Gitiles
Code Review Sign In
gerrit.named-data.net / ndn-cxx / 47ce2eed3ad667074c2a6a39f1cb5b866459dae5 / . / tests / unit / security / validator.t.cpp
blob: c56db6af8b19739ab620dbdf43d0c9671cbf91e5 [file] [log] [blame]
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]1/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]2/*
Davide Pesavento47ce2ee2023-05-09 01:33:33 -0400[diff] [blame^]3 * Copyright (c) 2013-2023 Regents of the University of California.
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]4 *
5 * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
6 *
7 * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8 * terms of the GNU Lesser General Public License as published by the Free Software
9 * Foundation, either version 3 of the License, or (at your option) any later version.
10 *
11 * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13 * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14 *
15 * You should have received copies of the GNU General Public License and GNU Lesser
16 * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17 * <http://www.gnu.org/licenses/>.
18 *
19 * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
20 */
21
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]22#include "ndn-cxx/security/validator.hpp"
23#include "ndn-cxx/security/validation-policy-simple-hierarchy.hpp"
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]24
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]25#include "tests/test-common.hpp"
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]26#include "tests/unit/security/validator-fixture.hpp"
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]27
Davide Pesavento47ce2ee2023-05-09 01:33:33 -0400[diff] [blame^]28namespace ndn::tests {
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]29
Davide Pesavento47ce2ee2023-05-09 01:33:33 -0400[diff] [blame^]30using namespace ndn::security;
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]31
32BOOST_AUTO_TEST_SUITE(Security)
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]33BOOST_FIXTURE_TEST_SUITE(TestValidator, HierarchicalValidatorFixture<ValidationPolicySimpleHierarchy>)
34
Alexander Afanasyevb54aa572017-03-21 19:40:49 -0500[diff] [blame]35BOOST_AUTO_TEST_CASE(ConstructorSetValidator)
36{
37 auto middlePolicy = make_unique<ValidationPolicySimpleHierarchy>();
38 auto innerPolicy = make_unique<ValidationPolicySimpleHierarchy>();
39
40 validator.getPolicy().setInnerPolicy(std::move(middlePolicy));
41 validator.getPolicy().setInnerPolicy(std::move(innerPolicy));
42
43 BOOST_CHECK(validator.getPolicy().m_validator != nullptr);
44 BOOST_CHECK(validator.getPolicy().getInnerPolicy().m_validator != nullptr);
45 BOOST_CHECK(validator.getPolicy().getInnerPolicy().getInnerPolicy().m_validator != nullptr);
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]46
47 BOOST_CHECK_THROW(validator.getPolicy().setInnerPolicy(nullptr), std::invalid_argument);
Alexander Afanasyevb54aa572017-03-21 19:40:49 -0500[diff] [blame]48}
49
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]50BOOST_AUTO_TEST_CASE(BadSignatureInfo)
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]51{
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]52 Interest interest("/Security/ValidatorFixture/Sub1/Sub2/Interest");
53 m_keyChain.sign(interest, signingByIdentity(subIdentity)
54 .setSignedInterestFormat(SignedInterestFormat::V03));
55
56 // add an unrecognized critical element inside InterestSignatureInfo
57 auto si = interest.getSignatureInfo().value();
58 si.addCustomTlv("7F00"_block);
59 interest.setSignatureInfo(si);
60 BOOST_REQUIRE_THROW(interest.getSignatureInfo(), tlv::Error);
61 BOOST_REQUIRE_NO_THROW(interest.getSignatureValue());
62
63 VALIDATE_FAILURE(interest, "InterestSignatureInfo decoding should fail");
Davide Pesavento637ea3b2022-09-10 00:11:34 -0400[diff] [blame]64 BOOST_TEST(lastError.getCode() == ValidationError::MALFORMED_SIGNATURE);
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]65 BOOST_TEST(face.sentInterests.size() == 0);
66}
67
68BOOST_AUTO_TEST_CASE(BadSignatureValue)
69{
70 const uint8_t sv[] = {0x12, 0x34, 0x56, 0x78};
71
72 Interest interest("/Security/ValidatorFixture/Sub1/Sub2/Interest");
73 m_keyChain.sign(interest, signingByIdentity(subIdentity)
74 .setSignedInterestFormat(SignedInterestFormat::V03));
75 interest.setSignatureValue(sv);
76
77 VALIDATE_FAILURE(interest, "Signature check should fail");
78 BOOST_TEST(lastError.getCode() == ValidationError::INVALID_SIGNATURE);
79 BOOST_TEST(face.sentInterests.size() == 1);
80
81 Data data("/Security/ValidatorFixture/Sub1/Sub2/Data");
