Gitiles
Code Review Sign In
gerrit.named-data.net / ndncert / fc1678aae310ac2a3f342411efa244b4adf48706 / . / src / ca-module.cpp
blob: 9f9515796678a07557bae799bc569d4fee435539 [file] [log] [blame]
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]1/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
swa770de007bc2020-03-24 21:26:21 -0700[diff] [blame]2/**
Davide Pesaventob48bbda2020-07-27 19:41:37 -0400[diff] [blame]3 * Copyright (c) 2017-2020, Regents of the University of California.
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]4 *
5 * This file is part of ndncert, a certificate management system based on NDN.
6 *
7 * ndncert is free software: you can redistribute it and/or modify it under the terms
8 * of the GNU General Public License as published by the Free Software Foundation, either
9 * version 3 of the License, or (at your option) any later version.
10 *
11 * ndncert is distributed in the hope that it will be useful, but WITHOUT ANY
12 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13 * PARTICULAR PURPOSE. See the GNU General Public License for more details.
14 *
15 * You should have received copies of the GNU General Public License along with
16 * ndncert, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
17 *
18 * See AUTHORS.md for complete list of ndncert authors and contributors.
19 */
20
21#include "ca-module.hpp"
22#include "challenge-module.hpp"
23#include "logging.hpp"
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]24#include "crypto-support/enc-tlv.hpp"
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]25#include "protocol-detail/info.hpp"
26#include "protocol-detail/probe.hpp"
27#include "protocol-detail/new.hpp"
28#include "protocol-detail/challenge.hpp"
Zhiyi Zhang1c0bd372017-12-18 18:32:55 +0800[diff] [blame]29#include <ndn-cxx/util/io.hpp>
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]30#include <ndn-cxx/security/verification-helpers.hpp>
31#include <ndn-cxx/security/signing-helpers.hpp>
Junxiao Shi7c068032017-05-28 13:40:47 +0000[diff] [blame]32#include <ndn-cxx/util/random.hpp>
Zhiyi Zhangfc1678a2020-05-12 16:52:14 -0700[diff] [blame^]33#include <ndn-cxx/metadata-object.hpp>
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]34
35namespace ndn {
36namespace ndncert {
37
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]38static const int IS_SUBNAME_MIN_OFFSET = 5;
Zhiyi Zhang42e1cf32019-06-22 17:11:42 -0700[diff] [blame]39static const time::seconds DEFAULT_DATA_FRESHNESS_PERIOD = 1_s;
Zhiyi Zhang1a735bc2019-07-04 21:36:49 -0700[diff] [blame]40static const time::seconds REQUEST_VALIDITY_PERIOD_NOT_BEFORE_GRACE_PERIOD = 120_s;
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]41
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]42_LOG_INIT(ndncert.ca);
43
44CaModule::CaModule(Face& face, security::v2::KeyChain& keyChain,
45 const std::string& configPath, const std::string& storageType)
46 : m_face(face)
47 , m_keyChain(keyChain)
48{
Zhiyi Zhanga63b7372017-05-17 14:14:34 -0700[diff] [blame]49 // load the config and create storage
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]50 m_config.load(configPath);
51 m_storage = CaStorage::createCaStorage(storageType);
52
Zhiyi Zhang1c0bd372017-12-18 18:32:55 +0800[diff] [blame]53 registerPrefix();
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]54}
55
56CaModule::~CaModule()
57{
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]58 for (auto handle : m_interestFilterHandles) {
59 handle.cancel();
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]60 }
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]61 for (auto handle : m_registeredPrefixHandles) {
62 handle.unregister();
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]63 }
64}
65
66void
Zhiyi Zhang1c0bd372017-12-18 18:32:55 +0800[diff] [blame]67CaModule::registerPrefix()
68{
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]69 // register localhop discovery prefix
swa77020643ac2020-03-26 02:24:45 -0700[diff] [blame]70 Name localhopInfoPrefix("/localhop/CA/INFO");
71 auto prefixId = m_face.setInterestFilter(InterestFilter(localhopInfoPrefix),
72 bind(&CaModule::onInfo, this, _2),
Zhiyi Zhang1c0bd372017-12-18 18:32:55 +0800[diff] [blame]73 bind(&CaModule::onRegisterFailed, this, _2));
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]74 m_registeredPrefixHandles.push_back(prefixId);
swa77020643ac2020-03-26 02:24:45 -0700[diff] [blame]75 _LOG_TRACE("Prefix " << localhopInfoPrefix << " got registered");
Zhiyi Zhang1c0bd372017-12-18 18:32:55 +0800[diff] [blame]76
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]77 // register prefixes
