blob: ecb03b101997e77884a77421e368386075f24707 [file] [log] [blame]
Yingdi Yu42f66462013-10-31 17:38:22 -07001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
2/*
3 * Copyright (c) 2013, Regents of the University of California
4 * Yingdi Yu
5 *
6 * BSD license, See the LICENSE file for more information
7 *
8 * Author: Yingdi Yu <yingdi@cs.ucla.edu>
9 */
10
11#include "panel-policy-manager.h"
12
13#include <ndn.cxx/security/certificate/identity-certificate.h>
Yingdi Yued8cfc42013-11-01 17:37:51 -070014#include <ndn.cxx/security/cache/ttl-certificate-cache.h>
Yingdi Yu42f66462013-10-31 17:38:22 -070015#include <boost/bind.hpp>
16
17#include "logging.h"
18
19using namespace std;
20using namespace ndn;
21using namespace ndn::security;
22
23INIT_LOGGER("PanelPolicyManager");
24
25PanelPolicyManager::PanelPolicyManager(const int & stepLimit,
Yingdi Yued8cfc42013-11-01 17:37:51 -070026 Ptr<CertificateCache> certificateCache)
Yingdi Yu42f66462013-10-31 17:38:22 -070027 : m_stepLimit(stepLimit)
28 , m_certificateCache(certificateCache)
29 , m_localPrefixRegex(Ptr<Regex>(new Regex("^<local><ndn><prefix><><>$")))
30{
Yingdi Yued8cfc42013-11-01 17:37:51 -070031 if(NULL == m_certificateCache)
32 m_certificateCache = Ptr<security::CertificateCache>(new security::TTLCertificateCache());
33
Yingdi Yu42f66462013-10-31 17:38:22 -070034 m_invitationDataSigningRule = Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^<ndn><broadcast><chronos><invitation>([^<chatroom>]*)<chatroom>",
Yingdi Yued8cfc42013-11-01 17:37:51 -070035 "^([^<KEY>]*)<KEY>(<>*)<><ID-CERT><>$",
36 "==", "\\1", "\\1\\2", true));
Yingdi Yu42f66462013-10-31 17:38:22 -070037
38 m_dskRule = Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^([^<KEY>]*)<KEY><dsk-.*><ID-CERT><>$",
39 "^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$",
40 "==", "\\1", "\\1\\2", true));
Yingdi Yu8dacdf22013-11-05 23:06:43 -080041
42 m_endorseeRule = Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^([^<DNS>]*)<DNS><>*<ENDORSEE><>$",
43 "^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$",
44 "==", "\\1", "\\1\\2", true));
45
Yingdi Yued8cfc42013-11-01 17:37:51 -070046 m_kskRegex = Ptr<Regex>(new Regex("^([^<KEY>]*)<KEY>(<>*<ksk-.*>)<ID-CERT><>$", "\\1\\2"));
Yingdi Yu42f66462013-10-31 17:38:22 -070047
48 m_keyNameRegex = Ptr<Regex>(new Regex("^([^<KEY>]*)<KEY>(<>*<ksk-.*>)<ID-CERT>$", "\\1\\2"));
49
50 m_signingCertificateRegex = Ptr<Regex>(new Regex("^<ndn><broadcast><chronos><invitation>([^<chatroom>]*)<chatroom>", "\\1"));
51}
52
53bool
54PanelPolicyManager::skipVerifyAndTrust (const Data & data)
55{
56 if(m_localPrefixRegex->match(data.getName()))
57 return true;
58
59 return false;
60}
61
62bool
63PanelPolicyManager::requireVerify (const Data & data)
64{
65 // if(m_invitationDataRule->matchDataName(data))
66 // return true;
Yingdi Yued8cfc42013-11-01 17:37:51 -070067 if(m_kskRegex->match(data.getName()))
68 return true;
Yingdi Yu42f66462013-10-31 17:38:22 -070069 if(m_dskRule->matchDataName(data))
70 return true;
71
Yingdi Yu8dacdf22013-11-05 23:06:43 -080072 if(m_endorseeRule->matchDataName(data))
73 return true;
74
75
Yingdi Yu42f66462013-10-31 17:38:22 -070076 return false;
77}
78
79Ptr<ValidationRequest>
80PanelPolicyManager::checkVerificationPolicy(Ptr<Data> data,
81 const int & stepCount,
82 const DataCallback& verifiedCallback,
83 const UnverifiedCallback& unverifiedCallback)
84{
Yingdi Yu42f66462013-10-31 17:38:22 -070085 if(m_stepLimit == stepCount)
86 {
Yingdi Yub35b8652013-11-07 11:32:40 -080087 _LOG_ERROR("Reach the maximum steps of verification!");
Yingdi Yu42f66462013-10-31 17:38:22 -070088 unverifiedCallback(data);
89 return NULL;
90 }
91
92 Ptr<const signature::Sha256WithRsa> sha256sig = boost::dynamic_pointer_cast<const signature::Sha256WithRsa> (data->getSignature());
