A ConfigPolicyManager manages trust according to a configuration file in the Validator Configuration File Format. More...
#include <config-policy-manager.hpp>
Public Member Functions | |
| ConfigPolicyManager (const std::string &configFileName="", const ptr_lib::shared_ptr< CertificateCache > &certificateCache=ptr_lib::shared_ptr< CertificateCache >(), int searchDepth=5, Milliseconds graceInterval=3000, Milliseconds keyTimestampTtl=3600000, int maxTrackedKeys=1000) | |
| Create a new ConfigPolicyManager which will act on the rules specified in the configuration and download unknown certificates when necessary. More... | |
| ConfigPolicyManager (const std::string &configFileName, const ptr_lib::shared_ptr< CertificateCacheV2 > &certificateCache, int searchDepth=5, Milliseconds graceInterval=3000, Milliseconds keyTimestampTtl=3600000, int maxTrackedKeys=1000) | |
| Create a new ConfigPolicyManager which will act on the rules specified in the configuration and download unknown certificates when necessary. More... | |
| virtual | ~ConfigPolicyManager () |
| The virtual destructor. | |
| void | reset () |
| Reset the certificate cache and other fields to the constructor state. | |
| void | load (const std::string &configFileName) |
| Call reset() and load the configuration rules from the file. More... | |
| void | load (const std::string &input, const std::string &inputName) |
| Call reset() and load the configuration rules from the input. More... | |
| virtual bool | skipVerifyAndTrust (const Data &data) |
| Check if the received data packet can escape from verification and be trusted as valid. More... | |
| virtual bool | skipVerifyAndTrust (const Interest &interest) |
| Check if the received signed interest can escape from verification and be trusted as valid. More... | |
| virtual bool | requireVerify (const Data &data) |
| Check if this PolicyManager has a verification rule for the received data. More... | |
| virtual bool | requireVerify (const Interest &interest) |
| Check if this PolicyManager has a verification rule for the received signed interest. More... | |
| virtual ptr_lib::shared_ptr < ValidationRequest > | checkVerificationPolicy (const ptr_lib::shared_ptr< Data > &data, int stepCount, const OnVerified &onVerified, const OnDataValidationFailed &onValidationFailed) |
| Check whether the received data packet complies with the verification policy, and get the indication of the next verification step. More... | |
| virtual ptr_lib::shared_ptr < ValidationRequest > | checkVerificationPolicy (const ptr_lib::shared_ptr< Interest > &interest, int stepCount, const OnVerifiedInterest &onVerified, const OnInterestValidationFailed &onValidationFailed, WireFormat &wireFormat) |
| Check whether the received signed interest complies with the verification policy, and get the indication of the next verification step. More... | |
| virtual bool | checkSigningPolicy (const Name &dataName, const Name &certificateName) |
| Override to always indicate that the signing certificate name and data name satisfy the signing policy. More... | |
| virtual Name | inferSigningIdentity (const Name &dataName) |
| Infer the signing identity name according to the policy. More... | |
 Public Member Functions inherited from ndn::PolicyManager | |
| virtual | ~PolicyManager () |
| The virtual destructor. | |
Additional Inherited Members | |
| Static Protected Member Functions inherited from ndn::PolicyManager | |
| static bool | verifySignature (const Signature *signature, const SignedBlob &signedBlob, const Blob &publicKeyDer) |
| Check the type of signature and use the publicKeyDer to verify the signedBlob using the appropriate signature algorithm. More... | |
A ConfigPolicyManager manages trust according to a configuration file in the Validator Configuration File Format.
See: http://named-data.net/doc/ndn-cxx/current/tutorials/security-validator-config.html
Once a rule is matched, the ConfigPolicyManager looks in the certificate cache for the certificate matching the name in the KeyLocator and uses its public key to verify the data packet or signed interest. If the certificate can't be found, it is downloaded, verified and installed. A chain of certificates will be followed to a maximum depth. If the new certificate is accepted, it is used to complete the verification.
The KeyLocators of data packets and signed interests MUST contain a name for verification to succeed.
| ndn::ConfigPolicyManager::ConfigPolicyManager | ( | const std::string & | configFileName = "", |
| const ptr_lib::shared_ptr< CertificateCache > & | certificateCache = ptr_lib::shared_ptr< CertificateCache >(), |
||
| int | searchDepth = 5, |
||
| Milliseconds | graceInterval = 3000, |
||
| Milliseconds | keyTimestampTtl = 3600000, |
||
| int | maxTrackedKeys = 1000 |
||
| ) |
Create a new ConfigPolicyManager which will act on the rules specified in the configuration and download unknown certificates when necessary.
