NS-3 based Named Data Networking (NDN) simulator
ndnSIM 2.5: NDN, CCN, CCNx, content centric networks 		API Documentation
key-chain.cpp
Go to the documentation of this file.
1 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
2 /*
3  * Copyright (c) 2013-2019 Regents of the University of California.
4  *
5  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
6  *
7  * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8  * terms of the GNU Lesser General Public License as published by the Free Software
9  * Foundation, either version 3 of the License, or (at your option) any later version.
10  *
11  * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12  * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13  * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14  *
15  * You should have received copies of the GNU General Public License and GNU Lesser
16  * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17  * <http://www.gnu.org/licenses/>.
18  *
19  * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
20  */
21 
22 #include "ndn-cxx/security/v2/key-chain.hpp"
23 
24 #include "ndn-cxx/encoding/buffer-stream.hpp"
25 #include "ndn-cxx/util/config-file.hpp"
26 #include "ndn-cxx/util/logger.hpp"
27 #include "ndn-cxx/util/sha256.hpp"
28 
29 #include "ndn-cxx/security/pib/impl/pib-memory.hpp"
30 #include "ndn-cxx/security/pib/impl/pib-sqlite3.hpp"
31 
32 #include "ndn-cxx/security/tpm/impl/back-end-file.hpp"
33 #include "ndn-cxx/security/tpm/impl/back-end-mem.hpp"
34 #ifdef NDN_CXX_HAVE_OSX_FRAMEWORKS
35 #include "ndn-cxx/security/tpm/impl/back-end-osx.hpp"
36 #endif // NDN_CXX_HAVE_OSX_FRAMEWORKS
37 
38 #include "ndn-cxx/security/transform/bool-sink.hpp"
39 #include "ndn-cxx/security/transform/buffer-source.hpp"
40 #include "ndn-cxx/security/transform/private-key.hpp"
41 #include "ndn-cxx/security/transform/public-key.hpp"
42 #include "ndn-cxx/security/transform/verifier-filter.hpp"
43 
44 #include <boost/lexical_cast.hpp>
45 
46 namespace ndn {
47 namespace security {
48 
49 // When static library is used, not everything is compiled into the resulting binary.
50 // Therefore, the following standard PIB and TPMs need to be registered here.
51 // http://stackoverflow.com/q/9459980/2150331
52 
53 namespace pib {
54 NDN_CXX_V2_KEYCHAIN_REGISTER_PIB_BACKEND(PibSqlite3);
55 NDN_CXX_V2_KEYCHAIN_REGISTER_PIB_BACKEND(PibMemory);
56 } // namespace pib
57 
58 namespace tpm {
59 #if defined(NDN_CXX_HAVE_OSX_FRAMEWORKS) && defined(NDN_CXX_WITH_OSX_KEYCHAIN)
60 NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND(BackEndOsx);
61 #endif // defined(NDN_CXX_HAVE_OSX_FRAMEWORKS) && defined(NDN_CXX_WITH_OSX_KEYCHAIN)
62 NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND(BackEndFile);
63 NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND(BackEndMem);
64 } // namespace tpm
65 
66 namespace v2 {
67 
68 NDN_LOG_INIT(ndn.security.v2.KeyChain);
69 
70 std::string KeyChain::s_defaultPibLocator;
71 std::string KeyChain::s_defaultTpmLocator;
72 
73 KeyChain::PibFactories&
74 KeyChain::getPibFactories()
75 {
76  static PibFactories pibFactories;
77  return pibFactories;
78 }
79 
80 KeyChain::TpmFactories&
81 KeyChain::getTpmFactories()
82 {
83  static TpmFactories tpmFactories;
84  return tpmFactories;
85 }
86 
87 const std::string&
88 KeyChain::getDefaultPibScheme()
89 {
90  return pib::PibSqlite3::getScheme();
91 }
92 
93 const std::string&
94 KeyChain::getDefaultTpmScheme()
95 {
96 #if defined(NDN_CXX_HAVE_OSX_FRAMEWORKS) && defined(NDN_CXX_WITH_OSX_KEYCHAIN)
97  return tpm::BackEndOsx::getScheme();
98 #else
99  return tpm::BackEndFile::getScheme();
100 #endif // defined(NDN_CXX_HAVE_OSX_FRAMEWORKS) && defined(NDN_CXX_WITH_OSX_KEYCHAIN)
101 }
102 
103 const std::string&
104 KeyChain::getDefaultPibLocator()
105 {
106  if (!s_defaultPibLocator.empty())
107  return s_defaultPibLocator;
108 
109  if (getenv("NDN_CLIENT_PIB") != nullptr) {
110  s_defaultPibLocator = getenv("NDN_CLIENT_PIB");
111  }
112  else {
113  ConfigFile config;
114  s_defaultPibLocator = config.getParsedConfiguration().get<std::string>("pib", getDefaultPibScheme() + ":");
115  }
116 
117  std::string pibScheme, pibLocation;
118  std::tie(pibScheme, pibLocation) = parseAndCheckPibLocator(s_defaultPibLocator);
119  s_defaultPibLocator = pibScheme + ":" + pibLocation;
120 
121  return s_defaultPibLocator;
122 }
123 
124 const std::string&
125 KeyChain::getDefaultTpmLocator()
126 {
127  if (!s_defaultTpmLocator.empty())
128  return s_defaultTpmLocator;
129 
130  if (getenv("NDN_CLIENT_TPM") != nullptr) {
131  s_defaultTpmLocator = getenv("NDN_CLIENT_TPM");
132  }
133  else {
134  ConfigFile config;
135  s_defaultTpmLocator = config.getParsedConfiguration().get<std::string>("tpm", getDefaultTpmScheme() + ":");
136  }
137 
138  std::string tpmScheme, tpmLocation;
139  std::tie(tpmScheme, tpmLocation) = parseAndCheckTpmLocator(s_defaultTpmLocator);
140  s_defaultTpmLocator = tpmScheme + ":" + tpmLocation;
141 
142  return s_defaultTpmLocator;
143 }
144 
145 
146 // Other defaults
147 
148 const SigningInfo&
149 KeyChain::getDefaultSigningInfo()
150 {
151  static SigningInfo signingInfo;
152  return signingInfo;
153 }
154 
155 const KeyParams&
156 KeyChain::getDefaultKeyParams()
157 {
158  static EcKeyParams keyParams;
159  return keyParams;
160 }
161 
162 //
163 
164 KeyChain::KeyChain()
165  : KeyChain(getDefaultPibLocator(), getDefaultTpmLocator(), true)
166 {
167 }
168 
169 KeyChain::KeyChain(const std::string& pibLocator, const std::string& tpmLocator, bool allowReset)
170 {
171  // PIB Locator
172  std::string pibScheme, pibLocation;
173  std::tie(pibScheme, pibLocation) = parseAndCheckPibLocator(pibLocator);
174  std::string canonicalPibLocator = pibScheme + ":" + pibLocation;
175 
176  // Create PIB
177  m_pib = createPib(canonicalPibLocator);
178  std::string oldTpmLocator;
179  try {
180  oldTpmLocator = m_pib->getTpmLocator();
181  }
182  catch (const Pib::Error&) {
183  // TPM locator is not set in PIB yet.