93
94 if(KeyLocator::KEYNAME != sha256sig->getKeyLocator().getType())
95 {
Yingdi Yub35b8652013-11-07 11:32:40 -080096 _LOG_ERROR("Keylocator is not name!");
Yingdi Yu42f66462013-10-31 17:38:22 -070097 unverifiedCallback(data);
98 return NULL;
99 }
100
101 const Name & keyLocatorName = sha256sig->getKeyLocator().getKeyName();
102
Yingdi Yued8cfc42013-11-01 17:37:51 -0700103 if(m_kskRegex->match(data->getName()))
104 {
Yingdi Yued8cfc42013-11-01 17:37:51 -0700105 Name keyName = m_kskRegex->expand();
Yingdi Yued8cfc42013-11-01 17:37:51 -0700106 map<Name, Publickey>::iterator it = m_trustAnchors.find(keyName);
107 if(m_trustAnchors.end() != it)
108 {
Yingdi Yu6b56f092013-11-10 11:54:02 -0800109 // _LOG_DEBUG("found key!");
Yingdi Yued8cfc42013-11-01 17:37:51 -0700110 Ptr<IdentityCertificate> identityCertificate = Ptr<IdentityCertificate>(new IdentityCertificate(*data));
111 if(it->second.getKeyBlob() == identityCertificate->getPublicKeyInfo().getKeyBlob())
112 {
Yingdi Yued8cfc42013-11-01 17:37:51 -0700113 verifiedCallback(data);
114 }
115 else
116 unverifiedCallback(data);
117 }
118 else
119 unverifiedCallback(data);
Yingdi Yu42f66462013-10-31 17:38:22 -0700120
Yingdi Yued8cfc42013-11-01 17:37:51 -0700121 return NULL;
122 }
Yingdi Yu42f66462013-10-31 17:38:22 -0700123
124 if(m_dskRule->satisfy(*data))
125 {
126 m_keyNameRegex->match(keyLocatorName);
127 Name keyName = m_keyNameRegex->expand();
Yingdi Yu42f66462013-10-31 17:38:22 -0700128
129 if(m_trustAnchors.end() != m_trustAnchors.find(keyName))
130 if(verifySignature(*data, m_trustAnchors[keyName]))
131 verifiedCallback(data);
132 else
133 unverifiedCallback(data);
134 else
135 unverifiedCallback(data);
136
137 return NULL;
138 }
Yingdi Yu8dacdf22013-11-05 23:06:43 -0800139
Yingdi Yu8dacdf22013-11-05 23:06:43 -0800140 if(m_endorseeRule->satisfy(*data))
141 {
142 m_keyNameRegex->match(keyLocatorName);
143 Name keyName = m_keyNameRegex->expand();
Yingdi Yu8dacdf22013-11-05 23:06:43 -0800144 if(m_trustAnchors.end() != m_trustAnchors.find(keyName))
145 if(verifySignature(*data, m_trustAnchors[keyName]))
146 verifiedCallback(data);
147 else
148 unverifiedCallback(data);
149 else
150 unverifiedCallback(data);
151
152 return NULL;
153 }
154
Yingdi Yu42f66462013-10-31 17:38:22 -0700155 _LOG_DEBUG("Unverified!");
156
157 unverifiedCallback(data);
158 return NULL;
159}
160
Yingdi Yu42f66462013-10-31 17:38:22 -0700161bool
162PanelPolicyManager::checkSigningPolicy(const Name & dataName, const Name & certificateName)
163{
164 return m_invitationDataSigningRule->satisfy(dataName, certificateName);
165}
166
167Name
168PanelPolicyManager::inferSigningIdentity(const Name & dataName)
169{
170 if(m_signingCertificateRegex->match(dataName))
171 return m_signingCertificateRegex->expand();
172 else
173 return Name();
174}
175
176void
177PanelPolicyManager::addTrustAnchor(const EndorseCertificate& selfEndorseCertificate)
178{
Yingdi Yub35b8652013-11-07 11:32:40 -0800179 // _LOG_DEBUG("Add Anchor: " << selfEndorseCertificate.getPublicKeyName().toUri());
Yingdi Yu42f66462013-10-31 17:38:22 -0700180 m_trustAnchors.insert(pair <Name, Publickey > (selfEndorseCertificate.getPublicKeyName(), selfEndorseCertificate.getPublicKeyInfo()));
181}
Yingdi Yu6b56f092013-11-10 11:54:02 -0800182
183Ptr<Publickey>
184PanelPolicyManager::getTrustedKey(const ndn::Name& inviterCertName)
185{
186 Name keyLocatorName = inviterCertName.getPrefix(inviterCertName.size()-1);
187 m_keyNameRegex->match(keyLocatorName);
188 Name keyName = m_keyNameRegex->expand();
189
190 if(m_trustAnchors.end() != m_trustAnchors.find(keyName))
191 return Ptr<Publickey>(new Publickey(m_trustAnchors[keyName]));
192 return NULL;
193}