secured_vam_sender_receiver/

secured_vam_sender_receiver.rs

// SPDX-License-Identifier: AGPL-3.0-only
// Copyright (C) 2024 Fundació Privada Internet i Innovació Digital a Catalunya (i2CAT)

//! Secured VAM Sender and Receiver Example
//!
//! This example demonstrates sending and receiving ETSI TS 103 097-secured
//! VAMs using the `rustflexstack` security layer and the VRU Awareness
//! Service.
//!
//! Two instances are expected to run simultaneously, one with `--at 1` and the
//! other with `--at 2`.  Each loads its own Authorization Ticket from the
//! `certs/` directory (generated by `generate_certificate_chain`), signs
//! outgoing VAMs, and verifies incoming ones.
//!
//! Security is applied as a middleware layer between the GN router and the
//! link layer — outgoing packets are signed and incoming secured packets are
//! verified before being forwarded to the GN router.
//!
//! # Prerequisites
//! ```text
//! cargo run --example generate_certificate_chain --target x86_64-unknown-linux-gnu
//! ```
//!
//! # Running
//! ```text
//! # Terminal 1:
//! sudo cargo run --example secured_vam_sender_receiver --target x86_64-unknown-linux-gnu -- --at 1
//! # Terminal 2:
//! sudo cargo run --example secured_vam_sender_receiver --target x86_64-unknown-linux-gnu -- --at 2
//! ```
//!
//! If no interface is given the example falls back to `lo` (loopback), which
//! is sufficient to test send→receive on a single machine.

use std::env;
use std::fs;
use std::path::Path;
use std::sync::{mpsc, Arc, Mutex};
use std::thread;
use std::time::Duration;

use rustflexstack::btp::router::Router as BTPRouter;
use rustflexstack::facilities::location_service::{GpsFix, LocationService};
use rustflexstack::facilities::vru_awareness_service::{DeviceData, VruAwarenessService};
use rustflexstack::geonet::basic_header::{BasicHeader, BasicNH};
use rustflexstack::geonet::gn_address::{GNAddress, M, MID, ST};
use rustflexstack::geonet::mib::Mib;
use rustflexstack::geonet::position_vector::LongPositionVector;
use rustflexstack::geonet::router::Router as GNRouter;
use rustflexstack::link_layer::raw_link_layer::RawLinkLayer;

use rustflexstack::security::certificate::{Certificate, OwnCertificate};
use rustflexstack::security::certificate_library::CertificateLibrary;
use rustflexstack::security::ecdsa_backend::EcdsaBackend;
use rustflexstack::security::sign_service::SignService;
use rustflexstack::security::sn_sap::{ReportVerify, SNSignRequest, SNVerifyRequest};
use rustflexstack::security::verify_service::{verify_message, VerifyEvent};

const ITS_AID_VAM: u64 = 638;

/// Build the security stack: load certificates, create backend, sign & verify
/// services.  Returns a `SignService` ready for use.
fn build_security_stack(at_index: usize) -> SignService {
    let cert_dir = Path::new("certs");

    // ── Load certificates ────────────────────────────────────────────────
    let root_bytes = fs::read(cert_dir.join("root_ca.cert"))
        .expect("root_ca.cert not found — run generate_certificate_chain first");
    let aa_bytes = fs::read(cert_dir.join("aa.cert"))
        .expect("aa.cert not found — run generate_certificate_chain first");

    let root_ca = Certificate::from_bytes(&root_bytes, None);
    let aa = Certificate::from_bytes(&aa_bytes, Some(root_ca.clone()));

    // Load both ATs — one is "ours", the other is a known peer
    let at1_cert_bytes = fs::read(cert_dir.join("at1.cert")).expect("at1.cert not found");
    let at2_cert_bytes = fs::read(cert_dir.join("at2.cert")).expect("at2.cert not found");

    let at1 = Certificate::from_bytes(&at1_cert_bytes, Some(aa.clone()));
    let at2 = Certificate::from_bytes(&at2_cert_bytes, Some(aa.clone()));

    // Load our private key
    let own_key_file = if at_index == 1 { "at1.key" } else { "at2.key" };
    let key_bytes = fs::read(cert_dir.join(own_key_file))
        .unwrap_or_else(|_| panic!("{} not found", own_key_file));

    // ── Create backend and import key ────────────────────────────────────
    let mut backend = EcdsaBackend::new();
    let key_id = backend.import_signing_key(&key_bytes);

    let own_cert = if at_index == 1 {
        at1.clone()
    } else {
        at2.clone()
    };
    let peer_cert = if at_index == 1 {
        at2.clone()
    } else {
        at1.clone()
    };

    // ── Build certificate library ────────────────────────────────────────
    let cert_library = CertificateLibrary::new(
        &backend,
        vec![root_ca],
        vec![aa],
        vec![own_cert.clone(), peer_cert],
    );

