2.3/doxygen/validator_8cpp_source.html

 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 #include "validator.hpp"
 #include "../util/crypto.hpp"

 #include "v1/cryptopp.hpp"

 namespace ndn {
 namespace security {

 static Oid SECP256R1("1.2.840.10045.3.1.7");
 static Oid SECP384R1("1.3.132.0.34");

 Validator::Validator(Face* face)
   : m_face(face)
 {
 }

 Validator::Validator(Face& face)
   : m_face(&face)
 {
 }

 Validator::~Validator() = default;

 void
 Validator::validate(const Interest& interest,
                     const OnInterestValidated& onValidated,
                     const OnInterestValidationFailed& onValidationFailed,
                     int nSteps)
 {
   std::vector<shared_ptr<ValidationRequest> > nextSteps;
   checkPolicy(interest, nSteps, onValidated, onValidationFailed, nextSteps);

   if (nextSteps.empty()) {
     // If there is no nextStep,
     // that means InterestPolicy has already been able to verify the Interest.
     // No more further processes.
     return;
   }

   OnFailure onFailure = bind(onValidationFailed, interest.shared_from_this(), _1);
   afterCheckPolicy(nextSteps, onFailure);
 }

 void
 Validator::validate(const Data& data,
                     const OnDataValidated& onValidated,
                     const OnDataValidationFailed& onValidationFailed,
                     int nSteps)
 {
   std::vector<shared_ptr<ValidationRequest> > nextSteps;
   checkPolicy(data, nSteps, onValidated, onValidationFailed, nextSteps);

   if (nextSteps.empty()) {
     // If there is no nextStep,
     // that means Data Policy has already been able to verify the Interest.
     // No more further processes.
     return;
   }

   OnFailure onFailure = bind(onValidationFailed, data.shared_from_this(), _1);
   afterCheckPolicy(nextSteps, onFailure);
 }

 void
 Validator::onData(const Interest& interest,
                   const Data& data,
                   const shared_ptr<ValidationRequest>& nextStep)
 {
   shared_ptr<const Data> certificateData = preCertificateValidation(data);

   if (!static_cast<bool>(certificateData))
     return nextStep->m_onDataValidationFailed(data.shared_from_this(),
                                               "Cannot decode cert: " + data.getName().toUri());

   validate(*certificateData,
            nextStep->m_onDataValidated, nextStep->m_onDataValidationFailed,
            nextStep->m_nSteps);
 }

 bool
 Validator::verifySignature(const Data& data, const v1::PublicKey& key)
 {
   if (!data.getSignature().hasKeyLocator())
     return false;

   return verifySignature(data.wireEncode().value(),
                          data.wireEncode().value_size() -
                          data.getSignature().getValue().size(),
                          data.getSignature(), key);
 }

 bool
 Validator::verifySignature(const Interest& interest, const v1::PublicKey& key)
 {
   const Name& name = interest.getName();

   if (name.size() < signed_interest::MIN_LENGTH_SIG_ONLY)
     return false;

   Signature sig;
   try {
     sig.setInfo(name[signed_interest::POS_SIG_INFO].blockFromValue());
     sig.setValue(name[signed_interest::POS_SIG_VALUE].blockFromValue());
   }
   catch (const tlv::Error&) {
     return false;
   }

   if (!sig.hasKeyLocator())
     return false;

   const Block& nameWire = name.wireEncode();
   return verifySignature(nameWire.value(),
                          nameWire.value_size() - name[signed_interest::POS_SIG_VALUE].size(),
                          sig, key);
 }

 bool
 Validator::verifySignature(const uint8_t* buf,
                            const size_t size,
                            const Signature& sig,
                            const v1::PublicKey& key)
 {
   try {
     using namespace CryptoPP;

     switch (sig.getType()) {
       case tlv::SignatureSha256WithRsa: {
         if (key.getKeyType() != KeyType::RSA)
           return false;

         RSA::PublicKey publicKey;
         ByteQueue queue;

         queue.Put(reinterpret_cast<const byte*>(key.get().buf()), key.get().size());
         publicKey.Load(queue);

         RSASS<PKCS1v15, SHA256>::Verifier verifier(publicKey);
         return verifier.VerifyMessage(buf, size,
                                       sig.getValue().value(), sig.getValue().value_size());
       }

       case tlv::SignatureSha256WithEcdsa: {
         if (key.getKeyType() != KeyType::EC)
           return false;

