/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
/**
 * Copyright (C) 2013 Regents of the University of California.
 * See COPYING for copyright and distribution information.
 */
6
7#ifndef NDN_SECURITY_VALIDATOR_CONFIG_HPP
8#define NDN_SECURITY_VALIDATOR_CONFIG_HPP
9
10#include "validator.hpp"
11#include "certificate-cache.hpp"
12#include "conf/rule.hpp"
13#include "conf/common.hpp"
14
15namespace ndn {
16
/**
 * @brief Validator whose trust rules and trust anchors come from a configuration file.
 *
 * Rules (per-Interest and per-Data) and anchor certificates are filled in by the
 * load() overloads and consulted by checkPolicy() / checkSignature(). The
 * configuration is trusted input: whatever anchors it names become roots of trust
 * for every packet this validator accepts.
 *
 * Note on signature types (see checkSignature below): a Signature::Sha256 packet is
 * reported as validated on the strength of its digest alone, without consulting any
 * anchor or certificate, so it proves integrity but not origin.
 */
class ValidatorConfig : public Validator
{
public:
  /// Exception raised by this validator (e.g. on configuration problems); same
  /// interface as Validator::Error so callers catching the base type still work.
  class Error : public Validator::Error
  {
  public:
    explicit
    Error(const std::string& what)
      : Validator::Error(what)
    {
    }
  };

  /// Cache handed to the constructor when the caller does not supply one.
  static const shared_ptr<CertificateCache> DEFAULT_CERTIFICATE_CACHE;

  /**
   * @param face             Face used to fetch signing certificates (passed to Validator).
   * @param certificateCache Cache of already-validated certificates; defaults to
   *                         DEFAULT_CERTIFICATE_CACHE.
   * @param stepLimit        Stored in m_stepLimit. Presumably the bound on how deep a
   *                         certificate-fetch chain may go (checkSignature schedules
   *                         the next step with stepCount + 1); the comparison itself
   *                         is in the .cpp, not visible here — confirm.
   */
  ValidatorConfig(shared_ptr<Face> face,
                  shared_ptr<CertificateCache> certificateCache = DEFAULT_CERTIFICATE_CACHE,
                  const int stepLimit = 10);

  virtual
  ~ValidatorConfig()
  {
  }

  /// Load rules and anchors from the file at @p filename.
  void
  load(const std::string& filename);

  /// Load rules and anchors from the configuration text @p input.
  /// @p filename is carried alongside; its use (diagnostics, relative paths)
  /// is decided in the .cpp — confirm before relying on it.
  void
  load(const std::string& input, const std::string& filename);

  /// Load rules and anchors from the stream @p input; @p filename as above.
  void
  load(std::istream& input, const std::string& filename);

protected:
  /**
   * @brief Policy hook for Data packets (overrides the Validator hook).
   * @param stepCount          Depth of the current validation step.
   * @param onValidated        Invoked when the packet is accepted.
   * @param onValidationFailed Invoked with a reason when it is rejected.
   * @param nextSteps          Out-list of further ValidationRequests (e.g. certificate fetches).
   */
  virtual void
  checkPolicy(const Data& data,
              int stepCount,
              const OnDataValidated& onValidated,
              const OnDataValidationFailed& onValidationFailed,
              std::vector<shared_ptr<ValidationRequest> >& nextSteps);

  /// Policy hook for Interest packets; parameters as for the Data overload.
  virtual void
  checkPolicy(const Interest& interest,
              int stepCount,
              const OnInterestValidated& onValidated,
              const OnInterestValidationFailed& onValidationFailed,
              std::vector<shared_ptr<ValidationRequest> >& nextSteps);

private:
  /**
   * @brief Verify @p signature on @p packet, or schedule a fetch of the signer's certificate.
   *
   * Sha256: verified from the digest alone and accepted. Sha256WithRsa: the key
   * locator name is looked up in m_anchors, then in m_certificateCache; if found the
   * signature is checked now, otherwise a ValidationRequest for the certificate is
   * appended to @p nextSteps with depth stepCount + 1 and the result arrives through
   * onCertValidated / onCertFailed. Any other type fails as unsupported.
   */
  template<class Packet, class OnValidated, class OnFailed>
  void
  checkSignature(const Packet& packet,
                 const Signature& signature,
                 int stepCount,
                 const OnValidated& onValidated,
                 const OnFailed& onValidationFailed,
                 std::vector<shared_ptr<ValidationRequest> >& nextSteps);

  /// Continuation once the fetched signing certificate has itself been validated:
  /// checks its validity period, caches it, then verifies @p packet with its key.
  template<class Packet, class OnValidated, class OnFailed>
  void
  onCertValidated(const shared_ptr<const Data>& signCertificate,
                  const shared_ptr<const Packet>& packet,
                  const OnValidated& onValidated,
                  const OnFailed& onValidationFailed);

  /// Continuation when the signing certificate could not be validated;
  /// forwards @p failureInfo to the packet's failure callback.
  template<class Packet, class OnFailed>
  void
  onCertFailed(const shared_ptr<const Data>& signCertificate,
               const std::string& failureInfo,
               const shared_ptr<const Packet>& packet,
               const OnFailed& onValidationFailed);

  /// Walk a parsed configuration section; dispatches to the handlers below (body in the .cpp).
  void
  process(const security::conf::ConfigSection& configSection,
          const std::string& filename);

  /// Handle one "rule" section of the configuration (body in the .cpp).
  void
  onConfigRule(const security::conf::ConfigSection& section,
               const std::string& filename);

