security: remove redundant overloads of verifySignature() and verifyDigest()
Change-Id: I5fe14876acea04fe979ffe0872855f1b5bbede24
diff --git a/ndn-cxx/security/verification-helpers.cpp b/ndn-cxx/security/verification-helpers.cpp
index 2f5927e..44519b4 100644
--- a/ndn-cxx/security/verification-helpers.cpp
+++ b/ndn-cxx/security/verification-helpers.cpp
@@ -80,13 +80,6 @@
}
bool
-verifySignature(const uint8_t* blob, size_t blobLen, const uint8_t* sig, size_t sigLen,
- const transform::PublicKey& key)
-{
- return verifySignature({{blob, blobLen}}, sig, sigLen, key);
-}
-
-bool
verifySignature(const InputBuffers& blobs, const uint8_t* sig, size_t sigLen,
const uint8_t* key, size_t keyLen)
{
@@ -101,13 +94,6 @@
return verifySignature(blobs, sig, sigLen, pKey);
}
-bool
-verifySignature(const uint8_t* blob, size_t blobLen, const uint8_t* sig, size_t sigLen,
- const uint8_t* key, size_t keyLen)
-{
- return verifySignature({{blob, blobLen}}, sig, sigLen, key, keyLen);
-}
-
static ParseResult
parse(const Data& data)
{
@@ -144,8 +130,8 @@
}
const Block& nameBlock = interestName.wireEncode();
- Block sigValue = interestName[signed_interest::POS_SIG_VALUE].blockFromValue();
SignatureInfo info(interestName[signed_interest::POS_SIG_INFO].blockFromValue());
+ Block sigValue(interestName[signed_interest::POS_SIG_VALUE].blockFromValue());
return ParseResult(info,
{{nameBlock.value(),
nameBlock.value_size() - interestName[signed_interest::POS_SIG_VALUE].size()}},
@@ -159,22 +145,60 @@
}
static bool
-verifySignature(ParseResult params, const transform::PublicKey& key)
+verifySignature(const ParseResult& params, const transform::PublicKey& key)
{
return !params.bufs.empty() && verifySignature(params.bufs, params.sig, params.sigLen, key);
}
static bool
-verifySignature(ParseResult params, const tpm::Tpm& tpm, const Name& keyName,
- DigestAlgorithm digestAlgorithm)
+verifySignature(const ParseResult& params, const uint8_t* key, size_t keyLen)
{
- return !params.bufs.empty() && bool(tpm.verify(params.bufs, params.sig, params.sigLen, keyName, digestAlgorithm));
+ return !params.bufs.empty() && verifySignature(params.bufs, params.sig, params.sigLen, key, keyLen);
}
static bool
-verifySignature(ParseResult params, const uint8_t* key, size_t keyLen)
+verifySignature(const ParseResult& params, const tpm::Tpm& tpm, const Name& keyName,
+ DigestAlgorithm digestAlgorithm)
{
- return !params.bufs.empty() && verifySignature(params.bufs, params.sig, params.sigLen, key, keyLen);
+ return !params.bufs.empty() && bool(tpm.verify(params.bufs, params.sig, params.sigLen, keyName,
+ digestAlgorithm));
+}
+
+static bool
+verifyDigest(const ParseResult& params, DigestAlgorithm algorithm)
+{
+ if (params.bufs.empty()) {
+ return false;
+ }
+
+ OBufferStream os;
+ try {
+ using namespace transform;
+ bufferSource(params.bufs) >> digestFilter(algorithm) >> streamSink(os);
+ }
+ catch (const transform::Error&) {
+ return false;
+ }
+ auto result = os.buf();
+
+ if (result->size() != params.sigLen) {
+ return false;
+ }
+
+ // constant-time buffer comparison to mitigate timing attacks
+ return CRYPTO_memcmp(result->data(), params.sig, params.sigLen) == 0;
+}
+
+bool
+verifySignature(const Data& data, const uint8_t* key, size_t keyLen)
+{
+ return verifySignature(parse(data), key, keyLen);
+}
+
+bool
+verifySignature(const Interest& interest, const uint8_t* key, size_t keyLen)
+{
+ return verifySignature(parse(interest), key, keyLen);
}
bool
@@ -202,32 +226,18 @@
}
bool
-verifySignature(const Data& data, const uint8_t* key, size_t keyLen)
-{
- return verifySignature(parse(data), key, keyLen);
