inline void CommandInterestValidator::addInterestRule(const std::string& regex, const IdentityCertificate& certificate) { Name keyName = IdentityCertificate::certificateNameToPublicKeyName(certificate.getName()); addInterestRule(regex, keyName, certificate.getPublicKeyInfo()); }
TEST_F(TestConfigPolicyManager, Refresh10s) { ifstream dataFile((policyConfigDirectory_ + "/testData").c_str()); stringstream encodedData; encodedData << dataFile.rdbuf(); vector<uint8_t> dataBlob; fromBase64(encodedData.str(), dataBlob); ptr_lib::shared_ptr<Data> data(new Data()); data->wireDecode(dataBlob); // This test is needed, since the KeyChain will express interests in unknown // certificates. VerificationResult vr = doVerify(*policyManager_, data); ASSERT_TRUE(vr.hasFurtherSteps_) << "ConfigPolicyManager did not create ValidationRequest for unknown certificate"; ASSERT_EQ(vr.successCount_, 0) << "ConfigPolicyManager called success callback with pending ValidationRequest"; ASSERT_EQ(vr.failureCount_, 0) << "ConfigPolicyManager called failure callback with pending ValidationRequest"; // Now save the cert data to our anchor directory, and wait. // We have to sign it with the current identity or the policy manager will // create an interest for the signing certificate. IdentityCertificate cert; vector<uint8_t> certData; fromBase64(CERT_DUMP, certData); cert.wireDecode(Blob(certData)); keyChain_->signByIdentity(cert, identityName_); Blob signedCertBlob = cert.wireEncode(); string encodedCert = toBase64(signedCertBlob.buf(), signedCertBlob.size(), true); { ofstream certFile(testCertFile_.c_str()); certFile << encodedCert; } // Still too early for refresh to pick it up. vr = doVerify(*policyManager_, data); ASSERT_TRUE(vr.hasFurtherSteps_) << "ConfigPolicyManager refresh occured sooner than specified"; ASSERT_EQ(vr.successCount_, 0) << "ConfigPolicyManager called success callback with pending ValidationRequest"; ASSERT_EQ(vr.failureCount_, 0) << "ConfigPolicyManager called failure callback with pending ValidationRequest"; usleep(6000000); // Now we should find it. vr = doVerify(*policyManager_, data); ASSERT_FALSE(vr.hasFurtherSteps_) << "ConfigPolicyManager did not refresh certificate store"; ASSERT_EQ(vr.successCount_, 1) << "Verification success called " << vr.successCount_ << " times instead of 1"; ASSERT_EQ(vr.failureCount_, 0) << "ConfigPolicyManager did not verify valid signed data"; }
void IdentityManager::setDefaultCertificateForKey(const IdentityCertificate& certificate) { Name keyName = certificate.getPublicKeyName(); if(!identityStorage_->doesKeyExist(keyName)) throw SecurityException("No corresponding Key record for certificate!"); identityStorage_->setDefaultCertificateNameForKey(keyName, certificate.getName()); }
void SecPublicInfoMemory::addCertificate(const IdentityCertificate& certificate) { const Name& certificateName = certificate.getName(); const Name& keyName = certificate.getPublicKeyName(); const Name& identity = keyName.getPrefix(-1); addIdentity(identity); addPublicKey(keyName, KEY_TYPE_RSA, certificate.getPublicKeyInfo()); m_certificateStore[certificateName.toUri()] = make_shared<IdentityCertificate>(certificate); }
inline void SecPublicInfo::addCertificateAsKeyDefault(const IdentityCertificate& certificate) { addCertificate(certificate); setDefaultCertificateNameForKeyInternal(certificate.getName()); refreshDefaultCertificate(); }
void SecPublicInfo::addCertificateAsIdentityDefault(const IdentityCertificate& certificate) { addCertificate(certificate); Name certName = certificate.getName(); setDefaultKeyNameForIdentityInternal(IdentityCertificate::certificateNameToPublicKeyName(certName)); setDefaultCertificateNameForKeyInternal(certName); refreshDefaultCertificate(); }
SecuredBag::SecuredBag(const IdentityCertificate& cert, ConstBufferPtr key) : m_cert(cert) , m_key(key) , m_wire(tlv::security::IdentityPackage) { Block wireKey(tlv::security::KeyPackage, m_key); Block wireCert(tlv::security::CertificatePackage, cert.wireEncode()); m_wire.push_back(wireCert); m_wire.push_back(wireKey); }
inline void SecPublicInfo::addCertificateAsSystemDefault(const IdentityCertificate& certificate) { addCertificate(certificate); Name certName = certificate.getName(); Name keyName = IdentityCertificate::certificateNameToPublicKeyName(certName); setDefaultIdentityInternal(keyName.getPrefix(-1)); setDefaultKeyNameForIdentityInternal(keyName); setDefaultCertificateNameForKeyInternal(certName); refreshDefaultCertificate(); }
void IdentityManager::addCertificateAsIdentityDefault(const IdentityCertificate& certificate) { identityStorage_->addCertificate(certificate); Name keyName = certificate.getPublicKeyName(); setDefaultKeyForIdentity(keyName); setDefaultCertificateForKey(certificate); }
