Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 1 | /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */ |
| 2 | /* |
Davide Pesavento | 47ce2ee | 2023-05-09 01:33:33 -0400 | [diff] [blame] | 3 | * Copyright (c) 2013-2023 Regents of the University of California. |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 4 | * |
| 5 | * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions). |
| 6 | * |
| 7 | * ndn-cxx library is free software: you can redistribute it and/or modify it under the |
| 8 | * terms of the GNU Lesser General Public License as published by the Free Software |
| 9 | * Foundation, either version 3 of the License, or (at your option) any later version. |
| 10 | * |
| 11 | * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY |
| 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A |
| 13 | * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. |
| 14 | * |
| 15 | * You should have received copies of the GNU General Public License and GNU Lesser |
| 16 | * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see |
| 17 | * <http://www.gnu.org/licenses/>. |
| 18 | * |
| 19 | * See AUTHORS.md for complete list of ndn-cxx authors and contributors. |
| 20 | */ |
| 21 | |
| 22 | #include "ndn-cxx/security/validation-policy-signed-interest.hpp" |
Davide Pesavento | 4c1ad4c | 2020-11-16 21:12:02 -0500 | [diff] [blame] | 23 | |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 24 | #include "ndn-cxx/security/interest-signer.hpp" |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 25 | #include "ndn-cxx/security/validation-policy-accept-all.hpp" |
| 26 | #include "ndn-cxx/security/validation-policy-simple-hierarchy.hpp" |
| 27 | |
Davide Pesavento | 4c1ad4c | 2020-11-16 21:12:02 -0500 | [diff] [blame] | 28 | #include "tests/test-common.hpp" |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 29 | #include "tests/unit/security/validator-fixture.hpp" |
| 30 | |
Davide Pesavento | 49e1e87 | 2023-11-11 00:45:23 -0500 | [diff] [blame] | 31 | #include <boost/mp11/list.hpp> |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 32 | |
Davide Pesavento | 47ce2ee | 2023-05-09 01:33:33 -0400 | [diff] [blame] | 33 | namespace ndn::tests { |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 34 | |
Davide Pesavento | 47ce2ee | 2023-05-09 01:33:33 -0400 | [diff] [blame] | 35 | using namespace ndn::security; |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 36 | |
| 37 | BOOST_AUTO_TEST_SUITE(Security) |
| 38 | |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 39 | struct SignedInterestDefaultOptions |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 40 | { |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 41 | static ValidationPolicySignedInterest::Options |
| 42 | getOptions() |
| 43 | { |
| 44 | return {}; |
| 45 | } |
| 46 | }; |
| 47 | |
| 48 | template<class T, class InnerPolicy> |
| 49 | class SignedInterestPolicyWrapper : public ValidationPolicySignedInterest |
| 50 | { |
| 51 | public: |
| 52 | SignedInterestPolicyWrapper() |
| 53 | : ValidationPolicySignedInterest(make_unique<InnerPolicy>(), T::getOptions()) |
| 54 | { |
| 55 | } |
| 56 | }; |
| 57 | |
| 58 | template<class T, class InnerPolicy = ValidationPolicySimpleHierarchy> |
| 59 | class ValidationPolicySignedInterestFixture |
| 60 | : public HierarchicalValidatorFixture<SignedInterestPolicyWrapper<T, InnerPolicy>> |
| 61 | { |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 62 | protected: |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 63 | Interest |
| 64 | makeSignedInterest(const Identity& identity, |
| 65 | uint32_t signingFlags = InterestSigner::WantNonce | InterestSigner::WantTime) |
| 66 | { |
| 67 | Interest i(Name(identity.getName()).append("CMD")); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 68 | m_signer.makeSignedInterest(i, signingByIdentity(identity), signingFlags); |