184  }
185 
186  // TPM Locator
187  std::string tpmScheme, tpmLocation;
188  std::tie(tpmScheme, tpmLocation) = parseAndCheckTpmLocator(tpmLocator);
189  std::string canonicalTpmLocator = tpmScheme + ":" + tpmLocation;
190 
191  if (canonicalPibLocator == getDefaultPibLocator()) {
192  // Default PIB must use default TPM
193  if (!oldTpmLocator.empty() && oldTpmLocator != getDefaultTpmLocator()) {
194  m_pib->reset();
195  canonicalTpmLocator = getDefaultTpmLocator();
196  }
197  }
198  else {
199  // non-default PIB check consistency
200  if (!oldTpmLocator.empty() && oldTpmLocator != canonicalTpmLocator) {
201  if (allowReset)
202  m_pib->reset();
203  else
204  NDN_THROW(LocatorMismatchError("TPM locator supplied does not match TPM locator in PIB: " +
205  oldTpmLocator + " != " + canonicalTpmLocator));
206  }
207  }
208 
209  // note that key mismatch may still happen if the TPM locator is initially set to a
210  // wrong one or if the PIB was shared by more than one TPMs before. This is due to the
211  // old PIB does not have TPM info, new pib should not have this problem.
212  m_tpm = createTpm(canonicalTpmLocator);
213  m_pib->setTpmLocator(canonicalTpmLocator);
214 }
215 
216 KeyChain::~KeyChain() = default;
217 
218 // public: management
219 
220 Identity
221 KeyChain::createIdentity(const Name& identityName, const KeyParams& params)
222 {
223  Identity id = m_pib->addIdentity(identityName);
224 
225  Key key;
226  try {
227  key = id.getDefaultKey();
228  }
229  catch (const Pib::Error&) {
230  key = createKey(id, params);
231  }
232 
233  try {
234  key.getDefaultCertificate();
235  }
236  catch (const Pib::Error&) {
237  NDN_LOG_DEBUG("No default cert for " << key.getName() << ", requesting self-signing");
238  selfSign(key);
239  }
240 
241  return id;
242 }
243 
244 void
245 KeyChain::deleteIdentity(const Identity& identity)
246 {
247  BOOST_ASSERT(static_cast<bool>(identity));
248 
249  Name identityName = identity.getName();
250 
251  for (const auto& key : identity.getKeys()) {
252  m_tpm->deleteKey(key.getName());
253  }
254 
255  m_pib->removeIdentity(identityName);
256 }
257 
258 void
259 KeyChain::setDefaultIdentity(const Identity& identity)
260 {
261  BOOST_ASSERT(static_cast<bool>(identity));
262 
263  m_pib->setDefaultIdentity(identity.getName());
264 }
265 
266 Key
267 KeyChain::createKey(const Identity& identity, const KeyParams& params)
268 {
269  BOOST_ASSERT(static_cast<bool>(identity));
270 
271  // create key in TPM
272  Name keyName = m_tpm->createKey(identity.getName(), params);
273 
274  // set up key info in PIB
275  ConstBufferPtr pubKey = m_tpm->getPublicKey(keyName);
276  Key key = identity.addKey(pubKey->data(), pubKey->size(), keyName);
277 
278  NDN_LOG_DEBUG("Requesting self-signing for newly created key " << key.getName());
279  selfSign(key);
280 
281  return key;
282 }
283 
284 Name
285 KeyChain::createHmacKey(const Name& prefix, const HmacKeyParams& params)
286 {
287  return m_tpm->createKey(prefix, params);
288 }
289 
290 void
291 KeyChain::deleteKey(const Identity& identity, const Key& key)
292 {
293  BOOST_ASSERT(static_cast<bool>(identity));
294  BOOST_ASSERT(static_cast<bool>(key));
295 
296  Name keyName = key.getName();
297  if (identity.getName() != key.getIdentity()) {
298  NDN_THROW(std::invalid_argument("Identity `" + identity.getName().toUri() + "` "
299  "does not match key `" + keyName.toUri() + "`"));
300  }
301 
302  identity.removeKey(keyName);
303  m_tpm->deleteKey(keyName);
304 }
305 
306 void
307 KeyChain::setDefaultKey(const Identity& identity, const Key& key)
308 {
309  BOOST_ASSERT(static_cast<bool>(identity));
310  BOOST_ASSERT(static_cast<bool>(key));
311 
312  if (identity.getName() != key.getIdentity())
313  NDN_THROW(std::invalid_argument("Identity `" + identity.getName().toUri() + "` "
314  "does not match key `" + key.getName().toUri() + "`"));
315 
316  identity.setDefaultKey(key.getName());
317 }
318 
319 void
320 KeyChain::addCertificate(const Key& key, const Certificate& certificate)
321 {
322  BOOST_ASSERT(static_cast<bool>(key));
323 
324  if (key.getName() != certificate.getKeyName() ||
325  !std::equal(certificate.getContent().value_begin(), certificate.getContent().value_end(),
326  key.getPublicKey().begin()))
327  NDN_THROW(std::invalid_argument("Key `" + key.getName().toUri() + "` "
328  "does not match certificate `" + certificate.getName().toUri() + "`"));
329 
330  key.addCertificate(certificate);
331 }
332 
333 void
