Gitiles
Code Review Sign In
gerrit.named-data.net / ndn-cxx / 99b2a001df2fcc273a4074d7d0f0e9a946ba19e9 / . / src / security / validator.cpp
blob: 488d0d7ddafa4367de70fa7eb9ffe7a1d9f39b40 [file] [log] [blame]
Alexander Afanasyevc169a812014-05-20 20:37:29 -0400[diff] [blame]1/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]2/**
Teng Liange6f87512016-07-26 22:14:19 -0700[diff] [blame]3 * Copyright (c) 2013-2016 Regents of the University of California.
Alexander Afanasyevdfa52c42014-04-24 21:10:11 -0700[diff] [blame]4 *
5 * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
Alexander Afanasyevdfa52c42014-04-24 21:10:11 -0700[diff] [blame]6 *
Alexander Afanasyevc169a812014-05-20 20:37:29 -0400[diff] [blame]7 * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8 * terms of the GNU Lesser General Public License as published by the Free Software
9 * Foundation, either version 3 of the License, or (at your option) any later version.
10 *
11 * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13 * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14 *
15 * You should have received copies of the GNU General Public License and GNU Lesser
16 * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17 * <http://www.gnu.org/licenses/>.
18 *
19 * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
Alexander Afanasyevdfa52c42014-04-24 21:10:11 -0700[diff] [blame]20 *
21 * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
22 * @author Jeff Thompson <jefft0@remap.ucla.edu>
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]23 */
24
Alexander Afanasyeve2dcdfd2014-02-07 15:53:28 -0800[diff] [blame]25#include "common.hpp"
26
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]27#include "validator.hpp"
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]28#include "../util/crypto.hpp"
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]29
Junxiao Shi482ccc52014-03-31 13:05:24 -0700[diff] [blame]30#include "cryptopp.hpp"
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]31
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]32namespace ndn {
33
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700[diff] [blame]34static OID SECP256R1("1.2.840.10045.3.1.7");
35static OID SECP384R1("1.3.132.0.34");
36
Yingdi Yu4e9b0692014-11-04 16:13:56 -0800[diff] [blame]37Validator::Validator(Face* face)
38 : m_face(face)
Yingdi Yu96e64062014-04-15 19:57:33 -0700[diff] [blame]39{
40}
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]41
Yingdi Yu96e64062014-04-15 19:57:33 -0700[diff] [blame]42Validator::Validator(Face& face)
Yingdi Yu4e9b0692014-11-04 16:13:56 -0800[diff] [blame]43 : m_face(&face)
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]44{
45}
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]46
47void
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]48Validator::validate(const Interest& interest,
49 const OnInterestValidated& onValidated,
50 const OnInterestValidationFailed& onValidationFailed,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]51 int nSteps)
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]52{
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700[diff] [blame]53 std::vector<shared_ptr<ValidationRequest> > nextSteps;
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]54 checkPolicy(interest, nSteps, onValidated, onValidationFailed, nextSteps);
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]55
Yingdi Yu99b2a002015-08-12 12:47:44 -0700[diff] [blame^]56 if (nextSteps.empty()) {
57 // If there is no nextStep,
58 // that means InterestPolicy has already been able to verify the Interest.
59 // No more further processes.
60 return;
61 }
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]62
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]63 OnFailure onFailure = bind(onValidationFailed, interest.shared_from_this(), _1);
64 afterCheckPolicy(nextSteps, onFailure);
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]65}
66
67void
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]68Validator::validate(const Data& data,
69 const OnDataValidated& onValidated,
70 const OnDataValidationFailed& onValidationFailed,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]71 int nSteps)
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]72{
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700[diff] [blame]73 std::vector<shared_ptr<ValidationRequest> > nextSteps;
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]74 checkPolicy(data, nSteps, onValidated, onValidationFailed, nextSteps);
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]75
Yingdi Yu99b2a002015-08-12 12:47:44 -0700[diff] [blame^]76 if (nextSteps.empty()) {
77 // If there is no nextStep,
78 // that means Data Policy has already been able to verify the Interest.
79 // No more further processes.
