Alexander Afanasyev | c169a81 | 2014-05-20 20:37:29 -0400 | [diff] [blame] | 1 | /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */ |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 2 | /** |
Alexander Afanasyev | c169a81 | 2014-05-20 20:37:29 -0400 | [diff] [blame] | 3 | * Copyright (c) 2013-2014 Regents of the University of California. |
Alexander Afanasyev | dfa52c4 | 2014-04-24 21:10:11 -0700 | [diff] [blame] | 4 | * |
| 5 | * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions). |
Alexander Afanasyev | dfa52c4 | 2014-04-24 21:10:11 -0700 | [diff] [blame] | 6 | * |
Alexander Afanasyev | c169a81 | 2014-05-20 20:37:29 -0400 | [diff] [blame] | 7 | * ndn-cxx library is free software: you can redistribute it and/or modify it under the |
| 8 | * terms of the GNU Lesser General Public License as published by the Free Software |
| 9 | * Foundation, either version 3 of the License, or (at your option) any later version. |
| 10 | * |
| 11 | * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY |
| 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A |
| 13 | * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. |
| 14 | * |
| 15 | * You should have received copies of the GNU General Public License and GNU Lesser |
| 16 | * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see |
| 17 | * <http://www.gnu.org/licenses/>. |
| 18 | * |
| 19 | * See AUTHORS.md for complete list of ndn-cxx authors and contributors. |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 20 | */ |
| 21 | |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 22 | #ifndef NDN_UTIL_COMMAND_INTEREST_VALIDATOR_HPP |
| 23 | #define NDN_UTIL_COMMAND_INTEREST_VALIDATOR_HPP |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 24 | |
| 25 | #include "../security/validator.hpp" |
| 26 | #include "../security/identity-certificate.hpp" |
| 27 | #include "../security/sec-rule-specific.hpp" |
| 28 | |
Alexander Afanasyev | 258ec2b | 2014-05-14 16:15:37 -0700 | [diff] [blame] | 29 | #include <list> |
| 30 | |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 31 | namespace ndn { |
| 32 | |
Yingdi Yu | 50b1390 | 2014-07-09 15:05:46 -0700 | [diff] [blame^] | 33 | /** |
| 34 | * @brief Helper class to validate CommandInterests |
| 35 | * |
| 36 | * @deprecated Use ValidatorConfig instead. |
| 37 | * See http://redmine.named-data.net/projects/ndn-cxx/wiki/CommandValidatorConf |
| 38 | * for more details about the configuration format of ValidatorConfig. |
| 39 | * |
| 40 | * @see http://redmine.named-data.net/projects/nfd/wiki/Command_Interests |
| 41 | */ |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 42 | class CommandInterestValidator : public Validator |
| 43 | { |
| 44 | public: |
| 45 | enum { |
| 46 | POS_SIG_VALUE = -1, |
| 47 | POS_SIG_INFO = -2, |
| 48 | POS_RANDOM_VAL = -3, |
| 49 | POS_TIMESTAMP = -4, |
| 50 | |
Yingdi Yu | 449e114 | 2014-03-28 18:54:42 -0700 | [diff] [blame] | 51 | MIN_LENGTH = 4, |
| 52 | |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 53 | GRACE_INTERVAL = 3000 // ms |
| 54 | }; |
Alexander Afanasyev | aa0e7da | 2014-03-17 14:37:33 -0700 | [diff] [blame] | 55 | |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 56 | CommandInterestValidator(const time::milliseconds& graceInterval = |
| 57 | time::milliseconds(static_cast<int>(GRACE_INTERVAL))) |
Alexander Afanasyev | aa0e7da | 2014-03-17 14:37:33 -0700 | [diff] [blame] | 58 | : m_graceInterval(graceInterval < time::milliseconds::zero() ? |
| 59 | time::milliseconds(static_cast<int>(GRACE_INTERVAL)) : graceInterval) |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 60 | { |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 61 | } |
| 62 | |
| 63 | virtual |
| 64 | ~CommandInterestValidator() |
| 65 | { |
| 66 | } |
| 67 | |
