src/requester-request.hpp

/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
 * Copyright (c) 2017-2023, Regents of the University of California.
 *
 * This file is part of ndncert, a certificate management system based on NDN.
 *
 * ndncert is free software: you can redistribute it and/or modify it under the terms
 * of the GNU General Public License as published by the Free Software Foundation, either
 * version 3 of the License, or (at your option) any later version.
 *
 * ndncert is distributed in the hope that it will be useful, but WITHOUT ANY
 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 * PARTICULAR PURPOSE.  See the GNU General Public License for more details.
 *
 * You should have received copies of the GNU General Public License along with
 * ndncert, e.g., in COPYING.md file.  If not, see <http://www.gnu.org/licenses/>.
 *
 * See AUTHORS.md for complete list of ndncert authors and contributors.
 */

#ifndef NDNCERT_REQUESTER_REQUEST_HPP
#define NDNCERT_REQUESTER_REQUEST_HPP

#include "detail/ca-request-state.hpp"
#include "detail/crypto-helpers.hpp"
#include "detail/profile-storage.hpp"

#include <ndn-cxx/security/key-chain.hpp>

namespace ndncert::requester {

class Request : boost::noncopyable
{
public:
  /**
   * @brief Generates a CA profile discovery Interest following RDR protocol.
   *
   * @param caName The name prefix of the CA.
   * @return A shared pointer to an Interest ready to be sent.
   */
  static std::shared_ptr<Interest>
  genCaProfileDiscoveryInterest(const Name& caName);

  /**
   * @brief Generates a CA profile fetching Interest following RDR protocol.
   *
   * @param reply The Data packet replied from discovery Interest.
   * @return A shared pointer to an Interest ready to be sent.
   */
  static std::shared_ptr<Interest>
  genCaProfileInterestFromDiscoveryResponse(const Data& reply);

  /**
   * @brief Decodes the CA profile from the replied CA profile Data packet.
   *
   * Will first verify the signature of the packet using the key provided inside the profile.
   * The application should be cautious whether to add CaProfile into the ProfileStorage.
   *
   * @param reply The Data packet replied from CA profile fetching Interest.
   * @return the CaProfile if decoding is successful
   * @throw std::runtime_error if the decoding fails or receiving an error packet.
   */
  static std::optional<CaProfile>
  onCaProfileResponse(const Data& reply);

  /**
   * @brief Decodes the CA profile from the replied CA profile Data packet after the redirection.
   *
   * Will first verify the signature of the packet using the key provided inside the profile and
   * verify the certificate's digest matches the one obtained from the original CA.
   * The application should be cautious whether to add CaProfile into the ProfileStorage.
   *
   * @param reply The Data packet replied from CA profile fetching Interest.
   * @param caCertFullName The full name obtained from original CA's probe response.
   * @return the CaProfile if decoding is successful
   * @throw std::runtime_error if the decoding fails or receiving an error packet.
   */
  static std::optional<CaProfile>
  onCaProfileResponseAfterRedirection(const Data& reply, const Name& caCertFullName);

  /**
   * @brief Generates a PROBE interest to the CA (for suggested name assignments).
   *
   * @param ca The CA that interest is send to
   * @param probeInfo The requester information to carry to the CA
   * @return A shared pointer of to the encoded interest, ready to be sent.
   */
  static std::shared_ptr<Interest>
  genProbeInterest(const CaProfile& ca, std::multimap<std::string, std::string>&& probeInfo);

  /**
   * @brief Decodes the replied data for PROBE process from the CA.
   *
   * Will first verify the signature of the packet using the key provided inside the profile.
   *
   * @param reply The replied data packet
   * @param ca the profile of the CA that replies the packet
   * @param identityNames The vector to load the decoded identity names from the data.
   * @param otherCas The vector to load the decoded redirection CA prefixes from the data.
   * @throw std::runtime_error if the decoding fails or receiving an error packet.
   */
  static void
  onProbeResponse(const Data& reply, const CaProfile& ca,
                  std::vector<std::pair<Name, int>>& identityNames, std::vector<Name>& otherCas);

  explicit
  Request(ndn::KeyChain& keyChain, const CaProfile& profile, RequestType requestType);

  // NEW/REVOKE/RENEW related helpers
  /**
   * @brief Generates a NEW interest to the CA.
   *
   * @param state The current requester state for this request. Will be modified in the function.
   * @param keyName The key name to be requested.
   * @param notBefore The expected notBefore field for the certificate (starting time)
   * @param notAfter The expected notAfter field for the certificate (expiration time)
   * @return The shared pointer to the encoded interest.
   */
  std::shared_ptr<Interest>
  genNewInterest(const Name& keyName,
                 const time::system_clock::time_point& notBefore,
                 const time::system_clock::time_point& notAfter);

