dark/zerotiertspu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Flesh out membership certificate with signature, better serialize/deserialize, and rename parameter to qualifier to make better conceptual sense.

Browse source
This commit is contained in:
Adam Ierymenko 2013-10-04 12:24:21 -04:00
parent ca6c0fad08
commit ea4e1136dd
6 changed files with 314 additions and 69 deletions
Download patch file Download diff file Expand all files Collapse all files

136
node/Network.hpp
View file

@ -51,6 +51,7 @@
#include "Identity.hpp"
#include "InetAddress.hpp"
#include "BandwidthAccount.hpp"
#include "C25519.hpp"
namespace ZeroTier {
@ -86,37 +87,71 @@ public:
/**
* Certificate of network membership
*
* The COM consists of a series of three-element 64-bit tuples. These values
* are an id, a value, and a maximum delta. The ID is arbitrary and should be
* assigned using a scheme that makes every ID globally unique for a given
* type of parameter. ID 0 is reserved for the always-present timestamp
* parameter. The value is parameter-specific. The maximum delta is the
* maximum difference that is permitted between two values for determining
* whether a certificate permits two peers to speak to one another. A value
* of zero indicates that the values must equal.
* The COM contains a sorted set of three-element tuples called qualifiers.
* These contain an id, a value, and a maximum delta.
*
* Certificates of membership must be signed by the netconf master for the
* network in question. This permits members to verify these certs against
* the netconf master's public key before testing them.
* The ID is arbitrary and should be assigned using a scheme that makes
* every ID globally unique. ID 0 is reserved for the always-present
* validity timestamp and range, and ID 1 is reserved for the always-present
* network ID. IDs less than 65536 are reserved for future global
* assignment.
*
* The value's meaning is ID-specific and isn't important here. What's
* important is the value and the third member of the tuple: the maximum
* delta. The maximum delta is the maximum difference permitted between
* values for a given ID between certificates for the two certificates to
* themselves agree.
*
* Network membership is checked by checking whether a peer's certificate
* agrees with your own. The timestamp provides the fundamental criterion--
* each member of a private network must constantly obtain new certificates
* often enough to stay within the max delta for this qualifier. But other
* criteria could be added in the future for very special behaviors, things
* like latitude and longitude for instance.
*/
class CertificateOfMembership
{
public:
CertificateOfMembership() throw() {}
/**
* Certificate type codes, used in serialization
*
* Only one so far, and only one hopefully there shall be for quite some
* time.
*/
enum Type
{
COM_UINT64_ED25519 = 1 // tuples of unsigned 64's signed with Ed25519
};
/**
* Reserved COM IDs
*
* IDs below 65536 should be considered reserved for future global
* assignment here.
*/
enum ReservedIds
{
COM_RESERVED_ID_TIMESTAMP = 0, // timestamp, max delta defines cert life
COM_RESERVED_ID_NETWORK_ID = 1 // network ID, max delta always 0
};
CertificateOfMembership() {}
CertificateOfMembership(const char *s) { fromString(s); }
CertificateOfMembership(const std::string &s) { fromString(s.c_str()); }
/**
* Add a paramter to this certificate
* Add or update a qualifier in this certificate
*
* @param id Parameter ID
* @param value Parameter value
* @param maxDelta Parameter maximum difference with others
* Any signature is invalidated and signedBy is set to null.
*
* @param id Qualifier ID
* @param value Qualifier value
* @param maxDelta Qualifier maximum allowed difference (absolute value of difference)
*/
void addParameter(uint64_t id,uint64_t value,uint64_t maxDelta);
void setQualifier(uint64_t id,uint64_t value,uint64_t maxDelta);
/**
* @return Hex-serialized representation of this certificate (minus signature)
* @return String-serialized representation of this certificate
*/
std::string toString() const;
@ -138,36 +173,69 @@ public:
* paramters in this cert are present in the other and if they agree to
* within this cert's max delta value for each given parameter.
*
* Tuples present in other but not in this cert are ignored, but any
* tuples present in this cert but not in other result in 'false'.
*
* @param other Cert to compare with
* @return True if certs agree and 'other' may be communicated with
*/
bool compare(const CertificateOfMembership &other) const
bool agreesWith(const CertificateOfMembership &other) const
throw();
private:
struct _Parameter
/**
* Sign this certificate
*
* @param with Identity to sign with, must include private key
* @return True if signature was successful
*/
bool sign(const Identity &with);
/**
* Verify certificate against an identity
*
* @param id Identity to verify against
* @return True if certificate is signed by this identity and verification was successful
*/
bool verify(const Identity &id) const;
/**
* @return True if signed
*/
inline bool isSigned() const
throw()
{
_Parameter() throw() {}
_Parameter(uint64_t i,uint64_t v,uint64_t m) throw() :
return (_signedBy);
}
/**
* @return Address that signed this certificate or null address if none
*/
inline const Address &signedBy() const
throw()
{
return _signedBy;
}
private:
struct _Qualifier
{
_Qualifier() throw() {}
_Qualifier(uint64_t i,uint64_t v,uint64_t m) throw() :
id(i),
value(v),
maxDelta(m) {}
uint64_t id;
uint64_t value;
uint64_t maxDelta;
inline bool operator==(const _Qualifier &q) const throw() { return (id == q.id); } // for unique
inline bool operator<(const _Qualifier &q) const throw() { return (id < q.id); } // for sort
};
// Used with std::sort to ensure that _params are sorted
struct _SortByIdComparison
{
inline bool operator()(const _Parameter &a,const _Parameter &b) const
throw()
{
return (a.id < b.id);
}
};
std::vector<_Parameter> _params;
std::vector<_Qualifier> _qualifiers; // sorted by id and unique
Address _signedBy;
C25519::Signature _signature;
};
/**