OpenDDS  Snapshot(2023/04/28-20:55)
AuthenticationBuiltInImpl.h
Go to the documentation of this file.
1 /*
2  *
3  *
4  * Distributed under the OpenDDS License.
5  * See: http://www.OpenDDS.org/license.html
6  */
7 
8 
9 
10 #ifndef OPENDDS_DCPS_SECURITY_AUTHENTICATIONBUILTINIMPL_H
11 #define OPENDDS_DCPS_SECURITY_AUTHENTICATIONBUILTINIMPL_H
12 
13 #include "OpenDDS_Security_Export.h"
14 #include "Authentication/LocalAuthCredentialData.h"
15 #include "SSL/DiffieHellman.h"
16 
17 #include <dds/DdsSecurityCoreC.h>
18 #include <dds/Versioned_Namespace.h>
19 #include <dds/DCPS/dcps_export.h>
20 #include <dds/DCPS/GuidUtils.h>
21 
22 #include <ace/Thread_Mutex.h>
23 
24 #include <map>
25 #include <string>
26 #include <memory>
27 
28 #if !defined (ACE_LACKS_PRAGMA_ONCE)
29 #pragma once
30 #endif /* ACE_LACKS_PRAGMA_ONCE */
31 
32 class DDS_TEST;
33 
34 OPENDDS_BEGIN_VERSIONED_NAMESPACE_DECL
35 
36 namespace OpenDDS {
37 namespace Security {
38 
39 const char Identity_Status_Token_Class_Id[] = "DDS:Auth:PKI-DH:1.0";
40 const char Auth_Peer_Cred_Token_Class_Id[] = "DDS:Auth:PKI-DH:1.0";
41 
42 const char dds_cert_sn[] = "dds.cert.sn";
43 const char dds_cert_algo[] = "dds.cert.algo";
44 
45 const char dds_ca_sn[] = "dds.ca.sn";
46 const char dds_ca_algo[] = "dds.ca.algo";
47 
48 /**
49 * @class AuthenticationBuiltInImpl
50 *
51 * @brief Implements the DDS built-in version of the Authentication
52 * plugin for the DDS Security Specification
53 *
54 * See the DDS security specification, OMG formal/17-09-20, for a description of
55 * the interface this class is implementing.
56 *
57 */
58 class OpenDDS_Security_Export AuthenticationBuiltInImpl
59  : public virtual DDS::Security::Authentication
60 {
61 public:
62 
63  /// include in PropertyQosPolicy to add optional properties to Handshake tokens
64  static const char* PROPERTY_HANDSHAKE_DEBUG;
65 
66  AuthenticationBuiltInImpl();
67  virtual ~AuthenticationBuiltInImpl();
68 
69  virtual ::DDS::Security::ValidationResult_t validate_local_identity(
70  ::DDS::Security::IdentityHandle & local_identity_handle,
71  DCPS::GUID_t & adjusted_participant_guid,
72  ::DDS::Security::DomainId_t domain_id,
73  const ::DDS::DomainParticipantQos & participant_qos,
74  const DCPS::GUID_t & candidate_participant_guid,
75  ::DDS::Security::SecurityException & ex);
76 
77  virtual ::CORBA::Boolean get_identity_token(
78  ::DDS::Security::IdentityToken & identity_token,
79  ::DDS::Security::IdentityHandle handle,
80  ::DDS::Security::SecurityException & ex);
81 
82  virtual ::CORBA::Boolean get_identity_status_token(
83  ::DDS::Security::IdentityStatusToken & identity_status_token,
84  ::DDS::Security::IdentityHandle handle,
85  ::DDS::Security::SecurityException & ex);
86 
87  virtual ::CORBA::Boolean set_permissions_credential_and_token(
88  ::DDS::Security::IdentityHandle handle,
89  const ::DDS::Security::PermissionsCredentialToken & permissions_credential,
90  const ::DDS::Security::PermissionsToken & permissions_token,
91  ::DDS::Security::SecurityException & ex);
92 
93  virtual ::DDS::Security::ValidationResult_t validate_remote_identity(
94  ::DDS::Security::IdentityHandle & remote_identity_handle,
95  ::DDS::Security::AuthRequestMessageToken & local_auth_request_token,
96  const ::DDS::Security::AuthRequestMessageToken & remote_auth_request_token,
97  ::DDS::Security::IdentityHandle local_identity_handle,
98  const ::DDS::Security::IdentityToken & remote_identity_token,
99  const DCPS::GUID_t & remote_participant_guid,
100  ::DDS::Security::SecurityException & ex);
101 
102  virtual ::DDS::Security::ValidationResult_t begin_handshake_request(
103  ::DDS::Security::HandshakeHandle & handshake_handle,
104  ::DDS::Security::HandshakeMessageToken & handshake_message,
105  ::DDS::Security::IdentityHandle initiator_identity_handle,
