Add certificate fetcher of ndns-appcert and ndns-cert
Validators are updated accordingly
Change-Id: Ibdee00b8f20243448a2ba3011ca87f85ce1ea516
diff --git a/src/clients/iterative-query-controller.hpp b/src/clients/iterative-query-controller.hpp
index b1a0995..83bf856 100644
--- a/src/clients/iterative-query-controller.hpp
+++ b/src/clients/iterative-query-controller.hpp
@@ -160,6 +160,11 @@
std::ostream&
operator<<(std::ostream& os, const IterativeQueryController::QueryStep step);
+// Used if you want the controller's lifetime equals to other object inherited
+// from TagHost. For example, in the CertificateFetcher, the queryController's
+// lifetime is equal to ValidationState.
+using IterativeQueryTag = SimpleTag<shared_ptr<IterativeQueryController>, 1086>;
+
} // namespace ndns
} // namespace ndn
diff --git a/src/mgmt/management-tool.cpp b/src/mgmt/management-tool.cpp
index d4d64e1..8d01211 100644
--- a/src/mgmt/management-tool.cpp
+++ b/src/mgmt/management-tool.cpp
@@ -125,7 +125,7 @@
dkey = m_keyChain.createKey(dkeyIdentity);
m_keyChain.deleteCertificate(dkey, dkey.getDefaultCertificate().getName());
- dkeyCert = CertHelper::createCertificate(m_keyChain, dkey, dkey, label::CERT_RR_TYPE.toUri(), time::days(90));
+ dkeyCert = CertHelper::createCertificate(m_keyChain, dkey, dkey, label::CERT_RR_TYPE.toUri(), certValidity);
dkeyCert.setFreshnessPeriod(cacheTtl);
m_keyChain.addCertificate(dkey, dkeyCert);
NDNS_LOG_INFO("Generated DKEY: " << dkeyCert.getName());
@@ -141,7 +141,7 @@
// delete automatically generated certificates,
// because its issue is 'self' instead of CERT_RR_TYPE
m_keyChain.deleteCertificate(ksk, ksk.getDefaultCertificate().getName());
- kskCert = CertHelper::createCertificate(m_keyChain, ksk, dkey, label::CERT_RR_TYPE.toUri(), time::days(90));
+ kskCert = CertHelper::createCertificate(m_keyChain, ksk, dkey, label::CERT_RR_TYPE.toUri(), certValidity);
kskCert.setFreshnessPeriod(cacheTtl);
m_keyChain.addCertificate(ksk, kskCert);
NDNS_LOG_INFO("Generated KSK: " << kskCert.getName());
@@ -298,10 +298,6 @@
void
ManagementTool::addRrset(Rrset& rrset)
{
- if (rrset.getLabel().size() > 1) {
- BOOST_THROW_EXCEPTION(Error("Cannot add rrset with label size > 1, should use addMultiLevelLabelRrset instead"));
- }
-
// check that it does not override existing AUTH
Rrset rrsetCopy = rrset;
rrsetCopy.setType(label::NS_RR_TYPE);
@@ -362,7 +358,11 @@
}
if (needResign) {
- m_keyChain.sign(*data, signingByCertificate(dskCertName));
+ // TODO validityPeriod should be able to be configured
+ SignatureInfo info;
+ info.setValidityPeriod(security::ValidityPeriod(time::system_clock::now(),
+ time::system_clock::now() + DEFAULT_CERT_TTL));
+ m_keyChain.sign(*data, signingByCertificate(dskCertName).setSignatureInfo(info));
}
// create response for the input data
diff --git a/src/mgmt/management-tool.hpp b/src/mgmt/management-tool.hpp
index 4c50c16..715ee18 100644
--- a/src/mgmt/management-tool.hpp
+++ b/src/mgmt/management-tool.hpp
@@ -148,9 +148,6 @@
/** @brief Add rrset to the NDNS local database
*
- * @throw Error if the @p rrset label size is larger than 1 or @p rrset will override an
- * existing AUTH record
- *
* @param rrset rrset
*/
void
diff --git a/src/util/cert-helper.hpp b/src/util/cert-helper.hpp
index 8e7297f..6fd5f20 100644
--- a/src/util/cert-helper.hpp
+++ b/src/util/cert-helper.hpp
@@ -63,7 +63,6 @@
const time::seconds& certValidity = time::days(10));
};
-
} // namespace ndns
} // namespace ndn
diff --git a/src/validator/certificate-fetcher-ndns-appcert.cpp b/src/validator/certificate-fetcher-ndns-appcert.cpp
new file mode 100644
index 0000000..28f81b5
--- /dev/null
+++ b/src/validator/certificate-fetcher-ndns-appcert.cpp
@@ -0,0 +1,126 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2014-2017, Regents of the University of California.
+ *
+ * This file is part of NDNS (Named Data Networking Domain Name Service).
+ * See AUTHORS.md for complete list of NDNS authors and contributors.
+ *
+ * NDNS is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation,
+ * either version 3 of the License, or (at your option) any later version.
