certificate.cpp
Go to the documentation of this file.
1 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
2 /*
3  * Copyright (c) 2013-2022 Regents of the University of California.
4  *
5  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
6  *
7  * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8  * terms of the GNU Lesser General Public License as published by the Free Software
9  * Foundation, either version 3 of the License, or (at your option) any later version.
10  *
11  * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12  * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13  * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14  *
15  * You should have received copies of the GNU General Public License and GNU Lesser
16  * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17  * <http://www.gnu.org/licenses/>.
18  *
19  * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
20  *
21  * @author Zhiyi Zhang <dreamerbarrychang@gmail.com>
22  * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
23  */
24 
25 #include "ndn-cxx/security/certificate.hpp"
26 #include "ndn-cxx/security/additional-description.hpp"
27 #include "ndn-cxx/security/transform.hpp"
28 #include "ndn-cxx/util/indented-stream.hpp"
29 
30 namespace ndn {
31 namespace security {
32 inline namespace v2 {
33 
34 BOOST_CONCEPT_ASSERT((WireEncodable<Certificate>));
35 BOOST_CONCEPT_ASSERT((WireDecodable<Certificate>));
36 static_assert(std::is_base_of<Data::Error, Certificate::Error>::value,
37  "Certificate::Error must inherit from Data::Error");
38 
39 // /<IdentityName>/KEY/<KeyId>/<IssuerId>/<Version>
40 const ssize_t Certificate::VERSION_OFFSET = -1;
41 const ssize_t Certificate::ISSUER_ID_OFFSET = -2;
42 const ssize_t Certificate::KEY_ID_OFFSET = -3;
43 const ssize_t Certificate::KEY_COMPONENT_OFFSET = -4;
44 const size_t Certificate::MIN_CERT_NAME_LENGTH = 4;
45 const size_t Certificate::MIN_KEY_NAME_LENGTH = 2;
46 const name::Component Certificate::KEY_COMPONENT("KEY");
47 const name::Component Certificate::DEFAULT_ISSUER_ID("NA");
48 
49 Certificate::Certificate()
50 {
51  setContentType(tlv::ContentType_Key);
52  setFreshnessPeriod(1_h);
53 }
54 
55 Certificate::Certificate(Data&& data)
56  : Data(std::move(data))
57 {
58  if (!isValidName(getName())) {
59  NDN_THROW(Error("Certificate name does not follow the naming conventions"));
60  }
61  if (getContentType() != tlv::ContentType_Key) {
62  NDN_THROW(Error("Expecting ContentType=Key, got " + to_string(getContentType())));
63  }
64  if (getFreshnessPeriod() <= 0_ms) {
65  NDN_THROW(Error("Certificate FreshnessPeriod cannot be zero"));
66  }
67 }
68 
69 Certificate::Certificate(const Data& data)
70  : Certificate(Data(data))
71 {
72 }
73 
74 Certificate::Certificate(const Block& block)
75  : Certificate(Data(block))
76 {
77 }
78 
79 Name
80 Certificate::getIdentity() const
81 {
82  return getName().getPrefix(KEY_COMPONENT_OFFSET);
83 }
84 
85 Name
86 Certificate::getKeyName() const
87 {
88  return getName().getPrefix(KEY_ID_OFFSET + 1);
89 }
90 
91 name::Component
92 Certificate::getKeyId() const
93 {
94  return getName().at(KEY_ID_OFFSET);
95 }
96 
97 name::Component
98 Certificate::getIssuerId() const
99 {
100  return getName().at(ISSUER_ID_OFFSET);
101 }
102 
103 ValidityPeriod
104 Certificate::getValidityPeriod() const
105 {
106  return getSignatureInfo().getValidityPeriod();
107 }
108 
109 bool
110 Certificate::isValid(const time::system_clock::TimePoint& ts) const
111 {
112  return getSignatureInfo().getValidityPeriod().isValid(ts);
