security: Support ECDSA verification in all related classes.
This commit also addresses some old issues, such as "using namespace std".
Change-Id: I62b8ff97fb2b6f6cfe04b0ad5866bc0797e6e43b
Refs: #1660
diff --git a/docs/tutorials/security-validator-config.rst b/docs/tutorials/security-validator-config.rst
index b3b99dc..7abcc4c 100644
--- a/docs/tutorials/security-validator-config.rst
+++ b/docs/tutorials/security-validator-config.rst
@@ -215,13 +215,14 @@
}
}
-The property **sig-type** specifies the acceptable signature type. Right
-now two signature types have been defined: **rsa-sha256** (which is a
-strong signature type) and **sha256** (which is a weak signature type).
+The property **sig-type** specifies the acceptable signature type.
+Right now three signature types have been defined: **rsa-sha256** and
+**ecdsa-sha256** (which are strong signature types) and **sha256**
+(which is a weak signature type).
If sig-type is sha256, then **key-locator** will be ignored. Validator
will simply calculate the digest of a packet and compare it with the one
-in ``SignatureValue``. If sig-type is rsa-sha256, you have to further
-customize the checker with **key-locator**.
+in ``SignatureValue``. If sig-type is rsa-sha256 or ecdsa-sha256, you
+have to further customize the checker with **key-locator**.
The property **key-locator** which specifies the conditions on
``KeyLocator``. If the **key-locator** property is specified, it
diff --git a/src/security/certificate-extension.cpp b/src/security/certificate-extension.cpp
index 8275941..d215662 100644
--- a/src/security/certificate-extension.cpp
+++ b/src/security/certificate-extension.cpp
@@ -27,14 +27,13 @@
#include "certificate-extension.hpp"
#include "cryptopp.hpp"
-using namespace std;
-using namespace CryptoPP;
-
namespace ndn {
void
CertificateExtension::encode(CryptoPP::BufferedTransformation& out) const
{
+ using namespace CryptoPP;
+
// Extension ::= SEQUENCE {
// extnID OBJECT IDENTIFIER,
// critical BOOLEAN DEFAULT FALSE,
@@ -52,6 +51,8 @@
void
CertificateExtension::decode(CryptoPP::BufferedTransformation& in)
{
+ using namespace CryptoPP;
+
// Extension ::= SEQUENCE {
// extnID OBJECT IDENTIFIER,
// critical BOOLEAN DEFAULT FALSE,
diff --git a/src/security/certificate-subject-description.cpp b/src/security/certificate-subject-description.cpp
index 86ab52d..60f7dbb 100644
--- a/src/security/certificate-subject-description.cpp
+++ b/src/security/certificate-subject-description.cpp
@@ -29,14 +29,12 @@
#include "cryptopp.hpp"
-using namespace std;
-using namespace CryptoPP;
-
namespace ndn {
void
CertificateSubjectDescription::encode(CryptoPP::BufferedTransformation& out) const
{
+ using namespace CryptoPP;
// RelativeDistinguishedName ::=
// SET OF AttributeTypeAndValue
//
@@ -58,6 +56,7 @@
void
CertificateSubjectDescription::decode(CryptoPP::BufferedTransformation& in)
{
+ using namespace CryptoPP;
// RelativeDistinguishedName ::=
// SET OF AttributeTypeAndValue
//
diff --git a/src/security/certificate.cpp b/src/security/certificate.cpp
index 167992b..7173d52 100644
--- a/src/security/certificate.cpp
+++ b/src/security/certificate.cpp
@@ -31,8 +31,6 @@
#include "../encoding/cryptopp/asn_ext.hpp"
#include "../encoding/buffer-stream.hpp"
-using namespace std;
-
namespace ndn {
Certificate::Certificate()
@@ -79,13 +77,13 @@
// Content
// DER encoded idCert:
//
- // idCert ::= SEQUENCE {
+ // idCert ::= SEQUENCE {
// validity Validity,
- // subject Name,
- // subjectPubKeyInfo SubjectPublicKeyInfo,
- // extension Extensions OPTIONAL }
+ // subject Name,
+ // subjectPubKeyInfo SubjectPublicKeyInfo,
+ // extension Extensions OPTIONAL }
//
- // Validity ::= SEQUENCE {
+ // Validity ::= SEQUENCE {
// notBefore Time,
// notAfter Time }
//
@@ -97,7 +95,7 @@
// RelativeDistinguishedName ::=
// SET OF AttributeTypeAndValue
//
- // SubjectPublicKeyInfo ::= SEQUENCE {
+ // SubjectPublicKeyInfo ::= SEQUENCE {
// algorithm AlgorithmIdentifier
// keybits BIT STRING }
//
@@ -244,22 +242,22 @@
void
Certificate::printCertificate(std::ostream& os) const
{
- os << "Certificate name:" << endl;
- os << " " << getName() << endl;
- os << "Validity:" << endl;
+ os << "Certificate name:" << std::endl;
+ os << " " << getName() << std::endl;
+ os << "Validity:" << std::endl;
{
- os << " NotBefore: " << time::toIsoString(m_notBefore) << endl;
- os << " NotAfter: " << time::toIsoString(m_notAfter) << endl;
+ os << " NotBefore: " << time::toIsoString(m_notBefore) << std::endl;
+ os << " NotAfter: " << time::toIsoString(m_notAfter) << std::endl;
}
- os << "Subject Description:" << endl;
+ os << "Subject Description:" << std::endl;
for (SubjectDescriptionList::const_iterator it = m_subjectDescriptionList.begin();
it != m_subjectDescriptionList.end(); ++it)
{
- os << " " << it->getOidString() << ": " << it->getValue() << endl;
+ os << " " << it->getOidString() << ": " << it->getValue() << std::endl;
}
- os << "Public key bits:" << endl;
+ os << "Public key bits:" << std::endl;
CryptoPP::Base64Encoder encoder(new CryptoPP::FileSink(os), true, 64);
m_key.encode(encoder);
}
diff --git a/src/security/conf/checker.hpp b/src/security/conf/checker.hpp
index a9ab2a9..11f4da1 100644
--- a/src/security/conf/checker.hpp
+++ b/src/security/conf/checker.hpp
@@ -28,6 +28,7 @@
#include "key-locator-checker.hpp"
#include "../../util/io.hpp"
+#include "../validator.hpp"
#include <boost/algorithm/string.hpp>
#include <boost/filesystem.hpp>
@@ -41,10 +42,16 @@
{
public:
typedef function<void(const shared_ptr<const Interest>&)> OnInterestChecked;
- typedef function<void(const shared_ptr<const Interest>&, const std::string&)> OnInterestCheckFailed;
+ typedef function<void(const shared_ptr<const Interest>&,
+ const std::string&)> OnInterestCheckFailed;
typedef function<void(const shared_ptr<const Data>&)> OnDataChecked;
typedef function<void(const shared_ptr<const Data>&, const std::string&)> OnDataCheckFailed;
+ enum {
+ INTEREST_SIG_VALUE = -1,
+ INTEREST_SIG_INFO = -2
+ };
+
virtual
~Checker()
@@ -84,20 +91,27 @@
class CustomizedChecker : public Checker
{
- enum
- {
- INTEREST_SIG_VALUE = -1,
- INTEREST_SIG_INFO = -2
- };
-
public:
CustomizedChecker(uint32_t sigType,
shared_ptr<KeyLocatorChecker> keyLocatorChecker)
: m_sigType(sigType)
, m_keyLocatorChecker(keyLocatorChecker)
{
- if (m_sigType == Signature::Sha256WithRsa && !static_cast<bool>(m_keyLocatorChecker))
- throw Error("Strong signature requires KeyLocatorChecker");
+ switch (sigType)
+ {
+ case Tlv::SignatureSha256WithRsa:
+ case Tlv::SignatureSha256WithEcdsa:
+ {
+ if (!static_cast<bool>(m_keyLocatorChecker))
+ throw Error("Strong signature requires KeyLocatorChecker");
+
+ return;
+ }
+ case Tlv::DigestSha256:
+ return;
+ default:
+ throw Error("Unsupported signature type");
+ }
}
virtual int8_t
@@ -116,8 +130,8 @@
try
{
const Name& interestName = interest.getName();
- Signature signature(interestName[INTEREST_SIG_INFO].blockFromValue(),
- interestName[INTEREST_SIG_VALUE].blockFromValue());
+ Signature signature(interestName[Checker::INTEREST_SIG_INFO].blockFromValue(),
+ interestName[Checker::INTEREST_SIG_VALUE].blockFromValue());
return check(interest, signature, onValidated, onValidationFailed);
}
catch (Signature::Error& e)
@@ -149,39 +163,54 @@
return -1;
}
- switch (signature.getType())
- {
- case Signature::Sha256WithRsa:
- {
- try
- {
- SignatureSha256WithRsa sig(signature);
+ if (signature.getType() == Tlv::DigestSha256)
+ return 0;
- std::string failInfo;
- if (m_keyLocatorChecker->check(packet, sig.getKeyLocator(), failInfo))
- return 0;
- else
- {
- onValidationFailed(packet.shared_from_this(), failInfo);
- return -1;
- }
+ shared_ptr<SignatureWithPublicKey> publicKeySig;
+
+ try
+ {
+ switch (signature.getType())
+ {
+ case Tlv::SignatureSha256WithRsa:
+ {
+ publicKeySig = make_shared<SignatureSha256WithRsa>(signature);
+ break;
}
- catch (SignatureSha256WithRsa::Error& e)
+ case Tlv::SignatureSha256WithEcdsa:
+ {
+ publicKeySig = make_shared<SignatureSha256WithEcdsa>(signature);
+ break;
+ }
+ default:
{
onValidationFailed(packet.shared_from_this(),
- "Cannot decode Sha256WithRsa signature!");
+ "Unsupported signature type: " +
+ boost::lexical_cast<std::string>(signature.getType()));
return -1;
}
- }
- case Signature::Sha256:
- return 0;
- default:
- {
- onValidationFailed(packet.shared_from_this(),
- "Unsupported signature type: " +
- boost::lexical_cast<std::string>(signature.getType()));
- return -1;
- }
+ }
+ }
+ catch (Tlv::Error& e)
+ {
+ onValidationFailed(packet.shared_from_this(),
+ "Cannot decode signature");
+ return -1;
+ }
+ catch (KeyLocator::Error& e)
+ {
+ onValidationFailed(packet.shared_from_this(),
+ "Cannot decode KeyLocator");
+ return -1;
+ }
+
+ std::string failInfo;
+ if (m_keyLocatorChecker->check(packet, publicKeySig->getKeyLocator(), failInfo))
+ return 0;
+ else
+ {
+ onValidationFailed(packet.shared_from_this(), failInfo);
+ return -1;
}
}
@@ -206,11 +235,6 @@
class FixedSignerChecker : public Checker
{
- enum
- {
- INTEREST_SIG_VALUE = -1,
- INTEREST_SIG_INFO = -2
- };
public:
FixedSignerChecker(uint32_t sigType,
const std::vector<shared_ptr<IdentityCertificate> >& signers)
@@ -219,6 +243,13 @@
for (std::vector<shared_ptr<IdentityCertificate> >::const_iterator it = signers.begin();
it != signers.end(); it++)
m_signers[(*it)->getName().getPrefix(-1)] = (*it);
+
+ if (sigType != Tlv::SignatureSha256WithRsa &&
+ sigType != Tlv::SignatureSha256WithEcdsa)
+ {
+ throw Error("FixedSigner is only meaningful for strong signature type");
+ }
+
}
virtual int8_t
@@ -237,8 +268,8 @@
try
{
const Name& interestName = interest.getName();
- Signature signature(interestName[INTEREST_SIG_INFO].blockFromValue(),
- interestName[INTEREST_SIG_VALUE].blockFromValue());
+ Signature signature(interestName[Checker::INTEREST_SIG_INFO].blockFromValue(),
+ interestName[Checker::INTEREST_SIG_VALUE].blockFromValue());
return check(interest, signature, onValidated, onValidationFailed);
}
catch (Signature::Error& e)
@@ -263,69 +294,79 @@
if (m_sigType != signature.getType())
{
onValidationFailed(packet.shared_from_this(),
- "Signature type does not match: "
- + boost::lexical_cast<std::string>(m_sigType)
- + "!="
- + boost::lexical_cast<std::string>(signature.getType()));
+ "Signature type does not match: " +
+ boost::lexical_cast<std::string>(m_sigType) +
+ "!=" +
+ boost::lexical_cast<std::string>(signature.getType()));
