add validity check on new
Change-Id: I96c10650bd85c2acb305ef8e1512e084a093db08
diff --git a/src/ca-module.cpp b/src/ca-module.cpp
index 0593610..2b9fcb8 100644
--- a/src/ca-module.cpp
+++ b/src/ca-module.cpp
@@ -195,6 +195,16 @@
void
CaModule::onNewRenewRevoke(const Interest& request, RequestType requestType)
{
+
+ //verify ca cert validity
+ const auto& caCert = m_keyChain.getPib().getIdentity( m_config.caProfile.caPrefix).getDefaultKey().getDefaultCertificate();
+ if (!caCert.isValid()) {
+ NDN_LOG_ERROR("Server certificate invalid/expired");
+ m_face.put(generateErrorDataPacket(request.getName(), ErrorCode::BAD_VALIDITY_PERIOD,
+ "Server certificate invalid/expired"));
+ return;
+ }
+
// NEW Naming Convention: /<CA-prefix>/CA/NEW/[SignedInterestParameters_Digest]
// REVOKE Naming Convention: /<CA-prefix>/CA/REVOKE/[SignedInterestParameters_Digest]
// get ECDH pub key and cert request
@@ -292,8 +302,7 @@
}
else if (requestType == RequestType::REVOKE) {
//verify cert is from this CA
- const auto& cert = m_keyChain.getPib().getIdentity( m_config.caProfile.caPrefix).getDefaultKey().getDefaultCertificate();
- if (!security::verifySignature(*clientCert, cert)) {
+ if (!security::verifySignature(*clientCert, caCert)) {
NDN_LOG_ERROR("Invalid signature in the certificate to revoke.");
m_face.put(generateErrorDataPacket(request.getName(), ErrorCode::BAD_SIGNATURE,
"Invalid signature in the certificate to revoke."));
diff --git a/tests/unit-tests/ca-module.t.cpp b/tests/unit-tests/ca-module.t.cpp
index 76dc1b8..3c4dbb4 100644
--- a/tests/unit-tests/ca-module.t.cpp
+++ b/tests/unit-tests/ca-module.t.cpp
@@ -302,6 +302,47 @@
advanceClocks(time::milliseconds(20), 60);
}
+BOOST_AUTO_TEST_CASE(HandleNewWithServerBadValidity)
+{
+ auto identity = addIdentity(Name("/ndn"));
+ auto key = identity.getDefaultKey();
+
+ //build expired cert
+ security::Certificate cert;
+ cert.setName(Name(key.getName()).append("self-sign").appendVersion());
+ cert.setContentType(ndn::tlv::ContentType_Key);
+ cert.setContent(key.getPublicKey().data(), key.getPublicKey().size());
+ SignatureInfo signatureInfo;
+ signatureInfo.setValidityPeriod(security::ValidityPeriod(time::system_clock::now() - time::days(1), time::system_clock::now() - time::seconds(1)));
+ m_keyChain.sign(cert, signingByKey(key.getName()).setSignatureInfo(signatureInfo));
+ m_keyChain.setDefaultCertificate(key, cert);
+
+ util::DummyClientFace face(io, m_keyChain, {true, true});
+ CaModule ca(face, m_keyChain, "tests/unit-tests/config-files/config-ca-1", "ca-storage-memory");
+ advanceClocks(time::milliseconds(20), 60);
+
+ CaProfile item;
+ item.caPrefix = Name("/ndn");
+ item.cert = std::make_shared<security::Certificate>(cert);
+ requester::Request state(m_keyChain, item, RequestType::NEW);
+ auto interest = state.genNewInterest(Name("/ndn/zhiyi"),
+ time::system_clock::now(),
+ time::system_clock::now() + time::days(1));
+
+ int count = 0;
+ face.onSendData.connect([&](const Data& response) {
+ auto contentTlv = response.getContent();
+ contentTlv.parse();
+ auto errorCode = static_cast<ErrorCode>(readNonNegativeInteger(contentTlv.get(tlv::ErrorCode)));
+ BOOST_CHECK(errorCode != ErrorCode::NO_ERROR);
+ count ++;
+ });
+ face.receive(*interest);
+
+ advanceClocks(time::milliseconds(20), 60);
+ BOOST_CHECK_EQUAL(count, 1);
+}
+
BOOST_AUTO_TEST_CASE(HandleNewWithLongSuffix)
{
auto identity = addIdentity(Name("/ndn"));