key-chain.cpp
Go to the documentation of this file.
1 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
2 /*
3  * Copyright (c) 2013-2019 Regents of the University of California.
4  *
5  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
6  *
7  * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8  * terms of the GNU Lesser General Public License as published by the Free Software
9  * Foundation, either version 3 of the License, or (at your option) any later version.
10  *
11  * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12  * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13  * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14  *
15  * You should have received copies of the GNU General Public License and GNU Lesser
16  * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17  * <http://www.gnu.org/licenses/>.
18  *
19  * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
20  */
21 
22 #include "ndn-cxx/security/v2/key-chain.hpp"
23 
24 #include "ndn-cxx/encoding/buffer-stream.hpp"
25 #include "ndn-cxx/util/config-file.hpp"
26 #include "ndn-cxx/util/logger.hpp"
27 #include "ndn-cxx/util/sha256.hpp"
28 
29 #include "ndn-cxx/security/pib/pib-memory.hpp"
30 #include "ndn-cxx/security/pib/pib-sqlite3.hpp"
31 
32 #include "ndn-cxx/security/tpm/back-end-file.hpp"
33 #include "ndn-cxx/security/tpm/back-end-mem.hpp"
34 #ifdef NDN_CXX_HAVE_OSX_FRAMEWORKS
35 #include "ndn-cxx/security/tpm/back-end-osx.hpp"
36 #endif // NDN_CXX_HAVE_OSX_FRAMEWORKS
37 
38 #include "ndn-cxx/security/transform/bool-sink.hpp"
39 #include "ndn-cxx/security/transform/buffer-source.hpp"
40 #include "ndn-cxx/security/transform/private-key.hpp"
41 #include "ndn-cxx/security/transform/public-key.hpp"
42 #include "ndn-cxx/security/transform/verifier-filter.hpp"
43 
44 #include <boost/lexical_cast.hpp>
45 
46 namespace ndn {
47 namespace security {
48 
49 // When static library is used, not everything is compiled into the resulting binary.
50 // Therefore, the following standard PIB and TPMs need to be registered here.
51 // http://stackoverflow.com/q/9459980/2150331
52 
53 namespace pib {
54 NDN_CXX_V2_KEYCHAIN_REGISTER_PIB_BACKEND(PibSqlite3);
55 NDN_CXX_V2_KEYCHAIN_REGISTER_PIB_BACKEND(PibMemory);
56 } // namespace pib
57 
58 namespace tpm {
59 #if defined(NDN_CXX_HAVE_OSX_FRAMEWORKS) && defined(NDN_CXX_WITH_OSX_KEYCHAIN)
60 NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND(BackEndOsx);
61 #endif // defined(NDN_CXX_HAVE_OSX_FRAMEWORKS) && defined(NDN_CXX_WITH_OSX_KEYCHAIN)
62 
63 NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND(BackEndFile);
64 NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND(BackEndMem);
65 } // namespace tpm
66 
67 namespace v2 {
68 
69 NDN_LOG_INIT(ndn.security.v2.KeyChain);
70 
71 std::string KeyChain::s_defaultPibLocator;
72 std::string KeyChain::s_defaultTpmLocator;
73 
74 KeyChain::PibFactories&
75 KeyChain::getPibFactories()
76 {
77  static PibFactories pibFactories;
78  return pibFactories;
79 }
80 
81 KeyChain::TpmFactories&
82 KeyChain::getTpmFactories()
83 {
84  static TpmFactories tpmFactories;
85  return tpmFactories;
86 }
87 
88 const std::string&
89 KeyChain::getDefaultPibScheme()
90 {
91  return pib::PibSqlite3::getScheme();
92 }
93 
94 const std::string&
95 KeyChain::getDefaultTpmScheme()
96 {
97 #if defined(NDN_CXX_HAVE_OSX_FRAMEWORKS) && defined(NDN_CXX_WITH_OSX_KEYCHAIN)
98  return tpm::BackEndOsx::getScheme();
99 #else
100  return tpm::BackEndFile::getScheme();
101 #endif // defined(NDN_CXX_HAVE_OSX_FRAMEWORKS) && defined(NDN_CXX_WITH_OSX_KEYCHAIN)
102 }
103 
104 const std::string&
105 KeyChain::getDefaultPibLocator()
106 {
107  if (!s_defaultPibLocator.empty())
108  return s_defaultPibLocator;
109 
110  if (getenv("NDN_CLIENT_PIB") != nullptr) {
111  s_defaultPibLocator = getenv("NDN_CLIENT_PIB");
112  }
113  else {
114  ConfigFile config;
115  s_defaultPibLocator = config.getParsedConfiguration().get<std::string>("pib", getDefaultPibScheme() + ":");
116  }
117 
118  std::string pibScheme, pibLocation;