return -1;
}
- switch (signature.getType())
+ if (signature.getType() == Tlv::DigestSha256)
{
- case Signature::Sha256WithRsa:
- {
- try
+ onValidationFailed(packet.shared_from_this(),
+ "FixedSigner does not allow Sha256 signature type");
+ return -1;
+ }
+
+ shared_ptr<SignatureWithPublicKey> publicKeySig;
+
+ try
+ {
+ switch (signature.getType())
+ {
+ case Tlv::SignatureSha256WithRsa:
{
- SignatureSha256WithRsa sig(signature);
-
- const Name& keyLocatorName = sig.getKeyLocator().getName();
- if (m_signers.find(keyLocatorName) == m_signers.end())
- {
- onValidationFailed(packet.shared_from_this(),
- "Signer is not in the fixed signer list: "
- + keyLocatorName.toUri());
- return -1;
- }
-
- if (Validator::verifySignature(packet, sig,
- m_signers[keyLocatorName]->getPublicKeyInfo()))
- {
- onValidated(packet.shared_from_this());
- return 1;
- }
- else
- {
- onValidationFailed(packet.shared_from_this(),
- "Signature cannot be validated!");
- return -1;
- }
+ publicKeySig = make_shared<SignatureSha256WithRsa>(signature);
+ break;
}
- catch (KeyLocator::Error& e)
+ case Tlv::SignatureSha256WithEcdsa:
+ {
+ publicKeySig = make_shared<SignatureSha256WithEcdsa>(signature);
+ break;
+ }
+ default:
{
onValidationFailed(packet.shared_from_this(),
- "KeyLocator does not have name!");
+ "Unsupported signature type: " +
+ boost::lexical_cast<std::string>(signature.getType()));
return -1;
}
- catch (SignatureSha256WithRsa::Error& e)
- {
- onValidationFailed(packet.shared_from_this(),
- "Cannot decode signature!");
- return -1;
- }
- }
- case Signature::Sha256:
- {
- onValidationFailed(packet.shared_from_this(),
- "FixedSigner does not allow Sha256 signature type!");
- return -1;
- }
- default:
- {
- onValidationFailed(packet.shared_from_this(),
- "Unsupported signature type: "
- + boost::lexical_cast<std::string>(signature.getType()));
- return -1;
- }
+ }
+
+ const Name& keyLocatorName = publicKeySig->getKeyLocator().getName();
+
+ if (m_signers.find(keyLocatorName) == m_signers.end())
+ {
+ onValidationFailed(packet.shared_from_this(),
+ "Signer is not in the fixed signer list: " +
+ keyLocatorName.toUri());
+ return -1;
+ }
+
+ if (Validator::verifySignature(packet, *publicKeySig,
+ m_signers[keyLocatorName]->getPublicKeyInfo()))
+ {
+ onValidated(packet.shared_from_this());
+ return 1;
+ }
+ else
+ {
+ onValidationFailed(packet.shared_from_this(),
+ "Signature cannot be validated");
+ return -1;
+ }
+ }
+ catch (KeyLocator::Error& e)
+ {
+ onValidationFailed(packet.shared_from_this(),
+ "KeyLocator does not have name");
+ return -1;
+ }
+ catch (Tlv::Error& e)
+ {
+ onValidationFailed(packet.shared_from_this(),
+ "Cannot decode signature");
+ return -1;
}
}
@@ -353,7 +394,7 @@
// Get checker.type
if (propertyIt == configSection.end() || !boost::iequals(propertyIt->first, "type"))
- throw Error("Expect <checker.type>!");
+ throw Error("Expect <checker.type>");
std::string type = propertyIt->second.data();
@@ -377,21 +418,21 @@
// Get checker.sig-type
if (propertyIt == configSection.end() || !boost::iequals(propertyIt->first, "sig-type"))
- throw Error("Expect <checker.sig-type>!");
+ throw Error("Expect <checker.sig-type>");
std::string sigType = propertyIt->second.data();
propertyIt++;
// Get checker.key-locator
if (propertyIt == configSection.end() || !boost::iequals(propertyIt->first, "key-locator"))
- throw Error("Expect <checker.key-locator>!");
+ throw Error("Expect <checker.key-locator>");
shared_ptr<KeyLocatorChecker> keyLocatorChecker =
KeyLocatorCheckerFactory::create(propertyIt->second, configFilename);
propertyIt++;
if (propertyIt != configSection.end())
- throw Error("Expect the end of checker!");
+ throw Error("Expect the end of checker");
return make_shared<CustomizedChecker>(getSigType(sigType), keyLocatorChecker);
}
@@ -405,13 +446,13 @@
// Get checker.sig-type
if (propertyIt == configSection.end() || !boost::iequals(propertyIt->first, "sig-type"))
- throw Error("Expect <checker.sig-type>!");
+ throw Error("Expect <checker.sig-type>");
std::string sigType = propertyIt->second.data();
propertyIt++;
if (propertyIt != configSection.end())
- throw Error("Expect the end of checker!");
+ throw Error("Expect the end of checker");
return make_shared<HierarchicalChecker>(getSigType(sigType));
}
@@ -425,7 +466,7 @@
// Get checker.sig-type
if (propertyIt == configSection.end() || !boost::iequals(propertyIt->first, "sig-type"))
- throw Error("Expect <checker.sig-type>!");
+ throw Error("Expect <checker.sig-type>");
std::string sigType = propertyIt->second.data();
propertyIt++;
@@ -434,14 +475,14 @@
for (; propertyIt != configSection.end(); propertyIt++)
{
if (!boost::iequals(propertyIt->first, "signer"))
- throw Error("Expect <checker.signer> but get <checker."
- + propertyIt->first + ">");
+ throw Error("Expect <checker.signer> but get <checker." +
+ propertyIt->first + ">");
signers.push_back(getSigner(propertyIt->second, configFilename));
}
if (propertyIt != configSection.end())
- throw Error("Expect the end of checker!");
+ throw Error("Expect the end of checker");
return shared_ptr<FixedSignerChecker>(new FixedSignerChecker(getSigType(sigType),
signers));
@@ -456,7 +497,7 @@
// Get checker.signer.type
if (propertyIt == configSection.end() || !boost::iequals(propertyIt->first, "type"))
- throw Error("Expect <checker.signer.type>!");
+ throw Error("Expect <checker.signer.type>");
std::string type = propertyIt->second.data();
propertyIt++;
@@ -465,7 +506,7 @@
{
// Get checker.signer.file-name
if (propertyIt == configSection.end() || !boost::iequals(propertyIt->first, "file-name"))
- throw Error("Expect <checker.signer.file-name>!");
+ throw Error("Expect <checker.signer.file-name>");
path certfilePath = absolute(propertyIt->second.data(),
path(configFilename).parent_path());
@@ -480,15 +521,15 @@
if (static_cast<bool>(idCert))
return idCert;
else
- throw Error("Cannot read certificate from file: "
- + certfilePath.native());
+ throw Error("Cannot read certificate from file: " +
+ certfilePath.native());
}
else if (boost::iequals(type, "base64"))
{
// Get checker.signer.base64-string
if (propertyIt == configSection.end() ||
!boost::iequals(propertyIt->first, "base64-string"))
- throw Error("Expect <checker.signer.base64-string>!");
+ throw Error("Expect <checker.signer.base64-string>");
std::stringstream ss(propertyIt->second.data());
propertyIt++;
@@ -507,15 +548,17 @@
throw Error("Unsupported checker.signer type: " + type);
}
- static int32_t
+ static uint32_t
getSigType(const std::string& sigType)
{
if (boost::iequals(sigType, "rsa-sha256"))
- return Signature::Sha256WithRsa;
+ return Tlv::SignatureSha256WithRsa;
+ else if (boost::iequals(sigType, "ecdsa-sha256"))
+ return Tlv::SignatureSha256WithEcdsa;
else if (boost::iequals(sigType, "sha256"))
- return Signature::Sha256;
+ return Tlv::DigestSha256;
else
- return -1;
+ throw Error("Unsupported signature type");
}
};
@@ -523,4 +566,4 @@
} // namespace security
} // namespace ndn
-#endif // NDN_SECURITY_SEC_CONF_RULE_SIGNER_HPP
+#endif // NDN_SECURITY_CONF_CHECKER_HPP
diff --git a/src/security/conf/key-locator-checker.hpp b/src/security/conf/key-locator-checker.hpp
index ff9e5fc..7d5bb9c 100644
--- a/src/security/conf/key-locator-checker.hpp
+++ b/src/security/conf/key-locator-checker.hpp
@@ -27,6 +27,7 @@
#include "../../common.hpp"
#include "../../data.hpp"
#include "../../interest.hpp"
+#include "../../util/regex.hpp"
#include "../security-common.hpp"
#include <boost/algorithm/string.hpp>
@@ -50,12 +51,11 @@
class KeyLocatorChecker
{
public:
- enum Relation
- {
- RELATION_EQUAL,
- RELATION_IS_PREFIX_OF,
- RELATION_IS_STRICT_PREFIX_OF
- };
+ enum Relation {
+ RELATION_EQUAL,
+ RELATION_IS_PREFIX_OF,
+ RELATION_IS_STRICT_PREFIX_OF
+ };
virtual
~KeyLocatorChecker()
@@ -264,8 +264,8 @@
}
catch (Name::Error& e)
{
- throw Error("Invalid checker.key-locator.name: "
- + propertyIt->second.data());
+ throw Error("Invalid checker.key-locator.name: " +
+ propertyIt->second.data());
}
propertyIt++;
@@ -361,8 +361,7 @@
else if (boost::iequals(hRelation, "is-strict-prefix-of"))
relation = KeyLocatorChecker::RELATION_IS_STRICT_PREFIX_OF;
else
- throw Error("Unsupported checker.key-locator.hyper-relation.h-relation: "
- + hRelation);
+ throw Error("Unsupported checker.key-locator.hyper-relation.h-relation: " + hRelation);
try
{
diff --git a/src/security/digest-sha256.hpp b/src/security/digest-sha256.hpp
index 19833e1..6221ee6 100644
--- a/src/security/digest-sha256.hpp
+++ b/src/security/digest-sha256.hpp
@@ -47,7 +47,7 @@
{
m_info = Block(Tlv::SignatureInfo);
- m_type = Signature::Sha256;
+ m_type = Tlv::DigestSha256;
m_info.push_back(nonNegativeIntegerBlock(Tlv::SignatureType, Tlv::DigestSha256));
}
@@ -55,7 +55,7 @@
DigestSha256(const Signature& signature)
: Signature(signature)
{
- if (getType() != Signature::Sha256)
+ if (getType() != Tlv::DigestSha256)
throw Error("Incorrect signature type");
}
};
diff --git a/src/security/identity-certificate.cpp b/src/security/identity-certificate.cpp
index d4b0d38..685fa29 100644
--- a/src/security/identity-certificate.cpp
+++ b/src/security/identity-certificate.cpp
@@ -25,10 +25,10 @@
#include "identity-certificate.hpp"
-using namespace std;
-
namespace ndn {
+using std::string;
+
bool
IdentityCertificate::isCorrectName(const Name& name)
{
diff --git a/src/security/key-chain.cpp b/src/security/key-chain.cpp
index 69d5b48..9c5e000 100644
--- a/src/security/key-chain.cpp
+++ b/src/security/key-chain.cpp
@@ -122,6 +122,15 @@
throw Error("TPM type '" + tpmName + "' is not supported");
}
+KeyChain::~KeyChain()
+{
+ if (m_pib != 0)
+ delete m_pib;
+
+ if (m_tpm != 0)
+ delete m_tpm;
+}
+
Name
KeyChain::createIdentity(const Name& identityName, const KeyParams& params)
{
diff --git a/src/security/key-chain.hpp b/src/security/key-chain.hpp
index b6b9bbf..0a6c65c 100644
--- a/src/security/key-chain.hpp
+++ b/src/security/key-chain.hpp
@@ -75,14 +75,7 @@
const std::string& tpmName);
virtual
- ~KeyChain()
- {
- if (m_pib != 0)
- delete m_pib;
-
- if (m_tpm != 0)
- delete m_tpm;
- }
+ ~KeyChain();
/**
* @brief Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a
@@ -777,35 +770,20 @@
void
KeyChain::sign(T& packet, const IdentityCertificate& certificate)
{
- switch (certificate.getPublicKeyInfo().getKeyType())
- {
- case KEY_TYPE_RSA:
- {
- // For temporary usage, we support SHA256 only, but will support more.
