Update the NDNCERT library to version NDNCERT v2
spec:[https://github.com/named-data/ndncert/wiki/NDNCERT-Protocol-new]
Change-Id: Ia480a8e70c4b38ca170dfe2fcf50d1265ab65f46
diff --git a/src/crypto-support/crypto-helper.cpp b/src/crypto-support/crypto-helper.cpp
new file mode 100644
index 0000000..915f17c
--- /dev/null
+++ b/src/crypto-support/crypto-helper.cpp
@@ -0,0 +1,256 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2017-2019, Regents of the University of California.
+ *
+ * This file is part of ndncert, a certificate management system based on NDN.
+ *
+ * ndncert is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * ndncert is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License along with
+ * ndncert, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndncert authors and contributors.
+ */
+
+#include "crypto-helper.hpp"
+#include "../logging.hpp"
+#include <openssl/pem.h>
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#include <ndn-cxx/security/transform/block-cipher.hpp>
+#include <ndn-cxx/security/transform/base64-decode.hpp>
+#include <ndn-cxx/security/transform/base64-encode.hpp>
+#include <ndn-cxx/security/transform/buffer-source.hpp>
+#include <ndn-cxx/security/transform/step-source.hpp>
+#include <ndn-cxx/security/transform/stream-sink.hpp>
+#include <ndn-cxx/util/random.hpp>
+#include <ndn-cxx/encoding/buffer-stream.hpp>
+#include <ndn-cxx/security/transform/hmac-filter.hpp>
+
+namespace ndn {
+namespace ndncert {
+
+const size_t HASH_SIZE = 32;
+
+_LOG_INIT(crypto-support);
+
+ECDHState::ECDHState()
+{
+ OpenSSL_add_all_algorithms();
+ context = std::make_unique<ECDH_CTX>();
+ context->EC_NID = NID_X9_62_prime256v1;
+
+ // Create the context for parameter generation
+ if (nullptr == (context->ctx_params = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, nullptr))) {
+ handleErrors("Could not create context contexts.");
+ return;
+ }
+
+ // Initialise the parameter generation
+ if (EVP_PKEY_paramgen_init(context->ctx_params) != 1) {
+ handleErrors("Could not initialize parameter generation.");
+ return;
+ }
+
+ // We're going to use the ANSI X9.62 Prime 256v1 curve
+ if (1 != EVP_PKEY_CTX_set_ec_paramgen_curve_nid(context->ctx_params, context->EC_NID)) {
+ handleErrors("Likely unknown elliptical curve ID specified.");
+ return;
+ }
+
+ // Create the parameter object params
+ if (!EVP_PKEY_paramgen(context->ctx_params, &context->params)) {
+ // the generated key is written to context->params
+ handleErrors("Could not create parameter object parameters.");
+ return;
+ }
+
+ // Create the context for the key generation
+ if (nullptr == (context->ctx_keygen = EVP_PKEY_CTX_new(context->params, nullptr))) {
+ //The EVP_PKEY_CTX_new() function allocates public key algorithm context using
+ //the algorithm specified in pkey and ENGINE e (in this case nullptr).
+ handleErrors("Could not create the context for the key generation");
+ return;
+ }
+
+ // initializes a public key algorithm context
+ if (1 != EVP_PKEY_keygen_init(context->ctx_keygen)){
+ handleErrors("Could not init context for key generation.");
+ return;
+ }
+ if (1 != EVP_PKEY_keygen(context->ctx_keygen, &context->privkey)) {
+ //performs a key generation operation, the generated key is written to context->privkey.
