diff --git a/docs/manpages/ndnsec-unlock-tpm.rst b/docs/manpages/ndnsec-unlock-tpm.rst index 5e181088..858f0b69 100644 --- a/docs/manpages/ndnsec-unlock-tpm.rst +++ b/docs/manpages/ndnsec-unlock-tpm.rst @@ -9,5 +9,7 @@ Synopsis Description ----------- +**DEPRECATED** + This command can be used to (temporarily) unlock the local **Trusted Platform Module (TPM)** that manages the private keys. diff --git a/docs/manpages/ndnsec.rst b/docs/manpages/ndnsec.rst index edf948af..6f2064a6 100644 --- a/docs/manpages/ndnsec.rst +++ b/docs/manpages/ndnsec.rst @@ -56,9 +56,6 @@ The following commands are understood: :doc:`import ` Import an identity from a SafeBag. -:doc:`unlock-tpm ` - Unlock the TPM. - Exit Status ----------- diff --git a/ndn-cxx/security/tpm/back-end.cpp b/ndn-cxx/security/tpm/back-end.cpp index d336b0b2..ab374e68 100644 --- a/ndn-cxx/security/tpm/back-end.cpp +++ b/ndn-cxx/security/tpm/back-end.cpp @@ -1,6 +1,6 @@ /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */ /* - * Copyright (c) 2013-2023 Regents of the University of California. + * Copyright (c) 2013-2024 Regents of the University of California. * * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions). * @@ -145,27 +145,4 @@ BackEnd::constructHmacKeyName(const transform::PrivateKey& key, const Name& iden return Name(identity).append(name::Component(key.getKeyDigest(DigestAlgorithm::SHA256))); } -bool -BackEnd::isTerminalMode() const -{ - return true; -} - -void -BackEnd::setTerminalMode(bool isTerminal) const -{ -} - -bool -BackEnd::isTpmLocked() const -{ - return false; -} - -bool -BackEnd::unlockTpm(const char* pw, size_t pwLen) const -{ - return !isTpmLocked(); -} - } // namespace ndn::security::tpm diff --git a/ndn-cxx/security/tpm/back-end.hpp b/ndn-cxx/security/tpm/back-end.hpp index b66d267b..e83580ba 100644 --- a/ndn-cxx/security/tpm/back-end.hpp +++ b/ndn-cxx/security/tpm/back-end.hpp @@ -1,6 +1,6 @@ /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */ /* - * Copyright (c) 2013-2023 Regents of the University of California. + * Copyright (c) 2013-2024 Regents of the University of California. * * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions). * @@ -116,45 +116,59 @@ class BackEnd : noncopyable /** * @brief Check if the TPM is in terminal mode. + * @deprecated * * The default implementation always returns true. - * - * @return True if in terminal mode, false otherwise. */ + [[deprecated]] virtual bool - isTerminalMode() const; + isTerminalMode() const + { + return true; + } /** * @brief Set the terminal mode of the TPM. + * @deprecated * * In terminal mode, the TPM will not ask for a password from the GUI. * The default implementation does nothing. */ + [[deprecated]] virtual void - setTerminalMode(bool isTerminal) const; + setTerminalMode(bool isTerminal) const + { + } /** * @brief Check if the TPM is locked. + * @deprecated * * The default implementation always returns false. - * - * @return True if locked, false otherwise. */ + [[deprecated]] virtual bool - isTpmLocked() const; + isTpmLocked() const + { + return false; + } /** * @brief Unlock the TPM. + * @deprecated * - * The default implementation does nothing and returns `!isTpmLocked()`. + * The default implementation does nothing and always returns true. * * @param pw The password to unlock the TPM. * @param pwLen The length of the password. - * * @return True if the TPM was unlocked. */ + [[deprecated]] [[nodiscard]] virtual bool - unlockTpm(const char* pw, size_t pwLen) const; + unlockTpm(const char* pw, size_t pwLen) const + { + return true; + } protected: // helper methods /** diff --git a/ndn-cxx/security/tpm/impl/back-end-osx.cpp b/ndn-cxx/security/tpm/impl/back-end-osx.cpp index 0567655f..f94494ce 100644 --- a/ndn-cxx/security/tpm/impl/back-end-osx.cpp +++ b/ndn-cxx/security/tpm/impl/back-end-osx.cpp @@ -1,6 +1,6 @@ /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */ /* - * Copyright (c) 2013-2023 Regents of the University of California. + * Copyright (c) 2013-2024 Regents of the University of California. * * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions). * @@ -38,11 +38,9 @@ namespace ndn::security::tpm { namespace cfstring = ndn::detail::cfstring; using ndn::detail::CFReleaser; -class BackEndOsx::Impl +struct BackEndOsx::Impl { -public: SecKeychainRef keyChainRef; - bool isTerminalMode = false; }; static CFReleaser @@ -187,8 +185,6 @@ exportItem(const KeyRefOsx& keyRef, transform::PrivateKey& outKey) BackEndOsx::BackEndOsx(const std::string&) : m_impl(make_unique()) { - SecKeychainSetUserInteractionAllowed(!m_impl->isTerminalMode); - OSStatus res = SecKeychainCopyDefault(&m_impl->keyChainRef); if (res == errSecNoDefaultKeychain) { NDN_THROW(Error("No default keychain, create one first")); @@ -204,49 +200,6 @@ BackEndOsx::getScheme() return scheme; } -bool -BackEndOsx::isTerminalMode() const -{ - return m_impl->isTerminalMode; -} - -void -BackEndOsx::setTerminalMode(bool isTerminal) const -{ - m_impl->isTerminalMode = isTerminal; - SecKeychainSetUserInteractionAllowed(!isTerminal); -} - -bool -BackEndOsx::isTpmLocked() const -{ - SecKeychainStatus keychainStatus; - OSStatus res = SecKeychainGetStatus(m_impl->keyChainRef, &keychainStatus); - if (res != errSecSuccess) - return true; - else - return (kSecUnlockStateStatus & keychainStatus) == 0; -} - -bool -BackEndOsx::unlockTpm(const char* pw, size_t pwLen) const -{ - // If the default key chain is already unlocked, return immediately. - if (!isTpmLocked()) - return true; - - if (m_impl->isTerminalMode) { - // Use the supplied password. - SecKeychainUnlock(m_impl->keyChainRef, pwLen, pw, true); - } - else { - // If inTerminal is not set, get the password from GUI. - SecKeychainUnlock(m_impl->keyChainRef, 0, nullptr, false); - } - - return !isTpmLocked(); -} - ConstBufferPtr BackEndOsx::sign(const KeyRefOsx& key, DigestAlgorithm digestAlgo, const InputBuffers& bufs) { diff --git a/ndn-cxx/security/tpm/impl/back-end-osx.hpp b/ndn-cxx/security/tpm/impl/back-end-osx.hpp index 706bca4b..143abb97 100644 --- a/ndn-cxx/security/tpm/impl/back-end-osx.hpp +++ b/ndn-cxx/security/tpm/impl/back-end-osx.hpp @@ -1,6 +1,6 @@ /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */ /* - * Copyright (c) 2013-2023 Regents of the University of California. + * Copyright (c) 2013-2024 Regents of the University of California. * * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions). * @@ -51,19 +51,6 @@ class BackEndOsx final : public BackEnd static const std::string& getScheme(); -public: // management - bool - isTerminalMode() const final; - - void - setTerminalMode(bool isTerminal) const final; - - bool - isTpmLocked() const final; - - bool - unlockTpm(const char* pw, size_t pwLen) const final; - public: // crypto transformation /** * @brief Sign @p bufs with @p key using @p digestAlgorithm. @@ -103,7 +90,7 @@ class BackEndOsx final : public BackEnd doImportKey(const Name& keyName, shared_ptr key) final; private: - class Impl; + struct Impl; const unique_ptr m_impl; }; diff --git a/ndn-cxx/security/tpm/tpm.cpp b/ndn-cxx/security/tpm/tpm.cpp index 9e150dea..50ab3a41 100644 --- a/ndn-cxx/security/tpm/tpm.cpp +++ b/ndn-cxx/security/tpm/tpm.cpp @@ -1,6 +1,6 @@ /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */ /* - * Copyright (c) 2013-2023 Regents of the University of California. + * Copyright (c) 2013-2024 Regents of the University of California. * * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions). * @@ -91,6 +91,9 @@ Tpm::decrypt(span buf, const Name& keyName) const return