security: Integrate fetching certificates using Certificate Bundle
Change-Id: Iebac12a5cb9d1f4aa12aad09e8ef27f5b90a5d90
Refs: #3891
diff --git a/src/security/v2/certificate-bundle-fetcher.cpp b/src/security/v2/certificate-bundle-fetcher.cpp
new file mode 100644
index 0000000..e2fdab9
--- /dev/null
+++ b/src/security/v2/certificate-bundle-fetcher.cpp
@@ -0,0 +1,230 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "certificate-bundle-fetcher.hpp"
+#include "face.hpp"
+#include "util/logger.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+NDN_LOG_INIT(ndn.security.v2.CertificateBundleFetcher);
+
+#define NDN_LOG_DEBUG_DEPTH(x) NDN_LOG_DEBUG(std::string(state->getDepth() + 1, '>') << " " << x)
+#define NDN_LOG_TRACE_DEPTH(x) NDN_LOG_TRACE(std::string(state->getDepth() + 1, '>') << " " << x)
+
+CertificateBundleFetcher::CertificateBundleFetcher(unique_ptr<CertificateFetcher> inner,
+ Face& face)
+ : m_inner(std::move(inner))
+ , m_face(face)
+ , m_bundleInterestLifetime(1000)
+{
+ BOOST_ASSERT(m_inner != nullptr);
+}
+
+void
+CertificateBundleFetcher::setBundleInterestLifetime(time::milliseconds time)
+{
+ m_bundleInterestLifetime = time;
+}
+
+time::milliseconds
+CertificateBundleFetcher::getBundleInterestLifetime() const
+{
+ return m_bundleInterestLifetime;
+}
+
+void
+CertificateBundleFetcher::setCertificateStorage(CertificateStorage& certStorage)
+{
+ m_certStorage = &certStorage;
+ m_inner->setCertificateStorage(certStorage);
+}
+
+void
+CertificateBundleFetcher::doFetch(const shared_ptr<CertificateRequest>& certRequest,
+ const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation)
+{
+ auto dataValidationState = dynamic_pointer_cast<DataValidationState>(state);
+ if (dataValidationState == nullptr) {
+ return m_inner->fetch(certRequest, state, continueValidation);
+ }
+
+ // check if a bundle segment was fetched before
+ shared_ptr<BundleNameTag> bundleNameTag = state->getTag<BundleNameTag>();
+ if (bundleNameTag == nullptr) {
+ const Name& originalDataName = dataValidationState->getOriginalData().getName();
+ if (originalDataName.empty()) {
+ return m_inner->fetch(certRequest, state, continueValidation);
+ }
+ // derive certificate bundle name from original data name
+ Name bundleNamePrefix = deriveBundleName(originalDataName);
+ fetchFirstBundleSegment(bundleNamePrefix, certRequest, state, continueValidation);
+ }
+ else {
+ Name fullBundleName = bundleNameTag->get();
+ fetchNextBundleSegment(fullBundleName, fullBundleName.get(-1).getSuccessor(),
+ certRequest, state, continueValidation);
+ }
+}
+
+void
+CertificateBundleFetcher::fetchFirstBundleSegment(const Name& bundleNamePrefix,
+ const shared_ptr<CertificateRequest>& certRequest,
+ const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation)
+{
+ Interest bundleInterest = Interest(bundleNamePrefix);
+ bundleInterest.setInterestLifetime(m_bundleInterestLifetime);
+ bundleInterest.setMustBeFresh(true);
+ bundleInterest.setChildSelector(1);
+
+ m_face.expressInterest(bundleInterest,
+ [=] (const Interest& interest, const Data& data) {
+ dataCallback(data, true, certRequest, state, continueValidation);
+ },
+ [=] (const Interest& interest, const lp::Nack& nack) {
+ nackCallback(nack, certRequest, state, continueValidation, bundleNamePrefix);
+ },
+ [=] (const Interest& interest) {
+ timeoutCallback(certRequest, state, continueValidation, bundleNamePrefix);
+ });
+}
+
+void
+CertificateBundleFetcher::fetchNextBundleSegment(const Name& fullBundleName, const name::Component& segmentNo,
+ const shared_ptr<CertificateRequest>& certRequest,
+ const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation)
+{
+ shared_ptr<FinalBlockIdTag> finalBlockId = state->getTag<FinalBlockIdTag>();
+ if (finalBlockId != nullptr && segmentNo > finalBlockId->get()) {
+ return m_inner->fetch(certRequest, state, continueValidation);
+ }
+
+ Interest bundleInterest(fullBundleName.getPrefix(-1).append(segmentNo));
+ bundleInterest.setInterestLifetime(m_bundleInterestLifetime);
