2.1/doxygen/command-interest-validator_8hpp_source.html

 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 #ifndef NDN_UTIL_COMMAND_INTEREST_VALIDATOR_HPP
 #define NDN_UTIL_COMMAND_INTEREST_VALIDATOR_HPP

 #include "../security/validator.hpp"
 #include "../security/identity-certificate.hpp"
 #include "../security/sec-rule-specific.hpp"

 #include <list>

 namespace ndn {

 class CommandInterestValidator : public Validator
 {
 public:
   enum {
     POS_SIG_VALUE = -1,
     POS_SIG_INFO = -2,
     POS_RANDOM_VAL = -3,
     POS_TIMESTAMP = -4,

     MIN_LENGTH = 4,

     GRACE_INTERVAL = 3000 // ms
   };

   CommandInterestValidator(const time::milliseconds& graceInterval =
                            time::milliseconds(static_cast<int>(GRACE_INTERVAL)))
     : m_graceInterval(graceInterval < time::milliseconds::zero() ?
                       time::milliseconds(static_cast<int>(GRACE_INTERVAL)) : graceInterval)
   {
   }

   virtual
   ~CommandInterestValidator()
   {
   }

   void
   addInterestRule(const std::string& regex, const IdentityCertificate& certificate);

   void
   addInterestRule(const std::string& regex, const Name& keyName, const PublicKey& publicKey);

   void
   addInterestBypassRule(const std::string& regex);

   void
   reset();

 protected:
   virtual void
   checkPolicy(const Data& data,
               int stepCount,
               const OnDataValidated& onValidated,
               const OnDataValidationFailed& onValidationFailed,
               std::vector<shared_ptr<ValidationRequest> >& nextSteps)
   {
     onValidationFailed(data.shared_from_this(), "No policy for data checking");
   }

   virtual void
   checkPolicy(const Interest& interest,
               int stepCount,
               const OnInterestValidated& onValidated,
               const OnInterestValidationFailed& onValidationFailed,
               std::vector<shared_ptr<ValidationRequest> >& nextSteps);
 private:
   time::milliseconds m_graceInterval; //ms
   std::map<Name, PublicKey> m_trustAnchorsForInterest;
   std::list<SecRuleSpecific> m_trustScopeForInterest;

   typedef std::map<Name, time::system_clock::TimePoint> LastTimestampMap;
   LastTimestampMap m_lastTimestamp;
 };

 inline void
 CommandInterestValidator::addInterestRule(const std::string& regex,
                                           const IdentityCertificate& certificate)
 {
   Name keyName = IdentityCertificate::certificateNameToPublicKeyName(certificate.getName());
   addInterestRule(regex, keyName, certificate.getPublicKeyInfo());
 }

 inline void
 CommandInterestValidator::addInterestRule(const std::string& regex,
                                           const Name& keyName,
                                           const PublicKey& publicKey)
 {
   m_trustAnchorsForInterest[keyName] = publicKey;
   shared_ptr<Regex> interestRegex = make_shared<Regex>(regex);
   shared_ptr<Regex> signerRegex = Regex::fromName(keyName, true);
   m_trustScopeForInterest.push_back(SecRuleSpecific(interestRegex, signerRegex));
 }

 inline void
 CommandInterestValidator::addInterestBypassRule(const std::string& regex)
 {
   shared_ptr<Regex> interestRegex = make_shared<Regex>(regex);
   m_trustScopeForInterest.push_back(SecRuleSpecific(interestRegex));
 }

 inline void
 CommandInterestValidator::reset()
 {
   m_trustAnchorsForInterest.clear();
   m_trustScopeForInterest.clear();
 }

 inline void
 CommandInterestValidator::checkPolicy(const Interest& interest,
                                       int stepCount,
                                       const OnInterestValidated& onValidated,
                                       const OnInterestValidationFailed& onValidationFailed,
                                       std::vector<shared_ptr<ValidationRequest> >& nextSteps)
 {
   const Name& interestName = interest.getName();

   //Prepare
   if (interestName.size() < MIN_LENGTH)
     return onValidationFailed(interest.shared_from_this(),
                               "Interest is not signed: " + interest.getName().toUri());
   Name keyName;
   try
     {
       Signature signature(interestName[POS_SIG_INFO].blockFromValue(),
                           interestName[POS_SIG_VALUE].blockFromValue());

       if (signature.getType() != tlv::SignatureSha256WithRsa)
         return onValidationFailed(interest.shared_from_this(),
                                   "Require SignatureSha256WithRsa");

       SignatureSha256WithRsa sig(signature);

       const KeyLocator& keyLocator = sig.getKeyLocator();

       if (keyLocator.getType() != KeyLocator::KeyLocator_Name)
         return onValidationFailed(interest.shared_from_this(),
                                   "Key Locator is not a name");

       keyName = IdentityCertificate::certificateNameToPublicKeyName(keyLocator.getName());

