Gitiles
Code Review Sign In
gerrit.named-data.net / ndncert / 34a8d4336887c1ad2342cbe257d44dc4ed19a8ce / . / src / challenge-modules / challenge-credential.cpp
blob: 50a15c05711ae406590b8ef9630f1e378a878379 [file] [log] [blame]
Davide Pesaventob48bbda2020-07-27 19:41:37 -0400[diff] [blame]1/*
2 * Copyright (c) 2017-2020, Regents of the University of California.
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]3 *
4 * This file is part of ndncert, a certificate management system based on NDN.
5 *
6 * ndncert is free software: you can redistribute it and/or modify it under the terms
7 * of the GNU General Public License as published by the Free Software Foundation, either
8 * version 3 of the License, or (at your option) any later version.
9 *
10 * ndncert is distributed in the hope that it will be useful, but WITHOUT ANY
11 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
12 * PARTICULAR PURPOSE. See the GNU General Public License for more details.
13 *
14 * You should have received copies of the GNU General Public License along with
15 * ndncert, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
16 *
17 * See AUTHORS.md for complete list of ndncert authors and contributors.
18 */
19
20#include "challenge-credential.hpp"
Zhiyi Zhang22998612020-09-25 14:43:23 -0700[diff] [blame]21#include <iostream>
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]22#include <ndn-cxx/security/verification-helpers.hpp>
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]23#include <ndn-cxx/security/signing-helpers.hpp>
24#include <ndn-cxx/security/transform/public-key.hpp>
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]25#include <ndn-cxx/util/io.hpp>
26
27namespace ndn {
28namespace ndncert {
29
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]30_LOG_INIT(ndncert.challenge.credential);
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]31NDNCERT_REGISTER_CHALLENGE(ChallengeCredential, "Credential");
32
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]33const std::string ChallengeCredential::PARAMETER_KEY_CREDENTIAL_CERT = "issued-cert";
34const std::string ChallengeCredential::PARAMETER_KEY_PROOF_OF_PRIVATE_KEY = "proof-of-private-key";
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]35
36ChallengeCredential::ChallengeCredential(const std::string& configPath)
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]37 : ChallengeModule("Credential", 1, time::seconds(1))
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]38{
Davide Pesaventob48bbda2020-07-27 19:41:37 -0400[diff] [blame]39 if (configPath.empty()) {
Zhiyi Zhang70fe2582017-05-19 15:01:03 -0700[diff] [blame]40 m_configFile = std::string(SYSCONFDIR) + "/ndncert/challenge-credential.conf";
41 }
Zhiyi Zhang8da54d62019-11-21 00:03:05 -0800[diff] [blame]42 else {
Zhiyi Zhang70fe2582017-05-19 15:01:03 -0700[diff] [blame]43 m_configFile = configPath;
Zhiyi Zhang8da54d62019-11-21 00:03:05 -0800[diff] [blame]44 }
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]45}
46
47void
48ChallengeCredential::parseConfigFile()
49{
50 JsonSection config;
51 try {
52 boost::property_tree::read_json(m_configFile, config);
53 }
54 catch (const boost::property_tree::info_parser_error& error) {
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]55 BOOST_THROW_EXCEPTION(std::runtime_error("Failed to parse configuration file " + m_configFile +
56 " " + error.message() + " line " + std::to_string(error.line())));
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]57 }
58
59 if (config.begin() == config.end()) {
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]60 BOOST_THROW_EXCEPTION(std::runtime_error("Error processing configuration file: " + m_configFile + " no data"));
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]61 }
62
63 m_trustAnchors.clear();
64 auto anchorList = config.get_child("anchor-list");
65 auto it = anchorList.begin();
66 for (; it != anchorList.end(); it++) {
Zhiyi Zhang8da54d62019-11-21 00:03:05 -0800[diff] [blame]67 std::istringstream ss(it->second.get("certificate", ""));
68 auto cert = io::load<security::v2::Certificate>(ss);
69 if (cert == nullptr) {
70 _LOG_ERROR("Cannot load the certificate from config file");