| 69 | return i; |
| 70 | } |
| 71 | |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 72 | protected: |
| 73 | InterestSigner m_signer{this->m_keyChain}; |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 74 | |
| 75 | static constexpr uint32_t WantAll = InterestSigner::WantNonce | |
| 76 | InterestSigner::WantTime | |
| 77 | InterestSigner::WantSeqNum; |
| 78 | }; |
| 79 | |
| 80 | BOOST_FIXTURE_TEST_SUITE(TestValidationPolicySignedInterest, |
| 81 | ValidationPolicySignedInterestFixture<SignedInterestDefaultOptions>) |
| 82 | |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 83 | BOOST_AUTO_TEST_CASE(Basic) |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 84 | { |
| 85 | auto i1 = makeSignedInterest(identity, WantAll); |
| 86 | VALIDATE_SUCCESS(i1, "Should succeed (within grace period)"); |
| 87 | VALIDATE_FAILURE(i1, "Should fail (replay attack)"); |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 88 | BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 89 | |
| 90 | advanceClocks(5_ms); |
| 91 | auto i2 = makeSignedInterest(identity, WantAll); |
| 92 | VALIDATE_SUCCESS(i2, "Should succeed (timestamp and sequence number larger than previous)"); |
| 93 | |
| 94 | Interest i3(Name(identity.getName()).append("CMD")); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 95 | m_signer.makeSignedInterest(i3, signingWithSha256()); |
| 96 | VALIDATE_FAILURE(i3, "Should fail (Sha256 signature violates policy)"); |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 97 | BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 98 | } |
| 99 | |
| 100 | BOOST_AUTO_TEST_CASE(DataPassthrough) |
| 101 | { |
| 102 | Data d1("/Security/ValidatorFixture/Sub1"); |
| 103 | m_keyChain.sign(d1); |
| 104 | VALIDATE_SUCCESS(d1, "Should succeed (fallback on inner validation policy for data)"); |
| 105 | } |
| 106 | |
| 107 | BOOST_AUTO_TEST_CASE(InnerPolicyReject) |
| 108 | { |
| 109 | auto i1 = makeSignedInterest(otherIdentity); |
| 110 | VALIDATE_FAILURE(i1, "Should fail (inner policy should reject)"); |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 111 | BOOST_TEST(lastError.getCode() == ValidationError::LOOP_DETECTED); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 112 | } |
| 113 | |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 114 | template<ssize_t count> |
| 115 | struct MaxRecordCount |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 116 | { |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 117 | static ValidationPolicySignedInterest::Options |
| 118 | getOptions() |
| 119 | { |
| 120 | ValidationPolicySignedInterest::Options options; |
| 121 | options.timestampGracePeriod = 15_s; |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 122 | options.maxRecordCount = count; |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 123 | return options; |
| 124 | } |
| 125 | }; |
| 126 | |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 127 | BOOST_FIXTURE_TEST_CASE(LimitedRecords, ValidationPolicySignedInterestFixture<MaxRecordCount<3>>) |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 128 | { |
| 129 | Identity id1 = addSubCertificate("/Security/ValidatorFixture/Sub1", identity); |
| 130 | cache.insert(id1.getDefaultKey().getDefaultCertificate()); |
| 131 | Identity id2 = addSubCertificate("/Security/ValidatorFixture/Sub2", identity); |
| 132 | cache.insert(id2.getDefaultKey().getDefaultCertificate()); |
| 133 | Identity id3 = addSubCertificate("/Security/ValidatorFixture/Sub3", identity); |
| 134 | cache.insert(id3.getDefaultKey().getDefaultCertificate()); |
| 135 | Identity id4 = addSubCertificate("/Security/ValidatorFixture/Sub4", identity); |
| 136 | cache.insert(id4.getDefaultKey().getDefaultCertificate()); |
| 137 | |
| 138 | auto i1 = makeSignedInterest(id2); |
| 139 | auto i2 = makeSignedInterest(id3); |
| 140 | auto i3 = makeSignedInterest(id4); |