+ bundleInterest.setMustBeFresh(false);
+
+ m_face.expressInterest(bundleInterest,
+ [=] (const Interest& interest, const Data& data) {
+ dataCallback(data, false, certRequest, state, continueValidation);
+ },
+ [=] (const Interest& interest, const lp::Nack& nack) {
+ nackCallback(nack, certRequest, state, continueValidation, fullBundleName);
+ },
+ [=] (const Interest& interest) {
+ timeoutCallback(certRequest, state, continueValidation, fullBundleName);
+ });
+}
+
+void
+CertificateBundleFetcher::dataCallback(const Data& bundleData,
+ bool isSegmentZeroExpected,
+ const shared_ptr<CertificateRequest>& certRequest,
+ const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation)
+{
+ NDN_LOG_DEBUG_DEPTH("Fetched certificate bundle from network " << bundleData.getName());
+
+ name::Component currentSegment = bundleData.getName().get(-1);
+ if (!currentSegment.isSegment()) {
+ return m_inner->fetch(certRequest, state, continueValidation);
+ }
+
+ if (isSegmentZeroExpected && currentSegment.toSegment() != 0) {
+ // fetch segment zero
+ fetchNextBundleSegment(bundleData.getName(), name::Component::fromSegment(0),
+ certRequest, state, continueValidation);
+ }
+ else {
+ state->setTag(make_shared<BundleNameTag>(bundleData.getName()));
+
+ const name::Component& finalBlockId = bundleData.getMetaInfo().getFinalBlockId();
+ if (!finalBlockId.empty()) {
+ state->setTag(make_shared<FinalBlockIdTag>(finalBlockId));
+ }
+
+ Block bundleContent = bundleData.getContent();
+ bundleContent.parse();
+
+ // store all the certificates in unverified cache
+ for (const auto& block : bundleContent.elements()) {
+ m_certStorage->cacheUnverifiedCert(Certificate(block));
+ }
+
+ auto cert = m_certStorage->getUnverifiedCertCache().find(certRequest->m_interest);
+ continueValidation(*cert, state);
+ }
+}
+
+void
+CertificateBundleFetcher::nackCallback(const lp::Nack& nack,
+ const shared_ptr<CertificateRequest>& certRequest,
+ const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation,
+ const Name& bundleName)
+{
+ NDN_LOG_DEBUG_DEPTH("NACK (" << nack.getReason() << ") while fetching certificate bundle"
+ << bundleName);
+
+ m_inner->fetch(certRequest, state, continueValidation);
+}
+
+void
+CertificateBundleFetcher::timeoutCallback(const shared_ptr<CertificateRequest>& certRequest,
+ const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation,
+ const Name& bundleName)
+{
+ NDN_LOG_DEBUG_DEPTH("Timeout while fetching certificate bundle" << bundleName);
+
+ m_inner->fetch(certRequest, state, continueValidation);
+}
+
+Name
+CertificateBundleFetcher::deriveBundleName(const Name& name)
+{
+ name::Component lastComponent = name.at(-1);
+
+ Name bundleName = name;
+ if (lastComponent.isImplicitSha256Digest()) {
+ if (name.size() >= 2 && name.get(-2).isSegment()) {
+ bundleName = name.getPrefix(-2);
+ }
+ else {
+ bundleName = name.getPrefix(-1);
+ }
+ }
+ else if (lastComponent.isSegment()) {
+ bundleName = name.getPrefix(-1);
+ }
+ bundleName.append("_BUNDLE");
+ bundleName.appendNumber(00);
+
+ return bundleName;
+}
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
diff --git a/src/security/v2/certificate-bundle-fetcher.hpp b/src/security/v2/certificate-bundle-fetcher.hpp
new file mode 100644
index 0000000..bcd2f36
--- /dev/null
+++ b/src/security/v2/certificate-bundle-fetcher.hpp
@@ -0,0 +1,149 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#ifndef NDN_SECURITY_V2_CERTIFICATE_BUNDLE_FETCHER_HPP
+#define NDN_SECURITY_V2_CERTIFICATE_BUNDLE_FETCHER_HPP
+
+#include "certificate-fetcher-from-network.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+
+/**
+ * @brief Fetch certificate bundle from the network
+ *
+ * Currently bundle fetching is attempted only for Data validation. This may change in the
+ * future. Bundle fetching always goes to the infrastructure regardless of the inner
+ * fetcher. Inner fetcher is used when the bundle interest times out or returns a Nack or when
+ * additional certificates are needed for validation.
