/// <summary> /// Asynchronously fetch a certificate. setCertificateStorage must have been /// called first. /// If the requested certificate exists in the storage, then this method will /// immediately call continueValidation with the certificate. If certificate is /// not available, then the implementation-specific doFetch will be called to /// asynchronously fetch the certificate. The successfully-retrieved /// certificate will be automatically added to the unverified cache of the /// certificate storage. /// When the requested certificate is retrieved, continueValidation is called. /// Otherwise, the fetcher implementation calls state.failed() with the /// appropriate error code and diagnostic message. /// </summary> /// /// <param name="certificateRequest"></param> /// <param name="state">The validation state.</param> /// <param name="continueValidation">is the fetched certificate and state is the ValidationState.</param> public void fetch(CertificateRequest certificateRequest, ValidationState state, CertificateFetcher.ValidationContinuation continueValidation) { if (certificateStorage_ == null) { throw new Exception( "CertificateFetcher.fetch: You must first call setCertificateStorage"); } CertificateV2 certificate = certificateStorage_ .getUnverifiedCertificateCache().find( certificateRequest.interest_); if (certificate != null) { logger_.log(ILOG.J2CsMapping.Util.Logging.Level.FINE, "Found certificate in **un**verified key cache {0}", certificate.getName().toUri()); continueValidation.continueValidation(certificate, state); return; } // Rename continueValidation to avoid a loop. CertificateFetcher.ValidationContinuation outerContinueValidation_0 = continueValidation; // Fetch asynchronously. doFetch(certificateRequest, state, new CertificateFetcher.Anonymous_C0(this, outerContinueValidation_0)); }
/// <summary> /// Get the keyLocatorName and timestamp from the command interest. /// </summary> /// /// <param name="interest">The Interest to parse.</param> /// <param name="state">On error, this calls state.fail and returns false.</param> /// <param name="keyLocatorName">Set keyLocatorName[0] to the KeyLocator name.</param> /// <param name="timestamp_0"></param> /// <returns>On success, return true. On error, call state.fail and return false.</returns> private static bool parseCommandInterest(Interest interest, ValidationState state, Name[] keyLocatorName, double[] timestamp_0) { keyLocatorName[0] = new Name(); timestamp_0[0] = 0; Name name = interest.getName(); if (name.size() < net.named_data.jndn.security.CommandInterestSigner.MINIMUM_SIZE) { state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.POLICY_ERROR, "Command interest name `" + interest.getName().toUri() + "` is too short")); return(false); } timestamp_0[0] = name.get(net.named_data.jndn.security.CommandInterestSigner.POS_TIMESTAMP).toNumber(); keyLocatorName[0] = net.named_data.jndn.security.v2.ValidationPolicy.getKeyLocatorName(interest, state); if (state.isOutcomeFailed()) { // Already failed. return(false); } return(true); }
protected internal override void doFetch(CertificateRequest certificateRequest, ValidationState state, CertificateFetcher.ValidationContinuation continueValidation) { state.fail(new ValidationError( net.named_data.jndn.security.v2.ValidationError.CANNOT_RETRIEVE_CERTIFICATE, "Cannot fetch certificate " + certificateRequest.interest_.getName().toUri() + " in offline mode")); }
private void checkPolicyHelper(Name keyName, ValidationState state, ValidationPolicy.ValidationContinuation continueValidation) { PibIdentity identity; try { identity = pib_.getIdentity(net.named_data.jndn.security.pib.PibKey .extractIdentityFromKeyName(keyName)); } catch (Exception ex) { state.fail(new ValidationError( net.named_data.jndn.security.v2.ValidationError.CANNOT_RETRIEVE_CERTIFICATE, "Cannot get the PIB identity for key " + keyName.toUri() + ": " + ex)); return; } PibKey key; try { key = identity.getKey(keyName); } catch (Exception ex_0) { state.fail(new ValidationError( net.named_data.jndn.security.v2.ValidationError.CANNOT_RETRIEVE_CERTIFICATE, "Cannot get the PIB key " + keyName.toUri() + ": " + ex_0)); return; } CertificateV2 certificate; try { certificate = key.getDefaultCertificate(); } catch (Exception ex_1) { state.fail(new ValidationError( net.named_data.jndn.security.v2.ValidationError.CANNOT_RETRIEVE_CERTIFICATE, "Cannot get the default certificate for key " + keyName.toUri() + ": " + ex_1)); return; } // Add the certificate as the temporary trust anchor. validator_.resetAnchors(); try { validator_.loadAnchor("", certificate); } catch (Exception ex_2) { // We don't expect this since we just retrieved the certificate. state.fail(new ValidationError( net.named_data.jndn.security.v2.ValidationError.CANNOT_RETRIEVE_CERTIFICATE, "Cannot load the trust anchor for key " + keyName.toUri() + ": " + ex_2)); return; } continueValidation.continueValidation(new CertificateRequest( new Interest(keyName)), state); // Clear the temporary trust anchor. validator_.resetAnchors(); }