| 141 | auto i00 = makeSignedInterest(id1); // signed at 0s |
| 142 | advanceClocks(1_s); |
| 143 | auto i01 = makeSignedInterest(id1); // signed at 1s |
| 144 | advanceClocks(1_s); |
| 145 | auto i02 = makeSignedInterest(id1); // signed at 2s |
| 146 | |
| 147 | VALIDATE_SUCCESS(i00, "Should succeed"); |
| 148 | rewindClockAfterValidation(); |
| 149 | |
| 150 | VALIDATE_SUCCESS(i02, "Should succeed"); |
| 151 | rewindClockAfterValidation(); |
| 152 | |
| 153 | VALIDATE_SUCCESS(i1, "Should succeed"); |
| 154 | rewindClockAfterValidation(); |
| 155 | |
| 156 | VALIDATE_SUCCESS(i2, "Should succeed"); |
| 157 | rewindClockAfterValidation(); |
| 158 | |
| 159 | VALIDATE_SUCCESS(i3, "Should succeed, forgets identity id1"); |
| 160 | rewindClockAfterValidation(); |
| 161 | |
| 162 | VALIDATE_SUCCESS(i01, "Should succeed despite timestamp is reordered, because record has been evicted"); |
| 163 | } |
| 164 | |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 165 | BOOST_FIXTURE_TEST_CASE(UnlimitedRecords, ValidationPolicySignedInterestFixture<MaxRecordCount<-1>>) |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 166 | { |
| 167 | std::vector<Identity> identities; |
Davide Pesavento | 4c1ad4c | 2020-11-16 21:12:02 -0500 | [diff] [blame] | 168 | for (size_t i = 0; i < 20; ++i) { |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 169 | Identity id = addSubCertificate("/Security/ValidatorFixture/Sub" + to_string(i), identity); |
| 170 | cache.insert(id.getDefaultKey().getDefaultCertificate()); |
| 171 | identities.push_back(id); |
| 172 | } |
| 173 | |
| 174 | auto i1 = makeSignedInterest(identities.at(0)); // signed at 0s |
| 175 | advanceClocks(1_s); |
Davide Pesavento | 4c1ad4c | 2020-11-16 21:12:02 -0500 | [diff] [blame] | 176 | for (size_t i = 0; i < 20; ++i) { |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 177 | auto i2 = makeSignedInterest(identities.at(i)); // signed at +1s |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 178 | VALIDATE_SUCCESS(i2, "Should succeed"); |
| 179 | rewindClockAfterValidation(); |
| 180 | } |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 181 | |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 182 | VALIDATE_FAILURE(i1, "Should fail (timestamp reorder)"); |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 183 | BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 184 | } |
| 185 | |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 186 | BOOST_FIXTURE_TEST_CASE(ZeroRecords, ValidationPolicySignedInterestFixture<MaxRecordCount<0>>) |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 187 | { |
| 188 | auto i1 = makeSignedInterest(identity); // signed at 0s |
| 189 | advanceClocks(1_s); |
| 190 | auto i2 = makeSignedInterest(identity); // signed at +1s |
| 191 | VALIDATE_SUCCESS(i2, "Should succeed"); |
| 192 | rewindClockAfterValidation(); |
| 193 | |
| 194 | VALIDATE_SUCCESS(i1, "Should succeed despite timestamp reordering, as records aren't kept"); |
| 195 | } |
| 196 | |
| 197 | BOOST_AUTO_TEST_SUITE(TimestampValidation) |
| 198 | |
| 199 | BOOST_AUTO_TEST_CASE(MissingTimestamp) |
| 200 | { |
| 201 | auto i1 = makeSignedInterest(identity, InterestSigner::WantSeqNum); |
| 202 | VALIDATE_FAILURE(i1, "Should fail (timestamp missing)"); |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 203 | BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 204 | } |
| 205 | |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 206 | struct DisabledTimestampValidationOptions |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 207 | { |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 208 | static ValidationPolicySignedInterest::Options |
| 209 | getOptions() |
| 210 | { |
| 211 | ValidationPolicySignedInterest::Options options; |
| 212 | options.shouldValidateTimestamps = false; |
| 213 | return options; |
| 214 | } |
| 215 | }; |
| 216 | |
