The main interface for signing key management. More...
#include <ndn-cxx/security/key-chain.hpp>
Classes | |
class | Error |
class | InvalidSigningInfoError |
Error indicating that the supplied SigningInfo is invalid. More... | |
class | LocatorMismatchError |
Error indicating that the supplied TPM locator does not match the locator stored in PIB. More... | |
Public Member Functions | |
KeyChain () | |
Constructor to create KeyChain with default PIB and TPM. More... | |
KeyChain (const std::string &pibLocator, const std::string &tpmLocator, bool allowReset=false) | |
KeyChain constructor. More... | |
~KeyChain () | |
void | addCertificate (const Key &key, const Certificate &cert) |
Add a certificate cert for key . More... | |
Name | createHmacKey (const Name &prefix=SigningInfo::getHmacIdentity(), const HmacKeyParams ¶ms=HmacKeyParams()) |
Create a new HMAC key. More... | |
Identity | createIdentity (const Name &identityName, const KeyParams ¶ms=getDefaultKeyParams()) |
Create an identity identityName . More... | |
Key | createKey (const Identity &identity, const KeyParams ¶ms=getDefaultKeyParams()) |
Create a new key for identity . More... | |
void | deleteCertificate (const Key &key, const Name &certName) |
Delete a certificate with name certName from key . More... | |
void | deleteIdentity (const Identity &identity) |
Delete identity from this KeyChain. More... | |
void | deleteKey (const Identity &identity, const Key &key) |
Delete key from identity . More... | |
shared_ptr< SafeBag > | exportSafeBag (const Certificate &certificate, const char *pw, size_t pwLen) |
Export a certificate and its corresponding private key. More... | |
const Pib & | getPib () const noexcept |
const Tpm & | getTpm () const noexcept |
void | importPrivateKey (const Name &keyName, shared_ptr< transform::PrivateKey > key) |
Import a private key into the TPM. More... | |
void | importSafeBag (const SafeBag &safeBag, const char *pw, size_t pwLen) |
Import a certificate and its corresponding private key from a SafeBag. More... | |
Certificate | makeCertificate (const Certificate &certRequest, const SigningInfo ¶ms=SigningInfo(), const MakeCertificateOptions &opts={}) |
Create and sign a certificate packet. More... | |
Certificate | makeCertificate (const pib::Key &publicKey, const SigningInfo ¶ms=SigningInfo(), const MakeCertificateOptions &opts={}) |
Create and sign a certificate packet. More... | |
void | setDefaultCertificate (const Key &key, const Certificate &cert) |
Set cert as the default certificate of key . More... | |
void | setDefaultIdentity (const Identity &identity) |
Set identity as the default identity. More... | |
void | setDefaultKey (const Identity &identity, const Key &key) |
Set key as the default key of identity . More... | |
void | sign (Data &data, const SigningInfo ¶ms=SigningInfo()) |
Sign a Data packet according to the supplied signing information. More... | |
void | sign (Interest &interest, const SigningInfo ¶ms=SigningInfo()) |
Sign an Interest according to the supplied signing information. More... | |
Static Public Member Functions | |
static const KeyParams & | getDefaultKeyParams () |
template<class PibBackendType > | |
static void | registerPibBackend (const std::string &scheme) |
Register a new PIB backend type. More... | |
template<class TpmBackendType > | |
static void | registerTpmBackend (const std::string &scheme) |
Register a new TPM backend type. More... | |
The main interface for signing key management.
The KeyChain class provides an interface to manage entities related to packet signing, such as Identity, Key, and Certificates. It consists of two parts: a private key module (TPM) and a public key information base (PIB). Managing signing keys and their related entities through the KeyChain interface guarantees the consistency between TPM and PIB.
Definition at line 86 of file key-chain.hpp.
ndn::security::v2::KeyChain::KeyChain | ( | ) |
Constructor to create KeyChain with default PIB and TPM.
The default PIB and TPM are platform-dependent and can be overridden system-wide or on a per-user or even per-application basis.