- SignatureSha256WithRsa signature;
- // implicit conversion should take care
- signature.setKeyLocator(certificate.getName().getPrefix(-1));
- signPacketWrapper(packet, signature,
- certificate.getPublicKeyName(),
- DIGEST_ALGORITHM_SHA256);
- return;
- }
- case KEY_TYPE_ECDSA:
- {
- // For temporary usage, we support SHA256 only, but will support more.
- SignatureSha256WithEcdsa signature;
- // implicit conversion should take care
- signature.setKeyLocator(certificate.getName().getPrefix(-1));
+ shared_ptr<SignatureWithPublicKey> signature =
+ determineSignatureWithPublicKey(certificate.getPublicKeyInfo().getKeyType());
- signPacketWrapper(packet, signature,
- certificate.getPublicKeyName(),
- DIGEST_ALGORITHM_SHA256);
- return;
- }
- default:
- throw SecPublicInfo::Error("unknown key type!");
- }
+ if (!static_cast<bool>(signature))
+ throw SecPublicInfo::Error("unknown key type!");
+
+ signature->setKeyLocator(certificate.getName().getPrefix(-1));
+
+ signPacketWrapper(packet, *signature,
+ certificate.getPublicKeyName(),
+ DIGEST_ALGORITHM_SHA256);
+
+ return;
}
}
diff --git a/src/security/public-key.cpp b/src/security/public-key.cpp
index 212bc3a..bed8f81 100644
--- a/src/security/public-key.cpp
+++ b/src/security/public-key.cpp
@@ -27,9 +27,6 @@
#include "../encoding/oid.hpp"
#include "cryptopp.hpp"
-using namespace std;
-using namespace CryptoPP;
-
namespace ndn {
static OID RSA_OID("1.2.840.113549.1.1.1");
@@ -43,7 +40,7 @@
PublicKey::PublicKey(const uint8_t* keyDerBuf, size_t keyDerSize)
: m_type(KEY_TYPE_NULL)
{
- StringSource src(keyDerBuf, keyDerSize, true);
+ CryptoPP::StringSource src(keyDerBuf, keyDerSize, true);
decode(src);
}
@@ -64,6 +61,7 @@
// algorithm AlgorithmIdentifier
// keybits BIT STRING }
+ using namespace CryptoPP;
try
{
std::string out;
diff --git a/src/security/sec-public-info-sqlite3.cpp b/src/security/sec-public-info-sqlite3.cpp
index 7e86773..354c5aa 100644
--- a/src/security/sec-public-info-sqlite3.cpp
+++ b/src/security/sec-public-info-sqlite3.cpp
@@ -37,10 +37,11 @@
#include <fstream>
#include <boost/filesystem.hpp>
-using namespace std;
-
namespace ndn {
+using std::string;
+using std::vector;
+
static const string INIT_ID_TABLE = "\
CREATE TABLE IF NOT EXISTS \n \
Identity( \n \
@@ -104,7 +105,7 @@
SecPublicInfoSqlite3::SecPublicInfoSqlite3()
{
boost::filesystem::path identityDir = boost::filesystem::path(getenv("HOME")) / ".ndn";
- boost::filesystem::create_directories (identityDir);
+ boost::filesystem::create_directories(identityDir);
/// @todo Add define for windows/unix in wscript. The following may completely fail on windows
int res = sqlite3_open_v2((identityDir / "ndnsec-public-info.db").c_str(), &m_database,
@@ -656,8 +657,7 @@
sqlite3_bind_text(statement, 1, identityName.toUri(), SQLITE_TRANSIENT);
while (sqlite3_step(statement) == SQLITE_ROW)
- {
- }
+ ;
sqlite3_finalize(statement);
@@ -730,8 +730,7 @@
sqlite3_bind_text(statement, 2, keyId, SQLITE_TRANSIENT);
while (sqlite3_step(statement) == SQLITE_ROW)
- {
- }
+ ;
sqlite3_finalize(statement);
@@ -868,7 +867,7 @@
-1, &stmt, 0);
Name identity = keyName.getPrefix(-1);
- sqlite3_bind_text(stmt, 1, identity.toUri().c_str(), identity.toUri().size (), SQLITE_TRANSIENT);
+ sqlite3_bind_text(stmt, 1, identity.toUri().c_str(), identity.toUri().size(), SQLITE_TRANSIENT);
std::string baseKeyName = keyName.get(-1).toUri();
sqlite3_bind_text(stmt, 2, baseKeyName.c_str(), baseKeyName.size(), SQLITE_TRANSIENT);
@@ -888,7 +887,7 @@
sqlite3_stmt* stmt;
sqlite3_prepare_v2(m_database, "DELETE FROM Certificate WHERE cert_name=?", -1, &stmt, 0);
- sqlite3_bind_text(stmt, 1, certName.toUri().c_str(), certName.toUri().size (), SQLITE_TRANSIENT);
+ sqlite3_bind_text(stmt, 1, certName.toUri().c_str(), certName.toUri().size(), SQLITE_TRANSIENT);
sqlite3_step(stmt);
sqlite3_finalize(stmt);
}
@@ -906,7 +905,7 @@
sqlite3_prepare_v2(m_database,
"DELETE FROM Certificate WHERE identity_name=? and key_identifier=?",
-1, &stmt, 0);
- sqlite3_bind_text(stmt, 1, identity.c_str(), identity.size (), SQLITE_TRANSIENT);
+ sqlite3_bind_text(stmt, 1, identity.c_str(), identity.size(), SQLITE_TRANSIENT);
sqlite3_bind_text(stmt, 2, keyId.c_str(), keyId.size(), SQLITE_TRANSIENT);
sqlite3_step(stmt);
sqlite3_finalize(stmt);
@@ -914,7 +913,7 @@
sqlite3_prepare_v2(m_database,
"DELETE FROM Key WHERE identity_name=? and key_identifier=?",
-1, &stmt, 0);
- sqlite3_bind_text(stmt, 1, identity.c_str(), identity.size (), SQLITE_TRANSIENT);
+ sqlite3_bind_text(stmt, 1, identity.c_str(), identity.size(), SQLITE_TRANSIENT);
sqlite3_bind_text(stmt, 2, keyId.c_str(), keyId.size(), SQLITE_TRANSIENT);
sqlite3_step(stmt);
sqlite3_finalize(stmt);
@@ -927,17 +926,17 @@
sqlite3_stmt* stmt;
sqlite3_prepare_v2(m_database, "DELETE FROM Certificate WHERE identity_name=?", -1, &stmt, 0);
- sqlite3_bind_text(stmt, 1, identity.c_str(), identity.size (), SQLITE_TRANSIENT);
+ sqlite3_bind_text(stmt, 1, identity.c_str(), identity.size(), SQLITE_TRANSIENT);
sqlite3_step(stmt);
sqlite3_finalize(stmt);
sqlite3_prepare_v2(m_database, "DELETE FROM Key WHERE identity_name=?", -1, &stmt, 0);
- sqlite3_bind_text(stmt, 1, identity.c_str(), identity.size (), SQLITE_TRANSIENT);
+ sqlite3_bind_text(stmt, 1, identity.c_str(), identity.size(), SQLITE_TRANSIENT);
sqlite3_step(stmt);
sqlite3_finalize(stmt);
sqlite3_prepare_v2(m_database, "DELETE FROM Identity WHERE identity_name=?", -1, &stmt, 0);
- sqlite3_bind_text(stmt, 1, identity.c_str(), identity.size (), SQLITE_TRANSIENT);
+ sqlite3_bind_text(stmt, 1, identity.c_str(), identity.size(), SQLITE_TRANSIENT);
sqlite3_step(stmt);
sqlite3_finalize(stmt);
}
diff --git a/src/security/sec-rule-relative.cpp b/src/security/sec-rule-relative.cpp
index 197fa43..6350fd5 100644
--- a/src/security/sec-rule-relative.cpp
+++ b/src/security/sec-rule-relative.cpp
@@ -28,14 +28,14 @@
#include "signature-sha256-with-rsa.hpp"
#include "security-common.hpp"
-using namespace std;
-
namespace ndn {
-SecRuleRelative::SecRuleRelative (const string& dataRegex, const string& signerRegex,
- const string& op,
- const string& dataExpand, const string& signerExpand,
- bool isPositive)
+using std::string;
+
+SecRuleRelative::SecRuleRelative(const string& dataRegex, const string& signerRegex,
+ const string& op,
+ const string& dataExpand, const string& signerExpand,
+ bool isPositive)
: SecRule(isPositive),
m_dataRegex(dataRegex),
m_signerRegex(signerRegex),
@@ -54,23 +54,31 @@
}
bool
-SecRuleRelative::satisfy (const Data& data)
+SecRuleRelative::satisfy(const Data& data)
{
Name dataName = data.getName();
try
{
- SignatureSha256WithRsa sig(data.getSignature());
- Name signerName = sig.getKeyLocator().getName ();
- return satisfy (dataName, signerName);
+ SignatureWithPublicKey sig(data.getSignature());
+ Name signerName = sig.getKeyLocator().getName();
+ return satisfy(dataName, signerName);
}
- catch (std::runtime_error& e)
+ catch (Tlv::Error& e)
+ {
+ return false;
+ }
+ catch (KeyLocator::Error& e)
+ {
+ return false;
+ }
+ catch (RegexMatcher::Error& e)
{
return false;
}
}
bool
-SecRuleRelative::satisfy (const Name& dataName, const Name& signerName)
+SecRuleRelative::satisfy(const Name& dataName, const Name& signerName)
{
if (!m_dataNameRegex.match(dataName))
return false;
@@ -86,21 +94,29 @@
}
bool
-SecRuleRelative::matchDataName (const Data& data)
+SecRuleRelative::matchDataName(const Data& data)
{
return m_dataNameRegex.match(data.getName());
}
bool
-SecRuleRelative::matchSignerName (const Data& data)
+SecRuleRelative::matchSignerName(const Data& data)
{
try
{
- SignatureSha256WithRsa sig(data.getSignature());
- Name signerName = sig.getKeyLocator().getName ();
+ SignatureWithPublicKey sig(data.getSignature());
+ Name signerName = sig.getKeyLocator().getName();
return m_signerNameRegex.match(signerName);
}
- catch (std::runtime_error& e)
+ catch (Tlv::Error& e)
+ {
+ return false;
+ }
+ catch (KeyLocator::Error& e)
+ {
+ return false;
+ }
+ catch (RegexMatcher::Error& e)
{
return false;
}
@@ -112,12 +128,12 @@
if ((dataName == signerName) && ("==" == m_op || ">=" == m_op))
return true;
- Name::const_iterator i = dataName.begin ();
- Name::const_iterator j = signerName.begin ();
+ Name::const_iterator i = dataName.begin();
+ Name::const_iterator j = signerName.begin();
- for (; i != dataName.end () && j != signerName.end (); i++, j++)
+ for (; i != dataName.end() && j != signerName.end(); i++, j++)
{
- if ((i->compare(*j)) == 0)
+ if (i->compare(*j) == 0)
continue;
else
return false;
diff --git a/src/security/sec-rule-specific.cpp b/src/security/sec-rule-specific.cpp
index 6f4886c..75f45b9 100644
--- a/src/security/sec-rule-specific.cpp
+++ b/src/security/sec-rule-specific.cpp
@@ -26,8 +26,6 @@