Yingdi Yu | 0fc447c | 2014-04-29 19:38:32 -0700 | [diff] [blame] | 68 | /** |
| 69 | * @brief add an Interest rule that allows a specific certificate |
| 70 | * |
| 71 | * @param regex NDN Regex to match Interest Name |
| 72 | * @param certificate trusted certificate |
| 73 | */ |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 74 | void |
| 75 | addInterestRule(const std::string& regex, const IdentityCertificate& certificate); |
| 76 | |
Yingdi Yu | 0fc447c | 2014-04-29 19:38:32 -0700 | [diff] [blame] | 77 | /** |
| 78 | * @brief add an Interest rule that allows a specific public key |
| 79 | * |
| 80 | * @param regex NDN Regex to match Interest Name |
| 81 | * @param keyName KeyLocator.Name |
| 82 | * @param publicKey public key |
| 83 | */ |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 84 | void |
| 85 | addInterestRule(const std::string& regex, const Name& keyName, const PublicKey& publicKey); |
| 86 | |
Yingdi Yu | 0fc447c | 2014-04-29 19:38:32 -0700 | [diff] [blame] | 87 | /** |
| 88 | * @brief add an Interest rule that allows any signer |
| 89 | * |
| 90 | * @param regex NDN Regex to match Interest Name |
| 91 | * @note Command Interest matched by regex that is signed by any key will be accepted. |
| 92 | */ |
| 93 | void |
| 94 | addInterestBypassRule(const std::string& regex); |
| 95 | |
Alexander Afanasyev | 285c2cf | 2014-06-02 19:22:10 +0300 | [diff] [blame] | 96 | /** |
| 97 | * @brief Remove all installed Interest rules (e.g., when reinitialization needed) |
| 98 | */ |
| 99 | void |
| 100 | reset(); |
| 101 | |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 102 | protected: |
| 103 | virtual void |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 104 | checkPolicy(const Data& data, |
| 105 | int stepCount, |
| 106 | const OnDataValidated& onValidated, |
| 107 | const OnDataValidationFailed& onValidationFailed, |
| 108 | std::vector<shared_ptr<ValidationRequest> >& nextSteps) |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 109 | { |
Yingdi Yu | 40587c0 | 2014-02-21 16:40:48 -0800 | [diff] [blame] | 110 | onValidationFailed(data.shared_from_this(), "No policy for data checking"); |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 111 | } |
Alexander Afanasyev | aa0e7da | 2014-03-17 14:37:33 -0700 | [diff] [blame] | 112 | |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 113 | virtual void |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 114 | checkPolicy(const Interest& interest, |
| 115 | int stepCount, |
| 116 | const OnInterestValidated& onValidated, |
| 117 | const OnInterestValidationFailed& onValidationFailed, |
| 118 | std::vector<shared_ptr<ValidationRequest> >& nextSteps); |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 119 | private: |
Alexander Afanasyev | aa0e7da | 2014-03-17 14:37:33 -0700 | [diff] [blame] | 120 | time::milliseconds m_graceInterval; //ms |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 121 | std::map<Name, PublicKey> m_trustAnchorsForInterest; |
| 122 | std::list<SecRuleSpecific> m_trustScopeForInterest; |
Alexander Afanasyev | aa0e7da | 2014-03-17 14:37:33 -0700 | [diff] [blame] | 123 | |
| 124 | typedef std::map<Name, time::system_clock::TimePoint> LastTimestampMap; |
| 125 | LastTimestampMap m_lastTimestamp; |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 126 | }; |
| 127 | |
| 128 | inline void |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 129 | CommandInterestValidator::addInterestRule(const std::string& regex, |
| 130 | const IdentityCertificate& certificate) |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 131 | { |
| 132 | Name keyName = IdentityCertificate::certificateNameToPublicKeyName(certificate.getName()); |
| 133 | addInterestRule(regex, keyName, certificate.getPublicKeyInfo()); |
| 134 | } |
| 135 | |