         ECDSA<ECP, SHA256>::PublicKey publicKey;
         ByteQueue queue;

         queue.Put(reinterpret_cast<const byte*>(key.get().buf()), key.get().size());
         publicKey.Load(queue);

         ECDSA<ECP, SHA256>::Verifier verifier(publicKey);

         uint32_t length = 0;
         StringSource src(key.get().buf(), key.get().size(), true);
         BERSequenceDecoder subjectPublicKeyInfo(src);
         {
           BERSequenceDecoder algorithmInfo(subjectPublicKeyInfo);
           {
             Oid algorithm;
             algorithm.decode(algorithmInfo);

             Oid curveId;
             curveId.decode(algorithmInfo);

             if (curveId == SECP256R1)
               length = 256;
             else if (curveId == SECP384R1)
               length = 384;
             else
               return false;
           }
         }

         switch (length) {
           case 256: {
             uint8_t buffer[64];
             size_t usedSize = DSAConvertSignatureFormat(buffer, sizeof(buffer), DSA_P1363,
                                                         sig.getValue().value(),
                                                         sig.getValue().value_size(),
                                                         DSA_DER);
             return verifier.VerifyMessage(buf, size, buffer, usedSize);
           }

           case 384: {
             uint8_t buffer[96];
             size_t usedSize = DSAConvertSignatureFormat(buffer, sizeof(buffer), DSA_P1363,
                                                         sig.getValue().value(),
                                                         sig.getValue().value_size(),
                                                         DSA_DER);
             return verifier.VerifyMessage(buf, size, buffer, usedSize);
           }

           default:
             return false;
         }
       }

       default:
         // Unsupported sig type
         return false;
     }
   }
   catch (const CryptoPP::Exception& e) {
     return false;
   }
 }

 bool
 Validator::verifySignature(const uint8_t* buf, const size_t size, const DigestSha256& sig)
 {
   try {
     ConstBufferPtr buffer = crypto::computeSha256Digest(buf, size);
     const Block& sigValue = sig.getValue();

     if (buffer != nullptr &&
         buffer->size() == sigValue.value_size() &&
         buffer->size() == crypto::SHA256_DIGEST_SIZE) {
       const uint8_t* p1 = buffer->buf();
       const uint8_t* p2 = sigValue.value();

       return 0 == memcmp(p1, p2, crypto::SHA256_DIGEST_SIZE);
     }
     else
       return false;
   }
   catch (const CryptoPP::Exception& e) {
     return false;
   }
 }

 void
 Validator::onNack(const Interest& interest,
                   const lp::Nack& nack,
                   int remainingRetries,
                   const OnFailure& onFailure,
                   const shared_ptr<ValidationRequest>& validationRequest)
 {
   if (remainingRetries > 0) {
     Interest newInterest = Interest(interest);
     newInterest.refreshNonce();

     //Express the same interest with different nonce and decremented remainingRetries.
     m_face->expressInterest(newInterest,
                             bind(&Validator::onData, this, _1, _2, validationRequest),
                             bind(&Validator::onNack, this, _1, _2,
                                  remainingRetries - 1, onFailure, validationRequest),
                             bind(&Validator::onTimeout, this, _1,
                                  remainingRetries - 1, onFailure, validationRequest));
   }
   else {
     onFailure("Cannot fetch cert: " + interest.getName().toUri());
   }
 }

 void
 Validator::onTimeout(const Interest& interest,
                      int remainingRetries,
                      const OnFailure& onFailure,
                      const shared_ptr<ValidationRequest>& validationRequest)
 {
   if (remainingRetries > 0) {
     Interest newInterest = Interest(interest);
     newInterest.refreshNonce();

     // Express the same interest with different nonce and decremented remainingRetries.
     m_face->expressInterest(newInterest,
                             bind(&Validator::onData, this, _1, _2, validationRequest),
                             bind(&Validator::onNack, this, _1, _2,
                                  remainingRetries - 1, onFailure, validationRequest),
                             bind(&Validator::onTimeout, this, _1,
                                  remainingRetries - 1, onFailure, validationRequest));
   }
   else {
     onFailure("Cannot fetch cert: " + interest.getName().toUri());
   }
 }

 void
 Validator::afterCheckPolicy(const std::vector<shared_ptr<ValidationRequest>>& nextSteps,
                             const OnFailure& onFailure)
 {
   if (m_face == nullptr) {
     onFailure("Require more information to validate the packet!");
     return;
   }

   for (shared_ptr<ValidationRequest> step : nextSteps) {
     m_face->expressInterest(step->m_interest,
                             bind(&Validator::onData, this, _1, _2, step),
                             bind(&Validator::onNack, this, _1, _2,
                                  step->m_nRetries, onFailure, step),
                             bind(&Validator::onTimeout,
                                  this, _1, step->m_nRetries,
                                  onFailure,
                                  step));
   }
 }