106  ::DDS::Security::IdentityHandle replier_identity_handle,
107  const ::DDS::OctetSeq & serialized_local_participant_data,
108  ::DDS::Security::SecurityException & ex);
109 
110  virtual ::DDS::Security::ValidationResult_t begin_handshake_reply(
111  ::DDS::Security::HandshakeHandle & handshake_handle,
112  ::DDS::Security::HandshakeMessageToken & handshake_message_out,
113  ::DDS::Security::IdentityHandle initiator_identity_handle,
114  ::DDS::Security::IdentityHandle replier_identity_handle,
115  const ::DDS::OctetSeq & serialized_local_participant_data,
116  ::DDS::Security::SecurityException & ex);
117 
118  virtual ::DDS::Security::ValidationResult_t process_handshake(
119  ::DDS::Security::HandshakeMessageToken & handshake_message_out,
120  const ::DDS::Security::HandshakeMessageToken & handshake_message_in,
121  ::DDS::Security::HandshakeHandle handshake_handle,
122  ::DDS::Security::SecurityException & ex);
123 
124  virtual ::DDS::Security::SharedSecretHandle* get_shared_secret(
125  ::DDS::Security::HandshakeHandle handshake_handle,
126  ::DDS::Security::SecurityException & ex);
127 
128  virtual ::CORBA::Boolean get_authenticated_peer_credential_token(
129  ::DDS::Security::AuthenticatedPeerCredentialToken & peer_credential_token,
130  ::DDS::Security::HandshakeHandle handshake_handle,
131  ::DDS::Security::SecurityException & ex);
132 
133  virtual ::CORBA::Boolean set_listener(
134  ::DDS::Security::AuthenticationListener_ptr listener,
135  ::DDS::Security::SecurityException & ex);
136 
137  virtual ::CORBA::Boolean return_identity_token(
138  const ::DDS::Security::IdentityToken & token,
139  ::DDS::Security::SecurityException & ex);
140 
141  virtual ::CORBA::Boolean return_identity_status_token(
142  const ::DDS::Security::IdentityStatusToken & token,
143  ::DDS::Security::SecurityException & ex);
144 
145  virtual ::CORBA::Boolean return_authenticated_peer_credential_token(
146  const ::DDS::Security::AuthenticatedPeerCredentialToken & peer_credential_token,
147  ::DDS::Security::SecurityException & ex);
148 
149  virtual ::CORBA::Boolean return_handshake_handle(
150  ::DDS::Security::HandshakeHandle handshake_handle,
151  ::DDS::Security::SecurityException & ex);
152 
153  virtual ::CORBA::Boolean return_identity_handle(
154  ::DDS::Security::IdentityHandle identity_handle,
155  ::DDS::Security::SecurityException & ex);
156 
157  virtual ::CORBA::Boolean return_sharedsecret_handle(
158  ::DDS::Security::SharedSecretHandle* sharedsecret_handle,
159  ::DDS::Security::SecurityException & ex);
160 
161 private:
162 
163  struct RemoteParticipantData : public DCPS::RcObject {
164  typedef DCPS::RcHandle<RemoteParticipantData> shared_ptr;
165 
166  // Identity data
167 
168  DCPS::GUID_t participant_guid;
169  DDS::Security::IdentityHandle local_participant;
170 
171  // Handshake data
172 
173  DDS::Security::AuthRequestMessageToken local_auth_request;
174  DDS::Security::AuthRequestMessageToken remote_auth_request;
175  DDS::Security::IdentityHandle initiator_identity;
176  DDS::Security::IdentityHandle replier_identity;
177  DDS::Security::SharedSecretHandle_var shared_secret;
178  DDS::Security::HandshakeMessageToken request;
179  DDS::Security::HandshakeMessageToken reply;
180  DDS::Security::ValidationResult_t state;
181  SSL::DiffieHellman::unique_ptr diffie_hellman;
182  SSL::Certificate::unique_ptr certificate;
183  DDS::OctetSeq c_perm;
184  DDS::OctetSeq hash_c1;
185  DDS::OctetSeq hash_c2;
186 
187  RemoteParticipantData()
188  : participant_guid(DCPS::GUID_UNKNOWN)
189  , local_participant(DDS::HANDLE_NIL)
190  , initiator_identity(DDS::HANDLE_NIL)
191  , replier_identity(DDS::HANDLE_NIL)
192  , state(DDS::Security::VALIDATION_FAILED)
193  {
194  }
195  };
196  typedef std::map<DDS::Security::IdentityHandle, RemoteParticipantData::shared_ptr> RemoteParticipantMap;
