security: Add v2::Validator implementation
Based on the code originally written by Qiuhan Ding
Change-Id: Ib66e24f49d0b6fb2ae21ea1fca7b9ec62ecb753a
Refs: #3289, #1872
diff --git a/tests/unit-tests/security/v2/validation-error.t.cpp b/tests/unit-tests/security/v2/validation-error.t.cpp
new file mode 100644
index 0000000..aac7ca1
--- /dev/null
+++ b/tests/unit-tests/security/v2/validation-error.t.cpp
@@ -0,0 +1,61 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "security/v2/validation-error.hpp"
+
+#include "boost-test.hpp"
+#include <boost/lexical_cast.hpp>
+
+namespace ndn {
+namespace security {
+namespace v2 {
+namespace tests {
+
+BOOST_AUTO_TEST_SUITE(Security)
+BOOST_AUTO_TEST_SUITE(V2)
+BOOST_AUTO_TEST_SUITE(TestValidationError)
+
+BOOST_AUTO_TEST_CASE(Basic)
+{
+ ValidationError e1{ValidationError::Code::INVALID_SIGNATURE};
+ BOOST_CHECK_EQUAL(e1.getCode(), 1);
+ BOOST_CHECK_EQUAL(e1.getInfo(), "");
+ BOOST_CHECK_EQUAL(boost::lexical_cast<std::string>(e1), "Invalid signature");
+
+ ValidationError e2{ValidationError::Code::NO_SIGNATURE, "message"};
+ BOOST_CHECK_EQUAL(e2.getCode(), 2);
+ BOOST_CHECK_EQUAL(e2.getInfo(), "message");
+ BOOST_CHECK_EQUAL(boost::lexical_cast<std::string>(e2), "Missing signature (message)");
+
+ ValidationError e3{65535, "other message"};
+ BOOST_CHECK_EQUAL(e3.getCode(), 65535);
+ BOOST_CHECK_EQUAL(e3.getInfo(), "other message");
+ BOOST_CHECK_EQUAL(boost::lexical_cast<std::string>(e3), "Custom error code 65535 (other message)");
+}
+
+BOOST_AUTO_TEST_SUITE_END() // TestValidationError
+BOOST_AUTO_TEST_SUITE_END() // V2
+BOOST_AUTO_TEST_SUITE_END() // Security
+
+} // namespace tests
+} // namespace v2
+} // namespace security
+} // namespace ndn
diff --git a/tests/unit-tests/security/v2/validation-policy-accept-all.t.cpp b/tests/unit-tests/security/v2/validation-policy-accept-all.t.cpp
new file mode 100644
index 0000000..5cefa9b
--- /dev/null
+++ b/tests/unit-tests/security/v2/validation-policy-accept-all.t.cpp
@@ -0,0 +1,79 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "security/v2/validation-policy-accept-all.hpp"
+
+#include "boost-test.hpp"
+#include "validator-fixture.hpp"
+
+#include <boost/mpl/vector.hpp>
+
+namespace ndn {
+namespace security {
+namespace v2 {
+namespace tests {
+
+using namespace ndn::tests;
+
+BOOST_AUTO_TEST_SUITE(Security)
+BOOST_AUTO_TEST_SUITE(V2)
+
+class ValidationPolicyAcceptAllFixture : public ValidatorFixture<ValidationPolicyAcceptAll>
+{
+public:
+ ValidationPolicyAcceptAllFixture()
+ {
+ identity = addIdentity("/Security/V2/TestValidationPolicyAcceptAll");
+ // don't add trust anchors
+ }
+
+public:
+ Identity identity;
+};
+
+BOOST_FIXTURE_TEST_SUITE(TestValidationPolicyAcceptAll, ValidationPolicyAcceptAllFixture)
+
+typedef boost::mpl::vector<Interest, Data> Packets;
+
+BOOST_AUTO_TEST_CASE_TEMPLATE(Validate, Packet, Packets)
+{
+ Packet unsignedPacket("/Security/V2/TestValidationPolicyAcceptAll/Sub/Packet");
+
+ Packet packet = unsignedPacket;
+ VALIDATE_SUCCESS(packet, "Should accept unsigned");
+
+ packet = unsignedPacket;
+ m_keyChain.sign(packet, signingWithSha256());
+ VALIDATE_SUCCESS(packet, "Should accept Sha256Digest signature");