This creates a security v1 PolicyManager to verify certificates in format v1. To verify certificate format v2, use the ConfigPolicyManager with a CertificateCacheV2.
| configFileName | (optional) If not empty, the path to the configuration file containing verification rules. Otherwise, you should separately call load(). |
| certificateCache | (optional) A CertificateCache to hold known certificates. If this is null or omitted, then create an internal CertificateCache. |
| searchDepth | (optional) The maximum number of links to follow when verifying a certificate chain. |
| graceInterval | (optional) The window of time difference (in milliseconds) allowed between the timestamp of the first interest signed with a new public key and the validation time. If omitted, use a default value. |
| keyTimestampTtl | (optional) How long a public key's last-used timestamp is kept in the store (milliseconds). If omitted, use a default value. |
| maxTrackedKeys | (optional) The maximum number of public key use timestamps to track. If omitted, use a default. |
| ndn::ConfigPolicyManager::ConfigPolicyManager | ( | const std::string & | configFileName, |
| const ptr_lib::shared_ptr< CertificateCacheV2 > & | certificateCache, | ||
| int | searchDepth = 5, |
||
| Milliseconds | graceInterval = 3000, |
||
| Milliseconds | keyTimestampTtl = 3600000, |
||
| int | maxTrackedKeys = 1000 |
||
| ) |
Create a new ConfigPolicyManager which will act on the rules specified in the configuration and download unknown certificates when necessary.
This uses certificate format v2.
| configFileName | If not empty, the path to the configuration file containing verification rules. Otherwise, you can give an empty string and separately call load(). |
| certificateCache | A CertificateCacheV2 to hold known certificates. |
| searchDepth | (optional) The maximum number of links to follow when verifying a certificate chain. |
| graceInterval | (optional) The window of time difference (in milliseconds) allowed between the timestamp of the first interest signed with a new public key and the validation time. If omitted, use a default value. |
| keyTimestampTtl | (optional) How long a public key's last-used timestamp is kept in the store (milliseconds). If omitted, use a default value. |
| maxTrackedKeys | (optional) The maximum number of public key use timestamps to track. If omitted, use a default. |
|
virtual |
Override to always indicate that the signing certificate name and data name satisfy the signing policy.
| dataName | The name of data to be signed. |
| certificateName | The name of signing certificate. |
Implements ndn::PolicyManager.
|
virtual |
Check whether the received data packet complies with the verification policy, and get the indication of the next verification step.
| data | The Data object with the signature to check. |
| stepCount | The number of verification steps that have been done, used to track the verification progress. |
| onVerified | If the signature is verified, this calls onVerified(data). NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions. |
| onValidationFailed | If the signature check fails, this calls onValidationFailed(data, reason). NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions. |
Implements ndn::PolicyManager.
|
virtual |
Check whether the received signed interest complies with the verification policy, and get the indication of the next verification step.
| interest | The interest with the signature to check. |
| stepCount | The number of verification steps that have been done, used to track the verification progress. |
| onVerified | If the signature is verified, this calls onVerified(interest). NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions. |
| onValidationFailed | If the signature check fails, this calls onValidationFailed(interest, reason). NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions. |
Implements ndn::PolicyManager.
Infer the signing identity name according to the policy.
If the signing identity cannot be inferred, return an empty name.
| dataName | The name of data to be signed. |
Implements ndn::PolicyManager.
| void ndn::ConfigPolicyManager::load | ( | const std::string & | configFileName | ) |
Call reset() and load the configuration rules from the file.
| configFileName | The path to the configuration file containing the verification rules. |
| void ndn::ConfigPolicyManager::load | ( | const std::string & | input, |
| const std::string & | inputName | ||
| ) |
Call reset() and load the configuration rules from the input.
| input | The contents of the configuration rules, with lines separated by "\n" or "\r\n". |
| inputName | Used for log messages, etc. |
|
virtual |
Check if this PolicyManager has a verification rule for the received data.
If the configuration file contains the trust anchor 'any', nothing is verified.
| data | The received data packet. |
Implements ndn::PolicyManager.
|
virtual |
Check if this PolicyManager has a verification rule for the received signed interest.
If the configuration file contains the trust anchor 'any', nothing is verified.
| interest | The received interest. |
Implements ndn::PolicyManager.
|
virtual |
Check if the received data packet can escape from verification and be trusted as valid.
If the configuration file contains the trust anchor 'any', nothing is verified.
| data | The received data packet. |
Implements ndn::PolicyManager.
|
virtual |
Check if the received signed interest can escape from verification and be trusted as valid.
If the configuration file contains the trust anchor 'any', nothing is verified.
| interest | The received interest. |
Implements ndn::PolicyManager.
1.8.6
