24 #ifndef NDN_SECURITY_V1_KEY_CHAIN_HPP
25 #define NDN_SECURITY_V1_KEY_CHAIN_HPP
30 #include "../key-params.hpp"
31 #include "../signature-sha256-with-rsa.hpp"
32 #include "../signature-sha256-with-ecdsa.hpp"
33 #include "../digest-sha256.hpp"
34 #include "../signing-info.hpp"
36 #include "../../interest.hpp"
37 #include "../../util/crypto.hpp"
38 #include "../../util/random.hpp"
39 #include <initializer_list>
53 class Error :
public std::runtime_error
58 :
std::runtime_error(what)
77 typedef function<unique_ptr<SecPublicInfo> (
const std::string&)>
PibCreateFunc;
85 template<
class PibType>
87 registerPib(std::initializer_list<std::string> aliases);
94 template<
class TpmType>
96 registerTpm(std::initializer_list<std::string> aliases);
107 static unique_ptr<SecPublicInfo>
108 createPib(
const std::string& pibLocator);
119 static unique_ptr<SecTpm>
120 createTpm(
const std::string& tpmLocator);
142 KeyChain(
const std::string& pibLocator,
143 const std::string& tpmLocator,
144 bool allowReset =
false);
225 shared_ptr<IdentityCertificate>
227 const Name& signingIdentity,
230 const std::vector<CertificateSubjectDescription>& subjectDescription,
249 shared_ptr<IdentityCertificate>
252 const Name& signingIdentity,
255 const std::vector<CertificateSubjectDescription>& subjectDescription,
307 sign(
const uint8_t* buffer,
size_t bufferLength,
const SigningInfo& params);
319 sign(T& packet,
const Name& certificateName);
332 sign(
const uint8_t* buffer,
size_t bufferLength,
const Name& certificateName);
380 shared_ptr<IdentityCertificate>
427 shared_ptr<SecuredBag>
469 return m_pib->doesIdentityExist(identityName);
475 return m_pib->addIdentity(identityName);
481 return m_pib->doesPublicKeyExist(keyName);
487 return m_pib->addKey(keyName, publicKeyDer);
493 return m_pib->addKey(keyName, publicKeyDer);
496 shared_ptr<PublicKey>
499 return m_pib->getPublicKey(keyName);
505 return m_pib->doesCertificateExist(certificateName);
511 return m_pib->addCertificate(certificate);
514 shared_ptr<IdentityCertificate>
517 return m_pib->getCertificate(certificateName);
523 return m_pib->getDefaultIdentity();
529 return m_pib->getDefaultKeyNameForIdentity(identityName);
545 return m_pib->getDefaultCertificateNameForKey(keyName);
551 return m_pib->getAllIdentities(nameList, isDefault);
557 return m_pib->getAllKeyNames(nameList, isDefault);
563 return m_pib->getAllKeyNamesOfIdentity(identity, nameList, isDefault);
569 return m_pib->getAllCertificateNames(nameList, isDefault);
574 std::vector<Name>& nameList,
575 bool isDefault)
const
577 return m_pib->getAllCertificateNamesOfKey(keyName, nameList, isDefault);
583 return m_pib->deleteCertificateInfo(certificateName);
589 return m_pib->deletePublicKeyInfo(keyName);
595 return m_pib->deleteIdentityInfo(identity);
601 return m_pib->setDefaultIdentity(identityName);
607 return m_pib->setDefaultKeyNameForIdentity(keyName);
613 return m_pib->setDefaultCertificateNameForKey(certificateName);
619 return m_pib->getNewKeyName(identityName, useKsk);
625 return m_pib->getDefaultCertificateNameForIdentity(identityName);
631 return m_pib->getDefaultCertificateName();
637 return m_pib->addCertificateAsKeyDefault(certificate);
643 return m_pib->addCertificateAsIdentityDefault(certificate);
649 return m_pib->addCertificateAsSystemDefault(certificate);
652 shared_ptr<IdentityCertificate>
655 if (!static_cast<bool>(m_pib->getDefaultCertificate()))
656 const_cast<KeyChain*
>(