119  std::tie(pibScheme, pibLocation) = parseAndCheckPibLocator(s_defaultPibLocator);
120  s_defaultPibLocator = pibScheme + ":" + pibLocation;
121 
122  return s_defaultPibLocator;
123 }
124 
125 const std::string&
126 KeyChain::getDefaultTpmLocator()
127 {
128  if (!s_defaultTpmLocator.empty())
129  return s_defaultTpmLocator;
130 
131  if (getenv("NDN_CLIENT_TPM") != nullptr) {
132  s_defaultTpmLocator = getenv("NDN_CLIENT_TPM");
133  }
134  else {
135  ConfigFile config;
136  s_defaultTpmLocator = config.getParsedConfiguration().get<std::string>("tpm", getDefaultTpmScheme() + ":");
137  }
138 
139  std::string tpmScheme, tpmLocation;
140  std::tie(tpmScheme, tpmLocation) = parseAndCheckTpmLocator(s_defaultTpmLocator);
141  s_defaultTpmLocator = tpmScheme + ":" + tpmLocation;
142 
143  return s_defaultTpmLocator;
144 }
145 
146 
147 // Other defaults
148 
149 const SigningInfo&
150 KeyChain::getDefaultSigningInfo()
151 {
152  static SigningInfo signingInfo;
153  return signingInfo;
154 }
155 
156 const KeyParams&
157 KeyChain::getDefaultKeyParams()
158 {
159  static EcKeyParams keyParams;
160  return keyParams;
161 }
162 
163 //
164 
165 KeyChain::KeyChain()
166  : KeyChain(getDefaultPibLocator(), getDefaultTpmLocator(), true)
167 {
168 }
169 
170 KeyChain::KeyChain(const std::string& pibLocator, const std::string& tpmLocator, bool allowReset)
171 {
172  // PIB Locator
173  std::string pibScheme, pibLocation;
174  std::tie(pibScheme, pibLocation) = parseAndCheckPibLocator(pibLocator);
175  std::string canonicalPibLocator = pibScheme + ":" + pibLocation;
176 
177  // Create PIB
178  m_pib = createPib(canonicalPibLocator);
179  std::string oldTpmLocator;
180  try {
181  oldTpmLocator = m_pib->getTpmLocator();
182  }
183  catch (const Pib::Error&) {
184  // TPM locator is not set in PIB yet.
185  }
186 
187  // TPM Locator
188  std::string tpmScheme, tpmLocation;
189  std::tie(tpmScheme, tpmLocation) = parseAndCheckTpmLocator(tpmLocator);
190  std::string canonicalTpmLocator = tpmScheme + ":" + tpmLocation;
191 
192  if (canonicalPibLocator == getDefaultPibLocator()) {
193  // Default PIB must use default TPM
194  if (!oldTpmLocator.empty() && oldTpmLocator != getDefaultTpmLocator()) {
195  m_pib->reset();
196  canonicalTpmLocator = getDefaultTpmLocator();
197  }
198  }
199  else {
200  // non-default PIB check consistency
201  if (!oldTpmLocator.empty() && oldTpmLocator != canonicalTpmLocator) {
202  if (allowReset)
203  m_pib->reset();
204  else
205  NDN_THROW(LocatorMismatchError("TPM locator supplied does not match TPM locator in PIB: " +
206  oldTpmLocator + " != " + canonicalTpmLocator));
207  }
208  }
209 
210  // note that key mismatch may still happen if the TPM locator is initially set to a
211  // wrong one or if the PIB was shared by more than one TPMs before. This is due to the
212  // old PIB does not have TPM info, new pib should not have this problem.
213  m_tpm = createTpm(canonicalTpmLocator);
214  m_pib->setTpmLocator(canonicalTpmLocator);
215 }
216 
217 KeyChain::~KeyChain() = default;
218 
219 // public: management
220 
221 Identity
222 KeyChain::createIdentity(const Name& identityName, const KeyParams& params)
223 {
224  Identity id = m_pib->addIdentity(identityName);
225 
226  Key key;
227  try {
228  key = id.getDefaultKey();
229  }
230  catch (const Pib::Error&) {
231  key = createKey(id, params);
232  }
233 
234  try {
235  key.getDefaultCertificate();
236  }
237  catch (const Pib::Error&) {
238  NDN_LOG_DEBUG("No default cert for " << key.getName() << ", requesting self-signing");
239  selfSign(key);
240  }
241 
242  return id;
243 }
244 
245 void
246 KeyChain::deleteIdentity(const Identity& identity)
247 {
248  BOOST_ASSERT(static_cast<bool>(identity));
249 
250  Name identityName = identity.getName();
251 
252  for (const auto& key : identity.getKeys()) {
253  m_tpm->deleteKey(key.getName());
254  }
255 
256  m_pib->removeIdentity(identityName);
257 }
258 
259 void
260 KeyChain::setDefaultIdentity(const Identity& identity)