       //Check if command is in the trusted scope
       bool isInScope = false;
       for (std::list<SecRuleSpecific>::iterator scopeIt = m_trustScopeForInterest.begin();
            scopeIt != m_trustScopeForInterest.end();
            ++scopeIt)
         {
           if (scopeIt->satisfy(interestName, keyName))
             {
               if (scopeIt->isExempted())
                 {
                   return onValidated(interest.shared_from_this());
                 }

               isInScope = true;
               break;
             }
         }
       if (isInScope == false)
         return onValidationFailed(interest.shared_from_this(),
                                   "Signer cannot be authorized for the command: " +
                                   keyName.toUri());

       //Check signature
       if (!Validator::verifySignature(interestName.wireEncode().value(),
                                       interestName.wireEncode().value_size() -
                                       interestName[-1].size(),
                                       sig, m_trustAnchorsForInterest[keyName]))
         return onValidationFailed(interest.shared_from_this(),
                                   "Signature cannot be validated: " +
                                   interest.getName().toUri());

       //Check if timestamp is valid
       time::system_clock::TimePoint interestTime =
         time::fromUnixTimestamp(time::milliseconds(interestName.get(POS_TIMESTAMP).toNumber()));

       time::system_clock::TimePoint currentTime = time::system_clock::now();

       LastTimestampMap::iterator timestampIt = m_lastTimestamp.find(keyName);
       if (timestampIt == m_lastTimestamp.end())
         {
           if (!(currentTime - m_graceInterval <= interestTime &&
                 interestTime <= currentTime + m_graceInterval))
             return onValidationFailed(interest.shared_from_this(),
                                       "The command is not in grace interval: " +
                                       interest.getName().toUri());
         }
       else
         {
           if (interestTime <= timestampIt->second)
             return onValidationFailed(interest.shared_from_this(),
                                       "The command is outdated: " +
                                       interest.getName().toUri());
         }

       //Update timestamp
       if (timestampIt == m_lastTimestamp.end())
         {
           m_lastTimestamp[keyName] = interestTime;
         }
       else
         {
           timestampIt->second = interestTime;
         }
     }
   catch (Signature::Error& e)
     {
       return onValidationFailed(interest.shared_from_this(),
                                 "No valid signature");
     }
   catch (IdentityCertificate::Error& e)
     {
       return onValidationFailed(interest.shared_from_this(),
                                 "Cannot locate the signing key");
     }
   catch (tlv::Error& e)
     {
       return onValidationFailed(interest.shared_from_this(),
                                 "Cannot decode signature related TLVs");
     }

   return onValidated(interest.shared_from_this());
 }

 } // namespace ndn

 #endif // NDN_UTIL_COMMAND_INTEREST_VALIDATOR_HPP
ndn::SignatureSha256WithRsa
Represent a SHA256-with-RSA signature.
Definition: signature-sha256-with-rsa.hpp:32

ndn::Interest::getName
const Name & getName() const
Definition: interest.hpp:216

ndn
Copyright (c) 2011-2015 Regents of the University of California.
Definition: ndn-strategy-choice-helper.hpp:34

ndn::CommandInterestValidator
Helper class to validate CommandInterests.
Definition: command-interest-validator.hpp:42

ndn::RegexTopMatcher::fromName
static shared_ptr< RegexTopMatcher > fromName(const Name &name, bool hasAnchor=false)
Definition: regex-top-matcher.cpp:201

ndn::CommandInterestValidator::MIN_LENGTH
Definition: command-interest-validator.hpp:51

ndn::tlv::SignatureSha256WithRsa
Definition: tlv.hpp:97

ndn::SecRuleSpecific
Definition: sec-rule-specific.hpp:33

ndn::CommandInterestValidator::addInterestRule
void addInterestRule(const std::string &regex, const IdentityCertificate &certificate)
add an Interest rule that allows a specific certificate
Definition: command-interest-validator.hpp:129

ndn::IdentityCertificate::certificateNameToPublicKeyName
static Name certificateNameToPublicKeyName(const Name &certificateName)
Get the public key name from the full certificate name.
Definition: identity-certificate.cpp:109

ndn::Signature::getKeyLocator
const KeyLocator & getKeyLocator() const
Get KeyLocator.
Definition: signature.hpp:134

ndn::Name::wireEncode
size_t wireEncode(EncodingImpl< TAG > &encoder) const
Fast encoding or block size estimation.
Definition: name.cpp:69

ndn::Interest
represents an Interest packet
Definition: interest.hpp:45

ndn::KeyLocator::KeyLocator_Name
indicates KeyLocator contains a Name
Definition: key-locator.hpp:49

ndn::time::system_clock::now
static time_point now() noexcept
Definition: time.cpp:45

