Alexander Afanasyev | c169a81 | 2014-05-20 20:37:29 -0400 | [diff] [blame] | 1 | /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */ |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 2 | /** |
Alexander Afanasyev | c169a81 | 2014-05-20 20:37:29 -0400 | [diff] [blame] | 3 | * Copyright (c) 2013-2014 Regents of the University of California. |
Alexander Afanasyev | dfa52c4 | 2014-04-24 21:10:11 -0700 | [diff] [blame] | 4 | * |
| 5 | * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions). |
Alexander Afanasyev | dfa52c4 | 2014-04-24 21:10:11 -0700 | [diff] [blame] | 6 | * |
Alexander Afanasyev | c169a81 | 2014-05-20 20:37:29 -0400 | [diff] [blame] | 7 | * ndn-cxx library is free software: you can redistribute it and/or modify it under the |
| 8 | * terms of the GNU Lesser General Public License as published by the Free Software |
| 9 | * Foundation, either version 3 of the License, or (at your option) any later version. |
| 10 | * |
| 11 | * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY |
| 12 | * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A |
| 13 | * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. |
| 14 | * |
| 15 | * You should have received copies of the GNU General Public License and GNU Lesser |
| 16 | * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see |
| 17 | * <http://www.gnu.org/licenses/>. |
| 18 | * |
| 19 | * See AUTHORS.md for complete list of ndn-cxx authors and contributors. |
Alexander Afanasyev | dfa52c4 | 2014-04-24 21:10:11 -0700 | [diff] [blame] | 20 | * |
| 21 | * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/> |
| 22 | * @author Jeff Thompson <jefft0@remap.ucla.edu> |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 23 | */ |
| 24 | |
Yingdi Yu | fc40d87 | 2014-02-18 12:56:04 -0800 | [diff] [blame] | 25 | #ifndef NDN_SECURITY_VALIDATOR_HPP |
| 26 | #define NDN_SECURITY_VALIDATOR_HPP |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 27 | |
Alexander Afanasyev | e2dcdfd | 2014-02-07 15:53:28 -0800 | [diff] [blame] | 28 | #include "../common.hpp" |
| 29 | |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 30 | #include "../data.hpp" |
| 31 | #include "../face.hpp" |
| 32 | #include "public-key.hpp" |
| 33 | #include "signature-sha256-with-rsa.hpp" |
Yingdi Yu | c8f883c | 2014-06-20 23:25:22 -0700 | [diff] [blame] | 34 | #include "signature-sha256-with-ecdsa.hpp" |
Yingdi Yu | bf6a281 | 2014-06-17 15:32:11 -0700 | [diff] [blame] | 35 | #include "digest-sha256.hpp" |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 36 | #include "validation-request.hpp" |
| 37 | |
| 38 | namespace ndn { |
| 39 | /** |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 40 | * @brief Validator is one of the main classes of the security library. |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 41 | * |
| 42 | * The Validator class provides the interfaces for packet validation. |
| 43 | */ |
Alexander Afanasyev | 2a7f720 | 2014-04-23 14:25:29 -0700 | [diff] [blame] | 44 | class Validator |
| 45 | { |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 46 | public: |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 47 | class Error : public std::runtime_error |
| 48 | { |
| 49 | public: |
| 50 | explicit |
| 51 | Error(const std::string& what) |
| 52 | : std::runtime_error(what) |
| 53 | { |
| 54 | } |
| 55 | }; |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 56 | |
Yingdi Yu | 96e6406 | 2014-04-15 19:57:33 -0700 | [diff] [blame] | 57 | Validator(); |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 58 | |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 59 | explicit |
Yingdi Yu | 96e6406 | 2014-04-15 19:57:33 -0700 | [diff] [blame] | 60 | Validator(Face& face); |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 61 | |
| 62 | /** |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 63 | * @brief Validate Data and call either onValidated or onValidationFailed. |
| 64 | * |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 65 | * @param data The Data with the signature to check. |
| 66 | * @param onValidated If the Data is validated, this calls onValidated(data). |
Yingdi Yu | 4b8c6a2 | 2014-04-15 23:00:54 -0700 | [diff] [blame] | 67 | * @param onValidationFailed If validation fails, this calls onValidationFailed(data). |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 68 | */ |
| 69 | void |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 70 | validate(const Data& data, |
| 71 | const OnDataValidated& onValidated, |
| 72 | const OnDataValidationFailed& onValidationFailed) |