-}
-
-bool
-verifySignature(const Interest& interest, const uint8_t* key, size_t keyLen)
-{
- return verifySignature(parse(interest), key, keyLen);
-}
-
-bool
verifySignature(const Data& data, const optional<Certificate>& cert)
{
auto parsed = parse(data);
if (cert) {
return verifySignature(parsed, cert->getContent().value(), cert->getContent().value_size());
}
+ else if (parsed.info.getSignatureType() == tlv::SignatureTypeValue::DigestSha256) {
+ return verifyDigest(parsed, DigestAlgorithm::SHA256);
+ }
+ // Add any other self-verifying signatures here (if any)
else {
- if (parsed.info.getSignatureType() == tlv::SignatureTypeValue::DigestSha256) {
- return verifyDigest(data, DigestAlgorithm::SHA256);
- }
- // Add any other self-verifying signatures here (if any)
- else {
- return false;
- }
+ return false;
}
}
@@ -238,14 +248,12 @@
if (cert) {
return verifySignature(parsed, cert->getContent().value(), cert->getContent().value_size());
}
+ else if (parsed.info.getSignatureType() == tlv::SignatureTypeValue::DigestSha256) {
+ return verifyDigest(parsed, DigestAlgorithm::SHA256);
+ }
+ // Add any other self-verifying signatures here (if any)
else {
- if (parsed.info.getSignatureType() == tlv::SignatureTypeValue::DigestSha256) {
- return verifyDigest(interest, DigestAlgorithm::SHA256);
- }
- // Add any other self-verifying signatures here (if any)
- else {
- return false;
- }
+ return false;
}
}
@@ -263,53 +271,5 @@
return verifySignature(parse(interest), tpm, keyName, digestAlgorithm);
}
-///////////////////////////////////////////////////////////////////////
-
-bool
-verifyDigest(const InputBuffers& bufs, const uint8_t* digest, size_t digestLen,
- DigestAlgorithm algorithm)
-{
- using namespace transform;
-
- OBufferStream os;
- try {
- bufferSource(bufs) >> digestFilter(algorithm) >> streamSink(os);
- }
- catch (const transform::Error&) {
- return false;
- }
- ConstBufferPtr result = os.buf();
-
- if (result->size() != digestLen) {
- return false;
- }
-
- // constant-time buffer comparison to mitigate timing attacks
- return CRYPTO_memcmp(result->data(), digest, digestLen) == 0;
-}
-
-bool
-verifyDigest(const uint8_t* blob, size_t blobLen, const uint8_t* digest, size_t digestLen,
- DigestAlgorithm algorithm)
-{
- return verifyDigest({{blob, blobLen}}, digest, digestLen, algorithm);
-}
-
-bool
-verifyDigest(const Data& data, DigestAlgorithm algorithm)
-{
- ParseResult parseResult = parse(data);
- return !parseResult.bufs.empty() && verifyDigest(parseResult.bufs, parseResult.sig,
- parseResult.sigLen, algorithm);
-}
-
-bool
-verifyDigest(const Interest& interest, DigestAlgorithm algorithm)
-{
- ParseResult parseResult = parse(interest);
- return !parseResult.bufs.empty() && verifyDigest(parseResult.bufs, parseResult.sig,
- parseResult.sigLen, algorithm);
-}
-
} // namespace security
} // namespace ndn
diff --git a/ndn-cxx/security/verification-helpers.hpp b/ndn-cxx/security/verification-helpers.hpp
index 09b7b57..65ca8c5 100644
--- a/ndn-cxx/security/verification-helpers.hpp
+++ b/ndn-cxx/security/verification-helpers.hpp
@@ -56,13 +56,6 @@
const transform::PublicKey& key);
/**
- * @brief Verify @p blob using @p key against @p sig.
- */
-bool
-verifySignature(const uint8_t* blob, size_t blobLen, const uint8_t* sig, size_t sigLen,
- const transform::PublicKey& key);
-
-/**
* @brief Verify @p blobs using @p key against @p sig.
* @note @p key must be a public key in PKCS #8 format.
*/
@@ -71,14 +64,6 @@
const uint8_t* key, size_t keyLen);
/**
- * @brief Verify @p blob using @p key against @p sig.
- * @note @p key must be a public key in PKCS #8 format.
