Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 1 | /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */ |
| 2 | /** |
| 3 | * Copyright (c) 2013-2017 Regents of the University of California. |
| 4 | * |
| 5 | * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions). |
| 6 | * |
| 7 | * ndn-cxx library is free software: you can redistribute it and/or modify it under the |
| 8 | * terms of the GNU Lesser General Public License as published by the Free Software |
| 9 | * Foundation, either version 3 of the License, or (at your option) any later version. |
| 10 | * |
| 11 | * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY |
| 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A |
| 13 | * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. |
| 14 | * |
| 15 | * You should have received copies of the GNU General Public License and GNU Lesser |
| 16 | * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see |
| 17 | * <http://www.gnu.org/licenses/>. |
| 18 | * |
| 19 | * See AUTHORS.md for complete list of ndn-cxx authors and contributors. |
| 20 | */ |
| 21 | |
| 22 | #include "key-chain.hpp" |
| 23 | |
| 24 | #include "../../util/config-file.hpp" |
Alexander Afanasyev | 83eb1cc | 2017-01-04 17:34:34 -0800 | [diff] [blame] | 25 | #include "../../util/logger.hpp" |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 26 | |
| 27 | #include "../pib/pib-sqlite3.hpp" |
| 28 | #include "../pib/pib-memory.hpp" |
| 29 | |
| 30 | #ifdef NDN_CXX_HAVE_OSX_SECURITY |
| 31 | #include "../tpm/back-end-osx.hpp" |
| 32 | #endif // NDN_CXX_HAVE_OSX_SECURITY |
| 33 | |
| 34 | #include "../tpm/back-end-file.hpp" |
| 35 | #include "../tpm/back-end-mem.hpp" |
| 36 | |
| 37 | #include "../transform/bool-sink.hpp" |
| 38 | #include "../transform/buffer-source.hpp" |
| 39 | #include "../transform/private-key.hpp" |
| 40 | #include "../transform/verifier-filter.hpp" |
| 41 | #include "../../encoding/buffer-stream.hpp" |
| 42 | #include "../../util/crypto.hpp" |
| 43 | |
| 44 | #include <boost/lexical_cast.hpp> |
| 45 | |
| 46 | namespace ndn { |
| 47 | namespace security { |
| 48 | |
| 49 | // When static library is used, not everything is compiled into the resulting binary. |
| 50 | // Therefore, the following standard PIB and TPMs need to be registered here. |
| 51 | // http://stackoverflow.com/q/9459980/2150331 |
| 52 | |
| 53 | ///////// |
| 54 | // PIB // |
| 55 | ///////// |
| 56 | namespace pib { |
| 57 | NDN_CXX_V2_KEYCHAIN_REGISTER_PIB_BACKEND(PibSqlite3); |
| 58 | NDN_CXX_V2_KEYCHAIN_REGISTER_PIB_BACKEND(PibMemory); |
| 59 | } // namespace pib |
| 60 | |
| 61 | ///////// |
| 62 | // TPM // |
| 63 | ///////// |
| 64 | namespace tpm { |
| 65 | #if defined(NDN_CXX_HAVE_OSX_SECURITY) && defined(NDN_CXX_WITH_OSX_KEYCHAIN) |
| 66 | NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND(BackEndOsx); |
| 67 | #endif // defined(NDN_CXX_HAVE_OSX_SECURITY) && defined(NDN_CXX_WITH_OSX_KEYCHAIN) |
| 68 | |
| 69 | NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND(BackEndFile); |
| 70 | NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND(BackEndMem); |
| 71 | } // namespace tpm |
| 72 | |
| 73 | namespace v2 { |
| 74 | |
Alexander Afanasyev | 83eb1cc | 2017-01-04 17:34:34 -0800 | [diff] [blame] | 75 | NDN_LOG_INIT(ndn.security.v2.KeyChain); |
| 76 | |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 77 | std::string KeyChain::s_defaultPibLocator; |