ndn::time
Definition: time-custom-clock.hpp:28

ndn::Certificate::getPublicKeyInfo
PublicKey & getPublicKeyInfo()
Definition: certificate.hpp:171

ndn::Data::getName
const Name & getName() const
Get name of the Data packet.
Definition: data.hpp:343

nfd::cs::iterator
Table::const_iterator iterator
Definition: cs-internal.hpp:41

ndn::Signature::getType
uint32_t getType() const
Get signature type.
Definition: signature.hpp:114

ndn::CommandInterestValidator::addInterestBypassRule
void addInterestBypassRule(const std::string &regex)
add an Interest rule that allows any signer
Definition: command-interest-validator.hpp:148

ndn::Name::toUri
std::string toUri() const
Encode this name as a URI.
Definition: name.cpp:183

ndn::KeyLocator::getName
const Name & getName() const
get Name element
Definition: key-locator.cpp:138

ndn::OnDataValidated
function< void(const shared_ptr< const Data > &)> OnDataValidated
Callback to report a successful Data validation.
Definition: validation-request.hpp:38

ndn::CommandInterestValidator::POS_SIG_VALUE
Definition: command-interest-validator.hpp:46

ndn::CommandInterestValidator::~CommandInterestValidator
virtual ~CommandInterestValidator()
Definition: command-interest-validator.hpp:64

ndn::CommandInterestValidator::POS_RANDOM_VAL
Definition: command-interest-validator.hpp:48

ndn::CommandInterestValidator::POS_SIG_INFO
Definition: command-interest-validator.hpp:47

ndn::KeyLocator::getType
Type getType() const
Definition: key-locator.hpp:101

ndn::OnDataValidationFailed
function< void(const shared_ptr< const Data > &, const std::string &)> OnDataValidationFailed
Callback to report a failed Data validation.
Definition: validation-request.hpp:42

ndn::CommandInterestValidator::GRACE_INTERVAL
Definition: command-interest-validator.hpp:53

ndn::Name::size
size_t size() const
Get the number of components.
Definition: name.hpp:408

ndn::CommandInterestValidator::reset
void reset()
Remove all installed Interest rules (e.g., when reinitialization needed)
Definition: command-interest-validator.hpp:155

ndn::IdentityCertificate::Error
Definition: identity-certificate.hpp:35

ndn::Name
Name abstraction to represent an absolute name.
Definition: name.hpp:46

ndn::time::system_clock::TimePoint
time_point TimePoint
Definition: time.hpp:78

ndn::CommandInterestValidator::CommandInterestValidator
CommandInterestValidator(const time::milliseconds &graceInterval=time::milliseconds(static_cast< int >(GRACE_INTERVAL)))
Definition: command-interest-validator.hpp:56

ndn::KeyLocator
Definition: key-locator.hpp:30

ndn::OnInterestValidationFailed
function< void(const shared_ptr< const Interest > &, const std::string &)> OnInterestValidationFailed
Callback to report a failed Interest validation.
Definition: validation-request.hpp:35

ndn::time::fromUnixTimestamp
system_clock::TimePoint fromUnixTimestamp(const milliseconds &duration)
Convert UNIX timestamp to system_clock::TimePoint.
Definition: time.cpp:124

ndn::Validator::verifySignature
static bool verifySignature(const Data &data, const PublicKey &publicKey)
Verify the data using the publicKey.
Definition: validator.cpp:106

ndn::CommandInterestValidator::checkPolicy
virtual void checkPolicy(const Data &data, int stepCount, const OnDataValidated &onValidated, const OnDataValidationFailed &onValidationFailed, std::vector< shared_ptr< ValidationRequest > > &nextSteps)
Check the Data against policy and return the next validation step if necessary.
Definition: command-interest-validator.hpp:104

ndn::Signature::Error
Definition: signature.hpp:36

ndn::CommandInterestValidator::POS_TIMESTAMP
Definition: command-interest-validator.hpp:49

ndn::PublicKey
Definition: public-key.hpp:41

ndn::Data
represents a Data packet
Definition: data.hpp:39

ndn::name::Component::toNumber
uint64_t toNumber() const
Interpret this name component as nonNegativeInteger.
Definition: name-component.cpp:239

ndn::Validator
Validator is one of the main classes of the security library.
Definition: validator.hpp:46

ndn::OnInterestValidated
function< void(const shared_ptr< const Interest > &)> OnInterestValidated
Callback to report a successful Interest validation.
Definition: validation-request.hpp:31

ndn::IdentityCertificate
Definition: identity-certificate.hpp:32

ndn::Name::get
const Component & get(ssize_t i) const
Get the component at the given index.
Definition: name.hpp:419

ndn::tlv::Error
represents an error in TLV encoding or decoding
Definition: tlv.hpp:50

ndn::Signature
A Signature is storage for the signature-related information (info and value) in a Data packet...
Definition: signature.hpp:33