void SecPublicInfoMemory::addCertificate(const IdentityCertificate& certificate) { const Name& certificateName = certificate.getName(); const Name& keyName = certificate.getPublicKeyName(); if (!doesPublicKeyExist(keyName)) throw Error("No corresponding Key record for certificate! " + keyName.toUri() + " " + certificateName.toUri()); // Check if certificate has already existed! if (doesCertificateExist(certificateName)) throw Error("Certificate has already been installed!"); // Check if the public key of certificate is the same as the key record. ptr_lib::shared_ptr<PublicKey> pubKey = getPublicKey(keyName); if (!pubKey || (*pubKey) != certificate.getPublicKeyInfo()) throw Error("Certificate does not match the public key!"); // Insert the certificate. certificateStore_[certificateName.toUri()] = ptr_lib::make_shared<IdentityCertificate> (certificate); }
void MemoryIdentityStorage::addCertificate(const IdentityCertificate& certificate) { const Name& certificateName = certificate.getName(); Name keyName = certificate.getPublicKeyName(); if (!doesKeyExist(keyName)) throw SecurityException("No corresponding Key record for certificate! " + keyName.toUri() + " " + certificateName.toUri()); // Check if certificate already exists. if (doesCertificateExist(certificateName)) throw SecurityException("Certificate has already been installed!"); // Check if the public key of certificate is the same as the key record. Blob keyBlob = getKey(keyName); if (!keyBlob || (*keyBlob) != *(certificate.getPublicKeyInfo().getKeyDer())) throw SecurityException("Certificate does not match the public key!"); // Insert the certificate. // wireEncode returns the cached encoding if available. certificateStore_[certificateName.toUri()] = certificate.wireEncode(); }
int64_t PibDb::addCertificate(const IdentityCertificate& certificate) { const Name& certName = certificate.getName(); const Name& keyName = certificate.getPublicKeyName(); if (!hasKey(keyName)) addKey(keyName, certificate.getPublicKeyInfo()); sqlite3_stmt* statement; sqlite3_prepare_v2(m_database, "INSERT INTO certificates \ (key_id, certificate_name, certificate_data) \ values ((SELECT id FROM keys WHERE key_name=?), ?, ?)", -1, &statement, nullptr); sqlite3_bind_block(statement, 1, keyName.wireEncode(), SQLITE_TRANSIENT); sqlite3_bind_block(statement, 2, certName.wireEncode(), SQLITE_TRANSIENT); sqlite3_bind_block(statement, 3, certificate.wireEncode(), SQLITE_STATIC); sqlite3_step(statement); sqlite3_finalize(statement); return sqlite3_last_insert_rowid(m_database); }
void PibDb::updateMgmtCertificate(const IdentityCertificate& certificate) { const Name& keyName = certificate.getPublicKeyName(); // Name of mgmt key should be "/localhost/pib/[UserName]/mgmt/[KeyID]" if (keyName.size() != 5 || keyName.compare(0, 2, LOCALHOST_PIB) || keyName.get(3) != MGMT_LABEL) throw Error("PibDb::updateMgmtCertificate: certificate does not follow the naming convention"); string owner = keyName.get(2).toUri(); sqlite3_stmt* statement; if (!m_owner.empty()) { if (m_owner != owner) throw Error("PibDb::updateMgmtCertificate: owner name does not match"); else { sqlite3_prepare_v2(m_database, "UPDATE mgmt SET local_management_cert=? WHERE owner=?", -1, &statement, nullptr); } } else { sqlite3_prepare_v2(m_database, "INSERT INTO mgmt (local_management_cert, owner) VALUES (?, ?)", -1, &statement, nullptr); } sqlite3_bind_block(statement, 1, certificate.wireEncode(), SQLITE_TRANSIENT); sqlite3_bind_string(statement, 2, owner, SQLITE_TRANSIENT); sqlite3_step(statement); sqlite3_finalize(statement); m_owner = owner; mgmtCertificateChanged(); }
void InMemoryPibImpl::addCertificate(const IdentityCertificate& certificate) { m_certs[certificate.getName()] = certificate; }
int ndnsec_cert_gen(int argc, char** argv) { using boost::tokenizer; using boost::escaped_list_separator; using namespace ndn; using namespace ndn::time; namespace po = boost::program_options; std::string notBeforeStr; std::string notAfterStr; std::string subjectName; std::string requestFile("-"); std::string signId; std::string subjectInfo; bool hasSignId = false; bool isNack = false; po::options_description description("General Usage\n ndnsec cert-gen [-h] [-S date] [-E date] [-N subject-name] [-I subject-info] [-s sign-id] request\nGeneral options"); description.add_options() ("help,h", "produce help message") ("not-before,S", po::value<std::string>(¬BeforeStr), "certificate starting date, YYYYMMDDhhmmss") ("not-after,E", po::value<std::string>(¬AfterStr), "certificate ending