/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
/*
 * Copyright (c) 2013, Regents of the University of California
 * Yingdi Yu
 *
 * BSD license, See the LICENSE file for more information
 *
 * Author: Yingdi Yu <yingdi@cs.ucla.edu>
 */
11#include "panel-policy-manager.h"
12
13#include <ndn.cxx/security/certificate/identity-certificate.h>
Yingdi Yu9b34b1f2013-11-01 17:37:51 -070014#include <ndn.cxx/security/cache/ttl-certificate-cache.h>
Yingdi Yu7989eb22013-10-31 17:38:22 -070015#include <boost/bind.hpp>
16
17#include "logging.h"
18
19using namespace std;
20using namespace ndn;
21using namespace ndn::security;
22
23INIT_LOGGER("PanelPolicyManager");
24
/**
 * @brief Build the panel's policy manager with its fixed set of name rules.
 *
 * @param stepLimit         number of verification steps after which data is
 *                          reported unverified (compared for equality in
 *                          checkVerificationPolicy)
 * @param certificateCache  cache to use; a TTLCertificateCache is created when
 *                          NULL is passed
 */
PanelPolicyManager::PanelPolicyManager(const int & stepLimit,
                                       Ptr<CertificateCache> certificateCache)
  : m_stepLimit(stepLimit)
  , m_certificateCache(certificateCache)
  , m_localPrefixRegex(Ptr<Regex>(new Regex("^<local><ndn><prefix><><>$")))
{
  // Fall back to an in-memory TTL cache when the caller supplied none.
  if(NULL == m_certificateCache)
    m_certificateCache = Ptr<security::CertificateCache>(new security::TTLCertificateCache());

  // Name regexes; after a successful match(), expand() yields the key name
  // (the two capture groups concatenated) or, for the signing regex, the
  // chatroom prefix.
  m_kskRegex                = Ptr<Regex>(new Regex("^([^<KEY>]*)<KEY>(<>*<ksk-.*>)<ID-CERT><>$", "\\1\\2"));
  m_keyNameRegex            = Ptr<Regex>(new Regex("^([^<KEY>]*)<KEY>(<>*<ksk-.*>)<ID-CERT>$", "\\1\\2"));
  m_signingCertificateRegex = Ptr<Regex>(new Regex("^<ndn><broadcast><chronos><invitation>([^<chatroom>]*)<chatroom>", "\\1"));

  // Identity rules relate a data-name pattern to a key-name pattern through
  // the "==" relation on the two expansions; the trailing flag is passed
  // through unchanged from the original configuration.
  m_invitationDataSigningRule = Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^<ndn><broadcast><chronos><invitation>([^<chatroom>]*)<chatroom>",
                                                                               "^([^<KEY>]*)<KEY>(<>*)<><ID-CERT><>$",
                                                                               "==", "\\1", "\\1\\2", true));

  m_dskRule = Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^([^<KEY>]*)<KEY><dsk-.*><ID-CERT><>$",
                                                             "^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$",
                                                             "==", "\\1", "\\1\\2", true));

  m_endorseeRule = Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^([^<DNS>]*)<DNS><>*<ENDORSEE><>$",
                                                                  "^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$",
                                                                  "==", "\\1", "\\1\\2", true));
}
52
/**
 * @brief Whether @p data is trusted without any verification.
 *
 * Only data under the local prefix pattern held in m_localPrefixRegex is
 * exempt from verification.
 */
bool
PanelPolicyManager::skipVerifyAndTrust (const Data & data)
{
  return m_localPrefixRegex->match(data.getName());
}
61
/**
 * @brief Whether @p data must go through checkVerificationPolicy.
 *
 * True for KSK certificates (m_kskRegex), DSK certificates (m_dskRule) and
 * ENDORSEE data (m_endorseeRule); any other name is not subject to this policy.
 */
bool
PanelPolicyManager::requireVerify (const Data & data)
{
  const Name & name = data.getName();
  return m_kskRegex->match(name)
         || m_dskRule->matchDataName(data)
         || m_endorseeRule->matchDataName(data);
}
78
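/**
 * @brief Decide whether @p data is acceptable, invoking exactly one callback.
 *
 * Three classes of packet are decided locally, without a further validation
 * step:
 *  - KSK certificates (name matches m_kskRegex): accepted when a trust anchor
 *    is registered under the same key name and holds the same key blob;
 *  - DSK certificates (m_dskRule) and ENDORSEE data (m_endorseeRule): accepted
 *    when the key locator names a trust anchor whose key verifies the
 *    packet signature.
 * Anything else, anything whose signature cannot be interpreted, and anything
 * that has reached the step limit is reported through @p unverifiedCallback.
 *
 * @param data                packet under validation (untrusted, from the network)
 * @param stepCount           steps already taken; compared for equality with m_stepLimit
 * @param verifiedCallback    invoked when the packet is accepted
 * @param unverifiedCallback  invoked when the packet is rejected
 * @return always NULL: this policy never issues a follow-up ValidationRequest
 */
Ptr<ValidationRequest>
PanelPolicyManager::checkVerificationPolicy(Ptr<Data> data,
                                            const int & stepCount,
                                            const DataCallback& verifiedCallback,
                                            const UnverifiedCallback& unverifiedCallback)
{
  _LOG_DEBUG("checkVerificationPolicy");
  if(m_stepLimit == stepCount)
    {
      _LOG_DEBUG("reach the maximum steps of verification");
      unverifiedCallback(data);
      return NULL;
    }

  // The cast fails (yields NULL) when the packet carries a different signature
  // type; dereferencing it would crash on attacker-chosen input, so reject.
  Ptr<const signature::Sha256WithRsa> sha256sig = boost::dynamic_pointer_cast<const signature::Sha256WithRsa> (data->getSignature());
  if(NULL == sha256sig)
    {
      _LOG_DEBUG("signature is not Sha256WithRsa");
      unverifiedCallback(data);
      return NULL;
    }

  if(KeyLocator::KEYNAME != sha256sig->getKeyLocator().getType())
    {
      unverifiedCallback(data);
      return NULL;
    }

  const Name & keyLocatorName = sha256sig->getKeyLocator().getKeyName();

  // KSK certificate: trusted only if its key name is a registered anchor and
  // the embedded key is bit-identical to that anchor.
  if(m_kskRegex->match(data->getName()))
    {
      _LOG_DEBUG("is ksk");
      Name keyName = m_kskRegex->expand();
      _LOG_DEBUG("ksk name: " << keyName.toUri());

      map<Name, Publickey>::iterator it = m_trustAnchors.find(keyName);
      if(m_trustAnchors.end() == it)
        {
          unverifiedCallback(data);
          return NULL;
        }

      _LOG_DEBUG("found key!");
      // NOTE(review): this branch compares key blobs only; the packet's own
      // signature is not verified here. Constructing the certificate from an
      // arbitrary packet may throw if it is not well-formed — TODO confirm.
      Ptr<IdentityCertificate> identityCertificate = Ptr<IdentityCertificate>(new IdentityCertificate(*data));
      if(it->second.getKeyBlob() == identityCertificate->getPublicKeyInfo().getKeyBlob())
        {
          _LOG_DEBUG("same key!");
          verifiedCallback(data);
        }
      else
        unverifiedCallback(data);

      return NULL;
    }

  // DSK certificate: the key locator must name a registered KSK anchor that
  // verifies the signature.
  if(m_dskRule->satisfy(*data))
    {
      // satisfy() relates the names but does not extract the key name; a
      // locator that does not match the regex has nothing to expand.
      if(!m_keyNameRegex->match(keyLocatorName))
        {
          unverifiedCallback(data);
          return NULL;
        }
      Name keyName = m_keyNameRegex->expand();

      map<Name, Publickey>::iterator it = m_trustAnchors.find(keyName);
      if(m_trustAnchors.end() != it && verifySignature(*data, it->second))
        verifiedCallback(data);
      else
        unverifiedCallback(data);

      return NULL;
    }

  _LOG_DEBUG("KEY Locator: " << keyLocatorName.toUri());
  // ENDORSEE data: same anchor lookup and signature check as for DSK certificates.
  if(m_endorseeRule->satisfy(*data))
    {
      if(!m_keyNameRegex->match(keyLocatorName))
        {
          unverifiedCallback(data);
          return NULL;
        }
      Name keyName = m_keyNameRegex->expand();
      _LOG_DEBUG("data name: " << data->getName());
      _LOG_DEBUG("keyName: " << keyName.toUri());

      map<Name, Publickey>::iterator it = m_trustAnchors.find(keyName);
      if(m_trustAnchors.end() != it && verifySignature(*data, it->second))
        verifiedCallback(data);
      else
        unverifiedCallback(data);

      return NULL;
    }

  _LOG_DEBUG("Unverified!");

  unverifiedCallback(data);
  return NULL;
}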
166
167// void
168// PanelPolicyManager::onCertificateVerified(Ptr<Data> certData,
169// Ptr<Data> originalData,
170// const DataCallback& verifiedCallback,
171// const UnverifiedCallback& unverifiedCallback)
172// {
173// IdentityCertificate certificate(*certData);
174
175// if(verifySignature(*originalData, certificate.getPublicKeyInfo()))
176// verifiedCallback(originalData);
177// else
178// unverifiedCallback(originalData);
179// }
180
181// void
182// PanelPolicyManager::onCertificateUnverified(Ptr<Data> certData,
183// Ptr<Data> originalData,
184// const UnverifiedCallback& unverifiedCallback)
185// { unverifiedCallback(originalData); }
186
/**
 * @brief Whether @p certificateName may sign data named @p dataName.
 *
 * Delegates entirely to m_invitationDataSigningRule, i.e. only invitation
 * data has a signing policy in this manager.
 */
bool
PanelPolicyManager::checkSigningPolicy(const Name & dataName, const Name & certificateName)
{
  const bool allowed = m_invitationDataSigningRule->satisfy(dataName, certificateName);
  return allowed;
}
192
/**
 * @brief Derive the identity that should sign data named @p dataName.
 *
 * @return the expansion of m_signingCertificateRegex when @p dataName matches
 *         it, otherwise an empty Name
 */
Name
PanelPolicyManager::inferSigningIdentity(const Name & dataName)
{
  if(!m_signingCertificateRegex->match(dataName))
    return Name();

  return m_signingCertificateRegex->expand();
}
201
/**
 * @brief Register the public key of a self-endorse certificate as a trust anchor.
 *
 * The anchor is keyed by the certificate's public key name. An entry already
 * present under that name is left untouched (std::map::insert semantics).
 */
void
PanelPolicyManager::addTrustAnchor(const EndorseCertificate& selfEndorseCertificate)
{
  const Name & keyName = selfEndorseCertificate.getPublicKeyName();
  _LOG_DEBUG(keyName.toUri());
  m_trustAnchors.insert(map<Name, Publickey>::value_type(keyName, selfEndorseCertificate.getPublicKeyInfo()));
}
207}