commit 2acce25696483d7c8111330e134a16ccde34210a
author Davide Pesavento <davidepesa@gmail.com> Thu Sep 08 22:03:03 2022 -0400
committer Davide Pesavento <davidepesa@gmail.com> Wed Oct 05 21:18:07 2022 -0400
tree 46d14415f1c1de8bea439c9708a2f5b26688ee3f
parent ea5ce49651e4a417d38f0e591702d0309ca3e032

security: various enhancements to Interest and Data validation

 * Avoid decoding SignatureInfo multiple times while validating an Interest
 * Fix handling of signed Interests with malformed InterestSignatureInfo
 * Report a NO_SIGNATURE error when SignatureInfo is missing or malformed
 * Fail with POLICY_ERROR in ValidationPolicySimpleHierarchy when the
   signing identity violates the policy
 * Reduce code duplication
 * Expand unit test coverage

Change-Id: I1c9d532b2307d5df8f4bd75152af57a4e10835aa

tests/unit/security/validation-policy-simple-hierarchy.t.cpp

diff --git a/tests/unit/security/validation-policy-simple-hierarchy.t.cpp b/tests/unit/security/validation-policy-simple-hierarchy.t.cpp
index 70fb49e..38ab30c 100644
--- a/tests/unit/security/validation-policy-simple-hierarchy.t.cpp
+++ b/tests/unit/security/validation-policy-simple-hierarchy.t.cpp
@@ -43,10 +43,13 @@
 
   auto packet = Packet::makePacket(name);
   VALIDATE_FAILURE(packet, "Unsigned");
+  BOOST_TEST((lastError.getCode() == ValidationError::NO_SIGNATURE ||        // Interest
+              lastError.getCode() == ValidationError::INVALID_KEY_LOCATOR)); // Data
 
   packet = Packet::makePacket(name);
   m_keyChain.sign(packet, signingWithSha256());
   VALIDATE_FAILURE(packet, "Should not be accepted, name not prefix of /localhost/identity/digest-sha256");
+  BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR);
 
   packet = Packet::makePacket("/localhost/identity/digest-sha256/foobar");
   m_keyChain.sign(packet, signingWithSha256());
@@ -63,15 +66,17 @@
   packet = Packet::makePacket(name);
   m_keyChain.sign(packet, signingByIdentity(otherIdentity));
   VALIDATE_FAILURE(packet, "Should fail, as signed by the policy-violating cert");
+  BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR);
 
   packet = Packet::makePacket(name);
   m_keyChain.sign(packet, signingByIdentity(subSelfSignedIdentity));
   VALIDATE_FAILURE(packet, "Should fail, because subSelfSignedIdentity is not a trust anchor");
+  BOOST_TEST(lastError.getCode() == ValidationError::LOOP_DETECTED);
 
   // TODO add checks with malformed packets
 }
 
-BOOST_AUTO_TEST_CASE(NonKeyNameInsideLocator)
+BOOST_AUTO_TEST_CASE(CertNameInKeyLocator)
 {
 //  auto cert = identity.getDefaultKey().getDefaultCertificate().wireEncode();
 //  std::cerr << "Certificate idCert{\"" << toHex(cert) << "\"_block};" << std::endl;
@@ -107,14 +112,13 @@
       "483046022100BDD3E0EF2385658825EB73E87A02D1A16AA8ACE50840C1B91782836164AACA3B0221008007B3EBA9"
       "B7638BD204766B08AF6E4221CDB88156CC7DA13CD916610D6D3AED"_block};
 
+  BOOST_REQUIRE_EQUAL(packet.getKeyLocator().value().getName(),
+                      "/Security/ValidatorFixture/Sub1/KEY/%D7j1%B0%1E%14%09%2B/parent/%FD%00%00%01I%9DY%8C%A0");
+
   this->cache.insert(idCert);
   this->cache.insert(subIdCert);
   this->validator.loadAnchor("", std::move(idCert));
 
-  BOOST_REQUIRE(packet.getKeyLocator());
-  BOOST_CHECK_EQUAL(packet.getKeyLocator()->getName(),
-                    "/Security/ValidatorFixture/Sub1/KEY/%D7j1%B0%1E%14%09%2B/parent/%FD%00%00%01I%9DY%8C%A0");
-
   VALIDATE_SUCCESS(packet, "Should get accepted, as signed by the policy-compliant cert");
 }