24 #ifndef NDN_SECURITY_KEY_CHAIN_HPP 25 #define NDN_SECURITY_KEY_CHAIN_HPP 36 #include "../interest.hpp" 37 #include "../util/crypto.hpp" 38 #include "../util/random.hpp" 39 #include <initializer_list> 51 class Error :
public std::runtime_error
56 :
std::runtime_error(what)
75 typedef function<unique_ptr<SecPublicInfo> (
const std::string&)>
PibCreateFunc;
83 template<
class PibType>
85 registerPib(std::initializer_list<std::string> aliases);
92 template<
class TpmType>
94 registerTpm(std::initializer_list<std::string> aliases);
105 static unique_ptr<SecPublicInfo>
106 createPib(
const std::string& pibLocator);
117 static unique_ptr<SecTpm>
118 createTpm(
const std::string& tpmLocator);
140 KeyChain(
const std::string& pibLocator,
141 const std::string& tpmLocator,
142 bool allowReset =
false);
194 uint32_t keySize = 2048);
224 shared_ptr<IdentityCertificate>
226 const Name& signingIdentity,
229 const std::vector<CertificateSubjectDescription>& subjectDescription,
248 shared_ptr<IdentityCertificate>
251 const Name& signingIdentity,
254 const std::vector<CertificateSubjectDescription>& subjectDescription,
306 sign(
const uint8_t* buffer,
size_t bufferLength,
const SigningInfo& params);
318 sign(T& packet,
const Name& certificateName);
331 sign(
const uint8_t* buffer,
size_t bufferLength,
const Name& certificateName);
379 shared_ptr<IdentityCertificate>
426 shared_ptr<SecuredBag>
468 return m_pib->doesIdentityExist(identityName);
474 return m_pib->addIdentity(identityName);
480 return m_pib->doesPublicKeyExist(keyName);
486 return m_pib->addKey(keyName, publicKeyDer);
492 return m_pib->addKey(keyName, publicKeyDer);
495 shared_ptr<PublicKey>
498 return m_pib->getPublicKey(keyName);
504 return m_pib->doesCertificateExist(certificateName);
510 return m_pib->addCertificate(certificate);
513 shared_ptr<IdentityCertificate>
516 return m_pib->getCertificate(certificateName);
522 return m_pib->getDefaultIdentity();
528 return m_pib->getDefaultKeyNameForIdentity(identityName);
534 return m_pib->getDefaultCertificateNameForKey(keyName);
540 return m_pib->getAllIdentities(nameList, isDefault);
546 return m_pib->getAllKeyNames(nameList, isDefault);
552 return m_pib->getAllKeyNamesOfIdentity(identity, nameList, isDefault);
558 return m_pib->getAllCertificateNames(nameList, isDefault);
563 std::vector<Name>& nameList,
564 bool isDefault)
const 566 return m_pib->getAllCertificateNamesOfKey(keyName, nameList, isDefault);
572 return m_pib->deleteCertificateInfo(certificateName);
578 return m_pib->deletePublicKeyInfo(keyName);
584 return m_pib->deleteIdentityInfo(identity);
590 return m_pib->setDefaultIdentity(identityName);
596 return m_pib->setDefaultKeyNameForIdentity(keyName);
602 return m_pib->setDefaultCertificateNameForKey(certificateName);
608 return m_pib->getNewKeyName(identityName, useKsk);
614 return m_pib->getDefaultCertificateNameForIdentity(identityName);
620 return m_pib->getDefaultCertificateName();
626 return m_pib->addCertificateAsKeyDefault(certificate);
632 return m_pib->addCertificateAsIdentityDefault(certificate);
638 return m_pib->addCertificateAsSystemDefault(certificate);
641 shared_ptr<IdentityCertificate>
644 if (!static_cast<bool>(m_pib->getDefaultCertificate()))
645 const_cast<KeyChain*
>(
this)->setDefaultCertificateInternal();
653 return m_pib->refreshDefaultCertificate();
663 return m_tpm->setTpmPassword(password, passwordLength);
669 return m_tpm->resetTpmPassword();
675 return m_tpm->setInTerminal(inTerminal);
681 return m_tpm->getInTerminal();
687 return m_tpm->isLocked();
691 unlockTpm(
const char* password,
size_t passwordLength,
bool usePassword)
