Add certificate fetcher of ndns-appcert and ndns-cert
Validators are updated accordingly
Change-Id: Ibdee00b8f20243448a2ba3011ca87f85ce1ea516
diff --git a/tests/unit/validator/certificate-fetcher-ndns-app-cert.cpp b/tests/unit/validator/certificate-fetcher-ndns-app-cert.cpp
new file mode 100644
index 0000000..2efe67c
--- /dev/null
+++ b/tests/unit/validator/certificate-fetcher-ndns-app-cert.cpp
@@ -0,0 +1,142 @@
+/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
+/**
+ * Copyright (c) 2014-2017, Regents of the University of California.
+ *
+ * This file is part of NDNS (Named Data Networking Domain Name Service).
+ * See AUTHORS.md for complete list of NDNS authors and contributors.
+ *
+ * NDNS is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation,
+ * either version 3 of the License, or (at your option) any later version.
+ *
+ * NDNS is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * NDNS, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "validator/validator.hpp"
+#include "validator/certificate-fetcher-ndns-appcert.hpp"
+#include "ndns-label.hpp"
+#include "util/cert-helper.hpp"
+#include "daemon/name-server.hpp"
+#include "daemon/rrset-factory.hpp"
+#include "mgmt/management-tool.hpp"
+
+#include "test-common.hpp"
+#include "dummy-forwarder.hpp"
+#include "unit/database-test-data.hpp"
+
+#include <ndn-cxx/util/io.hpp>
+#include <ndn-cxx/security/v2/validation-policy-simple-hierarchy.hpp>
+
+namespace ndn {
+namespace ndns {
+namespace tests {
+
+NDNS_LOG_INIT("AppCertFetcher")
+
+BOOST_AUTO_TEST_SUITE(AppCertFetcher)
+
+unique_ptr<security::v2::Validator>
+CreateValidatorAppCert(Face& face)
+{
+ return make_unique<security::v2::Validator>(make_unique<::ndn::security::v2::ValidationPolicySimpleHierarchy>(),
+ make_unique<CertificateFetcherAppCert>(face));
+}
+
+class AppCertFetcherFixture : public DbTestData
+{
+public:
+ AppCertFetcherFixture()
+ : m_forwarder(m_io, m_keyChain)
+ , m_face(m_forwarder.addFace())
+ , m_validator(CreateValidatorAppCert(m_face))
+ {
+ // build the data and certificate for this test
+ buildAppCertAndData();
+
+ auto validatorOnlyForConstructServer = NdnsValidatorBuilder::create(m_face, 10, 0, TEST_CONFIG_PATH "/" "validator.conf");
+ // initlize all servers
+ auto addServer = [&] (const Name& zoneName) {
+ Face& face = m_forwarder.addFace();
+ // validator is used only for check update signature
+ // no updates tested here, so validator will not be used
+ // passing m_validator is only for construct server
+ Name certName = CertHelper::getDefaultCertificateNameOfIdentity(m_keyChain,
+ Name(zoneName).append("NDNS"));
+ auto server = make_shared<NameServer>(zoneName, certName, face,
+ m_session, m_keyChain, *validatorOnlyForConstructServer);
+ m_servers.push_back(server);
+ };
+ addServer(m_testName);
+ addServer(m_netName);
+ addServer(m_ndnsimName);
+ advanceClocks(time::milliseconds(10), 1);
+ }
+
+ ~AppCertFetcherFixture()
+ {
+ m_face.getIoService().stop();
+ m_face.shutdown();
+ }
+
+private:
+ void
+ buildAppCertAndData()
+ {
+ // create NDNS-stored certificate and the signed data
+ Identity ndnsimIdentity = addIdentity(m_ndnsimName);
+ Key randomKey = m_keyChain.createKey(ndnsimIdentity);
+ Certificate ndnsStoredAppCert = randomKey.getDefaultCertificate();