| 78 | std::string KeyChain::s_defaultTpmLocator; |
| 79 | |
| 80 | KeyChain::PibFactories& |
| 81 | KeyChain::getPibFactories() |
| 82 | { |
| 83 | static PibFactories pibFactories; |
| 84 | return pibFactories; |
| 85 | } |
| 86 | |
| 87 | KeyChain::TpmFactories& |
| 88 | KeyChain::getTpmFactories() |
| 89 | { |
| 90 | static TpmFactories tpmFactories; |
| 91 | return tpmFactories; |
| 92 | } |
| 93 | |
| 94 | const std::string& |
| 95 | KeyChain::getDefaultPibScheme() |
| 96 | { |
| 97 | return pib::PibSqlite3::getScheme();; |
| 98 | } |
| 99 | |
| 100 | const std::string& |
| 101 | KeyChain::getDefaultTpmScheme() |
| 102 | { |
| 103 | #if defined(NDN_CXX_HAVE_OSX_SECURITY) && defined(NDN_CXX_WITH_OSX_KEYCHAIN) |
| 104 | return tpm::BackEndOsx::getScheme();; |
| 105 | #else |
| 106 | return tpm::BackEndFile::getScheme(); |
| 107 | #endif // defined(NDN_CXX_HAVE_OSX_SECURITY) && defined(NDN_CXX_WITH_OSX_KEYCHAIN) |
| 108 | } |
| 109 | |
| 110 | const std::string& |
| 111 | KeyChain::getDefaultPibLocator() |
| 112 | { |
| 113 | if (!s_defaultPibLocator.empty()) |
| 114 | return s_defaultPibLocator; |
| 115 | |
| 116 | if (getenv("NDN_CLIENT_PIB") != nullptr) { |
| 117 | s_defaultPibLocator = getenv("NDN_CLIENT_PIB"); |
| 118 | } |
| 119 | else { |
| 120 | ConfigFile config; |
| 121 | s_defaultPibLocator = config.getParsedConfiguration().get<std::string>("pib", getDefaultPibScheme() + ":"); |
| 122 | } |
| 123 | |
| 124 | return s_defaultPibLocator; |
| 125 | } |
| 126 | |
| 127 | const std::string& |
| 128 | KeyChain::getDefaultTpmLocator() |
| 129 | { |
| 130 | if (!s_defaultTpmLocator.empty()) |
| 131 | return s_defaultTpmLocator; |
| 132 | |
| 133 | if (getenv("NDN_CLIENT_TPM") != nullptr) { |
| 134 | s_defaultTpmLocator = getenv("NDN_CLIENT_TPM"); |
| 135 | } |
| 136 | else { |
| 137 | ConfigFile config; |
| 138 | s_defaultTpmLocator = config.getParsedConfiguration().get<std::string>("tpm", getDefaultTpmScheme() + ":"); |
| 139 | } |
| 140 | |
| 141 | return s_defaultTpmLocator; |
| 142 | } |
| 143 | |
| 144 | |
| 145 | // Other defaults |
| 146 | |
| 147 | const SigningInfo& |
| 148 | KeyChain::getDefaultSigningInfo() |
| 149 | { |
| 150 | static SigningInfo signingInfo; |
| 151 | return signingInfo; |
| 152 | } |
| 153 | |
| 154 | const KeyParams& |
| 155 | KeyChain::getDefaultKeyParams() |
| 156 | { |
Spyridon Mastorakis | 1ece2e3 | 2015-08-27 18:52:21 -0700 | [diff] [blame] | 157 | static EcKeyParams keyParams; |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 158 | return keyParams; |
| 159 | } |
| 160 | |
| 161 | // |
| 162 | |
| 163 | KeyChain::KeyChain() |
| 164 | : KeyChain(getDefaultPibLocator(), getDefaultTpmLocator(), true) |
| 165 | { |
| 166 | } |
| 167 | |
| 168 | KeyChain::KeyChain(const std::string& pibLocator, const std::string& tpmLocator, bool allowReset) |
| 169 | { |
| 170 | // PIB Locator |
| 171 | std::string pibScheme, pibLocation; |
| 172 | std::tie(pibScheme, pibLocation) = parseAndCheckPibLocator(pibLocator); |
| 173 | std::string canonicalPibLocator = pibScheme + ":" + pibLocation; |
| 174 | |
| 175 | // Create PIB |
| 176 | m_pib = createPib(canonicalPibLocator); |
| 177 | std::string oldTpmLocator; |
| 178 | try { |
| 179 | oldTpmLocator = m_pib->getTpmLocator(); |
| 180 | } |
| 181 | catch (const Pib::Error&) { |
| 182 | // TPM locator is not set in PIB yet. |
| 183 | } |
| 184 | |
| 185 | // TPM Locator |
| 186 | std::string tpmScheme, tpmLocation; |
