security: Enable validator fetch cert directly from interest sender
Change-Id: I8fab50145a9a053c85c1b2c6be752ba71b0120ef
Refs: #2237
diff --git a/src/security/validation-request.hpp b/src/security/validation-request.hpp
index 000f61b..a48e365 100644
--- a/src/security/validation-request.hpp
+++ b/src/security/validation-request.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -17,8 +17,6 @@
* <http://www.gnu.org/licenses/>.
*
* See AUTHORS.md for complete list of ndn-cxx authors and contributors.
- *
- * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
*/
#ifndef NDN_SECURITY_VALIDATION_REQUEST_HPP
@@ -58,17 +56,14 @@
ValidationRequest(const Interest& interest,
const OnDataValidated& onDataValidated,
const OnDataValidationFailed& onDataValidationFailed,
- int nRetries, int nSteps)
+ int nRetries, int nSteps,
+ uint64_t requesterFaceId = 0)
: m_interest(interest)
, m_onDataValidated(onDataValidated)
, m_onDataValidationFailed(onDataValidationFailed)
, m_nRetries(nRetries)
, m_nSteps(nSteps)
- {
- }
-
- virtual
- ~ValidationRequest()
+ , m_requesterFaceId(requesterFaceId)
{
}
@@ -82,6 +77,8 @@
int m_nRetries;
/// @brief the number of validation steps that have been performed.
int m_nSteps;
+ /// @brief the incoming face id of the origin packet.
+ uint64_t m_requesterFaceId;
};
} // namespace security
diff --git a/src/security/validator-config.cpp b/src/security/validator-config.cpp
index 13bcc73..64c0187 100644
--- a/src/security/validator-config.cpp
+++ b/src/security/validator-config.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -17,14 +17,12 @@
* <http://www.gnu.org/licenses/>.
*
* See AUTHORS.md for complete list of ndn-cxx authors and contributors.
- *
- * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
- * @author Zhiyi Zhang <zhangzhiyi1919@gmail.com>
*/
#include "validator-config.hpp"
#include "certificate-cache-ttl.hpp"
#include "../util/io.hpp"
+#include "../lp/tags.hpp"
#include <boost/filesystem.hpp>
#include <boost/property_tree/info_parser.hpp>
@@ -722,10 +720,16 @@
Interest certInterest(keyLocatorName);
+ uint64_t incomingFaceId = 0;
+ auto incomingFaceIdTag = packet.template getTag<lp::IncomingFaceIdTag>();
+ if (incomingFaceIdTag != nullptr) {
+ incomingFaceId = incomingFaceIdTag->get();
+ }
auto nextStep = make_shared<ValidationRequest>(certInterest,
onCertValidated,
onCertValidationFailed,
- 1, nSteps + 1);
+ 1, nSteps + 1,
+ incomingFaceId);
nextSteps.push_back(nextStep);
return;
diff --git a/src/security/validator-config.hpp b/src/security/validator-config.hpp
index 2a5fac9..47d536e 100644
--- a/src/security/validator-config.hpp
+++ b/src/security/validator-config.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -17,9 +17,6 @@
* <http://www.gnu.org/licenses/>.
*
* See AUTHORS.md for complete list of ndn-cxx authors and contributors.
- *
- * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
- * @author Zhiyi Zhang <zhangzhiyi1919@gmail.com>
*/
#ifndef NDN_SECURITY_VALIDATOR_CONFIG_HPP
diff --git a/src/security/validator.cpp b/src/security/validator.cpp
index 84aaa0f..d3af387 100644
--- a/src/security/validator.cpp
+++ b/src/security/validator.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -17,13 +17,11 @@
* <http://www.gnu.org/licenses/>.
*
* See AUTHORS.md for complete list of ndn-cxx authors and contributors.
- *
- * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
- * @author Jeff Thompson <jefft0@remap.ucla.edu>
*/
#include "validator.hpp"
#include "../util/crypto.hpp"
+#include "../lp/tags.hpp"
#include "v1/cryptopp.hpp"
@@ -35,11 +33,12 @@
Validator::Validator(Face* face)
: m_face(face)
+ , m_wantDirectCertFetch(false)
{
}
Validator::Validator(Face& face)
- : m_face(&face)
+ : Validator(&face)
{
}
@@ -311,6 +310,12 @@
}
for (shared_ptr<ValidationRequest> step : nextSteps) {
+ if (m_wantDirectCertFetch && step->m_requesterFaceId != 0) {
+ Interest directFetchInterest(step->m_interest);
+ directFetchInterest.refreshNonce();
+ directFetchInterest.setTag(make_shared<lp::NextHopFaceIdTag>(step->m_requesterFaceId));
+ m_face->expressInterest(directFetchInterest, nullptr, nullptr, nullptr);
+ }
m_face->expressInterest(step->m_interest,
bind(&Validator::onData, this, _1, _2, step),
bind(&Validator::onNack, this, _1, _2,
@@ -322,5 +327,11 @@
}
}
+void
+Validator::setDirectCertFetchEnabled(bool isEnabled)
+{
+ m_wantDirectCertFetch = isEnabled;
+}
+
} // namespace security
} // namespace ndn
diff --git a/src/security/validator.hpp b/src/security/validator.hpp
index edc0365..bb401b9 100644
--- a/src/security/validator.hpp
+++ b/src/security/validator.hpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/**
- * Copyright (c) 2013-2016 Regents of the University of California.
+ * Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -17,9 +17,6 @@
* <http://www.gnu.org/licenses/>.
*
* See AUTHORS.md for complete list of ndn-cxx authors and contributors.
- *
- * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
- * @author Jeff Thompson <jefft0@remap.ucla.edu>
*/
#ifndef NDN_SECURITY_VALIDATOR_HPP
@@ -100,6 +97,27 @@
validate(interest, onValidated, onValidationFailed, 0);
}
+ /**
+ * @brief Enable or disable the direct certificate fetch feature.
+ *
+ * When enabled, the validator will attempt to fetch the certificate that signs an Interest from
+ * the sender of that Interest, as identified by IncomingFaceId field, in addition to fetching
+ * from the infrastructure.
+ *
+ * Prior to enabling this feature, the application must enable NextHopFaceId privilege on the face
+ * used by this validator.
+ *
+ * @note Current implementation can only fetch the Interest signer certificate from the
+ * Interest sender; the issuer certificate of that certificate is only fetched from the
+ * infrastructure.
+ *
+ * @note Currently, this feature can only be used with ValidatorConfig.
+ *
+ * @param isEnabled Set true to enable the feature or false to disable.
+ */
+ void
+ setDirectCertFetchEnabled(bool isEnabled);
+
/*****************************************
* verifySignature method set *
*****************************************/
@@ -329,6 +347,7 @@
protected:
Face* m_face;
+ bool m_wantDirectCertFetch;
};
} // namespace security