261 {
262  BOOST_ASSERT(static_cast<bool>(identity));
263 
264  m_pib->setDefaultIdentity(identity.getName());
265 }
266 
267 Key
268 KeyChain::createKey(const Identity& identity, const KeyParams& params)
269 {
270  BOOST_ASSERT(static_cast<bool>(identity));
271 
272  // create key in TPM
273  Name keyName = m_tpm->createKey(identity.getName(), params);
274 
275  // set up key info in PIB
276  ConstBufferPtr pubKey = m_tpm->getPublicKey(keyName);
277  Key key = identity.addKey(pubKey->data(), pubKey->size(), keyName);
278 
279  NDN_LOG_DEBUG("Requesting self-signing for newly created key " << key.getName());
280  selfSign(key);
281 
282  return key;
283 }
284 
285 void
286 KeyChain::deleteKey(const Identity& identity, const Key& key)
287 {
288  BOOST_ASSERT(static_cast<bool>(identity));
289  BOOST_ASSERT(static_cast<bool>(key));
290 
291  Name keyName = key.getName();
292  if (identity.getName() != key.getIdentity()) {
293  NDN_THROW(std::invalid_argument("Identity `" + identity.getName().toUri() + "` "
294  "does not match key `" + keyName.toUri() + "`"));
295  }
296 
297  identity.removeKey(keyName);
298  m_tpm->deleteKey(keyName);
299 }
300 
301 void
302 KeyChain::setDefaultKey(const Identity& identity, const Key& key)
303 {
304  BOOST_ASSERT(static_cast<bool>(identity));
305  BOOST_ASSERT(static_cast<bool>(key));
306 
307  if (identity.getName() != key.getIdentity())
308  NDN_THROW(std::invalid_argument("Identity `" + identity.getName().toUri() + "` "
309  "does not match key `" + key.getName().toUri() + "`"));
310 
311  identity.setDefaultKey(key.getName());
312 }
313 
314 void
315 KeyChain::addCertificate(const Key& key, const Certificate& certificate)
316 {
317  BOOST_ASSERT(static_cast<bool>(key));
318 
319  if (key.getName() != certificate.getKeyName() ||
320  !std::equal(certificate.getContent().value_begin(), certificate.getContent().value_end(),
321  key.getPublicKey().begin()))
322  NDN_THROW(std::invalid_argument("Key `" + key.getName().toUri() + "` "
323  "does not match certificate `" + certificate.getName().toUri() + "`"));
324 
325  key.addCertificate(certificate);
326 }
327 
328 void
329 KeyChain::deleteCertificate(const Key& key, const Name& certificateName)
330 {
331  BOOST_ASSERT(static_cast<bool>(key));
332 
333  if (!Certificate::isValidName(certificateName)) {
334  NDN_THROW(std::invalid_argument("Wrong certificate name `" + certificateName.toUri() + "`"));
335  }
336 
337  key.removeCertificate(certificateName);
338 }
339 
340 void
341 KeyChain::setDefaultCertificate(const Key& key, const Certificate& cert)
342 {
343  BOOST_ASSERT(static_cast<bool>(key));
344 
345  addCertificate(key, cert);
346  key.setDefaultCertificate(cert.getName());
347 }
348 
349 shared_ptr<SafeBag>
350 KeyChain::exportSafeBag(const Certificate& certificate, const char* pw, size_t pwLen)
351 {
352  Name identity = certificate.getIdentity();
353  Name keyName = certificate.getKeyName();
354 
355  ConstBufferPtr encryptedKey;
356  try {
357  encryptedKey = m_tpm->exportPrivateKey(keyName, pw, pwLen);
358  }
359  catch (const tpm::BackEnd::Error&) {
360  NDN_THROW_NESTED(Error("Failed to export private key `" + keyName.toUri() + "`"));
361  }
362 
363  return make_shared<SafeBag>(certificate, *encryptedKey);
364 }
365 
366 void
367 KeyChain::importSafeBag(const SafeBag& safeBag, const char* pw, size_t pwLen)
368 {
369  Data certData = safeBag.getCertificate();
370  Certificate cert(std::move(certData));
371  Name identity = cert.getIdentity();
372  Name keyName = cert.getKeyName();
373  const Buffer publicKeyBits = cert.getPublicKey();
374 
375  if (m_tpm->hasKey(keyName)) {
376  NDN_THROW(Error("Private key `" + keyName.toUri() + "` already exists"));
377  }
378 
379  try {
380  Identity existingId = m_pib->getIdentity(identity);
381  existingId.getKey(keyName);
382  NDN_THROW(Error("Public key `" + keyName.toUri() + "` already exists"));
383  }
384  catch (const Pib::Error&) {
385  // Either identity or key doesn't exist. OK to import.