| 136 | inline void |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 137 | CommandInterestValidator::addInterestRule(const std::string& regex, |
| 138 | const Name& keyName, |
| 139 | const PublicKey& publicKey) |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 140 | { |
| 141 | m_trustAnchorsForInterest[keyName] = publicKey; |
| 142 | shared_ptr<Regex> interestRegex = make_shared<Regex>(regex); |
| 143 | shared_ptr<Regex> signerRegex = Regex::fromName(keyName, true); |
| 144 | m_trustScopeForInterest.push_back(SecRuleSpecific(interestRegex, signerRegex)); |
| 145 | } |
| 146 | |
| 147 | inline void |
Yingdi Yu | 0fc447c | 2014-04-29 19:38:32 -0700 | [diff] [blame] | 148 | CommandInterestValidator::addInterestBypassRule(const std::string& regex) |
| 149 | { |
| 150 | shared_ptr<Regex> interestRegex = make_shared<Regex>(regex); |
| 151 | m_trustScopeForInterest.push_back(SecRuleSpecific(interestRegex)); |
| 152 | } |
| 153 | |
| 154 | inline void |
Alexander Afanasyev | 285c2cf | 2014-06-02 19:22:10 +0300 | [diff] [blame] | 155 | CommandInterestValidator::reset() |
| 156 | { |
| 157 | m_trustAnchorsForInterest.clear(); |
| 158 | m_trustScopeForInterest.clear(); |
| 159 | } |
| 160 | |
| 161 | inline void |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 162 | CommandInterestValidator::checkPolicy(const Interest& interest, |
| 163 | int stepCount, |
| 164 | const OnInterestValidated& onValidated, |
| 165 | const OnInterestValidationFailed& onValidationFailed, |
| 166 | std::vector<shared_ptr<ValidationRequest> >& nextSteps) |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 167 | { |
Yingdi Yu | 40587c0 | 2014-02-21 16:40:48 -0800 | [diff] [blame] | 168 | const Name& interestName = interest.getName(); |
Alexander Afanasyev | aa0e7da | 2014-03-17 14:37:33 -0700 | [diff] [blame] | 169 | |
| 170 | //Prepare |
Yingdi Yu | 449e114 | 2014-03-28 18:54:42 -0700 | [diff] [blame] | 171 | if (interestName.size() < MIN_LENGTH) |
Alexander Afanasyev | aa0e7da | 2014-03-17 14:37:33 -0700 | [diff] [blame] | 172 | return onValidationFailed(interest.shared_from_this(), |
Yingdi Yu | 40587c0 | 2014-02-21 16:40:48 -0800 | [diff] [blame] | 173 | "Interest is not signed: " + interest.getName().toUri()); |
Yingdi Yu | 449e114 | 2014-03-28 18:54:42 -0700 | [diff] [blame] | 174 | Name keyName; |
| 175 | try |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 176 | { |
Yingdi Yu | 449e114 | 2014-03-28 18:54:42 -0700 | [diff] [blame] | 177 | Signature signature(interestName[POS_SIG_INFO].blockFromValue(), |
| 178 | interestName[POS_SIG_VALUE].blockFromValue()); |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 179 | |
Yingdi Yu | 5ec0ee3 | 2014-06-24 16:26:09 -0700 | [diff] [blame] | 180 | if (signature.getType() != Tlv::SignatureSha256WithRsa) |
Alexander Afanasyev | aa0e7da | 2014-03-17 14:37:33 -0700 | [diff] [blame] | 181 | return onValidationFailed(interest.shared_from_this(), |
Yingdi Yu | 449e114 | 2014-03-28 18:54:42 -0700 | [diff] [blame] | 182 | "Require SignatureSha256WithRsa"); |
Yingdi Yu | 40587c0 | 2014-02-21 16:40:48 -0800 | [diff] [blame] | 183 | |
Yingdi Yu | 449e114 | 2014-03-28 18:54:42 -0700 | [diff] [blame] | 184 | SignatureSha256WithRsa sig(signature); |
Yingdi Yu | 40587c0 | 2014-02-21 16:40:48 -0800 | [diff] [blame] | 185 | |
Yingdi Yu | 449e114 | 2014-03-28 18:54:42 -0700 | [diff] [blame] | 186 | const KeyLocator& keyLocator = sig.getKeyLocator(); |
| 187 | |
| 188 | if (keyLocator.getType() != KeyLocator::KeyLocator_Name) |
| 189 | return onValidationFailed(interest.shared_from_this(), |
| 190 | "Key Locator is not a name"); |
| 191 | |
| 192 | keyName = IdentityCertificate::certificateNameToPublicKeyName(keyLocator.getName()); |
| 193 | |
| 194 | //Check if command is in the trusted scope |
| 195 | bool isInScope = false; |
