore(getNow()); |
| 327 | certificate->setNotAfter(getNow() + 630720000 /* 20 years*/); |
| 328 | certificate->setPublicKeyInfo(*pubKey); |
| 329 | certificate->addSubjectDescription(CertificateSubjectDescription("2.5.4.41", keyName.toUri())); |
| 330 | certificate->encode(); |
| 331 | |
| 332 | selfSign(*certificate); |
| 333 | return certificate; |
| 334 | } |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 335 | |
| 336 | /** |
| 337 | * @brief Self-sign the supplied identity certificate |
Jeff Thompson | 8efe5ad | 2013-08-20 17:36:38 -0700 | [diff] [blame] | 338 | */ |
Jeff Thompson | 2ce8f49 | 2013-09-17 18:01:25 -0700 | [diff] [blame] | 339 | void |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 340 | selfSign (IdentityCertificate& cert) |
| 341 | { |
| 342 | SignatureSha256WithRsa signature; |
| 343 | signature.setKeyLocator(cert.getName().getPrefix(-1)); // implicit conversion should take care |
| 344 | cert.setSignature(signature); |
| 345 | |
| 346 | // For temporary usage, we support RSA + SHA256 only, but will support more. |
Yingdi Yu | 8726f65 | 2014-01-23 10:35:12 -0800 | [diff] [blame] | 347 | signDataInTpm(cert, cert.getPublicKeyName(), DIGEST_ALGORITHM_SHA256); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 348 | } |
| 349 | |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 350 | void |
| 351 | deleteCertificate (const Name &certificateName) |
| 352 | { |
| 353 | if(Info::getDefaultIdentity() == IdentityCertificate::certificateNameToPublicKeyName(certificateName).getPrefix(-1)) |
| 354 | return; |
| 355 | |
| 356 | Info::deleteCertificateInfo(certificateName); |
| 357 | } |
| 358 | |
| 359 | void |
| 360 | deleteKey (const Name &keyName) |
| 361 | { |
| 362 | if(Info::getDefaultIdentity() == keyName.getPrefix(-1)) |
| 363 | return; |
| 364 | |
| 365 | Info::deletePublicKeyInfo(keyName); |
| 366 | Tpm::deleteKeyPairInTpm(keyName); |
| 367 | } |
| 368 | |
| 369 | void |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame^] | 370 | deleteIdentity (const Name& identity) |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 371 | { |
| 372 | if(Info::getDefaultIdentity() == identity) |
| 373 | return; |
| 374 | |
| 375 | std::vector<Name> nameList; |
| 376 | Info::getAllKeyNamesOfIdentity(identity, nameList, true); |
| 377 | Info::getAllKeyNamesOfIdentity(identity, nameList, false); |
| 378 | |
| 379 | Info::deleteIdentityInfo(identity); |
| 380 | |
| 381 | std::vector<Name>::const_iterator it = nameList.begin(); |
| 382 | for(; it != nameList.end(); it++) |
| 383 | Tpm::deleteKeyPairInTpm(*it); |
| 384 | } |
| 385 | |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame^] | 386 | Block |
| 387 | exportIdentity(const Name& identity, bool inTerminal = true, std::string passwordStr = "") |
| 388 | { |
| 389 | if (!Info::doesIdentityExist(identity)) |
| 390 | throw InfoError("Identity does not exist!"); |
| 391 | |
| 392 | Name keyName = Info::getDefaultKeyNameForIdentity(identity); |
| 393 | |
| 394 | if(keyName.empty()) |
| 395 | throw InfoError("Default key does not exist!"); |
| 396 | |
| 397 | ConstBufferPtr pkcs8 = Tpm::exportPrivateKeyPkcs8FromTpm(keyName, inTerminal, passwordStr); |
| 398 | Block wireKey(tlv::security::KeyPackage, pkcs8); |
| 399 | |
| 400 | Name certName = Info::getDefaultCertificateNameForKey(keyName); |
| 401 | |
| 402 | if(certName.empty()) |
| 403 | { |
| 404 | shared_ptr<IdentityCertificate> selfCert = selfSign(keyName); |
| 405 | Info::addCertificateAsIdentityDefault(*selfCert); |
| 406 | certName = selfCert->getName(); |
| 407 | } |
| 408 | |
| 409 | shared_ptr<IdentityCertificate> cert = Info::getCertificate(certName); |
| 410 | Block wireCert(tlv::security::CertificatePackage, cert->wireEncode()); |
| 411 | |
| 412 | Block wire(tlv::security::IdentityPackage); |
| 413 | wire.push_back(wireCert); |
| 414 | wire.push_back(wireKey); |
| 415 | |
| 416 | return wire; |
| 417 | } |
| 418 | |
| 419 | void |
| 420 | importIdentity(const Block& block, bool inTerminal = true, std::string passwordStr = "") |