113 }
114 
115 Block
116 Certificate::getExtension(uint32_t type) const
117 {
118  auto block = getSignatureInfo().getCustomTlv(type);
119  if (!block) {
120  NDN_THROW(Error("TLV-TYPE " + to_string(type) + " sub-element does not exist in SignatureInfo"));
121  }
122  return *block;
123 }
124 
125 bool
126 Certificate::isValidName(const Name& certName)
127 {
128  // /<IdentityName>/KEY/<KeyId>/<IssuerId>/<Version>
129  return certName.size() >= Certificate::MIN_CERT_NAME_LENGTH &&
130  certName[Certificate::KEY_COMPONENT_OFFSET] == Certificate::KEY_COMPONENT;
131 }
132 
133 std::ostream&
134 operator<<(std::ostream& os, const Certificate& cert)
135 {
136  os << "Certificate Name:\n"
137  << " " << cert.getName() << "\n";
138 
139  auto optAddlDesc = cert.getSignatureInfo().getCustomTlv(tlv::AdditionalDescription);
140  if (optAddlDesc) {
141  os << "Additional Description:\n";
142  try {
143  AdditionalDescription additionalDesc(*optAddlDesc);
144  for (const auto& item : additionalDesc) {
145  os << " " << item.first << ": " << item.second << "\n";
146  }
147  }
148  catch (const tlv::Error&) {
149  using namespace transform;
150  util::IndentedStream os2(os, " ");
151  bufferSource(optAddlDesc->value_bytes()) >> base64Encode() >> streamSink(os2);
152  }
153  }
154 
155  os << "Public Key:\n";
156  {
157  using namespace transform;
158 
159  os << " Key Type: ";
160  try {
161  PublicKey key;
162  key.loadPkcs8(cert.getPublicKey());
163  os << key.getKeySize() << "-bit " << key.getKeyType();
164  }
165  catch (const std::runtime_error&) {
166  os << "Unknown (" << cert.getPublicKey().size() << " bytes)";
167  }
168  os << "\n";
169 
170  if (!cert.getPublicKey().empty()) {
171  util::IndentedStream os2(os, " ");
172  bufferSource(cert.getPublicKey()) >> base64Encode() >> streamSink(os2);
173  }
174  }
175 
176  try {
177  const auto& validityPeriod = cert.getValidityPeriod().getPeriod();
178  os << "Validity:\n"
179  << " Not Before: " << time::toIsoExtendedString(validityPeriod.first) << "\n"
180  << " Not After: " << time::toIsoExtendedString(validityPeriod.second) << "\n";
181  }
182  catch (const tlv::Error&) {
183  // ignore
184  }
185 
186  os << "Signature Information:\n"
187  << " Signature Type: " << static_cast<tlv::SignatureTypeValue>(cert.getSignatureType()) << "\n";
188 
189  auto keyLoc = cert.getKeyLocator();
190  if (keyLoc) {
191  os << " Key Locator: " << *keyLoc << "\n";
192  if (keyLoc->getType() == tlv::Name && keyLoc->getName() == cert.getKeyName()) {
193  os << " Self-Signed: yes\n";
194  }
195  }
196 
197  return os;
198 }
199 
200 Name
201 extractIdentityFromCertName(const Name& certName)
202 {
203  if (!Certificate::isValidName(certName)) {
204  NDN_THROW(std::invalid_argument("Certificate name `" + certName.toUri() + "` "
205  "does not respect the naming conventions"));
206  }
207 
208  return certName.getPrefix(Certificate::KEY_COMPONENT_OFFSET); // trim everything after and including "KEY"
209 }
210 
211 Name
212 extractKeyNameFromCertName(const Name& certName)
213 {
214  if (!Certificate::isValidName(certName)) {
215  NDN_THROW(std::invalid_argument("Certificate name `" + certName.toUri() + "` "
216  "does not respect the naming conventions"));
217  }
218 
219  return certName.getPrefix(Certificate::KEY_ID_OFFSET + 1); // trim everything after key id
220 }
221 
222 } // inline namespace v2
223 } // namespace security
224 } // namespace ndn
ndn::Block
Represents a TLV element of the NDN packet format.
