| Zhenkai Zhu | dd1f14d | 2013-03-13 12:04:28 -0700 | [diff] [blame^] | 1 | /* -*- Mode: C++; c-file-style: "gnu"; indent-tabs-mode:nil -*- */ |
| 2 | /* |
| 3 | * Copyright (c) 2013 University of California, Los Angeles |
| 4 | * |
| 5 | * This program is free software; you can redistribute it and/or modify |
| 6 | * it under the terms of the GNU General Public License version 2 as |
| 7 | * published by the Free Software Foundation; |
| 8 | * |
| 9 | * This program is distributed in the hope that it will be useful, |
| 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 12 | * GNU General Public License for more details. |
| 13 | * |
| 14 | * You should have received a copy of the GNU General Public License |
| 15 | * along with this program; if not, write to the Free Software |
| 16 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| 17 | * |
| 18 | * Author: Zhenkai Zhu <zhenkai@cs.ucla.edu> |
| 19 | * Alexander Afanasyev <alexander.afanasyev@ucla.edu> |
| 20 | */ |
| 21 | |
| 22 | #include "ccnx-verifier.h" |
| 23 | |
| 24 | namespace Ccnx { |
| 25 | |
| 26 | static const size_t ROOT_KEY_DIGEST_LEN = 32; // SHA-256 |
| 27 | static const unsigned char ROOT_KEY_DIGEST[ROOT_KEY_DIGEST_LEN] = {0xa7, 0xd9, 0x8b, 0x81, 0xde, 0x13, 0xfc, |
| 28 | 0x56, 0xc5, 0xa6, 0x92, 0xb4, 0x44, 0x93, 0x6e, 0x56, 0x70, 0x9d, 0x52, 0x6f, 0x70, |
| 29 | 0xed, 0x39, 0xef, 0xb5, 0xe2, 0x3, 0x29, 0xa5, 0x53, 0x3e, 0x68}; |
| 30 | |
| 31 | Verifier::Verifier(CcnxWrapper *ccnx) |
| 32 | : m_ccnx(ccnx) |
| 33 | , m_rootKeyDigest(ROOT_KEY_DIGEST, ROOT_KEY_DIGEST_LEN) |
| 34 | { |
| 35 | } |
| 36 | |
| 37 | Verifier::~Verifier() |
| 38 | { |
| 39 | } |
| 40 | |
| 41 | bool |
| 42 | Verifier::verify(const PcoPtr &pco) |
| 43 | { |
| 44 | if (pco->integrityChecked()) |
| 45 | { |
| 46 | return false; |
| 47 | } |
| 48 | |
| 49 | HashPtr publisherPublicKeyDigest = pco->publisherPublicKeyDigest(); |
| 50 | KeyCache::iterator it = m_keyCache.find(*publisherPublicKeyDigest); |
| 51 | if (it != m_keyCache.end()) |
| 52 | { |
| 53 | KeyPtr key = it->second; |
| 54 | if (key->validity() == Key::WITHIN_VALID_TIME_SPAN) |
| 55 | { |
| 56 | // integrity checked, and the key is trustworthy |
| 57 | pco->setVerified(true); |
| 58 | return true; |
| 59 | } |
| 60 | else |
| 61 | { |
| 62 | // delete the invalid key cache |
| 63 | m_keyCache.erase(it); |
| 64 | } |
| 65 | } |
| 66 | |
| 67 | // keyName is the name specified in key locator, i.e. without version and segment |
| 68 | Name keyName = pco->keyName(); |
| 69 | int keyNameSize = keyName.size(); |
| 70 | |
| 71 | // for keys, we have to make sure key name is strictly prefix of the content name |
| 72 | if (pco->type() == ParsedContentObject::KEY) |
| 73 | { |
| 74 | Name contentName = pco->name(); |
| 75 | if (keyNameSize >= contentName.size() || contentName.getPartialName(0, keyNameSize) != keyName) |
| 76 | { |
| 77 | return false; |
| 78 | } |
| 79 | } |
| 80 | else |
| 81 | { |
| 82 | // for now, user can assign any data using his key |
| 83 | } |
| 84 | |
| 85 | Name metaName = keyName.getPartialName(0, keyNameSize - 1) + Name("/info") + keyName.getPartialName(keyNameSize - 1); |
| 86 | |
| 87 | Selectors selectors; |
| 88 | |
| 89 | selectors.childSelector(Selectors::RIGHT) |
| 90 | .interestLifetime(1.0); |
| 91 | |
| 92 | PcoPtr keyObject = m_ccnx->get(keyName, selectors); |
| 93 | PcoPtr metaObject = m_ccnx->get(metaName, selectors); |
| 94 | if (!keyObject || !metaObject || !keyObject->integrityChecked() || !metaObject->integrityChecked()) |
| 95 | { |
| 96 | return false; |
| 97 | } |
| 98 | |
| 99 | HashPtr publisherKeyHashInKeyObject = keyObject->publisherPublicKeyDigest(); |
| 100 | HashPtr publisherKeyHashInMetaObject = metaObject->publisherPublicKeyDigest(); |
| 101 | |
| 102 | // make sure key and meta are signed using the same key |
| 103 | if (publisherKeyHashInKeyObject->IsZero() || ! (*publisherKeyHashInKeyObject == *publisherKeyHashInMetaObject)) |
| 104 | { |
| 105 | return false; |
| 106 | } |
| 107 | |
| 108 | KeyPtr key = boost::make_shared<Key>(keyObject, metaObject); |
| 109 | if (key->validity() != Key::WITHIN_VALID_TIME_SPAN) |
| 110 | { |
| 111 | return false; |
| 112 | } |
| 113 | |
| 114 | // check pco is actually signed by this key (maybe redundant) |
| 115 | if (! (*pco->publisherPublicKeyDigest() == key->hash())) |
| 116 | { |
| 117 | return false; |
| 118 | } |
| 119 | |
| 120 | // now we only need to make sure the keyObject is trustworthy |
| 121 | if (key->hash() == m_rootKeyDigest) |
| 122 | { |
| 123 | // the key is the root key |
| 124 | // do nothing now |
| 125 | } |
| 126 | else |
| 127 | { |
| 128 | // can not verify key |
| 129 | if (!verify(keyObject)) |
| 130 | { |
| 131 | return false; |
| 132 | } |
| 133 | } |
| 134 | |
| 135 | // ok, keyObject verified, because metaObject is signed by the same parent key and integrity checked |
| 136 | // so metaObject is also verified |
| 137 | m_keyCache.insert(std::make_pair(key->hash(), key)); |
| 138 | |
| 139 | pco->setVerified(true); |
| 140 | return true; |
| 141 | } |
| 142 | |
| 143 | } // Ccnx |