Gitiles
Code Review Sign In
gerrit.named-data.net / ndncert / a9bda73593b4ed073df9d2c8f512222fbc1b19bb / . / src / ca-module.cpp
blob: 9df838417d78cbf0e500b5ee986ace7d6a27103e [file] [log] [blame]
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]1/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
2/**
3 * Copyright (c) 2017, Regents of the University of California.
4 *
5 * This file is part of ndncert, a certificate management system based on NDN.
6 *
7 * ndncert is free software: you can redistribute it and/or modify it under the terms
8 * of the GNU General Public License as published by the Free Software Foundation, either
9 * version 3 of the License, or (at your option) any later version.
10 *
11 * ndncert is distributed in the hope that it will be useful, but WITHOUT ANY
12 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13 * PARTICULAR PURPOSE. See the GNU General Public License for more details.
14 *
15 * You should have received copies of the GNU General Public License along with
16 * ndncert, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
17 *
18 * See AUTHORS.md for complete list of ndncert authors and contributors.
19 */
20
21#include "ca-module.hpp"
22#include "challenge-module.hpp"
23#include "logging.hpp"
24#include <ndn-cxx/face.hpp>
25#include <ndn-cxx/security/verification-helpers.hpp>
26#include <ndn-cxx/security/signing-helpers.hpp>
27
28namespace ndn {
29namespace ndncert {
30
31_LOG_INIT(ndncert.ca);
32
33CaModule::CaModule(Face& face, security::v2::KeyChain& keyChain,
34 const std::string& configPath, const std::string& storageType)
35 : m_face(face)
36 , m_keyChain(keyChain)
37{
Zhiyi Zhanga63b7372017-05-17 14:14:34 -0700[diff] [blame]38 // load the config and create storage
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]39 m_config.load(configPath);
40 m_storage = CaStorage::createCaStorage(storageType);
41
Zhiyi Zhanga63b7372017-05-17 14:14:34 -0700[diff] [blame]42 // set default handler and callback
43 m_probeHandler = [&] (const std::string& probeInfo) {
44 return probeInfo;
45 };
46 m_requestUpdateCallback = [&] (const CertificateRequest& CertRequest) {
47 // do nothing
48 };
49
50 // register prefix
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]51 for (const auto& item : m_config.m_caItems) {
52 Name prefix = item.m_caName;
53 prefix.append("CA");
54 try {
55 const RegisteredPrefixId* prefixId = m_face.registerPrefix(prefix,
56 [&] (const Name& name) {
57 const InterestFilterId* filterId = m_face.setInterestFilter(Name(name).append("_PROBE"),
58 bind(&CaModule::handleProbe, this, _2, item));
59 m_interestFilterIds.push_back(filterId);
60
61 filterId = m_face.setInterestFilter(Name(name).append("_NEW"),
62 bind(&CaModule::handleNew, this, _2, item));
63 m_interestFilterIds.push_back(filterId);
64
65 filterId = m_face.setInterestFilter(Name(name).append("_SELECT"),
66 bind(&CaModule::handleSelect, this, _2, item));
67 m_interestFilterIds.push_back(filterId);
68
69 filterId = m_face.setInterestFilter(Name(name).append("_VALIDATE"),
70 bind(&CaModule::handleValidate, this, _2, item));
71 m_interestFilterIds.push_back(filterId);
72
73 filterId = m_face.setInterestFilter(Name(name).append("_STATUS"),
74 bind(&CaModule::handleStatus, this, _2, item));
75 m_interestFilterIds.push_back(filterId);
76
77 filterId = m_face.setInterestFilter(Name(name).append("_DOWNLOAD"),
78 bind(&CaModule::handleDownload, this, _2, item));
79 m_interestFilterIds.push_back(filterId);
80
81 _LOG_TRACE("Prefix " << name << " got registered");
82 },
83 bind(&CaModule::onRegisterFailed, this, _2));
84 m_registeredPrefixIds.push_back(prefixId);
85 }
86 catch (const std::exception& e) {
87 _LOG_TRACE("Error: " << e.what());
88 }
89 }
90}
91
92CaModule::~CaModule()
93{
94 for (auto prefixId : m_interestFilterIds) {
95 m_face.unsetInterestFilter(prefixId);
96 }
97 for (auto prefixId : m_registeredPrefixIds) {