334 KeyChain::deleteCertificate(const Key& key, const Name& certificateName)
335 {
336  BOOST_ASSERT(static_cast<bool>(key));
337 
338  if (!Certificate::isValidName(certificateName)) {
339  NDN_THROW(std::invalid_argument("Wrong certificate name `" + certificateName.toUri() + "`"));
340  }
341 
342  key.removeCertificate(certificateName);
343 }
344 
345 void
346 KeyChain::setDefaultCertificate(const Key& key, const Certificate& cert)
347 {
348  BOOST_ASSERT(static_cast<bool>(key));
349 
350  addCertificate(key, cert);
351  key.setDefaultCertificate(cert.getName());
352 }
353 
354 shared_ptr<SafeBag>
355 KeyChain::exportSafeBag(const Certificate& certificate, const char* pw, size_t pwLen)
356 {
357  Name identity = certificate.getIdentity();
358  Name keyName = certificate.getKeyName();
359 
360  ConstBufferPtr encryptedKey;
361  try {
362  encryptedKey = m_tpm->exportPrivateKey(keyName, pw, pwLen);
363  }
364  catch (const Tpm::Error&) {
365  NDN_THROW_NESTED(Error("Failed to export private key `" + keyName.toUri() + "`"));
366  }
367 
368  return make_shared<SafeBag>(certificate, *encryptedKey);
369 }
370 
371 void
372 KeyChain::importSafeBag(const SafeBag& safeBag, const char* pw, size_t pwLen)
373 {
374  Data certData = safeBag.getCertificate();
375  Certificate cert(std::move(certData));
376  Name identity = cert.getIdentity();
377  Name keyName = cert.getKeyName();
378  const Buffer publicKeyBits = cert.getPublicKey();
379 
380  if (m_tpm->hasKey(keyName)) {
381  NDN_THROW(Error("Private key `" + keyName.toUri() + "` already exists"));
382  }
383 
384  try {
385  Identity existingId = m_pib->getIdentity(identity);
386  existingId.getKey(keyName);
387  NDN_THROW(Error("Public key `" + keyName.toUri() + "` already exists"));
388  }
389  catch (const Pib::Error&) {
390  // Either identity or key doesn't exist. OK to import.
391  }
392 
393  try {
394  m_tpm->importPrivateKey(keyName,
395  safeBag.getEncryptedKeyBag().data(), safeBag.getEncryptedKeyBag().size(),
396  pw, pwLen);
397  }
398  catch (const Tpm::Error&) {
399  NDN_THROW_NESTED(Error("Failed to import private key `" + keyName.toUri() + "`"));
400  }
401 
402  // check the consistency of private key and certificate
403  const uint8_t content[] = {0x01, 0x02, 0x03, 0x04};
404  ConstBufferPtr sigBits;
405  try {
406  sigBits = m_tpm->sign(content, 4, keyName, DigestAlgorithm::SHA256);
407  }
408  catch (const std::runtime_error&) {
409  m_tpm->deleteKey(keyName);
410  NDN_THROW(Error("Invalid private key `" + keyName.toUri() + "`"));
411  }
412  bool isVerified = false;
413  {
414  using namespace transform;
415  PublicKey publicKey;
416  publicKey.loadPkcs8(publicKeyBits.data(), publicKeyBits.size());
417  bufferSource(content, sizeof(content)) >> verifierFilter(DigestAlgorithm::SHA256, publicKey,
418  sigBits->data(), sigBits->size())
419  >> boolSink(isVerified);
420  }
421  if (!isVerified) {
422  m_tpm->deleteKey(keyName);
423  NDN_THROW(Error("Certificate `" + cert.getName().toUri() + "` "
424  "and private key `" + keyName.toUri() + "` do not match"));
425  }
426 
427  Identity id = m_pib->addIdentity(identity);
428  Key key = id.addKey(cert.getPublicKey().data(), cert.getPublicKey().size(), keyName);
429  key.addCertificate(cert);
430 }
431 
432 void
433 KeyChain::importPrivateKey(const Name& keyName, shared_ptr<transform::PrivateKey> key)
434 {
435  if (m_tpm->hasKey(keyName)) {
436  NDN_THROW(Error("Private key `" + keyName.toUri() + "` already exists"));
437  }
438 
439  try {
440  m_tpm->importPrivateKey(keyName, std::move(key));
441  }
442  catch (const Tpm::Error&) {
443  NDN_THROW_NESTED(Error("Failed to import private key `" + keyName.toUri() + "`"));
444  }
445 }
446 
447 // public: signing
448 
449 void
450 KeyChain::sign(Data& data, const SigningInfo& params)
451 {
452  Name keyName;
453  SignatureInfo sigInfo;
454  std::tie(keyName, sigInfo) = prepareSignatureInfo(params);
455 
456  data.setSignature(Signature(sigInfo));
457 
458  EncodingBuffer encoder;
459  data.wireEncode(encoder, true);
460 
461  Block sigValue = sign(encoder.buf(), encoder.size(), keyName, params.getDigestAlgorithm());
462 
463  data.wireEncode(encoder, sigValue);
464 }
465 
466 void
467 KeyChain::sign(Interest& interest, const SigningInfo& params)
468 {
469  Name keyName;
470  SignatureInfo sigInfo;
471  std::tie(keyName, sigInfo) = prepareSignatureInfo(params);
472 
473  Name signedName = interest.getName();
474  signedName.append(sigInfo.wireEncode()); // signatureInfo
475 
