d9/d0b/verification-helpers_8cpp_source.html

 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /*
  * Copyright (c) 2013-2020 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
  * ndn-cxx library is free software: you can redistribute it and/or modify it under the
  * terms of the GNU Lesser General Public License as published by the Free Software
  * Foundation, either version 3 of the License, or (at your option) any later version.
  *
  * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
  * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
  * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.
  *
  * You should have received copies of the GNU General Public License and GNU Lesser
  * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see
  * <http://www.gnu.org/licenses/>.
  *
  * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
  */

 #include "ndn-cxx/security/verification-helpers.hpp"

 #include "ndn-cxx/data.hpp"
 #include "ndn-cxx/encoding/buffer-stream.hpp"
 #include "ndn-cxx/interest.hpp"
 #include "ndn-cxx/security/certificate.hpp"
 #include "ndn-cxx/security/impl/openssl.hpp"
 #include "ndn-cxx/security/pib/key.hpp"
 #include "ndn-cxx/security/tpm/tpm.hpp"
 #include "ndn-cxx/security/transform/bool-sink.hpp"
 #include "ndn-cxx/security/transform/buffer-source.hpp"
 #include "ndn-cxx/security/transform/digest-filter.hpp"
 #include "ndn-cxx/security/transform/public-key.hpp"
 #include "ndn-cxx/security/transform/stream-sink.hpp"
 #include "ndn-cxx/security/transform/verifier-filter.hpp"

 namespace ndn {
 namespace security {

 namespace {

 class ParseResult
 {
 public:
   ParseResult() = default;

   ParseResult(InputBuffers bufs, const uint8_t* sig, size_t sigLen)
     : bufs(std::move(bufs))
     , sig(sig)
     , sigLen(sigLen)
   {
   }

 public:
   InputBuffers bufs;
   const uint8_t* sig = nullptr;
   size_t sigLen = 0;
 };

 } // namespace

 bool
 verifySignature(const InputBuffers& blobs, const uint8_t* sig, size_t sigLen,
                 const transform::PublicKey& key)
 {
   bool result = false;
   try {
     using namespace transform;
     bufferSource(blobs) >> verifierFilter(DigestAlgorithm::SHA256, key, sig, sigLen)
                         >> boolSink(result);
   }
   catch (const transform::Error&) {
     return false;
   }

   return result;
 }

 bool
 verifySignature(const uint8_t* blob, size_t blobLen, const uint8_t* sig, size_t sigLen,
                 const transform::PublicKey& key)
 {
   return verifySignature({{blob, blobLen}}, sig, sigLen, key);
 }

 bool
 verifySignature(const InputBuffers& blobs, const uint8_t* sig, size_t sigLen,
                 const uint8_t* key, size_t keyLen)
 {
   transform::PublicKey pKey;
   try {
     pKey.loadPkcs8(key, keyLen);
   }
   catch (const transform::Error&) {
     return false;
   }

   return verifySignature(blobs, sig, sigLen, pKey);
 }

 bool
 verifySignature(const uint8_t* blob, size_t blobLen, const uint8_t* sig, size_t sigLen,
                 const uint8_t* key, size_t keyLen)
 {
   return verifySignature({{blob, blobLen}}, sig, sigLen, key, keyLen);
 }

 static ParseResult
 parse(const Data& data)
 {
   try {
     return ParseResult(data.extractSignedRanges(),
                        data.getSignatureValue().value(),
                        data.getSignatureValue().value_size());
   }
   catch (const tlv::Error&) {
     return ParseResult();
   }
 }

 static ParseResult
 parse(const Interest& interest)
 {
   try {
     interest.wireEncode();

     if (interest.getSignatureInfo() && interest.getSignatureValue().isValid()) {
       // Verify using v0.3 Signed Interest semantics
       Block sigValue = interest.getSignatureValue();
       return ParseResult(interest.extractSignedRanges(),
                          sigValue.value(),
                          sigValue.value_size());
     }
     else {
       // Verify using older Signed Interest semantics
       const Name& interestName = interest.getName();
       if (interestName.size() < signed_interest::MIN_SIZE) {
         return ParseResult();
       }

       const Block& nameBlock = interestName.wireEncode();
       Block sigValue = interestName[signed_interest::POS_SIG_VALUE].blockFromValue();
       return ParseResult({{nameBlock.value(),
                            nameBlock.value_size() - interestName[signed_interest::POS_SIG_VALUE].size()}},
                          sigValue.value(),
                          sigValue.value_size());
     }
   }
   catch (const tlv::Error&) {
     return ParseResult();
   }
 }

 static bool
 verifySignature(ParseResult params, const transform::PublicKey& key)
 {
   return !params.bufs.empty() && verifySignature(params.bufs, params.sig, params.sigLen, key);
 }

 static bool
 verifySignature(ParseResult params, const tpm::Tpm& tpm, const Name& keyName,
                 DigestAlgorithm digestAlgorithm)
 {
   return !params.bufs.empty() && bool(tpm.verify(params.bufs, params.sig, params.sigLen, keyName, digestAlgorithm));
 }

