Blame - src/encryptor.cpp - name-based-access-control

blob: 0472e1e7ebc16bd1115279a356e5c10bae3e18ca [file] [log] [blame]

Alexander Afanasyev	1a21e10	2018-06-13 20:33:21 -0400	[diff] [blame]	1	/* -- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -- */
				2	/**
				3	* Copyright (c) 2014-2018, Regents of the University of California
				4	*
				5	* NAC library is free software: you can redistribute it and/or modify it under the
				6	* terms of the GNU Lesser General Public License as published by the Free Software
				7	* Foundation, either version 3 of the License, or (at your option) any later version.
				8	*
				9	* NAC library is distributed in the hope that it will be useful, but WITHOUT ANY
				10	* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
				11	* PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
				12	*
				13	* You should have received copies of the GNU General Public License and GNU Lesser
				14	* General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
				15	* <http://www.gnu.org/licenses/>.
				16	*
				17	* See AUTHORS.md for complete list of NAC library authors and contributors.
				18	*/
				19
				20	#include "encryptor.hpp"
				21
				22	#include <ndn-cxx/util/logger.hpp>
				23	#include <boost/lexical_cast.hpp>
				24
				25	namespace ndn {
				26	namespace nac {
				27
				28	NDN_LOG_INIT(nac.Encryptor);
				29
				30	const size_t N_RETRIES = 3;
				31
				32	Encryptor::Encryptor(const Name& accessPrefix,
				33	const Name& ckPrefix, SigningInfo ckDataSigningInfo,
				34	const ErrorCallback& onFailure,
				35	Validator& validator, KeyChain& keyChain, Face& face)
				36	: m_accessPrefix{accessPrefix}
				37	, m_ckPrefix{ckPrefix}
				38	, m_ckBits{AES_KEY_SIZE}
				39	, m_ckDataSigningInfo{std::move(ckDataSigningInfo)}
				40	, m_isKekRetrievalInProgress(false)
Alexander Afanasyev	da366d8	2018-06-29 18:18:02 -0400	[diff] [blame^]	41	, m_onFailure(onFailure)
Alexander Afanasyev	1a21e10	2018-06-13 20:33:21 -0400	[diff] [blame]	42	, m_ckRegId{nullptr}
				43	, m_keyChain{keyChain}
				44	, m_face{face}
Alexander Afanasyev	da366d8	2018-06-29 18:18:02 -0400	[diff] [blame^]	45	, m_scheduler{face.getIoService()}
Alexander Afanasyev	1a21e10	2018-06-13 20:33:21 -0400	[diff] [blame]	46	{
Alexander Afanasyev	da366d8	2018-06-29 18:18:02 -0400	[diff] [blame^]	47	regenerateCk();
Alexander Afanasyev	1a21e10	2018-06-13 20:33:21 -0400	[diff] [blame]	48
				49	auto serveFromIms = [this] (const Name& prefix, const Interest& interest) {
				50	auto data = m_ims.find(interest);
				51	if (data != nullptr) {
				52	NDN_LOG_DEBUG("Serving " << data->getName() << " from InMemoryStorage");
				53	m_face.put(*data);
				54	}
				55	else {
				56	NDN_LOG_DEBUG("Didn't find CK data for " << interest.getName());
				57	// send NACK?
				58	}
				59	};
				60
				61	auto handleError = [] (const Name& prefix, const std::string& msg) {
				62	NDN_LOG_ERROR("Failed to register prefix " << prefix << ": " << msg);
				63	};
				64
				65	m_ckRegId = m_face.setInterestFilter(Name(ckPrefix).append(CK), serveFromIms, handleError);
				66	}
				67
				68	Encryptor::~Encryptor()
				69	{
				70	m_face.unsetInterestFilter(m_ckRegId);
				71	if (m_kekPendingInterest != nullptr) {
				72	m_face.removePendingInterest(m_kekPendingInterest);
				73	}
				74	}
				75
				76	void
Alexander Afanasyev	da366d8	2018-06-29 18:18:02 -0400	[diff] [blame^]	77	Encryptor::retryFetchingKek()
				78	{
				79	if (m_isKekRetrievalInProgress) {
				80	return;
				81	}
				82
				83	NDN_LOG_DEBUG("Retrying fetching of KEK");
				84	m_isKekRetrievalInProgress = true;
				85	fetchKekAndPublishCkData([&] {
				86	NDN_LOG_DEBUG("KEK retrieved and published");
				87	m_isKekRetrievalInProgress = false;
				88	},
				89	[=] (const ErrorCode& code, const std::string& msg) {
				90	NDN_LOG_ERROR("Failed to retrieved KEK: " + msg);
				91	m_isKekRetrievalInProgress = false;
				92	m_onFailure(code, msg);
				93	},
				94	N_RETRIES);
				95	}
				96
				97	void
				98	Encryptor::regenerateCk()
Alexander Afanasyev	1a21e10	2018-06-13 20:33:21 -0400	[diff] [blame]	99	{
				100	m_ckName = m_ckPrefix;
				101	m_ckName
				102	.append(CK)
				103	.appendVersion(); // version = ID of CK
Alexander Afanasyev	1a21e10	2018-06-13 20:33:21 -0400	[diff] [blame]	104	NDN_LOG_DEBUG("Generating new CK: " << m_ckName);
Alexander Afanasyev	da366d8	2018-06-29 18:18:02 -0400	[diff] [blame^]	105	random::generateSecureBytes(m_ckBits.data(), m_ckBits.size());
Alexander Afanasyev	1a21e10	2018-06-13 20:33:21 -0400	[diff] [blame]	106