#include "sec-rule-specific.hpp"
#include "signature-sha256-with-rsa.hpp"
-using namespace std;
-
namespace ndn {
SecRuleSpecific::SecRuleSpecific(shared_ptr<Regex> dataRegex,
@@ -68,11 +66,19 @@
try
{
- SignatureSha256WithRsa sig(data.getSignature());
+ SignatureWithPublicKey sig(data.getSignature());
Name signerName = sig.getKeyLocator().getName();
return m_signerRegex->match(signerName);
}
- catch (std::runtime_error& e)
+ catch (Tlv::Error& e)
+ {
+ return false;
+ }
+ catch (KeyLocator::Error& e)
+ {
+ return false;
+ }
+ catch (RegexMatcher::Error& e)
{
return false;
}
@@ -88,7 +94,7 @@
SecRuleSpecific::satisfy(const Name& dataName, const Name& signerName)
{
bool isSignerMatched = m_isExempted || m_signerRegex->match(signerName);
- return (m_dataRegex->match(dataName) && isSignerMatched);
+ return m_dataRegex->match(dataName) && isSignerMatched;
}
} // namespace ndn
diff --git a/src/security/sec-tpm.cpp b/src/security/sec-tpm.cpp
index 2011a95..3191095 100644
--- a/src/security/sec-tpm.cpp
+++ b/src/security/sec-tpm.cpp
@@ -27,10 +27,10 @@
#include "../encoding/buffer-stream.hpp"
#include "cryptopp.hpp"
-using namespace std;
-
namespace ndn {
+using std::string;
+
ConstBufferPtr
SecTpm::exportPrivateKeyPkcs5FromTpm(const Name& keyName, const string& passwordStr)
{
diff --git a/src/security/signature-sha256-with-ecdsa.hpp b/src/security/signature-sha256-with-ecdsa.hpp
index 84cbe51..5bf0500 100644
--- a/src/security/signature-sha256-with-ecdsa.hpp
+++ b/src/security/signature-sha256-with-ecdsa.hpp
@@ -51,7 +51,7 @@
SignatureSha256WithEcdsa(const Signature& signature)
: SignatureWithPublicKey(signature)
{
- if (getType() != Signature::Sha256WithEcdsa)
+ if (getType() != Tlv::SignatureSha256WithEcdsa)
throw Error("Incorrect signature type");
}
};
diff --git a/src/security/signature-sha256-with-rsa.hpp b/src/security/signature-sha256-with-rsa.hpp
index bd3fd32..fc60248 100644
--- a/src/security/signature-sha256-with-rsa.hpp
+++ b/src/security/signature-sha256-with-rsa.hpp
@@ -51,7 +51,7 @@
SignatureSha256WithRsa(const Signature& signature)
: SignatureWithPublicKey(signature)
{
- if (getType() != Signature::Sha256WithRsa)
+ if (getType() != Tlv::SignatureSha256WithRsa)
throw Error("Incorrect signature type");
}
};
diff --git a/src/security/validator-config.cpp b/src/security/validator-config.cpp
index 4589d82..b9b1bed 100644
--- a/src/security/validator-config.cpp
+++ b/src/security/validator-config.cpp
@@ -490,13 +490,9 @@
Signature signature(interestName[signed_interest::POS_SIG_INFO].blockFromValue(),
interestName[signed_interest::POS_SIG_VALUE].blockFromValue());
- if (signature.getType() != Signature::Sha256WithRsa)
- return onValidationFailed(interest.shared_from_this(),
- "Require SignatureSha256WithRsa");
+ SignatureWithPublicKey publicKeySig(signature);
- SignatureSha256WithRsa sig(signature);
-
- const KeyLocator& keyLocator = sig.getKeyLocator();
+ const KeyLocator& keyLocator = publicKeySig.getKeyLocator();
if (keyLocator.getType() != KeyLocator::KeyLocator_Name)
return onValidationFailed(interest.shared_from_this(),
@@ -527,7 +523,7 @@
if (checkResult == 0)
{
checkSignature<Interest, OnInterestValidated, OnInterestValidationFailed>
- (interest, signature, nSteps,
+ (interest, publicKeySig, nSteps,
bind(&ValidatorConfig::checkTimestamp, this, _1,
keyName, onValidated, onValidationFailed),
onValidationFailed,
diff --git a/src/security/validator-config.hpp b/src/security/validator-config.hpp
index f5882d6..4a2ce58 100644
--- a/src/security/validator-config.hpp
+++ b/src/security/validator-config.hpp
@@ -293,7 +293,7 @@
const OnFailed& onValidationFailed,
std::vector<shared_ptr<ValidationRequest> >& nextSteps)
{
- if (signature.getType() == Signature::Sha256)
+ if (signature.getType() == Tlv::DigestSha256)
{
DigestSha256 sigSha256(signature);
@@ -304,55 +304,81 @@
"Sha256 Signature cannot be verified!");
}
- if (signature.getType() == Signature::Sha256WithRsa)
- {
- SignatureSha256WithRsa sigSha256Rsa(signature);
- Name keyLocatorName = sigSha256Rsa.getKeyLocator().getName();
+ shared_ptr<SignatureWithPublicKey> publicKeySig;
- shared_ptr<const Certificate> trustedCert;
-
- refreshAnchors();
-
- AnchorList::const_iterator it = m_anchors.find(keyLocatorName);
- if (m_anchors.end() == it)
- trustedCert = m_certificateCache->getCertificate(keyLocatorName);
- else
- trustedCert = it->second;
-
- if (static_cast<bool>(trustedCert))
- {
- if (verifySignature(packet, sigSha256Rsa, trustedCert->getPublicKeyInfo()))
- return onValidated(packet.shared_from_this());
- else
- return onValidationFailed(packet.shared_from_this(),
- "Cannot verify signature");
- }
- else
- {
- if (m_stepLimit == nSteps)
- return onValidationFailed(packet.shared_from_this(),
- "Maximum steps of validation reached");
-
- OnDataValidated onCertValidated =
- bind(&ValidatorConfig::onCertValidated<Packet, OnValidated, OnFailed>,
- this, _1, packet.shared_from_this(), onValidated, onValidationFailed);
-
- OnDataValidationFailed onCertValidationFailed =
- bind(&ValidatorConfig::onCertFailed<Packet, OnFailed>,
- this, _1, _2, packet.shared_from_this(), onValidationFailed);
-
- Interest certInterest(keyLocatorName);
-
- shared_ptr<ValidationRequest> nextStep =
- make_shared<ValidationRequest>(certInterest,
- onCertValidated,
- onCertValidationFailed,
- 1, nSteps + 1);
-
- nextSteps.push_back(nextStep);
- return;
- }
+ try {
+ switch (signature.getType()) {
+ case Tlv::SignatureSha256WithRsa:
+ {
+ publicKeySig = make_shared<SignatureSha256WithRsa>(signature);
+ break;
+ }
+ case Tlv::SignatureSha256WithEcdsa:
+ {
+ publicKeySig = make_shared<SignatureSha256WithEcdsa>(signature);
+ break;
+ }
+ default:
+ return onValidationFailed(packet.shared_from_this(),
+ "Unsupported signature type");
}
+ }
+ catch (Tlv::Error& e) {
+ return onValidationFailed(packet.shared_from_this(),
+ "Cannot decode public key signature");
+ }
+ catch (KeyLocator::Error& e) {
+ return onValidationFailed(packet.shared_from_this(),
+ "Cannot decode KeyLocator in public key signature");
+ }
+
+
+ Name keyLocatorName = publicKeySig->getKeyLocator().getName();
+
+ shared_ptr<const Certificate> trustedCert;
+
+ refreshAnchors();
+
+ AnchorList::const_iterator it = m_anchors.find(keyLocatorName);
+ if (m_anchors.end() == it)
+ trustedCert = m_certificateCache->getCertificate(keyLocatorName);
+ else
+ trustedCert = it->second;
+
+ if (static_cast<bool>(trustedCert))
+ {
+ if (verifySignature(packet, *publicKeySig, trustedCert->getPublicKeyInfo()))
+ return onValidated(packet.shared_from_this());
+ else
+ return onValidationFailed(packet.shared_from_this(),
+ "Cannot verify signature");
+ }
+ else
+ {
+ if (m_stepLimit == nSteps)
+ return onValidationFailed(packet.shared_from_this(),
+ "Maximum steps of validation reached");
+
+ OnDataValidated onCertValidated =
+ bind(&ValidatorConfig::onCertValidated<Packet, OnValidated, OnFailed>,
+ this, _1, packet.shared_from_this(), onValidated, onValidationFailed);
+
+ OnDataValidationFailed onCertValidationFailed =
+ bind(&ValidatorConfig::onCertFailed<Packet, OnFailed>,
+ this, _1, _2, packet.shared_from_this(), onValidationFailed);
+
+ Interest certInterest(keyLocatorName);
+
+ shared_ptr<ValidationRequest> nextStep =
+ make_shared<ValidationRequest>(certInterest,
+ onCertValidated,
+ onCertValidationFailed,
+ 1, nSteps + 1);
+
+ nextSteps.push_back(nextStep);
+ return;
+ }
+
return onValidationFailed(packet.shared_from_this(), "Unsupported Signature Type!");
}
diff --git a/src/security/validator-regex.cpp b/src/security/validator-regex.cpp
index 0ae4da4..e998d8c 100644
--- a/src/security/validator-regex.cpp
+++ b/src/security/validator-regex.cpp
@@ -27,8 +27,6 @@
#include "signature-sha256-with-rsa.hpp"
#include "certificate-cache-ttl.hpp"
-using namespace std;
-
namespace ndn {
const shared_ptr<CertificateCache> ValidatorRegex::DEFAULT_CERTIFICATE_CACHE;
@@ -75,7 +73,7 @@
void
ValidatorRegex::onCertificateValidationFailed(const shared_ptr<const Data>& signCertificate,
- const string& failureInfo,
+ const std::string& failureInfo,
const shared_ptr<const Data>& data,
const OnDataValidationFailed& onValidationFailed)
{
@@ -87,7 +85,7 @@
int nSteps,
const OnDataValidated& onValidated,
const OnDataValidationFailed& onValidationFailed,
- vector<shared_ptr<ValidationRequest> >& nextSteps)
+ std::vector<shared_ptr<ValidationRequest> >& nextSteps)
{
if (m_stepLimit == nSteps)
return onValidationFailed(data.shared_from_this(),
@@ -110,7 +108,7 @@
{
try
{
- SignatureSha256WithRsa sig(data.getSignature());
+ SignatureWithPublicKey sig(data.getSignature());
Name keyLocatorName = sig.getKeyLocator().getName();
shared_ptr<const Certificate> trustedCert;
@@ -153,12 +151,17 @@
return;
