Add challenge module base class and PIN code challenge
Change-Id: I75c59bf1de921fad36563acdd37c1b4e80a29a3e
diff --git a/src/challenge-module/challenge-pin.cpp b/src/challenge-module/challenge-pin.cpp
new file mode 100644
index 0000000..8c19c97
--- /dev/null
+++ b/src/challenge-module/challenge-pin.cpp
@@ -0,0 +1,169 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2017, Regents of the University of California.
+ *
+ * This file is part of ndncert, a certificate management system based on NDN.
+ *
+ * ndncert is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * ndncert is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License along with
+ * ndncert, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndncert authors and contributors.
+ */
+
+#include "challenge-pin.hpp"
+#include "json-helper.hpp"
+#include <ndn-cxx/util/random.hpp>
+
+namespace ndn {
+namespace ndncert {
+
+NDNCERT_REGISTER_CHALLENGE(ChallengePin, "PIN");
+
+const std::string ChallengePin::NEED_CODE = "need-code";
+const std::string ChallengePin::WRONG_CODE = "wrong-code";
+const std::string ChallengePin::FAILURE_TIMEOUT = "failure-timeout";
+const std::string ChallengePin::FAILURE_MAXRETRY = "failure-max-retry";
+
+const std::string ChallengePin::JSON_CODE_TP = "code-timepoint";
+const std::string ChallengePin::JSON_PIN_CODE = "code";
+const std::string ChallengePin::JSON_ATTEMPT_TIMES = "attempt-times";
+
+ChallengePin::ChallengePin(const size_t& maxAttemptTimes, const time::seconds& secretLifetime)
+ : ChallengeModule("PIN")
+ , m_secretLifetime(secretLifetime)
+ , m_maxAttemptTimes(maxAttemptTimes)
+{
+}
+
+JsonSection
+ChallengePin::processSelectInterest(const Interest& interest, CertificateRequest& request)
+{
+ // interest format: /CA/_SELECT/{"request-id":"id"}/PIN/<signature>
+ request.setStatus(NEED_CODE);
+ request.setChallengeType(CHALLENGE_TYPE);
+ request.setChallengeSecrets(generateStoredSecrets(time::system_clock::now(),
+ generateSecureSecretCode(),
+ m_maxAttemptTimes));
+ return genResponseChallengeJson(request.getRequestId(), CHALLENGE_TYPE, NEED_CODE);
+}
+
+JsonSection
+ChallengePin::processValidateInterest(const Interest& interest, CertificateRequest& request)
+{
+ // interest format: /CA/_VALIDATION/{"request-id":"id"}/PIN/{"code":"code"}/<signature>
+ JsonSection infoJson = getJsonFromNameComponent(interest.getName(), request.getCaName().size() + 3);
+ std::string givenCode = infoJson.get<std::string>(JSON_PIN_CODE);
+
+ const auto parsedSecret = parseStoredSecrets(request.getChallengeSecrets());
+ if (time::system_clock::now() - std::get<0>(parsedSecret) >= m_secretLifetime) {
+ // secret expires
+ request.setStatus(FAILURE_TIMEOUT);
+ request.setChallengeSecrets(JsonSection());
+ return genResponseChallengeJson(request.getRequestId(), CHALLENGE_TYPE, FAILURE_TIMEOUT);
+ }
+ else if (givenCode == std::get<1>(parsedSecret)) {
+ request.setStatus(SUCCESS);
+ request.setChallengeSecrets(JsonSection());
+ Name downloadName = genDownloadName(request.getCaName(), request.getRequestId());
+ return genResponseChallengeJson(request.getRequestId(), CHALLENGE_TYPE, SUCCESS, downloadName);
+ }
+ else {
+ // check rest attempt times
+ if (std::get<2>(parsedSecret) > 1) {
+ int restAttemptTimes = std::get<2>(parsedSecret) - 1;
+ request.setChallengeSecrets(generateStoredSecrets(std::get<0>(parsedSecret),
+ std::get<1>(parsedSecret),
+ restAttemptTimes));
+ return genResponseChallengeJson(request.getRequestId(), CHALLENGE_TYPE, WRONG_CODE);
+ }
+ else {
+ // run out times
+ request.setStatus(FAILURE_MAXRETRY);
+ request.setChallengeSecrets(JsonSection());
+ return genResponseChallengeJson(request.getRequestId(), CHALLENGE_TYPE, FAILURE_MAXRETRY);
+ }
+ }
+}
+
+std::list<std::string>
+ChallengePin::getSelectRequirements()
+{
+ std::list<std::string> result;
+ return result;
+}
+
+std::list<std::string>
+ChallengePin::getValidateRequirements(const std::string& status)
+{
+ std::list<std::string> result;
+ if (status == NEED_CODE) {
+ result.push_back("Please input your verification code:");
+ }
+ else if (status == WRONG_CODE) {
+ result.push_back("Incorrect PIN code, please input your verification code:");
+ }
+ return result;
+}
+
+JsonSection
+ChallengePin::genChallengeInfo(const std::string& interestType, const std::string& status,
+ const std::list<std::string>& paramList)
+{
+ JsonSection result;
+ if (interestType == "_SELECT") {
+ BOOST_ASSERT(paramList.size() == 0);
+ }
+ else if (interestType == "_VALIDATE") {