+ *
+ * @sa https://redmine.named-data.net/projects/ndn-cxx/wiki/Certificate_Bundle_Packet_Format
+ */
+class CertificateBundleFetcher : public CertificateFetcher
+{
+public:
+ explicit
+ CertificateBundleFetcher(unique_ptr<CertificateFetcher> inner,
+ Face& face);
+
+ /**
+ * @brief Set the lifetime of certificate bundle interest
+ */
+ void
+ setBundleInterestLifetime(time::milliseconds time);
+
+ /**
+ * @return The lifetime of certificate bundle interest
+ */
+ time::milliseconds
+ getBundleInterestLifetime() const;
+
+ /**
+ * Set the storage for this and inner certificate fetcher
+ */
+ void
+ setCertificateStorage(CertificateStorage& certStorage) override;
+
+protected:
+ void
+ doFetch(const shared_ptr<CertificateRequest>& certRequest, const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation) override;
+
+private:
+ /**
+ * @brief Fetch the first bundle segment.
+ *
+ * After deriving the bundle name prefix, the exact version of the bundle is not yet known.
+ * This method express Interest for the bundle prefix to (1) retrieve first segment of the bundle and
+ * (2) discover bundle version. The bundle version will be recorded in the validation state as BundleNameTag
+ * and will be used in subsequent @p fetchNextBundleSegment calls to fetch further bundle segments if needed.
+ */
+ void
+ fetchFirstBundleSegment(const Name& bundleNamePrefix,
+ const shared_ptr<CertificateRequest>& certRequest,
+ const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation);
+
+ /**
+ * @brief Fetch the specified bundle segment.
+ */
+ void
+ fetchNextBundleSegment(const Name& fullBundleName, const name::Component& segmentNo,
+ const shared_ptr<CertificateRequest>& certRequest,
+ const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation);
+
+ /**
+ * @brief Derive bundle name from data name.
+ *
+ * Current naming conventions are as follows:
+ * /<derived(data_name)>/BUNDLE/<trust-model>/<version>/<seg>
+ *
+ * Current rules for derived(data_name):
+ * (1) If the last component is Implicit Digest AND the second last component is Segment number
+ * then derived(data_name) = data_name.getPrefix(-2)
+ * (2) If the last component is Implicit Digest
+ * then derived(data_name) = data_name.getPrefix(-1)
+ * (3) If the last component is Segment number
+ * then derived(data_name) = data_name.getPrefix(-1)
+ *
+ * <trust-model> component is "00" for single hierarchy trust models.
+ */
+ static Name
+ deriveBundleName(const Name& name);
+
+ /**
+ * @brief Callback invoked when certificate bundle is retrieved.
+ */
+ void
+ dataCallback(const Data& data, bool isSegmentZeroExpected,
+ const shared_ptr<CertificateRequest>& certRequest, const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation);
+
+ /**
+ * @brief Callback invoked when interest for fetching certificate bundle gets NACKed.
+ */
+ void
+ nackCallback(const lp::Nack& nack,
+ const shared_ptr<CertificateRequest>& certRequest, const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation, const Name& bundleName);
+
+ /**
+ * @brief Callback invoked when interest for fetching certificate times out.