public Anonymous_C1( CertificateFetcherFromNetwork paramouter_CertificateFetcherFromNetwork, CertificateFetcher.ValidationContinuation continueValidation_0, CertificateRequest certificateRequest_1, ValidationState state_2) { this.continueValidation = continueValidation_0; this.certificateRequest = certificateRequest_1; this.state = state_2; this.outer_CertificateFetcherFromNetwork = paramouter_CertificateFetcherFromNetwork; }
public override void checkPolicy(Interest interest, ValidationState state, ValidationPolicy.ValidationContinuation continueValidation) { Name keyName = net.named_data.jndn.security.v2.ValidationPolicy.getKeyLocatorName(interest, state); if (state.isOutcomeFailed()) { // Already called state.fail() . return; } checkPolicyHelper(keyName, state, continueValidation); }
public void continueValidation( CertificateRequest certificateRequest, ValidationState state) { if (certificateRequest == null) { state.bypassValidation_(); } else { // We need to fetch the key and validate it. outer_Validator.requestCertificate(certificateRequest, state); } }
/// <summary> /// Implement doFetch to use face_.expressInterest to fetch a certificate. /// </summary> /// /// <param name="certificateRequest_0"></param> /// <param name="state_1">The validation state.</param> /// <param name="continueValidation_2">is the fetched certificate and state is the ValidationState.</param> protected internal override void doFetch(CertificateRequest certificateRequest_0, ValidationState state_1, CertificateFetcher.ValidationContinuation continueValidation_2) { try { face_.expressInterest(certificateRequest_0.interest_, new CertificateFetcherFromNetwork.Anonymous_C2(continueValidation_2, state_1), new CertificateFetcherFromNetwork.Anonymous_C1(this, continueValidation_2, certificateRequest_0, state_1), new CertificateFetcherFromNetwork.Anonymous_C0(this, state_1, certificateRequest_0, continueValidation_2)); } catch (IOException ex) { state_1.fail(new ValidationError( net.named_data.jndn.security.v2.ValidationError.CANNOT_RETRIEVE_CERTIFICATE, "Error in expressInterest: " + ex)); } }
/// <summary> /// Request a certificate for further validation. /// </summary> /// /// <param name="certificateRequest">The certificate request.</param> /// <param name="state">The current validation state.</param> internal void requestCertificate(CertificateRequest certificateRequest, ValidationState state) { if (state.getDepth() >= maxDepth_) { state.fail(new ValidationError( net.named_data.jndn.security.v2.ValidationError.EXCEEDED_DEPTH_LIMIT, "Exceeded validation depth limit")); return; } if (state .hasSeenCertificateName(certificateRequest.interest_.getName())) { state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.LOOP_DETECTED, "Validation loop detected for certificate `" + certificateRequest.interest_.getName().toUri() + "`")); return; } logger_.log(ILOG.J2CsMapping.Util.Logging.Level.FINE, "Retrieving {0}", certificateRequest.interest_ .getName().toUri()); CertificateV2 certificate_0 = findTrustedCertificate(certificateRequest.interest_); if (certificate_0 != null) { logger_.log(ILOG.J2CsMapping.Util.Logging.Level.FINE, "Found trusted certificate {0}", certificate_0.getName().toUri()); certificate_0 = state.verifyCertificateChain_(certificate_0); if (certificate_0 != null) { state.verifyOriginalPacket_(certificate_0); } for (int i = 0; i < state.getCertificateChain_().Count; ++i) { cacheVerifiedCertificate(state.getCertificateChain_()[i]); } return; } certificateFetcher_.fetch(certificateRequest, state, new Validator.Anonymous_C0(this)); }
public override void checkPolicy(Interest interest, ValidationState state, ValidationPolicy.ValidationContinuation continueValidation) { if (hasInnerPolicy()) { throw new ValidatorConfigError( "ValidationPolicyConfig must be a terminal inner policy"); } if (shouldBypass_) { continueValidation.continueValidation(null, state); return; } Name keyLocatorName = net.named_data.jndn.security.v2.ValidationPolicy.getKeyLocatorName(interest, state); if (state.isOutcomeFailed()) { // Already called state.fail() . return; } for (int i = 0; i < interestRules_.Count; ++i) { ConfigRule rule = interestRules_[i]; if (rule.match(true, interest.getName())) { if (rule.check(true, interest.getName(), keyLocatorName, state)) { continueValidation .continueValidation(new CertificateRequest( new Interest(keyLocatorName)), state); return; } else { // rule.check failed and already called state.fail() . return; } } } state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.POLICY_ERROR, "No rule matched for interest `" + interest.getName().toUri() + "`")); }