| 187 | std::tie(tpmScheme, tpmLocation) = parseAndCheckTpmLocator(tpmLocator); |
| 188 | std::string canonicalTpmLocator = tpmScheme + ":" + tpmLocation; |
| 189 | |
| 190 | if (canonicalPibLocator == getDefaultPibLocator()) { |
| 191 | // Default PIB must use default TPM |
| 192 | if (!oldTpmLocator.empty() && oldTpmLocator != getDefaultTpmLocator()) { |
| 193 | m_pib->reset(); |
| 194 | canonicalTpmLocator = getDefaultTpmLocator(); |
| 195 | } |
| 196 | } |
| 197 | else { |
| 198 | // non-default PIB check consistency |
| 199 | if (!oldTpmLocator.empty() && oldTpmLocator != canonicalTpmLocator) { |
| 200 | if (allowReset) |
| 201 | m_pib->reset(); |
| 202 | else |
| 203 | BOOST_THROW_EXCEPTION(LocatorMismatchError("TPM locator supplied does not match TPM locator in PIB: " + |
| 204 | oldTpmLocator + " != " + canonicalTpmLocator)); |
| 205 | } |
| 206 | } |
| 207 | |
| 208 | // note that key mismatch may still happen if the TPM locator is initially set to a |
| 209 | // wrong one or if the PIB was shared by more than one TPMs before. This is due to the |
| 210 | // old PIB does not have TPM info, new pib should not have this problem. |
| 211 | m_tpm = createTpm(canonicalTpmLocator); |
| 212 | m_pib->setTpmLocator(canonicalTpmLocator); |
| 213 | } |
| 214 | |
| 215 | KeyChain::~KeyChain() = default; |
| 216 | |
| 217 | // public: management |
| 218 | |
| 219 | Identity |
| 220 | KeyChain::createIdentity(const Name& identityName, const KeyParams& params) |
| 221 | { |
| 222 | Identity id = m_pib->addIdentity(identityName); |
| 223 | |
| 224 | Key key; |
| 225 | try { |
| 226 | key = id.getDefaultKey(); |
| 227 | } |
| 228 | catch (const Pib::Error&) { |
| 229 | key = createKey(id, params); |
| 230 | } |
| 231 | |
| 232 | try { |
| 233 | key.getDefaultCertificate(); |
| 234 | } |
| 235 | catch (const Pib::Error&) { |
Alexander Afanasyev | 83eb1cc | 2017-01-04 17:34:34 -0800 | [diff] [blame] | 236 | NDN_LOG_DEBUG("No default cert for " << key.getName() << ", requesting self-signing"); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 237 | selfSign(key); |
| 238 | } |
| 239 | |
| 240 | return id; |
| 241 | } |
| 242 | |
| 243 | void |
| 244 | KeyChain::deleteIdentity(const Identity& identity) |
| 245 | { |
| 246 | BOOST_ASSERT(static_cast<bool>(identity)); |
| 247 | |
| 248 | Name identityName = identity.getName(); |
| 249 | |
| 250 | for (const auto& key : identity.getKeys()) { |
| 251 | m_tpm->deleteKey(key.getName()); |
| 252 | } |
| 253 | |
| 254 | m_pib->removeIdentity(identityName); |
| 255 | } |
| 256 | |
| 257 | void |
| 258 | KeyChain::setDefaultIdentity(const Identity& identity) |
| 259 | { |
| 260 | BOOST_ASSERT(static_cast<bool>(identity)); |
| 261 | |
| 262 | m_pib->setDefaultIdentity(identity.getName()); |
| 263 | } |
| 264 | |
| 265 | Key |
| 266 | KeyChain::createKey(const Identity& identity, const KeyParams& params) |
| 267 | { |
| 268 | BOOST_ASSERT(static_cast<bool>(identity)); |
| 269 | |
| 270 | // create key in TPM |
| 271 | Name keyName = m_tpm->createKey(identity.getName(), params); |
| 272 | |
| 273 | // set up key info in PIB |
| 274 | ConstBufferPtr pubKey = m_tpm->getPublicKey(keyName); |
| 275 | Key key = identity.addKey(pubKey->buf(), pubKey->size(), keyName); |
Alexander Afanasyev | 83eb1cc | 2017-01-04 17:34:34 -0800 | [diff] [blame] | 276 | |
| 277 | NDN_LOG_DEBUG("Requesting self-signing for newly created key " << key.getName()); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 278 | selfSign(key); |