80 return;
81 }
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]82
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]83 OnFailure onFailure = bind(onValidationFailed, data.shared_from_this(), _1);
84 afterCheckPolicy(nextSteps, onFailure);
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]85}
86
87void
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]88Validator::onData(const Interest& interest,
89 const Data& data,
Alexander Afanasyev0222fba2014-02-09 23:16:02 -0800[diff] [blame]90 const shared_ptr<ValidationRequest>& nextStep)
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]91{
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]92 shared_ptr<const Data> certificateData = preCertificateValidation(data);
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]93
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]94 if (!static_cast<bool>(certificateData))
95 return nextStep->m_onDataValidationFailed(data.shared_from_this(),
96 "Cannot decode cert: " + data.getName().toUri());
97
98 validate(*certificateData,
99 nextStep->m_onDataValidated, nextStep->m_onDataValidationFailed,
100 nextStep->m_nSteps);
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]101}
102
103bool
104Validator::verifySignature(const Data& data, const PublicKey& key)
105{
Yingdi Yu4a557052014-07-09 16:40:37 -0700[diff] [blame]106 if (!data.getSignature().hasKeyLocator())
Yingdi Yu5ec0ee32014-06-24 16:26:09 -0700[diff] [blame]107 return false;
108
109 return verifySignature(data.wireEncode().value(),
110 data.wireEncode().value_size() -
111 data.getSignature().getValue().size(),
Yingdi Yu4a557052014-07-09 16:40:37 -0700[diff] [blame]112 data.getSignature(), key);
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]113}
114
115bool
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]116Validator::verifySignature(const Interest& interest, const PublicKey& key)
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]117{
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]118 const Name& interestName = interest.getName();
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]119
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]120 if (interestName.size() < 2)
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]121 return false;
122
Yingdi Yu99b2a002015-08-12 12:47:44 -0700[diff] [blame^]123 try {
124 const Block& nameBlock = interestName.wireEncode();
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]125
Yingdi Yu99b2a002015-08-12 12:47:44 -0700[diff] [blame^]126 Signature sig(interestName[signed_interest::POS_SIG_INFO].blockFromValue(),
127 interestName[signed_interest::POS_SIG_VALUE].blockFromValue());
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]128
Yingdi Yu99b2a002015-08-12 12:47:44 -0700[diff] [blame^]129 if (!sig.hasKeyLocator())
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]130 return false;
Yingdi Yu99b2a002015-08-12 12:47:44 -0700[diff] [blame^]131
132 return verifySignature(nameBlock.value(),
133 nameBlock.value_size() - interestName[signed_interest::POS_SIG_VALUE].size(),
134 sig, key);
135 }
136 catch (const Block::Error& e) {
137 return false;
138 }
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]139}
140
141bool
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]142Validator::verifySignature(const uint8_t* buf,
143 const size_t size,
Yingdi Yu4a557052014-07-09 16:40:37 -0700[diff] [blame]144 const Signature& sig,
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]145 const PublicKey& key)
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]146{
Yingdi Yu99b2a002015-08-12 12:47:44 -0700[diff] [blame^]147 try {
148 using namespace CryptoPP;
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]149
Yingdi Yu99b2a002015-08-12 12:47:44 -0700[diff] [blame^]150 switch (sig.getType()) {
151 case tlv::SignatureSha256WithRsa: {
152 if (key.getKeyType() != KeyType::RSA)
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700[diff] [blame]153 return false;
Yingdi Yu99b2a002015-08-12 12:47:44 -0700[diff] [blame^]154
155 RSA::PublicKey publicKey;
156 ByteQueue queue;
157
158 queue.Put(reinterpret_cast<const byte*>(key.get().buf()), key.get().size());
159 publicKey.Load(queue);
160
161 RSASS<PKCS1v15, SHA256>::Verifier verifier(publicKey);
162 return verifier.VerifyMessage(buf, size,
163 sig.getValue().value(), sig.getValue().value_size());
164 }
165
166 case tlv::SignatureSha256WithEcdsa: {
167 if (key.getKeyType() != KeyType::EC)
168 return false;
169
170 ECDSA<ECP, SHA256>::PublicKey publicKey;
171 ByteQueue queue;
172
173 queue.Put(reinterpret_cast<const byte*>(key.get().buf()), key.get().size());
174 publicKey.Load(queue);
175
176 ECDSA<ECP, SHA256>::Verifier verifier(publicKey);
177
178 uint32_t length = 0;
179 StringSource src(key.get().buf(), key.get().size(), true);
180 BERSequenceDecoder subjectPublicKeyInfo(src);
181 {
182 BERSequenceDecoder algorithmInfo(subjectPublicKeyInfo);
183 {
184 OID algorithm;
185 algorithm.decode(algorithmInfo);
186
187 OID curveId;
188 curveId.decode(algorithmInfo);
189
190 if (curveId == SECP256R1)
191 length = 256;
192 else if (curveId == SECP384R1)
193 length = 384;
194 else
195 return false;
196 }
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700[diff] [blame]197 }
Yingdi Yu99b2a002015-08-12 12:47:44 -0700[diff] [blame^]198
199 switch (length) {
200 case 256: {
201 uint8_t buffer[64];
