blob: 0093d575e2b013914852976b78df9393a4d47b78 [file] [log] [blame]
Alexander Afanasyeve96538a2018-06-13 20:32:53 -04001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
Davide Pesaventod51d9602019-07-20 23:33:06 -04002/*
Davide Pesavento714dba02022-03-17 20:46:28 -04003 * Copyright (c) 2014-2022, Regents of the University of California
Alexander Afanasyeve96538a2018-06-13 20:32:53 -04004 *
5 * NAC library is free software: you can redistribute it and/or modify it under the
6 * terms of the GNU Lesser General Public License as published by the Free Software
7 * Foundation, either version 3 of the License, or (at your option) any later version.
8 *
9 * NAC library is distributed in the hope that it will be useful, but WITHOUT ANY
10 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
11 * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
12 *
13 * You should have received copies of the GNU General Public License and GNU Lesser
14 * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
15 * <http://www.gnu.org/licenses/>.
16 *
17 * See AUTHORS.md for complete list of NAC library authors and contributors.
18 */
19
20#include "access-manager.hpp"
21#include "encrypted-content.hpp"
22
Davide Pesaventoc2649492020-12-22 21:43:35 -050023#include <ndn-cxx/security/signing-helpers.hpp>
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040024#include <ndn-cxx/util/logger.hpp>
25
Davide Pesaventobde084f2022-04-17 00:21:35 -040026namespace ndn::nac {
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040027
Davide Pesaventobde084f2022-04-17 00:21:35 -040028NDN_LOG_INIT(nac.AccessManager);
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040029
30AccessManager::AccessManager(const Identity& identity, const Name& dataset,
31 KeyChain& keyChain, Face& face)
32 : m_identity(identity)
33 , m_keyChain(keyChain)
34 , m_face(face)
35{
36 // NAC Identity: <identity>/NAC/<dataset>
37 // generate NAC key
38 auto nacId = m_keyChain.createIdentity(Name(identity.getName()).append(NAC).append(dataset), RsaKeyParams());
39 m_nacKey = nacId.getDefaultKey();
40 if (m_nacKey.getKeyType() != KeyType::RSA) {
41 NDN_LOG_INFO("Cannot re-use existing KEK/KDK pair, as it is not an RSA key, regenerating");
42 m_nacKey = m_keyChain.createKey(nacId, RsaKeyParams());
43 }
44 auto nacKeyId = m_nacKey.getName().at(-1);
45
46 auto kekPrefix = Name(m_nacKey.getIdentity()).append(KEK);
47
48 auto kek = make_shared<Data>(m_nacKey.getDefaultCertificate());
49 kek->setName(Name(kekPrefix).append(nacKeyId));
Alexander Afanasyev1a21e102018-06-13 20:33:21 -040050 kek->setFreshnessPeriod(DEFAULT_KEK_FRESHNESS_PERIOD);
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040051 m_keyChain.sign(*kek, signingByIdentity(m_identity));
52 // kek looks like a cert, but doesn't have ValidityPeriod
53 m_ims.insert(*kek);
54
Davide Pesaventod51d9602019-07-20 23:33:06 -040055 auto serveFromIms = [this] (const Name&, const Interest& interest) {
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040056 auto data = m_ims.find(interest);
57 if (data != nullptr) {
58 NDN_LOG_DEBUG("Serving " << data->getName() << " from InMemoryStorage");
59 m_face.put(*data);
60 }
61 else {
62 NDN_LOG_DEBUG("Didn't find data for " << interest.getName());
63 // send NACK?
64 }
65 };
66
67 auto handleError = [] (const Name& prefix, const std::string& msg) {
68 NDN_LOG_ERROR("Failed to register prefix " << prefix << ": " << msg);
69 };
70
Davide Pesaventod51d9602019-07-20 23:33:06 -040071 m_kekReg = m_face.setInterestFilter(kekPrefix, serveFromIms, handleError);
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040072
73 auto kdkPrefix = Name(m_nacKey.getIdentity()).append(KDK).append(nacKeyId);
Davide Pesaventod51d9602019-07-20 23:33:06 -040074 m_kdkReg = m_face.setInterestFilter(kdkPrefix, serveFromIms, handleError);
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040075}
76
Alexander Afanasyev2b57aeb2018-06-15 18:32:28 -040077Data
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040078AccessManager::addMember(const Certificate& memberCert)
79{
80 Name kdkName(m_nacKey.getIdentity());
81 kdkName
82 .append(KDK)
83 .append(m_nacKey.getName().at(-1)) // key-id
84 .append(ENCRYPTED_BY)
85 .append(memberCert.getKeyName());
86
87 const size_t secretLength = 32;
88 uint8_t secret[secretLength + 1];
Davide Pesavento714dba02022-03-17 20:46:28 -040089 random::generateSecureBytes({secret, secretLength});
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040090 // because of stupid bug in ndn-cxx, remove all \0 in generated secret, replace with 1
91 for (size_t i = 0; i < secretLength; ++i) {
92 if (secret[i] == 0) {
93 secret[i] = 1;
94 }
95 }
96 secret[secretLength] = 0;
97
98 auto kdkData = m_keyChain.exportSafeBag(m_nacKey.getDefaultCertificate(),
99 reinterpret_cast<const char*>(secret), secretLength);
100
101 PublicKey memberKey;
Davide Pesavento714dba02022-03-17 20:46:28 -0400102 memberKey.loadPkcs8(memberCert.getPublicKey());
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400103
104 EncryptedContent content;
105 content.setPayload(kdkData->wireEncode());
Davide Pesavento714dba02022-03-17 20:46:28 -0400106 content.setPayloadKey(memberKey.encrypt({secret, secretLength}));
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400107
108 auto kdk = make_shared<Data>(kdkName);
109 kdk->setContent(content.wireEncode());
Alexander Afanasyev1a21e102018-06-13 20:33:21 -0400110 // FreshnessPeriod can serve as a soft access control for revoking access
111 kdk->setFreshnessPeriod(DEFAULT_KDK_FRESHNESS_PERIOD);
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400112 m_keyChain.sign(*kdk, signingByIdentity(m_identity));
113
114 m_ims.insert(*kdk);
Alexander Afanasyev2b57aeb2018-06-15 18:32:28 -0400115
116 return *kdk;
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400117}
118
119void
120AccessManager::removeMember(const Name& identity)
121{
122 m_ims.erase(Name(m_nacKey.getName()).append(KDK).append(ENCRYPTED_BY).append(identity));
123}
124
Davide Pesaventobde084f2022-04-17 00:21:35 -0400125} // namespace ndn::nac