| 196 | for (std::list<SecRuleSpecific>::iterator scopeIt = m_trustScopeForInterest.begin(); |
| 197 | scopeIt != m_trustScopeForInterest.end(); |
| 198 | ++scopeIt) |
| 199 | { |
| 200 | if (scopeIt->satisfy(interestName, keyName)) |
| 201 | { |
Yingdi Yu | 0fc447c | 2014-04-29 19:38:32 -0700 | [diff] [blame] | 202 | if (scopeIt->isExempted()) |
| 203 | { |
| 204 | return onValidated(interest.shared_from_this()); |
| 205 | } |
| 206 | |
Yingdi Yu | 449e114 | 2014-03-28 18:54:42 -0700 | [diff] [blame] | 207 | isInScope = true; |
| 208 | break; |
| 209 | } |
| 210 | } |
| 211 | if (isInScope == false) |
| 212 | return onValidationFailed(interest.shared_from_this(), |
| 213 | "Signer cannot be authorized for the command: " + |
| 214 | keyName.toUri()); |
| 215 | |
| 216 | //Check signature |
| 217 | if (!Validator::verifySignature(interestName.wireEncode().value(), |
| 218 | interestName.wireEncode().value_size() - |
| 219 | interestName[-1].size(), |
| 220 | sig, m_trustAnchorsForInterest[keyName])) |
| 221 | return onValidationFailed(interest.shared_from_this(), |
| 222 | "Signature cannot be validated: " + |
| 223 | interest.getName().toUri()); |
| 224 | |
| 225 | //Check if timestamp is valid |
| 226 | time::system_clock::TimePoint interestTime = |
| 227 | time::fromUnixTimestamp(time::milliseconds(interestName.get(POS_TIMESTAMP).toNumber())); |
| 228 | |
| 229 | time::system_clock::TimePoint currentTime = time::system_clock::now(); |
| 230 | |
| 231 | LastTimestampMap::iterator timestampIt = m_lastTimestamp.find(keyName); |
| 232 | if (timestampIt == m_lastTimestamp.end()) |
| 233 | { |
| 234 | if (!(currentTime - m_graceInterval <= interestTime && |
| 235 | interestTime <= currentTime + m_graceInterval)) |
| 236 | return onValidationFailed(interest.shared_from_this(), |
| 237 | "The command is not in grace interval: " + |
| 238 | interest.getName().toUri()); |
| 239 | } |
| 240 | else |
| 241 | { |
| 242 | if (interestTime <= timestampIt->second) |
| 243 | return onValidationFailed(interest.shared_from_this(), |
| 244 | "The command is outdated: " + |
| 245 | interest.getName().toUri()); |
| 246 | } |
| 247 | |
| 248 | //Update timestamp |
| 249 | if (timestampIt == m_lastTimestamp.end()) |
| 250 | { |
| 251 | m_lastTimestamp[keyName] = interestTime; |
| 252 | } |
| 253 | else |
| 254 | { |
| 255 | timestampIt->second = interestTime; |
| 256 | } |
Alexander Afanasyev | aa0e7da | 2014-03-17 14:37:33 -0700 | [diff] [blame] | 257 | } |
Alexander Afanasyev | 2a7f720 | 2014-04-23 14:25:29 -0700 | [diff] [blame] | 258 | catch (Signature::Error& e) |
Yingdi Yu | 449e114 | 2014-03-28 18:54:42 -0700 | [diff] [blame] | 259 | { |
| 260 | return onValidationFailed(interest.shared_from_this(), |
| 261 | "No valid signature"); |
| 262 | } |
Alexander Afanasyev | 2a7f720 | 2014-04-23 14:25:29 -0700 | [diff] [blame] | 263 | catch (IdentityCertificate::Error& e) |
Yingdi Yu | 449e114 | 2014-03-28 18:54:42 -0700 | [diff] [blame] | 264 | { |
| 265 | return onValidationFailed(interest.shared_from_this(), |
| 266 | "Cannot locate the signing key"); |
Alexander Afanasyev | aa0e7da | 2014-03-17 14:37:33 -0700 | [diff] [blame] | 267 | } |
Alexander Afanasyev | 2a7f720 | 2014-04-23 14:25:29 -0700 | [diff] [blame] | 268 | catch (Tlv::Error& e) |
| 269 | { |
| 270 | return onValidationFailed(interest.shared_from_this(), |
| 271 | "Cannot decode signature related TLVs"); |
| 272 | } |
Yingdi Yu | 40587c0 | 2014-02-21 16:40:48 -0800 | [diff] [blame] | 273 | |
| 274 | return onValidated(interest.shared_from_this()); |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 275 | } |
| 276 | |
Alexander Afanasyev | 9cbf70a | 2014-02-17 18:07:51 -0800 | [diff] [blame] | 277 | } // namespace ndn |
| 278 | |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 279 | #endif // NDN_UTIL_COMMAND_INTEREST_VALIDATOR_HPP |