blob: 33717d5f4516d442a6824a224490cfc4de65488d [file] [log] [blame]
Yingdi Yu42f66462013-10-31 17:38:22 -07001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
2/*
3 * Copyright (c) 2013, Regents of the University of California
4 * Yingdi Yu
5 *
6 * BSD license, See the LICENSE file for more information
7 *
8 * Author: Yingdi Yu <yingdi@cs.ucla.edu>
9 */
10
11#include "panel-policy-manager.h"
12
13#include <ndn.cxx/security/certificate/identity-certificate.h>
Yingdi Yued8cfc42013-11-01 17:37:51 -070014#include <ndn.cxx/security/cache/ttl-certificate-cache.h>
Yingdi Yu42f66462013-10-31 17:38:22 -070015#include <boost/bind.hpp>
16
17#include "logging.h"
18
19using namespace std;
20using namespace ndn;
21using namespace ndn::security;
22
23INIT_LOGGER("PanelPolicyManager");
24
25PanelPolicyManager::PanelPolicyManager(const int & stepLimit,
Yingdi Yued8cfc42013-11-01 17:37:51 -070026 Ptr<CertificateCache> certificateCache)
Yingdi Yu42f66462013-10-31 17:38:22 -070027 : m_stepLimit(stepLimit)
28 , m_certificateCache(certificateCache)
29 , m_localPrefixRegex(Ptr<Regex>(new Regex("^<local><ndn><prefix><><>$")))
30{
Yingdi Yued8cfc42013-11-01 17:37:51 -070031 if(NULL == m_certificateCache)
32 m_certificateCache = Ptr<security::CertificateCache>(new security::TTLCertificateCache());
33
Yingdi Yu42f66462013-10-31 17:38:22 -070034 m_invitationDataSigningRule = Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^<ndn><broadcast><chronos><invitation>([^<chatroom>]*)<chatroom>",
Yingdi Yued8cfc42013-11-01 17:37:51 -070035 "^([^<KEY>]*)<KEY>(<>*)<><ID-CERT><>$",
36 "==", "\\1", "\\1\\2", true));
Yingdi Yu42f66462013-10-31 17:38:22 -070037
38 m_dskRule = Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^([^<KEY>]*)<KEY><dsk-.*><ID-CERT><>$",
39 "^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>$",
40 "==", "\\1", "\\1\\2", true));
Yingdi Yued8cfc42013-11-01 17:37:51 -070041 m_kskRegex = Ptr<Regex>(new Regex("^([^<KEY>]*)<KEY>(<>*<ksk-.*>)<ID-CERT><>$", "\\1\\2"));
Yingdi Yu42f66462013-10-31 17:38:22 -070042
43 m_keyNameRegex = Ptr<Regex>(new Regex("^([^<KEY>]*)<KEY>(<>*<ksk-.*>)<ID-CERT>$", "\\1\\2"));
44
45 m_signingCertificateRegex = Ptr<Regex>(new Regex("^<ndn><broadcast><chronos><invitation>([^<chatroom>]*)<chatroom>", "\\1"));
46}
47
48bool
49PanelPolicyManager::skipVerifyAndTrust (const Data & data)
50{
51 if(m_localPrefixRegex->match(data.getName()))
52 return true;
53
54 return false;
55}
56
57bool
58PanelPolicyManager::requireVerify (const Data & data)
59{
60 // if(m_invitationDataRule->matchDataName(data))
61 // return true;
62
Yingdi Yued8cfc42013-11-01 17:37:51 -070063 if(m_kskRegex->match(data.getName()))
64 return true;
Yingdi Yu42f66462013-10-31 17:38:22 -070065 if(m_dskRule->matchDataName(data))
66 return true;
67
68 return false;
69}
70
71Ptr<ValidationRequest>
72PanelPolicyManager::checkVerificationPolicy(Ptr<Data> data,
73 const int & stepCount,
74 const DataCallback& verifiedCallback,
75 const UnverifiedCallback& unverifiedCallback)
76{
77 _LOG_DEBUG("checkVerificationPolicy");
78 if(m_stepLimit == stepCount)
79 {
80 _LOG_DEBUG("reach the maximum steps of verification");