| 279 | |
| 280 | return key; |
| 281 | } |
| 282 | |
| 283 | void |
| 284 | KeyChain::deleteKey(const Identity& identity, const Key& key) |
| 285 | { |
| 286 | BOOST_ASSERT(static_cast<bool>(identity)); |
| 287 | BOOST_ASSERT(static_cast<bool>(key)); |
| 288 | |
| 289 | Name keyName = key.getName(); |
| 290 | if (identity.getName() != key.getIdentity()) { |
| 291 | BOOST_THROW_EXCEPTION(std::invalid_argument("Identity `" + identity.getName().toUri() + "` " |
| 292 | "does match key `" + keyName.toUri() + "`")); |
| 293 | } |
| 294 | |
| 295 | identity.removeKey(keyName); |
| 296 | m_tpm->deleteKey(keyName); |
| 297 | } |
| 298 | |
| 299 | void |
| 300 | KeyChain::setDefaultKey(const Identity& identity, const Key& key) |
| 301 | { |
| 302 | BOOST_ASSERT(static_cast<bool>(identity)); |
| 303 | BOOST_ASSERT(static_cast<bool>(key)); |
| 304 | |
| 305 | if (identity.getName() != key.getIdentity()) |
| 306 | BOOST_THROW_EXCEPTION(std::invalid_argument("Identity `" + identity.getName().toUri() + "` " |
| 307 | "does match key `" + key.getName().toUri() + "`")); |
| 308 | |
| 309 | identity.setDefaultKey(key.getName()); |
| 310 | } |
| 311 | |
| 312 | void |
| 313 | KeyChain::addCertificate(const Key& key, const Certificate& certificate) |
| 314 | { |
| 315 | BOOST_ASSERT(static_cast<bool>(key)); |
| 316 | |
| 317 | if (key.getName() != certificate.getKeyName() || |
| 318 | !std::equal(certificate.getContent().value_begin(), certificate.getContent().value_end(), |
| 319 | key.getPublicKey().begin())) |
| 320 | BOOST_THROW_EXCEPTION(std::invalid_argument("Key `" + key.getName().toUri() + "` " |
| 321 | "does match certificate `" + certificate.getName().toUri() + "`")); |
| 322 | |
| 323 | key.addCertificate(certificate); |
| 324 | } |
| 325 | |
| 326 | void |
| 327 | KeyChain::deleteCertificate(const Key& key, const Name& certificateName) |
| 328 | { |
| 329 | BOOST_ASSERT(static_cast<bool>(key)); |
| 330 | |
| 331 | if (!Certificate::isValidName(certificateName)) { |
| 332 | BOOST_THROW_EXCEPTION(std::invalid_argument("Wrong certificate name `" + certificateName.toUri() + "`")); |
| 333 | } |
| 334 | |
| 335 | key.removeCertificate(certificateName); |
| 336 | } |
| 337 | |
| 338 | void |
| 339 | KeyChain::setDefaultCertificate(const Key& key, const Certificate& cert) |
| 340 | { |
| 341 | BOOST_ASSERT(static_cast<bool>(key)); |
| 342 | |
| 343 | try { |
| 344 | addCertificate(key, cert); |
| 345 | } |
| 346 | catch (const Pib::Error&) { // force to overwrite the existing certificates |
| 347 | key.removeCertificate(cert.getName()); |
| 348 | addCertificate(key, cert); |
| 349 | } |
| 350 | key.setDefaultCertificate(cert.getName()); |
| 351 | } |
| 352 | |
| 353 | shared_ptr<SafeBag> |
| 354 | KeyChain::exportSafeBag(const Certificate& certificate, const char* pw, size_t pwLen) |
| 355 | { |
| 356 | Name identity = certificate.getIdentity(); |
| 357 | Name keyName = certificate.getKeyName(); |
| 358 | |
| 359 | ConstBufferPtr encryptedKey; |
| 360 | try { |
| 361 | encryptedKey = m_tpm->exportPrivateKey(keyName, pw, pwLen); |
| 362 | } |
| 363 | catch (const tpm::BackEnd::Error&) { |
| 364 | BOOST_THROW_EXCEPTION(Error("Private `" + keyName.toUri() + "` key does not exist")); |
| 365 | } |
| 366 | |
| 367 | return make_shared<SafeBag>(certificate, *encryptedKey); |
| 368 | } |
| 369 | |
| 370 | void |