+
+ packet = unsignedPacket;
+ m_keyChain.sign(packet, signingByIdentity(identity));
+ VALIDATE_SUCCESS(packet, "Should accept signature while no trust anchors configured");
+}
+
+BOOST_AUTO_TEST_SUITE_END() // TestValidationPolicyAcceptAll
+BOOST_AUTO_TEST_SUITE_END() // V2
+BOOST_AUTO_TEST_SUITE_END() // Security
+
+} // namespace tests
+} // namespace v2
+} // namespace security
+} // namespace ndn
diff --git a/tests/unit-tests/security/v2/validation-policy-simple-hierarchy.t.cpp b/tests/unit-tests/security/v2/validation-policy-simple-hierarchy.t.cpp
new file mode 100644
index 0000000..cd8c466
--- /dev/null
+++ b/tests/unit-tests/security/v2/validation-policy-simple-hierarchy.t.cpp
@@ -0,0 +1,80 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "security/v2/validation-policy-simple-hierarchy.hpp"
+
+#include "boost-test.hpp"
+#include "validator-fixture.hpp"
+
+#include <boost/mpl/vector.hpp>
+
+namespace ndn {
+namespace security {
+namespace v2 {
+namespace tests {
+
+using namespace ndn::tests;
+
+BOOST_AUTO_TEST_SUITE(Security)
+BOOST_AUTO_TEST_SUITE(V2)
+BOOST_FIXTURE_TEST_SUITE(TestValidationPolicySimpleHierarchy,
+ HierarchicalValidatorFixture<ValidationPolicySimpleHierarchy>)
+
+typedef boost::mpl::vector<Interest, Data> Packets;
+
+BOOST_AUTO_TEST_CASE_TEMPLATE(Validate, Packet, Packets)
+{
+ Packet unsignedPacket("/Security/V2/ValidatorFixture/Sub1/Sub2/Packet");
+
+ Packet packet = unsignedPacket;
+ VALIDATE_FAILURE(packet, "Unsigned");
+
+ packet = unsignedPacket;
+ m_keyChain.sign(packet, signingWithSha256());
+ VALIDATE_FAILURE(packet, "Policy doesn't accept Sha256Digest signature");
+
+ packet = unsignedPacket;
+ m_keyChain.sign(packet, signingByIdentity(identity));
+ VALIDATE_SUCCESS(packet, "Should get accepted, as signed by the anchor");
+
+ packet = unsignedPacket;
+ m_keyChain.sign(packet, signingByIdentity(subIdentity));
+ VALIDATE_SUCCESS(packet, "Should get accepted, as signed by the policy-compliant cert");
+
+ packet = unsignedPacket;
+ m_keyChain.sign(packet, signingByIdentity(otherIdentity));
+ VALIDATE_FAILURE(packet, "Should fail, as signed by the policy-violating cert");
+
+ packet = unsignedPacket;
+ m_keyChain.sign(packet, signingByIdentity(subSelfSignedIdentity));
+ VALIDATE_FAILURE(packet, "Should fail, because subSelfSignedIdentity is not a trust anchor");
+
+ // TODO add checks with malformed packets
+}
+
+BOOST_AUTO_TEST_SUITE_END() // TestValidator
+BOOST_AUTO_TEST_SUITE_END() // V2
+BOOST_AUTO_TEST_SUITE_END() // Security
+
+} // namespace tests
+} // namespace v2
+} // namespace security
+} // namespace ndn
diff --git a/tests/unit-tests/security/v2/validator-fixture.hpp b/tests/unit-tests/security/v2/validator-fixture.hpp
new file mode 100644
index 0000000..8fac880
--- /dev/null
+++ b/tests/unit-tests/security/v2/validator-fixture.hpp
@@ -0,0 +1,133 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_TESTS_SECURITY_V2_VALIDATOR_FIXTURE_HPP
+#define NDN_TESTS_SECURITY_V2_VALIDATOR_FIXTURE_HPP
+
+#include "security/v2/validator.hpp"
+#include "util/dummy-client-face.hpp"
+
+#include "../../identity-management-time-fixture.hpp"
+