  /**
   * @brief Generates a REVOKE interest to the CA.
   *
   * @param certificate The certificate to the revoked.
   * @return The shared pointer to the encoded interest.
   */
  std::shared_ptr<Interest>
  genRevokeInterest(const Certificate& certificate);

  /**
   * @brief Decodes the replied data of NEW, RENEW, or REVOKE interest from the CA.
   *
   * @param reply The replied data from the network
   * @return the list of challenge accepted by the CA, for CHALLENGE step.
   * @throw std::runtime_error if the decoding fails or receiving an error packet.
   */
  std::list<std::string>
  onNewRenewRevokeResponse(const Data& reply);

  // CHALLENGE helpers
  /**
   * @brief Generates the required parameter for the selected challenge for the request
   *
   * @param challengeSelected The selected challenge for the request.
   *                          Can use state.m_challengeType to continue.
   * @return The requirement list for the current stage of the challenge, in name, prompt mapping.
   * @throw std::runtime_error if the challenge is not supported.
   */
  std::multimap<std::string, std::string>
  selectOrContinueChallenge(const std::string& challengeSelected);

  /**
   * @brief Generates the CHALLENGE interest for the request.
   *
   * @param parameters The requirement list, in name, value mapping.
   * @return The shared pointer to the encoded interest
   * @throw std::runtime_error if the challenge is not selected or is not supported.
   */
  std::shared_ptr<Interest>
  genChallengeInterest(std::multimap<std::string, std::string>&& parameters);

  /**
   * @brief Decodes the responded data from the CHALLENGE interest.
   *
   * @param reply The response data.
   * @throw std::runtime_error if the decoding fails or receiving an error packet.
   */
  void
  onChallengeResponse(const Data& reply);

  /**
   * @brief Generate the interest to fetch the issued certificate
   *
   * @return The shared pointer to the encoded interest
   */
  std::shared_ptr<Interest>
  genCertFetchInterest() const;

  /**
   * @brief Decoded and installs the response certificate from the certificate fetch.
   *
   * @param reply The data replied from the certificate fetch interest.
   * @return The shared pointer to the certificate being fetched.
   */
  static std::shared_ptr<Certificate>
  onCertFetchResponse(const Data& reply);

private:
  static void
  processIfError(const Data& data);

public:
  /**
   * @brief The CA profile for this request.
   */
  CaProfile m_caProfile;
  /**
   * @brief The type of request. Either NEW, RENEW, or REVOKE.
   */
  RequestType m_type;
  /**
   * @brief The identity name for the requesting certificate.
   */
  Name m_identityName;
  /**
   * @brief The CA-generated request ID for the request.
   */
  RequestId m_requestId;
  /**
   * @brief The current status of the request.
   */
  Status m_status = Status::BEFORE_CHALLENGE;
  /**
   * @brief The type of challenge chosen.
   */
  std::string m_challengeType;
  /**
   * @brief The status of the current challenge.
   */
  std::string m_challengeStatus;
  /**
   * @brief The remaining number of tries left for the challenge
   */
  int m_remainingTries = 0;
  /**
   * @brief The time this challenge will remain fresh
   */
  time::system_clock::time_point m_freshBefore;
  /**
   * @brief the name of the certificate being issued.
   */
  Name m_issuedCertName;
  /**
   * @brief The optional forwarding hint.
   */
  Name m_forwardingHint;
  /**
   * @brief ecdh state.
   */
  ECDHState m_ecdh;
  /**
   * @brief AES key derived from the ecdh shared secret.
   */
  std::array<uint8_t, 16> m_aesKey = {};
  /**
   * @brief The last Initialization Vector used by the AES encryption.
   */
  std::vector<uint8_t> m_encryptionIv;
  /**
   * @brief The last Initialization Vector used by the other side's AES encryption.
   */
  std::vector<uint8_t> m_decryptionIv;
  /**
   * @brief Store Nonce for signature
   */
  std::array<uint8_t, 16> m_nonce = {};

private:
  /**
   * @brief The local keychain to generate and install identities, keys and certificates
   */
  ndn::KeyChain& m_keyChain;
  /**
   * @brief The keypair for the request.
   */
  ndn::security::Key m_keyPair;
};

} // namespace ndncert::requester

#endif // NDNCERT_REQUESTER_REQUEST_HPP