verification-helpers.cpp
Go to the documentation of this file.
1 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
2 /*
3  * Copyright (c) 2013-2017 Regents of the University of California.
4  *
5  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
6  *
7  * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8  * terms of the GNU Lesser General Public License as published by the Free Software
9  * Foundation, either version 3 of the License, or (at your option) any later version.
10  *
11  * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12  * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13  * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14  *
15  * You should have received copies of the GNU General Public License and GNU Lesser
16  * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17  * <http://www.gnu.org/licenses/>.
18  *
19  * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
20  */
21 
22 #include "verification-helpers.hpp"
23 
24 #include "detail/openssl.hpp"
25 #include "pib/key.hpp"
26 #include "transform/bool-sink.hpp"
27 #include "transform/buffer-source.hpp"
28 #include "transform/digest-filter.hpp"
29 #include "transform/public-key.hpp"
30 #include "transform/stream-sink.hpp"
31 #include "transform/verifier-filter.hpp"
32 #include "v2/certificate.hpp"
33 #include "../data.hpp"
34 #include "../interest.hpp"
35 #include "../encoding/buffer-stream.hpp"
36 
37 namespace ndn {
38 namespace security {
39 
40 bool
41 verifySignature(const uint8_t* blob, size_t blobLen, const uint8_t* sig, size_t sigLen,
42  const v2::PublicKey& pKey)
43 {
44  bool result = false;
45  try {
46  using namespace transform;
47  bufferSource(blob, blobLen) >> verifierFilter(DigestAlgorithm::SHA256, pKey, sig, sigLen)
48  >> boolSink(result);
49  }
50  catch (const transform::Error&) {
51  return false;
52  }
53  return result;
54 }
55 
56 bool
57 verifySignature(const uint8_t* data, size_t dataLen, const uint8_t* sig, size_t sigLen,
58  const uint8_t* key, size_t keyLen)
59 {
60  v2::PublicKey pKey;
61  try {
62  pKey.loadPkcs8(key, keyLen);
63  }
64  catch (const transform::Error&) {
65  return false;
66  }
67 
68  return verifySignature(data, dataLen, sig, sigLen, pKey);
69 }
70 
71 static std::tuple<bool, const uint8_t*, size_t, const uint8_t*, size_t>
72 parse(const Data& data)
73 {
74  try {
75  return std::make_tuple(true,
76  data.wireEncode().value(),
77  data.wireEncode().value_size() - data.getSignature().getValue().size(),
78  data.getSignature().getValue().value(),
79  data.getSignature().getValue().value_size());
80  }
81  catch (const tlv::Error&) {
82  return std::make_tuple(false, nullptr, 0, nullptr, 0);
83  }
84 }
85 
86 static std::tuple<bool, const uint8_t*, size_t, const uint8_t*, size_t>
87 parse(const Interest& interest)
88 {
89  const Name& interestName = interest.getName();
90 
91  if (interestName.size() < signed_interest::MIN_SIZE)
92  return std::make_tuple(false, nullptr, 0, nullptr, 0);
93 
94  try {
95  const Block& nameBlock = interestName.wireEncode();
96 
97  return std::make_tuple(true,
98  nameBlock.value(), nameBlock.value_size() - interestName[signed_interest::POS_SIG_VALUE].size(),
99  interestName[signed_interest::POS_SIG_VALUE].blockFromValue().value(),
100  interestName[signed_interest::POS_SIG_VALUE].blockFromValue().value_size());
101  }
102  catch (const tlv::Error&) {
103  return std::make_tuple(false, nullptr, 0, nullptr, 0);
104  }
105 }
106 
107 static bool
108 verifySignature(const std::tuple<bool, const uint8_t*, size_t, const uint8_t*, size_t>& params,
109  const v2::PublicKey& pKey)
110 {
111  bool isParsable = false;
112  const uint8_t* buf = nullptr;
113  size_t bufLen = 0;
114  const uint8_t* sig = nullptr;
115  size_t sigLen = 0;
116 
