net.named_data.jndn.security.policy

Class ConfigPolicyManager

java.lang.Object

net.named_data.jndn.security.policy.PolicyManager

net.named_data.jndn.security.policy.ConfigPolicyManager

public class ConfigPolicyManager
extends PolicyManager

A ConfigPolicyManager manages trust according to a configuration file in the Validator Configuration File Format (http://redmine.named-data.net/projects/ndn-cxx/wiki/CommandValidatorConf) Once a rule is matched, the ConfigPolicyManager looks in the CertificateCache for the IdentityCertificate matching the name in the KeyLocator and uses its public key to verify the data packet or signed interest. If the certificate can't be found, it is downloaded, verified and installed. A chain of certificates will be followed to a maximum depth. If the new certificate is accepted, it is used to complete the verification. The KeyLocators of data packets and signed interests MUST contain a name for verification to succeed.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static interface	ConfigPolicyManager.Friend A class implements Friend if it has a method setConfigPolicyManagerFriendAccess which setFriendAccess calls to set the FriendAccess object.
static class	ConfigPolicyManager.FriendAccess A friend class can call the methods of FriendAccess to access private methods.

Constructor Summary

Constructors

Constructor and Description
ConfigPolicyManager() Create a new ConfigPolicyManager which will act on the rules specified in the configuration and download unknown certificates when necessary.
ConfigPolicyManager(String configFileName)
ConfigPolicyManager(String configFileName, CertificateCache certificateCache)
ConfigPolicyManager(String configFileName, CertificateCache certificateCache, int searchDepth)
ConfigPolicyManager(String configFileName, CertificateCache certificateCache, int searchDepth, double graceInterval)
ConfigPolicyManager(String configFileName, CertificateCache certificateCache, int searchDepth, double graceInterval, double keyTimestampTtl)
ConfigPolicyManager(String configFileName, CertificateCache certificateCache, int searchDepth, double graceInterval, double keyTimestampTtl, int maxTrackedKeys) Create a new ConfigPolicyManager which will act on the rules specified in the configuration and download unknown certificates when necessary.

Method Summary

Methods

Modifier and Type	Method and Description
boolean	checkSigningPolicy(Name dataName, Name certificateName) Override to always indicate that the signing certificate name and data name satisfy the signing policy.
ValidationRequest	checkVerificationPolicy(Data data, int stepCount, OnVerified onVerified, OnVerifyFailed onVerifyFailed) Check whether the received data packet complies with the verification policy, and get the indication of the next verification step.
ValidationRequest	checkVerificationPolicy(Interest interest, int stepCount, OnVerifiedInterest onVerified, OnVerifyInterestFailed onVerifyFailed, WireFormat wireFormat) Check whether the received signed interest complies with the verification policy, and get the indication of the next verification step.
Name	inferSigningIdentity(Name dataName) Infer the signing identity name according to the policy.
void	load(String configFileName) Call reset() and load the configuration rules from the file.
void	load(String input, String inputName) Call reset() and load the configuration rules from the input.
boolean	requireVerify(Data data) Check if this PolicyManager has a verification rule for the received data.
boolean	requireVerify(Interest interest) Check if this PolicyManager has a verification rule for the received signed interest.
void	reset() Reset the certificate cache and other fields to the constructor state.
static void	setFriendAccess(ConfigPolicyManager.Friend friend) Call friend.setConfigPolicyManagerFriendAccess to pass an instance of a FriendAccess class to allow a friend class to call private methods.
boolean	skipVerifyAndTrust(Data data) Check if the received data packet can escape from verification and be trusted as valid.
boolean	skipVerifyAndTrust(Interest interest) Check if the received signed interest can escape from verification and be trusted as valid.

Methods inherited from class net.named_data.jndn.security.policy.PolicyManager

checkVerificationPolicy, verifyDigestSha256Signature, verifySha256WithEcdsaSignature, verifySha256WithRsaSignature, verifySignature

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ConfigPolicyManager

public ConfigPolicyManager(String configFileName,
                   CertificateCache certificateCache,
                   int searchDepth,
                   double graceInterval,
                   double keyTimestampTtl,
                   int maxTrackedKeys)
                    throws IOException,
                           SecurityException

Create a new ConfigPolicyManager which will act on the rules specified in the configuration and download unknown certificates when necessary.

Parameters:

configFileName - (optional) If not null or empty, the path to the configuration file containing verification rules. Otherwise, you should separately call load().

certificateCache - (optional) A CertificateCache to hold known certificates. If this is null or omitted, then create an internal CertificateCache.

searchDepth - (optional) The maximum number of links to follow when verifying a certificate chain.

graceInterval - (optional) The window of time difference (in milliseconds) allowed between the timestamp of the first interest signed with a new public key and the validation time. If omitted, use a default value.

keyTimestampTtl - (optional) How long a public key's last-used timestamp is kept in the store (milliseconds). If omitted, use a default value.

maxTrackedKeys - The maximum number of public key use timestamps to track.

