security: don't crash if received segment lacks KeyLocator
And while at it:
* move afterSegmentValidated() to a lambda
* remove unused loopback parameter from setInterestFilter()
* delete unused clear() method
* improve logging
* prevent building without PSync if tests are enabled, since that
configuration is currently unsupported
Change-Id: I930744296d3fa295787c16e6829d1dc27b06a195
diff --git a/src/security/certificate-store.cpp b/src/security/certificate-store.cpp
index f679fb1..648be4b 100644
--- a/src/security/certificate-store.cpp
+++ b/src/security/certificate-store.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2014-2022, The University of Memphis,
+ * Copyright (c) 2014-2024, The University of Memphis,
* Regents of the University of California,
* Arizona Board of Regents.
*
@@ -22,6 +22,7 @@
#include "certificate-store.hpp"
#include "conf-parameter.hpp"
#include "logger.hpp"
+#include "lsdb.hpp"
#include <ndn-cxx/util/io.hpp>
#include <fstream>
@@ -43,15 +44,26 @@
registerKeyPrefixes();
- m_afterSegmentValidatedConnection = lsdb.afterSegmentValidatedSignal.connect(
- [this] (const ndn::Data& data) { afterFetcherSignalEmitted(data); });
+ m_afterSegmentValidatedConn = lsdb.afterSegmentValidatedSignal.connect([this] (const auto& data) {
+ const auto kl = data.getKeyLocator();
+ if (!kl || kl->getType() != ndn::tlv::Name) {
+ NLSR_LOG_TRACE("Cannot determine KeyLocator Name for: " << data.getName());
+ }
+ else if (const auto klName = kl->getName(); !find(klName)) {
+ NLSR_LOG_TRACE("Publishing certificate for: " << klName);
+ publishCertFromCache(klName);
+ }
+ else {
+ NLSR_LOG_TRACE("Certificate is already in the store: " << klName);
+ }
+ });
}
void
CertificateStore::insert(const ndn::security::Certificate& certificate)
{
m_certificates[certificate.getKeyName()] = certificate;
- NLSR_LOG_TRACE("Certificate inserted successfully");
+ NLSR_LOG_TRACE("Certificate inserted successfully\n" << certificate);
}
const ndn::security::Certificate*
@@ -81,15 +93,9 @@
}
void
-CertificateStore::clear()
+CertificateStore::setInterestFilter(const ndn::Name& prefix)
{
- m_certificates.clear();
-}
-
-void
-CertificateStore::setInterestFilter(const ndn::Name& prefix, bool loopback)
-{
- m_face.setInterestFilter(ndn::InterestFilter(prefix).allowLoopback(loopback),
+ m_face.setInterestFilter(ndn::InterestFilter(prefix).allowLoopback(false),
std::bind(&CertificateStore::onKeyInterest, this, _1, _2),
std::bind(&CertificateStore::onKeyPrefixRegSuccess, this, _1),
std::bind(&CertificateStore::registrationFailed, this, _1),
@@ -134,28 +140,28 @@
void
CertificateStore::onKeyInterest(const ndn::Name&, const ndn::Interest& interest)
{
- NLSR_LOG_DEBUG("Got interest for certificate. Interest: " << interest.getName());
+ NLSR_LOG_TRACE("Got certificate Interest: " << interest.getName());
const auto* cert = find(interest.getName());
-
if (!cert) {
- NLSR_LOG_TRACE("Certificate is not found for: " << interest);
+ NLSR_LOG_DEBUG("Certificate not found for: " << interest.getName());
return;
}
+
m_face.put(*cert);
}
void
CertificateStore::onKeyPrefixRegSuccess(const ndn::Name& name)
{
- NLSR_LOG_DEBUG("KEY prefix: " << name << " registration is successful");
+ NLSR_LOG_DEBUG("Prefix registered successfully: " << name);
}
void
