security: Merging SecPolicy into Validator (previously Verifier)
Change-Id: I469fc8f823406cb217bf85248d38d241c32f31f0
diff --git a/src/security/sec-policy-no-verify.cpp b/src/security/sec-policy-no-verify.cpp
deleted file mode 100644
index 3a45756..0000000
--- a/src/security/sec-policy-no-verify.cpp
+++ /dev/null
@@ -1,36 +0,0 @@
-/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
-/**
- * Copyright (C) 2013 Regents of the University of California.
- * @author: Yingdi Yu <yingdi@cs.ucla.edu>
- * @author: Jeff Thompson <jefft0@remap.ucla.edu>
- * See COPYING for copyright and distribution information.
- */
-
-#include "security/sec-policy-no-verify.hpp"
-
-using namespace std;
-
-namespace ndn {
-
-SecPolicyNoVerify::~SecPolicyNoVerify()
-{
-}
-
-ptr_lib::shared_ptr<ValidationRequest>
-SecPolicyNoVerify::checkVerificationPolicy
- (const ptr_lib::shared_ptr<const Data>& data, int stepCount, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed)
-{
- onVerified();
- return ptr_lib::shared_ptr<ValidationRequest>();
-}
-
-ptr_lib::shared_ptr<ValidationRequest>
-SecPolicyNoVerify::checkVerificationPolicy
- (const ptr_lib::shared_ptr<const Interest>& interest, int stepCount, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed)
-{
- onVerified();
- return ptr_lib::shared_ptr<ValidationRequest>();
-}
-
-
-}
diff --git a/src/security/sec-policy-no-verify.hpp b/src/security/sec-policy-no-verify.hpp
deleted file mode 100644
index 59dd615..0000000
--- a/src/security/sec-policy-no-verify.hpp
+++ /dev/null
@@ -1,55 +0,0 @@
-/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
-/**
- * Copyright (C) 2013 Regents of the University of California.
- * @author: Yingdi Yu <yingdi@cs.ucla.edu>
- * @author: Jeff Thompson <jefft0@remap.ucla.edu>
- * See COPYING for copyright and distribution information.
- */
-
-#ifndef NDN_SEC_POLICY_NO_VERIFY_HPP
-#define NDN_SEC_POLICY_NO_VERIFY_HPP
-
-#include "sec-policy.hpp"
-
-namespace ndn {
-
-class SecPolicyNoVerify : public SecPolicy {
-public:
- /**
- * The virtual destructor.
- */
- virtual
- ~SecPolicyNoVerify();
-
- /**
- * Check whether the received data packet complies with the verification policy, and get the indication of the next verification step.
- * If there is no next verification step, that imlies policy MUST have already made the verification decision.
- * i.e., either onVerified or onVerifyFailed callback is invoked.
- * @param data The Data object with the signature to check.
- * @param stepCount The number of verification steps that have been done, used to track the verification progress.
- * @param onVerified If the signature is verified, this calls onVerified(data).
- * @param onVerifyFailed If the signature check fails, this calls onVerifyFailed(data).
- * @return the indication of next verification step, null if there is no further step.
- */
- virtual ptr_lib::shared_ptr<ValidationRequest>
- checkVerificationPolicy
- (const ptr_lib::shared_ptr<const Data>& data, int stepCount, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed);
-
- /**
- * Check whether the received interest packet complies with the verification policy, and get the indication of the next verification step.
- * If there is no next verification step, that implies policy MUST have already made the verification decision.
- * i.e., either onVerified or onVerifyFailed callback is invoked.
- * @param data The Data object with the signature to check.
- * @param stepCount The number of verification steps that have been done, used to track the verification progress.
- * @param onVerified If the signature is verified, this calls onVerified(data).
- * @param onVerifyFailed If the signature check fails, this calls onVerifyFailed(data).
- * @return the indication of next verification step, null if there is no further step.
- */
- virtual ptr_lib::shared_ptr<ValidationRequest>
- checkVerificationPolicy
- (const ptr_lib::shared_ptr<const Interest>& interest, int stepCount, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed);
-};
-
-}
-
-#endif
diff --git a/src/security/sec-policy-regex.cpp b/src/security/sec-policy-regex.cpp
deleted file mode 100644
index 4b74132..0000000
--- a/src/security/sec-policy-regex.cpp
+++ /dev/null
@@ -1,151 +0,0 @@
-/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
-/**
- * Copyright (C) 2013 Regents of the University of California.
- * @author: Yingdi Yu <yingdi@cs.ucla.edu>
- * See COPYING for copyright and distribution information.
- */
-
-#include "sec-policy-regex.hpp"
-
-#include "verifier.hpp"
-#include "signature-sha256-with-rsa.hpp"
-
-#include "../util/logging.hpp"
-
-INIT_LOGGER("SecPolicyRegex");
-
-using namespace std;
-
-namespace ndn
-{
-
-SecPolicyRegex::SecPolicyRegex(shared_ptr<CertificateCache> certificateCache,
- const int stepLimit)
- : m_stepLimit(stepLimit)
- , m_certificateCache(certificateCache)
-{}
-
-void
-SecPolicyRegex::onCertificateVerified(shared_ptr<Data>signCertificate,
- shared_ptr<Data>data,
- const OnVerified& onVerified,
- const OnVerifyFailed& onVerifyFailed)
-{
- shared_ptr<IdentityCertificate> certificate = make_shared<IdentityCertificate>(*signCertificate);
-
- if(!certificate->isTooLate() && !certificate->isTooEarly())
- {
- m_certificateCache->insertCertificate(certificate);
-
- try{
- if(Verifier::verifySignature(*data, data->getSignature(), certificate->getPublicKeyInfo()))
- {
- onVerified();
- return;
- }
- }catch(Signature::Error &e){
- _LOG_DEBUG("SecPolicyRegex Error: " << e.what());
- onVerifyFailed();
- return;
- }
- }
- else
- {
- onVerifyFailed();
- return;
- }
-}
-
-void
-SecPolicyRegex::onCertificateVerifyFailed(shared_ptr<Data>signCertificate,
- shared_ptr<Data>data,
- const OnVerifyFailed& onVerifyFailed)
-{ onVerifyFailed(); }
-
-shared_ptr<ValidationRequest>
-SecPolicyRegex::checkVerificationPolicy(const shared_ptr<Data>& data,
- int stepCount,
- const OnVerified& onVerified,
- const OnVerifyFailed& onVerifyFailed)
-{
- if(m_stepLimit == stepCount){
- _LOG_DEBUG("reach the maximum steps of verification");
- onVerifyFailed();
- return shared_ptr<ValidationRequest>();
- }
-
- RuleList::iterator it = m_mustFailVerify.begin();
- for(; it != m_mustFailVerify.end(); it++)
- {
- if((*it)->satisfy(*data))
- {
- onVerifyFailed();
- return shared_ptr<ValidationRequest>();
- }
- }
-
- it = m_verifyPolicies.begin();
- for(; it != m_verifyPolicies.end(); it++)
- {
- if((*it)->satisfy(*data))
- {
- try{
- SignatureSha256WithRsa sig(data->getSignature());
-
- Name keyLocatorName = sig.getKeyLocator().getName();
- shared_ptr<const Certificate> trustedCert;
- if(m_trustAnchors.end() == m_trustAnchors.find(keyLocatorName))
- trustedCert = m_certificateCache->getCertificate(keyLocatorName);
- else
- trustedCert = m_trustAnchors[keyLocatorName];
-
- if(static_cast<bool>(trustedCert)){
- if(Verifier::verifySignature(*data, sig, trustedCert->getPublicKeyInfo()))
- onVerified();
- else
- onVerifyFailed();
-
- return shared_ptr<ValidationRequest>();
- }
- else{
- // _LOG_DEBUG("KeyLocator is not trust anchor");
- ValidationRequest::OnCertVerified onCertVerified = bind(&SecPolicyRegex::onCertificateVerified,
- this,
- _1,
- data,
- onVerified,
- onVerifyFailed);
-
- ValidationRequest::OnCertVerifyFailed onCertVerifyFailed = bind(&SecPolicyRegex::onCertificateVerifyFailed,
- this,
- _1,
- data,
- onVerifyFailed);
-
-
- shared_ptr<Interest> interest = make_shared<Interest>(boost::cref(sig.getKeyLocator().getName()));
-
- shared_ptr<ValidationRequest> nextStep = make_shared<ValidationRequest>(interest,
- onCertVerified,
- onCertVerifyFailed,
- 3,
- stepCount + 1);
- return nextStep;
- }
- }catch(SignatureSha256WithRsa::Error &e){
- _LOG_DEBUG("SecPolicyRegex Error: " << e.what());
- onVerifyFailed();
- return shared_ptr<ValidationRequest>();
- }catch(KeyLocator::Error &e){
- _LOG_DEBUG("SecPolicyRegex Error: " << e.what());
- onVerifyFailed();
- return shared_ptr<ValidationRequest>();
- }
- }
- }
-
- onVerifyFailed();
- return shared_ptr<ValidationRequest>();
-}
-
-}//ndn
diff --git a/src/security/sec-policy-regex.hpp b/src/security/sec-policy-regex.hpp
deleted file mode 100644
index a4d9190..0000000
--- a/src/security/sec-policy-regex.hpp
+++ /dev/null
@@ -1,87 +0,0 @@
-/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
-/**
- * Copyright (C) 2013 Regents of the University of California.
