de/da9/command-interest-validator_8hpp_source.html

 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */

 #ifndef NDN_UTIL_COMMAND_INTEREST_VALIDATOR_HPP

 #define NDN_UTIL_COMMAND_INTEREST_VALIDATOR_HPP


 #include "../security/validator.hpp"

 #include "../security/identity-certificate.hpp"

 #include "../security/sec-rule-specific.hpp"


 namespace ndn {


 class CommandInterestValidator : public Validator

 {

 public:

   enum {

     POS_SIG_VALUE = -1,

     POS_SIG_INFO = -2,

     POS_RANDOM_VAL = -3,

     POS_TIMESTAMP = -4,


     MIN_LENGTH = 4,


     GRACE_INTERVAL = 3000 // ms

   };


   CommandInterestValidator(const time::milliseconds& graceInterval =

                            time::milliseconds(static_cast<int>(GRACE_INTERVAL)))

     : m_graceInterval(graceInterval < time::milliseconds::zero() ?

                       time::milliseconds(static_cast<int>(GRACE_INTERVAL)) : graceInterval)

   {

   }


   virtual

   ~CommandInterestValidator()

   {

   }


   void

   addInterestRule(const std::string& regex, const IdentityCertificate& certificate);


   void

   addInterestRule(const std::string& regex, const Name& keyName, const PublicKey& publicKey);


 protected:

   virtual void

   checkPolicy(const Data& data,

               int stepCount,

               const OnDataValidated& onValidated,

               const OnDataValidationFailed& onValidationFailed,

               std::vector<shared_ptr<ValidationRequest> >& nextSteps)

   {

     onValidationFailed(data.shared_from_this(), "No policy for data checking");

   }


   virtual void

   checkPolicy(const Interest& interest,

               int stepCount,

               const OnInterestValidated& onValidated,

               const OnInterestValidationFailed& onValidationFailed,

               std::vector<shared_ptr<ValidationRequest> >& nextSteps);

 private:

   time::milliseconds m_graceInterval; //ms

   std::map<Name, PublicKey> m_trustAnchorsForInterest;

   std::list<SecRuleSpecific> m_trustScopeForInterest;


   typedef std::map<Name, time::system_clock::TimePoint> LastTimestampMap;

   LastTimestampMap m_lastTimestamp;

 };


 inline void

 CommandInterestValidator::addInterestRule(const std::string& regex,

                                           const IdentityCertificate& certificate)

 {

   Name keyName = IdentityCertificate::certificateNameToPublicKeyName(certificate.getName());

   addInterestRule(regex, keyName, certificate.getPublicKeyInfo());

 }


 inline void

 CommandInterestValidator::addInterestRule(const std::string& regex,

                                           const Name& keyName,

                                           const PublicKey& publicKey)

 {

   m_trustAnchorsForInterest[keyName] = publicKey;

   shared_ptr<Regex> interestRegex = make_shared<Regex>(regex);

   shared_ptr<Regex> signerRegex = Regex::fromName(keyName, true);

   m_trustScopeForInterest.push_back(SecRuleSpecific(interestRegex, signerRegex));

 }


 inline void

 CommandInterestValidator::checkPolicy(const Interest& interest,

                                       int stepCount,

                                       const OnInterestValidated& onValidated,

                                       const OnInterestValidationFailed& onValidationFailed,

                                       std::vector<shared_ptr<ValidationRequest> >& nextSteps)

 {

   const Name& interestName = interest.getName();


   //Prepare

   if (interestName.size() < MIN_LENGTH)

     return onValidationFailed(interest.shared_from_this(),

                               "Interest is not signed: " + interest.getName().toUri());

   Name keyName;

   try

     {

       Signature signature(interestName[POS_SIG_INFO].blockFromValue(),

                           interestName[POS_SIG_VALUE].blockFromValue());


       if (signature.getType() != Signature::Sha256WithRsa)

         return onValidationFailed(interest.shared_from_this(),

                                   "Require SignatureSha256WithRsa");


       SignatureSha256WithRsa sig(signature);


       const KeyLocator& keyLocator = sig.getKeyLocator();


       if (keyLocator.getType() != KeyLocator::KeyLocator_Name)

         return onValidationFailed(interest.shared_from_this(),

                                   "Key Locator is not a name");


       keyName = IdentityCertificate::certificateNameToPublicKeyName(keyLocator.getName());