this)->setDefaultCertificateInternal();
658 return m_pib->getDefaultCertificate();
664 return m_pib->refreshDefaultCertificate();
674 return m_tpm->setTpmPassword(password, passwordLength);
680 return m_tpm->resetTpmPassword();
686 return m_tpm->setInTerminal(inTerminal);
692 return m_tpm->getInTerminal();
698 return m_tpm->isLocked();
702 unlockTpm(
const char* password,
size_t passwordLength,
bool usePassword)
704 return m_tpm->unlockTpm(password, passwordLength, usePassword);
710 return m_tpm->generateKeyPairInTpm(keyName, params);
716 return m_tpm->deleteKeyPairInTpm(keyName);
719 shared_ptr<PublicKey>
722 return m_tpm->getPublicKeyFromTpm(keyName);
730 return m_tpm->signInTpm(data, dataLength, keyName, digestAlgorithm);
734 decryptInTpm(
const uint8_t* data,
size_t dataLength,
const Name& keyName,
bool isSymmetric)
736 return m_tpm->decryptInTpm(data, dataLength, keyName, isSymmetric);
740 encryptInTpm(
const uint8_t* data,
size_t dataLength,
const Name& keyName,
bool isSymmetric)
742 return m_tpm->encryptInTpm(data, dataLength, keyName, isSymmetric);
748 return m_tpm->generateSymmetricKeyInTpm(keyName, params);
754 return m_tpm->doesKeyExistInTpm(keyName, keyClass);
760 return m_tpm->generateRandomBlock(res, size);
766 return m_tpm->addAppToAcl(keyName, keyClass, appPath, acl);
772 return m_tpm->exportPrivateKeyPkcs5FromTpm(keyName, password);
777 const uint8_t* buf,
size_t size,
778 const std::string& password)
780 return m_tpm->importPrivateKeyPkcs5IntoTpm(keyName, buf, size, password);
785 initialize(
const std::string& pibLocatorUri,
786 const std::string& tpmLocatorUri,
796 std::tuple<Name, SignatureInfo>
814 setDefaultCertificateInternal();
825 generateKeyPair(
const Name& identityName,
bool isKsk =
false,
859 pureSign(
const uint8_t* buf,
size_t size,
const Name& keyName,
DigestAlgorithm digestAlgorithm)
const;
862 registerPibImpl(
const std::string& canonicalName,
863 std::initializer_list<std::string> aliases,
PibCreateFunc createFunc);
866 registerTpmImpl(
const std::string& canonicalName,
867 std::initializer_list<std::string> aliases,
TpmCreateFunc createFunc);
883 std::unique_ptr<SecPublicInfo> m_pib;
884 std::unique_ptr<SecTpm> m_tpm;
885 time::milliseconds m_lastTimestamp;
890 KeyChain::signImpl(T& packet,
const SigningInfo& params)
894 std::tie(keyName, sigInfo) = prepareSignatureInfo(params);
896 signPacketWrapper(packet,
Signature(sigInfo),
914 template<
class PibType>
918 registerPibImpl(*aliases.begin(), aliases, [] (
const std::string& locator) {
919 return make_unique<PibType>(locator);
923 template<
class TpmType>
927 registerTpmImpl(*aliases.begin(), aliases, [] (
const std::string& locator) {
928 return make_unique<TpmType>(locator);
938 #define NDN_CXX_V1_KEYCHAIN_REGISTER_PIB(PibType, ...) \
939 static class NdnCxxAuto ## PibType ## PibRegistrationClass \
942 NdnCxxAuto ## PibType ## PibRegistrationClass() \
944 ::ndn::security::v1::KeyChain::registerPib<PibType>({__VA_ARGS__}); \
946 } ndnCxxAuto ## PibType ## PibRegistrationVariable
954 #define NDN_CXX_V1_KEYCHAIN_REGISTER_TPM(TpmType, ...) \
955 static class NdnCxxAuto ## TpmType ## TpmRegistrationClass \
958 NdnCxxAuto ## TpmType ## TpmRegistrationClass() \
960 ::ndn::security::v1::KeyChain::registerTpm<TpmType>({__VA_ARGS__}); \
962 } ndnCxxAuto ## TpmType ## TpmRegistrationVariable
968 #endif // NDN_SECURITY_V1_KEY_CHAIN_HPP
void setInTerminal(bool inTerminal)
void deleteIdentity(const Name &identity)
delete an identity.