476  Block sigValue = sign(signedName.wireEncode().value(), signedName.wireEncode().value_size(),
477  keyName, params.getDigestAlgorithm());
478 
479  sigValue.encode();
480  signedName.append(sigValue); // signatureValue
481  interest.setName(signedName);
482 }
483 
484 Block
485 KeyChain::sign(const uint8_t* buffer, size_t bufferLength, const SigningInfo& params)
486 {
487  Name keyName;
488  SignatureInfo sigInfo;
489  std::tie(keyName, sigInfo) = prepareSignatureInfo(params);
490 
491  return sign(buffer, bufferLength, keyName, params.getDigestAlgorithm());
492 }
493 
494 // public: PIB/TPM creation helpers
495 
496 static inline std::tuple<std::string/*type*/, std::string/*location*/>
497 parseLocatorUri(const std::string& uri)
498 {
499  size_t pos = uri.find(':');
500  if (pos != std::string::npos) {
501  return std::make_tuple(uri.substr(0, pos), uri.substr(pos + 1));
502  }
503  else {
504  return std::make_tuple(uri, "");
505  }
506 }
507 
508 std::tuple<std::string/*type*/, std::string/*location*/>
509 KeyChain::parseAndCheckPibLocator(const std::string& pibLocator)
510 {
511  std::string pibScheme, pibLocation;
512  std::tie(pibScheme, pibLocation) = parseLocatorUri(pibLocator);
513 
514  if (pibScheme.empty()) {
515  pibScheme = getDefaultPibScheme();
516  }
517 
518  auto pibFactory = getPibFactories().find(pibScheme);
519  if (pibFactory == getPibFactories().end()) {
520  NDN_THROW(KeyChain::Error("PIB scheme `" + pibScheme + "` is not supported"));
521  }
522 
523  return std::make_tuple(pibScheme, pibLocation);
524 }
525 
526 unique_ptr<Pib>
527 KeyChain::createPib(const std::string& pibLocator)
528 {
529  std::string pibScheme, pibLocation;
530  std::tie(pibScheme, pibLocation) = parseAndCheckPibLocator(pibLocator);
531  auto pibFactory = getPibFactories().find(pibScheme);
532  BOOST_ASSERT(pibFactory != getPibFactories().end());
533  return unique_ptr<Pib>(new Pib(pibScheme, pibLocation, pibFactory->second(pibLocation)));
534 }
535 
536 std::tuple<std::string/*type*/, std::string/*location*/>
537 KeyChain::parseAndCheckTpmLocator(const std::string& tpmLocator)
538 {
539  std::string tpmScheme, tpmLocation;
540  std::tie(tpmScheme, tpmLocation) = parseLocatorUri(tpmLocator);
541 
542  if (tpmScheme.empty()) {
543  tpmScheme = getDefaultTpmScheme();
544  }
545  auto tpmFactory = getTpmFactories().find(tpmScheme);
546  if (tpmFactory == getTpmFactories().end()) {
547  NDN_THROW(KeyChain::Error("TPM scheme `" + tpmScheme + "` is not supported"));
548  }
549 
550  return std::make_tuple(tpmScheme, tpmLocation);
551 }
552 
553 unique_ptr<Tpm>
554 KeyChain::createTpm(const std::string& tpmLocator)
555 {
556  std::string tpmScheme, tpmLocation;
557  std::tie(tpmScheme, tpmLocation) = parseAndCheckTpmLocator(tpmLocator);
558  auto tpmFactory = getTpmFactories().find(tpmScheme);
559  BOOST_ASSERT(tpmFactory != getTpmFactories().end());
560  return unique_ptr<Tpm>(new Tpm(tpmScheme, tpmLocation, tpmFactory->second(tpmLocation)));
561 }
562 
563 // private: signing
564 
565 Certificate
566 KeyChain::selfSign(Key& key)
567 {
568  Certificate certificate;
569 
570  // set name
571  Name certificateName = key.getName();
572  certificateName
573  .append("self")
574  .appendVersion();
575  certificate.setName(certificateName);
576 
577  // set metainfo
578  certificate.setContentType(tlv::ContentType_Key);
579  certificate.setFreshnessPeriod(1_h);
580 
581  // set content
582  certificate.setContent(key.getPublicKey().data(), key.getPublicKey().size());
583 
584  // set signature-info
585  SignatureInfo signatureInfo;
586  // Note time::system_clock::max() or other NotAfter date results in incorrect encoded value
587  // because of overflow during conversion to boost::posix_time::ptime (bug #3915).
588  signatureInfo.setValidityPeriod(ValidityPeriod(time::system_clock::TimePoint(),
589  time::system_clock::now() + 20 * 365_days));
590 
591  sign(certificate, SigningInfo(key).setSignatureInfo(signatureInfo));
592 
593  key.addCertificate(certificate);
594  return certificate;
595 }
596 
597 std::tuple<Name, SignatureInfo>
598 KeyChain::prepareSignatureInfo(const SigningInfo& params)
599 {
600  SignatureInfo sigInfo = params.getSignatureInfo();
601  pib::Identity identity;
602  pib::Key key;
603 
604  switch (params.getSignerType()) {
605  case SigningInfo::SIGNER_TYPE_NULL: {
606  try {
607  identity = m_pib->getDefaultIdentity();
608  }
609  catch (const Pib::Error&) { // no default identity, use sha256 for signing.