71 continue;
72 }
73 m_trustAnchors.push_back(*cert);
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]74 }
75}
76
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]77// For CA
Zhiyi Zhangaafc55e2020-09-28 17:54:48 -0700[diff] [blame]78std::tuple<ErrorCode, std::string>
Zhiyi Zhange232a742020-09-29 17:34:17 -0700[diff] [blame]79ChallengeCredential::handleChallengeRequest(const Block& params, RequestState& request)
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]80{
Suyong Won44d0cce2020-05-10 04:07:43 -0700[diff] [blame]81 params.parse();
Zhiyi Zhang70fe2582017-05-19 15:01:03 -0700[diff] [blame]82 if (m_trustAnchors.empty()) {
83 parseConfigFile();
84 }
Zhiyi Zhang34a8d432020-10-03 22:14:25 -0700[diff] [blame^]85 security::v2::Certificate credential;
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]86 const uint8_t* signature;
87 size_t signatureLen;
88 const auto& elements = params.elements();
Zhiyi Zhang22998612020-09-25 14:43:23 -0700[diff] [blame]89 for (size_t i = 0; i < elements.size(); i++) {
90 if (elements[i].type() == tlv_parameter_key) {
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]91 if (readString(elements[i]) == PARAMETER_KEY_CREDENTIAL_CERT) {
Zhiyi Zhang34a8d432020-10-03 22:14:25 -0700[diff] [blame^]92 try {
93 credential.wireDecode(elements[i + 1].blockFromValue());
94 }
95 catch (const std::exception& e) {
96 _LOG_ERROR("Cannot load challenge parameter: credential " << e.what());
97 return returnWithError(request, ErrorCode::INVALID_PARAMETER, "Cannot challenge credential: credential." + std::string(e.what()));
Zhiyi Zhang22998612020-09-25 14:43:23 -0700[diff] [blame]98 }
99 }
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]100 else if (readString(elements[i]) == PARAMETER_KEY_PROOF_OF_PRIVATE_KEY) {
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]101 signature = elements[i + 1].value();
102 signatureLen = elements[i + 1].value_size();
Zhiyi Zhang22998612020-09-25 14:43:23 -0700[diff] [blame]103 }
104 }
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]105 }
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]106
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]107 // verify the credential and the self-signed cert
Zhiyi Zhang34a8d432020-10-03 22:14:25 -0700[diff] [blame^]108 Name signingKeyName = credential.getSignature().getKeyLocator().getName();
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]109 security::transform::PublicKey key;
Zhiyi Zhang34a8d432020-10-03 22:14:25 -0700[diff] [blame^]110 const auto& pubKeyBuffer = credential.getPublicKey();
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]111 key.loadPkcs8(pubKeyBuffer.data(), pubKeyBuffer.size());
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]112 for (auto anchor : m_trustAnchors) {
113 if (anchor.getKeyName() == signingKeyName) {
Zhiyi Zhang34a8d432020-10-03 22:14:25 -0700[diff] [blame^]114 if (security::verifySignature(credential, anchor) &&
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]115 security::verifySignature((uint8_t*)request.m_requestId.c_str(), request.m_requestId.size(), signature, signatureLen, key)) {
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]116 return returnWithSuccess(request);
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]117 }
118 }
119 }
Zhiyi Zhang70fe2582017-05-19 15:01:03 -0700[diff] [blame]120
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]121 _LOG_TRACE("Cannot verify the proof of private key against credential");
Zhiyi Zhangaafc55e2020-09-28 17:54:48 -0700[diff] [blame]122 return returnWithError(request, ErrorCode::INVALID_PARAMETER, "Cannot verify the proof of private key against credential.");
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]123}
124
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]125// For Client
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]126std::vector<std::tuple<std::string, std::string>>
127ChallengeCredential::getRequestedParameterList(Status status, const std::string& challengeStatus)
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]128{
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]129 std::vector<std::tuple<std::string, std::string>> result;
