The interface of signing key management. More...

#include <key-chain.hpp>

Inheritance diagram for ndn::security::v2::KeyChain:

Collaboration diagram for ndn::security::v2::KeyChain:

Classes
class	Error

class	InvalidSigningInfoError
	Error indicating that the supplied SigningInfo is invalid. More...

class	LocatorMismatchError
	Error indicating that the supplied TPM locator does not match the locator stored in PIB. More...

Public Member Functions
	KeyChain ()
	Constructor to create KeyChain with default PIB and TPM. More...

	KeyChain (const std::string &pibLocator, const std::string &tpmLocator, bool allowReset=false)
	KeyChain constructor. More...

	~KeyChain ()

const Pib &	getPib () const noexcept

const Tpm &	getTpm () const noexcept

Identity	createIdentity (const Name &identityName, const KeyParams &params=getDefaultKeyParams())
	Create an identity `identityName`. More...

void	deleteIdentity (const Identity &identity)
	delete `identity`. More...

void	setDefaultIdentity (const Identity &identity)
	Set `identity` as the default identity. More...

Key	createKey (const Identity &identity, const KeyParams &params=getDefaultKeyParams())
	Create a new key for `identity`. More...

Name	createHmacKey (const Name &prefix=SigningInfo::getHmacIdentity(), const HmacKeyParams &params=HmacKeyParams())
	Create a new HMAC key. More...

void	deleteKey (const Identity &identity, const Key &key)
	Delete a key `key` of `identity`. More...

void	setDefaultKey (const Identity &identity, const Key &key)
	Set `key` as the default key of `identity`. More...

void	addCertificate (const Key &key, const Certificate &certificate)
	Add a certificate `certificate` for `key`. More...

void	deleteCertificate (const Key &key, const Name &certificateName)
	delete a certificate with name `certificateName` of `key`. More...

void	setDefaultCertificate (const Key &key, const Certificate &certificate)
	Set `cert` as the default certificate of `key`. More...

void	sign (Data &data, const SigningInfo &params=SigningInfo())
	Sign a Data packet according to the supplied signing information. More...

void	sign (Interest &interest, const SigningInfo &params=SigningInfo())
	Sign an Interest according to the supplied signing information. More...

Certificate	makeCertificate (const pib::Key &publicKey, const SigningInfo &params=SigningInfo(), const MakeCertificateOptions &opts={})
	Create and sign a certificate packet. More...

Certificate	makeCertificate (const Certificate &certRequest, const SigningInfo &params=SigningInfo(), const MakeCertificateOptions &opts={})
	Create and sign a certificate packet. More...

shared_ptr< SafeBag >	exportSafeBag (const Certificate &certificate, const char *pw, size_t pwLen)
	Export a certificate and its corresponding private key. More...

void	importSafeBag (const SafeBag &safeBag, const char *pw, size_t pwLen)
	Import a certificate and its corresponding private key from a SafeBag. More...

void	importPrivateKey (const Name &keyName, shared_ptr< transform::PrivateKey > key)
	Import a private key into the TPM. More...

Static Public Member Functions
static const KeyParams &	getDefaultKeyParams ()

template<class PibBackendType >
static void	registerPibBackend (const std::string &scheme)
	Register a new PIB backend. More...

template<class TpmBackendType >
static void	registerTpmBackend (const std::string &scheme)
	Register a new TPM backend. More...

Detailed Description

The interface of signing key management.

The KeyChain class provides an interface to manage entities related to packet signing, such as Identity, Key, and Certificates. It consists of two parts: a private key module (TPM) and a public key information base (PIB). Managing signing key and its related entities through KeyChain interface guarantees the consistency between TPM and PIB.

Definition at line 86 of file key-chain.hpp.

Constructor & Destructor Documentation

◆ KeyChain() [1/2]

ndn::security::v2::KeyChain::KeyChain ( )

Constructor to create KeyChain with default PIB and TPM.

Default PIB and TPM are platform-dependent and can be overriden system-wide or individually for the user.

See also: manpage ndn-client.conf

Todo:: Add detailed description about config file behavior here

Definition at line 157 of file key-chain.cpp.

