security: Add configuration based validator
configuration file format can be found at: http://redmine.named-data.net/projects/ndn-cpp-dev/wiki/CommandValidatorConf
Change-Id: Icc2725f349aed7513f35f2cccdcd4463fadeef31
diff --git a/src/security/validator.cpp b/src/security/validator.cpp
index f1d8035..cb5be23 100644
--- a/src/security/validator.cpp
+++ b/src/security/validator.cpp
@@ -21,47 +21,49 @@
namespace ndn {
-const shared_ptr<Face> Validator::DefaultFace = shared_ptr<Face>();
+const shared_ptr<Face> Validator::DEFAULT_FACE;
-Validator::Validator(shared_ptr<Face> face /* = DefaultFace */)
+Validator::Validator(shared_ptr<Face> face /* = DefaultFace */)
: m_face(face)
-{}
+{
+}
void
-Validator::validate(const Interest& interest,
- const OnInterestValidated &onValidated,
- const OnInterestValidationFailed &onValidationFailed,
+Validator::validate(const Interest& interest,
+ const OnInterestValidated& onValidated,
+ const OnInterestValidationFailed& onValidationFailed,
int stepCount)
{
vector<shared_ptr<ValidationRequest> > nextSteps;
checkPolicy(interest, stepCount, onValidated, onValidationFailed, nextSteps);
-
+
if (!nextSteps.empty())
{
- if(!static_cast<bool>(m_face))
- throw Error("Face should be set prior to verify method to call");
-
+ if (!static_cast<bool>(m_face))
+ throw Error("Face should be set before calling validate method");
+
vector<shared_ptr<ValidationRequest> >::const_iterator it = nextSteps.begin();
OnFailure onFailure = bind(onValidationFailed, interest.shared_from_this(), _1);
- for(; it != nextSteps.end(); it++)
+ for (; it != nextSteps.end(); it++)
m_face->expressInterest((*it)->m_interest,
- bind(&Validator::onData, this, _1, _2, *it),
- bind(&Validator::onTimeout,
- this, _1, (*it)->m_retry,
- onFailure,
+ bind(&Validator::onData, this, _1, _2, *it),
+ bind(&Validator::onTimeout,
+ this, _1, (*it)->m_retry,
+ onFailure,
*it));
}
else
{
- //If there is no nextStep, that means InterestPolicy has already been able to verify the Interest.
- //No more further processes.
+ // If there is no nextStep,
+ // that means InterestPolicy has already been able to verify the Interest.
+ // No more further processes.
}
}
void
-Validator::validate(const Data& data,
- const OnDataValidated &onValidated,
- const OnDataValidationFailed &onValidationFailed,
+Validator::validate(const Data& data,
+ const OnDataValidated& onValidated,
+ const OnDataValidationFailed& onValidationFailed,
int stepCount)
{
vector<shared_ptr<ValidationRequest> > nextSteps;
@@ -69,44 +71,45 @@
if (!nextSteps.empty())
{
- if(!static_cast<bool>(m_face))
+ if (!static_cast<bool>(m_face))
throw Error("Face should be set prior to verify method to call");
vector<shared_ptr<ValidationRequest> >::const_iterator it = nextSteps.begin();
OnFailure onFailure = bind(onValidationFailed, data.shared_from_this(), _1);
- for(; it != nextSteps.end(); it++)
+ for (; it != nextSteps.end(); it++)
m_face->expressInterest((*it)->m_interest,
- bind(&Validator::onData, this, _1, _2, *it),
- bind(&Validator::onTimeout,
- this, _1, (*it)->m_retry,
+ bind(&Validator::onData, this, _1, _2, *it),
+ bind(&Validator::onTimeout,
+ this, _1, (*it)->m_retry,
onFailure,
*it));
}
else
{
- //If there is no nextStep, that means InterestPolicy has already been able to verify the Interest.
- //No more further processes.
+ // If there is no nextStep,
+ // that means Data Policy has already been able to verify the Interest.
+ // No more further processes.
}
}
void
-Validator::onData(const Interest& interest,
- Data& data,
+Validator::onData(const Interest& interest,
+ const Data& data,
const shared_ptr<ValidationRequest>& nextStep)
{
validate(data, nextStep->m_onValidated, nextStep->m_onDataValidated, nextStep->m_stepCount);
}
void
-Validator::onTimeout(const Interest& interest,
- int retry,
- const OnFailure &onFailure,
+Validator::onTimeout(const Interest& interest,
+ int retry,
+ const OnFailure& onFailure,
const shared_ptr<ValidationRequest>& nextStep)
{
if (retry > 0)
// Issue the same expressInterest except decrement retry.
