format update
Change-Id: I8e15451d7229cad5fb4c6d5cf7464fcde9d6c56c
diff --git a/src/ca-module.cpp b/src/ca-module.cpp
index 7fdfb07..dda6dc7 100644
--- a/src/ca-module.cpp
+++ b/src/ca-module.cpp
@@ -293,7 +293,7 @@
// create new request instance
uint8_t requestIdData[32];
Block certNameTlv = clientCert->getName().wireEncode();
- ndn_compute_hmac_sha256(certNameTlv.wire(), certNameTlv.size(), m_requestIdGenKey, 32, requestIdData);
+ hmac_sha256(certNameTlv.wire(), certNameTlv.size(), m_requestIdGenKey, 32, requestIdData);
CaState requestState(m_config.m_caItem.m_caPrefix, toHex(requestIdData, 32),
requestType, Status::BEFORE_CHALLENGE, *clientCert,
makeBinaryBlock(tlv::ContentType_Key, aesKey, sizeof(aesKey)));
diff --git a/src/ca-state.hpp b/src/ca-state.hpp
index baf791c..7fc7de6 100644
--- a/src/ca-state.hpp
+++ b/src/ca-state.hpp
@@ -26,6 +26,9 @@
namespace ndn {
namespace ndncert {
+/**
+ * @brief The state maintained by the Challenge modules
+ */
struct ChallengeState {
ChallengeState(const std::string& challengeStatus, const system_clock::TimePoint& challengeTp,
size_t remainingTries, time::seconds remainingTime,
@@ -38,11 +41,9 @@
};
/**
- * @brief Represents a certificate request instance.
+ * @brief Represents a certificate request instance kept by the CA.
*
- * ChallengeModule should take use of m_challengeStatus, m_challengeInstruction and
- * m_challengeDefinedField to finish verification.
- *
+ * ChallengeModule should take use of ChallengeState to keep state.
*/
class CaState {
diff --git a/src/crypto-support/crypto-helper.cpp b/src/crypto-support/crypto-helper.cpp
index 76ae679..6cff255 100644
--- a/src/crypto-support/crypto-helper.cpp
+++ b/src/crypto-support/crypto-helper.cpp
@@ -191,7 +191,7 @@
}
int
-ndn_compute_hmac_sha256(const uint8_t* data, const unsigned data_length,
+hmac_sha256(const uint8_t* data, const unsigned data_length,
const uint8_t* key, const unsigned key_length,
uint8_t* result)
{
@@ -203,28 +203,28 @@
// avoid dependency on OpenSSL >= 1.1
int
-hkdf(const uint8_t* secret, int secretLen, const uint8_t* salt,
- int saltLen, uint8_t* okm, int okm_len,
+hkdf(const uint8_t* secret, int secret_len, const uint8_t* salt,
+ int salt_len, uint8_t* output, int output_len,
const uint8_t* info, int info_len)
{
namespace t = ndn::security::transform;
// hkdf generate prk
uint8_t prk[HASH_SIZE];
- if (saltLen == 0) {
+ if (salt_len == 0) {
uint8_t realSalt[HASH_SIZE] = {0};
- ndn_compute_hmac_sha256(secret, secretLen, realSalt, HASH_SIZE, prk);
+ hmac_sha256(secret, secret_len, realSalt, HASH_SIZE, prk);
}
else {
- ndn_compute_hmac_sha256(secret, secretLen, salt, saltLen, prk);
+ hmac_sha256(secret, secret_len, salt, salt_len, prk);
}
// hkdf expand
uint8_t prev[HASH_SIZE] = {0};
- int done_len = 0, dig_len = HASH_SIZE, n = okm_len / dig_len;
- if (okm_len % dig_len)
+ int done_len = 0, dig_len = HASH_SIZE, n = output_len / dig_len;
+ if (output_len % dig_len)
n++;
- if (n > 255 || okm == nullptr)
+ if (n > 255 || output == nullptr)
return 0;
for (int i = 1; i <= n; i++) {
@@ -246,8 +246,8 @@
auto result = os.buf();
memcpy(prev, result->data(), dig_len);
- copy_len = (done_len + dig_len > okm_len) ? okm_len - done_len : dig_len;
- memcpy(okm + done_len, prev, copy_len);
+ copy_len = (done_len + dig_len > output_len) ? output_len - done_len : dig_len;
+ memcpy(output + done_len, prev, copy_len);
done_len += copy_len;
}
return done_len;
diff --git a/src/crypto-support/crypto-helper.hpp b/src/crypto-support/crypto-helper.hpp
index 6b5f277..9ce7ce7 100644
--- a/src/crypto-support/crypto-helper.hpp
+++ b/src/crypto-support/crypto-helper.hpp
@@ -32,6 +32,11 @@
static const uint8_t INFO[] = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9};
static const int AES_128_KEY_LEN = 16;
+class CryptoError : public std::runtime_error {
+public:
+ using std::runtime_error::runtime_error;
+};
+
struct ECDH_CTX {
int EC_NID;
EVP_PKEY_CTX* ctx_params;