- */
-bool
-verifySignature(const uint8_t* blob, size_t blobLen, const uint8_t* sig, size_t sigLen,
- const uint8_t* key, size_t keyLen);
-
-/**
* @brief Verify @p data using @p key.
* @note @p key must be a public key in PKCS #8 format.
*/
@@ -156,36 +141,6 @@
verifySignature(const Interest& interest, const tpm::Tpm& tpm, const Name& keyName,
DigestAlgorithm digestAlgorithm);
-//////////////////////////////////////////////////////////////////
-
-/**
- * @brief Verify @p blobs against @p digest using @p algorithm.
- */
-bool
-verifyDigest(const InputBuffers& blobs, const uint8_t* digest, size_t digestLen,
- DigestAlgorithm algorithm);
-
-/**
- * @brief Verify @p blob against @p digest using @p algorithm.
- */
-bool
-verifyDigest(const uint8_t* blob, size_t blobLen, const uint8_t* digest, size_t digestLen,
- DigestAlgorithm algorithm);
-
-/**
- * @brief Verify @p data against digest @p algorithm.
- */
-bool
-verifyDigest(const Data& data, DigestAlgorithm algorithm);
-
-/**
- * @brief Verify @p interest against digest @p algorithm.
- * @note This method verifies only signature of the signed interest.
- * @sa docs/specs/signed-interest.rst
- */
-bool
-verifyDigest(const Interest& interest, DigestAlgorithm algorithm);
-
} // namespace security
} // namespace ndn
diff --git a/tests/unit/security/key-chain.t.cpp b/tests/unit/security/key-chain.t.cpp
index d3fb67e..1aa76b8 100644
--- a/tests/unit/security/key-chain.t.cpp
+++ b/tests/unit/security/key-chain.t.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2020 Regents of the University of California.
+ * Copyright (c) 2013-2021 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -526,7 +526,7 @@
bool
verify(const SigningInfo&) const
{
- return verifyDigest(this->packet, DigestAlgorithm::SHA256);
+ return verifySignature(this->packet, nullopt);
}
};
@@ -544,7 +544,9 @@
Sha256Signing<InterestV02Pkt>,
Sha256Signing<InterestV03Pkt>,
SigningWithNonDefaultIdentity<DataPkt>,
- SigningWithNonDefaultKey<DataPkt>
+ SigningWithNonDefaultIdentity<InterestV03Pkt>,
+ SigningWithNonDefaultKey<DataPkt>,
+ SigningWithNonDefaultKey<InterestV03Pkt>
>;
BOOST_FIXTURE_TEST_CASE_TEMPLATE(SigningInterface, T, SigningTests, T)
diff --git a/tests/unit/security/transform/signer-filter.t.cpp b/tests/unit/security/transform/signer-filter.t.cpp
index 4f3fa04..4f84582 100644
--- a/tests/unit/security/transform/signer-filter.t.cpp
+++ b/tests/unit/security/transform/signer-filter.t.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2019 Regents of the University of California.
+ * Copyright (c) 2013-2021 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -92,7 +92,7 @@
bufferSource(DATA, sizeof(DATA)) >> signerFilter(DigestAlgorithm::SHA256, sKey) >> streamSink(os2);
auto sig = os2.buf();
- BOOST_CHECK(verifySignature(DATA, sizeof(DATA), sig->data(), sig->size(), pubKey->data(), pubKey->size()));
+ BOOST_TEST(verifySignature({{DATA, sizeof(DATA)}}, sig->data(), sig->size(), pubKey->data(), pubKey->size()));
}
BOOST_AUTO_TEST_CASE(Ecdsa)
@@ -128,7 +128,7 @@
bufferSource(DATA, sizeof(DATA)) >> signerFilter(DigestAlgorithm::SHA256, sKey) >> streamSink(os2);
auto sig = os2.buf();
- BOOST_CHECK(verifySignature(DATA, sizeof(DATA), sig->data(), sig->size(), pubKey->data(), pubKey->size()));
+ BOOST_TEST(verifySignature({{DATA, sizeof(DATA)}}, sig->data(), sig->size(), pubKey->data(), pubKey->size()));
