Merge pull request #167 from tianyuan129/main

introduce inter-domain

Author: tianyuan129

.gitignore

@@ -11,6 +11,7 @@ wasm_exec.js
 # Compiler folders
 .vscode
 .idea
+.gocache
 
 # Temporary
 .env

std/security/cert_cache.go

@@ -21,6 +21,46 @@ type certCacheEntry struct {
 	expiry time.Time
 }
 
+// CertListCache stores validated CertList Data packets keyed by prefix and full name.
+type CertListCache struct {
+	cache sync.Map
+}
+
+// NewCertListCache creates a new CertListCache.
+func NewCertListCache() *CertListCache {
+	return &CertListCache{}
+}
+
+// Get returns a cached CertList for the given prefix or full name.
+func (clc *CertListCache) Get(prefix enc.Name) (ndn.Data, bool) {
+	if v, ok := clc.cache.Load(prefix.TlvStr()); ok {
+		if data, ok := v.(ndn.Data); ok {
+			return data, true
+		}
+	}
+	return nil, false
+}
+
+// Put stores a CertList, preferring newer versions.
+func (clc *CertListCache) Put(anchorKeyName enc.Name, data ndn.Data) {
+	prefix, err := CertListPrefix(anchorKeyName)
+	if err != nil {
+		return
+	}
+	key := prefix.TlvStr()
+	if v, ok := clc.cache.Load(key); ok {
+		if old, ok := v.(ndn.Data); ok && !isCertListNewer(old, data) {
+			return
+		}
+	}
+	clc.cache.Store(key, data)
+	clc.cache.Store(data.Name().TlvStr(), data)
+}
+
+func isCertListNewer(old, new ndn.Data) bool {
+	return CertListVersion(new.Name()) > CertListVersion(old.Name())
+}
+
 // (AI GENERATED DESCRIPTION): Creates and returns a new, empty CertCache instance.
 func NewCertCache() *CertCache {
 	return &CertCache{}

std/security/certificate.go

@@ -1,6 +1,8 @@
 package security
 
 import (
+	"fmt"
+	"io"
 	"time"
 
 	enc "github.com/named-data/ndnd/std/encoding"
@@ -14,6 +16,9 @@ import (
 type SignCertArgs struct {
 	// Signer is the private key used to sign the certificate.
 	Signer ndn.Signer
+	// SignerName sets the KeyLocator of the signature to a specific
+	// name. Optional; defaults to the signer’s key name.
+	SignerName enc.Name
 	// Data is the CSR or Key to be signed.
 	Data ndn.Data
 	// IssuerId is the issuer ID to be included in the certificate name.
@@ -65,7 +70,22 @@ func SignCert(args SignCertArgs) (enc.Wire, error) {
 		SigNotAfter:  optional.Some(args.NotAfter),
 		CrossSchema:  args.CrossSchema,
 	}
-	cert, err := spec.Spec{}.MakeData(certName, cfg, enc.Wire{pk}, args.Signer)
+	signer := args.Signer
+	if len(args.SignerName) > 0 {
+		locatorKey, err := KeyNameFromLocator(args.SignerName)
+		if err != nil {
+			return nil, err
+		}
+		if !locatorKey.Equal(args.Signer.KeyName()) {
+			return nil, ndn.ErrInvalidValue{Item: "SignerName", Value: args.SignerName}
+		}
+		signer = &sig.ContextSigner{
+			Signer:         args.Signer,
+			KeyLocatorName: args.SignerName,
+		}
+	}
+
+	cert, err := spec.Spec{}.MakeData(certName, cfg, enc.Wire{pk}, signer)
 	if err != nil {
 		return nil, err
 	}
@@ -144,3 +164,54 @@ func getPubKey(data ndn.Data) ([]byte, enc.Name, error) {
 		return nil, nil, ndn.ErrInvalidValue{Item: "Data.ContentType", Value: contentType}
 	}
 }
+
+// EncodeCertList encodes a list of certificate names as a TLV sequence of Name TLVs.
+func EncodeCertList(names []enc.Name) (enc.Wire, error) {
+	if len(names) == 0 {
+		return nil, ndn.ErrInvalidValue{Item: "CertList", Value: "empty"}
+	}
+	length := 0
+	for _, n := range names {
+		length += len(n.Bytes())
+	}
+	buf := make([]byte, length)
+	pos := 0
+	for _, n := range names {
+		nb := n.Bytes()
+		copy(buf[pos:], nb)
+		pos += len(nb)
+	}
+	return enc.Wire{buf}, nil
+}
+
+// DecodeCertList decodes the content of a CertList into certificate names.
+func DecodeCertList(content enc.Wire) ([]enc.Name, error) {
+	reader := enc.NewWireView(content)
+	names := make([]enc.Name, 0)
+	for !reader.IsEOF() {
+		typ, err := reader.ReadTLNum()
+		if err != nil {
+			return nil, err
+		}
+		l, err := reader.ReadTLNum()
+		if err != nil {
+			return nil, err
+		}
+		if typ != enc.TypeName {
+			return nil, fmt.Errorf("unexpected TLV type %x in CertList", typ)
+		}
+		nameView := reader.Delegate(int(l))
+		if nameView.Length() != int(l) {
+			return nil, io.ErrUnexpectedEOF
+		}
+		name, err := nameView.ReadName()
+		if err != nil {
+			return nil, err
+		}
+		names = append(names, name)
+	}
+	if len(names) == 0 {
+		return nil, ndn.ErrInvalidValue{Item: "CertList", Value: "empty"}
+	}
+	return names, nil
+}

std/security/certificate_test.go

@@ -82,15 +82,15 @@ func TestSignCertOther(t *testing.T) {
 	aliceSigner := tu.NoErr(signer.UnmarshalSecret(aliceKeyData))
 
