Adjust policies to accommodate dsk and ksk signing
diff --git a/src/chatdialog.cpp b/src/chatdialog.cpp
index fe7d7b5..4ecb7db 100644
--- a/src/chatdialog.cpp
+++ b/src/chatdialog.cpp
@@ -302,6 +302,7 @@
dskCertificate->getPublicKeyInfo(),
(isIntroducer ? SyncIntroCertificate::INTRODUCER : SyncIntroCertificate::PRODUCER));
ndn::Name certName = m_identityManager->getDefaultCertificateNameByIdentity(m_defaultIdentity);
+ _LOG_DEBUG("publishIntroCert: " << syncIntroCertificate.getName());
m_identityManager->signByCertificate(syncIntroCertificate, certName);
m_handler->putToNdnd(*syncIntroCertificate.encodeToWire());
}
diff --git a/src/chronos-invitation.cpp b/src/chronos-invitation.cpp
index 7ec0243..a36634b 100644
--- a/src/chronos-invitation.cpp
+++ b/src/chronos-invitation.cpp
@@ -9,6 +9,8 @@
*/
#include "chronos-invitation.h"
+
+#include <ndn.cxx/security/certificate/identity-certificate.h>
#include "exception.h"
#include "logging.h"
@@ -72,15 +74,9 @@
string signature = interestName.get(-1).toBlob();
m_signatureBits.insert(m_signatureBits.end(), signature.begin(), signature.end());
-
- string keyStr("KEY");
- int keyId = 0;
- for(; keyId < m_inviterCertificateName.size(); keyId++)
- if(m_inviterCertificateName.get(keyId).toUri() == keyStr)
- break;
- if(keyId >= m_inviterCertificateName.size())
- throw LnException("Wrong ChronosInvitation Name, no KEY tag in inviter Certificate Name");
- m_inviterNameSpace = m_inviterCertificateName.getSubName(0, keyId);
+
+ Name keyName = security::IdentityCertificate::certificateNameToPublicKeyName(m_inviterCertificateName, true);
+ m_inviterNameSpace = keyName.getPrefix(keyName.size()-1);
string signedName = interestName.getSubName(0, size - 1).toUri();
m_signedBlob.insert(m_signedBlob.end(), signedName.begin(), signedName.end());
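Review bot: The added `Name keyName = ...` line drops the explicit KEY-tag check that the removed loop enforced with `throw LnException(...)`, and the following `keyName.getPrefix(keyName.size()-1)` is only safe if `certificateNameToPublicKeyName` never yields an empty name. Whether that helper throws or returns an empty Name on a malformed inviter certificate name is not visible here; if it returns empty, `keyName.size()-1` wraps before reaching getPrefix. Since the inviter certificate name comes straight from a received interest, keep the explicit guard between the two added lines: `if(keyName.size() == 0) throw LnException("Wrong ChronosInvitation Name, no KEY tag in inviter Certificate Name");`. The `true` argument also deserves a short comment, as nothing in this file says what it selects. The enclosing function starts before this hunk.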
diff --git a/src/contact-manager.cpp b/src/contact-manager.cpp
index 2f7536b..9bd8ca2 100644
--- a/src/contact-manager.cpp
+++ b/src/contact-manager.cpp
@@ -55,16 +55,16 @@
Ptr<Keychain> keychain = Ptr<Keychain>(new Keychain(identityManager, policyManager, encryptionManager));
policyManager->addVerificationPolicyRule(Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^([^<DNS>]*)<DNS><PROFILE>",
- "^([^<KEY>]*)<KEY>(<>*)<><ID-CERT>",
+ "^([^<KEY>]*)<KEY>(<>*)[<ksk-.*><dsk-.*>]<ID-CERT>$",
"==", "\\1", "\\1\\2", true)));
policyManager->addVerificationPolicyRule(Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^([^<PROFILE-CERT>]*)<PROFILE-CERT>",
- "^([^<KEY>]*)<KEY>(<>*<ksk-.*>)<ID-CERT>",
+ "^([^<KEY>]*)<KEY>(<>*<ksk-.*>)<ID-CERT>$",
"==", "\\1", "\\1\\2", true)));
policyManager->addVerificationPolicyRule(Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>",
- "^([^<KEY>]*)<KEY><dsk-.*><ID-CERT>",
+ "^([^<KEY>]*)<KEY><dsk-.*><ID-CERT>$",
">", "\\1\\2", "\\1", true)));
policyManager->addVerificationPolicyRule(Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^([^<KEY>]*)<KEY><dsk-.*><ID-CERT>",
- "^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>",
+ "^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$",
"==", "\\1", "\\1\\2", true)));
policyManager->addSigningPolicyRule(Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^([^<DNS>]*)<DNS><PROFILE>",
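Review bot: The `$` anchors added to the certificate-name patterns of the four verification rules are the security-relevant part of this hunk and deserve a comment, since nothing in the code says why they matter: without the anchor a certificate name with extra components after `<ID-CERT>` would still satisfy the rule. Suggest a one-line comment above the first `addVerificationPolicyRule`, such as `// Certificate-name patterns are anchored with $ so a name with trailing components after <ID-CERT> cannot satisfy a rule.`. The signing rule that begins on the hunk's last line continues outside it; it is worth checking that its certificate pattern is anchored the same way.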
@@ -118,6 +118,7 @@
void
ContactManager::updateProfileData(const Name& identity)
{
+ _LOG_DEBUG("updateProfileData: " << identity.toUri());
// Get current profile;
Ptr<Profile> newProfile = m_contactStorage->getSelfProfile(identity);
if(NULL == newProfile)
@@ -198,15 +199,27 @@
Ptr<ProfileData> profileData = Ptr<ProfileData>(new ProfileData(identity, profile));
identityManager->signByCertificate(*profileData, certificateName);
- Ptr<security::IdentityCertificate> dskCert = identityManager->getCertificate(certificateName);
- Ptr<const signature::Sha256WithRsa> dskCertSig = DynamicCast<const signature::Sha256WithRsa>(dskCert->getSignature());
- // HACK! KSK certificate should be retrieved from network.
- _LOG_DEBUG("keyLocator: " << dskCertSig->getKeyLocator().getKeyName());
- Name keyName = security::IdentityCertificate::certificateNameToPublicKeyName(dskCertSig->getKeyLocator().getKeyName());
- _LOG_DEBUG("keyName: " << keyName.toUri());
- Name kskCertName = identityManager->getPublicStorage()->getDefaultCertificateNameForKey(keyName);
- _LOG_DEBUG("ksk cert name: " << kskCertName);
- Ptr<security::IdentityCertificate> kskCert = identityManager->getCertificate(kskCertName);
+ Ptr<security::IdentityCertificate> signingCert = identityManager->getCertificate(certificateName);
+ Name signingKeyName = security::IdentityCertificate::certificateNameToPublicKeyName(signingCert->getName(), true);
+
+ Ptr<security::IdentityCertificate> kskCert;
+ if(signingKeyName.get(-1).toUri().substr(0,4) == string("dsk-"))
+ {
+ Ptr<const signature::Sha256WithRsa> dskCertSig = DynamicCast<const signature::Sha256WithRsa>(signingCert->getSignature());
+ // HACK! KSK certificate should be retrieved from network.
+ _LOG_DEBUG("keyLocator: " << dskCertSig->getKeyLocator().getKeyName());
+ Name keyName = security::IdentityCertificate::certificateNameToPublicKeyName(dskCertSig->getKeyLocator().getKeyName());
+ _LOG_DEBUG("keyName: " << keyName.toUri());
+ Name kskCertName = identityManager->getPublicStorage()->getDefaultCertificateNameForKey(keyName);
+ _LOG_DEBUG("ksk cert name: " << kskCertName);
+ kskCert = identityManager->getCertificate(kskCertName);
+
+ }
+ else
+ {
+ kskCert = signingCert;
+ _LOG_DEBUG("ksk cert name: " << kskCert->getName().toUri());
+ }
vector<string> endorseList;
Profile::const_iterator it = profile.begin();
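Review bot: In the new `dsk-` branch, `dskCertSig` comes from `DynamicCast<const signature::Sha256WithRsa>` and is dereferenced on the very next line with no null check; if the cast yields NULL for a certificate carrying a different signature type, as a dynamic cast normally does, `getKeyLocator()` dereferences a null pointer. A guard right after the cast, `if(NULL == dskCertSig) { _LOG_DEBUG("unexpected signature type on " << signingCert->getName().toUri()); return; }`, keeps the existing best-effort behaviour; whether a bare `return` is the right form depends on the enclosing function, which starts before this hunk. The `else` branch also treats every key whose last component is not prefixed `dsk-` as a KSK, while the verification rules earlier in this file only admit `ksk-` and `dsk-` names, so testing for `"ksk-"` explicitly and logging anything else would make the two agree. The `HACK!` comment survives the move, so the network-retrieval TODO still stands.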
diff --git a/src/contactpanel.cpp b/src/contactpanel.cpp
index 0ce0694..0407d8f 100644
--- a/src/contactpanel.cpp
+++ b/src/contactpanel.cpp
@@ -19,11 +19,7 @@
#ifndef Q_MOC_RUN
#include <ndn.cxx/security/keychain.h>
-#include <ndn.cxx/security/identity/osx-privatekey-storage.h>
#include <ndn.cxx/security/identity/identity-manager.h>
-#include <ndn.cxx/security/identity/basic-identity-storage.h>
-#include <ndn.cxx/security/cache/ttl-certificate-cache.h>
-#include <ndn.cxx/security/encryption/basic-encryption-manager.h>
#include <ndn.cxx/common.h>
#include <boost/filesystem.hpp>
#include <boost/random/random_device.hpp>
@@ -147,16 +143,16 @@
void
ContactPanel::setKeychain()
{
- Ptr<security::IdentityManager> identityManager = Ptr<security::IdentityManager>::Create();
- Ptr<security::CertificateCache> certificateCache = Ptr<security::CertificateCache>(new security::TTLCertificateCache());
- Ptr<PanelPolicyManager> policyManager = Ptr<PanelPolicyManager>(new PanelPolicyManager(10, certificateCache));
+ m_panelPolicyManager = Ptr<PanelPolicyManager>::Create();
// Ptr<security::EncryptionManager> encryptionManager = Ptr<security::EncryptionManager>(new security::BasicEncryptionManager(privateStorage, "/tmp/encryption.db"));
vector<Ptr<ContactItem> >::const_iterator it = m_contactList.begin();
for(; it != m_contactList.end(); it++)
- policyManager->addTrustAnchor((*it)->getSelfEndorseCertificate());
+ m_panelPolicyManager->addTrustAnchor((*it)->getSelfEndorseCertificate());
- m_keychain = Ptr<security::Keychain>(new security::Keychain(identityManager, policyManager, NULL));
+ m_keychain = Ptr<security::Keychain>(new security::Keychain(Ptr<security::IdentityManager>::Create(),
+ m_panelPolicyManager,
+ NULL));
}
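Review bot: `Ptr<PanelPolicyManager>::Create()` now relies on the constructor defaults for both the step limit and the certificate cache (10 and a freshly created cache, per the panel-policy-manager changes in this commit), whereas the removed lines spelled both out; a comment such as `// Default step limit and a fresh TTL certificate cache; see the PanelPolicyManager ctor.` keeps that visible here. Each call to setKeychain also replaces `m_panelPolicyManager`, so any trust anchor added to the previous instance other than through `m_contactList` is dropped; fine if setKeychain runs once, but worth stating. The commented-out encryptionManager line is dead code and could go.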
void
@@ -207,23 +203,20 @@
void
ContactPanel::onInvitationCertVerified(Ptr<Data> data,
- const Name& interestName,
- int inviterIndex)
+ Ptr<ChronosInvitation> invitation)
{
Ptr<security::IdentityCertificate> certificate = Ptr<security::IdentityCertificate>(new security::IdentityCertificate(*data));
- Ptr<ChronosInvitation> invitation = Ptr<ChronosInvitation>(new ChronosInvitation(interestName));
if(security::PolicyManager::verifySignature(invitation->getSignedBlob(), invitation->getSignatureBits(), certificate->getPublicKeyInfo()))
{
Name keyName = certificate->getPublicKeyName();
Name inviterNameSpace = keyName.getSubName(0, keyName.size() - 1);
- popChatInvitation(invitation, inviterIndex, inviterNameSpace, certificate);
+ popChatInvitation(invitation, inviterNameSpace, certificate);
}
}
void
ContactPanel::popChatInvitation(Ptr<ChronosInvitation> invitation,
- int inviterIndex,
const Name& inviterNameSpace,
Ptr<security::IdentityCertificate> certificate)
{
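Review bot: `onInvitationCertVerified` checks the invitation's signature against the public key of whatever certificate arrived as `data`, but nothing in the hunk ties that certificate to the one the invitation named; `certificate->getName()` is never compared with `invitation->getInviterCertificateName()`, which is what the interest in the later hunk was built from. Unless the keychain's verification step already pins the returned Data to the requested name (not visible here), add a prefix comparison of the two names before `verifySignature` and return when they disagree, allowing for a trailing version component on the fetched certificate. The `inviterNameSpace` computed on the next two lines duplicates what ChronosInvitation now derives in its constructor; the two derivations should be kept in agreement or one of them dropped.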
@@ -278,48 +271,14 @@
{
_LOG_DEBUG("receive interest!" << interest->getName().toUri());
const Name& interestName = interest->getName();
- const int end = interestName.size();
-
- string inviter("inviter");
- int j = end-2;
- for(; j >= 0; j--)
- if(interestName.get(j).toUri() == inviter)
- break;
- //No certificate name found
- if(j < 0)
- return;
-
- Name certName = interestName.getSubName(j+1, end-2-j);
- string keyString("KEY");
- string idString("ID-CERT");
- int m = certName.size() - 1;
- int keyIndex = -1;
- int idIndex = -1;
- for(; m >= 0; m--)
- if(certName.get(m).toUri() == idString)
- {
- idIndex = m;
- break;
- }
+ Ptr<ChronosInvitation> invitation = Ptr<ChronosInvitation>(new ChronosInvitation(interestName));
- for(; m >=0; m--)
- if(certName.get(m).toUri() == keyString)
- {
- keyIndex = m;
- break;
- }
-
- //Not a qualified certificate name
- if(keyIndex < 0 && idIndex < 0)
- return;
-
- Ptr<Interest> newInterest = Ptr<Interest>(new Interest(certName));
+ Ptr<Interest> newInterest = Ptr<Interest>(new Interest(invitation->getInviterCertificateName()));
Ptr<Closure> closure = Ptr<Closure>(new Closure(boost::bind(&ContactPanel::onInvitationCertVerified,
this,
_1,
- interestName,
- j),
+ invitation),
boost::bind(&ContactPanel::onTimeout,
this,
_1,
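Review bot: `new ChronosInvitation(interestName)` on the added line parses a name received from the network with no guard, where the removed code returned quietly on a malformed interest; the ChronosInvitation constructor is the code that threw `LnException` for a bad inviter certificate name, so unless every remaining check in it is non-throwing, a malformed broadcast interest now propagates an exception out of this callback. Wrap the construction: `Ptr<ChronosInvitation> invitation;` / `try { invitation = Ptr<ChronosInvitation>(new ChronosInvitation(interestName)); }` / `catch(const LnException&) { _LOG_DEBUG("malformed invitation interest, ignored"); return; }`. The enclosing function starts before this hunk.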
diff --git a/src/contactpanel.h b/src/contactpanel.h
index 5f595b0..d6c0787 100644
--- a/src/contactpanel.h
+++ b/src/contactpanel.h
@@ -27,6 +27,7 @@
#ifndef Q_MOC_RUN
#include "contact-manager.h"
#include "chronos-invitation.h"
+#include "panel-policy-manager.h"
#endif
@@ -73,15 +74,13 @@
void
onInvitationCertVerified(ndn::Ptr<ndn::Data> data,
- const ndn::Name& interestName,
- int inviterIndex);
+ ndn::Ptr<ChronosInvitation> invitation);
std::string
getRandomString();
void
popChatInvitation(ndn::Ptr<ChronosInvitation> invitation,
- int inviterIndex,
const ndn::Name& inviterNameSpace,
ndn::Ptr<ndn::security::IdentityCertificate> certificate);
@@ -150,6 +149,7 @@
QAction* m_menuAlias;
std::vector<ndn::Ptr<ContactItem> > m_contactList;
+ ndn::Ptr<PanelPolicyManager> m_panelPolicyManager;
ndn::Ptr<ndn::security::Keychain> m_keychain;
ndn::Ptr<ndn::Wrapper> m_handler;
diff --git a/src/invitation-policy-manager.cpp b/src/invitation-policy-manager.cpp
index 10929e3..ca4ae5b 100644
--- a/src/invitation-policy-manager.cpp
+++ b/src/invitation-policy-manager.cpp
@@ -31,8 +31,10 @@
m_certificateCache = Ptr<TTLCertificateCache>(new TTLCertificateCache());
m_invitationPolicyRule = Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^<ndn><broadcast><chronos><invitation>([^<chatroom>]*)<chatroom>",
- "^([^<KEY>]*)<KEY><dsk-.*><ID-CERT>$",
- "==", "\\1", "\\1", true));
+ "^([^<KEY>]*)<KEY>(<>*)[<dsk-.*><ksk-.*>]<ID-CERT>$",
+ "==", "\\1", "\\1\\2", true));
+
+ m_kskRegex = Ptr<Regex>(new Regex("^([^<KEY>]*)<KEY>(<>*<ksk-.*>)<ID-CERT><>$", "\\1\\2"));
m_dskRule = Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^([^<KEY>]*)<KEY><dsk-.*><ID-CERT><>$",
"^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$",
@@ -77,6 +79,18 @@
if(m_invitationPolicyRule->satisfy(*data))
{
+ // Name keyName = IdentityCertificate::certificateNameToPublicKeyName(keyLocatorName);
+ // map<Name, Publickey>::iterator it = m_trustAnchors.find(keyName);
+ // if(m_trustAnchors.end() != it)
+ // {
+ // if(verifySignature(*data, it->second))
+ // verifiedCallback(data);
+ // else
+ // unverifiedCallback(data);
+
+ // return NULL;
+ // }
+
Ptr<const IdentityCertificate> trustedCert = m_certificateCache->getCertificate(keyLocatorName);
if(NULL != trustedCert){
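Review bot: The twelve added lines are a commented-out trust-anchor lookup with no note saying whether it is a planned replacement for the cache lookup that follows or an abandoned attempt; a live version of the same logic is added further down in this file for KSK certificates via `m_kskRegex`. Either delete the block or replace it with a one-line `// TODO: ...` stating what is still intended, so the next reader does not have to diff it against the live code.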
@@ -87,33 +101,56 @@
return NULL;
}
- else{
- _LOG_DEBUG("KeyLocator has not been cached and validated!");
- DataCallback recursiveVerifiedCallback = boost::bind(&InvitationPolicyManager::onDskCertificateVerified,
- this,
- _1,
- data,
- verifiedCallback,
- unverifiedCallback);
+ _LOG_DEBUG("KeyLocator has not been cached and validated!");
- UnverifiedCallback recursiveUnverifiedCallback = boost::bind(&InvitationPolicyManager::onDskCertificateUnverified,
- this,
- _1,
- data,
- unverifiedCallback);
+ DataCallback recursiveVerifiedCallback = boost::bind(&InvitationPolicyManager::onDskCertificateVerified,
+ this,
+ _1,
+ data,
+ verifiedCallback,
+ unverifiedCallback);
+
+ UnverifiedCallback recursiveUnverifiedCallback = boost::bind(&InvitationPolicyManager::onDskCertificateUnverified,
+ this,
+ _1,
+ data,
+ unverifiedCallback);
- Ptr<Interest> interest = Ptr<Interest>(new Interest(keyLocatorName));
-
- Ptr<ValidationRequest> nextStep = Ptr<ValidationRequest>(new ValidationRequest(interest,
- recursiveVerifiedCallback,
- recursiveUnverifiedCallback,
- 0,
- stepCount + 1)
- );
- return nextStep;
- }
+ Ptr<Interest> interest = Ptr<Interest>(new Interest(keyLocatorName));
+
+ Ptr<ValidationRequest> nextStep = Ptr<ValidationRequest>(new ValidationRequest(interest,
+ recursiveVerifiedCallback,
+ recursiveUnverifiedCallback,
+ 0,
+ stepCount + 1)
+ );
+ return nextStep;
+ }
+
+ if(m_kskRegex->match(data->getName()))
+ {
+ _LOG_DEBUG("is ksk");
+ Name keyName = m_kskRegex->expand();
+ _LOG_DEBUG("ksk name: " << keyName.toUri());
+ map<Name, Publickey>::iterator it = m_trustAnchors.find(keyName);
+ if(m_trustAnchors.end() != it)
+ {
+ _LOG_DEBUG("found key!");
+ Ptr<IdentityCertificate> identityCertificate = Ptr<IdentityCertificate>(new IdentityCertificate(*data));
+ if(it->second.getKeyBlob() == identityCertificate->getPublicKeyInfo().getKeyBlob())
+ {
+ _LOG_DEBUG("same key!");
+ verifiedCallback(data);
+ }
+ else
+ unverifiedCallback(data);
+ }
+ else
+ unverifiedCallback(data);
+
+ return NULL;
}
if(m_dskRule->satisfy(*data))
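Review bot: In the new `m_kskRegex` branch, `verifiedCallback(data)` is invoked once the trust anchor's key blob equals the certificate's public key, but the Data's own signature is never checked against that key, so a Data published under the KSK certificate name that carries the trusted public key together with arbitrary other content or an invalid signature is reported as verified. The commented-out block earlier in this file and the existing dsk path both call `verifySignature(*data, it->second)`; the condition should be `if(it->second.getKeyBlob() == identityCertificate->getPublicKeyInfo().getKeyBlob() && verifySignature(*data, it->second))`. The same branch was copied into panel-policy-manager.cpp in this commit and needs the same change. Constructing `IdentityCertificate(*data)` from unverified network data may also throw on malformed content; whether it does is not visible here. The enclosing function starts before this hunk.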
diff --git a/src/invitation-policy-manager.h b/src/invitation-policy-manager.h
index 85afa53..cc37d7b 100644
--- a/src/invitation-policy-manager.h
+++ b/src/invitation-policy-manager.h
@@ -82,6 +82,7 @@
ndn::Ptr<ndn::security::IdentityPolicyRule> m_dskRule;
std::map<ndn::Name, ChatPolicyRule> m_chatDataRules;
+ ndn::Ptr<ndn::Regex> m_kskRegex;
ndn::Ptr<ndn::Regex> m_keyNameRegex;
std::map<ndn::Name, ndn::security::Publickey> m_trustAnchors;
diff --git a/src/panel-policy-manager.cpp b/src/panel-policy-manager.cpp
index d3c7260..33717d5 100644
--- a/src/panel-policy-manager.cpp
+++ b/src/panel-policy-manager.cpp
@@ -11,6 +11,7 @@
#include "panel-policy-manager.h"
#include <ndn.cxx/security/certificate/identity-certificate.h>
+#include <ndn.cxx/security/cache/ttl-certificate-cache.h>
#include <boost/bind.hpp>
#include "logging.h"
@@ -22,18 +23,22 @@
INIT_LOGGER("PanelPolicyManager");
PanelPolicyManager::PanelPolicyManager(const int & stepLimit,
- Ptr<CertificateCache> certificateCache)
+ Ptr<CertificateCache> certificateCache)
: m_stepLimit(stepLimit)
, m_certificateCache(certificateCache)
, m_localPrefixRegex(Ptr<Regex>(new Regex("^<local><ndn><prefix><><>$")))
{
+ if(NULL == m_certificateCache)
+ m_certificateCache = Ptr<security::CertificateCache>(new security::TTLCertificateCache());
+
m_invitationDataSigningRule = Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^<ndn><broadcast><chronos><invitation>([^<chatroom>]*)<chatroom>",
- "^([^<KEY>]*)<KEY><dsk-.*><ID-CERT><>$",
- "==", "\\1", "\\1", true));
+ "^([^<KEY>]*)<KEY>(<>*)<><ID-CERT><>$",
+ "==", "\\1", "\\1\\2", true));
m_dskRule = Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^([^<KEY>]*)<KEY><dsk-.*><ID-CERT><>$",
"^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$",
"==", "\\1", "\\1\\2", true));
+ m_kskRegex = Ptr<Regex>(new Regex("^([^<KEY>]*)<KEY>(<>*<ksk-.*>)<ID-CERT><>$", "\\1\\2"));
m_keyNameRegex = Ptr<Regex>(new Regex("^([^<KEY>]*)<KEY>(<>*<ksk-.*>)<ID-CERT>$", "\\1\\2"));
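Review bot: `m_invitationDataSigningRule` now accepts any key component (`<>`) before `<ID-CERT>`, whereas the verification rule for the same invitation namespace in invitation-policy-manager.cpp (changed in this commit) only admits `[<dsk-.*><ksk-.*>]`; a local signing certificate with any other key-name form would pass this signing check and then be rejected by every peer. Align the pattern: `"^([^<KEY>]*)<KEY>(<>*)[<dsk-.*><ksk-.*>]<ID-CERT><>$"`. The null-cache fallback is sensible, but `m_certificateCache` is set in the initializer list and then reassigned in the body; a comment `// default to a TTL cache when the caller passes none` would explain the two steps. The change to the `Ptr<CertificateCache> certificateCache)` parameter line is whitespace only.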
@@ -55,6 +60,8 @@
// if(m_invitationDataRule->matchDataName(data))
// return true;
+ if(m_kskRegex->match(data.getName()))
+ return true;
if(m_dskRule->matchDataName(data))
return true;
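Review bot: Which predicate the two added lines extend is not visible, as the function signature is above the hunk, and the meaning of `return true` differs sharply depending on it: if this is the requireVerify-style predicate, routing KSK certificates into the verification policy is right; if it is the skipVerifyAndTrust-style one, any Data whose name merely matches `m_kskRegex` would bypass verification entirely. A comment on the new line naming the intent, e.g. `// KSK certificates must go through the verification policy (trust-anchor match)`, would make the behaviour reviewable without opening the header.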
@@ -85,52 +92,34 @@
const Name & keyLocatorName = sha256sig->getKeyLocator().getKeyName();
- // if(m_invitationDataRule->satisfy(*data))
- // {
- // Ptr<const IdentityCertificate> trustedCert = m_certificateCache->getCertificate(keyLocatorName);
-
- // if(NULL != trustedCert){
- // if(verifySignature(*data, trustedCert->getPublicKeyInfo()))
- // verifiedCallback(data);
- // else
- // unverifiedCallback(data);
+ if(m_kskRegex->match(data->getName()))
+ {
+ _LOG_DEBUG("is ksk");
+ Name keyName = m_kskRegex->expand();
+ _LOG_DEBUG("ksk name: " << keyName.toUri());
+ map<Name, Publickey>::iterator it = m_trustAnchors.find(keyName);
+ if(m_trustAnchors.end() != it)
+ {
+ _LOG_DEBUG("found key!");
+ Ptr<IdentityCertificate> identityCertificate = Ptr<IdentityCertificate>(new IdentityCertificate(*data));
+ if(it->second.getKeyBlob() == identityCertificate->getPublicKeyInfo().getKeyBlob())
+ {
+ _LOG_DEBUG("same key!");
+ verifiedCallback(data);
+ }
+ else
+ unverifiedCallback(data);
+ }
+ else
+ unverifiedCallback(data);
- // return NULL;
- // }
- // else{
- // _LOG_DEBUG("KeyLocator has not been cached and validated!");
-
- // DataCallback recursiveVerifiedCallback = boost::bind(&PanelPolicyManager::onCertificateVerified,
- // this,
- // _1,
- // data,
- // verifiedCallback,
- // unverifiedCallback);
-
- // UnverifiedCallback recursiveUnverifiedCallback = boost::bind(&PanelPolicyManager::onCertificateUnverified,
- // this,
- // _1,
- // data,
- // unverifiedCallback);
-
-
- // Ptr<Interest> interest = Ptr<Interest>(new Interest(sha256sig->getKeyLocator().getKeyName()));
-
- // Ptr<ValidationRequest> nextStep = Ptr<ValidationRequest>(new ValidationRequest(interest,
- // recursiveVerifiedCallback,
- // recursiveUnverifiedCallback,
- // 0,
- // stepCount + 1)
- // );
- // return nextStep;
- // }
- // }
+ return NULL;
+ }
if(m_dskRule->satisfy(*data))
{
m_keyNameRegex->match(keyLocatorName);
Name keyName = m_keyNameRegex->expand();
- _LOG_DEBUG(keyName.toUri());
if(m_trustAnchors.end() != m_trustAnchors.find(keyName))
if(verifySignature(*data, m_trustAnchors[keyName]))
diff --git a/src/panel-policy-manager.h b/src/panel-policy-manager.h
index 85fd2d9..7ac8b10 100644
--- a/src/panel-policy-manager.h
+++ b/src/panel-policy-manager.h
@@ -22,7 +22,7 @@
{
public:
PanelPolicyManager(const int & stepLimit = 10,
- ndn::Ptr<ndn::security::CertificateCache> certificateCache = NULL);
+ ndn::Ptr<ndn::security::CertificateCache> certificateCache = NULL);
~PanelPolicyManager()
{}
@@ -96,6 +96,7 @@
ndn::Ptr<ndn::security::CertificateCache> m_certificateCache;
ndn::Ptr<ndn::Regex> m_localPrefixRegex;
ndn::Ptr<ndn::security::IdentityPolicyRule> m_invitationDataSigningRule;
+ ndn::Ptr<ndn::Regex> m_kskRegex;
ndn::Ptr<ndn::security::IdentityPolicyRule> m_dskRule;
ndn::Ptr<ndn::Regex> m_keyNameRegex;
ndn::Ptr<ndn::Regex> m_signingCertificateRegex;