◆ KeyChain() [2/2]

ndn::security::v2::KeyChain::KeyChain	(	const std::string &	pibLocator,
		const std::string &	tpmLocator,
		bool	allowReset = `false`
	)

KeyChain constructor.

See also: manpage ndn-client.conf

Parameters

pibLocator	PIB locator, e.g., `pib-sqlite3:/example/dir`
tpmLocator	TPM locator, e.g., `tpm-memory:`
allowReset	if true, the PIB will be reset when the supplied `tpmLocator` does not match the one in the PIB

Definition at line 162 of file key-chain.cpp.

References NDN_THROW, and ~KeyChain().

◆ ~KeyChain()

ndn::security::v2::KeyChain::~KeyChain ( )

default

Referenced by KeyChain().

Member Function Documentation

◆ getPib()

const Pib& ndn::security::v2::KeyChain::getPib ( ) const

inlinenoexcept

Definition at line 140 of file key-chain.hpp.

◆ getTpm()

const Tpm& ndn::security::v2::KeyChain::getTpm ( ) const

inlinenoexcept

Definition at line 146 of file key-chain.hpp.

References ndn::security::SigningInfo::getHmacIdentity().

◆ getDefaultKeyParams()

const KeyParams & ndn::security::v2::KeyChain::getDefaultKeyParams ( )

static

Definition at line 149 of file key-chain.cpp.

◆ createIdentity()

Identity ndn::security::v2::KeyChain::createIdentity	(	const Name &	identityName,
		const KeyParams &	params = `getDefaultKeyParams()`
	)

Create an identity identityName.

This method will check if the identity exists in PIB and whether the identity has a default key and default certificate. If the identity does not exist, this method will create the identity in PIB. If the identity's default key does not exist, this method will create a key pair and set it as the identity's default key. If the key's default certificate is missing, this method will create a self-signed certificate for the key.

If identityName did not exist and no default identity was selected before, the created identity will be set as the default identity

Parameters

identityName	The name of the identity.
params	The key parameters if a key needs to be created for the identity (default: EC key with random key id)

Returns: The created Identity instance.

Definition at line 214 of file key-chain.cpp.

References createKey(), ndn::security::pib::Key::getDefaultCertificate(), ndn::security::pib::Key::getName(), and NDN_LOG_DEBUG.

◆ deleteIdentity()

void ndn::security::v2::KeyChain::deleteIdentity ( const Identity & identity )

delete identity.

Precondition: identity must be valid.

Postcondition: identity becomes invalid.

Definition at line 238 of file key-chain.cpp.

References ndn::security::pib::Identity::getKeys(), and ndn::security::pib::Identity::getName().

◆ setDefaultIdentity()

void ndn::security::v2::KeyChain::setDefaultIdentity ( const Identity & identity )

Set identity as the default identity.

Precondition: identity must be valid.

Definition at line 252 of file key-chain.cpp.

References ndn::security::pib::Identity::getName().

◆ createKey()

Key ndn::security::v2::KeyChain::createKey	(	const Identity &	identity,
		const KeyParams &	params = `getDefaultKeyParams()`
	)

Create a new key for identity.

Parameters

identity	Reference to a valid Identity object
params	Key creation parameters (default: EC key with random key id)

Precondition: identity must be valid.

If identity had no default key selected, the created key will be set as the default for this identity.

This method will also create a self-signed certificate for the created key.

Definition at line 260 of file key-chain.cpp.

References ndn::security::pib::Identity::getName(), ndn::security::pib::Key::getName(), and NDN_LOG_DEBUG.

Referenced by createIdentity().

◆ createHmacKey()

Name ndn::security::v2::KeyChain::createHmacKey	(	const Name &	prefix = `SigningInfo::getHmacIdentity()`,
		const HmacKeyParams &	params = `HmacKeyParams()`
	)

Create a new HMAC key.

Parameters

prefix	Prefix used to construct the key name (default: `/localhost/identity/hmac`); the full key name will include additional components according to `params`
params	Key creation parameters

Returns: A name that can be subsequently used to reference the created key.

The newly created key will be inserted in the TPM. HMAC keys don't have any PIB entries.

Definition at line 277 of file key-chain.cpp.

