IBR-DTNSuite  0.10
SecurityManager.cpp
Go to the documentation of this file.
1 /*
2  * SecurityManager.cpp
3  *
4  * Copyright (C) 2011 IBR, TU Braunschweig
5  *
6  * Written-by: Johannes Morgenroth <morgenroth@ibr.cs.tu-bs.de>
7  *
8  * Licensed under the Apache License, Version 2.0 (the "License");
9  * you may not use this file except in compliance with the License.
10  * You may obtain a copy of the License at
11  *
12  * http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing, software
15  * distributed under the License is distributed on an "AS IS" BASIS,
16  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17  * See the License for the specific language governing permissions and
18  * limitations under the License.
19  *
20  */
21 
22 #include "security/SecurityManager.h"
23 #include "security/SecurityKeyManager.h"
24 #include "core/BundleCore.h"
25 #include "routing/QueueBundleEvent.h"
26 #include <ibrdtn/security/PayloadIntegrityBlock.h>
27 #include <ibrcommon/Logger.h>
28 
29 #include <openssl/rsa.h>
30 #include <openssl/pem.h>
31 #include <openssl/err.h>
32 
33 #ifdef __DEVELOPMENT_ASSERTIONS__
34 #include <cassert>
35 #endif
36 
37 namespace dtn
38 {
39  namespace security
40  {
41  SecurityManager& SecurityManager::getInstance()
42  {
43  static SecurityManager sec_man;
44  return sec_man;
45  }
46 
47  SecurityManager::SecurityManager()
48  : _accept_only_bab(false), _accept_only_pib(false)
49  {
50  }
51 
52  SecurityManager::~SecurityManager()
53  {
54  }
55 
56  void SecurityManager::auth(dtn::data::Bundle &bundle) const throw (KeyMissingException)
57  {
58  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "auth bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
59 
60  try {
61  // try to load the local key
62  const SecurityKey key = SecurityKeyManager::getInstance().get(dtn::core::BundleCore::local, SecurityKey::KEY_SHARED);
63 
64  // sign the bundle with BABs
65  dtn::security::BundleAuthenticationBlock::auth(bundle, key);
66  } catch (const SecurityKeyManager::KeyNotFoundException &ex) {
67  throw KeyMissingException(ex.what());
68  }
69  }
70 
71  void SecurityManager::sign(dtn::data::Bundle &bundle) const throw (KeyMissingException)
72  {
73  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "sign bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
74 
75  try {
76  // try to load the local key
77  const SecurityKey key = SecurityKeyManager::getInstance().get(dtn::core::BundleCore::local, SecurityKey::KEY_PRIVATE);
78 
79  // sign the bundle with PIB
80  dtn::security::PayloadIntegrityBlock::sign(bundle, key, bundle.destination.getNode());
81  } catch (const SecurityKeyManager::KeyNotFoundException &ex) {
82  throw KeyMissingException(ex.what());
83  }
84  }
85 
86  void SecurityManager::verify(dtn::data::Bundle &bundle) const throw (VerificationFailedException)
87  {
88  verifyBAB(bundle);
89  verifyPIB(bundle);
90  }
91 
92  void SecurityManager::verifyPIB(dtn::data::Bundle &bundle) const throw (VerificationFailedException)
93  {
94  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "verify signed bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
95 
96  // iterate over all PIBs of this bundle
97  dtn::data::Bundle::find_iterator it(bundle.begin(), dtn::security::PayloadIntegrityBlock::BLOCK_TYPE);
98  while (it.next(bundle.end()))
99  {
100  const dtn::security::PayloadIntegrityBlock& pib = dynamic_cast<const dtn::security::PayloadIntegrityBlock&>(**it);
101 
102  try {
103  const SecurityKey key = SecurityKeyManager::getInstance().get(pib.getSecuritySource(bundle), SecurityKey::KEY_PUBLIC);
104 
105  if (pib.isSecurityDestination(bundle, dtn::core::BundleCore::local))
106  {
107  try {
108  dtn::security::PayloadIntegrityBlock::strip(bundle, key);
109 
110  // set the verify bit, after verification
111  bundle.set(dtn::data::Bundle::DTNSEC_STATUS_VERIFIED, true);
112 
113  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 5) << "Bundle from " << bundle.source.getString() << " successfully verified using PayloadIntegrityBlock" << IBRCOMMON_LOGGER_ENDL;
114  return;
115  } catch (const ibrcommon::Exception&) {
116  throw VerificationFailedException();
117  }
118  }
119  else
120  {
121  try {
122  dtn::security::PayloadIntegrityBlock::verify(bundle, key);
123 
124  // set the verify bit, after verification
125  bundle.set(dtn::data::Bundle::DTNSEC_STATUS_VERIFIED, true);
126 
127  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 5) << "Bundle from " << bundle.source.getString() << " successfully verified using PayloadIntegrityBlock" << IBRCOMMON_LOGGER_ENDL;
128  } catch (const ibrcommon::Exception&) {
129  throw VerificationFailedException();
130  }
131  }
132  } catch (const ibrcommon::Exception&) {
133  // key not found?
