Zero Trust IoT library
ZtPolicyEngineWithCert Class Reference

Simulates a Zero Trust policy engine that enforces access control using certificates.

#include <zt-certificate.h>

Public Member Functions

void SetCaPublicKey (CryptoPP::RSA::PublicKey pub)
 Sets the CA's public key used for certificate verification.
 
void Revoke (uint32_t nodeId)
 Revokes a node by its ID, preventing it from being authorized.
 
bool Authorize (uint32_t nodeId, const std::string &role, const std::string &certStr)
 Authorizes a node based on its certificate.
 

Private Attributes

CryptoPP::RSA::PublicKey caPublicKey
 Trusted public key used for signature verification.
 
std::unordered_set< uint32_t > revoke
 Set of node IDs that are explicitly revoked.
 

Detailed Description

Simulates a Zero Trust policy engine that enforces access control using certificates.

This engine validates node certificates, verifies digital signatures, checks role and expiry, and maintains a list of revoked node IDs.

Definition at line 51 of file zt-certificate.h.

Member Function Documentation

◆ Authorize()

bool ZtPolicyEngineWithCert::Authorize ( uint32_t  nodeId,
const std::string &  role,
const std::string &  certStr 
)

Authorizes a node based on its certificate.

Verifies and authorizes a node based on its certificate.

Parameters
nodeId: The node's claimed ID.
role: The role the node claims to perform.
certStr: The certificate string presented by the node.
Returns
True if the certificate is valid, not expired, matches the node, and not revoked.
Parameters
nodeId: ID of the node attempting access
role: Role of the node
certStr: Certificate string to validate
Returns
True if the certificate is valid and authorization succeeds

Definition at line 79 of file zt-certificate.cc.

{
    using namespace ns3;

    // Revocation is checked first, before the certificate is parsed.
    if (revoke.find(nodeId) != revoke.end()) {
        NS_LOG_UNCOND("ZT-CERT: Node " << nodeId << " is revoked");
        return false;
    }

    // Split "<content>|SIG:<base64 signature>" at the first "|SIG:" marker.
    std::string content, sig;
    size_t sigPos = certStr.find("|SIG:");
    if (sigPos == std::string::npos) return false;
    content = certStr.substr(0, sigPos);
    sig = certStr.substr(sigPos + 5);

    std::string decodedSig;
    StringSource(sig, true, new Base64Decoder(new StringSink(decodedSig)));

    // Verify the RSASS<PSSR, SHA1> signature over the content with the CA public key.
    RSASS<PSSR, SHA1>::Verifier verifier(caPublicKey);
    bool valid = false;
    StringSource(decodedSig + content, true,
        new SignatureVerificationFilter(verifier,
            new ArraySink((byte*)&valid, sizeof(valid)),
            SignatureVerificationFilter::PUT_RESULT | SignatureVerificationFilter::SIGNATURE_AT_BEGIN));

    if (!valid) {
        NS_LOG_UNCOND("ZT-CERT: Signature invalid");
        return false;
    }

    // Parse the signed "ID:", "ROLE:" and "EXP:" fields, separated by '|'.
    std::istringstream ss(content);
    std::string token;
    uint32_t idParsed = 0;
    std::string roleParsed;
    time_t expiry = 0;

    while (std::getline(ss, token, '|')) {
        if (token.find("ID:") == 0)
            idParsed = std::stoul(token.substr(3));
        else if (token.find("ROLE:") == 0)
            roleParsed = token.substr(5);
        else if (token.find("EXP:") == 0)
            expiry = std::stol(token.substr(4));
    }

    // The signed identity and role must match what the node claims.
    if (idParsed != nodeId || roleParsed != role) {
        NS_LOG_UNCOND("ZT-CERT: Identity mismatch");
        return false;
    }

    // Reject certificates whose expiry time has passed.
    time_t now = std::time(nullptr);
    if (now > expiry) {
        NS_LOG_UNCOND("ZT-CERT: Certificate expired");
        return false;
    }

    return true;
}
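
Added example, not part of the library's source: in the field loop of Authorize() above, a repeated field overwrites the earlier value, std::stoul accepts trailing characters after the digits, and std::stoul/std::stol throw on non-numeric text. The sketch below parses the same ID/ROLE/EXP content strictly and applies the same identity and expiry checks; ZtCertFields, ParseDecimal, ParseCertContent and CheckCertFields are hypothetical names, it assumes the content carries only these three fields, and signature verification and revocation stay in Authorize().

```cpp
#include <cstdint>
#include <sstream>
#include <string>

// Hypothetical names for this sketch; not part of the Zero Trust IoT library.
struct ZtCertFields { uint32_t id; std::string role; int64_t expiry; };

// Digits only, whole token consumed, value <= max (no sign, space or suffix).
static bool ParseDecimal(const std::string &s, uint64_t max, uint64_t &out) {
    if (s.empty() || s.size() > 19) return false;  // 19 digits cannot overflow
    out = 0;
    for (char c : s) {
        if (c < '0' || c > '9') return false;
        out = out * 10 + static_cast<uint64_t>(c - '0');
    }
    return out <= max;
}

// Strict parse of "ID:<n>|ROLE:<r>|EXP:<t>": each field exactly once, any order.
// Assumption: the signed content holds only these three fields.
bool ParseCertContent(const std::string &content, ZtCertFields &f) {
    if (content.empty() || content.back() == '|') return false;
    bool seenId = false, seenRole = false, seenExp = false;
    std::istringstream ss(content);
    std::string token; uint64_t n = 0;
    while (std::getline(ss, token, '|')) {
        if (token.compare(0, 3, "ID:") == 0) {
            if (seenId || !ParseDecimal(token.substr(3), UINT32_MAX, n)) return false;
            f.id = static_cast<uint32_t>(n);
            seenId = true;
        } else if (token.compare(0, 5, "ROLE:") == 0) {
            if (seenRole || token.size() == 5) return false;
            f.role = token.substr(5);
            seenRole = true;
        } else if (token.compare(0, 4, "EXP:") == 0) {
            if (seenExp || !ParseDecimal(token.substr(4), INT64_MAX, n)) return false;
            f.expiry = static_cast<int64_t>(n);
            seenExp = true;
        } else { return false; }  // unknown or empty token
    }
    return seenId && seenRole && seenExp;
}

// Same post-signature checks as Authorize(); `now` is a parameter for determinism.
bool CheckCertFields(const std::string &content, uint32_t nodeId,
                     const std::string &role, int64_t now) {
    ZtCertFields f{};
    return ParseCertContent(content, f) && f.id == nodeId && f.role == role && now <= f.expiry;
}
```
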

◆ Revoke()

void ZtPolicyEngineWithCert::Revoke ( uint32_t  nodeId)

Revokes a node by its ID, preventing it from being authorized.

Revokes access for a specific node.

Parameters
nodeId: The node ID to be added to the revocation list.
nodeId: ID of the node to be revoked

Definition at line 68 of file zt-certificate.cc.

{
    revoke.insert(nodeId);
}

◆ SetCaPublicKey()

void ZtPolicyEngineWithCert::SetCaPublicKey ( CryptoPP::RSA::PublicKey  pub)

Sets the CA's public key used for certificate verification.

Sets the CA public key for the policy engine.

Parameters
pub: The public RSA key of the trusted Certificate Authority.
pub: RSA public key of the certificate authority

Definition at line 60 of file zt-certificate.cc.

{
    caPublicKey = pub;
}

Field Documentation

◆ caPublicKey

CryptoPP::RSA::PublicKey ZtPolicyEngineWithCert::caPublicKey
private

Trusted public key used for signature verification.

Definition at line 75 of file zt-certificate.h.

◆ revoke

std::unordered_set<uint32_t> ZtPolicyEngineWithCert::revoke
private

Set of node IDs that are explicitly revoked.

Definition at line 76 of file zt-certificate.h.


The documentation for this class was generated from the following files: