security: various enhancements to Interest and Data validation
* Avoid decoding SignatureInfo multiple times while validating an Interest
* Fix handling of signed Interests with malformed InterestSignatureInfo
* Report a NO_SIGNATURE error when SignatureInfo is missing or malformed
* Fail with POLICY_ERROR in ValidationPolicySimpleHierarchy when the
signing identity violates the policy
* Reduce code duplication
* Expand unit test coverage
Change-Id: I1c9d532b2307d5df8f4bd75152af57a4e10835aa
diff --git a/tests/unit/security/validation-policy-simple-hierarchy.t.cpp b/tests/unit/security/validation-policy-simple-hierarchy.t.cpp
index 70fb49e..38ab30c 100644
--- a/tests/unit/security/validation-policy-simple-hierarchy.t.cpp
+++ b/tests/unit/security/validation-policy-simple-hierarchy.t.cpp
@@ -43,10 +43,13 @@
auto packet = Packet::makePacket(name);
VALIDATE_FAILURE(packet, "Unsigned");
+ BOOST_TEST((lastError.getCode() == ValidationError::NO_SIGNATURE || // Interest
+ lastError.getCode() == ValidationError::INVALID_KEY_LOCATOR)); // Data
packet = Packet::makePacket(name);
m_keyChain.sign(packet, signingWithSha256());
VALIDATE_FAILURE(packet, "Should not be accepted, name not prefix of /localhost/identity/digest-sha256");
+ BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR);
packet = Packet::makePacket("/localhost/identity/digest-sha256/foobar");
m_keyChain.sign(packet, signingWithSha256());
@@ -63,15 +66,17 @@
packet = Packet::makePacket(name);
m_keyChain.sign(packet, signingByIdentity(otherIdentity));
VALIDATE_FAILURE(packet, "Should fail, as signed by the policy-violating cert");
+ BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR);
packet = Packet::makePacket(name);
m_keyChain.sign(packet, signingByIdentity(subSelfSignedIdentity));
VALIDATE_FAILURE(packet, "Should fail, because subSelfSignedIdentity is not a trust anchor");
+ BOOST_TEST(lastError.getCode() == ValidationError::LOOP_DETECTED);
// TODO add checks with malformed packets
}
-BOOST_AUTO_TEST_CASE(NonKeyNameInsideLocator)
+BOOST_AUTO_TEST_CASE(CertNameInKeyLocator)
{
// auto cert = identity.getDefaultKey().getDefaultCertificate().wireEncode();
// std::cerr << "Certificate idCert{\"" << toHex(cert) << "\"_block};" << std::endl;
@@ -107,14 +112,13 @@
"483046022100BDD3E0EF2385658825EB73E87A02D1A16AA8ACE50840C1B91782836164AACA3B0221008007B3EBA9"
"B7638BD204766B08AF6E4221CDB88156CC7DA13CD916610D6D3AED"_block};
+ BOOST_REQUIRE_EQUAL(packet.getKeyLocator().value().getName(),
+ "/Security/ValidatorFixture/Sub1/KEY/%D7j1%B0%1E%14%09%2B/parent/%FD%00%00%01I%9DY%8C%A0");
+
this->cache.insert(idCert);
this->cache.insert(subIdCert);
this->validator.loadAnchor("", std::move(idCert));
- BOOST_REQUIRE(packet.getKeyLocator());
- BOOST_CHECK_EQUAL(packet.getKeyLocator()->getName(),
- "/Security/ValidatorFixture/Sub1/KEY/%D7j1%B0%1E%14%09%2B/parent/%FD%00%00%01I%9DY%8C%A0");
-
VALIDATE_SUCCESS(packet, "Should get accepted, as signed by the policy-compliant cert");
}