Suyong Won256c9062020-05-11 02:45:56 -0700[diff] [blame]78 Name prefix = m_config.m_caPrefix;
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]79 prefix.append("CA");
Zhiyi Zhang1c0bd372017-12-18 18:32:55 +0800[diff] [blame]80
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]81 prefixId = m_face.registerPrefix(prefix,
82 [&] (const Name& name) {
swa77020643ac2020-03-26 02:24:45 -0700[diff] [blame]83 // register INFO prefix
84 auto filterId = m_face.setInterestFilter(Name(name).append("INFO"),
85 bind(&CaModule::onInfo, this, _2));
86 m_interestFilterHandles.push_back(filterId);
87
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]88 // register PROBE prefix
swa77020643ac2020-03-26 02:24:45 -0700[diff] [blame]89 filterId = m_face.setInterestFilter(Name(name).append("PROBE"),
90 bind(&CaModule::onProbe, this, _2));
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]91 m_interestFilterHandles.push_back(filterId);
92
93 // register NEW prefix
swa770de007bc2020-03-24 21:26:21 -0700[diff] [blame]94 filterId = m_face.setInterestFilter(Name(name).append("NEW"),
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]95 bind(&CaModule::onNew, this, _2));
96 m_interestFilterHandles.push_back(filterId);
97
98 // register SELECT prefix
swa770de007bc2020-03-24 21:26:21 -0700[diff] [blame]99 filterId = m_face.setInterestFilter(Name(name).append("CHALLENGE"),
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]100 bind(&CaModule::onChallenge, this, _2));
101 m_interestFilterHandles.push_back(filterId);
102
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]103 _LOG_TRACE("Prefix " << name << " got registered");
104 },
105 bind(&CaModule::onRegisterFailed, this, _2));
106 m_registeredPrefixHandles.push_back(prefixId);
Zhiyi Zhang1c0bd372017-12-18 18:32:55 +0800[diff] [blame]107}
108
Zhiyi Zhang343cdfb2018-01-17 12:04:28 -0800[diff] [blame]109bool
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]110CaModule::setProbeHandler(const ProbeHandler& handler)
Zhiyi Zhang7420cf52017-12-18 18:59:21 +0800[diff] [blame]111{
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]112 m_config.m_probeHandler = handler;
Zhiyi Zhang343cdfb2018-01-17 12:04:28 -0800[diff] [blame]113 return false;
Zhiyi Zhang7420cf52017-12-18 18:59:21 +0800[diff] [blame]114}
115
Zhiyi Zhang343cdfb2018-01-17 12:04:28 -0800[diff] [blame]116bool
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]117CaModule::setStatusUpdateCallback(const StatusUpdateCallback& onUpdateCallback)
Zhiyi Zhang7420cf52017-12-18 18:59:21 +0800[diff] [blame]118{
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]119 m_config.m_statusUpdateCallback = onUpdateCallback;
Zhiyi Zhang343cdfb2018-01-17 12:04:28 -0800[diff] [blame]120 return false;
Zhiyi Zhang7420cf52017-12-18 18:59:21 +0800[diff] [blame]121}
122
Zhiyi Zhangfc1678a2020-05-12 16:52:14 -0700[diff] [blame^]123shared_ptr<Data>
124CaModule::generateCaConfigMetaData()
swa77020643ac2020-03-26 02:24:45 -0700[diff] [blame]125{
Zhiyi Zhangfc1678a2020-05-12 16:52:14 -0700[diff] [blame^]126 // @TODO
127 // make metadata a class member variable m_infoMetadata
128 // check whether the m_infoMetadata has the latest versioned name, if not, then generate a new one
129 // otherwise, directly reply m_infoMetadata.makeData
130
131 auto infoPacket = generateCaConfigData();
132 MetadataObject metadata;
133 metadata.setVersionedName(infoPacket->getName().getPrefix(-1));
134 Name discoveryInterestName(infoPacket->getName().getPrefix(-2));
135 name::Component metadataComponent(32, reinterpret_cast<const uint8_t*>("metadata"), std::strlen("metadata"));
136 discoveryInterestName.append(metadataComponent);
137 auto metadataData = metadata.makeData(discoveryInterestName, m_keyChain, signingByIdentity(m_config.m_caPrefix));
138 return make_shared<Data>(metadataData);
139}
140
141shared_ptr<Data>
142CaModule::generateCaConfigData()
143{
144 // @TODO
145 // make CaInfo Data packet a class member variable m_infoData
146 // check whether the m_infoData is still valid, if not, then generate a new one
147 // otherwise, directly reply m_infoData
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]148
149 const auto& pib = m_keyChain.getPib();
Suyong Won256c9062020-05-11 02:45:56 -0700[diff] [blame]150 const auto& identity = pib.getIdentity(m_config.m_caPrefix);
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]151 const auto& cert = identity.getDefaultKey().getDefaultCertificate();
152 Block contentTLV = INFO::encodeContentFromCAConfig(m_config, cert);
swa77020643ac2020-03-26 02:24:45 -0700[diff] [blame]153
Zhiyi Zhangfc1678a2020-05-12 16:52:14 -0700[diff] [blame^]154 Name infoPacketName(m_config.m_caPrefix);