| 371 | KeyChain::importSafeBag(const SafeBag& safeBag, const char* pw, size_t pwLen) |
| 372 | { |
| 373 | Data certData = safeBag.getCertificate(); |
| 374 | Certificate cert(std::move(certData)); |
| 375 | Name identity = cert.getIdentity(); |
| 376 | Name keyName = cert.getKeyName(); |
| 377 | const Buffer publicKeyBits = cert.getPublicKey(); |
| 378 | |
| 379 | if (m_tpm->hasKey(keyName)) { |
| 380 | BOOST_THROW_EXCEPTION(Error("Private key `" + keyName.toUri() + "` already exists")); |
| 381 | } |
| 382 | |
| 383 | try { |
| 384 | Identity existingId = m_pib->getIdentity(identity); |
| 385 | existingId.getKey(keyName); |
| 386 | BOOST_THROW_EXCEPTION(Error("Public key `" + keyName.toUri() + "` already exists")); |
| 387 | } |
| 388 | catch (const Pib::Error&) { |
| 389 | // Either identity or key doesn't exist. OK to import. |
| 390 | } |
| 391 | |
| 392 | try { |
| 393 | m_tpm->importPrivateKey(keyName, |
| 394 | safeBag.getEncryptedKeyBag().buf(), safeBag.getEncryptedKeyBag().size(), |
| 395 | pw, pwLen); |
| 396 | } |
| 397 | catch (const std::runtime_error&) { |
| 398 | BOOST_THROW_EXCEPTION(Error("Fail to import private key `" + keyName.toUri() + "`")); |
| 399 | } |
| 400 | |
| 401 | // check the consistency of private key and certificate |
| 402 | const uint8_t content[] = {0x01, 0x02, 0x03, 0x04}; |
| 403 | ConstBufferPtr sigBits; |
| 404 | try { |
| 405 | sigBits = m_tpm->sign(content, 4, keyName, DigestAlgorithm::SHA256); |
| 406 | } |
| 407 | catch (const std::runtime_error&) { |
| 408 | m_tpm->deleteKey(keyName); |
| 409 | BOOST_THROW_EXCEPTION(Error("Invalid private key `" + keyName.toUri() + "`")); |
| 410 | } |
| 411 | bool isVerified = false; |
| 412 | { |
| 413 | using namespace transform; |
| 414 | PublicKey publicKey; |
| 415 | publicKey.loadPkcs8(publicKeyBits.buf(), publicKeyBits.size()); |
| 416 | bufferSource(content, sizeof(content)) >> verifierFilter(DigestAlgorithm::SHA256, publicKey, |
| 417 | sigBits->buf(), sigBits->size()) |
| 418 | >> boolSink(isVerified); |
| 419 | } |
| 420 | if (!isVerified) { |
| 421 | m_tpm->deleteKey(keyName); |
| 422 | BOOST_THROW_EXCEPTION(Error("Certificate `" + cert.getName().toUri() + "` " |
| 423 | "and private key `" + keyName.toUri() + "` do not match")); |
| 424 | } |
| 425 | |
| 426 | Identity id = m_pib->addIdentity(identity); |
| 427 | Key key = id.addKey(cert.getPublicKey().buf(), cert.getPublicKey().size(), keyName); |
| 428 | key.addCertificate(cert); |
| 429 | } |
| 430 | |
| 431 | |
| 432 | // public: signing |
| 433 | |
| 434 | void |
| 435 | KeyChain::sign(Data& data, const SigningInfo& params) |
| 436 | { |
| 437 | Name keyName; |
| 438 | SignatureInfo sigInfo; |
| 439 | std::tie(keyName, sigInfo) = prepareSignatureInfo(params); |
| 440 | |
| 441 | data.setSignature(Signature(sigInfo)); |
| 442 | |
| 443 | EncodingBuffer encoder; |
| 444 | data.wireEncode(encoder, true); |
| 445 | |
| 446 | Block sigValue = sign(encoder.buf(), encoder.size(), keyName, params.getDigestAlgorithm()); |
| 447 | |
| 448 | data.wireEncode(encoder, sigValue); |
| 449 | } |
| 450 | |
| 451 | void |
| 452 | KeyChain::sign(Interest& interest, const SigningInfo& params) |
| 453 | { |
| 454 | Name keyName; |
| 455 | SignatureInfo sigInfo; |
| 456 | std::tie(keyName, sigInfo) = prepareSignatureInfo(params); |
| 457 | |
| 458 | Name signedName = interest.getName(); |
| 459 | signedName.append(sigInfo.wireEncode()); // signatureInfo |