+ *
+ * NDNS is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * NDNS, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "certificate-fetcher-ndns-appcert.hpp"
+#include "certificate-fetcher-ndns-cert.hpp"
+#include "clients/iterative-query-controller.hpp"
+
+#include "validator.hpp"
+#include "clients/response.hpp"
+
+namespace ndn {
+namespace ndns {
+
+using security::v2::Certificate;
+
+CertificateFetcherAppCert::CertificateFetcherAppCert(Face& face,
+ size_t nsCacheSize,
+ size_t startComponentIndex)
+ : m_face(face)
+ , m_validator(NdnsValidatorBuilder::create(face, nsCacheSize, startComponentIndex))
+ , m_startComponentIndex(startComponentIndex)
+{
+ m_nsCache = dynamic_cast<CertificateFetcherNdnsCert&>(m_validator->getFetcher()).getNsCache();
+}
+
+void
+CertificateFetcherAppCert::doFetch(const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation)
+{
+ const Name& key = certRequest->m_interest.getName();
+ auto query = make_shared<IterativeQueryController>(key,
+ label::APPCERT_RR_TYPE,
+ certRequest->m_interest.getInterestLifetime(),
+ [=] (const Data& data, const Response& response) {
+ onQuerySuccessCallback(data, certRequest, state, continueValidation);
+ },
+ [=] (uint32_t errCode, const std::string& errMsg) {
+ onQueryFailCallback(errMsg, certRequest, state, continueValidation);
+ },
+ m_face,
+ nullptr,
+ m_nsCache);
+ query->setStartComponentIndex(m_startComponentIndex);
+ query->start();
+ state->setTag(make_shared<IterativeQueryTag>(query));
+}
+
+void
+CertificateFetcherAppCert::onQuerySuccessCallback(const Data& data,
+ const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation)
+{
+ m_validator->validate(data,
+ [=] (const Data& data) {
+ onValidationSuccessCallback(data, certRequest, state, continueValidation);
+ },
+ [=] (const Data& data,
+ const security::v2::ValidationError& errStr) {
+ onValidationFailCallback(errStr, certRequest, state, continueValidation);
+ });
+}
+
+void
+CertificateFetcherAppCert::onQueryFailCallback(const std::string& errMsg,
+ const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation)
+{
+ state->fail({security::v2::ValidationError::Code::CANNOT_RETRIEVE_CERT, "Cannot fetch certificate due to " +
+ errMsg + " `" + certRequest->m_interest.getName().toUri() + "`"});
+}
+
+void
+CertificateFetcherAppCert::onValidationSuccessCallback(const Data& data,
+ const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation)
+{
+ if (data.getContentType() == NDNS_NACK) {
+ state->fail({security::v2::ValidationError::Code::CANNOT_RETRIEVE_CERT, "Cannot fetch certificate: get a Nack "
+ "in query `" + certRequest->m_interest.getName().toUri() + "`"});
+ return;
+ }
+
+ Certificate cert;
+ try {
+ cert = Certificate(data.getContent().blockFromValue());
+ }
+ catch (const ndn::tlv::Error& e) {
+ return state->fail({security::v2::ValidationError::Code::MALFORMED_CERT, "Fetched a malformed certificate "
+ "`" + data.getName().toUri() + "` (" + e.what() + ")"});
+ }
+ continueValidation(cert, state);
+}
+
+void
+CertificateFetcherAppCert::onValidationFailCallback(const security::v2::ValidationError& err,
+ const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation)
+{
+ state->fail({security::v2::ValidationError::Code::CANNOT_RETRIEVE_CERT,
+ "Cannot fetch certificate due to NDNS validation error :"
+ + err.getInfo() + " `" + certRequest->m_interest.getName().toUri() + "`"});
+}
+
+} // namespace ndns
+} // namespace ndn
diff --git a/src/validator/certificate-fetcher-ndns-appcert.hpp b/src/validator/certificate-fetcher-ndns-appcert.hpp
new file mode 100644
index 0000000..2bd9305
--- /dev/null
+++ b/src/validator/certificate-fetcher-ndns-appcert.hpp
@@ -0,0 +1,103 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2014-2017, Regents of the University of California.
+ *
+ * This file is part of NDNS (Named Data Networking Domain Name Service).
+ * See AUTHORS.md for complete list of NDNS authors and contributors.
+ *
+ * NDNS is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation,
+ * either version 3 of the License, or (at your option) any later version.
+ *
+ * NDNS is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * NDNS, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef NDNS_VALIDATOR_CERTIFICATE_FETCHER_NDNS_APPCERT_HPP
+#define NDNS_VALIDATOR_CERTIFICATE_FETCHER_NDNS_APPCERT_HPP
+
+#include <ndn-cxx/ims/in-memory-storage.hpp>
+#include <ndn-cxx/security/v2/validator.hpp>
+
+namespace ndn {
+namespace ndns {
+
+/**
+ * @brief Fetch NDNS-stored application certificate(APPCERT type record)
+ * By an iterative-query process, it will retrieve the record, execute authentications,
+ * and de-encapsulate record to get application's certificate.
+ */
+class CertificateFetcherAppCert : public security::v2::CertificateFetcher
+{
+public:
+ explicit
+ CertificateFetcherAppCert(Face& face,
+ size_t nsCacheSize = 500,
+ size_t startComponentIndex = 0);
+
+protected:
+ /**
+ * @brief retrive appcert record, validate, and de-encapsulate
+ * This method will first retrive the record by an iterative query.
+ * Then it will pass it to validator.
+ * If validated, de-encapsulate and call continueValidation.
+ */
+ void
+ doFetch(const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation) override;
+
+private:
+ /**
+ * @brief Callback invoked when rrset is retrived, including nack
+ */
+ void
+ onQuerySuccessCallback(const Data& data,
+ const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation);
+
+ /**
+ * @brief Callback invoked when iterative query failed
+ *
+ * @todo retry for some amount of time
+ */
+ void
+ onQueryFailCallback(const std::string& errMsg,
+ const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation);
+
+ /**
+ * @brief Callback invoked when rrset validation succeeded
+ */
+ void
+ onValidationSuccessCallback(const Data& data,
+ const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation);
+
+ /**
+ * @brief Callback invoked when rrset validation failed
+ */
+ void
+ onValidationFailCallback(const security::v2::ValidationError& err,
+ const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation);
+
+private:
+ Face& m_face;
+ unique_ptr<security::v2::Validator> m_validator;
+ InMemoryStorage* m_nsCache;
+ size_t m_startComponentIndex;
+};
+
+} // namespace ndns
+} // namespace ndn
+
+#endif // NDNS_VALIDATOR_CERTIFICATE_FETCHER_NDNS_APPCERT_HPP
\ No newline at end of file
diff --git a/src/validator/certificate-fetcher-ndns-cert.cpp b/src/validator/certificate-fetcher-ndns-cert.cpp
new file mode 100644
index 0000000..8131bea
--- /dev/null
+++ b/src/validator/certificate-fetcher-ndns-cert.cpp
@@ -0,0 +1,207 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2014-2017, Regents of the University of California.
+ *
+ * This file is part of NDNS (Named Data Networking Domain Name Service).
+ * See AUTHORS.md for complete list of NDNS authors and contributors.
+ *
+ * NDNS is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation,
+ * either version 3 of the License, or (at your option) any later version.