| 421 | { |
| 422 | block.parse(); |
| 423 | |
| 424 | Data data; |
| 425 | data.wireDecode(block.get(tlv::security::CertificatePackage).blockFromValue()); |
| 426 | shared_ptr<IdentityCertificate> cert = make_shared<IdentityCertificate>(data); |
| 427 | |
| 428 | Name keyName = IdentityCertificate::certificateNameToPublicKeyName(cert->getName()); |
| 429 | Name identity = keyName.getPrefix(-1); |
| 430 | |
| 431 | // Add identity |
| 432 | if (Info::doesIdentityExist(identity)) |
| 433 | deleteIdentity(identity); |
| 434 | Info::addIdentity(identity); |
| 435 | |
| 436 | // Add key |
| 437 | Block wireKey = block.get(tlv::security::KeyPackage); |
| 438 | if (Tpm::doesKeyExistInTpm(keyName, KEY_CLASS_PRIVATE)) |
| 439 | deleteKey(keyName); |
| 440 | Tpm::importPrivateKeyPkcs8IntoTpm(keyName, wireKey.value(), wireKey.value_size(), inTerminal, passwordStr); |
| 441 | shared_ptr<PublicKey> pubKey = Tpm::getPublicKeyFromTpm(keyName.toUri()); |
| 442 | Info::addPublicKey(keyName, KEY_TYPE_RSA, *pubKey); // HACK! We should set key type according to the pkcs8 info. |
| 443 | Info::setDefaultKeyNameForIdentity(keyName); |
| 444 | |
| 445 | // Add cert |
| 446 | if (Info::doesCertificateExist(cert->getName())) |
| 447 | deleteCertificate(cert->getName()); |
| 448 | Info::addCertificateAsIdentityDefault(*cert); |
| 449 | } |
| 450 | |
Jeff Thompson | 8efe5ad | 2013-08-20 17:36:38 -0700 | [diff] [blame] | 451 | |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 452 | private: |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 453 | |
| 454 | void |
| 455 | sign(Data &data, const IdentityCertificate& certificate) |
| 456 | { |
| 457 | SignatureSha256WithRsa signature; |
| 458 | signature.setKeyLocator(certificate.getName().getPrefix(-1)); |
| 459 | data.setSignature(signature); |
| 460 | |
| 461 | // For temporary usage, we support RSA + SHA256 only, but will support more. |
| 462 | signDataInTpm(data, certificate.getPublicKeyName(), DIGEST_ALGORITHM_SHA256); |
| 463 | } |
| 464 | |
| 465 | void |
| 466 | sign(Interest &interest, const IdentityCertificate& certificate) |
| 467 | { |
| 468 | SignatureSha256WithRsa signature; |
| 469 | signature.setKeyLocator(certificate.getName().getPrefix(-1)); // implicit conversion should take care |
| 470 | |
Alexander Afanasyev | c348f83 | 2014-02-17 16:35:17 -0800 | [diff] [blame] | 471 | Name signedName = Name(interest.getName()).append(signature.getInfo()); |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 472 | |
Alexander Afanasyev | c348f83 | 2014-02-17 16:35:17 -0800 | [diff] [blame] | 473 | signature.setValue(Tpm::signInTpm(signedName.wireEncode().value(), |
| 474 | signedName.wireEncode().value_size(), |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 475 | certificate.getPublicKeyName(), |
| 476 | DIGEST_ALGORITHM_SHA256)); |
| 477 | |
Alexander Afanasyev | c348f83 | 2014-02-17 16:35:17 -0800 | [diff] [blame] | 478 | signedName.append(signature.getValue()); |
| 479 | interest.setName(signedName); |
Yingdi Yu | 28fd32f | 2014-01-28 19:03:03 -0800 | [diff] [blame] | 480 | } |
| 481 | |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 482 | /** |
| 483 | * Generate a key pair for the specified identity. |
| 484 | * @param identityName The name of the specified identity. |
| 485 | * @param isKsk true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK). |
| 486 | * @param keyType The type of the key pair, e.g. KEY_TYPE_RSA. |
| 487 | * @param keySize The size of the key pair. |
| 488 | * @return The name of the generated key. |
| 489 | */ |
| 490 | Name |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 491 | generateKeyPair(const Name& identityName, bool isKsk = false, KeyType keyType = KEY_TYPE_RSA, int keySize = 2048) |
| 492 | { |
| 493 | Name keyName = Info::getNewKeyName(identityName, isKsk); |
| 494 | |
| 495 | Tpm::generateKeyPairInTpm(keyName.toUri(), keyType, keySize); |
| 496 | |