- * @author: Yingdi Yu <yingdi@cs.ucla.edu>
- * See COPYING for copyright and distribution information.
- */
-
-#ifndef NDN_SEC_POLICY_REGEX_HPP
-#define NDN_SEC_POLICY_REGEX_HPP
-
-#include "sec-policy.hpp"
-#include "identity-certificate.hpp"
-#include "sec-rule-relative.hpp"
-#include "certificate-cache.hpp"
-#include "../util/regex.hpp"
-
-#include <map>
-
-
-
-
-namespace ndn {
-
-class SecPolicyRegex : public SecPolicy
-{
-public:
- struct Error : public SecPolicy::Error { Error(const std::string &what) : SecPolicy::Error(what) {} };
-
- SecPolicyRegex(shared_ptr<CertificateCache> certificateCache, const int stepLimit = 10);
-
- virtual
- ~SecPolicyRegex() {}
-
- virtual shared_ptr<ValidationRequest>
- checkVerificationPolicy(const shared_ptr<Data>& data,
- int stepCount,
- const OnVerified& onVerified,
- const OnVerifyFailed& onVerifyFailed);
-
- /**
- * @brief add a rule to check whether the data name and signing certificate name comply with the policy
- * @param policy the verification policy
- */
- inline virtual void
- addVerificationPolicyRule (shared_ptr<SecRuleRelative> rule);
-
- /**
- * @brief add a trust anchor
- * @param certificate the trust anchor
- */
- inline virtual void
- addTrustAnchor(shared_ptr<IdentityCertificate> certificate);
-
-protected:
- virtual void
- onCertificateVerified(shared_ptr<Data> certificate,
- shared_ptr<Data> data,
- const OnVerified& onVerified,
- const OnVerifyFailed& onVerifyFailed);
-
- virtual void
- onCertificateVerifyFailed(shared_ptr<Data>signCertificate,
- shared_ptr<Data>data,
- const OnVerifyFailed& onVerifyFailed);
-
-protected:
- typedef std::vector< shared_ptr<SecRuleRelative> > RuleList;
- typedef std::vector< shared_ptr<Regex> > RegexList;
-
- int m_stepLimit;
- shared_ptr<CertificateCache> m_certificateCache;
- RuleList m_mustFailVerify;
- RuleList m_verifyPolicies;
- std::map<Name, shared_ptr<IdentityCertificate> > m_trustAnchors;
-};
-
-void
-SecPolicyRegex::addVerificationPolicyRule (shared_ptr<SecRuleRelative> rule)
-{ rule->isPositive() ? m_verifyPolicies.push_back(rule) : m_mustFailVerify.push_back(rule); }
-
-void
-SecPolicyRegex::addTrustAnchor(shared_ptr<IdentityCertificate> certificate)
-{ m_trustAnchors[certificate->getName().getPrefix(-1)] = certificate; }
-
-}//ndn
-
-#endif
diff --git a/src/security/sec-policy.hpp b/src/security/sec-policy.hpp
deleted file mode 100644
index 5158f61..0000000
--- a/src/security/sec-policy.hpp
+++ /dev/null
@@ -1,71 +0,0 @@
-/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
-/**
- * Copyright (C) 2013 Regents of the University of California.
- * @author: Yingdi Yu <yingdi@cs.ucla.edu>
- * @author: Jeff Thompson <jefft0@remap.ucla.edu>
- * See COPYING for copyright and distribution information.
- */
-
-#ifndef NDN_SEC_POLICY_HPP
-#define NDN_SEC_POLICY_HPP
-
-#include "../data.hpp"
-#include "verifier.hpp"
-#include "validation-request.hpp"
-
-namespace ndn {
-
-/**
- * A SecPolicy is an abstract base class to represent the policy for verifying data packets.
- * You must create an object of a subclass.
- */
-class SecPolicy {
-public:
- struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
-
- /**
- * The virtual destructor.
- */
- virtual
- ~SecPolicy() {}
-
- /**
- * Check whether the received data packet complies with the verification policy, and get the indication of the next verification step.
- * If there is no next verification step, that imlies policy MUST have already made the verification decision.
- * i.e., either onVerified or onVerifyFailed callback is invoked.
- * @param data The Data object with the signature to check.
- * @param stepCount The number of verification steps that have been done, used to track the verification progress.
- * @param onVerified If the signature is verified, this calls onVerified(data).
- * @param onVerifyFailed If the signature check fails, this calls onVerifyFailed(data).
- * @return the indication of next verification step, null if there is no further step.
- */
- virtual ptr_lib::shared_ptr<ValidationRequest>
- checkVerificationPolicy
- (const ptr_lib::shared_ptr<const Data>& data, int stepCount, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed)
- {
- onVerifyFailed();
- return ptr_lib::shared_ptr<ValidationRequest>();
- }
-
- /**
- * Check whether the received interest packet complies with the verification policy, and get the indication of the next verification step.
- * If there is no next verification step, that implies policy MUST have already made the verification decision.
- * i.e., either onVerified or onVerifyFailed callback is invoked.
- * @param data The Data object with the signature to check.
- * @param stepCount The number of verification steps that have been done, used to track the verification progress.
