security: Add CertificateCache
Change-Id: If7008877e9956c4e8964c99feac7ba34685106d7
Refs: #3317
diff --git a/docs/doxygen.conf.in b/docs/doxygen.conf.in
index d1ab057..4925781 100644
--- a/docs/doxygen.conf.in
+++ b/docs/doxygen.conf.in
@@ -1917,7 +1917,7 @@
# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
PREDEFINED = DOXYGEN \
- NFD_LOG_INIT \
+ NDN_LOG_INIT \
BOOST_CONCEPT_ASSERT \
PUBLIC_WITH_TESTS_ELSE_PROTECTED=protected \
PUBLIC_WITH_TESTS_ELSE_PRIVATE=private \
diff --git a/src/security/v2/certificate-cache.cpp b/src/security/v2/certificate-cache.cpp
new file mode 100644
index 0000000..b3b745d
--- /dev/null
+++ b/src/security/v2/certificate-cache.cpp
@@ -0,0 +1,110 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "certificate-cache.hpp"
+#include "util/logger.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+NDN_LOG_INIT(ndn.security.v2.CertificateCache);
+
+const time::nanoseconds&
+CertificateCache::getDefaultLifetime()
+{
+ static time::nanoseconds lifetime = time::seconds(3600);
+ return lifetime;
+}
+
+CertificateCache::CertificateCache(const time::nanoseconds& maxLifetime)
+ : m_certsByTime(m_certs.get<0>())
+ , m_certsByName(m_certs.get<1>())
+ , m_maxLifetime(maxLifetime)
+{
+}
+
+void
+CertificateCache::insert(const Certificate& cert)
+{
+ time::system_clock::TimePoint notAfterTime = cert.getValidityPeriod().getPeriod().second;
+ time::system_clock::TimePoint now = time::system_clock::now();
+ if (notAfterTime < now) {
+ NDN_LOG_DEBUG("Not adding " << cert.getName() << ": already expired at " << time::toIsoString(notAfterTime));
+ return;
+ }
+
+ time::system_clock::TimePoint removalTime = std::min(notAfterTime, now + m_maxLifetime);
+ NDN_LOG_DEBUG("Adding " << cert.getName() << ", will remove in "
+ << time::duration_cast<time::seconds>(removalTime - now));
+ m_certs.insert(Entry(cert, removalTime));
+}
+
+const Certificate*
+CertificateCache::find(const Name& keyName)
+{
+ refresh();
+ if (keyName.size() > 0 && keyName[-1].isImplicitSha256Digest()) {
+ NDN_LOG_INFO("Certificate search using name with the implicit digest is not yet supported");
+ }
+ auto itr = m_certsByName.lower_bound(keyName);
+ if (itr == m_certsByName.end() || !keyName.isPrefixOf(itr->getCertName()))
+ return nullptr;
+ return &itr->cert;
+}
+
+const Certificate*
+CertificateCache::find(const Interest& interest)
+{
+ if (interest.getChildSelector() >= 0) {
+ NDN_LOG_DEBUG("Certificate search using ChildSelector is not supported, search as if selector not specified");
+ }
+ if (interest.getName().size() > 0 && interest.getName()[-1].isImplicitSha256Digest()) {
+ NDN_LOG_INFO("Certificate search using name with the implicit digest is not yet supported");
+ }
+ refresh();
+
+ for (auto i = m_certsByName.lower_bound(interest.getName());
+ i != m_certsByName.end() && interest.getName().isPrefixOf(i->getCertName());
+ ++i) {
+ const auto& cert = i->cert;
+ if (interest.matchesData(cert)) {
+ return &cert;
+ }
+ }
+ return nullptr;
+}
+
+void
+CertificateCache::refresh()
+{
+ time::system_clock::TimePoint now = time::system_clock::now();
+
+ auto cIt = m_certsByTime.begin();
+ while (cIt != m_certsByTime.end() && cIt->removalTime < now) {
+ m_certsByTime.erase(cIt);
+ cIt = m_certsByTime.begin();
+ }
+}
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
diff --git a/src/security/v2/certificate-cache.hpp b/src/security/v2/certificate-cache.hpp
new file mode 100644
index 0000000..4bf9f3c
--- /dev/null
+++ b/src/security/v2/certificate-cache.hpp
@@ -0,0 +1,144 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_SECURITY_V2_CERTIFICATE_CACHE_HPP
+#define NDN_SECURITY_V2_CERTIFICATE_CACHE_HPP
+
+#include "../../interest.hpp"
+#include "certificate.hpp"
+
+#include <boost/multi_index_container.hpp>
+#include <boost/multi_index/ordered_index.hpp>
+#include <boost/multi_index/mem_fun.hpp>
+#include <boost/multi_index/member.hpp>
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+/**
+ * @brief Represents a container for verified certificates.
+ *
+ * A certificate is removed no later than its NotAfter time, or maxLifetime after it has been
+ * added to the cache.
+ */
+class CertificateCache : noncopyable
+{
+public:
+ /**
+ * @brief Create an object for certificate cache.
+ *
+ * @param maxLifetime the maximum time that certificates could live inside cache (default: 1 hour)
+ */
+ explicit
+ CertificateCache(const time::nanoseconds& maxLifetime = getDefaultLifetime());
+
+ /**
+ * @brief Insert certificate into cache.
+ *
+ * The inserted certificate will be removed no later than its NotAfter time, or maxLifetime
+ * defined during cache construction.
+ *
+ * @param cert the certificate packet.
+ */
+ void
+ insert(const Certificate& cert);
+
+ /**
+ * @brief Get certificate given key name
+ * @param keyName Key name for searching the certificate.
+ * @return The found certificate, nullptr if not found.
+ *
+ * @note The returned value may be invalidated after next call to one of find methods.
