security: adjusting class names and method names to the new ndn-cpp security api
diff --git a/src/sec-policy-sync.cc b/src/sec-policy-sync.cc
new file mode 100644
index 0000000..5a07b5c
--- /dev/null
+++ b/src/sec-policy-sync.cc
@@ -0,0 +1,462 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/*
+ * Copyright (c) 2013, Regents of the University of California
+ * Yingdi Yu
+ *
+ * BSD license, See the LICENSE file for more information
+ *
+ * Author: Yingdi Yu <yingdi@cs.ucla.edu>
+ */
+
+#include "sync-intro-certificate.h"
+#include "sync-logging.h"
+#include <ndn-cpp/security/verifier.hpp>
+#include <ndn-cpp/security/signature-sha256-with-rsa.hpp>
+
+#include "sec-policy-sync.h"
+
+using namespace ndn;
+using namespace ndn::ptr_lib;
+using namespace std;
+
+INIT_LOGGER("SecPolicySync");
+
+SecPolicySync::SecPolicySync(const Name& signingIdentity,
+ const Name& signingCertificateName,
+ const Name& syncPrefix,
+ shared_ptr<Face> face,
+ int stepLimit)
+ : m_signingIdentity(signingIdentity)
+ , m_signingCertificateName(signingCertificateName.getPrefix(signingCertificateName.size()-1))
+ , m_syncPrefix(syncPrefix)
+ , m_stepLimit(stepLimit)
+ , m_keyChain(new KeyChain())
+{
+ Name wotPrefix = syncPrefix;
+ wotPrefix.append("WOT");
+ m_syncPrefixRegex = Regex::fromName(syncPrefix);
+ m_wotPrefixRegex = Regex::fromName(wotPrefix);
+ m_chatDataPolicy = make_shared<SecRuleIdentity>("^[^<%F0.>]*<%F0.>([^<chronos>]*)<chronos><>",
+ "^([^<KEY>]*)<KEY>(<>*)[<dsk-.*><ksk-.*>]<ID-CERT>$",
+ "==", "\\1", "\\1", true);
+}
+
+SecPolicySync::~SecPolicySync()
+{}
+
+bool
+SecPolicySync::skipVerifyAndTrust (const Data& data)
+{ return false; }
+
+bool
+SecPolicySync::requireVerify (const Data& data)
+{ return true; }
+
+shared_ptr<ValidationRequest>
+SecPolicySync::checkVerificationPolicy(const shared_ptr<Data>& data,
+ int stepCount,
+ const OnVerified& onVerified,
+ const OnVerifyFailed& onVerifyFailed)
+{
+ if(stepCount > m_stepLimit)
+ {
+ onVerifyFailed(data);
+ return shared_ptr<ValidationRequest>();
+ }
+
+ try{
+ SignatureSha256WithRsa sig(data->getSignature());
+
+ const Name& keyLocatorName = sig.getKeyLocator().getName();
+
+ // if data is intro cert
+ if(m_wotPrefixRegex->match(data->getName()))
+ {
+ // _LOG_DEBUG("Intro Cert");
+ Name keyName = IdentityCertificate::certificateNameToPublicKeyName(keyLocatorName);
+ map<string, PublicKey>::const_iterator it = m_trustedIntroducers.find(keyName.toUri());
+ if(m_trustedIntroducers.end() != it)
+ {
+ if(Verifier::verifySignature(*data, sig, it->second))
+ onVerified(data);
+ else
+ onVerifyFailed(data);
+ return shared_ptr<ValidationRequest>();
+ }
+ else
+ return prepareRequest(keyName, true, data, stepCount, onVerified, onVerifyFailed);
+ }
+
+ // if data is sync data or chat data
+ if(m_syncPrefixRegex->match(data->getName()) || m_chatDataPolicy->satisfy(*data))
+ {
+ Name keyName = IdentityCertificate::certificateNameToPublicKeyName(keyLocatorName);
+
+ map<string, PublicKey>::const_iterator it = m_trustedIntroducers.find(keyName.toUri());
+ if(m_trustedIntroducers.end() != it)
+ {
+ if(Verifier::verifySignature(*data, sig, it->second))
+ onVerified(data);
+ else
+ onVerifyFailed(data);
+ return shared_ptr<ValidationRequest>();
+ }
+
+ it = m_trustedProducers.find(keyName.toUri());
+ if(m_trustedProducers.end() != it)
+ {
+ if(Verifier::verifySignature(*data, sig, it->second))
+ onVerified(data);