Copyright (c) 2013-2016 Regents of the University of California.
static unique_ptr< SecTpm > createTpm(const std::string &tpmLocator)
Create a TPM according to tpmLocator.
static void registerTpm(std::initializer_list< std::string > aliases)
Register a new TPM.
void addKey(const Name &keyName, const PublicKey &publicKeyDer)
Block signInTpm(const uint8_t *data, size_t dataLength, const Name &keyName, DigestAlgorithm digestAlgorithm)
void getAllCertificateNames(std::vector< Name > &nameList, bool isDefault) const
MismatchError(const std::string &what)
Name createIdentity(const Name &identityName, const KeyParams ¶ms=DEFAULT_KEY_PARAMS)
Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed ce...
static tlv::SignatureTypeValue getSignatureType(KeyType keyType, DigestAlgorithm digestAlgorithm)
bool doesCertificateExist(const Name &certificateName) const
void setDefaultKeyNameForIdentity(const Name &keyName)
static const Name DEFAULT_PREFIX
const SecTpm & getTpm() const
Name generateEcKeyPair(const Name &identityName, bool isKsk=false, uint32_t keySize=256)
Generate a pair of EC keys for the specified identity.
ConstBufferPtr encryptInTpm(const uint8_t *data, size_t dataLength, const Name &keyName, bool isSymmetric)
Class representing a wire element of NDN-TLV packet format.
void addCertificateAsKeyDefault(const IdentityCertificate &certificate)
void sign(Data &data, const SigningInfo ¶ms=DEFAULT_SIGNING_INFO)
Sign data according to the supplied signing information.
represents an Interest packet
shared_ptr< PublicKey > getPublicKey(const Name &keyName) const
Name getDefaultCertificateNameForKey(const Name &keyName) const
bool getInTerminal() const
void getAllCertificateNamesOfKey(const Name &keyName, std::vector< Name > &nameList, bool isDefault) const
bool generateRandomBlock(uint8_t *res, size_t size) const
void signByIdentity(T &packet, const Name &identityName)
Sign packet using the default certificate of a particular identity.
Signing parameters passed to KeyChain.
void addCertificateAsIdentityDefault(const IdentityCertificate &certificate)
ConstBufferPtr exportPrivateKeyPkcs5FromTpm(const Name &keyName, const std::string &password)
Name getNewKeyName(const Name &identityName, bool useKsk)
const KeyParams & getDefaultKeyParamsForIdentity(const Name &identityName) const
Get default key parameters for the specified identity.
Name getDefaultCertificateName() const
Name generateRsaKeyPairAsDefault(const Name &identityName, bool isKsk=false, uint32_t keySize=2048)
Generate a pair of RSA keys for the specified identity and set it as default key for the identity...
void addAppToAcl(const Name &keyName, KeyClass keyClass, const std::string &appPath, AclType acl)
shared_ptr< IdentityCertificate > prepareUnsignedIdentityCertificate(const Name &keyName, const Name &signingIdentity, const time::system_clock::TimePoint ¬Before, const time::system_clock::TimePoint ¬After, const std::vector< CertificateSubjectDescription > &subjectDescription, const Name &certPrefix=DEFAULT_PREFIX)
prepare an unsigned identity certificate
void signWithSha256(Data &data)
Set Sha256 weak signature for data.
shared_ptr< SecuredBag > exportIdentity(const Name &identity, const std::string &passwordStr)
export an identity.
bool doesKeyExistInTpm(const Name &keyName, KeyClass keyClass) const
void deleteIdentityInfo(const Name &identity)
void deleteKeyPairInTpm(const Name &keyName)
void setDefaultCertificateNameForKey(const Name &certificateName)
void importIdentity(const SecuredBag &securedBag, const std::string &passwordStr)
import an identity.