}
}
- catch (SignatureSha256WithRsa::Error& e)
+ catch (SignatureWithPublicKey::Error& e)
{
return onValidationFailed(data.shared_from_this(),
- "Not SignatureSha256WithRsa signature: " +
+ "Require sub-class of SignatureWithPublicKey: " +
data.getName().toUri());
}
+ catch (Tlv::Error& e)
+ {
+ return onValidationFailed(data.shared_from_this(),
+ "Cannot decode signature");
+ }
catch (KeyLocator::Error& e)
{
return onValidationFailed(data.shared_from_this(),
diff --git a/src/security/validator.cpp b/src/security/validator.cpp
index 1b9d92a..5edb852 100644
--- a/src/security/validator.cpp
+++ b/src/security/validator.cpp
@@ -121,38 +121,16 @@
bool
Validator::verifySignature(const Data& data, const PublicKey& key)
{
- try
- {
- switch (data.getSignature().getType())
- {
- case Tlv::SignatureSha256WithRsa:
- {
- SignatureSha256WithRsa sigSha256Rsa(data.getSignature());
- return verifySignature(data.wireEncode().value(),
- data.wireEncode().value_size() -
- data.getSignature().getValue().size(),
- sigSha256Rsa, key);
- }
- case Tlv::SignatureSha256WithEcdsa:
- {
- SignatureSha256WithEcdsa sigSha256Ecdsa(data.getSignature());
- return verifySignature(data.wireEncode().value(),
- data.wireEncode().value_size() -
- data.getSignature().getValue().size(),
- sigSha256Ecdsa, key);
- }
- default:
- {
- // Unsupported sig type
- return false;
- }
- }
- }
- catch (Signature::Error& e)
- {
- return false;
- }
- return false;
+ shared_ptr<SignatureWithPublicKey> publicKeySig =
+ determineSignatureWithPublicKey(data.getSignature());
+
+ if (!static_cast<bool>(publicKeySig))
+ return false;
+
+ return verifySignature(data.wireEncode().value(),
+ data.wireEncode().value_size() -
+ data.getSignature().getValue().size(),
+ *publicKeySig, key);
}
bool
@@ -170,40 +148,19 @@
Signature sig(interestName[-2].blockFromValue(),
interestName[-1].blockFromValue());
- switch (sig.getType())
- {
- case Tlv::SignatureSha256WithRsa:
- {
- SignatureSha256WithRsa sigSha256Rsa(sig);
+ shared_ptr<SignatureWithPublicKey> publicKeySig = determineSignatureWithPublicKey(sig);
- return verifySignature(nameBlock.value(),
- nameBlock.value_size() - interestName[-1].size(),
- sigSha256Rsa, key);
- }
- case Tlv::SignatureSha256WithEcdsa:
- {
- SignatureSha256WithEcdsa sigSha256Ecdsa(sig);
+ if (!static_cast<bool>(publicKeySig))
+ return false;
- return verifySignature(nameBlock.value(),
- nameBlock.value_size() - interestName[-1].size(),
- sigSha256Ecdsa, key);
- }
- default:
- {
- // Unsupported sig type
- return false;
- }
- }
- }
- catch (Signature::Error& e)
- {
- return false;
+ return verifySignature(nameBlock.value(),
+ nameBlock.value_size() - interestName[-1].size(),
+ *publicKeySig, key);
}
catch (Block::Error& e)
{
return false;
}
- return false;
}
bool
@@ -329,6 +286,28 @@
}
}
+shared_ptr<SignatureWithPublicKey>
+Validator::determineSignatureWithPublicKey(const Signature& signature)
+{
+ try {
+ switch (signature.getType())
+ {
+ case Tlv::SignatureSha256WithRsa:
+ return make_shared<SignatureSha256WithRsa>(signature);
+ case Tlv::SignatureSha256WithEcdsa:
+ return make_shared<SignatureSha256WithEcdsa>(signature);
+ default:
+ return shared_ptr<SignatureWithPublicKey>();
+ }
+ }
+ catch (Tlv::Error& e) {
+ return shared_ptr<SignatureWithPublicKey>();
+ }
+ catch (KeyLocator::Error& e) {
+ return shared_ptr<SignatureWithPublicKey>();
+ }
+}
+
void
Validator::onTimeout(const Interest& interest,
int remainingRetries,
diff --git a/src/security/validator.hpp b/src/security/validator.hpp
index b95c5ad..e9bf37e 100644
--- a/src/security/validator.hpp
+++ b/src/security/validator.hpp
@@ -248,6 +248,9 @@
const OnInterestValidationFailed& onValidationFailed,
int nSteps);
+ static shared_ptr<SignatureWithPublicKey>
+ determineSignatureWithPublicKey(const Signature& signature);
+
/// Hooks
/**
diff --git a/src/signature.hpp b/src/signature.hpp
index 3546c4c..f7853dd 100644
--- a/src/signature.hpp
+++ b/src/signature.hpp
@@ -42,6 +42,7 @@
}
};
+ /// @deprecated use Tlv::SignatureTypeValue instead.
enum {
Sha256 = Tlv::DigestSha256,
Sha256WithRsa = Tlv::SignatureSha256WithRsa,
@@ -53,6 +54,7 @@
{
}
+ explicit
Signature(const Block& info, const Block& value = Block())
: m_value(value)
{
diff --git a/src/util/command-interest-validator.hpp b/src/util/command-interest-validator.hpp
index 9d8660e..7d179a0 100644
--- a/src/util/command-interest-validator.hpp
+++ b/src/util/command-interest-validator.hpp
@@ -168,7 +168,7 @@
Signature signature(interestName[POS_SIG_INFO].blockFromValue(),
interestName[POS_SIG_VALUE].blockFromValue());
- if (signature.getType() != Signature::Sha256WithRsa)
+ if (signature.getType() != Tlv::SignatureSha256WithRsa)
return onValidationFailed(interest.shared_from_this(),
"Require SignatureSha256WithRsa");
diff --git a/tests/integrated/test-validator-config.cpp b/tests/integrated/test-validator-config.cpp
index eb3f4bf..34f8fee 100644
--- a/tests/integrated/test-validator-config.cpp
+++ b/tests/integrated/test-validator-config.cpp
@@ -1544,6 +1544,107 @@
boost::filesystem::remove(CERT_PATH4);
}
+BOOST_AUTO_TEST_CASE(FixedSignerChecker2)
+{
+ KeyChain keyChain("sqlite3", "file");
+
+ Name rsaIdentity("/TestValidatorConfig/FixedSignerChecker2/Rsa");
+ Name rsaCertName = keyChain.createIdentity(rsaIdentity);
+
+ EcdsaKeyParams params;
+ Name ecdsaIdentity("/TestValidatorConfig/FixedSignerChecker2/Ecdsa");
+ Name ecdsaCertName = keyChain.createIdentity(ecdsaIdentity, params);
+ shared_ptr<IdentityCertificate> ecdsaCert = keyChain.getCertificate(ecdsaCertName);
+ io::save(*ecdsaCert, "trust-anchor-11.cert");
+
+
+ Name dataName("/TestValidatorConfig/FixedSignerChecker2");
+ shared_ptr<Data> dataRsa = make_shared<Data>(dataName);
+ keyChain.signByIdentity(*dataRsa, rsaIdentity);
+ shared_ptr<Data> dataEcdsa = make_shared<Data>(dataName);
+ keyChain.signByIdentity(*dataEcdsa, ecdsaIdentity);
+
+ shared_ptr<Interest> interestRsa = make_shared<Interest>(dataName);
+ keyChain.signByIdentity(*interestRsa, rsaIdentity);
+ shared_ptr<Interest> interestEcdsa = make_shared<Interest>(dataName);
+ keyChain.signByIdentity(*interestEcdsa, ecdsaIdentity);
+
+ const std::string CONFIG =
+ "rule\n"
+ "{\n"
+ " id \"FixedSignerChecker Data Rule\"\n"
+ " for data\n"
+ " filter"
+ " {\n"
+ " type name\n"
+ " name /TestValidatorConfig/FixedSignerChecker2\n"
+ " relation equal\n"
+ " }\n"
+ " checker\n"
+ " {\n"
+ " type fixed-signer\n"
+ " sig-type ecdsa-sha256\n"
+ " signer\n"
+ " {\n"
+ " type file\n"
+ " file-name \"trust-anchor-11.cert\"\n"
+ " }\n"
+ " }\n"
+ "}\n"
+ "rule\n"
+ "{\n"
+ " id \"FixedSignerChecker Interest Rule\"\n"
+ " for interest\n"
+ " filter"
+ " {\n"
+ " type name\n"
+ " name /TestValidatorConfig/FixedSignerChecker2\n"
+ " relation equal\n"
+ " }\n"
+ " checker\n"
+ " {\n"
+ " type fixed-signer\n"
+ " sig-type ecdsa-sha256\n"
+ " signer\n"
+ " {\n"
+ " type file\n"
+ " file-name \"trust-anchor-11.cert\"\n"
+ " }\n"
+ " }\n"
+ "}\n";
+ const boost::filesystem::path CONFIG_PATH =
+ (boost::filesystem::current_path() / std::string("unit-test.conf"));
+
+
+ Face face;
+ ValidatorConfig validator(face);
+ validator.load(CONFIG, CONFIG_PATH.native());
+
+ validator.validate(*dataEcdsa,
+ bind(&onValidated, _1),
+ bind(&onValidationFailed, _1, _2));
+
+ validator.validate(*dataRsa,
+ bind(&onIntentionalFailureValidated, _1),
+ bind(&onIntentionalFailureInvalidated, _1, _2));
+
+ validator.validate(*interestEcdsa,
+ bind(&onValidated2, _1),
+ bind(&onValidationFailed2, _1, _2));
+
+ validator.validate(*interestRsa,
+ bind(&onIntentionalFailureValidated2, _1),
+ bind(&onIntentionalFailureInvalidated2, _1, _2));
+
+
+ keyChain.deleteIdentity(rsaIdentity);
+ keyChain.deleteIdentity(ecdsaIdentity);
+
+ const boost::filesystem::path CERT_PATH =
+ (boost::filesystem::current_path() / std::string("trust-anchor-11.cert"));
+ boost::filesystem::remove(CERT_PATH);
+}
+
BOOST_AUTO_TEST_SUITE_END()
diff --git a/tests/unit-tests/security/test-conf-checker.cpp b/tests/unit-tests/security/test-conf-checker.cpp
new file mode 100644
index 0000000..9135a50
--- /dev/null
+++ b/tests/unit-tests/security/test-conf-checker.cpp
@@ -0,0 +1,552 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2014 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "security/conf/checker.hpp"
+#include "security/key-chain.hpp"
+#include "boost-test.hpp"
+
+namespace ndn {
+
+BOOST_AUTO_TEST_SUITE(SecurityTestConfChecker)
+
+void
+interestChecked(const shared_ptr<const Interest>& interest)
+{
+ BOOST_CHECK(true);
+}
+
+void
+interestCheckFailed(const shared_ptr<const Interest>& interest,
+ const std::string& failureInfo)
+{
+ std::cerr << failureInfo << std::endl;
+ BOOST_CHECK(false);
+}
+
+void
