The interface of signing key management.
#include <key-chain.hpp>
Classes
  class Error
  class InvalidSigningInfoError
      Error indicating that the supplied SigningInfo is invalid.
  class LocatorMismatchError
      Error indicating that the supplied TPM locator does not match the locator stored in the PIB.
Public Member Functions
  KeyChain ()
      Constructor to create KeyChain with default PIB and TPM.
  KeyChain (const std::string &pibLocator, const std::string &tpmLocator, bool allowReset=false)
      KeyChain constructor.
  ~KeyChain ()
  const Pib & getPib () const
  const Tpm & getTpm () const
  Identity createIdentity (const Name &identityName, const KeyParams &params=getDefaultKeyParams())
      Create an identity identityName.
  void deleteIdentity (const Identity &identity)
      Delete identity.
  void setDefaultIdentity (const Identity &identity)
      Set identity as the default identity.
  Key createKey (const Identity &identity, const KeyParams &params=getDefaultKeyParams())
      Create a new key for identity.
  Name createHmacKey (const Name &prefix=SigningInfo::getHmacIdentity(), const HmacKeyParams &params=HmacKeyParams())
      Create a new HMAC key.
  void deleteKey (const Identity &identity, const Key &key)
      Delete a key key of identity.
  void setDefaultKey (const Identity &identity, const Key &key)
      Set key as the default key of identity.
  void addCertificate (const Key &key, const Certificate &certificate)
      Add a certificate certificate for key.
  void deleteCertificate (const Key &key, const Name &certificateName)
      Delete a certificate with name certificateName of key.
  void setDefaultCertificate (const Key &key, const Certificate &certificate)
      Set cert as the default certificate of key.
  void sign (Data &data, const SigningInfo &params=getDefaultSigningInfo())
      Sign data according to the supplied signing information.
  void sign (Interest &interest, const SigningInfo &params=getDefaultSigningInfo())
      Sign interest according to the supplied signing information.
  Block sign (const uint8_t *buffer, size_t bufferLength, const SigningInfo &params=getDefaultSigningInfo())
      Sign buffer according to the supplied signing information params.
  shared_ptr< SafeBag > exportSafeBag (const Certificate &certificate, const char *pw, size_t pwLen)
      Export a certificate and its corresponding private key.
  void importSafeBag (const SafeBag &safeBag, const char *pw, size_t pwLen)
      Import a certificate and its corresponding private key from a SafeBag.
  void importPrivateKey (const Name &keyName, shared_ptr< transform::PrivateKey > key)
      Import a private key into the TPM.
Static Public Member Functions
  template<class PibBackendType > static void registerPibBackend (const std::string &scheme)
      Register a new PIB backend.
  template<class TpmBackendType > static void registerTpmBackend (const std::string &scheme)
      Register a new TPM backend.
  static const SigningInfo & getDefaultSigningInfo ()
  static const KeyParams & getDefaultKeyParams ()
Public Attributes
  NDN_CXX_PUBLIC_WITH_TESTS_ELSE_PRIVATE __pad0__: static tlv::SignatureTypeValue getSignatureType(KeyType keyType
  NDN_CXX_PUBLIC_WITH_TESTS_ELSE_PRIVATE DigestAlgorithm digestAlgorithm
The interface of signing key management.
The KeyChain class provides an interface to manage the entities involved in packet signing, such as Identity, Key, and Certificate. It consists of two parts: a private key module (TPM) and a public key information base (PIB). Managing signing keys and their related entities through the KeyChain interface guarantees consistency between the TPM and the PIB.
Definition at line 46 of file key-chain.hpp.
ndn::security::v2::KeyChain::KeyChain()
Constructor to create KeyChain with default PIB and TPM.
The default PIB and TPM are platform-dependent and can be overridden system-wide or individually per user.
Definition at line 164 of file key-chain.cpp.
ndn::security::v2::KeyChain::KeyChain(const std::string& pibLocator, const std::string& tpmLocator, bool allowReset = false)
KeyChain constructor.
Parameters:
  pibLocator   PIB locator, e.g., pib-sqlite3:/example/dir
  tpmLocator   TPM locator, e.g., tpm-memory:
  allowReset   if true, the PIB will be reset when the supplied tpmLocator does not match the one in the PIB
Definition at line 169 of file key-chain.cpp.
References NDN_THROW.
ndn::security::v2::KeyChain::~KeyChain() [default]
const Pib& ndn::security::v2::KeyChain::getPib() const [inline]
Definition at line 100 of file key-chain.hpp.
Referenced by nfd::rib::HostToGatewayReadvertisePolicy::handleNewRoute().
const Tpm& ndn::security::v2::KeyChain::getTpm() const [inline]
Definition at line 106 of file key-chain.hpp.
Identity ndn::security::v2::KeyChain::createIdentity(const Name& identityName, const KeyParams& params = getDefaultKeyParams())
Create an identity identityName.
This method checks whether the identity exists in the PIB and whether it has a default key and a default certificate. If the identity does not exist, this method creates it in the PIB. If the identity's default key does not exist, this method creates a key pair and sets it as the identity's default key. If the key's default certificate is missing, this method creates a self-signed certificate for the key.
If identityName did not exist and no default identity was selected before, the created identity is set as the default identity.
Parameters:
  identityName   The name of the identity.
  params         The key parameters if a key needs to be created for the identity (default: EC key with random key id)
Definition at line 221 of file key-chain.cpp.
References createKey(), ndn::security::pib::Key::getDefaultCertificate(), ndn::security::pib::Key::getName(), and NDN_LOG_DEBUG.
void ndn::security::v2::KeyChain::deleteIdentity(const Identity& identity)
Delete identity.
Precondition: identity must be valid.
Postcondition: identity becomes invalid.
Definition at line 245 of file key-chain.cpp.
References ndn::security::pib::Identity::getKeys(), and ndn::security::pib::Identity::getName().
void ndn::security::v2::KeyChain::setDefaultIdentity(const Identity& identity)
Set identity as the default identity.
Precondition: identity must be valid.
Definition at line 259 of file key-chain.cpp.
References ndn::security::pib::Identity::getName().
Key ndn::security::v2::KeyChain::createKey(const Identity& identity, const KeyParams& params = getDefaultKeyParams())
Create a new key for identity.
Parameters:
  identity   Reference to a valid Identity object
  params     Key creation parameters (default: EC key with random key id)
Precondition: identity must be valid.
If identity had no default key selected, the created key will be set as the default for this identity.
This method will also create a self-signed certificate for the created key.
Definition at line 267 of file key-chain.cpp.
References ndn::security::pib::Identity::getName(), ndn::security::pib::Key::getName(), and NDN_LOG_DEBUG.
Referenced by createIdentity().
Name ndn::security::v2::KeyChain::createHmacKey(const Name& prefix = SigningInfo::getHmacIdentity(), const HmacKeyParams& params = HmacKeyParams())
Create a new HMAC key.
Parameters:
  prefix   Prefix used to construct the key name (default: /localhost/identity/hmac); the full key name will include additional components according to params
  params   Key creation parameters
The newly created key will be inserted in the TPM. HMAC keys don't have any PIB entries.
Definition at line 285 of file key-chain.cpp.
void ndn::security::v2::KeyChain::deleteKey(const Identity& identity, const Key& key)
Delete a key key of identity.
Precondition: identity must be valid.
Precondition: key must be valid.
Postcondition: key becomes invalid.
Exceptions:
  std::invalid_argument   key does not belong to identity
Definition at line 291 of file key-chain.cpp.
References ndn::security::pib::Key::getIdentity(), ndn::security::pib::Identity::getName(), ndn::security::pib::Key::getName(), NDN_THROW, ndn::security::pib::Identity::removeKey(), and ndn::Name::toUri().
void ndn::security::v2::KeyChain::setDefaultKey(const Identity& identity, const Key& key)
Set key as the default key of identity.
Precondition: identity must be valid.
Precondition: key must be valid.
Exceptions:
  std::invalid_argument   key does not belong to identity
Definition at line 307 of file key-chain.cpp.
References ndn::security::pib::Key::getIdentity(), ndn::security::pib::Identity::getName(), ndn::security::pib::Key::getName(), NDN_THROW, ndn::security::pib::Identity::setDefaultKey(), and ndn::Name::toUri().
void ndn::security::v2::KeyChain::addCertificate(const Key& key, const Certificate& certificate)
Add a certificate certificate for key.
If key had no default certificate selected, the added certificate will be set as the default certificate for this key.
Precondition: key must be valid.
Exceptions:
  std::invalid_argument   key does not match certificate
Definition at line 320 of file key-chain.cpp.
References ndn::Data::getContent(), ndn::security::v2::Certificate::getKeyName(), ndn::security::pib::Key::getName(), ndn::Data::getName(), ndn::security::pib::Key::getPublicKey(), NDN_THROW, ndn::Name::toUri(), ndn::Block::value_begin(), and ndn::Block::value_end().
Referenced by setDefaultCertificate().
void ndn::security::v2::KeyChain::deleteCertificate(const Key& key, const Name& certificateName)
Delete a certificate with name certificateName of key.
If the certificate certificateName does not exist, this method has no effect.
Precondition: key must be valid.
Exceptions:
  std::invalid_argument   certificateName does not follow the certificate naming convention
Definition at line 334 of file key-chain.cpp.
References ndn::security::v2::Certificate::isValidName(), NDN_THROW, ndn::security::pib::Key::removeCertificate(), and ndn::Name::toUri().
void ndn::security::v2::KeyChain::setDefaultCertificate(const Key& key, const Certificate& certificate)
Set cert as the default certificate of key.
The certificate cert will be added to the key, potentially overriding an existing certificate if it has the same name (without considering the implicit digest).
Precondition: key must be valid.
Exceptions:
  std::invalid_argument   key does not match certificate
Definition at line 346 of file key-chain.cpp.
References addCertificate(), ndn::Data::getName(), and ndn::security::pib::Key::setDefaultCertificate().
void ndn::security::v2::KeyChain::sign(Data& data, const SigningInfo& params = getDefaultSigningInfo())
Sign data according to the supplied signing information.
This method uses the supplied signing information params to create the SignatureInfo block:
After that, the method assigns the created SignatureInfo to the data packet, generates a signature, and sets it as the SignatureValue block.
Parameters:
  data     The data to sign
  params   The signing parameters.
Exceptions:
  Error                     signing fails
  InvalidSigningInfoError   params is invalid, or the specified identity, key, or certificate does not exist
Definition at line 450 of file key-chain.cpp.
References ndn::security::SigningInfo::getDigestAlgorithm(), ndn::Data::setSignature(), and ndn::Data::wireEncode().
Referenced by ndn::security::CommandInterestSigner::makeCommandInterest(), ndn::MetadataObject::makeData(), ndn::util::NotificationStream< Notification >::postNotification(), sign(), and ndn::PrefixAnnouncement::toData().
void ndn::security::v2::KeyChain::sign(Interest& interest, const SigningInfo& params = getDefaultSigningInfo())
Sign interest according to the supplied signing information.
This method uses the supplied signing information params to create the SignatureInfo block:
After that, the method appends the created SignatureInfo to the Interest name, generates a signature, and appends it to the Interest name as the SignatureValue block.
Parameters:
  interest   The interest to sign
  params     The signing parameters.
Exceptions:
  Error                     signing fails
  InvalidSigningInfoError   params is invalid, or the specified identity, key, or certificate does not exist
Definition at line 467 of file key-chain.cpp.
References ndn::Name::append(), ndn::Block::encode(), ndn::security::SigningInfo::getDigestAlgorithm(), ndn::Interest::getName(), ndn::Interest::setName(), sign(), ndn::SignatureInfo::wireEncode(), and ndn::Name::wireEncode().
Block ndn::security::v2::KeyChain::sign(const uint8_t* buffer, size_t bufferLength, const SigningInfo& params = getDefaultSigningInfo())
Sign buffer according to the supplied signing information params.
If params refers to an identity, the method selects the default key of that identity. If params refers to a key or certificate, the method selects the corresponding key.
Parameters:
  buffer         The buffer to sign
  bufferLength   The buffer size
  params         The signing parameters.
Exceptions:
  Error   signing fails
Definition at line 485 of file key-chain.cpp.
References ndn::security::SigningInfo::getDigestAlgorithm(), and sign().
shared_ptr< SafeBag > ndn::security::v2::KeyChain::exportSafeBag(const Certificate& certificate, const char* pw, size_t pwLen)
Export a certificate and its corresponding private key.
Parameters:
  certificate   The certificate to export.
  pw            The password to secure the private key.
  pwLen         The length of the password.
Exceptions:
  Error   the certificate or private key does not exist
Definition at line 355 of file key-chain.cpp.
References ndn::security::v2::Certificate::getIdentity(), ndn::security::v2::Certificate::getKeyName(), NDN_THROW_NESTED, and ndn::Name::toUri().
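The name checks behind deleteCertificate()'s naming-convention exception and the certificate-to-key-to-identity derivation that exportSafeBag() relies on (Certificate::getKeyName() and getIdentity()), as an added example that is not ndn-cxx code. It assumes the v2 certificate name layout /<IdentityName>/KEY/<KeyId>/<IssuerId>/<Version>, which this page does not spell out, and uses a simplified URI splitter with no percent-decoding; the function names are the example's own.

```cpp
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// Assumed v2 certificate name layout (not stated on this page):
//   /<IdentityName>/KEY/<KeyId>/<IssuerId>/<Version>
// key name = prefix through <KeyId>; identity = prefix before KEY.
using NameComponents = std::vector<std::string>;

// Simplified NDN URI splitter: splits on '/', no percent-decoding.
NameComponents splitName(const std::string& uri) {
  NameComponents comps;
  std::stringstream ss(uri);
  std::string comp;
  while (std::getline(ss, comp, '/')) {
    if (!comp.empty())
      comps.push_back(comp);
  }
  return comps;
}
// Re-joins the first `count` components as a URI ("/" for the root name).
std::string joinPrefix(const NameComponents& comps, std::size_t count) {
  std::string uri;
  for (std::size_t i = 0; i < count && i < comps.size(); ++i)
    uri += "/" + comps[i];
  return uri.empty() ? "/" : uri;
}
// The check behind deleteCertificate()'s std::invalid_argument: at least
// four components, with "KEY" in the fourth-from-last position.
bool isValidCertificateName(const std::string& uri) {
  NameComponents c = splitName(uri);
  return c.size() >= 4 && c[c.size() - 4] == "KEY";
}

// Key name: drop the trailing <IssuerId>/<Version> components.
std::string certificateKeyName(const std::string& uri) {
  if (!isValidCertificateName(uri))
    throw std::invalid_argument("not a certificate name: " + uri);
  NameComponents c = splitName(uri);
  return joinPrefix(c, c.size() - 2);
}

// Identity name: everything before the KEY component.
std::string certificateIdentity(const std::string& uri) {
  if (!isValidCertificateName(uri))
    throw std::invalid_argument("not a certificate name: " + uri);
  NameComponents c = splitName(uri);
  return joinPrefix(c, c.size() - 4);
}
```

The sample names in the test are constructed; a real deployment's certificate names carry the same structure with its own identity prefix.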
void ndn::security::v2::KeyChain::importSafeBag(const SafeBag& safeBag, const char* pw, size_t pwLen)
Import a certificate and its corresponding private key from a SafeBag.
If the certificate and key are imported properly, the default settings will be updated as if a new key and certificate were added to the KeyChain.
Parameters:
  safeBag   The encoded data to import.
  pw        The password securing the private key.
  pwLen     The length of the password.
Exceptions:
  Error   any of the following conditions:
Definition at line 372 of file key-chain.cpp.
References ndn::security::transform::boolSink(), ndn::security::SafeBag::getCertificate(), ndn::security::SafeBag::getEncryptedKeyBag(), ndn::security::v2::Certificate::getIdentity(), ndn::security::pib::Identity::getKey(), ndn::security::v2::Certificate::getKeyName(), ndn::Data::getName(), ndn::security::v2::Certificate::getPublicKey(), nonstd::optional_lite::std11::move(), NDN_THROW, NDN_THROW_NESTED, ndn::SHA256, ndn::Name::toUri(), and ndn::security::transform::verifierFilter().
void ndn::security::v2::KeyChain::importPrivateKey(const Name& keyName, shared_ptr< transform::PrivateKey > key)
Import a private key into the TPM.
Definition at line 433 of file key-chain.cpp.
References nonstd::optional_lite::std11::move(), NDN_THROW, NDN_THROW_NESTED, and ndn::Name::toUri().
template<class PibBackendType > static void ndn::security::v2::KeyChain::registerPibBackend(const std::string& scheme) [inline, static]
Register a new PIB backend.
Parameters:
  scheme   Name for the registered PIB backend scheme
Definition at line 456 of file key-chain.hpp.
template<class TpmBackendType > static void ndn::security::v2::KeyChain::registerTpmBackend(const std::string& scheme) [inline, static]
Register a new TPM backend.
Parameters:
  scheme   Name for the registered TPM backend scheme
Definition at line 465 of file key-chain.hpp.
const SigningInfo& ndn::security::v2::KeyChain::getDefaultSigningInfo() [static]
Definition at line 149 of file key-chain.cpp.
const KeyParams& ndn::security::v2::KeyChain::getDefaultKeyParams() [static]
Definition at line 156 of file key-chain.cpp.
NDN_CXX_PUBLIC_WITH_TESTS_ELSE_PRIVATE ndn::security::v2::KeyChain::__pad0__ |
Definition at line 343 of file key-chain.hpp.
NDN_CXX_PUBLIC_WITH_TESTS_ELSE_PRIVATE DigestAlgorithm ndn::security::v2::KeyChain::digestAlgorithm |
Definition at line 348 of file key-chain.hpp.