Gitiles
Code Review Sign In
gerrit.named-data.net / ndn-cxx / 48e8c0ca3bb33f4b4427124c738929be6748f0d2 / . / src / util / command-interest-validator.hpp
blob: ca65f27030162dd86b30367fc9dd937ea4a8677c [file] [log] [blame]
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]1/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
2/**
3 * Copyright (C) 2013 Regents of the University of California.
4 * See COPYING for copyright and distribution information.
5 */
6
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame^]7#ifndef NDN_UTIL_COMMAND_INTEREST_VALIDATOR_HPP
8#define NDN_UTIL_COMMAND_INTEREST_VALIDATOR_HPP
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]9
10#include "../security/validator.hpp"
11#include "../security/identity-certificate.hpp"
12#include "../security/sec-rule-specific.hpp"
13
14namespace ndn {
15
16class CommandInterestValidator : public Validator
17{
18public:
19 enum {
20 POS_SIG_VALUE = -1,
21 POS_SIG_INFO = -2,
22 POS_RANDOM_VAL = -3,
23 POS_TIMESTAMP = -4,
24
25 GRACE_INTERVAL = 3000 // ms
26 };
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]27
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame^]28 CommandInterestValidator(const time::milliseconds& graceInterval =
29 time::milliseconds(static_cast<int>(GRACE_INTERVAL)))
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]30 : m_graceInterval(graceInterval < time::milliseconds::zero() ?
31 time::milliseconds(static_cast<int>(GRACE_INTERVAL)) : graceInterval)
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]32 {
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]33 }
34
35 virtual
36 ~CommandInterestValidator()
37 {
38 }
39
40 void
41 addInterestRule(const std::string& regex, const IdentityCertificate& certificate);
42
43 void
44 addInterestRule(const std::string& regex, const Name& keyName, const PublicKey& publicKey);
45
46protected:
47 virtual void
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame^]48 checkPolicy(const Data& data,
49 int stepCount,
50 const OnDataValidated& onValidated,
51 const OnDataValidationFailed& onValidationFailed,
52 std::vector<shared_ptr<ValidationRequest> >& nextSteps)
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]53 {
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]54 onValidationFailed(data.shared_from_this(), "No policy for data checking");
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]55 }
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]56
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]57 virtual void
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame^]58 checkPolicy(const Interest& interest,
59 int stepCount,
60 const OnInterestValidated& onValidated,
61 const OnInterestValidationFailed& onValidationFailed,
62 std::vector<shared_ptr<ValidationRequest> >& nextSteps);
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]63private:
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]64 time::milliseconds m_graceInterval; //ms
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]65 std::map<Name, PublicKey> m_trustAnchorsForInterest;
66 std::list<SecRuleSpecific> m_trustScopeForInterest;
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]67
68 typedef std::map<Name, time::system_clock::TimePoint> LastTimestampMap;
69 LastTimestampMap m_lastTimestamp;
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]70};
71
72inline void
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame^]73CommandInterestValidator::addInterestRule(const std::string& regex,
74 const IdentityCertificate& certificate)
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]75{
76 Name keyName = IdentityCertificate::certificateNameToPublicKeyName(certificate.getName());
77 addInterestRule(regex, keyName, certificate.getPublicKeyInfo());
78}
79
80inline void
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame^]81CommandInterestValidator::addInterestRule(const std::string& regex,
82 const Name& keyName,
83 const PublicKey& publicKey)
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]84{
85 m_trustAnchorsForInterest[keyName] = publicKey;
86 shared_ptr<Regex> interestRegex = make_shared<Regex>(regex);
87 shared_ptr<Regex> signerRegex = Regex::fromName(keyName, true);
88 m_trustScopeForInterest.push_back(SecRuleSpecific(interestRegex, signerRegex));
89}
90
91inline void
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame^]92CommandInterestValidator::checkPolicy(const Interest& interest,
93 int stepCount,
94 const OnInterestValidated& onValidated,
95 const OnInterestValidationFailed& onValidationFailed,
96 std::vector<shared_ptr<ValidationRequest> >& nextSteps)
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]97{
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]98 const Name& interestName = interest.getName();
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]99
100 //Prepare
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]101 if (interestName.size() < 4)
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]102 return onValidationFailed(interest.shared_from_this(),
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]103 "Interest is not signed: " + interest.getName().toUri());
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]104
105 Signature signature(interestName[POS_SIG_INFO].blockFromValue(),
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]106 interestName[POS_SIG_VALUE].blockFromValue());
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]107
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]108 SignatureSha256WithRsa sig(signature);
109 const Name& keyLocatorName = sig.getKeyLocator().getName();
110 Name keyName = IdentityCertificate::certificateNameToPublicKeyName(keyLocatorName);
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]111
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]112 //Check if command is in the trusted scope
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame^]113 bool isInScope = false;
114 for (std::list<SecRuleSpecific>::iterator scopeIt = m_trustScopeForInterest.begin();
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]115 scopeIt != m_trustScopeForInterest.end();
116 ++scopeIt)
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]117 {
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame^]118 if (scopeIt->satisfy(interestName, keyName))
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]119 {
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame^]120 isInScope = true;
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]121 break;
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]122 }
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]123 }
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame^]124
125 if (isInScope == false)
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]126 return onValidationFailed(interest.shared_from_this(),
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]127 "Signer cannot be authorized for the command: " + keyName.toUri());
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]128
129 //Check if timestamp is valid
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame^]130 time::system_clock::TimePoint interestTime =
131 time::fromUnixTimestamp(time::milliseconds(interestName.get(POS_TIMESTAMP).toNumber()));
132
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]133 time::system_clock::TimePoint currentTime = time::system_clock::now();
134
135 LastTimestampMap::iterator timestampIt = m_lastTimestamp.find(keyName);
136 if (timestampIt == m_lastTimestamp.end())
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]137 {
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]138 if (!(currentTime - m_graceInterval <= interestTime &&
139 interestTime <= currentTime + m_graceInterval))
140 {
141 return onValidationFailed(interest.shared_from_this(),
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame^]142 "The command is not in grace interval: " +
143 interest.getName().toUri());
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]144 }
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]145 }
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]146 else
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]147 {
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]148 if(interestTime <= timestampIt->second)
149 return onValidationFailed(interest.shared_from_this(),
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]150 "The command is outdated: " + interest.getName().toUri());
151 }
152
153 //Check signature
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame^]154 if (!Validator::verifySignature(interestName.wireEncode().value(),
155 interestName.wireEncode().value_size() -
156 interestName[-1].size(),
157 sig, m_trustAnchorsForInterest[keyName]))
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]158 return onValidationFailed(interest.shared_from_this(),
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]159 "Signature cannot be validated: " + interest.getName().toUri());
160
161 //Update timestamp
Alexander Afanasyevaa0e7da2014-03-17 14:37:33 -0700[diff] [blame]162 if (timestampIt == m_lastTimestamp.end())
163 {
164 m_lastTimestamp[keyName] = interestTime;
165 }
166 else
167 {
168 timestampIt->second = interestTime;
169 }
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]170
171 return onValidated(interest.shared_from_this());
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]172}
173
Alexander Afanasyev9cbf70a2014-02-17 18:07:51 -0800[diff] [blame]174} // namespace ndn
175
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame^]176#endif // NDN_UTIL_COMMAND_INTEREST_VALIDATOR_HPP