/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
/*
 * Copyright (c) 2013, Regents of the University of California
 * Yingdi Yu
 *
 * BSD license, See the LICENSE file for more information
 *
 * Author: Yingdi Yu <yingdi@cs.ucla.edu>
 */
10
11#include "panel-policy-manager.h"
12
13#include <ndn.cxx/security/certificate/identity-certificate.h>
Yingdi Yued8cfc42013-11-01 17:37:51 -070014#include <ndn.cxx/security/cache/ttl-certificate-cache.h>
Yingdi Yu42f66462013-10-31 17:38:22 -070015#include <boost/bind.hpp>
16
17#include "logging.h"
18
using namespace std;
using namespace ndn;
using namespace ndn::security;

// Logger name used by the _LOG_ERROR / _LOG_DEBUG macros in this translation unit.
INIT_LOGGER("PanelPolicyManager");
24
/**
 * @brief Build the panel policy manager with its fixed rule set.
 *
 * @param stepLimit         Verification depth at which checkVerificationPolicy()
 *                          stops and rejects the data.
 * @param certificateCache  Cache handed in by the caller; when NULL a
 *                          TTLCertificateCache is created here instead.
 *
 * All name rules and regexes are fixed in this constructor; the set of trusted
 * keys (m_trustAnchors) is filled later through addTrustAnchor().
 */
PanelPolicyManager::PanelPolicyManager(const int & stepLimit,
                                       Ptr<CertificateCache> certificateCache)
  : m_stepLimit(stepLimit)
  , m_certificateCache(certificateCache)
  , m_localPrefixRegex(Ptr<Regex>(new Regex("^<local><ndn><prefix><><>$")))
{
  // Fall back to a TTL-based cache when the caller supplied none.
  if(NULL == m_certificateCache)
    m_certificateCache = Ptr<security::CertificateCache>(new security::TTLCertificateCache());

  // Invitation data: the signing certificate's identity (everything before <KEY>)
  // must equal the prefix captured before <chatroom> in the invitation name.
  m_invitationDataSigningRule = Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^<ndn><broadcast><chronos><invitation>([^<chatroom>]*)<chatroom>",
                                                                               "^([^<KEY>]*)<KEY>(<>*)<><ID-CERT><>$",
                                                                               "==", "\\1", "\\1\\2", true));

  // DSK certificates must be signed by a KSK certificate of the same identity.
  m_dskRule = Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^([^<KEY>]*)<KEY><dsk-.*><ID-CERT><>$",
                                                             "^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$",
                                                             "==", "\\1", "\\1\\2", true));

  // ENDORSEE data must be signed by a KSK certificate of the same identity.
  m_endorseeRule = Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^([^<DNS>]*)<DNS><>*<ENDORSEE><>$",
                                                                  "^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$",
                                                                  "==", "\\1", "\\1\\2", true));

  // Matches a KSK certificate name (with version component); expands to its key name.
  m_kskRegex = Ptr<Regex>(new Regex("^([^<KEY>]*)<KEY>(<>*<ksk-.*>)<ID-CERT><>$", "\\1\\2"));

  // Matches a KSK certificate name as used in a KeyLocator (no version); expands to the key name.
  m_keyNameRegex = Ptr<Regex>(new Regex("^([^<KEY>]*)<KEY>(<>*<ksk-.*>)<ID-CERT>$", "\\1\\2"));

  // Extracts the signing identity prefix from an invitation data name.
  m_signingCertificateRegex = Ptr<Regex>(new Regex("^<ndn><broadcast><chronos><invitation>([^<chatroom>]*)<chatroom>", "\\1"));
}
52
/// Data published under the local prefix (m_localPrefixRegex) is trusted
/// without any signature check; everything else is not.
bool
PanelPolicyManager::skipVerifyAndTrust (const Data & data)
{
  const bool underLocalPrefix = m_localPrefixRegex->match(data.getName()) ? true : false;
  return underLocalPrefix;
}
61
/// Data must be verified when its name is a KSK certificate, a DSK
/// certificate or ENDORSEE data; all other data is not covered by this policy.
/// (An invitation-data rule was once consulted here as well; it is disabled.)
bool
PanelPolicyManager::requireVerify (const Data & data)
{
  // KSK names are matched by the regex; the other two classes by their rules.
  if(m_kskRegex->match(data.getName()))
    return true;

  return m_dskRule->matchDataName(data) || m_endorseeRule->matchDataName(data);
}
78
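/**
 * @brief Decide whether @p data is trusted and deliver the verdict through
 *        exactly one of the two callbacks.
 *
 * Three classes of data are handled:
 *  - KSK certificates (m_kskRegex): accepted when the public key carried in
 *    the certificate is byte-identical to the trust anchor registered under
 *    the certificate's key name.
 *  - DSK certificates (m_dskRule) and ENDORSEE data (m_endorseeRule): the
 *    KeyLocator must name a KSK that is a trust anchor, and the signature is
 *    verified against that anchor's key.
 *  Anything else is rejected.
 *
 * @param data                Packet under examination.
 * @param stepCount           Verification depth reached so far; at or beyond
 *                            m_stepLimit the data is rejected.
 * @param verifiedCallback    Invoked when the data is accepted.
 * @param unverifiedCallback  Invoked when the data is rejected.
 * @return Always NULL: this policy never issues a follow-up ValidationRequest.
 */
Ptr<ValidationRequest>
PanelPolicyManager::checkVerificationPolicy(Ptr<Data> data,
                                            const int & stepCount,
                                            const DataCallback& verifiedCallback,
                                            const UnverifiedCallback& unverifiedCallback)
{
  // ">=" rather than "==" so a caller that overshoots the limit is still stopped.
  if(stepCount >= m_stepLimit)
    {
      _LOG_ERROR("Reach the maximum steps of verification!");
      unverifiedCallback(data);
      return NULL;
    }

  Ptr<const signature::Sha256WithRsa> sha256sig = boost::dynamic_pointer_cast<const signature::Sha256WithRsa> (data->getSignature());

  // The cast yields NULL for any other signature type; dereferencing it would
  // crash on input the remote party controls.
  if(NULL == sha256sig)
    {
      _LOG_ERROR("Signature is not Sha256WithRsa!");
      unverifiedCallback(data);
      return NULL;
    }

  if(KeyLocator::KEYNAME != sha256sig->getKeyLocator().getType())
    {
      _LOG_ERROR("Keylocator is not name!");
      unverifiedCallback(data);
      return NULL;
    }

  const Name & keyLocatorName = sha256sig->getKeyLocator().getKeyName();

  if(m_kskRegex->match(data->getName()))
    {
      Name keyName = m_kskRegex->expand();
      map<Name, Publickey>::iterator it = m_trustAnchors.find(keyName);
      if(m_trustAnchors.end() != it)
        {
          _LOG_DEBUG("found key!");
          Ptr<IdentityCertificate> identityCertificate = Ptr<IdentityCertificate>(new IdentityCertificate(*data));
          // Trust is decided by key equality only; the certificate's own
          // signature is not checked in this branch.
          // NOTE(review): if every accepted KSK certificate is expected to be
          // self-signed, verifySignature(*data, it->second) belongs here too — confirm.
          if(it->second.getKeyBlob() == identityCertificate->getPublicKeyInfo().getKeyBlob())
            verifiedCallback(data);
          else
            unverifiedCallback(data);
        }
      else
        unverifiedCallback(data);

      return NULL;
    }

  // DSK certificates and ENDORSEE data share the same check: the KeyLocator
  // must name a KSK that is a trust anchor, and that key must verify the signature.
  if(m_dskRule->satisfy(*data) || m_endorseeRule->satisfy(*data))
    {
      // Refuse rather than expand() a regex that did not match.
      if(!m_keyNameRegex->match(keyLocatorName))
        {
          _LOG_ERROR("KeyLocator does not name a KSK certificate!");
          unverifiedCallback(data);
          return NULL;
        }
      Name keyName = m_keyNameRegex->expand();

      // Single lookup; operator[] would default-insert a Publickey for an unknown name.
      map<Name, Publickey>::iterator it = m_trustAnchors.find(keyName);
      if(m_trustAnchors.end() != it && verifySignature(*data, it->second))
        verifiedCallback(data);
      else
        unverifiedCallback(data);

      return NULL;
    }

  _LOG_DEBUG("Unverified!");

  unverifiedCallback(data);
  return NULL;
}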
160
/// A certificate may sign @p dataName only if the invitation rule accepts the
/// pair: the certificate's identity must equal the prefix captured from the data name.
bool
PanelPolicyManager::checkSigningPolicy(const Name & dataName, const Name & certificateName)
{
  IdentityPolicyRule & rule = *m_invitationDataSigningRule;
  return rule.satisfy(dataName, certificateName);
}
166
/// Only invitation data has an inferable signing identity: the prefix captured
/// before <chatroom>. Any other name yields an empty Name.
Name
PanelPolicyManager::inferSigningIdentity(const Name & dataName)
{
  if(!m_signingCertificateRegex->match(dataName))
    return Name();

  return m_signingCertificateRegex->expand();
}
175
/// Register the public key of a self-endorse certificate as a trust anchor,
/// keyed by its public key name. std::map::insert keeps an existing entry, so
/// re-adding a name does not replace the key already trusted under it.
void
PanelPolicyManager::addTrustAnchor(const EndorseCertificate& selfEndorseCertificate)
{
  // _LOG_DEBUG("Add Anchor: " << selfEndorseCertificate.getPublicKeyName().toUri());
  const Name anchorName = selfEndorseCertificate.getPublicKeyName();
  const Publickey anchorKey = selfEndorseCertificate.getPublicKeyInfo();
  m_trustAnchors.insert(make_pair(anchorName, anchorKey));
}