validation-policy.cpp
Go to the documentation of this file.
1 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
2 /*
3  * Copyright (c) 2013-2023 Regents of the University of California.
4  *
5  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
6  *
7  * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8  * terms of the GNU Lesser General Public License as published by the Free Software
9  * Foundation, either version 3 of the License, or (at your option) any later version.
10  *
11  * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12  * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13  * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14  *
15  * You should have received copies of the GNU General Public License and GNU Lesser
16  * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17  * <http://www.gnu.org/licenses/>.
18  *
19  * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
20  */
21 
22 #include "ndn-cxx/security/validation-policy.hpp"
23 #include "ndn-cxx/security/signing-info.hpp"
24 
25 namespace ndn::security {
26 
27 void
28 ValidationPolicy::setInnerPolicy(unique_ptr<ValidationPolicy> innerPolicy)
29 {
30  if (innerPolicy == nullptr) {
31  NDN_THROW(std::invalid_argument("Inner policy argument cannot be nullptr"));
32  }
33 
34  if (m_validator != nullptr) {
35  innerPolicy->setValidator(*m_validator);
36  }
37 
38  if (m_innerPolicy == nullptr) {
39  m_innerPolicy = std::move(innerPolicy);
40  }
41  else {
42  m_innerPolicy->setInnerPolicy(std::move(innerPolicy));
43  }
44 }
45 
46 ValidationPolicy&
47 ValidationPolicy::getInnerPolicy()
48 {
49  return *m_innerPolicy;
50 }
51 
52 void
53 ValidationPolicy::setValidator(Validator& validator)
54 {
55  m_validator = &validator;
56  if (m_innerPolicy != nullptr) {
57  m_innerPolicy->setValidator(validator);
58  }
59 }
60 
61 Name
62 getKeyLocatorName(const SignatureInfo& si, ValidationState& state)
63 {
64  if (si.getSignatureType() == tlv::DigestSha256) {
65  return SigningInfo::getDigestSha256Identity();
66  }
67 
68  if (!si.hasKeyLocator()) {
69  state.fail({ValidationError::INVALID_KEY_LOCATOR, "KeyLocator is missing"});
70  return {};
71  }
72 
73  const KeyLocator& kl = si.getKeyLocator();
74  if (kl.getType() != tlv::Name) {
75  state.fail({ValidationError::INVALID_KEY_LOCATOR, "KeyLocator type is not Name"});
76  return {};
77  }
78 
79  return kl.getName();
80 }
81 
82 SignatureInfo
83 getSignatureInfo(const Interest& interest, ValidationState& state)
84 {
85  auto fmt = state.getTag<SignedInterestFormatTag>();
86  BOOST_ASSERT(fmt);
87 
88  if (*fmt == SignedInterestFormat::V03) {
89  BOOST_ASSERT(interest.getSignatureInfo().has_value());
90  return *interest.getSignatureInfo();
91  }
92 
93  // Try the old Signed Interest format from Packet Specification v0.2
94  const Name& name = interest.getName();
95  if (name.size() < signed_interest::MIN_SIZE) {
96  state.fail({ValidationError::MALFORMED_SIGNATURE,
97  "Interest name too short `" + name.toUri() + "`"});
98  return {};
99  }
100 
101  try {
102  return SignatureInfo(name[signed_interest::POS_SIG_INFO].blockFromValue());
103  }
104  catch (const tlv::Error& e) {
105  state.fail({ValidationError::MALFORMED_SIGNATURE,
106  "Malformed SignatureInfo in `" + name.toUri() + "`: " + e.what()});
107  return {};
108  }
109 }
110 
111 Name
112 extractIdentityNameFromKeyLocator(const Name& keyLocator)
113 {
114  // handling special cases
115  if (keyLocator == SigningInfo::getDigestSha256Identity() ||
116  keyLocator == SigningInfo::getHmacIdentity()) {
117  return keyLocator;
118  }
119 
120  auto len = static_cast<ssize_t>(keyLocator.size());
121  // note that KEY_COMPONENT_OFFSET is negative
122  auto lowerBound = std::max<ssize_t>(len + Certificate::KEY_COMPONENT_OFFSET, 0);
123  for (ssize_t i = len - 1; i >= lowerBound; --i) {
124  if (keyLocator[i] == Certificate::KEY_COMPONENT) {
125  return keyLocator.getPrefix(i);
126  }
127  }
128 
129  NDN_THROW(KeyLocator::Error("KeyLocator `" + keyLocator.toUri() +
130  "` does not respect the naming conventions"));
131 }
132 
133 } // namespace ndn::security
ndn::Interest
Represents an Interest packet.
Definition: interest.hpp:50
ndn::Interest::getSignatureInfo
std::optional< SignatureInfo > getSignatureInfo() const
Get the InterestSignatureInfo element.
Definition: interest.cpp:552
ndn::Interest::getName
const Name & getName() const noexcept
Get the Interest name.
Definition: interest.hpp:179
ndn::KeyLocator::getName
const Name & getName() const
Get nested Name element.
Definition: key-locator.cpp:137
ndn::KeyLocator::getType
uint32_t getType() const
Definition: key-locator.cpp:112
ndn::Name
Represents an absolute name.
