security: add vectored API for verify and sign

Add vectored input for BufferSource transform refs #4804 Change-Id: I4949afe5ddb5a49ce6a956da6bc7931cf3719021
named-data · Jun 18, 2020 · 6d024ba · 6d024ba
1 parent 8afba42
commit 6d024ba
Show file tree

Hide file tree

Showing 15 changed files with 243 additions and 97 deletions.
diff --git a/ndn-cxx/security/security-common.hpp b/ndn-cxx/security/security-common.hpp
@@ -24,6 +24,8 @@
 
 #include "ndn-cxx/detail/common.hpp"
 
+#include <vector>
+
 namespace ndn {
 
 namespace signed_interest {
@@ -52,6 +54,9 @@ const size_t MIN_SIZE = 4;
 
 } // namespace command_interest
 
+/// Represents a range of distcontiguous buffers as input to a security operation
+typedef std::vector<std::pair<const uint8_t*, size_t>> InputBuffers;
+
 /**
  * @brief The type of KeyId component in a key name.
  */

diff --git a/ndn-cxx/security/tpm/impl/back-end-osx.cpp b/ndn-cxx/security/tpm/impl/back-end-osx.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /*
- * Copyright (c) 2013-2019 Regents of the University of California.
+ * Copyright (c) 2013-2020 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -21,7 +21,10 @@
 
 #include "ndn-cxx/security/tpm/impl/back-end-osx.hpp"
 #include "ndn-cxx/security/tpm/impl/key-handle-osx.hpp"
+#include "ndn-cxx/security/transform/buffer-source.hpp"
+#include "ndn-cxx/security/transform/digest-filter.hpp"
 #include "ndn-cxx/security/transform/private-key.hpp"
+#include "ndn-cxx/security/transform/stream-sink.hpp"
 #include "ndn-cxx/detail/cf-string-osx.hpp"
 #include "ndn-cxx/encoding/buffer-stream.hpp"
 
@@ -246,21 +249,34 @@ BackEndOsx::unlockTpm(const char* pw, size_t pwLen) const
 }
 
 ConstBufferPtr
-BackEndOsx::sign(const KeyRefOsx& key, DigestAlgorithm digestAlgo, const uint8_t* buf, size_t size)
+BackEndOsx::sign(const KeyRefOsx& key, DigestAlgorithm digestAlgo, const InputBuffers& bufs)
 {
   CFReleaser<CFErrorRef> error;
   CFReleaser<SecTransformRef> signer = SecSignTransformCreate(key.get(), &error.get());
   if (signer == nullptr) {
     NDN_THROW(Error("Failed to create sign transform: " + getFailureReason(error.get())));
   }
 
+  // Generate digest
+  OBufferStream digestSink;
+  using namespace transform;
+  bufferSource(bufs) >> digestFilter(digestAlgo) >> streamSink(digestSink);
+
   // Set input
-  auto data = makeCFDataNoCopy(buf, size);
+  auto buffer = digestSink.buf();
+  BOOST_ASSERT(buffer->size() * 8 == static_cast<size_t>(getDigestSize(digestAlgo)));
+  auto data = makeCFDataNoCopy(buffer->data(), buffer->size());
   SecTransformSetAttribute(signer.get(), kSecTransformInputAttributeName, data.get(), &error.get());
   if (error != nullptr) {
     NDN_THROW(Error("Failed to configure input of sign transform: " + getFailureReason(error.get())));
   }
 
+  // Configure input as digest
+  SecTransformSetAttribute(signer.get(), kSecInputIsAttributeName, kSecInputIsDigest, &error.get());
+  if (error != nullptr) {
+    NDN_THROW(Error("Failed to configure sign transform input as digest: " + getFailureReason(error.get())));
+  }
+
   // Enable use of padding
   SecTransformSetAttribute(signer.get(), kSecPaddingKey, kSecPaddingPKCS1Key, &error.get());
   if (error != nullptr) {

diff --git a/ndn-cxx/security/tpm/impl/back-end-osx.hpp b/ndn-cxx/security/tpm/impl/back-end-osx.hpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /*
- * Copyright (c) 2013-2019 Regents of the University of California.
+ * Copyright (c) 2013-2020 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -68,11 +68,14 @@ class BackEndOsx final : public BackEnd
 
 public: // crypto transformation
   /**
-   * @brief Sign @p buf with @p key using @p digestAlgorithm.
+   * @brief Sign @p bufs with @p key using @p digestAlgorithm.
    */
   static ConstBufferPtr
-  sign(const KeyRefOsx& key, DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size);
+  sign(const KeyRefOsx& key, DigestAlgorithm digestAlgorithm, const InputBuffers& bufs);
 