| 73 | { |
| 74 | validate(data, onValidated, onValidationFailed, 0); |
| 75 | } |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 76 | |
| 77 | /** |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 78 | * @brief Validate Interest and call either onValidated or onValidationFailed. |
| 79 | * |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 80 | * @param interest The Interest with the signature to check. |
| 81 | * @param onValidated If the Interest is validated, this calls onValidated(interest). |
Yingdi Yu | 4b8c6a2 | 2014-04-15 23:00:54 -0700 | [diff] [blame] | 82 | * @param onValidationFailed If validation fails, this calls onValidationFailed(interest). |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 83 | */ |
| 84 | void |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 85 | validate(const Interest& interest, |
| 86 | const OnInterestValidated& onValidated, |
| 87 | const OnInterestValidationFailed& onValidationFailed) |
| 88 | { |
| 89 | validate(interest, onValidated, onValidationFailed, 0); |
| 90 | } |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 91 | |
| 92 | /***************************************** |
| 93 | * verifySignature method set * |
| 94 | *****************************************/ |
| 95 | |
| 96 | /// @brief Verify the data using the publicKey. |
| 97 | static bool |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 98 | verifySignature(const Data& data, const PublicKey& publicKey); |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 99 | |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 100 | /** |
| 101 | * @brief Verify the signed Interest using the publicKey. |
| 102 | * |
| 103 | * (Note the signature covers the first n-2 name components). |
| 104 | */ |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 105 | static bool |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 106 | verifySignature(const Interest& interest, const PublicKey& publicKey); |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 107 | |
| 108 | /// @brief Verify the blob using the publicKey against the signature. |
| 109 | static bool |
Yingdi Yu | c8f883c | 2014-06-20 23:25:22 -0700 | [diff] [blame] | 110 | verifySignature(const Buffer& blob, const SignatureWithPublicKey& sig, const PublicKey& publicKey) |
| 111 | { |
| 112 | return verifySignature(blob.buf(), blob.size(), sig, publicKey); |
| 113 | } |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 114 | |
| 115 | /// @brief Verify the data using the publicKey against the SHA256-RSA signature. |
| 116 | static bool |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 117 | verifySignature(const Data& data, |
Yingdi Yu | c8f883c | 2014-06-20 23:25:22 -0700 | [diff] [blame] | 118 | const SignatureWithPublicKey& sig, |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 119 | const PublicKey& publicKey) |
| 120 | { |
| 121 | return verifySignature(data.wireEncode().value(), |
| 122 | data.wireEncode().value_size() - data.getSignature().getValue().size(), |
| 123 | sig, publicKey); |
| 124 | } |
| 125 | |
| 126 | /** @brief Verify the interest using the publicKey against the SHA256-RSA signature. |
| 127 | * |
| 128 | * (Note the signature covers the first n-2 name components). |
| 129 | */ |
| 130 | static bool |
| 131 | verifySignature(const Interest& interest, |
Yingdi Yu | c8f883c | 2014-06-20 23:25:22 -0700 | [diff] [blame] | 132 | const SignatureWithPublicKey& sig, |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 133 | const PublicKey& publicKey) |
| 134 | { |
| 135 | if (interest.getName().size() < 2) |
| 136 | return false; |
| 137 | |
Yingdi Yu | 3cca4ab | 2014-04-11 12:46:53 -0700 | [diff] [blame] | 138 | const Name& name = interest.getName(); |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 139 | |
Yingdi Yu | 3cca4ab | 2014-04-11 12:46:53 -0700 | [diff] [blame] | 140 | return verifySignature(name.wireEncode().value(), |
| 141 | name.wireEncode().value_size() - name[-1].size(), |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 142 | sig, publicKey); |
| 143 | } |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 144 | |
| 145 | /// @brief Verify the blob using the publicKey against the SHA256-RSA signature. |
| 146 | static bool |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 147 | verifySignature(const uint8_t* buf, |
| 148 | const size_t size, |
Yingdi Yu | c8f883c | 2014-06-20 23:25:22 -0700 | [diff] [blame] | 149 | const SignatureWithPublicKey& sig, |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 150 | const PublicKey& publicKey); |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 151 | |