◆ deleteKey()

void ndn::security::v2::KeyChain::deleteKey	(	const Identity &	identity,
		const Key &	key
	)

Delete a key key of identity.

Precondition: identity must be valid.; key must be valid.

Postcondition: key becomes invalid.

Exceptions

std::invalid_argument key does not belong to identity

Definition at line 283 of file key-chain.cpp.

References ndn::security::pib::Key::getIdentity(), ndn::security::pib::Identity::getName(), ndn::security::pib::Key::getName(), NDN_THROW, ndn::security::pib::Identity::removeKey(), and ndn::Name::toUri().

◆ setDefaultKey()

void ndn::security::v2::KeyChain::setDefaultKey	(	const Identity &	identity,
		const Key &	key
	)

Set key as the default key of identity.

Precondition: identity must be valid.; key must be valid.

Exceptions

std::invalid_argument key does not belong to identity

Definition at line 299 of file key-chain.cpp.

References ndn::security::pib::Key::getIdentity(), ndn::security::pib::Identity::getName(), ndn::security::pib::Key::getName(), NDN_THROW, ndn::security::pib::Identity::setDefaultKey(), and ndn::Name::toUri().

◆ addCertificate()

void ndn::security::v2::KeyChain::addCertificate	(	const Key &	key,
		const Certificate &	certificate
	)

Add a certificate certificate for key.

If key had no default certificate selected, the added certificate will be set as the default certificate for this key.

Note: This method overwrites certificate with the same name, without considering the implicit digest.

Precondition: key must be valid.

Exceptions

std::invalid_argument key does not match certificate

Definition at line 312 of file key-chain.cpp.

References ndn::Data::getContent(), ndn::security::v2::Certificate::getKeyName(), ndn::security::pib::Key::getName(), ndn::Data::getName(), ndn::security::pib::Key::getPublicKey(), NDN_THROW, and ndn::Name::toUri().

Referenced by setDefaultCertificate().

◆ deleteCertificate()

void ndn::security::v2::KeyChain::deleteCertificate	(	const Key &	key,
		const Name &	certificateName
	)

delete a certificate with name certificateName of key.

If the certificate certificateName does not exist, this method has no effect.

Precondition: key must be valid.

Exceptions

std::invalid_argument certificateName does not follow certificate naming convention.

Definition at line 331 of file key-chain.cpp.

References ndn::security::v2::Certificate::isValidName(), NDN_THROW, ndn::security::pib::Key::removeCertificate(), and ndn::Name::toUri().

◆ setDefaultCertificate()

void ndn::security::v2::KeyChain::setDefaultCertificate	(	const Key &	key,
		const Certificate &	certificate
	)

Set cert as the default certificate of key.

The certificate cert will be added to the key, potentially overriding existing certificate if it has the same name (without considering implicit digest).

Precondition: key must be valid.

Exceptions

std::invalid_argument key does not match certificate

Definition at line 343 of file key-chain.cpp.

References addCertificate(), ndn::Data::getName(), and ndn::security::pib::Key::setDefaultCertificate().

◆ sign() [1/2]

void ndn::security::v2::KeyChain::sign	(	Data &	data,
		const SigningInfo &	params = `SigningInfo()`
	)

Sign a Data packet according to the supplied signing information.

This method uses the supplied signing information in params to sign data as follows:

It selects a private key and its associated certificate to sign the packet.
It generates a KeyLocator based upon the certificate name.
Using the SignatureInfo in params as a base, it generates the final SignatureInfo block for data.
It adds the generated SignatureInfo block to data.
It generates a signature for data and adds it as the SignatureValue block of data.

Parameters

data	The data to sign
params	The signing parameters

Exceptions

Error	Signing failed
InvalidSigningInfoError	Invalid `params` was specified or the specified identity, key, or certificate does not exist

See also: SigningInfo; SignatureInfo

Definition at line 444 of file key-chain.cpp.

References ndn::security::SigningInfo::getDigestAlgorithm(), ndn::Data::setSignatureInfo(), and ndn::Data::wireEncode().

Referenced by ndn::security::v2::parseLocatorUri(), and sign().

◆ sign() [2/2]

void ndn::security::v2::KeyChain::sign	(	Interest &	interest,
		const SigningInfo &	params = `SigningInfo()`
	)

Sign an Interest according to the supplied signing information.