| 217 | BOOST_FIXTURE_TEST_CASE(Disabled, |
| 218 | ValidationPolicySignedInterestFixture<DisabledTimestampValidationOptions>) |
| 219 | { |
| 220 | auto i1 = makeSignedInterest(identity); // signed at 0ms |
| 221 | advanceClocks(100_ms); |
| 222 | VALIDATE_SUCCESS(i1, "Should succeed"); |
| 223 | |
| 224 | auto i2 = makeSignedInterest(identity); // signed at +100ms |
| 225 | // Set i2 to have same timestamp as i1 |
| 226 | auto si2 = i2.getSignatureInfo(); |
| 227 | si2->setTime(i2.getSignatureInfo()->getTime()); |
| 228 | i2.setSignatureInfo(*si2); |
| 229 | VALIDATE_SUCCESS(i2, "Should succeed"); |
| 230 | } |
| 231 | |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 232 | template<int secs> |
| 233 | struct GracePeriodSeconds |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 234 | { |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 235 | static ValidationPolicySignedInterest::Options |
| 236 | getOptions() |
| 237 | { |
| 238 | ValidationPolicySignedInterest::Options options; |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 239 | options.timestampGracePeriod = time::seconds(secs); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 240 | return options; |
| 241 | } |
| 242 | }; |
| 243 | |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 244 | BOOST_FIXTURE_TEST_CASE(TimestampTooOld, ValidationPolicySignedInterestFixture<GracePeriodSeconds<15>>) |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 245 | { |
| 246 | auto i1 = makeSignedInterest(identity); // signed at 0s |
| 247 | advanceClocks(16_s); // verifying at +16s |
| 248 | VALIDATE_FAILURE(i1, "Should fail (timestamp outside the grace period)"); |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 249 | BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 250 | rewindClockAfterValidation(); |
| 251 | |
| 252 | auto i2 = makeSignedInterest(identity); // signed at +16s |
| 253 | VALIDATE_SUCCESS(i2, "Should succeed"); |
| 254 | } |
| 255 | |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 256 | BOOST_FIXTURE_TEST_CASE(TimestampTooNew, ValidationPolicySignedInterestFixture<GracePeriodSeconds<15>>) |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 257 | { |
| 258 | auto i1 = makeSignedInterest(identity); // signed at 0s |
| 259 | advanceClocks(1_s); |
| 260 | auto i2 = makeSignedInterest(identity); // signed at +1s |
| 261 | advanceClocks(1_s); |
| 262 | auto i3 = makeSignedInterest(identity); // signed at +2s |
| 263 | |
Davide Pesavento | 4c1ad4c | 2020-11-16 21:12:02 -0500 | [diff] [blame] | 264 | m_systemClock->advance(-18_s); // verifying at -16s |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 265 | VALIDATE_FAILURE(i1, "Should fail (timestamp outside the grace period)"); |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 266 | BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 267 | rewindClockAfterValidation(); |
| 268 | |
| 269 | // SignedInterestValidator should not remember i1's timestamp |
| 270 | VALIDATE_FAILURE(i2, "Should fail (timestamp outside the grace period)"); |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 271 | BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 272 | rewindClockAfterValidation(); |
| 273 | |
| 274 | // SignedInterestValidator should not remember i2's timestamp, and should treat i3 as initial |
| 275 | advanceClocks(18_s); // verifying at +2s |
| 276 | VALIDATE_SUCCESS(i3, "Should succeed"); |
| 277 | } |
| 278 | |
| 279 | BOOST_AUTO_TEST_CASE(TimestampReorderEqual) |
| 280 | { |
| 281 | auto i1 = makeSignedInterest(identity); // signed at 0s |
| 282 | VALIDATE_SUCCESS(i1, "Should succeed"); |
| 283 | |
| 284 | auto i2 = makeSignedInterest(identity); // signed at 0s |
| 285 | auto si2 = i2.getSignatureInfo(); |
| 286 | si2->setTime(i1.getSignatureInfo()->getTime()); |
| 287 | i2.setSignatureInfo(*si2); |