Definition: block.hpp:45
ndn::Data
Represents a Data packet.
Definition: data.hpp:39
ndn::Data::getSignatureType
int32_t getSignatureType() const noexcept
Get the SignatureType.
Definition: data.hpp:317
ndn::Data::getKeyLocator
optional< KeyLocator > getKeyLocator() const noexcept
Get the KeyLocator element.
Definition: data.hpp:326
ndn::Data::setFreshnessPeriod
Data & setFreshnessPeriod(time::milliseconds freshnessPeriod)
Definition: data.cpp:344
ndn::Data::getSignatureInfo
const SignatureInfo & getSignatureInfo() const noexcept
Get the SignatureInfo element.
Definition: data.hpp:224
ndn::Data::getName
const Name & getName() const noexcept
Get the data name.
Definition: data.hpp:129
ndn::Data::getFreshnessPeriod
time::milliseconds getFreshnessPeriod() const
Definition: data.hpp:294
ndn::Data::getContentType
uint32_t getContentType() const
Definition: data.hpp:285
ndn::Data::setContentType
Data & setContentType(uint32_t type)
Definition: data.cpp:334
ndn::Name
Represents an absolute name.
Definition: name.hpp:44
ndn::Name::getPrefix
PartialName getPrefix(ssize_t nComponents) const
Returns a prefix of the name.
Definition: name.hpp:216
ndn::Name::size
size_t size() const noexcept
Returns the number of components.
Definition: name.hpp:155
ndn::Name::at
const Component & at(ssize_t i) const
Returns an immutable reference to the component at the specified index, with bounds checking.
Definition: name.cpp:171
ndn::Name::toUri
void toUri(std::ostream &os, name::UriFormat format=name::UriFormat::DEFAULT) const
Write URI representation of the name to the output stream.
Definition: name.cpp:349
ndn::SignatureInfo::getValidityPeriod
security::ValidityPeriod getValidityPeriod() const
Get the ValidityPeriod element.
Definition: signature-info.cpp:209
ndn::SignatureInfo::getCustomTlv
optional< Block > getCustomTlv(uint32_t type) const
Get first custom TLV element with the specified TLV-TYPE.
Definition: signature-info.cpp:298
ndn::name::Component
Represents a name component.
Definition: name-component.hpp:114
ndn::security::ValidityPeriod
Represents a ValidityPeriod TLV element.
Definition: validity-period.hpp:37
ndn::security::ValidityPeriod::isValid
bool isValid(const time::system_clock::TimePoint &now=time::system_clock::now()) const
Check if now falls within the validity period.
Definition: validity-period.cpp:154
ndn::security::ValidityPeriod::getPeriod
std::pair< time::system_clock::TimePoint, time::system_clock::TimePoint > getPeriod() const
Get the stored validity period.
Definition: validity-period.cpp:148
ndn::security::AdditionalDescription
Represents an AdditionalDescription TLV element.
Definition: additional-description.hpp:39
ndn::security::v2::Certificate
Represents an NDN certificate.
Definition: certificate.hpp:60
ndn::security::v2::Certificate::isValid
bool isValid(const time::system_clock::TimePoint &ts=time::system_clock::now()) const
Check if the certificate is valid at ts.
Definition: certificate.cpp:110
ndn::security::v2::Certificate::getIssuerId
name::Component getIssuerId() const
Get issuer ID.
Definition: certificate.cpp:98
ndn::security::v2::Certificate::KEY_COMPONENT
static const name::Component KEY_COMPONENT
Definition: certificate.hpp:159
ndn::security::v2::Certificate::getKeyName
Name getKeyName() const
Get key name.
Definition: certificate.cpp:86
ndn::security::v2::Certificate::DEFAULT_ISSUER_ID
static const name::Component DEFAULT_ISSUER_ID
Definition: certificate.hpp:160
ndn::security::v2::Certificate::getIdentity
Name getIdentity() const
Get identity name.