       //Check if command is in the trusted scope

       bool isInScope = false;

       for (std::list<SecRuleSpecific>::iterator scopeIt = m_trustScopeForInterest.begin();

            scopeIt != m_trustScopeForInterest.end();

            ++scopeIt)

         {

           if (scopeIt->satisfy(interestName, keyName))

             {

               isInScope = true;

               break;

             }

         }

       if (isInScope == false)

         return onValidationFailed(interest.shared_from_this(),

                                   "Signer cannot be authorized for the command: " +

                                   keyName.toUri());


       //Check signature

       if (!Validator::verifySignature(interestName.wireEncode().value(),

                                       interestName.wireEncode().value_size() -

                                       interestName[-1].size(),

                                       sig, m_trustAnchorsForInterest[keyName]))

         return onValidationFailed(interest.shared_from_this(),

                                   "Signature cannot be validated: " +

                                   interest.getName().toUri());


       //Check if timestamp is valid

       time::system_clock::TimePoint interestTime =

         time::fromUnixTimestamp(time::milliseconds(interestName.get(POS_TIMESTAMP).toNumber()));


       time::system_clock::TimePoint currentTime = time::system_clock::now();


       LastTimestampMap::iterator timestampIt = m_lastTimestamp.find(keyName);

       if (timestampIt == m_lastTimestamp.end())

         {

           if (!(currentTime - m_graceInterval <= interestTime &&

                 interestTime <= currentTime + m_graceInterval))

             return onValidationFailed(interest.shared_from_this(),

                                       "The command is not in grace interval: " +

                                       interest.getName().toUri());

         }

       else

         {

           if (interestTime <= timestampIt->second)

             return onValidationFailed(interest.shared_from_this(),

                                       "The command is outdated: " +

                                       interest.getName().toUri());

         }


       //Update timestamp

       if (timestampIt == m_lastTimestamp.end())

         {

           m_lastTimestamp[keyName] = interestTime;

         }

       else

         {

           timestampIt->second = interestTime;

         }

     }

   catch (Signature::Error& e)

     {

       return onValidationFailed(interest.shared_from_this(),

                                 "No valid signature");

     }

   catch (IdentityCertificate::Error& e)

     {

       return onValidationFailed(interest.shared_from_this(),

                                 "Cannot locate the signing key");

     }

   catch (Tlv::Error& e)

     {

       return onValidationFailed(interest.shared_from_this(),

                                 "Cannot decode signature related TLVs");

     }


   return onValidated(interest.shared_from_this());

 }


 } // namespace ndn


 #endif // NDN_UTIL_COMMAND_INTEREST_VALIDATOR_HPP

ndn::SignatureSha256WithRsa
Representing of SHA256-with-RSA signature in a data packet.
Definition: signature-sha256-with-rsa.hpp:18

ndn::Interest::getName
const Name & getName() const
Definition: interest.hpp:182

ndn::CommandInterestValidator
Definition: command-interest-validator.hpp:16

ndn::RegexTopMatcher::fromName
static shared_ptr< RegexTopMatcher > fromName(const Name &name, bool hasAnchor=false)
Definition: regex-top-matcher.cpp:177

ndn::SecRuleSpecific
Definition: sec-rule-specific.hpp:17

ndn::CommandInterestValidator::addInterestRule
void addInterestRule(const std::string &regex, const IdentityCertificate &certificate)
Definition: command-interest-validator.hpp:75

ndn::IdentityCertificate::certificateNameToPublicKeyName
static Name certificateNameToPublicKeyName(const Name &certificateName)
Get the public key name from the full certificate name.
Definition: identity-certificate.cpp:59

ndn::Interest
An Interest holds a Name and other fields for an interest.
Definition: interest.hpp:24

ndn::Certificate::getPublicKeyInfo
PublicKey & getPublicKeyInfo()
Definition: certificate.hpp:149

ndn::KeyLocator::KeyLocator_Name
Definition: key-locator.hpp:31

ndn::Data::getName
const Name & getName() const
Definition: data.hpp:346

ndn::Signature::getType
uint32_t getType() const
Definition: signature.hpp:50

ndn::Name::toUri
std::string toUri() const
Encode this name as a URI.
Definition: name.hpp:536

ndn::KeyLocator::getName
const Name & getName() const
Definition: key-locator.hpp:169