82 m_keyChain.sign(data, signingByIdentity(subIdentity));
83 data.setSignatureValue(sv);
84
85 VALIDATE_FAILURE(data, "Signature check should fail");
86 BOOST_TEST(lastError.getCode() == ValidationError::INVALID_SIGNATURE);
87 BOOST_TEST(face.sentInterests.size() == 1);
88}
89
90BOOST_AUTO_TEST_CASE(Timeout)
91{
92 processInterest = nullptr; // no response for any interest
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]93
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]94 Data data("/Security/ValidatorFixture/Sub1/Sub2/Data");
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]95 m_keyChain.sign(data, signingByIdentity(subIdentity));
96
97 VALIDATE_FAILURE(data, "Should fail to retrieve certificate");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]98 BOOST_TEST(lastError.getCode() == ValidationError::CANNOT_RETRIEVE_CERT);
99 BOOST_TEST(face.sentInterests.size() == 4);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]100}
101
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]102BOOST_AUTO_TEST_CASE(Nack)
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]103{
104 processInterest = [this] (const Interest& interest) {
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]105 face.receive(makeNack(interest, lp::NackReason::NO_ROUTE));
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]106 };
107
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]108 Data data("/Security/ValidatorFixture/Sub1/Sub2/Data");
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]109 m_keyChain.sign(data, signingByIdentity(subIdentity));
110
111 VALIDATE_FAILURE(data, "All interests should get NACKed");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]112 BOOST_TEST(lastError.getCode() == ValidationError::CANNOT_RETRIEVE_CERT);
Ashlesh Gawande3e39a4d2018-08-30 16:49:13 -0500[diff] [blame]113 // 1 for the first interest, 3 for the retries on nack
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]114 BOOST_TEST(face.sentInterests.size() == 4);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]115}
116
117BOOST_AUTO_TEST_CASE(MalformedCert)
118{
119 Data malformedCert = subIdentity.getDefaultKey().getDefaultCertificate();
120 malformedCert.setContentType(tlv::ContentType_Blob);
121 m_keyChain.sign(malformedCert, signingByIdentity(identity));
122 // wrong content type & missing ValidityPeriod
123 BOOST_REQUIRE_THROW(Certificate(malformedCert.wireEncode()), tlv::Error);
124
125 auto originalProcessInterest = processInterest;
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]126 processInterest = [&] (const Interest& interest) {
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]127 if (interest.getName().isPrefixOf(malformedCert.getName())) {
128 face.receive(malformedCert);
129 }
130 else {
131 originalProcessInterest(interest);
132 }
133 };
134
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]135 Data data("/Security/ValidatorFixture/Sub1/Sub2/Data");
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]136 m_keyChain.sign(data, signingByIdentity(subIdentity));
137
138 VALIDATE_FAILURE(data, "Signed by a malformed certificate");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]139 BOOST_TEST(lastError.getCode() == ValidationError::MALFORMED_CERT);
140 BOOST_TEST(face.sentInterests.size() == 1);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]141}
142
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]143BOOST_AUTO_TEST_CASE(ExpiredCert)
144{
145 Data expiredCert = subIdentity.getDefaultKey().getDefaultCertificate();
146 SignatureInfo info;
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]147 info.setValidityPeriod(ValidityPeriod::makeRelative(-2_h, -1_h));
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]148 m_keyChain.sign(expiredCert, signingByIdentity(identity).setSignatureInfo(info));
149 BOOST_REQUIRE_NO_THROW(Certificate(expiredCert.wireEncode()));
150
151 auto originalProcessInterest = processInterest;
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]152 processInterest = [&] (const Interest& interest) {
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]153 if (interest.getName().isPrefixOf(expiredCert.getName())) {
154 face.receive(expiredCert);
155 }
156 else {
Davide Pesaventob88c6bf2017-09-11 20:15:28 -0400[diff] [blame]157 originalProcessInterest(interest);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]158 }
159 };
160
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]161 Data data("/Security/ValidatorFixture/Sub1/Sub2/Data");
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]162 m_keyChain.sign(data, signingByIdentity(subIdentity));
163