- m_face->expressInterest(interest,
- bind(&Validator::onData, this, _1, _2, nextStep),
+ m_face->expressInterest(interest,
+ bind(&Validator::onData, this, _1, _2, nextStep),
bind(&Validator::onTimeout, this, _1, retry - 1, onFailure, nextStep));
else
onFailure("Cannot fetch cert: " + interest.getName().toUri());
@@ -117,20 +120,21 @@
{
try
{
- switch(data.getSignature().getType()){
- case Signature::Sha256WithRsa:
+ switch (data.getSignature().getType())
{
- SignatureSha256WithRsa sigSha256Rsa(data.getSignature());
- return verifySignature(data, sigSha256Rsa, key);
+ case Signature::Sha256WithRsa:
+ {
+ SignatureSha256WithRsa sigSha256Rsa(data.getSignature());
+ return verifySignature(data, sigSha256Rsa, key);
+ }
+ default:
+ {
+ _LOG_DEBUG("verifySignature: Unknown signature type: " << data.getSignature().getType());
+ return false;
+ }
}
- default:
- {
- _LOG_DEBUG("verifySignature: Unknown signature type: " << data.getSignature().getType());
- return false;
- }
- }
}
- catch(Signature::Error &e)
+ catch (const Signature::Error& e)
{
_LOG_DEBUG("verifySignature: " << e.what());
return false;
@@ -141,40 +145,41 @@
bool
Validator::verifySignature(const Interest& interest, const PublicKey& key)
{
- const Name &interestName = interest.getName();
+ const Name& interestName = interest.getName();
- if(interestName.size() < 2)
+ if (interestName.size() < 2)
return false;
try
{
const Block& nameBlock = interestName.wireEncode();
- Signature sig(interestName[-2].blockFromValue(),
+ Signature sig(interestName[-2].blockFromValue(),
interestName[-1].blockFromValue());
- switch(sig.getType()){
- case Signature::Sha256WithRsa:
+ switch (sig.getType())
{
- SignatureSha256WithRsa sigSha256Rsa(sig);
+ case Signature::Sha256WithRsa:
+ {
+ SignatureSha256WithRsa sigSha256Rsa(sig);
- return verifySignature(nameBlock.value(),
- nameBlock.value_size() - interestName[-1].size(),
- sigSha256Rsa, key);
+ return verifySignature(nameBlock.value(),
+ nameBlock.value_size() - interestName[-1].size(),
+ sigSha256Rsa, key);
+ }
+ default:
+ {
+ _LOG_DEBUG("verifySignature: Unknown signature type: " << sig.getType());
+ return false;
+ }
}
- default:
- {
- _LOG_DEBUG("verifySignature: Unknown signature type: " << sig.getType());
- return false;
- }
- }
}
- catch(Signature::Error &e)
+ catch (const Signature::Error& e)
{
_LOG_DEBUG("verifySignature: " << e.what());
return false;
}
- catch(Block::Error &e)
+ catch (const Block::Error& e)
{
_LOG_DEBUG("verifySignature: " << e.what());
return false;
@@ -187,20 +192,21 @@
{
try
{
- switch(sig.getType()){
- case Signature::Sha256WithRsa:
+ switch (sig.getType())
{
- SignatureSha256WithRsa sigSha256Rsa(sig);
- return verifySignature(data, sigSha256Rsa, key);
+ case Signature::Sha256WithRsa:
+ {
+ SignatureSha256WithRsa sigSha256Rsa(sig);
+ return verifySignature(data, sigSha256Rsa, key);
+ }
+ default:
+ {
+ _LOG_DEBUG("verifySignature: Unknown signature type: " << sig.getType());
+ return false;
+ }
}
- default:
- {
- _LOG_DEBUG("verifySignature: Unknown signature type: " << sig.getType());
- return false;
- }
- }
}
- catch(Signature::Error &e)
+ catch (const Signature::Error& e)
{
_LOG_DEBUG("verifySignature: " << e.what());
return false;
@@ -209,7 +215,10 @@
}
bool
-Validator::verifySignature(const uint8_t* buf, const size_t size, const SignatureSha256WithRsa& sig, const PublicKey& key)
+Validator::verifySignature(const uint8_t* buf,
+ const size_t size,
+ const SignatureSha256WithRsa& sig,
+ const PublicKey& key)
{
try
{
@@ -221,10 +230,12 @@
queue.Put(reinterpret_cast<const byte*>(key.get().buf()), key.get().size());
publicKey.Load(queue);
- RSASS<PKCS1v15, SHA256>::Verifier verifier (publicKey);
- return verifier.VerifyMessage(buf, size, sig.getValue().value(), sig.getValue().value_size());
+ RSASS<PKCS1v15, SHA256>::Verifier verifier(publicKey);
+ return verifier.VerifyMessage(buf, size,
+ sig.getValue().value(),
+ sig.getValue().value_size());
}
- catch(CryptoPP::Exception& e)
+ catch (const CryptoPP::Exception& e)
{
_LOG_DEBUG("verifySignature: " << e.what());
return false;
@@ -239,23 +250,20 @@
ConstBufferPtr buffer = crypto::sha256(buf, size);
const Block& sigValue = sig.getValue();
- if(static_cast<bool>(buffer)
- && buffer->size() == sigValue.value_size()
- && buffer->size() == crypto::SHA256_DIGEST_SIZE)
+ if (static_cast<bool>(buffer) &&
+ buffer->size() == sigValue.value_size() &&
+ buffer->size() == crypto::SHA256_DIGEST_SIZE)
{
const uint8_t* p1 = buffer->buf();
const uint8_t* p2 = sigValue.value();
- for(size_t i = 0; i < crypto::SHA256_DIGEST_SIZE; i++)
- if(p1[i] != p2[i])
- return false;
- return true;
+ return 0 == memcmp(p1, p2, crypto::SHA256_DIGEST_SIZE);
}
else
return false;
}
- catch(CryptoPP::Exception& e)
+ catch (const CryptoPP::Exception& e)
{
_LOG_DEBUG("verifySignature: " << e.what());
return false;