197 
198  struct LocalParticipantData : public DCPS::RcObject {
199  typedef DCPS::RcHandle<LocalParticipantData> shared_ptr;
200 
201  DCPS::GUID_t participant_guid;
202  LocalAuthCredentialData::shared_ptr credentials;
203  RemoteParticipantMap validated_remotes;
204  bool handshake_debug;
205 
206  LocalParticipantData()
207  : participant_guid(DCPS::GUID_UNKNOWN)
208  , credentials()
209  , validated_remotes()
210  , handshake_debug(false)
211  {
212  }
213  ~LocalParticipantData();
214  };
215  typedef std::map<DDS::Security::IdentityHandle, LocalParticipantData::shared_ptr> LocalParticipantMap;
216  LocalParticipantMap local_participants_;
217 
218  LocalParticipantData::shared_ptr get_local_participant(DDS::Security::IdentityHandle handle);
219 
220  typedef std::pair<LocalParticipantData::shared_ptr, RemoteParticipantData::shared_ptr> HandshakeDataPair;
221  typedef std::map<DDS::Security::HandshakeHandle, HandshakeDataPair> HandshakeDataMap;
222  HandshakeDataMap handshake_data_;
223 
224  HandshakeDataPair get_handshake_data(DDS::Security::HandshakeHandle handle);
225 
226  /// @brief Finds the local and remote data objects associated with h1 and h2 and
227  /// creates a new handshake pair with them. It does not matter which handle is local
228  /// and which is remote.
229  /// @param h1 Either a local or remote handle.
230  /// @param h2 Either a local or remote handle.
231  HandshakeDataPair make_handshake_pair(DDS::Security::IdentityHandle h1,
232  DDS::Security::IdentityHandle h2);
233 
234  DDS::Security::ValidationResult_t process_handshake_reply(
235  DDS::Security::HandshakeMessageToken & handshake_message_out,
236  const DDS::Security::HandshakeMessageToken & handshake_message_in,
237  DDS::Security::HandshakeHandle handshake_handle,
238  DDS::Security::SecurityException & ex);
239 
240  DDS::Security::ValidationResult_t process_final_handshake(
241  const DDS::Security::HandshakeMessageToken & handshake_message_in,
242  DDS::Security::HandshakeHandle handshake_handle,
243  DDS::Security::SecurityException & ex);
244 
245  bool is_handshake_initiator(const DCPS::GUID_t& local, const DCPS::GUID_t& remote);
246 
247  bool check_class_versions(const char* remote_class_id);
248 
249  std::string build_class_id(const std::string& message_ext);
250 
251  std::string get_extension(const char* class_id);
252 
253  CORBA::Long get_next_handle();
254 
255  struct was_guid_validated
256  {
257  was_guid_validated(const DCPS::GUID_t& expected) : expected_(expected) {}
258 
259  bool operator()(const RemoteParticipantMap::value_type& validated) const
260  {
261  return (expected_ == validated.second->participant_guid);
262  }
263  private:
264  const DCPS::GUID_t& expected_;
265  };
266 
267  struct local_has_remote_handle
268  {
269  local_has_remote_handle(DDS::Security::IdentityHandle h) : h_(h) {}
270 
271  bool operator()(const LocalParticipantMap::value_type& local) const
272  {
273  const RemoteParticipantMap& remotes = local.second->validated_remotes;
274  return remotes.find(h_) != remotes.end();
275  }
276  private:
277  DDS::Security::IdentityHandle h_;
278  };
279 
280  DDS::Security::AuthenticationListener_ptr listener_ptr_;
281 
282  ACE_Thread_Mutex identity_mutex_;
283  ACE_Thread_Mutex handshake_mutex_;
284  ACE_Thread_Mutex handle_mutex_;
285 
286  CORBA::Long next_handle_;
287 
288 };
289 } // namespace Security
290 } // namespace OpenDDS
291 
292 OPENDDS_END_VERSIONED_NAMESPACE_DECL
293 
294 #endif
CORBA::Long
ACE_CDR::Long Long
OpenDDS::Security::Auth_Peer_Cred_Token_Class_Id
const char Auth_Peer_Cred_Token_Class_Id[]
Definition: AuthenticationBuiltInImpl.h:40
DDS::HANDLE_NIL
const InstanceHandle_t HANDLE_NIL
Definition: DdsDcpsInfrastructure.idl:47
OpenDDS::DCPS::GUID_UNKNOWN
const GUID_t GUID_UNKNOWN
Nil value for GUID.
