security: Enforce sig-type check in ValidatorConfig

Change-Id: Ia58e19bbe7453095cb83b3b05dee29ae58d64522
Refs: #4524
diff --git a/tests/unit/security/validation-policy-config.t.cpp b/tests/unit/security/validation-policy-config.t.cpp
index 3c67315..7b5fc56 100644
--- a/tests/unit/security/validation-policy-config.t.cpp
+++ b/tests/unit/security/validation-policy-config.t.cpp
@@ -108,7 +108,7 @@
           checker
           {
             type hierarchical
-            sig-type rsa-sha256
+            sig-type ecdsa-sha256
           }
         }
       )CONF";
@@ -455,6 +455,55 @@
         filter
         {
           type name
+          name /Security/ValidatorFixture
+          relation is-prefix-of
+        }
+        checker
+        {
+          type customized
+          sig-type sha256
+        }
+      }
+      rule
+      {
+        id test-rule-interest-id
+        for interest
+        filter
+        {
+          type name
+          name /Security/ValidatorFixture
+          relation is-prefix-of
+        }
+        checker
+        {
+          type customized
+          sig-type sha256
+        }
+      }
+    )CONF", "test-config");
+
+
+  Interest interest("/Security/ValidatorFixture/Sub1/Sub2/Packet");
+  interest.setCanBePrefix(false);
+  this->m_keyChain.sign(interest, signingWithSha256());
+  VALIDATE_SUCCESS(interest, "Should be accepted");
+
+  Data data("/Security/ValidatorFixture/Sub1/Sub2/Packet");
+  this->m_keyChain.sign(data, signingWithSha256());
+  VALIDATE_SUCCESS(data, "Should be accepted");
+}
+
+BOOST_FIXTURE_TEST_CASE(DigestSha256WithKeyLocator, HierarchicalValidatorFixture<ValidationPolicyConfig>)
+{
+  BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
+  this->policy.load(R"CONF(
+      rule
+      {
+        id test-rule-data-id
+        for data
+        filter
+        {
+          type name
           name /localhost/identity/digest-sha256
           relation is-prefix-of
         }
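Review bot: The rewritten rules in the first test case use `type customized` with `sig-type sha256` and no `key-locator` block, but no comment says that this is what separates the case from DigestSha256WithKeyLocator below it. A one-line comment at the top of that test case, which starts outside this hunk, would record the intent, for example `// sig-type sha256 with no key-locator: digest-only packets under /Security/ValidatorFixture are accepted`. DigestSha256 gives integrity but no signer authentication, so it is worth stating that acceptance here is deliberate. The doubled blank line after `)CONF", "test-config");` can be reduced to one.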
@@ -517,6 +566,79 @@
   VALIDATE_SUCCESS(data, "Should be accepted");
 }
 
+BOOST_FIXTURE_TEST_CASE(SigTypeCheck, HierarchicalValidatorFixture<ValidationPolicyConfig>)
+{
+  BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
+  this->policy.load(R"CONF(
+      rule
+      {
+        id test-rule-data-id
+        for data
+        filter
+        {
+          type name
+          name /localhost/identity/digest-sha256
+          relation is-prefix-of
+        }
+        checker
+        {
+          type customized
+          sig-type ecdsa-sha256
+          key-locator
+          {
+            type name
+            hyper-relation
+            {
+              k-regex ^(<>*)$
+              k-expand \\1
+              h-relation is-prefix-of
+              p-regex ^(<>*)$
+              p-expand \\1
+            }
+          }
+        }
+      }
+      rule
+      {
+        id test-rule-interest-id
+        for interest
+        filter
+        {
+          type name
+          name /localhost/identity/digest-sha256
+          relation is-prefix-of
+        }
+        checker
+        {
+          type customized
+          sig-type ecdsa-sha256
+          key-locator
+          {
+            type name
+            hyper-relation
+            {
+              k-regex ^(<>*)$
+              k-expand \\1
+              h-relation is-prefix-of
+              p-regex ^(<>*)$
+              p-expand \\1
+            }
+          }
+        }
+      }
+    )CONF", "test-config");
+
+
+  Interest interest("/localhost/identity/digest-sha256/foobar");
+  interest.setCanBePrefix(false);
+  this->m_keyChain.sign(interest, signingWithSha256());
+  VALIDATE_FAILURE(interest, "Signature type check should fail");
+
+  Data data("/localhost/identity/digest-sha256/foobar");
+  this->m_keyChain.sign(data, signingWithSha256());
+  VALIDATE_FAILURE(data, "Signature type check should fail");
+}
+
 BOOST_FIXTURE_TEST_CASE(Reload, HierarchicalValidatorFixture<ValidationPolicyConfig>)
 {
   BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
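Review bot: SigTypeCheck only asserts that validation fails, so it does not show that the `sig-type ecdsa-sha256` mismatch is the reason the DigestSha256-signed packets are rejected. Nothing in this test demonstrates that the same filter and `key-locator` rules would accept a packet of the configured type, so a rejection caused by some other step would keep it green. If the rules are meant to mirror DigestSha256WithKeyLocator apart from `sig-type`, say so in a comment such as `// same rules as DigestSha256WithKeyLocator except sig-type; rejection must come from the type mismatch`. Where the fixture allows it, a positive control or an assertion on the reported failure reason would be stronger. The doubled blank line before `Interest interest(` can also be dropped.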
@@ -534,7 +656,7 @@
         checker
         {
           type hierarchical
-          sig-type rsa-sha256
+          sig-type ecdsa-sha256
         }
       }
       rule
@@ -550,7 +672,7 @@
         checker
         {
           type hierarchical
-          sig-type rsa-sha256
+          sig-type ecdsa-sha256
         }
       }
       trust-anchor
diff --git a/tests/unit/security/validator-config/checker.t.cpp b/tests/unit/security/validator-config/checker.t.cpp
index 84901ec..d098b11 100644
--- a/tests/unit/security/validator-config/checker.t.cpp
+++ b/tests/unit/security/validator-config/checker.t.cpp
@@ -68,11 +68,11 @@
 
   template<typename PktType, typename C>
   static void
-  testChecker(C& checker, const Name& pktName, const Name& klName, bool expectedOutcome)
+  testChecker(C& checker, tlv::SignatureTypeValue sigType, const Name& pktName, const Name& klName, bool expectedOutcome)
   {
     BOOST_TEST_CONTEXT("pkt=" << pktName << " kl=" << klName) {
       auto state = PktType::makeState();
-      auto result = checker.check(PktType::getType(), pktName, klName, *state);
+      auto result = checker.check(PktType::getType(), sigType, pktName, klName, *state);
       BOOST_CHECK_EQUAL(bool(result), expectedOutcome);
       BOOST_CHECK(boost::logic::indeterminate(state->getOutcome()));
       if (!result) {
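Review bot: The `BOOST_TEST_CONTEXT` in `testChecker` still prints only `pkt` and `kl`, although the helper is now called with two different signature types for the same name pair, so a failing report does not say which type was under test. Adding the new parameter to the context fixes that: `BOOST_TEST_CONTEXT("pkt=" << pktName << " kl=" << klName << " sigType=" << sigType) {`. The new signature line is also noticeably longer than the surrounding code and could be wrapped after `sigType,`. The body of `testChecker` continues past the end of this hunk.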
@@ -88,7 +88,7 @@
 class NameRelationEqual : public CheckerFixture
 {
 public:
-  NameRelationChecker checker{"/foo/bar", NameRelation::EQUAL};
+  NameRelationChecker checker{tlv::SignatureSha256WithRsa, "/foo/bar", NameRelation::EQUAL};
   std::vector<std::vector<bool>> outcomes = {{true, false, false, false},
                                              {true, false, false, false},
                                              {true, false, false, false},
@@ -98,7 +98,7 @@
 class NameRelationIsPrefixOf : public CheckerFixture
 {
 public:
-  NameRelationChecker checker{"/foo/bar", NameRelation::IS_PREFIX_OF};
+  NameRelationChecker checker{tlv::SignatureSha256WithRsa, "/foo/bar", NameRelation::IS_PREFIX_OF};
   std::vector<std::vector<bool>> outcomes = {{true, true, false, false},
                                              {true, true, false, false},
                                              {true, true, false, false},
@@ -108,7 +108,7 @@
 class NameRelationIsStrictPrefixOf : public CheckerFixture
 {
 public:
-  NameRelationChecker checker{"/foo/bar", NameRelation::IS_STRICT_PREFIX_OF};
+  NameRelationChecker checker{tlv::SignatureSha256WithRsa, "/foo/bar", NameRelation::IS_STRICT_PREFIX_OF};
   std::vector<std::vector<bool>> outcomes = {{false, true, false, false},
                                              {false, true, false, false},
                                              {false, true, false, false},
@@ -118,7 +118,7 @@
 class RegexEqual : public CheckerFixture
 {
 public:
-  RegexChecker checker{Regex("^<foo><bar><KEY><>{1,3}$")};
+  RegexChecker checker{tlv::SignatureSha256WithRsa, Regex("^<foo><bar><KEY><>{1,3}$")};
   std::vector<std::vector<bool>> outcomes = {{true, false, false, false},
                                              {true, false, false, false},
                                              {true, false, false, false},
@@ -128,7 +128,7 @@
 class RegexIsPrefixOf : public CheckerFixture
 {
 public:
-  RegexChecker checker{Regex("^<foo><bar><>*<KEY><>{1,3}$")};
+  RegexChecker checker{tlv::SignatureSha256WithRsa, Regex("^<foo><bar><>*<KEY><>{1,3}$")};
   std::vector<std::vector<bool>> outcomes = {{true, true, false, false},
                                              {true, true, false, false},
                                              {true, true, false, false},
@@ -138,7 +138,7 @@
 class RegexIsStrictPrefixOf : public CheckerFixture
 {
 public:
-  RegexChecker checker{Regex("^<foo><bar><>+<KEY><>{1,3}$")};
+  RegexChecker checker{tlv::SignatureSha256WithRsa, Regex("^<foo><bar><>+<KEY><>{1,3}$")};
   std::vector<std::vector<bool>> outcomes = {{false, true, false, false},
                                              {false, true, false, false},
                                              {false, true, false, false},
@@ -148,7 +148,8 @@
 class HyperRelationEqual : public CheckerFixture
 {
 public:
-  HyperRelationChecker checker{"^(<>+)$", "\\1", "^(<>+)<KEY><>{1,3}$", "\\1", NameRelation::EQUAL};
+  HyperRelationChecker checker{tlv::SignatureSha256WithRsa,
+                               "^(<>+)$", "\\1", "^(<>+)<KEY><>{1,3}$", "\\1", NameRelation::EQUAL};
   std::vector<std::vector<bool>> outcomes = {{true,  false, false, false},
                                              {false, true,  false, false},
                                              {false, false, true,  false},
@@ -158,7 +159,8 @@
 class HyperRelationIsPrefixOf : public CheckerFixture
 {
 public:
-  HyperRelationChecker checker{"^(<>+)$", "\\1", "^(<>+)<KEY><>{1,3}$", "\\1", NameRelation::IS_PREFIX_OF};
+  HyperRelationChecker checker{tlv::SignatureSha256WithRsa,
+                               "^(<>+)$", "\\1", "^(<>+)<KEY><>{1,3}$", "\\1", NameRelation::IS_PREFIX_OF};
   std::vector<std::vector<bool>> outcomes = {{true,  false, true,  false},
                                              {true,  true,  true,  false},
                                              {false, false, true,  false},
@@ -168,7 +170,8 @@
 class HyperRelationIsStrictPrefixOf : public CheckerFixture
 {
 public:
-  HyperRelationChecker checker{"^(<>+)$", "\\1", "^(<>+)<KEY><>{1,3}$", "\\1", NameRelation::IS_STRICT_PREFIX_OF};
+  HyperRelationChecker checker{tlv::SignatureSha256WithRsa,
+                               "^(<>+)$", "\\1", "^(<>+)<KEY><>{1,3}$", "\\1", NameRelation::IS_STRICT_PREFIX_OF};
   std::vector<std::vector<bool>> outcomes = {{false, false, true,  false},
                                              {true,  false, true,  false},
                                              {false, false, false, false},
@@ -326,10 +329,13 @@
       bool expectedOutcome = this->outcomes[i][j];
 
       auto klName = this->makeKeyLocatorKeyName(this->names[j]);
-      this->template testChecker<PktType>(this->checker, pktName, klName, expectedOutcome);
+      this->template testChecker<PktType>(this->checker, tlv::SignatureSha256WithRsa, pktName, klName, expectedOutcome);
+      this->template testChecker<PktType>(this->checker, tlv::SignatureSha256WithEcdsa, pktName, klName, false);
+
 
       klName = this->makeKeyLocatorCertName(this->names[j]);
-      this->template testChecker<PktType>(this->checker, pktName, klName, expectedOutcome);
+      this->template testChecker<PktType>(this->checker, tlv::SignatureSha256WithRsa, pktName, klName, expectedOutcome);
+      this->template testChecker<PktType>(this->checker, tlv::SignatureSha256WithEcdsa, pktName, klName, false);
     }
   }
 }
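Review bot: The added mismatch cases only pass `tlv::SignatureSha256WithEcdsa`, so the checker-level tests never exercise the keyless `tlv::DigestSha256` type against a checker that requires RSA. That downgrade is the one that matters most for this commit, and it appears to be covered only at the policy level by SigTypeCheck in validation-policy-config.t.cpp. One more call after each ECDSA line would cover it here: `this->template testChecker<PktType>(this->checker, tlv::DigestSha256, pktName, klName, false);`. The extra blank line added before the second `klName` assignment can be removed. The enclosing test case starts outside this hunk.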
diff --git a/tests/unit/security/validator-config/rule.t.cpp b/tests/unit/security/validator-config/rule.t.cpp
index 0410d9f..8b846ff 100644
--- a/tests/unit/security/validator-config/rule.t.cpp
+++ b/tests/unit/security/validator-config/rule.t.cpp
@@ -64,7 +64,8 @@
 BOOST_FIXTURE_TEST_CASE(Errors, RuleFixture<DataPkt>)
 {
   BOOST_CHECK_THROW(rule.match(tlv::Interest, this->pktName, state), Error);
-  BOOST_CHECK_THROW(rule.check(tlv::Interest, this->pktName, "/foo/bar", state), Error);
+  BOOST_CHECK_THROW(rule.check(tlv::Interest, tlv::SignatureSha256WithRsa,
+                               this->pktName, "/foo/bar", state), Error);
 }
 
 BOOST_FIXTURE_TEST_CASE_TEMPLATE(Constructor, PktType, PktTypes, RuleFixture<PktType>)
@@ -76,7 +77,8 @@
 BOOST_FIXTURE_TEST_CASE_TEMPLATE(EmptyRule, PktType, PktTypes, RuleFixture<PktType>)
 {
   BOOST_CHECK_EQUAL(this->rule.match(PktType::getType(), this->pktName, this->state), true);
-  BOOST_CHECK_EQUAL(this->rule.check(PktType::getType(), this->pktName, "/foo/bar", this->state), false);
+  BOOST_CHECK_EQUAL(this->rule.check(PktType::getType(), tlv::SignatureSha256WithRsa,
+                                     this->pktName, "/foo/bar", this->state), false);
 }
 
 BOOST_FIXTURE_TEST_CASE_TEMPLATE(Filters, PktType, PktTypes, RuleFixture<PktType>)
@@ -91,7 +93,8 @@
   BOOST_CHECK_EQUAL(this->rule.match(PktType::getType(), this->pktName, this->state), true);
   BOOST_CHECK_EQUAL(this->rule.match(PktType::getType(), "/not" + this->pktName.toUri(), this->state), true);
 
-  BOOST_CHECK_EQUAL(this->rule.check(PktType::getType(), this->pktName, "/foo/bar", this->state), false);
+  BOOST_CHECK_EQUAL(this->rule.check(PktType::getType(), tlv::SignatureSha256WithRsa,
+                                     this->pktName, "/foo/bar", this->state), false);
 }
 
 BOOST_FIXTURE_TEST_CASE_TEMPLATE(Checkers, PktType, PktTypes, RuleFixture<PktType>)
@@ -99,7 +102,8 @@
   auto testChecker = [this] (const Name& klName, bool expectedOutcome) {
     BOOST_TEST_CONTEXT(klName << " expected=" << expectedOutcome) {
       this->state = PktType::makeState(); // reset state
-      BOOST_CHECK_EQUAL(this->rule.check(PktType::getType(), this->pktName, klName, this->state),
+      BOOST_CHECK_EQUAL(this->rule.check(PktType::getType(), tlv::SignatureSha256WithRsa,
+                                         this->pktName, klName, this->state),
                         expectedOutcome);
 
       auto outcome = this->state->getOutcome();
@@ -113,14 +117,16 @@
     }
   };
 
-  this->rule.addChecker(make_unique<HyperRelationChecker>("^(<>+)$", "\\1",
+  this->rule.addChecker(make_unique<HyperRelationChecker>(tlv::SignatureSha256WithRsa,
+                                                          "^(<>+)$", "\\1",
                                                           "^<always>(<>+)$", "\\1",
                                                           NameRelation::EQUAL));
   testChecker("/always/foo/bar", true);
   testChecker("/seldomly/foo/bar", false);
   testChecker("/never/foo/bar", false);
 
-  this->rule.addChecker(make_unique<HyperRelationChecker>("^(<>+)$", "\\1",
+  this->rule.addChecker(make_unique<HyperRelationChecker>(tlv::SignatureSha256WithRsa,
+                                                          "^(<>+)$", "\\1",
                                                           "^<seldomly>(<>+)$", "\\1",
                                                           NameRelation::EQUAL));
   testChecker("/always/foo/bar", true);
@@ -189,13 +195,14 @@
     )CONF";
   auto rule = Rule::create(makeSection(config), "test-config");
 
-  BOOST_CHECK_EQUAL(rule->match(PktType::getType(), this->pktName, this->state), true);
-  BOOST_CHECK_EQUAL(rule->match(PktType::getType(), "/not" + this->pktName.toUri(), this->state), false);
+  BOOST_CHECK(rule->match(PktType::getType(), this->pktName, this->state));
+  BOOST_CHECK(!rule->match(PktType::getType(), "/not" + this->pktName.toUri(), this->state));
 
-  BOOST_CHECK_EQUAL(rule->check(PktType::getType(), this->pktName, "/foo/bar", this->state), true);
+  BOOST_CHECK(rule->check(PktType::getType(), tlv::SignatureSha256WithRsa, this->pktName, "/foo/bar", this->state));
+  BOOST_CHECK(!rule->check(PktType::getType(), tlv::SignatureSha256WithEcdsa, this->pktName, "/foo/bar", this->state));
 
   this->state = PktType::makeState(); // reset state
-  BOOST_CHECK_EQUAL(rule->check(PktType::getType(), this->pktName, "/not/foo/bar", this->state), false);
+  BOOST_CHECK(!rule->check(PktType::getType(), tlv::SignatureSha256WithRsa, this->pktName, "/not/foo/bar", this->state));
 }
 
 BOOST_AUTO_TEST_SUITE_END() // Create
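Review bot: The new ECDSA assertion calls `rule->check` on the state already used by the RSA check on the line before it, while the `/not/foo/bar` check below gets a fresh one via `this->state = PktType::makeState(); // reset state`. If a check can leave an outcome in the state, resetting before the ECDSA line as well would make the rejection attributable to the signature type alone: `this->state = PktType::makeState(); // reset state`. Separately, switching from `BOOST_CHECK_EQUAL` to `BOOST_CHECK` drops the expected and actual values from failure output and is unrelated to the sig-type change. The three new `rule->check` lines are also longer than the wrapped `rule.check` calls elsewhere in this file. The test case starts outside this hunk.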