ns3::ZtPolicyEngine Class Reference

Implements policy enforcement for Zero Trust security in NS-3 simulations. More...

#include <zt-policy-engine.h>

Inheritance diagram for ns3::ZtPolicyEngine:

Collaboration diagram for ns3::ZtPolicyEngine:

Public Member Functions
void	AddAuthorized (uint32_t nodeId, const std::string &role)
	Add a node to the authorized list with a specified role.
bool	Authorize (uint32_t nodeId, const std::string &role)
	Check if a node is authorized for a given role.
void	SetCaPublicKey (RSA::PublicKey pub)
	Set the Certificate Authority's public key for verifying digital signatures.
void	Revoke (uint32_t nodeId)
	Add a node ID to the revocation list.
bool	AuthorizeWithCert (uint32_t nodeId, const std::string &role, const std::string &certStr)
	Perform certificate-based authorization for a node.

Static Public Member Functions
static TypeId	GetTypeId ()
	Get the TypeId for ZtPolicyEngine.

Private Attributes
std::unordered_map< uint32_t, std::string >	authTable
	Maps node ID to assigned role.
std::unordered_set< uint32_t >	revoke
	List of revoked node IDs.
RSA::PublicKey	caPublicKey
	Public key for certificate signature verification.

Detailed Description

Implements policy enforcement for Zero Trust security in NS-3 simulations.

The ZtPolicyEngine class is responsible for enforcing identity-based access control, managing certificate validation, revocations, and dynamic role-based authorization.

Definition at line 22 of file zt-policy-engine.h.

Member Function Documentation

AddAuthorized()

void ns3::ZtPolicyEngine::AddAuthorized	(	uint32_t	nodeId,
		const std::string &	role
	)

Add a node to the authorized list with a specified role.

Add an authorized node and its assigned role.

Parameters

nodeId	The node ID to authorize.
role	The role assigned to the node (e.g., "sensor", "gateway").
nodeId	The ID of the node.
role	The assigned role for the node (e.g., "sensor", "gateway").

Definition at line 32 of file zt-policy-engine.cc.

                                                                         {
  authTable[nodeId] = role;
}

Authorize()

bool ns3::ZtPolicyEngine::Authorize	(	uint32_t	nodeId,
		const std::string &	role
	)

Check if a node is authorized for a given role.

Check if a node is authorized based on its ID and expected role.

Parameters

nodeId	The ID of the requesting node.
role	The required role for access.

Returns

True if authorized, false otherwise.

Parameters

nodeId	The ID of the node requesting access.
role	The expected role the node must have.

Returns

True if the node is authorized and role matches, false otherwise.

Definition at line 42 of file zt-policy-engine.cc.

                                                                     {
  return authTable.find(nodeId) != authTable.end() && authTable[nodeId] == role;
}

AuthorizeWithCert()

bool ns3::ZtPolicyEngine::AuthorizeWithCert	(	uint32_t	nodeId,
		const std::string &	role,
		const std::string &	certStr
	)

Perform certificate-based authorization for a node.

Authorize a node using certificate validation.

This checks:

• If the node is revoked
• If the certificate signature is valid
• If the certificate identity matches the request
• If the certificate is not expired

Parameters

nodeId	The ID of the requesting node.
role	The required role for access.
certStr	The certificate string (including fields and base64-encoded signature).

Returns

True if certificate is valid and authorized, false otherwise.

This function checks:

• Whether the node is revoked.
• If the certificate has a valid signature.
• If the ID and role match the expected values.
• Whether the certificate has expired.

Parameters

nodeId	The ID of the node requesting access.
role	The expected role for the node.
certStr	The full certificate string including signature.

Returns

True if all certificate checks pass and the node is authorized, false otherwise.

Definition at line 76 of file zt-policy-engine.cc.