117  std::tie(isParsable, buf, bufLen, sig, sigLen) = params;
118 
119  if (isParsable)
120  return verifySignature(buf, bufLen, sig, sigLen, pKey);
121  else
122  return false;
123 }
124 
125 static bool
126 verifySignature(const std::tuple<bool, const uint8_t*, size_t, const uint8_t*, size_t>& params,
127  const uint8_t* key, size_t keyLen)
128 {
129  bool isParsable = false;
130  const uint8_t* buf = nullptr;
131  size_t bufLen = 0;
132  const uint8_t* sig = nullptr;
133  size_t sigLen = 0;
134 
135  std::tie(isParsable, buf, bufLen, sig, sigLen) = params;
136 
137  if (isParsable)
138  return verifySignature(buf, bufLen, sig, sigLen, key, keyLen);
139  else
140  return false;
141 }
142 
143 bool
144 verifySignature(const Data& data, const v2::PublicKey& key)
145 {
146  return verifySignature(parse(data), key);
147 }
148 
149 bool
150 verifySignature(const Interest& interest, const v2::PublicKey& key)
151 {
152  return verifySignature(parse(interest), key);
153 }
154 
155 bool
156 verifySignature(const Data& data, const pib::Key& key)
157 {
158  return verifySignature(parse(data), key.getPublicKey().data(), key.getPublicKey().size());
159 }
160 
161 bool
162 verifySignature(const Interest& interest, const pib::Key& key)
163 {
164  return verifySignature(parse(interest), key.getPublicKey().data(), key.getPublicKey().size());
165 }
166 
167 bool
168 verifySignature(const Data& data, const uint8_t* key, size_t keyLen)
169 {
170  return verifySignature(parse(data), key, keyLen);
171 }
172 
173 bool
174 verifySignature(const Interest& interest, const uint8_t* key, size_t keyLen)
175 {
176  return verifySignature(parse(interest), key, keyLen);
177 }
178 
179 bool
180 verifySignature(const Data& data, const v2::Certificate& cert)
181 {
182  return verifySignature(parse(data), cert.getContent().value(), cert.getContent().value_size());
183 }
184 
185 bool
186 verifySignature(const Interest& interest, const v2::Certificate& cert)
187 {
188  return verifySignature(parse(interest), cert.getContent().value(), cert.getContent().value_size());
189 }
190 
192 
193 bool
194 verifyDigest(const uint8_t* blob, size_t blobLen, const uint8_t* digest, size_t digestLen,
195  DigestAlgorithm algorithm)
196 {
197  using namespace transform;
198 
199  OBufferStream os;
200  try {
201  bufferSource(blob, blobLen) >> digestFilter(algorithm) >> streamSink(os);
202  }
203  catch (const transform::Error&) {
204  return false;
205  }
206  ConstBufferPtr result = os.buf();
207 
208  if (result->size() != digestLen)
209  return false;
210 
211  // constant-time buffer comparison to mitigate timing attacks
212  return CRYPTO_memcmp(result->data(), digest, digestLen) == 0;
213 }
214 
215 bool
216 verifyDigest(const Data& data, DigestAlgorithm algorithm)
217 {
218  bool isParsable = false;
219  const uint8_t* buf = nullptr;
220  size_t bufLen = 0;
221  const uint8_t* sig = nullptr;
222  size_t sigLen = 0;
223 
224  std::tie(isParsable, buf, bufLen, sig, sigLen) = parse(data);
225 
226  if (isParsable) {
227  return verifyDigest(buf, bufLen, sig, sigLen, algorithm);
228  }
229  else {
230  return false;
231  }
232 }
233 
234 bool
235 verifyDigest(const Interest& interest, DigestAlgorithm algorithm)
236 {
237  bool isParsable = false;
238  const uint8_t* buf = nullptr;
239  size_t bufLen = 0;
240  const uint8_t* sig = nullptr;
241  size_t sigLen = 0;
242 
243  std::tie(isParsable, buf, bufLen, sig, sigLen) = parse(interest);
244 
245  if (isParsable) {
246  return verifyDigest(buf, bufLen, sig, sigLen, algorithm);
247  }
248  else {
249  return false;
250  }
251 }
252 
253 } // namespace security
254 } // namespace ndn
ndn::Interest::getName
const Name & getName() const
Definition: interest.hpp:139
ndn
Copyright (c) 2013-2017 Regents of the University of California.