134  }
135  }
136  }
137 
138  void SecurityManager::verifyBAB(dtn::data::Bundle &bundle) const throw (VerificationFailedException)
139  {
140  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "verify authenticated bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
141 
142  // iterate over all BABs of this bundle
143  dtn::data::Bundle::find_iterator it(bundle.begin(), dtn::security::BundleAuthenticationBlock::BLOCK_TYPE);
144  while (it.next(bundle.end()))
145  {
146  const dtn::security::BundleAuthenticationBlock& bab = dynamic_cast<const dtn::security::BundleAuthenticationBlock&>(**it);
147 
148  // look for the right BAB-factory
149  const dtn::data::EID node = bab.getSecuritySource(bundle);
150 
151  try {
152  // try to load the key of the BAB
153  const SecurityKey key = SecurityKeyManager::getInstance().get(node, SecurityKey::KEY_SHARED);
154 
155  // verify the bundle
156  dtn::security::BundleAuthenticationBlock::verify(bundle, key);
157 
158  // strip all BAB of this bundle
159  dtn::security::BundleAuthenticationBlock::strip(bundle);
160 
161  // set the verify bit, after verification
162  bundle.set(dtn::data::Bundle::DTNSEC_STATUS_AUTHENTICATED, true);
163 
164  // at least one BAB has been authenticated, we're done!
165  break;
166  } catch (const SecurityKeyManager::KeyNotFoundException&) {
167  // no key for this node found
168  } catch (const ibrcommon::Exception &ex) {
169  // verification failed
170  throw SecurityManager::VerificationFailedException(ex.what());
171  }
172  }
173  }
174 
175  void SecurityManager::fastverify(const dtn::data::Bundle &bundle) const throw (VerificationFailedException)
176  {
177  // do a fast verify without manipulating the bundle
178  const dtn::daemon::Configuration::Security &secconf = dtn::daemon::Configuration::getInstance().getSecurity();
179 
180  if (secconf.getLevel() & dtn::daemon::Configuration::Security::SECURITY_LEVEL_ENCRYPTED)
181  {
182  // check if the bundle is encrypted and throw an exception if not
183  //throw VerificationFailedException("Bundle is not encrypted");
184  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "encryption required, verify bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
185 
186  if (std::count(bundle.begin(), bundle.end(), dtn::security::PayloadConfidentialBlock::BLOCK_TYPE) == 0)
187  throw VerificationFailedException("No PCB available!");
188  }
189 
190  if (secconf.getLevel() & dtn::daemon::Configuration::Security::SECURITY_LEVEL_SIGNED)
191  {
192  // check if the bundle is signed and throw an exception if not
193  //throw VerificationFailedException("Bundle is not signed");
194  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "signature required, verify bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
195 
196  if (std::count(bundle.begin(), bundle.end(), dtn::security::PayloadIntegrityBlock::BLOCK_TYPE) == 0)
197  throw VerificationFailedException("No PIB available!");
198  }
199 
200  if (secconf.getLevel() & dtn::daemon::Configuration::Security::SECURITY_LEVEL_AUTHENTICATED)
201  {
202  // check if the bundle is signed and throw an exception if not
203  //throw VerificationFailedException("Bundle is not signed");
204  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "authentication required, verify bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
205 
206  if (std::count(bundle.begin(), bundle.end(), dtn::security::BundleAuthenticationBlock::BLOCK_TYPE) == 0)
207  throw VerificationFailedException("No BAB available!");
208  }
209  }
210 
211  void SecurityManager::decrypt(dtn::data::Bundle &bundle) const throw (DecryptException, KeyMissingException)
212  {
213  // check if the bundle has to be decrypted, return when not
214  if (std::count(bundle.begin(), bundle.end(), dtn::security::PayloadConfidentialBlock::BLOCK_TYPE) <= 0) return;
215 
216  // decrypt
217  try {
218  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "decrypt bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
219 
220  // get the encryption key
221  dtn::security::SecurityKey key = SecurityKeyManager::getInstance().get(dtn::core::BundleCore::local, dtn::security::SecurityKey::KEY_PRIVATE);
222 
223  // encrypt the payload of the bundle
224  dtn::security::PayloadConfidentialBlock::decrypt(bundle, key);
225 
226  bundle.set(dtn::data::Bundle::DTNSEC_STATUS_CONFIDENTIAL, true);
227  } catch (const ibrcommon::Exception &ex) {
228  throw DecryptException(ex.what());
229  }
230  }
231 
232  void SecurityManager::encrypt(dtn::data::Bundle &bundle) const throw (EncryptException, KeyMissingException)
233  {
234  try {
235  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "encrypt bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
236 
237  // get the encryption key
238  dtn::security::SecurityKey key = SecurityKeyManager::getInstance().get(bundle.destination, dtn::security::SecurityKey::KEY_PUBLIC);
239 
240  // encrypt the payload of the bundle
241  dtn::security::PayloadConfidentialBlock::encrypt(bundle, key, dtn::core::BundleCore::local);
242  } catch (const ibrcommon::Exception &ex) {
243  throw EncryptException(ex.what());
244  }
245  }
246  }
247 }