blob: 3ab89f0415be7c3ad54db64bd762ebd7514b3c04 [file] [log] [blame]
Alexander Afanasyeve96538a2018-06-13 20:32:53 -04001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
2/**
3 * Copyright (c) 2014-2018, Regents of the University of California
4 *
5 * NAC library is free software: you can redistribute it and/or modify it under the
6 * terms of the GNU Lesser General Public License as published by the Free Software
7 * Foundation, either version 3 of the License, or (at your option) any later version.
8 *
9 * NAC library is distributed in the hope that it will be useful, but WITHOUT ANY
10 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
11 * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
12 *
13 * You should have received copies of the GNU General Public License and GNU Lesser
14 * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
15 * <http://www.gnu.org/licenses/>.
16 *
17 * See AUTHORS.md for complete list of NAC library authors and contributors.
18 */
19
20#include "access-manager.hpp"
21#include "encrypted-content.hpp"
22
23#include <ndn-cxx/util/logger.hpp>
24
25NDN_LOG_INIT(nac.AccessManager);
26
27namespace ndn {
28namespace nac {
29
30AccessManager::AccessManager(const Identity& identity, const Name& dataset,
31 KeyChain& keyChain, Face& face)
32 : m_identity(identity)
33 , m_keyChain(keyChain)
34 , m_face(face)
35{
36 // NAC Identity: <identity>/NAC/<dataset>
37 // generate NAC key
38 auto nacId = m_keyChain.createIdentity(Name(identity.getName()).append(NAC).append(dataset), RsaKeyParams());
39 m_nacKey = nacId.getDefaultKey();
40 if (m_nacKey.getKeyType() != KeyType::RSA) {
41 NDN_LOG_INFO("Cannot re-use existing KEK/KDK pair, as it is not an RSA key, regenerating");
42 m_nacKey = m_keyChain.createKey(nacId, RsaKeyParams());
43 }
44 auto nacKeyId = m_nacKey.getName().at(-1);
45
46 auto kekPrefix = Name(m_nacKey.getIdentity()).append(KEK);
47
48 auto kek = make_shared<Data>(m_nacKey.getDefaultCertificate());
49 kek->setName(Name(kekPrefix).append(nacKeyId));
Alexander Afanasyev1a21e102018-06-13 20:33:21 -040050 kek->setFreshnessPeriod(DEFAULT_KEK_FRESHNESS_PERIOD);
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040051 m_keyChain.sign(*kek, signingByIdentity(m_identity));
52 // kek looks like a cert, but doesn't have ValidityPeriod
53 m_ims.insert(*kek);
54
55 auto serveFromIms = [this] (const Name& prefix, const Interest& interest) {
56 auto data = m_ims.find(interest);
57 if (data != nullptr) {
58 NDN_LOG_DEBUG("Serving " << data->getName() << " from InMemoryStorage");
59 m_face.put(*data);
60 }
61 else {
62 NDN_LOG_DEBUG("Didn't find data for " << interest.getName());
63 // send NACK?
64 }
65 };
66
67 auto handleError = [] (const Name& prefix, const std::string& msg) {
68 NDN_LOG_ERROR("Failed to register prefix " << prefix << ": " << msg);
69 };
70
71 m_kekRegId = m_face.setInterestFilter(kekPrefix, serveFromIms, handleError);
72
73 auto kdkPrefix = Name(m_nacKey.getIdentity()).append(KDK).append(nacKeyId);
74 m_kdkRegId = m_face.setInterestFilter(kdkPrefix, serveFromIms, handleError);
75}
76
77AccessManager::~AccessManager()
78{
79 m_face.unsetInterestFilter(m_kekRegId);
80 m_face.unsetInterestFilter(m_kdkRegId);
81}
82
83void
84AccessManager::addMember(const Certificate& memberCert)
85{
86 Name kdkName(m_nacKey.getIdentity());
87 kdkName
88 .append(KDK)
89 .append(m_nacKey.getName().at(-1)) // key-id
90 .append(ENCRYPTED_BY)
91 .append(memberCert.getKeyName());
92
93 const size_t secretLength = 32;
94 uint8_t secret[secretLength + 1];
95 random::generateSecureBytes(secret, secretLength);
96 // because of stupid bug in ndn-cxx, remove all \0 in generated secret, replace with 1
97 for (size_t i = 0; i < secretLength; ++i) {
98 if (secret[i] == 0) {
99 secret[i] = 1;
100 }
101 }
102 secret[secretLength] = 0;
103
104 auto kdkData = m_keyChain.exportSafeBag(m_nacKey.getDefaultCertificate(),
105 reinterpret_cast<const char*>(secret), secretLength);
106
107 PublicKey memberKey;
108 memberKey.loadPkcs8(memberCert.getPublicKey().data(), memberCert.getPublicKey().size());
109
110 EncryptedContent content;
111 content.setPayload(kdkData->wireEncode());
112 content.setPayloadKey(memberKey.encrypt(secret, secretLength));
113
114 auto kdk = make_shared<Data>(kdkName);
115 kdk->setContent(content.wireEncode());
Alexander Afanasyev1a21e102018-06-13 20:33:21 -0400116 // FreshnessPeriod can serve as a soft access control for revoking access
117 kdk->setFreshnessPeriod(DEFAULT_KDK_FRESHNESS_PERIOD);
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400118 m_keyChain.sign(*kdk, signingByIdentity(m_identity));
119
120 m_ims.insert(*kdk);
121}
122
123void
124AccessManager::removeMember(const Name& identity)
125{
126 m_ims.erase(Name(m_nacKey.getName()).append(KDK).append(ENCRYPTED_BY).append(identity));
127}
128
129} // namespace nac
130} // namespace ndn