| 288 | VALIDATE_FAILURE(i2, "Should fail (timestamp reordered)"); |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 289 | BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 290 | |
| 291 | advanceClocks(2_s); |
| 292 | auto i3 = makeSignedInterest(identity); // signed at +2s |
| 293 | VALIDATE_SUCCESS(i3, "Should succeed"); |
| 294 | } |
| 295 | |
| 296 | BOOST_AUTO_TEST_CASE(TimestampReorderNegative) |
| 297 | { |
| 298 | auto i2 = makeSignedInterest(identity); // signed at 0ms |
| 299 | advanceClocks(200_ms); |
| 300 | auto i3 = makeSignedInterest(identity); // signed at +200ms |
| 301 | advanceClocks(900_ms); |
| 302 | auto i1 = makeSignedInterest(identity); // signed at +1100ms |
| 303 | advanceClocks(300_ms); |
| 304 | auto i4 = makeSignedInterest(identity); // signed at +1400ms |
| 305 | |
Davide Pesavento | 4c1ad4c | 2020-11-16 21:12:02 -0500 | [diff] [blame] | 306 | m_systemClock->advance(-300_ms); // verifying at +1100ms |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 307 | VALIDATE_SUCCESS(i1, "Should succeed"); |
| 308 | rewindClockAfterValidation(); |
| 309 | |
Davide Pesavento | 4c1ad4c | 2020-11-16 21:12:02 -0500 | [diff] [blame] | 310 | m_systemClock->advance(-1100_ms); // verifying at 0ms |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 311 | VALIDATE_FAILURE(i2, "Should fail (timestamp reordered)"); |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 312 | BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 313 | rewindClockAfterValidation(); |
| 314 | |
| 315 | // SignedInterestValidator should not remember i2's timestamp |
| 316 | advanceClocks(200_ms); // verifying at +200ms |
| 317 | VALIDATE_FAILURE(i3, "Should fail (timestamp reordered)"); |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 318 | BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 319 | rewindClockAfterValidation(); |
| 320 | |
| 321 | advanceClocks(1200_ms); // verifying at 1400ms |
| 322 | VALIDATE_SUCCESS(i4, "Should succeed"); |
| 323 | } |
| 324 | |
Davide Pesavento | 49e1e87 | 2023-11-11 00:45:23 -0500 | [diff] [blame] | 325 | using NonPositiveGracePeriods = boost::mp11::mp_list<GracePeriodSeconds<0>, GracePeriodSeconds<-1>>; |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 326 | |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 327 | BOOST_FIXTURE_TEST_CASE_TEMPLATE(GraceNonPositive, GracePeriod, NonPositiveGracePeriods, |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 328 | ValidationPolicySignedInterestFixture<GracePeriod>) |
| 329 | { |
| 330 | auto i1 = this->makeSignedInterest(this->identity); // signed at 0ms |
| 331 | auto i2 = this->makeSignedInterest(this->subIdentity); // signed at 0ms |
| 332 | // ensure timestamps are exactly 0ms |
| 333 | for (auto interest : {&i1, &i2}) { |
| 334 | auto si = interest->getSignatureInfo(); |
| 335 | si->setTime(time::system_clock::now()); |
| 336 | interest->setSignatureInfo(*si); |
| 337 | } |
| 338 | |
| 339 | VALIDATE_SUCCESS(i1, "Should succeed when validating at 0ms"); |
| 340 | this->rewindClockAfterValidation(); |
| 341 | |
| 342 | this->advanceClocks(1_ms); |
| 343 | VALIDATE_FAILURE(i2, "Should fail when validating at 1ms"); |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 344 | BOOST_TEST(this->lastError.getCode() == ValidationError::POLICY_ERROR); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 345 | } |
| 346 | |
| 347 | BOOST_AUTO_TEST_SUITE_END() // TimestampValidation |
| 348 | |
| 349 | BOOST_AUTO_TEST_SUITE(SeqNumValidation) |
| 350 | |
| 351 | // By default, sequence number validation is disabled |
| 352 | BOOST_AUTO_TEST_CASE(Disabled) |
| 353 | { |
| 354 | auto i1 = makeSignedInterest(identity, WantAll); // signed at 0ms |
| 355 | VALIDATE_SUCCESS(i1, "Should succeed"); |
| 356 | |
| 357 | auto i2 = makeSignedInterest(identity, WantAll); // signed at +100ms |
| 358 | // Set i2 to have same seq num as i1 |
| 359 | auto si2 = i2.getSignatureInfo(); |