98 m_face.unregisterPrefix(prefixId, nullptr, nullptr);
99 }
100}
101
102void
103CaModule::handleProbe(const Interest& request, const CaItem& caItem)
104{
Zhiyi Zhang4d89fe02017-04-28 18:51:51 -0700[diff] [blame]105 // PROBE Naming Convention: /CA-prefix/CA/_PROBE/<Probe Information>
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]106 _LOG_TRACE("Handle PROBE request");
107
108 std::string identifier;
109 try {
110 identifier = m_probeHandler(readString(request.getName().at(caItem.m_caName.size() + 2)));
111 }
112 catch (const std::exception& e) {
113 _LOG_TRACE("Cannot generate identifier for PROBE request " << e.what());
114 return;
115 }
116 Name identityName = caItem.m_caName;
117 identityName.append(identifier);
118
119 Data result;
120 result.setName(request.getName());
121 result.setContent(dataContentFromJson(genResponseProbeJson(identityName, "")));
122 m_keyChain.sign(result, signingByCertificate(caItem.m_anchor));
123 m_face.put(result);
124
125 _LOG_TRACE("Handle PROBE: generate identity " << identityName);
126}
127
128void
129CaModule::handleNew(const Interest& request, const CaItem& caItem)
130{
Zhiyi Zhang4d89fe02017-04-28 18:51:51 -0700[diff] [blame]131 // NEW Naming Convention: /CA-prefix/CA/_NEW/<certificate-request>/[signature]
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]132 _LOG_TRACE("Handle NEW request");
133
134 security::v2::Certificate clientCert;
135 try {
136 clientCert.wireDecode(request.getName().at(caItem.m_caName.size() + 2).blockFromValue());
137 }
138 catch (const std::exception& e) {
139 _LOG_TRACE("Unrecognized certificate request " << e.what());
140 return;
141 }
142 std::string requestId = std::to_string(random::generateWord64());
143 CertificateRequest certRequest(caItem.m_caName, requestId, clientCert);
Zhiyi Zhanga63b7372017-05-17 14:14:34 -0700[diff] [blame]144 certRequest.setStatus(ChallengeModule::WAIT_SELECTION);
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]145 try {
146 m_storage->addRequest(certRequest);
147 }
148 catch (const std::exception& e) {
149 _LOG_TRACE("Cannot add new request instance " << e.what());
150 return;
151 }
152
153 Data result;
154 result.setName(request.getName());
Zhiyi Zhanga63b7372017-05-17 14:14:34 -0700[diff] [blame]155 result.setContent(dataContentFromJson(genResponseNewJson(requestId, certRequest.getStatus(),
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]156 caItem.m_supportedChallenges)));
157 m_keyChain.sign(result, signingByCertificate(caItem.m_anchor));
158 m_face.put(result);
Zhiyi Zhanga63b7372017-05-17 14:14:34 -0700[diff] [blame]159
160 m_requestUpdateCallback(certRequest);
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]161}
162
163void
164CaModule::handleSelect(const Interest& request, const CaItem& caItem)
165{
Zhiyi Zhang4d89fe02017-04-28 18:51:51 -0700[diff] [blame]166 // SELECT Naming Convention: /CA-prefix/CA/_SELECT/{Request-ID JSON}/<ChallengeID>/
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]167 // {Param JSON}/[Signature components]
168 _LOG_TRACE("Handle SELECT request");
169
170 CertificateRequest certRequest = getCertificateRequest(request, caItem.m_caName);
171 if (certRequest.getRequestId().empty()) {
172 return;
173 }
174
175 if (!security::verifySignature(request, certRequest.getCert())) {
176 _LOG_TRACE("Error: Interest with bad signature.");
177 return;
178 }
179
180 std::string challengeType;
181 try {
182 challengeType = readString(request.getName().at(caItem.m_caName.size() + 3));
183 }
184 catch (const std::exception& e) {
185 _LOG_TRACE(e.what());
186 return;
187 }
Zhiyi Zhange30eb352017-04-13 15:26:14 -0700[diff] [blame]188 _LOG_TRACE("SELECT request choosing challenge " << challengeType);
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]189 auto challenge = ChallengeModule::createChallengeModule(challengeType);
190 if (challenge == nullptr) {
191 _LOG_TRACE("Unrecognized challenge type " << challengeType);
192 return;
193 }
194 JsonSection contentJson = challenge->handleChallengeRequest(request, certRequest);
Zhiyi Zhanga9bda732017-05-20 22:58:55 -0700[diff] [blame^]195 if (certRequest.getStatus() == ChallengeModule::FAILURE) {
196 m_storage->deleteRequest(certRequest.getRequestId());
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]197 }
Zhiyi Zhanga9bda732017-05-20 22:58:55 -0700[diff] [blame^]198 else {
199 try {
200 m_storage->updateRequest(certRequest);
201 }
202 catch (const std::exception& e) {
203 _LOG_TRACE("Cannot update request instance " << e.what());
204 return;
205 }
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]206 }
207
208 Data result;
209 result.setName(request.getName());
210 result.setContent(dataContentFromJson(contentJson));
211 m_keyChain.sign(result, signingByCertificate(caItem.m_anchor));
212 m_face.put(result);
Zhiyi Zhanga63b7372017-05-17 14:14:34 -0700[diff] [blame]213
214 m_requestUpdateCallback(certRequest);
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]215}
216
217void
218CaModule::handleValidate(const Interest& request, const CaItem& caItem)
219{
Zhiyi Zhang4d89fe02017-04-28 18:51:51 -0700[diff] [blame]220 // VALIDATE Naming Convention: /CA-prefix/CA/_VALIDATE/{Request-ID JSON}/<ChallengeID>/
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]221 // {Param JSON}/[Signature components]
222 _LOG_TRACE("Handle VALIDATE request");
223
224 CertificateRequest certRequest = getCertificateRequest(request, caItem.m_caName);
225 if (certRequest.getRequestId().empty()) {
226 return;
227 }
228
229 if (!security::verifySignature(request, certRequest.getCert())) {
230 _LOG_TRACE("Error: Interest with bad signature.");
231 return;
232 }
233
234 std::string challengeType = certRequest.getChallengeType();
235 auto challenge = ChallengeModule::createChallengeModule(challengeType);
236 if (challenge == nullptr) {
237 _LOG_TRACE("Unrecognized challenge type " << challengeType);
238 return;
239 }
240 JsonSection contentJson = challenge->handleChallengeRequest(request, certRequest);
Zhiyi Zhanga9bda732017-05-20 22:58:55 -0700[diff] [blame^]241 if (certRequest.getStatus() == ChallengeModule::FAILURE) {
242 m_storage->deleteRequest(certRequest.getRequestId());
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]243 }
Zhiyi Zhanga9bda732017-05-20 22:58:55 -0700[diff] [blame^]244 else {
245 try {
246 m_storage->updateRequest(certRequest);
247 }
248 catch (const std::exception& e) {
249 _LOG_TRACE("Cannot update request instance " << e.what());
250 return;
251 }
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]252 }
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]253 Data result;
254 result.setName(request.getName());
255 result.setContent(dataContentFromJson(contentJson));
256 m_keyChain.sign(result, signingByCertificate(caItem.m_anchor));
257 m_face.put(result);
258
Zhiyi Zhanga63b7372017-05-17 14:14:34 -0700[diff] [blame]259 m_requestUpdateCallback(certRequest);
260
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]261 if (certRequest.getStatus() == ChallengeModule::SUCCESS) {
262 issueCertificate(certRequest, caItem);
263 }
264}
265
266void
267CaModule::handleStatus(const Interest& request, const CaItem& caItem)
268{
Zhiyi Zhang4d89fe02017-04-28 18:51:51 -0700[diff] [blame]269 // STATUS Naming Convention: /CA-prefix/CA/_STATUS/{Request-ID JSON}/[Signature components]
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]270 _LOG_TRACE("Handle STATUS request");
271
272 CertificateRequest certRequest = getCertificateRequest(request, caItem.m_caName);
273 if (certRequest.getRequestId().empty()) {
274 return;
275 }
276
277 if (!security::verifySignature(request, certRequest.getCert())) {
278 _LOG_TRACE("Error: Interest with bad signature.");
279 return;
280 }
281
282 std::string challengeType = certRequest.getChallengeType();
283 auto challenge = ChallengeModule::createChallengeModule(challengeType);