+ */
+ void
+ timeoutCallback(const shared_ptr<CertificateRequest>& certRequest, const shared_ptr<ValidationState>& state,
+ const ValidationContinuation& continueValidation, const Name& bundleName);
+
+private:
+ unique_ptr<CertificateFetcher> m_inner;
+ Face& m_face;
+ using BundleNameTag = SimpleTag<Name, 1000>;
+ using FinalBlockIdTag = SimpleTag<name::Component, 1001>;
+ time::milliseconds m_bundleInterestLifetime;
+};
+
+} // namespace v2
+} // namespace security
+} // namespace ndn
+
+#endif // NDN_SECURITY_V2_CERTIFICATE_BUNDLE_FETCHER_HPP
diff --git a/src/security/v2/certificate-fetcher.hpp b/src/security/v2/certificate-fetcher.hpp
index 7abc5f5..cbf221b 100644
--- a/src/security/v2/certificate-fetcher.hpp
+++ b/src/security/v2/certificate-fetcher.hpp
@@ -51,7 +51,7 @@
* @brief Assign certificate storage to check known certificate and to cache unverified ones
* @note The supplied @p certStorage should be valid for the lifetime of CertificateFetcher
*/
- void
+ virtual void
setCertificateStorage(CertificateStorage& certStorage);
/**
diff --git a/tests/unit-tests/security/v2/certificate-bundle-fetcher.t.cpp b/tests/unit-tests/security/v2/certificate-bundle-fetcher.t.cpp
new file mode 100644
index 0000000..b837339
--- /dev/null
+++ b/tests/unit-tests/security/v2/certificate-bundle-fetcher.t.cpp
@@ -0,0 +1,191 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2013-2017 Regents of the University of California.
+ *
+ * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
+ *
+ * ndn-cxx library is free software: you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free Software
+ * Foundation, either version 3 of the License, or (at your option) any later version.
+ *
+ * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License and GNU Lesser
+ * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
+ */
+
+#include "security/v2/certificate-bundle-fetcher.hpp"
+#include "security/v2/validation-policy-simple-hierarchy.hpp"
+#include "util/regex/regex-pattern-list-matcher.hpp"
+#include "lp/nack.hpp"
+
+#include "boost-test.hpp"
+#include "validator-fixture.hpp"
+
+namespace ndn {
+namespace security {
+namespace v2 {
+namespace tests {
+
+using namespace ndn::tests;
+
+BOOST_AUTO_TEST_SUITE(Security)
+BOOST_AUTO_TEST_SUITE(V2)
+BOOST_AUTO_TEST_SUITE(TestCertificateBundleFetcher)
+
+class CertificateBundleFetcherWrapper : public CertificateBundleFetcher
+{
+public:
+ CertificateBundleFetcherWrapper(Face& face)
+ : CertificateBundleFetcher(make_unique<CertificateFetcherFromNetwork>(face), face)
+ {
+ }
+};
+
+class Bundle
+{
+};
+
+class Cert
+{
+};
+
+class Timeout
+{
+};
+
+class Nack
+{
+};
+
+template<class Response>
+class CertificateBundleFetcherFixture : public HierarchicalValidatorFixture<ValidationPolicySimpleHierarchy,
+ CertificateBundleFetcherWrapper>
+{
+public:
+ CertificateBundleFetcherFixture()
+ : data("/Security/V2/ValidatorFixture/Sub1/Sub3/Data")
+ {
+ subSubIdentity = addSubCertificate("/Security/V2/ValidatorFixture/Sub1/Sub3", subIdentity);
+ cache.insert(subSubIdentity.getDefaultKey().getDefaultCertificate());
+
+ m_keyChain.sign(data, signingByIdentity(subSubIdentity));
+ bundleRegexMatcher = make_shared<RegexPatternListMatcher>("<>*<_BUNDLE><>*", nullptr);
+ processInterest = [this] (const Interest& interest) {
+ // check if the interest is for Bundle or individual certificates