}
BOOST_AUTO_TEST_SUITE(Hmac)
diff --git a/tests/unit/security/verification-helpers.t.cpp b/tests/unit/security/verification-helpers.t.cpp
index 74ffbe0..f35f93f 100644
--- a/tests/unit/security/verification-helpers.t.cpp
+++ b/tests/unit/security/verification-helpers.t.cpp
@@ -41,7 +41,7 @@
// BOOST_FIXTURE_TEST_CASE(Generator, KeyChainFixture)
// {
// Identity wrongIdentity = m_keyChain.createIdentity("/Security/TestVerificationHelpers/Wrong");
-// std::map<std::string, SigningInfo> identities = {
+// const std::map<std::string, SigningInfo> identities = {
// {"Ecdsa", signingByIdentity(m_keyChain.createIdentity("/Security/TestVerificationHelpers/EC", EcKeyParams()))},
// {"Rsa", signingByIdentity(m_keyChain.createIdentity("/Security/TestVerificationHelpers/RSA", RsaKeyParams()))},
// {"Sha256", signingWithSha256()}
@@ -545,7 +545,7 @@
BOOST_AUTO_TEST_CASE_TEMPLATE(VerifySignature, Dataset, SignatureDatasets)
{
- Dataset dataset;
+ const Dataset dataset;
Certificate cert(Block(dataset.cert.data(), dataset.cert.size()));
Buffer keyRaw = cert.getPublicKey();
transform::PublicKey key;
@@ -630,7 +630,7 @@
BOOST_AUTO_TEST_CASE_TEMPLATE(VerifyDigest, Dataset, DigestDatasets)
{
- Dataset dataset;
+ const Dataset dataset;
Data data(Block(dataset.goodData.data(), dataset.goodData.size()));
Data badSigData(Block(dataset.badSigData.data(), dataset.badSigData.size()));
Interest interest(Block(dataset.goodInterest.data(), dataset.goodInterest.size()));
@@ -641,15 +641,8 @@
dataset.badSigInterestOldFormat.size()));
BOOST_CHECK(verifySignature(data, nullopt));
- BOOST_CHECK(verifyDigest(data, DigestAlgorithm::SHA256));
BOOST_CHECK(verifySignature(interest, nullopt));
- BOOST_CHECK(verifyDigest(interest, DigestAlgorithm::SHA256));
BOOST_CHECK(verifySignature(interestOldFormat, nullopt));
- BOOST_CHECK(verifyDigest(interestOldFormat, DigestAlgorithm::SHA256));
-
- BOOST_CHECK(!verifyDigest(badSigData, DigestAlgorithm::SHA256));
- BOOST_CHECK(!verifyDigest(badSigInterest, DigestAlgorithm::SHA256));
- BOOST_CHECK(!verifyDigest(badSigInterestOldFormat, DigestAlgorithm::SHA256));
BOOST_CHECK(!verifySignature(badSigData, nullopt));
BOOST_CHECK(!verifySignature(badSigInterest, nullopt));
@@ -661,15 +654,9 @@
Interest unsignedInterest2("/interest-with-one-name-component");
unsignedInterest2.setCanBePrefix(false);
- BOOST_CHECK(!verifyDigest(unsignedData, DigestAlgorithm::SHA256));
- BOOST_CHECK(!verifyDigest(unsignedInterest1, DigestAlgorithm::SHA256));
- BOOST_CHECK(!verifyDigest(unsignedInterest2, DigestAlgorithm::SHA256));
-
BOOST_CHECK(!verifySignature(unsignedData, nullopt));
BOOST_CHECK(!verifySignature(unsignedInterest1, nullopt));
BOOST_CHECK(!verifySignature(unsignedInterest2, nullopt));
-
- // - base version of verifyDigest is tested transitively
}
const uint8_t sha256DataUnrecognizedElements[] = {
@@ -696,8 +683,8 @@
Data data(Block(sha256DataUnrecognizedElements, sizeof(sha256DataUnrecognizedElements)));
Interest interest(Block(sha256InterestUnrecognizedElements, sizeof(sha256InterestUnrecognizedElements)));
- BOOST_CHECK(verifyDigest(data, DigestAlgorithm::SHA256));
- BOOST_CHECK(verifyDigest(interest, DigestAlgorithm::SHA256));
+ BOOST_CHECK(verifySignature(data, nullopt));
+ BOOST_CHECK(verifySignature(interest, nullopt));
}
BOOST_AUTO_TEST_SUITE_END() // TestVerificationHelpers