+ *
+ * NDNS is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * NDNS, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "certificate-fetcher-ndns-cert.hpp"
+#include "clients/iterative-query-controller.hpp"
+#include "clients/response.hpp"
+#include "logger.hpp"
+
+#include <ndn-cxx/encoding/tlv.hpp>
+#include <ndn-cxx/ims/in-memory-storage-fifo.hpp>
+
+namespace ndn {
+namespace ndns {
+
+using security::v2::Certificate;
+
+NDNS_LOG_INIT("CertificateFetcherNdnsCert")
+
+CertificateFetcherNdnsCert::CertificateFetcherNdnsCert(Face& face,
+ size_t nsCacheSize,
+ size_t startComponentIndex)
+ : m_face(face)
+ , m_nsCache(make_unique<InMemoryStorageFifo>(nsCacheSize))
+ , m_startComponentIndex(startComponentIndex)
+{}
+
+void
+CertificateFetcherNdnsCert::doFetch(const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation)
+{
+ using IterativeQueryTag = SimpleTag<shared_ptr<IterativeQueryController>, 1086>;
+ const Name& key = certRequest->m_interest.getName();
+ Name domain = calculateDomain(key);
+ if (domain.size() == m_startComponentIndex) {
+ // NS record does not exist, since the domain is actually globally routable
+ nsFailCallback("[skipped] zone name " + domain.toUri()
+ + " is globally routable because startComponentIndex="
+ + std::to_string(m_startComponentIndex),
+ certRequest, state, continueValidation);
+ return ;
+ }
+
+ auto query = make_shared<IterativeQueryController>(domain,
+ label::NS_RR_TYPE,
+ certRequest->m_interest.getInterestLifetime(),
+ [=] (const Data& data, const Response& response) {
+ nsSuccessCallback(data, certRequest, state, continueValidation);
+ },
+ [=] (uint32_t errCode, const std::string& errMsg) {
+ nsFailCallback(errMsg, certRequest, state, continueValidation);
+ },
+ m_face,
+ nullptr,
+ m_nsCache.get());
+ query->setStartComponentIndex(m_startComponentIndex);
+ query->start();
+ auto queryTag = make_shared<IterativeQueryTag>(query);
+ state->setTag(queryTag);
+}
+
+void
+CertificateFetcherNdnsCert::nsSuccessCallback(const Data& data,
+ const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation)
+{
+ Name interestName(certRequest->m_interest.getName());
+ interestName.append(label::CERT_RR_TYPE);
+ Interest interest(interestName);
+
+ if (data.getContentType() == NDNS_LINK) {
+ Link link(data.wireEncode());
+ if (!link.getDelegationList().empty()) {
+ interest.setForwardingHint(link.getDelegationList());
+ NDNS_LOG_INFO(" [* -> *] sending interest with LINK:" << interestName);
+ }
+ else {
+ NDNS_LOG_INFO(" [* -> *] sending interest without LINK (empty delegation set):" << interestName);
+ }
+ }
+ else {
+ NDNS_LOG_WARN("fail to get NS rrset of " << interestName << " , returned data type:" << data.getContentType());
+ }
+
+ m_face.expressInterest(interest,
+ [=] (const Interest& interest, const Data& data) {
+ dataCallback(data, certRequest, state, continueValidation);
+ },
+ [=] (const Interest& interest, const lp::Nack& nack) {
+ nackCallback(nack, certRequest, state, continueValidation);
+ },
+ [=] (const Interest& interest) {
+ timeoutCallback(certRequest, state, continueValidation);
+ });
+}
+
+void
+CertificateFetcherNdnsCert::nsFailCallback(const std::string& errMsg,
+ const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation)
+{
+ NDNS_LOG_WARN("Cannot fetch link due to " +
+ errMsg + " `" + certRequest->m_interest.getName().toUri() + "`");
+
+ Name interestName(certRequest->m_interest.getName());
+ interestName.append(label::CERT_RR_TYPE);
+ Interest interest(interestName);
+ m_face.expressInterest(interest,
+ [=] (const Interest& interest, const Data& data) {
+ dataCallback(data, certRequest, state, continueValidation);
+ },
+ [=] (const Interest& interest, const lp::Nack& nack) {
+ nackCallback(nack, certRequest, state, continueValidation);
+ },
+ [=] (const Interest& interest) {
+ timeoutCallback(certRequest, state, continueValidation);
+ });
+}
+
+Name
+CertificateFetcherNdnsCert::calculateDomain(const Name& key)
+{
+ for (size_t i = 0; i < key.size(); i++) {
+ if (key[i] == label::NDNS_ITERATIVE_QUERY) {
+ return key.getPrefix(i);
+ }
+ }
+ BOOST_THROW_EXCEPTION(std::runtime_error(key.toUri() + " is not a legal NDNS certificate name"));
+}
+
+void
+CertificateFetcherNdnsCert::dataCallback(const Data& data,
+ const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation)
+{
+ NDNS_LOG_DEBUG("Fetched certificate from network " << data.getName());
+
+ Certificate cert;
+ try {
+ cert = Certificate(data);
+ }
+ catch (const ndn::tlv::Error& e) {
+ return state->fail({security::v2::ValidationError::Code::MALFORMED_CERT, "Fetched a malformed certificate "
+ "`" + data.getName().toUri() + "` (" + e.what() + ")"});
+ }
+ continueValidation(cert, state);
+}
+
+void
+CertificateFetcherNdnsCert::nackCallback(const lp::Nack& nack,
+ const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation)
+{
+ NDNS_LOG_DEBUG("NACK (" << nack.getReason() << ") while fetching certificate "
+ << certRequest->m_interest.getName());
+
+ --certRequest->m_nRetriesLeft;
+ if (certRequest->m_nRetriesLeft >= 0) {
+ // TODO implement delay for the the next fetch
+ fetch(certRequest, state, continueValidation);
+ }
+ else {
+ state->fail({security::v2::ValidationError::Code::CANNOT_RETRIEVE_CERT, "Cannot fetch certificate after all "
+ "retries `" + certRequest->m_interest.getName().toUri() + "`"});
+ }
+}
+
+void
+CertificateFetcherNdnsCert::timeoutCallback(const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation)
+{
+ NDNS_LOG_DEBUG("Timeout while fetching certificate " << certRequest->m_interest.getName()
+ << ", retrying");
+
+ --certRequest->m_nRetriesLeft;
+ if (certRequest->m_nRetriesLeft >= 0) {
+ fetch(certRequest, state, continueValidation);
+ }
+ else {
+ state->fail({security::v2::ValidationError::Code::CANNOT_RETRIEVE_CERT, "Cannot fetch certificate after all "
+ "retries `" + certRequest->m_interest.getName().toUri() + "`"});
+ }
+}
+
+} // namespace ndns
+} // namespace ndn
diff --git a/src/validator/certificate-fetcher-ndns-cert.hpp b/src/validator/certificate-fetcher-ndns-cert.hpp
new file mode 100644
index 0000000..a67e5b0
--- /dev/null
+++ b/src/validator/certificate-fetcher-ndns-cert.hpp
@@ -0,0 +1,123 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2014-2017, Regents of the University of California.
