| Alexander Afanasyev | e96538a | 2018-06-13 20:32:53 -0400 | [diff] [blame^] | 1 | /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */ |
| 2 | /** |
| 3 | * Copyright (c) 2014-2018, Regents of the University of California |
| 4 | * |
| 5 | * NAC library is free software: you can redistribute it and/or modify it under the |
| 6 | * terms of the GNU Lesser General Public License as published by the Free Software |
| 7 | * Foundation, either version 3 of the License, or (at your option) any later version. |
| 8 | * |
| 9 | * NAC library is distributed in the hope that it will be useful, but WITHOUT ANY |
| 10 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A |
| 11 | * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. |
| 12 | * |
| 13 | * You should have received copies of the GNU General Public License and GNU Lesser |
| 14 | * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see |
| 15 | * <http://www.gnu.org/licenses/>. |
| 16 | * |
| 17 | * See AUTHORS.md for complete list of NAC library authors and contributors. |
| 18 | */ |
| 19 | |
| 20 | #include "access-manager.hpp" |
| 21 | #include "encrypted-content.hpp" |
| 22 | |
| 23 | #include <ndn-cxx/util/logger.hpp> |
| 24 | |
| 25 | NDN_LOG_INIT(nac.AccessManager); |
| 26 | |
| 27 | namespace ndn { |
| 28 | namespace nac { |
| 29 | |
| 30 | AccessManager::AccessManager(const Identity& identity, const Name& dataset, |
| 31 | KeyChain& keyChain, Face& face) |
| 32 | : m_identity(identity) |
| 33 | , m_keyChain(keyChain) |
| 34 | , m_face(face) |
| 35 | { |
| 36 | // NAC Identity: <identity>/NAC/<dataset> |
| 37 | // generate NAC key |
| 38 | auto nacId = m_keyChain.createIdentity(Name(identity.getName()).append(NAC).append(dataset), RsaKeyParams()); |
| 39 | m_nacKey = nacId.getDefaultKey(); |
| 40 | if (m_nacKey.getKeyType() != KeyType::RSA) { |
| 41 | NDN_LOG_INFO("Cannot re-use existing KEK/KDK pair, as it is not an RSA key, regenerating"); |
| 42 | m_nacKey = m_keyChain.createKey(nacId, RsaKeyParams()); |
| 43 | } |
| 44 | auto nacKeyId = m_nacKey.getName().at(-1); |
| 45 | |
| 46 | auto kekPrefix = Name(m_nacKey.getIdentity()).append(KEK); |
| 47 | |
| 48 | auto kek = make_shared<Data>(m_nacKey.getDefaultCertificate()); |
| 49 | kek->setName(Name(kekPrefix).append(nacKeyId)); |
| 50 | m_keyChain.sign(*kek, signingByIdentity(m_identity)); |
| 51 | // kek looks like a cert, but doesn't have ValidityPeriod |
| 52 | m_ims.insert(*kek); |
| 53 | |
| 54 | auto serveFromIms = [this] (const Name& prefix, const Interest& interest) { |
| 55 | auto data = m_ims.find(interest); |
| 56 | if (data != nullptr) { |
| 57 | NDN_LOG_DEBUG("Serving " << data->getName() << " from InMemoryStorage"); |
| 58 | m_face.put(*data); |
| 59 | } |
| 60 | else { |
| 61 | NDN_LOG_DEBUG("Didn't find data for " << interest.getName()); |
| 62 | // send NACK? |
| 63 | } |
| 64 | }; |
| 65 | |
| 66 | auto handleError = [] (const Name& prefix, const std::string& msg) { |
| 67 | NDN_LOG_ERROR("Failed to register prefix " << prefix << ": " << msg); |
| 68 | }; |
| 69 | |
| 70 | m_kekRegId = m_face.setInterestFilter(kekPrefix, serveFromIms, handleError); |
| 71 | |
| 72 | auto kdkPrefix = Name(m_nacKey.getIdentity()).append(KDK).append(nacKeyId); |
| 73 | m_kdkRegId = m_face.setInterestFilter(kdkPrefix, serveFromIms, handleError); |
| 74 | } |
| 75 | |
| 76 | AccessManager::~AccessManager() |
| 77 | { |
| 78 | m_face.unsetInterestFilter(m_kekRegId); |
| 79 | m_face.unsetInterestFilter(m_kdkRegId); |
| 80 | } |
| 81 | |
| 82 | void |
| 83 | AccessManager::addMember(const Certificate& memberCert) |
| 84 | { |
| 85 | Name kdkName(m_nacKey.getIdentity()); |
| 86 | kdkName |
| 87 | .append(KDK) |
| 88 | .append(m_nacKey.getName().at(-1)) // key-id |
| 89 | .append(ENCRYPTED_BY) |
| 90 | .append(memberCert.getKeyName()); |
| 91 | |
| 92 | const size_t secretLength = 32; |
| 93 | uint8_t secret[secretLength + 1]; |
| 94 | random::generateSecureBytes(secret, secretLength); |
| 95 | // because of stupid bug in ndn-cxx, remove all \0 in generated secret, replace with 1 |
| 96 | for (size_t i = 0; i < secretLength; ++i) { |
| 97 | if (secret[i] == 0) { |
| 98 | secret[i] = 1; |
| 99 | } |
| 100 | } |
| 101 | secret[secretLength] = 0; |
| 102 | |
| 103 | auto kdkData = m_keyChain.exportSafeBag(m_nacKey.getDefaultCertificate(), |
| 104 | reinterpret_cast<const char*>(secret), secretLength); |
| 105 | |
| 106 | PublicKey memberKey; |
| 107 | memberKey.loadPkcs8(memberCert.getPublicKey().data(), memberCert.getPublicKey().size()); |
| 108 | |
| 109 | EncryptedContent content; |
| 110 | content.setPayload(kdkData->wireEncode()); |
| 111 | content.setPayloadKey(memberKey.encrypt(secret, secretLength)); |
| 112 | |
| 113 | auto kdk = make_shared<Data>(kdkName); |
| 114 | kdk->setContent(content.wireEncode()); |
| 115 | kdk->setFreshnessPeriod(1_h); // this can serve as soft access control for revoking access |
| 116 | m_keyChain.sign(*kdk, signingByIdentity(m_identity)); |
| 117 | |
| 118 | m_ims.insert(*kdk); |
| 119 | } |
| 120 | |
| 121 | void |
| 122 | AccessManager::removeMember(const Name& identity) |
| 123 | { |
| 124 | m_ims.erase(Name(m_nacKey.getName()).append(KDK).append(ENCRYPTED_BY).append(identity)); |
| 125 | } |
| 126 | |
| 127 | } // namespace nac |
| 128 | } // namespace ndn |