some update
Change-Id: I91acb87febd9c74521a5afc20024229bd92438df
diff --git a/src/ca-module.cpp b/src/ca-module.cpp
index f04d3df..e378314 100644
--- a/src/ca-module.cpp
+++ b/src/ca-module.cpp
@@ -252,12 +252,6 @@
"Cannot derive a shared secret using the provided ECDH key."));
return;
}
- // generate salt for HKDF
- std::array<uint8_t, 32> salt;
- random::generateSecureBytes(salt.data(), salt.size());
- // hkdf
- std::array<uint8_t, 16> aesKey;
- hkdf(sharedSecret.data(), sharedSecret.size(), salt.data(), salt.size(), aesKey.data(), aesKey.size());
// verify identity name
if (!m_config.caProfile.caPrefix.isPrefixOf(clientCert->getIdentity())
@@ -334,6 +328,13 @@
requestState.requestId = id;
requestState.requestType = requestType;
requestState.cert = *clientCert;
+ // generate salt for HKDF
+ std::array<uint8_t, 32> salt;
+ random::generateSecureBytes(salt.data(), salt.size());
+ // hkdf
+ std::array<uint8_t, 16> aesKey;
+ hkdf(sharedSecret.data(), sharedSecret.size(), salt.data(), salt.size(),
+ aesKey.data(), aesKey.size(), id.data(), id.size());
requestState.encryptionKey = aesKey;
try {
m_storage->addRequest(requestState);
diff --git a/src/detail/challenge-encoder.cpp b/src/detail/challenge-encoder.cpp
index 083fa61..3870c95 100644
--- a/src/detail/challenge-encoder.cpp
+++ b/src/detail/challenge-encoder.cpp
@@ -53,25 +53,25 @@
void
challengetlv::decodeDataContent(const Block& contentBlock, requester::Request& state)
{
- auto result = decodeBlockWithAesGcm128(contentBlock, state.aesKey.data(),
- state.requestId.data(), state.requestId.size(),
- state.decryptionIv);
+ auto result = decodeBlockWithAesGcm128(contentBlock, state.m_aesKey.data(),
+ state.m_requestId.data(), state.m_requestId.size(),
+ state.m_decryptionIv);
auto data = makeBinaryBlock(tlv::EncryptedPayload, result.data(), result.size());
data.parse();
- state.status = statusFromBlock(data.get(tlv::Status));
+ state.m_status = statusFromBlock(data.get(tlv::Status));
if (data.find(tlv::ChallengeStatus) != data.elements_end()) {
- state.challengeStatus = readString(data.get(tlv::ChallengeStatus));
+ state.m_challengeStatus = readString(data.get(tlv::ChallengeStatus));
}
if (data.find(tlv::RemainingTries) != data.elements_end()) {
- state.remainingTries = readNonNegativeInteger(data.get(tlv::RemainingTries));
+ state.m_remainingTries = readNonNegativeInteger(data.get(tlv::RemainingTries));
}
if (data.find(tlv::RemainingTime) != data.elements_end()) {
- state.freshBefore = time::system_clock::now() +
- time::seconds(readNonNegativeInteger(data.get(tlv::RemainingTime)));
+ state.m_freshBefore = time::system_clock::now() +
+ time::seconds(readNonNegativeInteger(data.get(tlv::RemainingTime)));
}
if (data.find(tlv::IssuedCertName) != data.elements_end()) {
Block issuedCertNameBlock = data.get(tlv::IssuedCertName);
- state.issuedCertName = Name(issuedCertNameBlock.blockFromValue());
+ state.m_issuedCertName = Name(issuedCertNameBlock.blockFromValue());
}
if (data.find(tlv::ParameterKey) != data.elements_end() &&
readString(data.get(tlv::ParameterKey)) == "nonce") {
@@ -82,7 +82,7 @@
if (nonceBlock.value_size() != 16) {
NDN_THROW(std::runtime_error("Wrong nonce length"));
}
- memcpy(state.nonce.data(), nonceBlock.value(), 16);
+ memcpy(state.m_nonce.data(), nonceBlock.value(), 16);
}
}
diff --git a/src/requester-request.cpp b/src/requester-request.cpp
index 72f7162..5929794 100644
--- a/src/requester-request.cpp
+++ b/src/requester-request.cpp
@@ -121,8 +121,8 @@
}
Request::Request(security::KeyChain& keyChain, const CaProfile& profile, RequestType requestType)
- : caProfile(profile)
- , type(requestType)
+ : m_caProfile(profile)
+ , m_type(requestType)
, m_keyChain(keyChain)
{}
@@ -131,26 +131,26 @@
const time::system_clock::TimePoint& notBefore,
const time::system_clock::TimePoint& notAfter)
{
- if (!caProfile.caPrefix.isPrefixOf(newIdentityName)) {
+ if (!m_caProfile.caPrefix.isPrefixOf(newIdentityName)) {
return nullptr;
}
if (newIdentityName.empty()) {
NDN_LOG_TRACE("Randomly create a new name because newIdentityName is empty and the param is empty.");
- identityName = caProfile.caPrefix;
- identityName.append(std::to_string(random::generateSecureWord64()));
+ m_identityName = m_caProfile.caPrefix;
