Gitiles
Code Review Sign In
gerrit.named-data.net / ndn-cxx / 5ee8ec032a9dac1f10d5331f8060757d452d7fd9 / . / src / security / v2 / validator.hpp
blob: 14e9c7f83a4e89587259e31e478a6c1bda335e72 [file] [log] [blame]
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]1/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]2/*
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]3 * Copyright (c) 2013-2017 Regents of the University of California.
4 *
5 * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
6 *
7 * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8 * terms of the GNU Lesser General Public License as published by the Free Software
9 * Foundation, either version 3 of the License, or (at your option) any later version.
10 *
11 * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13 * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14 *
15 * You should have received copies of the GNU General Public License and GNU Lesser
16 * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17 * <http://www.gnu.org/licenses/>.
18 *
19 * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
20 */
21
22#ifndef NDN_SECURITY_V2_VALIDATOR_HPP
23#define NDN_SECURITY_V2_VALIDATOR_HPP
24
Alexander Afanasyev7bc10fa2017-01-13 16:56:26 -0800[diff] [blame]25#include "certificate-fetcher.hpp"
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]26#include "certificate-request.hpp"
Alexander Afanasyev7bc10fa2017-01-13 16:56:26 -0800[diff] [blame]27#include "certificate-storage.hpp"
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]28#include "validation-callback.hpp"
29#include "validation-policy.hpp"
30#include "validation-state.hpp"
31
32namespace ndn {
33
34class Face;
35
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]36namespace security {
37namespace v2 {
38
39/**
40 * @brief Interface for validating data and interest packets.
41 *
42 * Every time a validation process initiated, it creates a ValidationState that exist until
43 * validation finishes with either success or failure. This state serves several purposes:
44 * - record Interest or Data packet being validated
45 * - record failure callback
46 * - record certificates in the certification chain for the Interest or Data packet being validated
47 * - record names of the requested certificates to detect loops in the certificate chain
48 * - keep track of the validation chain size (aka validation "depth")
49 *
Alexander Afanasyev7bc10fa2017-01-13 16:56:26 -0800[diff] [blame]50 * During validation, policy and/or key fetcher can augment validation state with policy- and
51 * fetcher-specific information using ndn::Tag's.
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]52 *
53 * A validator has a trust anchor cache to save static and dynamic trust anchors, a verified
54 * certificate cache for saving certificates that are already verified and an unverified
55 * certificate cache for saving prefetched but not yet verified certificates.
56 *
57 * @todo Limit the maximum time the validation process is allowed to run before declaring failure
58 * @todo Ability to customize maximum lifetime for trusted and untrusted certificate caches.
59 * Current implementation hard-codes them to be 1 hour and 5 minutes.
60 */
Alexander Afanasyev7bc10fa2017-01-13 16:56:26 -0800[diff] [blame]61class Validator : public CertificateStorage
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]62{
63public:
64 /**
65 * @brief Validator constructor.
66 *
Alexander Afanasyev7bc10fa2017-01-13 16:56:26 -0800[diff] [blame]67 * @param policy Validation policy to be associated with the validator
68 * @param certFetcher Certificate fetcher implementation.
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]69 */
Alexander Afanasyev7bc10fa2017-01-13 16:56:26 -0800[diff] [blame]70 Validator(unique_ptr<ValidationPolicy> policy, unique_ptr<CertificateFetcher> certFetcher);
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]71
72 ~Validator();
73
Alexander Afanasyevb54aa572017-03-21 19:40:49 -0500[diff] [blame]74 ValidationPolicy&
75 getPolicy();
76
77 CertificateFetcher&
78 getFetcher();
79
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]80 /**
81 * @brief Set the maximum depth of the certificate chain
82 */
83 void
84 setMaxDepth(size_t depth);
85
86 /**
87 * @return The maximum depth of the certificate chain
88 */
89 size_t
90 getMaxDepth() const;
91
92 /**
93 * @brief Asynchronously validate @p data
94 *
95 * @note @p successCb and @p failureCb must not be nullptr
96 */
97 void
98 validate(const Data& data,
99 const DataValidationSuccessCallback& successCb,
100 const DataValidationFailureCallback& failureCb);
101
102 /**
103 * @brief Asynchronously validate @p interest
104 *
105 * @note @p successCb and @p failureCb must not be nullptr
106 */
107 void
108 validate(const Interest& interest,
109 const InterestValidationSuccessCallback& successCb,
110 const InterestValidationFailureCallback& failureCb);
111
112public: // anchor management
113 /**
114 * @brief load static trust anchor.
115 *
116 * Static trust anchors are permanently associated with the validator and never expire.
117 *
118 * @param groupId Certificate group id.
119 * @param cert Certificate to load as a trust anchor.
120 */
121 void
122 loadAnchor(const std::string& groupId, Certificate&& cert);
123
124 /**
125 * @brief load dynamic trust anchors.
126 *
127 * Dynamic trust anchors are associated with the validator for as long as the underlying
128 * trust anchor file (set of files) exist(s).
129 *
130 * @param groupId Certificate group id, must not be empty.
131 * @param certfilePath Specifies the path to load the trust anchors.
132 * @param refreshPeriod Refresh period for the trust anchors, must be positive.
133 * @param isDir Tells whether the path is a directory or a single file.
134 */
135 void
136 loadAnchor(const std::string& groupId, const std::string& certfilePath,
137 time::nanoseconds refreshPeriod, bool isDir = false);
138
139 /**
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]140 * @brief remove any previously loaded static or dynamic trust anchor
141 */
142 void
143 resetAnchors();
144
145 /**
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]146 * @brief Cache verified @p cert a period of time (1 hour)
147 *
148 * @todo Add ability to customize time period
149 */
150 void
151 cacheVerifiedCertificate(Certificate&& cert);
152
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]153 /**
154 * @brief Remove any cached verified certificates
155 */
156 void
157 resetVerifiedCertificates();
158
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]159private: // Common validator operations
160 /**
161 * @brief Recursive validation of the certificate in the certification chain
162 *
163 * @param cert The certificate to check.
164 * @param state The current validation state.
165 */
166 void
167 validate(const Certificate& cert, const shared_ptr<ValidationState>& state);
168
169 /**
170 * @brief Request certificate for further validation.
171 *
172 * @param certRequest Certificate request.
173 * @param state The current validation state.
174 */
175 void
176 requestCertificate(const shared_ptr<CertificateRequest>& certRequest,
177 const shared_ptr<ValidationState>& state);
178
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]179private:
180 unique_ptr<ValidationPolicy> m_policy;
Alexander Afanasyev7bc10fa2017-01-13 16:56:26 -0800[diff] [blame]181 unique_ptr<CertificateFetcher> m_certFetcher;
Alexander Afanasyev7e721412017-01-11 13:36:08 -0800[diff] [blame]182 size_t m_maxDepth;
183};
184
185} // namespace v2
186} // namespace security
187} // namespace ndn
188
189#endif // NDN_SECURITY_V2_VALIDATOR_HPP