@@ -57,42 +62,54 @@
deriveSecret(const std::string& peerKeyStr);
unique_ptr<ECDH_CTX> context;
- PUBLIC_WITH_TESTS_ELSE_PRIVATE :
- uint8_t*
- deriveSecret(const uint8_t* peerkey, int peerKeySize);
+ PUBLIC_WITH_TESTS_ELSE_PRIVATE : uint8_t*
+ deriveSecret(const uint8_t* peerkey, int peerKeySize);
uint8_t*
getRawSelfPubKey();
};
+/**
+ * HMAC based key derivation function (HKDF)
+ * @p secret, intput, the input to the HKDF
+ * @p secretLen, intput, the length of the secret
+ * @p salt, intput, the salt used in HKDF
+ * @p saltLen, intput, the length of the salt
+ * @p output, output, the output of the HKDF
+ * @p output_len, intput, the length of expected output
+ * @p info, intput, the additional information used in HKDF
+ * @p info_len, intput, the additional information used in HKDF
+ * @return the length of the derived key if successful, -1 if failed
+ */
int
-hkdf(const uint8_t* secret, int secretLen, const uint8_t* salt,
- int saltLen, uint8_t* okm, int okm_len,
+hkdf(const uint8_t* secret, int secret_len,
+ const uint8_t* salt, int salt_len,
+ uint8_t* output, int output_len,
const uint8_t* info = INFO, int info_len = INFO_LEN);
/**
- * HMAC SHA 256 keyed hash function
- * @param key the key for the function
- * @param key_len the length of the key
- * @param data the array to hmac
- * @param data_length the length of the array
- * @param result result. Enough memory (32 Bytes) must be allocated beforehand
+ * HMAC based on SHA-256
+ * @p data, intput, the array to hmac
+ * @p data_length, intput, the length of the array
+ * @p key, intput, the key for the function
+ * @p key_len, intput, the length of the key
+ * @p result, output, result of the HMAC. Enough memory (32 Bytes) must be allocated beforehands
* @return 0 if successful, -1 if failed
*/
int
-ndn_compute_hmac_sha256(const uint8_t* data, const unsigned data_length,
- const uint8_t* key, const unsigned key_length,
- uint8_t* result);
+hmac_sha256(const uint8_t* data, const unsigned data_length,
+ const uint8_t* key, const unsigned key_length,
+ uint8_t* result);
/**
- * Authentication GCM 128 Encryption
+ * Authenticated GCM 128 Encryption with associated data
* @p plaintext, input, plaintext
* @p plaintext_len, input, size of plaintext
* @p associated, input, associated authentication data
* @p associated_len, input, size of associated authentication data
* @p key, input, 16 bytes AES key
* @p iv, input, 12 bytes IV
- * @p ciphertext, output
+ * @p ciphertext, output, enough memory must be allocated beforehands
* @p tag, output, 16 bytes tag
* @return the size of ciphertext
* @throw CryptoError when there is an error in the process of encryption
@@ -102,7 +119,7 @@
const uint8_t* key, const uint8_t* iv, uint8_t* ciphertext, uint8_t* tag);
/**
- * Authentication GCM 128 Decryption
+ * Authenticated GCM 128 Decryption with associated data
* @p ciphertext, input, ciphertext
* @p ciphertext_len, input, size of ciphertext
* @p associated, input, associated authentication data
@@ -110,7 +127,7 @@
* @p tag, input, 16 bytes tag
* @p key, input, 16 bytes AES key
* @p iv, input, 12 bytes IV
- * @p plaintext, output
+ * @p plaintext, output, enough memory must be allocated beforehands
* @return the size of plaintext or -1 if the verification fails
* @throw CryptoError when there is an error in the process of encryption
*/
@@ -118,29 +135,9 @@
aes_gcm_128_decrypt(const uint8_t* ciphertext, size_t ciphertext_len, const uint8_t* associated, size_t associated_len,
const uint8_t* tag, const uint8_t* key, const uint8_t* iv, uint8_t* plaintext);
-/**
- * HMAC SHA 256 keyed hash function
- * @param key the key for the function
- * @param key_len the length of the key
- * @param cleartext the cleartext array to be hashed
- * @param cleartext_len the length of the array
- * @param output the output array
- * @param output_len the longest output len possible (changed to actual on return).