Name generateRsaKeyPair(const Name &identityName, bool isKsk=false, uint32_t keySize=2048)
Generate a pair of RSA keys for the specified identity.
void addPublicKey(const Name &keyName, KeyType keyType, const PublicKey &publicKeyDer)
void addCertificate(const IdentityCertificate &certificate)
SecPublicInfo is a base class for the storage of public information.
shared_ptr< PublicKey > getPublicKeyFromTpm(const Name &keyName) const
void setDefaultIdentity(const Name &identityName)
void setTpmPassword(const uint8_t *password, size_t passwordLength)
std::map< std::string, Block > SignParams
Name abstraction to represent an absolute name.
bool doesPublicKeyExist(const Name &keyName) const
signer is a certificate, use it directly
bool unlockTpm(const char *password, size_t passwordLength, bool usePassword)
static const RsaKeyParams DEFAULT_KEY_PARAMS
void deleteCertificateInfo(const Name &certificateName)
static std::string getDefaultPibLocator()
Get default PIB locator.
Name generateEcKeyPairAsDefault(const Name &identityName, bool isKsk=false, uint32_t keySize=256)
Generate a pair of EC keys for the specified identity and set it as default key for the identity...
void deleteCertificate(const Name &certificateName)
delete a certificate.
KeyChain()
Constructor to create KeyChain with default PIB and TPM.
void getAllIdentities(std::vector< Name > &nameList, bool isDefault) const
SecTpm is the base class of the TPM classes.
Name getDefaultCertificateNameForIdentity(const Name &identityName) const
The packet signing interface.
Error thrown when the supplied TPM locator to KeyChain constructor does not match the locator stored ...
Name getDefaultKeyNameForIdentity(const Name &identityName) const
ConstBufferPtr decryptInTpm(const uint8_t *data, size_t dataLength, const Name &keyName, bool isSymmetric)
const SecPublicInfo & getPib() const
Name getDefaultIdentity() const
void addCertificateAsSystemDefault(const IdentityCertificate &certificate)
shared_ptr< IdentityCertificate > getCertificate(const Name &certificateName) const
Base class of key parameters.
signer is an identity, use its default key and default certificate
Error(const std::string &what)
void getAllKeyNamesOfIdentity(const Name &identity, std::vector< Name > &nameList, bool isDefault) const
static const SigningInfo DEFAULT_SIGNING_INFO
bool doesIdentityExist(const Name &identityName) const
shared_ptr< IdentityCertificate > selfSign(const Name &keyName)
Generate a self-signed certificate for a public key.
void generateKeyPairInTpm(const Name &keyName, const KeyParams ¶ms)
shared_ptr< const Buffer > ConstBufferPtr
void deleteKey(const Name &keyName)
delete a key.
void getAllKeyNames(std::vector< Name > &nameList, bool isDefault) const
void deletePublicKeyInfo(const Name &keyName)
SimplePublicKeyParams is a template for public keys with only one parameter: size.
DigestAlgorithm getDigestAlgorithm() const
bool importPrivateKeyPkcs5IntoTpm(const Name &keyName, const uint8_t *buf, size_t size, const std::string &password)
function< unique_ptr< SecTpm >const std::string &)> TpmCreateFunc
function< unique_ptr< SecPublicInfo >const std::string &)> PibCreateFunc
shared_ptr< IdentityCertificate > getDefaultCertificate() const
void generateSymmetricKeyInTpm(const Name &keyName, const KeyParams ¶ms)
static unique_ptr< SecPublicInfo > createPib(const std::string &pibLocator)
Create a PIB according to pibLocator.
static std::string getDefaultTpmLocator()
Get default TPM locator.
static void registerPib(std::initializer_list< std::string > aliases)
Register a new PIB.
A Signature is storage for the signature-related information (info and value) in a Data packet...
void refreshDefaultCertificate()
void addIdentity(const Name &identityName)