+ *
+ * This file is part of NDNS (Named Data Networking Domain Name Service).
+ * See AUTHORS.md for complete list of NDNS authors and contributors.
+ *
+ * NDNS is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation,
+ * either version 3 of the License, or (at your option) any later version.
+ *
+ * NDNS is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * NDNS, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef NDNS_VALIDATOR_CERTIFICATE_FETCHER_NDNS_CERT_HPP
+#define NDNS_VALIDATOR_CERTIFICATE_FETCHER_NDNS_CERT_HPP
+
+#include <ndn-cxx/face.hpp>
+#include <ndn-cxx/ims/in-memory-storage.hpp>
+#include <ndn-cxx/security/v2/certificate-fetcher.hpp>
+
+namespace ndn {
+namespace ndns {
+
+/**
+ * @brief Fetch NDNS-owned certificate by an iterative query process
+ */
+class CertificateFetcherNdnsCert : public security::v2::CertificateFetcher
+{
+public:
+ explicit
+ CertificateFetcherNdnsCert(Face& face,
+ size_t nsCacheSize = 100,
+ size_t startComponentIndex = 0);
+
+ InMemoryStorage*
+ getNsCache()
+ {
+ return m_nsCache.get();
+ }
+
+protected:
+ void
+ doFetch(const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation) override;
+
+private:
+ /**
+ * @brief Callback invoked when NS rrset of the domain is retrived, including nack rrset
+ */
+ void
+ nsSuccessCallback(const Data& data,
+ const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation);
+
+ /**
+ * @brief Callback invoked when iterative query failed
+ *
+ * @todo retry for some amount of time
+ */
+ void
+ nsFailCallback(const std::string& errMsg,
+ const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation);
+
+ /**
+ * @brief get NDNS query's domainName and label name by parsing keylocator
+ *
+ * The return result is the name prefix before "/NDNS"
+ */
+ Name
+ calculateDomain(const Name& key);
+
+ /**
+ * @brief Callback invoked when certificate is retrieved.
+ */
+ void
+ dataCallback(const Data& data,
+ const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation);
+ /**
+ * @brief Callback invoked when interest for fetching certificate gets NACKed.
+ *
+ * It will retry if certRequest->m_nRetriesLeft > 0
+ *
+ * @todo Delay retry for some amount of time
+ */
+ void
+ nackCallback(const lp::Nack& nack,
+ const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation);
+
+ /**
+ * @brief Callback invoked when interest for fetching certificate times out.
+ *
+ * It will retry if certRequest->m_nRetriesLeft > 0
+ */
+ void
+ timeoutCallback(const shared_ptr<security::v2::CertificateRequest>& certRequest,
+ const shared_ptr<security::v2::ValidationState>& state,
+ const ValidationContinuation& continueValidation);
+protected:
+ Face& m_face;
+ unique_ptr<InMemoryStorage> m_nsCache;
+
+private:
+ size_t m_startComponentIndex;
+};
+
+} // namespace ndns
+} // namespace ndn
+
+#endif // NDNS_VALIDATOR_CERTIFICATE_FETCHER_NDNS_CERT_HPP
\ No newline at end of file
diff --git a/src/validator/validator.cpp b/src/validator/validator.cpp
index 9eb9a2e..3497d20 100644
--- a/src/validator/validator.cpp
+++ b/src/validator/validator.cpp
@@ -18,11 +18,11 @@
*/
#include "validator.hpp"
-#include "logger.hpp"
#include "config.hpp"
+#include "certificate-fetcher-ndns-cert.hpp"
+#include "logger.hpp"
#include <ndn-cxx/security/v2/validation-policy-config.hpp>
-#include <ndn-cxx/security/v2/certificate-fetcher-from-network.hpp>
namespace ndn {
namespace ndns {
@@ -32,10 +32,15 @@
std::string NdnsValidatorBuilder::VALIDATOR_CONF_FILE = DEFAULT_CONFIG_PATH "/" "validator.conf";
unique_ptr<security::v2::Validator>
-NdnsValidatorBuilder::create(Face& face, const std::string& confFile)
+NdnsValidatorBuilder::create(Face& face,
+ size_t nsCacheSize,
+ size_t startComponentIndex,
+ const std::string& confFile)
{
auto validator = make_unique<security::v2::Validator>(make_unique<security::v2::ValidationPolicyConfig>(),
- make_unique<security::v2::CertificateFetcherFromNetwork>(face));
+ make_unique<CertificateFetcherNdnsCert>(face,
+ nsCacheSize,
+ startComponentIndex));
security::v2::ValidationPolicyConfig& policy = dynamic_cast<security::v2::ValidationPolicyConfig&>(validator->getPolicy());
policy.load(confFile);
NDNS_LOG_TRACE("Validator loads configuration: " << confFile);
diff --git a/src/validator/validator.hpp b/src/validator/validator.hpp
index da1cba1..92a4c09 100644
--- a/src/validator/validator.hpp
+++ b/src/validator/validator.hpp
@@ -34,7 +34,10 @@
static std::string VALIDATOR_CONF_FILE;
static unique_ptr<security::v2::Validator>
- create(Face& face, const std::string& confFile = VALIDATOR_CONF_FILE);
+ create(Face& face,
+ size_t nsCacheSize = 500,
+ size_t startComponentIndex = 0,
+ const std::string& confFile = VALIDATOR_CONF_FILE);
};
} // namespace ndns
diff --git a/tests/dummy-forwarder.cpp b/tests/dummy-forwarder.cpp
new file mode 100644
index 0000000..61526cb
--- /dev/null
+++ b/tests/dummy-forwarder.cpp
@@ -0,0 +1,79 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2014-2017, Regents of the University of California,
+ * Arizona Board of Regents,
+ * Colorado State University,
+ * University Pierre & Marie Curie, Sorbonne University,
+ * Washington University in St. Louis,
+ * Beijing Institute of Technology,
+ * The University of Memphis.