- * @return 0 if successful, -1 if failed
- */
-int
-hmac_sha_256(const uint8_t* key, size_t key_len,
- const uint8_t* cleartext, size_t cleartext_len,
- uint8_t* output, size_t* output_len);
-
void
handleErrors(const std::string& errorInfo);
-class CryptoError : public std::runtime_error {
-public:
- using std::runtime_error::runtime_error;
-};
-
} // namespace ndncert
} // namespace ndn
diff --git a/src/crypto-support/enc-tlv.cpp b/src/crypto-support/enc-tlv.cpp
index 4213129..aead782 100644
--- a/src/crypto-support/enc-tlv.cpp
+++ b/src/crypto-support/enc-tlv.cpp
@@ -20,7 +20,6 @@
#include "enc-tlv.hpp"
#include "crypto-helper.hpp"
-#include <ndn-cxx/encoding/block-helpers.hpp>
#include <ndn-cxx/encoding/buffer-stream.hpp>
#include <ndn-cxx/security/transform/block-cipher.hpp>
#include <ndn-cxx/security/transform/buffer-source.hpp>
diff --git a/src/crypto-support/enc-tlv.hpp b/src/crypto-support/enc-tlv.hpp
index 030be07..9e207c0 100644
--- a/src/crypto-support/enc-tlv.hpp
+++ b/src/crypto-support/enc-tlv.hpp
@@ -26,12 +26,31 @@
namespace ndn {
namespace ndncert {
+/**
+ * Encode the payload into TLV block with Authenticated GCM 128 Encryption
+ * @p tlv_type, intput, the TLV TYPE of the encoded block, either ApplicationParameters or Content
+ * @p key, intput, 16 Bytes, the AES key used for encryption
+ * @p payload, input, the plaintext payload
+ * @p payloadSize, input, the size of the plaintext payload
+ * @p associatedData, input, associated data used for authentication
+ * @p associatedDataSize, input, the size of associated data
+ * @return the TLV block with @p tlv_type TLV TYPE
+ */
Block
encodeBlockWithAesGcm128(uint32_t tlv_type, const uint8_t* key, const uint8_t* payload, size_t payloadSize,
const uint8_t* associatedData, size_t associatedDataSize);
+/**
+ * Decode the payload from TLV block with Authenticated GCM 128 Encryption
+ * @p block, intput, the TLV block in the format of NDNCERT protocol
+ * @p key, intput, 16 Bytes, the AES key used for encryption
+ * @p associatedData, input, associated data used for authentication
+ * @p associatedDataSize, input, the size of associated data
+ * @return the plaintext buffer
+ */
Buffer
-decodeBlockWithAesGcm128(const Block& block, const uint8_t* key, const uint8_t* associatedData, size_t associatedDataSize);
+decodeBlockWithAesGcm128(const Block& block, const uint8_t* key,
+ const uint8_t* associatedData, size_t associatedDataSize);
} // namespace ndncert
} // namespace ndn
diff --git a/src/ndncert-common.hpp b/src/ndncert-common.hpp
index 9bee44a..cf2643f 100644
--- a/src/ndncert-common.hpp
+++ b/src/ndncert-common.hpp
@@ -41,6 +41,7 @@
#include <ndn-cxx/encoding/tlv.hpp>
#include <ndn-cxx/data.hpp>
#include <ndn-cxx/encoding/block.hpp>
+#include <ndn-cxx/encoding/block-helpers.hpp>
#include <ndn-cxx/face.hpp>
#include <ndn-cxx/interest.hpp>
#include <ndn-cxx/link.hpp>
diff --git a/src/requester.hpp b/src/requester.hpp
index 2b6c3c3..4f1bb80 100644
--- a/src/requester.hpp
+++ b/src/requester.hpp
@@ -35,7 +35,7 @@
public:
/**
* Generates a CA profile discovery Interest following RDR protocol.
