void SecurityManager::fastverify(const dtn::data::Bundle &bundle) const throw (VerificationFailedException)
{
// do a fast verify without manipulating the bundle
const dtn::daemon::Configuration::Security &secconf = dtn::daemon::Configuration::getInstance().getSecurity();
if (secconf.getLevel() & dtn::daemon::Configuration::Security::SECURITY_LEVEL_ENCRYPTED)
{
// check if the bundle is encrypted and throw an exception if not
//throw VerificationFailedException("Bundle is not encrypted");
IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "encryption required, verify bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
if (std::count(bundle.begin(), bundle.end(), dtn::security::PayloadConfidentialBlock::BLOCK_TYPE) == 0)
throw VerificationFailedException("No PCB available!");
}
if (secconf.getLevel() & dtn::daemon::Configuration::Security::SECURITY_LEVEL_SIGNED)
{
// check if the bundle is signed and throw an exception if not
//throw VerificationFailedException("Bundle is not signed");
IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "signature required, verify bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
if (std::count(bundle.begin(), bundle.end(), dtn::security::PayloadIntegrityBlock::BLOCK_TYPE) == 0)
throw VerificationFailedException("No PIB available!");
}
if (secconf.getLevel() & dtn::daemon::Configuration::Security::SECURITY_LEVEL_AUTHENTICATED)
{
// check if the bundle is signed and throw an exception if not
//throw VerificationFailedException("Bundle is not signed");
IBRCOMMON_LOGGER_DEBUG_TAG("SecurityManager", 10) << "authentication required, verify bundle: " << bundle.toString() << IBRCOMMON_LOGGER_ENDL;
if (std::count(bundle.begin(), bundle.end(), dtn::security::BundleAuthenticationBlock::BLOCK_TYPE) == 0)
throw VerificationFailedException("No BAB available!");
}
}
void PayloadIntegrityBlock::verify(const dtn::data::Bundle &bundle, const SecurityKey &key)
{
// iterate over all PIBs to find the right one
dtn::data::Bundle::const_find_iterator it(bundle.begin(), PayloadIntegrityBlock::BLOCK_TYPE);
while (it.next(bundle.end()))
{
const PayloadIntegrityBlock &sb = dynamic_cast<const PayloadIntegrityBlock&>(**it);
// check if we have the public key of the security source
// skip this block if the given key isn't the right one
if (!sb.isSecuritySource(bundle, key.reference)) continue;
// check the correct algorithm
if (sb._ciphersuite_id != SecurityBlock::PIB_RSA_SHA256)
{
throw VerificationFailedException("can not verify the PIB because of an invalid algorithm");
}
EVP_PKEY *pkey = key.getEVP();
if (pkey == NULL) throw VerificationFailedException("verification error");
ibrcommon::RSASHA256Stream rs2s(pkey, true);
// serialize the bundle in the mutable form
dtn::security::MutableSerializer ms(rs2s, &sb);
(dtn::data::DefaultSerializer&)ms << bundle; rs2s << std::flush;
try {
int ret = rs2s.getVerification(sb._security_result.get(SecurityBlock::integrity_signature));
SecurityKey::free(pkey);
if (ret > 0)
{
// success!
return;
}
else if (ret < 0)
{
throw VerificationFailedException("verification error");
}
} catch (const ElementMissingException&) {
// This PIB can not verified due to a missing integrity signature
throw VerificationFailedException("Integrity signature is missing!");
}
}
throw VerificationFailedException("verification failed");
}