 } // namespace security
 } // namespace ndn
ndn::Oid::decode
void decode(CryptoPP::BufferedTransformation &in)
Definition: oid.cpp:135

ndn::security::OnInterestValidationFailed
function< void(const shared_ptr< const Interest > &, const std::string &)> OnInterestValidationFailed
Callback to report a failed Interest validation.
Definition: validation-request.hpp:37

ndn::security::Validator::validate
void validate(const Data &data, const OnDataValidated &onValidated, const OnDataValidationFailed &onValidationFailed)
Validate Data and call either onValidated or onValidationFailed.
Definition: validator.hpp:81

ndn
Copyright (c) 2011-2015 Regents of the University of California.
Definition: ndn-strategy-choice-helper.hpp:34

ndn::Name::toUri
std::string toUri() const
Encode this name as a URI.
Definition: name.cpp:171

ndn::security::v1::PublicKey::get
const Buffer & get() const
Definition: public-key.hpp:72

CryptoPP
Copyright (c) 2013-2016 Regents of the University of California.
Definition: oid.hpp:29

ndn::security::Validator::preCertificateValidation
virtual shared_ptr< const Data > preCertificateValidation(const Data &data)
Hooks.
Definition: validator.hpp:278

ndn::security::Validator::checkPolicy
virtual void checkPolicy(const Data &data, int nSteps, const OnDataValidated &onValidated, const OnDataValidationFailed &onValidationFailed, std::vector< shared_ptr< ValidationRequest >> &nextSteps)=0
Check the Data against policy and return the next validation step if necessary.

ndn::tlv::SignatureSha256WithRsa
Definition: tlv.hpp:97

ndn::Interest::refreshNonce
void refreshNonce()
Refresh nonce.
Definition: interest.cpp:91

ndn::Block::value_size
size_t value_size() const
Definition: block.cpp:529

ndn::Data::getName
const Name & getName() const
Get name of the Data packet.
Definition: data.hpp:318

ndn::KeyType::RSA

ndn::crypto::SHA256_DIGEST_SIZE
static const size_t SHA256_DIGEST_SIZE
number of octets in a SHA256 digest
Definition: crypto.hpp:32

ndn::DigestSha256
Represent a SHA256 digest.
Definition: digest-sha256.hpp:33

ndn::Signature::setInfo
void setInfo(const Block &info)
Set SignatureInfo from a block.
Definition: signature.cpp:44

ndn::security::Validator::afterCheckPolicy
virtual void afterCheckPolicy(const std::vector< shared_ptr< ValidationRequest >> &nextSteps, const OnFailure &onFailure)
trigger after checkPolicy is done.
Definition: validator.cpp:305

validator.hpp

ndn::Block
Class representing a wire element of NDN-TLV packet format.
Definition: block.hpp:43

ndn::Interest
represents an Interest packet
Definition: interest.hpp:42

ndn::Block::value
const uint8_t * value() const
Definition: block.cpp:520

ndn::security::OnDataValidationFailed
function< void(const shared_ptr< const Data > &, const std::string &)> OnDataValidationFailed
Callback to report a failed Data validation.
Definition: validation-request.hpp:44

ndn::Signature::hasKeyLocator
bool hasKeyLocator() const
Check if SignatureInfo block has a KeyLocator.
Definition: signature.hpp:132

ndn::security::OnDataValidated
function< void(const shared_ptr< const Data > &)> OnDataValidated
Callback to report a successful Data validation.
Definition: validation-request.hpp:40

ndn::security::Validator::~Validator
virtual ~Validator()

ndn::lp::Nack
represents a Network Nack
Definition: nack.hpp:40

ndn::security::OnInterestValidated
function< void(const shared_ptr< const Interest > &)> OnInterestValidated
Callback to report a successful Interest validation.
Definition: validation-request.hpp:33

ndn::Block::size
size_t size() const
Definition: block.cpp:504

cryptopp.hpp

ndn::security::Validator::Validator
Validator(Face *face=nullptr)
Validator constructor.
Definition: validator.cpp:36