+  /**
+   * @brief Decrypt @p cipherText with @p key.
+   */
   static ConstBufferPtr
   decrypt(const KeyRefOsx& key, const uint8_t* cipherText, size_t cipherSize);
 

diff --git a/ndn-cxx/security/tpm/impl/key-handle-mem.cpp b/ndn-cxx/security/tpm/impl/key-handle-mem.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /*
- * Copyright (c) 2013-2019 Regents of the University of California.
+ * Copyright (c) 2013-2020 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -39,24 +39,23 @@ KeyHandleMem::KeyHandleMem(shared_ptr<transform::PrivateKey> key)
 }
 
 ConstBufferPtr
-KeyHandleMem::doSign(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size) const
+KeyHandleMem::doSign(DigestAlgorithm digestAlgorithm, const InputBuffers& bufs) const
 {
   using namespace transform;
 
   OBufferStream sigOs;
-  bufferSource(buf, size) >> signerFilter(digestAlgorithm, *m_key) >> streamSink(sigOs);
+  bufferSource(bufs) >> signerFilter(digestAlgorithm, *m_key) >> streamSink(sigOs);
   return sigOs.buf();
 }
 
 bool
-KeyHandleMem::doVerify(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size,
+KeyHandleMem::doVerify(DigestAlgorithm digestAlgorithm, const InputBuffers& bufs,
                        const uint8_t* sig, size_t sigLen) const
 {
   using namespace transform;
 
   bool result = false;
-  bufferSource(buf, size) >> verifierFilter(digestAlgorithm, *m_key, sig, sigLen)
-                          >> boolSink(result);
+  bufferSource(bufs) >> verifierFilter(digestAlgorithm, *m_key, sig, sigLen) >> boolSink(result);
   return result;
 }
 

diff --git a/ndn-cxx/security/tpm/impl/key-handle-mem.hpp b/ndn-cxx/security/tpm/impl/key-handle-mem.hpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /*
- * Copyright (c) 2013-2019 Regents of the University of California.
+ * Copyright (c) 2013-2020 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -44,10 +44,10 @@ class KeyHandleMem : public KeyHandle
 
 private:
   ConstBufferPtr
-  doSign(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size) const final;
+  doSign(DigestAlgorithm digestAlgorithm, const InputBuffers& bufs) const final;
 
   bool
-  doVerify(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size,
+  doVerify(DigestAlgorithm digestAlgorithm, const InputBuffers& bufs,
            const uint8_t* sig, size_t sigLen) const final;
 
   ConstBufferPtr

diff --git a/ndn-cxx/security/tpm/impl/key-handle-osx.cpp b/ndn-cxx/security/tpm/impl/key-handle-osx.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /*
- * Copyright (c) 2013-2019 Regents of the University of California.
+ * Copyright (c) 2013-2020 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -34,13 +34,13 @@ KeyHandleOsx::KeyHandleOsx(const KeyRefOsx& key)
 }
 
 ConstBufferPtr
-KeyHandleOsx::doSign(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size) const
+KeyHandleOsx::doSign(DigestAlgorithm digestAlgorithm, const InputBuffers& bufs) const
 {
-  return BackEndOsx::sign(m_key, digestAlgorithm, buf, size);
+  return BackEndOsx::sign(m_key, digestAlgorithm, bufs);
 }
 
 bool
-KeyHandleOsx::doVerify(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size,
+KeyHandleOsx::doVerify(DigestAlgorithm digestAlgorithm, const InputBuffers& bufs,
                        const uint8_t* sig, size_t sigLen) const
 {
   NDN_THROW(Error("Signature verification is not supported with macOS Keychain-based TPM"));

diff --git a/ndn-cxx/security/tpm/impl/key-handle-osx.hpp b/ndn-cxx/security/tpm/impl/key-handle-osx.hpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /*
- * Copyright (c) 2013-2019 Regents of the University of California.
+ * Copyright (c) 2013-2020 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -45,10 +45,10 @@ class KeyHandleOsx : public KeyHandle
 
 private:
   ConstBufferPtr
-  doSign(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size) const final;
+  doSign(DigestAlgorithm digestAlgorithm, const InputBuffers& bufs) const final;
 
   bool
-  doVerify(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size,
+  doVerify(DigestAlgorithm digestAlgorithm, const InputBuffers& bufs,
            const uint8_t* sig, size_t sigLen) const final;
 
   ConstBufferPtr

diff --git a/ndn-cxx/security/tpm/key-handle.cpp b/ndn-cxx/security/tpm/key-handle.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /*
- * Copyright (c) 2013-2019 Regents of the University of California.
+ * Copyright (c) 2013-2020 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -27,17 +27,30 @@ namespace tpm {
 
 KeyHandle::~KeyHandle() = default;
 