202 size_t usedSize = DSAConvertSignatureFormat(buffer, sizeof(buffer), DSA_P1363,
203 sig.getValue().value(),
204 sig.getValue().value_size(),
205 DSA_DER);
206 return verifier.VerifyMessage(buf, size, buffer, usedSize);
207 }
208
209 case 384: {
210 uint8_t buffer[96];
211 size_t usedSize = DSAConvertSignatureFormat(buffer, sizeof(buffer), DSA_P1363,
212 sig.getValue().value(),
213 sig.getValue().value_size(),
214 DSA_DER);
215 return verifier.VerifyMessage(buf, size, buffer, usedSize);
216 }
217
218 default:
219 return false;
220 }
221 }
222
223 default:
224 // Unsupported sig type
225 return false;
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]226 }
Yingdi Yu99b2a002015-08-12 12:47:44 -0700[diff] [blame^]227 }
228 catch (const CryptoPP::Exception& e) {
229 return false;
230 }
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]231}
232
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]233bool
Yingdi Yubf6a2812014-06-17 15:32:11 -0700[diff] [blame]234Validator::verifySignature(const uint8_t* buf, const size_t size, const DigestSha256& sig)
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]235{
Yingdi Yu99b2a002015-08-12 12:47:44 -0700[diff] [blame^]236 try {
237 ConstBufferPtr buffer = crypto::sha256(buf, size);
238 const Block& sigValue = sig.getValue();
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]239
Yingdi Yu99b2a002015-08-12 12:47:44 -0700[diff] [blame^]240 if (buffer != nullptr &&
241 buffer->size() == sigValue.value_size() &&
242 buffer->size() == crypto::SHA256_DIGEST_SIZE) {
243 const uint8_t* p1 = buffer->buf();
244 const uint8_t* p2 = sigValue.value();
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]245
Yingdi Yu99b2a002015-08-12 12:47:44 -0700[diff] [blame^]246 return 0 == memcmp(p1, p2, crypto::SHA256_DIGEST_SIZE);
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]247 }
Yingdi Yu99b2a002015-08-12 12:47:44 -0700[diff] [blame^]248 else
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]249 return false;
Yingdi Yu99b2a002015-08-12 12:47:44 -0700[diff] [blame^]250 }
251 catch (const CryptoPP::Exception& e) {
252 return false;
253 }
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]254}
255
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]256void
Teng Liange6f87512016-07-26 22:14:19 -0700[diff] [blame]257Validator::onNack(const Interest& interest,
258 const lp::Nack& nack,
259 int remainingRetries,
260 const OnFailure& onFailure,
261 const shared_ptr<ValidationRequest>& validationRequest)
262{
263 if (remainingRetries > 0) {
264 Interest newInterest = Interest(interest);
265 newInterest.refreshNonce();
266
267 //Express the same interest with different nonce and decremented remainingRetries.
268 m_face->expressInterest(newInterest,
269 bind(&Validator::onData, this, _1, _2, validationRequest),
270 bind(&Validator::onNack, this, _1, _2,
271 remainingRetries - 1, onFailure, validationRequest),
272 bind(&Validator::onTimeout, this, _1,
273 remainingRetries - 1, onFailure, validationRequest));
274 }
275 else {
276 onFailure("Cannot fetch cert: " + interest.getName().toUri());
277 }
278}
279
280void
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]281Validator::onTimeout(const Interest& interest,
282 int remainingRetries,
283 const OnFailure& onFailure,
284 const shared_ptr<ValidationRequest>& validationRequest)
285{
Teng Liange6f87512016-07-26 22:14:19 -0700[diff] [blame]286 if (remainingRetries > 0) {
287 Interest newInterest = Interest(interest);
288 newInterest.refreshNonce();
289
290 // Express the same interest with different nonce and decremented remainingRetries.
291 m_face->expressInterest(newInterest,
Yingdi Yu4e9b0692014-11-04 16:13:56 -0800[diff] [blame]292 bind(&Validator::onData, this, _1, _2, validationRequest),
Teng Liange6f87512016-07-26 22:14:19 -0700[diff] [blame]293 bind(&Validator::onNack, this, _1, _2,
294 remainingRetries - 1, onFailure, validationRequest),
Yingdi Yu4e9b0692014-11-04 16:13:56 -0800[diff] [blame]295 bind(&Validator::onTimeout, this, _1,
296 remainingRetries - 1, onFailure, validationRequest));
Teng Liange6f87512016-07-26 22:14:19 -0700[diff] [blame]297 }
298 else {
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]299 onFailure("Cannot fetch cert: " + interest.getName().toUri());
Teng Liange6f87512016-07-26 22:14:19 -0700[diff] [blame]300 }
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]301}
302
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]303void
Yingdi Yu99b2a002015-08-12 12:47:44 -0700[diff] [blame^]304Validator::afterCheckPolicy(const std::vector<shared_ptr<ValidationRequest>>& nextSteps,
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]305 const OnFailure& onFailure)
306{
Yingdi Yu99b2a002015-08-12 12:47:44 -0700[diff] [blame^]307 if (m_face == nullptr) {
308 onFailure("Require more information to validate the packet!");
309 return;
310 }
Yingdi Yu4e9b0692014-11-04 16:13:56 -0800[diff] [blame]311
Yingdi Yu99b2a002015-08-12 12:47:44 -0700[diff] [blame^]312 for (shared_ptr<ValidationRequest> step : nextSteps) {
313 m_face->expressInterest(step->m_interest,
314 bind(&Validator::onData, this, _1, _2, step),
315 bind(&Validator::onNack, this, _1, _2,
316 step->m_nRetries, onFailure, step),
317 bind(&Validator::onTimeout,
318 this, _1, step->m_nRetries,
319 onFailure,
320 step));
321 }
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]322}
323
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]324} // namespace ndn