blob: e22c4464b8cb574067fd836edcc1748a52f08157 [file] [log] [blame]
Yingdi Yu48e8c0c2014-03-19 12:01:55 -07001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
2/**
Alexander Afanasyevdfa52c42014-04-24 21:10:11 -07003 * Copyright (c) 2013-2014, Regents of the University of California.
4 * All rights reserved.
5 *
6 * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
7 * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
8 *
9 * This file licensed under New BSD License. See COPYING for detailed information about
10 * ndn-cxx library copyright, permissions, and redistribution restrictions.
11 *
12 * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
Yingdi Yu48e8c0c2014-03-19 12:01:55 -070013 */
14
15#ifndef NDN_SECURITY_VALIDATOR_CONFIG_HPP
16#define NDN_SECURITY_VALIDATOR_CONFIG_HPP
17
18#include "validator.hpp"
19#include "certificate-cache.hpp"
20#include "conf/rule.hpp"
21#include "conf/common.hpp"
22
23namespace ndn {
24
25class ValidatorConfig : public Validator
26{
27public:
28 class Error : public Validator::Error
29 {
30 public:
31 explicit
32 Error(const std::string& what)
33 : Validator::Error(what)
34 {
35 }
36 };
37
38 static const shared_ptr<CertificateCache> DEFAULT_CERTIFICATE_CACHE;
39
Yingdi Yu96e64062014-04-15 19:57:33 -070040 explicit
41 ValidatorConfig(Face& face,
42 const shared_ptr<CertificateCache>& certificateCache = DEFAULT_CERTIFICATE_CACHE,
43 const int stepLimit = 10);
44
Yingdi Yu48e8c0c2014-03-19 12:01:55 -070045 virtual
46 ~ValidatorConfig()
47 {
48 }
49
50 void
51 load(const std::string& filename);
52
53 void
54 load(const std::string& input, const std::string& filename);
55
56 void
57 load(std::istream& input, const std::string& filename);
58
Yingdi Yudfa9d732014-04-09 09:53:01 -070059 void
60 load(const security::conf::ConfigSection& configSection,
61 const std::string& filename);
62
Yingdi Yu58f33712014-04-16 16:57:47 -070063 inline void
64 reset();
65
66 inline bool
67 isEmpty();
68
Yingdi Yu48e8c0c2014-03-19 12:01:55 -070069protected:
70 virtual void
71 checkPolicy(const Data& data,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -070072 int nSteps,
Yingdi Yu48e8c0c2014-03-19 12:01:55 -070073 const OnDataValidated& onValidated,
74 const OnDataValidationFailed& onValidationFailed,
75 std::vector<shared_ptr<ValidationRequest> >& nextSteps);
76
77 virtual void
78 checkPolicy(const Interest& interest,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -070079 int nSteps,
Yingdi Yu48e8c0c2014-03-19 12:01:55 -070080 const OnInterestValidated& onValidated,
81 const OnInterestValidationFailed& onValidationFailed,
82 std::vector<shared_ptr<ValidationRequest> >& nextSteps);
83
84private:
85 template<class Packet, class OnValidated, class OnFailed>
86 void
87 checkSignature(const Packet& packet,
88 const Signature& signature,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -070089 int nSteps,
Yingdi Yu48e8c0c2014-03-19 12:01:55 -070090 const OnValidated& onValidated,
91 const OnFailed& onValidationFailed,
92 std::vector<shared_ptr<ValidationRequest> >& nextSteps);
93
94 template<class Packet, class OnValidated, class OnFailed>
95 void
96 onCertValidated(const shared_ptr<const Data>& signCertificate,
97 const shared_ptr<const Packet>& packet,
98 const OnValidated& onValidated,
99 const OnFailed& onValidationFailed);
100
101 template<class Packet, class OnFailed>
102 void
103 onCertFailed(const shared_ptr<const Data>& signCertificate,
104 const std::string& failureInfo,
105 const shared_ptr<const Packet>& packet,
106 const OnFailed& onValidationFailed);
107
108 void
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700109 onConfigRule(const security::conf::ConfigSection& section,
110 const std::string& filename);
111
112 void
113 onConfigTrustAnchor(const security::conf::ConfigSection& section,
114 const std::string& filename);
115
116private:
117 typedef security::conf::Rule<Interest> InterestRule;
118 typedef security::conf::Rule<Data> DataRule;
119 typedef std::vector<shared_ptr<InterestRule> > InterestRuleList;
120 typedef std::vector<shared_ptr<DataRule> > DataRuleList;
121 typedef std::map<Name, shared_ptr<IdentityCertificate> > AnchorList;
122
123 int m_stepLimit;
124 shared_ptr<CertificateCache> m_certificateCache;