155 infoPacketName.append("CA").append("INFO").appendVersion().appendSegment(0);
156 Data infoData(infoPacketName);
157 infoData.setContent(contentTLV);
158 infoData.setFreshnessPeriod(DEFAULT_DATA_FRESHNESS_PERIOD);
159 m_keyChain.sign(infoData, signingByIdentity(m_config.m_caPrefix));
160 return make_shared<Data>(infoData);
161}
swa77020643ac2020-03-26 02:24:45 -0700[diff] [blame]162
Zhiyi Zhangfc1678a2020-05-12 16:52:14 -0700[diff] [blame^]163void
164CaModule::onInfo(const Interest& request)
165{
166 _LOG_TRACE("Received INFO request");
167
168 if (request.getName().get(-1).type() == 32) {
169 m_face.put(*generateCaConfigMetaData());
170 }
171 else {
172 m_face.put(*generateCaConfigData());
173 }
swa77020643ac2020-03-26 02:24:45 -0700[diff] [blame]174
175 _LOG_TRACE("Handle INFO: send out the INFO response");
176}
177
178void
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]179CaModule::onProbe(const Interest& request)
Zhiyi Zhang1c0bd372017-12-18 18:32:55 +0800[diff] [blame]180{
swa77020643ac2020-03-26 02:24:45 -0700[diff] [blame]181 // PROBE Naming Convention: /<CA-Prefix>/CA/PROBE/[ParametersSha256DigestComponent]
182 _LOG_TRACE("Received PROBE request");
Zhiyi Zhang1c0bd372017-12-18 18:32:55 +0800[diff] [blame]183
swa77020643ac2020-03-26 02:24:45 -0700[diff] [blame]184 // process PROBE requests: find an available name
185 std::string availableId;
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]186 const auto& parameterTLV = request.getApplicationParameters();
Suyong Won44d0cce2020-05-10 04:07:43 -0700[diff] [blame]187 parameterTLV.parse();
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]188 if (!parameterTLV.hasValue()) {
189 _LOG_ERROR("Empty TLV obtained from the Interest parameter.");
swa77020643ac2020-03-26 02:24:45 -0700[diff] [blame]190 return;
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]191 }
swa77020643ac2020-03-26 02:24:45 -0700[diff] [blame]192 //std::string probeInfoStr = parameterJson.get(JSON_CLIENT_PROBE_INFO, "");
193 if (m_config.m_probeHandler) {
194 try {
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]195 availableId = m_config.m_probeHandler(parameterTLV);
swa77020643ac2020-03-26 02:24:45 -0700[diff] [blame]196 }
197 catch (const std::exception& e) {
198 _LOG_TRACE("Cannot find PROBE input from PROBE parameters: " << e.what());
Zhiyi Zhang547c8512019-06-18 23:46:14 -0700[diff] [blame]199 return;
200 }
Zhiyi Zhang1c0bd372017-12-18 18:32:55 +0800[diff] [blame]201 }
swa77020643ac2020-03-26 02:24:45 -0700[diff] [blame]202 else {
203 // if there is no app-specified name lookup, use a random name id
204 availableId = std::to_string(random::generateSecureWord64());
205 }
Suyong Won256c9062020-05-11 02:45:56 -0700[diff] [blame]206 Name newIdentityName = m_config.m_caPrefix;
swa77020643ac2020-03-26 02:24:45 -0700[diff] [blame]207 newIdentityName.append(availableId);
208 _LOG_TRACE("Handle PROBE: generate an identity " << newIdentityName);
Suyong Won44d0cce2020-05-10 04:07:43 -0700[diff] [blame]209
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]210 Block contentTLV = PROBE::encodeDataContent(newIdentityName.toUri(), m_config.m_probe, parameterTLV);
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]211
212 Data result;
213 result.setName(request.getName());
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]214 result.setContent(contentTLV);
Zhiyi Zhang42e1cf32019-06-22 17:11:42 -0700[diff] [blame]215 result.setFreshnessPeriod(DEFAULT_DATA_FRESHNESS_PERIOD);
Suyong Won256c9062020-05-11 02:45:56 -0700[diff] [blame]216 m_keyChain.sign(result, signingByIdentity(m_config.m_caPrefix));
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]217 m_face.put(result);
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]218 _LOG_TRACE("Handle PROBE: send out the PROBE response");
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]219}
220
221void
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]222CaModule::onNew(const Interest& request)
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]223{
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]224 // NEW Naming Convention: /<CA-prefix>/CA/NEW/[SignedInterestParameters_Digest]
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]225 // get ECDH pub key and cert request
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]226 const auto& parameterTLV = request.getApplicationParameters();
Suyong Won7968f7a2020-05-12 01:01:25 -0700[diff] [blame]227 parameterTLV.parse();
228
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]229 if (!parameterTLV.hasValue()) {