386  }
387 
388  try {
389  m_tpm->importPrivateKey(keyName,
390  safeBag.getEncryptedKeyBag().data(), safeBag.getEncryptedKeyBag().size(),
391  pw, pwLen);
392  }
393  catch (const tpm::BackEnd::Error&) {
394  NDN_THROW_NESTED(Error("Failed to import private key `" + keyName.toUri() + "`"));
395  }
396 
397  // check the consistency of private key and certificate
398  const uint8_t content[] = {0x01, 0x02, 0x03, 0x04};
399  ConstBufferPtr sigBits;
400  try {
401  sigBits = m_tpm->sign(content, 4, keyName, DigestAlgorithm::SHA256);
402  }
403  catch (const std::runtime_error&) {
404  m_tpm->deleteKey(keyName);
405  NDN_THROW(Error("Invalid private key `" + keyName.toUri() + "`"));
406  }
407  bool isVerified = false;
408  {
409  using namespace transform;
410  PublicKey publicKey;
411  publicKey.loadPkcs8(publicKeyBits.data(), publicKeyBits.size());
412  bufferSource(content, sizeof(content)) >> verifierFilter(DigestAlgorithm::SHA256, publicKey,
413  sigBits->data(), sigBits->size())
414  >> boolSink(isVerified);
415  }
416  if (!isVerified) {
417  m_tpm->deleteKey(keyName);
418  NDN_THROW(Error("Certificate `" + cert.getName().toUri() + "` "
419  "and private key `" + keyName.toUri() + "` do not match"));
420  }
421 
422  Identity id = m_pib->addIdentity(identity);
423  Key key = id.addKey(cert.getPublicKey().data(), cert.getPublicKey().size(), keyName);
424  key.addCertificate(cert);
425 }
426 
427 // public: signing
428 
429 void
430 KeyChain::sign(Data& data, const SigningInfo& params)
431 {
432  Name keyName;
433  SignatureInfo sigInfo;
434  std::tie(keyName, sigInfo) = prepareSignatureInfo(params);
435 
436  data.setSignature(Signature(sigInfo));
437 
438  EncodingBuffer encoder;
439  data.wireEncode(encoder, true);
440 
441  Block sigValue = sign(encoder.buf(), encoder.size(), keyName, params.getDigestAlgorithm());
442 
443  data.wireEncode(encoder, sigValue);
444 }
445 
446 void
447 KeyChain::sign(Interest& interest, const SigningInfo& params)
448 {
449  Name keyName;
450  SignatureInfo sigInfo;
451  std::tie(keyName, sigInfo) = prepareSignatureInfo(params);
452 
453  Name signedName = interest.getName();
454  signedName.append(sigInfo.wireEncode()); // signatureInfo
455 
456  Block sigValue = sign(signedName.wireEncode().value(), signedName.wireEncode().value_size(),
457  keyName, params.getDigestAlgorithm());
458 
459  sigValue.encode();
460  signedName.append(sigValue); // signatureValue
461  interest.setName(signedName);
462 }
463 
464 Block
465 KeyChain::sign(const uint8_t* buffer, size_t bufferLength, const SigningInfo& params)
466 {
467  Name keyName;
468  SignatureInfo sigInfo;
469  std::tie(keyName, sigInfo) = prepareSignatureInfo(params);
470 
471  return sign(buffer, bufferLength, keyName, params.getDigestAlgorithm());
472 }
473 
474 // public: PIB/TPM creation helpers
475 
476 static inline std::tuple<std::string/*type*/, std::string/*location*/>
477 parseLocatorUri(const std::string& uri)
478 {
479  size_t pos = uri.find(':');
480  if (pos != std::string::npos) {
481  return std::make_tuple(uri.substr(0, pos), uri.substr(pos + 1));
482  }
483  else {
484  return std::make_tuple(uri, "");
485  }
486 }
487 
488 std::tuple<std::string/*type*/, std::string/*location*/>
489 KeyChain::parseAndCheckPibLocator(const std::string& pibLocator)
490 {
491  std::string pibScheme, pibLocation;
492  std::tie(pibScheme, pibLocation) = parseLocatorUri(pibLocator);
493 
494  if (pibScheme.empty()) {
495  pibScheme = getDefaultPibScheme();
496  }
497 
498  auto pibFactory = getPibFactories().find(pibScheme);
499  if (pibFactory == getPibFactories().end()) {
500  NDN_THROW(KeyChain::Error("PIB scheme `" + pibScheme + "` is not supported"));
501  }
502 
503  return std::make_tuple(pibScheme, pibLocation);
504 }
505 
506 unique_ptr<Pib>
507 KeyChain::createPib(const std::string& pibLocator)
508 {
509  std::string pibScheme, pibLocation;
510  std::tie(pibScheme, pibLocation) = parseAndCheckPibLocator(pibLocator);
511  auto pibFactory = getPibFactories().find(pibScheme);
512  BOOST_ASSERT(pibFactory != getPibFactories().end());
513  return unique_ptr<Pib>(new Pib(pibScheme, pibLocation, pibFactory->second(pibLocation)));
514 }
515 
516 std::tuple<std::string/*type*/, std::string/*location*/>
517 KeyChain::parseAndCheckTpmLocator(const std::string& tpmLocator)
518 {
519  std::string tpmScheme, tpmLocation;
520  std::tie(tpmScheme, tpmLocation) = parseLocatorUri(tpmLocator);
521 
522  if (tpmScheme.empty()) {
523  tpmScheme = getDefaultTpmScheme();
524  }
525  auto tpmFactory = getTpmFactories().find(tpmScheme);
526  if (tpmFactory == getTpmFactories().end()) {
527  NDN_THROW(KeyChain::Error("TPM scheme `" + tpmScheme + "` is not supported"));
528  }
529 
530  return std::make_tuple(tpmScheme, tpmLocation);
531 }
532 
533 unique_ptr<Tpm>
534 KeyChain::createTpm(const std::string& tpmLocator)
535 {
536  std::string tpmScheme, tpmLocation;
537  std::tie(tpmScheme, tpmLocation) = parseAndCheckTpmLocator(tpmLocator);
538  auto tpmFactory = getTpmFactories().find(tpmScheme);
539  BOOST_ASSERT(tpmFactory != getTpmFactories().end());
540  return unique_ptr<Tpm>(new Tpm(tpmScheme, tpmLocation, tpmFactory->second(tpmLocation)));
541 }
542 
543 // private: signing
544 
545 Certificate
546 KeyChain::selfSign(Key& key)
547 {
548  Certificate certificate;
549 
550  // set name
551  Name certificateName = key.getName();
552  certificateName
553  .append("self")
554  .appendVersion();
555  certificate.setName(certificateName);
556 
557  // set metainfo
558  certificate.setContentType(tlv::ContentType_Key);
559  certificate.setFreshnessPeriod(1_h);
560 
561  // set content
562  certificate.setContent(key.getPublicKey().data(), key.getPublicKey().size());
563 
564  // set signature-info
565  SignatureInfo signatureInfo;
566  // Note time::system_clock::max() or other NotAfter date results in incorrect encoded value
567  // because of overflow during conversion to boost::posix_time::ptime (bug #3915).
