blob: bb8ffda0446de26d844f1b66d0af49649ec29865 [file] [log] [blame]
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
* Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
* ndn-cxx library is free software: you can redistribute it and/or modify it under the
* terms of the GNU Lesser General Public License as published by the Free Software
* Foundation, either version 3 of the License, or (at your option) any later version.
*
* ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
* PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
*
* You should have received copies of the GNU General Public License and GNU Lesser
* General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
* <http://www.gnu.org/licenses/>.
*
* See AUTHORS.md for complete list of ndn-cxx authors and contributors.
*/
#include "validator.hpp"
#include "../lp/tags.hpp"
#include "../util/sha256.hpp"
#include "v1/cryptopp.hpp"
namespace ndn {
namespace security {
static Oid SECP256R1("1.2.840.10045.3.1.7");
static Oid SECP384R1("1.3.132.0.34");
Validator::Validator(Face* face)
: m_face(face)
, m_wantDirectCertFetch(false)
{
}
Validator::Validator(Face& face)
: Validator(&face)
{
}
Validator::~Validator() = default;
void
Validator::validate(const Interest& interest,
const OnInterestValidated& onValidated,
const OnInterestValidationFailed& onValidationFailed,
int nSteps)
{
std::vector<shared_ptr<ValidationRequest> > nextSteps;
checkPolicy(interest, nSteps, onValidated, onValidationFailed, nextSteps);
if (nextSteps.empty()) {
// If there is no nextStep,
// that means InterestPolicy has already been able to verify the Interest.
// No more further processes.
return;
}
OnFailure onFailure = bind(onValidationFailed, interest.shared_from_this(), _1);
afterCheckPolicy(nextSteps, onFailure);
}
void
Validator::validate(const Data& data,
const OnDataValidated& onValidated,
const OnDataValidationFailed& onValidationFailed,
int nSteps)
{
std::vector<shared_ptr<ValidationRequest> > nextSteps;
checkPolicy(data, nSteps, onValidated, onValidationFailed, nextSteps);
if (nextSteps.empty()) {
// If there is no nextStep,
// that means Data Policy has already been able to verify the Interest.
// No more further processes.
return;
}
OnFailure onFailure = bind(onValidationFailed, data.shared_from_this(), _1);
afterCheckPolicy(nextSteps, onFailure);
}
void
Validator::onData(const Interest& interest,
const Data& data,
const shared_ptr<ValidationRequest>& nextStep)
{
shared_ptr<const Data> certificateData = preCertificateValidation(data);
if (!static_cast<bool>(certificateData))
return nextStep->m_onDataValidationFailed(data.shared_from_this(),
"Cannot decode cert: " + data.getName().toUri());
validate(*certificateData,
nextStep->m_onDataValidated, nextStep->m_onDataValidationFailed,
nextStep->m_nSteps);
}
bool
Validator::verifySignature(const Data& data, const v1::PublicKey& key)
{
if (!data.getSignature().hasKeyLocator())
return false;
return verifySignature(data.wireEncode().value(),
data.wireEncode().value_size() -
data.getSignature().getValue().size(),
data.getSignature(), key);
}
bool
Validator::verifySignature(const Interest& interest, const v1::PublicKey& key)
{
const Name& name = interest.getName();
if (name.size() < signed_interest::MIN_SIZE)
return false;
Signature sig;
try {
sig.setInfo(name[signed_interest::POS_SIG_INFO].blockFromValue());
sig.setValue(name[signed_interest::POS_SIG_VALUE].blockFromValue());
}
catch (const tlv::Error&) {
return false;
}
if (!sig.hasKeyLocator())
return false;
const Block& nameWire = name.wireEncode();
return verifySignature(nameWire.value(),
nameWire.value_size() - name[signed_interest::POS_SIG_VALUE].size(),
sig, key);
}
bool
Validator::verifySignature(const uint8_t* buf,
const size_t size,
const Signature& sig,
const v1::PublicKey& key)
{
try {
using namespace CryptoPP;
switch (sig.getType()) {
case tlv::SignatureSha256WithRsa: {
if (key.getKeyType() != KeyType::RSA)
return false;
RSA::PublicKey publicKey;
ByteQueue queue;
queue.Put(reinterpret_cast<const byte*>(key.get().buf()), key.get().size());
publicKey.Load(queue);
RSASS<PKCS1v15, SHA256>::Verifier verifier(publicKey);
return verifier.VerifyMessage(buf, size,
sig.getValue().value(), sig.getValue().value_size());
