Gitiles
Code Review Sign In
gerrit.named-data.net / ndncert / dd3599170497a25e9855a5d0bd86f6acd03fcd14 / . / src / identity-challenge / challenge-credential.cpp
blob: da47469c2a85d7cead490b312dbee66a14564915 [file] [log] [blame]
Davide Pesaventob48bbda2020-07-27 19:41:37 -0400[diff] [blame]1/*
2 * Copyright (c) 2017-2020, Regents of the University of California.
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]3 *
4 * This file is part of ndncert, a certificate management system based on NDN.
5 *
6 * ndncert is free software: you can redistribute it and/or modify it under the terms
7 * of the GNU General Public License as published by the Free Software Foundation, either
8 * version 3 of the License, or (at your option) any later version.
9 *
10 * ndncert is distributed in the hope that it will be useful, but WITHOUT ANY
11 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
12 * PARTICULAR PURPOSE. See the GNU General Public License for more details.
13 *
14 * You should have received copies of the GNU General Public License along with
15 * ndncert, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
16 *
17 * See AUTHORS.md for complete list of ndncert authors and contributors.
18 */
19
20#include "challenge-credential.hpp"
Zhiyi Zhang22998612020-09-25 14:43:23 -0700[diff] [blame]21#include <iostream>
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]22#include <ndn-cxx/security/verification-helpers.hpp>
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]23#include <ndn-cxx/security/signing-helpers.hpp>
24#include <ndn-cxx/security/transform/public-key.hpp>
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]25#include <ndn-cxx/util/io.hpp>
26
27namespace ndn {
28namespace ndncert {
29
Zhiyi Zhangd61b4a82020-10-10 15:18:43 -0700[diff] [blame]30NDN_LOG_INIT(ndncert.challenge.credential);
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]31NDNCERT_REGISTER_CHALLENGE(ChallengeCredential, "Credential");
32
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]33const std::string ChallengeCredential::PARAMETER_KEY_CREDENTIAL_CERT = "issued-cert";
34const std::string ChallengeCredential::PARAMETER_KEY_PROOF_OF_PRIVATE_KEY = "proof-of-private-key";
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]35
36ChallengeCredential::ChallengeCredential(const std::string& configPath)
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]37 : ChallengeModule("Credential", 1, time::seconds(1))
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]38{
Davide Pesaventob48bbda2020-07-27 19:41:37 -0400[diff] [blame]39 if (configPath.empty()) {
Zhiyi Zhang70fe2582017-05-19 15:01:03 -0700[diff] [blame]40 m_configFile = std::string(SYSCONFDIR) + "/ndncert/challenge-credential.conf";
41 }
Zhiyi Zhang8da54d62019-11-21 00:03:05 -0800[diff] [blame]42 else {
Zhiyi Zhang70fe2582017-05-19 15:01:03 -0700[diff] [blame]43 m_configFile = configPath;
Zhiyi Zhang8da54d62019-11-21 00:03:05 -0800[diff] [blame]44 }
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]45}
46
47void
48ChallengeCredential::parseConfigFile()
49{
50 JsonSection config;
51 try {
52 boost::property_tree::read_json(m_configFile, config);
53 }
54 catch (const boost::property_tree::info_parser_error& error) {
tylerliu41c11532020-10-10 16:14:45 -0700[diff] [blame]55 NDN_THROW(std::runtime_error("Failed to parse configuration file " + m_configFile +
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]56 " " + error.message() + " line " + std::to_string(error.line())));
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]57 }
58
59 if (config.begin() == config.end()) {
tylerliu41c11532020-10-10 16:14:45 -0700[diff] [blame]60 NDN_THROW(std::runtime_error("Error processing configuration file: " + m_configFile + " no data"));
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]61 }
62
63 m_trustAnchors.clear();
64 auto anchorList = config.get_child("anchor-list");
65 auto it = anchorList.begin();
66 for (; it != anchorList.end(); it++) {
Zhiyi Zhang8da54d62019-11-21 00:03:05 -0800[diff] [blame]67 std::istringstream ss(it->second.get("certificate", ""));
tylerliua7bea662020-10-08 18:51:02 -0700[diff] [blame]68 auto cert = io::load<security::Certificate>(ss);
Zhiyi Zhang8da54d62019-11-21 00:03:05 -0800[diff] [blame]69 if (cert == nullptr) {
Zhiyi Zhangd61b4a82020-10-10 15:18:43 -0700[diff] [blame]70 NDN_LOG_ERROR("Cannot load the certificate from config file");
Zhiyi Zhang8da54d62019-11-21 00:03:05 -0800[diff] [blame]71 continue;
72 }
73 m_trustAnchors.push_back(*cert);
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]74 }
