blob: af8c796d724e45bd47333b1ddfbf43256cb2fdf5 [file] [log] [blame]
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
/**
* Copyright (C) 2013 Regents of the University of California.
* See COPYING for copyright and distribution information.
*/
#ifndef NDN_HELPERS_COMMAND_INTEREST_VALIDATOR_HPP
#define NDN_HELPERS_COMMAND_INTEREST_VALIDATOR_HPP
#include "../security/validator.hpp"
#include "../security/identity-certificate.hpp"
#include "../security/sec-rule-specific.hpp"
namespace ndn {
class CommandInterestValidator : public Validator
{
public:
enum {
POS_SIG_VALUE = -1,
POS_SIG_INFO = -2,
POS_RANDOM_VAL = -3,
POS_TIMESTAMP = -4,
GRACE_INTERVAL = 3000 // ms
};
CommandInterestValidator(int64_t graceInterval = GRACE_INTERVAL/*ms*/)
{
m_graceInterval = (graceInterval < 0 ? GRACE_INTERVAL : graceInterval);
}
virtual
~CommandInterestValidator()
{
}
void
addInterestRule(const std::string& regex, const IdentityCertificate& certificate);
void
addInterestRule(const std::string& regex, const Name& keyName, const PublicKey& publicKey);
protected:
virtual void
checkPolicy (const Data& data,
int stepCount,
const OnDataValidated &onValidated,
const OnDataValidationFailed &onValidationFailed,
std::vector<shared_ptr<ValidationRequest> > &nextSteps)
{
onValidationFailed(data.shared_from_this(), "No policy for data checking");
}
virtual void
checkPolicy (const Interest& interest,
int stepCount,
const OnInterestValidated &onValidated,
const OnInterestValidationFailed &onValidationFailed,
std::vector<shared_ptr<ValidationRequest> > &nextSteps);
private:
int64_t m_graceInterval; //ms
std::map<Name, PublicKey> m_trustAnchorsForInterest;
std::list<SecRuleSpecific> m_trustScopeForInterest;
std::map<Name, uint64_t> m_lastTimestamp;
};
inline void
CommandInterestValidator::addInterestRule(const std::string& regex, const IdentityCertificate& certificate)
{
Name keyName = IdentityCertificate::certificateNameToPublicKeyName(certificate.getName());
addInterestRule(regex, keyName, certificate.getPublicKeyInfo());
}
inline void
CommandInterestValidator::addInterestRule(const std::string& regex, const Name& keyName, const PublicKey& publicKey)
{
m_trustAnchorsForInterest[keyName] = publicKey;
shared_ptr<Regex> interestRegex = make_shared<Regex>(regex);
shared_ptr<Regex> signerRegex = Regex::fromName(keyName, true);
m_trustScopeForInterest.push_back(SecRuleSpecific(interestRegex, signerRegex));
}
inline void
CommandInterestValidator::checkPolicy (const Interest& interest,
int stepCount,
const OnInterestValidated &onValidated,
const OnInterestValidationFailed &onValidationFailed,
std::vector<shared_ptr<ValidationRequest> > &nextSteps)
{
const Name& interestName = interest.getName();
//Prepare
if (interestName.size() < 4)
return onValidationFailed(interest.shared_from_this(),
"Interest is not signed: " + interest.getName().toUri());
Signature signature(interestName[POS_SIG_INFO].blockFromValue(),
interestName[POS_SIG_VALUE].blockFromValue());
SignatureSha256WithRsa sig(signature);
const Name& keyLocatorName = sig.getKeyLocator().getName();
Name keyName = IdentityCertificate::certificateNameToPublicKeyName(keyLocatorName);
//Check if command is in the trusted scope
bool inScope = false;
for(std::list<SecRuleSpecific>::iterator scopeIt = m_trustScopeForInterest.begin();
scopeIt != m_trustScopeForInterest.end();
++scopeIt)
{
if(scopeIt->satisfy(interestName, keyName))
{
inScope = true;
break;
}
}
if(inScope == false)
return onValidationFailed(interest.shared_from_this(),
"Signer cannot be authorized for the command: " + keyName.toUri());
//Check if timestamp is valid
uint64_t timestamp = interestName.get(POS_TIMESTAMP).toNumber();
uint64_t current = static_cast<uint64_t>(time::now()/1000000);
std::map<Name, uint64_t>::const_iterator timestampIt = m_lastTimestamp.find(keyName);
if(timestampIt == m_lastTimestamp.end())
{
if(timestamp > (current + m_graceInterval) || (timestamp + m_graceInterval) < current)
return onValidationFailed(interest.shared_from_this(),
"The command is not in grace interval: " + interest.getName().toUri());
}
else
{
if(m_lastTimestamp[keyName] >= timestamp)
return onValidationFailed(interest.shared_from_this(),
"The command is outdated: " + interest.getName().toUri());
}
//Check signature
if(!Validator::verifySignature(interestName.wireEncode().value(),
interestName.wireEncode().value_size() - interestName[-1].size(),
sig, m_trustAnchorsForInterest[keyName]))
return onValidationFailed(interest.shared_from_this(),
"Signature cannot be validated: " + interest.getName().toUri());
//Update timestamp
m_lastTimestamp[keyName] = timestamp;
return onValidated(interest.shared_from_this());
}
} // namespace ndn
#endif // NDN_HELPERS_COMMAND_INTEREST_VALIDATOR_HPP