public override void checkPolicy(Interest interest, ValidationState state, ValidationPolicy.ValidationContinuation continueValidation) { Name[] keyName_0 = new Name[1]; double[] timestamp_1 = new double[1]; if (!parseCommandInterest(interest, state, keyName_0, timestamp_1)) { return; } if (!checkTimestamp(state, keyName_0[0], timestamp_1[0])) { return; } getInnerPolicy().checkPolicy(interest, state, continueValidation); }
/// <summary> /// Recursively validate the certificates in the certification chain. /// </summary> /// /// <param name="certificate_0">The certificate to check.</param> /// <param name="state">The current validation state.</param> internal void validateCertificate(CertificateV2 certificate_0, ValidationState state) { logger_.log(ILOG.J2CsMapping.Util.Logging.Level.FINE, "Start validating certificate {0}", certificate_0 .getName().toUri()); if (!certificate_0.isValid()) { state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.EXPIRED_CERTIFICATE, "Retrieved certificate is not yet valid or expired `" + certificate_0.getName().toUri() + "`")); return; } policy_.checkCertificatePolicy(certificate_0, state, new Validator.Anonymous_C1(this, certificate_0)); }
public void continueValidation( CertificateRequest certificateRequest, ValidationState state) { if (certificateRequest == null) { state.fail(new ValidationError( net.named_data.jndn.security.v2.ValidationError.POLICY_ERROR, "Validation policy is not allowed to designate `" + certificate.getName().toUri() + "` as a trust anchor")); } else { // We need to fetch the key and validate it. state.addCertificate(certificate); outer_Validator.requestCertificate(certificateRequest, state); } }
/// <summary> /// A helper method for getKeyLocatorName. /// </summary> /// private static Name getKeyLocatorNameFromSignature(Signature signatureInfo, ValidationState state) { if (!net.named_data.jndn.KeyLocator.canGetFromSignature(signatureInfo)) { state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.INVALID_KEY_LOCATOR, "KeyLocator is missing")); return(new Name()); } KeyLocator keyLocator = net.named_data.jndn.KeyLocator.getFromSignature(signatureInfo); if (keyLocator.getType() != net.named_data.jndn.KeyLocatorType.KEYNAME) { state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.INVALID_KEY_LOCATOR, "KeyLocator type is not Name")); return(new Name()); } return(keyLocator.getKeyName()); }
/// <param name="state">On error, this calls state.fail and returns false.</param> /// <param name="keyName_0">The key name.</param> /// <param name="timestamp_1">The timestamp as milliseconds since Jan 1, 1970 UTC.</param> /// <returns>On success, return true. On error, call state.fail and return false.</returns> private bool checkTimestamp(ValidationState state, Name keyName_0, double timestamp_1) { cleanUp(); // nowOffsetMilliseconds_ is only used for testing. double now = net.named_data.jndn.util.Common.getNowMilliseconds() + nowOffsetMilliseconds_; if (timestamp_1 < now - options_.gracePeriod_ || timestamp_1 > now + options_.gracePeriod_) { state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.POLICY_ERROR, "Timestamp is outside the grace period for key " + keyName_0.toUri())); return(false); } int index = findByKeyName(keyName_0); if (index >= 0) { if (timestamp_1 <= container_[index].timestamp_) { state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.POLICY_ERROR, "Timestamp is reordered for key " + keyName_0.toUri())); return(false); } } InterestValidationState interestState = (InterestValidationState)state; interestState .addSuccessCallback(new ValidationPolicyCommandInterest.Anonymous_C0(this, timestamp_1, keyName_0)); return(true); }
public override void checkPolicy(Interest interest, ValidationState state, ValidationPolicy.ValidationContinuation continueValidation) { Name keyLocatorName = net.named_data.jndn.security.v2.ValidationPolicy.getKeyLocatorName(interest, state); if (state.isOutcomeFailed()) { // Already called state.fail().) return; } if (keyLocatorName.getPrefix(-2).isPrefixOf(interest.getName())) { continueValidation.continueValidation(new CertificateRequest( new Interest(keyLocatorName)), state); } else { state.fail(new ValidationError(net.named_data.jndn.security.v2.ValidationError.INVALID_KEY_LOCATOR, "Interest signing policy violation for " + interest.getName().toUri() + " by " + keyLocatorName.toUri())); } }
