validator.cpp
Go to the documentation of this file.
1 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
2 /*
3  * Copyright (c) 2013-2017 Regents of the University of California.
4  *
5  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
6  *
7  * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8  * terms of the GNU Lesser General Public License as published by the Free Software
9  * Foundation, either version 3 of the License, or (at your option) any later version.
10  *
11  * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12  * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13  * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14  *
15  * You should have received copies of the GNU General Public License and GNU Lesser
16  * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17  * <http://www.gnu.org/licenses/>.
18  *
19  * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
20  */
21 
22 #include "validator.hpp"
23 
24 #include "face.hpp"
26 #include "util/logger.hpp"
27 
28 namespace ndn {
29 namespace security {
30 namespace v2 {
31 
33 
34 #define NDN_LOG_DEBUG_DEPTH(x) NDN_LOG_DEBUG(std::string(state->getDepth() + 1, '>') << " " << x)
35 #define NDN_LOG_TRACE_DEPTH(x) NDN_LOG_TRACE(std::string(state->getDepth() + 1, '>') << " " << x)
36 
37 Validator::Validator(unique_ptr<ValidationPolicy> policy, unique_ptr<CertificateFetcher> certFetcher)
38  : m_policy(std::move(policy))
39  , m_certFetcher(std::move(certFetcher))
40  , m_maxDepth(25)
41 {
42  BOOST_ASSERT(m_policy != nullptr);
43  BOOST_ASSERT(m_certFetcher != nullptr);
44  m_policy->setValidator(*this);
45  m_certFetcher->setCertificateStorage(*this);
46 }
47 
48 Validator::~Validator() = default;
49 
52 {
53  return *m_policy;
54 }
55 
58 {
59  return *m_certFetcher;
60 }
61 
62 void
64 {
65  m_maxDepth = depth;
66 }
67 
68 size_t
70 {
71  return m_maxDepth;
72 }
73 
74 void
76  const DataValidationSuccessCallback& successCb,
77  const DataValidationFailureCallback& failureCb)
78 {
79  auto state = make_shared<DataValidationState>(data, successCb, failureCb);
80  NDN_LOG_DEBUG_DEPTH("Start validating data " << data.getName());
81 
82  m_policy->checkPolicy(data, state,
83  [this] (const shared_ptr<CertificateRequest>& certRequest, const shared_ptr<ValidationState>& state) {
84  if (certRequest == nullptr) {
85  state->bypassValidation();
86  }
87  else {
88  // need to fetch key and validate it
89  requestCertificate(certRequest, state);
90  }
91  });
92 }
93 
94 void
95 Validator::validate(const Interest& interest,
96  const InterestValidationSuccessCallback& successCb,
97  const InterestValidationFailureCallback& failureCb)
98 {
99  auto state = make_shared<InterestValidationState>(interest, successCb, failureCb);
100  NDN_LOG_DEBUG_DEPTH("Start validating interest " << interest.getName());
101 
102  m_policy->checkPolicy(interest, state,
103  [this] (const shared_ptr<CertificateRequest>& certRequest, const shared_ptr<ValidationState>& state) {
104  if (certRequest == nullptr) {
105  state->bypassValidation();
106  }
107  else {
108  // need to fetch key and validate it
109  requestCertificate(certRequest, state);
110  }
111  });
112 }
113 
114 void
115 Validator::validate(const Certificate& cert, const shared_ptr<ValidationState>& state)
116 {
117  NDN_LOG_DEBUG_DEPTH("Start validating certificate " << cert.getName());
118 
119  if (!cert.isValid()) {
120  return state->fail({ValidationError::Code::EXPIRED_CERT, "Retrieved certificate is not yet valid or expired "
121  "`" + cert.getName().toUri() + "`"});
122  }
123 
124  m_policy->checkPolicy(cert, state,
125  [this, cert] (const shared_ptr<CertificateRequest>& certRequest, const shared_ptr<ValidationState>& state) {
126  if (certRequest == nullptr) {
127  state->fail({ValidationError::POLICY_ERROR, "Validation policy is not allowed to designate `" +
128  cert.getName().toUri() + "` as a trust anchor"});
129  }
130  else {
131  // need to fetch key and validate it
132  state->addCertificate(cert);
133  requestCertificate(certRequest, state);
134  }
135  });
136 }
137 
138 void
139 Validator::requestCertificate(const shared_ptr<CertificateRequest>& certRequest,
140  const shared_ptr<ValidationState>& state)
141 {
142  // TODO configurable check for the maximum number of steps
143  if (state->getDepth() >= m_maxDepth) {
144  state->fail({ValidationError::Code::EXCEEDED_DEPTH_LIMIT,
145  "Exceeded validation depth limit (" + to_string(m_maxDepth) + ")"});
146  return;
147  }
148 
149  if (state->hasSeenCertificateName(certRequest->m_interest.getName())) {
150  state->fail({ValidationError::Code::LOOP_DETECTED,
151  "Validation loop detected for certificate `" + certRequest->m_interest.getName().toUri() + "`"});
