/// <summary>
        /// Asynchronously fetch a certificate. setCertificateStorage must have been
        /// called first.
        /// If the requested certificate exists in the storage, then this method will
        /// immediately call continueValidation with the certificate. If certificate is
        /// not available, then the implementation-specific doFetch will be called to
        /// asynchronously fetch the certificate. The successfully-retrieved
        /// certificate will be automatically added to the unverified cache of the
        /// certificate storage.
        /// When the requested certificate is retrieved, continueValidation is called.
        /// Otherwise, the fetcher implementation calls state.failed() with the
        /// appropriate error code and diagnostic message.
        /// </summary>
        ///
        /// <param name="certificateRequest"></param>
        /// <param name="state">The validation state.</param>
        /// <param name="continueValidation">is the fetched certificate and state is the ValidationState.</param>
        public void fetch(CertificateRequest certificateRequest,
                          ValidationState state, CertificateFetcher.ValidationContinuation continueValidation)
        {
            if (certificateStorage_ == null)
            {
                throw new Exception(
                          "CertificateFetcher.fetch: You must first call setCertificateStorage");
            }

            CertificateV2 certificate = certificateStorage_
                                        .getUnverifiedCertificateCache().find(
                certificateRequest.interest_);

            if (certificate != null)
            {
                logger_.log(ILOG.J2CsMapping.Util.Logging.Level.FINE,
                            "Found certificate in **un**verified key cache {0}",
                            certificate.getName().toUri());
                continueValidation.continueValidation(certificate, state);
                return;
            }

            // Rename continueValidation to avoid a loop.
            CertificateFetcher.ValidationContinuation outerContinueValidation_0 = continueValidation;
            // Fetch asynchronously.
            doFetch(certificateRequest, state, new CertificateFetcher.Anonymous_C0(this, outerContinueValidation_0));
        }
        /// <summary>
        /// Get the keyLocatorName and timestamp from the command interest.
        /// </summary>
        ///
        /// <param name="interest">The Interest to parse.</param>
        /// <param name="state">On error, this calls state.fail and returns false.</param>
        /// <param name="keyLocatorName">Set keyLocatorName[0] to the KeyLocator name.</param>
        /// <param name="timestamp_0"></param>
        /// <returns>On success, return true. On error, call state.fail and return false.</returns>
        private static bool parseCommandInterest(Interest interest,
                                                 ValidationState state, Name[] keyLocatorName, double[] timestamp_0)
        {
            keyLocatorName[0] = new Name();
            timestamp_0[0]    = 0;

            Name name = interest.getName();

            if (name.size() < net.named_data.jndn.security.CommandInterestSigner.MINIMUM_SIZE)
            {
                state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.POLICY_ERROR,
                                               "Command interest name `" + interest.getName().toUri()
                                               + "` is too short"));
                return(false);
            }

            timestamp_0[0] = name.get(net.named_data.jndn.security.CommandInterestSigner.POS_TIMESTAMP).toNumber();

            keyLocatorName[0] = net.named_data.jndn.security.v2.ValidationPolicy.getKeyLocatorName(interest, state);
            if (state.isOutcomeFailed())
            {
                // Already failed.
                return(false);
            }

            return(true);
        }
Exemple #3
0
 protected internal override void doFetch(CertificateRequest certificateRequest,
                                          ValidationState state, CertificateFetcher.ValidationContinuation continueValidation)
 {
     state.fail(new ValidationError(
                    net.named_data.jndn.security.v2.ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
                    "Cannot fetch certificate "
                    + certificateRequest.interest_.getName().toUri()
                    + " in offline mode"));
 }
Exemple #4
0
        private void checkPolicyHelper(Name keyName, ValidationState state,
                                       ValidationPolicy.ValidationContinuation continueValidation)
        {
            PibIdentity identity;

            try {
                identity = pib_.getIdentity(net.named_data.jndn.security.pib.PibKey
                                            .extractIdentityFromKeyName(keyName));
            } catch (Exception ex) {
                state.fail(new ValidationError(
                               net.named_data.jndn.security.v2.ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
                               "Cannot get the PIB identity for key " + keyName.toUri()
                               + ": " + ex));
                return;
            }

