Add credential based challenge using existing cert to request new cert
Change-Id: Iee18c64f55b42e73a3c1c201726d546096dcfef8
Refs: #4052
diff --git a/src/challenge-module/challenge-credential.cpp b/src/challenge-module/challenge-credential.cpp
new file mode 100644
index 0000000..0e5a053
--- /dev/null
+++ b/src/challenge-module/challenge-credential.cpp
@@ -0,0 +1,152 @@
+/**
+ * Copyright (c) 2017, Regents of the University of California.
+ *
+ * This file is part of ndncert, a certificate management system based on NDN.
+ *
+ * ndncert is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * ndncert is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License along with
+ * ndncert, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndncert authors and contributors.
+ */
+
+#include "challenge-credential.hpp"
+#include "../logging.hpp"
+#include <ndn-cxx/security/verification-helpers.hpp>
+#include <ndn-cxx/util/io.hpp>
+
+namespace ndn {
+namespace ndncert {
+
+_LOG_INIT(ndncert.ChallengeCredential);
+
+NDNCERT_REGISTER_CHALLENGE(ChallengeCredential, "Credential");
+
+const std::string ChallengeCredential::FAILURE_INVALID_FORMAT = "failure-invalid-format";
+const std::string ChallengeCredential::FAILURE_INVALID_CREDENTIAL = "failure-invalid-credential";
+
+const std::string ChallengeCredential::JSON_CREDENTIAL = "signed-cert";
+
+ChallengeCredential::ChallengeCredential(const std::string& configPath)
+ : ChallengeModule("CREDENTIAL")
+ , m_configFile(configPath)
+{
+ parseConfigFile();
+}
+
+void
+ChallengeCredential::parseConfigFile()
+{
+ JsonSection config;
+ try {
+ boost::property_tree::read_json(m_configFile, config);
+ }
+ catch (const boost::property_tree::info_parser_error& error) {
+ BOOST_THROW_EXCEPTION(Error("Failed to parse configuration file " + m_configFile +
+ " " + error.message() + " line " + std::to_string(error.line())));
+ }
+
+ if (config.begin() == config.end()) {
+ BOOST_THROW_EXCEPTION(Error("Error processing configuration file: " + m_configFile + " no data"));
+ }
+
+ m_trustAnchors.clear();
+ auto anchorList = config.get_child("anchor-list");
+ auto it = anchorList.begin();
+ for (; it != anchorList.end(); it++) {
+ std::istringstream ss(it->second.get<std::string>("certificate"));
+ security::v2::Certificate cert = *(io::load<security::v2::Certificate>(ss));
+ m_trustAnchors.push_back(cert);
+ }
+}
+
+JsonSection
+ChallengeCredential::processSelectInterest(const Interest& interest, CertificateRequest& request)
+{
+ // interest format: /caName/CA/_SELECT/{"request-id":"id"}/CREDENTIAL/{"credential":"..."}/<signature>
+ request.setChallengeType(CHALLENGE_TYPE);
+ JsonSection credentialJson = getJsonFromNameComponent(interest.getName(),
+ request.getCaName().size() + 4);
+ std::istringstream ss(credentialJson.get<std::string>(JSON_CREDENTIAL));
+
+ security::v2::Certificate credential;
+ try {
+ credential = *(io::load<security::v2::Certificate>(ss));
+ }
+ catch (const std::exception& e) {
+ _LOG_TRACE("Cannot load credential parameter" << e.what());
+ request.setStatus(FAILURE_INVALID_FORMAT);
+ return genResponseChallengeJson(request.getRequestId(), CHALLENGE_TYPE, FAILURE_INVALID_FORMAT);
+ }
+
+ if (credential.getContent() != request.getCert().getContent()
+ || credential.getKeyName() != request.getCert().getKeyName()) {
+ request.setStatus(FAILURE_INVALID_CREDENTIAL);
+ return genResponseChallengeJson(request.getRequestId(), CHALLENGE_TYPE, FAILURE_INVALID_CREDENTIAL);
+ }