- * @param onVerified If the signature is verified, this calls onVerified(data).
- * @param onVerifyFailed If the signature check fails, this calls onVerifyFailed(data).
- * @return the indication of next verification step, null if there is no further step.
- */
- virtual ptr_lib::shared_ptr<ValidationRequest>
- checkVerificationPolicy
- (const ptr_lib::shared_ptr<const Interest>& interest, int stepCount, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed)
- {
- onVerifyFailed();
- return ptr_lib::shared_ptr<ValidationRequest>();
- }
-};
-
-}
-
-#endif
diff --git a/src/security/validation-request.hpp b/src/security/validation-request.hpp
index ad2a128..4dc3a11 100644
--- a/src/security/validation-request.hpp
+++ b/src/security/validation-request.hpp
@@ -12,35 +12,48 @@
#include "../interest.hpp"
namespace ndn {
+/**
+ * An OnVerified function object is used to pass a callback to report a successful Interest validation.
+ */
+typedef function< void (const shared_ptr<const Interest> &) > OnInterestValidated;
+
+/**
+ * An OnVerifyFailed function object is used to pass a callback to report a failed Interest validation.
+ */
+typedef function< void (const shared_ptr<const Interest> &) > OnInterestValidationFailed;
+
+/**
+ * An OnVerified function object is used to pass a callback to report a successful Data validation.
+ */
+typedef function< void (const shared_ptr<const Data> &) > OnDataValidated;
+
+/**
+ * An OnVerifyFailed function object is used to pass a callback to report a failed Data validation.
+ */
+typedef function< void (const shared_ptr<const Data> &) > OnDataValidationFailed;
+
class ValidationRequest {
public:
- /**
- * An OnCertVerified function object is used to pass a callback to to report a successful verification.
- */
- typedef func_lib::function<void(const ptr_lib::shared_ptr<Data>&)> OnCertVerified;
-
- /**
- * An OnCertVerifyFailed function object is used to pass a callback to to report a failed verification.
- */
- typedef func_lib::function<void(const ptr_lib::shared_ptr<Data>&)> OnCertVerifyFailed;
-
-
- ValidationRequest
- (const ptr_lib::shared_ptr<Interest> &interest, const OnCertVerified& onVerified, const OnCertVerifyFailed& onVerifyFailed,
- int retry, int stepCount)
- : m_interest(interest), m_onVerified(onVerified), m_onVerifyFailed(onVerifyFailed), m_retry(retry), m_stepCount(stepCount)
- {
- }
+ ValidationRequest(const Interest &interest,
+ const OnDataValidated &onValidated,
+ const OnDataValidationFailed &onDataValidated,
+ int retry, int stepCount)
+ : m_interest(interest)
+ , m_onValidated(onValidated)
+ , m_onDataValidated(onDataValidated)
+ , m_retry(retry)
+ , m_stepCount(stepCount)
+ {}
virtual
~ValidationRequest() {}
- ptr_lib::shared_ptr<Interest> m_interest; // An interest packet to fetch the requested data.
- OnCertVerified m_onVerified; // A callback function if the requested certificate has been validated.
- OnCertVerifyFailed m_onVerifyFailed; // A callback function if the requested certificate cannot be validated.
+ Interest m_interest; // An interest packet to fetch the requested data.
+ OnDataValidated m_onValidated; // A callback function if the requested certificate is validated.
+ OnDataValidationFailed m_onDataValidated; // A callback function if the requested certificate validation fails.
int m_retry; // The number of retrials when there is an interest timeout.
- int m_stepCount;
+ int m_stepCount; // The stepCount of next step.
};
}
diff --git a/src/security/validator-null.hpp b/src/security/validator-null.hpp
new file mode 100644
index 0000000..90b5293
--- /dev/null
+++ b/src/security/validator-null.hpp
@@ -0,0 +1,42 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_VALIDATOR_NULL_HPP
+#define NDN_VALIDATOR_NULL_HPP
+
+#include "validator.hpp"
+
+namespace ndn {
+
+class ValidatorNull : public Validator {
+protected:
+
+ virtual
+ ~ValidatorNull()
+ {}
+
+ virtual void
+ checkPolicy (shared_ptr<const Data> data,
+ int stepCount,
+ const OnDataValidated &onValidated,
+ const OnDataValidationFailed &onValidationFailed,
+ std::vector<shared_ptr<ValidationRequest> > &nextSteps)
+ { onValidated(data); }
+
+ virtual void
+ checkPolicy (shared_ptr<const Interest> interest,
+ int stepCount,
+ const OnInterestValidated &onValidated,
+ const OnInterestValidationFailed &onValidationFailed,
+ std::vector<shared_ptr<ValidationRequest> > &nextSteps)
+ { onValidated(interest); }
+};
+
+}
+
+#endif
diff --git a/src/security/validator-regex.cpp b/src/security/validator-regex.cpp
new file mode 100644
index 0000000..63c49c4
--- /dev/null
+++ b/src/security/validator-regex.cpp
@@ -0,0 +1,151 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#include "validator-regex.hpp"
+#include "signature-sha256-with-rsa.hpp"
+#include "certificate-cache-ttl.hpp"
+
+#include "../util/logging.hpp"
+
+INIT_LOGGER("ndn::ValidatorRegex");
+
+using namespace std;
+
+namespace ndn
+{
+
+const shared_ptr<CertificateCache> ValidatorRegex::DefaultCertificateCache = shared_ptr<CertificateCache>();
+
+ValidatorRegex::ValidatorRegex(shared_ptr<Face> face,
+ shared_ptr<CertificateCache> certificateCache /* = DefaultCertificateCache */,
+ const int stepLimit /* = 3 */)
+ : Validator(face)
+ , m_stepLimit(stepLimit)
+ , m_certificateCache(certificateCache)
+{
+ if(!static_cast<bool>(face))
+ throw Error("Face is not set!");
+
+ if(!static_cast<bool>(m_certificateCache))
+ m_certificateCache = make_shared<CertificateCacheTtl>(m_face->ioService());
+}
+
+void
+ValidatorRegex::onCertificateValidated(const shared_ptr<const Data> &signCertificate,
+ const shared_ptr<const Data> &data,
+ const OnDataValidated &onValidated,
+ const OnDataValidationFailed &onValidationFailed)
+{
+ shared_ptr<IdentityCertificate> certificate = make_shared<IdentityCertificate>(*signCertificate);
+
+ if(!certificate->isTooLate() && !certificate->isTooEarly())
+ {
+ m_certificateCache->insertCertificate(certificate);
+
+ try{
+ if(verifySignature(*data, certificate->getPublicKeyInfo()))
+ {
+ onValidated(data);
+ return;
+ }
+ }catch(Signature::Error &e){
+ _LOG_DEBUG("ValidatorRegex Error: " << e.what());
+ onValidationFailed(data);
+ return;
+ }
+ }
+ else
+ {
+ _LOG_DEBUG("Wrong Invalidity: " << e.what());
+ onValidationFailed(data);
+ return;
+ }
+}
+
+void
+ValidatorRegex::onCertificateValidationFailed(const shared_ptr<const Data> &signCertificate,
+ const shared_ptr<const Data> &data,
+ const OnDataValidationFailed &onValidationFailed)
+{ onValidationFailed(data); }
+
+void