				107	// one implication: if CK updated before KEK fetched, KDK for the old CK will not be published
				108	if (!m_kek) {
Alexander Afanasyev	da366d8	2018-06-29 18:18:02 -0400	[diff] [blame^]	109	retryFetchingKek();
Alexander Afanasyev	1a21e10	2018-06-13 20:33:21 -0400	[diff] [blame]	110	}
				111	else {
Alexander Afanasyev	da366d8	2018-06-29 18:18:02 -0400	[diff] [blame^]	112	makeAndPublishCkData(m_onFailure);
Alexander Afanasyev	1a21e10	2018-06-13 20:33:21 -0400	[diff] [blame]	113	}
				114	}
				115
				116	EncryptedContent
				117	Encryptor::encrypt(const uint8_t* data, size_t size)
				118	{
				119	// Generate initial vector
				120	auto iv = make_shared<Buffer>(AES_IV_SIZE);
				121	random::generateSecureBytes(iv->data(), iv->size());
				122
				123	OBufferStream os;
				124	security::transform::bufferSource(data, size)
				125	>> security::transform::blockCipher(BlockCipherAlgorithm::AES_CBC,
				126	CipherOperator::ENCRYPT,
				127	m_ckBits.data(), m_ckBits.size(), iv->data(), iv->size())
				128	>> security::transform::streamSink(os);
				129
				130	EncryptedContent content;
				131	content.setIv(iv);
				132	content.setPayload(os.buf());
				133	content.setKeyLocator(m_ckName);
				134
				135	return content;
				136	}
				137
				138	void
				139	Encryptor::fetchKekAndPublishCkData(const std::function<void()>& onReady,
				140	const ErrorCallback& onFailure,
				141	size_t nTriesLeft)
				142	{
				143	// interest for <access-prefix>/KEK to retrieve <access-prefix>/KEK/<key-id> KekData
				144
				145	NDN_LOG_DEBUG("Fetching KEK " << Name(m_accessPrefix).append(KEK));
				146
				147	BOOST_ASSERT(m_kekPendingInterest == nullptr);
				148	m_kekPendingInterest =
				149	m_face.expressInterest(Interest(Name(m_accessPrefix).append(KEK))
				150	.setMustBeFresh(true)
				151	.setCanBePrefix(true),
				152	[=] (const Interest&, const Data& kek) {
				153	m_kekPendingInterest = nullptr;
				154	// @todo verify if the key is legit
				155	m_kek = kek;
				156	makeAndPublishCkData(onFailure);
				157	// otherwise, failure has been already declared
				158	},
				159	[=] (const Interest& i, const lp::Nack& nack) {
				160	m_kekPendingInterest = nullptr;
Alexander Afanasyev	da366d8	2018-06-29 18:18:02 -0400	[diff] [blame^]	161	if (nTriesLeft > 1) {
				162	m_scheduler.scheduleEvent(RETRY_DELAY_AFTER_NACK, [=] {
				163	fetchKekAndPublishCkData(onReady, onFailure, nTriesLeft - 1);
				164	});
				165	}
				166	else {
				167	onFailure(ErrorCode::KekRetrievalFailure,
				168	"Retrieval of KEK [" + i.getName().toUri() + "] failed. "
				169	"Got NACK (" + boost::lexical_cast<std::string>(nack.getReason()) + ")");
				170	NDN_LOG_DEBUG("Scheduling retry from NACK");
				171	m_scheduler.scheduleEvent(RETRY_DELAY_KEK_RETRIEVAL, [=] {
				172	retryFetchingKek();
				173	});
				174	}
Alexander Afanasyev	1a21e10	2018-06-13 20:33:21 -0400	[diff] [blame]	175	},
				176	[=] (const Interest& i) {
				177	m_kekPendingInterest = nullptr;
				178	if (nTriesLeft > 1) {
				179	fetchKekAndPublishCkData(onReady, onFailure, nTriesLeft - 1);
				180	}
				181	else {
				182	onFailure(ErrorCode::KekRetrievalTimeout,
				183	"Retrieval of KEK [" + i.getName().toUri() + "] timed out");
Alexander Afanasyev	da366d8	2018-06-29 18:18:02 -0400	[diff] [blame^]	184	NDN_LOG_DEBUG("Scheduling retry after all timeouts");
				185	m_scheduler.scheduleEvent(RETRY_DELAY_KEK_RETRIEVAL, [=] {
				186	retryFetchingKek();
				187	});
Alexander Afanasyev	1a21e10	2018-06-13 20:33:21 -0400	[diff] [blame]	188	}
				189	});
				190	}
				191
				192	void
				193	Encryptor::makeAndPublishCkData(const ErrorCallback& onFailure)
				194	{
				195	try {
				196	PublicKey kek;
				197	kek.loadPkcs8(m_kek->getContent().value(), m_kek->getContent().value_size());
				198
				199	EncryptedContent content;
				200	content.setPayload(kek.encrypt(m_ckBits.data(), m_ckBits.size()));
				201
				202	auto ckData = make_shared<Data>(Name(m_ckName).append(ENCRYPTED_BY).append(m_kek->getName()));
				203	ckData->setContent(content.wireEncode());
				204	// FreshnessPeriod can serve as a soft access control for revoking access
				205	ckData->setFreshnessPeriod(DEFAULT_CK_FRESHNESS_PERIOD);
				206	m_keyChain.sign(*ckData, m_ckDataSigningInfo);
				207	m_ims.insert(*ckData);
				208
				209	NDN_LOG_DEBUG("Publishing CK data: " << ckData->getName());
				210	}
				211	catch (const std::runtime_error& error) {
				212	onFailure(ErrorCode::EncryptionFailure, "Failed to encrypt generated CK with KEK " + m_kek->getName().toUri());
				213	}
				214	}
				215
				216	} // namespace nac
				217	} // namespace ndn