/// <summary>
/// Asynchronously fetch a certificate. setCertificateStorage must have been
/// called first.
/// If the requested certificate exists in the storage, then this method will
/// immediately call continueValidation with the certificate. If certificate is
/// not available, then the implementation-specific doFetch will be called to
/// asynchronously fetch the certificate. The successfully-retrieved
/// certificate will be automatically added to the unverified cache of the
/// certificate storage.
/// When the requested certificate is retrieved, continueValidation is called.
/// Otherwise, the fetcher implementation calls state.failed() with the
/// appropriate error code and diagnostic message.
/// </summary>
///
/// <param name="certificateRequest"></param>
/// <param name="state">The validation state.</param>
/// <param name="continueValidation">is the fetched certificate and state is the ValidationState.</param>
public void fetch(CertificateRequest certificateRequest,
ValidationState state, CertificateFetcher.ValidationContinuation continueValidation)
{
if (certificateStorage_ == null)
{
throw new Exception(
"CertificateFetcher.fetch: You must first call setCertificateStorage");
}
CertificateV2 certificate = certificateStorage_
.getUnverifiedCertificateCache().find(
certificateRequest.interest_);
if (certificate != null)
{
logger_.log(ILOG.J2CsMapping.Util.Logging.Level.FINE,
"Found certificate in **un**verified key cache {0}",
certificate.getName().toUri());
continueValidation.continueValidation(certificate, state);
return;
}
// Rename continueValidation to avoid a loop.
CertificateFetcher.ValidationContinuation outerContinueValidation_0 = continueValidation;
// Fetch asynchronously.
doFetch(certificateRequest, state, new CertificateFetcher.Anonymous_C0(this, outerContinueValidation_0));
}
/// <summary>
/// Get the keyLocatorName and timestamp from the command interest.
/// </summary>
///
/// <param name="interest">The Interest to parse.</param>
/// <param name="state">On error, this calls state.fail and returns false.</param>
/// <param name="keyLocatorName">Set keyLocatorName[0] to the KeyLocator name.</param>
/// <param name="timestamp_0"></param>
/// <returns>On success, return true. On error, call state.fail and return false.</returns>
private static bool parseCommandInterest(Interest interest,
ValidationState state, Name[] keyLocatorName, double[] timestamp_0)
{
keyLocatorName[0] = new Name();
timestamp_0[0] = 0;
Name name = interest.getName();
if (name.size() < net.named_data.jndn.security.CommandInterestSigner.MINIMUM_SIZE)
{
state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.POLICY_ERROR,
"Command interest name `" + interest.getName().toUri()
+ "` is too short"));
return(false);
}
timestamp_0[0] = name.get(net.named_data.jndn.security.CommandInterestSigner.POS_TIMESTAMP).toNumber();
keyLocatorName[0] = net.named_data.jndn.security.v2.ValidationPolicy.getKeyLocatorName(interest, state);
if (state.isOutcomeFailed())
{
// Already failed.
return(false);
}
return(true);
}
protected internal override void doFetch(CertificateRequest certificateRequest,
ValidationState state, CertificateFetcher.ValidationContinuation continueValidation)
{
state.fail(new ValidationError(
net.named_data.jndn.security.v2.ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
"Cannot fetch certificate "
+ certificateRequest.interest_.getName().toUri()
+ " in offline mode"));
}
private void checkPolicyHelper(Name keyName, ValidationState state,
ValidationPolicy.ValidationContinuation continueValidation)
{
PibIdentity identity;
try {
identity = pib_.getIdentity(net.named_data.jndn.security.pib.PibKey
.extractIdentityFromKeyName(keyName));
} catch (Exception ex) {
state.fail(new ValidationError(
net.named_data.jndn.security.v2.ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
"Cannot get the PIB identity for key " + keyName.toUri()
+ ": " + ex));
return;
}
PibKey key;
try {
key = identity.getKey(keyName);
} catch (Exception ex_0) {
state.fail(new ValidationError(
net.named_data.jndn.security.v2.ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
"Cannot get the PIB key " + keyName.toUri() + ": " + ex_0));
return;
}
CertificateV2 certificate;
try {
certificate = key.getDefaultCertificate();
} catch (Exception ex_1) {
state.fail(new ValidationError(
net.named_data.jndn.security.v2.ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
"Cannot get the default certificate for key "
+ keyName.toUri() + ": " + ex_1));
return;
}
// Add the certificate as the temporary trust anchor.
validator_.resetAnchors();
try {
validator_.loadAnchor("", certificate);
} catch (Exception ex_2) {
// We don't expect this since we just retrieved the certificate.