+interestCheckedFalse(const shared_ptr<const Interest>& interest)
+{
+ BOOST_CHECK(false);
+}
+
+void
+interestCheckFailedFalse(const shared_ptr<const Interest>& interest,
+ const std::string& failureInfo)
+{
+ BOOST_CHECK(true);
+}
+
+void
+dataChecked(const shared_ptr<const Data>& interest)
+{
+ BOOST_CHECK(true);
+}
+
+void
+dataCheckFailed(const shared_ptr<const Data>& interest,
+ const std::string& failureInfo)
+{
+ std::cerr << failureInfo << std::endl;
+ BOOST_CHECK(false);
+}
+
+void
+dataCheckedFalse(const shared_ptr<const Data>& interest)
+{
+ BOOST_CHECK(false);
+}
+
+void
+dataCheckFailedFalse(const shared_ptr<const Data>& interest,
+ const std::string& failureInfo)
+{
+ BOOST_CHECK(true);
+}
+
+
+BOOST_AUTO_TEST_CASE(CustomizedCheckerTest1)
+{
+ using security::conf::CustomizedChecker;
+ using security::conf::KeyLocatorChecker;
+ using security::conf::RelationKeyLocatorNameChecker;
+
+ KeyChain keyChain("sqlite3", "file");
+
+ Name identity("/SecurityTestConfChecker/CustomizedCheckerTest1");
+ Name certName = keyChain.createIdentity(identity);
+
+ Name identity2("/SecurityTestConfChecker/CustomizedCheckerTest1Wrong");
+ Name certName2 = keyChain.createIdentity(identity2);
+
+ Name packetName("/SecurityTestConfChecker/CustomizedCheckerTest1/Data");
+ shared_ptr<Data> data1 = make_shared<Data>(packetName);
+ keyChain.signByIdentity(*data1, identity);
+
+ shared_ptr<Data> data2 = make_shared<Data>(packetName);
+ keyChain.signByIdentity(*data2, identity2);
+
+ shared_ptr<Interest> interest1 = make_shared<Interest>(packetName);
+ keyChain.signByIdentity(*interest1, identity);
+
+ shared_ptr<Interest> interest2 = make_shared<Interest>(packetName);
+ keyChain.signByIdentity(*interest2, identity2);
+
+ int8_t result = 0;
+
+
+ shared_ptr<RelationKeyLocatorNameChecker> keyLocatorCheckerEqual1 =
+ make_shared<RelationKeyLocatorNameChecker>(certName.getPrefix(-1),
+ KeyLocatorChecker::RELATION_EQUAL);
+ CustomizedChecker checker1(Tlv::SignatureSha256WithRsa, keyLocatorCheckerEqual1);
+
+ result = checker1.check(*data1,
+ bind(dataChecked, _1),
+ bind(dataCheckFailed, _1, _2));
+ BOOST_CHECK_EQUAL(result, 0);
+
+ result = checker1.check(*data2,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+ result = checker1.check(*interest1,
+ bind(interestChecked, _1),
+ bind(interestCheckFailed, _1, _2));
+ BOOST_CHECK_EQUAL(result, 0);
+
+ result = checker1.check(*interest2,
+ bind(interestCheckedFalse, _1),
+ bind(interestCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+
+ shared_ptr<RelationKeyLocatorNameChecker> keyLocatorCheckerEqual2 =
+ make_shared<RelationKeyLocatorNameChecker>(identity,
+ KeyLocatorChecker::RELATION_EQUAL);
+ CustomizedChecker checker2(Tlv::SignatureSha256WithRsa, keyLocatorCheckerEqual2);
+
+ result = checker2.check(*data1,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+ result = checker2.check(*interest1,
+ bind(interestCheckedFalse, _1),
+ bind(interestCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+
+ shared_ptr<RelationKeyLocatorNameChecker> keyLocatorCheckerPrefix1 =
+ make_shared<RelationKeyLocatorNameChecker>(certName.getPrefix(-1),
+ KeyLocatorChecker::RELATION_IS_PREFIX_OF);
+ CustomizedChecker checker3(Tlv::SignatureSha256WithRsa, keyLocatorCheckerPrefix1);
+
+ result = checker3.check(*data1,
+ bind(dataChecked, _1),
+ bind(dataCheckFailed, _1, _2));
+ BOOST_CHECK_EQUAL(result, 0);
+
+ result = checker3.check(*data2,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+
+ shared_ptr<RelationKeyLocatorNameChecker> keyLocatorCheckerPrefix2 =
+ make_shared<RelationKeyLocatorNameChecker>(identity,
+ KeyLocatorChecker::RELATION_IS_PREFIX_OF);
+ CustomizedChecker checker4(Tlv::SignatureSha256WithRsa, keyLocatorCheckerPrefix2);
+
+ result = checker4.check(*data1,
+ bind(dataChecked, _1),
+ bind(dataCheckFailed, _1, _2));
+ BOOST_CHECK_EQUAL(result, 0);
+
+ result = checker4.check(*data2,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+
+ shared_ptr<RelationKeyLocatorNameChecker> keyLocatorCheckerStrict1 =
+ make_shared<RelationKeyLocatorNameChecker>(certName.getPrefix(-1),
+ KeyLocatorChecker::RELATION_IS_STRICT_PREFIX_OF);
+ CustomizedChecker checker5(Tlv::SignatureSha256WithRsa, keyLocatorCheckerStrict1);
+
+ result = checker5.check(*data1,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+ result = checker5.check(*data2,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+ shared_ptr<RelationKeyLocatorNameChecker> keyLocatorCheckerStrict2 =
+ make_shared<RelationKeyLocatorNameChecker>(identity,
+ KeyLocatorChecker::RELATION_IS_STRICT_PREFIX_OF);
+ CustomizedChecker checker6(Tlv::SignatureSha256WithRsa, keyLocatorCheckerStrict2);
+
+ result = checker6.check(*data1,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, 0);
+
+ result = checker6.check(*data2,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+
+ keyChain.deleteIdentity(identity);
+ keyChain.deleteIdentity(identity2);
+}
+
+BOOST_AUTO_TEST_CASE(CustomizedCheckerTest2)
+{
+ using security::conf::CustomizedChecker;
+ using security::conf::KeyLocatorChecker;
+ using security::conf::RegexKeyLocatorNameChecker;
+
+ KeyChain keyChain("sqlite3", "file");
+
+ Name identity("/SecurityTestConfChecker/CustomizedCheckerTest2");
+ Name certName = keyChain.createIdentity(identity);
+
+ Name identity2("/SecurityTestConfChecker/CustomizedCheckerTest2Wrong");
+ Name certName2 = keyChain.createIdentity(identity2);
+
+ Name packetName("/SecurityTestConfChecker/CustomizedCheckerTest2/Data");
+ shared_ptr<Data> data1 = make_shared<Data>(packetName);
+ keyChain.signByIdentity(*data1, identity);
+
+ shared_ptr<Data> data2 = make_shared<Data>(packetName);
+ keyChain.signByIdentity(*data2, identity2);
+
+ shared_ptr<Interest> interest1 = make_shared<Interest>(packetName);
+ keyChain.signByIdentity(*interest1, identity);
+
+ shared_ptr<Interest> interest2 = make_shared<Interest>(packetName);
+ keyChain.signByIdentity(*interest2, identity2);
+
+ int8_t result = 0;
+
+
+ shared_ptr<RegexKeyLocatorNameChecker> keyLocatorCheckerRegex1 =
+ make_shared<RegexKeyLocatorNameChecker>(
+ Regex("^<SecurityTestConfChecker><CustomizedCheckerTest2>"));
+ CustomizedChecker checker1(Tlv::SignatureSha256WithRsa, keyLocatorCheckerRegex1);
+
+ result = checker1.check(*data1,
+ bind(dataChecked, _1),
+ bind(dataCheckFailed, _1, _2));
+ BOOST_CHECK_EQUAL(result, 0);
+
+ result = checker1.check(*data2,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+ result = checker1.check(*interest1,
+ bind(interestChecked, _1),
+ bind(interestCheckFailed, _1, _2));
+ BOOST_CHECK_EQUAL(result, 0);
+
+ result = checker1.check(*interest2,
+ bind(interestCheckedFalse, _1),
+ bind(interestCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+ keyChain.deleteIdentity(identity);
+ keyChain.deleteIdentity(identity2);
+}
+
+BOOST_AUTO_TEST_CASE(CustomizedCheckerTest3)
+{
+ using security::conf::CustomizedChecker;
+ using security::conf::KeyLocatorChecker;
+ using security::conf::RegexKeyLocatorNameChecker;
+
+ KeyChain keyChain("sqlite3", "file");
+
+ EcdsaKeyParams params;
+
+ Name identity("/SecurityTestConfChecker/CustomizedCheckerTest3");
+ Name certName = keyChain.createIdentity(identity, params);
+
+ Name identity2("/SecurityTestConfChecker/CustomizedCheckerTest3Wrong");
+ Name certName2 = keyChain.createIdentity(identity2, params);
+
+ Name packetName("/SecurityTestConfChecker/CustomizedCheckerTest3/Data");
+ shared_ptr<Data> data1 = make_shared<Data>(packetName);
+ keyChain.signByIdentity(*data1, identity);
+
+ shared_ptr<Data> data2 = make_shared<Data>(packetName);
+ keyChain.signByIdentity(*data2, identity2);
+
+ shared_ptr<Interest> interest1 = make_shared<Interest>(packetName);
+ keyChain.signByIdentity(*interest1, identity);
+
+ shared_ptr<Interest> interest2 = make_shared<Interest>(packetName);
+ keyChain.signByIdentity(*interest2, identity2);
+
+ int8_t result = 0;
+
+
+ shared_ptr<RegexKeyLocatorNameChecker> keyLocatorCheckerRegex1 =
+ make_shared<RegexKeyLocatorNameChecker>(
+ Regex("^<SecurityTestConfChecker><CustomizedCheckerTest3>"));
+ CustomizedChecker checker1(Tlv::SignatureSha256WithEcdsa, keyLocatorCheckerRegex1);
+
+ result = checker1.check(*data1,
+ bind(dataChecked, _1),
+ bind(dataCheckFailed, _1, _2));
+ BOOST_CHECK_EQUAL(result, 0);
+
+ result = checker1.check(*data2,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+ result = checker1.check(*interest1,
+ bind(interestChecked, _1),
+ bind(interestCheckFailed, _1, _2));
+ BOOST_CHECK_EQUAL(result, 0);
+
+ result = checker1.check(*interest2,
+ bind(interestCheckedFalse, _1),
+ bind(interestCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+
+ CustomizedChecker checker2(Tlv::SignatureSha256WithRsa, keyLocatorCheckerRegex1);