75}
76
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]77// For CA
Zhiyi Zhangaafc55e2020-09-28 17:54:48 -0700[diff] [blame]78std::tuple<ErrorCode, std::string>
tylerliu8704d032020-06-23 10:18:15 -0700[diff] [blame]79ChallengeCredential::handleChallengeRequest(const Block& params, CaState& request)
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]80{
Suyong Won44d0cce2020-05-10 04:07:43 -0700[diff] [blame]81 params.parse();
Zhiyi Zhang70fe2582017-05-19 15:01:03 -0700[diff] [blame]82 if (m_trustAnchors.empty()) {
83 parseConfigFile();
84 }
tylerliua7bea662020-10-08 18:51:02 -0700[diff] [blame]85 security::Certificate credential;
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]86 const uint8_t* signature;
87 size_t signatureLen;
88 const auto& elements = params.elements();
Zhiyi Zhang22998612020-09-25 14:43:23 -0700[diff] [blame]89 for (size_t i = 0; i < elements.size(); i++) {
tylerliu50d679e2020-10-14 14:08:39 -0700[diff] [blame]90 if (elements[i].type() == tlv::ParameterKey) {
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]91 if (readString(elements[i]) == PARAMETER_KEY_CREDENTIAL_CERT) {
Zhiyi Zhang34a8d432020-10-03 22:14:25 -0700[diff] [blame]92 try {
93 credential.wireDecode(elements[i + 1].blockFromValue());
94 }
95 catch (const std::exception& e) {
Zhiyi Zhangd61b4a82020-10-10 15:18:43 -0700[diff] [blame]96 NDN_LOG_ERROR("Cannot load challenge parameter: credential " << e.what());
Zhiyi Zhang34a8d432020-10-03 22:14:25 -0700[diff] [blame]97 return returnWithError(request, ErrorCode::INVALID_PARAMETER, "Cannot challenge credential: credential." + std::string(e.what()));
Zhiyi Zhang22998612020-09-25 14:43:23 -0700[diff] [blame]98 }
99 }
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]100 else if (readString(elements[i]) == PARAMETER_KEY_PROOF_OF_PRIVATE_KEY) {
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]101 signature = elements[i + 1].value();
102 signatureLen = elements[i + 1].value_size();
Zhiyi Zhang22998612020-09-25 14:43:23 -0700[diff] [blame]103 }
104 }
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]105 }
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]106
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]107 // verify the credential and the self-signed cert
tylerliua7bea662020-10-08 18:51:02 -0700[diff] [blame]108 Name signingKeyName = credential.getSignatureInfo().getKeyLocator().getName();
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]109 security::transform::PublicKey key;
Zhiyi Zhang34a8d432020-10-03 22:14:25 -0700[diff] [blame]110 const auto& pubKeyBuffer = credential.getPublicKey();
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]111 key.loadPkcs8(pubKeyBuffer.data(), pubKeyBuffer.size());
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]112 for (auto anchor : m_trustAnchors) {
113 if (anchor.getKeyName() == signingKeyName) {
Zhiyi Zhang34a8d432020-10-03 22:14:25 -0700[diff] [blame]114 if (security::verifySignature(credential, anchor) &&
Zhiyi Zhang8fdb36b2020-10-18 11:58:51 -0700[diff] [blame]115 security::verifySignature(request.m_requestId.data(), request.m_requestId.size(), signature, signatureLen, key)) {
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]116 return returnWithSuccess(request);
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]117 }
118 }
119 }
Zhiyi Zhangd61b4a82020-10-10 15:18:43 -0700[diff] [blame]120 NDN_LOG_TRACE("Cannot verify the proof of private key against credential");
Zhiyi Zhangaafc55e2020-09-28 17:54:48 -0700[diff] [blame]121 return returnWithError(request, ErrorCode::INVALID_PARAMETER, "Cannot verify the proof of private key against credential.");
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]122}
123
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]124// For Client
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]125std::vector<std::tuple<std::string, std::string>>
126ChallengeCredential::getRequestedParameterList(Status status, const std::string& challengeStatus)
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]127{
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]128 std::vector<std::tuple<std::string, std::string>> result;
129 if (status == Status::BEFORE_CHALLENGE) {
130 result.push_back(std::make_tuple(PARAMETER_KEY_CREDENTIAL_CERT, "Please provide the certificate issued by a trusted CA."));
131 result.push_back(std::make_tuple(PARAMETER_KEY_PROOF_OF_PRIVATE_KEY, "Please sign a Data packet with request ID as the content."));
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]132 return result;
