NS-3 based Named Data Networking (NDN) simulator
ndnSIM 2.0: NDN, CCN, CCNx, content centric networks 		API Documentation
validator-regex.cpp
Go to the documentation of this file.
1 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
24 #include "common.hpp"
25 
26 #include "validator-regex.hpp"
27 #include "signature-sha256-with-rsa.hpp"
28 #include "certificate-cache-ttl.hpp"
29 
30 namespace ndn {
31 
32 const shared_ptr<CertificateCache> ValidatorRegex::DEFAULT_CERTIFICATE_CACHE;
33 
34 ValidatorRegex::ValidatorRegex(Face* face,
35  shared_ptr<CertificateCache> certificateCache,
36  const int stepLimit)
37  : Validator(face)
38  , m_stepLimit(stepLimit)
39  , m_certificateCache(certificateCache)
40 {
41  if (!static_cast<bool>(m_certificateCache) && face != nullptr)
42  m_certificateCache = make_shared<CertificateCacheTtl>(ref(face->getIoService()));
43 }
44 
45 ValidatorRegex::ValidatorRegex(Face& face,
46  shared_ptr<CertificateCache> certificateCache,
47  const int stepLimit)
48  : Validator(face)
49  , m_stepLimit(stepLimit)
50  , m_certificateCache(certificateCache)
51 {
52  if (!static_cast<bool>(m_certificateCache))
53  m_certificateCache = make_shared<CertificateCacheTtl>(ref(face.getIoService()));
54 }
55 
56 void
57 ValidatorRegex::addDataVerificationRule(shared_ptr<SecRuleRelative> rule)
58 {
59  rule->isPositive() ? m_verifyPolicies.push_back(rule) : m_mustFailVerify.push_back(rule);
60 }
61 
62 void
63 ValidatorRegex::addTrustAnchor(shared_ptr<IdentityCertificate> certificate)
64 {
65  m_trustAnchors[certificate->getName().getPrefix(-1)] = certificate;
66 }
67 
68 void
69 ValidatorRegex::onCertificateValidated(const shared_ptr<const Data>& signCertificate,
70  const shared_ptr<const Data>& data,
71  const OnDataValidated& onValidated,
72  const OnDataValidationFailed& onValidationFailed)
73 {
74  shared_ptr<IdentityCertificate> certificate =
75  make_shared<IdentityCertificate>(*signCertificate);
76 
77  if (!certificate->isTooLate() && !certificate->isTooEarly())
78  {
79  if (static_cast<bool>(m_certificateCache))
80  m_certificateCache->insertCertificate(certificate);
81 
82  if (verifySignature(*data, certificate->getPublicKeyInfo()))
83  return onValidated(data);
84  else
85  return onValidationFailed(data,
86  "Cannot verify signature: " +
87  data->getName().toUri());
88  }
89  else
90  {
91  return onValidationFailed(data,
92  "Signing certificate " +
93  signCertificate->getName().toUri() +
94  " is no longer valid.");
95  }
96 }
97 
98 void
99 ValidatorRegex::onCertificateValidationFailed(const shared_ptr<const Data>& signCertificate,
100  const std::string& failureInfo,
101  const shared_ptr<const Data>& data,
102  const OnDataValidationFailed& onValidationFailed)
103 {
104  onValidationFailed(data, failureInfo);
105 }
106 
107 void
108 ValidatorRegex::checkPolicy(const Data& data,
109  int nSteps,
110  const OnDataValidated& onValidated,
111  const OnDataValidationFailed& onValidationFailed,
112  std::vector<shared_ptr<ValidationRequest> >& nextSteps)
113 {
114  if (m_stepLimit == nSteps)
115  return onValidationFailed(data.shared_from_this(),
116  "Maximum steps of validation reached: " +
117  data.getName().toUri());
118 
119  for (RuleList::iterator it = m_mustFailVerify.begin();
120  it != m_mustFailVerify.end();
121  it++)
122  if ((*it)->satisfy(data))
123  return onValidationFailed(data.shared_from_this(),
124  "Comply with mustFail policy: " +
125  data.getName().toUri());
126 
127  for (RuleList::iterator it = m_verifyPolicies.begin();
128  it != m_verifyPolicies.end();
129  it++)
130  {
131  if ((*it)->satisfy(data))
132  {
133  try
134  {
135  if (!data.getSignature().hasKeyLocator())
136  return onValidationFailed(data.shared_from_this(),
137  "Key Locator is missing in Data packet: " +
138  data.getName().toUri());
139 
140  const KeyLocator& keyLocator = data.getSignature().getKeyLocator();
141  if (keyLocator.getType() != KeyLocator::KeyLocator_Name)
142  return onValidationFailed(data.shared_from_this(),
143  "Key Locator is not a name: " +
144  data.getName().toUri());
145 
146 
147  const Name& keyLocatorName = keyLocator.getName();
148  shared_ptr<const Certificate> trustedCert;
149  if (m_trustAnchors.end() == m_trustAnchors.find(keyLocatorName) &&
150  static_cast<bool>(m_certificateCache))
151  trustedCert = m_certificateCache->getCertificate(keyLocatorName);
152  else
153  trustedCert = m_trustAnchors[keyLocatorName];
154 
155  if (static_cast<bool>(trustedCert))
156  {
157  if (verifySignature(data, data.getSignature(), trustedCert->getPublicKeyInfo()))
158  return onValidated(data.shared_from_this());
159  else
160  return onValidationFailed(data.shared_from_this(),
161  "Cannot verify signature: " +
162  data.getName().toUri());
163  }
164  else
165  {
166  // KeyLocator is not a trust anchor
167 
168  OnDataValidated onKeyValidated =
169  bind(&ValidatorRegex::onCertificateValidated, this, _1,
170  data.shared_from_this(), onValidated, onValidationFailed);
171 
172  OnDataValidationFailed onKeyValidationFailed =
173  bind(&ValidatorRegex::onCertificateValidationFailed, this, _1, _2,
174  data.shared_from_this(), onValidationFailed);
175 
176  Interest interest(keyLocatorName);
177  shared_ptr<ValidationRequest> nextStep =
178  make_shared<ValidationRequest>(interest,
179  onKeyValidated,
180  onKeyValidationFailed,
181  3,
182  nSteps + 1);
183 
184  nextSteps.push_back(nextStep);
185 
186  return;
187  }
188  }
189  catch (KeyLocator::Error& e)
190  {
191  return onValidationFailed(data.shared_from_this(),
192  "Key Locator is not a name: " +
193  data.getName().toUri());
194  }
195  catch (tlv::Error& e)
196  {
197  return onValidationFailed(data.shared_from_this(),
198  "Cannot decode signature");
199  }
200  }
201  }
202 
203  return onValidationFailed(data.shared_from_this(),
204  "No policy found for data: " + data.getName().toUri());
205 }
206 
207 } // namespace ndn
ndn
Copyright (c) 2011-2015 Regents of the University of California.
