Gitiles
Code Review Sign In
gerrit.named-data.net / ndn-cxx / fa30664a666e3d00b5469ee5204219e53eae0ba8 / . / disabled / verifier.cc
blob: 99599bd3f5cf8f886a146da63e2cdb4ce09a0740 [file] [log] [blame]
Jeff Thompsonfa306642013-06-17 15:06:57 -0700[diff] [blame^]1/* -*- Mode: C++; c-file-style: "gnu"; indent-tabs-mode:nil -*- */
2/*
3 * Copyright (c) 2013 University of California, Los Angeles
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation;
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17 *
18 * Author: Zhenkai Zhu <zhenkai@cs.ucla.edu>
19 * Alexander Afanasyev <alexander.afanasyev@ucla.edu>
20 */
21
22#include "verifier.h"
23#include "ndn.cxx/wrapper.h"
24#include "logging.h"
25
26INIT_LOGGER ("ndn.Verifier");
27namespace ndn {
28
29static const size_t ROOT_KEY_DIGEST_LEN = 32; // SHA-256
30static const unsigned char ROOT_KEY_DIGEST[ROOT_KEY_DIGEST_LEN] = {0xa7, 0xd9, 0x8b, 0x81, 0xde, 0x13, 0xfc,
310x56, 0xc5, 0xa6, 0x92, 0xb4, 0x44, 0x93, 0x6e, 0x56, 0x70, 0x9d, 0x52, 0x6f, 0x70,
320xed, 0x39, 0xef, 0xb5, 0xe2, 0x3, 0x29, 0xa5, 0x53, 0x3e, 0x68};
33
34Verifier::Verifier(Wrapper *ccnx)
35 : m_ccnx(ccnx)
36 , m_rootKeyDigest(ROOT_KEY_DIGEST, ROOT_KEY_DIGEST_LEN)
37{
38}
39
40Verifier::~Verifier()
41{
42}
43
44bool
45Verifier::verify(PcoPtr pco, double maxWait)
46{
47 _LOG_TRACE("Verifying content [" << pco->name() << "]");
48 HashPtr publisherPublicKeyDigest = pco->publisherPublicKeyDigest();
49
50 {
51 UniqueRecLock lock(m_cacheLock);
52 CertCache::iterator it = m_certCache.find(*publisherPublicKeyDigest);
53 if (it != m_certCache.end())
54 {
55 CertPtr cert = it->second;
56 if (cert->validity() == Cert::WITHIN_VALID_TIME_SPAN)
57 {
58 pco->verifySignature(cert);
59 return pco->verified();
60 }
61 else
62 {
63 // delete the invalid cert cache
64 m_certCache.erase(it);
65 }
66 }
67 }
68
69 // keyName is the name specified in key locator, i.e. without version and segment
70 Name keyName = pco->keyName();
71 int keyNameSize = keyName.size();
72
73 if (keyNameSize < 2)
74 {
75 _LOG_ERROR("Key name is empty or has too few components.");
76 return false;
77 }
78
79 // for keys, we have to make sure key name is strictly prefix of the content name
80 if (pco->type() == ParsedContentObject::KEY)
81 {
82 Name contentName = pco->name();
83 // when checking for prefix, do not include the hash in the key name (which is the last component)
84 Name keyNamePrefix = keyName.getPrefix (keyNameSize - 1);
85 if (keyNamePrefix.size() >= contentName.size() || contentName.getPrefix (keyNamePrefix.size()) != keyNamePrefix)
86 {
87 _LOG_ERROR("Key name prefix [" << keyNamePrefix << "] is not the prefix of content name [" << contentName << "]");
88 return false;
89 }
90 }
91 else
92 {
93 // for now, user can assign any data using his key
94 }
95
96 Name metaName;
97 metaName
98 .append (keyName.getPrefix (keyNameSize - 1))
99 .append ("info")
100 .append (keyName.getSubName (keyNameSize - 1));
101
102 Interest interest;
103 interest.setChildSelector (Interest::CHILD_RIGHT)
104 .setInterestLifetime(maxWait);
105
106 PcoPtr keyObject = m_ccnx->get(Interest (interest).setName (keyName), maxWait);
107 PcoPtr metaObject = m_ccnx->get(Interest (interest).setName (metaName), maxWait);
108 if (!keyObject || !metaObject )
109 {
110 _LOG_ERROR("can not fetch key or meta");
111 return false;
112 }
113
114 HashPtr publisherKeyHashInKeyObject = keyObject->publisherPublicKeyDigest();
115 HashPtr publisherKeyHashInMetaObject = metaObject->publisherPublicKeyDigest();
116
117 // make sure key and meta are signed using the same key
118 if (publisherKeyHashInKeyObject->IsZero() || ! (*publisherKeyHashInKeyObject == *publisherKeyHashInMetaObject))
119 {
120 _LOG_ERROR("Key and Meta not signed by the same publisher");
121 return false;
122 }
123
124 CertPtr cert = boost::make_shared<Cert>(keyObject, metaObject);
125 if (cert->validity() != Cert::WITHIN_VALID_TIME_SPAN)
126 {
127 _LOG_ERROR("Certificate is not valid, validity status is : " << cert->validity());
128 return false;
129 }
130
131 // check pco is actually signed by this key (i.e. we don't trust the publisherPublicKeyDigest given by ccnx c lib)
132 if (! (*pco->publisherPublicKeyDigest() == cert->keyDigest()))
133 {
134 _LOG_ERROR("key digest does not match the publisher public key digest of the content object");
135 return false;
136 }
137
138 // now we only need to make sure the key is trustworthy
139 if (cert->keyDigest() == m_rootKeyDigest)
140 {
141 // the key is the root key
142 // do nothing now
143 }
144 else
145 {
146 // can not verify key or can not verify meta
147 if (!verify(keyObject, maxWait) || !verify(metaObject, maxWait))
148 {
149 _LOG_ERROR("Can not verify key or meta");
150 return false;
151 }
152 }
153
154 // ok, keyObject verified, because metaObject is signed by the same parent key and integrity checked
155 // so metaObject is also verified
156 {
157 UniqueRecLock lock(m_cacheLock);
158 m_certCache.insert(std::make_pair(cert->keyDigest(), cert));
159 }
160
161 pco->verifySignature(cert);
162 if (pco->verified())
163 {
164 _LOG_TRACE("[" << pco->name() << "] VERIFIED.");
165 }
166 else
167 {
168 _LOG_ERROR("[" << pco->name() << "] CANNOT BE VERIFIED.");
169 }
170 return pco->verified();
171}
172
173} // ndn