+ValidatorRegex::checkPolicy(const shared_ptr<const Data> &data,
+ int stepCount,
+ const OnDataValidated &onValidated,
+ const OnDataValidationFailed &onValidationFailed,
+ vector<shared_ptr<ValidationRequest> > &nextSteps)
+{
+ if(m_stepLimit == stepCount){
+ _LOG_DEBUG("reach the maximum steps of verification");
+ onValidationFailed(data);
+ return;
+ }
+
+ RuleList::iterator it = m_mustFailVerify.begin();
+ for(; it != m_mustFailVerify.end(); it++)
+ if((*it)->satisfy(*data))
+ {
+ onValidationFailed(data);
+ return;
+ }
+
+ it = m_verifyPolicies.begin();
+ for(; it != m_verifyPolicies.end(); it++)
+ {
+ if((*it)->satisfy(*data))
+ {
+ try{
+ SignatureSha256WithRsa sig(data->getSignature());
+
+ Name keyLocatorName = sig.getKeyLocator().getName();
+ shared_ptr<const Certificate> trustedCert;
+ if(m_trustAnchors.end() == m_trustAnchors.find(keyLocatorName))
+ trustedCert = m_certificateCache->getCertificate(keyLocatorName);
+ else
+ trustedCert = m_trustAnchors[keyLocatorName];
+
+ if(static_cast<bool>(trustedCert)){
+ if(verifySignature(*data, sig, trustedCert->getPublicKeyInfo()))
+ onValidated(data);
+ else
+ onValidationFailed(data);
+
+ return;
+ }
+ else{
+ // _LOG_DEBUG("KeyLocator is not trust anchor");
+ OnDataValidated onKeyValidated = bind(&ValidatorRegex::onCertificateValidated, this,
+ _1, data, onValidated, onValidationFailed);
+
+ OnDataValidationFailed onKeyValidationFailed = bind(&ValidatorRegex::onCertificateValidationFailed, this,
+ _1, data, onValidationFailed);
+
+ shared_ptr<ValidationRequest> nextStep = make_shared<ValidationRequest>(Interest(boost::cref(sig.getKeyLocator().getName())),
+ onKeyValidated,
+ onKeyValidationFailed,
+ 3,
+ stepCount + 1);
+ nextSteps.push_back(nextStep);
+ return;
+ }
+ }catch(SignatureSha256WithRsa::Error &e){
+ _LOG_DEBUG("ValidatorRegex Error: " << e.what());
+ onValidationFailed(data);
+ return;
+ }catch(KeyLocator::Error &e){
+ _LOG_DEBUG("ValidatorRegex Error: " << e.what());
+ onValidationFailed(data);
+ return;
+ }
+ }
+ }
+
+ onValidationFailed(data);
+ return;
+}
+
+}//ndn
diff --git a/src/security/validator-regex.hpp b/src/security/validator-regex.hpp
new file mode 100644
index 0000000..e080ddf
--- /dev/null
+++ b/src/security/validator-regex.hpp
@@ -0,0 +1,92 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_VALIDATOR_REGEX_HPP
+#define NDN_VALIDATOR_REGEX_HPP
+
+#include "validator.hpp"
+#include "identity-certificate.hpp"
+#include "sec-rule-relative.hpp"
+#include "certificate-cache.hpp"
+#include "../util/regex.hpp"
+
+#include <map>
+
+
+namespace ndn {
+
+class ValidatorRegex : public Validator
+{
+public:
+ struct Error : public Validator::Error { Error(const std::string &what) : Validator::Error(what) {} };
+
+ static const shared_ptr<CertificateCache> DefaultCertificateCache;
+
+ ValidatorRegex(shared_ptr<Face> face,
+ shared_ptr<CertificateCache> certificateCache = DefaultCertificateCache,
+ const int stepLimit = 3);
+
+ virtual
+ ~ValidatorRegex() {}
+
+ /**
+ * @brief Add a rule for data verification.
+ *
+ * @param policy The verification rule
+ */
+ inline void
+ addDataVerificationRule (shared_ptr<SecRuleRelative> rule);
+
+ /**
+ * @brief Add a trust anchor
+ *
+ * @param certificate The trust anchor
+ */
+ inline void
+ addTrustAnchor(shared_ptr<IdentityCertificate> certificate);
+
+protected:
+ virtual void
+ checkPolicy (const shared_ptr<const Data> &data,
+ int stepCount,
+ const OnDataValidated &onValidated,
+ const OnDataValidationFailed &onValidationFailed,
+ std::vector<shared_ptr<ValidationRequest> > &nextSteps);
+
+ void
+ onCertificateValidated(const shared_ptr<const Data> &signCertificate,
+ const shared_ptr<const Data> &data,
+ const OnDataValidated &onValidated,
+ const OnDataValidationFailed &onValidationFailed);
+
+ void
+ onCertificateValidationFailed(const shared_ptr<const Data> &signCertificate,
+ const shared_ptr<const Data> &data,
+ const OnDataValidationFailed &onValidationFailed);
+
+protected:
+ typedef std::vector< shared_ptr<SecRuleRelative> > RuleList;
+ typedef std::vector< shared_ptr<Regex> > RegexList;
+
+ int m_stepLimit;
+ shared_ptr<CertificateCache> m_certificateCache;
+ RuleList m_mustFailVerify;
+ RuleList m_verifyPolicies;
+ std::map<Name, shared_ptr<IdentityCertificate> > m_trustAnchors;
+};
+
+void
+ValidatorRegex::addDataVerificationRule (shared_ptr<SecRuleRelative> rule)
+{ rule->isPositive() ? m_verifyPolicies.push_back(rule) : m_mustFailVerify.push_back(rule); }
+
+void
+ValidatorRegex::addTrustAnchor(shared_ptr<IdentityCertificate> certificate)
+{ m_trustAnchors[certificate->getName().getPrefix(-1)] = certificate; }
+
+}//ndn
+
+#endif
diff --git a/src/security/validator.cpp b/src/security/validator.cpp
new file mode 100644
index 0000000..9440d84
--- /dev/null
+++ b/src/security/validator.cpp
@@ -0,0 +1,272 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#if __clang__
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wreorder"
+#pragma clang diagnostic ignored "-Wtautological-compare"
+#pragma clang diagnostic ignored "-Wunused-variable"
+#pragma clang diagnostic ignored "-Wunused-function"
+#elif __GNUC__
+#pragma GCC diagnostic ignored "-Wreorder"
+#pragma GCC diagnostic ignored "-Wunused-variable"
+#pragma GCC diagnostic ignored "-Wunused-function"
+#endif
+
+#include "validator.hpp"
+#include "../util/logging.hpp"
+
+#include <cryptopp/rsa.h>
+
+using namespace std;
+
+INIT_LOGGER("ndn::Validator");
+
+namespace ndn {
+
+const shared_ptr<Face> Validator::DefaultFace = shared_ptr<Face>();
+
+Validator::Validator(shared_ptr<Face> face /* = DefaultFace */)
+ : m_face(face)
+{}
+
+void
+Validator::validate(const shared_ptr<const Interest> &interest,
+ const OnInterestValidated &onValidated,
+ const OnInterestValidationFailed &onValidationFailed,
+ int stepCount)
+{
+ vector<shared_ptr<ValidationRequest> > nextSteps;
+ checkPolicy(interest, stepCount, onValidated, onValidationFailed, nextSteps);
+
+ if (!nextSteps.empty())
+ {
+ if(!static_cast<bool>(m_face))
+ throw Error("Face should be set prior to verify method to call");
+
+ vector<shared_ptr<ValidationRequest> >::const_iterator it = nextSteps.begin();
+ OnFailure onFailure = bind(onValidationFailed, interest);
+ for(; it != nextSteps.end(); it++)
+ m_face->expressInterest((*it)->m_interest,
+ bind(&Validator::onData, this, _1, _2, *it),
+ bind(&Validator::onTimeout,
+ this, _1, (*it)->m_retry,
+ onFailure,
+ *it));
+ }
+ else
+ {
+ //If there is no nextStep, that means InterestPolicy has already been able to verify the Interest.