state.fail(new ValidationError(
net.named_data.jndn.security.v2.ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
"Cannot load the trust anchor for key " + keyName.toUri()
+ ": " + ex_2));
return;
}
continueValidation.continueValidation(new CertificateRequest(
new Interest(keyName)), state);
// Clear the temporary trust anchor.
validator_.resetAnchors();
}
public Anonymous_C1(
CertificateFetcherFromNetwork paramouter_CertificateFetcherFromNetwork,
CertificateFetcher.ValidationContinuation continueValidation_0,
CertificateRequest certificateRequest_1, ValidationState state_2)
{
this.continueValidation = continueValidation_0;
this.certificateRequest = certificateRequest_1;
this.state = state_2;
this.outer_CertificateFetcherFromNetwork = paramouter_CertificateFetcherFromNetwork;
}
public override void checkPolicy(Interest interest, ValidationState state,
ValidationPolicy.ValidationContinuation continueValidation)
{
Name keyName = net.named_data.jndn.security.v2.ValidationPolicy.getKeyLocatorName(interest, state);
if (state.isOutcomeFailed())
{
// Already called state.fail() .
return;
}
checkPolicyHelper(keyName, state, continueValidation);
}
public void continueValidation(
CertificateRequest certificateRequest,
ValidationState state)
{
if (certificateRequest == null)
{
state.bypassValidation_();
}
else
{
// We need to fetch the key and validate it.
outer_Validator.requestCertificate(certificateRequest, state);
}
}
/// <summary>
/// Implement doFetch to use face_.expressInterest to fetch a certificate.
/// </summary>
///
/// <param name="certificateRequest_0"></param>
/// <param name="state_1">The validation state.</param>
/// <param name="continueValidation_2">is the fetched certificate and state is the ValidationState.</param>
protected internal override void doFetch(CertificateRequest certificateRequest_0,
ValidationState state_1,
CertificateFetcher.ValidationContinuation continueValidation_2)
{
try {
face_.expressInterest(certificateRequest_0.interest_, new CertificateFetcherFromNetwork.Anonymous_C2(continueValidation_2, state_1), new CertificateFetcherFromNetwork.Anonymous_C1(this, continueValidation_2, certificateRequest_0,
state_1), new CertificateFetcherFromNetwork.Anonymous_C0(this, state_1, certificateRequest_0,
continueValidation_2));
} catch (IOException ex) {
state_1.fail(new ValidationError(
net.named_data.jndn.security.v2.ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
"Error in expressInterest: " + ex));
}
}
/// <summary>
/// Request a certificate for further validation.
/// </summary>
///
/// <param name="certificateRequest">The certificate request.</param>
/// <param name="state">The current validation state.</param>
internal void requestCertificate(CertificateRequest certificateRequest,
ValidationState state)
{
if (state.getDepth() >= maxDepth_)
{
state.fail(new ValidationError(
net.named_data.jndn.security.v2.ValidationError.EXCEEDED_DEPTH_LIMIT,
"Exceeded validation depth limit"));
return;
}
if (state
.hasSeenCertificateName(certificateRequest.interest_.getName()))
{
state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.LOOP_DETECTED,
"Validation loop detected for certificate `"
+ certificateRequest.interest_.getName().toUri()
+ "`"));
return;
}
logger_.log(ILOG.J2CsMapping.Util.Logging.Level.FINE, "Retrieving {0}", certificateRequest.interest_
.getName().toUri());
CertificateV2 certificate_0 = findTrustedCertificate(certificateRequest.interest_);
if (certificate_0 != null)
{
logger_.log(ILOG.J2CsMapping.Util.Logging.Level.FINE, "Found trusted certificate {0}",
certificate_0.getName().toUri());
certificate_0 = state.verifyCertificateChain_(certificate_0);
if (certificate_0 != null)
{
state.verifyOriginalPacket_(certificate_0);
}
for (int i = 0; i < state.getCertificateChain_().Count; ++i)
{
cacheVerifiedCertificate(state.getCertificateChain_()[i]);
}
return;
}
certificateFetcher_.fetch(certificateRequest, state,
new Validator.Anonymous_C0(this));
}
public override void checkPolicy(Interest interest, ValidationState state,
ValidationPolicy.ValidationContinuation continueValidation)
{
if (hasInnerPolicy())
{
throw new ValidatorConfigError(
"ValidationPolicyConfig must be a terminal inner policy");
}
if (shouldBypass_)
{
continueValidation.continueValidation(null, state);
return;
}
Name keyLocatorName = net.named_data.jndn.security.v2.ValidationPolicy.getKeyLocatorName(interest, state);
if (state.isOutcomeFailed())
{
// Already called state.fail() .
