From 75b1c6b5d5459b95cba1dbc4a471a12e58614a9a Mon Sep 17 00:00:00 2001 From: Tianyuan Yu Date: Tue, 15 Aug 2023 05:38:52 +0000 Subject: [PATCH] refactor consumer certificate fetching --- examples/kp-aa-example.cpp | 19 ++++-- examples/kp-consumer-example.cpp | 40 ++++++++---- examples/kp-producer-example.cpp | 9 ++- examples/run-examples.sh | 9 ++- src/attribute-authority.cpp | 75 ++++++++++++++-------- src/attribute-authority.hpp | 15 +++-- src/param-fetcher.cpp | 1 - src/producer.cpp | 61 ++++++++++-------- src/producer.hpp | 2 +- src/trust-config.cpp | 37 ++++++++--- src/trust-config.hpp | 13 +++- tests/unit-tests/attribute-authority.t.cpp | 23 ++++--- tests/unit-tests/integrated-test.t.cpp | 35 ++++++---- tests/unit-tests/producer.t.cpp | 31 +++------ 14 files changed, 230 insertions(+), 140 deletions(-) diff --git a/examples/kp-aa-example.cpp b/examples/kp-aa-example.cpp index 65c9c35..372175a 100644 --- a/examples/kp-aa-example.cpp +++ b/examples/kp-aa-example.cpp 
@@ -28,21 +28,25 @@ namespace examples { using ndn::nacabe::KpAttributeAuthority; -ndn::KeyChain m_keyChain; -ndn::security::Certificate m_cert = m_keyChain.getPib().getIdentity("/example/aa").getDefaultKey().getDefaultCertificate(); class AttributeAuthority { public: AttributeAuthority() - : m_aa(m_cert, m_face, m_keyChain) + : m_aaCert(m_keyChain.getPib().getIdentity("/example/aa").getDefaultKey().getDefaultCertificate()) + , m_aa(m_aaCert, m_face, m_validator, m_keyChain) { auto consumerCert1 = m_keyChain.getPib().getIdentity("/example/consumer").getDefaultKey().getDefaultCertificate(); - m_aa.addNewPolicy(consumerCert1, "attribute"); + // 1. this approach will directly use the certificate passed in without validation + // m_aa.addNewPolicy(consumerCert1, "attribute"); + // 2. this approach will try fetch corresponding certificate when receiving + // corresponding DKEY Interest + m_aa.addNewPolicy("/example/consumer", "attribute"); + m_validator.load("trust-schema.conf"); // self certificate filter - m_face.setInterestFilter(m_cert.getKeyName(), + m_face.setInterestFilter(m_aaCert.getKeyName(), [this] (auto&...) { - m_face.put(m_cert); + m_face.put(m_aaCert); } ); } @@ -55,6 +59,9 @@ class AttributeAuthority private: ndn::Face m_face; + ndn::KeyChain m_keyChain; + ndn::ValidatorConfig m_validator{m_face}; + ndn::security::Certificate m_aaCert; KpAttributeAuthority m_aa; }; diff --git a/examples/kp-consumer-example.cpp b/examples/kp-consumer-example.cpp index f58f85b..384a37f 100644 --- a/examples/kp-consumer-example.cpp +++ b/examples/kp-consumer-example.cpp 
@@ -26,26 +26,43 @@ #include +using namespace ndn::time_literals; namespace examples { class Consumer { public: Consumer() - : m_producerCert(m_keyChain.getPib().getIdentity("/example/producer").getDefaultKey().getDefaultCertificate()) - , m_consumerCert(m_keyChain.getPib().getIdentity("/example/consumer").getDefaultKey().getDefaultCertificate()) - , m_consumer(m_face, m_keyChain, m_validator, m_consumerCert, - m_keyChain.getPib().getIdentity("/example/aa").getDefaultKey().getDefaultCertificate()) + : m_consumerCert(m_keyChain.getPib().getIdentity("/example/consumer").getDefaultKey().getDefaultCertificate()) { m_validator.load("trust-schema.conf"); - m_consumer.obtainDecryptionKey(); + m_face.registerPrefix(m_consumerCert.getIdentity(), + [this] (const ndn::Name& name) { + m_face.setInterestFilter(m_consumerCert.getKeyName(), + [=] (const auto&, const auto& interest) { + std::cout << ">> I: " << interest << std::endl; + // for own certificate + m_face.put(m_consumerCert); + } + ); + m_consumer = std::make_shared( + m_face, m_keyChain, m_validator, m_consumerCert, + m_keyChain.getPib().getIdentity("/example/aa").getDefaultKey().getDefaultCertificate() + ); + m_consumer->obtainDecryptionKey(); + }, + [this] (const auto& prefix, const std::string& reason) { + std::cerr << "ERROR: Failed to register prefix '" << prefix + << "' with the local forwarder (" << reason << ")" << std::endl; + m_face.shutdown(); + } + ); } void run() { - ndn::Name dataName("/randomData"); - m_consumer.consume(m_producerCert.getIdentity().append(dataName), + m_consumer->consume("/example/producer/randomData", [] (const auto& result) { std::cout << "Received data: " << std::string(result.begin(), result.end()) << std::endl; }, @@ -53,8 +70,7 @@ class Consumer std::cout << "Error: " << error << std::endl; } ); - - m_face.processEvents(); + processEvents(1_s); } void processEvents(ndn::time::milliseconds ms) 
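Review bot: `run()` dereferences `m_consumer` unconditionally, but the new code only assigns it inside the registerPrefix success callback, so calling `run()` before registration has completed (main only waits a fixed `processEvents(1_s)`) or after the failure callback has shut the face down is a null `shared_ptr` dereference. Guard it at the top of `run()`: `if (!m_consumer) { std::cerr << "ERROR: consumer not ready (prefix not registered)" << std::endl; return; }`. The interest-filter lambda's `[=]` also captures `this` implicitly; since the face stores that lambda, spelling it `[this]` states the lifetime dependency explicitly. `processEvents` is only started in this hunk and its body lies outside it.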
@@ -66,9 +82,8 @@ class Consumer ndn::Face m_face; ndn::KeyChain m_keyChain; ndn::ValidatorConfig m_validator{m_face}; - ndn::security::Certificate m_producerCert; ndn::security::Certificate m_consumerCert; - ndn::nacabe::Consumer m_consumer; + std::shared_ptr m_consumer; }; } // namespace examples @@ -76,11 +91,10 @@ class Consumer int main(int argc, char** argv) { - using namespace ndn::time_literals; try { examples::Consumer consumer; - consumer.processEvents(5_s); + consumer.processEvents(1_s); consumer.run(); return 0; } diff --git a/examples/kp-producer-example.cpp b/examples/kp-producer-example.cpp index bb78330..ef34689 100644 --- a/examples/kp-producer-example.cpp +++ b/examples/kp-producer-example.cpp @@ -29,13 +29,11 @@ namespace examples { -ndn::KeyChain m_keyChain; -ndn::security::Certificate m_cert = m_keyChain.getPib().getIdentity("/example/producer").getDefaultKey().getDefaultCertificate(); class Producer { public: Producer() - : m_producerCert(m_cert) + : m_producerCert(m_keyChain.getPib().getIdentity("/example/producer").getDefaultKey().getDefaultCertificate()) , m_producer(m_face, m_keyChain, m_validator, m_producerCert, m_keyChain.getPib().getIdentity("/example/aa").getDefaultKey().getDefaultCertificate()) { @@ -72,8 +70,8 @@ class Producer [=] (const auto&, const auto& interest) { std::cout << ">> I: " << interest << std::endl; // for own certificate - if (interest.getName().isPrefixOf(m_cert.getName())) { - m_face.put(m_cert); + if (interest.getName().isPrefixOf(m_producerCert.getName())) { + m_face.put(m_producerCert); } // for content data segments putSegments(interest, contentData); @@ -96,6 +94,7 @@ class Producer private: ndn::Face m_face; + ndn::KeyChain m_keyChain; ndn::ValidatorConfig m_validator{m_face}; ndn::security::Certificate m_producerCert; ndn::nacabe::Producer m_producer; diff --git a/examples/run-examples.sh b/examples/run-examples.sh index 0710f73..594f788 100644 --- a/examples/run-examples.sh +++ b/examples/run-examples.sh 
@@ -4,11 +4,12 @@ # If you would like to try on a normal user account, make sure that identity /consumerPrefix1, /aaPrefix, /producerPrefix # are not used, as these keys will be deleted. -if ndnsec list | grep "/example/consumer\|/example/aa\|/example/producer" +if ndnsec list | grep "/example" then echo "cleaning example identities" - ndnsec delete /example/consumer + ndnsec delete /example ndnsec delete /example/aa + ndnsec delete /example/consumer ndnsec delete /example/producer fi @@ -26,6 +27,9 @@ ndnsec sign-req /example/producer | ndnsec cert-gen -s /example -i example | ndn ndnsec key-gen -t r /example/consumer > /dev/null ndnsec sign-req /example/consumer | ndnsec cert-gen -s /example -i example | ndnsec cert-install - +# cp example-trust-anchor.cert $1/examples/example-trust-anchor.cert +# cp trust-schema.conf $1/examples/trust-schema.conf +nfdc cs erase /example $1/examples/kp-aa-example & aa_pid=$! sleep 1 @@ -39,6 +43,7 @@ exit_val=$? kill $aa_pid kill $pro_pid +ndnsec delete /example ndnsec delete /example/consumer ndnsec delete /example/aa ndnsec delete /example/producer diff --git a/src/attribute-authority.cpp b/src/attribute-authority.cpp index 35d3011..043b44b 100644 --- a/src/attribute-authority.cpp +++ b/src/attribute-authority.cpp @@ -31,9 +31,11 @@ namespace nacabe { NDN_LOG_INIT(nacabe.AttributeAuthority); AttributeAuthority::AttributeAuthority(const security::Certificate& identityCert, Face& face, - KeyChain& keyChain, const AbeType& abeType, size_t maxSegmentSize) + security::Validator& validator, KeyChain& keyChain, + const AbeType& abeType, size_t maxSegmentSize) : m_cert(identityCert) , m_face(face) + , m_validator(validator) , m_keyChain(keyChain) , m_abeType(abeType) , m_maxSegmentSize(maxSegmentSize) 
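Review bot: The new guard `grep "/example"` matches any identity whose name merely contains that substring (for example `/example2` or `/foo/example`), and the branch it guards now also runs `ndnsec delete /example`, so a stray match deletes keys the script never created. Anchor the match to the exact identity, e.g. `grep -qE "(^|[[:space:]])/example(/|$)"` (constructed pattern; confirm against the `ndnsec list` output format). The comment above the hunk still names `/consumerPrefix1`, `/aaPrefix` and `/producerPrefix`; it should list `/example` and its sub-identities, since those are what is deleted now. The same unconditional `ndnsec delete /example` is added in the `@@ -39,6 +43,7 @@` hunk.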
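Review bot: The new `, m_validator(validator)` initializer is placed between `m_face` and `m_keyChain`, but the `@@ -59,6 +62,7 @@` hunk in src/attribute-authority.hpp declares `m_validator` after `m_keyChain`, so the written order is not the order that executes and compilers warn under -Wreorder. Either move the initializer after `, m_keyChain(keyChain)` or declare the member directly after `Face& m_face;` so both orders agree. Harmless for reference members, but the mismatch misleads the next reader; the constructor body continues past this hunk.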
@@ -50,7 +52,7 @@ AttributeAuthority::AttributeAuthority(const security::Certificate& identityCert NDN_THROW(std::runtime_error("Unsupported ABE type: " + m_abeType)); } - // prefix registration + // prefix registrationexport NDN_LOG="nacabe.*=TRACE:ndn.security.Validator=DEBUG" m_registeredPrefix = m_face.registerPrefix(m_cert.getIdentity(), [this] (const Name& name) { NDN_LOG_TRACE("Prefix " << name << " registered successfully"); @@ -84,6 +86,7 @@ AttributeAuthority::onDecryptionKeyRequest(const Interest& request) Name supposedKeyName(request.getName().at(m_cert.getIdentity().size() + 1).blockFromValue()); if (requestName.at(-1).isSegment() && requestName.at(-2).isVersion()) { + NDN_LOG_DEBUG("For DKEY segment --------> " << requestName); auto mapIterator = m_segmentMap.find(requestName.getPrefix(-1)); if (mapIterator != m_segmentMap.end()) { for (auto data : mapIterator->second) { 
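Review bot: The changed comment now reads `// prefix registrationexport NDN_LOG="nacabe.*=TRACE:ndn.security.Validator=DEBUG"`, which looks like a shell command pasted into the editor by accident rather than an intended edit. Restore `// prefix registration`; if the logging hint is worth keeping, put it on its own line as `// debugging: export NDN_LOG="nacabe.*=TRACE:ndn.security.Validator=DEBUG"` or in the README rather than glued to an unrelated comment.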
@@ -97,32 +100,49 @@ AttributeAuthority::onDecryptionKeyRequest(const Interest& request) NDN_LOG_DEBUG("KeyName --------> " << supposedKeyName); Name identityName = security::extractIdentityFromKeyName(supposedKeyName); // verify request and generate token - auto optionalCert = m_trustConfig.findCertificate(identityName); - if (!optionalCert) { - NDN_LOG_INFO("DKEY Request Interest cannot be authenticated: no certificate for " << identityName); - return; + auto optionalCert = m_trustConfig.findCertificateFromLocal(supposedKeyName); + if (optionalCert) { + NDN_LOG_INFO("Found local certificate for " << supposedKeyName << ", bypass certificate fetching..."); + auto dkSegments = generateDecryptionKeySegments(Name(request.getName()).appendVersion(), *optionalCert); + if (dkSegments.size() > 0) { + m_face.put(*dkSegments.at(0)); + } } - NDN_LOG_INFO("Find consumer(decryptor) certificate: " << optionalCert->getName()); - auto ABEPrvKey = getPrivateKey(identityName); - auto prvBuffer = ABEPrvKey.toBuffer(); - - // prepare segments - Data result; - Name resultName = Name(request.getName()).appendVersion(); - result.setName(resultName); - result.setFreshnessPeriod(5_s); - Block dkBlock = encryptDataContentWithCK(prvBuffer, optionalCert->getPublicKey()); - span dkSpan = make_span(dkBlock.data(), dkBlock.size()); - // the freshness period should be configurable, but this value shouldn't affect much - auto dkSegments = m_segmenter.segment(dkSpan, resultName, m_maxSegmentSize, 4_s); - m_segmentMap.emplace(resultName, dkSegments); - m_face.put(*dkSegments.at(0)); + else { + m_trustConfig.findCertificateFromNetwork(m_face, m_validator, supposedKeyName, + [&] (const security::Certificate& cert) { + NDN_LOG_INFO("Validated consumer(decryptor) certificate: " << cert.getName()); + auto dkSegments = generateDecryptionKeySegments(Name(request.getName()).appendVersion(), cert); + if (dkSegments.size() > 0) { + m_face.put(*dkSegments.at(0)); + } + }, + [supposedKeyName] (const 
std::string& errorInfo) { + NDN_LOG_INFO("Cannot encrypt DKEY: no verified certificate for " << supposedKeyName << ", errorInfo:" << errorInfo); + } + ); + }; } else { // ignore } } +SPtrVector +AttributeAuthority::generateDecryptionKeySegments(const Name& objName, const security::Certificate& cert) +{ + // prepare segments + auto ABEPrvKey = getPrivateKey(cert.getIdentity()); + auto prvBuffer = ABEPrvKey.toBuffer(); + Block dkBlock = encryptDataContentWithCK(prvBuffer, cert.getPublicKey()); + span dkSpan = make_span(dkBlock.data(), dkBlock.size()); + // the freshness period should be configurable, but this value shouldn't affect much + auto dkSegments = m_segmenter.segment(dkSpan, objName, m_maxSegmentSize, 4_s); + + m_segmentMap.emplace(objName, dkSegments); + return dkSegments; +} + void AttributeAuthority::onPublicParamsRequest(const Interest& interest) { @@ -144,9 +164,9 @@ AttributeAuthority::onPublicParamsRequest(const Interest& interest) m_face.put(result); } -CpAttributeAuthority::CpAttributeAuthority(const security::Certificate& identityCert, - Face& face, KeyChain& keyChain) - : AttributeAuthority(identityCert, face, keyChain, ABE_TYPE_CP_ABE) +CpAttributeAuthority::CpAttributeAuthority(const security::Certificate& identityCert, Face& face, + security::Validator& validator, KeyChain& keyChain) + : AttributeAuthority(identityCert, face, validator, keyChain, ABE_TYPE_CP_ABE) { } 
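Review bot: The success callback handed to `findCertificateFromNetwork` captures `[&]`, yet it runs later from the face's data callback after `onDecryptionKeyRequest` has returned, so its use of `request` (the `const Interest&` parameter) is a dangling reference; only `this` can safely be taken by reference there. Capture what it needs by value, `[this, requestName = request.getName()] (const security::Certificate& cert) {`, and build the segments from `Name(requestName).appendVersion()`; the failure lambda already does this correctly for `supposedKeyName`. Separately, any unauthenticated DKEY Interest now makes the AA express an outbound certificate Interest for whatever key name it carries, and `generateDecryptionKeySegments` stores every versioned reply in `m_segmentMap` without eviction; checking that the identity derived from `supposedKeyName` actually has a policy before fetching (it is not visible here whether `getPrivateKey` rejects unknown identities) and bounding `m_segmentMap` would limit what an unsolicited requester can make the authority do. The hunk begins on the previous source line.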
@@ -175,9 +195,10 @@ CpAttributeAuthority::getPrivateKey(Name identityName) return algo::ABESupport::getInstance().cpPrvKeyGen(m_pubParams, m_masterKey, attrs); } -KpAttributeAuthority::KpAttributeAuthority(const security::Certificate& identityCert, - Face& face, KeyChain& keyChain, size_t maxSegmentSize) - : AttributeAuthority(identityCert, face, keyChain, ABE_TYPE_KP_ABE, maxSegmentSize) +KpAttributeAuthority::KpAttributeAuthority(const security::Certificate& identityCert, Face& face, + security::Validator& validator, KeyChain& keyChain, + size_t maxSegmentSize) + : AttributeAuthority(identityCert, face, validator, keyChain, ABE_TYPE_KP_ABE, maxSegmentSize) { } diff --git a/src/attribute-authority.hpp b/src/attribute-authority.hpp index 6e66044..cad81ff 100644 --- a/src/attribute-authority.hpp +++ b/src/attribute-authority.hpp @@ -39,8 +39,8 @@ class AttributeAuthority : noncopyable { protected: AttributeAuthority(const security::Certificate& identityCert, Face& m_face, - KeyChain& keyChain, const AbeType& abeType, - size_t maxSegmentSize = 1500); + security::Validator& validator, KeyChain& keyChain, + const AbeType& abeType, size_t maxSegmentSize = 1500); virtual ~AttributeAuthority(); @@ -49,6 +49,9 @@ class AttributeAuthority : noncopyable getPrivateKey(Name identityName) = 0; private: + SPtrVector + generateDecryptionKeySegments(const Name& objName, const security::Certificate& cert); + void onDecryptionKeyRequest(const Interest& interest); @@ -59,6 +62,7 @@ class AttributeAuthority : noncopyable security::Certificate m_cert; Face& m_face; KeyChain& m_keyChain; + security::Validator& m_validator; TrustConfig m_trustConfig; ssize_t m_maxSegmentSize; std::map> m_segmentMap; 
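Review bot: The new private declaration `generateDecryptionKeySegments(const Name& objName, const security::Certificate& cert)` in the `@@ -49,6 +49,9 @@` hunk of src/attribute-authority.hpp carries no comment, while the neighbouring members are documented with `@brief` blocks. From its definition in src/attribute-authority.cpp a fitting comment is `/** @brief Encrypt the ABE private key for @p cert's identity with @p cert's public key, segment it under @p objName, cache the segments in m_segmentMap and return them. */`. Naming that it also populates `m_segmentMap` matters, since `onDecryptionKeyRequest` serves later segment Interests from that map.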
@@ -77,7 +81,8 @@ class AttributeAuthority : noncopyable class CpAttributeAuthority: public AttributeAuthority { public: - CpAttributeAuthority(const security::Certificate& identityCert, Face& m_face, KeyChain& keyChain); + CpAttributeAuthority(const security::Certificate& identityCert, Face& m_face, + security::Validator& validator, KeyChain& keyChain); /** * @brief Add a new policy into the state. @@ -111,7 +116,9 @@ class CpAttributeAuthority: public AttributeAuthority class KpAttributeAuthority: public AttributeAuthority { public: - KpAttributeAuthority(const security::Certificate& identityCert, Face& m_face, KeyChain& keyChain, size_t maxSegmentSize = 1500); + KpAttributeAuthority(const security::Certificate& identityCert, Face& m_face, + security::Validator& validator, KeyChain& keyChain, + size_t maxSegmentSize = 1500); /** * @brief Add a new policy into the state. diff --git a/src/param-fetcher.cpp b/src/param-fetcher.cpp index 338b6f4..e2803eb 100644 --- a/src/param-fetcher.cpp +++ b/src/param-fetcher.cpp @@ -57,7 +57,6 @@ void ParamFetcher::onAttributePubParams(const Data& pubParamData) { NDN_LOG_INFO("[onAttributePubParams()] Get public parameters"); - // auto optionalAAKey = m_trustConfig.findCertificate(m_attrAuthorityPrefix); m_validator.validate(pubParamData, [this, pubParamData] (const Data& data) { diff --git a/src/producer.cpp b/src/producer.cpp index a5b5914..f4a5669 100644 --- a/src/producer.cpp +++ b/src/producer.cpp @@ -58,7 +58,7 @@ Producer::Producer(Face& face, KeyChain& keyChain, Interest publicParamInterestTemplate) : Producer(face, keyChain, m_validator, identityCert, attrAuthorityCertificate, publicParamInterestTemplate) { - m_dataOwnerPrefix = dataOwnerCertificate.getIdentity(); + m_dataOwnerKeyName = dataOwnerCertificate.getKeyName(); m_trustConfig.addOrUpdateCertificate(dataOwnerCertificate); // prefix registration 
@@ -291,41 +291,52 @@ Producer::findMatchedAttributes(const Name& dataName) void Producer::onPolicyInterest(const Interest& interest) { - NDN_LOG_DEBUG("On policy Interest:"< attrs; + for (const auto& e: attrBlock.elements()) { + attrs.emplace_back(readString(e)); + } + addNewAttributes(dataPrefix, attrs); + success = true; + } + Data reply = replyTemplate; + reply.setName(interest.getName()); + reply.setContent(makeStringBlock(tlv::Content, success ? "success" : "failure")); + m_keyChain.sign(reply, signingByCertificate(m_cert)); + m_face.put(reply); + }; if (optionalDataOwnerKey) { if (!security::verifySignature(interest, *optionalDataOwnerKey)) { NDN_LOG_INFO("Policy interest cannot be authenticated: bad signature"); return; } + generateReply(interest); } else { - NDN_LOG_INFO("Policy interest cannot be authenticated: no certificate"); - return; - } - bool success = false; - if (m_paramFetcher.getAbeType() == ABE_TYPE_CP_ABE) { - addNewPolicy(dataPrefix, encoding::readString(interest.getName().at(m_cert.getIdentity().size() + 2))); - success = true; - } - else if (m_paramFetcher.getAbeType() == ABE_TYPE_KP_ABE) { - auto& attrBlock = interest.getName().at(m_cert.getIdentity().size() + 2); - attrBlock.parse(); - std::vector attrs; - for (const auto& e: attrBlock.elements()) { - attrs.emplace_back(readString(e)); - } - addNewAttributes(dataPrefix, attrs); - success = true; + // Policy Interest is signed, using validator instead. + m_validator.validate(interest, + [&] (const Interest& interest) { + NDN_LOG_INFO("Policy interest validated"); + generateReply(interest); + }, + [] (auto&&, const ndn::security::ValidationError& error) { + NDN_LOG_INFO("Policy interest validator failure: " << error.getInfo()); + } + ); } - Data reply = replyTemplate; - reply.setName(interest.getName()); - reply.setContent(makeStringBlock(tlv::Content, success ? "success" : "failure")); - m_keyChain.sign(reply, signingByCertificate(m_cert)); - m_face.put(reply); } SPtrVector 
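Review bot: In the new `else` branch the validator's success callback is `[&]` and calls `generateReply`, a lambda local to `onPolicyInterest`; `m_validator.validate` can complete asynchronously (the updated producer tests feed `ownerCert` and `anchorCert` to the face only after the Interest), by which time `generateReply` and the `interest` it closes over are out of scope. Capture by value instead, `[this, generateReply] (const Interest& validated) { generateReply(validated); }`, and check that `generateReply` itself captures nothing by reference that dies with the call (the lines defining it are not legible in this copy of the hunk). Note also the trust change: a policy Interest signed by a key other than the configured data owner's was previously rejected with "no certificate" and is now accepted whenever `trust-schema.conf` validates it, which widens who may set policy from one configured key to everything the schema admits. If that is intended, a one-line comment on the `else` branch should say so; if not, compare the validated Interest's signing key name with `m_dataOwnerKeyName` before calling `generateReply`.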
diff --git a/src/producer.hpp b/src/producer.hpp index abb641b..f5cc535 100644 --- a/src/producer.hpp +++ b/src/producer.hpp @@ -195,7 +195,7 @@ class Producer : noncopyable KeyChain& m_keyChain; security::Validator& m_validator; Name m_attrAuthorityPrefix; - Name m_dataOwnerPrefix; + Name m_dataOwnerKeyName; TrustConfig m_trustConfig; ScopedRegisteredPrefixHandle m_registeredPrefix; diff --git a/src/trust-config.cpp b/src/trust-config.cpp index dae5e1e..394f2a0 100644 --- a/src/trust-config.cpp +++ b/src/trust-config.cpp @@ -19,7 +19,6 @@ */ #include "trust-config.hpp" - #include #include @@ -46,33 +45,33 @@ TrustConfig::load(const std::string& fileName) void TrustConfig::parse(const JsonSection& jsonConfig) { - m_knownIdentities.clear(); + m_knownKeys.clear(); auto caList = jsonConfig.get_child("certificate-list"); auto it = caList.begin(); for (; it != caList.end(); it++) { std::istringstream ss(it->second.get("certificate")); auto certItem = *io::load(ss); - m_knownIdentities.insert(std::make_pair(certItem.getIdentity(), certItem)); + m_knownKeys.insert(std::make_pair(certItem.getKeyName(), certItem)); } } void TrustConfig::addOrUpdateCertificate(const security::Certificate& certificate) { - auto search = m_knownIdentities.find(certificate.getIdentity()); - if (search != m_knownIdentities.end()) { + auto search = m_knownKeys.find(certificate.getKeyName()); + if (search != m_knownKeys.end()) { search->second = certificate; } else { - m_knownIdentities.insert(std::make_pair(certificate.getIdentity(), certificate)); + m_knownKeys.insert(std::make_pair(certificate.getKeyName(), certificate)); } } std::optional -TrustConfig::findCertificate(const Name& identityName) const +TrustConfig::findCertificateFromLocal(const Name& KeyName) const { - auto search = m_knownIdentities.find(identityName); - if (search != m_knownIdentities.end()) { + auto search = m_knownKeys.find(KeyName); + if (search != m_knownKeys.end()) { return search->second; } else { 
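Review bot: The new parameter in `findCertificateFromLocal(const Name& KeyName)` is capitalized like a type while every other parameter in this file (`fileName`, `jsonConfig`, `certificate`) is lowerCamel; rename it `keyName` here, in the `findCertificateFromNetwork` signature of the `@@ -80,5 +79,25 @@` hunk, and in the header's `@@ -38,14 +39,20 @@` hunk. Since `parse()` and `addOrUpdateCertificate()` now key the map by `getKeyName()`, a comment on `m_knownKeys` in the header such as `// keyed by certificate key name (/<identity>/KEY/<id>), not by identity` would keep callers from passing an identity name as before.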
@@ -80,5 +79,25 @@ TrustConfig::findCertificate(const Name& identityName) const } } +void +TrustConfig::findCertificateFromNetwork(Face& face, security::Validator& validator, + const Name& KeyName, + const FetchCertSuccessCb& onSuccess, + const FetchCertFailureCb& onFailure) +{ + Interest interest(KeyName); + interest.setCanBePrefix(true); + face.expressInterest(interest, + [=, &validator](const Interest&, const Data& data) { + validator.validate(data, + [onSuccess] (const Data& data) {onSuccess(security::Certificate(data));}, + [onFailure] (auto&&, const ndn::security::ValidationError& error) {onFailure(error.getInfo());} + ); + }, + [onFailure](auto&&...) {onFailure("nack");}, + [onFailure](auto&&...) {onFailure("timeout");} + ); +} + } // namespace nacabe } // namespace ndn diff --git a/src/trust-config.hpp b/src/trust-config.hpp index 61fc9f5..b4bbde3 100644 --- a/src/trust-config.hpp +++ b/src/trust-config.hpp @@ -27,10 +27,11 @@ namespace ndn { namespace nacabe { - class TrustConfig { public: + using FetchCertSuccessCb = std::function; + using FetchCertFailureCb = std::function; void load(const std::string& fileName); @@ -38,14 +39,20 @@ class TrustConfig addOrUpdateCertificate(const security::Certificate& certificate); std::optional - findCertificate(const Name& identityName) const; + findCertificateFromLocal(const Name& KeyName) const; + + void + findCertificateFromNetwork(Face& face, security::Validator& validator, + const Name& KeyName, + const FetchCertSuccessCb& onSuccess, + const FetchCertFailureCb& onFailure); private: void parse(const JsonSection& jsonConfig); private: - std::map m_knownIdentities; + std::map m_knownKeys; }; } // namespace nacabe diff --git a/tests/unit-tests/attribute-authority.t.cpp b/tests/unit-tests/attribute-authority.t.cpp index 9485a9b..93c59f4 100644 --- a/tests/unit-tests/attribute-authority.t.cpp +++ b/tests/unit-tests/attribute-authority.t.cpp 
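Review bot: `security::Certificate(data)` in the validation success callback throws a `tlv::Error` when the validated Data is not a well-formed certificate, and with `CanBePrefix` set and no `MustBeFresh`, any Data under the key-name prefix that the schema accepts can arrive there; that exception escapes through the face's callback instead of reaching `onFailure`. Turn it into a failure report as below. The `&validator` capture must outlive the pending Interest (callers hold it as a reference member, which is fine, but worth a line in the header comment), and `interest.setMustBeFresh(true)` is worth considering so a stale certificate is not answered from a content store.
```cpp
[onSuccess, onFailure] (const Data& validated) {
  try {
    onSuccess(security::Certificate(validated));
  }
  catch (const tlv::Error& e) {
    onFailure(e.what());
  }
},
// … unchanged: validation-failure, nack and timeout callbacks …
```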
@@ -38,6 +38,9 @@ class TestAttributeAuthorityFixture : public IdentityManagementTimeFixture , attrAuthorityPrefix("/example/aa") { security::pib::Identity anchorId = addIdentity("/example"); + auto anchorCert = anchorId.getDefaultKey().getDefaultCertificate(); + saveCertToFile(anchorCert, "example-trust-anchor.cert"); + security::pib::Identity consumerId = addIdentity("/example/consumer", RsaKeyParams()); addSubCertificate("/example/consumer", anchorId); consumerCert = consumerId.getDefaultKey().getDefaultCertificate(); @@ -59,7 +62,9 @@ BOOST_FIXTURE_TEST_SUITE(TestAttributeAuthority, TestAttributeAuthorityFixture) BOOST_AUTO_TEST_CASE(Constructor) { util::DummyClientFace face(io, {true, true}); - CpAttributeAuthority aa(authorityCert, face, m_keyChain); + security::ValidatorConfig validator(face); + validator.load("trust-schema.conf"); + CpAttributeAuthority aa(authorityCert, face, validator, m_keyChain); BOOST_CHECK(!aa.m_pubParams.m_pub.empty()); BOOST_CHECK(!aa.m_masterKey.m_msk.empty()); } @@ -67,7 +72,9 @@ BOOST_AUTO_TEST_CASE(Constructor) BOOST_AUTO_TEST_CASE(OnPublicParams) { util::DummyClientFace face(io, {true, true}); - CpAttributeAuthority aa(authorityCert, face, m_keyChain); + security::ValidatorConfig validator(face); + validator.load("trust-schema.conf"); + CpAttributeAuthority aa(authorityCert, face, validator, m_keyChain); Name interestName = attrAuthorityPrefix; Interest request(interestName.append(PUBLIC_PARAMS)); request.setCanBePrefix(true); @@ -103,7 +110,9 @@ BOOST_AUTO_TEST_CASE(OnPrvKey) "attr6", "attr7", "attr8", "attr9", "attr10"}; util::DummyClientFace face(io, {true, true}); - CpAttributeAuthority aa(authorityCert, face, m_keyChain); + security::ValidatorConfig validator(face); + validator.load("trust-schema.conf"); + CpAttributeAuthority aa(authorityCert, face, validator, m_keyChain); aa.addNewPolicy(consumerCert, attrList); auto identity = consumerCert.getIdentity(); 
@@ -118,17 +127,13 @@ BOOST_AUTO_TEST_CASE(OnPrvKey) interest.setMustBeFresh(true); interest.setCanBePrefix(true); - m_keyChain.sign(interest, security::signingByCertificate(consumerCert)); - advanceClocks(time::milliseconds(20), 60); int count = 0; face.onSendData.connect([&] (const Data& response) { count++; - BOOST_CHECK(security::verifySignature(response, authorityCert)); }); face.receive(interest); - advanceClocks(time::milliseconds(20), 60); BOOST_CHECK_EQUAL(count, 1); } @@ -138,7 +143,9 @@ BOOST_AUTO_TEST_CASE(OnKpPrvKey) Policy policy = "(a or b) and (c or d)"; util::DummyClientFace face(io, {true, true}); - KpAttributeAuthority aa(authorityCert, face, m_keyChain); + security::ValidatorConfig validator(face); + validator.load("trust-schema.conf"); + KpAttributeAuthority aa(authorityCert, face, validator, m_keyChain); aa.addNewPolicy(consumerCert, policy); auto identity = consumerCert.getIdentity(); diff --git a/tests/unit-tests/integrated-test.t.cpp b/tests/unit-tests/integrated-test.t.cpp index 5845f7a..cf35e57 100644 --- a/tests/unit-tests/integrated-test.t.cpp +++ b/tests/unit-tests/integrated-test.t.cpp @@ -107,7 +107,9 @@ BOOST_AUTO_TEST_CASE(Cp) { // set up AA NDN_LOG_INFO("Create Attribute Authority. AA prefix: " << aaCert.getIdentity()); - CpAttributeAuthority aa(aaCert, aaFace, m_keyChain); + security::ValidatorConfig validator(aaFace); + validator.load("trust-schema.conf"); + CpAttributeAuthority aa(aaCert, aaFace, validator, m_keyChain); advanceClocks(time::milliseconds(20), 60); // define attr list for consumer rights @@ -158,7 +160,7 @@ BOOST_AUTO_TEST_CASE(Cp) BOOST_CHECK(producer.m_paramFetcher.getPublicParams().m_pub != ""); // set up data owner - NDN_LOG_INFO("Create Data Owner. Data Owner prefix:"<(&c1)->receive(setPolicyInterest); c2.expressInterest(setPolicyInterest, [&](const Interest&, const Data& response) { BOOST_CHECK(security::verifySignature(response, producerCert)); 
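Review bot: The `OnPrvKey` test drops `BOOST_CHECK(security::verifySignature(response, authorityCert));` from the `onSendData` handler, so it no longer verifies that the DKEY reply is signed by the authority, which is the property a consumer checks before accepting the key. Keep that assertion; removing `m_keyChain.sign(interest, ...)` and the `advanceClocks` calls appears consistent with the consumer certificate being supplied through `aa.addNewPolicy(consumerCert, ...)`, where the local-certificate path replies without a network round trip, but the signature check is independent of that.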
@@ -125,7 +126,9 @@ BOOST_AUTO_TEST_CASE(OnPolicyInterest) // /producer/SET_POLICY/dataPrefix/policy NDN_LOG_DEBUG("data prefix:" << setPolicyInterest.getName().getSubName(2, 1)); NDN_LOG_DEBUG(setPolicyInterest.getName().getSubName(3, 1)); - + c1.receive(ownerCert); + advanceClocks(time::milliseconds(20), 60); + c1.receive(anchorCert); advanceClocks(time::milliseconds(20), 60); auto policyFound = producer.findMatchedPolicy(dataPrefix); @@ -172,7 +175,6 @@ BOOST_AUTO_TEST_CASE(OnKpPolicyInterest) m_keyChain.sign(setPolicyInterest, signingByCertificate(ownerCert)); NDN_LOG_DEBUG("Before receive, interest name:" << setPolicyInterest.getName()); - //dynamic_cast(&c1)->receive(setPolicyInterest); c2.expressInterest(setPolicyInterest, [&](const Interest&, const Data& response) { BOOST_CHECK(security::verifySignature(response, producerCert)); 
@@ -181,36 +183,21 @@ BOOST_AUTO_TEST_CASE(OnKpPolicyInterest) [](const Interest&, const lp::Nack&) {}, [](const Interest&) {} ); - NDN_LOG_DEBUG("set policy Interest:" << setPolicyInterest.getName()); // /producer/SET_POLICY/dataPrefix/policy NDN_LOG_DEBUG("Data prefix:" << setPolicyInterest.getName().getSubName(2, 1)); NDN_LOG_DEBUG(setPolicyInterest.getName().getSubName(3, 1)); + c1.receive(ownerCert); + advanceClocks(time::milliseconds(20), 60); + c1.receive(anchorCert); advanceClocks(time::milliseconds(20), 60); auto attributesFound = producer.findMatchedAttributes(dataPrefix); BOOST_CHECK_EQUAL(producer.m_attributes.size(), 1); BOOST_CHECK_EQUAL(attributesFound.size(), 1); BOOST_CHECK_EQUAL(attributesFound[0], "attr1"); - - advanceClocks(time::milliseconds(20), 60); - - c2.expressInterest(setPolicyInterest, - [&](const Interest&, const Data& response) { - BOOST_CHECK(security::verifySignature(response, producerCert)); - BOOST_CHECK_EQUAL(readString(response.getContent()), "success"); - }, - [](const Interest&, const lp::Nack&) {}, - [](const Interest&) {} - ); - advanceClocks(time::milliseconds(20), 60); - - attributesFound = producer.findMatchedAttributes(dataPrefix); - BOOST_CHECK_EQUAL(producer.m_attributes.size(), 1); - BOOST_CHECK_EQUAL(attributesFound.size(), 1); - BOOST_CHECK_EQUAL(attributesFound[0], "attr1"); } BOOST_AUTO_TEST_CASE(EncryptContent)