+ RrsetFactory rf(TEST_DATABASE.string(), m_ndnsimName, m_keyChain,
+ CertHelper::getIdentity(m_keyChain, Name(m_ndnsimName).append(label::NDNS_ITERATIVE_QUERY))
+ .getDefaultKey()
+ .getDefaultCertificate()
+ .getName());
+ rf.onlyCheckZone();
+ Rrset appCertRrset = rf.generateCertRrset(randomKey.getName().getSubName(-2),
+ VERSION_USE_UNIX_TIMESTAMP, DEFAULT_RR_TTL,
+ ndnsStoredAppCert);
+ ManagementTool tool(TEST_DATABASE.string(), m_keyChain);
+ tool.addRrset(appCertRrset);
+
+ m_appCertSignedData = Data(Name(m_ndnsimName).append("randomData"));
+ m_keyChain.sign(m_appCertSignedData, signingByCertificate(ndnsStoredAppCert));
+
+ // load this certificate as the trust anchor
+ m_validator->loadAnchor("", std::move(ndnsStoredAppCert));
+ }
+
+public:
+ DummyForwarder m_forwarder;
+ ndn::Face& m_face;
+ unique_ptr<security::v2::Validator> m_validator;
+ std::vector<shared_ptr<ndns::NameServer>> m_servers;
+ Data m_appCertSignedData;
+};
+
+
+BOOST_FIXTURE_TEST_CASE(Basic, AppCertFetcherFixture)
+{
+ bool hasValidated = false;
+ m_validator->validate(m_appCertSignedData,
+ [&] (const Data& data) {
+ hasValidated = true;
+ BOOST_CHECK(true);
+ },
+ [&] (const Data& data, const security::v2::ValidationError& str) {
+ hasValidated = true;
+ BOOST_CHECK(false);
+ });
+ advanceClocks(time::milliseconds(10), 1000);
+ BOOST_CHECK_EQUAL(hasValidated, true);
+}
+
+BOOST_AUTO_TEST_SUITE_END()
+
+} // namespace tests
+} // namespace ndns
+} // namespace ndn
diff --git a/tests/unit/validator/validator.cpp b/tests/unit/validator/validator.cpp
index 54d1dd8..3434916 100644
--- a/tests/unit/validator/validator.cpp
+++ b/tests/unit/validator/validator.cpp
@@ -18,9 +18,13 @@
*/
#include "validator/validator.hpp"
+#include "ndns-label.hpp"
+#include "util/cert-helper.hpp"
+#include "daemon/name-server.hpp"
#include "test-common.hpp"
-#include "util/cert-helper.hpp"
+#include "dummy-forwarder.hpp"
+#include "unit/database-test-data.hpp"
#include <ndn-cxx/util/io.hpp>
@@ -32,179 +36,135 @@
BOOST_AUTO_TEST_SUITE(Validator)
-class Fixture : public IdentityManagementFixture
+class ValidatorTestFixture : public DbTestData
{
public:
- Fixture()
- : m_testId1("/test02")
- , m_testId2("/test02/ndn")
- , m_testId3("/test02/ndn/edu")
- , m_randomId("/test03")
- , m_face(m_keyChain, {false, true})
+ ValidatorTestFixture()
+ : m_forwarder(m_io, m_keyChain)
+ , m_face(m_forwarder.addFace())
+ , m_validator(NdnsValidatorBuilder::create(m_face, 500, 0, TEST_CONFIG_PATH "/" "validator.conf"))
{
- m_randomDsk = createRoot(Name(m_randomId).append("NDNS")); // generate a root cert
-
- m_dsk1 = createRoot(Name(m_testId1).append("NDNS")); // replace to root cert
- m_dsk2 = createIdentity(Name(m_testId2).append("NDNS"), m_dsk1);
- m_dsk3 = createIdentity(Name(m_testId3).append("NDNS"), m_dsk2);
-
- m_face.onSendInterest.connect(bind(&Fixture::respondInterest, this, _1));
+ // generate a random cert
+ // check how does name-server test do
+ // initlize all servers
+ auto addServer = [&] (const Name& zoneName) {
+ Face& face = m_forwarder.addFace();
+ // validator is used only for check update signature
+ // no updates tested here, so validator will not be used
+ // passing m_validator is only for construct server
+ Name certName = CertHelper::getDefaultCertificateNameOfIdentity(m_keyChain,
+ Name(zoneName).append("NDNS"));
+ auto server = make_shared<NameServer>(zoneName, certName, face,
+ m_session, m_keyChain, *m_validator);
+ m_servers.push_back(server);
+ };
+ addServer(m_testName);
+ addServer(m_netName);
+ addServer(m_ndnsimName);
+ m_ndnsimCert = CertHelper::getDefaultCertificateNameOfIdentity(m_keyChain,
+ Name(m_ndnsimName).append("NDNS"));
+ m_randomCert = m_keyChain.createIdentity("/random/identity").getDefaultKey()
+ .getDefaultCertificate().getName();
+ advanceClocks(time::milliseconds(10), 1);
}
- ~Fixture()
+ ~ValidatorTestFixture()
{
m_face.getIoService().stop();
m_face.shutdown();
}
- const Key
- createIdentity(const Name& id, const Key& parentKey)
- {
- Identity identity = addIdentity(id);
- Key defaultKey = identity.getDefaultKey();
- m_keyChain.deleteKey(identity, defaultKey);
-
- Key ksk = m_keyChain.createKey(identity);
- Name defaultKskCert = ksk.getDefaultCertificate().getName();
- m_keyChain.deleteCertificate(ksk, defaultKskCert);
-
- Key dsk = m_keyChain.createKey(identity);
- Name defaultDskCert = dsk.getDefaultCertificate().getName();
- m_keyChain.deleteCertificate(dsk, defaultDskCert);
-
- auto kskCert = CertHelper::createCertificate(m_keyChain, ksk, parentKey, "CERT", time::days(100));
- auto dskCert = CertHelper::createCertificate(m_keyChain, dsk, ksk, "CERT", time::days(100));
-
- m_keyChain.addCertificate(ksk, kskCert);
- m_keyChain.addCertificate(dsk, dskCert);
-
- m_keyChain.setDefaultKey(identity, dsk);
- return dsk;
- }
-
- const Key
- createRoot(const Name& root)
- {
- Identity rootIdentity = addIdentity(root);
- auto cert = rootIdentity.getDefaultKey().getDefaultCertificate();
- ndn::io::save(cert, TEST_CONFIG_PATH "/anchors/root.cert");
- NDNS_LOG_TRACE("save root cert "<< m_rootCert <<
- " to: " << TEST_CONFIG_PATH "/anchors/root.cert");
- return rootIdentity.getDefaultKey();
- }
-
- void
- respondInterest(const Interest& interest)
- {
- Name keyName = interest.getName();
- Name identityName = keyName.getPrefix(-2);
- NDNS_LOG_TRACE("validator needs cert of KEY: " << keyName);
- auto cert = m_keyChain.getPib().getIdentity(identityName)
- .getKey(keyName)
- .getDefaultCertificate();
- m_face.getIoService().post([this, cert] {
- m_face.receive(cert);
- });
- }
-
public:
- Name m_testId1;
- Name m_testId2;
- Name m_testId3;
- Name m_randomId;
-
- Name m_rootCert;
-
- Key m_dsk1;
- Key m_dsk2;
- Key m_dsk3;
-
- Key m_randomDsk;
-
- ndn::util::DummyClientFace m_face;
+ DummyForwarder m_forwarder;
+ ndn::Face& m_face;
+ unique_ptr<security::v2::Validator> m_validator;
+ std::vector<shared_ptr<ndns::NameServer>> m_servers;
+ Name m_ndnsimCert;
+ Name m_randomCert;
};
-BOOST_FIXTURE_TEST_CASE(Basic, Fixture)
+BOOST_FIXTURE_TEST_CASE(Basic, ValidatorTestFixture)
{
- // validator must be created after root key is saved to the target
- auto validator = NdnsValidatorBuilder::create(m_face, TEST_CONFIG_PATH "/" "validator.conf");
+ SignatureInfo info;
+ info.setValidityPeriod(security::ValidityPeriod(time::system_clock::TimePoint::min(),
+ time::system_clock::now() + time::days(10)));
// case1: record of testId3, signed by its dsk, should be successful validated.