| 360 | si2->setSeqNum(i2.getSignatureInfo()->getSeqNum()); |
| 361 | i2.setSignatureInfo(*si2); |
| 362 | VALIDATE_SUCCESS(i2, "Should succeed"); |
| 363 | } |
| 364 | |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 365 | struct SeqNumValidationOptions |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 366 | { |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 367 | static ValidationPolicySignedInterest::Options |
| 368 | getOptions() |
| 369 | { |
| 370 | ValidationPolicySignedInterest::Options options; |
| 371 | options.shouldValidateSeqNums = true; |
| 372 | return options; |
| 373 | } |
| 374 | }; |
| 375 | |
| 376 | BOOST_FIXTURE_TEST_CASE(MissingSeqNum, |
| 377 | ValidationPolicySignedInterestFixture<SeqNumValidationOptions>) |
| 378 | { |
| 379 | auto i1 = makeSignedInterest(identity, InterestSigner::WantTime); |
| 380 | VALIDATE_FAILURE(i1, "Should fail (sequence number missing"); |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 381 | BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 382 | } |
| 383 | |
| 384 | BOOST_FIXTURE_TEST_CASE(SeqNumReorder, |
| 385 | ValidationPolicySignedInterestFixture<SeqNumValidationOptions>) |
| 386 | { |
| 387 | auto i1 = makeSignedInterest(identity, WantAll); // seq num is i |
| 388 | VALIDATE_SUCCESS(i1, "Should succeed"); |
| 389 | |
| 390 | auto i2 = makeSignedInterest(identity, WantAll); // seq num is i+1 |
| 391 | auto si2 = i2.getSignatureInfo(); |
| 392 | si2->setSeqNum(i1.getSignatureInfo()->getSeqNum()); |
| 393 | i2.setSignatureInfo(*si2); |
| 394 | VALIDATE_FAILURE(i2, "Should fail (sequence number reordered)"); |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 395 | BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 396 | |
| 397 | auto i3 = makeSignedInterest(identity, WantAll); // seq num is i+2 |
| 398 | VALIDATE_SUCCESS(i3, "Should succeed"); |
| 399 | } |
| 400 | |
| 401 | BOOST_AUTO_TEST_SUITE_END() // SeqNumValidation |
| 402 | |
| 403 | BOOST_AUTO_TEST_SUITE(NonceValidation) |
| 404 | |
| 405 | BOOST_AUTO_TEST_CASE(MissingNonce) |
| 406 | { |
| 407 | auto i1 = makeSignedInterest(identity, InterestSigner::WantTime); // Specifically exclude nonce |
| 408 | VALIDATE_FAILURE(i1, "Should fail (nonce missing)"); |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 409 | BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 410 | } |
| 411 | |
| 412 | BOOST_AUTO_TEST_CASE(DuplicateNonce) |
| 413 | { |
| 414 | auto i1 = makeSignedInterest(identity, WantAll); |
| 415 | VALIDATE_SUCCESS(i1, "Should succeed"); |
| 416 | |
| 417 | auto i2 = makeSignedInterest(identity, WantAll); |
| 418 | auto si2 = i2.getSignatureInfo(); |
| 419 | si2->setNonce(i1.getSignatureInfo()->getNonce()); |
| 420 | i2.setSignatureInfo(*si2); |
| 421 | VALIDATE_FAILURE(i2, "Should fail (duplicate nonce)"); |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 422 | BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 423 | |
| 424 | auto i3 = makeSignedInterest(identity, WantAll); |
| 425 | // On the off chance that the generated nonce is identical to i1 |
| 426 | while (i3.getSignatureInfo()->getNonce() == i1.getSignatureInfo()->getNonce()) { |
| 427 | i3 = makeSignedInterest(identity, WantAll); |
| 428 | } |
| 429 | VALIDATE_SUCCESS(i3, "Should succeed"); |
| 430 | } |
| 431 | |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 432 | struct DisabledNonceValidationOptions |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 433 | { |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 434 | static ValidationPolicySignedInterest::Options |
| 435 | getOptions() |
| 436 | { |
| 437 | ValidationPolicySignedInterest::Options options; |
| 438 | options.shouldValidateNonces = false; |
| 439 | return options; |
| 440 | } |
| 441 | }; |
| 442 | |
| 443 | BOOST_FIXTURE_TEST_CASE(Disabled, |
| 444 | ValidationPolicySignedInterestFixture<DisabledNonceValidationOptions>) |