610  sigInfo.setSignatureType(tlv::DigestSha256);
611  NDN_LOG_TRACE("Prepared signature info: " << sigInfo);
612  return std::make_tuple(SigningInfo::getDigestSha256Identity(), sigInfo);
613  }
614  break;
615  }
616  case SigningInfo::SIGNER_TYPE_ID: {
617  identity = params.getPibIdentity();
618  if (!identity) {
619  try {
620  identity = m_pib->getIdentity(params.getSignerName());
621  }
622  catch (const Pib::Error&) {
623  NDN_THROW_NESTED(InvalidSigningInfoError("Signing identity `" +
624  params.getSignerName().toUri() + "` does not exist"));
625  }
626  }
627  break;
628  }
629  case SigningInfo::SIGNER_TYPE_KEY: {
630  key = params.getPibKey();
631  if (!key) {
632  Name identityName = extractIdentityFromKeyName(params.getSignerName());
633  try {
634  key = m_pib->getIdentity(identityName).getKey(params.getSignerName());
635  }
636  catch (const Pib::Error&) {
637  NDN_THROW_NESTED(InvalidSigningInfoError("Signing key `" +
638  params.getSignerName().toUri() + "` does not exist"));
639  }
640  }
641  break;
642  }
643  case SigningInfo::SIGNER_TYPE_CERT: {
644  Name identityName = extractIdentityFromCertName(params.getSignerName());
645  Name keyName = extractKeyNameFromCertName(params.getSignerName());
646  try {
647  identity = m_pib->getIdentity(identityName);
648  key = identity.getKey(keyName);
649  }
650  catch (const Pib::Error&) {
651  NDN_THROW_NESTED(InvalidSigningInfoError("Signing certificate `" +
652  params.getSignerName().toUri() + "` does not exist"));
653  }
654  break;
655  }
656  case SigningInfo::SIGNER_TYPE_SHA256: {
657  sigInfo.setSignatureType(tlv::DigestSha256);
658  NDN_LOG_TRACE("Prepared signature info: " << sigInfo);
659  return std::make_tuple(SigningInfo::getDigestSha256Identity(), sigInfo);
660  }
661  case SigningInfo::SIGNER_TYPE_HMAC: {
662  const Name& keyName = params.getSignerName();
663  if (!m_tpm->hasKey(keyName)) {
664  m_tpm->importPrivateKey(keyName, params.getHmacKey());
665  }
666  sigInfo.setSignatureType(getSignatureType(KeyType::HMAC, params.getDigestAlgorithm()));
667  sigInfo.setKeyLocator(keyName);
668  NDN_LOG_TRACE("Prepared signature info: " << sigInfo);
669  return std::make_tuple(keyName, sigInfo);
670  }
671  default: {
672  NDN_THROW(InvalidSigningInfoError("Unrecognized signer type " +
673  boost::lexical_cast<std::string>(params.getSignerType())));
674  }
675  }
676 
677  if (!key) {
678  if (!identity) {
679  NDN_THROW(InvalidSigningInfoError("Cannot determine signing parameters"));
680  }
681  try {
682  key = identity.getDefaultKey();
683  }
684  catch (const Pib::Error&) {
685  NDN_THROW_NESTED(InvalidSigningInfoError("Signing identity `" + identity.getName().toUri() +
686  "` does not have a default certificate"));
687  }
688  }
689 
690  BOOST_ASSERT(key);
691 
692  sigInfo.setSignatureType(getSignatureType(key.getKeyType(), params.getDigestAlgorithm()));
693  sigInfo.setKeyLocator(key.getName());
694 
695  NDN_LOG_TRACE("Prepared signature info: " << sigInfo);
696  return std::make_tuple(key.getName(), sigInfo);
697 }
698 
699 Block
700 KeyChain::sign(const uint8_t* buf, size_t size,
701  const Name& keyName, DigestAlgorithm digestAlgorithm) const
702 {
703  if (keyName == SigningInfo::getDigestSha256Identity())
704  return Block(tlv::SignatureValue, util::Sha256::computeDigest(buf, size));
705 
706  return Block(tlv::SignatureValue, m_tpm->sign(buf, size, keyName, digestAlgorithm));
707 }
708 
709 tlv::SignatureTypeValue
710 KeyChain::getSignatureType(KeyType keyType, DigestAlgorithm)
711 {
712  switch (keyType) {
713  case KeyType::RSA:
714  return tlv::SignatureSha256WithRsa;
715  case KeyType::EC:
716  return tlv::SignatureSha256WithEcdsa;
717  case KeyType::HMAC:
718  return tlv::SignatureHmacWithSha256;
719  default:
720  NDN_THROW(Error("Unsupported key type " + boost::lexical_cast<std::string>(keyType)));
721  }
722 }
723 
724 } // namespace v2
725 } // namespace security
726 } // namespace ndn
ndn::tlv::ValidityPeriod
@ ValidityPeriod
Definition: tlv.hpp:143
ndn::tlv::ContentType_Key
@ ContentType_Key
public key, certificate
Definition: tlv.hpp:159
buf
const uint8_t * buf
Definition: verification-helpers.cpp:47
ndn::security::tpm::BackEndOsx::getScheme
static const std::string & getScheme()
Definition: back-end-osx.cpp:199
ndn::KeyType
KeyType
The type of a cryptographic key.