 	// self signed alice's key
-	aliceCert, err := sec.SignCert(sec.SignCertArgs{
+	aliceCertWire, err := sec.SignCert(sec.SignCertArgs{
 		Signer:    aliceSigner,
 		Data:      aliceKeyData,
 		IssuerId:  ISSUER,
 		NotBefore: T1,
 		NotAfter:  T2,
 	})
 	require.NoError(t, err)
-	aliceCertData, _, err := spec_2022.Spec{}.ReadData(enc.NewWireView(aliceCert))
+	aliceCertData, _, err := spec_2022.Spec{}.ReadData(enc.NewWireView(aliceCertWire))
 	require.NoError(t, err)
 
 	// parse existing certificate
@@ -136,3 +136,71 @@ func TestSignCertOther(t *testing.T) {
 	require.Equal(t, 64, len(signature.SigValue())) // ed25519
 	require.True(t, tu.NoErr(signer.ValidateData(newCert, newSigCov, aliceCertData)))
 }
+
+func TestSignCertWithSignerCertName(t *testing.T) {
+	tu.SetT(t)
+
+	aliceKey, _ := base64.StdEncoding.DecodeString(KEY_ALICE)
+	aliceKeyData, _, _ := spec_2022.Spec{}.ReadData(enc.NewBufferView(aliceKey))
+	aliceSigner := tu.NoErr(signer.UnmarshalSecret(aliceKeyData))
+
+	// self signed alice's key to obtain a certificate name for the KeyLocator
+	aliceCertWire := tu.NoErr(sec.SignCert(sec.SignCertArgs{
+		Signer:    aliceSigner,
+		Data:      aliceKeyData,
+		IssuerId:  ISSUER,
+		NotBefore: T1,
+		NotAfter:  T2,
+	}))
+	aliceCertData, _, _ := spec_2022.Spec{}.ReadData(enc.NewWireView(aliceCertWire))
+
+	// parse existing certificate
+	rootCert, _ := base64.StdEncoding.DecodeString(CERT_ROOT)
+	rootCertData, _, _ := spec_2022.Spec{}.ReadData(enc.NewBufferView(rootCert))
+
+	// sign root cert with alice's key but force the KeyLocator to use alice's cert name
+	newCertB := tu.NoErr(sec.SignCert(sec.SignCertArgs{
+		Signer:     aliceSigner,
+		SignerName: aliceCertData.Name(),
+		Data:       rootCertData,
+		IssuerId:   ISSUER,
+		NotBefore:  T1,
+		NotAfter:   T2,
+	}))
+	newCert, newSigCov, err := spec_2022.Spec{}.ReadData(enc.NewWireView(newCertB))
+	require.NoError(t, err)
+
+	signature := newCert.Signature()
+	require.Equal(t, aliceCertData.Name(), signature.KeyName())
+	require.True(t, tu.NoErr(signer.ValidateData(newCert, newSigCov, aliceCertData)))
+
+	t.Run("mismatched signer cert name", func(t *testing.T) {
+		_, err := sec.SignCert(sec.SignCertArgs{
+			Signer:     aliceSigner,
+			SignerName: rootCertData.Name(), // wrong key name
+			Data:       rootCertData,
+			IssuerId:   ISSUER,
+			NotBefore:  T1,
+			NotAfter:   T2,
+		})
+		require.Error(t, err)
+	})
+}
+
+func TestEncodeDecodeCertList(t *testing.T) {
+	tu.SetT(t)
+	n1 := tu.NoErr(enc.NameFromStr("/ndn/alice/KEY/aa/self/v=1"))
+	n2 := tu.NoErr(enc.NameFromStr("/ndn/alice/KEY/bb/ndn/v=2"))
+
+	wire, err := sec.EncodeCertList([]enc.Name{n1, n2})
+	require.NoError(t, err)
+	decoded, err := sec.DecodeCertList(wire)
+	require.NoError(t, err)
+	require.Equal(t, []enc.Name{n1, n2}, decoded)
+
+	_, err = sec.EncodeCertList(nil)
+	require.Error(t, err)
+
+	_, err = sec.DecodeCertList(enc.Wire{[]byte{0x01, 0x02}})
+	require.Error(t, err)
+}