 static bool
 verifySignature(ParseResult params, const uint8_t* key, size_t keyLen)
 {
   return !params.bufs.empty() && verifySignature(params.bufs, params.sig, params.sigLen, key, keyLen);
 }

 bool
 verifySignature(const Data& data, const transform::PublicKey& key)
 {
   return verifySignature(parse(data), key);
 }

 bool
 verifySignature(const Interest& interest, const transform::PublicKey& key)
 {
   return verifySignature(parse(interest), key);
 }

 bool
 verifySignature(const Data& data, const pib::Key& key)
 {
   return verifySignature(parse(data), key.getPublicKey().data(), key.getPublicKey().size());
 }

 bool
 verifySignature(const Interest& interest, const pib::Key& key)
 {
   return verifySignature(parse(interest), key.getPublicKey().data(), key.getPublicKey().size());
 }

 bool
 verifySignature(const Data& data, const uint8_t* key, size_t keyLen)
 {
   return verifySignature(parse(data), key, keyLen);
 }

 bool
 verifySignature(const Interest& interest, const uint8_t* key, size_t keyLen)
 {
   return verifySignature(parse(interest), key, keyLen);
 }

 bool
 verifySignature(const Data& data, const v2::Certificate& cert)
 {
   return verifySignature(parse(data), cert.getContent().value(), cert.getContent().value_size());
 }

 bool
 verifySignature(const Interest& interest, const v2::Certificate& cert)
 {
   return verifySignature(parse(interest), cert.getContent().value(), cert.getContent().value_size());
 }

 bool
 verifySignature(const Data& data, const tpm::Tpm& tpm,
                 const Name& keyName, DigestAlgorithm digestAlgorithm)
 {
   return verifySignature(parse(data), tpm, keyName, digestAlgorithm);
 }

 bool
 verifySignature(const Interest& interest, const tpm::Tpm& tpm,
                 const Name& keyName, DigestAlgorithm digestAlgorithm)
 {
   return verifySignature(parse(interest), tpm, keyName, digestAlgorithm);
 }


 bool
 verifyDigest(const InputBuffers& bufs, const uint8_t* digest, size_t digestLen,
              DigestAlgorithm algorithm)
 {
   using namespace transform;

   OBufferStream os;
   try {
     bufferSource(bufs) >> digestFilter(algorithm) >> streamSink(os);
   }
   catch (const transform::Error&) {
     return false;
   }
   ConstBufferPtr result = os.buf();

   if (result->size() != digestLen) {
     return false;
   }

   // constant-time buffer comparison to mitigate timing attacks
   return CRYPTO_memcmp(result->data(), digest, digestLen) == 0;
 }

 bool
 verifyDigest(const uint8_t* blob, size_t blobLen, const uint8_t* digest, size_t digestLen,
              DigestAlgorithm algorithm)
 {
   return verifyDigest({{blob, blobLen}}, digest, digestLen, algorithm);
 }

 bool
 verifyDigest(const Data& data, DigestAlgorithm algorithm)
 {
   ParseResult parseResult = parse(data);
   return !parseResult.bufs.empty() && verifyDigest(parseResult.bufs, parseResult.sig,
                                                    parseResult.sigLen, algorithm);
 }

 bool
 verifyDigest(const Interest& interest, DigestAlgorithm algorithm)
 {
   ParseResult parseResult = parse(interest);
   return !parseResult.bufs.empty() && verifyDigest(parseResult.bufs, parseResult.sig,
                                                    parseResult.sigLen, algorithm);
 }

 } // namespace security
 } // namespace ndn
ndn
Definition: data.cpp:26

ndn::security::v2::Certificate
The certificate following the certificate format naming convention.
Definition: certificate.hpp:81

verification-helpers.hpp

verifier-filter.hpp

key.hpp

std
STL namespace.

ndn::Block::value_size
size_t value_size() const noexcept
Return the size of TLV-VALUE, aka TLV-LENGTH.
Definition: block.cpp:308

ndn::signed_interest::MIN_SIZE
const size_t MIN_SIZE
minimal number of components for Signed Interest
Definition: security-common.hpp:39

ndn::Interest::extractSignedRanges
InputBuffers extractSignedRanges() const
Extract ranges of Interest covered by the signature in Packet Specification v0.3. ...
Definition: interest.cpp:640

ndn::Block
Represents a TLV element of the NDN packet format.
Definition: block.hpp:42

ndn::Interest
Represents an Interest packet.
Definition: interest.hpp:50

ndn::security::transform::PublicKey
Abstraction of public key in crypto transformation.
Definition: public-key.hpp:35

ndn::Data::getSignatureValue
const Block & getSignatureValue() const noexcept
Get SignatureValue.
Definition: data.hpp:251

digest-filter.hpp

public-key.hpp

ndn::security::tpm::Tpm
TPM front-end class.
Definition: tpm.hpp:65

ndn::Interest::getSignatureInfo
optional< SignatureInfo > getSignatureInfo() const
Get the InterestSignatureInfo.
Definition: interest.cpp:546

