Gitiles
Code Review Sign In
gerrit.named-data.net / ndn-cxx / 5c785d670f2ce63254539456429f9f376b48450e / . / src / security / validator-regex.cpp
blob: 1eea45e1d2fa12c70936bee0d5d0edba14fd665e [file] [log] [blame]
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]1/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
2/**
3 * Copyright (C) 2013 Regents of the University of California.
4 * @author: Yingdi Yu <yingdi@cs.ucla.edu>
5 * See COPYING for copyright and distribution information.
6 */
7
Alexander Afanasyeve2dcdfd2014-02-07 15:53:28 -0800[diff] [blame]8#include "common.hpp"
9
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]10#include "validator-regex.hpp"
11#include "signature-sha256-with-rsa.hpp"
12#include "certificate-cache-ttl.hpp"
13
14#include "../util/logging.hpp"
15
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]16INIT_LOGGER("ndn.ValidatorRegex");
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]17
18using namespace std;
19
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]20namespace ndn {
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]21
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]22const shared_ptr<CertificateCache> ValidatorRegex::DEFAULT_CERTIFICATE_CACHE;
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]23
Yingdi Yu96e64062014-04-15 19:57:33 -0700[diff] [blame]24ValidatorRegex::ValidatorRegex(Face& face,
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]25 shared_ptr<CertificateCache> certificateCache,
26 const int stepLimit)
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]27 : Validator(face)
28 , m_stepLimit(stepLimit)
29 , m_certificateCache(certificateCache)
30{
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]31 if (!static_cast<bool>(m_certificateCache))
Yingdi Yu96e64062014-04-15 19:57:33 -0700[diff] [blame]32 m_certificateCache = make_shared<CertificateCacheTtl>(m_face.ioService());
33}
34
35ValidatorRegex::ValidatorRegex(const shared_ptr<Face>& face,
36 shared_ptr<CertificateCache> certificateCache,
37 const int stepLimit)
38 : Validator(*face)
39 , m_stepLimit(stepLimit)
40 , m_certificateCache(certificateCache)
41{
42 if (!static_cast<bool>(m_certificateCache))
43 m_certificateCache = make_shared<CertificateCacheTtl>(m_face.ioService());
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]44}
45
46void
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]47ValidatorRegex::onCertificateValidated(const shared_ptr<const Data>& signCertificate,
48 const shared_ptr<const Data>& data,
49 const OnDataValidated& onValidated,
50 const OnDataValidationFailed& onValidationFailed)
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]51{
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]52 shared_ptr<IdentityCertificate> certificate =
53 make_shared<IdentityCertificate>(boost::cref(*signCertificate));
54
55 if (!certificate->isTooLate() && !certificate->isTooEarly())
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]56 {
57 m_certificateCache->insertCertificate(certificate);
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]58
59 if (verifySignature(*data, certificate->getPublicKeyInfo()))
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]60 return onValidated(data);
61 else
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]62 return onValidationFailed(data,
63 "Cannot verify signature: " +
64 data->getName().toUri());
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]65 }
66 else
67 {
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]68 _LOG_DEBUG("Wrong validity:");
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]69 return onValidationFailed(data,
70 "Signing certificate " +
71 signCertificate->getName().toUri() +
72 " is no longer valid.");
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]73 }
74}
75
76void
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]77ValidatorRegex::onCertificateValidationFailed(const shared_ptr<const Data>& signCertificate,
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]78 const string& failureInfo,
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]79 const shared_ptr<const Data>& data,
80 const OnDataValidationFailed& onValidationFailed)
81{
82 onValidationFailed(data, failureInfo);
83}
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]84
85void
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]86ValidatorRegex::checkPolicy(const Data& data,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]87 int nSteps,
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]88 const OnDataValidated& onValidated,
89 const OnDataValidationFailed& onValidationFailed,
90 vector<shared_ptr<ValidationRequest> >& nextSteps)
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]91{
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]92 if (m_stepLimit == nSteps)
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]93 return onValidationFailed(data.shared_from_this(),
94 "Maximum steps of validation reached: " +
95 data.getName().toUri());
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]96
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]97 for (RuleList::iterator it = m_mustFailVerify.begin();
98 it != m_mustFailVerify.end();
99 it++)
100 if ((*it)->satisfy(data))
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]101 return onValidationFailed(data.shared_from_this(),
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]102 "Comply with mustFail policy: " +
103 data.getName().toUri());
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]104
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]105 for (RuleList::iterator it = m_verifyPolicies.begin();
106 it != m_verifyPolicies.end();
107 it++)
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]108 {
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]109 if ((*it)->satisfy(data))
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]110 {
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]111 try
112 {
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]113 SignatureSha256WithRsa sig(data.getSignature());
114
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]115 Name keyLocatorName = sig.getKeyLocator().getName();
116 shared_ptr<const Certificate> trustedCert;
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]117 if (m_trustAnchors.end() == m_trustAnchors.find(keyLocatorName))
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]118 trustedCert = m_certificateCache->getCertificate(keyLocatorName);
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]119 else
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]120 trustedCert = m_trustAnchors[keyLocatorName];
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]121
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]122 if (static_cast<bool>(trustedCert))
123 {
124 if (verifySignature(data, sig, trustedCert->getPublicKeyInfo()))
125 return onValidated(data.shared_from_this());
126 else
127 return onValidationFailed(data.shared_from_this(),
128 "Cannot verify signature: " +
129 data.getName().toUri());
130 }
131 else
132 {
133 // _LOG_DEBUG("KeyLocator is not trust anchor");
134 OnDataValidated onKeyValidated =
135 bind(&ValidatorRegex::onCertificateValidated, this, _1,
136 data.shared_from_this(), onValidated, onValidationFailed);
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]137
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]138 OnDataValidationFailed onKeyValidationFailed =
139 bind(&ValidatorRegex::onCertificateValidationFailed, this, _1, _2,
140 data.shared_from_this(), onValidationFailed);
141
142 Interest interest(sig.getKeyLocator().getName());
143 shared_ptr<ValidationRequest> nextStep =
144 make_shared<ValidationRequest>(boost::cref(interest),
145 onKeyValidated,
146 onKeyValidationFailed,
147 3,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]148 nSteps + 1);
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]149
150 nextSteps.push_back(nextStep);
151
152 return;
153 }
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]154 }
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]155 catch (const SignatureSha256WithRsa::Error& e)
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]156 {
157 return onValidationFailed(data.shared_from_this(),
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]158 "Not SignatureSha256WithRsa signature: " +
159 data.getName().toUri());
160 }
161 catch (const KeyLocator::Error& e)
162 {
163 return onValidationFailed(data.shared_from_this(),
164 "Key Locator is not a name: " +
165 data.getName().toUri());
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]166 }
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]167 }
168 }
169
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]170 return onValidationFailed(data.shared_from_this(),
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]171 "No policy found for data: " + data.getName().toUri());
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]172}
173
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]174} // namespace ndn