130 if (status == Status::BEFORE_CHALLENGE) {
131 result.push_back(std::make_tuple(PARAMETER_KEY_CREDENTIAL_CERT, "Please provide the certificate issued by a trusted CA."));
132 result.push_back(std::make_tuple(PARAMETER_KEY_PROOF_OF_PRIVATE_KEY, "Please sign a Data packet with request ID as the content."));
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]133 return result;
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]134 }
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]135 BOOST_THROW_EXCEPTION(std::runtime_error("Unexpected status or challenge status."));
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]136}
137
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]138Block
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]139ChallengeCredential::genChallengeRequestTLV(Status status, const std::string& challengeStatus,
140 std::vector<std::tuple<std::string, std::string>>&& params)
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]141{
142 Block request = makeEmptyBlock(tlv_encrypted_payload);
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]143 if (status == Status::BEFORE_CHALLENGE) {
144 if (params.size() != 2) {
145 BOOST_THROW_EXCEPTION(std::runtime_error("Wrong parameter provided."));
146 }
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]147 request.push_back(makeStringBlock(tlv_selected_challenge, CHALLENGE_TYPE));
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]148 for (const auto& item : params) {
149 if (std::get<0>(item) == PARAMETER_KEY_CREDENTIAL_CERT) {
150 request.push_back(makeStringBlock(tlv_parameter_key, PARAMETER_KEY_CREDENTIAL_CERT));
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]151 Block valueBlock = makeEmptyBlock(tlv_parameter_value);
152 auto& certTlvStr = std::get<1>(item);
153 valueBlock.push_back(Block((uint8_t*)certTlvStr.c_str(), certTlvStr.size()));
154 request.push_back(valueBlock);
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]155 }
156 else if (std::get<0>(item) == PARAMETER_KEY_PROOF_OF_PRIVATE_KEY) {
157 request.push_back(makeStringBlock(tlv_parameter_key, PARAMETER_KEY_PROOF_OF_PRIVATE_KEY));
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]158 auto& sigTlvStr = std::get<1>(item);
159 Block valueBlock = makeBinaryBlock(tlv_parameter_value, (uint8_t*)sigTlvStr.c_str(), sigTlvStr.size());
160 request.push_back(valueBlock);
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]161 }
162 else {
163 BOOST_THROW_EXCEPTION(std::runtime_error("Wrong parameter provided."));
164 }
165 }
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]166 }
167 else {
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]168 BOOST_THROW_EXCEPTION(std::runtime_error("Unexpected status or challenge status."));
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]169 }
Suyong Won44d0cce2020-05-10 04:07:43 -0700[diff] [blame]170 request.encode();
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]171 return request;
172}
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]173
174void
175ChallengeCredential::fulfillParameters(std::vector<std::tuple<std::string, std::string>>& params,
176 KeyChain& keyChain, const Name& issuedCertName, const std::string& requestId)
177{
178 auto& pib = keyChain.getPib();
179 auto id = pib.getIdentity(security::v2::extractIdentityFromCertName(issuedCertName));
180 auto issuedCert = id.getKey(security::v2::extractKeyNameFromCertName(issuedCertName)).getCertificate(issuedCertName);
181 auto issuedCertTlv = issuedCert.wireEncode();
182 auto signatureTlv = keyChain.sign((uint8_t*)requestId.c_str(), requestId.length(), security::signingByCertificate(issuedCertName));
183 for (auto& item : params) {
184 if (std::get<0>(item) == PARAMETER_KEY_CREDENTIAL_CERT) {
185 std::get<1>(item) = std::string((char*)issuedCertTlv.wire(), issuedCertTlv.size());
186 }
187 else if (std::get<0>(item) == PARAMETER_KEY_PROOF_OF_PRIVATE_KEY) {
188 std::get<1>(item) = std::string((char*)signatureTlv.value(), signatureTlv.value_size());
189 }
190 }
191 return;
192}
193
Zhiyi Zhang22998612020-09-25 14:43:23 -0700[diff] [blame]194} // namespace ndncert
195} // namespace ndn