Name dataName;
dataName
- .append(m_testId3)
+ .append(m_ndnsimName)
.append("NDNS")
.append("rrLabel")
.append("rrType")
.appendVersion();
shared_ptr<Data> data = make_shared<Data>(dataName);
- m_keyChain.sign(*data, signingByKey(m_dsk3));
+ m_keyChain.sign(*data, signingByCertificate(m_ndnsimCert).setSignatureInfo(info));
bool hasValidated = false;
- validator->validate(*data,
- [&] (const Data& data) {
- hasValidated = true;
- BOOST_CHECK(true);
- },
- [&] (const Data& data, const security::v2::ValidationError& str) {
- hasValidated = true;
- BOOST_CHECK(false);
- });
+ m_validator->validate(*data,
+ [&] (const Data& data) {
+ hasValidated = true;
+ BOOST_CHECK(true);
+ },
+ [&] (const Data& data, const security::v2::ValidationError& str) {
+ hasValidated = true;
+ BOOST_CHECK(false);
+ });
- m_face.processEvents(time::milliseconds(-1));
-
+ advanceClocks(time::seconds(3), 100);
+ // m_io.run();
BOOST_CHECK_EQUAL(hasValidated, true);
// case2: signing testId2's data by testId3's key, which should failed in validation
dataName = Name();
dataName
- .append(m_testId2)
+ .append(m_netName)
.append("NDNS")
.append("rrLabel")
.append("CERT")
.appendVersion();
data = make_shared<Data>(dataName);
- m_keyChain.sign(*data, signingByKey(m_dsk3)); // key's owner's name is longer than data owner's
+ m_keyChain.sign(*data, signingByCertificate(m_ndnsimCert)); // key's owner's name is longer than data owner's
hasValidated = false;
- validator->validate(*data,
- [&] (const Data& data) {
- hasValidated = true;
- BOOST_CHECK(false);
- },
- [&] (const Data& data, const security::v2::ValidationError& str) {
- hasValidated = true;
- BOOST_CHECK(true);
- });
+ m_validator->validate(*data,
+ [&] (const Data& data) {
+ hasValidated = true;
+ BOOST_CHECK(false);
+ },
+ [&] (const Data& data, const security::v2::ValidationError& str) {
+ hasValidated = true;
+ BOOST_CHECK(true);
+ });
- m_face.processEvents(time::milliseconds(-1));
+ advanceClocks(time::seconds(3), 100);
// cannot pass verification due to key's owner's name is longer than data owner's
BOOST_CHECK_EQUAL(hasValidated, true);
- // case4: totally wrong key to sign
+ // case3: totally wrong key to sign
dataName = Name();
dataName
- .append(m_testId2)
+ .append(m_ndnsimName)
.append("NDNS")
.append("rrLabel")
.append("CERT")
.appendVersion();
data = make_shared<Data>(dataName);
- m_keyChain.sign(*data, signingByKey(m_randomDsk));
+ m_keyChain.sign(*data, signingByCertificate(m_randomCert));
hasValidated = false;
- validator->validate(*data,
- [&] (const Data& data) {
- hasValidated = true;
- BOOST_CHECK(false);
- },
- [&] (const Data& data, const security::v2::ValidationError& str) {
- hasValidated = true;
- BOOST_CHECK(true);
- });
+ m_validator->validate(*data,
+ [&] (const Data& data) {
+ hasValidated = true;
+ BOOST_CHECK(false);
+ },
+ [&] (const Data& data, const security::v2::ValidationError& str) {
+ hasValidated = true;
+ BOOST_CHECK(true);
+ });
- m_face.processEvents(time::milliseconds(-1));
+ advanceClocks(time::seconds(3), 100);
// cannot pass due to a totally mismatched key
BOOST_CHECK_EQUAL(hasValidated, true);
}