This method uses the supplied signing information in params to sign interest as follows:

It selects a private key and its associated certificate to sign the packet.
It generates a KeyLocator based upon the certificate name.
Using the SignatureInfo in params as a base, it generates the final SignatureInfo block for interest.
It adds the generated SignatureInfo element to interest. If Packet Specification v0.3 formatting is desired, this block will be appended to interest as a separate InterestSignatureInfo element. Otherwise, it will be appended to the end of the name of interest as a SignatureInfo block.
It generates a signature for interest. If Packet Specification v0.3 formatting is desired, this block will be added to interest as a separate InterestSignatureValue element. Otherwise, it will be appended to the end of the name of interest as a SignatureValue block.

Parameters

interest	The interest to sign
params	The signing parameters

Exceptions

Error	Signing failed
InvalidSigningInfoError	Invalid `params` was specified or the specified identity, key, or certificate does not exist

See also: SigningInfo; SignatureInfo; https://named-data.net/doc/NDN-packet-spec/0.3/signed-interest.html

Definition at line 460 of file key-chain.cpp.

References ndn::Name::append(), ndn::SignatureInfo::Data, ndn::Block::encode(), ndn::Interest::extractSignedRanges(), ndn::security::SigningInfo::getDigestAlgorithm(), ndn::Interest::getName(), ndn::security::SigningInfo::getSignedInterestFormat(), nonstd::optional_lite::std11::move(), ndn::Interest::setName(), ndn::Interest::setSignatureInfo(), ndn::Interest::setSignatureValue(), sign(), ndn::tlv::SignatureValue, ndn::security::V03, ndn::SignatureInfo::wireEncode(), and ndn::Name::wireEncode().

◆ makeCertificate() [1/2]

Certificate ndn::security::v2::KeyChain::makeCertificate	(	const pib::Key &	publicKey,
		const SigningInfo &	params = `SigningInfo()`,
		const MakeCertificateOptions &	opts = `{}`
	)

Create and sign a certificate packet.

Parameters

publicKey	Public key being certified. It does not need to exist in this KeyChain.
params	Signing parameters. The referenced key must exist in this KeyChain. It may contain SignatureInfo for customizing KeyLocator and CustomTlv (including AdditionalDescription), but ValidityPeriod will be overwritten.
opts	Optional arguments.

Returns: A certificate of publicKey signed by a key from this KeyChain found by params .

Exceptions

std::invalid_argument	`opts.freshnessPeriod` is not positive.
Error	Certificate signing failure.

Definition at line 490 of file key-chain.cpp.

References ndn::security::pib::Key::getName(), and ndn::security::pib::Key::getPublicKey().

Referenced by makeCertificate(), and ndn::security::v2::parseLocatorUri().

◆ makeCertificate() [2/2]

Certificate ndn::security::v2::KeyChain::makeCertificate	(	const Certificate &	certRequest,
		const SigningInfo &	params = `SigningInfo()`,
		const MakeCertificateOptions &	opts = `{}`
	)

Create and sign a certificate packet.

Parameters

certRequest	Certificate request enclosing the public key being certified. It does not need to exist in this KeyChain.
params	Signing parameters. The referenced key must exist in this KeyChain. It may contain SignatureInfo for customizing KeyLocator and CustomTlv (including AdditionalDescription), but ValidityPeriod will be overwritten.
opts	Optional arguments.

Returns: A certificate of the public key enclosed in certRequest signed by a key from this KeyChain found by params .

Exceptions

std::invalid_argument	`opts.freshnessPeriod` is not positive.
std::invalid_argument	`certRequest` contains invalid public key.
Error	Certificate signing failure.

Definition at line 497 of file key-chain.cpp.

References ndn::security::v2::extractKeyNameFromCertName(), ndn::Data::getContent(), ndn::Data::getName(), ndn::security::transform::PublicKey::loadPkcs8(), makeCertificate(), NDN_THROW_NESTED, and ndn::Block::value_bytes().

◆ exportSafeBag()

shared_ptr< SafeBag > ndn::security::v2::KeyChain::exportSafeBag	(	const Certificate &	certificate,
		const char *	pw,
		size_t	pwLen
	)

Export a certificate and its corresponding private key.