Definition: security-common.hpp:85
ndn::security::v2::KeyChain::Error
Definition: key-chain.hpp:50
ndn::security::tpm::Tpm::Error
Definition: tpm.hpp:69
NDN_LOG_INIT
#define NDN_LOG_INIT(name)
declare a log module
Definition: logger.hpp:81
ndn::KeyParams
Base class for key parameters.
Definition: key-params.hpp:36
ndn::security::tpm::BackEndMem
The back-end implementation of an in-memory TPM.
Definition: back-end-mem.hpp:35
ndn::security::pib::NDN_CXX_V2_KEYCHAIN_REGISTER_PIB_BACKEND
NDN_CXX_V2_KEYCHAIN_REGISTER_PIB_BACKEND(PibSqlite3)
ndn::security::SafeBag
a secured container for sensitive information(certificate, private key)
Definition: safe-bag.hpp:38
ndn::time::system_clock::TimePoint
time_point TimePoint
Definition: time.hpp:195
ndn::security::pib::Key::setDefaultCertificate
const v2::Certificate & setDefaultCertificate(const Name &certName) const
Set an existing certificate with certName as the default certificate.
Definition: key.cpp:86
ndn::security::v2::KeyChain::deleteIdentity
void deleteIdentity(const Identity &identity)
delete identity.
Definition: key-chain.cpp:245
ndn::security::v2::KeyChain::~KeyChain
~KeyChain()
buffer-source.hpp
ndn::security::v2::Certificate::getIdentity
Name getIdentity() const
Get identity name.
Definition: certificate.cpp:87
transform
nonstd::optional_lite::std11::move
T & move(T &t)
Definition: optional.hpp:421
ndn::security::v2::Certificate::isValidName
static bool isValidName(const Name &certName)
Check if the specified name follows the naming convention for the certificate.
Definition: certificate.cpp:131
ndn::security::v2::KeyChain::createKey
Key createKey(const Identity &identity, const KeyParams &params=getDefaultKeyParams())
Create a new key for identity.
Definition: key-chain.cpp:267
ndn::security::pib::Key::getDefaultCertificate
const v2::Certificate & getDefaultCertificate() const
Get the default certificate for this Key.
Definition: key.cpp:98
verifier-filter.hpp
bool-sink.hpp
ndn::security::v2::KeyChain::deleteCertificate
void deleteCertificate(const Key &key, const Name &certificateName)
delete a certificate with name certificateName of key.
Definition: key-chain.cpp:334
ndn::security::pib::Pib
ndn security pib Pib
Definition: pib.cpp:30
ndn::Buffer
General-purpose automatically managed/resized buffer.
Definition: buffer.hpp:41
ndn::DigestAlgorithm::SHA256
@ SHA256
ndn::security::v2::KeyChain::deleteKey
void deleteKey(const Identity &identity, const Key &key)
Delete a key key of identity.
Definition: key-chain.cpp:291
ndn::security::v2::KeyChain::setDefaultKey
void setDefaultKey(const Identity &identity, const Key &key)
Set key as the default key of identity.
Definition: key-chain.cpp:307
ndn::security::pib::PibSqlite3::getScheme
static const std::string & getScheme()
Definition: pib-sqlite3.cpp:247
ndn::security::v2::Certificate::getKeyName
Name getKeyName() const
Get key name.
Definition: certificate.cpp:81
ndn::security::v2::KeyChain::digestAlgorithm
NDN_CXX_PUBLIC_WITH_TESTS_ELSE_PRIVATE DigestAlgorithm digestAlgorithm
Definition: key-chain.hpp:348
ndn::security::v2::KeyChain::createIdentity
Identity createIdentity(const Name &identityName, const KeyParams &params=getDefaultKeyParams())
Create an identity identityName.
Definition: key-chain.cpp:221
ndn::security::SigningInfo
Signing parameters passed to KeyChain.
Definition: signing-info.hpp:42
ndn::time::system_clock::now
static time_point now() noexcept
Definition: time.cpp:46
public-key.hpp
ndn::Data::getContent
const Block & getContent() const
Get Content.
Definition: data.cpp:232
ndn::security::v2::Certificate::getPublicKey
Buffer getPublicKey() const
Get public key bits (in PKCS#8 format)
Definition: certificate.cpp:105
pib-sqlite3.hpp
ndn::security::v2::KeyChain::importPrivateKey
void importPrivateKey(const Name &keyName, shared_ptr< transform::PrivateKey > key)
Import a private key into the TPM.
Definition: key-chain.cpp:433
ndn::security::transform::bufferSource
BufferSource bufferSource
Definition: buffer-source.hpp:73
ndn::Data::wireEncode
size_t wireEncode(EncodingImpl< TAG > &encoder, bool wantUnsignedPortionOnly=false) const
Prepend wire encoding to encoder in NDN Packet Format v0.2.
Definition: data.cpp:48
ndn::Data::getName
const Name & getName() const
Get name.
Definition: data.hpp:124
ndn::security::pib::Identity::getName
const Name & getName() const
Get the name of the identity.
Definition: identity.cpp:37
ndn::security::v2::KeyChain::setDefaultCertificate
void setDefaultCertificate(const Key &key, const Certificate &certificate)
Set cert as the default certificate of key.
Definition: key-chain.cpp:346
ndn::Block::value_end
Buffer::const_iterator value_end() const
Get end iterator of TLV-VALUE.
Definition: block.hpp:305
ndn::security::v2::extractIdentityFromKeyName
Name extractIdentityFromKeyName(const Name &keyName)
Extract identity namespace from the key name keyName.
Definition: key.cpp:160
NDN_THROW_NESTED
#define NDN_THROW_NESTED(e)
Definition: exception.hpp:71
ndn::security::tpm::BackEndFile
The back-end implementation of a file-based TPM.