Throws:

IOException

SecurityException

ConfigPolicyManager

public ConfigPolicyManager(String configFileName,
                   CertificateCache certificateCache,
                   int searchDepth,
                   double graceInterval,
                   double keyTimestampTtl)
                    throws IOException,
                           SecurityException

Throws:

IOException

SecurityException

ConfigPolicyManager

public ConfigPolicyManager(String configFileName,
                   CertificateCache certificateCache,
                   int searchDepth,
                   double graceInterval)
                    throws IOException,
                           SecurityException

Throws:

IOException

SecurityException

ConfigPolicyManager

public ConfigPolicyManager(String configFileName,
                   CertificateCache certificateCache,
                   int searchDepth)
                    throws IOException,
                           SecurityException

Throws:

IOException

SecurityException

ConfigPolicyManager

public ConfigPolicyManager(String configFileName,
                   CertificateCache certificateCache)
                    throws IOException,
                           SecurityException

Throws:

IOException

SecurityException

ConfigPolicyManager

public ConfigPolicyManager(String configFileName)
                    throws IOException,
                           SecurityException

Throws:

IOException

SecurityException

ConfigPolicyManager

public ConfigPolicyManager()

Create a new ConfigPolicyManager which will act on the rules specified in the configuration and download unknown certificates when necessary. Use default parameter values. You must call load().

Method Detail

reset

public final void reset()

Reset the certificate cache and other fields to the constructor state.

load

public final void load(String configFileName)
                throws IOException,
                       SecurityException

Call reset() and load the configuration rules from the file.

Parameters:

configFileName - The path to the configuration file containing the verification rules.

Throws:

IOException

SecurityException

load

public void load(String input,
        String inputName)
          throws IOException,
                 SecurityException

Call reset() and load the configuration rules from the input.

Parameters:

input - The contents of the configuration rules, with lines separated by "\n" or "\r\n".

inputName - Used for log messages, etc.

Throws:

IOException

SecurityException

skipVerifyAndTrust

public final boolean skipVerifyAndTrust(Data data)

Check if the received data packet can escape from verification and be trusted as valid. If the configuration file contains the trust anchor 'any', nothing is verified.

Specified by:

skipVerifyAndTrust in class PolicyManager

Parameters:

data - The received data packet.

Returns:

true if the data does not need to be verified to be trusted as valid, otherwise false.

skipVerifyAndTrust

public final boolean skipVerifyAndTrust(Interest interest)

Check if the received signed interest can escape from verification and be trusted as valid. If the configuration file contains the trust anchor 'any', nothing is verified.

Specified by:

skipVerifyAndTrust in class PolicyManager

Parameters:

interest - The received interest.

Returns:

true if the interest does not need to be verified to be trusted as valid, otherwise false.

requireVerify

public final boolean requireVerify(Data data)

Check if this PolicyManager has a verification rule for the received data. If the configuration file contains the trust anchor 'any', nothing is verified.

Specified by:

requireVerify in class PolicyManager

Parameters:

data - The received data packet.

Returns:

true if the data must be verified, otherwise false.

requireVerify

public final boolean requireVerify(Interest interest)

Check if this PolicyManager has a verification rule for the received signed interest. If the configuration file contains the trust anchor 'any', nothing is verified.

Specified by:

requireVerify in class PolicyManager

Parameters:

interest - The received interest.

Returns:

true if the interest must be verified, otherwise false.

checkVerificationPolicy

public final ValidationRequest checkVerificationPolicy(Data data,
                                        int stepCount,
                                        OnVerified onVerified,
                                        OnVerifyFailed onVerifyFailed)
                                                throws SecurityException

Check whether the received data packet complies with the verification policy, and get the indication of the next verification step.

Specified by:

checkVerificationPolicy in class PolicyManager

Parameters:

data - The Data object with the signature to check.

stepCount - The number of verification steps that have been done, used to track the verification progress.

onVerified - If the signature is verified, this calls onVerified.onVerified(data). NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions.

onVerifyFailed - If the signature check fails, this calls onVerifyFailed.onVerifyFailed(data). NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions.

Returns:

the indication of next verification step, null if there is no further step.

Throws:

SecurityException

checkVerificationPolicy

public final ValidationRequest checkVerificationPolicy(Interest interest,
                                        int stepCount,
                                        OnVerifiedInterest onVerified,
                                        OnVerifyInterestFailed onVerifyFailed,
                                        WireFormat wireFormat)
                                                throws SecurityException

Check whether the received signed interest complies with the verification policy, and get the indication of the next verification step.

Specified by:

checkVerificationPolicy in class PolicyManager

Parameters:

interest - The interest with the signature to check.

stepCount - The number of verification steps that have been done, used to track the verification progress.

onVerified - If the signature is verified, this calls onVerified(interest). NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions.

onVerifyFailed - If the signature check fails, this calls onVerifyFailed(interest). NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions.

Returns:

the indication of next verification step, null if there is no further step.

Throws:

SecurityException

checkSigningPolicy

public final boolean checkSigningPolicy(Name dataName,
                         Name certificateName)

Override to always indicate that the signing certificate name and data name satisfy the signing policy.

Specified by:

checkSigningPolicy in class PolicyManager

Parameters:

dataName - The name of data to be signed.

certificateName - The name of signing certificate.

Returns:

true to indicate that the signing certificate can be used to sign the data.

inferSigningIdentity

public final Name inferSigningIdentity(Name dataName)

Infer the signing identity name according to the policy. If the signing identity cannot be inferred, return an empty name.

Specified by:

inferSigningIdentity in class PolicyManager

Parameters:

dataName - The name of data to be signed.

Returns:

The signing identity or an empty name if cannot infer.

setFriendAccess

public static void setFriendAccess(ConfigPolicyManager.Friend friend)

Call friend.setConfigPolicyManagerFriendAccess to pass an instance of a FriendAccess class to allow a friend class to call private methods.

Parameters:

friend - The friend class for calling setConfigPolicyManagerFriendAccess. This uses friend.getClass() to make sure that it is a friend class. Therefore, only a friend class gets an implementation of FriendAccess.