Gitiles
Code Review Sign In
gerrit.named-data.net / ndncert / e5b43699cdc4b2b2c95a89ef5fa5bfeaac4b7928 / . / src / challenge / challenge-possession.cpp
blob: ef93d256b38ce932365665223713275db79c16a6 [file] [log] [blame]
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]1/*
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]2 * Copyright (c) 2017-2021, Regents of the University of California.
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]3 *
4 * This file is part of ndncert, a certificate management system based on NDN.
5 *
6 * ndncert is free software: you can redistribute it and/or modify it under the terms
7 * of the GNU General Public License as published by the Free Software Foundation, either
8 * version 3 of the License, or (at your option) any later version.
9 *
10 * ndncert is distributed in the hope that it will be useful, but WITHOUT ANY
11 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
12 * PARTICULAR PURPOSE. See the GNU General Public License for more details.
13 *
14 * You should have received copies of the GNU General Public License along with
15 * ndncert, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
16 *
17 * See AUTHORS.md for complete list of ndncert authors and contributors.
18 */
19
20#include "challenge-possession.hpp"
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]21
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]22#include <ndn-cxx/security/signing-helpers.hpp>
23#include <ndn-cxx/security/transform/public-key.hpp>
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]24#include <ndn-cxx/security/verification-helpers.hpp>
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]25#include <ndn-cxx/util/io.hpp>
26#include <ndn-cxx/util/random.hpp>
27
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]28#include <boost/property_tree/json_parser.hpp>
29
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]30namespace ndn {
31namespace ndncert {
32
33NDN_LOG_INIT(ndncert.challenge.possession);
tylerliuf26d41b2021-10-12 16:50:16 -0700[diff] [blame]34NDNCERT_REGISTER_CHALLENGE(ChallengePossession, "possession");
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]35
36const std::string ChallengePossession::PARAMETER_KEY_CREDENTIAL_CERT = "issued-cert";
37const std::string ChallengePossession::PARAMETER_KEY_NONCE = "nonce";
38const std::string ChallengePossession::PARAMETER_KEY_PROOF = "proof";
39const std::string ChallengePossession::NEED_PROOF = "need-proof";
40
41ChallengePossession::ChallengePossession(const std::string& configPath)
42 : ChallengeModule("Possession", 1, time::seconds(60))
43{
44 if (configPath.empty()) {
45 m_configFile = std::string(NDNCERT_SYSCONFDIR) + "/ndncert/challenge-credential.conf";
46 }
47 else {
48 m_configFile = configPath;
49 }
50}
51
52void
53ChallengePossession::parseConfigFile()
54{
55 JsonSection config;
56 try {
57 boost::property_tree::read_json(m_configFile, config);
58 }
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]59 catch (const boost::property_tree::file_parser_error& error) {
60 NDN_THROW(std::runtime_error("Failed to parse configuration file " + m_configFile + ": " +
61 error.message() + " on line " + std::to_string(error.line())));
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]62 }
63
64 if (config.begin() == config.end()) {
65 NDN_THROW(std::runtime_error("Error processing configuration file: " + m_configFile + " no data"));
66 }
67
68 m_trustAnchors.clear();
69 auto anchorList = config.get_child("anchor-list");
70 auto it = anchorList.begin();
71 for (; it != anchorList.end(); it++) {
72 std::istringstream ss(it->second.get("certificate", ""));
73 auto cert = io::load<security::Certificate>(ss);
74 if (cert == nullptr) {
75 NDN_LOG_ERROR("Cannot load the certificate from config file");
76 continue;
77 }
78 m_trustAnchors.push_back(*cert);
79 }
80}
81
82// For CA
83std::tuple<ErrorCode, std::string>
84ChallengePossession::handleChallengeRequest(const Block& params, ca::RequestState& request)
85{
86 params.parse();
87 if (m_trustAnchors.empty()) {
88 parseConfigFile();
89 }
90 security::Certificate credential;
91 const uint8_t* signature = nullptr;
92 size_t signatureLen = 0;
93 const auto& elements = params.elements();
94 for (size_t i = 0; i < elements.size() - 1; i++) {
95 if (elements[i].type() == tlv::ParameterKey && elements[i + 1].type() == tlv::ParameterValue) {
96 if (readString(elements[i]) == PARAMETER_KEY_CREDENTIAL_CERT) {
97 try {
98 credential.wireDecode(elements[i + 1].blockFromValue());