+ */
+ const Certificate*
+ find(const Name& keyName);
+
+ /**
+ * @brief Find certificate given interest
+ * @param interest The input interest packet.
+ * @return The found certificate that matches the interest, nullptr if not found.
+ *
+ * @note ChildSelector is not supported.
+ *
+ * @note The returned value may be invalidated after next call to one of find methods.
+ */
+ const Certificate*
+ find(const Interest& interest);
+
+private:
+ class Entry
+ {
+ public:
+ Entry(const Certificate& cert, const time::system_clock::TimePoint& removalTime)
+ : cert(cert)
+ , removalTime(removalTime)
+ {
+ }
+
+ const Name&
+ getCertName() const
+ {
+ return cert.getName();
+ }
+
+ public:
+ Certificate cert;
+ time::system_clock::TimePoint removalTime;
+ };
+
+ /**
+ * @brief Remove all outdated certificate entries.
+ */
+ void
+ refresh();
+
+public:
+ static const time::nanoseconds&
+ getDefaultLifetime();
+
+private:
+ /// @todo Switch to InMemoryStorateTimeout after it is available (task #3917)
+ typedef boost::multi_index::multi_index_container<
+ Entry,
+ boost::multi_index::indexed_by<
+ boost::multi_index::ordered_non_unique<
+ boost::multi_index::member<Entry, const time::system_clock::TimePoint, &Entry::removalTime>
+ >,
+ boost::multi_index::ordered_unique<
+ boost::multi_index::const_mem_fun<Entry, const Name&, &Entry::getCertName>
+ >
+ >
+ > CertIndex;
+
+ typedef CertIndex::nth_index<0>::type CertIndexByTime;
+ typedef CertIndex::nth_index<1>::type CertIndexByName;
+ CertIndex m_certs;
+ CertIndexByTime& m_certsByTime;
+ CertIndexByName& m_certsByName;
+ time::nanoseconds m_maxLifetime;
+};
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_CERTIFICATE_CACHE_HPP
diff --git a/tests/unit-tests/security/v2/certificate-cache.t.cpp b/tests/unit-tests/security/v2/certificate-cache.t.cpp
new file mode 100644
index 0000000..56c7dd0
--- /dev/null
+++ b/tests/unit-tests/security/v2/certificate-cache.t.cpp
@@ -0,0 +1,108 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "security/v2/certificate-cache.hpp"
+
+#include "../../identity-management-time-fixture.hpp"
+#include "boost-test.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+namespace tests {
+
+BOOST_AUTO_TEST_SUITE(Security)
+BOOST_AUTO_TEST_SUITE(V2)
+
+class CertificateCacheFixture : public ndn::tests::IdentityManagementTimeFixture
+{
+public:
+ CertificateCacheFixture()
+ : certCache(time::seconds(10))
+ {
+ identity = addIdentity("/TestCertificateCache/");
+ cert = identity.getDefaultKey().getDefaultCertificate();
+ }
+
+public:
+ CertificateCache certCache;
+ Identity identity;
+ Certificate cert;
+};
+
+BOOST_FIXTURE_TEST_SUITE(TestCertificateCache, CertificateCacheFixture)
+
+BOOST_AUTO_TEST_CASE(RemovalTime)
+{
+ // Cache lifetime is capped to 10 seconds during cache construction
+
+ BOOST_CHECK_NO_THROW(certCache.insert(cert));
+ BOOST_CHECK(certCache.find(cert.getName()) != nullptr);
+
+ advanceClocks(time::seconds(11), 1);
+ BOOST_CHECK(certCache.find(cert.getName()) == nullptr);
+
+ BOOST_CHECK_NO_THROW(certCache.insert(cert));
+ BOOST_CHECK(certCache.find(cert.getName()) != nullptr);
+
+ advanceClocks(time::seconds(5));
+ BOOST_CHECK(certCache.find(cert.getName()) != nullptr);
+
+ advanceClocks(time::seconds(15));
+ BOOST_CHECK(certCache.find(cert.getName()) == nullptr);
+}
+
+BOOST_AUTO_TEST_CASE(FindByInterest)
+{
+ BOOST_CHECK_NO_THROW(certCache.insert(cert));
+
+ // Find by interest
+ BOOST_CHECK(certCache.find(Interest(cert.getIdentity())) != nullptr);
+ BOOST_CHECK(certCache.find(Interest(cert.getKeyName())) != nullptr);
+ BOOST_CHECK(certCache.find(Interest(Name(cert.getName()).appendVersion())) == nullptr);
+
+ advanceClocks(time::seconds(12));
+ BOOST_CHECK(certCache.find(Interest(cert.getIdentity())) == nullptr);
+
+ Certificate cert3 = addCertificate(identity.getDefaultKey(), "3");
+ Certificate cert4 = addCertificate(identity.getDefaultKey(), "4");
+ Certificate cert5 = addCertificate(identity.getDefaultKey(), "5");
+
+ certCache.insert(cert3);
+ certCache.insert(cert4);
+ certCache.insert(cert5);
+
+ Interest interest4(cert3.getKeyName());
+ interest4.setExclude(Exclude().excludeOne(cert3.getName().at(Certificate::ISSUER_ID_OFFSET)));
+ BOOST_CHECK(certCache.find(interest4) != nullptr);
+ BOOST_CHECK_NE(certCache.find(interest4)->getName(), cert3.getName());
+
+ // TODO cover more cases with different interests
+}
+
+BOOST_AUTO_TEST_SUITE_END() // TestCertificateCache
+BOOST_AUTO_TEST_SUITE_END() // V2
+BOOST_AUTO_TEST_SUITE_END() // Security
+
+} // namespace tests
+} // namespace v2
+} // namespace security
+} // namespace ndn