security: Correctly handle Sha256-signed Command Interests

Change-Id: Ibcda11627a4be0498dfd894df8b976cb65da308a Refs: #4635
named-data · Jun 18, 2018 · 31fd467 · 31fd467
1 parent 57d02b6
commit 31fd467
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 4 deletions.
diff --git a/src/security/v2/validation-policy.cpp b/src/security/v2/validation-policy.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
-/**
- * Copyright (c) 2013-2017 Regents of the University of California.
+/*
+ * Copyright (c) 2013-2018 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -20,6 +20,7 @@
  */
 
 #include "validation-policy.hpp"
+#include "../signing-info.hpp"
 
 namespace ndn {
 namespace security {
@@ -62,6 +63,10 @@ ValidationPolicy::setValidator(Validator& validator)
 static Name
 getKeyLocatorName(const SignatureInfo& si, ValidationState& state)
 {
+  if (si.getSignatureType() == tlv::DigestSha256) {
+    return SigningInfo::getDigestSha256Identity();
+  }
+
   if (!si.hasKeyLocator()) {
     state.fail({ValidationError::Code::INVALID_KEY_LOCATOR, "KeyLocator is missing"});
     return Name();

diff --git a/src/security/v2/validation-policy.hpp b/src/security/v2/validation-policy.hpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /*
- * Copyright (c) 2013-2017 Regents of the University of California.
+ * Copyright (c) 2013-2018 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *

diff --git a/tests/unit-tests/security/v2/validation-policy-command-interest.t.cpp b/tests/unit-tests/security/v2/validation-policy-command-interest.t.cpp
@@ -90,10 +90,14 @@ BOOST_AUTO_TEST_CASE(Basic)
 {
   auto i1 = makeCommandInterest(identity);
   VALIDATE_SUCCESS(i1, "Should succeed (within grace period)");
+  VALIDATE_FAILURE(i1, "Should fail (replay attack)");
 
   advanceClocks(5_ms);
   auto i2 = makeCommandInterest(identity);
   VALIDATE_SUCCESS(i2, "Should succeed (timestamp larger than previous)");
+
+  auto i3 =  m_signer.makeCommandInterest(Name(identity.getName()).append("CMD"), signingWithSha256());
+  VALIDATE_FAILURE(i3, "Should fail (Sha256 signature violates policy)");
 }
 
 BOOST_AUTO_TEST_CASE(DataPassthru)
@@ -103,6 +107,20 @@ BOOST_AUTO_TEST_CASE(DataPassthru)
   VALIDATE_SUCCESS(d1, "Should succeed (fallback on inner validation policy for data)");
 }
 
+using ValidationPolicyAcceptAllCommands = ValidationPolicyCommandInterestFixture<DefaultOptions,
+                                                                                 ValidationPolicyAcceptAll>;
+
+BOOST_FIXTURE_TEST_CASE(SignedWithSha256, ValidationPolicyAcceptAllCommands) // Bug 4635
+{
+  auto i1 = m_signer.makeCommandInterest("/hello/world/CMD", signingWithSha256());
+  VALIDATE_SUCCESS(i1, "Should succeed (within grace period)");
+  VALIDATE_FAILURE(i1, "Should fail (replay attack)");
+
+  advanceClocks(5_ms);
+  auto i2 = m_signer.makeCommandInterest("/hello/world/CMD", signingWithSha256());
+  VALIDATE_SUCCESS(i2, "Should succeed (timestamp larger than previous)");
+}
+
 BOOST_AUTO_TEST_SUITE_END() // Accepts
 
 BOOST_AUTO_TEST_SUITE(Rejects)

diff --git a/tests/unit-tests/security/validator-config.t.cpp b/tests/unit-tests/security/validator-config.t.cpp
@@ -1,6 +1,6 @@
 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
 /*
- * Copyright (c) 2013-2017 Regents of the University of California.
+ * Copyright (c) 2013-2018 Regents of the University of California.
  *
  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
  *
@@ -20,6 +20,7 @@
  */
 
 #include "security/validator-config.hpp"
+#include "security/command-interest-signer.hpp"
 #include "security/v2/certificate-fetcher-offline.hpp"
 #include "util/dummy-client-face.hpp"
 
@@ -126,6 +127,30 @@ BOOST_AUTO_TEST_CASE(FromSection)
 
 BOOST_AUTO_TEST_SUITE_END() // Loads
 
+
+BOOST_FIXTURE_TEST_CASE(ValidateCommandInterestWithDigestSha256, ValidatorConfigFixture) // Bug 4635
+{
+  validator.load(configFile);
+
+  CommandInterestSigner signer(m_keyChain);
+  auto i = signer.makeCommandInterest("/hello/world/CMD", signingWithSha256());
+  size_t nValidated = 0, nFailed = 0;
+
+  validator.validate(i, [&] (auto&&...) { ++nValidated; }, [&] (auto&&...) { ++nFailed; });
+  BOOST_CHECK_EQUAL(nValidated, 1);
+  BOOST_CHECK_EQUAL(nFailed, 0);
+
+  validator.validate(i, [&] (auto&&...) { ++nValidated; }, [&] (auto&&...) { ++nFailed; });
+  BOOST_CHECK_EQUAL(nValidated, 1);
+  BOOST_CHECK_EQUAL(nFailed, 1);
+
+  i = signer.makeCommandInterest("/hello/world/CMD", signingWithSha256());
+  validator.validate(i, [&] (auto&&...) { ++nValidated; }, [&] (auto&&...) { ++nFailed; });
+  BOOST_CHECK_EQUAL(nValidated, 2);
+  BOOST_CHECK_EQUAL(nFailed, 1);
+}
+
+
 BOOST_AUTO_TEST_SUITE_END() // TestValidatorConfig
 BOOST_AUTO_TEST_SUITE_END() // Security