+ *
+ * This file is part of NDNS (Named Data Networking Domain Name Service) and is
+ * based on the code written as part of NFD (Named Data Networking Daemon).
+ * See AUTHORS.md for complete list of NDNS authors and contributors.
+ *
+ * NDNS is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation,
+ * either version 3 of the License, or (at your option) any later version.
+ *
+ * NDNS is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * NDNS, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "dummy-forwarder.hpp"
+
+#include <boost/asio/io_service.hpp>
+
+namespace ndn {
+namespace ndns {
+namespace tests {
+
+DummyForwarder::DummyForwarder(boost::asio::io_service& io, KeyChain& keyChain)
+ : m_io(io)
+ , m_keyChain(keyChain)
+{
+}
+
+Face&
+DummyForwarder::addFace()
+{
+ auto face = std::make_shared<util::DummyClientFace>(m_io, m_keyChain, util::
+ DummyClientFace::Options{true, true});
+ face->onSendInterest.connect([this, face] (const Interest& interest) {
+ for (auto& otherFace : m_faces) {
+ if (&*face == &*otherFace) {
+ continue;
+ }
+ otherFace->receive(interest);
+ }
+ });
+
+ face->onSendData.connect([this, face] (const Data& data) {
+ for (auto& otherFace : m_faces) {
+ if (&*face == &*otherFace) {
+ continue;
+ }
+ otherFace->receive(data);
+ }
+ });
+
+ face->onSendNack.connect([this, face] (const lp::Nack& nack) {
+ for (auto& otherFace : m_faces) {
+ if (&*face == &*otherFace) {
+ continue;
+ }
+ otherFace->receive(nack);
+ }
+ });
+
+ m_faces.push_back(face);
+ return *face;
+}
+
+} // namespace tests
+} // namespace ndns
+} // namespace ndn
diff --git a/tests/dummy-forwarder.hpp b/tests/dummy-forwarder.hpp
new file mode 100644
index 0000000..481d257
--- /dev/null
+++ b/tests/dummy-forwarder.hpp
@@ -0,0 +1,70 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2014-2017, Regents of the University of California,
+ * Arizona Board of Regents,
+ * Colorado State University,
+ * University Pierre & Marie Curie, Sorbonne University,
+ * Washington University in St. Louis,
+ * Beijing Institute of Technology,
+ * The University of Memphis.
+ *
+ * This file is part of NDNS (Named Data Networking Domain Name Service) and is
+ * based on the code written as part of NFD (Named Data Networking Daemon).
+ * See AUTHORS.md for complete list of NDNS authors and contributors.
+ *
+ * NDNS is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation,
+ * either version 3 of the License, or (at your option) any later version.
+ *
+ * NDNS is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * NDNS, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <ndn-cxx/interest.hpp>
+#include <ndn-cxx/data.hpp>
+#include <ndn-cxx/lp/nack.hpp>
+#include <ndn-cxx/util/dummy-client-face.hpp>
+#include <ndn-cxx/security/key-chain.hpp>
+
+#ifndef NDNS_TESTS_TEST_DUMMY_FORWARDER_HPP
+#define NDNS_TESTS_TEST_DUMMY_FORWARDER_HPP
+
+namespace ndn {
+namespace ndns {
+namespace tests {
+
+/**
+ * @brief Very basic implementation of the dummy forwarder
+ *
+ * Interests expressed by any added face, will be forwarded to all other faces.
+ * Similarly, any pushed data, will be pushed to all other faces.
+ */
+class DummyForwarder
+{
+public:
+ DummyForwarder(boost::asio::io_service& io, KeyChain& keyChain);
+
+ Face&
+ addFace();
+
+ Face&
+ getFace(size_t nFace)
+ {
+ return *m_faces.at(nFace);
+ }
+
+private:
+ boost::asio::io_service& m_io;
+ KeyChain& m_keyChain;
+ std::vector<shared_ptr<util::DummyClientFace>> m_faces;
+};
+
+} // namespace tests
+} // namespace ndns
+} // namespace ndn
+
+#endif // NDNS_TESTS_TEST_DUMMY_FORWARDER_HPP
diff --git a/tests/unit/daemon/name-server.cpp b/tests/unit/daemon/name-server.cpp
index 707ff95..a8dbd3b 100644
--- a/tests/unit/daemon/name-server.cpp
+++ b/tests/unit/daemon/name-server.cpp
@@ -44,6 +44,7 @@
{
// ensure prefix is registered
run();
+ advanceClocks(time::milliseconds(10), 1);
}
void
diff --git a/tests/unit/database-test-data.cpp b/tests/unit/database-test-data.cpp
index ea55948..92865d4 100644
--- a/tests/unit/database-test-data.cpp
+++ b/tests/unit/database-test-data.cpp
@@ -43,7 +43,10 @@
}
DbTestData::DbTestData()
- : m_session(TEST_DATABASE.string())
+ : m_session(TEST_DATABASE.string()),
+ m_testName("/test19"),
+ m_netName("/test19/net"),
+ m_ndnsimName("/test19/net/ndnsim")
{
NDNS_LOG_TRACE("start creating test data");
@@ -63,13 +66,13 @@
true);
};
- Name testName(TEST_IDENTITY_NAME);
+ Name testName(m_testName);
m_test = tool.createZone(testName, ROOT_ZONE);
// m_test's DKEY is not added to parent zone
- Name netName = Name(testName).append("net");
+ Name netName(m_netName);
m_net = tool.createZone(netName, testName);
addDkeyCertToParent(m_net, m_test);
- Name ndnsimName = Name(netName).append("ndnsim");
+ Name ndnsimName(m_ndnsimName);
m_ndnsim = tool.createZone(ndnsimName, netName);
addDkeyCertToParent(m_ndnsim, m_net);
diff --git a/tests/unit/database-test-data.hpp b/tests/unit/database-test-data.hpp
index 0db768c..f1ff278 100644
--- a/tests/unit/database-test-data.hpp
+++ b/tests/unit/database-test-data.hpp
@@ -31,7 +31,7 @@
namespace ndns {
namespace tests {
-class DbTestData : public IdentityManagementFixture
+class DbTestData : public IdentityManagementFixture, public UnitTestTimeFixture
{
public:
static const boost::filesystem::path TEST_DATABASE;