Definition: name.hpp:45
ndn::Name::getPrefix
PartialName getPrefix(ssize_t nComponents) const
Returns a prefix of the name.
Definition: name.hpp:241
ndn::Name::size
size_t size() const noexcept
Returns the number of components.
Definition: name.hpp:180
ndn::Name::toUri
void toUri(std::ostream &os, name::UriFormat format=name::UriFormat::DEFAULT) const
Write URI representation of the name to the output stream.
Definition: name.cpp:324
ndn::SignatureInfo
Represents a SignatureInfo or InterestSignatureInfo TLV element.
Definition: signature-info.hpp:34
ndn::SignatureInfo::getSignatureType
int32_t getSignatureType() const noexcept
Get the SignatureType.
Definition: signature-info.hpp:114
ndn::SignatureInfo::hasKeyLocator
bool hasKeyLocator() const noexcept
Check if KeyLocator is present.
Definition: signature-info.hpp:128
ndn::SignatureInfo::getKeyLocator
const KeyLocator & getKeyLocator() const
Get the KeyLocator element.
Definition: signature-info.cpp:183
ndn::SimpleTag
Provides a tag type for simple types.
Definition: tag.hpp:56
ndn::TagHost::getTag
std::shared_ptr< T > getTag() const
Get a tag item.
Definition: tag-host.hpp:72
ndn::security::Certificate::KEY_COMPONENT_OFFSET
static constexpr ssize_t KEY_COMPONENT_OFFSET
Definition: certificate.hpp:155
ndn::security::Certificate::KEY_COMPONENT
static const name::Component KEY_COMPONENT
Definition: certificate.hpp:158
ndn::security::SigningInfo::getDigestSha256Identity
static const Name & getDigestSha256Identity()
A localhost identity to indicate that the signature is generated using SHA-256.
Definition: signing-info.cpp:32
ndn::security::SigningInfo::getHmacIdentity
static const Name & getHmacIdentity()
A localhost identity to indicate that the signature is generated using an HMAC key.
Definition: signing-info.cpp:39
ndn::security::ValidationError::INVALID_KEY_LOCATOR
@ INVALID_KEY_LOCATOR
The KeyLocator element is missing or has an invalid format.
Definition: validation-error.hpp:60
ndn::security::ValidationError::MALFORMED_SIGNATURE
@ MALFORMED_SIGNATURE
The signature (e.g., SignatureInfo element) is missing or malformed.
Definition: validation-error.hpp:48
ndn::security::ValidationPolicy
Abstraction that implements a validation policy for Interest and Data packets.
Definition: validation-policy.hpp:36
ndn::security::ValidationPolicy::setValidator
void setValidator(Validator &validator)
Set validator to which the policy is associated.
Definition: validation-policy.cpp:53
ndn::security::ValidationPolicy::getInnerPolicy
ValidationPolicy & getInnerPolicy()
Return the inner policy.
Definition: validation-policy.cpp:47
ndn::security::ValidationPolicy::setInnerPolicy
void setInnerPolicy(unique_ptr< ValidationPolicy > innerPolicy)
Set inner policy.
Definition: validation-policy.cpp:28
ndn::security::ValidationPolicy::m_innerPolicy
unique_ptr< ValidationPolicy > m_innerPolicy
Definition: validation-policy.hpp:145
ndn::security::ValidationState::fail
virtual void fail(const ValidationError &error)=0
Call the failure callback.
ndn::security::Validator
Interface for validating data and interest packets.
Definition: validator.hpp:61
ndn::tlv::Error
Represents an error in TLV encoding or decoding.
Definition: tlv.hpp:54
NDN_THROW
#define NDN_THROW(e)
Definition: exception.hpp:56
ndn::security
Contains the ndn-cxx security framework.
Definition: additional-description.cpp:26
ndn::security::extractIdentityNameFromKeyLocator
Name extractIdentityNameFromKeyLocator(const Name &keyLocator)
Extract identity name from key, version-less certificate, or certificate name.
Definition: validation-policy.cpp:112
ndn::security::SignedInterestFormat::V03
@ V03
Sign Interest using Packet Specification v0.3 semantics.
ndn::security::getSignatureInfo
SignatureInfo getSignatureInfo(const Interest &interest, ValidationState &state)
Extract SignatureInfo from a signed Interest.
Definition: validation-policy.cpp:83
ndn::security::getKeyLocatorName
Name getKeyLocatorName(const SignatureInfo &si, ValidationState &state)
Extract the KeyLocator name from a SignatureInfo element.
Definition: validation-policy.cpp:62
ndn::signed_interest::MIN_SIZE
constexpr size_t MIN_SIZE
Minimum number of name components for an old-style Signed Interest.
Definition: security-common.hpp:45
ndn::signed_interest::POS_SIG_INFO
constexpr ssize_t POS_SIG_INFO
Definition: security-common.hpp:38
ndn::tlv::Name
@ Name
Definition: tlv.hpp:71
ndn::tlv::SignatureInfo
@ SignatureInfo
Definition: tlv.hpp:94
ndn::tlv::DigestSha256
@ DigestSha256
Definition: tlv.hpp:128