568  signatureInfo.setValidityPeriod(ValidityPeriod(time::system_clock::TimePoint(),
569  time::system_clock::now() + 20 * 365_days));
570 
571  sign(certificate, SigningInfo(key).setSignatureInfo(signatureInfo));
572 
573  key.addCertificate(certificate);
574  return certificate;
575 }
576 
577 std::tuple<Name, SignatureInfo>
578 KeyChain::prepareSignatureInfo(const SigningInfo& params)
579 {
580  SignatureInfo sigInfo = params.getSignatureInfo();
581  name::Component keyId;
582  Name certificateName;
583  pib::Identity identity;
584  pib::Key key;
585 
586  switch (params.getSignerType()) {
587  case SigningInfo::SIGNER_TYPE_NULL: {
588  try {
589  identity = m_pib->getDefaultIdentity();
590  }
591  catch (const Pib::Error&) { // no default identity, use sha256 for signing.
592  sigInfo.setSignatureType(tlv::DigestSha256);
593  return std::make_tuple(SigningInfo::getDigestSha256Identity(), sigInfo);
594  }
595  break;
596  }
597  case SigningInfo::SIGNER_TYPE_ID: {
598  identity = params.getPibIdentity();
599  if (!identity) {
600  try {
601  identity = m_pib->getIdentity(params.getSignerName());
602  }
603  catch (const Pib::Error&) {
604  NDN_THROW_NESTED(InvalidSigningInfoError("Signing identity `" +
605  params.getSignerName().toUri() + "` does not exist"));
606  }
607  }
608  break;
609  }
610  case SigningInfo::SIGNER_TYPE_KEY: {
611  key = params.getPibKey();
612  if (!key) {
613  Name identityName = extractIdentityFromKeyName(params.getSignerName());
614  try {
615  identity = m_pib->getIdentity(identityName);
616  key = identity.getKey(params.getSignerName());
617  identity = Identity(); // we will use the PIB key instance, so reset identity;
618  }
619  catch (const Pib::Error&) {
620  NDN_THROW_NESTED(InvalidSigningInfoError("Signing key `" +
621  params.getSignerName().toUri() + "` does not exist"));
622  }
623  }
624  break;
625  }
626  case SigningInfo::SIGNER_TYPE_CERT: {
627  Name identityName = extractIdentityFromCertName(params.getSignerName());
628  Name keyName = extractKeyNameFromCertName(params.getSignerName());
629  try {
630  identity = m_pib->getIdentity(identityName);
631  key = identity.getKey(keyName);
632  }
633  catch (const Pib::Error&) {
634  NDN_THROW_NESTED(InvalidSigningInfoError("Signing certificate `" +
635  params.getSignerName().toUri() + "` does not exist"));
636  }
637  break;
638  }
639  case SigningInfo::SIGNER_TYPE_SHA256: {
640  sigInfo.setSignatureType(tlv::DigestSha256);
641  return std::make_tuple(SigningInfo::getDigestSha256Identity(), sigInfo);
642  }
643  default: {
644  NDN_THROW(InvalidSigningInfoError("Unrecognized signer type " +
645  boost::lexical_cast<std::string>(params.getSignerType())));
646  }
647  }
648 
649  if (!identity && !key) {
650  NDN_THROW(InvalidSigningInfoError("Cannot determine signing parameters"));
651  }
652 
653  if (identity && !key) {
654  try {
655  key = identity.getDefaultKey();
656  }
657  catch (const Pib::Error&) {
658  NDN_THROW_NESTED(InvalidSigningInfoError("Signing identity `" + identity.getName().toUri() +
659  "` does not have a default certificate"));
660  }
661  }
662 
663  BOOST_ASSERT(key);
664 
665  sigInfo.setSignatureType(getSignatureType(key.getKeyType(), params.getDigestAlgorithm()));
666  sigInfo.setKeyLocator(KeyLocator(key.getName()));
667 
668  NDN_LOG_TRACE("Prepared signature info: " << sigInfo);
669  return std::make_tuple(key.getName(), sigInfo);
670 }
671 
672 Block
673 KeyChain::sign(const uint8_t* buf, size_t size,
674  const Name& keyName, DigestAlgorithm digestAlgorithm) const
675 {
676  if (keyName == SigningInfo::getDigestSha256Identity())
677  return Block(tlv::SignatureValue, util::Sha256::computeDigest(buf, size));
678 
679  return Block(tlv::SignatureValue, m_tpm->sign(buf, size, keyName, digestAlgorithm));
680 }
681 
682 tlv::SignatureTypeValue
683 KeyChain::getSignatureType(KeyType keyType, DigestAlgorithm)
684 {
685  switch (keyType) {
686  case KeyType::RSA:
687  return tlv::SignatureSha256WithRsa;
688  case KeyType::EC:
689  return tlv::SignatureSha256WithEcdsa;
690  default:
691  NDN_THROW(Error("Unsupported key type " + boost::lexical_cast<std::string>(keyType)));
692  }
693 }
694 
695 } // namespace v2
696 } // namespace security
697 } // namespace ndn
NDN_THROW_NESTED
#define NDN_THROW_NESTED(e)
Definition: exception.hpp:71
ndn::security::v2::KeyChain::deleteKey
void deleteKey(const Identity &identity, const Key &key)
Delete a key key of identity.