@@ -48,6 +48,7 @@
addRrset(Zone& zone, const Name& label, const name::Component& type,
const time::seconds& ttl, const name::Component& version,
const name::Component& qType, NdnsContentType contentType, const std::string& msg);
+
public:
class PreviousStateCleaner
{
@@ -65,8 +66,16 @@
Zone m_net;
Zone m_ndnsim;
DbMgr m_session;
+
+ // test zone identity
Identity m_identity;
+
+ // test zone dsk
Certificate m_cert;
+
+ Name m_testName;
+ Name m_netName;
+ Name m_ndnsimName;
};
} // namespace tests
diff --git a/tests/unit/mgmt/management-tool.cpp b/tests/unit/mgmt/management-tool.cpp
index 72e079d..f0a6c7d 100644
--- a/tests/unit/mgmt/management-tool.cpp
+++ b/tests/unit/mgmt/management-tool.cpp
@@ -564,9 +564,6 @@
BOOST_CHECK_NO_THROW(m_tool.addRrset(rrset1));
Rrset rrset2 = findRrSet(zone, "/l1", label::NS_RR_TYPE);
BOOST_CHECK_EQUAL(rrset1, rrset2);
-
- Rrset rrset3 = rf.generateNsRrset("/l1/l2/l3", 7654, ttl2, DelegationList());
- BOOST_CHECK_THROW(m_tool.addRrset(rrset3), ndns::ManagementTool::Error);
}
BOOST_AUTO_TEST_CASE(AddMultiLevelLabelRrset)
diff --git a/tests/unit/validator/certificate-fetcher-ndns-app-cert.cpp b/tests/unit/validator/certificate-fetcher-ndns-app-cert.cpp
new file mode 100644
index 0000000..2efe67c
--- /dev/null
+++ b/tests/unit/validator/certificate-fetcher-ndns-app-cert.cpp
@@ -0,0 +1,142 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2014-2017, Regents of the University of California.
+ *
+ * This file is part of NDNS (Named Data Networking Domain Name Service).
+ * See AUTHORS.md for complete list of NDNS authors and contributors.
+ *
+ * NDNS is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation,
+ * either version 3 of the License, or (at your option) any later version.
+ *
+ * NDNS is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * NDNS, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "validator/validator.hpp"
+#include "validator/certificate-fetcher-ndns-appcert.hpp"
+#include "ndns-label.hpp"
+#include "util/cert-helper.hpp"
+#include "daemon/name-server.hpp"
+#include "daemon/rrset-factory.hpp"
+#include "mgmt/management-tool.hpp"
+
+#include "test-common.hpp"
+#include "dummy-forwarder.hpp"
+#include "unit/database-test-data.hpp"
+
+#include <ndn-cxx/util/io.hpp>
+#include <ndn-cxx/security/v2/validation-policy-simple-hierarchy.hpp>
+
+namespace ndn {
+namespace ndns {
+namespace tests {
+
+NDNS_LOG_INIT("AppCertFetcher")
+
+BOOST_AUTO_TEST_SUITE(AppCertFetcher)
+
+unique_ptr<security::v2::Validator>
+CreateValidatorAppCert(Face& face)
+{
+ return make_unique<security::v2::Validator>(make_unique<::ndn::security::v2::ValidationPolicySimpleHierarchy>(),
+ make_unique<CertificateFetcherAppCert>(face));
+}
+
+class AppCertFetcherFixture : public DbTestData
+{
+public:
+ AppCertFetcherFixture()
+ : m_forwarder(m_io, m_keyChain)
+ , m_face(m_forwarder.addFace())
+ , m_validator(CreateValidatorAppCert(m_face))
+ {
+ // build the data and certificate for this test
+ buildAppCertAndData();
+
+ auto validatorOnlyForConstructServer = NdnsValidatorBuilder::create(m_face, 10, 0, TEST_CONFIG_PATH "/" "validator.conf");
+ // initlize all servers
+ auto addServer = [&] (const Name& zoneName) {
+ Face& face = m_forwarder.addFace();
+ // validator is used only for check update signature
+ // no updates tested here, so validator will not be used
+ // passing m_validator is only for construct server
+ Name certName = CertHelper::getDefaultCertificateNameOfIdentity(m_keyChain,
+ Name(zoneName).append("NDNS"));
+ auto server = make_shared<NameServer>(zoneName, certName, face,
+ m_session, m_keyChain, *validatorOnlyForConstructServer);
+ m_servers.push_back(server);
+ };
+ addServer(m_testName);
+ addServer(m_netName);
+ addServer(m_ndnsimName);
+ advanceClocks(time::milliseconds(10), 1);
+ }
+
+ ~AppCertFetcherFixture()
+ {
+ m_face.getIoService().stop();
+ m_face.shutdown();
+ }
+
+private:
+ void
+ buildAppCertAndData()
+ {
+ // create NDNS-stored certificate and the signed data
+ Identity ndnsimIdentity = addIdentity(m_ndnsimName);
+ Key randomKey = m_keyChain.createKey(ndnsimIdentity);
+ Certificate ndnsStoredAppCert = randomKey.getDefaultCertificate();
+ RrsetFactory rf(TEST_DATABASE.string(), m_ndnsimName, m_keyChain,
+ CertHelper::getIdentity(m_keyChain, Name(m_ndnsimName).append(label::NDNS_ITERATIVE_QUERY))
+ .getDefaultKey()
+ .getDefaultCertificate()
+ .getName());
+ rf.onlyCheckZone();
+ Rrset appCertRrset = rf.generateCertRrset(randomKey.getName().getSubName(-2),
+ VERSION_USE_UNIX_TIMESTAMP, DEFAULT_RR_TTL,
+ ndnsStoredAppCert);
+ ManagementTool tool(TEST_DATABASE.string(), m_keyChain);
+ tool.addRrset(appCertRrset);
+
+ m_appCertSignedData = Data(Name(m_ndnsimName).append("randomData"));
+ m_keyChain.sign(m_appCertSignedData, signingByCertificate(ndnsStoredAppCert));
+
+ // load this certificate as the trust anchor
+ m_validator->loadAnchor("", std::move(ndnsStoredAppCert));
+ }
+
+public:
+ DummyForwarder m_forwarder;
+ ndn::Face& m_face;
+ unique_ptr<security::v2::Validator> m_validator;
+ std::vector<shared_ptr<ndns::NameServer>> m_servers;
+ Data m_appCertSignedData;
+};
+
+
+BOOST_FIXTURE_TEST_CASE(Basic, AppCertFetcherFixture)
+{
+ bool hasValidated = false;
+ m_validator->validate(m_appCertSignedData,
+ [&] (const Data& data) {
+ hasValidated = true;
+ BOOST_CHECK(true);