            PibKey key;

            try {
                key = identity.getKey(keyName);
            } catch (Exception ex_0) {
                state.fail(new ValidationError(
                               net.named_data.jndn.security.v2.ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
                               "Cannot get the PIB key " + keyName.toUri() + ": " + ex_0));
                return;
            }

            CertificateV2 certificate;

            try {
                certificate = key.getDefaultCertificate();
            } catch (Exception ex_1) {
                state.fail(new ValidationError(
                               net.named_data.jndn.security.v2.ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
                               "Cannot get the default certificate for key "
                               + keyName.toUri() + ": " + ex_1));
                return;
            }

            // Add the certificate as the temporary trust anchor.
            validator_.resetAnchors();
            try {
                validator_.loadAnchor("", certificate);
            } catch (Exception ex_2) {
                // We don't expect this since we just retrieved the certificate.
                state.fail(new ValidationError(
                               net.named_data.jndn.security.v2.ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
                               "Cannot load the trust anchor for key " + keyName.toUri()
                               + ": " + ex_2));
                return;
            }

            continueValidation.continueValidation(new CertificateRequest(
                                                      new Interest(keyName)), state);
            // Clear the temporary trust anchor.
            validator_.resetAnchors();
        }
Exemple #5
0
 public Anonymous_C1(
     CertificateFetcherFromNetwork paramouter_CertificateFetcherFromNetwork,
     CertificateFetcher.ValidationContinuation continueValidation_0,
     CertificateRequest certificateRequest_1, ValidationState state_2)
 {
     this.continueValidation = continueValidation_0;
     this.certificateRequest = certificateRequest_1;
     this.state = state_2;
     this.outer_CertificateFetcherFromNetwork = paramouter_CertificateFetcherFromNetwork;
 }
Exemple #6
0
        public override void checkPolicy(Interest interest, ValidationState state,
                                         ValidationPolicy.ValidationContinuation continueValidation)
        {
            Name keyName = net.named_data.jndn.security.v2.ValidationPolicy.getKeyLocatorName(interest, state);

            if (state.isOutcomeFailed())
            {
                // Already called state.fail() .
                return;
            }

            checkPolicyHelper(keyName, state, continueValidation);
        }
Exemple #7
0
 public void continueValidation(
     CertificateRequest certificateRequest,
     ValidationState state)
 {
     if (certificateRequest == null)
     {
         state.bypassValidation_();
     }
     else
     {
         // We need to fetch the key and validate it.
         outer_Validator.requestCertificate(certificateRequest, state);
     }
 }
Exemple #8
0
 /// <summary>
 /// Implement doFetch to use face_.expressInterest to fetch a certificate.
 /// </summary>
 ///
 /// <param name="certificateRequest_0"></param>
 /// <param name="state_1">The validation state.</param>
 /// <param name="continueValidation_2">is the fetched certificate and state is the ValidationState.</param>
 protected internal override void doFetch(CertificateRequest certificateRequest_0,
                                          ValidationState state_1,
                                          CertificateFetcher.ValidationContinuation continueValidation_2)
 {
     try {
         face_.expressInterest(certificateRequest_0.interest_, new CertificateFetcherFromNetwork.Anonymous_C2(continueValidation_2, state_1), new CertificateFetcherFromNetwork.Anonymous_C1(this, continueValidation_2, certificateRequest_0,
                                                                                                                                                                                             state_1), new CertificateFetcherFromNetwork.Anonymous_C0(this, state_1, certificateRequest_0,
                                                                                                                                                                                                                                                      continueValidation_2));
     } catch (IOException ex) {
         state_1.fail(new ValidationError(
                          net.named_data.jndn.security.v2.ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
                          "Error in expressInterest: " + ex));
     }
 }
Exemple #9
0
        /// <summary>
        /// Request a certificate for further validation.
        /// </summary>
        ///
        /// <param name="certificateRequest">The certificate request.</param>
        /// <param name="state">The current validation state.</param>
        internal void requestCertificate(CertificateRequest certificateRequest,
                                         ValidationState state)
        {
            if (state.getDepth() >= maxDepth_)
            {
                state.fail(new ValidationError(
                               net.named_data.jndn.security.v2.ValidationError.EXCEEDED_DEPTH_LIMIT,
                               "Exceeded validation depth limit"));
                return;
            }

            if (state
                .hasSeenCertificateName(certificateRequest.interest_.getName()))
            {
                state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.LOOP_DETECTED,
                                               "Validation loop detected for certificate `"
                                               + certificateRequest.interest_.getName().toUri()
                                               + "`"));
                return;
            }

            logger_.log(ILOG.J2CsMapping.Util.Logging.Level.FINE, "Retrieving {0}", certificateRequest.interest_
                        .getName().toUri());

            CertificateV2 certificate_0 = findTrustedCertificate(certificateRequest.interest_);

            if (certificate_0 != null)
            {
                logger_.log(ILOG.J2CsMapping.Util.Logging.Level.FINE, "Found trusted certificate {0}",
                            certificate_0.getName().toUri());

                certificate_0 = state.verifyCertificateChain_(certificate_0);
                if (certificate_0 != null)
                {
                    state.verifyOriginalPacket_(certificate_0);
                }

                for (int i = 0; i < state.getCertificateChain_().Count; ++i)
                {
                    cacheVerifiedCertificate(state.getCertificateChain_()[i]);
                }

                return;
            }

            certificateFetcher_.fetch(certificateRequest, state,
                                      new Validator.Anonymous_C0(this));
        }
Exemple #10
0
        public override void checkPolicy(Interest interest, ValidationState state,
                                         ValidationPolicy.ValidationContinuation continueValidation)
        {
            if (hasInnerPolicy())
            {
                throw new ValidatorConfigError(
                          "ValidationPolicyConfig must be a terminal inner policy");
            }

            if (shouldBypass_)
            {
                continueValidation.continueValidation(null, state);
                return;
            }

            Name keyLocatorName = net.named_data.jndn.security.v2.ValidationPolicy.getKeyLocatorName(interest, state);

            if (state.isOutcomeFailed())
            {
                // Already called state.fail() .
                return;
            }

            for (int i = 0; i < interestRules_.Count; ++i)
            {
                ConfigRule rule = interestRules_[i];

                if (rule.match(true, interest.getName()))
                {
                    if (rule.check(true, interest.getName(), keyLocatorName, state))
                    {
                        continueValidation
                        .continueValidation(new CertificateRequest(
                                                new Interest(keyLocatorName)), state);
                        return;
                    }
                    else
                    {
                        // rule.check failed and already called state.fail() .
                        return;
                    }
                }
            }

            state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.POLICY_ERROR,
                                           "No rule matched for interest `" + interest.getName().toUri()
                                           + "`"));
        }
        public override void checkPolicy(Interest interest, ValidationState state,
                                         ValidationPolicy.ValidationContinuation continueValidation)
        {
            Name[]   keyName_0   = new Name[1];
            double[] timestamp_1 = new double[1];
            if (!parseCommandInterest(interest, state, keyName_0, timestamp_1))
            {
                return;
            }

            if (!checkTimestamp(state, keyName_0[0], timestamp_1[0]))
            {
                return;
            }

            getInnerPolicy().checkPolicy(interest, state, continueValidation);
        }
Exemple #12
0
        /// <summary>
        /// Recursively validate the certificates in the certification chain.
        /// </summary>
        ///
        /// <param name="certificate_0">The certificate to check.</param>
        /// <param name="state">The current validation state.</param>
        internal void validateCertificate(CertificateV2 certificate_0,
                                          ValidationState state)
        {
            logger_.log(ILOG.J2CsMapping.Util.Logging.Level.FINE, "Start validating certificate {0}", certificate_0
                        .getName().toUri());

            if (!certificate_0.isValid())
            {
                state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.EXPIRED_CERTIFICATE,
                                               "Retrieved certificate is not yet valid or expired `"
                                               + certificate_0.getName().toUri() + "`"));
                return;
            }