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]133 }
tylerliu41c11532020-10-10 16:14:45 -0700[diff] [blame]134 NDN_THROW(std::runtime_error("Unexpected status or challenge status."));
Zhiyi Zhang0a89b722017-04-28 17:56:01 -0700[diff] [blame]135}
136
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]137Block
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]138ChallengeCredential::genChallengeRequestTLV(Status status, const std::string& challengeStatus,
139 std::vector<std::tuple<std::string, std::string>>&& params)
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]140{
tylerliu50d679e2020-10-14 14:08:39 -0700[diff] [blame]141 Block request = makeEmptyBlock(tlv::EncryptedPayload);
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]142 if (status == Status::BEFORE_CHALLENGE) {
143 if (params.size() != 2) {
tylerliu41c11532020-10-10 16:14:45 -0700[diff] [blame]144 NDN_THROW(std::runtime_error("Wrong parameter provided."));
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]145 }
tylerliu50d679e2020-10-14 14:08:39 -0700[diff] [blame]146 request.push_back(makeStringBlock(tlv::SelectedChallenge, CHALLENGE_TYPE));
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]147 for (const auto& item : params) {
148 if (std::get<0>(item) == PARAMETER_KEY_CREDENTIAL_CERT) {
tylerliu50d679e2020-10-14 14:08:39 -0700[diff] [blame]149 request.push_back(makeStringBlock(tlv::ParameterKey, PARAMETER_KEY_CREDENTIAL_CERT));
150 Block valueBlock = makeEmptyBlock(tlv::ParameterValue);
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]151 auto& certTlvStr = std::get<1>(item);
152 valueBlock.push_back(Block((uint8_t*)certTlvStr.c_str(), certTlvStr.size()));
153 request.push_back(valueBlock);
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]154 }
155 else if (std::get<0>(item) == PARAMETER_KEY_PROOF_OF_PRIVATE_KEY) {
tylerliu50d679e2020-10-14 14:08:39 -0700[diff] [blame]156 request.push_back(makeStringBlock(tlv::ParameterKey, PARAMETER_KEY_PROOF_OF_PRIVATE_KEY));
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]157 auto& sigTlvStr = std::get<1>(item);
tylerliu50d679e2020-10-14 14:08:39 -0700[diff] [blame]158 Block valueBlock = makeBinaryBlock(tlv::ParameterValue, (uint8_t*)sigTlvStr.c_str(), sigTlvStr.size());
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]159 request.push_back(valueBlock);
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]160 }
161 else {
tylerliu41c11532020-10-10 16:14:45 -0700[diff] [blame]162 NDN_THROW(std::runtime_error("Wrong parameter provided."));
Zhiyi Zhang46049832020-09-28 17:08:12 -0700[diff] [blame]163 }
164 }
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]165 }
166 else {
tylerliu41c11532020-10-10 16:14:45 -0700[diff] [blame]167 NDN_THROW(std::runtime_error("Unexpected status or challenge status."));
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]168 }
Suyong Won44d0cce2020-05-10 04:07:43 -0700[diff] [blame]169 request.encode();
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]170 return request;
171}
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]172
173void
174ChallengeCredential::fulfillParameters(std::vector<std::tuple<std::string, std::string>>& params,
Zhiyi Zhang8fdb36b2020-10-18 11:58:51 -0700[diff] [blame]175 KeyChain& keyChain, const Name& issuedCertName, const RequestID& requestId)
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]176{
177 auto& pib = keyChain.getPib();
tylerliua7bea662020-10-08 18:51:02 -0700[diff] [blame]178 auto id = pib.getIdentity(security::extractIdentityFromCertName(issuedCertName));
179 auto issuedCert = id.getKey(security::extractKeyNameFromCertName(issuedCertName)).getCertificate(issuedCertName);
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]180 auto issuedCertTlv = issuedCert.wireEncode();
Zhiyi Zhang8fdb36b2020-10-18 11:58:51 -0700[diff] [blame]181 auto signatureTlv = keyChain.sign(requestId.data(), requestId.size(), security::signingByCertificate(issuedCertName));
Zhiyi Zhangead9f002020-10-03 15:42:52 -0700[diff] [blame]182 for (auto& item : params) {
183 if (std::get<0>(item) == PARAMETER_KEY_CREDENTIAL_CERT) {
184 std::get<1>(item) = std::string((char*)issuedCertTlv.wire(), issuedCertTlv.size());
185 }
186 else if (std::get<0>(item) == PARAMETER_KEY_PROOF_OF_PRIVATE_KEY) {
187 std::get<1>(item) = std::string((char*)signatureTlv.value(), signatureTlv.value_size());
188 }
189 }
190 return;
191}
192
Zhiyi Zhange4891b72020-10-10 15:11:57 -0700[diff] [blame]193} // namespace ndncert
194} // namespace ndn