Definition: key-chain.cpp:286
ndn::Data::setContentType
Data & setContentType(uint32_t type)
Definition: data.cpp:288
ndn::Interest::getName
const Name & getName() const
Definition: interest.hpp:134
ndn::security::pib::Key::getName
const Name & getName() const
Get key name.
Definition: key.cpp:38
ndn
Definition: data.cpp:26
ndn::SignatureInfo::setSignatureType
void setSignatureType(tlv::SignatureTypeValue type)
Set SignatureType.
Definition: signature-info.cpp:145
ndn::security::pib::Identity::getDefaultKey
const Key & getDefaultKey() const
Get the default key for this Identity.
Definition: identity.cpp:79
ndn::security::v2::Certificate
The certificate following the certificate format naming convention.
Definition: certificate.hpp:81
ndn::security::v2::Certificate::getKeyName
Name getKeyName() const
Get key name.
Definition: certificate.cpp:81
ndn::SignatureInfo
Represents a SignatureInfo TLV element.
Definition: signature-info.hpp:34
ndn::security::v2::KeyChain
The interface of signing key management.
Definition: key-chain.hpp:46
ndn::security::v2::KeyChain::addCertificate
void addCertificate(const Key &key, const Certificate &certificate)
Add a certificate certificate for key.
Definition: key-chain.cpp:315
ndn::security::v2::KeyChain::createKey
Key createKey(const Identity &identity, const KeyParams &params=getDefaultKeyParams())
Create a key for identity according to params.
Definition: key-chain.cpp:268
ndn::Data::setSignature
Data & setSignature(const Signature &signature)
Set Signature.
Definition: data.cpp:272
nonstd::optional_lite::std11::move
T & move(T &t)
Definition: optional.hpp:421
ndn::Data::setName
Data & setName(const Name &name)
Set name.
Definition: data.cpp:216
ndn::security::SigningInfo::getSignerName
const Name & getSignerName() const
Definition: signing-info.hpp:159
ndn::tlv::ContentType_Key
public key, certificate
Definition: tlv.hpp:159
ndn::security::v2::extractKeyNameFromCertName
Name extractKeyNameFromCertName(const Name &certName)
Extract key name from the certificate name certName.
Definition: certificate.cpp:196
ndn::security::v2::parseLocatorUri
static std::tuple< std::string, std::string > parseLocatorUri(const std::string &uri)
Definition: key-chain.cpp:477
ndn::KeyType::RSA
RSA key, supports sign/verify and encrypt/decrypt operations.
ndn::security::v2::KeyChain::KeyChain
KeyChain()
Constructor to create KeyChain with default PIB and TPM.
Definition: key-chain.cpp:165
ndn::Data::setContent
Data & setContent(const Block &block)
Set Content from a block.
Definition: data.cpp:241
ndn::Name::wireEncode
size_t wireEncode(EncodingImpl< TAG > &encoder) const
Fast encoding or block size estimation.
Definition: name.cpp:125
ndn::Block
Represents a TLV element of NDN packet format.
Definition: block.hpp:42
ndn::security::v2::KeyChain::LocatorMismatchError
Error indicating that the supplied TPM locator does not match the locator stored in PIB...
Definition: key-chain.hpp:58
ndn::Interest
Represents an Interest packet.
Definition: interest.hpp:44
NDN_LOG_DEBUG
#define NDN_LOG_DEBUG(expression)
Log at DEBUG level.
Definition: logger.hpp:262
ndn::security::SigningInfo::SIGNER_TYPE_SHA256
use sha256 digest, no signer needs to be specified
Definition: signing-info.hpp:59
NDN_LOG_INIT
#define NDN_LOG_INIT(name)
Define a non-member log module.
Definition: logger.hpp:163
ndn::time::system_clock::now
static time_point now() noexcept
Definition: time.cpp:46
ndn::Name::append
Name & append(const Component &component)
Append a component.