230 _LOG_ERROR("Empty TLV obtained from the Interest parameter.");
Zhiyi Zhang547c8512019-06-18 23:46:14 -0700[diff] [blame]231 return;
232 }
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]233
234 std::string peerKeyBase64 = readString(parameterTLV.get(tlv_ecdh_pub));
235
Zhiyi Zhangbc2d4122019-09-10 12:10:54 -0700[diff] [blame]236 if (peerKeyBase64 == "") {
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]237 _LOG_ERROR("Empty ECDH PUB obtained from the Interest parameter.");
Zhiyi Zhangbc2d4122019-09-10 12:10:54 -0700[diff] [blame]238 return;
239 }
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]240
241 // get server's ECDH pub key
242 auto myEcdhPubKeyBase64 = m_ecdh.getBase64PubKey();
Zhiyi Zhangbc2d4122019-09-10 12:10:54 -0700[diff] [blame]243 try {
244 m_ecdh.deriveSecret(peerKeyBase64);
245 }
246 catch (const std::exception& e) {
247 _LOG_ERROR("Cannot derive a shared secret using the provided ECDH key: " << e.what());
248 return;
249 }
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]250 // generate salt for HKDF
251 auto saltInt = random::generateSecureWord64();
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]252 // hkdf
253 hkdf(m_ecdh.context->sharedSecret, m_ecdh.context->sharedSecretLen,
Zhiyi Zhang36706832019-07-04 21:33:03 -0700[diff] [blame]254 (uint8_t*)&saltInt, sizeof(saltInt), m_aesKey, sizeof(m_aesKey));
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]255
256 // parse certificate request
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]257 Block cert_req = parameterTLV.get(tlv_cert_request);
Suyong Won7968f7a2020-05-12 01:01:25 -0700[diff] [blame]258 cert_req.parse();
259
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]260 shared_ptr<security::v2::Certificate> clientCert = nullptr;
Suyong Won7968f7a2020-05-12 01:01:25 -0700[diff] [blame]261
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]262 try {
Suyong Won7968f7a2020-05-12 01:01:25 -0700[diff] [blame]263 security::v2::Certificate cert = security::v2::Certificate(cert_req.get(tlv::Data));
264 clientCert = make_shared<security::v2::Certificate>(cert);
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]265 }
266 catch (const std::exception& e) {
Zhiyi Zhangbc2d4122019-09-10 12:10:54 -0700[diff] [blame]267 _LOG_ERROR("Unrecognized certificate request: " << e.what());
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]268 return;
269 }
Zhiyi Zhang1a735bc2019-07-04 21:36:49 -0700[diff] [blame]270 // check the validity period
271 auto expectedPeriod = clientCert->getValidityPeriod().getPeriod();
272 auto currentTime = time::system_clock::now();
273 if (expectedPeriod.first < currentTime - REQUEST_VALIDITY_PERIOD_NOT_BEFORE_GRACE_PERIOD) {
274 _LOG_ERROR("Client requests a too old notBefore timepoint.");
275 return;
276 }
Suyong Won7968f7a2020-05-12 01:01:25 -0700[diff] [blame]277 if (expectedPeriod.second > currentTime + m_config.m_maxValidityPeriod ||
Zhiyi Zhang1a735bc2019-07-04 21:36:49 -0700[diff] [blame]278 expectedPeriod.second <= expectedPeriod.first) {
279 _LOG_ERROR("Client requests an invalid validity period or a notAfter timepoint beyond the allowed time period.");
280 return;
281 }
Zhiyi Zhang693c1272017-05-20 22:58:55 -0700[diff] [blame]282
Zhiyi Zhang5f749a22019-06-12 17:02:33 -0700[diff] [blame]283 // verify the self-signed certificate, the request, and the token
Suyong Won256c9062020-05-11 02:45:56 -0700[diff] [blame]284 if (!m_config.m_caPrefix.isPrefixOf(clientCert->getName()) // under ca prefix
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]285 || !security::v2::Certificate::isValidName(clientCert->getName()) // is valid cert name
Suyong Won256c9062020-05-11 02:45:56 -0700[diff] [blame]286 || clientCert->getName().size() != m_config.m_caPrefix.size() + IS_SUBNAME_MIN_OFFSET) {
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]287 _LOG_ERROR("Invalid self-signed certificate name " << clientCert->getName());
288 return;
289 }
290 if (!security::verifySignature(*clientCert, *clientCert)) {
Zhiyi Zhangbc2d4122019-09-10 12:10:54 -0700[diff] [blame]291 _LOG_ERROR("Cert request with bad signature.");
Zhiyi Zhang693c1272017-05-20 22:58:55 -0700[diff] [blame]292 return;
293 }
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]294 if (!security::verifySignature(request, *clientCert)) {
Zhiyi Zhangbc2d4122019-09-10 12:10:54 -0700[diff] [blame]295 _LOG_ERROR("Interest with bad signature.");
Zhiyi Zhang693c1272017-05-20 22:58:55 -0700[diff] [blame]296 return;
297 }
298
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]299 // create new request instance
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]300 std::string requestId = std::to_string(random::generateWord64());