std/security/name_convention.go

@@ -53,3 +53,67 @@ func GetIdentityFromCertName(name enc.Name) (enc.Name, error) {
 	}
 	return GetIdentityFromKeyName(keyName)
 }
+
+// CertListPrefix returns /<domain>/KEY/<keyid>/32=auth for the given key name.
+func CertListPrefix(keyName enc.Name) (enc.Name, error) {
+	if _, err := GetIdentityFromKeyName(keyName); err != nil {
+		return nil, err
+	}
+	return keyName.Append(enc.NewKeywordComponent("auth")), nil
+}
+
+// CertListNameMatches checks whether the CertList name is under /<domain>/KEY/<keyid>/32=auth[/<version>].
+func CertListNameMatches(keyName, listName enc.Name) bool {
+	prefix, err := CertListPrefix(keyName)
+	if err != nil {
+		return false
+	}
+	listName = stripImplicitDigest(listName)
+	if len(listName) < len(prefix) {
+		return false
+	}
+	if !prefix.Equal(listName.Prefix(len(prefix))) {
+		return false
+	}
+	rest := listName[len(prefix):]
+	if len(rest) == 0 {
+		return true
+	}
+	if len(rest) == 1 && rest[0].IsVersion() {
+		return true
+	}
+	return false
+}
+
+// CertListVersion returns the version component on the CertList name, or zero if absent.
+func CertListVersion(name enc.Name) uint64 {
+	name = stripImplicitDigest(name)
+	if name.At(-1).IsVersion() {
+		return name.At(-1).NumberVal()
+	}
+	return 0
+}
+
+func stripImplicitDigest(name enc.Name) enc.Name {
+	if name.At(-1).Typ == enc.TypeImplicitSha256DigestComponent {
+		return name.Prefix(-1)
+	}
+	return name
+}
+
+// KeyNameFromLocator extracts /<identity>/KEY/<keyid> from a KeyLocator name
+// that may be a key name, certificate name, or cert name without version.
+func KeyNameFromLocator(name enc.Name) (enc.Name, error) {
+	name = stripImplicitDigest(name)
+	if len(name) < 3 {
+		return nil, ndn.ErrInvalidValue{Item: "KEY component"}
+	} else {
+		for i := len(name) - 2; i >= 0; i-- {
+			comp := name.At(i)
+			if comp.String() == "KEY" || comp.IsKeyword("KEY") {
+				return name[:i+2], nil
+			}
+		}
+		return nil, ndn.ErrInvalidValue{Item: "KEY component"}
+	}
+}

std/security/name_convention_test.go

@@ -82,3 +82,55 @@ func TestGetKeyNameFromCertName(t *testing.T) {
 	_, err = sec.GetKeyNameFromCertName(enc.Name{})
 	require.Error(t, err)
 }
+
+func TestCertListNaming(t *testing.T) {
+	tu.SetT(t)
+
+	keyName := tu.NoErr(enc.NameFromStr("/my/test/identity/KEY/kid"))
+	prefix, err := sec.CertListPrefix(keyName)
+	require.NoError(t, err)
+	require.True(t, prefix.At(-1).IsKeyword("auth"))
+
+	// Exact prefix and version
+	require.True(t, sec.CertListNameMatches(keyName, prefix))
+	withVer := prefix.Append(enc.NewVersionComponent(1))
+	require.True(t, sec.CertListNameMatches(keyName, withVer))
+	// implicit digest stripped
+	withDigest := withVer.Append(enc.Component{Typ: enc.TypeImplicitSha256DigestComponent})
+	require.True(t, sec.CertListNameMatches(keyName, withDigest))
+
+	// Wrong auth type (generic, not keyword)
+	wrongAuth := keyName.Append(enc.NewGenericComponent("auth"))
+	require.False(t, sec.CertListNameMatches(keyName, wrongAuth))
+	// Extra components or wrong key
+	require.False(t, sec.CertListNameMatches(keyName, withVer.Append(enc.NewSegmentComponent(0))))
+	require.False(t, sec.CertListNameMatches(tu.NoErr(enc.NameFromStr("/other/KEY/kid")), withVer))
+
+	// Version parsing
+	require.Equal(t, uint64(1), sec.CertListVersion(withVer))
+	require.Equal(t, uint64(1), sec.CertListVersion(withDigest))
+	require.Equal(t, uint64(0), sec.CertListVersion(prefix))
+}
+
+func TestAnchorKeyNameFromLocator(t *testing.T) {
+	tu.SetT(t)
+
+	keyName := tu.NoErr(enc.NameFromStr("/my/test/identity/KEY/kid"))
+	certName := keyName.Append(enc.NewGenericComponent("issuer"), enc.NewVersionComponent(5))
+	issuerOnly := keyName.Append(enc.NewGenericComponent("issuer"))
+
+	got, err := sec.KeyNameFromLocator(keyName)
+	require.NoError(t, err)
+	require.Equal(t, keyName, got)
+
+	got, err = sec.KeyNameFromLocator(certName)
+	require.NoError(t, err)
+	require.Equal(t, keyName, got)
+
+	got, err = sec.KeyNameFromLocator(issuerOnly)
+	require.NoError(t, err)
+	require.Equal(t, keyName, got)
+
+	_, err = sec.KeyNameFromLocator(tu.NoErr(enc.NameFromStr("/wrong/components")))
+	require.Error(t, err)
+}