Definition: ndn-strategy-choice-helper.hpp:34
ndn::ValidatorRegex::onCertificateValidationFailed
void onCertificateValidationFailed(const shared_ptr< const Data > &signCertificate, const std::string &failureInfo, const shared_ptr< const Data > &data, const OnDataValidationFailed &onValidationFailed)
Definition: validator-regex.cpp:99
ndn::ValidatorRegex::onCertificateValidated
void onCertificateValidated(const shared_ptr< const Data > &signCertificate, const shared_ptr< const Data > &data, const OnDataValidated &onValidated, const OnDataValidationFailed &onValidationFailed)
Definition: validator-regex.cpp:69
ndn::ValidatorRegex::m_certificateCache
shared_ptr< CertificateCache > m_certificateCache
Definition: validator-regex.hpp:122
ndn::ValidatorRegex::checkPolicy
virtual void checkPolicy(const Data &data, int nSteps, const OnDataValidated &onValidated, const OnDataValidationFailed &onValidationFailed, std::vector< shared_ptr< ValidationRequest > > &nextSteps)
Check the Data against policy and return the next validation step if necessary.
Definition: validator-regex.cpp:108
ndn::Signature::hasKeyLocator
bool hasKeyLocator() const
Check if SignatureInfo block has a KeyLocator.
Definition: signature.hpp:123
ndn::Signature::getKeyLocator
const KeyLocator & getKeyLocator() const
Get KeyLocator.
Definition: signature.hpp:134
ndn::Interest
represents an Interest packet
Definition: interest.hpp:45
ndn::KeyLocator::KeyLocator_Name
indicates KeyLocator contains a Name
Definition: key-locator.hpp:49
ndn::Data::getName
const Name & getName() const
Get name of the Data packet.
Definition: data.hpp:343
nfd::cs::iterator
Table::const_iterator iterator
Definition: cs-internal.hpp:41
ndn::Name::toUri
std::string toUri() const
Encode this name as a URI.
Definition: name.cpp:183
ndn::KeyLocator::getName
const Name & getName() const
get Name element
Definition: key-locator.cpp:138
ndn::OnDataValidated
function< void(const shared_ptr< const Data > &)> OnDataValidated
Callback to report a successful Data validation.
Definition: validation-request.hpp:38
ndn::ValidatorRegex::ValidatorRegex
ValidatorRegex(Face *face=nullptr, shared_ptr< CertificateCache > certificateCache=DEFAULT_CERTIFICATE_CACHE, const int stepLimit=3)
Definition: validator-regex.cpp:34
ndn::ValidatorRegex::DEFAULT_CERTIFICATE_CACHE
static const shared_ptr< CertificateCache > DEFAULT_CERTIFICATE_CACHE
Definition: validator-regex.hpp:115
ndn::KeyLocator::getType
Type getType() const
Definition: key-locator.hpp:101
ndn::ValidatorRegex::m_trustAnchors
std::map< Name, shared_ptr< IdentityCertificate > > m_trustAnchors
Definition: validator-regex.hpp:125
ndn::OnDataValidationFailed
function< void(const shared_ptr< const Data > &, const std::string &)> OnDataValidationFailed
Callback to report a failed Data validation.
Definition: validation-request.hpp:42
ndn::Face
Abstraction to communicate with local or remote NDN forwarder.
Definition: face.hpp:100
ndn::Name
Name abstraction to represent an absolute name.
Definition: name.hpp:46
ndn::Face::getIoService
boost::asio::io_service & getIoService()
Return nullptr (kept for compatibility)
Definition: face.hpp:548
ndn::ValidatorRegex::addDataVerificationRule
void addDataVerificationRule(shared_ptr< SecRuleRelative > rule)
Add a rule for data verification.
Definition: validator-regex.cpp:57
ndn::Data::getSignature
const Signature & getSignature() const
Definition: data.hpp:373
ndn::ValidatorRegex::addTrustAnchor
void addTrustAnchor(shared_ptr< IdentityCertificate > certificate)
Add a trust anchor.
Definition: validator-regex.cpp:63
ndn::Validator::verifySignature
static bool verifySignature(const Data &data, const PublicKey &publicKey)
Verify the data using the publicKey.
Definition: validator.cpp:106
ndn::Data
represents a Data packet
Definition: data.hpp:39
ndn::Validator
Validator is one of the main classes of the security library.
Definition: validator.hpp:46
ndn::tlv::Error
represents an error in TLV encoding or decoding
Definition: tlv.hpp:50