Gitiles
Code Review Sign In
gerrit.named-data.net / ndn-cxx / d36dd55e3b14ca2cb7ff085db1f5b450ebfa8254 / . / src / security / validator.cpp
blob: 5edb85230b5e6f9f7514dce246fc526e6774b072 [file] [log] [blame]
Alexander Afanasyevc169a812014-05-20 20:37:29 -0400[diff] [blame]1/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]2/**
Alexander Afanasyevc169a812014-05-20 20:37:29 -0400[diff] [blame]3 * Copyright (c) 2013-2014 Regents of the University of California.
Alexander Afanasyevdfa52c42014-04-24 21:10:11 -0700[diff] [blame]4 *
5 * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
Alexander Afanasyevdfa52c42014-04-24 21:10:11 -0700[diff] [blame]6 *
Alexander Afanasyevc169a812014-05-20 20:37:29 -0400[diff] [blame]7 * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8 * terms of the GNU Lesser General Public License as published by the Free Software
9 * Foundation, either version 3 of the License, or (at your option) any later version.
10 *
11 * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13 * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14 *
15 * You should have received copies of the GNU General Public License and GNU Lesser
16 * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17 * <http://www.gnu.org/licenses/>.
18 *
19 * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
Alexander Afanasyevdfa52c42014-04-24 21:10:11 -0700[diff] [blame]20 *
21 * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
22 * @author Jeff Thompson <jefft0@remap.ucla.edu>
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]23 */
24
Alexander Afanasyeve2dcdfd2014-02-07 15:53:28 -0800[diff] [blame]25#include "common.hpp"
26
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]27#include "validator.hpp"
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]28#include "../util/crypto.hpp"
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]29
Junxiao Shi482ccc52014-03-31 13:05:24 -0700[diff] [blame]30#include "cryptopp.hpp"
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]31
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]32namespace ndn {
33
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700[diff] [blame]34static OID SECP256R1("1.2.840.10045.3.1.7");
35static OID SECP384R1("1.3.132.0.34");
36
Yingdi Yu96e64062014-04-15 19:57:33 -0700[diff] [blame]37Validator::Validator()
38 : m_hasFace(false)
39 , m_face(*static_cast<Face*>(0))
40{
41}
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]42
Yingdi Yu96e64062014-04-15 19:57:33 -0700[diff] [blame]43Validator::Validator(Face& face)
44 : m_hasFace(true)
45 , m_face(face)
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]46{
47}
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]48
49void
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]50Validator::validate(const Interest& interest,
51 const OnInterestValidated& onValidated,
52 const OnInterestValidationFailed& onValidationFailed,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]53 int nSteps)
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]54{
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700[diff] [blame]55 std::vector<shared_ptr<ValidationRequest> > nextSteps;
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]56 checkPolicy(interest, nSteps, onValidated, onValidationFailed, nextSteps);
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]57
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]58 if (nextSteps.empty())
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]59 {
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]60 // If there is no nextStep,
61 // that means InterestPolicy has already been able to verify the Interest.
62 // No more further processes.
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]63 return;
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]64 }
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]65
66 if (!m_hasFace)
67 {
68 onValidationFailed(interest.shared_from_this(),
69 "Require more information to validate the interest!");
70 return;
71 }
72
73 OnFailure onFailure = bind(onValidationFailed, interest.shared_from_this(), _1);
74 afterCheckPolicy(nextSteps, onFailure);
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]75}
76
77void
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]78Validator::validate(const Data& data,
79 const OnDataValidated& onValidated,
80 const OnDataValidationFailed& onValidationFailed,
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]81 int nSteps)
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]82{
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700[diff] [blame]83 std::vector<shared_ptr<ValidationRequest> > nextSteps;
Yingdi Yu4b8c6a22014-04-15 23:00:54 -0700[diff] [blame]84 checkPolicy(data, nSteps, onValidated, onValidationFailed, nextSteps);
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]85
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]86 if (nextSteps.empty())
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]87 {
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]88 // If there is no nextStep,
89 // that means Data Policy has already been able to verify the Interest.
90 // No more further processes.