            policy_.checkCertificatePolicy(certificate_0, state,
                                           new Validator.Anonymous_C1(this, certificate_0));
        }
Exemple #13
0
 public void continueValidation(
     CertificateRequest certificateRequest,
     ValidationState state)
 {
     if (certificateRequest == null)
     {
         state.fail(new ValidationError(
                        net.named_data.jndn.security.v2.ValidationError.POLICY_ERROR,
                        "Validation policy is not allowed to designate `"
                        + certificate.getName().toUri()
                        + "` as a trust anchor"));
     }
     else
     {
         // We need to fetch the key and validate it.
         state.addCertificate(certificate);
         outer_Validator.requestCertificate(certificateRequest, state);
     }
 }
        /// <summary>
        /// A helper method for getKeyLocatorName.
        /// </summary>
        ///
        private static Name getKeyLocatorNameFromSignature(Signature signatureInfo,
                                                           ValidationState state)
        {
            if (!net.named_data.jndn.KeyLocator.canGetFromSignature(signatureInfo))
            {
                state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.INVALID_KEY_LOCATOR,
                                               "KeyLocator is missing"));
                return(new Name());
            }

            KeyLocator keyLocator = net.named_data.jndn.KeyLocator.getFromSignature(signatureInfo);

            if (keyLocator.getType() != net.named_data.jndn.KeyLocatorType.KEYNAME)
            {
                state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.INVALID_KEY_LOCATOR,
                                               "KeyLocator type is not Name"));
                return(new Name());
            }

            return(keyLocator.getKeyName());
        }
        /// <param name="state">On error, this calls state.fail and returns false.</param>
        /// <param name="keyName_0">The key name.</param>
        /// <param name="timestamp_1">The timestamp as milliseconds since Jan 1, 1970 UTC.</param>
        /// <returns>On success, return true. On error, call state.fail and return false.</returns>
        private bool checkTimestamp(ValidationState state, Name keyName_0,
                                    double timestamp_1)
        {
            cleanUp();

            // nowOffsetMilliseconds_ is only used for testing.
            double now = net.named_data.jndn.util.Common.getNowMilliseconds() + nowOffsetMilliseconds_;

            if (timestamp_1 < now - options_.gracePeriod_ ||
                timestamp_1 > now + options_.gracePeriod_)
            {
                state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.POLICY_ERROR,
                                               "Timestamp is outside the grace period for key "
                                               + keyName_0.toUri()));
                return(false);
            }

            int index = findByKeyName(keyName_0);

            if (index >= 0)
            {
                if (timestamp_1 <= container_[index].timestamp_)
                {
                    state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.POLICY_ERROR,
                                                   "Timestamp is reordered for key " + keyName_0.toUri()));
                    return(false);
                }
            }

            InterestValidationState interestState = (InterestValidationState)state;

            interestState
            .addSuccessCallback(new ValidationPolicyCommandInterest.Anonymous_C0(this, timestamp_1, keyName_0));

            return(true);
        }
Exemple #16
0
        public override void checkPolicy(Interest interest, ValidationState state,
                                         ValidationPolicy.ValidationContinuation continueValidation)
        {
            Name keyLocatorName = net.named_data.jndn.security.v2.ValidationPolicy.getKeyLocatorName(interest, state);

            if (state.isOutcomeFailed())
            {
                // Already called state.fail().)
                return;
            }