- * @param caName, the name prefix of the CA.
+ * @p caName, the name prefix of the CA.
* @return A shared pointer to an Interest ready to be sent.
*/
static shared_ptr<Interest>
@@ -43,7 +43,7 @@
/**
* Generates a CA profile fetching Interest following RDR protocol.
- * @param reply, the Data packet replied from discovery Interest.
+ * @p reply, the Data packet replied from discovery Interest.
* @return A shared pointer to an Interest ready to be sent.
*/
static shared_ptr<Interest>
@@ -53,7 +53,7 @@
* Decodes the CA profile from the replied CA profile Data packet.
* Will first verify the signature of the packet using the key provided inside the profile.
* The application should be cautious whether to add CaProfile into the RequesterCaCache.
- * @param reply, the Data packet replied from CA profile fetching Interest.
+ * @p reply, the Data packet replied from CA profile fetching Interest.
* @return the CaProfile if decoding is successful
* @throw std::runtime_error if the decoding fails or receiving an error packet.
*/
@@ -65,8 +65,8 @@
* Will first verify the signature of the packet using the key provided inside the profile and
* verify the certificate's digest matches the one obtained from the original CA.
* The application should be cautious whether to add CaProfile into the RequesterCaCache.
- * @param reply, the Data packet replied from CA profile fetching Interest.
- * @param caCertFullName, the full name obtained from original CA's probe response.
+ * @p reply, the Data packet replied from CA profile fetching Interest.
+ * @p caCertFullName, the full name obtained from original CA's probe response.
* @return the CaProfile if decoding is successful
* @throw std::runtime_error if the decoding fails or receiving an error packet.
*/
@@ -75,8 +75,8 @@
/**
* Generates a PROBE interest to the CA (for suggested name assignments).
- * @param ca, the CA that interest is send to
- * @param probeInfo, the requester information to carry to the CA
+ * @p ca, the CA that interest is send to
+ * @p probeInfo, the requester information to carry to the CA
* @return A shared pointer of to the encoded interest, ready to be sent.
*/
static shared_ptr<Interest>
@@ -85,10 +85,10 @@
/**
* Decodes the replied data for PROBE process from the CA.
* Will first verify the signature of the packet using the key provided inside the profile.
- * @param reply, The replied data packet
- * @param ca, the profile of the CA that replies the packet
- * @param identityNames, The vector to load the decoded identity names from the data.
- * @param otherCas, The vector to load the decoded redirection CA prefixes from the data.
+ * @p reply, The replied data packet
+ * @p ca, the profile of the CA that replies the packet
+ * @p identityNames, The vector to load the decoded identity names from the data.
+ * @p otherCas, The vector to load the decoded redirection CA prefixes from the data.
* @throw std::runtime_error if the decoding fails or receiving an error packet.
*/
static void
@@ -98,10 +98,10 @@
// NEW/REVOKE/RENEW related helpers
/**
* Generates a NEW interest to the CA.
- * @param state, The current requester state for this request. Will be modified in the function.
- * @param identityName, The identity name to be requested.
- * @param notBefore, The expected notBefore field for the certificate (starting time)
- * @param notAfter, The expected notAfter field for the certificate (expiration time)
+ * @p state, The current requester state for this request. Will be modified in the function.
+ * @p identityName, The identity name to be requested.
+ * @p notBefore, The expected notBefore field for the certificate (starting time)
+ * @p notAfter, The expected notAfter field for the certificate (expiration time)
* @return The shared pointer to the encoded interest.