Suyong Won256c9062020-05-11 02:45:56 -0700[diff] [blame]301 CertificateRequest certRequest(m_config.m_caPrefix, requestId, STATUS_BEFORE_CHALLENGE, *clientCert);
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]302
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]303 try {
304 m_storage->addRequest(certRequest);
305 }
306 catch (const std::exception& e) {
Zhiyi Zhangbc2d4122019-09-10 12:10:54 -0700[diff] [blame]307 _LOG_ERROR("Cannot add new request instance into the storage: " << e.what());
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]308 return;
309 }
310
311 Data result;
312 result.setName(request.getName());
Zhiyi Zhang42e1cf32019-06-22 17:11:42 -0700[diff] [blame]313 result.setFreshnessPeriod(DEFAULT_DATA_FRESHNESS_PERIOD);
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]314 result.setContent(NEW::encodeDataContent(myEcdhPubKeyBase64,
315 std::to_string(saltInt),
316 certRequest,
317 m_config.m_supportedChallenges));
Suyong Won256c9062020-05-11 02:45:56 -0700[diff] [blame]318 m_keyChain.sign(result, signingByIdentity(m_config.m_caPrefix));
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]319 m_face.put(result);
Zhiyi Zhanga63b7372017-05-17 14:14:34 -0700[diff] [blame]320
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]321 if (m_config.m_statusUpdateCallback) {
322 m_config.m_statusUpdateCallback(certRequest);
Zhiyi Zhang7420cf52017-12-18 18:59:21 +0800[diff] [blame]323 }
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]324}
325
326void
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]327CaModule::onChallenge(const Interest& request)
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]328{
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]329 // get certificate request state
330 CertificateRequest certRequest = getCertificateRequest(request);
331 if (certRequest.m_requestId == "") {
332 // cannot get the request state
Zhiyi Zhangbc2d4122019-09-10 12:10:54 -0700[diff] [blame]333 _LOG_ERROR("Cannot find certificate request state from CA's storage.");
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]334 return;
335 }
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]336 // verify signature
337 if (!security::verifySignature(request, certRequest.m_cert)) {
Zhiyi Zhangbc2d4122019-09-10 12:10:54 -0700[diff] [blame]338 _LOG_ERROR("Challenge Interest with bad signature.");
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]339 return;
340 }
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]341 // decrypt the parameters
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]342 Buffer paramTLVPayload;
Zhiyi Zhangbc2d4122019-09-10 12:10:54 -0700[diff] [blame]343 try {
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]344 paramTLVPayload = decodeBlockWithAesGcm128(request.getApplicationParameters(), m_aesKey,
Zhiyi Zhangb8cb0472020-05-05 20:55:05 -0700[diff] [blame]345 (uint8_t*)"test", strlen("test"));
Zhiyi Zhangbc2d4122019-09-10 12:10:54 -0700[diff] [blame]346 }
347 catch (const std::exception& e) {
348 _LOG_ERROR("Cannot successfully decrypt the Interest parameters: " << e.what());
349 return;
350 }
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]351 if (paramTLVPayload.size() == 0) {
Zhiyi Zhang42e1cf32019-06-22 17:11:42 -0700[diff] [blame]352 _LOG_ERROR("Got an empty buffer from content decryption.");
353 return;
354 }
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]355
Suyong Won44d0cce2020-05-10 04:07:43 -0700[diff] [blame]356 Block paramTLV = makeBinaryBlock(tlv_encrypted_payload, paramTLVPayload.data(), paramTLVPayload.size());
357 paramTLV.parse();
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]358
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]359 // load the corresponding challenge module
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]360 std::string challengeType = readString(paramTLV.get(tlv_selected_challenge));
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]361 auto challenge = ChallengeModule::createChallengeModule(challengeType);
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]362
Suyong Won44d0cce2020-05-10 04:07:43 -0700[diff] [blame]363 Block payload;
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]364
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]365 if (challenge == nullptr) {
366 _LOG_TRACE("Unrecognized challenge type " << challengeType);
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]367 certRequest.m_status = STATUS_FAILURE;
368 certRequest.m_challengeStatus = CHALLENGE_STATUS_UNKNOWN_CHALLENGE;