+ Name signingKeyName = credential.getSignature().getKeyLocator().getName();
+
+ for (auto anchor : m_trustAnchors) {
+ if (anchor.getKeyName() == signingKeyName) {
+ if (security::verifySignature(credential, anchor)) {
+ request.setStatus(SUCCESS);
+ return genResponseChallengeJson(request.getRequestId(), CHALLENGE_TYPE, SUCCESS);
+ }
+ }
+ }
+ request.setStatus(FAILURE_INVALID_CREDENTIAL);
+ return genResponseChallengeJson(request.getRequestId(), CHALLENGE_TYPE, FAILURE_INVALID_CREDENTIAL);
+}
+
+JsonSection
+ChallengeCredential::processValidateInterest(const Interest& interest, CertificateRequest& request)
+{
+ // there is no validate request here, do nothing
+ return genResponseChallengeJson(request.getRequestId(), CHALLENGE_TYPE, FAILURE_INVALID_FORMAT);
+}
+
+std::list<std::string>
+ChallengeCredential::getSelectRequirements()
+{
+ std::list<std::string> result;
+ result.push_back("Please input the bytes of a same key certificate signed by trust anchor");
+ return result;
+}
+
+std::list<std::string>
+ChallengeCredential::getValidateRequirements(const std::string& status)
+{
+ // there is no validate request here, do nothing
+ std::list<std::string> result;
+ return result;
+}
+
+JsonSection
+ChallengeCredential::doGenSelectParamsJson(const std::string& status,
+ const std::list<std::string>& paramList)
+{
+ JsonSection result;
+ BOOST_ASSERT(status == WAIT_SELECTION);
+ BOOST_ASSERT(paramList.size() == 1);
+ result.put(JSON_CREDENTIAL, paramList.front());
+ return result;
+}
+
+JsonSection
+ChallengeCredential::doGenValidateParamsJson(const std::string& status,
+ const std::list<std::string>& paramList)
+{
+ JsonSection result;
+ BOOST_ASSERT(paramList.size() == 0);
+ return result;
+}
+
+} // namespace ndncert
+} // namespace ndn
diff --git a/src/challenge-module/challenge-credential.hpp b/src/challenge-module/challenge-credential.hpp
new file mode 100644
index 0000000..07f4b88
--- /dev/null
+++ b/src/challenge-module/challenge-credential.hpp
@@ -0,0 +1,85 @@
+/**
+ * Copyright (c) 2017, Regents of the University of California.
+ *
+ * This file is part of ndncert, a certificate management system based on NDN.
+ *
+ * ndncert is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * ndncert is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License along with
+ * ndncert, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndncert authors and contributors.
+ */
+
+#ifndef NDNCERT_CHALLENGE_CREDENTIAL_HPP
+#define NDNCERT_CHALLENGE_CREDENTIAL_HPP
+
+#include "../challenge-module.hpp"
+
+namespace ndn {
+namespace ndncert {
+
+/**
+ * @brief Provide Credential based challenge
+ *
+ * Credential here means the certificate issued by a trust anchor. Once the requester
+ * could proof his/her possession of an existing certificate from other certificate, th
+ * requester could finish the challenge.
+ *
+ * The main process of this challenge module is:
+ * 1. Requester provides a certificate signed by that trusted certificate as credential.
+ * 2. The challenge module will verify the signature of the credential.
+ *
+ * There are several challenge status in EMAIL challenge:
+ * FAILURE_INVALID_SIG: When the credential cannot be validated.
+ */
+class ChallengeCredential : public ChallengeModule
+{
+public:
+ ChallengeCredential(const std::string& configPath = "challenge-credential.conf");
+
+PUBLIC_WITH_TESTS_ELSE_PROTECTED:
+ JsonSection
+ processSelectInterest(const Interest& interest, CertificateRequest& request) override;
+
+ JsonSection