81 unverifiedCallback(data);
82 return NULL;
83 }
84
85 Ptr<const signature::Sha256WithRsa> sha256sig = boost::dynamic_pointer_cast<const signature::Sha256WithRsa> (data->getSignature());
86
87 if(KeyLocator::KEYNAME != sha256sig->getKeyLocator().getType())
88 {
89 unverifiedCallback(data);
90 return NULL;
91 }
92
93 const Name & keyLocatorName = sha256sig->getKeyLocator().getKeyName();
94
Yingdi Yued8cfc42013-11-01 17:37:51 -070095 if(m_kskRegex->match(data->getName()))
96 {
97 _LOG_DEBUG("is ksk");
98 Name keyName = m_kskRegex->expand();
99 _LOG_DEBUG("ksk name: " << keyName.toUri());
100 map<Name, Publickey>::iterator it = m_trustAnchors.find(keyName);
101 if(m_trustAnchors.end() != it)
102 {
103 _LOG_DEBUG("found key!");
104 Ptr<IdentityCertificate> identityCertificate = Ptr<IdentityCertificate>(new IdentityCertificate(*data));
105 if(it->second.getKeyBlob() == identityCertificate->getPublicKeyInfo().getKeyBlob())
106 {
107 _LOG_DEBUG("same key!");
108 verifiedCallback(data);
109 }
110 else
111 unverifiedCallback(data);
112 }
113 else
114 unverifiedCallback(data);
Yingdi Yu42f66462013-10-31 17:38:22 -0700115
Yingdi Yued8cfc42013-11-01 17:37:51 -0700116 return NULL;
117 }
Yingdi Yu42f66462013-10-31 17:38:22 -0700118
119 if(m_dskRule->satisfy(*data))
120 {
121 m_keyNameRegex->match(keyLocatorName);
122 Name keyName = m_keyNameRegex->expand();
Yingdi Yu42f66462013-10-31 17:38:22 -0700123
124 if(m_trustAnchors.end() != m_trustAnchors.find(keyName))
125 if(verifySignature(*data, m_trustAnchors[keyName]))
126 verifiedCallback(data);
127 else
128 unverifiedCallback(data);
129 else
130 unverifiedCallback(data);
131
132 return NULL;
133 }
134 _LOG_DEBUG("Unverified!");
135
136 unverifiedCallback(data);
137 return NULL;
138}
139
140// void
141// PanelPolicyManager::onCertificateVerified(Ptr<Data> certData,
142// Ptr<Data> originalData,
143// const DataCallback& verifiedCallback,
144// const UnverifiedCallback& unverifiedCallback)
145// {
146// IdentityCertificate certificate(*certData);
147
148// if(verifySignature(*originalData, certificate.getPublicKeyInfo()))
149// verifiedCallback(originalData);
150// else
151// unverifiedCallback(originalData);
152// }
153
154// void
155// PanelPolicyManager::onCertificateUnverified(Ptr<Data> certData,
156// Ptr<Data> originalData,
157// const UnverifiedCallback& unverifiedCallback)
158// { unverifiedCallback(originalData); }
159
160bool
161PanelPolicyManager::checkSigningPolicy(const Name & dataName, const Name & certificateName)
162{
163 return m_invitationDataSigningRule->satisfy(dataName, certificateName);
164}
165
166Name
167PanelPolicyManager::inferSigningIdentity(const Name & dataName)
168{
169 if(m_signingCertificateRegex->match(dataName))
170 return m_signingCertificateRegex->expand();
171 else
172 return Name();
173}
174
175void
176PanelPolicyManager::addTrustAnchor(const EndorseCertificate& selfEndorseCertificate)
177{
178 _LOG_DEBUG(selfEndorseCertificate.getPublicKeyName().toUri());
179 m_trustAnchors.insert(pair <Name, Publickey > (selfEndorseCertificate.getPublicKeyName(), selfEndorseCertificate.getPublicKeyInfo()));
180}