ndn::Buffer::buf
uint8_t * buf()
Definition: buffer.hpp:87

ndn::Signature::setValue
void setValue(const Block &value)
Get SignatureValue from a block.
Definition: signature.cpp:50

ndn::Signature::getValue
const Block & getValue() const
Get SignatureValue in the wire format.
Definition: signature.hpp:105

ndn::Face
Provide a communication channel with local or remote NDN forwarder.
Definition: face.hpp:125

ndn::KeyType::EC

face

ndn::Oid
Definition: oid.hpp:35

ndn::Name
Name abstraction to represent an absolute name.
Definition: name.hpp:46

ndn::signed_interest::POS_SIG_VALUE
const ssize_t POS_SIG_VALUE
Definition: security-common.hpp:33

ndn::security::Validator::OnFailure
function< void(const std::string &)> OnFailure
Definition: validator.hpp:242

ndn::security::Validator::onData
void onData(const Interest &interest, const Data &data, const shared_ptr< ValidationRequest > &nextStep)
Process the received certificate.
Definition: validator.cpp:89

ndn::Name::size
size_t size() const
Get the number of components.
Definition: name.hpp:400

ndn::security::SECP384R1
static Oid SECP384R1("1.3.132.0.34")

ndn::signed_interest::POS_SIG_INFO
const ssize_t POS_SIG_INFO
Definition: security-common.hpp:34

ndn::security::Validator::m_face
Face * m_face
Definition: validator.hpp:331

ndn::crypto::computeSha256Digest
ConstBufferPtr computeSha256Digest(const uint8_t *data, size_t dataLength)
Compute the sha-256 digest of data.
Definition: crypto.cpp:31

ndn::Data::wireEncode
size_t wireEncode(EncodingImpl< TAG > &encoder, bool wantUnsignedPortionOnly=false) const
Fast encoding or block size estimation.
Definition: data.cpp:52

ndn::signed_interest::MIN_LENGTH_SIG_ONLY
const size_t MIN_LENGTH_SIG_ONLY
minimal number of components for Signed Interest
Definition: security-common.hpp:46

ndn::Name::wireEncode
size_t wireEncode(EncodingImpl< TAG > &encoder) const
Fast encoding or block size estimation.
Definition: name.cpp:122

ndn::Signature::getType
uint32_t getType() const
Get signature type.
Definition: signature.hpp:123

ndn::Face::expressInterest
const PendingInterestId * expressInterest(const Interest &interest, const DataCallback &afterSatisfied, const NackCallback &afterNacked, const TimeoutCallback &afterTimeout)
Express Interest.
Definition: face.cpp:132

ndn::security::Validator::onNack
virtual void onNack(const Interest &interest, const lp::Nack &nack, int nRemainingRetries, const OnFailure &onFailure, const shared_ptr< ValidationRequest > &validationRequest)
trigger when interest retrieves a Nack.
Definition: validator.cpp:258

ndn::security::Validator::verifySignature
static bool verifySignature(const Data &data, const v1::PublicKey &publicKey)
Verify the data using the publicKey.
Definition: validator.cpp:105

ndn::Data::getSignature
const Signature & getSignature() const
Definition: data.hpp:348

ndn::tlv::SignatureSha256WithEcdsa
Definition: tlv.hpp:99

ndn::security::v1::PublicKey
Definition: public-key.hpp:43

ndn::ConstBufferPtr
shared_ptr< const Buffer > ConstBufferPtr
Definition: buffer.hpp:33

ndn::Data
represents a Data packet
Definition: data.hpp:37

ndn::tlv::Interest
Definition: tlv.hpp:61

ndn::security::v1::PublicKey::getKeyType
KeyType getKeyType() const
Definition: public-key.hpp:85

ndn::name
Definition: name-component.cpp:36

security

ndn::tlv::Error
represents an error in TLV encoding or decoding
Definition: tlv.hpp:50

ndn::Interest::getName
const Name & getName() const
Definition: interest.hpp:215

ndn::Signature
A Signature is storage for the signature-related information (info and value) in a Data packet...
Definition: signature.hpp:33

ndn::security::SECP256R1
static Oid SECP256R1("1.2.840.10045.3.1.7")

ndn::security::Validator::onTimeout
virtual void onTimeout(const Interest &interest, int nRemainingRetries, const OnFailure &onFailure, const shared_ptr< ValidationRequest > &validationRequest)
trigger when interest for certificate times out.
Definition: validator.cpp:282