return;
}
for (int i = 0; i < interestRules_.Count; ++i)
{
ConfigRule rule = interestRules_[i];
if (rule.match(true, interest.getName()))
{
if (rule.check(true, interest.getName(), keyLocatorName, state))
{
continueValidation
.continueValidation(new CertificateRequest(
new Interest(keyLocatorName)), state);
return;
}
else
{
// rule.check failed and already called state.fail() .
return;
}
}
}
state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.POLICY_ERROR,
"No rule matched for interest `" + interest.getName().toUri()
+ "`"));
}
public override void checkPolicy(Interest interest, ValidationState state,
ValidationPolicy.ValidationContinuation continueValidation)
{
Name[] keyName_0 = new Name[1];
double[] timestamp_1 = new double[1];
if (!parseCommandInterest(interest, state, keyName_0, timestamp_1))
{
return;
}
if (!checkTimestamp(state, keyName_0[0], timestamp_1[0]))
{
return;
}
getInnerPolicy().checkPolicy(interest, state, continueValidation);
}
/// <summary>
/// Recursively validate the certificates in the certification chain.
/// </summary>
///
/// <param name="certificate_0">The certificate to check.</param>
/// <param name="state">The current validation state.</param>
internal void validateCertificate(CertificateV2 certificate_0,
ValidationState state)
{
logger_.log(ILOG.J2CsMapping.Util.Logging.Level.FINE, "Start validating certificate {0}", certificate_0
.getName().toUri());
if (!certificate_0.isValid())
{
state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.EXPIRED_CERTIFICATE,
"Retrieved certificate is not yet valid or expired `"
+ certificate_0.getName().toUri() + "`"));
return;
}
policy_.checkCertificatePolicy(certificate_0, state,
new Validator.Anonymous_C1(this, certificate_0));
}
public void continueValidation(
CertificateRequest certificateRequest,
ValidationState state)
{
if (certificateRequest == null)
{
state.fail(new ValidationError(
net.named_data.jndn.security.v2.ValidationError.POLICY_ERROR,
"Validation policy is not allowed to designate `"
+ certificate.getName().toUri()
+ "` as a trust anchor"));
}
else
{
// We need to fetch the key and validate it.
state.addCertificate(certificate);
outer_Validator.requestCertificate(certificateRequest, state);
}
}
/// <summary>
/// A helper method for getKeyLocatorName.
/// </summary>
///
private static Name getKeyLocatorNameFromSignature(Signature signatureInfo,
ValidationState state)
{
if (!net.named_data.jndn.KeyLocator.canGetFromSignature(signatureInfo))
{
state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.INVALID_KEY_LOCATOR,
"KeyLocator is missing"));
return(new Name());
}
KeyLocator keyLocator = net.named_data.jndn.KeyLocator.getFromSignature(signatureInfo);
if (keyLocator.getType() != net.named_data.jndn.KeyLocatorType.KEYNAME)
{
state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.INVALID_KEY_LOCATOR,
"KeyLocator type is not Name"));
return(new Name());
}
return(keyLocator.getKeyName());
}
/// <param name="state">On error, this calls state.fail and returns false.</param>
/// <param name="keyName_0">The key name.</param>
/// <param name="timestamp_1">The timestamp as milliseconds since Jan 1, 1970 UTC.</param>
/// <returns>On success, return true. On error, call state.fail and return false.</returns>
private bool checkTimestamp(ValidationState state, Name keyName_0,
double timestamp_1)
{
cleanUp();
// nowOffsetMilliseconds_ is only used for testing.
double now = net.named_data.jndn.util.Common.getNowMilliseconds() + nowOffsetMilliseconds_;
if (timestamp_1 < now - options_.gracePeriod_ ||
timestamp_1 > now + options_.gracePeriod_)
{
state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.POLICY_ERROR,
"Timestamp is outside the grace period for key "
+ keyName_0.toUri()));
return(false);
}
int index = findByKeyName(keyName_0);
if (index >= 0)
{
if (timestamp_1 <= container_[index].timestamp_)
{
state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.POLICY_ERROR,
"Timestamp is reordered for key " + keyName_0.toUri()));
return(false);
}
}
InterestValidationState interestState = (InterestValidationState)state;
interestState
.addSuccessCallback(new ValidationPolicyCommandInterest.Anonymous_C0(this, timestamp_1, keyName_0));
return(true);
}
public override void checkPolicy(Interest interest, ValidationState state,
ValidationPolicy.ValidationContinuation continueValidation)
{
Name keyLocatorName = net.named_data.jndn.security.v2.ValidationPolicy.getKeyLocatorName(interest, state);
if (state.isOutcomeFailed())
{
// Already called state.fail().)