| 460 | |
| 461 | Block sigValue = sign(signedName.wireEncode().value(), signedName.wireEncode().value_size(), |
| 462 | keyName, params.getDigestAlgorithm()); |
| 463 | |
| 464 | sigValue.encode(); |
| 465 | signedName.append(sigValue); // signatureValue |
| 466 | interest.setName(signedName); |
| 467 | } |
| 468 | |
| 469 | Block |
| 470 | KeyChain::sign(const uint8_t* buffer, size_t bufferLength, const SigningInfo& params) |
| 471 | { |
| 472 | Name keyName; |
| 473 | SignatureInfo sigInfo; |
| 474 | std::tie(keyName, sigInfo) = prepareSignatureInfo(params); |
| 475 | |
| 476 | return sign(buffer, bufferLength, keyName, params.getDigestAlgorithm()); |
| 477 | } |
| 478 | |
| 479 | // public: PIB/TPM creation helpers |
| 480 | |
| 481 | static inline std::tuple<std::string/*type*/, std::string/*location*/> |
| 482 | parseLocatorUri(const std::string& uri) |
| 483 | { |
| 484 | size_t pos = uri.find(':'); |
| 485 | if (pos != std::string::npos) { |
| 486 | return std::make_tuple(uri.substr(0, pos), uri.substr(pos + 1)); |
| 487 | } |
| 488 | else { |
| 489 | return std::make_tuple(uri, ""); |
| 490 | } |
| 491 | } |
| 492 | |
| 493 | std::tuple<std::string/*type*/, std::string/*location*/> |
| 494 | KeyChain::parseAndCheckPibLocator(const std::string& pibLocator) |
| 495 | { |
| 496 | std::string pibScheme, pibLocation; |
| 497 | std::tie(pibScheme, pibLocation) = parseLocatorUri(pibLocator); |
| 498 | |
| 499 | if (pibScheme.empty()) { |
| 500 | pibScheme = getDefaultPibScheme(); |
| 501 | } |
| 502 | |
| 503 | auto pibFactory = getPibFactories().find(pibScheme); |
| 504 | if (pibFactory == getPibFactories().end()) { |
| 505 | BOOST_THROW_EXCEPTION(KeyChain::Error("PIB scheme `" + pibScheme + "` is not supported")); |
| 506 | } |
| 507 | |
| 508 | return std::make_tuple(pibScheme, pibLocation); |
| 509 | } |
| 510 | |
| 511 | unique_ptr<Pib> |
| 512 | KeyChain::createPib(const std::string& pibLocator) |
| 513 | { |
| 514 | std::string pibScheme, pibLocation; |
| 515 | std::tie(pibScheme, pibLocation) = parseAndCheckPibLocator(pibLocator); |
| 516 | auto pibFactory = getPibFactories().find(pibScheme); |
| 517 | BOOST_ASSERT(pibFactory != getPibFactories().end()); |
| 518 | return unique_ptr<Pib>(new Pib(pibScheme, pibLocation, pibFactory->second(pibLocation))); |
| 519 | } |
| 520 | |
| 521 | std::tuple<std::string/*type*/, std::string/*location*/> |
| 522 | KeyChain::parseAndCheckTpmLocator(const std::string& tpmLocator) |
| 523 | { |
| 524 | std::string tpmScheme, tpmLocation; |
| 525 | std::tie(tpmScheme, tpmLocation) = parseLocatorUri(tpmLocator); |
| 526 | |
| 527 | if (tpmScheme.empty()) { |
| 528 | tpmScheme = getDefaultTpmScheme(); |
| 529 | } |
| 530 | auto tpmFactory = getTpmFactories().find(tpmScheme); |
| 531 | if (tpmFactory == getTpmFactories().end()) { |
| 532 | BOOST_THROW_EXCEPTION(KeyChain::Error("TPM scheme `" + tpmScheme + "` is not supported")); |
| 533 | } |
| 534 | |
| 535 | return std::make_tuple(tpmScheme, tpmLocation); |
| 536 | } |
| 537 | |
| 538 | unique_ptr<Tpm> |
| 539 | KeyChain::createTpm(const std::string& tpmLocator) |
| 540 | { |
| 541 | std::string tpmScheme, tpmLocation; |
| 542 | std::tie(tpmScheme, tpmLocation) = parseAndCheckTpmLocator(tpmLocator); |
| 543 | auto tpmFactory = getTpmFactories().find(tpmScheme); |
| 544 | BOOST_ASSERT(tpmFactory != getTpmFactories().end()); |
| 545 | return unique_ptr<Tpm>(new Tpm(tpmScheme, tpmLocation, tpmFactory->second(tpmLocation))); |
| 546 | } |
| 547 | |
| 548 | // private: signing |
| 549 | |
| 550 | Certificate |
| 551 | KeyChain::selfSign(Key& key) |
| 552 | { |
| 553 | Certificate certificate; |
| 554 | |
| 555 | // set name |
| 556 | Name certificateName = key.getName(); |
| 557 | certificateName |
| 558 | .append("self") |
| 559 | .appendVersion(); |
| 560 | certificate.setName(certificateName); |
| 561 | |
| 562 | // set metainfo |
| 563 | certificate.setContentType(tlv::ContentType_Key); |
| 564 | certificate.setFreshnessPeriod(time::hours(1)); |
| 565 | |
| 566 | // set content |
| 567 | certificate.setContent(key.getPublicKey().buf(), key.getPublicKey().size()); |
| 568 | |
| 569 | // set signature-info |
Alexander Afanasyev | 83eb1cc | 2017-01-04 17:34:34 -0800 | [diff] [blame] | 570 | SignatureInfo signatureInfo; |
Alexander Afanasyev | f837917 | 2017-01-11 16:56:04 -0800 | [diff] [blame] | 571 | // Note time::system_clock::max() or other NotAfter date results in incorrect encoded value |
| 572 | // because of overflow during conversion to boost::posix_time::ptime (bug #3915). |
| 573 | signatureInfo.setValidityPeriod(ValidityPeriod(time::system_clock::TimePoint(), |
| 574 | time::system_clock::now() + time::days(20 * 365))); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 575 | |
Alexander Afanasyev | 83eb1cc | 2017-01-04 17:34:34 -0800 | [diff] [blame] | 576 | sign(certificate, SigningInfo(key).setSignatureInfo(signatureInfo)); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 577 | |
| 578 | key.addCertificate(certificate); |
| 579 | return certificate; |
| 580 | } |
| 581 | |
| 582 | std::tuple<Name, SignatureInfo> |
| 583 | KeyChain::prepareSignatureInfo(const SigningInfo& params) |
| 584 | { |
| 585 | SignatureInfo sigInfo = params.getSignatureInfo(); |
| 586 | |
| 587 | Name identityName; |
| 588 | name::Component keyId; |
| 589 | Name certificateName; |
| 590 | |
| 591 | pib::Identity identity; |
| 592 | pib::Key key; |
| 593 | |
| 594 | switch (params.getSignerType()) { |
| 595 | case SigningInfo::SIGNER_TYPE_NULL: { |
| 596 | try { |
| 597 | identity = m_pib->getDefaultIdentity(); |
| 598 | } |
| 599 | catch (const Pib::Error&) { // no default identity, use sha256 for signing. |
| 600 | sigInfo.setSignatureType(tlv::DigestSha256); |
| 601 | return std::make_tuple(SigningInfo::getDigestSha256Identity(), sigInfo); |
| 602 | } |
| 603 | break; |
| 604 | } |
| 605 | case SigningInfo::SIGNER_TYPE_ID: { |
Junxiao Shi | fe1239a | 2017-01-27 20:36:12 +0000 | [diff] [blame^] | 606 | identity = params.getPibIdentity(); |
| 607 | if (!identity) { |
| 608 | try { |
| 609 | identity = m_pib->getIdentity(params.getSignerName()); |
| 610 | } |
| 611 | catch (const Pib::Error&) { |
| 612 | BOOST_THROW_EXCEPTION(InvalidSigningInfoError("Signing identity `" + |
| 613 | params.getSignerName().toUri() + "` does not exist")); |
| 614 | } |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 615 | } |
| 616 | break; |
| 617 | } |
| 618 | case SigningInfo::SIGNER_TYPE_KEY: { |
Junxiao Shi | fe1239a | 2017-01-27 20:36:12 +0000 | [diff] [blame^] | 619 | key = params.getPibKey(); |
| 620 | if (!key) { |
| 621 | Name identityName = extractIdentityFromKeyName(params.getSignerName()); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 622 | |
Junxiao Shi | fe1239a | 2017-01-27 20:36:12 +0000 | [diff] [blame^] | 623 | try { |
| 624 | identity = m_pib->getIdentity(identityName); |
| 625 | key = identity.getKey(params.getSignerName()); |
| 626 | identity = Identity(); // we will use the PIB key instance, so reset identity; |
| 627 | } |
| 628 | catch (const Pib::Error&) { |
| 629 | BOOST_THROW_EXCEPTION(InvalidSigningInfoError("Signing key `" + |
| 630 | params.getSignerName().toUri() + "` does not exist")); |
| 631 | } |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 632 | } |
| 633 | break; |
| 634 | } |
| 635 | case SigningInfo::SIGNER_TYPE_CERT: { |
| 636 | Name identityName = extractIdentityFromCertName(params.getSignerName()); |
| 637 | Name keyName = extractKeyNameFromCertName(params.getSignerName()); |
| 638 | |
| 639 | try { |
| 640 | identity = m_pib->getIdentity(identityName); |
| 641 | key = identity.getKey(keyName); |
| 642 | } |
| 643 | catch (const Pib::Error&) { |
| 644 | BOOST_THROW_EXCEPTION(InvalidSigningInfoError("Signing certificate `" + |
| 645 | params.getSignerName().toUri() + "` does not exist")); |
| 646 | } |
| 647 | |
| 648 | break; |
| 649 | } |
| 650 | case SigningInfo::SIGNER_TYPE_SHA256: { |
| 651 | sigInfo.setSignatureType(tlv::DigestSha256); |
| 652 | return std::make_tuple(SigningInfo::getDigestSha256Identity(), sigInfo); |
| 653 | } |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 654 | default: { |
| 655 | BOOST_THROW_EXCEPTION(InvalidSigningInfoError("Unrecognized signer type " + |
| 656 | boost::lexical_cast<std::string>(params.getSignerType()))); |
| 657 | } |
| 658 | } |
| 659 | |
| 660 | if (!identity && !key) { |
| 661 | BOOST_THROW_EXCEPTION(InvalidSigningInfoError("Cannot determine signing parameters")); |
| 662 | } |
| 663 | |
| 664 | if (identity && !key) { |
| 665 | try { |
| 666 | key = identity.getDefaultKey(); |
| 667 | } |
| 668 | catch (const Pib::Error&) { |
| 669 | BOOST_THROW_EXCEPTION(InvalidSigningInfoError("Signing identity `" + identity.getName().toUri() + |
| 670 | "` does not have default certificate")); |
| 671 | } |
| 672 | } |
| 673 | |
| 674 | BOOST_ASSERT(key); |
| 675 | |
| 676 | sigInfo.setSignatureType(getSignatureType(key.getKeyType(), params.getDigestAlgorithm())); |
| 677 | sigInfo.setKeyLocator(KeyLocator(key.getName())); |
Alexander Afanasyev | 7e72141 | 2017-01-11 13:36:08 -0800 | [diff] [blame] | 678 | |
| 679 | NDN_LOG_TRACE("Prepared signature info: " << sigInfo); |
Yingdi Yu | fe4733a | 2015-10-22 14:24:12 -0700 | [diff] [blame] | 680 | return std::make_tuple(key.getName(), sigInfo); |
| 681 | } |
| 682 | |
| 683 | Block |
| 684 | KeyChain::sign(const uint8_t* buf, size_t size, |
| 685 | const Name& keyName, DigestAlgorithm digestAlgorithm) const |
| 686 | { |
| 687 | if (keyName == SigningInfo::getDigestSha256Identity()) |
| 688 | return Block(tlv::SignatureValue, crypto::sha256(buf, size)); |
| 689 | |
| 690 | return Block(tlv::SignatureValue, m_tpm->sign(buf, size, keyName, digestAlgorithm)); |
| 691 | } |
| 692 | |
| 693 | tlv::SignatureTypeValue |
| 694 | KeyChain::getSignatureType(KeyType keyType, DigestAlgorithm digestAlgorithm) |
| 695 | { |
| 696 | switch (keyType) { |
| 697 | case KeyType::RSA: |
| 698 | return tlv::SignatureSha256WithRsa; |
| 699 | case KeyType::EC: |
| 700 | return tlv::SignatureSha256WithEcdsa; |
| 701 | default: |
| 702 | BOOST_THROW_EXCEPTION(Error("Unsupported key types")); |
| 703 | } |
| 704 | } |
| 705 | |
| 706 | } // namespace v2 |
| 707 | } // namespace security |
| 708 | } // namespace ndn |