}
case tlv::SignatureSha256WithEcdsa: {
if (key.getKeyType() != KeyType::EC)
return false;
ECDSA<ECP, SHA256>::PublicKey publicKey;
ByteQueue queue;
queue.Put(reinterpret_cast<const byte*>(key.get().buf()), key.get().size());
publicKey.Load(queue);
ECDSA<ECP, SHA256>::Verifier verifier(publicKey);
uint32_t length = 0;
StringSource src(key.get().buf(), key.get().size(), true);
BERSequenceDecoder subjectPublicKeyInfo(src);
{
BERSequenceDecoder algorithmInfo(subjectPublicKeyInfo);
{
Oid algorithm;
algorithm.decode(algorithmInfo);
Oid curveId;
curveId.decode(algorithmInfo);
if (curveId == SECP256R1)
length = 256;
else if (curveId == SECP384R1)
length = 384;
else
return false;
}
}
switch (length) {
case 256: {
uint8_t buffer[64];
size_t usedSize = DSAConvertSignatureFormat(buffer, sizeof(buffer), DSA_P1363,
sig.getValue().value(),
sig.getValue().value_size(),
DSA_DER);
return verifier.VerifyMessage(buf, size, buffer, usedSize);
}
case 384: {
uint8_t buffer[96];
size_t usedSize = DSAConvertSignatureFormat(buffer, sizeof(buffer), DSA_P1363,
sig.getValue().value(),
sig.getValue().value_size(),
DSA_DER);
return verifier.VerifyMessage(buf, size, buffer, usedSize);
}
default:
return false;
}
}
default:
// Unsupported sig type
return false;
}
}
catch (const CryptoPP::Exception& e) {
return false;
}
}
bool
Validator::verifySignature(const uint8_t* buf, const size_t size, const DigestSha256& sig)
{
try {
ConstBufferPtr buffer = util::Sha256::computeDigest(buf, size);
const Block& sigValue = sig.getValue();
if (buffer->size() == sigValue.value_size() &&
buffer->size() == util::Sha256::DIGEST_SIZE) {
const uint8_t* p1 = buffer->buf();
const uint8_t* p2 = sigValue.value();
return 0 == memcmp(p1, p2, util::Sha256::DIGEST_SIZE);
}
else
return false;
}
catch (const util::Sha256::Error&) {
return false;
}
}
void
Validator::onNack(const Interest& interest,
const lp::Nack& nack,
int remainingRetries,
const OnFailure& onFailure,
const shared_ptr<ValidationRequest>& validationRequest)
{
if (remainingRetries > 0) {
Interest newInterest = Interest(interest);
newInterest.refreshNonce();
//Express the same interest with different nonce and decremented remainingRetries.
m_face->expressInterest(newInterest,
bind(&Validator::onData, this, _1, _2, validationRequest),
bind(&Validator::onNack, this, _1, _2,
remainingRetries - 1, onFailure, validationRequest),
bind(&Validator::onTimeout, this, _1,
remainingRetries - 1, onFailure, validationRequest));
}
else {
onFailure("Cannot fetch cert: " + interest.getName().toUri());
}
}
void
Validator::onTimeout(const Interest& interest,
int remainingRetries,
const OnFailure& onFailure,
const shared_ptr<ValidationRequest>& validationRequest)
{
if (remainingRetries > 0) {
Interest newInterest = Interest(interest);
newInterest.refreshNonce();
// Express the same interest with different nonce and decremented remainingRetries.
m_face->expressInterest(newInterest,
bind(&Validator::onData, this, _1, _2, validationRequest),
bind(&Validator::onNack, this, _1, _2,
remainingRetries - 1, onFailure, validationRequest),
bind(&Validator::onTimeout, this, _1,
remainingRetries - 1, onFailure, validationRequest));
}
else {
onFailure("Cannot fetch cert: " + interest.getName().toUri());
}
}
void
Validator::afterCheckPolicy(const std::vector<shared_ptr<ValidationRequest>>& nextSteps,
const OnFailure& onFailure)
{
if (m_face == nullptr) {
onFailure("Require more information to validate the packet!");
return;
}
for (shared_ptr<ValidationRequest> step : nextSteps) {
if (m_wantDirectCertFetch && step->m_requesterFaceId != 0) {
Interest directFetchInterest(step->m_interest);
directFetchInterest.refreshNonce();
directFetchInterest.setTag(make_shared<lp::NextHopFaceIdTag>(step->m_requesterFaceId));
m_face->expressInterest(directFetchInterest, nullptr, nullptr, nullptr);
}
m_face->expressInterest(step->m_interest,
bind(&Validator::onData, this, _1, _2, step),
bind(&Validator::onNack, this, _1, _2,
step->m_nRetries, onFailure, step),
bind(&Validator::onTimeout,
this, _1, step->m_nRetries,
onFailure,
step));
}
}
void
Validator::setDirectCertFetchEnabled(bool isEnabled)
{
m_wantDirectCertFetch = isEnabled;
}
} // namespace security
} // namespace ndn