Definition: common.hpp:66
ndn::security::v2::Certificate
The certificate following the certificate format naming convention.
Definition: certificate.hpp:81
ndn::Data::getSignature
const Signature & getSignature() const
Get Signature.
Definition: data.hpp:182
ndn::signed_interest::MIN_SIZE
const size_t MIN_SIZE
minimal number of components for Signed Interest
Definition: security-common.hpp:37
ndn::Name::wireEncode
size_t wireEncode(EncodingImpl< TAG > &encoder) const
Fast encoding or block size estimation.
Definition: name.cpp:131
ndn::Block
Represents a TLV element of NDN packet format.
Definition: block.hpp:42
ndn::Interest
represents an Interest packet
Definition: interest.hpp:42
ndn::Signature::getValue
const Block & getValue() const
Get SignatureValue.
Definition: signature.hpp:99
ndn::Block::size
size_t size() const
Get size of encoded wire, including Type-Length-Value.
Definition: block.cpp:299
ndn::security::verifyDigest
bool verifyDigest(const uint8_t *blob, size_t blobLen, const uint8_t *digest, size_t digestLen, DigestAlgorithm algorithm)
Verify blob against digest using algorithm.
Definition: verification-helpers.cpp:194
ndn::Data::wireEncode
size_t wireEncode(EncodingImpl< TAG > &encoder, bool wantUnsignedPortionOnly=false) const
Fast encoding or block size estimation.
Definition: data.cpp:48
ndn::security::pib::Key
A frontend handle of a key instance.
Definition: key.hpp:49
ndn::security::transform::streamSink
unique_ptr< Sink > streamSink(std::ostream &os)
Definition: stream-sink.cpp:53
ndn::Name::size
size_t size() const
Get number of components.
Definition: name.hpp:154
ndn::security::transform::digestFilter
unique_ptr< Transform > digestFilter(DigestAlgorithm algo)
Definition: digest-filter.cpp:78
ndn::KeyIdType::SHA256
Use the SHA256 hash of the public key as the key id.
ndn::Name
Represents an absolute name.
Definition: name.hpp:42
ndn::security::transform::Error
Base class of transformation error.
Definition: transform-base.hpp:47
ndn::security::transform::verifierFilter
unique_ptr< Transform > verifierFilter(DigestAlgorithm algo, const PublicKey &key, const uint8_t *sig, size_t sigLen)
Definition: verifier-filter.cpp:94
ndn::Block::value_size
size_t value_size() const
Get size of TLV-VALUE aka TLV-LENGTH.
Definition: block.cpp:317
ndn::signed_interest::POS_SIG_VALUE
const ssize_t POS_SIG_VALUE
Definition: security-common.hpp:31
ndn::security::pib::Key::getPublicKey
const Buffer & getPublicKey() const
Get public key bits.
Definition: key.cpp:56
ndn::security::verifySignature
bool verifySignature(const uint8_t *blob, size_t blobLen, const uint8_t *sig, size_t sigLen, const v2::PublicKey &pKey)
Verify blob using key against sig.
Definition: verification-helpers.cpp:41
ndn::OBufferStream::buf
shared_ptr< Buffer > buf()
Flush written data to the stream and return shared pointer to the underlying buffer.
Definition: buffer-stream.cpp:54
ndn::Data::getContent
const Block & getContent() const
Get Content.
Definition: data.cpp:185
ndn::security::parse
static std::tuple< bool, const uint8_t *, size_t, const uint8_t *, size_t > parse(const Data &data)
Definition: verification-helpers.cpp:72
ndn::Block::value
const uint8_t * value() const
Get pointer to TLV-VALUE.
Definition: block.cpp:311
ndn::OBufferStream
implements an output stream that constructs ndn::Buffer
Definition: buffer-stream.hpp:70
ndn::Data
Represents a Data packet.
Definition: data.hpp:35
ndn::security::transform::boolSink
unique_ptr< Sink > boolSink(bool &value)
Definition: bool-sink.cpp:51
ndn::tlv::Error
represents an error in TLV encoding or decoding
Definition: encoding/tlv.hpp:50
ndn::ConstBufferPtr
shared_ptr< const Buffer > ConstBufferPtr
Definition: buffer.hpp:89