Definition at line 145 of file key-chain.cpp.
ndn::security::v2::KeyChain::KeyChain | ( | const std::string & | pibLocator, |
const std::string & | tpmLocator, | ||
bool | allowReset = false |
||
) |
KeyChain constructor.
pibLocator | PIB locator, e.g., pib-sqlite3:/example/dir |
tpmLocator | TPM locator, e.g., tpm-memory: |
allowReset | if true, the PIB will be reset when the supplied tpmLocator does not match the one in the PIB |
Definition at line 150 of file key-chain.cpp.
|
default |
void ndn::security::v2::KeyChain::addCertificate | ( | const Key & | key, |
const Certificate & | cert | ||
) |
Add a certificate cert
for key
.
If key
had no default certificate selected, the added certificate will be set as the default certificate for this key.
This method will overwrite a certificate with the same name (without considering the implicit digest).
key
must be valid. std::invalid_argument | The certificate does not match the key. |
Definition at line 296 of file key-chain.cpp.
Name ndn::security::v2::KeyChain::createHmacKey | ( | const Name & | prefix = SigningInfo::getHmacIdentity() , |
const HmacKeyParams & | params = HmacKeyParams() |
||
) |
Create a new HMAC key.
The newly created key will be inserted in the TPM. HMAC keys don't have any PIB entries.
prefix | Prefix used to construct the key name (default: /localhost/identity/hmac ); the full key name will include additional components according to params . |
params | Key creation parameters. |
Definition at line 268 of file key-chain.cpp.
Identity ndn::security::v2::KeyChain::createIdentity | ( | const Name & | identityName, |
const KeyParams & | params = getDefaultKeyParams() |
||
) |
Create an identity identityName
.
This method will check if the identity exists in the PIB and whether the identity has a default key and default certificate. If the identity does not exist, this method will create it. If the identity's default key does not exist, this method will create a key pair and set it as the identity's default key. If the key's default certificate is missing, this method will create a self-signed certificate for the key.
If identityName
did not exist and no default identity was selected before, the created identity will be set as the default identity.
identityName | The name of the identity. |
params | The key parameters if a key needs to be created for the identity (default: EC key with random key id). |
Definition at line 201 of file key-chain.cpp.
Key ndn::security::v2::KeyChain::createKey | ( | const Identity & | identity, |
const KeyParams & | params = getDefaultKeyParams() |
||
) |
Create a new key for identity
.
If identity
had no default key selected, the created key will be set as the default for this identity.
This method will also create a self-signed certificate for the created key.
identity | The identity that will own the created key; must be valid. |
params | Key creation parameters (default: EC key with random key id). |
Definition at line 251 of file key-chain.cpp.
Delete a certificate with name certName
from key
.
If the certificate does not exist, this method has no effect.
key
must be valid. std::invalid_argument | The certificate name is invalid or does not match the key name. |
Definition at line 304 of file key-chain.cpp.
void ndn::security::v2::KeyChain::deleteIdentity | ( | const Identity & | identity | ) |
Delete identity
from this KeyChain.
Attempting to delete an invalid identity has no effect.
Definition at line 226 of file key-chain.cpp.
Delete key
from identity
.
Attempting to delete an invalid key has no effect.
identity
must be valid. std::invalid_argument | key does not belong to identity . |
Definition at line 274 of file key-chain.cpp.
shared_ptr< SafeBag > ndn::security::v2::KeyChain::exportSafeBag | ( | const Certificate & | certificate, |
const char * | pw, | ||
size_t | pwLen | ||
) |
Export a certificate and its corresponding private key.
certificate | The certificate to export. |
pw | The password to secure the private key. |
pwLen | The length of password. |
Error | the certificate or private key does not exist |
Definition at line 320 of file key-chain.cpp.
|
static |
Definition at line 106 of file key-chain.cpp.
|
inlinenoexcept |
Definition at line 138 of file key-chain.hpp.
|
inlinenoexcept |
Definition at line 144 of file key-chain.hpp.
void ndn::security::v2::KeyChain::importPrivateKey | ( | const Name & | keyName, |
shared_ptr< transform::PrivateKey > | key | ||
) |
Import a private key into the TPM.
Definition at line 386 of file key-chain.cpp.
void ndn::security::v2::KeyChain::importSafeBag | ( | const SafeBag & | safeBag, |
const char * | pw, | ||
size_t | pwLen | ||
) |
Import a certificate and its corresponding private key from a SafeBag.
If the certificate and key are imported properly, the default setting will be updated as if a new key and certificate is added into KeyChain.
safeBag | The encoded data to import. |
pw | The password to secure the private key. |
pwLen | The length of password. |
Error | any of following conditions:
|
Definition at line 336 of file key-chain.cpp.
Certificate ndn::security::v2::KeyChain::makeCertificate | ( | const Certificate & | certRequest, |
const SigningInfo & | params = SigningInfo() , |
||
const MakeCertificateOptions & | opts = {} |
||
) |
Create and sign a certificate packet.
certRequest | Certificate request enclosing the public key being certified. It does not need to exist in this KeyChain. |
params | Signing parameters. The referenced key must exist in this KeyChain. It may contain SignatureInfo for customizing KeyLocator and CustomTlv (including AdditionalDescription), but ValidityPeriod will be overwritten. |
opts | Optional arguments. |
certRequest
signed by a key from this KeyChain found by params
. std::invalid_argument | opts.freshnessPeriod is not positive. |
std::invalid_argument | certRequest contains invalid public key. |
Error | Certificate signing failure. |
Definition at line 456 of file key-chain.cpp.
Certificate ndn::security::v2::KeyChain::makeCertificate | ( | const pib::Key & | publicKey, |
const SigningInfo & | params = SigningInfo() , |
||
const MakeCertificateOptions & | opts = {} |
||
) |
Create and sign a certificate packet.
publicKey | Public key being certified. It does not need to exist in this KeyChain. |
params | Signing parameters. The referenced key must exist in this KeyChain. It may contain SignatureInfo for customizing KeyLocator and CustomTlv (including AdditionalDescription), but ValidityPeriod will be overwritten. |
opts | Optional arguments. |
publicKey
signed by a key from this KeyChain found by params
. std::invalid_argument | opts.freshnessPeriod is not positive. |
Error | Certificate signing failure. |
Definition at line 449 of file key-chain.cpp.
|
inlinestatic |
Register a new PIB backend type.
scheme | Unique identifier for the registered PIB backend type. |
Definition at line 408 of file key-chain.hpp.
|
inlinestatic |
Register a new TPM backend type.
scheme | Unique identifier for the registered TPM backend type. |
Definition at line 421 of file key-chain.hpp.
void ndn::security::v2::KeyChain::setDefaultCertificate | ( | const Key & | key, |
const Certificate & | cert | ||
) |
Set cert
as the default certificate of key
.
The certificate cert
will be added to key
, potentially overwriting an existing certificate with the same name (without considering the implicit digest).
key
must be valid. std::invalid_argument | The certificate does not match the key. |
Definition at line 312 of file key-chain.cpp.
void ndn::security::v2::KeyChain::setDefaultIdentity | ( | const Identity & | identity | ) |
Set identity
as the default identity.
identity
must be valid. Definition at line 243 of file key-chain.cpp.
Set key
as the default key of identity
.
identity
must be valid. key
must be valid. std::invalid_argument | key does not belong to identity . |
Definition at line 287 of file key-chain.cpp.
void ndn::security::v2::KeyChain::sign | ( | Data & | data, |
const SigningInfo & | params = SigningInfo() |
||
) |
Sign a Data packet according to the supplied signing information.
This method uses the supplied signing information in params
to sign data
as follows:
params
as a base, it generates the final SignatureInfo block for data
.data
.data
and adds it as the SignatureValue block of data
.data | The data to sign |
params | The signing parameters |
Error | Signing failed |
InvalidSigningInfoError | Invalid params was specified or the specified identity, key, or certificate does not exist |
Definition at line 403 of file key-chain.cpp.
void ndn::security::v2::KeyChain::sign | ( | Interest & | interest, |
const SigningInfo & | params = SigningInfo() |
||
) |
Sign an Interest according to the supplied signing information.
This method uses the supplied signing information in params
to sign interest
as follows:
params
as a base, it generates the final SignatureInfo block for interest
.interest
. If Packet Specification v0.3 formatting is desired, this block will be appended to interest
as a separate InterestSignatureInfo element. Otherwise, it will be appended to the end of the name of interest
as a SignatureInfo block.interest
. If Packet Specification v0.3 formatting is desired, this block will be added to interest
as a separate InterestSignatureValue element. Otherwise, it will be appended to the end of the name of interest
as a SignatureValue block.interest | The interest to sign |
params | The signing parameters |
Error | Signing failed |
InvalidSigningInfoError | Invalid params was specified or the specified identity, key, or certificate does not exist |
Definition at line 419 of file key-chain.cpp.