125
126 InterestRuleList m_interestRules;
127 DataRuleList m_dataRules;
128 AnchorList m_anchors;
129};
130
Yingdi Yu58f33712014-04-16 16:57:47 -0700131inline void
132ValidatorConfig::reset()
133{
134 m_certificateCache->reset();
135 m_interestRules.clear();
136 m_dataRules.clear();
137 m_anchors.clear();
138}
139
140inline bool
141ValidatorConfig::isEmpty()
142{
143 if (m_certificateCache->isEmpty() &&
144 m_interestRules.empty() &&
145 m_dataRules.empty() &&
146 m_anchors.empty())
147 return true;
148 return false;
149}
150
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700151template<class Packet, class OnValidated, class OnFailed>
152void
153ValidatorConfig::checkSignature(const Packet& packet,
154 const Signature& signature,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700155 int nSteps,
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700156 const OnValidated& onValidated,
157 const OnFailed& onValidationFailed,
158 std::vector<shared_ptr<ValidationRequest> >& nextSteps)
159{
160 if (signature.getType() == Signature::Sha256)
161 {
162 SignatureSha256 sigSha256(signature);
163
164 if (verifySignature(packet, sigSha256))
165 return onValidated(packet.shared_from_this());
166 else
167 return onValidationFailed(packet.shared_from_this(),
168 "Sha256 Signature cannot be verified!");
169 }
170
171 if (signature.getType() == Signature::Sha256WithRsa)
172 {
173 SignatureSha256WithRsa sigSha256Rsa(signature);
174 Name keyLocatorName = sigSha256Rsa.getKeyLocator().getName();
175
176 shared_ptr<const Certificate> trustedCert;
177
178 AnchorList::const_iterator it = m_anchors.find(keyLocatorName);
179 if (m_anchors.end() == it)
180 trustedCert = m_certificateCache->getCertificate(keyLocatorName);
181 else
182 trustedCert = it->second;
183
184 if (static_cast<bool>(trustedCert))
185 {
186 if (verifySignature(packet, sigSha256Rsa, trustedCert->getPublicKeyInfo()))
187 return onValidated(packet.shared_from_this());
188 else
189 return onValidationFailed(packet.shared_from_this(),
190 "Cannot verify signature");
191 }
192 else
193 {
194 OnDataValidated onCertValidated =
195 bind(&ValidatorConfig::onCertValidated<Packet, OnValidated, OnFailed>,
196 this, _1, packet.shared_from_this(), onValidated, onValidationFailed);
197
198 OnDataValidationFailed onCertValidationFailed =
199 bind(&ValidatorConfig::onCertFailed<Packet, OnFailed>,
200 this, _1, _2, packet.shared_from_this(), onValidationFailed);
201
202 Interest certInterest(keyLocatorName);
203
204 shared_ptr<ValidationRequest> nextStep =
205 make_shared<ValidationRequest>(boost::cref(certInterest),
206 onCertValidated,
207 onCertValidationFailed,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700208 1, nSteps + 1);
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700209
210 nextSteps.push_back(nextStep);
211 return;
212 }
213 }
214 return onValidationFailed(packet.shared_from_this(), "Unsupported Signature Type!");
215}
216
217template<class Packet, class OnValidated, class OnFailed>
218void
219ValidatorConfig::onCertValidated(const shared_ptr<const Data>& signCertificate,
220 const shared_ptr<const Packet>& packet,
221 const OnValidated& onValidated,
222 const OnFailed& onValidationFailed)
223{
224 shared_ptr<IdentityCertificate> certificate =
225 make_shared<IdentityCertificate>(boost::cref(*signCertificate));
226
227 if (!certificate->isTooLate() && !certificate->isTooEarly())
228 {
229 m_certificateCache->insertCertificate(certificate);
230
231 if (verifySignature(*packet, certificate->getPublicKeyInfo()))
232 return onValidated(packet);
233 else
234 return onValidationFailed(packet,
235 "Cannot verify signature: " +
236 packet->getName().toUri());
237 }
238 else
239 {
240 return onValidationFailed(packet,
241 "Signing certificate " +
242 signCertificate->getName().toUri() +
243 " is no longer valid.");
244 }
245}
246
247template<class Packet, class OnFailed>
248void
249ValidatorConfig::onCertFailed(const shared_ptr<const Data>& signCertificate,
250 const std::string& failureInfo,
251 const shared_ptr<const Packet>& packet,
252 const OnFailed& onValidationFailed)
253{
254 onValidationFailed(packet, failureInfo);
255}
256
257} // namespace ndn
258
259#endif // NDN_SECURITY_VALIDATOR_CONFIG_HPP