+#include <boost/lexical_cast.hpp>
+
+namespace ndn {
+namespace security {
+namespace v2 {
+namespace tests {
+
+template<class ValidationPolicy>
+class ValidatorFixture : public ndn::tests::IdentityManagementTimeFixture
+{
+public:
+ ValidatorFixture()
+ : face(io, {true, true})
+ , validator(make_unique<ValidationPolicy>(), &face)
+ , cache(time::days(100))
+ {
+ processInterest = [this] (const Interest& interest) {
+ auto cert = cache.find(interest);
+ if (cert != nullptr) {
+ face.receive(*cert);
+ }
+ };
+ }
+
+ virtual
+ ~ValidatorFixture() = default;
+
+ template<class Packet>
+ void
+ validate(const Packet& packet, const std::string& msg, bool expectSuccess, int line)
+ {
+ std::string detailedInfo = msg + " on line " + to_string(line);
+ size_t nCallbacks = 0;
+ this->validator.validate(packet,
+ [&] (const Packet&) {
+ ++nCallbacks;
+ BOOST_CHECK_MESSAGE(expectSuccess,
+ (expectSuccess ? "OK: " : "FAILED: ") + detailedInfo);
+ },
+ [&] (const Packet&, const ValidationError& error) {
+ ++nCallbacks;
+ BOOST_CHECK_MESSAGE(!expectSuccess,
+ (!expectSuccess ? "OK: " : "FAILED: ") + detailedInfo +
+ (expectSuccess ? " (" + boost::lexical_cast<std::string>(error) + ")" : ""));
+ });
+
+ mockNetworkOperations();
+ BOOST_CHECK_EQUAL(nCallbacks, 1);
+ }
+
+ void
+ mockNetworkOperations()
+ {
+ util::signal::ScopedConnection connection = face.onSendInterest.connect([this] (const Interest& interest) {
+ if (processInterest != nullptr) {
+ io.post(bind(processInterest, interest));
+ }
+ });
+ advanceClocks(time::milliseconds(250), 200);
+ }
+
+public:
+ util::DummyClientFace face;
+ std::function<void(const Interest& interest)> processInterest;
+ Validator validator;
+
+ CertificateCache cache;
+};
+
+template<class ValidationPolicy>
+class HierarchicalValidatorFixture : public ValidatorFixture<ValidationPolicy>
+{
+public:
+ HierarchicalValidatorFixture()
+ {
+ identity = this->addIdentity("/Security/V2/ValidatorFixture");
+ subIdentity = this->addSubCertificate("/Security/V2/ValidatorFixture/Sub1", identity);
+ subSelfSignedIdentity = this->addIdentity("/Security/V2/ValidatorFixture/Sub1/Sub2");
+ otherIdentity = this->addIdentity("/Security/V2/OtherIdentity");
+
+ this->validator.loadAnchor("", Certificate(identity.getDefaultKey().getDefaultCertificate()));
+
+ this->cache.insert(identity.getDefaultKey().getDefaultCertificate());
+ this->cache.insert(subIdentity.getDefaultKey().getDefaultCertificate());
+ this->cache.insert(subSelfSignedIdentity.getDefaultKey().getDefaultCertificate());
+ this->cache.insert(otherIdentity.getDefaultKey().getDefaultCertificate());
+ }
+
+public:
+ Identity identity;
+ Identity subIdentity;
+ Identity subSelfSignedIdentity;
+ Identity otherIdentity;
+};
+
+#define VALIDATE_SUCCESS(packet, message) this->template validate(packet, message, true, __LINE__)
+#define VALIDATE_FAILURE(packet, message) this->template validate(packet, message, false, __LINE__)
+
+} // namespace tests
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_TESTS_SECURITY_V2_VALIDATOR_FIXTURE_HPP
diff --git a/tests/unit-tests/security/v2/validator.t.cpp b/tests/unit-tests/security/v2/validator.t.cpp
new file mode 100644