+ else
+ onVerifyFailed(data);
+ return shared_ptr<ValidationRequest>();
+ }
+
+ return prepareRequest(keyName, false, data, stepCount, onVerified, onVerifyFailed);
+ }
+ }catch(SignatureSha256WithRsa::Error &e){
+ _LOG_DEBUG("SecPolicySync Error: " << e.what());
+ onVerifyFailed(data);
+ return shared_ptr<ValidationRequest>();
+ }catch(KeyLocator::Error &e){
+ _LOG_DEBUG("SecPolicySync Error: " << e.what());
+ onVerifyFailed(data);
+ return shared_ptr<ValidationRequest>();
+ }
+
+ onVerifyFailed(data);
+ return shared_ptr<ValidationRequest>();
+}
+
+bool
+SecPolicySync::checkSigningPolicy(const Name& dataName,
+ const Name& certificateName)
+{
+ return true;
+}
+
+Name
+SecPolicySync::inferSigningIdentity(const ndn::Name& dataName)
+{ return m_signingIdentity; }
+
+void
+SecPolicySync::addTrustAnchor(const IdentityCertificate& identityCertificate, bool isIntroducer)
+{
+ // _LOG_DEBUG("Add intro/producer: " << identityCertificate.getPublicKeyName());
+ if(isIntroducer)
+ m_trustedIntroducers.insert(pair <string, PublicKey > (identityCertificate.getPublicKeyName().toUri(),
+ identityCertificate.getPublicKeyInfo()));
+ else
+ m_trustedProducers.insert(pair <string, PublicKey > (identityCertificate.getPublicKeyName().toUri(),
+ identityCertificate.getPublicKeyInfo()));
+}
+
+void
+SecPolicySync::addChatDataRule(const Name& prefix,
+ const IdentityCertificate& identityCertificate,
+ bool isIntroducer)
+{
+ addTrustAnchor(identityCertificate, isIntroducer);
+}
+
+
+shared_ptr<const vector<Name> >
+SecPolicySync::getAllIntroducerName()
+{
+ shared_ptr<vector<Name> > nameList = make_shared<vector<Name> >();
+
+ map<string, PublicKey>::iterator it = m_trustedIntroducers.begin();
+ for(; it != m_trustedIntroducers.end(); it++)
+ nameList->push_back(Name(it->first));
+
+ return nameList;
+}
+
+shared_ptr<ValidationRequest>
+SecPolicySync::prepareRequest(const Name& keyName,
+ bool forIntroducer,
+ shared_ptr<Data> data,
+ const int & stepCount,
+ const OnVerified& onVerified,
+ const OnVerifyFailed& onVerifyFailed)
+{
+ shared_ptr<Name> interestPrefixName = make_shared<Name>(m_syncPrefix);
+ interestPrefixName->append("WOT").append(keyName).append("INTRO-CERT");
+
+ shared_ptr<const vector<Name> > nameList = getAllIntroducerName();
+ if(0 == nameList->size())
+ {
+ onVerifyFailed(data);
+ return shared_ptr<ValidationRequest>();
+ }
+
+ Name interestName = *interestPrefixName;
+ interestName.append(nameList->at(0));
+
+ if(forIntroducer)
+ interestName.append("INTRODUCER");
+
+ shared_ptr<ndn::Interest> interest = make_shared<ndn::Interest>(interestName);
+ // _LOG_DEBUG("send interest for intro cert: " << interest->getName());
+
+ OnVerified requestedCertVerifiedCallback = boost::bind(&SecPolicySync::onIntroCertVerified,
+ this,
+ _1,
+ forIntroducer,
+ data,
+ onVerified,
+ onVerifyFailed);
+
+ OnVerifyFailed requestedCertUnverifiedCallback = boost::bind(&SecPolicySync::onIntroCertVerifyFailed,
+ this,
+ _1,
+ interestPrefixName,
+ forIntroducer,
+ nameList,
+ 1,
+ data,
+ onVerified,
+ onVerifyFailed);
+
+
+ shared_ptr<ValidationRequest> nextStep = make_shared<ValidationRequest>(interest,
+ requestedCertVerifiedCallback,
+ requestedCertUnverifiedCallback,
+ 1,
+ m_stepLimit-1);
+ return nextStep;
+}
+
+void
+SecPolicySync::OnIntroCertInterest(const shared_ptr<const Name>& prefix,
+ const shared_ptr<const ndn::Interest>& interest,