284 if (challenge == nullptr) {
285 _LOG_TRACE("Unrecognized challenge type " << challengeType);
286 return;
287 }
288 JsonSection contentJson = challenge->handleChallengeRequest(request, certRequest);
289
290 Data result;
291 result.setName(request.getName());
292 result.setContent(dataContentFromJson(contentJson));
293 m_keyChain.sign(result, signingByCertificate(caItem.m_anchor));
294 m_face.put(result);
295}
296
297void
298CaModule::handleDownload(const Interest& request, const CaItem& caItem)
299{
Zhiyi Zhang4d89fe02017-04-28 18:51:51 -0700[diff] [blame]300 // DOWNLOAD Naming Convention: /CA-prefix/CA/_DOWNLOAD/{Request-ID JSON}
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]301 _LOG_TRACE("Handle DOWNLOAD request");
302
303 JsonSection requestIdJson = jsonFromNameComponent(request.getName(), caItem.m_caName.size() + 2);
304 std::string requestId = requestIdJson.get(JSON_REQUEST_ID, "");
305 security::v2::Certificate signedCert;
306 try {
307 signedCert = m_storage->getCertificate(requestId);
308 }
309 catch (const std::exception& e) {
310 _LOG_TRACE("Error: " << e.what());
311 return;
312 }
313
314 Data result;
315 result.setName(request.getName());
316 result.setContent(signedCert.wireEncode());
Zhiyi Zhang4d89fe02017-04-28 18:51:51 -0700[diff] [blame]317 m_keyChain.sign(result, signingByCertificate(caItem.m_anchor));
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]318 m_face.put(result);
319}
320
321void
322CaModule::issueCertificate(const CertificateRequest& certRequest, const CaItem& caItem)
323{
324 Name certName = certRequest.getCert().getKeyName();
325 certName.append("NDNCERT").appendVersion();
326 security::v2::Certificate newCert;
327 newCert.setName(certName);
328 newCert.setContent(certRequest.getCert().getContent());
329 SignatureInfo signatureInfo;
330 security::ValidityPeriod period(time::system_clock::now(),
331 time::system_clock::now() + caItem.m_validityPeriod);
332 signatureInfo.setValidityPeriod(period);
333 security::SigningInfo signingInfo(security::SigningInfo::SIGNER_TYPE_CERT,
334 caItem.m_anchor, signatureInfo);
335 newCert.setFreshnessPeriod(caItem.m_freshnessPeriod);
336
337 m_keyChain.sign(newCert, signingInfo);
338 try {
339 m_storage->addCertificate(certRequest.getRequestId(), newCert);
340 m_storage->deleteRequest(certRequest.getRequestId());
341 _LOG_TRACE("New Certificate Issued " << certName);
342 }
343 catch (const std::exception& e) {
344 _LOG_TRACE("Error: Cannot add issued cert and remove the request " << e.what());
345 return;
346 }
347}
348
349CertificateRequest
350CaModule::getCertificateRequest(const Interest& request, const Name& caName)
351{
352 JsonSection requestIdJson = jsonFromNameComponent(request.getName(), caName.size() + 2);
353 std::string requestId = requestIdJson.get(JSON_REQUEST_ID, "");
354 CertificateRequest certRequest;
355 try {
356 certRequest = m_storage->getRequest(requestId);
357 }
358 catch (const std::exception& e) {
359 _LOG_TRACE("Error: " << e.what());
360 }
361 return certRequest;
362}
363
364void
365CaModule::onRegisterFailed(const std::string& reason)
366{
367 _LOG_TRACE("Error: failed to register prefix in local hub's daemon, REASON: " << reason);
368}
369
370Block
371CaModule::dataContentFromJson(const JsonSection& jsonSection)
372{
373 std::stringstream ss;
374 boost::property_tree::write_json(ss, jsonSection);
375 return makeStringBlock(ndn::tlv::Content, ss.str());
376}
377
378JsonSection
379CaModule::jsonFromNameComponent(const Name& name, int pos)
380{
381 std::string jsonString;
382 try {
383 jsonString = encoding::readString(name.at(pos));
384 }
385 catch (const std::exception& e) {
386 _LOG_TRACE(e.what());
387 return JsonSection();
388 }
389 std::istringstream ss(jsonString);
390 JsonSection json;
391 boost::property_tree::json_parser::read_json(ss, json);
392 return json;
393}
394
395} // namespace ndncert
396} // namespace ndn