CertificateStore::registrationFailed(const ndn::Name& name)
{
- NLSR_LOG_ERROR("Failed to register prefix " << name);
- NDN_THROW(std::runtime_error("Prefix registration failed"));
+ NLSR_LOG_ERROR("Failed to register prefix: " << name);
+ NDN_THROW(std::runtime_error("Prefix registration failed: " + name.toUri()));
}
void
@@ -165,7 +171,6 @@
if (cert) {
insert(*cert);
- NLSR_LOG_TRACE(*cert);
ndn::Name certName = ndn::security::extractKeyNameFromCertName(cert->getName());
NLSR_LOG_TRACE("Setting interest filter for: " << certName);
@@ -178,20 +183,7 @@
}
else {
// Happens for root cert
- NLSR_LOG_TRACE("Cert for " << keyName << " was not found in the Validator's cache. ");
- }
-}
-
-void
-CertificateStore::afterFetcherSignalEmitted(const ndn::Data& lsaSegment)
-{
- const auto keyName = lsaSegment.getSignatureInfo().getKeyLocator().getName();
- if (!find(keyName)) {
- NLSR_LOG_TRACE("Publishing certificate for: " << keyName);
- publishCertFromCache(keyName);
- }
- else {
- NLSR_LOG_TRACE("Certificate is already in the store: " << keyName);
+ NLSR_LOG_TRACE("Cert for " << keyName << " was not found in the Validator's cache");
}
}
diff --git a/src/security/certificate-store.hpp b/src/security/certificate-store.hpp
index 0c01bf0..a4708b4 100644
--- a/src/security/certificate-store.hpp
+++ b/src/security/certificate-store.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2014-2023, The University of Memphis,
+ * Copyright (c) 2014-2024, The University of Memphis,
* Regents of the University of California,
* Arizona Board of Regents.
*
@@ -22,20 +22,20 @@
#ifndef NLSR_CERTIFICATE_STORE_HPP
#define NLSR_CERTIFICATE_STORE_HPP
-#include "common.hpp"
-#include "test-access-control.hpp"
-#include "lsdb.hpp"
-
+#include <ndn-cxx/face.hpp>
#include <ndn-cxx/interest.hpp>
-#include <ndn-cxx/mgmt/nfd/controller.hpp>
#include <ndn-cxx/security/certificate.hpp>
#include <ndn-cxx/security/validator-config.hpp>
+#include <ndn-cxx/util/signal/scoped-connection.hpp>
namespace nlsr {
+
class ConfParameter;
+class Lsdb;
+
namespace security {
-/*! \brief Store certificates for names
+/*! \brief Store certificates for names.
*
* Stores certificates that this router claims to be authoritative
* for. That is, this stores only the certificates that we will reply
@@ -70,10 +70,7 @@
void
publishCertFromCache(const ndn::Name& keyName);
- void
- afterFetcherSignalEmitted(const ndn::Data& lsaSegment);
-
-PUBLIC_WITH_TESTS_ELSE_PRIVATE:
+private:
const ndn::security::Certificate*
findByKeyName(const ndn::Name& keyName) const;
@@ -81,10 +78,7 @@
findByCertName(const ndn::Name& certName) const;
void
- clear();
-
- void
- setInterestFilter(const ndn::Name& prefix, const bool loopback = false);
+ setInterestFilter(const ndn::Name& prefix);
void
registerKeyPrefixes();
@@ -99,12 +93,11 @@
registrationFailed(const ndn::Name& name);
private:
- typedef std::map<ndn::Name, ndn::security::Certificate> CertMap;
- CertMap m_certificates;
+ std::map<ndn::Name, ndn::security::Certificate> m_certificates;
ndn::Face& m_face;
ConfParameter& m_confParam;
ndn::security::ValidatorConfig& m_validator;
- ndn::signal::ScopedConnection m_afterSegmentValidatedConnection;
+ ndn::signal::ScopedConnection m_afterSegmentValidatedConn;
};
} // namespace security