Yingdi Yu | 8dceb1d | 2014-02-18 12:45:10 -0800 | [diff] [blame^] | 497 | shared_ptr<PublicKey> pubKey = Tpm::getPublicKeyFromTpm(keyName.toUri()); |
Yingdi Yu | ef26ee3 | 2014-01-15 16:41:14 -0800 | [diff] [blame] | 498 | Info::addPublicKey(keyName, keyType, *pubKey); |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 499 | |
| 500 | return keyName; |
| 501 | } |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 502 | |
| 503 | static Name |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 504 | getKeyNameFromCertificatePrefix(const Name& certificatePrefix) |
| 505 | { |
| 506 | Name result; |
Alexander Afanasyev | bf1a67a | 2014-01-05 23:36:13 -0800 | [diff] [blame] | 507 | |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 508 | std::string keyString("KEY"); |
| 509 | int i = 0; |
| 510 | for(; i < certificatePrefix.size(); i++) { |
| 511 | if (certificatePrefix.get(i).toEscapedString() == keyString) |
| 512 | break; |
| 513 | } |
Alexander Afanasyev | bf1a67a | 2014-01-05 23:36:13 -0800 | [diff] [blame] | 514 | |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 515 | if (i >= certificatePrefix.size()) |
Yingdi Yu | 4270f20 | 2014-01-28 14:19:16 -0800 | [diff] [blame] | 516 | throw InfoError("Identity Certificate Prefix does not have a KEY component"); |
Alexander Afanasyev | bd5ba40 | 2014-01-05 22:41:09 -0800 | [diff] [blame] | 517 | |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 518 | result.append(certificatePrefix.getSubName(0, i)); |
| 519 | result.append(certificatePrefix.getSubName(i + 1, certificatePrefix.size()-i-1)); |
| 520 | |
| 521 | return result; |
| 522 | } |
| 523 | |
Yingdi Yu | 8726f65 | 2014-01-23 10:35:12 -0800 | [diff] [blame] | 524 | /** |
| 525 | * Fetch the private key for keyName and sign the data, and set the signature block of the data packet. |
| 526 | * @param data Reference to the input data packet. |
| 527 | * @param keyName The name of the signing key. |
| 528 | * @param digestAlgorithm the digest algorithm. |
| 529 | * @throws Tpm::Error |
| 530 | */ |
| 531 | void |
| 532 | signDataInTpm(Data &data, const Name& keyName, DigestAlgorithm digestAlgorithm) |
| 533 | { |
| 534 | data.setSignatureValue |
| 535 | (Tpm::signInTpm(data.wireEncode().value(), |
| 536 | data.wireEncode().value_size() - data.getSignature().getValue().size(), |
| 537 | keyName, digestAlgorithm)); |
| 538 | } |
| 539 | |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 540 | }; |
| 541 | |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 542 | } |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 543 | |
Yingdi Yu | 0402092 | 2014-01-22 12:46:53 -0800 | [diff] [blame] | 544 | |
| 545 | |
Alexander Afanasyev | 3e08d5d | 2014-02-12 19:24:28 -0800 | [diff] [blame] | 546 | #if defined(NDN_CPP_HAVE_OSX_SECURITY) and defined(NDN_CPP_WITH_OSX_KEYCHAIN) |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 547 | |
| 548 | namespace ndn |
Alexander Afanasyev | e64788e | 2014-01-05 22:38:21 -0800 | [diff] [blame] | 549 | { |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 550 | typedef KeyChainImpl<SecPublicInfoSqlite3, SecTpmOsx> KeyChain; |
| 551 | }; |
Yingdi Yu | 2abd73f | 2014-01-08 23:34:11 -0800 | [diff] [blame] | 552 | |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 553 | #else |
Alexander Afanasyev | e64788e | 2014-01-05 22:38:21 -0800 | [diff] [blame] | 554 | |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 555 | namespace ndn |
Alexander Afanasyev | e64788e | 2014-01-05 22:38:21 -0800 | [diff] [blame] | 556 | { |
Yingdi Yu | 0402092 | 2014-01-22 12:46:53 -0800 | [diff] [blame] | 557 | typedef KeyChainImpl<SecPublicInfoSqlite3, SecTpmFile> KeyChain; |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 558 | }; |
Alexander Afanasyev | e64788e | 2014-01-05 22:38:21 -0800 | [diff] [blame] | 559 | |
Yingdi Yu | 31b4af2 | 2014-01-14 14:13:00 -0800 | [diff] [blame] | 560 | #endif //NDN_CPP_HAVE_OSX_SECURITY |
Jeff Thompson | 47c93cf | 2013-08-09 00:38:48 -0700 | [diff] [blame] | 561 | |
| 562 | #endif |