conf+security: accommodate certificate name in KeyLocator
refs #5195
Change-Id: I88709f891fe78fc9f2699bc021d35ca72ebc6850
diff --git a/src/conf-parameter.cpp b/src/conf-parameter.cpp
index e313b1f..205c67c 100644
--- a/src/conf-parameter.cpp
+++ b/src/conf-parameter.cpp
@@ -20,6 +20,7 @@
#include "conf-parameter.hpp"
#include "logger.hpp"
+#include <ndn-cxx/security/signing-helpers.hpp>
namespace nlsr {
@@ -118,69 +119,38 @@
m_prefixUpdateValidator.loadAnchor("Authoritative-Certificate", ndn::security::Certificate(cert));
}
-std::shared_ptr<ndn::security::Certificate>
+ndn::optional<ndn::security::Certificate>
ConfParameter::initializeKey()
{
+ using namespace ndn::security;
NLSR_LOG_DEBUG("Initializing Key ...");
- ndn::Name nlsrInstanceName(m_routerPrefix);
- nlsrInstanceName.append("nlsr");
-
+ Identity routerIdentity;
try {
- m_keyChain.deleteIdentity(m_keyChain.getPib().getIdentity(nlsrInstanceName));
+ routerIdentity = m_keyChain.getPib().getIdentity(m_routerPrefix);
}
- catch (const std::exception& e) {
- NLSR_LOG_WARN(e.what());
- }
-
- ndn::security::Identity nlsrInstanceIdentity;
- try {
- nlsrInstanceIdentity = m_keyChain.createIdentity(nlsrInstanceName);
- }
- catch (const std::exception& e) {
- NLSR_LOG_ERROR(e.what());
- NLSR_LOG_ERROR("Unable to create identity, NLSR will run without security!");
- NLSR_LOG_ERROR("Can be ignored if running in non-production environments.");
- return nullptr;
- }
- auto certificate = std::make_shared<ndn::security::Certificate>();
- auto nlsrInstanceKey = nlsrInstanceIdentity.getDefaultKey();
- ndn::Name certificateName = nlsrInstanceKey.getName();
- certificateName.append("NA");
- certificateName.appendVersion();
-
- certificate->setName(certificateName);
-
- // set metainfo
- certificate->setContentType(ndn::tlv::ContentType_Key);
- certificate->setFreshnessPeriod(365_days);
-
- // set content
- certificate->setContent(nlsrInstanceKey.getPublicKey());
-
- // set signature-info
- ndn::SignatureInfo signatureInfo;
- signatureInfo.setValidityPeriod(ndn::security::ValidityPeriod(ndn::time::system_clock::TimePoint(),
- ndn::time::system_clock::now()
- + 365_days));
-
- try {
- m_keyChain.sign(*certificate,
- ndn::security::SigningInfo(m_keyChain.getPib().getIdentity(m_routerPrefix))
- .setSignatureInfo(signatureInfo));
- }
- catch (const std::exception& e) {
- NLSR_LOG_ERROR("Router's " << e.what() << ", NLSR is running without security. " <<
+ catch (const Pib::Error&) {
+ NLSR_LOG_ERROR("Router identity " << m_routerPrefix << " not found. "
+ "NLSR is running without security. "
"If security is enabled in the configuration, NLSR will not converge.");
-
+ return ndn::nullopt;
}
- m_signingInfo = ndn::security::SigningInfo(ndn::security::SigningInfo::SIGNER_TYPE_ID,
- nlsrInstanceName);
+ auto instanceName = ndn::Name(m_routerPrefix).append("nlsr");
+ try {
+ m_keyChain.deleteIdentity(m_keyChain.getPib().getIdentity(instanceName));
+ }
+ catch (const Pib::Error&) {
+ // old instance identity does not exist
+ }
- loadCertToValidator(*certificate);
+ auto key = m_keyChain.createIdentity(instanceName).getDefaultKey();
+ auto cert = m_keyChain.makeCertificate(key, signingByIdentity(routerIdentity));
+ m_keyChain.setDefaultCertificate(key, cert);
- return certificate;
+ m_signingInfo = signingByCertificate(cert);
+ loadCertToValidator(cert);
+ return cert;
}
} // namespace nlsr
diff --git a/src/conf-parameter.hpp b/src/conf-parameter.hpp
index 57dd2c2..9989803 100644
--- a/src/conf-parameter.hpp
+++ b/src/conf-parameter.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2014-2021, The University of Memphis,
+ * Copyright (c) 2014-2022, The University of Memphis,
* Regents of the University of California,
* Arizona Board of Regents.