Suyong Won44d0cce2020-05-10 04:07:43 -0700[diff] [blame]369 payload = CHALLENGE::encodeDataPayload(certRequest);
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]370 }
Zhiyi Zhanga9bda732017-05-20 22:58:55 -0700[diff] [blame]371 else {
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]372 _LOG_TRACE("CHALLENGE module to be load: " << challengeType);
373 // let challenge module handle the request
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]374 challenge->handleChallengeRequest(paramTLV, certRequest);
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]375 if (certRequest.m_status == STATUS_FAILURE) {
376 // if challenge failed
377 m_storage->deleteRequest(certRequest.m_requestId);
Suyong Won44d0cce2020-05-10 04:07:43 -0700[diff] [blame]378 payload = CHALLENGE::encodeDataPayload(certRequest);
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]379 _LOG_TRACE("Challenge failed");
Zhiyi Zhanga9bda732017-05-20 22:58:55 -0700[diff] [blame]380 }
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]381 else if (certRequest.m_status == STATUS_PENDING) {
382 // if challenge succeeded
383 auto issuedCert = issueCertificate(certRequest);
384 certRequest.m_cert = issuedCert;
385 certRequest.m_status = STATUS_SUCCESS;
386 try {
387 m_storage->addCertificate(certRequest.m_requestId, issuedCert);
388 m_storage->deleteRequest(certRequest.m_requestId);
389 _LOG_TRACE("New Certificate Issued " << issuedCert.getName());
390 }
391 catch (const std::exception& e) {
Zhiyi Zhangbc2d4122019-09-10 12:10:54 -0700[diff] [blame]392 _LOG_ERROR("Cannot add issued cert and remove the request: " << e.what());
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]393 return;
394 }
395 if (m_config.m_statusUpdateCallback) {
396 m_config.m_statusUpdateCallback(certRequest);
397 }
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]398
Suyong Won44d0cce2020-05-10 04:07:43 -0700[diff] [blame]399 payload = CHALLENGE::encodeDataPayload(certRequest);
400 payload.parse();
401 payload.push_back(makeNestedBlock(tlv_issued_cert_name, issuedCert.getName()));
402 payload.encode();
Suyong Won19fba4d2020-05-09 13:39:46 -0700[diff] [blame]403
404 //contentJson.add(JSON_CA_CERT_ID, readString(issuedCert.getName().at(-1)));
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]405 _LOG_TRACE("Challenge succeeded. Certificate has been issued");
Zhiyi Zhang1c0bd372017-12-18 18:32:55 +0800[diff] [blame]406 }
407 else {
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]408 try {
409 m_storage->updateRequest(certRequest);
410 }
411 catch (const std::exception& e) {
Zhiyi Zhangbc2d4122019-09-10 12:10:54 -0700[diff] [blame]412 _LOG_TRACE("Cannot update request instance: " << e.what());
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]413 return;
414 }
Suyong Won44d0cce2020-05-10 04:07:43 -0700[diff] [blame]415 payload = CHALLENGE::encodeDataPayload(certRequest);
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]416 _LOG_TRACE("No failure no success. Challenge moves on");
Zhiyi Zhang1c0bd372017-12-18 18:32:55 +0800[diff] [blame]417 }
Zhiyi Zhang1c0bd372017-12-18 18:32:55 +0800[diff] [blame]418 }
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]419
420 Data result;
421 result.setName(request.getName());
Zhiyi Zhang42e1cf32019-06-22 17:11:42 -0700[diff] [blame]422 result.setFreshnessPeriod(DEFAULT_DATA_FRESHNESS_PERIOD);
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]423
424 // encrypt the content
Suyong Won7968f7a2020-05-12 01:01:25 -0700[diff] [blame]425 auto contentBlock = encodeBlockWithAesGcm128(tlv::Content, m_aesKey, payload.value(),
426 payload.value_size(), (uint8_t*)"test", strlen("test"));
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]427 result.setContent(contentBlock);
Suyong Won256c9062020-05-11 02:45:56 -0700[diff] [blame]428 m_keyChain.sign(result, signingByIdentity(m_config.m_caPrefix));
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]429 m_face.put(result);
430
431 if (m_config.m_statusUpdateCallback) {
432 m_config.m_statusUpdateCallback(certRequest);
Zhiyi Zhang1c0bd372017-12-18 18:32:55 +0800[diff] [blame]433 }
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]434}
435
Zhiyi Zhang343cdfb2018-01-17 12:04:28 -0800[diff] [blame]436security::v2::Certificate
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]437CaModule::issueCertificate(const CertificateRequest& certRequest)
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]438{
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]439 auto expectedPeriod =
440 certRequest.m_cert.getValidityPeriod().getPeriod();
Zhiyi Zhang1a735bc2019-07-04 21:36:49 -0700[diff] [blame]441 security::ValidityPeriod period(expectedPeriod.first, expectedPeriod.second);