+ //No more further processes.
+ }
+}
+
+void
+Validator::validate(const shared_ptr<const Data> &data,
+ const OnDataValidated &onValidated,
+ const OnDataValidationFailed &onValidationFailed,
+ int stepCount)
+{
+ vector<shared_ptr<ValidationRequest> > nextSteps;
+ checkPolicy(data, stepCount, onValidated, onValidationFailed, nextSteps);
+
+ if (!nextSteps.empty())
+ {
+ if(!static_cast<bool>(m_face))
+ throw Error("Face should be set prior to verify method to call");
+
+ vector<shared_ptr<ValidationRequest> >::const_iterator it = nextSteps.begin();
+ OnFailure onFailure = bind(onValidationFailed, data);
+ for(; it != nextSteps.end(); it++)
+ m_face->expressInterest((*it)->m_interest,
+ bind(&Validator::onData, this, _1, _2, *it),
+ bind(&Validator::onTimeout,
+ this, _1, (*it)->m_retry,
+ onFailure,
+ *it));
+ }
+ else
+ {
+ //If there is no nextStep, that means InterestPolicy has already been able to verify the Interest.
+ //No more further processes.
+ }
+}
+
+void
+Validator::onData(const shared_ptr<const Interest> &interest,
+ const shared_ptr<const Data> &data,
+ shared_ptr<ValidationRequest> nextStep)
+{
+ validate(data, nextStep->m_onValidated, nextStep->m_onDataValidated, nextStep->m_stepCount);
+}
+
+void
+Validator::onTimeout(const shared_ptr<const Interest> &interest,
+ int retry,
+ const OnFailure &onFailure,
+ shared_ptr<ValidationRequest> nextStep)
+{
+ if (retry > 0)
+ // Issue the same expressInterest except decrement retry.
+ m_face->expressInterest(*interest,
+ bind(&Validator::onData, this, _1, _2, nextStep),
+ bind(&Validator::onTimeout, this, _1, retry - 1, onFailure, nextStep));
+ else
+ onFailure();
+}
+
+bool
+Validator::verifySignature(const Data& data, const PublicKey& key)
+{
+ try{
+ switch(data.getSignature().getType()){
+ case Signature::Sha256WithRsa:
+ {
+ SignatureSha256WithRsa sigSha256Rsa(data.getSignature());
+ return verifySignature(data, sigSha256Rsa, key);
+ }
+ default:
+ {
+ _LOG_DEBUG("verifySignature: Unknown signature type: " << sig.getType());
+ return false;
+ }
+ }
+ }catch(Signature::Error &e){
+ _LOG_DEBUG("verifySignature: " << e.what());
+ return false;
+ }
+ return false;
+}
+
+bool
+Validator::verifySignature(const Interest &interest, const PublicKey &key)
+{
+ const Name &interestName = interest.getName();
+
+ if(interestName.size() < 3)
+ return false;
+
+ try{
+ const Block &nameBlock = interestName.wireEncode();
+
+ if(nameBlock.getAll().size() != interestName.size()) //HACK!! we should change it when Name::Component is changed to derive from Block.
+ const_cast<Block&>(nameBlock).parse();
+
+ Signature sig((++nameBlock.getAll().rbegin())->blockFromValue(),
+ (nameBlock.getAll().rbegin())->blockFromValue());
+
+ switch(sig.getType()){
+ case Signature::Sha256WithRsa:
+ {
+ SignatureSha256WithRsa sigSha256Rsa(sig);
+
+ return verifySignature(nameBlock.value(),
+ nameBlock.value_size() - (nameBlock.getAll().rbegin())->size(),
+ sigSha256Rsa, key);
+ }
+ default:
+ {
+ _LOG_DEBUG("verifySignature: Unknown signature type: " << sig.getType());
+ return false;
+ }
+ }
+ }catch(Signature::Error &e){
+ _LOG_DEBUG("verifySignature: " << e.what());
+ return false;
+ }catch(Block::Error &e){
+ _LOG_DEBUG("verifySignature: " << e.what());
+ return false;
+ }
+ return false;
+}
+
+bool
+Validator::verifySignature(const Buffer &data, const Signature &sig, const PublicKey &key)
+{
+ try{
+ switch(sig.getType()){
+ case Signature::Sha256WithRsa:
+ {
+ SignatureSha256WithRsa sigSha256Rsa(sig);
+ return verifySignature(data, sigSha256Rsa, key);
+ }
+ default:
+ {
+ _LOG_DEBUG("verifySignature: Unknown signature type: " << sig.getType());
+ return false;
+ }
+ }
+ }catch(Signature::Error &e){
+ _LOG_DEBUG("verifySignature: " << e.what());
+ return false;
+ }
+ return false;
+}
+
+bool
+Validator::verifySignature(const Data& data, const SignatureSha256WithRsa& sig, const PublicKey& key)
+{
+ using namespace CryptoPP;
+
+ bool result = false;
+
+ RSA::PublicKey publicKey;
+ ByteQueue queue;
+
+ queue.Put(reinterpret_cast<const byte*>(key.get().buf()), key.get().size());
+ publicKey.Load(queue);
+
+ RSASS<PKCS1v15, SHA256>::Verifier verifier (publicKey);
+ result = verifier.VerifyMessage(data.wireEncode().value(), data.wireEncode().value_size() - data.getSignature().getValue().size(),
+ sig.getValue().value(), sig.getValue().value_size());
+
+ _LOG_DEBUG("Signature verified? " << data.getName().toUri() << " " << boolalpha << result);
+
+ return result;
+}
+
+bool
+Validator::verifySignature(const Buffer& data, const SignatureSha256WithRsa& sig, const PublicKey& key)
+{
+ using namespace CryptoPP;
+
+ bool result = false;
+
+ RSA::PublicKey publicKey;
+ ByteQueue queue;
+
+ queue.Put(reinterpret_cast<const byte*>(key.get().buf()), key.get().size());
+ publicKey.Load(queue);
+
+ RSASS<PKCS1v15, SHA256>::Verifier verifier (publicKey);
+ result = verifier.VerifyMessage(data.buf(), data.size(),
+ sig.getValue().value(), sig.getValue().value_size());
+
+ return result;
+}
+
+bool
+Validator::verifySignature(const uint8_t* buf, const size_t size, const SignatureSha256WithRsa &sig, const PublicKey &key)
+{
+ using namespace CryptoPP;
+
+ bool result = false;
+
+ RSA::PublicKey publicKey;
+ ByteQueue queue;
+
+ queue.Put(reinterpret_cast<const byte*>(key.get().buf()), key.get().size());
+ publicKey.Load(queue);
+
+ RSASS<PKCS1v15, SHA256>::Verifier verifier (publicKey);
+ result = verifier.VerifyMessage(buf, size, sig.getValue().value(), sig.getValue().value_size());
+
+ return result;
+}
+
+}
diff --git a/src/security/validator.hpp b/src/security/validator.hpp
new file mode 100644
index 0000000..82f8e98
--- /dev/null
+++ b/src/security/validator.hpp
@@ -0,0 +1,157 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_VALIDATOR_HPP
+#define NDN_VALIDATOR_HPP
+
+#include "../data.hpp"
+#include "../face.hpp"
+#include "public-key.hpp"
+#include "signature-sha256-with-rsa.hpp"
+#include "validation-request.hpp"
+
+namespace ndn {
+/**
+ * Validator is one of the main classes of the security library.
