security: Generalize signature verification to allow digest-sha256

This patch effectively enables use of DigestSha256 signatures in
ValidatorConfig.

Change-Id: I233c069935b617efb8a52cc45996f00307c86a2e
diff --git a/tests/unit/security/validation-policy-config.t.cpp b/tests/unit/security/validation-policy-config.t.cpp
index 0ee5172..3c67315 100644
--- a/tests/unit/security/validation-policy-config.t.cpp
+++ b/tests/unit/security/validation-policy-config.t.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /*
- * Copyright (c) 2013-2020 Regents of the University of California.
+ * Copyright (c) 2013-2021 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -382,7 +382,11 @@
 
   packet = unsignedPacket;
   this->m_keyChain.sign(packet, signingWithSha256());
-  VALIDATE_FAILURE(packet, "Policy doesn't accept Sha256Digest signature");
+  VALIDATE_FAILURE(packet, "Should not be accepted, doesn't pass checker /localhost/identity/digest-sha256");
+
+  packet = Packet("/localhost/identity/digest-sha256/foobar");
+  this->m_keyChain.sign(packet, signingWithSha256());
+  VALIDATE_FAILURE(packet, "Should not be accepted, no rule for the name /localhost/identity/digest-sha256");
 
   packet = unsignedPacket;
   this->m_keyChain.sign(packet, signingByIdentity(this->identity));
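Review bot: The two new failure messages do not match what they test: the second says there is `no rule for the name /localhost/identity/digest-sha256`, while the packet is named `/localhost/identity/digest-sha256/foobar`, and the first refers to a checker for that prefix which is not visible in this hunk (the policy config and the start of the test are outside it). If the loaded policy has no rule for that prefix, both packets are rejected for the same reason and the messages should say so, for example `"Should not be accepted, policy has no sha256 rule for this name"`. Since DigestSha256 gives integrity but no origin authentication, a short comment above the block such as `// DigestSha256 must stay rejected unless a rule opts in with sig-type sha256` would make the intent of these negative cases explicit. The same applies to the identical hunk at -417,7 +421,11.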
@@ -417,7 +421,11 @@
 
   packet = unsignedPacket;
   this->m_keyChain.sign(packet, signingWithSha256());
-  VALIDATE_FAILURE(packet, "Policy doesn't accept Sha256Digest signature");
+  VALIDATE_FAILURE(packet, "Should not be accepted, doesn't pass checker /localhost/identity/digest-sha256");
+
+  packet = Packet("/localhost/identity/digest-sha256/foobar");
+  this->m_keyChain.sign(packet, signingWithSha256());
+  VALIDATE_FAILURE(packet, "Should not be accepted, no rule for the name /localhost/identity/digest-sha256");
 
   packet = unsignedPacket;
   this->m_keyChain.sign(packet, signingByIdentity(this->identity));
@@ -436,6 +444,79 @@
   VALIDATE_FAILURE(packet, "Should fail, because subSelfSignedIdentity is not a trust anchor");
 }
 
+BOOST_FIXTURE_TEST_CASE(DigestSha256, HierarchicalValidatorFixture<ValidationPolicyConfig>)
+{
+  BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
+  this->policy.load(R"CONF(
+      rule
+      {
+        id test-rule-data-id
+        for data
+        filter
+        {
+          type name
+          name /localhost/identity/digest-sha256
+          relation is-prefix-of
+        }
+        checker
+        {
+          type customized
+          sig-type sha256
+          key-locator
+          {
+            type name
+            hyper-relation
+            {
+              k-regex ^(<>*)$
+              k-expand \\1
+              h-relation is-prefix-of
+              p-regex ^(<>*)$
+              p-expand \\1
+            }
+          }
+        }
+      }
+      rule
+      {
+        id test-rule-interest-id
+        for interest
+        filter
+        {
+          type name
+          name /localhost/identity/digest-sha256
+          relation is-prefix-of
+        }
+        checker
+        {
+          type customized
+          sig-type sha256
+          key-locator
+          {
+            type name
+            hyper-relation
+            {
+              k-regex ^(<>*)$
+              k-expand \\1
+              h-relation is-prefix-of
+              p-regex ^(<>*)$
+              p-expand \\1
+            }
+          }
+        }
+      }
+    )CONF", "test-config");
+
+
+  Interest interest("/localhost/identity/digest-sha256/foobar");
+  interest.setCanBePrefix(false);
+  this->m_keyChain.sign(interest, signingWithSha256());
+  VALIDATE_SUCCESS(interest, "Should be accepted");
+
+  Data data("/localhost/identity/digest-sha256/foobar");
+  this->m_keyChain.sign(data, signingWithSha256());
+  VALIDATE_SUCCESS(data, "Should be accepted");
+}
+
 BOOST_FIXTURE_TEST_CASE(Reload, HierarchicalValidatorFixture<ValidationPolicyConfig>)
 {
   BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
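Review bot: The new DigestSha256 test case only asserts acceptance, so it would still pass if the policy accepted every digest-signed packet regardless of name or digest validity. Add at least one negative case under the same config, e.g. `Data other("/localhost/other/foobar");`, `this->m_keyChain.sign(other, signingWithSha256());`, `VALIDATE_FAILURE(other, "Should not be accepted, no rule matches the name");`, and ideally one packet under the prefix whose content was changed after signing. The `key-locator` block inside a `sig-type sha256` checker also deserves a comment: a digest signature presumably carries no key locator, so the test should state whether that block is required by the parser or ignored. The double blank line after the `load()` call can be reduced to one.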
diff --git a/tests/unit/security/validation-policy-simple-hierarchy.t.cpp b/tests/unit/security/validation-policy-simple-hierarchy.t.cpp
index c0729f4..d5734a8 100644
--- a/tests/unit/security/validation-policy-simple-hierarchy.t.cpp
+++ b/tests/unit/security/validation-policy-simple-hierarchy.t.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /*
- * Copyright (c) 2013-2020 Regents of the University of California.
+ * Copyright (c) 2013-2021 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -46,7 +46,11 @@
 
   packet = Packet::makePacket(name);
   m_keyChain.sign(packet, signingWithSha256());
-  VALIDATE_FAILURE(packet, "Policy doesn't accept Sha256Digest signature");
+  VALIDATE_FAILURE(packet, "Should not be accepted, name not prefix of /localhost/identity/digest-sha256");
+
+  packet = Packet::makePacket("/localhost/identity/digest-sha256/foobar");
+  m_keyChain.sign(packet, signingWithSha256());
+  VALIDATE_SUCCESS(packet, "Should be accepted, as name is prefix of /localhost/identity/digest-sha256");
 
   packet = Packet::makePacket(name);
   m_keyChain.sign(packet, signingByIdentity(identity));
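Review bot: The message on the new `VALIDATE_SUCCESS` states the relation backwards: `/localhost/identity/digest-sha256` is a prefix of the packet name, not the other way round, and the reworded `VALIDATE_FAILURE` message has the same inversion. Suggested wording: `"Should be accepted, /localhost/identity/digest-sha256 is a prefix of the name"` and `"Should not be accepted, /localhost/identity/digest-sha256 is not a prefix of the name"`. Because this case asserts that the hierarchy policy accepts a signature anyone can compute, a comment naming where that prefix exemption is defined and why it is limited to this name would help; the policy code is not in this diff as shown. The enclosing test starts and ends outside the hunk.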
diff --git a/tests/unit/security/validator-fixture.hpp b/tests/unit/security/validator-fixture.hpp
index 343e363..c56a014 100644
--- a/tests/unit/security/validator-fixture.hpp
+++ b/tests/unit/security/validator-fixture.hpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /*
- * Copyright (c) 2013-2020 Regents of the University of California.
+ * Copyright (c) 2013-2021 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -159,7 +159,7 @@
 
 private:
   void
-  verifyOriginalPacket(const Certificate&) override
+  verifyOriginalPacket(const optional<Certificate>&) override
   {
     // do nothing
   }
diff --git a/tests/unit/security/verification-helpers.t.cpp b/tests/unit/security/verification-helpers.t.cpp
index 476bbe3..d930281 100644
--- a/tests/unit/security/verification-helpers.t.cpp
+++ b/tests/unit/security/verification-helpers.t.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /*
- * Copyright (c) 2013-2020 Regents of the University of California.
+ * Copyright (c) 2013-2021 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -640,14 +640,21 @@
   Interest badSigInterestOldFormat(Block(dataset.badSigInterestOldFormat.data(),
                                          dataset.badSigInterestOldFormat.size()));
 
+  BOOST_CHECK(verifySignature(data, nullopt));
   BOOST_CHECK(verifyDigest(data, DigestAlgorithm::SHA256));
+  BOOST_CHECK(verifySignature(interest, nullopt));
   BOOST_CHECK(verifyDigest(interest, DigestAlgorithm::SHA256));
+  BOOST_CHECK(verifySignature(interestOldFormat, nullopt));
   BOOST_CHECK(verifyDigest(interestOldFormat, DigestAlgorithm::SHA256));
 
   BOOST_CHECK(!verifyDigest(badSigData, DigestAlgorithm::SHA256));
   BOOST_CHECK(!verifyDigest(badSigInterest, DigestAlgorithm::SHA256));
   BOOST_CHECK(!verifyDigest(badSigInterestOldFormat, DigestAlgorithm::SHA256));
 
+  BOOST_CHECK(!verifySignature(badSigData, nullopt));
+  BOOST_CHECK(!verifySignature(badSigInterest, nullopt));
+  BOOST_CHECK(!verifySignature(badSigInterestOldFormat, nullopt));
+
   Data unsignedData("/some/data");
   Interest unsignedInterest1("/some/interest/with/several/name/components");
   unsignedInterest1.setCanBePrefix(false);
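Review bot: The added `verifySignature(..., nullopt)` checks only use packets from the digest dataset and unsigned packets (here and in the following hunk), so nothing pins what `nullopt` does for a packet whose SignatureInfo declares a key-based type. If the implementation falls back to digest verification whenever no certificate is given, it should still reject on the declared type; a check of the form `BOOST_CHECK(!verifySignature(KEY_SIGNED_PACKET, nullopt));` (placeholder name, using a packet signed with one of the test keys) would cover that. The new positive checks are interleaved with the `verifyDigest` lines while the negative ones form their own group; grouping both the same way would read more easily. The test body starts before this hunk and continues past it.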
@@ -658,6 +665,10 @@
   BOOST_CHECK(!verifyDigest(unsignedInterest1, DigestAlgorithm::SHA256));
   BOOST_CHECK(!verifyDigest(unsignedInterest2, DigestAlgorithm::SHA256));
 
+  BOOST_CHECK(!verifySignature(unsignedData, nullopt));
+  BOOST_CHECK(!verifySignature(unsignedInterest1, nullopt));
+  BOOST_CHECK(!verifySignature(unsignedInterest2, nullopt));
+
   // - base version of verifyDigest is tested transitively
 }