152  return;
153  }
154 
155  NDN_LOG_DEBUG_DEPTH("Retrieving " << certRequest->m_interest.getName());
156 
157  auto cert = findTrustedCert(certRequest->m_interest);
158  if (cert != nullptr) {
159  NDN_LOG_TRACE_DEPTH("Found trusted certificate " << cert->getName());
160 
161  cert = state->verifyCertificateChain(*cert);
162  if (cert != nullptr) {
163  state->verifyOriginalPacket(*cert);
164  }
165  for (auto trustedCert = std::make_move_iterator(state->m_certificateChain.begin());
166  trustedCert != std::make_move_iterator(state->m_certificateChain.end());
167  ++trustedCert) {
168  cacheVerifiedCertificate(*trustedCert);
169  }
170  return;
171  }
172 
173  m_certFetcher->fetch(certRequest, state, [this] (const Certificate& cert, const shared_ptr<ValidationState>& state) {
174  validate(cert, state);
175  });
176 }
177 
179 // Trust anchor management
181 
182 // to change visibility from protected to public
183 
184 void
185 Validator::loadAnchor(const std::string& groupId, Certificate&& cert)
186 {
187  CertificateStorage::loadAnchor(groupId, std::move(cert));
188 }
189 
190 void
191 Validator::loadAnchor(const std::string& groupId, const std::string& certfilePath,
192  time::nanoseconds refreshPeriod, bool isDir)
193 {
194  CertificateStorage::loadAnchor(groupId, certfilePath, refreshPeriod, isDir);
195 }
196 
197 void
199 {
201 }
202 
203 void
205 {
206  CertificateStorage::cacheVerifiedCert(std::move(cert));
207 }
208 
209 void
211 {
213 }
214 
215 } // namespace v2
216 } // namespace security
217 } // namespace ndn
bool isValid(const time::system_clock::TimePoint &ts=time::system_clock::now()) const
Check if the certificate is valid at ts.
void loadAnchor(const std::string &groupId, Certificate &&cert)
load static trust anchor.
Copyright (c) 2013-2017 Regents of the University of California.
Definition: common.hpp:66
The certificate following the certificate format naming convention.
Definition: certificate.hpp:81
function< void(const Data &data)> DataValidationSuccessCallback
Callback to report a successful Data validation.
Interface used by the validator to fetch missing certificates.
#define NDN_LOG_DEBUG_DEPTH(x)
Definition: validator.cpp:34
#define NDN_LOG_TRACE_DEPTH(x)
Definition: validator.cpp:35
void cacheVerifiedCertificate(Certificate &&cert)
Cache verified cert a period of time (1 hour)
Definition: validator.cpp:204
STL namespace.
represents an Interest packet
Definition: interest.hpp:42
function< void(const Data &data, const ValidationError &error)> DataValidationFailureCallback
Callback to report a failed Data validation.
#define NDN_LOG_INIT(name)
declare a log module
Definition: logger.hpp:101
void setMaxDepth(size_t depth)
Set the maximum depth of the certificate chain.
Definition: validator.cpp:63
Abstraction that implements validation policy for Data and Interest packets.
CertificateFetcher & getFetcher()
Definition: validator.cpp:57
std::string toUri() const
Get URI representation of the name.
Definition: name.cpp:122
ValidationPolicy & getPolicy()
Definition: validator.cpp:51
void resetVerifiedCerts()
Remove any cached verified certificates.
void cacheVerifiedCert(Certificate &&cert)
Cache verified certificate a period of time (1 hour)
void validate(const Data &data, const DataValidationSuccessCallback &successCb, const DataValidationFailureCallback &failureCb)
Asynchronously validate data.
Definition: validator.cpp:75
void loadAnchor(const std::string &groupId, Certificate &&cert)
load static trust anchor.
Definition: validator.cpp:185
size_t getMaxDepth() const
Definition: validator.cpp:69
const Certificate * findTrustedCert(const Interest &interestForCert) const
Find a trusted certificate in trust anchor container or in verified cache.
void resetAnchors()
remove any previously loaded static or dynamic trust anchor
void resetVerifiedCertificates()
Remove any cached verified certificates.
Definition: validator.cpp:210
Validator(unique_ptr< ValidationPolicy > policy, unique_ptr< CertificateFetcher > certFetcher)
Validator constructor.
Definition: validator.cpp:37
function< void(const Interest &interest, const ValidationError &error)> InterestValidationFailureCallback
Callback to report a failed Interest validation.
const Name & getName() const
Get name.
Definition: data.hpp:121
void resetAnchors()
remove any previously loaded static or dynamic trust anchor
Definition: validator.cpp:198
std::string to_string(const V &v)
Definition: backports.hpp:84
Represents a Data packet.
Definition: data.hpp:35
function< void(const Interest &interest)> InterestValidationSuccessCallback
Callback to report a successful Interest validation.
Interface for validating data and interest packets.
Definition: validator.hpp:61