Definition: GuidUtils.h:59
DDS::Security::DomainId_t
DDS::DomainId_t DomainId_t
Definition: DdsSecurityCore.idl:217
OpenDDS::Security::AuthenticationBuiltInImpl::was_guid_validated::operator()
bool operator()(const RemoteParticipantMap::value_type &validated) const
Definition: AuthenticationBuiltInImpl.h:259
OpenDDS::Security::AuthenticationBuiltInImpl::RemoteParticipantMap
std::map< DDS::Security::IdentityHandle, RemoteParticipantData::shared_ptr > RemoteParticipantMap
Definition: AuthenticationBuiltInImpl.h:196
OpenDDS::Security::AuthenticationBuiltInImpl::HandshakeDataPair
std::pair< LocalParticipantData::shared_ptr, RemoteParticipantData::shared_ptr > HandshakeDataPair
Definition: AuthenticationBuiltInImpl.h:220
DDS::Security::AuthRequestMessageToken
MessageToken AuthRequestMessageToken
Definition: DdsSecurityCore.idl:42
DDS::OctetSeq
sequence< octet > OctetSeq
Definition: DdsDcpsCore.idl:64
DDS
The End User API.
Definition: DataDurabilityCache.h:45
OpenDDS_Security_Export
#define OpenDDS_Security_Export
Definition: OpenDDS_Security_Export.h:25
DDS::Security::HandshakeMessageToken
MessageToken HandshakeMessageToken
Definition: DdsSecurityCore.idl:43
OpenDDS::Security::Identity_Status_Token_Class_Id
const char Identity_Status_Token_Class_Id[]
Definition: AuthenticationBuiltInImpl.h:39
OPENDDS_END_VERSIONED_NAMESPACE_DECL
#define OPENDDS_END_VERSIONED_NAMESPACE_DECL
Definition: Versioned_Namespace.h:48
OpenDDS::Security::AuthenticationBuiltInImpl::LocalParticipantMap
std::map< DDS::Security::IdentityHandle, LocalParticipantData::shared_ptr > LocalParticipantMap
Definition: AuthenticationBuiltInImpl.h:215
DDS::Security::PermissionsCredentialToken
Token PermissionsCredentialToken
Definition: DdsSecurityCore.idl:46
OpenDDS::Security::AuthenticationBuiltInImpl::local_has_remote_handle::operator()
bool operator()(const LocalParticipantMap::value_type &local) const
Definition: AuthenticationBuiltInImpl.h:271
OpenDDS::Security::AuthenticationBuiltInImpl::listener_ptr_
DDS::Security::AuthenticationListener_ptr listener_ptr_
Definition: AuthenticationBuiltInImpl.h:280
OpenDDS
The Internal API and Implementation of OpenDDS.
Definition: AddressCache.h:28
DDS::Security::AuthenticatedPeerCredentialToken
Token AuthenticatedPeerCredentialToken
Definition: DdsSecurityCore.idl:45
OpenDDS::Security::AuthenticationBuiltInImpl::HandshakeDataMap
std::map< DDS::Security::HandshakeHandle, HandshakeDataPair > HandshakeDataMap
Definition: AuthenticationBuiltInImpl.h:221
OpenDDS::Security::AuthenticationBuiltInImpl
Implements the DDS built-in version of the Authentication plugin for the DDS Security Specification...
Definition: AuthenticationBuiltInImpl.h:58
OpenDDS::Security::AuthenticationBuiltInImpl::PROPERTY_HANDSHAKE_DEBUG
static const char * PROPERTY_HANDSHAKE_DEBUG
include in PropertyQosPolicy to add optional properties to Handshake tokens
Definition: AuthenticationBuiltInImpl.h:64
Generated by   doxygen 1.8.13