+ processValidateInterest(const Interest& interest, CertificateRequest& request) override;
+
+ std::list<std::string>
+ getSelectRequirements() override;
+
+ std::list<std::string>
+ getValidateRequirements(const std::string& status) override;
+
+ JsonSection
+ doGenSelectParamsJson(const std::string& status,
+ const std::list<std::string>& paramList) override;
+
+ JsonSection
+ doGenValidateParamsJson(const std::string& status,
+ const std::list<std::string>& paramList) override;
+
+PUBLIC_WITH_TESTS_ELSE_PRIVATE:
+ void
+ parseConfigFile();
+
+PUBLIC_WITH_TESTS_ELSE_PRIVATE:
+ static const std::string FAILURE_INVALID_CREDENTIAL;
+ static const std::string FAILURE_INVALID_FORMAT;
+ static const std::string JSON_CREDENTIAL;
+
+PUBLIC_WITH_TESTS_ELSE_PRIVATE:
+ std::list<security::v2::Certificate> m_trustAnchors;
+ std::string m_configFile;
+};
+
+} // namespace ndncert
+} // namespace ndn
+
+#endif // NDNCERT_CHALLENGE_CREDENTIAL_HPP
diff --git a/src/challenge-module/challenge-email.cpp b/src/challenge-module/challenge-email.cpp
index 59f471d..036ccd2 100644
--- a/src/challenge-module/challenge-email.cpp
+++ b/src/challenge-module/challenge-email.cpp
@@ -139,6 +139,7 @@
const std::list<std::string>& paramList)
{
JsonSection result;
+ BOOST_ASSERT(status == WAIT_SELECTION);
BOOST_ASSERT(paramList.size() == 1);
result.put(JSON_EMAIL, paramList.front());
return result;
diff --git a/src/challenge-module/challenge-pin.cpp b/src/challenge-module/challenge-pin.cpp
index 8507bcf..94ea3e7 100644
--- a/src/challenge-module/challenge-pin.cpp
+++ b/src/challenge-module/challenge-pin.cpp
@@ -124,6 +124,7 @@
const std::list<std::string>& paramList)
{
JsonSection result;
+ BOOST_ASSERT(status == WAIT_SELECTION);
BOOST_ASSERT(paramList.size() == 0);
return result;
}
diff --git a/tests/unit-tests/challenge-credential.conf.test b/tests/unit-tests/challenge-credential.conf.test
new file mode 100644
index 0000000..1efa2f5
--- /dev/null
+++ b/tests/unit-tests/challenge-credential.conf.test
@@ -0,0 +1,8 @@
+{
+ "anchor-list":
+ [
+ {
+ "certificate": "Bv0CJAcsCANuZG4IBXNpdGUxCANLRVkICBG8IvRjFf8XCARzZWxmCAn9AAABWcgU2aUUCRgBAhkEADbugBX9AU8wggFLMIIBAwYHKoZIzj0CATCB9wIBATAsBgcqhkjOPQEBAiEA/////wAAAAEAAAAAAAAAAAAAAAD///////////////8wWwQg/////wAAAAEAAAAAAAAAAAAAAAD///////////////wEIFrGNdiqOpPns+u9VXaYhrxlHQawzFOw9jvOPD4n0mBLAxUAxJ02CIbnBJNqZnjhE50mt4GffpAEQQRrF9Hy4SxCR/i85uVjpEDydwN9gS3rM6D0oTlF2JjClk/jQuL+Gn+bjufrSnwPnhYrzjNXazFezsu2QGg3v1H1AiEA/////wAAAAD//////////7zm+q2nF56E87nKwvxjJVECAQEDQgAES9Cb9iANUNYmwt5bjwNW1mZgjzIkDJb6FTCdiYWnkMMIVxh2YDllphoWDEAPS6kqJczzCuhnGYpZCp9tTaYKGxZMGwEDHB0HGwgDbmRuCAVzaXRlMQgDS0VZCAgRvCL0YxX/F/0A/Sb9AP4PMTk3MDAxMDFUMDAwMDAw/QD/DzIwMzcwMTE3VDIxMjg0NhdIMEYCIQDXkR1hF3GiP7yLXq+0JBJfi9QC+hhAu/1Bykx+MWz6RAIhANwelBTxxZr2C5bD15mjfhWudK4I1tOb4b/9xWCHyM7F"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/unit-tests/challenge-credential.t.cpp b/tests/unit-tests/challenge-credential.t.cpp
new file mode 100644
index 0000000..8a0cfe5
--- /dev/null
+++ b/tests/unit-tests/challenge-credential.t.cpp
@@ -0,0 +1,99 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2017, Regents of the University of California.
+ *
+ * This file is part of ndncert, a certificate management system based on NDN.
+ *
+ * ndncert is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * ndncert is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License along with
+ * ndncert, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndncert authors and contributors.
