Hybrid ICN (hICN) plugin  v21.06-rc0-4-g18fa668
verifier.h
1 /*
2  * Copyright (c) 2017-2021 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #pragma once
17 
18 #include <hicn/transport/auth/common.h>
19 #include <hicn/transport/auth/policies.h>
20 #include <hicn/transport/core/content_object.h>
21 #include <hicn/transport/errors/errors.h>
22 #include <hicn/transport/interfaces/callbacks.h>
23 
24 extern "C" {
25 #include <openssl/evp.h>
26 #include <openssl/hmac.h>
27 #include <openssl/pem.h>
28 #include <openssl/x509.h>
29 }
30 
31 namespace transport {
32 namespace auth {
33 
34 class Verifier {
35  // The base Verifier class.
36  public:
37  using SuffixMap = std::unordered_map<Suffix, CryptoHash>;
38  using PolicyMap = std::unordered_map<Suffix, VerificationPolicy>;
39 
40  // The VerificationFailedCallback will be called by the transport if a
41  // data packet (either a manifest or a content object) was not validated.
42  // The application decides what to do then by returning a
43  // VerificationPolicy object.
44  using VerificationFailedCallback = std::function<auth::VerificationPolicy(
45  const core::ContentObject &content_object, std::error_code ec)>;
46 
47  // The list of VerificationPolicy that will trigger the
48  // VerificationFailedCallback.
49  static const std::vector<VerificationPolicy> DEFAULT_FAILED_POLICIES;
50 
51  Verifier();
52 
53  virtual ~Verifier();
54 
55  // Verify a single packet or buffer.
56  virtual bool verifyPacket(PacketPtr packet);
57  virtual bool verifyBuffer(const std::vector<uint8_t> &buffer,
58  const std::vector<uint8_t> &signature,
59  CryptoHashType hash_type) = 0;
60  virtual bool verifyBuffer(const utils::MemBuf *buffer,
61  const std::vector<uint8_t> &signature,
62  CryptoHashType hash_type) = 0;
63 
64  // Verify a batch of packets. Return a mapping from packet suffixes to their
65  // VerificationPolicy.
66  virtual PolicyMap verifyPackets(const std::vector<PacketPtr> &packets);
67  VerificationPolicy verifyPackets(PacketPtr packet) {
68  return verifyPackets(std::vector<PacketPtr>{packet})
69  .at(packet->getName().getSuffix());
70  }
71 
72  // Verify that a set of packet hashes are present in another set of hashes
73  // that was extracted from manifests. Return a mapping from packet suffixes to
74  // their VerificationPolicy.
75  virtual PolicyMap verifyHashes(const SuffixMap &packet_map,
76  const SuffixMap &suffix_map);
77 
78  // Verify that a batch of packets are valid using a map from packet suffixes
79  // to hashes. A packet is considered valid if its hash is present in the map.
80  // Return a mapping from packet suffixes to their VerificationPolicy.
81  virtual PolicyMap verifyPackets(const std::vector<PacketPtr> &packets,
82  const SuffixMap &suffix_map);
83  VerificationPolicy verifyPackets(PacketPtr packet,
84  const SuffixMap &suffix_map) {
85  return verifyPackets(std::vector<PacketPtr>{packet}, suffix_map)
86  .at(packet->getName().getSuffix());
87  }
88 
89  // Set the callback called when packet verification fails.
90  void setVerificationFailedCallback(
91  VerificationFailedCallback verification_failed_cb,
92  const std::vector<VerificationPolicy> &failed_policies =
93  DEFAULT_FAILED_POLICIES);
94 
95  // Retrieve the VerificationFailedCallback function.
96  void getVerificationFailedCallback(
97  VerificationFailedCallback **verification_failed_cb);
98 
99  protected:
100  VerificationFailedCallback verification_failed_cb_;
101  std::vector<VerificationPolicy> failed_policies_;
102 
103  // Call VerificationFailedCallback if it is set and update the packet policy.
104  void callVerificationFailedCallback(PacketPtr packet,
105  VerificationPolicy &policy);
106 };
107 
108 class VoidVerifier : public Verifier {
109  // This class is the default socket verifier. It ignores any packet signature
110  // and always returns true.
111  public:
112  bool verifyPacket(PacketPtr packet) override;
113  bool verifyBuffer(const std::vector<uint8_t> &buffer,
114  const std::vector<uint8_t> &signature,
115  CryptoHashType hash_type) override;
116  bool verifyBuffer(const utils::MemBuf *buffer,
117  const std::vector<uint8_t> &signature,
118  CryptoHashType hash_type) override;
119 
120  PolicyMap verifyPackets(const std::vector<PacketPtr> &packets) override;
121 
122  PolicyMap verifyPackets(const std::vector<PacketPtr> &packets,
123  const SuffixMap &suffix_map) override;
124 };
125 
126 class AsymmetricVerifier : public Verifier {
127  // This class uses asymmetric verification to validate packets. The public key
128  // can be directly set or extracted from a certificate.
129  public:
130  AsymmetricVerifier() = default;
131 
132  // Construct an AsymmetricVerifier from an asymmetric key.
133  AsymmetricVerifier(std::shared_ptr<EVP_PKEY> key);
134 
135  // Construct an AsymmetricVerifier from a certificate file.
136  AsymmetricVerifier(const std::string &cert_path);
137  AsymmetricVerifier(std::shared_ptr<X509> cert);
138 
139  // Set the asymmetric key.
140  void setKey(std::shared_ptr<EVP_PKEY> key);
141 
142  // Extract the public key from a certificate.
143  void useCertificate(const std::string &cert_path);
144  void useCertificate(std::shared_ptr<X509> cert);
145 
146  bool verifyBuffer(const std::vector<uint8_t> &buffer,
147  const std::vector<uint8_t> &signature,
148  CryptoHashType hash_type) override;
149  bool verifyBuffer(const utils::MemBuf *buffer,
150  const std::vector<uint8_t> &signature,
151  CryptoHashType hash_type) override;
152 
153  private:
154  std::shared_ptr<EVP_PKEY> key_;
155 };
156 
157 class SymmetricVerifier : public Verifier {
158  // This class uses symmetric verification to validate packets. The symmetric
159  // key is derived from a passphrase.
160  public:
161  SymmetricVerifier() = default;
162 
163  // Construct a SymmetricVerifier from a passphrase.
164  SymmetricVerifier(const std::string &passphrase);
165 
166  // Create and set a symmetric key from a passphrase.
167  void setPassphrase(const std::string &passphrase);
168 
169  bool verifyBuffer(const std::vector<uint8_t> &buffer,
170  const std::vector<uint8_t> &signature,
171  CryptoHashType hash_type) override;
172  bool verifyBuffer(const utils::MemBuf *buffer,
173  const std::vector<uint8_t> &signature,
174  CryptoHashType hash_type) override;
175 
176  protected:
177  std::shared_ptr<EVP_PKEY> key_;
178 };
179 
180 } // namespace auth
181 } // namespace transport
transport::core::Packet
Definition: packet.h:51
transport::core::ContentObject
Definition: content_object.h:29
transport::auth::VoidVerifier
Definition: verifier.h:108
transport
Definition: forwarder_config.h:32
transport::auth::SymmetricVerifier
Definition: verifier.h:157
transport::auth::AsymmetricVerifier
Definition: verifier.h:126
transport::auth::Verifier
Definition: verifier.h:34
utils::MemBuf
Definition: membuf.h:45
Generated by   doxygen 1.8.17