+
+ result = checker2.check(*data1,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+
+ keyChain.deleteIdentity(identity);
+ keyChain.deleteIdentity(identity2);
+}
+
+BOOST_AUTO_TEST_CASE(HierarchicalCheckerTest1)
+{
+ using security::conf::HierarchicalChecker;
+
+ KeyChain keyChain("sqlite3", "file");
+
+ EcdsaKeyParams params;
+
+ Name identity("/SecurityTestConfChecker/HierarchicalCheckerTest1");
+ Name certName = keyChain.createIdentity(identity, params);
+
+ Name identity2("/SecurityTestConfChecker/HierarchicalCheckerTest1/Data");
+ Name certName2 = keyChain.createIdentity(identity2);
+
+ Name packetName("/SecurityTestConfChecker/HierarchicalCheckerTest1/Data");
+ Name packetName2("/SecurityTestConfChecker");
+ Name packetName3("/SecurityTestConfChecker/HierarchicalCheckerTest1");
+
+ shared_ptr<Data> data1 = make_shared<Data>(packetName);
+ keyChain.signByIdentity(*data1, identity);
+
+ shared_ptr<Data> data2 = make_shared<Data>(packetName2);
+ keyChain.signByIdentity(*data2, identity);
+
+ shared_ptr<Data> data3 = make_shared<Data>(packetName3);
+ keyChain.signByIdentity(*data3, identity);
+
+ shared_ptr<Data> data4 = make_shared<Data>(packetName);
+ keyChain.signByIdentity(*data4, identity2);
+
+ shared_ptr<Data> data5 = make_shared<Data>(packetName2);
+ keyChain.signByIdentity(*data5, identity2);
+
+ shared_ptr<Data> data6 = make_shared<Data>(packetName3);
+ keyChain.signByIdentity(*data6, identity2);
+
+ int8_t result = 0;
+
+ HierarchicalChecker checker1(Tlv::SignatureSha256WithEcdsa);
+
+ result = checker1.check(*data1,
+ bind(dataChecked, _1),
+ bind(dataCheckFailed, _1, _2));
+ BOOST_CHECK_EQUAL(result, 0);
+
+ result = checker1.check(*data2,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+ result = checker1.check(*data3,
+ bind(dataChecked, _1),
+ bind(dataCheckFailed, _1, _2));
+ BOOST_CHECK_EQUAL(result, 0);
+
+ result = checker1.check(*data4,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+ result = checker1.check(*data5,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+ result = checker1.check(*data6,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+
+ HierarchicalChecker checker2(Tlv::SignatureSha256WithRsa);
+
+ result = checker2.check(*data1,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+ result = checker2.check(*data2,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+ result = checker2.check(*data3,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+ result = checker2.check(*data4,
+ bind(dataChecked, _1),
+ bind(dataCheckFailed, _1, _2));
+ BOOST_CHECK_EQUAL(result, 0);
+
+ result = checker2.check(*data5,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+ result = checker2.check(*data6,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+
+ keyChain.deleteIdentity(identity);
+ keyChain.deleteIdentity(identity2);
+}
+
+BOOST_AUTO_TEST_CASE(FixedSignerCheckerTest1)
+{
+ using security::conf::FixedSignerChecker;
+
+ KeyChain keyChain("sqlite3", "file");
+
+ EcdsaKeyParams params;
+
+ Name identity("/SecurityTestConfChecker/FixedSignerCheckerTest1");
+ Name certName = keyChain.createIdentity(identity, params);
+ shared_ptr<IdentityCertificate> cert1 = keyChain.getCertificate(certName);
+
+ Name identity2("/SecurityTestConfChecker/FixedSignerCheckerTest1Wrong");
+ Name certName2 = keyChain.createIdentity(identity2);
+ shared_ptr<IdentityCertificate> cert2 = keyChain.getCertificate(certName2);
+
+ Name packetName("/Test/Data");
+
+ shared_ptr<Data> data1 = make_shared<Data>(packetName);
+ keyChain.signByIdentity(*data1, identity);
+
+ shared_ptr<Data> data2 = make_shared<Data>(packetName);
+ keyChain.signByIdentity(*data2, identity2);
+
+ std::vector<shared_ptr<IdentityCertificate> > certSet1;
+ certSet1.push_back(cert1);
+
+ std::vector<shared_ptr<IdentityCertificate> > certSet2;
+ certSet2.push_back(cert2);
+
+
+ int8_t result = 0;
+
+ FixedSignerChecker checker1(Tlv::SignatureSha256WithEcdsa, certSet1);
+
+ result = checker1.check(*data1,
+ bind(dataChecked, _1),
+ bind(dataCheckFailed, _1, _2));
+ BOOST_CHECK_EQUAL(result, 1);
+
+ result = checker1.check(*data2,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+
+ FixedSignerChecker checker2(Tlv::SignatureSha256WithRsa, certSet1);
+
+ result = checker2.check(*data1,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+ result = checker2.check(*data2,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+
+ FixedSignerChecker checker3(Tlv::SignatureSha256WithEcdsa, certSet2);
+
+ result = checker3.check(*data1,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+ result = checker3.check(*data2,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+
+ FixedSignerChecker checker4(Tlv::SignatureSha256WithRsa, certSet2);
+
+ result = checker4.check(*data1,
+ bind(dataCheckedFalse, _1),
+ bind(dataCheckFailedFalse, _1, _2));
+ BOOST_CHECK_EQUAL(result, -1);
+
+ result = checker4.check(*data2,
+ bind(dataChecked, _1),
+ bind(dataCheckFailed, _1, _2));
+ BOOST_CHECK_EQUAL(result, 1);
+
+
+ keyChain.deleteIdentity(identity);
+ keyChain.deleteIdentity(identity2);
+}
+
+BOOST_AUTO_TEST_SUITE_END()
+
+} // namespace ndn
diff --git a/tests/unit-tests/security/test-keychain.cpp b/tests/unit-tests/security/test-keychain.cpp
index 1149dce..dad7e75 100644
--- a/tests/unit-tests/security/test-keychain.cpp
+++ b/tests/unit-tests/security/test-keychain.cpp
@@ -24,11 +24,11 @@
#include "boost-test.hpp"
-using namespace std;
-
namespace ndn {
namespace tests {
+using std::vector;
+
class KeychainConfigFileFixture
{
public:
@@ -116,29 +116,29 @@
keyChain.deleteIdentity(identity);
- BOOST_REQUIRE(keyChain.doesIdentityExist(identity) == false);
- BOOST_REQUIRE(keyChain.doesPublicKeyExist(keyName) == false);
- BOOST_REQUIRE(keyChain.doesKeyExistInTpm(keyName, KEY_CLASS_PRIVATE) == false);
- BOOST_REQUIRE(keyChain.doesKeyExistInTpm(keyName, KEY_CLASS_PUBLIC) == false);
- BOOST_REQUIRE(keyChain.doesCertificateExist(certName) == false);
+ BOOST_CHECK_EQUAL(keyChain.doesIdentityExist(identity), false);
+ BOOST_CHECK_EQUAL(keyChain.doesPublicKeyExist(keyName), false);
+ BOOST_CHECK_EQUAL(keyChain.doesKeyExistInTpm(keyName, KEY_CLASS_PRIVATE), false);
+ BOOST_CHECK_EQUAL(keyChain.doesKeyExistInTpm(keyName, KEY_CLASS_PUBLIC), false);
+ BOOST_CHECK_EQUAL(keyChain.doesCertificateExist(certName), false);
SecuredBag imported;
imported.wireDecode(block);
keyChain.importIdentity(imported, "1234");
- BOOST_REQUIRE(keyChain.doesIdentityExist(identity));
- BOOST_REQUIRE(keyChain.doesPublicKeyExist(keyName));
- BOOST_REQUIRE(keyChain.doesKeyExistInTpm(keyName, KEY_CLASS_PRIVATE));
- BOOST_REQUIRE(keyChain.doesKeyExistInTpm(keyName, KEY_CLASS_PUBLIC));
- BOOST_REQUIRE(keyChain.doesCertificateExist(certName));
+ BOOST_CHECK(keyChain.doesIdentityExist(identity));
+ BOOST_CHECK(keyChain.doesPublicKeyExist(keyName));
+ BOOST_CHECK(keyChain.doesKeyExistInTpm(keyName, KEY_CLASS_PRIVATE));
+ BOOST_CHECK(keyChain.doesKeyExistInTpm(keyName, KEY_CLASS_PUBLIC));
+ BOOST_CHECK(keyChain.doesCertificateExist(certName));
keyChain.deleteIdentity(identity);
- BOOST_REQUIRE(keyChain.doesIdentityExist(identity) == false);
- BOOST_REQUIRE(keyChain.doesPublicKeyExist(keyName) == false);
- BOOST_REQUIRE(keyChain.doesKeyExistInTpm(keyName, KEY_CLASS_PRIVATE) == false);
- BOOST_REQUIRE(keyChain.doesKeyExistInTpm(keyName, KEY_CLASS_PUBLIC) == false);
- BOOST_REQUIRE(keyChain.doesCertificateExist(certName) == false);
+ BOOST_CHECK_EQUAL(keyChain.doesIdentityExist(identity), false);
+ BOOST_CHECK_EQUAL(keyChain.doesPublicKeyExist(keyName), false);
+ BOOST_CHECK_EQUAL(keyChain.doesKeyExistInTpm(keyName, KEY_CLASS_PRIVATE), false);
+ BOOST_CHECK_EQUAL(keyChain.doesKeyExistInTpm(keyName, KEY_CLASS_PUBLIC), false);
+ BOOST_CHECK_EQUAL(keyChain.doesCertificateExist(certName), false);
}
BOOST_AUTO_TEST_CASE(PrepareIdentityCertificate)
@@ -154,14 +154,14 @@
Name lowerIdentity = identity;
lowerIdentity.append("Lower").appendVersion();
Name lowerKeyName = keyChain.generateRsaKeyPair(lowerIdentity, true);
- shared_ptr<IdentityCertificate> idCert
- = keyChain.prepareUnsignedIdentityCertificate(lowerKeyName, identity,
- time::system_clock::now(),
- time::system_clock::now() + time::days(365),
- subjectDescription);
+ shared_ptr<IdentityCertificate> idCert =
+ keyChain.prepareUnsignedIdentityCertificate(lowerKeyName, identity,
+ time::system_clock::now(),
+ time::system_clock::now() + time::days(365),
+ subjectDescription);
BOOST_CHECK(static_cast<bool>(idCert));
- BOOST_CHECK(idCert->getName().getPrefix(5) ==
- Name().append(identity).append("KEY").append("Lower"));
+ BOOST_CHECK_EQUAL(idCert->getName().getPrefix(5),
+ Name().append(identity).append("KEY").append("Lower"));
shared_ptr<IdentityCertificate> idCert11 =
