security: Correctly handle Sha256-signed Command Interests
Change-Id: Ibcda11627a4be0498dfd894df8b976cb65da308a
Refs: #4635
diff --git a/src/security/v2/validation-policy.cpp b/src/security/v2/validation-policy.cpp
index 25fb1d2..0f609e1 100644
--- a/src/security/v2/validation-policy.cpp
+++ b/src/security/v2/validation-policy.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
- * Copyright (c) 2013-2017 Regents of the University of California.
+/*
+ * Copyright (c) 2013-2018 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -20,6 +20,7 @@
*/
#include "validation-policy.hpp"
+#include "../signing-info.hpp"
namespace ndn {
namespace security {
@@ -62,6 +63,10 @@
static Name
getKeyLocatorName(const SignatureInfo& si, ValidationState& state)
{
+ if (si.getSignatureType() == tlv::DigestSha256) {
+ return SigningInfo::getDigestSha256Identity();
+ }
+
if (!si.hasKeyLocator()) {
state.fail({ValidationError::Code::INVALID_KEY_LOCATOR, "KeyLocator is missing"});
return Name();
diff --git a/src/security/v2/validation-policy.hpp b/src/security/v2/validation-policy.hpp
index d7a261b..20d4f0b 100644
--- a/src/security/v2/validation-policy.hpp
+++ b/src/security/v2/validation-policy.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2017 Regents of the University of California.
+ * Copyright (c) 2013-2018 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
diff --git a/tests/unit-tests/security/v2/validation-policy-command-interest.t.cpp b/tests/unit-tests/security/v2/validation-policy-command-interest.t.cpp
index 4a3365c..7bd42ea 100644
--- a/tests/unit-tests/security/v2/validation-policy-command-interest.t.cpp
+++ b/tests/unit-tests/security/v2/validation-policy-command-interest.t.cpp
@@ -90,10 +90,14 @@
{
auto i1 = makeCommandInterest(identity);
VALIDATE_SUCCESS(i1, "Should succeed (within grace period)");
+ VALIDATE_FAILURE(i1, "Should fail (replay attack)");
advanceClocks(5_ms);
auto i2 = makeCommandInterest(identity);
VALIDATE_SUCCESS(i2, "Should succeed (timestamp larger than previous)");
+
+ auto i3 = m_signer.makeCommandInterest(Name(identity.getName()).append("CMD"), signingWithSha256());
+ VALIDATE_FAILURE(i3, "Should fail (Sha256 signature violates policy)");
}
BOOST_AUTO_TEST_CASE(DataPassthru)
@@ -103,6 +107,20 @@
VALIDATE_SUCCESS(d1, "Should succeed (fallback on inner validation policy for data)");
}
+using ValidationPolicyAcceptAllCommands = ValidationPolicyCommandInterestFixture<DefaultOptions,
+ ValidationPolicyAcceptAll>;
+
+BOOST_FIXTURE_TEST_CASE(SignedWithSha256, ValidationPolicyAcceptAllCommands) // Bug 4635
+{
+ auto i1 = m_signer.makeCommandInterest("/hello/world/CMD", signingWithSha256());
+ VALIDATE_SUCCESS(i1, "Should succeed (within grace period)");
+ VALIDATE_FAILURE(i1, "Should fail (replay attack)");
+
+ advanceClocks(5_ms);
+ auto i2 = m_signer.makeCommandInterest("/hello/world/CMD", signingWithSha256());
+ VALIDATE_SUCCESS(i2, "Should succeed (timestamp larger than previous)");
+}
+
BOOST_AUTO_TEST_SUITE_END() // Accepts
BOOST_AUTO_TEST_SUITE(Rejects)
diff --git a/tests/unit-tests/security/validator-config.t.cpp b/tests/unit-tests/security/validator-config.t.cpp
index 7dd65f5..3e49d24 100644
--- a/tests/unit-tests/security/validator-config.t.cpp
+++ b/tests/unit-tests/security/validator-config.t.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2017 Regents of the University of California.
+ * Copyright (c) 2013-2018 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -20,6 +20,7 @@
*/
#include "security/validator-config.hpp"
+#include "security/command-interest-signer.hpp"
#include "security/v2/certificate-fetcher-offline.hpp"
#include "util/dummy-client-face.hpp"
@@ -126,6 +127,30 @@
BOOST_AUTO_TEST_SUITE_END() // Loads
+
+BOOST_FIXTURE_TEST_CASE(ValidateCommandInterestWithDigestSha256, ValidatorConfigFixture) // Bug 4635
+{
+ validator.load(configFile);
+
+ CommandInterestSigner signer(m_keyChain);
+ auto i = signer.makeCommandInterest("/hello/world/CMD", signingWithSha256());
+ size_t nValidated = 0, nFailed = 0;
+
+ validator.validate(i, [&] (auto&&...) { ++nValidated; }, [&] (auto&&...) { ++nFailed; });
+ BOOST_CHECK_EQUAL(nValidated, 1);
+ BOOST_CHECK_EQUAL(nFailed, 0);
+
+ validator.validate(i, [&] (auto&&...) { ++nValidated; }, [&] (auto&&...) { ++nFailed; });
+ BOOST_CHECK_EQUAL(nValidated, 1);
+ BOOST_CHECK_EQUAL(nFailed, 1);
+
+ i = signer.makeCommandInterest("/hello/world/CMD", signingWithSha256());
+ validator.validate(i, [&] (auto&&...) { ++nValidated; }, [&] (auto&&...) { ++nFailed; });
+ BOOST_CHECK_EQUAL(nValidated, 2);
+ BOOST_CHECK_EQUAL(nFailed, 1);
+}
+
+
BOOST_AUTO_TEST_SUITE_END() // TestValidatorConfig
BOOST_AUTO_TEST_SUITE_END() // Security