+ handleErrors("Could not generate DHE keys in final step");
+ return;
+ }
+}
+
+ECDHState::~ECDHState()
+{
+ // Contexts
+ if(context->ctx_params != nullptr){
+ EVP_PKEY_CTX_free(context->ctx_params);
+ }
+ if(context->ctx_keygen != nullptr){
+ EVP_PKEY_CTX_free(context->ctx_keygen);
+ }
+
+ // Keys
+ if(context->privkey != nullptr){
+ EVP_PKEY_free(context->privkey);
+ }
+ if(context->peerkey != nullptr){
+ EVP_PKEY_free(context->peerkey);
+ }
+ if(context->params != nullptr){
+ EVP_PKEY_free(context->params);
+ }
+}
+
+uint8_t*
+ECDHState::getRawSelfPubKey()
+{
+ auto privECKey = EVP_PKEY_get1_EC_KEY(context->privkey);
+
+ if (privECKey == nullptr) {
+ handleErrors("Could not get referenced key when calling EVP_PKEY_get1_EC_KEY().");
+ return nullptr;
+ }
+
+ auto ecPoint = EC_KEY_get0_public_key(privECKey);
+ const EC_GROUP* group = EC_KEY_get0_group(privECKey);
+ context->publicKeyLen = EC_POINT_point2oct(group, ecPoint, POINT_CONVERSION_COMPRESSED,
+ context->publicKey, 256, nullptr);
+ EC_KEY_free(privECKey);
+ if (context->publicKeyLen == 0) {
+ handleErrors("Could not convert EC_POINTS to octet string when calling EC_POINT_point2oct.");
+ return nullptr;
+ }
+
+ return context->publicKey;
+}
+
+std::string
+ECDHState::getBase64PubKey()
+{
+ if (context->publicKeyLen == 0) {
+ this->getRawSelfPubKey();
+ }
+ std::stringstream os;
+ security::transform::bufferSource(context->publicKey, context->publicKeyLen)
+ >> security::transform::base64Encode() >> security::transform::streamSink(os);
+ return os.str();
+}
+
+uint8_t*
+ECDHState::deriveSecret(const uint8_t* peerkey, int peerKeySize)
+{
+ auto privECKey = EVP_PKEY_get1_EC_KEY(context->privkey);
+
+ if (privECKey == nullptr) {
+ handleErrors("Could not get referenced key when calling EVP_PKEY_get1_EC_KEY().");
+ return nullptr;
+ }
+
+ auto group = EC_KEY_get0_group(privECKey);
+ auto peerPoint = EC_POINT_new(group);
+ EC_POINT_oct2point(group, peerPoint, peerkey, peerKeySize, nullptr);
+
+ if (0 == (context->sharedSecretLen = ECDH_compute_key(context->sharedSecret, 256,
+ peerPoint, privECKey, nullptr))) {
+ EC_POINT_free(peerPoint);
+ EC_KEY_free(privECKey);
+ handleErrors("Cannot generate ECDH secret with ECDH_compute_key");
+ }
+ EC_POINT_free(peerPoint);
+ EC_KEY_free(privECKey);
+ return context->sharedSecret;
+}
+
+uint8_t*
+ECDHState::deriveSecret(const std::string& peerKeyStr)
+{
+ namespace t = ndn::security::transform;
+ OBufferStream os;
+ security::transform::bufferSource(peerKeyStr)
+ >> security::transform::base64Decode()
+ >> security::transform::streamSink(os);
+ ConstBufferPtr result = os.buf();
+ return this->deriveSecret(result->data(), result->size());
+}
+
+int ndn_compute_hmac_sha256 (const uint8_t *data, const unsigned data_length,
+ const uint8_t *key, const unsigned key_length,
+ uint8_t *prk) {
+ OBufferStream os;
+
+ security::transform::bufferSource(data, data_length) >>
+ security::transform::hmacFilter(
+ DigestAlgorithm::SHA256, key, key_length) >>
+ security::transform::streamSink(os);
+
+ auto result = os.buf();
+ memcpy(prk, result->data(), HASH_SIZE);
+ return 0;
+}
+
+//removed dependency of OpenSSL@1.1
+int
+hkdf(const uint8_t* secret, int secretLen, const uint8_t* salt,
+ int saltLen, uint8_t* okm, int okm_len,
+ const uint8_t* info, int info_len)
+{
+ // hkdf generate prk
+ uint8_t prk[HASH_SIZE];
+ ndn_compute_hmac_sha256(salt, saltLen, secret, secretLen, prk);
+
+ // hkdf expand
+ uint8_t prev[HASH_SIZE] = {0};
+ int done_len = 0, dig_len = HASH_SIZE, n = okm_len / dig_len;
+ if (okm_len % dig_len) n++;
+ if (n > 255 || okm == nullptr) return 0;
+ for (int i = 1; i <= n; i++) {
+ size_t copy_len;
+ const uint8_t ctr = i;
+ OBufferStream os;
+ security::transform::StepSource source;
+
+ source >> security::transform::hmacFilter(DigestAlgorithm::SHA256, prk, dig_len)
+ >> security::transform::streamSink(os);
+
+ if (i > 1) {
+ source.write(prev, dig_len);
+ }
+
+ source.write(info, info_len);
+ source.write(&ctr, 1);
+ source.end();
+
+ auto result = os.buf();
+ memcpy(prev, result->data(), dig_len);
+
+ copy_len = (done_len + dig_len > okm_len) ?
+ okm_len - done_len :
+ dig_len;
+
+ memcpy(okm + done_len, prev, copy_len);
+ done_len += copy_len;
+ }
+ return done_len;
+}
+
+void
+handleErrors(const std::string& errorInfo)
+{
+ _LOG_DEBUG("Error in CRYPTO SUPPORT " << errorInfo);
+ BOOST_THROW_EXCEPTION(CryptoError("Error in CRYPTO SUPPORT: " + errorInfo));
+}
+
+} // namespace ndncert
+} // namespace ndn