164 VALIDATE_FAILURE(data, "Signed by an expired certificate");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]165 BOOST_TEST(lastError.getCode() == ValidationError::EXPIRED_CERT);
166 BOOST_TEST(face.sentInterests.size() == 1);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]167}
168
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]169BOOST_AUTO_TEST_CASE(ResetAnchors)
170{
171 validator.resetAnchors();
172
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]173 Data data("/Security/ValidatorFixture/Sub1/Sub2/Data");
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]174 m_keyChain.sign(data, signingByIdentity(subIdentity));
175 VALIDATE_FAILURE(data, "Should fail, as no anchors configured");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]176 BOOST_TEST(lastError.getCode() == ValidationError::LOOP_DETECTED);
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]177}
178
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]179BOOST_AUTO_TEST_CASE(TrustedCertCaching)
180{
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]181 Data data("/Security/ValidatorFixture/Sub1/Sub2/Data");
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]182 m_keyChain.sign(data, signingByIdentity(subIdentity));
183
184 VALIDATE_SUCCESS(data, "Should get accepted, as signed by the policy-compliant cert");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]185 BOOST_TEST(face.sentInterests.size() == 1);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]186 face.sentInterests.clear();
187
188 processInterest = nullptr; // disable data responses from mocked network
189
190 VALIDATE_SUCCESS(data, "Should get accepted, based on the cached trusted cert");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]191 BOOST_TEST(face.sentInterests.size() == 0);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]192 face.sentInterests.clear();
193
Davide Pesavento0f830802018-01-16 23:58:58 -0500[diff] [blame]194 advanceClocks(1_h, 2); // expire trusted cache
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]195
196 VALIDATE_FAILURE(data, "Should try and fail to retrieve certs");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]197 BOOST_TEST(lastError.getCode() == ValidationError::CANNOT_RETRIEVE_CERT);
198 BOOST_TEST(face.sentInterests.size() > 1);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]199}
200
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]201BOOST_AUTO_TEST_CASE(ResetVerifiedCerts)
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]202{
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]203 Data data("/Security/ValidatorFixture/Sub1/Sub2/Data");
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]204 m_keyChain.sign(data, signingByIdentity(subIdentity));
205 VALIDATE_SUCCESS(data, "Should get accepted, as signed by the policy-compliant cert");
206
207 // reset anchors
208 validator.resetAnchors();
209 VALIDATE_SUCCESS(data, "Should get accepted, as signed by the cert in trusted cache");
210
211 // reset trusted cache
212 validator.resetVerifiedCertificates();
213 VALIDATE_FAILURE(data, "Should fail, as no trusted cache or anchors");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]214 BOOST_TEST(lastError.getCode() == ValidationError::LOOP_DETECTED);
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]215}
216
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]217BOOST_AUTO_TEST_CASE(UntrustedCertCaching)
218{
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]219 Data data("/Security/ValidatorFixture/Sub1/Sub2/Data");
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]220 m_keyChain.sign(data, signingByIdentity(subSelfSignedIdentity));
221
222 VALIDATE_FAILURE(data, "Should fail, as signed by the policy-violating cert");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]223 BOOST_TEST(lastError.getCode() == ValidationError::LOOP_DETECTED);
224 BOOST_TEST(face.sentInterests.size() == 1);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]225 face.sentInterests.clear();
226
227 processInterest = nullptr; // disable data responses from mocked network
228
229 VALIDATE_FAILURE(data, "Should fail again, but no network operations expected");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]230 BOOST_TEST(lastError.getCode() == ValidationError::LOOP_DETECTED);
231 BOOST_TEST(face.sentInterests.size() == 0);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]232 face.sentInterests.clear();
233
Davide Pesavento0f830802018-01-16 23:58:58 -0500[diff] [blame]234 advanceClocks(10_min, 2); // expire untrusted cache
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]235