99 }
100 catch (const std::exception& e) {
101 NDN_LOG_ERROR("Cannot load challenge parameter: credential " << e.what());
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]102 return returnWithError(request, ErrorCode::INVALID_PARAMETER,
103 "Cannot challenge credential: credential."s + e.what());
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]104 }
105 }
106 else if (readString(elements[i]) == PARAMETER_KEY_PROOF) {
107 signature = elements[i + 1].value();
108 signatureLen = elements[i + 1].value_size();
109 }
110 }
111 }
112
113 // verify the credential and the self-signed cert
114 if (request.status == Status::BEFORE_CHALLENGE) {
115 NDN_LOG_TRACE("Challenge Interest arrives. Check certificate and init the challenge");
116 // check the certificate
117 bool checkOK = false;
118 if (credential.hasContent() && signatureLen == 0) {
119 Name signingKeyName = credential.getSignatureInfo().getKeyLocator().getName();
120 security::transform::PublicKey key;
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]121 const auto& pubKeyBuffer = credential.getPublicKey();
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]122 key.loadPkcs8(pubKeyBuffer.data(), pubKeyBuffer.size());
123 for (auto anchor : m_trustAnchors) {
124 if (anchor.getKeyName() == signingKeyName) {
125 if (security::verifySignature(credential, anchor)) {
126 checkOK = true;
127 }
128 }
129 }
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]130 }
131 else {
132 return returnWithError(request, ErrorCode::BAD_INTEREST_FORMAT, "Cannot find certificate");
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]133 }
134 if (!checkOK) {
135 return returnWithError(request, ErrorCode::INVALID_PARAMETER, "Certificate cannot be verified");
136 }
137
138 // for the first time, init the challenge
139 std::array<uint8_t, 16> secretCode{};
140 random::generateSecureBytes(secretCode.data(), 16);
141 JsonSection secretJson;
142 secretJson.add(PARAMETER_KEY_NONCE, toHex(secretCode.data(), 16));
143 auto credential_block = credential.wireEncode();
144 secretJson.add(PARAMETER_KEY_CREDENTIAL_CERT, toHex(credential_block.wire(), credential_block.size()));
145 NDN_LOG_TRACE("Secret for request " << toHex(request.requestId.data(), request.requestId.size())
146 << " : " << toHex(secretCode.data(), 16));
147 return returnWithNewChallengeStatus(request, NEED_PROOF, std::move(secretJson), m_maxAttemptTimes, m_secretLifetime);
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]148 }
149 else if (request.challengeState && request.challengeState->challengeStatus == NEED_PROOF) {
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]150 NDN_LOG_TRACE("Challenge Interest (proof) arrives. Check the proof");
151 //check the format and load credential
152 if (credential.hasContent() || signatureLen == 0) {
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]153 return returnWithError(request, ErrorCode::BAD_INTEREST_FORMAT, "Cannot find certificate");
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]154 }
155 credential = security::Certificate(Block(fromHex(request.challengeState->secrets.get(PARAMETER_KEY_CREDENTIAL_CERT, ""))));
156 auto secretCode = *fromHex(request.challengeState->secrets.get(PARAMETER_KEY_NONCE, ""));
157
158 //check the proof
159 security::transform::PublicKey key;
160 const auto& pubKeyBuffer = credential.getPublicKey();
161 key.loadPkcs8(pubKeyBuffer.data(), pubKeyBuffer.size());
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]162 if (security::verifySignature({{secretCode.data(), secretCode.size()}}, signature, signatureLen, key)) {
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]163 return returnWithSuccess(request);
164 }
165 return returnWithError(request, ErrorCode::INVALID_PARAMETER,
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]166 "Cannot verify the proof of private key against credential.");
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]167 }
168 NDN_LOG_TRACE("Proof of possession: bad state");
169 return returnWithError(request, ErrorCode::INVALID_PARAMETER, "Fail to recognize the request.");
170}
171
172// For Client
173std::multimap<std::string, std::string>
174ChallengePossession::getRequestedParameterList(Status status, const std::string& challengeStatus)
175{
176 std::multimap<std::string, std::string> result;
177 if (status == Status::BEFORE_CHALLENGE) {
178 result.emplace(PARAMETER_KEY_CREDENTIAL_CERT, "Please provide the certificate issued by a trusted CA.");