+ */
+
+#include "identity-management-fixture.hpp"
+#include "challenge-module/challenge-credential.hpp"
+#include <ndn-cxx/security/signing-helpers.hpp>
+#include <ndn-cxx/util/io.hpp>
+
+namespace ndn {
+namespace ndncert {
+namespace tests {
+
+BOOST_FIXTURE_TEST_SUITE(TestChallengeCredential, IdentityManagementV2Fixture)
+
+BOOST_AUTO_TEST_CASE(LoadConfig)
+{
+ ChallengeCredential challenge("./tests/unit-tests/challenge-credential.conf.test");
+ BOOST_CHECK_EQUAL(challenge.CHALLENGE_TYPE, "CREDENTIAL");
+
+ BOOST_CHECK_EQUAL(challenge.m_trustAnchors.size(), 1);
+ auto cert = challenge.m_trustAnchors.front();
+ BOOST_CHECK_EQUAL(cert.getName(),
+ "/ndn/site1/KEY/%11%BC%22%F4c%15%FF%17/self/%FD%00%00%01Y%C8%14%D9%A5");
+}
+
+BOOST_AUTO_TEST_CASE(HandleSelect)
+{
+ // create trust anchor
+ ChallengeCredential challenge("./tests/unit-tests/challenge-credential.conf.test");
+ auto identity0 = addIdentity(Name("/trust"));
+ auto key0 = identity0.getDefaultKey();
+ auto trustAnchor = key0.getDefaultCertificate();
+ challenge.m_trustAnchors.front() = trustAnchor;
+
+ // create certificate request
+ auto identity = addIdentity(Name("/example"));
+ auto key = identity.getDefaultKey();
+ auto cert = key.getDefaultCertificate();
+ CertificateRequest request(Name("/example"), "123", cert);
+
+ // using trust anchor to sign cert request to get credential
+ Name credentialName = cert.getKeyName();
+ credentialName.append("Credential").appendVersion();
+ security::v2::Certificate credential = cert;
+ credential.setName(credentialName);
+ credential.setContent(cert.getContent());
+ m_keyChain.sign(credential, signingByCertificate(trustAnchor));
+
+ // generate SELECT interest
+ std::stringstream ss;
+ io::save<security::v2::Certificate>(credential, ss);
+ auto checkCert = *(io::load<security::v2::Certificate>(ss));
+ BOOST_CHECK_EQUAL(checkCert, credential);
+ ss.str("");
+ ss.clear();
+
+ io::save<security::v2::Certificate>(credential, ss);
+ std::list<std::string> paramList;
+ std::string jsonString = ss.str();
+ paramList.push_back(jsonString);
+ JsonSection credentialJson = challenge.genSelectParamsJson(ChallengeModule::WAIT_SELECTION, paramList);
+ BOOST_CHECK_EQUAL(credentialJson.get<std::string>(ChallengeCredential::JSON_CREDENTIAL), jsonString);
+ ss.str("");
+ ss.clear();
+
+ boost::property_tree::write_json(ss, credentialJson);
+ Block jsonContent = makeStringBlock(ndn::tlv::NameComponent, ss.str());
+
+ Name interestName("/example/CA");
+ interestName.append("_SELECT").append("Fake-Request-ID").append("CREDENTIAL").append(jsonContent);
+ Interest interest(interestName);
+
+ challenge.processSelectInterest(interest, request);
+ BOOST_CHECK_EQUAL(request.getStatus(), ChallengeModule::SUCCESS);
+ BOOST_CHECK_EQUAL(request.getChallengeSecrets().empty(), true);
+}
+
+BOOST_AUTO_TEST_SUITE_END()
+
+} // namespace tests
+} // namespace ndncert
+} // namespace ndn
diff --git a/tests/unit-tests/challenge-email.t.cpp b/tests/unit-tests/challenge-email.t.cpp
index 00106ea..c53e47e 100644
--- a/tests/unit-tests/challenge-email.t.cpp
+++ b/tests/unit-tests/challenge-email.t.cpp
@@ -65,7 +65,6 @@
emailJson.put(ChallengeEmail::JSON_EMAIL, "zhiyi@cs.ucla.edu");
std::stringstream ss;
boost::property_tree::write_json(ss, emailJson);
- std::string jsonString = ss.str();
Block jsonContent = makeStringBlock(ndn::tlv::NameComponent, ss.str());
Name interestName("/ndn/site1/CA");
@@ -90,7 +89,6 @@
emailJson.put(ChallengeEmail::JSON_EMAIL, "zhiyi@cs");
std::stringstream ss;
boost::property_tree::write_json(ss, emailJson);
- std::string jsonString = ss.str();
Block jsonContent = makeStringBlock(ndn::tlv::NameComponent, ss.str());
Name interestName("/ndn/site1/CA");
@@ -125,7 +123,6 @@
infoJson.put(ChallengeEmail::JSON_CODE, "4567");
std::stringstream ss;
boost::property_tree::write_json(ss, infoJson);
- std::string jsonString = ss.str();
Block jsonContent = makeStringBlock(ndn::tlv::NameComponent, ss.str());
Name interestName("/ndn/site1/CA");
@@ -160,7 +157,6 @@
infoJson.put(ChallengeEmail::JSON_CODE, "1234");
std::stringstream ss;
boost::property_tree::write_json(ss, infoJson);
- std::string jsonString = ss.str();
Block jsonContent = makeStringBlock(ndn::tlv::NameComponent, ss.str());
Name interestName("/ndn/site1/CA");