236 VALIDATE_FAILURE(data, "Should try and fail to retrieve certs");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]237 BOOST_TEST(lastError.getCode() == ValidationError::CANNOT_RETRIEVE_CERT);
238 BOOST_TEST(face.sentInterests.size() > 1);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]239}
240
241class ValidationPolicySimpleHierarchyForInterestOnly : public ValidationPolicySimpleHierarchy
242{
243public:
244 void
Davide Pesavento4c1ad4c2020-11-16 21:12:02 -0500[diff] [blame]245 checkPolicy(const Data&, const shared_ptr<ValidationState>& state,
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]246 const ValidationContinuation& continueValidation) override
247 {
248 continueValidation(nullptr, state);
249 }
250};
251
252BOOST_FIXTURE_TEST_CASE(ValidateInterestsButBypassForData,
253 HierarchicalValidatorFixture<ValidationPolicySimpleHierarchyForInterestOnly>)
254{
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]255 Interest interest("/Security/ValidatorFixture/Sub1/Sub2/Interest");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]256 Data data("/Security/ValidatorFixture/Sub1/Sub2/Data");
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]257
258 VALIDATE_FAILURE(interest, "Unsigned");
Davide Pesavento637ea3b2022-09-10 00:11:34 -0400[diff] [blame]259 BOOST_TEST(lastError.getCode() == ValidationError::MALFORMED_SIGNATURE);
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]260 VALIDATE_SUCCESS(data, "Policy bypasses validation for all data");
261 BOOST_TEST(face.sentInterests.size() == 0);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]262 face.sentInterests.clear();
263
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]264 interest = Interest("/Security/ValidatorFixture/Sub1/Sub2/Interest");
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]265 m_keyChain.sign(interest, signingWithSha256());
266 m_keyChain.sign(data, signingWithSha256());
267 VALIDATE_FAILURE(interest, "Required KeyLocator/Name missing (not passed to policy)");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]268 BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR);
269 VALIDATE_SUCCESS(data, "Policy bypasses validation for all data");
270 BOOST_TEST(face.sentInterests.size() == 0);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]271 face.sentInterests.clear();
272
273 m_keyChain.sign(interest, signingByIdentity(identity));
274 m_keyChain.sign(data, signingByIdentity(identity));
275 VALIDATE_SUCCESS(interest, "Should get accepted, as signed by the anchor");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]276 VALIDATE_SUCCESS(data, "Policy bypasses validation for all data");
277 BOOST_TEST(face.sentInterests.size() == 0);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]278 face.sentInterests.clear();
279
280 m_keyChain.sign(interest, signingByIdentity(subIdentity));
281 m_keyChain.sign(data, signingByIdentity(subIdentity));
282 VALIDATE_FAILURE(interest, "Should fail, as policy is not allowed to create new trust anchors");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]283 BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR);
284 VALIDATE_SUCCESS(data, "Policy bypasses validation for all data");
285 BOOST_TEST(face.sentInterests.size() == 1);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]286 face.sentInterests.clear();
287
288 m_keyChain.sign(interest, signingByIdentity(otherIdentity));
289 m_keyChain.sign(data, signingByIdentity(otherIdentity));
290 VALIDATE_FAILURE(interest, "Should fail, as signed by the policy-violating cert");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]291 BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR);
292 VALIDATE_SUCCESS(data, "Policy bypasses validation for all data");
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]293 // no network operations expected, as certificate is not validated by the policy
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]294 BOOST_TEST(face.sentInterests.size() == 0);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]295 face.sentInterests.clear();
296
Davide Pesavento0f830802018-01-16 23:58:58 -0500[diff] [blame]297 advanceClocks(1_h, 2); // expire trusted cache
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]298
299 m_keyChain.sign(interest, signingByIdentity(subSelfSignedIdentity));
300 m_keyChain.sign(data, signingByIdentity(subSelfSignedIdentity));
301 VALIDATE_FAILURE(interest, "Should fail, as policy is not allowed to create new trust anchors");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]302 BOOST_TEST(lastError.getCode() == ValidationError::POLICY_ERROR);
303 VALIDATE_SUCCESS(data, "Policy bypasses validation for all data");
