blob: 144034dfa9f27626aa5feee23aa5f7ce23928938 [file] [log] [blame]
Alexander Afanasyeve96538a2018-06-13 20:32:53 -04001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
Davide Pesaventod51d9602019-07-20 23:33:06 -04002/*
Davide Pesaventoaf4e4e72024-01-26 14:30:11 -05003 * Copyright (c) 2014-2024, Regents of the University of California
Alexander Afanasyeve96538a2018-06-13 20:32:53 -04004 *
5 * NAC library is free software: you can redistribute it and/or modify it under the
6 * terms of the GNU Lesser General Public License as published by the Free Software
7 * Foundation, either version 3 of the License, or (at your option) any later version.
8 *
9 * NAC library is distributed in the hope that it will be useful, but WITHOUT ANY
10 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
11 * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
12 *
13 * You should have received copies of the GNU General Public License and GNU Lesser
14 * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
15 * <http://www.gnu.org/licenses/>.
16 *
17 * See AUTHORS.md for complete list of NAC library authors and contributors.
18 */
19
20#include "access-manager.hpp"
21#include "encrypted-content.hpp"
22
Davide Pesaventoc2649492020-12-22 21:43:35 -050023#include <ndn-cxx/security/signing-helpers.hpp>
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040024#include <ndn-cxx/util/logger.hpp>
Davide Pesavento2e5b7b12022-09-19 23:30:44 -040025#include <ndn-cxx/util/random.hpp>
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040026
Davide Pesaventobde084f2022-04-17 00:21:35 -040027namespace ndn::nac {
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040028
Davide Pesaventobde084f2022-04-17 00:21:35 -040029NDN_LOG_INIT(nac.AccessManager);
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040030
31AccessManager::AccessManager(const Identity& identity, const Name& dataset,
32 KeyChain& keyChain, Face& face)
33 : m_identity(identity)
34 , m_keyChain(keyChain)
35 , m_face(face)
36{
37 // NAC Identity: <identity>/NAC/<dataset>
38 // generate NAC key
39 auto nacId = m_keyChain.createIdentity(Name(identity.getName()).append(NAC).append(dataset), RsaKeyParams());
40 m_nacKey = nacId.getDefaultKey();
41 if (m_nacKey.getKeyType() != KeyType::RSA) {
42 NDN_LOG_INFO("Cannot re-use existing KEK/KDK pair, as it is not an RSA key, regenerating");
43 m_nacKey = m_keyChain.createKey(nacId, RsaKeyParams());
44 }
45 auto nacKeyId = m_nacKey.getName().at(-1);
46
47 auto kekPrefix = Name(m_nacKey.getIdentity()).append(KEK);
48
Davide Pesaventoaf4e4e72024-01-26 14:30:11 -050049 auto kek = std::make_shared<Data>(m_nacKey.getDefaultCertificate());
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040050 kek->setName(Name(kekPrefix).append(nacKeyId));
Alexander Afanasyev1a21e102018-06-13 20:33:21 -040051 kek->setFreshnessPeriod(DEFAULT_KEK_FRESHNESS_PERIOD);
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040052 m_keyChain.sign(*kek, signingByIdentity(m_identity));
53 // kek looks like a cert, but doesn't have ValidityPeriod
54 m_ims.insert(*kek);
55
Davide Pesaventod51d9602019-07-20 23:33:06 -040056 auto serveFromIms = [this] (const Name&, const Interest& interest) {
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040057 auto data = m_ims.find(interest);
58 if (data != nullptr) {
59 NDN_LOG_DEBUG("Serving " << data->getName() << " from InMemoryStorage");
60 m_face.put(*data);
61 }
62 else {
63 NDN_LOG_DEBUG("Didn't find data for " << interest.getName());
64 // send NACK?
65 }
66 };
67
68 auto handleError = [] (const Name& prefix, const std::string& msg) {
69 NDN_LOG_ERROR("Failed to register prefix " << prefix << ": " << msg);
70 };
71
Davide Pesaventod51d9602019-07-20 23:33:06 -040072 m_kekReg = m_face.setInterestFilter(kekPrefix, serveFromIms, handleError);
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040073
74 auto kdkPrefix = Name(m_nacKey.getIdentity()).append(KDK).append(nacKeyId);
Davide Pesaventod51d9602019-07-20 23:33:06 -040075 m_kdkReg = m_face.setInterestFilter(kdkPrefix, serveFromIms, handleError);
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040076}
77
Alexander Afanasyev2b57aeb2018-06-15 18:32:28 -040078Data
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040079AccessManager::addMember(const Certificate& memberCert)
80{
81 Name kdkName(m_nacKey.getIdentity());
82 kdkName
83 .append(KDK)
84 .append(m_nacKey.getName().at(-1)) // key-id
85 .append(ENCRYPTED_BY)
86 .append(memberCert.getKeyName());
87
88 const size_t secretLength = 32;
89 uint8_t secret[secretLength + 1];
Davide Pesavento714dba02022-03-17 20:46:28 -040090 random::generateSecureBytes({secret, secretLength});
Alexander Afanasyeve96538a2018-06-13 20:32:53 -040091 // because of stupid bug in ndn-cxx, remove all \0 in generated secret, replace with 1
92 for (size_t i = 0; i < secretLength; ++i) {
93 if (secret[i] == 0) {
94 secret[i] = 1;
95 }
96 }
97 secret[secretLength] = 0;
98
99 auto kdkData = m_keyChain.exportSafeBag(m_nacKey.getDefaultCertificate(),
100 reinterpret_cast<const char*>(secret), secretLength);
101
102 PublicKey memberKey;
Davide Pesavento714dba02022-03-17 20:46:28 -0400103 memberKey.loadPkcs8(memberCert.getPublicKey());
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400104
105 EncryptedContent content;
106 content.setPayload(kdkData->wireEncode());
Davide Pesavento714dba02022-03-17 20:46:28 -0400107 content.setPayloadKey(memberKey.encrypt({secret, secretLength}));
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400108
Davide Pesaventoaf4e4e72024-01-26 14:30:11 -0500109 auto kdk = std::make_shared<Data>(kdkName);
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400110 kdk->setContent(content.wireEncode());
Alexander Afanasyev1a21e102018-06-13 20:33:21 -0400111 // FreshnessPeriod can serve as a soft access control for revoking access
112 kdk->setFreshnessPeriod(DEFAULT_KDK_FRESHNESS_PERIOD);
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400113 m_keyChain.sign(*kdk, signingByIdentity(m_identity));
114
115 m_ims.insert(*kdk);
Alexander Afanasyev2b57aeb2018-06-15 18:32:28 -0400116
117 return *kdk;
Alexander Afanasyeve96538a2018-06-13 20:32:53 -0400118}
119
120void
121AccessManager::removeMember(const Name& identity)
122{
123 m_ims.erase(Name(m_nacKey.getName()).append(KDK).append(ENCRYPTED_BY).append(identity));
124}
125
Davide Pesaventobde084f2022-04-17 00:21:35 -0400126} // namespace ndn::nac