+ *
+ * The Validator class provides the interfaces for packet validation.
+ */
+class Validator {
+public:
+ struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
+
+ static const shared_ptr<Face> DefaultFace;
+
+ Validator (shared_ptr<Face> face = DefaultFace);
+
+ /**
+ * @brief Validate Data and call either onValidated or onValidationFailed.
+ *
+ * @param data The Data with the signature to check.
+ * @param onValidated If the Data is validated, this calls onValidated(data).
+ * @param onValidationFailed If the Data validation fails, this calls onValidationFailed(data).
+ */
+ void
+ validate (const shared_ptr<const Data> &data, const OnDataValidated &onValidated, const OnDataValidationFailed &onValidationFailed)
+ { validate (data, onValidated, onValidationFailed, 0); }
+
+ /**
+ * @brief Validate Interest and call either onValidated or onValidationFailed.
+ *
+ * @param interest The Interest with the signature to check.
+ * @param onValidated If the Interest is validated, this calls onValidated(interest).
+ * @param onValidationFailed If the Interest validation fails, this calls onValidationFailed(interest).
+ */
+ void
+ validate (const shared_ptr<const Interest> &interest, const OnInterestValidated &onValidated, const OnInterestValidationFailed &onValidationFailed)
+ { validate (interest, onValidated, onValidationFailed, 0); }
+
+ /*****************************************
+ * verifySignature method set *
+ *****************************************/
+
+ /// @brief Verify the data using the publicKey.
+ static bool
+ verifySignature (const Data &data, const PublicKey &publicKey);
+
+ /// @brief Verify the signed Interest using the publicKey.
+ static bool
+ verifySignature (const Interest &interest, const PublicKey &publicKey);
+
+ /// @brief Verify the blob using the publicKey against the signature.
+ static bool
+ verifySignature (const Buffer &blob, const Signature &sig, const PublicKey &publicKey);
+
+ /// @brief Verify the data using the publicKey against the SHA256-RSA signature.
+ static bool
+ verifySignature (const Data& data, const SignatureSha256WithRsa& sig, const PublicKey& publicKey);
+
+ /// @brief Verify the blob using the publicKey against the SHA256-RSA signature.
+ static bool
+ verifySignature (const Buffer &blob, const SignatureSha256WithRsa &sig, const PublicKey &publicKey);
+
+ /// @brief Verify the blob using the publicKey against the SHA256-RSA signature.
+ static bool
+ verifySignature (const uint8_t* buf, const size_t size, const SignatureSha256WithRsa &sig, const PublicKey &publicKey);
+
+protected:
+ /**
+ * @brief Check the Data against validation policy and return the next validation step if necessary.
+ *
+ * If there is no next validation step, that validation MUST have been done.
+ * i.e., either onValidated or onValidationFailed callback is invoked.
+ *
+ * @param data The Data to check.
+ * @param stepCount The number of validation steps that have been done, used to track the validation progress.
+ * @param onDataValidated If the Data is validated, this calls onValidated(data).
+ * @param onDataValidationFailed If the Data validation fails, this calls onValidationFailed(data).
+ * @param nextSteps On return, contains the next validation step.
+ */
+ virtual void
+ checkPolicy (const shared_ptr<const Data> &data,
+ int stepCount,
+ const OnDataValidated &onValidated,
+ const OnDataValidationFailed &onValidationFailed,
+ std::vector<shared_ptr<ValidationRequest> > &nextSteps)
+ { onValidationFailed(data); }
+
+ /**
+ * @brief Check the Interest against validation policy and return the next validation step if necessary.
+ *
+ * If there is no next validation step, that validation MUST have been done.
+ * i.e., either onValidated or onValidationFailed callback is invoked.
+ *
+ * @param data The Interest to check.
+ * @param stepCount The number of validation steps that have been done, used to track the validation progress.
+ * @param OnInterestValidated If the Interest is validated, this calls onValidated(data).
+ * @param OnInterestValidationFailed If the Interest validation fails, this calls onValidationFailed(data).
+ * @return the indication of next validation step, null if there is no further step.
+ */
+ virtual void
+ checkPolicy (const shared_ptr<const Interest> &interest,
+ int stepCount,
+ const OnInterestValidated &onValidated,
+ const OnInterestValidationFailed &onValidationFailed,
+ std::vector<shared_ptr<ValidationRequest> > &nextSteps)
+ { onValidationFailed(interest); }
+
+private:
+ typedef function< void () > OnFailure;
+
+ /// @brief Process the received certificate.
+ void
+ onData (const shared_ptr<const Interest> &interest,
+ const shared_ptr<const Data> &data,
+ shared_ptr<ValidationRequest> nextStep);
+
+ /// @brief Re-express the interest if it times out.
+ void
+ onTimeout (const shared_ptr<const Interest> &interest,
+ int retry,
+ const OnFailure &onFailure,
+ shared_ptr<ValidationRequest> nextStep);
+
+ void
+ validate (const shared_ptr<const Data> &data,
+ const OnDataValidated &onValidated,
+ const OnDataValidationFailed &onValidationFailed,
+ int stepCount);
+
+ void
+ validate (const shared_ptr<const Interest> &interest,
+ const OnInterestValidated &onValidated,
+ const OnInterestValidationFailed &onValidationFailed,
+ int stepCount);
+
+protected:
+ shared_ptr<Face> m_face;
+};
+
+}
+
+#endif
diff --git a/src/security/verifier.cpp b/src/security/verifier.cpp
deleted file mode 100644
index 62f660d..0000000
--- a/src/security/verifier.cpp
+++ /dev/null
@@ -1,307 +0,0 @@
-/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
-/**
- * Copyright (C) 2013 Regents of the University of California.
- * @author: Yingdi Yu <yingdi@cs.ucla.edu>
- * @author: Jeff Thompson <jefft0@remap.ucla.edu>
- * See COPYING for copyright and distribution information.
- */
-
-#if __clang__
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wreorder"
-#pragma clang diagnostic ignored "-Wtautological-compare"
-#pragma clang diagnostic ignored "-Wunused-variable"
-#pragma clang diagnostic ignored "-Wunused-function"
-#elif __GNUC__
-#pragma GCC diagnostic ignored "-Wreorder"
-#pragma GCC diagnostic ignored "-Wunused-variable"
-#pragma GCC diagnostic ignored "-Wunused-function"
-#endif
-
-#include "security/verifier.hpp"
-
-#include "security/sec-policy.hpp"
-
-#include <cryptopp/rsa.h>
-
-#include "../util/logging.hpp"
-
-using namespace std;
-#if NDN_CPP_HAVE_CXX11
-// In the std library, the placeholders are in a different namespace than boost.