304 BOOST_TEST(face.sentInterests.size() == 1);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]305 face.sentInterests.clear();
306}
307
Alexander Afanasyev5af04a72017-01-30 22:41:23 -0800[diff] [blame]308BOOST_AUTO_TEST_CASE(InfiniteCertChain)
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]309{
310 processInterest = [this] (const Interest& interest) {
311 // create another key for the same identity and sign it properly
312 Key parentKey = m_keyChain.createKey(subIdentity);
313 Key requestedKey = subIdentity.getKey(interest.getName());
Junxiao Shi9ee770b2022-04-25 23:33:33 +0000[diff] [blame]314
315 SignatureInfo sigInfo;
316 sigInfo.setKeyLocator(parentKey.getName());
317 auto si = signingByKey(parentKey).setSignatureInfo(sigInfo);
318
319 auto cert = m_keyChain.makeCertificate(requestedKey, si);
Davide Pesavento4c1ad4c2020-11-16 21:12:02 -0500[diff] [blame]320 face.receive(cert);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]321 };
322
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]323 Data data("/Security/ValidatorFixture/Sub1/Sub2/Data");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]324 m_keyChain.sign(data, signingByIdentity(subIdentity)
325 .setSignatureInfo(SignatureInfo()
326 .setKeyLocator(subIdentity.getDefaultKey().getName())));
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]327
328 validator.setMaxDepth(40);
329 BOOST_CHECK_EQUAL(validator.getMaxDepth(), 40);
330 VALIDATE_FAILURE(data, "Should fail, as certificate should be looped");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]331 BOOST_TEST(lastError.getCode() == ValidationError::EXCEEDED_DEPTH_LIMIT);
332 BOOST_TEST(face.sentInterests.size() == 40);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]333 face.sentInterests.clear();
334
Davide Pesavento0f830802018-01-16 23:58:58 -0500[diff] [blame]335 advanceClocks(1_h, 5); // expire caches
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]336
337 validator.setMaxDepth(30);
338 BOOST_CHECK_EQUAL(validator.getMaxDepth(), 30);
Alexander Afanasyev5af04a72017-01-30 22:41:23 -0800[diff] [blame]339 VALIDATE_FAILURE(data, "Should fail, as certificate chain is infinite");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]340 BOOST_TEST(lastError.getCode() == ValidationError::EXCEEDED_DEPTH_LIMIT);
341 BOOST_TEST(face.sentInterests.size() == 30);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]342}
343
Alexander Afanasyev5af04a72017-01-30 22:41:23 -0800[diff] [blame]344BOOST_AUTO_TEST_CASE(LoopedCertChain)
345{
Davide Pesavento4c1ad4c2020-11-16 21:12:02 -0500[diff] [blame]346 auto s1 = m_keyChain.createIdentity("/loop");
Alexander Afanasyev5af04a72017-01-30 22:41:23 -0800[diff] [blame]347 auto k1 = m_keyChain.createKey(s1, RsaKeyParams(name::Component("key1")));
348 auto k2 = m_keyChain.createKey(s1, RsaKeyParams(name::Component("key2")));
349 auto k3 = m_keyChain.createKey(s1, RsaKeyParams(name::Component("key3")));
350
Junxiao Shi7d728682022-04-01 01:21:13 +0000[diff] [blame]351 auto makeLoopCert = [this] (Key& key, const Key& signer) {
Junxiao Shi9ee770b2022-04-25 23:33:33 +0000[diff] [blame]352 SignatureInfo sigInfo;
353 sigInfo.setKeyLocator(signer.getName());
354 auto si = signingByKey(signer).setSignatureInfo(sigInfo);
355
356 auto cert = m_keyChain.makeCertificate(key, si);
Junxiao Shi7d728682022-04-01 01:21:13 +0000[diff] [blame]357 m_keyChain.setDefaultCertificate(key, cert);
358 cache.insert(cert);
Alexander Afanasyev5af04a72017-01-30 22:41:23 -0800[diff] [blame]359 };
360
Junxiao Shi7d728682022-04-01 01:21:13 +0000[diff] [blame]361 makeLoopCert(k1, k2);
362 makeLoopCert(k2, k3);
363 makeLoopCert(k3, k1);
Alexander Afanasyev5af04a72017-01-30 22:41:23 -0800[diff] [blame]364
365 Data data("/loop/Data");
366 m_keyChain.sign(data, signingByKey(k1));
367 VALIDATE_FAILURE(data, "Should fail, as certificate chain loops");
Davide Pesavento2acce252022-09-08 22:03:03 -0400[diff] [blame]368 BOOST_TEST(lastError.getCode() == ValidationError::LOOP_DETECTED);
369 BOOST_TEST_REQUIRE(face.sentInterests.size() == 3);
Junxiao Shi7d728682022-04-01 01:21:13 +0000[diff] [blame]370 BOOST_CHECK_EQUAL(face.sentInterests[0].getName(), k1.getDefaultCertificate().getName());
371 BOOST_CHECK_EQUAL(face.sentInterests[1].getName(), k2.getName());
372 BOOST_CHECK_EQUAL(face.sentInterests[2].getName(), k3.getName());
Alexander Afanasyev5af04a72017-01-30 22:41:23 -0800[diff] [blame]373}
374
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]375BOOST_AUTO_TEST_SUITE_END() // TestValidator
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]376BOOST_AUTO_TEST_SUITE_END() // Security
377
Davide Pesavento47ce2ee2023-05-09 01:33:33 -0400[diff] [blame^]378} // namespace ndn::tests