Yingdi Yu | 2115716 | 2014-02-28 13:02:34 -0800 | [diff] [blame] | 152 | |
| 153 | /// @brief Verify the data against the SHA256 signature. |
| 154 | static bool |
Yingdi Yu | bf6a281 | 2014-06-17 15:32:11 -0700 | [diff] [blame] | 155 | verifySignature(const Data& data, const DigestSha256& sig) |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 156 | { |
| 157 | return verifySignature(data.wireEncode().value(), |
| 158 | data.wireEncode().value_size() - |
| 159 | data.getSignature().getValue().size(), |
| 160 | sig); |
| 161 | } |
| 162 | |
| 163 | /** @brief Verify the interest against the SHA256 signature. |
| 164 | * |
| 165 | * (Note the signature covers the first n-2 name components). |
| 166 | */ |
| 167 | static bool |
Yingdi Yu | bf6a281 | 2014-06-17 15:32:11 -0700 | [diff] [blame] | 168 | verifySignature(const Interest& interest, const DigestSha256& sig) |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 169 | { |
| 170 | if (interest.getName().size() < 2) |
| 171 | return false; |
| 172 | |
| 173 | Name signedName = interest.getName().getPrefix(-2); |
| 174 | |
| 175 | return verifySignature(signedName.wireEncode().value(), |
| 176 | signedName.wireEncode().value_size(), |
| 177 | sig); |
| 178 | } |
Yingdi Yu | 2115716 | 2014-02-28 13:02:34 -0800 | [diff] [blame] | 179 | |
| 180 | /// @brief Verify the blob against the SHA256 signature. |
| 181 | static bool |
Yingdi Yu | bf6a281 | 2014-06-17 15:32:11 -0700 | [diff] [blame] | 182 | verifySignature(const Buffer& blob, const DigestSha256& sig) |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 183 | { |
| 184 | return verifySignature (blob.buf(), blob.size(), sig); |
| 185 | } |
| 186 | |
Yingdi Yu | 2115716 | 2014-02-28 13:02:34 -0800 | [diff] [blame] | 187 | /// @brief Verify the blob against the SHA256 signature. |
| 188 | static bool |
Yingdi Yu | bf6a281 | 2014-06-17 15:32:11 -0700 | [diff] [blame] | 189 | verifySignature(const uint8_t* buf, const size_t size, const DigestSha256& sig); |
Yingdi Yu | 2115716 | 2014-02-28 13:02:34 -0800 | [diff] [blame] | 190 | |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 191 | protected: |
| 192 | /** |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 193 | * @brief Check the Data against policy and return the next validation step if necessary. |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 194 | * |
| 195 | * If there is no next validation step, that validation MUST have been done. |
| 196 | * i.e., either onValidated or onValidationFailed callback is invoked. |
| 197 | * |
Alexander Afanasyev | 770827c | 2014-05-13 17:42:55 -0700 | [diff] [blame] | 198 | * @param data The Data to check. |
| 199 | * @param nSteps The number of validation steps that have been done. |
| 200 | * @param onValidated If the Data is validated, this calls onValidated(data) |
| 201 | * @param onValidationFailed If validation fails, this calls onValidationFailed(data) |
| 202 | * @param nextSteps On return, contains the next validation step |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 203 | */ |
| 204 | virtual void |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 205 | checkPolicy(const Data& data, |
Yingdi Yu | 4b8c6a2 | 2014-04-15 23:00:54 -0700 | [diff] [blame] | 206 | int nSteps, |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 207 | const OnDataValidated& onValidated, |
| 208 | const OnDataValidationFailed& onValidationFailed, |
| 209 | std::vector<shared_ptr<ValidationRequest> >& nextSteps) = 0; |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 210 | |
| 211 | /** |
Yingdi Yu | 4b8c6a2 | 2014-04-15 23:00:54 -0700 | [diff] [blame] | 212 | * @brief Check the Interest against validation policy and return the next validation step |
| 213 | * if necessary. |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 214 | * |
| 215 | * If there is no next validation step, that validation MUST have been done. |
| 216 | * i.e., either onValidated or onValidationFailed callback is invoked. |
| 217 | * |
Alexander Afanasyev | 770827c | 2014-05-13 17:42:55 -0700 | [diff] [blame] | 218 | * @param interest The Interest to check. |
| 219 | * @param nSteps The number of validation steps that have been done. |
| 220 | * @param onValidated If the Interest is validated, this calls onValidated(data) |
| 221 | * @param onValidationFailed If validation fails, this calls onValidationFailed(data) |