693 return m_tpm->unlockTpm(password, passwordLength, usePassword);
699 return m_tpm->generateKeyPairInTpm(keyName, params);
705 return m_tpm->deleteKeyPairInTpm(keyName);
708 shared_ptr<PublicKey>
711 return m_tpm->getPublicKeyFromTpm(keyName);
719 return m_tpm->signInTpm(data, dataLength, keyName, digestAlgorithm);
723 decryptInTpm(
const uint8_t* data,
size_t dataLength,
const Name& keyName,
bool isSymmetric)
725 return m_tpm->decryptInTpm(data, dataLength, keyName, isSymmetric);
729 encryptInTpm(
const uint8_t* data,
size_t dataLength,
const Name& keyName,
bool isSymmetric)
731 return m_tpm->encryptInTpm(data, dataLength, keyName, isSymmetric);
737 return m_tpm->generateSymmetricKeyInTpm(keyName, params);
743 return m_tpm->doesKeyExistInTpm(keyName, keyClass);
749 return m_tpm->generateRandomBlock(res, size);
755 return m_tpm->addAppToAcl(keyName, keyClass, appPath, acl);
761 return m_tpm->exportPrivateKeyPkcs5FromTpm(keyName, password);
766 const uint8_t* buf,
size_t size,
767 const std::string& password)
769 return m_tpm->importPrivateKeyPkcs5IntoTpm(keyName, buf, size, password);
774 initialize(
const std::string& pibLocatorUri,
775 const std::string& tpmLocatorUri,
786 std::tuple<Name, SignatureInfo>
804 setDefaultCertificateInternal();
815 generateKeyPair(
const Name& identityName,
bool isKsk =
false,
849 pureSign(
const uint8_t* buf,
size_t size,
const Name& keyName,
DigestAlgorithm digestAlgorithm)
const;
852 registerPibImpl(
const std::string& canonicalName,
853 std::initializer_list<std::string> aliases,
PibCreateFunc createFunc);
856 registerTpmImpl(
const std::string& canonicalName,
857 std::initializer_list<std::string> aliases,
TpmCreateFunc createFunc);
879 std::unique_ptr<SecPublicInfo> m_pib;
880 std::unique_ptr<SecTpm> m_tpm;
881 time::milliseconds m_lastTimestamp;
886 KeyChain::signImpl(T& packet,
const SigningInfo& params)
890 std::tie(keyName, sigInfo) = prepareSignatureInfo(params);
892 signPacketWrapper(packet,
Signature(sigInfo),
910 template<
class PibType>
914 registerPibImpl(*aliases.begin(), aliases, [] (
const std::string& locator) {
915 return unique_ptr<SecPublicInfo>(
new PibType(locator));
919 template<
class TpmType>
923 registerTpmImpl(*aliases.begin(), aliases, [] (
const std::string& locator) {
924 return unique_ptr<SecTpm>(
new TpmType(locator));
934 #define NDN_CXX_KEYCHAIN_REGISTER_PIB(PibType, ...) \ 935 static class NdnCxxAuto ## PibType ## PibRegistrationClass \ 938 NdnCxxAuto ## PibType ## PibRegistrationClass() \ 940 ::ndn::KeyChain::registerPib<PibType>({__VA_ARGS__}); \ 942 } ndnCxxAuto ## PibType ## PibRegistrationVariable 950 #define NDN_CXX_KEYCHAIN_REGISTER_TPM(TpmType, ...) \ 951 static class NdnCxxAuto ## TpmType ## TpmRegistrationClass \ 954 NdnCxxAuto ## TpmType ## TpmRegistrationClass() \ 956 ::ndn::KeyChain::registerTpm<TpmType>({__VA_ARGS__}); \ 958 } ndnCxxAuto ## TpmType ## TpmRegistrationVariable 962 using security::KeyChain;
966 #endif // NDN_SECURITY_KEY_CHAIN_HPP static const RsaKeyParams DEFAULT_KEY_PARAMS
Name getNewKeyName(const Name &identityName, bool useKsk)
bool unlockTpm(const char *password, size_t passwordLength, bool usePassword)
Name getDefaultCertificateNameForIdentity(const Name &identityName) const
shared_ptr< IdentityCertificate > prepareUnsignedIdentityCertificate(const Name &keyName, const Name &signingIdentity, const time::system_clock::TimePoint ¬Before, const time::system_clock::TimePoint ¬After, const std::vector< CertificateSubjectDescription > &subjectDescription, const Name &certPrefix=DEFAULT_PREFIX)
prepare an unsigned identity certificate
MismatchError(const std::string &what)
Copyright (c) 2011-2015 Regents of the University of California.