Definition: name.hpp:249
ndn::Block::value_begin
Buffer::const_iterator value_begin() const
Get begin iterator of TLV-VALUE.
Definition: block.hpp:296
ndn::Block::value_end
Buffer::const_iterator value_end() const
Get end iterator of TLV-VALUE.
Definition: block.hpp:305
ndn::security::SigningInfo
Signing parameters passed to KeyChain.
Definition: signing-info.hpp:40
ndn::security::v2::KeyChain::deleteCertificate
void deleteCertificate(const Key &key, const Name &certificateName)
delete a certificate with name certificateName of key.
Definition: key-chain.cpp:329
ndn::Name::appendVersion
Name & appendVersion(optional< uint64_t > version=nullopt)
Append a version component.
Definition: name.cpp:214
NDN_CXX_V2_KEYCHAIN_REGISTER_PIB_BACKEND
#define NDN_CXX_V2_KEYCHAIN_REGISTER_PIB_BACKEND(PibType)
Register Pib backend class in KeyChain.
Definition: key-chain.hpp:465
NDN_THROW
#define NDN_THROW(e)
Definition: exception.hpp:61
ndn::security::v2::KeyChain::createIdentity
Identity createIdentity(const Name &identityName, const KeyParams &params=getDefaultKeyParams())
Create an identity identityName.
Definition: key-chain.cpp:222
ndn::security::v2::KeyChain::importSafeBag
void importSafeBag(const SafeBag &safeBag, const char *pw, size_t pwLen)
Import a pair of certificate and its corresponding private key encapsulated in a SafeBag.
Definition: key-chain.cpp:367
ndn::KeyType
KeyType
The type of a cryptographic key.
Definition: security-common.hpp:85
ndn::security::tpm::BackEndOsx::getScheme
static const std::string & getScheme()
Definition: back-end-osx.cpp:198
ndn::SignatureInfo::setKeyLocator
void setKeyLocator(const KeyLocator &keyLocator)
Set KeyLocator.
Definition: signature-info.cpp:161
ndn::Name::toUri
std::string toUri() const
Get URI representation of the name.
Definition: name.cpp:116
ndn::Data::wireEncode
size_t wireEncode(EncodingImpl< TAG > &encoder, bool wantUnsignedPortionOnly=false) const
Prepend wire encoding to encoder in NDN Packet Format v0.2.
Definition: data.cpp:48
ndn::security::v2::KeyChain::exportSafeBag
shared_ptr< SafeBag > exportSafeBag(const Certificate &certificate, const char *pw, size_t pwLen)
Export a certificate and its corresponding private key.
Definition: key-chain.cpp:350
ndn::security::SigningInfo::getPibIdentity
const Identity & getPibIdentity() const
Definition: signing-info.hpp:170
ndn::security::pib::Key
A frontend handle of a key instance.
Definition: key.hpp:49
ndn::security::pib::PibSqlite3::getScheme
static const std::string & getScheme()
Definition: pib-sqlite3.cpp:246
ndn::Interest::setName
Interest & setName(const Name &name)
Definition: interest.hpp:140
ndn::security::SigningInfo::SIGNER_TYPE_NULL
no signer is specified, use default setting or follow the trust schema
Definition: signing-info.hpp:51
ndn::security::tpm::BackEndFile::getScheme
static const std::string & getScheme()
Definition: back-end-file.cpp:89
ndn::security::v2::KeyChain::setDefaultCertificate
void setDefaultCertificate(const Key &key, const Certificate &certificate)
Set cert as the default certificate of key.
Definition: key-chain.cpp:341
ndn::security::pib::Key::getKeyType
KeyType getKeyType() const
Get key type.
Definition: key.cpp:50
ndn::security::SigningInfo::getSignatureInfo
const SignatureInfo & getSignatureInfo() const
Definition: signing-info.hpp:216
ndn::security::v2::KeyChain::setDefaultIdentity
void setDefaultIdentity(const Identity &identity)
Set identity as the default identity.
Definition: key-chain.cpp:260
ndn::KeyType::EC
Elliptic Curve key (e.g. for ECDSA), supports sign/verify operations.
ndn::security::SigningInfo::getDigestSha256Identity
static const Name & getDigestSha256Identity()
A localhost identity to indicate that the signature is generated using SHA-256.
Definition: signing-info.cpp:42
ndn::SignatureInfo::setValidityPeriod
void setValidityPeriod(const security::ValidityPeriod &validityPeriod)
Set ValidityPeriod.
Definition: signature-info.cpp:187
ndn::KeyIdType::SHA256
Use the SHA256 hash of the public key as the key id.
ndn::security::v2::Certificate::getIdentity
Name getIdentity() const
Get identity name.
Definition: certificate.cpp:87
ndn::Name
Represents an absolute name.
Definition: name.hpp:43
ndn::security::SigningInfo::SIGNER_TYPE_CERT
signer is a certificate, use it directly
Definition: signing-info.hpp:57
ndn::security::transform::verifierFilter
unique_ptr< Transform > verifierFilter(DigestAlgorithm algo, const PublicKey &key, const uint8_t *sig, size_t sigLen)
Definition: verifier-filter.cpp:88
ndn::security::pib::Identity::getKey
Key getKey(const Name &keyName) const
Get a key with id keyName.