+ m_identityName.append(std::to_string(random::generateSecureWord64()));
}
else {
- identityName = newIdentityName;
+ m_identityName = newIdentityName;
}
// generate a newly key pair or use an existing key
const auto& pib = m_keyChain.getPib();
security::pib::Identity identity;
try {
- identity = pib.getIdentity(identityName);
+ identity = pib.getIdentity(m_identityName);
}
catch (const security::Pib::Error& e) {
- identity = m_keyChain.createIdentity(identityName);
+ identity = m_keyChain.createIdentity(m_identityName);
m_isNewlyCreatedIdentity = true;
m_isNewlyCreatedKey = true;
}
@@ -173,13 +173,13 @@
m_keyChain.sign(certRequest, signingByKey(keyName).setSignatureInfo(signatureInfo));
// generate Interest packet
- Name interestName = caProfile.caPrefix;
+ Name interestName = m_caProfile.caPrefix;
interestName.append("CA").append("NEW");
auto interest =std::make_shared<Interest>(interestName);
interest->setMustBeFresh(true);
interest->setCanBePrefix(false);
interest->setApplicationParameters(
- requesttlv::encodeApplicationParameters(RequestType::NEW, ecdh.getSelfPubKey(), certRequest));
+ requesttlv::encodeApplicationParameters(RequestType::NEW, m_ecdh.getSelfPubKey(), certRequest));
// sign the Interest packet
m_keyChain.sign(*interest, signingByKey(keyName));
@@ -189,24 +189,24 @@
shared_ptr<Interest>
Request::genRevokeInterest(const security::Certificate& certificate)
{
- if (!caProfile.caPrefix.isPrefixOf(certificate.getName())) {
+ if (!m_caProfile.caPrefix.isPrefixOf(certificate.getName())) {
return nullptr;
}
// generate Interest packet
- Name interestName = caProfile.caPrefix;
+ Name interestName = m_caProfile.caPrefix;
interestName.append("CA").append("REVOKE");
auto interest =std::make_shared<Interest>(interestName);
interest->setMustBeFresh(true);
interest->setCanBePrefix(false);
interest->setApplicationParameters(
- requesttlv::encodeApplicationParameters(RequestType::REVOKE, ecdh.getSelfPubKey(), certificate));
+ requesttlv::encodeApplicationParameters(RequestType::REVOKE, m_ecdh.getSelfPubKey(), certificate));
return interest;
}
std::list<std::string>
Request::onNewRenewRevokeResponse(const Data& reply)
{
- if (!security::verifySignature(reply, *caProfile.cert)) {
+ if (!security::verifySignature(reply, *m_caProfile.cert)) {
NDN_LOG_ERROR("Cannot verify replied Data packet signature.");
NDN_THROW(std::runtime_error("Cannot verify replied Data packet signature."));
}
@@ -215,12 +215,13 @@
const auto& contentTLV = reply.getContent();
std::vector<uint8_t> ecdhKey;
std::array<uint8_t, 32> salt;
- auto challenges = requesttlv::decodeDataContent(contentTLV, ecdhKey, salt, requestId);
+ auto challenges = requesttlv::decodeDataContent(contentTLV, ecdhKey, salt, m_requestId);
// ECDH and HKDF
- auto sharedSecret = ecdh.deriveSecret(ecdhKey);
+ auto sharedSecret = m_ecdh.deriveSecret(ecdhKey);
hkdf(sharedSecret.data(), sharedSecret.size(),
- salt.data(), salt.size(), aesKey.data(), aesKey.size());
+ salt.data(), salt.size(), m_aesKey.data(), m_aesKey.size(),
+ m_requestId.data(), m_requestId.size());
// update state
return challenges;
@@ -233,33 +234,33 @@
if (challenge == nullptr) {
NDN_THROW(std::runtime_error("The challenge selected is not supported by your current version of NDNCERT."));
}
- challengeType = challengeSelected;
- return challenge->getRequestedParameterList(status, challengeStatus);
+ m_challengeType = challengeSelected;
+ return challenge->getRequestedParameterList(m_status, m_challengeStatus);
}
shared_ptr<Interest>
Request::genChallengeInterest(std::multimap<std::string, std::string>&& parameters)
{
- if (challengeType == "") {
+ if (m_challengeType == "") {
NDN_THROW(std::runtime_error("The challenge has not been selected."));
}
- auto challenge = ChallengeModule::createChallengeModule(challengeType);
+ auto challenge = ChallengeModule::createChallengeModule(m_challengeType);
if (challenge == nullptr) {
NDN_THROW(std::runtime_error("The challenge selected is not supported by your current version of NDNCERT."));
}
- auto challengeParams = challenge->genChallengeRequestTLV(status, challengeStatus, std::move(parameters));
+ auto challengeParams = challenge->genChallengeRequestTLV(m_status, m_challengeStatus, std::move(parameters));