Definition: back-end-file.hpp:43
ndn::security::v2::KeyChain::getDefaultSigningInfo
static const SigningInfo & getDefaultSigningInfo()
Definition: key-chain.cpp:149
ndn::KeyType::EC
@ EC
Elliptic Curve key (e.g. for ECDSA), supports sign/verify operations.
ndn::security::v2::KeyChain::setDefaultIdentity
void setDefaultIdentity(const Identity &identity)
Set identity as the default identity.
Definition: key-chain.cpp:259
ndn::DigestAlgorithm
DigestAlgorithm
Definition: security-common.hpp:96
ndn::tlv::SignatureValue
@ SignatureValue
Definition: tlv.hpp:81
ndn::tlv::SignatureSha256WithEcdsa
@ SignatureSha256WithEcdsa
Definition: tlv.hpp:132
ndn::Name
Represents an absolute name.
Definition: name.hpp:44
ns3::ndn::Name
Name
Definition: ndn-common.cpp:25
ndn::security::pib::Identity::removeKey
void removeKey(const Name &keyName) const
Remove a key with keyName.
Definition: identity.cpp:49
ndn::security::v2::Certificate
The certificate following the certificate format naming convention.
Definition: certificate.hpp:82
ndn::security::v2::KeyChain::importSafeBag
void importSafeBag(const SafeBag &safeBag, const char *pw, size_t pwLen)
Import a certificate and its corresponding private key from a SafeBag.
Definition: key-chain.cpp:372
ndn::tlv::DigestSha256
@ DigestSha256
Definition: tlv.hpp:130
ndn::security::v2::KeyChain::createHmacKey
Name createHmacKey(const Name &prefix=SigningInfo::getHmacIdentity(), const HmacKeyParams &params=HmacKeyParams())
Create a new HMAC key.
Definition: key-chain.cpp:285
ndn::Block::value_begin
Buffer::const_iterator value_begin() const
Get begin iterator of TLV-VALUE.
Definition: block.hpp:296
ndn::security::v2::KeyChain
The interface of signing key management.
Definition: key-chain.hpp:47
ndn::security::SigningInfo::SIGNER_TYPE_ID
@ SIGNER_TYPE_ID
Signer is an identity, use its default key and default certificate.
Definition: signing-info.hpp:54
ndn::Name::wireEncode
size_t wireEncode(EncodingImpl< TAG > &encoder) const
Fast encoding or block size estimation.
Definition: name.cpp:117
private-key.hpp
NDN_THROW
#define NDN_THROW(e)
Definition: exception.hpp:61
ndn::Name::append
Name & append(const Component &component)
Append a component.
Definition: name.hpp:277
ndn::security::pib::Pib::Error
represents a semantic error
Definition: pib.hpp:57
ndn::security::SafeBag::getEncryptedKeyBag
const Buffer & getEncryptedKeyBag() const
Get the private key in PKCS#8 from safe bag.
Definition: safe-bag.hpp:105
ndn::SignatureInfo
Represents a SignatureInfo TLV element.
Definition: signature-info.hpp:35
ndn::Signature
Holds SignatureInfo and SignatureValue in a Data packet.
Definition: signature.hpp:38
pib-memory.hpp
ndn::security::v2::KeyChain::getDefaultKeyParams
static const KeyParams & getDefaultKeyParams()
Definition: key-chain.cpp:156
ndn::KeyType::HMAC
@ HMAC
HMAC key, supports sign/verify operations.
ndn::security::SigningInfo::SIGNER_TYPE_KEY
@ SIGNER_TYPE_KEY
Signer is a key, use its default certificate.
Definition: signing-info.hpp:56
ndn::tlv::SignatureSha256WithRsa
@ SignatureSha256WithRsa
Definition: tlv.hpp:131
ndn::tlv::SignatureTypeValue
SignatureTypeValue
SignatureType values.
Definition: tlv.hpp:129
ndn::security::pib::Key::removeCertificate
void removeCertificate(const Name &certName) const
Remove a certificate with certName.
Definition: key.cpp:68
config-file.hpp
ndn::security::v2::extractKeyNameFromCertName
Name extractKeyNameFromCertName(const Name &certName)
Extract key name from the certificate name certName.
Definition: certificate.cpp:196
ndn::security::v2::extractIdentityFromCertName
Name extractIdentityFromCertName(const Name &certName)
Extract identity namespace from the certificate name certName.
Definition: certificate.cpp:185
ndn::Interest
Represents an Interest packet.
Definition: interest.hpp:44
ndn::Name::toUri
void toUri(std::ostream &os, name::UriFormat format=name::UriFormat::DEFAULT) const
Write URI representation of the name to the output stream.
Definition: name.cpp:348
ndn::util::Sha256::computeDigest
ConstBufferPtr computeDigest()
Finalize and return the digest based on all previously supplied inputs.
Definition: sha256.cpp:63
back-end-osx.hpp
logger.hpp
ndn::Data
Represents a Data packet.
Definition: data.hpp:36
ndn::Data::setSignature
Data & setSignature(const Signature &signature)
Set Signature.
Definition: data.cpp:272
ndn::SimplePublicKeyParams
SimplePublicKeyParams is a template for public keys with only one parameter: size.
Definition: key-params.hpp:150
ndn::security::v2::KeyChain::exportSafeBag
shared_ptr< SafeBag > exportSafeBag(const Certificate &certificate, const char *pw, size_t pwLen)
Export a certificate and its corresponding private key.
Definition: key-chain.cpp:355
ndn::security::pib::Identity::getKey
Key getKey(const Name &keyName) const
Get a key with id keyName.
Definition: identity.cpp:55
NDN_LOG_DEBUG
#define NDN_LOG_DEBUG(expression)
Definition: logger.hpp:99
ndn::security
Definition: dummy-keychain.cpp:28
ndn::Interest::setName
Interest & setName(const Name &name)
Set the Interest's name.