Definition: identity.cpp:55
ndn::security::v2::Certificate::getPublicKey
Buffer getPublicKey() const
Get public key bits (in PKCS#8 format)
Definition: certificate.cpp:105
ndn::tlv::SignatureTypeValue
SignatureTypeValue
SignatureType values.
Definition: tlv.hpp:129
ndn::security::SigningInfo::SIGNER_TYPE_KEY
signer is a key, use its default certificate
Definition: signing-info.hpp:55
ndn::security::SafeBag::getEncryptedKeyBag
const Buffer & getEncryptedKeyBag() const
Get the private key in PKCS#8 from safe bag.
Definition: safe-bag.hpp:105
ndn::time::system_clock::TimePoint
time_point TimePoint
Definition: time.hpp:195
ndn::security::v2::KeyChain::sign
void sign(Data &data, const SigningInfo &params=getDefaultSigningInfo())
Sign data according to the supplied signing information.
Definition: key-chain.cpp:430
ndn::SignatureInfo::wireEncode
size_t wireEncode(EncodingImpl< TAG > &encoder) const
Fast encoding or block size estimation.
Definition: signature-info.cpp:61
ndn::Data::getName
const Name & getName() const
Get name.
Definition: data.hpp:124
ndn::name::Component
Represents a name component.
Definition: name-component.hpp:84
ndn::security::v2::KeyChain::deleteIdentity
void deleteIdentity(const Identity &identity)
delete identity.
Definition: key-chain.cpp:246
ndn::security::v2::Certificate::isValidName
static bool isValidName(const Name &certName)
Check if the specified name follows the naming convention for the certificate.
Definition: certificate.cpp:131
ndn::security::SafeBag
a secured container for sensitive information(certificate, private key)
Definition: safe-bag.hpp:37
ndn::Data::setFreshnessPeriod
Data & setFreshnessPeriod(time::milliseconds freshnessPeriod)
Definition: data.cpp:296
ndn::security::v2::KeyChain::setDefaultKey
void setDefaultKey(const Identity &identity, const Key &key)
Set key as the default key of identity.
Definition: key-chain.cpp:302
ndn::Block::encode
void encode()
Encode sub-elements into TLV-VALUE.
Definition: block.cpp:352
ndn::Data::getContent
const Block & getContent() const
Get Content.
Definition: data.cpp:232
ndn::security::pib::Identity::getName
const Name & getName() const
Get the name of the identity.
Definition: identity.cpp:37
ndn::security::SafeBag::getCertificate
const Data & getCertificate() const
Get the certificate data packet from safe bag.
Definition: safe-bag.hpp:96
ndn::KeyParams
Base class of key parameters.
Definition: key-params.hpp:35
ndn::security::SigningInfo::SIGNER_TYPE_ID
signer is an identity, use its default key and default certificate
Definition: signing-info.hpp:53
ndn::security::pib::Identity
A frontend handle of an Identity.
Definition: identity.hpp:42
ndn::util::Sha256::computeDigest
ConstBufferPtr computeDigest()
Finalize and return the digest based on all previously supplied inputs.
Definition: sha256.cpp:63
ndn::security::SigningInfo::getPibKey
const Key & getPibKey() const
Definition: signing-info.hpp:181
NDN_LOG_TRACE
#define NDN_LOG_TRACE(expression)
Log at TRACE level.
Definition: logger.hpp:257
ndn::Data
Represents a Data packet.
Definition: data.hpp:35
ndn::SimplePublicKeyParams
SimplePublicKeyParams is a template for public keys with only one parameter: size.
Definition: key-params.hpp:149
ndn::security::SigningInfo::getDigestAlgorithm
DigestAlgorithm getDigestAlgorithm() const
Definition: signing-info.hpp:201
ndn::security::v2::extractIdentityFromKeyName
Name extractIdentityFromKeyName(const Name &keyName)
Extract identity namespace from the key name keyName.
Definition: key.cpp:160
ndn::Buffer
General-purpose automatically managed/resized buffer.
Definition: buffer.hpp:40
ndn::security::transform::boolSink
unique_ptr< Sink > boolSink(bool &value)
Definition: bool-sink.cpp:51
ndn::encoding::EncodingBuffer
EncodingImpl< EncoderTag > EncodingBuffer
Definition: encoding-buffer-fwd.hpp:38
NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND
#define NDN_CXX_V2_KEYCHAIN_REGISTER_TPM_BACKEND(TpmType)
Register Tpm backend class in KeyChain.
Definition: key-chain.hpp:483
ndn::security::SigningInfo::getSignerType
SignerType getSignerType() const
Definition: signing-info.hpp:150
ndn::Signature
Holds SignatureInfo and SignatureValue in a Data packet.
Definition: signature.hpp:37
ndn::ConstBufferPtr
shared_ptr< const Buffer > ConstBufferPtr
Definition: buffer.hpp:126
ndn::security::v2::extractIdentityFromCertName
Name extractIdentityFromCertName(const Name &certName)
Extract identity namespace from the certificate name certName.
Definition: certificate.cpp:185