security: Include timestamp and nonce in signed interest and provide timestamp checking in ValidatorConf
Change-Id: I0adebd5c06b2d8d35ba13c5c03828b03334b7cec
Refs: #1642
diff --git a/src/security/key-chain.hpp b/src/security/key-chain.hpp
index 191eeda..043f437 100644
--- a/src/security/key-chain.hpp
+++ b/src/security/key-chain.hpp
@@ -32,6 +32,7 @@
#include "../interest.hpp"
#include "../util/crypto.hpp"
+#include "../util/random.hpp"
namespace ndn {
@@ -680,6 +681,7 @@
private:
SecPublicInfo* m_pib;
SecTpm* m_tpm;
+ time::milliseconds m_lastTimestamp;
};
template<class T>
@@ -687,6 +689,7 @@
KeyChain::KeyChain(T)
: m_pib(new typename T::Pib)
, m_tpm(new typename T::Tpm)
+ , m_lastTimestamp(time::toUnixTimestamp(time::system_clock::now()))
{
}
@@ -917,15 +920,24 @@
KeyChain::signPacketWrapper(Interest& interest, const SignatureSha256WithRsa& signature,
const Name& keyName, DigestAlgorithm digestAlgorithm)
{
+ time::milliseconds timestamp = time::toUnixTimestamp(time::system_clock::now());
+ if (timestamp <= m_lastTimestamp)
+ {
+ timestamp = m_lastTimestamp + time::milliseconds(1);
+ }
+
Name signedName = interest.getName();
- signedName.append(signature.getInfo());
+ signedName
+ .append(name::Component::fromNumber(timestamp.count())) // timestamp
+ .append(name::Component::fromNumber(random::generateWord64())) // nonce
+ .append(signature.getInfo()); // signatureInfo
Block sigValue = m_tpm->signInTpm(signedName.wireEncode().value(),
signedName.wireEncode().value_size(),
keyName,
digestAlgorithm);
sigValue.encode();
- signedName.append(sigValue);
+ signedName.append(sigValue); // signatureValue
interest.setName(signedName);
}
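Review bot: `m_lastTimestamp` is read for the comparison and the bump at the top of `signPacketWrapper`, but nothing in this hunk writes the chosen value back, so the member appears to keep its construction-time value. Two Interests signed within the same millisecond would then carry the same timestamp, and after a backwards step of `system_clock` every call would produce the same `m_lastTimestamp + 1`. A validator that requires strictly increasing timestamps per key would reject such Interests as replays. Adding `m_lastTimestamp = timestamp;` directly after the `if` block would make the sequence strictly increasing per `KeyChain` instance. The function's leading declaration lines sit outside the hunk, and if a `KeyChain` can be shared across threads (not visible here) this read-modify-write would also need a lock.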