function< unique_ptr< SecPublicInfo >const std::string &)> PibCreateFunc
void addIdentity(const Name &identityName)
bool generateRandomBlock(uint8_t *res, size_t size) const
shared_ptr< PublicKey > getPublicKey(const Name &keyName) const
shared_ptr< PublicKey > getPublicKeyFromTpm(const Name &keyName) const
void importIdentity(const SecuredBag &securedBag, const std::string &passwordStr)
import an identity.
void setDefaultIdentity(const Name &identityName)
static unique_ptr< SecPublicInfo > createPib(const std::string &pibLocator)
Create a PIB according to pibLocator.
void getAllKeyNamesOfIdentity(const Name &identity, std::vector< Name > &nameList, bool isDefault) const
void addCertificateAsKeyDefault(const IdentityCertificate &certificate)
The packet signing interface.
void signByIdentity(T &packet, const Name &identityName)
Sign packet using the default certificate of a particular identity.
void generateSymmetricKeyInTpm(const Name &keyName, const KeyParams ¶ms)
shared_ptr< IdentityCertificate > getDefaultCertificate() const
ConstBufferPtr encryptInTpm(const uint8_t *data, size_t dataLength, const Name &keyName, bool isSymmetric)
Error thrown when the supplied TPM locator to KeyChain constructor does not match the locator stored ...
Class representing a wire element of NDN-TLV packet format.
represents an Interest packet
Name getDefaultCertificateName() const
void deleteKeyPairInTpm(const Name &keyName)
void sign(Data &data, const SigningInfo ¶ms=DEFAULT_SIGNING_INFO)
Sign data according to the supplied signing information.
void getAllCertificateNames(std::vector< Name > &nameList, bool isDefault) const
const SecTpm & getTpm() const
void setTpmPassword(const uint8_t *password, size_t passwordLength)
const SecPublicInfo & getPib() const
Signing parameters passed to KeyChain.
shared_ptr< SecuredBag > exportIdentity(const Name &identity, const std::string &passwordStr)
export an identity.
void addCertificateAsSystemDefault(const IdentityCertificate &certificate)
bool doesCertificateExist(const Name &certificateName) const
shared_ptr< IdentityCertificate > getCertificate(const Name &certificateName) const
void getAllIdentities(std::vector< Name > &nameList, bool isDefault) const
static void registerPib(std::initializer_list< std::string > aliases)
Register a new PIB.
static const SigningInfo DEFAULT_SIGNING_INFO
void generateKeyPairInTpm(const Name &keyName, const KeyParams ¶ms)
Name createIdentity(const Name &identityName, const KeyParams ¶ms=DEFAULT_KEY_PARAMS)
Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed ce...
SecTpm is the base class of the TPM classes.