date, YYYYMMDDhhmmss") ("subject-name,N", po::value<std::string>(&subjectName), "subject name") ("subject-info,I", po::value<std::string>(&subjectInfo), "subject info, pairs of OID and string description: \"2.5.4.10 'University of California, Los Angeles'\"") ("nack", "Generate revocation certificate (NACK)") ("sign-id,s", po::value<std::string>(&signId), "signing Identity, system default identity if not specified") ("request,r", po::value<std::string>(&requestFile), "request file name, - for stdin") ; po::positional_options_description p; p.add("request", 1); po::variables_map vm; try { po::store(po::command_line_parser(argc, argv).options(description).positional(p).run(), vm); po::notify(vm); } catch (const std::exception& e) { std::cerr << "ERROR: " << e.what() << std::endl; return 1; } if (vm.count("help") != 0) { std::cerr << description << std::endl; return 0; } if (vm.count("sign-id") != 0) { hasSignId = true; } if (vm.count("nack") != 0) { isNack = true; } std::vector<CertificateSubjectDescription> otherSubDescrypt; tokenizer<escaped_list_separator<char> > subjectInfoItems (subjectInfo, escaped_list_separator<char> ("\\", " \t", "'\"")); tokenizer<escaped_list_separator<char> >::iterator it = subjectInfoItems.begin(); while (it != subjectInfoItems.end()) { std::string oid = *it; it++; if (it == subjectInfoItems.end()) { std::cerr << "ERROR: unmatched info for oid [" << oid << "]" << std::endl; return 1; } std::string value = *it; otherSubDescrypt.push_back(CertificateSubjectDescription(oid, value)); it++; } system_clock::TimePoint notBefore; system_clock::TimePoint notAfter; if (vm.count("not-before") == 0) { notBefore = system_clock::now(); } else { notBefore = fromIsoString(notBeforeStr.substr(0, 8) + "T" + notBeforeStr.substr(8, 6)); } if (vm.count("not-after") == 0) { notAfter = notBefore + days(365); } else { notAfter = fromIsoString(notAfterStr.substr(0, 8) + "T" + notAfterStr.substr(8, 6)); if (notAfter < notBefore) { std::cerr << "not-before is later than not-after" << std::endl; return 1; } } if (vm.count("request") == 0) { std::cerr << "request file must be specified" << std::endl; return 1; } shared_ptr<IdentityCertificate> selfSignedCertificate = getIdentityCertificate(requestFile); if (!static_cast<bool>(selfSignedCertificate)) { std::cerr << "ERROR: input error" << std::endl; return 1; } KeyChain keyChain; Name keyName = selfSignedCertificate->getPublicKeyName(); Name signIdName; Name certName; if (!hasSignId) signIdName = keyChain.getDefaultIdentity(); else signIdName = Name(signId); if (signIdName.isPrefixOf(keyName)) { // if signee's namespace is a sub-namespace of signer, for example, signer's namespace is // /ndn/test, signee's namespace is /ndn/test/alice, the generated certificate name is // /ndn/test/KEY/alice/ksk-1234/ID-CERT/%01%02 certName.append(signIdName) .append("KEY") .append(keyName.getSubName(signIdName.size())) .append("ID-CERT") .appendVersion(); } else { // if signee's namespace is not a sub-namespace of signer, for example, signer's namespace is // /ndn/test, signee's namespace is /ndn/ucla/bob, the generated certificate name is // /ndn/ucla/bob/KEY/ksk-1234/ID-CERT/%01%02 certName.append(keyName.getPrefix(-1)) .append("KEY") .append(keyName.get(-1)) .append("ID-CERT") .appendVersion(); } Block wire; if (!isNack) { if (vm.count("subject-name") == 0) { std::cerr << "subject_name must be specified" << std::endl; return 1; } CertificateSubjectDescription subDescryptName("2.5.4.41", subjectName); IdentityCertificate certificate; certificate.setName(certName); certificate.setNotBefore(notBefore); certificate.setNotAfter(notAfter); certificate.setPublicKeyInfo(selfSignedCertificate->getPublicKeyInfo()); certificate.addSubjectDescription(subDescryptName); for (size_t i = 0; i < otherSubDescrypt.size(); i++) certificate.addSubjectDescription(otherSubDescrypt[i]); certificate.encode(); keyChain.createIdentity(signIdName); Name signingCertificateName = keyChain.getDefaultCertificateNameForIdentity(signIdName); keyChain.sign(certificate, signingCertificateName); wire = certificate.wireEncode(); } else { Data revocationCert; // revocationCert.setContent(void*, 0); // empty content revocationCert.setName(certName); keyChain.createIdentity(signIdName); Name signingCertificateName = keyChain.getDefaultCertificateNameForIdentity(signIdName); keyChain.sign(revocationCert, signingCertificateName); wire = revocationCert.wireEncode(); } try { using namespace CryptoPP; StringSource ss(wire.wire(), wire.size(), true, new Base64Encoder(new FileSink(std::cout), true, 64)); } catch (const CryptoPP::Exception& e) { std::cerr << "ERROR: " << e.what() << std::endl; return 1; } return 0; }