ndn::OnDataValidated
function< void(const shared_ptr< const Data > &)> OnDataValidated
Callback to report a successful Data validation.
Definition: validation-request.hpp:23

ndn::CommandInterestValidator::~CommandInterestValidator
virtual ~CommandInterestValidator()
Definition: command-interest-validator.hpp:38

ndn::SignatureSha256WithRsa::getKeyLocator
const KeyLocator & getKeyLocator() const
Definition: signature-sha256-with-rsa.hpp:55

ndn::OnDataValidationFailed
function< void(const shared_ptr< const Data > &, const std::string &)> OnDataValidationFailed
Callback to report a failed Data validation.
Definition: validation-request.hpp:27

ndn::CommandInterestValidator::POS_SIG_INFO
Definition: command-interest-validator.hpp:21

ndn::Name::size
size_t size() const
Get the number of components.
Definition: name.hpp:329

ndn::IdentityCertificate::Error
Definition: identity-certificate.hpp:20

ndn::Name
A Name holds an array of Name::Component and represents an NDN name.
Definition: name.hpp:26

ndn::CommandInterestValidator::MIN_LENGTH
Definition: command-interest-validator.hpp:25

ndn::Name::wireEncode
size_t wireEncode(EncodingImpl< T > &block) const
Fast encoding or block size estimation.
Definition: name.hpp:711

ndn::CommandInterestValidator::POS_TIMESTAMP
Definition: command-interest-validator.hpp:23

ndn::time::system_clock::TimePoint
time_point TimePoint
Definition: time.hpp:55

ndn::CommandInterestValidator::CommandInterestValidator
CommandInterestValidator(const time::milliseconds &graceInterval=time::milliseconds(static_cast< int >(GRACE_INTERVAL)))
Definition: command-interest-validator.hpp:30

ndn::KeyLocator
Definition: key-locator.hpp:16

ndn::OnInterestValidationFailed
function< void(const shared_ptr< const Interest > &, const std::string &)> OnInterestValidationFailed
Callback to report a failed Interest validation.
Definition: validation-request.hpp:20

ndn::time::fromUnixTimestamp
system_clock::TimePoint fromUnixTimestamp(const milliseconds &duration)
Convert UNIX timestamp to system_clock::TimePoint.
Definition: time.hpp:116

ndn::KeyLocator::getType
uint32_t getType() const
Definition: key-locator.hpp:76

ndn::CommandInterestValidator::GRACE_INTERVAL
Definition: command-interest-validator.hpp:27

ndn::Validator::verifySignature
static bool verifySignature(const Data &data, const PublicKey &publicKey)
Verify the data using the publicKey.
Definition: validator.cpp:128

ndn::CommandInterestValidator::checkPolicy
virtual void checkPolicy(const Data &data, int stepCount, const OnDataValidated &onValidated, const OnDataValidationFailed &onValidationFailed, std::vector< shared_ptr< ValidationRequest > > &nextSteps)
Check the Data against policy and return the next validation step if necessary.
Definition: command-interest-validator.hpp:50

ndn::CommandInterestValidator::POS_SIG_VALUE
Definition: command-interest-validator.hpp:20

ndn::Signature::Error
Definition: signature.hpp:18

ndn::PublicKey
Definition: public-key.hpp:19

ndn::Data
Definition: data.hpp:21

ndn::name::Component::toNumber
uint64_t toNumber() const
Interpret this name component as nonNegativeInteger.
Definition: name-component.hpp:435

ndn::Validator
Validator is one of the main classes of the security library.
Definition: validator.hpp:27

ndn::OnInterestValidated
function< void(const shared_ptr< const Interest > &)> OnInterestValidated
Callback to report a successful Interest validation.
Definition: validation-request.hpp:16

ndn::CommandInterestValidator::POS_RANDOM_VAL
Definition: command-interest-validator.hpp:22

ndn::IdentityCertificate
Definition: identity-certificate.hpp:17

ndn::Name::get
const Component & get(ssize_t i) const
Get the component at the given index.
Definition: name.hpp:340

ndn::Signature::Sha256WithRsa
Definition: signature.hpp:30

ndn::Tlv::Error
Definition: tlv.hpp:25

ndn::Signature
A Signature is storage for the signature-related information (info and value) in a Data packet...
Definition: signature.hpp:15