index 0000000..51ff7fa
--- /dev/null
+++ b/tests/unit-tests/security/v2/validator.t.cpp
@@ -0,0 +1,277 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "security/v2/validator.hpp"
+#include "security/v2/validation-policy-simple-hierarchy.hpp"
+
+#include "boost-test.hpp"
+#include "validator-fixture.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+namespace tests {
+
+using namespace ndn::tests;
+
+BOOST_AUTO_TEST_SUITE(Security)
+BOOST_AUTO_TEST_SUITE(V2)
+BOOST_FIXTURE_TEST_SUITE(TestValidator, HierarchicalValidatorFixture<ValidationPolicySimpleHierarchy>)
+
+BOOST_AUTO_TEST_CASE(Timeouts)
+{
+ processInterest = nullptr; // no response for all interests
+
+ Data data("/Security/V2/ValidatorFixture/Sub1/Sub2/Data");
+ m_keyChain.sign(data, signingByIdentity(subIdentity));
+
+ VALIDATE_FAILURE(data, "Should fail to retrieve certificate");
+ BOOST_CHECK_GT(face.sentInterests.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(NackedInterests)
+{
+ processInterest = [this] (const Interest& interest) {
+ lp::Nack nack(interest);
+ nack.setReason(lp::NackReason::NO_ROUTE);
+ face.receive(nack);
+ };
+
+ Data data("/Security/V2/ValidatorFixture/Sub1/Sub2/Data");
+ m_keyChain.sign(data, signingByIdentity(subIdentity));
+
+ VALIDATE_FAILURE(data, "All interests should get NACKed");
+ BOOST_CHECK_GT(face.sentInterests.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(MalformedCert)
+{
+ Data malformedCert = subIdentity.getDefaultKey().getDefaultCertificate();
+ malformedCert.setContentType(tlv::ContentType_Blob);
+ m_keyChain.sign(malformedCert, signingByIdentity(identity));
+ // wrong content type & missing ValidityPeriod
+ BOOST_REQUIRE_THROW(Certificate(malformedCert.wireEncode()), tlv::Error);
+
+ auto originalProcessInterest = processInterest;
+ processInterest = [this, &originalProcessInterest, &malformedCert] (const Interest& interest) {
+ if (interest.getName().isPrefixOf(malformedCert.getName())) {
+ face.receive(malformedCert);
+ }
+ else {
+ originalProcessInterest(interest);
+ }
+ };
+
+ Data data("/Security/V2/ValidatorFixture/Sub1/Sub2/Data");
+ m_keyChain.sign(data, signingByIdentity(subIdentity));
+
+ VALIDATE_FAILURE(data, "Signed by a malformed certificate");
+ BOOST_CHECK_EQUAL(face.sentInterests.size(), 1);
+}
+
+
+BOOST_AUTO_TEST_CASE(ExpiredCert)
+{
+ Data expiredCert = subIdentity.getDefaultKey().getDefaultCertificate();
+ SignatureInfo info;
+ info.setValidityPeriod(ValidityPeriod(time::system_clock::now() - time::hours(2),
+ time::system_clock::now() - time::hours(1)));
+ m_keyChain.sign(expiredCert, signingByIdentity(identity).setSignatureInfo(info));
+ BOOST_REQUIRE_NO_THROW(Certificate(expiredCert.wireEncode()));
+
+ auto originalProcessInterest = processInterest;
+ processInterest = [this, &originalProcessInterest, &expiredCert] (const Interest& interest) {
+ if (interest.getName().isPrefixOf(expiredCert.getName())) {
+ face.receive(expiredCert);
+ }
+ else {
+ processInterest(interest);
+ }
+ };
+
+ Data data("/Security/V2/ValidatorFixture/Sub1/Sub2/Data");
+ m_keyChain.sign(data, signingByIdentity(subIdentity));
+
+ VALIDATE_FAILURE(data, "Signed by an expired certificate");