-using namespace ndn::func_lib::placeholders;
-#endif
-
-INIT_LOGGER("ndn.Verifier");
-
-namespace ndn {
-const ptr_lib::shared_ptr<SecPolicy> Verifier::DefaultPolicy = ptr_lib::shared_ptr<SecPolicy>();
-
-Verifier::Verifier(const ptr_lib::shared_ptr<SecPolicy> &policy /* = DefaultPolicy */)
- : m_policy(policy)
-{
- if (m_policy == DefaultPolicy)
- {
- // #ifdef USE_SIMPLE_POLICY_MANAGER
- // Ptr<SimplePolicyManager> policyManager = Ptr<SimplePolicyManager>(new SimplePolicyManager());
- // Ptr<IdentityPolicyRule> rule1 = Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>",
- // "^([^<KEY>]*)<KEY><dsk-.*><ID-CERT>",
- // ">", "\\1\\2", "\\1", true));
- // Ptr<IdentityPolicyRule> rule2 = Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^([^<KEY>]*)<KEY><dsk-.*><ID-CERT>",
- // "^([^<KEY>]*)<KEY>(<>*)<ksk-.*><ID-CERT>",
- // "==", "\\1", "\\1\\2", true));
- // Ptr<IdentityPolicyRule> rule3 = Ptr<IdentityPolicyRule>(new IdentityPolicyRule("^(<>*)$",
- // "^([^<KEY>]*)<KEY><dsk-.*><ID-CERT>",
- // ">", "\\1", "\\1", true));
- // policyManager->addVerificationPolicyRule(rule1);
- // policyManager->addVerificationPolicyRule(rule2);
- // policyManager->addVerificationPolicyRule(rule3);
-
- // policyManager->addSigningPolicyRule(rule3);
-
- // m_policyManager = policyManager;
- //
- // #else
- // policy_ = new NoVerifyPolicyManager();
- // #endif
- }
-}
-
-void
-Verifier::verify(const ptr_lib::shared_ptr<const Interest> &interest,
- const OnVerified &onVerified,
- const OnVerifyFailed &onVerifyFailed,
- int stepCount)
-{
- //It does not make sense to verify Interest without specified policy, verification must fail!
- if(!static_cast<bool>(m_policy))
- onVerifyFailed();
- else
- {
- //check verification policy
- ptr_lib::shared_ptr<ValidationRequest> nextStep = m_policy->checkVerificationPolicy(interest, stepCount, onVerified, onVerifyFailed);
- if (static_cast<bool>(nextStep))
- {
- if(!m_face)
- throw Error("Face should be set prior to verify method to call");
-
- m_face->expressInterest
- (*nextStep->m_interest,
- func_lib::bind(&Verifier::onCertificateData, this, _1, _2, nextStep),
- func_lib::bind(&Verifier::onCertificateInterestTimeout, this, _1, nextStep->m_retry, onVerifyFailed, nextStep));
- }
- else
- {
- //If there is no nextStep, that means InterestPolicy has already been able to verify the Interest.
- //No more further processes.
- }
- }
-}
-
-void
-Verifier::verify(const ptr_lib::shared_ptr<const Data> &data,
- const OnVerified &onVerified,
- const OnVerifyFailed &onVerifyFailed,
- int stepCount)
-{
- //It does not make sense to verify Interest without specified policy, verification must fail!
- if(!static_cast<bool>(m_policy))
- onVerifyFailed();
- else
- {
- //check verification policy
- ptr_lib::shared_ptr<ValidationRequest> nextStep = m_policy->checkVerificationPolicy(data, stepCount, onVerified, onVerifyFailed);
- if (static_cast<bool>(nextStep))
- {
- if(!m_face)
- throw Error("Face should be set prior to verify method to call");
-
- m_face->expressInterest
- (*nextStep->m_interest,
- func_lib::bind(&Verifier::onCertificateData, this, _1, _2, nextStep),
- func_lib::bind(&Verifier::onCertificateInterestTimeout, this, _1, nextStep->m_retry, onVerifyFailed, nextStep));
- }
- else
- {
- //If there is no nextStep, that means InterestPolicy has already been able to verify the Interest.
- //No more further processes.
- }
- }
-}
-
-void
-Verifier::onCertificateData(const ptr_lib::shared_ptr<const Interest> &interest,
- const ptr_lib::shared_ptr<Data> &data,
- ptr_lib::shared_ptr<ValidationRequest> nextStep)
-{
- // Try to verify the certificate (data) according to the parameters in nextStep.
- verify(data,
- func_lib::bind(nextStep->m_onVerified, data),
- func_lib::bind(nextStep->m_onVerifyFailed, data),
- nextStep->m_stepCount);
-}
-
-void
-Verifier::onCertificateInterestTimeout
- (const ptr_lib::shared_ptr<const Interest> &interest, int retry, const OnVerifyFailed& onVerifyFailed, ptr_lib::shared_ptr<ValidationRequest> nextStep)
-{
- if (retry > 0)
- // Issue the same expressInterest as in verifyData except decrement retry.
- m_face->expressInterest
- (*interest,
- func_lib::bind(&Verifier::onCertificateData, this, _1, _2, nextStep),
- func_lib::bind(&Verifier::onCertificateInterestTimeout, this, _1, retry - 1, onVerifyFailed, nextStep));
- else
- onVerifyFailed();
-}
-
-bool
-Verifier::verifySignature(const Data& data, const Signature& sig, const PublicKey& key)
-{
- try{
- switch(sig.getType()){
- case Signature::Sha256WithRsa:
- {
- SignatureSha256WithRsa sigSha256Rsa(sig);
- return verifySignature(data, sigSha256Rsa, key);
- }
- default:
- {
- _LOG_DEBUG("verifySignature: Unknown signature type: " << sig.getType());
- return false;
- }
- }
- }catch(Signature::Error &e){
- _LOG_DEBUG("verifySignature: " << e.what());
- return false;
- }
- return false;
-}
-
-bool
-Verifier::verifySignature(const Interest &interest, const PublicKey &key)
-{
- const Name &interestName = interest.getName();
-
- if(interestName.size() < 3)
- return false;
-
- try{
- const Block &nameBlock = interestName.wireEncode();
-
- if(nameBlock.getAll().size() != interestName.size()) //HACK!! we should change it when Name::Component is changed to derive from Block.