*
@@ -475,7 +475,7 @@
return m_keyChain;
}
- std::shared_ptr<ndn::security::Certificate>
+ ndn::optional<ndn::security::Certificate>
initializeKey();
void
diff --git a/src/security/certificate-store.cpp b/src/security/certificate-store.cpp
index 9fcaf84..f679fb1 100644
--- a/src/security/certificate-store.cpp
+++ b/src/security/certificate-store.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2014-2021, The University of Memphis,
+ * Copyright (c) 2014-2022, The University of Memphis,
* Regents of the University of California,
* Arizona Board of Regents.
*
@@ -55,12 +55,31 @@
}
const ndn::security::Certificate*
-CertificateStore::find(const ndn::Name& keyName) const
+CertificateStore::find(const ndn::Name& name) const
+{
+ if (ndn::security::Certificate::isValidName(name)) {
+ return findByCertName(name);
+ }
+ return findByKeyName(name);
+}
+
+const ndn::security::Certificate*
+CertificateStore::findByKeyName(const ndn::Name& keyName) const
{
auto it = m_certificates.find(keyName);
return it != m_certificates.end() ? &it->second : nullptr;
}
+const ndn::security::Certificate*
+CertificateStore::findByCertName(const ndn::Name& certName) const
+{
+ auto found = findByKeyName(ndn::security::extractKeyNameFromCertName(certName));
+ if (found == nullptr || found->getName() != certName) {
+ return nullptr;
+ }
+ return found;
+}
+
void
CertificateStore::clear()
{
@@ -113,7 +132,7 @@
}
void
-CertificateStore::onKeyInterest(const ndn::Name& name, const ndn::Interest& interest)
+CertificateStore::onKeyInterest(const ndn::Name&, const ndn::Interest& interest)
{
NLSR_LOG_DEBUG("Got interest for certificate. Interest: " << interest.getName());
diff --git a/src/security/certificate-store.hpp b/src/security/certificate-store.hpp
index 79a0cf7..2a47caa 100644
--- a/src/security/certificate-store.hpp
+++ b/src/security/certificate-store.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2014-2021, The University of Memphis,
+ * Copyright (c) 2014-2022, The University of Memphis,
* Regents of the University of California,
* Arizona Board of Regents.
*
@@ -44,23 +44,24 @@
*/
class CertificateStore
{
-
public:
CertificateStore(ndn::Face& face, ConfParameter& confParam, Lsdb& lsdb);
void
insert(const ndn::security::Certificate& certificate);
- /*! \brief Find a certificate
+ /*!
+ * \brief Find a certificate
+ * \param name Either key name or certificate name.
*
* Find a certificate that NLSR has. First it checks against the
* certificates this NLSR claims to be authoritative for, usually
* something like this specific router's certificate, and then
* checks the cache of certificates it has already fetched. If none
* can be found, it will return an null pointer.
- */
+ */
const ndn::security::Certificate*
- find(const ndn::Name& keyName) const;
+ find(const ndn::Name& name) const;
/*! \brief Retrieves the chain of certificates from Validator's cache and
* store them in Nlsr's own CertificateStore.
@@ -73,6 +74,12 @@
afterFetcherSignalEmitted(const ndn::Data& lsaSegment);
PUBLIC_WITH_TESTS_ELSE_PRIVATE:
+ const ndn::security::Certificate*
+ findByKeyName(const ndn::Name& keyName) const;
+
+ const ndn::security::Certificate*
+ findByCertName(const ndn::Name& certName) const;
+
void
clear();