+ BOOST_ASSERT(paramList.size() == 1);
+ result.put(JSON_PIN_CODE, paramList.front());
+ }
+ return result;
+}
+
+std::tuple<time::system_clock::TimePoint, std::string, int>
+ChallengePin::parseStoredSecrets(const JsonSection& storedSecrets)
+{
+ auto tp = time::fromIsoString(storedSecrets.get<std::string>(JSON_CODE_TP));
+ std::string rightCode= storedSecrets.get<std::string>(JSON_PIN_CODE);
+ int attemptTimes = std::stoi(storedSecrets.get<std::string>(JSON_ATTEMPT_TIMES));
+
+ return std::make_tuple(tp, rightCode, attemptTimes);
+}
+
+JsonSection
+ChallengePin::generateStoredSecrets(const time::system_clock::TimePoint& tp,
+ const std::string& secretCode, int attempTimes)
+{
+ JsonSection json;
+ json.put(JSON_CODE_TP, time::toIsoString(tp));
+ json.put(JSON_PIN_CODE, secretCode);
+ json.put(JSON_ATTEMPT_TIMES, std::to_string(attempTimes));
+ return json;
+}
+
+std::string
+ChallengePin::generateSecureSecretCode()
+{
+ uint32_t securityCode = 0;
+ do {
+ securityCode = random::generateSecureWord32();
+ }
+ while (securityCode >= 4294000000);
+ securityCode /= 4294;
+ std::string result = std::to_string(securityCode);
+ while (result.length() < 6) {
+ result = "0" + result;
+ }
+ return result;
+}
+
+} // namespace ndncert
+} // namespace ndn
diff --git a/src/challenge-module/challenge-pin.hpp b/src/challenge-module/challenge-pin.hpp
new file mode 100644
index 0000000..b3e9e2e
--- /dev/null
+++ b/src/challenge-module/challenge-pin.hpp
@@ -0,0 +1,98 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2017, Regents of the University of California.
+ *
+ * This file is part of ndncert, a certificate management system based on NDN.
+ *
+ * ndncert is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * ndncert is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received copies of the GNU General Public License along with
+ * ndncert, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * See AUTHORS.md for complete list of ndncert authors and contributors.
+ */
+
+#ifndef NDNCERT_CHALLENGE_PIN_HPP
+#define NDNCERT_CHALLENGE_PIN_HPP
+
+#include "../challenge-module.hpp"
+#include <ndn-cxx/util/time.hpp>
+
+namespace ndn {
+namespace ndncert {
+
+/**
+ * @brief Provide PIN code based challenge
+ *
+ * @sa https://github.com/named-data/ndncert/wiki/NDN-Certificate-Management-Protocol
+ *
+ * The main process of this challenge module is:
+ * 1. End entity provides empty string. The first POLL is only for selection.
+ * 2. The challenge module will generate a PIN code in ChallengeDefinedField.
+ * 3. End entity provides the verification code from some way to challenge module.
+ *
+ * There are four specific status defined in this challenge:
+ * NEED_CODE: When selection is made.
+ * WRONG_CODE: Get wrong verification code but still with secret lifetime and max retry times.
+ * FAILURE_TIMEOUT: When secret is out-dated.
+ * FAILURE_MAXRETRY: When requester tries too many times.
+ */
+class ChallengePin : public ChallengeModule
+{
+public:
+ ChallengePin(const size_t& maxAttemptTimes = 3,
+ const time::seconds& secretLifetime = time::seconds(3600));
+
+PUBLIC_WITH_TESTS_ELSE_PROTECTED:
+ JsonSection
+ processSelectInterest(const Interest& interest, CertificateRequest& request) override;
+
+ JsonSection
+ processValidateInterest(const Interest& interest, CertificateRequest& request) override;
+
+ std::list<std::string>
+ getSelectRequirements() override;
+
+ std::list<std::string>
+ getValidateRequirements(const std::string& status) override;
+
+ JsonSection
+ genChallengeInfo(const std::string& interestType, const std::string& status,
+ const std::list<std::string>& paramList) override;
+
+PUBLIC_WITH_TESTS_ELSE_PRIVATE:
+ static std::tuple<time::system_clock::TimePoint, std::string, int>
+ parseStoredSecrets(const JsonSection& storedSecret);
+
+ static JsonSection
+ generateStoredSecrets(const time::system_clock::TimePoint& tp, const std::string& secretCode,
+ int attempTimes);
+
+ static std::string
+ generateSecureSecretCode();
+
+PUBLIC_WITH_TESTS_ELSE_PRIVATE:
+ static const std::string NEED_CODE;
+ static const std::string WRONG_CODE;
+ static const std::string FAILURE_TIMEOUT;
+ static const std::string FAILURE_MAXRETRY;
+
+ static const std::string JSON_CODE_TP;
+ static const std::string JSON_PIN_CODE;
+ static const std::string JSON_ATTEMPT_TIMES;
+
+private:
+ time::seconds m_secretLifetime;
+ int m_maxAttemptTimes;
+};
+
+} // namespace ndncert
+} // namespace ndn
+
+#endif // NDNCERT_CHALLENGE_PIN_HPP