security: Added SelfVerifyPolicyManager.
diff --git a/Makefile.am b/Makefile.am
index fea544b..f1e5135 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -64,6 +64,7 @@
include/ndn-cpp/security/identity/private-key-storage.hpp \
include/ndn-cpp/security/policy/no-verify-policy-manager.hpp \
include/ndn-cpp/security/policy/policy-manager.hpp \
+ include/ndn-cpp/security/policy/self-verify-policy-manager.hpp \
include/ndn-cpp/transport/tcp-transport.hpp \
include/ndn-cpp/transport/transport.hpp \
include/ndn-cpp/transport/udp-transport.hpp \
@@ -143,6 +144,7 @@
src/security/identity/memory-private-key-storage.cpp \
src/security/identity/osx-private-key-storage.cpp \
src/security/policy/no-verify-policy-manager.cpp \
+ src/security/policy/self-verify-policy-manager.cpp \
src/transport/tcp-transport.cpp \
src/transport/transport.cpp \
src/transport/udp-transport.cpp \
diff --git a/Makefile.in b/Makefile.in
index 2f037b1..a07f09c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -205,6 +205,7 @@
src/security/identity/memory-private-key-storage.lo \
src/security/identity/osx-private-key-storage.lo \
src/security/policy/no-verify-policy-manager.lo \
+ src/security/policy/self-verify-policy-manager.lo \
src/transport/tcp-transport.lo src/transport/transport.lo \
src/transport/udp-transport.lo src/util/blob.lo \
src/util/changed-event.lo src/util/dynamic-uint8-vector.lo \
@@ -620,6 +621,7 @@
include/ndn-cpp/security/identity/private-key-storage.hpp \
include/ndn-cpp/security/policy/no-verify-policy-manager.hpp \
include/ndn-cpp/security/policy/policy-manager.hpp \
+ include/ndn-cpp/security/policy/self-verify-policy-manager.hpp \
include/ndn-cpp/transport/tcp-transport.hpp \
include/ndn-cpp/transport/transport.hpp \
include/ndn-cpp/transport/udp-transport.hpp \
@@ -701,6 +703,7 @@
src/security/identity/memory-private-key-storage.cpp \
src/security/identity/osx-private-key-storage.cpp \
src/security/policy/no-verify-policy-manager.cpp \
+ src/security/policy/self-verify-policy-manager.cpp \
src/transport/tcp-transport.cpp \
src/transport/transport.cpp \
src/transport/udp-transport.cpp \
@@ -997,6 +1000,9 @@
src/security/policy/no-verify-policy-manager.lo: \
src/security/policy/$(am__dirstamp) \
src/security/policy/$(DEPDIR)/$(am__dirstamp)
+src/security/policy/self-verify-policy-manager.lo: \
+ src/security/policy/$(am__dirstamp) \
+ src/security/policy/$(DEPDIR)/$(am__dirstamp)
src/transport/$(am__dirstamp):
@$(MKDIR_P) src/transport
@: > src/transport/$(am__dirstamp)
@@ -1172,6 +1178,7 @@
@AMDEP_TRUE@@am__include@ @am__quote@src/security/identity/$(DEPDIR)/memory-private-key-storage.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@src/security/identity/$(DEPDIR)/osx-private-key-storage.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@src/security/policy/$(DEPDIR)/no-verify-policy-manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@src/security/policy/$(DEPDIR)/self-verify-policy-manager.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@src/transport/$(DEPDIR)/tcp-transport.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@src/transport/$(DEPDIR)/transport.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@src/transport/$(DEPDIR)/udp-transport.Plo@am__quote@
diff --git a/include/ndn-cpp/security/policy/self-verify-policy-manager.hpp b/include/ndn-cpp/security/policy/self-verify-policy-manager.hpp
new file mode 100644
index 0000000..14da3c1
--- /dev/null
+++ b/include/ndn-cpp/security/policy/self-verify-policy-manager.hpp
@@ -0,0 +1,96 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#ifndef NDN_SELF_VERIFY_POLICY_MANAGER_HPP
+#define NDN_SELF_VERIFY_POLICY_MANAGER_HPP
+
+#include "policy-manager.hpp"
+
+namespace ndn {
+
+class IdentityManager;
+
+/**
+ * A SelfVerifyPolicyManager implements a PolicyManager to use the public key DER in the data packet's KeyLocator (if available)
+ * or look in the IdentityStorage for the public key with the name in the KeyLocator (if available) and use
+ * it to verify the data packet, without searching a certificate chain. If the public key can't be found, the
+ * verification fails.
+ */
+class SelfVerifyPolicyManager : public PolicyManager {
+public:
+ /**
+ * Create a new SelfVerifyPolicyManager which will look up the public key in the given identityManager.
+ * @param identityManager (optional) The IdentityManager for looking up the public key. This points to an object must which remain
+ * valid during the life of this SelfVerifyPolicyManager. If omitted, then don't look for a public key with the name
+ * in the KeyLocator and rely on the KeyLocator having the full public key DER.
+ */
+ SelfVerifyPolicyManager(IdentityStorage* identityStorage = 0)
+ : identityStorage_(identityStorage)
+ {
+ }
+
+ /**
+ * The virtual destructor.
+ */
+ virtual
+ ~SelfVerifyPolicyManager();
+
+ /**
+ * Never skip verification.
+ * @param data The received data packet.
+ * @return false.
+ */
+ virtual bool
+ skipVerifyAndTrust(const Data& data);
+
+ /**
+ * Always return true to use the self-verification rule for the received data.
+ * @param data The received data packet.
+ * @return true.
+ */
+ virtual bool
+ requireVerify(const Data& data);
+
+ /**
+ * Use the public key DER in the data packet's KeyLocator (if available) or look in the IdentityStorage for the
+ * public key with the name in the KeyLocator (if available) and use it to verify the data packet. If the public key can't
+ * be found, call onVerifyFailed.
+ * @param data The Data object with the signature to check.
+ * @param stepCount The number of verification steps that have been done, used to track the verification progress.
+ * (stepCount is ignored.)
+ * @param onVerified If the signature is verified, this calls onVerified(data).
+ * @param onVerifyFailed If the signature check fails or can't find the public key, this calls onVerifyFailed(data).
+ * @return null for no further step for looking up a certificate chain.
+ */
+ virtual ptr_lib::shared_ptr<ValidationRequest>
+ checkVerificationPolicy
+ (const ptr_lib::shared_ptr<Data>& data, int stepCount, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed);
+
+ /**
+ * Override to always indicate that the signing certificate name and data name satisfy the signing policy.
+ * @param dataName The name of data to be signed.
+ * @param certificateName The name of signing certificate.
+ * @return true to indicate that the signing certificate can be used to sign the data.
+ */
+ virtual bool
+ checkSigningPolicy(const Name& dataName, const Name& certificateName);
+
+ /**
+ * Override to indicate that the signing identity cannot be inferred.
+ * @param dataName The name of data to be signed.
+ * @return An empty name because cannot infer.
+ */
+ virtual Name
+ inferSigningIdentity(const Name& dataName);
+
+private:
+ IdentityStorage* identityStorage_;
+};
+
+}
+
+#endif
diff --git a/src/security/policy/self-verify-policy-manager.cpp b/src/security/policy/self-verify-policy-manager.cpp
new file mode 100644
index 0000000..778f612
--- /dev/null
+++ b/src/security/policy/self-verify-policy-manager.cpp
@@ -0,0 +1,129 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
+/**
+ * Copyright (C) 2013 Regents of the University of California.
+ * @author: Yingdi Yu <yingdi@cs.ucla.edu>
+ * @author: Jeff Thompson <jefft0@remap.ucla.edu>
+ * See COPYING for copyright and distribution information.
+ */
+
+#include "../../c/util/crypto.h"
+#include <ndn-cpp/sha256-with-rsa-signature.hpp>
+#include <ndn-cpp/security/security-exception.hpp>
+#include <ndn-cpp/security/identity/identity-storage.hpp>
+#include <ndn-cpp/security/policy/self-verify-policy-manager.hpp>
+
+using namespace std;
+using namespace ndn::ptr_lib;
+
+namespace ndn {
+
+/**
+ * Verify the signature on the data packet using the given public key. If there is no data.getDefaultWireEncoding(),
+ * this calls data.wireEncode() to set it.
+ * TODO: Move this general verification code to a more central location.
+ * @param data The data packet with the signed portion and the signature to verify. The data packet must have a
+ * Sha256WithRsaSignature.
+ * @param publicKeyDer The DER-encoded public key used to verify the signature.
+ * @return true if the signature verifies, false if not.
+ * @throw SecurityException if data does not have a Sha256WithRsaSignature.
+ */
+static bool
+verifySha256WithRsaSignature(const Data& data, const Blob& publicKeyDer)
+{
+ const Sha256WithRsaSignature *signature = dynamic_cast<const Sha256WithRsaSignature*>(data.getSignature());
+ if (!signature)
+ throw SecurityException("signature is not Sha256WithRsaSignature.");
+
+ // Set the data packet's default wire encoding if it is not already there.
+ if (signature->getDigestAlgorithm().size() != 0)
+ // TODO: Allow a non-default digest algorithm.
+ throw UnrecognizedDigestAlgorithmException("Cannot verify a data packet with a non-default digest algorithm.");
+ if (!data.getDefaultWireEncoding())
+ data.wireEncode();
+
+ // Set signedPortionDigest to the digest of the signed portion of the wire encoding.
