Drop old Certificate type from Network.

node/Network.cpp

@@ -199,7 +199,7 @@ void Network::setConfiguration(const Network::Config &conf)
 		}
 	} catch ( ... ) {
 		_configuration = Config();
-		_myCertificate = Certificate();
+		_myCertificate = CertificateOfMembership();
 		_lastConfigUpdate = 0;
 		LOG("unexpected exception handling config for network %.16llx, retrying fetch...",(unsigned long long)_id);
 	}
@@ -218,7 +218,7 @@ void Network::requestConfiguration()
 	_r->sw->send(outp,true);
 }
 
-void Network::addMembershipCertificate(const Address &peer,const Certificate &cert)
+void Network::addMembershipCertificate(const Address &peer,const CertificateOfMembership &cert)
 {
 	Mutex::Lock _l(_lock);
 	if (!_configuration.isOpen())
@@ -232,10 +232,10 @@ bool Network::isAllowed(const Address &peer) const
 		Mutex::Lock _l(_lock);
 		if (_configuration.isOpen())
 			return true;
-		std::map<Address,Certificate>::const_iterator pc(_membershipCertificates.find(peer));
+		std::map<Address,CertificateOfMembership>::const_iterator pc(_membershipCertificates.find(peer));
 		if (pc == _membershipCertificates.end())
 			return false;
-		return _myCertificate.qualifyMembership(pc->second);
+		return _myCertificate.compare(pc->second);
 	} catch (std::exception &exc) {
 		TRACE("isAllowed() check failed for peer %s: unexpected exception: %s",peer.toString().c_str(),exc.what());
 	} catch ( ... ) {
@@ -263,8 +263,8 @@ void Network::clean()
 				writeError = true;
 		}
 
-		for(std::map<Address,Certificate>::iterator i=(_membershipCertificates.begin());i!=_membershipCertificates.end();) {
+		for(std::map<Address,CertificateOfMembership>::iterator i=(_membershipCertificates.begin());i!=_membershipCertificates.end();) {
-			if (_myCertificate.qualifyMembership(i->second)) {
+			if (_myCertificate.compare(i->second)) {
 				if ((!writeError)&&(mcdb)) {
 					char tmp[ZT_ADDRESS_LENGTH];
 					i->first.copyTo(tmp,ZT_ADDRESS_LENGTH);

node/Network.hpp

@@ -169,95 +169,12 @@ public:
 		std::vector<_Parameter> _params;
 	};
 
-	/**
-	 * A certificate of network membership for private network participation
-	 *
-	 * Certificates consist of a dictionary containing one or more values with
-	 * optional max delta paramters. A max delta paramter defines the maximum
-	 * absolute value of the difference between each set of two values in order
-	 * for two certificates to match. If there is no max delta parameter, each
-	 * value is compared for straightforward string equality. Values must be
-	 * in hexadecimal (and may be negative) for max delta comparison purposes.
-	 * Decimals are not allowed, so decimal values must be multiplied by some
-	 * factor to convert them to integers with the required relative precision.
-	 * Math is done in 64-bit, allowing plenty of room for this.
-	 *
-	 * This allows membership in a network to be defined not only in terms of
-	 * absolute parameters but also relative comparisons. For example, a network
-	 * could be created that defined membership in terms of a geographic radius.
-	 * Its certificates would contain latitude, longitude, and a max delta for
-	 * each defining the radius.
-	 *
-	 * Max deltas are prefixed by "~". For example, a max delta for "longitude"
-	 * would be "~longitude".
-	 *
-	 * One value and its associated max delta is just about always present: a
-	 * timestamp. This represents the time the certificate was issued by the
-	 * netconf controller. Each peer requests netconf updates periodically with
-	 * new certificates, so this causes peers that are no longer members of the
-	 * network to lose the ability to communicate with their certificate's "ts"
-	 * field differs from everyone else's "ts" by more than "~ts".
-	 */
-	class Certificate : private Dictionary
-	{
-	public:
-		Certificate() {}
-		Certificate(const char *s) : Dictionary(s) {}
-		Certificate(const std::string &s) : Dictionary(s) {}
-		inline std::string toString() const { return Dictionary::toString(); }
-
-		/**
-		 * Sign this certificate
-		 *
-		 * @param with Signing identity -- the identity of this network's controller
-		 * @return Signature or empty string on failure
-		 */
-		inline std::string sign(const Identity &with) const
-		{
-			unsigned char dig[32];
-			_shaForSignature(dig);
-			return with.sign(dig);
-		}
-
-		/**
-		 * Verify this certificate's signature
-		 *
-		 * @param with Signing identity -- the identity of this network's controller
-		 * @param sig Signature
-		 * @param siglen Length of signature in bytes
-		 */
-		inline bool verify(const Identity &with,const void *sig,unsigned int siglen) const
-		{
-			unsigned char dig[32];
-			_shaForSignature(dig);
-			return with.verifySignature(dig,sig,siglen);
-		}
-
-		/**
-		 * Check if another peer is indeed a current member of this network
-		 *
-		 * Fields with companion ~fields are compared with the defined maximum
-		 * delta in this certificate. Fields without ~fields are compared for
-		 * equality.
-		 *
-		 * This does not verify the certificate's signature!
-		 * 
-		 * @param mc Peer membership certificate
-		 * @return True if mc's membership in this network is current
-		 */
-		bool qualifyMembership(const Certificate &mc) const;
-
-	private:
-		void _shaForSignature(unsigned char *dig) const;
-	};
-
 	/**
 	 * Preload and rates of accrual for multicast group bandwidth limits
 	 *
 	 * Key is multicast group in lower case hex format: MAC (without :s) /
 	 * ADI (hex). Value is preload, maximum balance, and rate of accrual in
-	 * hex. These are signed hex numbers, so a negative value can be prefixed
+	 * hex.
-	 * with '-'.
 	 */
 	class MulticastRates : private Dictionary
 	{
@@ -402,12 +319,12 @@ public:
 		/**
 		 * @return Certificate of membership for this network, or empty cert if none
 		 */
-		inline Certificate certificateOfMembership() const
+		inline CertificateOfMembership certificateOfMembership() const
 		{
 			const_iterator cm(find("com"));
 			if (cm == end())
-				return Certificate();
+				return CertificateOfMembership();
-			else return Certificate(cm->second);
+			else return CertificateOfMembership(cm->second);
 		}
 
 		/**
@@ -602,7 +519,7 @@ public:
 	 * @param peer Peer that owns certificate
 	 * @param cert Certificate itself
 	 */
-	void addMembershipCertificate(const Address &peer,const Certificate &cert);
+	void addMembershipCertificate(const Address &peer,const CertificateOfMembership &cert);
 
 	/**
 	 * @param peer Peer address to check
@@ -679,11 +596,11 @@ private:
 	std::set<MulticastGroup> _multicastGroups;
 
 	// Membership certificates supplied by other peers on this network
-	std::map<Address,Certificate> _membershipCertificates;
+	std::map<Address,CertificateOfMembership> _membershipCertificates;
 
 	// Configuration from network master node
 	Config _configuration;
-	Certificate _myCertificate; // memoized from _configuration
+	CertificateOfMembership _myCertificate; // memoized from _configuration
 	MulticastRates _mcRates; // memoized from _configuration
 
 	// Ethertype whitelist bit field, set from config, for really fast lookup