+ Transport& transport,
+ uint64_t registeredPrefixId)
+{
+ map<string, Data>::const_iterator it = m_introCert.find(prefix->toUri());
+
+ if(m_introCert.end() != it)
+ m_face->put(it->second);
+}
+
+void
+SecPolicySync::OnIntroCertRegisterFailed(const shared_ptr<const Name>& prefix)
+{
+}
+
+void
+SecPolicySync::onIntroCertVerified(const shared_ptr<Data>& introCertificateData,
+ bool forIntroducer,
+ shared_ptr<Data> originalData,
+ const OnVerified& onVerified,
+ const OnVerifyFailed& onVerifyFailed)
+{
+ shared_ptr<SyncIntroCertificate> introCertificate = make_shared<SyncIntroCertificate>(*introCertificateData);
+ if(forIntroducer)
+ {
+ m_trustedIntroducers.insert(pair <string, PublicKey > (introCertificate->getPublicKeyName().toUri(),
+ introCertificate->getPublicKeyInfo()));
+ SyncIntroCertificate syncIntroCertificate(m_syncPrefix,
+ introCertificate->getPublicKeyName(),
+ m_keyChain->getDefaultKeyNameForIdentity(m_signingIdentity),
+ introCertificate->getNotBefore(),
+ introCertificate->getNotAfter(),
+ introCertificate->getPublicKeyInfo(),
+ SyncIntroCertificate::INTRODUCER);
+
+ Name certName = m_keyChain->getDefaultCertificateNameForIdentity(m_signingIdentity);
+ _LOG_DEBUG("Publish Intro Certificate on Verified: " << syncIntroCertificate.getName());
+ m_keyChain->sign(syncIntroCertificate, certName);
+
+ m_face->put(syncIntroCertificate);
+
+ // Name prefix = syncIntroCertificate.getName().getPrefix(syncIntroCertificate.getName().size()-1);
+
+ // map<string, Data>::const_iterator it = m_introCert.find(prefix.toEscapedString());
+ // if(m_introCert.end() != it)
+ // {
+ // it->second = syncIntroCertificate;
+ // }
+ // else
+ // {
+ // m_introCert.insert(pair <string, Data> (prefix.toEscapedString(), syncIntroCertificate));
+ // m_face->registerPrefix(prefix,
+ // boost::bind(&SecPolicySync::onIntroCertInterest, this, _1, _2, _3, _4),
+ // boost::bind(&SecPolicySync::onIntroCertRegisterFailed, this, _1));
+ // }
+ }
+ else
+ {
+ m_trustedProducers.insert(pair <string, PublicKey > (introCertificate->getPublicKeyName().toUri(),
+ introCertificate->getPublicKeyInfo()));
+ SyncIntroCertificate syncIntroCertificate(m_syncPrefix,
+ introCertificate->getPublicKeyName(),
+ m_keyChain->getDefaultKeyNameForIdentity(m_signingIdentity),
+ introCertificate->getNotBefore(),
+ introCertificate->getNotAfter(),
+ introCertificate->getPublicKeyInfo(),
+ SyncIntroCertificate::PRODUCER);
+
+ Name certName = m_keyChain->getDefaultCertificateNameForIdentity(m_signingIdentity);
+ _LOG_DEBUG("Publish Intro Certificate on Verified: " << syncIntroCertificate.getName());
+ m_keyChain->sign(syncIntroCertificate, certName);
+
+ m_face->put(syncIntroCertificate);
+
+ // Name prefix = syncIntroCertificate.getName().getPrefix(syncIntroCertificate.getName().size()-1);
+
+ // map<string, Data>::const_iterator it = m_introCert.find(prefix.toEscapedString());
+ // if(m_introCert.end() != it)
+ // {
+ // it->second = syncIntroCertificate;
+ // }
+ // else
+ // {
+ // m_introCert.insert(pair <string, Data> (prefix.toEscapedString(), syncIntroCertificate));
+ // m_face->registerPrefix(prefix,
+ // boost::bind(&SecPolicySync::onIntroCertInterest, this, _1, _2, _3, _4),
+ // boost::bind(&SecPolicySync::onIntroCertRegisterFailed, this, _1));
+ // }
+ }
+
+ try{
+ SignatureSha256WithRsa sig(originalData->getSignature());
+ if(Verifier::verifySignature(*originalData, sig, introCertificate->getPublicKeyInfo()))