key ? key->decrypt(buf) : nullptr; } +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wdeprecated-declarations" + bool Tpm::isTerminalMode() const { @@ -115,6 +118,8 @@ Tpm::unlockTpm(const char* password, size_t passwordLength) const return m_backEnd->unlockTpm(password, passwordLength); } +#pragma GCC diagnostic pop + ConstBufferPtr Tpm::exportPrivateKey(const Name& keyName, const char* pw, size_t pwLen) const { diff --git a/ndn-cxx/security/tpm/tpm.hpp b/ndn-cxx/security/tpm/tpm.hpp index feae7930..ef67fbde 100644 --- a/ndn-cxx/security/tpm/tpm.hpp +++ b/ndn-cxx/security/tpm/tpm.hpp @@ -1,6 +1,6 @@ /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */ /* - * Copyright (c) 2013-2023 Regents of the University of California. + * Copyright (c) 2013-2024 Regents of the University of California. * * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions). * @@ -129,30 +129,38 @@ class Tpm : noncopyable public: // Management /** * @brief Check if the TPM is in terminal mode. + * @deprecated */ + [[deprecated]] bool isTerminalMode() const; /** * @brief Set the terminal mode of the TPM. + * @deprecated * * When in terminal mode, the TPM will not ask user permission from GUI. */ + [[deprecated]] void setTerminalMode(bool isTerminal) const; /** * @return true if the TPM is locked, otherwise false. + * @deprecated */ + [[deprecated]] bool isTpmLocked() const; /** * @brief Unlock the TPM. + * @deprecated * * @param password The password to unlock the TPM. * @param passwordLength The password size. */ + [[deprecated]] [[nodiscard]] bool unlockTpm(const char* password, size_t passwordLength) const; diff --git a/tools/ndnsec/main.cpp b/tools/ndnsec/main.cpp index 76093451..aa6ce370 100644 --- a/tools/ndnsec/main.cpp +++ b/tools/ndnsec/main.cpp @@ -1,6 +1,6 @@ /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */ /* - * Copyright (c) 2013-2023 Regents of the University of California. + * Copyright (c) 2013-2024 Regents of the University of California. * * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions). * @@ -35,7 +35,6 @@ constexpr std::string_view NDNSEC_HELP_TEXT = R"STR(Usage: ndnsec COMMAND [OPTIO Available commands: help Print this help text - version Print program version list List all known identities/keys/certificates get-default Show the default identity/key/certificate set-default Change the default identity/key/certificate @@ -47,9 +46,9 @@ Available commands: cert-install Import a certificate from a file export Export an identity as a SafeBag import Import an identity from a SafeBag - unlock-tpm Unlock the TPM + version Print version information -Try 'ndnsec COMMAND --help' for more information on a command. +Run 'ndnsec COMMAND --help' for more information on a command. )STR"; int diff --git a/tools/ndnsec/unlock-tpm.cpp b/tools/ndnsec/unlock-tpm.cpp index 97cd7021..e76d7f19 100644 --- a/tools/ndnsec/unlock-tpm.cpp +++ b/tools/ndnsec/unlock-tpm.cpp @@ -1,6 +1,6 @@ /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */ /* - * Copyright (c) 2013-2023 Regents of the University of California. + * Copyright (c) 2013-2024 Regents of the University of California. * * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions). * @@ -33,6 +33,8 @@ namespace ndn::ndnsec { int ndnsec_unlock_tpm(int argc, char** argv) { + std::cerr << "DEPRECATION NOTICE: ndnsec-unlock-tpm is deprecated.\n"; + namespace po = boost::program_options; po::options_description description( @@ -68,7 +70,10 @@ ndnsec_unlock_tpm(int argc, char** argv) return 1; } +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wdeprecated-declarations" bool isUnlocked = keyChain.getTpm().unlockTpm(password, std::strlen(password)); +#pragma GCC diagnostic pop OPENSSL_cleanse(password, std::strlen(password)); if (isUnlocked) {