| 222 | * @param nextSteps On return, contains the next validation step |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 223 | */ |
| 224 | virtual void |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 225 | checkPolicy(const Interest& interest, |
Yingdi Yu | 4b8c6a2 | 2014-04-15 23:00:54 -0700 | [diff] [blame] | 226 | int nSteps, |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 227 | const OnInterestValidated& onValidated, |
| 228 | const OnInterestValidationFailed& onValidationFailed, |
| 229 | std::vector<shared_ptr<ValidationRequest> >& nextSteps) = 0; |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 230 | |
Yingdi Yu | 4b8c6a2 | 2014-04-15 23:00:54 -0700 | [diff] [blame] | 231 | typedef function<void(const std::string&)> OnFailure; |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 232 | |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 233 | /// @brief Process the received certificate. |
| 234 | void |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 235 | onData(const Interest& interest, |
| 236 | const Data& data, |
| 237 | const shared_ptr<ValidationRequest>& nextStep); |
| 238 | |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 239 | void |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 240 | validate(const Data& data, |
| 241 | const OnDataValidated& onValidated, |
| 242 | const OnDataValidationFailed& onValidationFailed, |
Yingdi Yu | 4b8c6a2 | 2014-04-15 23:00:54 -0700 | [diff] [blame] | 243 | int nSteps); |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 244 | |
| 245 | void |
Yingdi Yu | 48e8c0c | 2014-03-19 12:01:55 -0700 | [diff] [blame] | 246 | validate(const Interest& interest, |
| 247 | const OnInterestValidated& onValidated, |
| 248 | const OnInterestValidationFailed& onValidationFailed, |
Yingdi Yu | 4b8c6a2 | 2014-04-15 23:00:54 -0700 | [diff] [blame] | 249 | int nSteps); |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 250 | |
Yingdi Yu | d9006e7 | 2014-06-23 19:10:44 -0700 | [diff] [blame^] | 251 | /// Hooks |
| 252 | |
| 253 | /** |
| 254 | * @brief trigger before validating requested certificate. |
| 255 | * |
| 256 | * The Data: |
| 257 | * - matches the interest in the validation-request. |
| 258 | * - may be certificate or a data encapsulating certificate. |
| 259 | * |
| 260 | * This method returns a data (actually certificate) that is will be passed as Data into: |
| 261 | * Validator::validate(const Data& data, |
| 262 | * const OnDataValidated& onValidated, |
| 263 | * const OnDataValidationFailed& onValidationFailed, |
| 264 | * int nSteps); |
| 265 | */ |
| 266 | virtual shared_ptr<const Data> |
| 267 | preCertificateValidation(const Data& data) |
| 268 | { |
| 269 | return data.shared_from_this(); |
| 270 | } |
| 271 | |
| 272 | /** |
| 273 | * @brief trigger when interest for certificate times out. |
| 274 | * |
| 275 | * Validator can decide how to handle the timeout, either call onFailure, or retry. |
| 276 | * |
| 277 | * @param interest The interest that times out. |
| 278 | * @param nRemainingRetries The number of retries left. |
| 279 | * @param onFailure Failure callback when there is no more retries remaining. |
| 280 | * @param validationRequest The validationRequest containing the context of the interest. |
| 281 | */ |
| 282 | |
| 283 | virtual void |
| 284 | onTimeout(const Interest& interest, |
| 285 | int nRemainingRetries, |
| 286 | const OnFailure& onFailure, |
| 287 | const shared_ptr<ValidationRequest>& validationRequest); |
| 288 | |
| 289 | /** |
| 290 | * @brief trigger after checkPolicy is done. |
| 291 | * |
| 292 | * Validator can decide how to handle the set of validation requests according to |
| 293 | * the trust model. |
| 294 | * |
| 295 | * @param nextSteps A set of validation request made by checkPolicy. |
| 296 | * @param onFailure Failure callback when errors happen in processing nextSteps. |
| 297 | */ |
| 298 | virtual void |
| 299 | afterCheckPolicy(const std::vector<shared_ptr<ValidationRequest> >& nextSteps, |
| 300 | const OnFailure& onFailure); |
| 301 | |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 302 | protected: |
Yingdi Yu | 96e6406 | 2014-04-15 19:57:33 -0700 | [diff] [blame] | 303 | bool m_hasFace; |
| 304 | Face& m_face; |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 305 | }; |
| 306 | |
Yingdi Yu | fc40d87 | 2014-02-18 12:56:04 -0800 | [diff] [blame] | 307 | } // namespace ndn |
Yingdi Yu | 6ac9798 | 2014-01-30 14:49:21 -0800 | [diff] [blame] | 308 | |
Yingdi Yu | fc40d87 | 2014-02-18 12:56:04 -0800 | [diff] [blame] | 309 | #endif //NDN_SECURITY_VALIDATOR_HPP |