- const_cast<Block&>(nameBlock).parse();
-
- Signature sig((++nameBlock.getAll().rbegin())->blockFromValue(),
- (nameBlock.getAll().rbegin())->blockFromValue());
-
- switch(sig.getType()){
- case Signature::Sha256WithRsa:
- {
- SignatureSha256WithRsa sigSha256Rsa(sig);
-
- return verifySignature(nameBlock.value(),
- nameBlock.value_size() - (nameBlock.getAll().rbegin())->size(),
- sigSha256Rsa, key);
- }
- default:
- {
- _LOG_DEBUG("verifySignature: Unknown signature type: " << sig.getType());
- return false;
- }
- }
- }catch(Signature::Error &e){
- _LOG_DEBUG("verifySignature: " << e.what());
- return false;
- }catch(Block::Error &e){
- _LOG_DEBUG("verifySignature: " << e.what());
- return false;
- }
- return false;
-}
-
-bool
-Verifier::verifySignature(const Buffer &data, const Signature &sig, const PublicKey &key)
-{
- try{
- switch(sig.getType()){
- case Signature::Sha256WithRsa:
- {
- SignatureSha256WithRsa sigSha256Rsa(sig);
- return verifySignature(data, sigSha256Rsa, key);
- }
- default:
- {
- _LOG_DEBUG("verifySignature: Unknown signature type: " << sig.getType());
- return false;
- }
- }
- }catch(Signature::Error &e){
- _LOG_DEBUG("verifySignature: " << e.what());
- return false;
- }
- return false;
-}
-
-bool
-Verifier::verifySignature(const Data& data, const SignatureSha256WithRsa& sig, const PublicKey& key)
-{
- using namespace CryptoPP;
-
- bool result = false;
-
- RSA::PublicKey publicKey;
- ByteQueue queue;
-
- queue.Put(reinterpret_cast<const byte*>(key.get().buf()), key.get().size());
- publicKey.Load(queue);
-
- RSASS<PKCS1v15, SHA256>::Verifier verifier (publicKey);
- result = verifier.VerifyMessage(data.wireEncode().value(), data.wireEncode().value_size() - data.getSignature().getValue().size(),
- sig.getValue().value(), sig.getValue().value_size());
-
- _LOG_DEBUG("Signature verified? " << data.getName().toUri() << " " << boolalpha << result);
-
- return result;
-}
-
-bool
-Verifier::verifySignature(const Buffer& data, const SignatureSha256WithRsa& sig, const PublicKey& key)
-{
- using namespace CryptoPP;
-
- bool result = false;
-
- RSA::PublicKey publicKey;
- ByteQueue queue;
-
- queue.Put(reinterpret_cast<const byte*>(key.get().buf()), key.get().size());
- publicKey.Load(queue);
-
- RSASS<PKCS1v15, SHA256>::Verifier verifier (publicKey);
- result = verifier.VerifyMessage(data.buf(), data.size(),
- sig.getValue().value(), sig.getValue().value_size());
-
- return result;
-}
-
-bool
-Verifier::verifySignature(const uint8_t* buf, const size_t size, const SignatureSha256WithRsa &sig, const PublicKey &key)
-{
- using namespace CryptoPP;
-
- bool result = false;
-
- RSA::PublicKey publicKey;
- ByteQueue queue;
-
- queue.Put(reinterpret_cast<const byte*>(key.get().buf()), key.get().size());
- publicKey.Load(queue);
-
- RSASS<PKCS1v15, SHA256>::Verifier verifier (publicKey);
- result = verifier.VerifyMessage(buf, size, sig.getValue().value(), sig.getValue().value_size());
-
- return result;
-}
-
-}
diff --git a/src/security/verifier.hpp b/src/security/verifier.hpp
deleted file mode 100644
index a9bded4..0000000
--- a/src/security/verifier.hpp
+++ /dev/null
@@ -1,124 +0,0 @@
-/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
-/**
- * Copyright (C) 2013 Regents of the University of California.
- * @author: Yingdi Yu <yingdi@cs.ucla.edu>
- * @author: Jeff Thompson <jefft0@remap.ucla.edu>
- * See COPYING for copyright and distribution information.
- */
-
-#ifndef NDN_VERIFIER_HPP
-#define NDN_VERIFIER_HPP
-
-#include "../data.hpp"
-#include "../face.hpp"
-#include "validation-request.hpp"
-#include "public-key.hpp"
-#include "signature-sha256-with-rsa.hpp"
-
-namespace ndn {
-
-class SecPolicy;
-
-/**
- * An OnVerified function object is used to pass a callback to verifyData to report a successful verification.
- */
-typedef func_lib::function<void()> OnVerified;
-
-/**
- * An OnVerifyFailed function object is used to pass a callback to verifyData to report a failed verification.
- */
-typedef func_lib::function<void()> OnVerifyFailed;
-
-
-/**
- * Verifier is one of the main classes of the security librar .
- *
- * The Verifier class provides the interfaces for packet verification.
- */
-class Verifier {
-public:
- struct Error : public std::runtime_error { Error(const std::string &what) : std::runtime_error(what) {} };
-
- Verifier(const ptr_lib::shared_ptr<SecPolicy> &policy = DefaultPolicy);
-
- /**
- * @brief Set the Face which will be used to fetch required certificates.
- * @param face A pointer to the Face object.
- *
- * Setting face is necessary for verifier operation that involve fetching data.
- */
- void
- setFace(const ptr_lib::shared_ptr<Face> &face) { m_face = face; }
-
- /**
- * @brief Get the policy.
- * @return The Policy.
- */
- inline SecPolicy&
- policy()
- {
- if (static_cast<bool>(m_policy))
- throw Error("policy is not assigned to the KeyChain");
-
- return *m_policy;
- }
-
-
- /**
- * Check the signature on the Data object and call either onVerify or onVerifyFailed.
- * We use callback functions because verify may fetch information to check the signature.
- * @param data The Data object with the signature to check. It is an error if data does not have a wireEncoding.
- * To set the wireEncoding, you can call data.wireDecode.
- * @param onVerified If the signature is verified, this calls onVerified(data).
- * @param onVerifyFailed If the signature check fails, this calls onVerifyFailed(data).
- */
- void
- verify
- (const ptr_lib::shared_ptr<const Data> &data, const OnVerified &onVerified, const OnVerifyFailed &onVerifyFailed, int stepCount = 0);
-
- void
- verify
- (const ptr_lib::shared_ptr<const Interest> &Interest, const OnVerified &onVerified, const OnVerifyFailed &onVerifyFailed, int stepCount = 0);
-
- /*****************************************
- * verifySignature method set *
- *****************************************/
- static bool
- verifySignature(const Data &data, const Signature &sig, const PublicKey &publicKey);
-
- static bool
- verifySignature(const Interest &interest, const PublicKey &publicKey);
-
- static bool
- verifySignature(const Buffer &data, const Signature &sig, const PublicKey &publicKey);
-
- static bool
- verifySignature(const Data& data, const SignatureSha256WithRsa& sig, const PublicKey& publicKey);
-
- static bool
- verifySignature(const Buffer &data, const SignatureSha256WithRsa &sig, const PublicKey &publicKey);
-
- static bool
- verifySignature(const uint8_t* buf, const size_t size, const SignatureSha256WithRsa &sig, const PublicKey &publicKey);
-
-
-public:
- static const ptr_lib::shared_ptr<SecPolicy> DefaultPolicy;
-
-private:
- void
- onCertificateData
- (const ptr_lib::shared_ptr<const Interest> &interest, const ptr_lib::shared_ptr<Data> &data, ptr_lib::shared_ptr<ValidationRequest> nextStep);
-
- void
- onCertificateInterestTimeout
- (const ptr_lib::shared_ptr<const Interest> &interest, int retry, const OnVerifyFailed& onVerifyFailed, ptr_lib::shared_ptr<ValidationRequest> nextStep);
-
-private:
- ptr_lib::shared_ptr<SecPolicy> m_policy;
- ptr_lib::shared_ptr<Face> m_face;
-};
-
-}
-
-#endif