Parameters

certificate	The certificate to export.
pw	The password to secure the private key.
pwLen	The length of password.

Returns: A SafeBag carrying the certificate and encrypted private key.

Exceptions

Error the certificate or private key does not exist

Definition at line 352 of file key-chain.cpp.

References ndn::security::v2::Certificate::getIdentity(), ndn::security::v2::Certificate::getKeyName(), NDN_THROW_NESTED, and ndn::Name::toUri().

◆ importSafeBag()

void ndn::security::v2::KeyChain::importSafeBag	(	const SafeBag &	safeBag,
		const char *	pw,
		size_t	pwLen
	)

Import a certificate and its corresponding private key from a SafeBag.

If the certificate and key are imported properly, the default setting will be updated as if a new key and certificate is added into KeyChain.

Parameters

safeBag	The encoded data to import.
pw	The password to secure the private key.
pwLen	The length of password.

Exceptions

Error

any of following conditions:

the safebag cannot be decoded or its content does not match;
private key cannot be imported;
a private/public key of the same name already exists;
a certificate of the same name already exists.

Definition at line 369 of file key-chain.cpp.

References ndn::security::transform::boolSink(), ndn::security::SafeBag::getCertificate(), ndn::security::SafeBag::getEncryptedKey(), ndn::security::v2::Certificate::getIdentity(), ndn::security::pib::Identity::getKey(), ndn::security::v2::Certificate::getKeyName(), ndn::Data::getName(), ndn::security::v2::Certificate::getPublicKey(), nonstd::optional_lite::std11::move(), NDN_THROW, NDN_THROW_NESTED, ndn::SHA256, ndn::Name::toUri(), and ndn::security::transform::verifierFilter().

◆ importPrivateKey()

void ndn::security::v2::KeyChain::importPrivateKey	(	const Name &	keyName,
		shared_ptr< transform::PrivateKey >	key
	)

Import a private key into the TPM.

Definition at line 427 of file key-chain.cpp.

References nonstd::optional_lite::std11::move(), NDN_THROW, NDN_THROW_NESTED, and ndn::Name::toUri().

◆ registerPibBackend()

template<class PibBackendType >

static void ndn::security::v2::KeyChain::registerPibBackend ( const std::string & scheme )

inlinestatic

Register a new PIB backend.

Parameters

scheme Name for the registered PIB backend scheme

Note: This interface is implementation detail and may change without notice.

Definition at line 412 of file key-chain.hpp.

◆ registerTpmBackend()

template<class TpmBackendType >

static void ndn::security::v2::KeyChain::registerTpmBackend ( const std::string & scheme )

inlinestatic

Register a new TPM backend.

Parameters

scheme Name for the registered TPM backend scheme

Note: This interface is implementation detail and may change without notice.

Definition at line 427 of file key-chain.hpp.

References bufs, NDN_CXX_PUBLIC_WITH_TESTS_ELSE_PRIVATE, and nonstd::optional_lite::nullopt.

The documentation for this class was generated from the following files:

ndnSIM/ndn-cxx/ndn-cxx/security/key-chain.hpp
ndnSIM/ndn-cxx/ndn-cxx/security/key-chain.cpp

Classes

Public Member Functions

Static Public Member Functions

Detailed Description

Constructor & Destructor Documentation

◆ KeyChain() [1/2]

◆ KeyChain() [2/2]

◆ ~KeyChain()

Member Function Documentation

◆ getPib()

◆ getTpm()

◆ getDefaultKeyParams()

◆ createIdentity()

◆ deleteIdentity()

◆ setDefaultIdentity()

◆ createKey()

◆ createHmacKey()

◆ deleteKey()

◆ setDefaultKey()

◆ addCertificate()

◆ deleteCertificate()

◆ setDefaultCertificate()

◆ sign() [1/2]

◆ sign() [2/2]

◆ makeCertificate() [1/2]

◆ makeCertificate() [2/2]

◆ exportSafeBag()

◆ importSafeBag()

◆ importPrivateKey()

◆ registerPibBackend()

◆ registerTpmBackend()