ndn::security::tpm::Tpm::verify
boost::logic::tribool verify(const InputBuffers &bufs, const uint8_t *sig, size_t sigLen, const Name &keyName, DigestAlgorithm digestAlgorithm) const
Verify discontiguous ranges using the key with name keyName and using the digest digestAlgorithm.
Definition: tpm.cpp:97

stream-sink.hpp

buffer-source.hpp

ndn::Data::extractSignedRanges
InputBuffers extractSignedRanges() const
Extract ranges of Data covered by the signature.
Definition: data.cpp:330

ndn::security::pib::Key
A frontend handle of a key instance.
Definition: key.hpp:49

data.hpp

ndn::security::verifyDigest
bool verifyDigest(const InputBuffers &bufs, const uint8_t *digest, size_t digestLen, DigestAlgorithm algorithm)
Verify blobs against digest using algorithm.
Definition: verification-helpers.cpp:239

sigLen
size_t sigLen
Definition: verification-helpers.cpp:58

ndn::security::transform::streamSink
unique_ptr< Sink > streamSink(std::ostream &os)
Definition: stream-sink.cpp:53

sig
const uint8_t * sig
Definition: verification-helpers.cpp:57

ndn::security::transform::PublicKey::loadPkcs8
void loadPkcs8(const uint8_t *buf, size_t size)
Load the public key in PKCS#8 format from a buffer buf.
Definition: public-key.cpp:88

ndn::security::transform::bufferSource
BufferSource bufferSource
Definition: buffer-source.hpp:81

certificate.hpp

ndn::security::transform::digestFilter
unique_ptr< Transform > digestFilter(DigestAlgorithm algo)
Definition: digest-filter.cpp:76

ndn::KeyIdType::SHA256
Use the SHA-256 hash of the public key as key id.

interest.hpp

ndn::Name
Represents an absolute name.
Definition: name.hpp:44

ndn::security::transform::Error
Base class of transformation error.
Definition: transform-base.hpp:48

ndn::security::transform::verifierFilter
unique_ptr< Transform > verifierFilter(DigestAlgorithm algo, const PublicKey &key, const uint8_t *sig, size_t sigLen)
Definition: verifier-filter.cpp:130

ndn::signed_interest::POS_SIG_VALUE
const ssize_t POS_SIG_VALUE
Definition: security-common.hpp:33

ndn::security::verifySignature
bool verifySignature(const InputBuffers &blobs, const uint8_t *sig, size_t sigLen, const transform::PublicKey &key)
Verify blobs using key against sig.
Definition: verification-helpers.cpp:64

ndn::Name::size
size_t size() const
Returns the number of components.
Definition: name.hpp:154

tpm.hpp

ndn::Interest::getSignatureValue
Block getSignatureValue() const
Get the InterestSignatureValue.
Definition: interest.cpp:590

ndn::Interest::wireEncode
size_t wireEncode(EncodingImpl< TAG > &encoder) const
Prepend wire encoding to encoder.
Definition: interest.cpp:89

ndn::Block::isValid
bool isValid() const noexcept
Check if the Block is valid.
Definition: block.hpp:188

ndn::Block::value
const uint8_t * value() const noexcept
Return a raw pointer to the beginning of TLV-VALUE.
Definition: block.cpp:302

ndn::OBufferStream::buf
shared_ptr< Buffer > buf()
Flush written data to the stream and return shared pointer to the underlying buffer.
Definition: buffer-stream.cpp:54

ndn::Data::getContent
const Block & getContent() const noexcept
Get the Content element.
Definition: data.hpp:172

ndn::Interest::getName
const Name & getName() const noexcept
Definition: interest.hpp:174

ndn::security::pib::Key::getPublicKey
const Buffer & getPublicKey() const
Get public key bits.
Definition: key.cpp:56

ndn::Name::wireEncode
size_t wireEncode(EncodingImpl< TAG > &encoder) const
Fast encoding or block size estimation.
Definition: name.cpp:117

ndn::OBufferStream
implements an output stream that constructs ndn::Buffer
Definition: buffer-stream.hpp:70

ndn::security::parse
static ParseResult parse(const Data &data)
Definition: verification-helpers.cpp:110

bufs
InputBuffers bufs
Definition: verification-helpers.cpp:56

ndn::Data
Represents a Data packet.
Definition: data.hpp:39

buffer-stream.hpp

ndn::DigestAlgorithm
DigestAlgorithm
Definition: security-common.hpp:105

ndn::security::transform::boolSink
unique_ptr< Sink > boolSink(bool &value)
Definition: bool-sink.cpp:51

ndn::tlv::Error
represents an error in TLV encoding or decoding
Definition: tlv.hpp:51

bool-sink.hpp

ndn::ConstBufferPtr
shared_ptr< const Buffer > ConstBufferPtr
Definition: buffer.hpp:126