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]91 return;
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]92 }
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]93
94 if (!m_hasFace)
95 {
96 onValidationFailed(data.shared_from_this(),
97 "Require more information to validate the data!");
98 return;
99 }
100
101 OnFailure onFailure = bind(onValidationFailed, data.shared_from_this(), _1);
102 afterCheckPolicy(nextSteps, onFailure);
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]103}
104
105void
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]106Validator::onData(const Interest& interest,
107 const Data& data,
Alexander Afanasyev0222fba2014-02-09 23:16:02 -0800[diff] [blame]108 const shared_ptr<ValidationRequest>& nextStep)
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]109{
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]110 shared_ptr<const Data> certificateData = preCertificateValidation(data);
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]111
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]112 if (!static_cast<bool>(certificateData))
113 return nextStep->m_onDataValidationFailed(data.shared_from_this(),
114 "Cannot decode cert: " + data.getName().toUri());
115
116 validate(*certificateData,
117 nextStep->m_onDataValidated, nextStep->m_onDataValidationFailed,
118 nextStep->m_nSteps);
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]119}
120
121bool
122Validator::verifySignature(const Data& data, const PublicKey& key)
123{
Yingdi Yu5ec0ee32014-06-24 16:26:09 -0700[diff] [blame]124 shared_ptr<SignatureWithPublicKey> publicKeySig =
125 determineSignatureWithPublicKey(data.getSignature());
126
127 if (!static_cast<bool>(publicKeySig))
128 return false;
129
130 return verifySignature(data.wireEncode().value(),
131 data.wireEncode().value_size() -
132 data.getSignature().getValue().size(),
133 *publicKeySig, key);
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]134}
135
136bool
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]137Validator::verifySignature(const Interest& interest, const PublicKey& key)
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]138{
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]139 const Name& interestName = interest.getName();
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]140
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]141 if (interestName.size() < 2)
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]142 return false;
143
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]144 try
145 {
146 const Block& nameBlock = interestName.wireEncode();
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]147
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]148 Signature sig(interestName[-2].blockFromValue(),
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]149 interestName[-1].blockFromValue());
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]150
Yingdi Yu5ec0ee32014-06-24 16:26:09 -0700[diff] [blame]151 shared_ptr<SignatureWithPublicKey> publicKeySig = determineSignatureWithPublicKey(sig);
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]152
Yingdi Yu5ec0ee32014-06-24 16:26:09 -0700[diff] [blame]153 if (!static_cast<bool>(publicKeySig))
154 return false;
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700[diff] [blame]155
Yingdi Yu5ec0ee32014-06-24 16:26:09 -0700[diff] [blame]156 return verifySignature(nameBlock.value(),
157 nameBlock.value_size() - interestName[-1].size(),
158 *publicKeySig, key);
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]159 }
Alexander Afanasyev2a7f7202014-04-23 14:25:29 -0700[diff] [blame]160 catch (Block::Error& e)
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]161 {
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]162 return false;
163 }
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]164}
165
166bool
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]167Validator::verifySignature(const uint8_t* buf,
168 const size_t size,
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700[diff] [blame]169 const SignatureWithPublicKey& sig,
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]170 const PublicKey& key)
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]171{
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]172 try
173 {
174 using namespace CryptoPP;
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]175
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700[diff] [blame]176 switch (sig.getType())
177 {
178 case Tlv::SignatureSha256WithRsa:
179 {
180 if (key.getKeyType() != KEY_TYPE_RSA)
181 return false;
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]182
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700[diff] [blame]183 RSA::PublicKey publicKey;
184 ByteQueue queue;
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]185
Yingdi Yuc8f883c2014-06-20 23:25:22 -0700[diff] [blame]186 queue.Put(reinterpret_cast<const byte*>(key.get().buf()), key.get().size());
187 publicKey.Load(queue);
188