            if (keyLocatorName.getPrefix(-2).isPrefixOf(interest.getName()))
            {
                continueValidation.continueValidation(new CertificateRequest(
                                                          new Interest(keyLocatorName)), state);
            }
            else
            {
                state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.INVALID_KEY_LOCATOR,
                                               "Interest signing policy violation for "
                                               + interest.getName().toUri() + " by "
                                               + keyLocatorName.toUri()));
            }
        }
 public override void checkPolicy(Data data, ValidationState state,
                                  ValidationPolicy.ValidationContinuation continueValidation)
 {
     getInnerPolicy().checkPolicy(data, state, continueValidation);
 }
 /// <summary>
 /// Extract the KeyLocator Name from a Data packet.
 /// The Data packet must contain a KeyLocator of type KEYNAME.
 /// Otherwise, state.fail is invoked with INVALID_KEY_LOCATOR.
 /// </summary>
 ///
 /// <param name="data">The Data packet with the KeyLocator.</param>
 /// <param name="state">On error, this calls state.fail and returns an empty Name.</param>
 /// <returns>The KeyLocator name, or an empty Name for failure.</returns>
 public static Name getKeyLocatorName(Data data, ValidationState state)
 {
     return(getKeyLocatorNameFromSignature(data.getSignature(), state));
 }
Exemple #19
0
 public Anonymous_C2(CertificateFetcher.ValidationContinuation continueValidation_0,
                     ValidationState state_1)
 {
     this.continueValidation = continueValidation_0;
     this.state = state_1;
 }
 /// <summary>
 /// Check the Interest against the policy.
 /// Your derived class must implement this.
 /// Depending on implementation of the policy, this check can be done
 /// synchronously or asynchronously.
 /// See the checkPolicy(Data) documentation for the semantics.
 /// </summary>
 ///
 /// <param name="interest">The Interest packet to check.</param>
 /// <param name="state">The ValidationState of this validation.</param>
 /// <param name="continueValidation"></param>
 public abstract void checkPolicy(Interest interest, ValidationState state,
                                  ValidationPolicy.ValidationContinuation continueValidation);
 /// <summary>
 /// Check the certificate against the policy.
 /// This base class implementation just calls checkPolicy(Data, ...). Your
 /// derived class may override.
 /// Depending on implementation of the policy, this check can be done
 /// synchronously or asynchronously.
 /// See the checkPolicy(Data) documentation for the semantics.
 /// </summary>
 ///
 /// <param name="certificate">The certificate to check.</param>
 /// <param name="state">The ValidationState of this validation.</param>
 /// <param name="continueValidation"></param>
 public void checkCertificatePolicy(CertificateV2 certificate,
                                    ValidationState state, ValidationPolicy.ValidationContinuation continueValidation)
 {
     checkPolicy(certificate, state, continueValidation);
 }
 /// <summary>
 /// Check the Data packet against the policy.
 /// Your derived class must implement this.
 /// Depending on the implementation of the policy, this check can be done
 /// synchronously or asynchronously.
 /// The semantics of checkPolicy are as follows:
 /// If the packet violates the policy, then the policy should call
 /// state.fail() with an appropriate error code and error description.
 /// If the packet conforms to the policy and no further key retrievals are
 /// necessary, then the policy should call
 /// continueValidation.continueValidation(null, state).
 /// If the packet conforms to the policy and a key needs to be fetched, then
 /// the policy should call
 /// continueValidation.continueValidation({appropriate-key-request-instance}, state).
 /// </summary>
 ///
 /// <param name="data">The Data packet to check.</param>
 /// <param name="state">The ValidationState of this validation.</param>
 /// <param name="continueValidation"></param>
 public abstract void checkPolicy(Data data, ValidationState state,
                                  ValidationPolicy.ValidationContinuation continueValidation);
Exemple #23
0
 public void continueValidation(CertificateV2 certificate_0,
                                ValidationState state)
 {
     outer_Validator.validateCertificate(certificate_0, state);
 }
 public void continueValidation(CertificateV2 certificate,
                                ValidationState state)
 {
     outer_CertificateFetcher.certificateStorage_.cacheUnverifiedCertificate(certificate);
     outerContinueValidation.continueValidation(certificate, state);
 }
 /// <summary>
 /// An implementation to fetch a certificate asynchronously. The subclass must
 /// implement this method.
 /// </summary>
 ///
 /// <param name="certificateRequest"></param>
 /// <param name="state">The validation state.</param>
 /// <param name="continueValidation">is the fetched certificate and state is the ValidationState.</param>
 protected abstract internal void doFetch(CertificateRequest certificateRequest,
                                          ValidationState state, CertificateFetcher.ValidationContinuation continueValidation);
 public override void checkPolicy(Interest interest, ValidationState state,
                                  ValidationPolicy.ValidationContinuation continueValidation)
 {
     continueValidation.continueValidation(null, state);
 }