Class: ConfigPolicyManager

ConfigPolicyManager

new ConfigPolicyManager(configFileName, certificateCache, searchDepth, graceInterval, keyTimestampTtl, maxTrackedKeys)

ConfigPolicyManager manages trust according to a configuration file in the Validator Configuration File Format (http://redmine.named-data.net/projects/ndn-cxx/wiki/CommandValidatorConf) Once a rule is matched, the ConfigPolicyManager looks in the CertificateCache for the IdentityCertificate matching the name in the KeyLocator and uses its public key to verify the data packet or signed interest. If the certificate can't be found, it is downloaded, verified and installed. A chain of certificates will be followed to a maximum depth. If the new certificate is accepted, it is used to complete the verification. The KeyLocators of data packets and signed interests MUST contain a name for verification to succeed. Create a new ConfigPolicyManager which will act on the rules specified in the configuration and download unknown certificates when necessary.
Parameters:
Name Type Description
configFileName string (optional) If not null or empty, the path to the configuration file containing verification rules. (This only works in Node.js since it reads files using the "fs" module.) Otherwise, you should separately call load().
certificateCache CertificateCache (optional) A CertificateCache to hold known certificates. If this is null or omitted, then create an internal CertificateCache.
searchDepth number (optional) The maximum number of links to follow when verifying a certificate chain. If omitted, use a default.
graceInterval number (optional) The window of time difference (in milliseconds) allowed between the timestamp of the first interest signed with a new public key and the validation time. If omitted, use a default value.
keyTimestampTtl number (optional) How long a public key's last-used timestamp is kept in the store (milliseconds). If omitted, use a default value.
maxTrackedKeys number The maximum number of public key use timestamps to track. If omitted, use a default.
Source:

Methods

(static) expand(match, expansion) → {string}

Similar to Python expand, return expansion where every \1, \2, etc. is replaced by match[1], match[2], etc. Note: Even though this is a general utility function, we define it locally because it is only tested to work in the cases used by this class.
Parameters:
Name Type Description
match Object The match object from String.match.
expansion string The string with \1, \2, etc. to replace from match.
Source:
Returns:
The expanded string.
Type
string

(static) extractSignature(dataOrInterest, wireFormat) → {Signature}

Extract the signature information from the interest name or from the data packet or interest.
Parameters:
Name Type Description
dataOrInterest Data | Interest The object whose signature is needed.
wireFormat WireFormat (optional) The wire format used to decode signature information from the interest name.
Source:
Returns:
The object of a sublcass of Signature or null if can't decode.
Type
Signature

(static) matchesRelation(name, matchName, matchRelation) → {boolean}

Determines if a name satisfies the relation to matchName.
Parameters:
Name Type Description
name Name
matchName Name
matchRelation string Can be one of: 'is-prefix-of' - passes if the name is equal to or has the other name as a prefix 'is-strict-prefix-of' - passes if the name has the other name as a prefix, and is not equal 'equal' - passes if the two names are equal
Source:
Returns:
Type
boolean

checkSignatureMatch(signatureName, objectName, rule) → {boolean}

Once a rule is found to match data or a signed interest, the name in the KeyLocator must satisfy the condition in the 'checker' section of the rule, else the data or interest is rejected.
Parameters:
Name Type Description
signatureName Name The certificate name from the KeyLocator.
objectName Name The name of the data packet or interest. In the case of signed interests, this excludes the timestamp, nonce and signature components.
rule BoostInfoTree The rule from the configuration file that matches the data or interest.
Source:
Returns:
True if matches.
Type
boolean

checkSigningPolicy(dataName, certificateName) → {boolean}

Override to always indicate that the signing certificate name and data name satisfy the signing policy.
Parameters:
Name Type Description
dataName Name The name of data to be signed.
certificateName Name The name of signing certificate.
Source:
Returns:
True to indicate that the signing certificate can be used to sign the data.
Type
boolean

checkVerificationPolicy(dataOrInterest, stepCount, onVerified, onVerifyFailed, wireFormat) → {ValidationRequest}

