Update validation-related code to security v2
Change-Id: I5467b87092820666c04f22623f0f1665ce9a1194
diff --git a/tools/ndns-add-rr.cpp b/tools/ndns-add-rr.cpp
index 23f5b90..e4047e2 100644
--- a/tools/ndns-add-rr.cpp
+++ b/tools/ndns-add-rr.cpp
@@ -1,5 +1,5 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
+/*
* Copyright (c) 2014-2017, Regents of the University of California.
*
* This file is part of NDNS (Named Data Networking Domain Name Service).
@@ -129,7 +129,8 @@
std::cerr << "Error: type must be specified" << std::endl;
return 1;
}
- } else {
+ }
+ else {
if (vm.count("resign")) {
needResign = true;
}
@@ -145,7 +146,7 @@
Name zoneName(zoneStr);
Name label(rrLabelStr);
name::Component type(rrTypeStr);
- ndn::KeyChain keyChain;
+ KeyChain keyChain;
time::seconds ttl;
if (ttlInt == -1)
@@ -179,17 +180,18 @@
Rrset rrset;
if (type == label::NS_RR_TYPE) {
- ndn::Link::DelegationSet delegations;
+ ndn::DelegationList delegations;
for (const auto& i : content) {
std::vector<string> data;
boost::split(data, i, boost::is_any_of(","));
- uint32_t priority = boost::lexical_cast<uint32_t>(data[0]);
- delegations.insert(std::make_pair(priority, data[1]));
+ uint64_t priority = boost::lexical_cast<uint64_t>(data[0]);
+ delegations.insert(priority, Name(data[1]));
}
rrset = rrsetFactory.generateNsRrset(label, type,
version, ttl, delegations);
- } else if (type == label::TXT_RR_TYPE) {
+ }
+ else if (type == label::TXT_RR_TYPE) {
rrset = rrsetFactory.generateTxtRrset(label, type,
version, ttl, content);
}
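Review bot: `data[1]` on the new line `delegations.insert(priority, Name(data[1]));` is read without checking that `boost::split` produced two fields, so an NS entry given on the command line without a comma indexes past the end of `data` through unchecked `operator[]` instead of producing an error (a bad priority at least makes `lexical_cast` throw). Add a guard before the cast, `if (data.size() != 2) { std::cerr << "Error: NS delegation must be '<priority>,<name>': " << i << std::endl; return 1; }`, matching the other argument errors this tool reports. The result of `delegations.insert(...)` is also discarded; if, as in ndn-cxx's DelegationList, it reports whether the entry was actually inserted, a repeated delegation name would be dropped silently, which is worth a check or at least a comment. The enclosing function starts and ends outside this hunk.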
@@ -199,7 +201,8 @@
if (label.size() > 1) {
NDNS_LOG_TRACE("add multi-level label Rrset, using the same TTL as the Rrset");
tool.addMultiLevelLabelRrset(rrset, rrsetFactory, ttl);
- } else {
+ }
+ else {
tool.addRrset(rrset);
}
}
diff --git a/tools/ndns-create-zone.cpp b/tools/ndns-create-zone.cpp
index 99c70f7..4cc4eca 100644
--- a/tools/ndns-create-zone.cpp
+++ b/tools/ndns-create-zone.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
- * Copyright (c) 2014, Regents of the University of California.
+/*
+ * Copyright (c) 2014-2017, Regents of the University of California.
*
* This file is part of NDNS (Named Data Networking Domain Name Service).
* See AUTHORS.md for complete list of NDNS authors and contributors.
@@ -38,6 +38,7 @@
string parentStr;
string dskStr;
string kskStr;
+ string dkeyStr;
string db;
try {
namespace po = boost::program_options;
@@ -53,7 +54,7 @@
po::options_description config("Zone Options");
config.add_options()
("cacheTtl,a", po::value<int>(&cacheTtlInt), "Set ttl of records of the zone and its "
- "DSK ID-CERT. Default: 3600 seconds")
+ "DSK CERT. Default: 3600 seconds")
("certTtl,e", po::value<int>(&certTtlInt), "Set ttl of DSK and KSK certificates. "
"Default: 365 days")
("parent,p", po::value<std::string>(&parentStr), "Set the parent zone of the zone to be "
@@ -62,6 +63,8 @@
"Default: generate new key and certificate")
("ksk,k", po::value<std::string>(&kskStr), "Set the name of KSK's certificate, "
"Default: generate new key and certificate")
+ ("dkey,g", po::value<std::string>(&dkeyStr), "Set the name of DKEY's certificate, "
+ "Default: generate new key and certificate")
;
options.add(config);
@@ -87,7 +90,7 @@
if (vm.count("help")) {
std::cout << "Usage: ndns-create-zone [-b db] zone [-a cacheTtl] [-e certTtl] [-p parent] "
- "[-d dskCert] [-k kskCert]" << std::endl;
+ "[-d dskCert] [-k kskCert] [-g dkeyCert]" << std::endl;
std::cout << options << std::endl;
return 0;
}
@@ -110,6 +113,7 @@
Name ksk(kskStr);
Name dsk(dskStr);
+ Name dkey(dkeyStr);
time::seconds cacheTtl;
time::seconds certTtl;
@@ -123,9 +127,12 @@
else
certTtl = time::seconds(certTtlInt);
- ndn::KeyChain keyChain;
+ KeyChain keyChain;
ndn::ndns::ManagementTool tool(db, keyChain);
- tool.createZone(zone, parent, cacheTtl, certTtl, ksk, dsk);
+ ndn::ndns::Zone createdZone = tool.createZone(zone, parent, cacheTtl, certTtl, ksk, dsk, dkey);
+ ndn::security::v2::Certificate dkeyCert = tool.getZoneDkey(createdZone);
+ std::cout << "Generated DKEY " << dkeyCert.getName() << std::endl;
+ ndn::io::save(dkeyCert, std::cout);
}
catch (const std::exception& ex) {
std::cerr << "Error: " << ex.what() << std::endl;
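Review bot: The new `std::cout << "Generated DKEY " << dkeyCert.getName() << std::endl;` line shares stdout with the certificate that `ndn::io::save(dkeyCert, std::cout)` writes immediately after it, so redirecting the tool's output to a file (the obvious way to hand the DKEY certificate to the parent zone) yields a file that is not a clean certificate encoding. Send the human-readable message to stderr, `std::cerr << "Generated DKEY " << dkeyCert.getName() << std::endl;`, and leave stdout for the certificate alone; a one-line comment above the save, `// DKEY certificate is written to stdout so it can be redirected to a file`, would make the contract explicit. The enclosing function starts and ends outside this hunk.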
diff --git a/tools/ndns-daemon.cpp b/tools/ndns-daemon.cpp
index 65028ea..549cd34 100644
--- a/tools/ndns-daemon.cpp
+++ b/tools/ndns-daemon.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
- * Copyright (c) 2014-2016, Regents of the University of California.
+/*
+ * Copyright (c) 2014-2017, Regents of the University of California.
*
* This file is part of NDNS (Named Data Networking Domain Name Service).
* See AUTHORS.md for complete list of NDNS authors and contributors.
@@ -22,7 +22,10 @@
#include "config.hpp"
#include "daemon/config-file.hpp"
#include "ndn-cxx/security/key-chain.hpp"
+#include "util/cert-helper.hpp"
+
#include <boost/program_options.hpp>
+#include <boost/filesystem.hpp>
namespace ndn {
namespace ndns {
@@ -54,7 +57,7 @@
config.parse(configFile, false);
}
- catch (boost::filesystem::filesystem_error& e) {
+ catch (const boost::filesystem::filesystem_error& e) {
if (e.code() == boost::system::errc::permission_denied) {
NDNS_LOG_FATAL("Permissions denied for " << e.path1());
}
@@ -75,7 +78,7 @@
using ndn::ndns::ConfigSection;
if (section.begin() == section.end()) {
- throw Error("zones section is empty");
+ BOOST_THROW_EXCEPTION(Error("zones section is empty"));
}
std::string dbFile = DEFAULT_DATABASE_PATH "/" "ndns.db";
@@ -92,7 +95,7 @@
validatorConfigFile = item->second.get_value<std::string>();
}
NDNS_LOG_INFO("ValidatorConfigFile = " << validatorConfigFile);
- m_validator = unique_ptr<Validator>(new Validator(m_validatorFace, validatorConfigFile));
+ m_validator = NdnsValidatorBuilder::create(m_validatorFace, validatorConfigFile);
for (const auto& option : section) {
Name name;
@@ -103,34 +106,30 @@
}
catch (const std::exception& e) {
NDNS_LOG_ERROR("Required `name' attribute missing in `zone' section");
- throw Error("Required `name' attribute missing in `zone' section");
+ BOOST_THROW_EXCEPTION(Error("Required `name' attribute missing in `zone' section"));
}
try {
cert = option.second.get<Name>("cert");
}
- catch (std::exception&) {
+ catch (const std::exception&) {
;
}
-
- if (!m_keyChain.doesIdentityExist(name)) {
- NDNS_LOG_FATAL("Identity: " << name << " does not exist in the KeyChain");
- throw Error("Identity does not exist in the KeyChain");
- }
-
if (cert.empty()) {
try {
- cert = m_keyChain.getDefaultCertificateNameForIdentity(name);
+ cert = CertHelper::getDefaultCertificateNameOfIdentity(m_keyChain, Name(name).append(label::NDNS_ITERATIVE_QUERY));
}
- catch (std::exception& e) {
+ catch (const std::exception& e) {
NDNS_LOG_FATAL("Identity: " << name << " does not have default certificate. "
<< e.what());
- throw Error("identity does not have default certificate");
+ BOOST_THROW_EXCEPTION(Error("identity does not have default certificate"));
}
}
else {
- if (!m_keyChain.doesCertificateExist(cert)) {
- throw Error("Certificate `" + cert.toUri() + "` does not exist in the KeyChain");
+ try {
+ CertHelper::getCertificate(m_keyChain, name, cert);
+ } catch (const std::exception& e) {
+ BOOST_THROW_EXCEPTION(Error("Certificate `" + cert.toUri() + "` does not exist in the KeyChain"));
}
}
NDNS_LOG_TRACE("name = " << name << " cert = " << cert);
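Review bot: In the new explicit-certificate branch the caught exception `e` is dropped and every failure of `CertHelper::getCertificate(m_keyChain, name, cert)` is reported as "does not exist in the KeyChain", which hides the real cause (the default-certificate branch right above does include `e.what()`); change it to `BOOST_THROW_EXCEPTION(Error("Certificate `" + cert.toUri() + "` does not exist in the KeyChain: " + e.what()));`. The two branches also appear to look under different identities: the default lookup uses `Name(name).append(label::NDNS_ITERATIVE_QUERY)` while the explicit lookup passes the bare zone `name`; if CertHelper::getCertificate expects the identity that owns the certificate, the explicit path would reject a certificate that the default path would have chosen, so this deserves either the same derived identity or a comment stating why the zone name is correct here. Finally, `} catch (const std::exception& e) {` on one line departs from the `}` / `catch` layout this very commit normalizes elsewhere, and the default-lookup line exceeds the file's line width. The enclosing function starts and ends outside this hunk.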
@@ -143,7 +142,7 @@
private:
Face& m_face;
Face& m_validatorFace;
- unique_ptr<Validator> m_validator;
+ unique_ptr<security::v2::Validator> m_validator;
unique_ptr<DbMgr> m_dbMgr;
std::vector<shared_ptr<NameServer>> m_servers;
KeyChain m_keyChain;
@@ -211,13 +210,13 @@
// the validator cannot be forwarded to the name server itself
// For current, two faces are used here.
- // refs: http://redmine.named-data.net/issues/2206
+ // refs: https://redmine.named-data.net/issues/2206
// @TODO enhance validator to get the certificate from the local db if it has
NdnsDaemon daemon(configFile, face, validatorFace);
face.processEvents();
}
- catch (std::exception& e) {
+ catch (const std::exception& e) {
NDNS_LOG_FATAL("ERROR: " << e.what());
return 1;
}
diff --git a/tools/ndns-delete-zone.cpp b/tools/ndns-delete-zone.cpp
index 141f498..254bf22 100644
--- a/tools/ndns-delete-zone.cpp
+++ b/tools/ndns-delete-zone.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
- * Copyright (c) 2014, Regents of the University of California.
+/*
+ * Copyright (c) 2014-2017, Regents of the University of California.
*
* This file is part of NDNS (Named Data Networking Domain Name Service).
* See AUTHORS.md for complete list of NDNS authors and contributors.
@@ -78,7 +78,7 @@
try {
Name zone(zoneStr);
- ndn::KeyChain keyChain;
+ KeyChain keyChain;
ndn::ndns::ManagementTool tool(db, keyChain);
tool.deleteZone(zone);
}
diff --git a/tools/ndns-dig.cpp b/tools/ndns-dig.cpp
index 0497315..aebbdf1 100644
--- a/tools/ndns-dig.cpp
+++ b/tools/ndns-dig.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
- * Copyright (c) 2014-2016, Regents of the University of California.
+/*
+ * Copyright (c) 2014-2017, Regents of the University of California.
*
* This file is part of NDNS (Named Data Networking Domain Name Service).
* See AUTHORS.md for complete list of NDNS authors and contributors.
@@ -32,8 +32,10 @@
#include <boost/filesystem.hpp>
#include <boost/noncopyable.hpp>
+#include <iostream>
#include <memory>
#include <string>
+#include <fstream>
NDNS_LOG_INIT("NdnsDig")
@@ -48,7 +50,7 @@
: m_dstLabel(dstLabel)
, m_rrType(rrType)
, m_interestLifetime(DEFAULT_INTEREST_LIFETIME)
- , m_validator(m_face)
+ , m_validator(NdnsValidatorBuilder::create(m_face))
, m_shouldValidateIntermediate(shouldValidateIntermediate)
, m_hasError(false)
{
@@ -57,7 +59,7 @@
(new IterativeQueryController(m_dstLabel, m_rrType, m_interestLifetime,
bind(&NdnsDig::onSucceed, this, _1, _2),
bind(&NdnsDig::onFail, this, _1, _2),
- m_face, &m_validator));
+ m_face, m_validator.get()));
else
m_ctr = std::unique_ptr<IterativeQueryController>
(new IterativeQueryController(m_dstLabel, m_rrType, m_interestLifetime,
@@ -78,7 +80,7 @@
m_ctr->start(); // non-block, may throw exception
m_face.processEvents();
}
- catch (std::exception& e) {
+ catch (const std::exception& e) {
std::cerr << "Error: " << e.what();
m_hasError = true;
}
@@ -116,7 +118,7 @@
NDNS_LOG_INFO("succeed to get the info from RR[" << i << "]"
"type=" << rr.type() << " content=" << msg);
}
- catch (std::exception& e) {
+ catch (const std::exception& e) {
NDNS_LOG_INFO("error to get the info from RR[" << i << "]"
"type=" << rr.type());
}
@@ -145,7 +147,7 @@
NDNS_LOG_INFO(response);
NDNS_LOG_TRACE("to verify the response");
- m_validator.validate(data,
+ m_validator->validate(data,
bind(&NdnsDig::onDataValidated, this, _1),
bind(&NdnsDig::onDataValidationFailed, this, _1, _2)
);
@@ -161,14 +163,14 @@
}
void
- onDataValidated(const shared_ptr<const Data>& data)
+ onDataValidated(const Data& data)
{
NDNS_LOG_INFO("final data pass verification");
this->stop();
}
void
- onDataValidationFailed(const shared_ptr<const Data>& data, const std::string& str)
+ onDataValidationFailed(const Data& data, const security::v2::ValidationError& err)
{
NDNS_LOG_INFO("final data does not pass verification");
m_hasError = true;
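Review bot: The new `onDataValidationFailed(const Data& data, const security::v2::ValidationError& err)` receives the validation failure reason but never uses `err`, so a user of ndns-dig sees only "final data does not pass verification" with no indication whether the signature was bad, the policy rejected the name, or a certificate could not be fetched. Include it in the log, `NDNS_LOG_INFO("final data does not pass verification: " << err);` (ndn-cxx's ValidationError is streamable, as far as I recall), and consider printing the same reason to std::cerr since the tool's exit status is already driven by `m_hasError`. The enclosing class starts and ends outside this hunk.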
@@ -203,7 +205,7 @@
Face m_face;
- Validator m_validator;
+ unique_ptr<security::v2::Validator> m_validator;
bool m_shouldValidateIntermediate;
std::unique_ptr<QueryController> m_ctr;
@@ -319,10 +321,6 @@
else
return 0;
}
- catch (const ndn::ValidatorConfig::Error& e) {
- std::cerr << "Fail to create the validator: " << e.what() << std::endl;
- return 1;
- }
catch (const std::exception& e) {
std::cerr << "Error: " << e.what() << std::endl;
return 1;
diff --git a/tools/ndns-export-certificate.cpp b/tools/ndns-export-certificate.cpp
index e72a841..99f68cd 100644
--- a/tools/ndns-export-certificate.cpp
+++ b/tools/ndns-export-certificate.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
- * Copyright (c) 2014, Regents of the University of California.
+/*
+ * Copyright (c) 2014-2017, Regents of the University of California.
*
* This file is part of NDNS (Named Data Networking Domain Name Service).
* See AUTHORS.md for complete list of NDNS authors and contributors.
@@ -93,7 +93,7 @@
try {
Name certName(certStr);
- ndn::KeyChain keyChain;
+ KeyChain keyChain;
ndn::ndns::ManagementTool tool(db, keyChain);
tool.exportCertificate(certName, output);
}
diff --git a/tools/ndns-get-rr.cpp b/tools/ndns-get-rr.cpp
index 8e655fd..2f7e03f 100644
--- a/tools/ndns-get-rr.cpp
+++ b/tools/ndns-get-rr.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
- * Copyright (c) 2014, Regents of the University of California.
+/*
+ * Copyright (c) 2014-2017, Regents of the University of California.
*
* This file is part of NDNS (Named Data Networking Domain Name Service).
* See AUTHORS.md for complete list of NDNS authors and contributors.
@@ -99,7 +99,7 @@
Name label(rrLabelStr);
name::Component type(rrTypeStr);
- ndn::KeyChain keyChain;
+ KeyChain keyChain;
ndn::ndns::ManagementTool tool(db, keyChain);
tool.getRrSet(zoneName, label, type, std::cout);
}
diff --git a/tools/ndns-list-all-zones.cpp b/tools/ndns-list-all-zones.cpp
index 6e80512..e00d258 100644
--- a/tools/ndns-list-all-zones.cpp
+++ b/tools/ndns-list-all-zones.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
- * Copyright (c) 2014, Regents of the University of California.
+/*
+ * Copyright (c) 2014-2017, Regents of the University of California.
*
* This file is part of NDNS (Named Data Networking Domain Name Service).
* See AUTHORS.md for complete list of NDNS authors and contributors.
@@ -70,7 +70,7 @@
}
try {
- ndn::KeyChain keyChain;
+ KeyChain keyChain;
ndn::ndns::ManagementTool tool(db, keyChain);
tool.listAllZones(std::cout);
}
diff --git a/tools/ndns-list-zone.cpp b/tools/ndns-list-zone.cpp
index 18d3a57..487e99d 100644
--- a/tools/ndns-list-zone.cpp
+++ b/tools/ndns-list-zone.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
- * Copyright (c) 2014, Regents of the University of California.
+/*
+ * Copyright (c) 2014-2017, Regents of the University of California.
*
* This file is part of NDNS (Named Data Networking Domain Name Service).
* See AUTHORS.md for complete list of NDNS authors and contributors.
@@ -97,7 +97,7 @@
try {
Name zoneName(zoneStr);
- ndn::KeyChain keyChain;
+ KeyChain keyChain;
ndn::ndns::ManagementTool tool(db, keyChain);
tool.listZone(zoneName, std::cout, printRaw);
}
diff --git a/tools/ndns-remove-rr.cpp b/tools/ndns-remove-rr.cpp
index d6159f6..fe4730c 100644
--- a/tools/ndns-remove-rr.cpp
+++ b/tools/ndns-remove-rr.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
- * Copyright (c) 2014, Regents of the University of California.
+/*
+ * Copyright (c) 2014-2017, Regents of the University of California.
*
* This file is part of NDNS (Named Data Networking Domain Name Service).
* See AUTHORS.md for complete list of NDNS authors and contributors.
@@ -102,7 +102,7 @@
Name label(rrLabelStr);
name::Component type(rrTypeStr);
- ndn::KeyChain keyChain;
+ KeyChain keyChain;
ndn::ndns::ManagementTool tool(db, keyChain);
tool.removeRrSet(zoneName, label, type);
diff --git a/tools/ndns-update.cpp b/tools/ndns-update.cpp
index 881e0e7..743ca5e 100644
--- a/tools/ndns-update.cpp
+++ b/tools/ndns-update.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
- * Copyright (c) 2014-2016, Regents of the University of California.
+/*
+ * Copyright (c) 2014-2017, Regents of the University of California.
*
* This file is part of NDNS (Named Data Networking Domain Name Service).
* See AUTHORS.md for complete list of NDNS authors and contributors.
@@ -26,10 +26,13 @@
#include "logger.hpp"
#include "daemon/db-mgr.hpp"
#include "util/util.hpp"
+#include "util/cert-helper.hpp"
#include <ndn-cxx/security/key-chain.hpp>
+#include <ndn-cxx/security/signing-helpers.hpp>
#include <ndn-cxx/data.hpp>
#include <ndn-cxx/util/io.hpp>
+#include <ndn-cxx/util/regex.hpp>
#include <ndn-cxx/encoding/block.hpp>
#include <ndn-cxx/encoding/block-helpers.hpp>
#include <boost/noncopyable.hpp>
@@ -52,7 +55,7 @@
: m_zone(zone)
, m_interestLifetime(DEFAULT_INTEREST_LIFETIME)
, m_face(face)
- , m_validator(face)
+ , m_validator(NdnsValidatorBuilder::create(face))
, m_update(update)
, m_hasError(false)
{
@@ -102,7 +105,7 @@
}
NDNS_LOG_INFO("to verify the response");
- m_validator.validate(data,
+ m_validator->validate(data,
bind(&NdnsUpdate::onDataValidated, this, _1),
bind(&NdnsUpdate::onDataValidationFailed, this, _1, _2)
);
@@ -154,14 +157,14 @@
}
void
- onDataValidated(const shared_ptr<const Data>& data)
+ onDataValidated(const Data& data)
{
NDNS_LOG_INFO("data pass verification");
this->stop();
}
void
- onDataValidationFailed(const shared_ptr<const Data>& data, const std::string& str)
+ onDataValidationFailed(const Data& data, const security::v2::ValidationError& str)
{
NDNS_LOG_INFO("data does not pass verification");
m_hasError = true;
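Review bot: The second parameter of the new `onDataValidationFailed(const Data& data, const security::v2::ValidationError& str)` is still named `str` although it is no longer a string, and it is never used, so the reason for a rejected update response is lost; rename it to `err` and log it, `NDNS_LOG_INFO("data does not pass verification: " << err);`. The sibling tool in this commit (ndns-dig) has the same handler, so keeping both identical would help. The enclosing class starts and ends outside this hunk.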
@@ -188,7 +191,7 @@
time::milliseconds m_interestLifetime;
Face& m_face;
- Validator m_validator;
+ unique_ptr<security::v2::Validator> m_validator;
KeyChain m_keyChain;
shared_ptr<Data> m_update;
@@ -288,12 +291,12 @@
// choosing the longest match of the identity who also have default certificate
for (size_t i = name.size() + 1; i > 0; --i) { // i >=0 will present warnning
Name tmp = name.getPrefix(i - 1);
- if (keyChain.doesIdentityExist(tmp)) {
+ if (CertHelper::doesIdentityExist(keyChain, tmp)) {
try {
- certName = keyChain.getDefaultCertificateNameForIdentity(tmp);
+ certName = CertHelper::getDefaultCertificateNameOfIdentity(keyChain, tmp);
break;
}
- catch (std::exception&) {
+ catch (const std::exception&) {
// If it cannot get a default certificate from one identity,
// just ignore this one try next identity.
;
@@ -307,12 +310,6 @@
return 1;
}
}
- else {
- if (!keyChain.doesCertificateExist(certName)) {
- std::cerr << "certificate: " << certName << " does not exist" << std::endl;
- return 1;
- }
- }
NdnsContentType contentType = toNdnsContentType(contentTypeStr);
@@ -324,7 +321,7 @@
Response re;
re.setZone(zone);
re.setRrLabel(rrLabel);
- name::Component qType = (rrType == "ID-CERT" ?
+ name::Component qType = (rrType == "CERT" ?
ndns::label::NDNS_CERT_QUERY : ndns::label::NDNS_ITERATIVE_QUERY);
re.setQueryType(qType);
@@ -338,7 +335,7 @@
}
update = re.toData();
- keyChain.sign(*update, certName);
+ keyChain.sign(*update, security::signingByCertificate(certName));
}
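Review bot: With the up-front `doesCertificateExist` check removed elsewhere in this commit, a user-supplied `certName` that is not in the key chain is now only discovered when `keyChain.sign(*update, security::signingByCertificate(certName))` throws, and the generic handler at the end of main then prints a key-chain-internal message rather than naming the certificate the user asked for. Wrap the signing call so the failure is reported in terms of the option the user passed, as below; the `return 1` matches how the other argument errors in this tool exit. The enclosing function starts and ends outside this hunk.
```cpp
      update = re.toData();
      try {
        keyChain.sign(*update, security::signingByCertificate(certName));
      }
      catch (const std::exception& e) {
        std::cerr << "certificate: " << certName << " cannot be used for signing: " << e.what() << std::endl;
        return 1;
      }
```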
else {
try {
@@ -353,7 +350,7 @@
try {
// must check the Data is a legal Response with right name
- shared_ptr<Regex> regex = make_shared<Regex>("(<>*)<KEY>(<>+)<ID-CERT><>*");
+ shared_ptr<Regex> regex = make_shared<Regex>("(<>*)<KEY>(<>+)<CERT><>*");
shared_ptr<Regex> regex2 = make_shared<Regex>("(<>*)<NDNS>(<>+)");
Name zone2;
@@ -418,10 +415,6 @@
else
return 0;
}
- catch (const ndn::ValidatorConfig::Error& e) {
- std::cerr << "Fail to create the validator: " << e.what() << std::endl;
- return 1;
- }
catch (const std::exception& e) {
std::cerr << "Error: " << e.what() << std::endl;
return 1;