+ConstBufferPtr
+KeyHandle::sign(DigestAlgorithm digestAlgorithm, const InputBuffers& bufs) const
+{
+  return doSign(digestAlgorithm, bufs);
+}
+
 ConstBufferPtr
 KeyHandle::sign(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size) const
 {
-  return doSign(digestAlgorithm, buf, size);
+  return doSign(digestAlgorithm, {{buf, size}});
+}
+
+bool
+KeyHandle::verify(DigestAlgorithm digestAlgorithm, const InputBuffers& bufs,
+                  const uint8_t* sig, size_t sigLen) const
+{
+  return doVerify(digestAlgorithm, bufs, sig, sigLen);
 }
 
 bool
 KeyHandle::verify(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t bufLen,
                   const uint8_t* sig, size_t sigLen) const
 {
-  return doVerify(digestAlgorithm, buf, bufLen, sig, sigLen);
+  return doVerify(digestAlgorithm, {{buf, bufLen}}, sig, sigLen);
 }
 
 ConstBufferPtr

diff --git a/ndn-cxx/security/tpm/key-handle.hpp b/ndn-cxx/security/tpm/key-handle.hpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /*
- * Copyright (c) 2013-2019 Regents of the University of California.
+ * Copyright (c) 2013-2020 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -48,20 +48,33 @@ class KeyHandle : noncopyable
   ~KeyHandle();
 
   /**
-   * @return a digital signature created on @p buf using this key with @p digestAlgorithm.
+   * @brief Generate a digital signature for @p bufs using this key with @p digestAlgorithm.
+   */
+  ConstBufferPtr
+  sign(DigestAlgorithm digestAlgorithm, const InputBuffers& bufs) const;
+
+  /**
+   * @brief Generate a digital signature for @p buf using this key with @p digestAlgorithm.
    */
   ConstBufferPtr
   sign(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size) const;
 
   /**
-   * @brief Verify the signature @p sig created on @p buf using this key and @p digestAlgorithm.
+   * @brief Verify the signature @p sig for @p bufs using this key and @p digestAlgorithm.
+   */
+  bool
+  verify(DigestAlgorithm digestAlgorithm, const InputBuffers& bufs,
+         const uint8_t* sig, size_t sigLen) const;
+
+  /**
+   * @brief Verify the signature @p sig for @p buf using this key and @p digestAlgorithm.
    */
   bool
   verify(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t bufLen,
          const uint8_t* sig, size_t sigLen) const;
 
   /**
-   * @return plain text content decrypted from @p cipherText using this key.
+   * @brief Return plain text content decrypted from @p cipherText using this key.
    */
   ConstBufferPtr
   decrypt(const uint8_t* cipherText, size_t cipherTextLen) const;
@@ -86,10 +99,10 @@ class KeyHandle : noncopyable
 
 private:
   virtual ConstBufferPtr
-  doSign(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t size) const = 0;
+  doSign(DigestAlgorithm digestAlgorithm, const InputBuffers& bufs) const = 0;
 
   virtual bool
-  doVerify(DigestAlgorithm digestAlgorithm, const uint8_t* buf, size_t bufLen,
+  doVerify(DigestAlgorithm digestAlgorithm, const InputBuffers& bufs,
            const uint8_t* sig, size_t sigLen) const = 0;
 
   virtual ConstBufferPtr

diff --git a/ndn-cxx/security/tpm/tpm.cpp b/ndn-cxx/security/tpm/tpm.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /*
- * Copyright (c) 2013-2019 Regents of the University of California.
+ * Copyright (c) 2013-2020 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -81,26 +81,30 @@ Tpm::getPublicKey(const Name& keyName) const
 }
 
 ConstBufferPtr
-Tpm::sign(const uint8_t* buf, size_t size, const Name& keyName, DigestAlgorithm digestAlgorithm) const
+Tpm::sign(const InputBuffers& bufs, const Name& keyName, DigestAlgorithm digestAlgorithm) const
 {
   const KeyHandle* key = findKey(keyName);
 
-  if (key == nullptr)
+  if (key == nullptr) {
     return nullptr;
-  else
-    return key->sign(digestAlgorithm, buf, size);
+  }
+  else {
+    return key->sign(digestAlgorithm, bufs);
+  }
 }
 
 boost::logic::tribool
-Tpm::verify(const uint8_t* buf, size_t bufLen, const uint8_t* sig, size_t sigLen,
-            const Name& keyName, DigestAlgorithm digestAlgorithm) const
+Tpm::verify(const InputBuffers& bufs, const uint8_t* sig, size_t sigLen, const Name& keyName,
+            DigestAlgorithm digestAlgorithm) const
 {
   const KeyHandle* key = findKey(keyName);
 
-  if (key == nullptr)
+  if (key == nullptr) {
     return boost::logic::indeterminate;
-  else
-    return key->verify(digestAlgorithm, buf, bufLen, sig, sigLen);
+  }
+  else {
+    return key->verify(digestAlgorithm, bufs, sig, sigLen);
+  }
 }
 
 ConstBufferPtr