                                                                                                       {
  if (revoke.find(nodeId) != revoke.end()) {
    NS_LOG_UNCOND("ZT-CERT: Node " << nodeId << " is revoked");
    return false;
  }
 
  std::string content, sig;
  size_t sigPos = certStr.find("|SIG:");
  if (sigPos == std::string::npos) return false;
  content = certStr.substr(0, sigPos);
  sig = certStr.substr(sigPos + 5);
 
  std::string decodedSig;
  CryptoPP::StringSource(sig, true, new CryptoPP::Base64Decoder(new CryptoPP::StringSink(decodedSig)));
 
  CryptoPP::RSASS<CryptoPP::PSSR, CryptoPP::SHA1>::Verifier verifier(caPublicKey);
  bool valid = false;
  CryptoPP::StringSource(decodedSig + content, true,
    new CryptoPP::SignatureVerificationFilter(verifier,
      new CryptoPP::ArraySink((byte*)&valid, sizeof(valid)),
      CryptoPP::SignatureVerificationFilter::PUT_RESULT | CryptoPP::SignatureVerificationFilter::SIGNATURE_AT_BEGIN));
 
  if (!valid) {
    NS_LOG_UNCOND("ZT-CERT: Signature invalid");
    return false;
  }
 
  std::istringstream ss(content);
  std::string token;
  uint32_t idParsed = 0;
  std::string roleParsed;
  time_t expiry = 0;
 
  while (std::getline(ss, token, '|')) {
    if (token.find("ID:") == 0)
      idParsed = std::stoul(token.substr(3));
    else if (token.find("ROLE:") == 0)
      roleParsed = token.substr(5);
    else if (token.find("EXP:") == 0)
      expiry = std::stol(token.substr(4));
  }
 
  if (idParsed != nodeId || roleParsed != role) {
    NS_LOG_UNCOND("ZT-CERT: Identity mismatch");
    return false;
  }
 
  if (std::time(nullptr) > expiry) {
    NS_LOG_UNCOND("ZT-CERT: Certificate expired");
    return false;
  }
 
  return true;
}

GetTypeId()

TypeId ns3::ZtPolicyEngine::GetTypeId ( )

static

Get the TypeId for ZtPolicyEngine.

Returns

TypeId object used for NS-3 runtime type identification.

The TypeId object for this class.

Definition at line 19 of file zt-policy-engine.cc.

                                 {
  static TypeId tid = TypeId("ZtPolicyEngine")
    .SetParent<Object>()
    .SetGroupName("ZeroTrust")
    .AddConstructor<ZtPolicyEngine>();
  return tid;
}

Revoke()

void ns3::ZtPolicyEngine::Revoke

(

uint32_t

nodeId

)

Add a node ID to the revocation list.

Revoke a node by adding its ID to the revocation list.

Parameters

nodeId	The ID of the node to revoke.
nodeId	The ID of the node to be revoked.

Definition at line 58 of file zt-policy-engine.cc.

                                           {
  revoke.insert(nodeId);
}

SetCaPublicKey()

void ns3::ZtPolicyEngine::SetCaPublicKey

(

RSA::PublicKey

pub

)

Set the Certificate Authority's public key for verifying digital signatures.

Set the public key of the Certificate Authority used for signature verification.

Parameters

pub	The RSA public key of the CA.

Definition at line 50 of file zt-policy-engine.cc.

                                                    {
  caPublicKey = pub;
}

Field Documentation

authTable

std::unordered_map<uint32_t, std::string> ns3::ZtPolicyEngine::authTable

private

Maps node ID to assigned role.

Definition at line 74 of file zt-policy-engine.h.

caPublicKey

RSA::PublicKey ns3::ZtPolicyEngine::caPublicKey

private

Public key for certificate signature verification.

Definition at line 76 of file zt-policy-engine.h.

revoke

std::unordered_set<uint32_t> ns3::ZtPolicyEngine::revoke

private

List of revoked node IDs.

Definition at line 75 of file zt-policy-engine.h.

---

The documentation for this class was generated from the following files:

• model/zt-policy-engine.h
• model/zt-policy-engine.cc