189 RSASS<PKCS1v15, SHA256>::Verifier verifier(publicKey);
190 return verifier.VerifyMessage(buf, size,
191 sig.getValue().value(), sig.getValue().value_size());
192 }
193 case Tlv::SignatureSha256WithEcdsa:
194 {
195 if (key.getKeyType() != KEY_TYPE_ECDSA)
196 return false;
197
198 ECDSA<ECP, SHA256>::PublicKey publicKey;
199 ByteQueue queue;
200
201 queue.Put(reinterpret_cast<const byte*>(key.get().buf()), key.get().size());
202 publicKey.Load(queue);
203
204 ECDSA<ECP, SHA256>::Verifier verifier(publicKey);
205
206 uint32_t length = 0;
207 StringSource src(key.get().buf(), key.get().size(), true);
208 BERSequenceDecoder subjectPublicKeyInfo(src);
209 {
210 BERSequenceDecoder algorithmInfo(subjectPublicKeyInfo);
211 {
212 OID algorithm;
213 algorithm.decode(algorithmInfo);
214
215 OID curveId;
216 curveId.decode(algorithmInfo);
217
218 if (curveId == SECP256R1)
219 length = 256;
220 else if (curveId == SECP384R1)
221 length = 384;
222 else
223 return false;
224 }
225 }
226
227 switch (length)
228 {
229 case 256:
230 {
231 uint8_t buffer[64];
232 size_t usedSize = DSAConvertSignatureFormat(buffer, 64, DSA_P1363,
233 sig.getValue().value(),
234 sig.getValue().value_size(),
235 DSA_DER);
236 return verifier.VerifyMessage(buf, size, buffer, usedSize);
237 }
238 case 384:
239 {
240 uint8_t buffer[96];
241 size_t usedSize = DSAConvertSignatureFormat(buffer, 96, DSA_P1363,
242 sig.getValue().value(),
243 sig.getValue().value_size(),
244 DSA_DER);
245 return verifier.VerifyMessage(buf, size, buffer, usedSize);
246 }
247 default:
248 return false;
249 }
250 }
251 default:
252 // Unsupported sig type
253 return false;
254 }
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]255 }
Alexander Afanasyev2a7f7202014-04-23 14:25:29 -0700[diff] [blame]256 catch (CryptoPP::Exception& e)
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]257 {
Yingdi Yu40587c02014-02-21 16:40:48 -0800[diff] [blame]258 return false;
259 }
Yingdi Yu6ac97982014-01-30 14:49:21 -0800[diff] [blame]260}
261
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]262bool
Yingdi Yubf6a2812014-06-17 15:32:11 -0700[diff] [blame]263Validator::verifySignature(const uint8_t* buf, const size_t size, const DigestSha256& sig)
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]264{
265 try
266 {
267 ConstBufferPtr buffer = crypto::sha256(buf, size);
268 const Block& sigValue = sig.getValue();
269
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]270 if (static_cast<bool>(buffer) &&
271 buffer->size() == sigValue.value_size() &&
272 buffer->size() == crypto::SHA256_DIGEST_SIZE)
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]273 {
274
275 const uint8_t* p1 = buffer->buf();
276 const uint8_t* p2 = sigValue.value();
277
Yingdi Yu48e8c0c2014-03-19 12:01:55 -0700[diff] [blame]278 return 0 == memcmp(p1, p2, crypto::SHA256_DIGEST_SIZE);
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]279 }
280 else
281 return false;
282 }
Alexander Afanasyev2a7f7202014-04-23 14:25:29 -0700[diff] [blame]283 catch (CryptoPP::Exception& e)
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]284 {
Yingdi Yu21157162014-02-28 13:02:34 -0800[diff] [blame]285 return false;
286 }
287}
288
Yingdi Yu5ec0ee32014-06-24 16:26:09 -0700[diff] [blame]289shared_ptr<SignatureWithPublicKey>
290Validator::determineSignatureWithPublicKey(const Signature& signature)
291{
292 try {
293 switch (signature.getType())
294 {
295 case Tlv::SignatureSha256WithRsa:
296 return make_shared<SignatureSha256WithRsa>(signature);
297 case Tlv::SignatureSha256WithEcdsa:
298 return make_shared<SignatureSha256WithEcdsa>(signature);
299 default:
300 return shared_ptr<SignatureWithPublicKey>();
301 }
302 }
303 catch (Tlv::Error& e) {
304 return shared_ptr<SignatureWithPublicKey>();
305 }
306 catch (KeyLocator::Error& e) {
307 return shared_ptr<SignatureWithPublicKey>();
308 }
309}
310
Yingdi Yud9006e72014-06-23 19:10:44 -0700[diff] [blame]311void
312Validator::onTimeout(const Interest& interest,
313 int remainingRetries,
314 const OnFailure& onFailure,
315 const shared_ptr<ValidationRequest>& validationRequest)
316{
317 if (remainingRetries > 0)
318 // Issue the same expressInterest except decrement nRetrials.
319 m_face.expressInterest(interest,
320 bind(&Validator::onData, this, _1, _2, validationRequest),
321 bind(&Validator::onTimeout, this, _1,
322 remainingRetries - 1, onFailure, validationRequest));
323 else
324 onFailure("Cannot fetch cert: " + interest.getName().toUri());
325}
326
327
328void
329Validator::afterCheckPolicy(const std::vector<shared_ptr<ValidationRequest> >& nextSteps,
330 const OnFailure& onFailure)
331{
332 for (std::vector<shared_ptr<ValidationRequest> >::const_iterator it = nextSteps.begin();
333 it != nextSteps.end(); it++)
334 {
335 m_face.expressInterest((*it)->m_interest,
336 bind(&Validator::onData, this, _1, _2, *it),
337 bind(&Validator::onTimeout,
338 this, _1, (*it)->m_nRetries,
339 onFailure,
340 *it));
341 }
342}
343
Yingdi Yufc40d872014-02-18 12:56:04 -0800[diff] [blame]344} // namespace ndn