security: In KeyChain::verifyData, actually check policyManager_->requireVerify and skipVerifyAndTrust. Use of ValidationRequest is still not implemented
diff --git a/src/security/key-chain.cpp b/src/security/key-chain.cpp
index 37c1513..9350850 100644
--- a/src/security/key-chain.cpp
+++ b/src/security/key-chain.cpp
@@ -12,6 +12,7 @@
#include "../util/logging.hpp"
#include <ndn-cpp/security/security-exception.hpp>
#include <ndn-cpp/security/policy/policy-manager.hpp>
+#include "policy/validation-request.hpp"
#include <ndn-cpp/security/key-chain.hpp>
using namespace std;
@@ -38,66 +39,6 @@
{
}
-static bool
-verifySignature(const Data& data /*, const Publickey& publickey */)
-{
-#if 0
- using namespace CryptoPP;
-
- Blob unsignedData(data.getSignedBlob()->signed_buf(), data.getSignedBlob()->signed_size());
- bool result = false;
-
- // Temporarily hardwire. It should be assigned by Signature.getAlgorithm().
- DigestAlgorithm digestAlg = DIGEST_SHA256;
- // Temporarily hardwire. It should be assigned by Publickey.getKeyType().
- KeyType keyType = KEY_TYPE_RSA;
- if (keyType == KEY_TYPE_RSA) {
- RSA::PublicKey pubKey;
- ByteQueue queue;
-
- queue.Put((const byte*)publickey.getKeyBlob ().buf (), publickey.getKeyBlob ().size ());
- pubKey.Load(queue);
-
- if (DIGEST_SHA256 == digestAlg) {
- Ptr<const signature::Sha256WithRsa> sigPtr = boost::dynamic_pointer_cast<const signature::Sha256WithRsa> (data.getSignature());
- const Blob & sigBits = sigPtr->getSignatureBits();
-
- RSASS<PKCS1v15, SHA256>::Verifier verifier (pubKey);
- result = verifier.VerifyMessage((const byte*) unsignedData.buf(), unsignedData.size(), (const byte*)sigBits.buf(), sigBits.size());
- _LOG_DEBUG("Signature verified? " << data.getName() << " " << boolalpha << result);
- }
- }
-
- return result;
-#else
- const Sha256WithRsaSignature *signature = dynamic_cast<const Sha256WithRsaSignature*>(data.getSignature());
- if (!signature)
- throw SecurityException("signature is not Sha256WithRsaSignature.");
-
- if (signature->getDigestAlgorithm().size() != 0)
- // TODO: Allow a non-default digest algorithm.
- throw UnrecognizedDigestAlgorithmException("Cannot verify a data packet with a non-default digest algorithm.");
- if (!data.getDefaultWireEncoding())
- data.wireEncode();
- uint8_t signedPortionDigest[SHA256_DIGEST_LENGTH];
- ndn_digestSha256(data.getDefaultWireEncoding().signedBuf(), data.getDefaultWireEncoding().signedSize(), signedPortionDigest);
-
- // Verify the signedPortionDigest.
- // Use a temporary pointer since d2i updates it.
- const uint8_t *derPointer = DEFAULT_PUBLIC_KEY_DER;
- RSA *publicKey = d2i_RSA_PUBKEY(NULL, &derPointer, sizeof(DEFAULT_PUBLIC_KEY_DER));
- if (!publicKey)
- throw UnrecognizedKeyFormatException("Error decoding public key in d2i_RSAPublicKey");
- int success = RSA_verify
- (NID_sha256, signedPortionDigest, sizeof(signedPortionDigest), (uint8_t *)signature->getSignature().buf(),
- signature->getSignature().size(), publicKey);
- // Free the public key before checking for success.
- RSA_free(publicKey);
-
- return (success == 1);
-#endif
-}
-
void
KeyChain::sign(Data& data, const Name& certificateName, WireFormat& wireFormat)
{
@@ -151,13 +92,30 @@
{
_LOG_TRACE("Enter Verify");
-#if 0
- if (m_policyManager->requireVerify(*dataPtr))
- stepVerify(dataPtr, true, maxStep_, onVerified, onVerifyFailed);
- else if(m_policyManager->skipVerify(*dataPtr))
+ if (policyManager_->requireVerify(*data)) {
+ shared_ptr<ValidationRequest> nextStep = policyManager_->checkVerificationPolicy
+ (data, stepCount, onVerified, onVerifyFailed);
+ if (nextStep) {
+#if 0 // TODO: implement
+ Ptr<Closure> closure = Ptr<Closure> (new Closure(nextStep->m_verifiedCallback,
+ boost::bind(&Keychain::onCertificateInterestTimeout,
+ this,
+ _1,
+ _2,
+ nextStep->m_retry,
+ unverifiedCallback,
+ data),
+ nextStep->m_unverifiedCallback,
+ nextStep->m_stepCount)
+ );
+
+ face_->expressInterest(nextStep->m_interest, closure);
#else
- if (verifySignature(*data))
+ throw SecurityException("KeyChain::verifyData: Use of ValidationRequest not implemented.");
#endif
+ }
+ }
+ else if (policyManager_->skipVerifyAndTrust(*data))
onVerified(data);
else
onVerifyFailed(data);
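Review bot: In the `requireVerify` branch, when `checkVerificationPolicy` returns a null `nextStep`, verifyData returns without calling `onVerified` or `onVerifyFailed` itself, so the result rests entirely on the policy manager having invoked one of them. That contract is not visible in this hunk and should be stated at the `if (nextStep)` test, e.g. `// A null nextStep means checkVerificationPolicy already called onVerified or onVerifyFailed.` The non-null case throws `SecurityException` instead of reporting through `onVerifyFailed(data)`; this fails closed, but it gives callers of a callback-style API a second failure path, so either call `onVerifyFailed(data);` there or document the throw. The `#if 0` sketch refers to `m_verifiedCallback`, `m_retry`, `m_interest` and `Keychain`, which do not match the `onVerified_`/`retry_`/`interest_` members of the ValidationRequest added in this commit, so it will need rewriting rather than enabling. verifyData begins outside the hunk.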
diff --git a/src/security/policy/validation-request.hpp b/src/security/policy/validation-request.hpp
new file mode 100644
index 0000000..d9facc9
--- /dev/null
+++ b/src/security/policy/validation-request.hpp
@@ -0,0 +1,37 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_VALIDATION_REQUEST_HPP
+#define NDN_VALIDATION_REQUEST_HPP
+
+#include <ndn-cpp/security/key-chain.hpp>
+
+namespace ndn {
+
+class ValidationRequest {
+public:
+ ValidationRequest
+ (const ptr_lib::shared_ptr<Interest> &interest, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed,
+ const int& retry, const int& stepCount)
+ : interest_(interest), onVerified_(onVerified), onVerifyFailed_(onVerifyFailed), retry_(retry), stepCount_(stepCount)
+ {
+ }
+
+ virtual
+ ~ValidationRequest() {}
+
+ ptr_lib::shared_ptr<Interest> interest_; // An interest packet to fetch the requested data.
+ OnVerified onVerified_; // A callback function if the requested certificate has been validated.
+ OnVerifyFailed onVerifyFailed_; // A callback function if the requested certificate cannot be validated.
+ int retry_; // The number of retrials when there is an interest timeout.
+ int stepCount_;
+};
+
+}
+
+#endif
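Review bot: `stepCount_` is the only member without a comment and the class itself has no description, although `retry_` and `stepCount_` look like the values that bound how much certificate fetching one verification can trigger. I would add a short class comment and something like `int stepCount_; // presumably the number of verification steps taken so far; confirm against checkVerificationPolicy`. The constructor takes `const int& retry, const int& stepCount`; plain `int retry, int stepCount` is the usual form for scalars. All members are public and mutable, so any holder of the request can swap the callbacks or reset the counters after the policy manager built it; if that is not intended, make them private with const accessors.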