return;
}
if (keyLocatorName.getPrefix(-2).isPrefixOf(interest.getName()))
{
continueValidation.continueValidation(new CertificateRequest(
new Interest(keyLocatorName)), state);
}
else
{
state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.INVALID_KEY_LOCATOR,
"Interest signing policy violation for "
+ interest.getName().toUri() + " by "
+ keyLocatorName.toUri()));
}
}
public override void checkPolicy(Data data, ValidationState state,
ValidationPolicy.ValidationContinuation continueValidation)
{
getInnerPolicy().checkPolicy(data, state, continueValidation);
}
/// <summary>
/// Extract the KeyLocator Name from a Data packet.
/// The Data packet must contain a KeyLocator of type KEYNAME.
/// Otherwise, state.fail is invoked with INVALID_KEY_LOCATOR.
/// </summary>
///
/// <param name="data">The Data packet with the KeyLocator.</param>
/// <param name="state">On error, this calls state.fail and returns an empty Name.</param>
/// <returns>The KeyLocator name, or an empty Name for failure.</returns>
public static Name getKeyLocatorName(Data data, ValidationState state)
{
return(getKeyLocatorNameFromSignature(data.getSignature(), state));
}
public Anonymous_C2(CertificateFetcher.ValidationContinuation continueValidation_0,
ValidationState state_1)
{
this.continueValidation = continueValidation_0;
this.state = state_1;
}
/// <summary>
/// Check the Interest against the policy.
/// Your derived class must implement this.
/// Depending on implementation of the policy, this check can be done
/// synchronously or asynchronously.
/// See the checkPolicy(Data) documentation for the semantics.
/// </summary>
///
/// <param name="interest">The Interest packet to check.</param>
/// <param name="state">The ValidationState of this validation.</param>
/// <param name="continueValidation"></param>
public abstract void checkPolicy(Interest interest, ValidationState state,
ValidationPolicy.ValidationContinuation continueValidation);
/// <summary>
/// Check the certificate against the policy.
/// This base class implementation just calls checkPolicy(Data, ...). Your
/// derived class may override.
/// Depending on implementation of the policy, this check can be done
/// synchronously or asynchronously.
/// See the checkPolicy(Data) documentation for the semantics.
/// </summary>
///
/// <param name="certificate">The certificate to check.</param>
/// <param name="state">The ValidationState of this validation.</param>
/// <param name="continueValidation"></param>
public void checkCertificatePolicy(CertificateV2 certificate,
ValidationState state, ValidationPolicy.ValidationContinuation continueValidation)
{
checkPolicy(certificate, state, continueValidation);
}
/// <summary>
/// Check the Data packet against the policy.
/// Your derived class must implement this.
/// Depending on the implementation of the policy, this check can be done
/// synchronously or asynchronously.
/// The semantics of checkPolicy are as follows:
/// If the packet violates the policy, then the policy should call
/// state.fail() with an appropriate error code and error description.
/// If the packet conforms to the policy and no further key retrievals are
/// necessary, then the policy should call
/// continueValidation.continueValidation(null, state).
/// If the packet conforms to the policy and a key needs to be fetched, then
/// the policy should call
/// continueValidation.continueValidation({appropriate-key-request-instance}, state).
/// </summary>
///
/// <param name="data">The Data packet to check.</param>
/// <param name="state">The ValidationState of this validation.</param>
/// <param name="continueValidation"></param>
public abstract void checkPolicy(Data data, ValidationState state,
ValidationPolicy.ValidationContinuation continueValidation);
public void continueValidation(CertificateV2 certificate_0,
ValidationState state)
{
outer_Validator.validateCertificate(certificate_0, state);
}
public void continueValidation(CertificateV2 certificate,
ValidationState state)
{
outer_CertificateFetcher.certificateStorage_.cacheUnverifiedCertificate(certificate);
outerContinueValidation.continueValidation(certificate, state);
}
/// <summary>
/// An implementation to fetch a certificate asynchronously. The subclass must
/// implement this method.
/// </summary>
///
/// <param name="certificateRequest"></param>
/// <param name="state">The validation state.</param>
/// <param name="continueValidation">is the fetched certificate and state is the ValidationState.</param>
protected abstract internal void doFetch(CertificateRequest certificateRequest,
ValidationState state, CertificateFetcher.ValidationContinuation continueValidation);
public override void checkPolicy(Interest interest, ValidationState state,
ValidationPolicy.ValidationContinuation continueValidation)
{
continueValidation.continueValidation(null, state);
}