+ if (bundleRegexMatcher->match(interest.getName(), 0, interest.getName().size())) {
+ makeResponse(interest);
+ }
+ else {
+ auto cert = cache.find(interest);
+ if (cert == nullptr) {
+ return;
+ }
+ face.receive(*cert);
+ }
+ };
+ }
+
+ void
+ makeResponse(const Interest& interest);
+
+public:
+ Data data;
+ Identity subSubIdentity;
+ shared_ptr<RegexPatternListMatcher> bundleRegexMatcher;
+};
+
+template<>
+void
+CertificateBundleFetcherFixture<Bundle>::makeResponse(const Interest& interest)
+{
+ Block certList = Block(tlv::Content);
+ Name bundleName(interest.getName());
+
+ if (!bundleName.get(-1).isSegment() || bundleName.get(-1).toSegment() == 0) {
+ Block subSubCert = subSubIdentity.getDefaultKey().getDefaultCertificate().wireEncode();
+ certList.push_back(subSubCert);
+
+ if (!bundleName.get(-1).isSegment()) {
+ bundleName
+ .appendVersion()
+ .appendSegment(0);
+ }
+ }
+ else {
+ Block subCert = subIdentity.getDefaultKey().getDefaultCertificate().wireEncode();
+ Block anchor = identity.getDefaultKey().getDefaultCertificate().wireEncode();
+ certList.push_back(subCert);
+ certList.push_back(anchor);
+ }
+
+ shared_ptr<Data> certBundle = make_shared<Data>();
+ certBundle->setName(bundleName);
+ certBundle->setFreshnessPeriod(time::seconds(100));
+ certBundle->setContent(certList);
+ certBundle->setFinalBlockId(name::Component::fromSegment(1));
+
+ m_keyChain.sign(*certBundle, signingWithSha256());
+
+ face.receive(*certBundle);
+}
+
+template<>
+void
+CertificateBundleFetcherFixture<Timeout>::makeResponse(const Interest& interest)
+{
+ this->advanceClocks(time::seconds(200));
+}
+
+template<>
+void
+CertificateBundleFetcherFixture<Nack>::makeResponse(const Interest& interest)
+{
+ lp::Nack nack(interest);
+ nack.setHeader(lp::NackHeader().setReason(lp::NackReason::NO_ROUTE));
+ face.receive(nack);
+}
+
+BOOST_FIXTURE_TEST_CASE(ValidateSuccessWithBundle, CertificateBundleFetcherFixture<Bundle>)
+{
+ VALIDATE_SUCCESS(this->data, "Should get accepted, as interest brings the bundle segments");
+ BOOST_CHECK_EQUAL(this->face.sentInterests.size(), 2); // produced bundle has 2 segments
+
+ for (const auto& sentInterest : this->face.sentInterests) {
+ BOOST_CHECK(this->bundleRegexMatcher->match(sentInterest.getName(), 0, sentInterest.getName().size()));
+ }
+}
+
+using SuccessWithoutBundle = boost::mpl::vector<Nack, Timeout>;
+
+BOOST_FIXTURE_TEST_CASE_TEMPLATE(ValidateSuccessWithoutBundle, T, SuccessWithoutBundle, CertificateBundleFetcherFixture<T>)
+{
+ VALIDATE_SUCCESS(this->data, "Should get accepted, as interest brings the certs");
+ BOOST_CHECK_EQUAL(this->face.sentInterests.size(), 4); // since interest for Bundle fails, each cert is retrieved
+
+ bool toggle = true;
+ for (const auto& sentInterest : this->face.sentInterests) {
+ if (toggle) {
+ // every alternate interest is going to be that of a bundle
+ BOOST_CHECK(this->bundleRegexMatcher->match(sentInterest.getName(), 0, sentInterest.getName().size()));
+ }
+ else {
+ BOOST_CHECK(!this->bundleRegexMatcher->match(sentInterest.getName(), 0, sentInterest.getName().size()));
+ }
+ toggle = !toggle;
+ }
+}
+
+BOOST_AUTO_TEST_SUITE_END() // TestCertificateBundleFetcher
+BOOST_AUTO_TEST_SUITE_END() // V2
+BOOST_AUTO_TEST_SUITE_END() // Security
+
+} // namespace tests
+} // namespace v2
+} // namespace security
+} // namespace ndn