- Name interestName = caProfile.caPrefix;
- interestName.append("CA").append("CHALLENGE").append(requestId.data(), requestId.size());
+ Name interestName = m_caProfile.caPrefix;
+ interestName.append("CA").append("CHALLENGE").append(m_requestId.data(), m_requestId.size());
auto interest =std::make_shared<Interest>(interestName);
interest->setMustBeFresh(true);
interest->setCanBePrefix(false);
// encrypt the Interest parameters
- auto paramBlock = encodeBlockWithAesGcm128(ndn::tlv::ApplicationParameters, aesKey.data(),
+ auto paramBlock = encodeBlockWithAesGcm128(ndn::tlv::ApplicationParameters, m_aesKey.data(),
challengeParams.value(), challengeParams.value_size(),
- requestId.data(), requestId.size(),
- encryptionIv);
+ m_requestId.data(), m_requestId.size(),
+ m_encryptionIv);
interest->setApplicationParameters(paramBlock);
m_keyChain.sign(*interest, signingByKey(m_keyPair.getName()));
return interest;
@@ -268,7 +269,7 @@
void
Request::onChallengeResponse(const Data& reply)
{
- if (!security::verifySignature(reply, *caProfile.cert)) {
+ if (!security::verifySignature(reply, *m_caProfile.cert)) {
NDN_LOG_ERROR("Cannot verify replied Data packet signature.");
NDN_THROW(std::runtime_error("Cannot verify replied Data packet signature."));
}
@@ -279,7 +280,7 @@
shared_ptr<Interest>
Request::genCertFetchInterest() const
{
- Name interestName = issuedCertName;
+ Name interestName = m_issuedCertName;
auto interest =std::make_shared<Interest>(interestName);
interest->setMustBeFresh(false);
interest->setCanBePrefix(false);
@@ -302,17 +303,17 @@
void
Request::endSession()
{
- if (status == Status::SUCCESS) {
+ if (m_status == Status::SUCCESS) {
return;
}
if (m_isNewlyCreatedIdentity) {
// put the identity into the if scope is because it may cause an error
// outside since when endSession is called, identity may not have been created yet.
- auto identity = m_keyChain.getPib().getIdentity(identityName);
+ auto identity = m_keyChain.getPib().getIdentity(m_identityName);
m_keyChain.deleteIdentity(identity);
}
else if (m_isNewlyCreatedKey) {
- auto identity = m_keyChain.getPib().getIdentity(identityName);
+ auto identity = m_keyChain.getPib().getIdentity(m_identityName);
m_keyChain.deleteKey(identity, m_keyPair);
}
}
diff --git a/src/requester-request.hpp b/src/requester-request.hpp
index f27c873..a1817ea 100644
--- a/src/requester-request.hpp
+++ b/src/requester-request.hpp
@@ -211,63 +211,63 @@
/**
* @brief The CA profile for this request.
*/
- CaProfile caProfile;
+ CaProfile m_caProfile;
/**
* @brief The type of request. Either NEW, RENEW, or REVOKE.
*/
- RequestType type;
+ RequestType m_type;
/**
* @brief The identity name for the requesting certificate.
*/
- Name identityName;
+ Name m_identityName;
/**
* @brief The CA-generated request ID for the request.
*/
- RequestId requestId;
+ RequestId m_requestId;
/**
* @brief The current status of the request.
*/
- Status status = Status::BEFORE_CHALLENGE;
+ Status m_status = Status::BEFORE_CHALLENGE;
/**
* @brief The type of challenge chosen.
*/
- std::string challengeType;
+ std::string m_challengeType;
/**
* @brief The status of the current challenge.
*/
- std::string challengeStatus;
+ std::string m_challengeStatus;
/**
* @brief The remaining number of tries left for the challenge
*/
- int remainingTries = 0;
+ int m_remainingTries = 0;
/**
* @brief The time this challenge will remain fresh
*/
- time::system_clock::TimePoint freshBefore;
+ time::system_clock::TimePoint m_freshBefore;
/**
* @brief the name of the certificate being issued.
*/
- Name issuedCertName;
+ Name m_issuedCertName;
/**
* @brief ecdh state.
*/
- ECDHState ecdh;
+ ECDHState m_ecdh;
/**
* @brief AES key derived from the ecdh shared secret.
*/
- std::array<uint8_t, 16> aesKey = {};
+ std::array<uint8_t, 16> m_aesKey = {};
/**
* @brief The last Initialization Vector used by the AES encryption.
*/
- std::vector<uint8_t> encryptionIv;
+ std::vector<uint8_t> m_encryptionIv;
/**
* @brief The last Initialization Vector used by the other side's AES encryption.
*/
- std::vector<uint8_t> decryptionIv;
+ std::vector<uint8_t> m_decryptionIv;
/**
* @brief Store Nonce for signature
*/
- std::array<uint8_t, 16> nonce = {};
+ std::array<uint8_t, 16> m_nonce = {};
private:
/**