*/
static shared_ptr<Interest>
@@ -111,8 +111,8 @@
/**
* Generates a REVOKE interest to the CA.
- * @param state, The current requester state for this request. Will be modified in the function.
- * @param certificate, the certificate to the revoked.
+ * @p state, The current requester state for this request. Will be modified in the function.
+ * @p certificate, the certificate to the revoked.
* @return The shared pointer to the encoded interest.
*/
static shared_ptr<Interest>
@@ -120,8 +120,8 @@
/**
* Decodes the replied data of NEW, RENEW, or REVOKE interest from the CA.
- * @param state, the current requester state for the request. Will be updated in the function.
- * @param reply, the replied data from the network
+ * @p state, the current requester state for the request. Will be updated in the function.
+ * @p reply, the replied data from the network
* @return the list of challenge accepted by the CA, for CHALLENGE step.
* @throw std::runtime_error if the decoding fails or receiving an error packet.
*/
@@ -131,8 +131,8 @@
// CHALLENGE helpers
/**
* Generates the required parameter for the selected challenge for the request
- * @param state, The requester state of the request.Will be updated in the function.
- * @param challengeSelected, The selected challenge for the request.
+ * @p state, The requester state of the request.Will be updated in the function.
+ * @p challengeSelected, The selected challenge for the request.
* Can use state.m_challengeType to continue.
* @return The requirement list for the current stage of the challenge, in name, prompt mapping.
*/
@@ -141,8 +141,8 @@
/**
* Generates the CHALLENGE interest for the request.
- * @param state, The requester state of the request.
- * @param parameters, The requirement list, in name, value mapping.
+ * @p state, The requester state of the request.
+ * @p parameters, The requirement list, in name, value mapping.
* @return The shared pointer to the encoded interest
*/
static shared_ptr<Interest>
@@ -151,8 +151,8 @@
/**
* Decodes the responded data from the CHALLENGE interest.
- * @param state, the corresponding requester state of the request. Will be modified.
- * @param reply, the response data.
+ * @p state, the corresponding requester state of the request. Will be modified.
+ * @p reply, the response data.
* @throw std::runtime_error if the decoding fails or receiving an error packet.
*/
static void
@@ -160,7 +160,7 @@
/**
* Generate the interest to fetch the issued certificate
- * @param state, the state of the request.
+ * @p state, the state of the request.
* @return The shared pointer to the encoded interest
*/
static shared_ptr<Interest>
@@ -168,7 +168,7 @@
/**
* Decoded and installs the response certificate from the certificate fetch.
- * @param reply, the data replied from the certificate fetch interest.
+ * @p reply, the data replied from the certificate fetch interest.
* @return The shared pointer to the certificate being fetched.
*/
static shared_ptr<security::Certificate>
@@ -176,7 +176,7 @@
/**
* End the current request session and performs cleanup if necessary.
- * @param state, the requester state for the request.
+ * @p state, the requester state for the request.
*/
static void
endSession(RequesterState& state);
diff --git a/tests/identity-management-fixture.hpp b/tests/identity-management-fixture.hpp
index 063c7ae..f0125a5 100644
--- a/tests/identity-management-fixture.hpp
+++ b/tests/identity-management-fixture.hpp
@@ -64,8 +64,8 @@
/**
* @brief Save identity certificate to a file
- * @param identity identity
- * @param filename file name, should be writable
+ * @p identity identity
+ * @p filename file name, should be writable
* @return whether successful
*/
bool
diff --git a/tests/unit-tests/crypto-helper.t.cpp b/tests/unit-tests/crypto-helper.t.cpp
index 28fbe63..9138701 100644
--- a/tests/unit-tests/crypto-helper.t.cpp
+++ b/tests/unit-tests/crypto-helper.t.cpp
@@ -92,7 +92,7 @@
0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5};
uint8_t result[32];
- ndn_compute_hmac_sha256(ikm, sizeof(ikm), salt, sizeof(salt), result);
+ hmac_sha256(ikm, sizeof(ikm), salt, sizeof(salt), result);
BOOST_CHECK_EQUAL_COLLECTIONS(result, result + sizeof(result), expected,
expected + sizeof(expected));
}