Name getDefaultCertificateNameForKey(const Name &keyName) const
function< unique_ptr< SecTpm >const std::string &)> TpmCreateFunc
static std::string getDefaultTpmLocator()
Get default TPM locator.
void addAppToAcl(const Name &keyName, KeyClass keyClass, const std::string &appPath, AclType acl)
void setInTerminal(bool inTerminal)
std::map< std::string, Block > SignParams
void deletePublicKeyInfo(const Name &keyName)
Block signInTpm(const uint8_t *data, size_t dataLength, const Name &keyName, DigestAlgorithm digestAlgorithm)
Name abstraction to represent an absolute name.
signer is a certificate, use it directly
void getAllCertificateNamesOfKey(const Name &keyName, std::vector< Name > &nameList, bool isDefault) const
void deleteIdentity(const Name &identity)
delete an identity.
void deleteIdentityInfo(const Name &identity)
Name generateRsaKeyPair(const Name &identityName, bool isKsk=false, uint32_t keySize=2048)
Generate a pair of RSA keys for the specified identity.
static tlv::SignatureTypeValue getSignatureType(KeyType keyType, DigestAlgorithm digestAlgorithm)
KeyChain()
Constructor to create KeyChain with default PIB and TPM.
static unique_ptr< SecTpm > createTpm(const std::string &tpmLocator)
Create a TPM according to tpmLocator.
bool doesIdentityExist(const Name &identityName) const
static std::string getDefaultPibLocator()
Get default PIB locator.
bool doesKeyExistInTpm(const Name &keyName, KeyClass keyClass) const
bool doesPublicKeyExist(const Name &keyName) const
shared_ptr< IdentityCertificate > selfSign(const Name &keyName)
Generate a self-signed certificate for a public key.
Name getDefaultIdentity() const
void addCertificate(const IdentityCertificate &certificate)
Base class of key parameters.
signer is an identity, use its default key and default certificate
bool getInTerminal() const
Name generateEcdsaKeyPair(const Name &identityName, bool isKsk=false, uint32_t keySize=256)
Generate a pair of ECDSA keys for the specified identity.
ConstBufferPtr decryptInTpm(const uint8_t *data, size_t dataLength, const Name &keyName, bool isSymmetric)
void setDefaultKeyNameForIdentity(const Name &keyName)
static const Name DEFAULT_PREFIX
void refreshDefaultCertificate()
void addPublicKey(const Name &keyName, KeyType keyType, const PublicKey &publicKeyDer)
void signWithSha256(Data &data)
Set Sha256 weak signature for data.
shared_ptr< const Buffer > ConstBufferPtr
void setDefaultCertificateNameForKey(const Name &certificateName)
Name generateEcdsaKeyPairAsDefault(const Name &identityName, bool isKsk, uint32_t keySize=256)
Generate a pair of ECDSA keys for the specified identity and set it as default key for the identity...
void getAllKeyNames(std::vector< Name > &nameList, bool isDefault) const
SimplePublicKeyParams is a template for public keys with only one parameter: size.
DigestAlgorithm getDigestAlgorithm() const
Name generateRsaKeyPairAsDefault(const Name &identityName, bool isKsk=false, uint32_t keySize=2048)
Generate a pair of RSA keys for the specified identity and set it as default key for the identity...
static const Name DIGEST_SHA256_IDENTITY
A localhost identity which indicates that signature is generated using SHA-256.
void deleteCertificateInfo(const Name &certificateName)
void deleteKey(const Name &keyName)
delete a key.
static void registerTpm(std::initializer_list< std::string > aliases)
Register a new TPM.
void addCertificateAsIdentityDefault(const IdentityCertificate &certificate)
ConstBufferPtr exportPrivateKeyPkcs5FromTpm(const Name &keyName, const std::string &password)
SecPublicInfo is a base class for the storage of public information.
void addKey(const Name &keyName, const PublicKey &publicKeyDer)
void deleteCertificate(const Name &certificateName)
delete a certificate.
bool importPrivateKeyPkcs5IntoTpm(const Name &keyName, const uint8_t *buf, size_t size, const std::string &password)
Name getDefaultKeyNameForIdentity(const Name &identityName) const
Error(const std::string &what)
A Signature is storage for the signature-related information (info and value) in a Data packet...