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]442 security::v2::Certificate newCert;
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]443
444 Name certName = certRequest.m_cert.getKeyName();
445 certName.append("NDNCERT").append(std::to_string(random::generateSecureWord64()));
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]446 newCert.setName(certName);
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]447 newCert.setContent(certRequest.m_cert.getContent());
448 _LOG_TRACE("cert request content " << certRequest.m_cert);
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]449 SignatureInfo signatureInfo;
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]450 signatureInfo.setValidityPeriod(period);
Zhiyi Zhangad6cf932017-10-26 16:19:15 -0700[diff] [blame]451 security::SigningInfo signingInfo(security::SigningInfo::SIGNER_TYPE_ID,
Suyong Won256c9062020-05-11 02:45:56 -0700[diff] [blame]452 m_config.m_caPrefix, signatureInfo);
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]453
454 m_keyChain.sign(newCert, signingInfo);
Zhiyi Zhang693c1272017-05-20 22:58:55 -0700[diff] [blame]455 _LOG_TRACE("new cert got signed" << newCert);
Zhiyi Zhang343cdfb2018-01-17 12:04:28 -0800[diff] [blame]456 return newCert;
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]457}
458
459CertificateRequest
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]460CaModule::getCertificateRequest(const Interest& request)
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]461{
Davide Pesaventob48bbda2020-07-27 19:41:37 -0400[diff] [blame]462 std::string requestId;
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]463 CertificateRequest certRequest;
464 try {
Suyong Won256c9062020-05-11 02:45:56 -0700[diff] [blame]465 requestId = readString(request.getName().at(m_config.m_caPrefix.size() + 2));
Zhiyi Zhang42e1cf32019-06-22 17:11:42 -0700[diff] [blame]466 }
467 catch (const std::exception& e) {
Zhiyi Zhangbc2d4122019-09-10 12:10:54 -0700[diff] [blame]468 _LOG_ERROR("Cannot read the request ID out from the request: " << e.what());
Zhiyi Zhang42e1cf32019-06-22 17:11:42 -0700[diff] [blame]469 }
470 try {
Zhiyi Zhangbc2d4122019-09-10 12:10:54 -0700[diff] [blame]471 _LOG_TRACE("Request Id to query the database " << requestId);
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]472 certRequest = m_storage->getRequest(requestId);
473 }
474 catch (const std::exception& e) {
Zhiyi Zhangbc2d4122019-09-10 12:10:54 -0700[diff] [blame]475 _LOG_ERROR("Cannot get certificate request record from the storage: " << e.what());
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]476 }
477 return certRequest;
478}
479
Zhiyi Zhangfc1678a2020-05-12 16:52:14 -0700[diff] [blame^]480<<<<<<< HEAD
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]481/**
482 * @brief Generate JSON file to response PROBE insterest
483 *
484 * PROBE response JSON format:
485 * {
Yufeng Zhang424d0362019-06-12 16:48:27 -0700[diff] [blame]486 * "name": "@p identifier"
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]487 * }
488 */
swa77020643ac2020-03-26 02:24:45 -0700[diff] [blame]489JsonSection
Yufeng Zhang424d0362019-06-12 16:48:27 -0700[diff] [blame]490CaModule::genProbeResponseJson(const Name& identifier, const std::string& m_probe, const JsonSection& parameterJson)
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]491{
Zhiyi Zhang781a5602019-06-26 19:05:04 -0700[diff] [blame]492 std::vector<std::string> fields;
493 std::string delimiter = ":";
494 size_t last = 0;
495 size_t next = 0;
496 while ((next = m_probe.find(delimiter, last)) != std::string::npos) {
497 fields.push_back(m_probe.substr(last, next - last));
498 last = next + 1;
499 }
500 fields.push_back(m_probe.substr(last));
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]501 JsonSection root;
Yufeng Zhang424d0362019-06-12 16:48:27 -0700[diff] [blame]502
503 for (size_t i = 0; i < fields.size(); ++i) {
Zhiyi Zhang781a5602019-06-26 19:05:04 -0700[diff] [blame]504 root.put(fields.at(i), parameterJson.get(fields.at(i), ""));
Yufeng Zhang424d0362019-06-12 16:48:27 -0700[diff] [blame]505 }
506
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]507 root.put(JSON_CA_NAME, identifier.toUri());
508 return root;
509}
510
511/**
512 * @brief Generate JSON file to response NEW interest
513 *
514 * Target JSON format:
515 * {
516 * "ecdh-pub": "@p echdPub",
517 * "salt": "@p salt"
518 * "request-id": "@p requestId",
519 * "status": "@p status",
520 * "challenges": [
521 * {
522 * "challenge-id": ""
523 * },
524 * {
525 * "challenge-id": ""
526 * },
527 * ...
528 * ]
529 * }
530 */
swa77020643ac2020-03-26 02:24:45 -0700[diff] [blame]531JsonSection
532CaModule::genInfoResponseJson()
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]533{
534 JsonSection root;
535 // ca-prefix
Suyong Won256c9062020-05-11 02:45:56 -0700[diff] [blame]536 Name caName = m_config.m_caPrefix;
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]537 root.put("ca-prefix", caName.toUri());
538
539 // ca-info
540 const auto& pib = m_keyChain.getPib();
Suyong Won256c9062020-05-11 02:45:56 -0700[diff] [blame]541 const auto& identity = pib.getIdentity(m_config.m_caPrefix);
Zhiyi Zhang42e1cf32019-06-22 17:11:42 -0700[diff] [blame]542 const auto& cert = identity.getDefaultKey().getDefaultCertificate();
Davide Pesaventob48bbda2020-07-27 19:41:37 -0400[diff] [blame]543 std::string caInfo;
544 if (m_config.m_caInfo.empty()) {
545 caInfo = "Issued by " + cert.getSignatureInfo().getKeyLocator().getName().toUri();
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]546 }
547 else {
548 caInfo = m_config.m_caInfo;
549 }
550 root.put("ca-info", caInfo);
551
552 // probe
553 root.put("probe", m_config.m_probe);
554
555 // certificate
556 std::stringstream ss;
557 io::save(cert, ss);
558 root.put("certificate", ss.str());
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]559 return root;
560}
561
swa77020643ac2020-03-26 02:24:45 -0700[diff] [blame]562JsonSection
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]563CaModule::genNewResponseJson(const std::string& ecdhKey, const std::string& salt,
564 const CertificateRequest& request,
565 const std::list<std::string>& challenges)
566{
567 JsonSection root;
568 JsonSection challengesSection;
569 root.put(JSON_CA_ECDH, ecdhKey);
570 root.put(JSON_CA_SALT, salt);
Zhiyi Zhangff4bcb62019-09-08 12:57:42 -0700[diff] [blame]571 root.put(JSON_CA_REQUEST_ID, request.m_requestId);
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]572 root.put(JSON_CA_STATUS, std::to_string(request.m_status));
573
574 for (const auto& entry : challenges) {
575 JsonSection challenge;
576 challenge.put(JSON_CA_CHALLENGE_ID, entry);
577 challengesSection.push_back(std::make_pair("", challenge));
578 }
579 root.add_child(JSON_CA_CHALLENGES, challengesSection);
580 return root;
581}
582
swa77020643ac2020-03-26 02:24:45 -0700[diff] [blame]583JsonSection
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]584CaModule::genChallengeResponseJson(const CertificateRequest& request)
585{
586 JsonSection root;
587 JsonSection challengesSection;
588 root.put(JSON_CA_STATUS, request.m_status);
589 root.put(JSON_CHALLENGE_STATUS, request.m_challengeStatus);
590 root.put(JSON_CHALLENGE_REMAINING_TRIES, std::to_string(request.m_remainingTries));
591 root.put(JSON_CHALLENGE_REMAINING_TIME, std::to_string(request.m_remainingTime));
592 return root;
593}
594
Zhiyi Zhangfc1678a2020-05-12 16:52:14 -0700[diff] [blame^]595=======
596>>>>>>> add two functions for CA Info Packet and Metadata Packet
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]597void
598CaModule::onRegisterFailed(const std::string& reason)
599{
Zhiyi Zhang693c1272017-05-20 22:58:55 -0700[diff] [blame]600 _LOG_ERROR("Failed to register prefix in local hub's daemon, REASON: " << reason);
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]601}
602
603Block
604CaModule::dataContentFromJson(const JsonSection& jsonSection)
605{
606 std::stringstream ss;
607 boost::property_tree::write_json(ss, jsonSection);
608 return makeStringBlock(ndn::tlv::Content, ss.str());
609}
610
611JsonSection
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]612CaModule::jsonFromBlock(const Block& block)
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]613{
614 std::string jsonString;
615 try {
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700[diff] [blame]616 jsonString = encoding::readString(block);
Zhiyi Zhang42e1cf32019-06-22 17:11:42 -0700[diff] [blame]617 std::istringstream ss(jsonString);
618 JsonSection json;
619 boost::property_tree::json_parser::read_json(ss, json);
620 return json;
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]621 }
622 catch (const std::exception& e) {
Zhiyi Zhangbc2d4122019-09-10 12:10:54 -0700[diff] [blame]623 _LOG_ERROR("Cannot read JSON string from TLV Value: " << e.what());
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]624 return JsonSection();
625 }
Zhiyi Zhangf5246c42017-01-26 09:39:20 -0800[diff] [blame]626}
627
628} // namespace ndncert
629} // namespace ndn