+ BOOST_CHECK_EQUAL(face.sentInterests.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(TrustedCertCaching)
+{
+ Data data("/Security/V2/ValidatorFixture/Sub1/Sub2/Data");
+ m_keyChain.sign(data, signingByIdentity(subIdentity));
+
+ VALIDATE_SUCCESS(data, "Should get accepted, as signed by the policy-compliant cert");
+ BOOST_CHECK_EQUAL(face.sentInterests.size(), 1);
+ face.sentInterests.clear();
+
+ processInterest = nullptr; // disable data responses from mocked network
+
+ VALIDATE_SUCCESS(data, "Should get accepted, based on the cached trusted cert");
+ BOOST_CHECK_EQUAL(face.sentInterests.size(), 0);
+ face.sentInterests.clear();
+
+ advanceClocks(time::hours(1), 2); // expire trusted cache
+
+ VALIDATE_FAILURE(data, "Should try and fail to retrieve certs");
+ BOOST_CHECK_GT(face.sentInterests.size(), 1);
+ face.sentInterests.clear();
+}
+
+BOOST_AUTO_TEST_CASE(UntrustedCertCaching)
+{
+ Data data("/Security/V2/ValidatorFixture/Sub1/Sub2/Data");
+ m_keyChain.sign(data, signingByIdentity(subSelfSignedIdentity));
+
+ VALIDATE_FAILURE(data, "Should fail, as signed by the policy-violating cert");
+ BOOST_CHECK_EQUAL(face.sentInterests.size(), 1);
+ face.sentInterests.clear();
+
+ processInterest = nullptr; // disable data responses from mocked network
+
+ VALIDATE_FAILURE(data, "Should fail again, but no network operations expected");
+ BOOST_CHECK_EQUAL(face.sentInterests.size(), 0);
+ face.sentInterests.clear();
+
+ advanceClocks(time::minutes(10), 2); // expire untrusted cache
+
+ VALIDATE_FAILURE(data, "Should try and fail to retrieve certs");
+ BOOST_CHECK_GT(face.sentInterests.size(), 1);
+ face.sentInterests.clear();
+}
+
+class ValidationPolicySimpleHierarchyForInterestOnly : public ValidationPolicySimpleHierarchy
+{
+public:
+ void
+ checkPolicy(const Data& data, const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation) override
+ {
+ continueValidation(nullptr, state);
+ }
+};
+
+BOOST_FIXTURE_TEST_CASE(ValidateInterestsButBypassForData,
+ HierarchicalValidatorFixture<ValidationPolicySimpleHierarchyForInterestOnly>)
+{
+ Interest interest("/Security/V2/ValidatorFixture/Sub1/Sub2/Interest");
+ Data data("/Security/V2/ValidatorFixture/Sub1/Sub2/Interest");
+
+ VALIDATE_FAILURE(interest, "Unsigned");
+ VALIDATE_SUCCESS(data, "Policy requests validation bypassing for all data");
+ BOOST_CHECK_EQUAL(face.sentInterests.size(), 0);
+ face.sentInterests.clear();
+
+ interest = Interest("/Security/V2/ValidatorFixture/Sub1/Sub2/Interest");
+ m_keyChain.sign(interest, signingWithSha256());
+ m_keyChain.sign(data, signingWithSha256());
+ VALIDATE_FAILURE(interest, "Required KeyLocator/Name missing (not passed to policy)");
+ VALIDATE_SUCCESS(data, "Policy requests validation bypassing for all data");
+ BOOST_CHECK_EQUAL(face.sentInterests.size(), 0);
+ face.sentInterests.clear();
+
+ m_keyChain.sign(interest, signingByIdentity(identity));
+ m_keyChain.sign(data, signingByIdentity(identity));
+ VALIDATE_SUCCESS(interest, "Should get accepted, as signed by the anchor");
+ VALIDATE_SUCCESS(data, "Policy requests validation bypassing for all data");
+ BOOST_CHECK_EQUAL(face.sentInterests.size(), 0);