Definition: certificate.cpp:80
ndn::security::v2::Certificate::getValidityPeriod
ValidityPeriod getValidityPeriod() const
Get validity period of the certificate.
Definition: certificate.cpp:104
ndn::security::v2::Certificate::KEY_COMPONENT_OFFSET
static const ssize_t KEY_COMPONENT_OFFSET
Definition: certificate.hpp:155
ndn::security::v2::Certificate::MIN_KEY_NAME_LENGTH
static const size_t MIN_KEY_NAME_LENGTH
Definition: certificate.hpp:158
ndn::security::v2::Certificate::isValidName
static bool isValidName(const Name &certName)
Check if the specified name follows the naming convention for the certificate.
Definition: certificate.cpp:126
ndn::security::v2::Certificate::getKeyId
name::Component getKeyId() const
Get key ID.
Definition: certificate.cpp:92
ndn::security::v2::Certificate::MIN_CERT_NAME_LENGTH
static const size_t MIN_CERT_NAME_LENGTH
Definition: certificate.hpp:157
ndn::security::v2::Certificate::ISSUER_ID_OFFSET
static const ssize_t ISSUER_ID_OFFSET
Definition: certificate.hpp:154
ndn::security::v2::Certificate::getPublicKey
span< const uint8_t > getPublicKey() const noexcept
Return the public key as a DER-encoded SubjectPublicKeyInfo structure, i.e., exactly as it appears in...
Definition: certificate.hpp:120
ndn::security::v2::Certificate::VERSION_OFFSET
static const ssize_t VERSION_OFFSET
Definition: certificate.hpp:153
ndn::security::v2::Certificate::KEY_ID_OFFSET
static const ssize_t KEY_ID_OFFSET
Definition: certificate.hpp:156
ndn::security::v2::Certificate::getExtension
Block getExtension(uint32_t type) const
Get extension with TLV type.
Definition: certificate.cpp:116
ndn::time::system_clock::TimePoint
time_point TimePoint
Definition: time.hpp:203
ndn::tlv::Error
Represents an error in TLV encoding or decoding.
Definition: tlv.hpp:54
ndn::util::IndentedStream
Output to stream with specified indent or prefix.
Definition: indented-stream.hpp:55
NDN_THROW
#define NDN_THROW(e)
Definition: exception.hpp:61
ndn::exception::to_string
std::string to_string(const errinfo_stacktrace &x)
Definition: exception.cpp:31
ndn::security::transform::streamSink
unique_ptr< Sink > streamSink(std::ostream &os)
Definition: stream-sink.cpp:53
ndn::security::transform::base64Encode
unique_ptr< Transform > base64Encode(bool needBreak)
Definition: base64-encode.cpp:129
ndn::security::v2::operator<<
std::ostream & operator<<(std::ostream &os, const AdditionalDescription &desc)
Definition: additional-description.cpp:167
ndn::security::v2::extractKeyNameFromCertName
Name extractKeyNameFromCertName(const Name &certName)
Extract key name from the certificate name certName.
Definition: certificate.cpp:212
ndn::security::v2::extractIdentityFromCertName
Name extractIdentityFromCertName(const Name &certName)
Extract identity namespace from the certificate name certName.
Definition: certificate.cpp:201
ndn::time::toIsoExtendedString
std::string toIsoExtendedString(const system_clock::time_point &timePoint)
Convert to the ISO 8601 string representation, extended format (YYYY-MM-DDTHH:MM:SS,...
Definition: time.cpp:149
ndn::tlv::Name
@ Name
Definition: tlv.hpp:71
ndn::tlv::AdditionalDescription
@ AdditionalDescription
Definition: tlv.hpp:110
ndn::tlv::ContentType_Key
@ ContentType_Key
public key, certificate
Definition: tlv.hpp:147
ndn::tlv::SignatureTypeValue
SignatureTypeValue
SignatureType values.
Definition: tlv.hpp:127
ndn
Definition: data.cpp:25