IBR-DTNSuite  0.12
SecurityManager.cpp
Go to the documentation of this file.
1 /*
2  * SecurityManager.cpp
3  *
4  * Copyright (C) 2011 IBR, TU Braunschweig
5  *
6  * Written-by: Johannes Morgenroth <morgenroth@ibr.cs.tu-bs.de>
7  *
8  * Licensed under the Apache License, Version 2.0 (the "License");
9  * you may not use this file except in compliance with the License.
10  * You may obtain a copy of the License at
11  *
12  * http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing, software
15  * distributed under the License is distributed on an "AS IS" BASIS,
16  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17  * See the License for the specific language governing permissions and
18  * limitations under the License.
19  *
20  */
21 
22 #include "security/SecurityManager.h"
23 #include "security/SecurityKeyManager.h"
24 #include "core/BundleCore.h"
25 #include "routing/QueueBundleEvent.h"
26 #include <ibrdtn/security/PayloadIntegrityBlock.h>
27 #include <ibrcommon/Logger.h>
28 
29 #ifdef __DEVELOPMENT_ASSERTIONS__
30 #include <cassert>
31 #endif
32 
33 namespace dtn
34 {
35  namespace security
36  {
37  SecurityManager& SecurityManager::getInstance()
38  {
39  static SecurityManager sec_man;
40  return sec_man;
41  }
42 
43  SecurityManager::SecurityManager()
44  : _accept_only_bab(false), _accept_only_pib(false)
45  {
46  }
47 
48  SecurityManager::~SecurityManager()
49  {
50  }
51 
52  void SecurityManager::auth(dtn::data::Bundle &bundle) const throw (KeyMissingException)
53  {
54  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "auth bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
55 
56  try {
57  // try to load the local key
58  const SecurityKey key = SecurityKeyManager::getInstance().get(dtn::core::BundleCore::local, SecurityKey::KEY_SHARED);
59 
60  // sign the bundle with BABs
61  dtn::security::BundleAuthenticationBlock::auth(bundle, key);
62  } catch (const SecurityKeyManager::KeyNotFoundException &ex) {
63  throw KeyMissingException(ex.what());
64  }
65  }
66 
67  void SecurityManager::sign(dtn::data::Bundle &bundle) const throw (KeyMissingException)
68  {
69  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "sign bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
70 
71  try {
72  // try to load the local key
73  const SecurityKey key = SecurityKeyManager::getInstance().get(dtn::core::BundleCore::local, SecurityKey::KEY_PRIVATE);
74 
75  // sign the bundle with PIB
76  dtn::security::PayloadIntegrityBlock::sign(bundle, key, bundle.destination.getNode());
77  } catch (const SecurityKeyManager::KeyNotFoundException &ex) {
78  throw KeyMissingException(ex.what());
79  }
80  }
81 
82  void SecurityManager::verify(dtn::data::Bundle &bundle) const throw (VerificationFailedException)
83  {
84  verifyBAB(bundle);
85  verifyPIB(bundle);
86  }
87 
88  void SecurityManager::verifyPIB(dtn::data::Bundle &bundle) const throw (VerificationFailedException)
89  {
90  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "verify signed bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
91 
92  // iterate through all blocks
93  for (dtn::data::Bundle::iterator it = bundle.begin(); it != bundle.end();)
94  {
95  const dtn::data::Block &block = (**it);
96 
97  if (block.getType() == dtn::security::PayloadConfidentialBlock::BLOCK_TYPE) {
98  // payload after a PCB can not verified until the payload is decrypted
99  break;
100  }
101 
102  try {
103  const dtn::security::PayloadIntegrityBlock& pib = dynamic_cast<const dtn::security::PayloadIntegrityBlock&>(block);
104 
105  const SecurityKey key = SecurityKeyManager::getInstance().get(pib.getSecuritySource(bundle), SecurityKey::KEY_PUBLIC);
106 
107  // try to verify the bundle with the key for the current PIB
108  dtn::security::PayloadIntegrityBlock::verify(bundle, key);
109 
110  // if we are the security destination
111  if (pib.isSecurityDestination(bundle, dtn::core::BundleCore::local)) {
112  // remove the valid PIB
113  bundle.erase(it++);
114  } else {
115  ++it;
116  }
117 
118  // set the verify bit, after verification
119  bundle.set(dtn::data::Bundle::DTNSEC_STATUS_VERIFIED, true);
120 
121  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 5) << "Bundle " << bundle.toString() << " successfully verified" << IBRCOMMON_LOGGER_ENDL;
122  continue;
123  } catch (const SecurityKeyManager::KeyNotFoundException&) {
124  // un-set the verify bit
125  bundle.set(dtn::data::Bundle::DTNSEC_STATUS_VERIFIED, false);
126  } catch (const std::bad_cast&) {
127  // current block is not a PIB
128  }
129 
130  ++it;
131  }
132  }
133 
134  void SecurityManager::verifyBAB(dtn::data::Bundle &bundle) const throw (VerificationFailedException)
135  {
136  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "verify authenticated bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
137 
138  // iterate over all BABs of this bundle
139  dtn::data::Bundle::find_iterator it(bundle.begin(), dtn::security::BundleAuthenticationBlock::BLOCK_TYPE);
140  while (it.next(bundle.end()))
141  {
142  const dtn::security::BundleAuthenticationBlock& bab = dynamic_cast<const dtn::security::BundleAuthenticationBlock&>(**it);
143 
144  // look for the right BAB-factory
145  const dtn::data::EID node = bab.getSecuritySource(bundle);
146 
147  try {
148  // try to load the key of the BAB
149  const SecurityKey key = SecurityKeyManager::getInstance().get(node, SecurityKey::KEY_SHARED);
150 
151  // verify the bundle
152  dtn::security::BundleAuthenticationBlock::verify(bundle, key);
153 
154  // strip all BAB of this bundle
155  dtn::security::BundleAuthenticationBlock::strip(bundle);
156 
157  // set the verify bit, after verification
158  bundle.set(dtn::data::Bundle::DTNSEC_STATUS_AUTHENTICATED, true);
159 
160  // at least one BAB has been authenticated, we're done!