keyChain.prepareUnsignedIdentityCertificate(lowerKeyName, identity,
@@ -170,46 +170,46 @@
subjectDescription,
lowerIdentity);
BOOST_CHECK(static_cast<bool>(idCert11));
- BOOST_CHECK(idCert11->getName().getPrefix(6) ==
+ BOOST_CHECK_EQUAL(idCert11->getName().getPrefix(6),
Name().append(lowerIdentity).append("KEY"));
Name anotherIdentity("/TestKeyChain/PrepareIdentityCertificate/Another/");
anotherIdentity.appendVersion();
Name anotherKeyName = keyChain.generateRsaKeyPair(anotherIdentity, true);
- shared_ptr<IdentityCertificate> idCert2
- = keyChain.prepareUnsignedIdentityCertificate(anotherKeyName, identity,
- time::system_clock::now(),
- time::system_clock::now() + time::days(365),
- subjectDescription);
+ shared_ptr<IdentityCertificate> idCert2 =
+ keyChain.prepareUnsignedIdentityCertificate(anotherKeyName, identity,
+ time::system_clock::now(),
+ time::system_clock::now() + time::days(365),
+ subjectDescription);
BOOST_CHECK(static_cast<bool>(idCert2));
- BOOST_CHECK(idCert2->getName().getPrefix(5) == Name().append(anotherIdentity).append("KEY"));
+ BOOST_CHECK_EQUAL(idCert2->getName().getPrefix(5), Name().append(anotherIdentity).append("KEY"));
Name wrongKeyName1;
- shared_ptr<IdentityCertificate> idCert3
- = keyChain.prepareUnsignedIdentityCertificate(wrongKeyName1, identity,
- time::system_clock::now(),
- time::system_clock::now() + time::days(365),
- subjectDescription);
- BOOST_CHECK(!static_cast<bool>(idCert3));
+ shared_ptr<IdentityCertificate> idCert3 =
+ keyChain.prepareUnsignedIdentityCertificate(wrongKeyName1, identity,
+ time::system_clock::now(),
+ time::system_clock::now() + time::days(365),
+ subjectDescription);
+ BOOST_CHECK_EQUAL(static_cast<bool>(idCert3), false);
Name wrongKeyName2("/TestKeyChain/PrepareIdentityCertificate");
- shared_ptr<IdentityCertificate> idCert4
- = keyChain.prepareUnsignedIdentityCertificate(wrongKeyName2, identity,
- time::system_clock::now(),
- time::system_clock::now() + time::days(365),
- subjectDescription);
- BOOST_CHECK(!static_cast<bool>(idCert4));
+ shared_ptr<IdentityCertificate> idCert4 =
+ keyChain.prepareUnsignedIdentityCertificate(wrongKeyName2, identity,
+ time::system_clock::now(),
+ time::system_clock::now() + time::days(365),
+ subjectDescription);
+ BOOST_CHECK_EQUAL(static_cast<bool>(idCert4), false);
Name wrongKeyName3("/TestKeyChain/PrepareIdentityCertificate/ksk-1234");
- shared_ptr<IdentityCertificate> idCert5
- = keyChain.prepareUnsignedIdentityCertificate(wrongKeyName3, identity,
- time::system_clock::now(),
- time::system_clock::now() + time::days(365),
- subjectDescription);
- BOOST_CHECK(!static_cast<bool>(idCert5));
+ shared_ptr<IdentityCertificate> idCert5 =
+ keyChain.prepareUnsignedIdentityCertificate(wrongKeyName3, identity,
+ time::system_clock::now(),
+ time::system_clock::now() + time::days(365),
+ subjectDescription);
+ BOOST_CHECK_EQUAL(static_cast<bool>(idCert5), false);
keyChain.deleteIdentity(identity);
keyChain.deleteIdentity(lowerIdentity);
diff --git a/tests/unit-tests/security/test-sec-rule.cpp b/tests/unit-tests/security/test-sec-rule.cpp
new file mode 100644
index 0000000..8686b2d
--- /dev/null
+++ b/tests/unit-tests/security/test-sec-rule.cpp
@@ -0,0 +1,101 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2014 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "security/sec-rule-specific.hpp"
+#include "security/sec-rule-relative.hpp"
+#include "security/key-chain.hpp"
+
+#include "boost-test.hpp"
+
+namespace ndn {
+
+BOOST_AUTO_TEST_SUITE(SecurityTestSecRule)
+
+BOOST_AUTO_TEST_CASE(SecRuleSpecificTest)
+{
+ KeyChain keyChain("sqlite3", "file");
+
+ Name rsaIdentity("/SecurityTestSecRule/Basic/Rsa");
+ keyChain.createIdentity(rsaIdentity);
+ Name ecdsaIdentity("/SecurityTestSecRule/Basic/Ecdsa");
+ keyChain.createIdentity(ecdsaIdentity);
+
+ Name dataName("SecurityTestSecRule/Basic");
+ Data rsaData(dataName);
+ keyChain.signByIdentity(rsaData, rsaIdentity);
+ Data ecdsaData(dataName);
+ keyChain.signByIdentity(ecdsaData, ecdsaIdentity);
+ Data sha256Data(dataName);
+ keyChain.signWithSha256(sha256Data);
+
+ shared_ptr<Regex> dataRegex =
+ make_shared<Regex>("^<SecurityTestSecRule><Basic>$");
+ shared_ptr<Regex> signerRegex =
+ make_shared<Regex>("^<SecurityTestSecRule><Basic><><KEY><><>$");
+
+ SecRuleSpecific rule(dataRegex, signerRegex);
+ BOOST_CHECK(rule.satisfy(rsaData));
+ BOOST_CHECK(rule.satisfy(ecdsaData));
+ BOOST_CHECK_EQUAL(rule.satisfy(sha256Data), false);
+
+ BOOST_CHECK(rule.matchSignerName(rsaData));
+ BOOST_CHECK(rule.matchSignerName(ecdsaData));
+ BOOST_CHECK_EQUAL(rule.matchSignerName(sha256Data), false);
+
+ keyChain.deleteIdentity(rsaIdentity);
+ keyChain.deleteIdentity(ecdsaIdentity);
+}
+
+BOOST_AUTO_TEST_CASE(SecRuleRelativeTest)
+{
+ KeyChain keyChain("sqlite3", "file");
+
+ Name rsaIdentity("/SecurityTestSecRule/Basic/Rsa");
+ keyChain.createIdentity(rsaIdentity);
+ Name ecdsaIdentity("/SecurityTestSecRule/Basic/Ecdsa");
+ keyChain.createIdentity(ecdsaIdentity);
+
+ Name dataName("SecurityTestSecRule/Basic");
+ Data rsaData(dataName);
+ keyChain.signByIdentity(rsaData, rsaIdentity);
+ Data ecdsaData(dataName);
+ keyChain.signByIdentity(ecdsaData, ecdsaIdentity);
+ Data sha256Data(dataName);
+ keyChain.signWithSha256(sha256Data);
+
+ SecRuleRelative rule("^(<SecurityTestSecRule><Basic>)$",
+ "^(<SecurityTestSecRule><Basic>)<><KEY><><>$",
+ "==", "\\1", "\\1", true);
+ BOOST_CHECK(rule.satisfy(rsaData));
+ BOOST_CHECK(rule.satisfy(ecdsaData));
+ BOOST_CHECK_EQUAL(rule.satisfy(sha256Data), false);
+
+ BOOST_CHECK(rule.matchSignerName(rsaData));
+ BOOST_CHECK(rule.matchSignerName(ecdsaData));
+ BOOST_CHECK_EQUAL(rule.matchSignerName(sha256Data), false);
+
+ keyChain.deleteIdentity(rsaIdentity);
+ keyChain.deleteIdentity(ecdsaIdentity);
+}
+
+BOOST_AUTO_TEST_SUITE_END()
+
+} // namespace ndn
diff --git a/tests/unit-tests/security/test-validator.cpp b/tests/unit-tests/security/test-validator.cpp
index bd91280..f917ae7 100644
--- a/tests/unit-tests/security/test-validator.cpp
+++ b/tests/unit-tests/security/test-validator.cpp
@@ -25,10 +25,10 @@
#include "boost-test.hpp"
-using namespace std;
-
namespace ndn {
+using std::string;
+
BOOST_AUTO_TEST_SUITE(SecurityTestValidator)
void
@@ -204,6 +204,52 @@
keyChain.deleteIdentity(identity2);
}
+BOOST_AUTO_TEST_CASE(EcdsaSignatureVerification2)
+{
+ KeyChain keyChain("sqlite3", "file");
+
+ EcdsaKeyParams params;
+
+ Name ecdsaIdentity("/SecurityTestValidator/EcdsaSignatureVerification2/ecdsa");
+ Name ecdsaCertName = keyChain.createIdentity(ecdsaIdentity, params);
+ shared_ptr<IdentityCertificate> ecdsaCert = keyChain.getCertificate(ecdsaCertName);
+
+ Name rsaIdentity("/SecurityTestValidator/EcdsaSignatureVerification2/rsa");
+ Name rsaCertName = keyChain.createIdentity(rsaIdentity);
+ shared_ptr<IdentityCertificate> rsaCert = keyChain.getCertificate(rsaCertName);
+
+ Name packetName("/Test/Packet/Name");
+
+ shared_ptr<Data> testDataRsa = make_shared<Data>(packetName);
+ keyChain.signByIdentity(*testDataRsa, rsaIdentity);
+ shared_ptr<Data> testDataEcdsa = make_shared<Data>(packetName);
+ keyChain.signByIdentity(*testDataEcdsa, ecdsaIdentity);
+ shared_ptr<Interest> testInterestRsa = make_shared<Interest>(packetName);
+ keyChain.signByIdentity(*testInterestRsa, rsaIdentity);
+ shared_ptr<Interest> testInterestEcdsa = make_shared<Interest>(packetName);
+ keyChain.signByIdentity(*testInterestEcdsa, ecdsaIdentity);
+
+ BOOST_CHECK(Validator::verifySignature(*ecdsaCert, ecdsaCert->getPublicKeyInfo()));
+ BOOST_CHECK_EQUAL(Validator::verifySignature(*ecdsaCert, rsaCert->getPublicKeyInfo()), false);
+ BOOST_CHECK_EQUAL(Validator::verifySignature(*rsaCert, ecdsaCert->getPublicKeyInfo()), false);
+ BOOST_CHECK(Validator::verifySignature(*rsaCert, rsaCert->getPublicKeyInfo()));
+
+ BOOST_CHECK(Validator::verifySignature(*testDataEcdsa, ecdsaCert->getPublicKeyInfo()));
+ BOOST_CHECK_EQUAL(Validator::verifySignature(*testDataEcdsa, rsaCert->getPublicKeyInfo()), false);
+ BOOST_CHECK_EQUAL(Validator::verifySignature(*testDataRsa, ecdsaCert->getPublicKeyInfo()), false);
+ BOOST_CHECK(Validator::verifySignature(*testDataRsa, rsaCert->getPublicKeyInfo()));
+
+ BOOST_CHECK(Validator::verifySignature(*testInterestEcdsa, ecdsaCert->getPublicKeyInfo()));
+ BOOST_CHECK_EQUAL(Validator::verifySignature(*testInterestEcdsa, rsaCert->getPublicKeyInfo()),
+ false);
+ BOOST_CHECK_EQUAL(Validator::verifySignature(*testInterestRsa, ecdsaCert->getPublicKeyInfo()),
+ false);
+ BOOST_CHECK(Validator::verifySignature(*testInterestRsa, rsaCert->getPublicKeyInfo()));
+
+ keyChain.deleteIdentity(ecdsaIdentity);
+ keyChain.deleteIdentity(rsaIdentity);
+}
+
BOOST_AUTO_TEST_SUITE_END()
} // namespace ndn