| 445 | { |
| 446 | auto i1 = makeSignedInterest(identity, WantAll ^ InterestSigner::WantNonce); |
| 447 | VALIDATE_SUCCESS(i1, "Should succeed"); |
| 448 | |
| 449 | // Ensure still works when a nonce is present |
| 450 | auto i2 = makeSignedInterest(identity, WantAll); |
| 451 | VALIDATE_SUCCESS(i2, "Should succeed"); |
| 452 | |
| 453 | // Ensure a duplicate still succeeds |
| 454 | auto i3 = makeSignedInterest(identity, WantAll); |
| 455 | auto si3 = i3.getSignatureInfo(); |
| 456 | si3->setNonce(i2.getSignatureInfo()->getNonce()); |
| 457 | i3.setSignatureInfo(*si3); |
| 458 | m_keyChain.sign(i3, signingByIdentity(identity).setSignedInterestFormat(SignedInterestFormat::V03) |
| 459 | .setSignatureInfo(*si3)); |
| 460 | VALIDATE_SUCCESS(i3, "Should succeed"); |
| 461 | } |
| 462 | |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 463 | struct NonceLimit2Options |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 464 | { |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 465 | static ValidationPolicySignedInterest::Options |
| 466 | getOptions() |
| 467 | { |
| 468 | ValidationPolicySignedInterest::Options options; |
| 469 | options.shouldValidateTimestamps = false; |
| 470 | options.shouldValidateSeqNums = false; |
| 471 | options.maxNonceRecordCount = 2; |
| 472 | return options; |
| 473 | } |
| 474 | }; |
| 475 | |
| 476 | BOOST_FIXTURE_TEST_CASE(NonceRecordLimit, |
| 477 | ValidationPolicySignedInterestFixture<NonceLimit2Options>) |
| 478 | { |
| 479 | auto i1 = makeSignedInterest(identity, WantAll); |
| 480 | VALIDATE_SUCCESS(i1, "Should succeed"); |
| 481 | |
| 482 | auto i2 = makeSignedInterest(identity, WantAll); |
| 483 | // On the off chance that the generated nonce is identical to i1 |
| 484 | while (i2.getSignatureInfo()->getNonce() == i1.getSignatureInfo()->getNonce()) { |
| 485 | i2 = makeSignedInterest(identity, WantAll); |
| 486 | } |
| 487 | VALIDATE_SUCCESS(i2, "Should succeed"); |
| 488 | |
| 489 | auto i3 = makeSignedInterest(identity, WantAll); |
| 490 | auto si3 = i3.getSignatureInfo(); |
| 491 | si3->setNonce(i1.getSignatureInfo()->getNonce()); |
| 492 | i3.setSignatureInfo(*si3); |
| 493 | m_keyChain.sign(i3, signingByIdentity(identity).setSignedInterestFormat(SignedInterestFormat::V03) |
| 494 | .setSignatureInfo(*si3)); |
| 495 | VALIDATE_FAILURE(i3, "Should fail (duplicate nonce)"); |
Davide Pesavento | 2acce25 | 2022-09-08 22:03:03 -0400 | [diff] [blame] | 496 | BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR); |
Eric Newberry | 1caa634 | 2020-08-23 19:29:08 -0700 | [diff] [blame] | 497 | |
| 498 | // Pop i1's nonce off the list |
| 499 | auto i4 = makeSignedInterest(identity, WantAll); |
| 500 | // On the off chance that the generated nonce is identical to i1 or i2 |
| 501 | while (i4.getSignatureInfo()->getNonce() == i1.getSignatureInfo()->getNonce() || |
| 502 | i4.getSignatureInfo()->getNonce() == i2.getSignatureInfo()->getNonce()) { |
| 503 | i4 = makeSignedInterest(identity, WantAll); |
| 504 | } |
| 505 | VALIDATE_SUCCESS(i4, "Should succeed"); |
| 506 | |
| 507 | // Now i3 should succeed because i1's nonce has been popped off the list |
| 508 | auto i5 = makeSignedInterest(identity, WantAll); |
| 509 | auto si5 = i5.getSignatureInfo(); |
| 510 | si5->setNonce(i1.getSignatureInfo()->getNonce()); |
| 511 | i5.setSignatureInfo(*si5); |
| 512 | m_keyChain.sign(i5, signingByIdentity(identity).setSignedInterestFormat(SignedInterestFormat::V03) |
| 513 | .setSignatureInfo(*si5)); |
| 514 | VALIDATE_SUCCESS(i5, "Should succeed"); |
| 515 | } |
| 516 | |
| 517 | BOOST_AUTO_TEST_SUITE_END() // NonceValidation |
| 518 | |
| 519 | BOOST_AUTO_TEST_SUITE_END() // TestValidationPolicySignedInterest |
| 520 | BOOST_AUTO_TEST_SUITE_END() // Security |
| 521 | |
Davide Pesavento | 47ce2ee | 2023-05-09 01:33:33 -0400 | [diff] [blame] | 522 | } // namespace ndn::tests |