+ face.sentInterests.clear();
+
+ m_keyChain.sign(interest, signingByIdentity(subIdentity));
+ m_keyChain.sign(data, signingByIdentity(subIdentity));
+ VALIDATE_FAILURE(interest, "Should fail, as policy is not allowed to create new trust anchors");
+ VALIDATE_SUCCESS(data, "Policy requests validation bypassing for all data");
+ BOOST_CHECK_EQUAL(face.sentInterests.size(), 1);
+ face.sentInterests.clear();
+
+ m_keyChain.sign(interest, signingByIdentity(otherIdentity));
+ m_keyChain.sign(data, signingByIdentity(otherIdentity));
+ VALIDATE_FAILURE(interest, "Should fail, as signed by the policy-violating cert");
+ VALIDATE_SUCCESS(data, "Policy requests validation bypassing for all data");
+ // no network operations expected, as certificate is not validated by the policy
+ BOOST_CHECK_EQUAL(face.sentInterests.size(), 0);
+ face.sentInterests.clear();
+
+ advanceClocks(time::hours(1), 2); // expire trusted cache
+
+ m_keyChain.sign(interest, signingByIdentity(subSelfSignedIdentity));
+ m_keyChain.sign(data, signingByIdentity(subSelfSignedIdentity));
+ VALIDATE_FAILURE(interest, "Should fail, as policy is not allowed to create new trust anchors");
+ VALIDATE_SUCCESS(data, "Policy requests validation bypassing for all data");
+ BOOST_CHECK_EQUAL(face.sentInterests.size(), 1);
+ face.sentInterests.clear();
+}
+
+BOOST_AUTO_TEST_CASE(LoopingCert)
+{
+ processInterest = [this] (const Interest& interest) {
+ // create another key for the same identity and sign it properly
+ Key parentKey = m_keyChain.createKey(subIdentity);
+ Key requestedKey = subIdentity.getKey(interest.getName());
+
+ Name certificateName = requestedKey.getName();
+ certificateName
+ .append("looper")
+ .appendVersion();
+ v2::Certificate certificate;
+ certificate.setName(certificateName);
+
+ // set metainfo
+ certificate.setContentType(tlv::ContentType_Key);
+ certificate.setFreshnessPeriod(time::hours(1));
+
+ // set content
+ certificate.setContent(requestedKey.getPublicKey().buf(), requestedKey.getPublicKey().size());
+
+ // set signature-info
+ SignatureInfo info;
+ info.setValidityPeriod(security::ValidityPeriod(time::system_clock::now() - time::days(10),
+ time::system_clock::now() + time::days(10)));
+
+ m_keyChain.sign(certificate, signingByKey(parentKey).setSignatureInfo(info));
+ face.receive(certificate);
+ };
+
+ Data data("/Security/V2/ValidatorFixture/Sub1/Sub2/Data");
+ m_keyChain.sign(data, signingByIdentity(subIdentity));
+
+ validator.setMaxDepth(40);
+ BOOST_CHECK_EQUAL(validator.getMaxDepth(), 40);
+ VALIDATE_FAILURE(data, "Should fail, as certificate should be looped");
+ BOOST_CHECK_EQUAL(face.sentInterests.size(), 40);
+ face.sentInterests.clear();
+
+ advanceClocks(time::hours(1), 5); // expire caches
+
+ validator.setMaxDepth(30);
+ BOOST_CHECK_EQUAL(validator.getMaxDepth(), 30);
+ VALIDATE_FAILURE(data, "Should fail, as certificate should be looped");
+ BOOST_CHECK_EQUAL(face.sentInterests.size(), 30);
+}
+
+BOOST_AUTO_TEST_SUITE_END() // TestValidator
+BOOST_AUTO_TEST_SUITE_END() // V2
+BOOST_AUTO_TEST_SUITE_END() // Security
+
+} // namespace tests
+} // namespace v2
+} // namespace security
+} // namespace ndn