161  break;
162  } catch (const SecurityKeyManager::KeyNotFoundException&) {
163  // no key for this node found
164  }
165  }
166  }
167 
168  void SecurityManager::fastverify(const dtn::data::Bundle &bundle) const throw (VerificationFailedException)
169  {
170  // do a fast verify without manipulating the bundle
171  const dtn::daemon::Configuration::Security &secconf = dtn::daemon::Configuration::getInstance().getSecurity();
172 
173  if (secconf.getLevel() & dtn::daemon::Configuration::Security::SECURITY_LEVEL_ENCRYPTED)
174  {
175  // check if the bundle is encrypted and throw an exception if not
176  //throw VerificationFailedException("Bundle is not encrypted");
177  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "encryption required, verify bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
178 
179  if (std::count(bundle.begin(), bundle.end(), dtn::security::PayloadConfidentialBlock::BLOCK_TYPE) == 0)
180  throw VerificationFailedException("No PCB available!");
181  }
182 
183  if (secconf.getLevel() & dtn::daemon::Configuration::Security::SECURITY_LEVEL_SIGNED)
184  {
185  // check if the bundle is signed and throw an exception if not
186  //throw VerificationFailedException("Bundle is not signed");
187  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "signature required, verify bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
188 
189  if (std::count(bundle.begin(), bundle.end(), dtn::security::PayloadIntegrityBlock::BLOCK_TYPE) == 0)
190  throw VerificationFailedException("No PIB available!");
191  }
192 
193  if (secconf.getLevel() & dtn::daemon::Configuration::Security::SECURITY_LEVEL_AUTHENTICATED)
194  {
195  // check if the bundle is signed and throw an exception if not
196  //throw VerificationFailedException("Bundle is not signed");
197  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "authentication required, verify bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
198 
199  if (std::count(bundle.begin(), bundle.end(), dtn::security::BundleAuthenticationBlock::BLOCK_TYPE) == 0)
200  throw VerificationFailedException("No BAB available!");
201  }
202  }
203 
204  void SecurityManager::decrypt(dtn::data::Bundle &bundle) const throw (DecryptException, KeyMissingException)
205  {
206  // check if the bundle has to be decrypted, return when not
207  if (std::count(bundle.begin(), bundle.end(), dtn::security::PayloadConfidentialBlock::BLOCK_TYPE) <= 0) return;
208 
209  // decrypt
210  try {
211  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "decrypt bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
212 
213  // get the encryption key
214  dtn::security::SecurityKey key = SecurityKeyManager::getInstance().get(dtn::core::BundleCore::local, dtn::security::SecurityKey::KEY_PRIVATE);
215 
216  // encrypt the payload of the bundle
217  dtn::security::PayloadConfidentialBlock::decrypt(bundle, key);
218 
219  bundle.set(dtn::data::Bundle::DTNSEC_STATUS_CONFIDENTIAL, true);
220  } catch (const ibrcommon::Exception &ex) {
221  throw DecryptException(ex.what());
222  }
223  }
224 
225  void SecurityManager::encrypt(dtn::data::Bundle &bundle) const throw (EncryptException, KeyMissingException)
226  {
227  try {
228  IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "encrypt bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
229 
230  // get the encryption key
231  dtn::security::SecurityKey key = SecurityKeyManager::getInstance().get(bundle.destination, dtn::security::SecurityKey::KEY_PUBLIC);
232 
233  // encrypt the payload of the bundle
234  dtn::security::PayloadConfidentialBlock::encrypt(bundle, key, dtn::core::BundleCore::local);
235  } catch (const ibrcommon::Exception &ex) {
236  throw EncryptException(ex.what());
237  }
238  }
239  }
240 }