+ },
+ [&] (const Data& data, const security::v2::ValidationError& str) {
+ hasValidated = true;
+ BOOST_CHECK(false);
+ });
+ advanceClocks(time::milliseconds(10), 1000);
+ BOOST_CHECK_EQUAL(hasValidated, true);
+}
+
+BOOST_AUTO_TEST_SUITE_END()
+
+} // namespace tests
+} // namespace ndns
+} // namespace ndn
diff --git a/tests/unit/validator/validator.cpp b/tests/unit/validator/validator.cpp
index 54d1dd8..3434916 100644
--- a/tests/unit/validator/validator.cpp
+++ b/tests/unit/validator/validator.cpp
@@ -18,9 +18,13 @@
*/
#include "validator/validator.hpp"
+#include "ndns-label.hpp"
+#include "util/cert-helper.hpp"
+#include "daemon/name-server.hpp"
#include "test-common.hpp"
-#include "util/cert-helper.hpp"
+#include "dummy-forwarder.hpp"
+#include "unit/database-test-data.hpp"
#include <ndn-cxx/util/io.hpp>
@@ -32,179 +36,135 @@
BOOST_AUTO_TEST_SUITE(Validator)
-class Fixture : public IdentityManagementFixture
+class ValidatorTestFixture : public DbTestData
{
public:
- Fixture()
- : m_testId1("/test02")
- , m_testId2("/test02/ndn")
- , m_testId3("/test02/ndn/edu")
- , m_randomId("/test03")
- , m_face(m_keyChain, {false, true})
+ ValidatorTestFixture()
+ : m_forwarder(m_io, m_keyChain)
+ , m_face(m_forwarder.addFace())
+ , m_validator(NdnsValidatorBuilder::create(m_face, 500, 0, TEST_CONFIG_PATH "/" "validator.conf"))
{
- m_randomDsk = createRoot(Name(m_randomId).append("NDNS")); // generate a root cert
-
- m_dsk1 = createRoot(Name(m_testId1).append("NDNS")); // replace to root cert
- m_dsk2 = createIdentity(Name(m_testId2).append("NDNS"), m_dsk1);
- m_dsk3 = createIdentity(Name(m_testId3).append("NDNS"), m_dsk2);
-
- m_face.onSendInterest.connect(bind(&Fixture::respondInterest, this, _1));
+ // generate a random cert
+ // check how does name-server test do
+ // initlize all servers
+ auto addServer = [&] (const Name& zoneName) {
+ Face& face = m_forwarder.addFace();
+ // validator is used only for check update signature
+ // no updates tested here, so validator will not be used
+ // passing m_validator is only for construct server
+ Name certName = CertHelper::getDefaultCertificateNameOfIdentity(m_keyChain,
+ Name(zoneName).append("NDNS"));
+ auto server = make_shared<NameServer>(zoneName, certName, face,
+ m_session, m_keyChain, *m_validator);
+ m_servers.push_back(server);
+ };
+ addServer(m_testName);
+ addServer(m_netName);
+ addServer(m_ndnsimName);
+ m_ndnsimCert = CertHelper::getDefaultCertificateNameOfIdentity(m_keyChain,
+ Name(m_ndnsimName).append("NDNS"));
+ m_randomCert = m_keyChain.createIdentity("/random/identity").getDefaultKey()
+ .getDefaultCertificate().getName();
+ advanceClocks(time::milliseconds(10), 1);
}
- ~Fixture()
+ ~ValidatorTestFixture()
{
m_face.getIoService().stop();
m_face.shutdown();
}
- const Key
- createIdentity(const Name& id, const Key& parentKey)
- {
- Identity identity = addIdentity(id);
- Key defaultKey = identity.getDefaultKey();
- m_keyChain.deleteKey(identity, defaultKey);
-
- Key ksk = m_keyChain.createKey(identity);
- Name defaultKskCert = ksk.getDefaultCertificate().getName();
- m_keyChain.deleteCertificate(ksk, defaultKskCert);
-
- Key dsk = m_keyChain.createKey(identity);
- Name defaultDskCert = dsk.getDefaultCertificate().getName();
- m_keyChain.deleteCertificate(dsk, defaultDskCert);
-
- auto kskCert = CertHelper::createCertificate(m_keyChain, ksk, parentKey, "CERT", time::days(100));
- auto dskCert = CertHelper::createCertificate(m_keyChain, dsk, ksk, "CERT", time::days(100));
-
- m_keyChain.addCertificate(ksk, kskCert);
- m_keyChain.addCertificate(dsk, dskCert);
-
- m_keyChain.setDefaultKey(identity, dsk);
- return dsk;
- }
-
- const Key
- createRoot(const Name& root)
- {
- Identity rootIdentity = addIdentity(root);
- auto cert = rootIdentity.getDefaultKey().getDefaultCertificate();
- ndn::io::save(cert, TEST_CONFIG_PATH "/anchors/root.cert");
- NDNS_LOG_TRACE("save root cert "<< m_rootCert <<
- " to: " << TEST_CONFIG_PATH "/anchors/root.cert");
- return rootIdentity.getDefaultKey();
- }
-
- void
- respondInterest(const Interest& interest)
- {
- Name keyName = interest.getName();
- Name identityName = keyName.getPrefix(-2);
- NDNS_LOG_TRACE("validator needs cert of KEY: " << keyName);
- auto cert = m_keyChain.getPib().getIdentity(identityName)
- .getKey(keyName)
- .getDefaultCertificate();
- m_face.getIoService().post([this, cert] {
- m_face.receive(cert);
- });
- }
-
public:
- Name m_testId1;
- Name m_testId2;
- Name m_testId3;
- Name m_randomId;
-
- Name m_rootCert;
-
- Key m_dsk1;
- Key m_dsk2;
- Key m_dsk3;
-
- Key m_randomDsk;
-
- ndn::util::DummyClientFace m_face;
+ DummyForwarder m_forwarder;
+ ndn::Face& m_face;
+ unique_ptr<security::v2::Validator> m_validator;
+ std::vector<shared_ptr<ndns::NameServer>> m_servers;
+ Name m_ndnsimCert;
+ Name m_randomCert;
};
-BOOST_FIXTURE_TEST_CASE(Basic, Fixture)
+BOOST_FIXTURE_TEST_CASE(Basic, ValidatorTestFixture)
{
- // validator must be created after root key is saved to the target
- auto validator = NdnsValidatorBuilder::create(m_face, TEST_CONFIG_PATH "/" "validator.conf");
+ SignatureInfo info;
+ info.setValidityPeriod(security::ValidityPeriod(time::system_clock::TimePoint::min(),
+ time::system_clock::now() + time::days(10)));
// case1: record of testId3, signed by its dsk, should be successful validated.