+ onVerified(originalData);
+ else
+ onVerifyFailed(originalData);
+ }catch(SignatureSha256WithRsa::Error &e){
+ onVerifyFailed(originalData);
+ }catch(KeyLocator::Error &e){
+ onVerifyFailed(originalData);
+ }
+}
+
+void
+SecPolicySync::onIntroCertVerifyFailed(const shared_ptr<Data>& introCertificateData,
+ shared_ptr<Name> interestPrefixName,
+ bool forIntroducer,
+ shared_ptr<const vector<Name> > introNameList,
+ int nextIntroducerIndex,
+ shared_ptr<Data> originalData,
+ const OnVerified& onVerified,
+ const OnVerifyFailed& onVerifyFailed)
+{
+ Name interestName = *interestPrefixName;
+ if(nextIntroducerIndex < introNameList->size())
+ interestName.append(introNameList->at(nextIntroducerIndex));
+ else
+ onVerifyFailed(originalData);
+
+ if(forIntroducer)
+ interestName.append("INTRODUCER");
+
+ shared_ptr<ndn::Interest> interest = make_shared<ndn::Interest>(interestName);
+
+ OnVerified onRecursiveVerified = boost::bind(&SecPolicySync::onIntroCertVerified,
+ this,
+ _1,
+ forIntroducer,
+ originalData,
+ onVerified,
+ onVerifyFailed);
+
+ OnVerifyFailed onRecursiveVerifyFailed = boost::bind(&SecPolicySync::onIntroCertVerifyFailed,
+ this,
+ _1,
+ interestPrefixName,
+ forIntroducer,
+ introNameList,
+ nextIntroducerIndex + 1,
+ originalData,
+ onVerified,
+ onVerifyFailed);
+
+ m_face->expressInterest(*interest,
+ boost::bind(&SecPolicySync::onIntroCertData,
+ this,
+ _1,
+ _2,
+ m_stepLimit-1,
+ onRecursiveVerified,
+ onRecursiveVerifyFailed,
+ originalData,
+ onVerifyFailed),
+ boost::bind(&SecPolicySync::onIntroCertTimeout,
+ this,
+ _1,
+ 1,
+ m_stepLimit-1,
+ onRecursiveVerified,
+ onRecursiveVerifyFailed,
+ originalData,
+ onVerifyFailed));
+}
+
+void
+SecPolicySync::onIntroCertData(const shared_ptr<const ndn::Interest> &interest,
+ const shared_ptr<Data>& introCertificateData,
+ int stepCount,
+ const OnVerified& onRecursiveVerified,
+ const OnVerifyFailed& onRecursiveVerifyFailed,
+ shared_ptr<Data> originalData,
+ const OnVerifyFailed& onVerifyFailed)
+{
+ shared_ptr<ValidationRequest> nextStep = checkVerificationPolicy(introCertificateData, stepCount, onRecursiveVerified, onRecursiveVerifyFailed);
+ if (nextStep)
+ m_face->expressInterest
+ (*nextStep->interest_,
+ boost::bind(&SecPolicySync::onIntroCertData,
+ this,
+ _1,
+ _2,
+ nextStep->stepCount_,
+ nextStep->onVerified_,
+ nextStep->onVerifyFailed_,
+ introCertificateData,
+ onRecursiveVerifyFailed),
+ boost::bind(&SecPolicySync::onIntroCertTimeout,
+ this,
+ _1,
+ nextStep->retry_,
+ nextStep->stepCount_,
+ nextStep->onVerified_,
+ nextStep->onVerifyFailed_,
+ introCertificateData,
+ onRecursiveVerifyFailed));
+}
+
+void
+SecPolicySync::onIntroCertTimeout(const shared_ptr<const ndn::Interest>& interest,
+ int retry,
+ int stepCount,
+ const OnVerified& onRecursiveVerified,
+ const OnVerifyFailed& onRecursiveVerifyFailed,
+ shared_ptr<Data> originalData,
+ const OnVerifyFailed& onVerifyFailed)
+{
+ if(retry > 0)
+ {
+ m_face->expressInterest(*interest,
+ boost::bind(&SecPolicySync::onIntroCertData,
+ this,
+ _1,
+ _2,
+ stepCount,
+ onRecursiveVerified,
+ onRecursiveVerifyFailed,
+ originalData,
+ onVerifyFailed),
+ boost::bind(&SecPolicySync::onIntroCertTimeout,
+ this,
+ _1,
+ retry - 1,
+ stepCount,
+ onRecursiveVerified,
+ onRecursiveVerifyFailed,
+ originalData,
+ onVerifyFailed));
+ }
+ else
+ onVerifyFailed(originalData);
+}