Definition: interest.cpp:375
ndn::tlv::SignatureHmacWithSha256
@ SignatureHmacWithSha256
Definition: tlv.hpp:133
ndn::Block
Represents a TLV element of NDN packet format.
Definition: block.hpp:43
ndn::security::pib::Key::getName
const Name & getName() const
Get key name.
Definition: key.cpp:38
key-chain.hpp
ndn::security::pib::Key
A frontend handle of a key instance.
Definition: key.hpp:50
ndn::security::SigningInfo::SIGNER_TYPE_CERT
@ SIGNER_TYPE_CERT
Signer is a certificate, use it directly.
Definition: signing-info.hpp:58
ndn::security::v2::parseLocatorUri
static std::tuple< std::string, std::string > parseLocatorUri(const std::string &uri)
Definition: key-chain.cpp:497
ndn::security::SigningInfo::SIGNER_TYPE_HMAC
@ SIGNER_TYPE_HMAC
Signer is a HMAC key.
Definition: signing-info.hpp:62
ndn::security::pib::Key::getIdentity
const Name & getIdentity() const
Get the name of the belonging identity.
Definition: key.cpp:44
ndn::security::pib::PibMemory
An in-memory implementation of Pib.
Definition: pib-memory.hpp:38
ndn::SignatureInfo::wireEncode
size_t wireEncode(EncodingImpl< TAG > &encoder) const
Fast encoding or block size estimation.
Definition: signature-info.cpp:61
ndn::security::pib::Identity
A frontend handle of an Identity.
Definition: identity.hpp:43
ndn::SimpleSymmetricKeyParams
SimpleSymmetricKeyParams is a template for symmetric keys with only one parameter: size.
Definition: key-params.hpp:257
ndn::Interest::getName
const Name & getName() const noexcept
Definition: interest.hpp:121
ndn::security::pib::Key::getPublicKey
const Buffer & getPublicKey() const
Get public key bits.
Definition: key.cpp:56
ndn::security::v2
Definition: command-authenticator.hpp:35
NDN_LOG_TRACE
#define NDN_LOG_TRACE(expression)
Definition: logger.hpp:98
buffer-stream.hpp
back-end-file.hpp
ndn::security::SigningInfo::getDigestAlgorithm
DigestAlgorithm getDigestAlgorithm() const
Definition: signing-info.hpp:219
ndn::security::transform::verifierFilter
unique_ptr< Transform > verifierFilter(DigestAlgorithm algo, const PublicKey &key, const uint8_t *sig, size_t sigLen)
Definition: verifier-filter.cpp:130
ndn::security::v2::KeyChain::KeyChain
KeyChain()
Constructor to create KeyChain with default PIB and TPM.
Definition: key-chain.cpp:164
ndn::security::transform::boolSink
unique_ptr< Sink > boolSink(bool &value)
Definition: bool-sink.cpp:51
ndn::security::SigningInfo::getDigestSha256Identity
static const Name & getDigestSha256Identity()
A localhost identity to indicate that the signature is generated using SHA-256.
Definition: signing-info.cpp:48
ndn::security::v2::KeyChain::addCertificate
void addCertificate(const Key &key, const Certificate &certificate)
Add a certificate certificate for key.
Definition: key-chain.cpp:320
ndn::Block::encode
void encode()
Encode sub-elements into TLV-VALUE.
Definition: block.cpp:353
ndn::security::v2::KeyChain::sign
void sign(Data &data, const SigningInfo &params=getDefaultSigningInfo())
Sign data according to the supplied signing information.
Definition: key-chain.cpp:450
ndn::security::v2::KeyChain::LocatorMismatchError
Error indicating that the supplied TPM locator does not match the locator stored in PIB.
Definition: key-chain.hpp:59
ndn::security::pib::PibSqlite3
Pib backend implementation based on SQLite3 database.
Definition: pib-sqlite3.hpp:40
ndn::security::pib::Identity::getKeys
const KeyContainer & getKeys() const
Get all keys for this identity.
Definition: identity.cpp:61
ndn::KeyType::RSA
@ RSA
RSA key, supports sign/verify and encrypt/decrypt operations.
ndn::ConstBufferPtr
shared_ptr< const Buffer > ConstBufferPtr
Definition: buffer.hpp:126
ndn::security::tpm::NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND
NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND(BackEndFile)
ndn::security::tpm::BackEndFile::getScheme
static const std::string & getScheme()
Definition: back-end-file.cpp:93
ndn
Copyright (c) 2011-2015 Regents of the University of California.
Definition: ndn-strategy-choice-helper.hpp:34
ndn::encoding::EncodingBuffer
EncodingImpl< EncoderTag > EncodingBuffer
Definition: encoding-buffer-fwd.hpp:38
ndn::security::pib::Identity::setDefaultKey
const Key & setDefaultKey(const Name &keyName) const
Set an existing key with keyName as the default key.
Definition: identity.cpp:67
ndn::security::SafeBag::getCertificate
const Data & getCertificate() const
Get the certificate data packet from safe bag.
Definition: safe-bag.hpp:96
ndn::tlv::SignatureInfo
@ SignatureInfo
Definition: tlv.hpp:80
back-end-mem.hpp
sha256.hpp
ndn::security::SigningInfo::SIGNER_TYPE_NULL
@ SIGNER_TYPE_NULL
No signer is specified, use default setting or follow the trust schema.
Definition: signing-info.hpp:52
ndn::security::SigningInfo::SIGNER_TYPE_SHA256
@ SIGNER_TYPE_SHA256
Use a SHA-256 digest only, no signer needs to be specified.
Definition: signing-info.hpp:60