Check whether the received data packet or interest complies with the verification policy, and get the indication of the next verification step.
Parameters:
Name Type Description
dataOrInterest Data | Interest The Data object or interest with the signature to check.
stepCount number The number of verification steps that have been done, used to track the verification progress.
onVerified function If the signature is verified, this calls onVerified(dataOrInterest). NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions.
onVerifyFailed function If the signature check fails, this calls onVerifyFailed(dataOrInterest). NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions.
wireFormat WireFormat
Source:
Returns:
The indication of next verification step, or null if there is no further step.
Type
ValidationRequest

findMatchingRule(objName, matchType) → {BoostInfoTree}

Search the configuration file for the first rule that matches the data or signed interest name. In the case of interests, the name to match should exclude the timestamp, nonce, and signature components.
Parameters:
Name Type Description
objName Name The name to be matched.
matchType string The rule type to match, "data" or "interest".
Source:
Returns:
The matching rule, or null if not found.
Type
BoostInfoTree

interestTimestampIsFresh(keyName, timestamp) → {boolean}

Determine whether the timestamp from the interest is newer than the last use of this key, or within the grace interval on first use.
Parameters:
Name Type Description
keyName Name The name of the public key used to sign the interest.
timestamp number The timestamp extracted from the interest name.
Source:
Returns:
True if timestamp is fresh as described above.
Type
boolean

load(configFileName, input, inputName)

Call reset() and load the configuration rules from the file name or the input string. There are two forms: load(configFileName) reads configFileName from the file system. (This only works in Node.js since it reads files using the "fs" module.) load(input, inputName) reads from the input, in which case inputName is used only for log messages, etc.
Parameters:
Name Type Description
configFileName string The path to the file containing configuration rules.
input string The contents of the configuration rules, with lines separated by "\n" or "\r\n".
inputName string Use with input for log messages, etc.
Source:

loadTrustAnchorCertificates()

The configuration file allows 'trust anchor' certificates to be preloaded. The certificates may also be loaded from a directory, and if the 'refresh' option is set to an interval, the certificates are reloaded at the specified interval.
Source:

lookupCertificate(certID, isPath) → {IdentityCertificate}

This looks up certificates specified as base64-encoded data or file names. These are cached by filename or encoding to avoid repeated reading of files or decoding.
Parameters:
Name Type Description
certID string
isPath boolean
Source:
Returns:
Type
IdentityCertificate

requireVerify(dataOrInterest) → {boolean}

Check if this PolicyManager has a verification rule for the received data. If the configuration file contains the trust anchor 'any', nothing is verified.
Parameters:
Name Type Description
dataOrInterest Data | Interest The received data packet or interest.
Source:
Returns:
true if the data must be verified, otherwise false.
Type
boolean

reset()

Reset the certificate cache and other fields to the constructor state.
Source:

skipVerifyAndTrust(dataOrInterest) → {boolean}

Check if the received signed interest can escape from verification and be trusted as valid. If the configuration file contains the trust anchor 'any', nothing is verified.
Parameters:
Name Type Description
dataOrInterest Data | Interest The received data packet or interest.
Source:
Returns:
true if the data or interest does not need to be verified to be trusted as valid, otherwise false.
Type
boolean

updateTimestampForKey(keyName, timestamp)

Trim the table size down if necessary, and insert/update the latest interest signing timestamp for the key. Any key which has not been used within the TTL period is purged. If the table is still too large, the oldest key is purged.
Parameters:
Name Type Description
keyName Name The name of the public key used to sign the interest.
timestamp number The timestamp extracted from the interest name.
Source:

verify(signatureInfo, signedBlob, onComplete)

Check the type of signatureInfo to get the KeyLocator. Look in the IdentityStorage for the public key with the name in the KeyLocator and use it to verify the signedBlob. If the public key can't be found, return false. (This is a generalized method which can verify both a data packet and an interest.)
Parameters:
Name Type Description
signatureInfo Signature An object of a subclass of Signature, e.g. Sha256WithRsaSignature.
signedBlob SignedBlob The SignedBlob with the signed portion to verify.
onComplete function This calls onComplete(true) if the signature verifies, otherwise onComplete(false).
Source: