server.hpp

Go to the documentation of this file.

#ifndef NDNPH_APP_NDNCERT_SERVER_HPP
#define NDNPH_APP_NDNCERT_SERVER_HPP
#ifdef NDNPH_HAVE_MBED
 
#include "../../face/packet-handler.hpp"
#include "an.hpp"
#include "common.hpp"
 
namespace ndnph {
namespace ndncert {
namespace server {
 
class ChallengeRequest;
class ChallengeResponse;
 
struct ChallengeResult {
  bool success = false;
  bool decrementRetry = false;
  const char* challengeStatus = "";
  packet_struct::ParameterKV params;
};
struct ChallengeResult {…};
 
class Challenge {
public:
  virtual ~Challenge() = default;
 
  virtual tlv::Value getId() const = 0;
  virtual int getTimeLimit() const = 0;
  virtual int getRetryLimit() const = 0;
 
  virtual void clear() = 0;
 
  virtual ChallengeResult process(Region& region, const ChallengeRequest& request) = 0;
};
class Challenge {…};
 
using ChallengeList = std::array<Challenge*, detail::MaxChallenges::value>;
 
class CaProfile : public packet_struct::CaProfile {
public:
  Data::Signed toData(Region& region, const EcPrivateKey& signer) const {
    Encoder encoder(region);
    encoder.prepend([this](Encoder& encoder) { encoder.prependTlv(TT::CaPrefix, prefix); },
                    [](Encoder& encoder) { encoder.prependTlv(TT::CaInfo); },
                    [this](Encoder& encoder) {
                      encoder.prependTlv(TT::MaxValidityPeriod, tlv::NNI(maxValidityPeriod));
                    },
                    [this](Encoder& encoder) { encoder.prependTlv(TT::CaCertificate, cert); });
    encoder.trim();
 
    Name name = prefix.append(region, getCaComponent(), getInfoComponent(), convention::Version(),
                              convention::TimeValue(), convention::Segment(), 0);
 
    Data data = region.create<Data>();
    if (!encoder || !name || !data) {
      return Data::Signed();
    }
    data.setName(name);
    data.setFreshnessPeriod(30000);
    data.setIsFinalBlock(true);
    data.setContent(tlv::Value(encoder));
    return data.sign(signer);
  }
  Data::Signed toData(Region& region, const EcPrivateKey& signer) const  {…}
};
class CaProfile : public packet_struct::CaProfile {…};
 
class NewRequest : public packet_struct::NewRequest {
public:
  static bool isName(const CaProfile& profile, const Name& name) {
    return name.size() == profile.prefix.size() + 3 && profile.prefix.isPrefixOf(name) &&
           name[-3] == getCaComponent() && name[-2] == getNewComponent() &&
           name[-1].is<convention::ParamsDigest>();
  }
  static bool isName(const CaProfile& profile, const Name& name) {…}
 
  bool fromInterest(Region& region, const Interest& interest, const CaProfile& profile,
                    detail::ISigPolicy& signingPolicy) {
    return isName(profile, interest.getName()) &&
           EvDecoder::decodeValue(interest.getAppParameters().makeDecoder(),
                                  EvDecoder::def<TT::EcdhPub>(&ecdhPub),
                                  EvDecoder::def<TT::CertRequest>([&](const Decoder::Tlv& d) {
                                    certRequest = region.create<Data>();
                                    return !!certRequest && d.vd().decode(certRequest) &&
                                           pub.import(region, certRequest);
                                  })) &&
           interest.verify(pub) && signingPolicy.check(*interest.getSigInfo());
  }
  bool fromInterest(Region& region, const Interest& interest, const CaProfile& profile, {…}
 
public:
  EcPublicKey pub;
};
class NewRequest : public packet_struct::NewRequest {…};
 
class NewResponse : public packet_struct::NewResponse {
public:
  Data::Signed toData(Region& region, const Interest& newRequest, const ChallengeList& challenges,
                      const EcPrivateKey& signer) const {
    Encoder encoder(region);
    encoder.prepend(
      [this](Encoder& encoder) { encoder.prependTlv(TT::EcdhPub, ecdhPub); },
      [this](Encoder& encoder) { encoder.prependTlv(TT::Salt, tlv::Value(salt, sizeof(salt))); },
      [this](Encoder& encoder) {
        encoder.prependTlv(TT::RequestId, tlv::Value(requestId, sizeof(requestId)));
      },
      [&challenges](Encoder& encoder) {
        for (auto it = challenges.rbegin(); it != challenges.rend(); ++it) {
          const Challenge* ch = *it;
          if (ch != nullptr) {
            encoder.prependTlv(TT::Challenge, ch->getId());
          }
        }
      });
    encoder.trim();
 
    Data data = region.create<Data>();
    if (!encoder || !data || !newRequest) {
      return Data::Signed();
    }
    data.setName(newRequest.getName());
    data.setFreshnessPeriod(4000);
    data.setContent(tlv::Value(encoder));
    return data.sign(signer);
  }
  Data::Signed toData(Region& region, const Interest& newRequest, const ChallengeList& challenges, {…}
};
class NewResponse : public packet_struct::NewResponse {…};
 
class ChallengeRequest : public packet_struct::ChallengeRequest<Challenge> {
public:
  static bool isName(const CaProfile& profile, const Name& name) {
    return name.size() == profile.prefix.size() + 4 && profile.prefix.isPrefixOf(name) &&
           name[-4] == getCaComponent() && name[-3] == getChallengeComponent() &&
           name[-2].type() == TT::GenericNameComponent &&
           name[-2].length() == detail::RequestIdLen::value &&
           name[-1].is<convention::ParamsDigest>();
  }
  static bool isName(const CaProfile& profile, const Name& name) {…}
 
  static const uint8_t* parseName(const CaProfile& profile, const Name& name) {
    return isName(profile, name) ? name[-2].value() : nullptr;
  }
  static const uint8_t* parseName(const CaProfile& profile, const Name& name) {…}
 
  bool fromInterest(Region& region, const Interest& interest, const CaProfile& profile,
                    const uint8_t* requestId, detail::SessionKey& sessionKey,
                    const EcPublicKey& verifier, const ChallengeList& challenges,
                    detail::ISigPolicy& signingPolicy) {
    const uint8_t* actualRequestId = parseName(profile, interest.getName());
    if (actualRequestId == nullptr ||
        !std::equal(requestId, requestId + detail::RequestIdLen::value, actualRequestId) ||
        !interest.verify(verifier) || !signingPolicy.check(*interest.getSigInfo())) {
      return false;
    }
 
    auto decrypted = sessionKey.decrypt(region, interest.getAppParameters(), requestId);
    packet_struct::ParameterKV::Parser paramsParser(params);
    return !!decrypted &&
           EvDecoder::decodeValue(
             decrypted.makeDecoder(),
             EvDecoder::def<TT::SelectedChallenge, false, 1>([&](const Decoder::Tlv& d) {
               for (const auto& ch : challenges) {
                 if (ch == nullptr) {
                   continue;
                 }
                 if (ch->getId() == tlv::Value(d.value, d.length)) {
                   challenge = ch;
                   return true;
                 }
               }
               return false;
             }),
             EvDecoder::def<TT::ParameterKey, true, 2>(
               [&](const Decoder::Tlv& d) { return paramsParser.parseKey(d); }),
             EvDecoder::def<TT::ParameterValue, true, 2>(
               [&](const Decoder::Tlv& d) { return paramsParser.parseValue(d); })) &&
           challenge != nullptr;
  }
  bool fromInterest(Region& region, const Interest& interest, const CaProfile& profile, {…}
};
class ChallengeRequest : public packet_struct::ChallengeRequest<Challenge> {…};
 
class ChallengeResponse : public packet_struct::ChallengeResponse {
public:
  Data::Signed toData(Region& region, const Interest& challengeRequest, const uint8_t* requestId,
                      detail::SessionKey& sessionKey, const EcPrivateKey& signer) const {
    Encoder encoder(region);
    switch (status) {
      case Status::FAILURE:
        break;
      case Status::SUCCESS:
        encoder.prepend(
          [this](Encoder& encoder) { encoder.prependTlv(TT::IssuedCertName, issuedCertName); },
          [this](Encoder& encoder) { detail::encodeFwHint(encoder, fwHint); });
        break;
      default:
        encoder.prepend(
          [this](Encoder& encoder) { encoder.prependTlv(TT::ChallengeStatus, challengeStatus); },
          tlv::NniElement<>(TT::RemainingTries, remainingTries),
          [this](Encoder& encoder) {
            uint64_t remainingTime =
              std::max<int>(0, port::Clock::sub(expireTime, port::Clock::now())) / 1000;
            encoder.prependTlv(TT::RemainingTime, tlv::NNI(remainingTime));
          },
          params);
        break;
    }
    encoder.prepend(tlv::NniElement<>(TT::Status, status));
    encoder.trim();
    if (!encoder) {
      return Data::Signed();
    }
    auto encrypted = sessionKey.encrypt(region, tlv::Value(encoder), requestId);
 
    Data data = region.create<Data>();
    if (!encrypted || !data || !challengeRequest) {
      return Data::Signed();
    }
    data.setName(challengeRequest.getName());
    data.setFreshnessPeriod(4000);
    data.setContent(encrypted);
    return data.sign(signer);
  }
  Data::Signed toData(Region& region, const Interest& challengeRequest, const uint8_t* requestId, {…}
};
class ChallengeResponse : public packet_struct::ChallengeResponse {…};
 
inline Data::Signed
makeError(Region& region, const Interest& interest, uint8_t errorCode, const EcPrivateKey& signer) {
  Encoder encoder(region);
  encoder.prepend(tlv::NniElement<>(TT::ErrorCode, errorCode),
                  [](Encoder& encoder) { encoder.prependTlv(TT::ErrorInfo); });
  encoder.trim();
 
  Data data = region.create<Data>();
  if (!encoder || !data || !interest) {
    return Data::Signed();
  }
  data.setName(interest.getName());
  data.setFreshnessPeriod(4000);
  data.setContent(tlv::Value(encoder));
  return data.sign(signer);
}
makeError(Region& region, const Interest& interest, uint8_t errorCode, const EcPrivateKey& signer) {…}
 
class Session {
public:
  explicit Session(const CaProfile& profile, const EcPrivateKey& signer,
                   const ChallengeList& challenges)
    : m_challengeRegion(makeSubRegion(m_region, 512))
    , m_profile(profile)
    , m_signer(signer)
    , m_challenges(challenges)
    , m_signingPolicy(detail::makeISigPolicy()) {
    NDNPH_ASSERT(m_challengeRegion != nullptr);
    for (Challenge* ch : challenges) {
      if (ch != nullptr) {
        ch->clear();
      }
    }
  }
  explicit Session(const CaProfile& profile, const EcPrivateKey& signer, {…}
 
  Data::Signed handleNewRequest(Region& packetRegion, const Interest& interest) {
    if (!m_newRequest.fromInterest(m_region, interest, m_profile, m_signingPolicy)) {
      NDNPH_NDNCERT_LOG("NewRequest parse error");
      return makeError(packetRegion, interest, ErrorCode::BadParameterFormat, m_signer);
    }
 
    // TODO check ValidityPeriod
 
    mbedtls::Mpi ecdhPvt;
    if (mbedtls_ecdh_gen_public(mbedtls::P256::group(), ecdhPvt, m_newResponse.ecdhPub,
                                mbedtls::rng, nullptr) != 0 ||
        !port::RandomSource::generate(m_newResponse.salt, sizeof(m_newResponse.salt)) ||
        !port::RandomSource::generate(m_newResponse.requestId, sizeof(m_newResponse.requestId)) ||
        !m_sessionKey.makeKey(ecdhPvt, m_newRequest.ecdhPub, m_newResponse.salt,
                              m_newResponse.requestId)) {
      NDNPH_NDNCERT_LOG("NewRequest ECDH or session key error");
      return Data::Signed();
    }
 
    NDNPH_NDNCERT_LOG("NewResponse continue");
    return m_newResponse.toData(packetRegion, interest, m_challenges, m_signer);
  }
  Data::Signed handleNewRequest(Region& packetRegion, const Interest& interest) {…}
 
  Data::Signed handleChallengeRequest(Region& packetRegion, const Interest& interest) {
    m_challengeRegion->reset();
    Challenge* prevChallenge = m_challengeRequest.challenge;
    if (!m_challengeRequest.fromInterest(*m_challengeRegion, interest, m_profile,
                                         m_newResponse.requestId, m_sessionKey, m_newRequest.pub,
                                         m_challenges, m_signingPolicy)) {
      NDNPH_NDNCERT_LOG("ChallengeRequest parse error");
      return makeError(packetRegion, interest, ErrorCode::BadParameterFormat, m_signer);
    }
 
    auto now = port::Clock::now();
    if (prevChallenge == nullptr) {
      m_challengeResponse.status = Status::CHALLENGE;
      m_challengeResponse.remainingTries = m_challengeRequest.challenge->getRetryLimit();
      m_challengeResponse.expireTime =
        port::Clock::add(now, m_challengeRequest.challenge->getTimeLimit());
    } else if (m_challengeRequest.challenge != prevChallenge) {
      NDNPH_NDNCERT_LOG("ChallengeRequest wrong challenge");
      return makeError(packetRegion, interest, ErrorCode::OutOfTries, m_signer);
    }
 
    if (m_challengeResponse.remainingTries == 0) {
      NDNPH_NDNCERT_LOG("ChallengeRequest out of tries");
      return makeError(packetRegion, interest, ErrorCode::OutOfTries, m_signer);
    }
    if (port::Clock::isBefore(m_challengeResponse.expireTime, now)) {
      NDNPH_NDNCERT_LOG("ChallengeRequest out of time");
      return makeError(packetRegion, interest, ErrorCode::OutOfTime, m_signer);
    }
 
    ChallengeResult result =
      m_challengeRequest.challenge->process(*m_challengeRegion, m_challengeRequest);
    m_challengeResponse.challengeStatus = tlv::Value::fromString(result.challengeStatus);
    m_challengeResponse.params = result.params;
    if (result.success) {
      m_issuedCert = m_region.create<Data>();
      auto validity = certificate::getValidity(m_newRequest.certRequest);
      if (m_issuedCert.decodeFrom(m_newRequest.pub.buildCertificate(
            m_region, m_newRequest.pub.getName(), validity, m_signer)) &&
          !!(m_challengeResponse.issuedCertName = m_issuedCert.getFullName(m_region))) {
        m_challengeResponse.status = Status::SUCCESS;
        m_challengeResponse.fwHint = m_profile.prefix.append(m_region, getCaComponent());
        NDNPH_NDNCERT_LOG("ChallengeResponse cert issued");
      } else {
        m_challengeResponse.status = Status::PENDING;
        NDNPH_NDNCERT_LOG("ChallengeResponse cert issuance error");
      }
    } else if (result.decrementRetry) {
      --m_challengeResponse.remainingTries;
      NDNPH_NDNCERT_LOG("ChallengeResponse decrement retry");
    } else {
      NDNPH_NDNCERT_LOG("ChallengeResponse continue");
    }
 
    return m_challengeResponse.toData(packetRegion, interest, m_newResponse.requestId, m_sessionKey,
                                      m_signer);
  }
  Data::Signed handleChallengeRequest(Region& packetRegion, const Interest& interest) {…}
 
  const Name& getIssuedCertName() const {
    return m_challengeResponse.issuedCertName;
  }
  const Name& getIssuedCertName() const  {…}
 
  const Data& getIssuedCert() const {
    return m_issuedCert;
  }
  const Data& getIssuedCert() const  {…}
 
private:
  StaticRegion<2048> m_region;
  Region* m_challengeRegion = nullptr;
  const CaProfile& m_profile;
  const EcPrivateKey& m_signer;
  ChallengeList m_challenges;
  detail::ISigPolicy m_signingPolicy;
  NewRequest m_newRequest;
  NewResponse m_newResponse;
  detail::SessionKey m_sessionKey;
  ChallengeRequest m_challengeRequest;
  ChallengeResponse m_challengeResponse;
  Data m_issuedCert;
};
class Session {…};
 
class Server : public PacketHandler {
public:
  struct Options {
    Face& face;
 
    const CaProfile& profile;
 
    const ChallengeList& challenges;
 
    const EcPrivateKey& signer;
  };
  struct Options {…};
 
  explicit Server(const Options& opts)
    : PacketHandler(opts.face)
    , m_profile(opts.profile)
    , m_challenges(opts.challenges)
    , m_signer(opts.signer) {}
  explicit Server(const Options& opts) {…}
 