  /// Handle one "trust-anchor" section of the configuration (body in the .cpp).
  void
  onConfigTrustAnchor(const security::conf::ConfigSection& section,
                      const std::string& filename);

private:
  typedef security::conf::Rule<Interest> InterestRule;
  typedef security::conf::Rule<Data> DataRule;
  typedef std::vector<shared_ptr<InterestRule> > InterestRuleList;
  typedef std::vector<shared_ptr<DataRule> > DataRuleList;
  // Anchors are keyed by certificate name; checkSignature looks them up by key locator name.
  typedef std::map<Name, shared_ptr<IdentityCertificate> > AnchorList;

  int m_stepLimit;                               // from the constructor's stepLimit
  shared_ptr<CertificateCache> m_certificateCache;

  InterestRuleList m_interestRules;
  DataRuleList m_dataRules;
  AnchorList m_anchors;                          // configured roots of trust
};
115
/**
 * @brief Verify the packet's signature, or queue a fetch of the signer's certificate.
 *
 * Sha256 signatures are accepted purely on their digest. Sha256WithRsa signatures are
 * checked against a trust anchor or cached certificate named by the key locator; when
 * neither is available a ValidationRequest for that certificate is appended to
 * @p nextSteps (depth stepCount + 1) and onCertValidated / onCertFailed finish the job.
 * Every other signature type is rejected as unsupported.
 */
template<class Packet, class OnValidated, class OnFailed>
void
ValidatorConfig::checkSignature(const Packet& packet,
                                const Signature& signature,
                                int stepCount,
                                const OnValidated& onValidated,
                                const OnFailed& onValidationFailed,
                                std::vector<shared_ptr<ValidationRequest> >& nextSteps)
{
  if (signature.getType() == Signature::Sha256)
    {
      // Digest-only signature: no anchor or certificate is consulted, so a
      // successful check proves the packet is intact, not who produced it.
      SignatureSha256 digestSig(signature);
      if (!verifySignature(packet, digestSig))
        return onValidationFailed(packet.shared_from_this(),
                                  "Sha256 Signature cannot be verified!");
      return onValidated(packet.shared_from_this());
    }

  if (signature.getType() != Signature::Sha256WithRsa)
    return onValidationFailed(packet.shared_from_this(), "Unsupported Signature Type!");

  SignatureSha256WithRsa rsaSig(signature);
  const Name signerName = rsaSig.getKeyLocator().getName();

  // A configured anchor wins; otherwise fall back to the certificate cache.
  shared_ptr<const Certificate> signerCert;
  AnchorList::const_iterator anchor = m_anchors.find(signerName);
  if (anchor != m_anchors.end())
    signerCert = anchor->second;
  else
    signerCert = m_certificateCache->getCertificate(signerName);

  if (!signerCert)
    {
      // Signer unknown: have the validator fetch and validate its certificate first.
      // The continuation re-checks this packet once the certificate is trusted.
      OnDataValidated onCertOk =
        bind(&ValidatorConfig::onCertValidated<Packet, OnValidated, OnFailed>,
             this, _1, packet.shared_from_this(), onValidated, onValidationFailed);

      OnDataValidationFailed onCertBad =
        bind(&ValidatorConfig::onCertFailed<Packet, OnFailed>,
             this, _1, _2, packet.shared_from_this(), onValidationFailed);

      Interest certInterest(signerName);

      // stepCount + 1: one level deeper in the certificate chain (the depth
      // limit is enforced by the caller, not here).
      nextSteps.push_back(make_shared<ValidationRequest>(boost::cref(certInterest),
                                                         onCertOk,
                                                         onCertBad,
                                                         1, stepCount + 1));
      return;
    }

  if (!verifySignature(packet, rsaSig, signerCert->getPublicKeyInfo()))
    return onValidationFailed(packet.shared_from_this(), "Cannot verify signature");
  return onValidated(packet.shared_from_this());
}
181
/**
 * @brief Finish validating @p packet once its signing certificate has been validated.
 *
 * Rebuilds the fetched Data as an IdentityCertificate, rejects it if outside its
 * validity period, otherwise caches it and verifies @p packet against its public key.
 * Exactly one of @p onValidated / @p onValidationFailed is invoked.
 */
template<class Packet, class OnValidated, class OnFailed>
void
ValidatorConfig::onCertValidated(const shared_ptr<const Data>& signCertificate,
                                 const shared_ptr<const Packet>& packet,
                                 const OnValidated& onValidated,
                                 const OnFailed& onValidationFailed)
{
  shared_ptr<IdentityCertificate> signerCert =
    make_shared<IdentityCertificate>(boost::cref(*signCertificate));

  // Expired or not-yet-valid certificates never reach the cache.
  if (signerCert->isTooLate() || signerCert->isTooEarly())
    return onValidationFailed(packet,
                              "Signing certificate " +
                              signCertificate->getName().toUri() +
                              " is no longer valid.");

  m_certificateCache->insertCertificate(signerCert);

  if (!verifySignature(*packet, signerCert->getPublicKeyInfo()))
    return onValidationFailed(packet,
                              "Cannot verify signature: " +
                              packet->getName().toUri());

  return onValidated(packet);
}
211
/**
 * @brief Propagate a signing-certificate failure to the packet's failure callback.
 *
 * @p signCertificate is not inspected; only @p failureInfo is forwarded.
 */
template<class Packet, class OnFailed>
void
ValidatorConfig::onCertFailed(const shared_ptr<const Data>& signCertificate,
                              const std::string& failureInfo,
                              const shared_ptr<const Packet>& packet,
                              const OnFailed& onValidationFailed)
{
  static_cast<void>(signCertificate);  // kept for the bind() signature in checkSignature
  onValidationFailed(packet, failureInfo);
}
221
222} // namespace ndn
223
224#endif // NDN_SECURITY_VALIDATOR_CONFIG_HPP