security: Allow reloading ValidationPolicyConfig / ValidatorConfig
Change-Id: Idba53c0b4e2cf645d3d0e6c76c57a1b54995462a
Refs: #4261
diff --git a/src/security/v2/certificate-cache.cpp b/src/security/v2/certificate-cache.cpp
index b9d15aa..be2b084 100644
--- a/src/security/v2/certificate-cache.cpp
+++ b/src/security/v2/certificate-cache.cpp
@@ -1,5 +1,5 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
+/*
* Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
@@ -58,6 +58,12 @@
m_certs.insert(Entry(cert, removalTime));
}
+void
+CertificateCache::clear()
+{
+ m_certs.clear();
+}
+
const Certificate*
CertificateCache::find(const Name& certPrefix) const
{
diff --git a/src/security/v2/certificate-cache.hpp b/src/security/v2/certificate-cache.hpp
index f649776..a5109a8 100644
--- a/src/security/v2/certificate-cache.hpp
+++ b/src/security/v2/certificate-cache.hpp
@@ -1,5 +1,5 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
+/*
* Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
@@ -63,6 +63,12 @@
insert(const Certificate& cert);
/**
+ * @brief Remove all certificates from cache
+ */
+ void
+ clear();
+
+ /**
* @brief Get certificate given key name
* @param certPrefix Certificate prefix for searching the certificate.
* @return The found certificate, nullptr if not found.
diff --git a/src/security/v2/certificate-storage.cpp b/src/security/v2/certificate-storage.cpp
index 89869fa..d1638d9 100644
--- a/src/security/v2/certificate-storage.cpp
+++ b/src/security/v2/certificate-storage.cpp
@@ -1,5 +1,5 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
+/*
* Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
@@ -65,12 +65,24 @@
}
void
+CertificateStorage::resetAnchors()
+{
+ m_trustAnchors.clear();
+}
+
+void
CertificateStorage::cacheVerifiedCert(Certificate&& cert)
{
m_verifiedCertCache.insert(std::move(cert));
}
void
+CertificateStorage::resetVerifiedCerts()
+{
+ m_verifiedCertCache.clear();
+}
+
+void
CertificateStorage::cacheUnverifiedCert(Certificate&& cert)
{
m_unverifiedCertCache.insert(std::move(cert));
diff --git a/src/security/v2/certificate-storage.hpp b/src/security/v2/certificate-storage.hpp
index ff54ae2..5f3e608 100644
--- a/src/security/v2/certificate-storage.hpp
+++ b/src/security/v2/certificate-storage.hpp
@@ -1,5 +1,5 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
+/*
* Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
@@ -110,6 +110,12 @@
time::nanoseconds refreshPeriod, bool isDir = false);
/**
+ * @brief remove any previously loaded static or dynamic trust anchor
+ */
+ void
+ resetAnchors();
+
+ /**
* @brief Cache verified certificate a period of time (1 hour)
* @param cert The certificate packet
*
@@ -118,6 +124,12 @@
void
cacheVerifiedCert(Certificate&& cert);
+ /**
+ * @brief Remove any cached verified certificates
+ */
+ void
+ resetVerifiedCerts();
+
protected:
TrustAnchorContainer m_trustAnchors;
CertificateCache m_verifiedCertCache;
diff --git a/src/security/v2/trust-anchor-container.cpp b/src/security/v2/trust-anchor-container.cpp
index efb272f..80ef5cc 100644
--- a/src/security/v2/trust-anchor-container.cpp
+++ b/src/security/v2/trust-anchor-container.cpp
@@ -1,5 +1,5 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
+/*
* Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
@@ -40,6 +40,12 @@
}
void
+TrustAnchorContainer::AnchorContainer::clear()
+{
+ AnchorContainerBase::clear();
+}
+
+void
TrustAnchorContainer::insert(const std::string& groupId, Certificate&& cert)
{
auto group = m_groups.find(groupId);
@@ -64,6 +70,13 @@
m_groups.insert(make_shared<DynamicTrustAnchorGroup>(m_anchors, groupId, path, refreshPeriod, isDir));
}
+void
+TrustAnchorContainer::clear()
+{
+ m_groups.clear();
+ m_anchors.clear();
+}
+
const Certificate*
TrustAnchorContainer::find(const Name& keyName) const
{
diff --git a/src/security/v2/trust-anchor-container.hpp b/src/security/v2/trust-anchor-container.hpp
index 49e4999..f935571 100644
--- a/src/security/v2/trust-anchor-container.hpp
+++ b/src/security/v2/trust-anchor-container.hpp
@@ -1,5 +1,5 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
+/*
* Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
@@ -96,6 +96,12 @@
time::nanoseconds refreshPeriod, bool isDir = false);
/**
+ * @brief Remove all static or dynamic anchors
+ */
+ void
+ clear();
+
+ /**
* @brief Search for certificate across all groups (longest prefix match)
* @param keyName Key name prefix for searching the certificate.
* @return The found certificate, nullptr if not found.
@@ -155,6 +161,9 @@
void
remove(const Name& certName) final;
+
+ void
+ clear();
};
using GroupContainer = boost::multi_index::multi_index_container<
diff --git a/src/security/v2/validation-policy-config.cpp b/src/security/v2/validation-policy-config.cpp
index ba87a23..c41a47f 100644
--- a/src/security/v2/validation-policy-config.cpp
+++ b/src/security/v2/validation-policy-config.cpp
@@ -83,7 +83,12 @@
const std::string& filename)
{
if (m_isConfigured) {
- BOOST_THROW_EXCEPTION(std::logic_error("ValidationPolicyConfig can be configured only once"));
+ m_shouldBypass = false;
+ m_dataRules.clear();
+ m_interestRules.clear();
+
+ m_validator->resetAnchors();
+ m_validator->resetVerifiedCertificates();
}
m_isConfigured = true;
diff --git a/src/security/v2/validator.cpp b/src/security/v2/validator.cpp
index 638d12d..aa651b1 100644
--- a/src/security/v2/validator.cpp
+++ b/src/security/v2/validator.cpp
@@ -1,5 +1,5 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
+/*
* Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
@@ -195,11 +195,23 @@
}
void
+Validator::resetAnchors()
+{
+ CertificateStorage::resetAnchors();
+}
+
+void
Validator::cacheVerifiedCertificate(Certificate&& cert)
{
CertificateStorage::cacheVerifiedCert(std::move(cert));
}
+void
+Validator::resetVerifiedCertificates()
+{
+ CertificateStorage::resetVerifiedCerts();
+}
+
} // namespace v2
} // namespace security
} // namespace ndn
diff --git a/src/security/v2/validator.hpp b/src/security/v2/validator.hpp
index 6dfe8a8..14e9c7f 100644
--- a/src/security/v2/validator.hpp
+++ b/src/security/v2/validator.hpp
@@ -1,5 +1,5 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
+/*
* Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
@@ -137,6 +137,12 @@
time::nanoseconds refreshPeriod, bool isDir = false);
/**
+ * @brief remove any previously loaded static or dynamic trust anchor
+ */
+ void
+ resetAnchors();
+
+ /**
* @brief Cache verified @p cert a period of time (1 hour)
*
* @todo Add ability to customize time period
@@ -144,6 +150,12 @@
void
cacheVerifiedCertificate(Certificate&& cert);
+ /**
+ * @brief Remove any cached verified certificates
+ */
+ void
+ resetVerifiedCertificates();
+
private: // Common validator operations
/**
* @brief Recursive validation of the certificate in the certification chain