private:
  bool processInterest(Interest interest) final {
    StaticRegion<1024> packetRegion;
    const Name& interestName = interest.getName();
    if (NewRequest::isName(m_profile, interestName)) {
      m_session.reset(new Session(m_profile, m_signer, m_challenges));
      reply(m_session->handleNewRequest(packetRegion, interest));
      return true;
    } else if (m_session != nullptr && ChallengeRequest::isName(m_profile, interestName)) {
      reply(m_session->handleChallengeRequest(packetRegion, interest));
      return true;
    } else if (m_session != nullptr && m_session->getIssuedCertName() == interestName) {
      reply(m_session->getIssuedCert());
      return true;
    }
    return false;
  }
  bool processInterest(Interest interest) final {…}
 
private:
  const CaProfile& m_profile;
  ChallengeList m_challenges;
  const EcPrivateKey& m_signer;
  std::unique_ptr<Session> m_session;
};
class Server : public PacketHandler {…};
 
class NopChallenge : public Challenge {
public:
  tlv::Value getId() const override {
    return challenge_consts::nop();
  }
  tlv::Value getId() const override  {…}
 
  int getTimeLimit() const override {
    return 60000;
  }
  int getTimeLimit() const override  {…}
 
  int getRetryLimit() const override {
    return 1;
  }
  int getRetryLimit() const override  {…}
 
  void clear() override {}
 
  ChallengeResult process(Region&, const ChallengeRequest&) override {
    ChallengeResult result;
    result.success = true;
    return result;
  }
  ChallengeResult process(Region&, const ChallengeRequest&) override  {…}
};
class NopChallenge : public Challenge {…};
 
class PossessionChallenge : public Challenge {
public:
  tlv::Value getId() const override {
    return challenge_consts::possession();
  }
  tlv::Value getId() const override  {…}
 
  int getTimeLimit() const override {
    return 60000;
  }
  int getTimeLimit() const override  {…}
 
  int getRetryLimit() const override {
    return 1;
  }
  int getRetryLimit() const override  {…}
 
  void clear() override {
    m_cert = tlv::Value();
  }
  void clear() override  {…}
 
  ChallengeResult process(Region&, const ChallengeRequest& request) override {
    tlv::Value proof = request.params.get(challenge_consts::proof());
    if (!proof) {
      return process0(request);
    }
 
    ChallengeResult result;
    result.success = process1(proof);
    result.decrementRetry = !result.success;
    return result;
  }
  ChallengeResult process(Region&, const ChallengeRequest& request) override  {…}
 
private:
  ChallengeResult process0(const ChallengeRequest& request) {
    m_cert = request.params.get(challenge_consts::issuedcert());
 
    StaticRegion<2048> temp;
    ndnph::Data data = temp.create<ndnph::Data>();
    NDNPH_ASSERT(!!data);
 
    m_region.reset();
    if (!(m_cert.makeDecoder().decode(data) && m_pub.import(temp, data) &&
          certificate::getValidity(data).includesUnix())) {
      // don't reveal the error until proof is submitted
      m_pub = EcPublicKey();
    }
    // TODO check certificate revocation
    // TODO check name assignment policy
 
    ChallengeResult result;
    if (!port::RandomSource::generate(m_nonce, sizeof(m_nonce))) {
      // server error, decrement retry to fail the challenge
      result.decrementRetry = true;
      result.challengeStatus = "server-error";
      return result;
    }
 
    result.challengeStatus = "need-proof";
    result.params.set(challenge_consts::nonce(), tlv::Value(m_nonce, sizeof(m_nonce)));
    return result;
  }
 
  bool process1(tlv::Value proof) {
    return m_pub.verify({tlv::Value(m_nonce, sizeof(m_nonce))}, proof.begin(), proof.size());
  }
 
private:
  StaticRegion<256> m_region;
  EcPublicKey m_pub;
  tlv::Value m_cert;
  uint8_t m_nonce[16];
};
class PossessionChallenge : public Challenge {…};
 
} // namespace server
namespace server {…}
 
using Server = server::Server;
 
} // namespace ndncert
} // namespace ndnph
 
#endif // NDNPH_HAVE_MBED
#endif // NDNPH_APP_NDNCERT_SERVER_HPP