Name dataName;
dataName
- .append(m_testId3)
+ .append(m_ndnsimName)
.append("NDNS")
.append("rrLabel")
.append("rrType")
.appendVersion();
shared_ptr<Data> data = make_shared<Data>(dataName);
- m_keyChain.sign(*data, signingByKey(m_dsk3));
+ m_keyChain.sign(*data, signingByCertificate(m_ndnsimCert).setSignatureInfo(info));
bool hasValidated = false;
- validator->validate(*data,
- [&] (const Data& data) {
- hasValidated = true;
- BOOST_CHECK(true);
- },
- [&] (const Data& data, const security::v2::ValidationError& str) {
- hasValidated = true;
- BOOST_CHECK(false);
- });
+ m_validator->validate(*data,
+ [&] (const Data& data) {
+ hasValidated = true;
+ BOOST_CHECK(true);
+ },
+ [&] (const Data& data, const security::v2::ValidationError& str) {
+ hasValidated = true;
+ BOOST_CHECK(false);
+ });
- m_face.processEvents(time::milliseconds(-1));
-
+ advanceClocks(time::seconds(3), 100);
+ // m_io.run();
BOOST_CHECK_EQUAL(hasValidated, true);
// case2: signing testId2's data by testId3's key, which should failed in validation
dataName = Name();
dataName
- .append(m_testId2)
+ .append(m_netName)
.append("NDNS")
.append("rrLabel")
.append("CERT")
.appendVersion();
data = make_shared<Data>(dataName);
- m_keyChain.sign(*data, signingByKey(m_dsk3)); // key's owner's name is longer than data owner's
+ m_keyChain.sign(*data, signingByCertificate(m_ndnsimCert)); // key's owner's name is longer than data owner's
hasValidated = false;
- validator->validate(*data,
- [&] (const Data& data) {
- hasValidated = true;
- BOOST_CHECK(false);
- },
- [&] (const Data& data, const security::v2::ValidationError& str) {
- hasValidated = true;
- BOOST_CHECK(true);
- });
+ m_validator->validate(*data,
+ [&] (const Data& data) {
+ hasValidated = true;
+ BOOST_CHECK(false);
+ },
+ [&] (const Data& data, const security::v2::ValidationError& str) {
+ hasValidated = true;
+ BOOST_CHECK(true);
+ });
- m_face.processEvents(time::milliseconds(-1));
+ advanceClocks(time::seconds(3), 100);
// cannot pass verification due to key's owner's name is longer than data owner's
BOOST_CHECK_EQUAL(hasValidated, true);
- // case4: totally wrong key to sign
+ // case3: totally wrong key to sign
dataName = Name();
dataName
- .append(m_testId2)
+ .append(m_ndnsimName)
.append("NDNS")
.append("rrLabel")
.append("CERT")
.appendVersion();
data = make_shared<Data>(dataName);
- m_keyChain.sign(*data, signingByKey(m_randomDsk));
+ m_keyChain.sign(*data, signingByCertificate(m_randomCert));
hasValidated = false;
- validator->validate(*data,
- [&] (const Data& data) {
- hasValidated = true;
- BOOST_CHECK(false);
- },
- [&] (const Data& data, const security::v2::ValidationError& str) {
- hasValidated = true;
- BOOST_CHECK(true);
- });
+ m_validator->validate(*data,
+ [&] (const Data& data) {
+ hasValidated = true;
+ BOOST_CHECK(false);
+ },
+ [&] (const Data& data, const security::v2::ValidationError& str) {
+ hasValidated = true;
+ BOOST_CHECK(true);
+ });
- m_face.processEvents(time::milliseconds(-1));
+ advanceClocks(time::seconds(3), 100);
// cannot pass due to a totally mismatched key
BOOST_CHECK_EQUAL(hasValidated, true);
}
diff --git a/tools/ndns-daemon.cpp b/tools/ndns-daemon.cpp
index 549cd34..9b80431 100644
--- a/tools/ndns-daemon.cpp
+++ b/tools/ndns-daemon.cpp
@@ -95,7 +95,7 @@
validatorConfigFile = item->second.get_value<std::string>();
}
NDNS_LOG_INFO("ValidatorConfigFile = " << validatorConfigFile);
- m_validator = NdnsValidatorBuilder::create(m_validatorFace, validatorConfigFile);
+ m_validator = NdnsValidatorBuilder::create(m_validatorFace, 500, 0, validatorConfigFile);
for (const auto& option : section) {
Name name;
diff --git a/validator.conf.sample.in b/validator.conf.sample.in
index 4bc401f..1793354 100644
--- a/validator.conf.sample.in
+++ b/validator.conf.sample.in
@@ -18,7 +18,7 @@
{
k-regex ^([^<NDNS>]*)<NDNS>(<>*)<KEY><>$
k-expand \\1\\2
- h-relation is-prefix-of ; ksk should be signed by dkey in parent zone
+ h-relation equal ; ksk should be signed by dkey in parent zone
p-regex ^([^<NDNS>]*)<NDNS><KEY><><><>$
p-expand \\1
}