179 return result;
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]180 }
181 else if (status == Status::CHALLENGE && challengeStatus == NEED_PROOF) {
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]182 result.emplace(PARAMETER_KEY_PROOF, "Please sign a Data packet with request ID as the content.");
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]183 }
184 else {
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]185 NDN_THROW(std::runtime_error("Unexpected status or challenge status."));
186 }
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]187 return result;
188}
189
190Block
191ChallengePossession::genChallengeRequestTLV(Status status, const std::string& challengeStatus,
192 const std::multimap<std::string, std::string>& params)
193{
194 Block request(tlv::EncryptedPayload);
195 if (status == Status::BEFORE_CHALLENGE) {
196 if (params.size() != 1) {
197 NDN_THROW(std::runtime_error("Wrong parameter provided."));
198 }
199 request.push_back(makeStringBlock(tlv::SelectedChallenge, CHALLENGE_TYPE));
200 for (const auto& item : params) {
201 if (std::get<0>(item) == PARAMETER_KEY_CREDENTIAL_CERT) {
202 request.push_back(makeStringBlock(tlv::ParameterKey, PARAMETER_KEY_CREDENTIAL_CERT));
203 Block valueBlock(tlv::ParameterValue);
204 auto& certTlvStr = std::get<1>(item);
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]205 valueBlock.push_back(Block(reinterpret_cast<const uint8_t*>(certTlvStr.data()), certTlvStr.size()));
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]206 request.push_back(valueBlock);
207 }
208 else {
209 NDN_THROW(std::runtime_error("Wrong parameter provided."));
210 }
211 }
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]212 }
213 else if (status == Status::CHALLENGE && challengeStatus == NEED_PROOF){
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]214 if (params.size() != 1) {
215 NDN_THROW(std::runtime_error("Wrong parameter provided."));
216 }
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]217 for (const auto& item : params) {
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]218 if (std::get<0>(item) == PARAMETER_KEY_PROOF) {
219 request.push_back(makeStringBlock(tlv::ParameterKey, PARAMETER_KEY_PROOF));
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]220 auto& sigTlvStr = std::get<1>(item);
221 Block valueBlock = makeBinaryBlock(tlv::ParameterValue,
222 reinterpret_cast<const uint8_t*>(sigTlvStr.data()),
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]223 sigTlvStr.size());
224 request.push_back(valueBlock);
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]225 }
226 else {
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]227 NDN_THROW(std::runtime_error("Wrong parameter provided."));
228 }
229 }
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]230 }
231 else {
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]232 NDN_THROW(std::runtime_error("Unexpected status or challenge status."));
233 }
234 request.encode();
235 return request;
236}
237
238void
239ChallengePossession::fulfillParameters(std::multimap<std::string, std::string>& params,
240 KeyChain& keyChain, const Name& issuedCertName,
241 const std::array<uint8_t, 16>& nonce)
242{
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]243 auto keyName = security::extractKeyNameFromCertName(issuedCertName);
244 auto id = keyChain.getPib().getIdentity(security::extractIdentityFromCertName(issuedCertName));
245 auto issuedCert = id.getKey(keyName).getCertificate(issuedCertName);
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]246 auto issuedCertTlv = issuedCert.wireEncode();
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]247 auto signature = keyChain.getTpm().sign({{nonce.data(), nonce.size()}}, keyName, DigestAlgorithm::SHA256);
248
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]249 for (auto& item : params) {
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]250 if (item.first == PARAMETER_KEY_CREDENTIAL_CERT) {
251 item.second = std::string(reinterpret_cast<const char*>(issuedCertTlv.wire()), issuedCertTlv.size());
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]252 }
Davide Pesaventoe5b43692021-11-15 22:05:03 -0500[diff] [blame^]253 else if (item.first == PARAMETER_KEY_PROOF) {
254 item.second = std::string(signature->get<char>(), signature->size());
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]255 }
256 }
tylerliuf51e3162020-12-20 19:22:59 -0800[diff] [blame]257}
258
259} // namespace ndncert
260} // namespace ndn