public override void checkPolicy(Data data, ValidationState state, ValidationPolicy.ValidationContinuation continueValidation) { getInnerPolicy().checkPolicy(data, state, continueValidation); }
/// <summary> /// Extract the KeyLocator Name from a Data packet. /// The Data packet must contain a KeyLocator of type KEYNAME. /// Otherwise, state.fail is invoked with INVALID_KEY_LOCATOR. /// </summary> /// /// <param name="data">The Data packet with the KeyLocator.</param> /// <param name="state">On error, this calls state.fail and returns an empty Name.</param> /// <returns>The KeyLocator name, or an empty Name for failure.</returns> public static Name getKeyLocatorName(Data data, ValidationState state) { return(getKeyLocatorNameFromSignature(data.getSignature(), state)); }
public Anonymous_C2(CertificateFetcher.ValidationContinuation continueValidation_0, ValidationState state_1) { this.continueValidation = continueValidation_0; this.state = state_1; }
/// <summary> /// Check the Interest against the policy. /// Your derived class must implement this. /// Depending on implementation of the policy, this check can be done /// synchronously or asynchronously. /// See the checkPolicy(Data) documentation for the semantics. /// </summary> /// /// <param name="interest">The Interest packet to check.</param> /// <param name="state">The ValidationState of this validation.</param> /// <param name="continueValidation"></param> public abstract void checkPolicy(Interest interest, ValidationState state, ValidationPolicy.ValidationContinuation continueValidation);
/// <summary> /// Check the certificate against the policy. /// This base class implementation just calls checkPolicy(Data, ...). Your /// derived class may override. /// Depending on implementation of the policy, this check can be done /// synchronously or asynchronously. /// See the checkPolicy(Data) documentation for the semantics. /// </summary> /// /// <param name="certificate">The certificate to check.</param> /// <param name="state">The ValidationState of this validation.</param> /// <param name="continueValidation"></param> public void checkCertificatePolicy(CertificateV2 certificate, ValidationState state, ValidationPolicy.ValidationContinuation continueValidation) { checkPolicy(certificate, state, continueValidation); }
/// <summary> /// Check the Data packet against the policy. /// Your derived class must implement this. /// Depending on the implementation of the policy, this check can be done /// synchronously or asynchronously. /// The semantics of checkPolicy are as follows: /// If the packet violates the policy, then the policy should call /// state.fail() with an appropriate error code and error description. /// If the packet conforms to the policy and no further key retrievals are /// necessary, then the policy should call /// continueValidation.continueValidation(null, state). /// If the packet conforms to the policy and a key needs to be fetched, then /// the policy should call /// continueValidation.continueValidation({appropriate-key-request-instance}, state). /// </summary> /// /// <param name="data">The Data packet to check.</param> /// <param name="state">The ValidationState of this validation.</param> /// <param name="continueValidation"></param> public abstract void checkPolicy(Data data, ValidationState state, ValidationPolicy.ValidationContinuation continueValidation);
public void continueValidation(CertificateV2 certificate_0, ValidationState state) { outer_Validator.validateCertificate(certificate_0, state); }
public void continueValidation(CertificateV2 certificate, ValidationState state) { outer_CertificateFetcher.certificateStorage_.cacheUnverifiedCertificate(certificate); outerContinueValidation.continueValidation(certificate, state); }
/// <summary> /// An implementation to fetch a certificate asynchronously. The subclass must /// implement this method. /// </summary> /// /// <param name="certificateRequest"></param> /// <param name="state">The validation state.</param> /// <param name="continueValidation">is the fetched certificate and state is the ValidationState.</param> protected abstract internal void doFetch(CertificateRequest certificateRequest, ValidationState state, CertificateFetcher.ValidationContinuation continueValidation);
public override void checkPolicy(Interest interest, ValidationState state, ValidationPolicy.ValidationContinuation continueValidation) { continueValidation.continueValidation(null, state); }