+ uint8_t signedPortionDigest[SHA256_DIGEST_LENGTH];
+ ndn_digestSha256(data.getDefaultWireEncoding().signedBuf(), data.getDefaultWireEncoding().signedSize(), signedPortionDigest);
+
+ // Verify the signedPortionDigest.
+ // Use a temporary pointer since d2i updates it.
+ const uint8_t *derPointer = publicKeyDer.buf();
+ RSA *rsaPublicKey = d2i_RSA_PUBKEY(NULL, &derPointer, publicKeyDer.size());
+ if (!rsaPublicKey)
+ throw UnrecognizedKeyFormatException("Error decoding public key in d2i_RSAPublicKey");
+ int success = RSA_verify
+ (NID_sha256, signedPortionDigest, sizeof(signedPortionDigest), (uint8_t *)signature->getSignature().buf(),
+ signature->getSignature().size(), rsaPublicKey);
+ // Free the public key before checking for success.
+ RSA_free(rsaPublicKey);
+
+ // RSA_verify returns 1 for a valid signature.
+ return (success == 1);
+}
+
+SelfVerifyPolicyManager::~SelfVerifyPolicyManager()
+{
+}
+
+bool
+SelfVerifyPolicyManager::skipVerifyAndTrust(const Data& data)
+{
+ return false;
+}
+
+bool
+SelfVerifyPolicyManager::requireVerify(const Data& data)
+{
+ return true;
+}
+
+shared_ptr<ValidationRequest>
+SelfVerifyPolicyManager::checkVerificationPolicy
+ (const shared_ptr<Data>& data, int stepCount, const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed)
+{
+ // Case to const Data* so that we use the const version of getSignature() and don't reset the default encoding.
+ const Sha256WithRsaSignature *signature = dynamic_cast<const Sha256WithRsaSignature*>(((const Data*)data.get())->getSignature());
+ if (!signature)
+ throw SecurityException("SelfVerifyPolicyManager: Signature is not Sha256WithRsaSignature.");
+
+ if (signature->getKeyLocator().getType() == ndn_KeyLocatorType_KEY) {
+ // Use the public key DER directly.
+ if (verifySha256WithRsaSignature(*data, signature->getKeyLocator().getKeyData()))
+ onVerified(data);
+ else
+ onVerifyFailed(data);
+ }
+ else if (signature->getKeyLocator().getType() == ndn_KeyLocatorType_KEYNAME && identityStorage_) {
+ // Assume the key name is a certificate name.
+ Blob publicKeyDer = identityStorage_->getKey
+ (IdentityCertificate::certificateNameToPublicKeyName(signature->getKeyLocator().getKeyName()));
+ if (!publicKeyDer)
+ // Can't find the public key with the name.
+ onVerifyFailed(data);
+
+ if (verifySha256WithRsaSignature(*data, publicKeyDer))
+ onVerified(data);
+ else
+ onVerifyFailed(data);
+ }
+ else
+ // Can't find a key to verify.
+ onVerifyFailed(data);
+
+ // No more steps, so return a null ValidationRequest.
+ return shared_ptr<ValidationRequest>();
+}
+
+bool
+SelfVerifyPolicyManager::checkSigningPolicy(const Name& dataName, const Name& certificateName)
+{
+ return true;
+}
+
+Name
+SelfVerifyPolicyManager::inferSigningIdentity(const Name& dataName)
+{
+ return Name();
+}
+
+}
diff --git a/tests/test-encode-decode-data.cpp b/tests/test-encode-decode-data.cpp
index 952e850..5791a84 100644
--- a/tests/test-encode-decode-data.cpp
+++ b/tests/test-encode-decode-data.cpp
@@ -12,7 +12,7 @@
#include <ndn-cpp/data.hpp>
#include <ndn-cpp/security/identity/memory-identity-storage.hpp>
#include <ndn-cpp/security/identity/memory-private-key-storage.hpp>
-#include <ndn-cpp/security/policy/no-verify-policy-manager.hpp>
+#include <ndn-cpp/security/policy/self-verify-policy-manager.hpp>
#include <ndn-cpp/security/key-chain.hpp>
#include <ndn-cpp/sha256-with-rsa-signature.hpp>
@@ -241,7 +241,8 @@
shared_ptr<MemoryIdentityStorage> identityStorage(new MemoryIdentityStorage());
shared_ptr<MemoryPrivateKeyStorage> privateKeyStorage(new MemoryPrivateKeyStorage());
KeyChain keyChain
- (make_shared<IdentityManager>(identityStorage, privateKeyStorage), make_shared<NoVerifyPolicyManager>());
+ (make_shared<IdentityManager>(identityStorage, privateKeyStorage),
+ make_shared<SelfVerifyPolicyManager>(identityStorage.get()));
// Initialize the storage.
Name keyName("/testname/DSK-123");