zero-trust-iot-library/zt-policy-engine_8cc_source.html

// === zt-policy-engine.cc ===

#include "zt-policy-engine.h"

#include <ns3/log.h>

#include <sstream>

#include <ctime>

#include <cryptopp/base64.h>

#include <cryptopp/filters.h>

#include <cryptopp/pssr.h>

#include <cryptopp/sha.h>


namespace ns3 {


NS_LOG_COMPONENT_DEFINE("ZtPolicyEngine");


TypeId ZtPolicyEngine::GetTypeId() {

  static TypeId tid = TypeId("ZtPolicyEngine")

    .SetParent<Object>()

    .SetGroupName("ZeroTrust")

    .AddConstructor<ZtPolicyEngine>();

  return tid;

}


void ZtPolicyEngine::AddAuthorized(uint32_t nodeId, const std::string& role) {

  authTable[nodeId] = role;

}


bool ZtPolicyEngine::Authorize(uint32_t nodeId, const std::string& role) {

  return authTable.find(nodeId) != authTable.end() && authTable[nodeId] == role;

}


void ZtPolicyEngine::SetCaPublicKey(RSA::PublicKey pub) {

  caPublicKey = pub;

}


void ZtPolicyEngine::Revoke(uint32_t nodeId) {

  revoke.insert(nodeId);

}


bool ZtPolicyEngine::AuthorizeWithCert(uint32_t nodeId, const std::string& role, const std::string& certStr) {

  if (revoke.find(nodeId) != revoke.end()) {

    NS_LOG_UNCOND("ZT-CERT: Node " << nodeId << " is revoked");

    return false;

  }


  std::string content, sig;

  size_t sigPos = certStr.find("|SIG:");

  if (sigPos == std::string::npos) return false;

  content = certStr.substr(0, sigPos);

  sig = certStr.substr(sigPos + 5);


  std::string decodedSig;

  CryptoPP::StringSource(sig, true, new CryptoPP::Base64Decoder(new CryptoPP::StringSink(decodedSig)));


  CryptoPP::RSASS<CryptoPP::PSSR, CryptoPP::SHA1>::Verifier verifier(caPublicKey);

  bool valid = false;

  CryptoPP::StringSource(decodedSig + content, true,

    new CryptoPP::SignatureVerificationFilter(verifier,

      new CryptoPP::ArraySink((byte*)&valid, sizeof(valid)),

      CryptoPP::SignatureVerificationFilter::PUT_RESULT | CryptoPP::SignatureVerificationFilter::SIGNATURE_AT_BEGIN));


  if (!valid) {

    NS_LOG_UNCOND("ZT-CERT: Signature invalid");

    return false;

  }


  std::istringstream ss(content);

  std::string token;

  uint32_t idParsed = 0;

  std::string roleParsed;

  time_t expiry = 0;


  while (std::getline(ss, token, '|')) {

    if (token.find("ID:") == 0)

      idParsed = std::stoul(token.substr(3));

    else if (token.find("ROLE:") == 0)

      roleParsed = token.substr(5);

    else if (token.find("EXP:") == 0)

      expiry = std::stol(token.substr(4));

  }


  if (idParsed != nodeId || roleParsed != role) {

    NS_LOG_UNCOND("ZT-CERT: Identity mismatch");

    return false;

  }


  if (std::time(nullptr) > expiry) {

    NS_LOG_UNCOND("ZT-CERT: Certificate expired");

    return false;

  }


  return true;

}


} // namespace ns3


ns3::ZtPolicyEngine
Implements policy enforcement for Zero Trust security in NS-3 simulations.
Definition zt-policy-engine.h:22

ns3::ZtPolicyEngine::AddAuthorized
void AddAuthorized(uint32_t nodeId, const std::string &role)
Add a node to the authorized list with a specified role.
Definition zt-policy-engine.cc:32

ns3::ZtPolicyEngine::revoke
std::unordered_set< uint32_t > revoke
List of revoked node IDs.
Definition zt-policy-engine.h:75

ns3::ZtPolicyEngine::authTable
std::unordered_map< uint32_t, std::string > authTable
Maps node ID to assigned role.
Definition zt-policy-engine.h:74

ns3::ZtPolicyEngine::GetTypeId
static TypeId GetTypeId()
Get the TypeId for ZtPolicyEngine.
Definition zt-policy-engine.cc:19

ns3::ZtPolicyEngine::Revoke
void Revoke(uint32_t nodeId)
Add a node ID to the revocation list.
Definition zt-policy-engine.cc:58

ns3::ZtPolicyEngine::Authorize
bool Authorize(uint32_t nodeId, const std::string &role)
Check if a node is authorized for a given role.
Definition zt-policy-engine.cc:42

ns3::ZtPolicyEngine::caPublicKey
RSA::PublicKey caPublicKey
Public key for certificate signature verification.
Definition zt-policy-engine.h:76

ns3::ZtPolicyEngine::SetCaPublicKey
void SetCaPublicKey(RSA::PublicKey pub)
Set the Certificate Authority's public key for verifying digital signatures.
Definition zt-policy-engine.cc:50

ns3::ZtPolicyEngine::AuthorizeWithCert
bool AuthorizeWithCert(uint32_t nodeId, const std::string &role, const std::string &certStr)
Perform certificate-based authorization for a node.
Definition zt-policy-engine.cc:76

ns3
Definition zt-encryption-utils.cc:10

ns3::NS_LOG_COMPONENT_DEFINE
NS_LOG_COMPONENT_DEFINE("ZtPolicyEngine")

zt-policy-engine.h