    // ── Create sign service and add own certificate ──────────────────────
    let mut sign_service = SignService::new(backend, cert_library);
    let own = OwnCertificate::new(own_cert, key_id);
    sign_service.add_own_certificate(own);

    sign_service
}

fn main() {
    // ── Parse arguments ──────────────────────────────────────────────────
    let args: Vec<String> = env::args().collect();
    let mut at_index: usize = 1;
    let mut iface = "lo".to_string();

    let mut i = 1;
    while i < args.len() {
        match args[i].as_str() {
            "--at" => {
                i += 1;
                at_index = args[i].parse::<usize>().expect("--at must be 1 or 2");
                assert!(at_index == 1 || at_index == 2, "--at must be 1 or 2");
            }
            "--iface" | "-i" => {
                i += 1;
                iface = args[i].clone();
            }
            other => {
                // Positional argument: interface name
                iface = other.to_string();
            }
        }
        i += 1;
    }

    println!("=== Secured VAM Sender/Receiver (VRU Awareness Service) ===");
    println!("AT index: {}", at_index);
    println!("Interface: {}", iface);

    // ── Build security stack ─────────────────────────────────────────────
    let sign_service = build_security_stack(at_index);
    println!(
        "Security stack loaded. Own AT HashedId8: {:02x?}",
        sign_service
            .cert_library
            .own_certificates
            .keys()
            .next()
            .unwrap()
    );

    // Wrap in Arc<Mutex> so it can be shared between threads
    let sign_service = Arc::new(Mutex::new(sign_service));

    // ── Generate a random locally-administered MAC ───────────────────────
    let mac = {
        use std::time::{SystemTime, UNIX_EPOCH};
        let seed = SystemTime::now()
            .duration_since(UNIX_EPOCH)
            .unwrap()
            .subsec_nanos()
            ^ (at_index as u32 * 0x1234_5678); // different seed per AT
        [
            0x02u8,
            (seed >> 24) as u8,
            (seed >> 16) as u8,
            (seed >> 8) as u8,
            seed as u8,
            at_index as u8,
        ]
    };
    println!(
        "MAC: {:02X}:{:02X}:{:02X}:{:02X}:{:02X}:{:02X}",
        mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]
    );

    // ── MIB ──────────────────────────────────────────────────────────────
    let mut mib = Mib::new();
    mib.itsGnLocalGnAddr = GNAddress::new(M::GnMulticast, ST::Cyclist, MID::new(mac));
    mib.itsGnBeaconServiceRetransmitTimer = 0;

    // ── Location Service ─────────────────────────────────────────────────
    let mut loc_svc = LocationService::new();
    let gn_gps_rx = loc_svc.subscribe();
    let vru_gps_rx = loc_svc.subscribe();

    // ── Spawn GN router and BTP router ───────────────────────────────────
    let (gn_handle, gn_to_ll_rx, gn_to_btp_rx) = GNRouter::spawn(mib, None, None, None);
    let (btp_handle, btp_to_gn_rx) = BTPRouter::spawn(mib);

    // ── Wire RawLinkLayer ────────────────────────────────────────────────
    let (ll_to_gn_tx, ll_to_gn_rx) = mpsc::channel::<Vec<u8>>();

    // ── Security middleware: TX path ─────────────────────────────────────
    //
    // Intercept packets from GN router → link layer.
    // Sign the payload (CommonHeader + extended header + data) and wrap
    // in a secured GN packet with BasicNH::SecuredPacket.
    let (secured_ll_tx, secured_ll_rx) = mpsc::channel::<Vec<u8>>();
    let sign_svc_tx = Arc::clone(&sign_service);
    thread::spawn(move || {
        while let Ok(packet) = gn_to_ll_rx.recv() {
            if packet.len() < 4 {
                let _ = secured_ll_tx.send(packet);
                continue;
            }
            let bh_bytes: [u8; 4] = packet[0..4].try_into().unwrap();
            let bh = BasicHeader::decode(bh_bytes);

            match bh.nh {
                BasicNH::CommonHeader if packet.len() > 4 => {
                    let inner_payload = &packet[4..];

                    let request = SNSignRequest {
                        tbs_message: inner_payload.to_vec(),
                        its_aid: ITS_AID_VAM,
                        permissions: vec![],
                        generation_location: None,
                    };

                    let sec_message = {
                        let mut svc = sign_svc_tx.lock().unwrap();
                        svc.sign_request(&request).sec_message
                    };

                    // Build new packet: BasicHeader(nh=SecuredPacket) + sec_message
                    let mut new_bh = bh;
                    new_bh.nh = BasicNH::SecuredPacket;
                    let secured_packet: Vec<u8> = new_bh
                        .encode()
                        .iter()
                        .copied()
                        .chain(sec_message.iter().copied())
                        .collect();
                    let _ = secured_ll_tx.send(secured_packet);
                }
                _ => {
                    // Pass through (e.g. beacons)
                    let _ = secured_ll_tx.send(packet);
                }
            }
        }
    });

    // The link layer reads from secured_ll_rx (post-signing)
    let raw_ll = RawLinkLayer::new(ll_to_gn_tx, secured_ll_rx, &iface, mac);
    raw_ll.start();

    // ── Security middleware: RX path ─────────────────────────────────────
    //
    // Intercept packets from link layer → GN router.
    // If BasicNH::SecuredPacket, verify and extract, then forward
    // with BasicNH::CommonHeader.
    let gn_h_rx = gn_handle.clone();
    let sign_svc_rx = Arc::clone(&sign_service);
    thread::spawn(move || {
        while let Ok(packet) = ll_to_gn_rx.recv() {
            if packet.len() < 4 {
                gn_h_rx.send_incoming_packet(packet);
                continue;
            }
            let bh_bytes: [u8; 4] = packet[0..4].try_into().unwrap();
            let bh = BasicHeader::decode(bh_bytes);

            match bh.nh {
                BasicNH::SecuredPacket if packet.len() > 4 => {
                    let sec_message = &packet[4..];
                    let request = SNVerifyRequest {
                        message: sec_message.to_vec(),
                    };

                    let (confirm, _events) = {
                        let mut svc = sign_svc_rx.lock().unwrap();
                        let svc = &mut *svc;
                        let result = verify_message(&request, &svc.backend, &mut svc.cert_library);
                        // Process VerifyEvents for P2PCD
                        for event in &result.1 {
                            match event {
                                VerifyEvent::UnknownAt(h8) => {
                                    svc.notify_unknown_at(h8);
                                }
                                VerifyEvent::InlineP2pcdRequest(h3s) => {
                                    svc.notify_inline_p2pcd_request(h3s);
                                }
                                VerifyEvent::ReceivedCaCertificate(cert) => {
                                    svc.notify_received_ca_certificate(cert.as_ref().clone());
                                }
                            }
                        }
                        result
                    };

                    if confirm.report == ReportVerify::Success {
                        println!(
                            "[SEC RX] Verified OK — ITS-AID={}, cert={:02x?}",
                            confirm.its_aid,
                            &confirm.certificate_id[..],
                        );
                        // Rebuild the packet: BasicHeader(nh=CommonHeader) + plain_message
                        let mut new_bh = bh;
                        new_bh.nh = BasicNH::CommonHeader;
                        let plain_packet: Vec<u8> = new_bh
                            .encode()
                            .iter()
                            .copied()
                            .chain(confirm.plain_message.iter().copied())
                            .collect();
                        gn_h_rx.send_incoming_packet(plain_packet);
                    } else {
                        eprintln!("[SEC RX] Verification failed: {:?}", confirm.report);
                    }
                }
                _ => {
                    // Non-secured packet — forward directly
                    gn_h_rx.send_incoming_packet(packet);
                }
            }
        }
    });

    // ── GN → BTP ─────────────────────────────────────────────────────────
    let btp_h1 = btp_handle.clone();
    thread::spawn(move || {
        while let Ok(ind) = gn_to_btp_rx.recv() {
            btp_h1.send_gn_data_indication(ind);
        }
    });

    // ── BTP → GN ─────────────────────────────────────────────────────────
    let gn_h2 = gn_handle.clone();
    thread::spawn(move || {
        while let Ok(req) = btp_to_gn_rx.recv() {
            gn_h2.send_gn_data_request(req);
        }
    });

    // ── LocationService → GN position vector ─────────────────────────────
    let gn_h3 = gn_handle.clone();
    thread::spawn(move || {
        while let Ok(fix) = gn_gps_rx.recv() {
            let mut epv = LongPositionVector::decode([0u8; 24]);
            epv.update_from_gps(
                fix.latitude,
                fix.longitude,
                fix.speed_mps,
                fix.heading_deg,
                fix.pai,
            );
            gn_h3.update_position_vector(epv);
        }
    });

    // ── VRU Awareness Service ────────────────────────────────────────────
    let station_id = u32::from_be_bytes([mac[2], mac[3], mac[4], mac[5]]);
    let device_data = DeviceData {
        station_id,
        station_type: 2, // cyclist
    };

    let (vru_svc, vam_rx) = VruAwarenessService::new(btp_handle.clone(), device_data);
    vru_svc.start(vru_gps_rx);

    // ── Decoded VAM printer ──────────────────────────────────────────────
    thread::spawn(move || {
        while let Ok(vam) = vam_rx.recv() {
            let lat = vam
                .vam
                .vam_parameters
                .basic_container
                .reference_position
                .latitude
                .0 as f64
                / 1e7;
            let lon = vam
                .vam
                .vam_parameters
                .basic_container
                .reference_position
                .longitude
                .0 as f64
                / 1e7;
            println!(
                "[VAM RX] station={:>10}  lat={:.5}  lon={:.5}",
                vam.header.0.station_id.0, lat, lon,
            );
        }
    });

    // ── GPS publisher (simulates a VRU GNSS sensor at 10 Hz) ─────────────
    thread::sleep(Duration::from_millis(100));
    println!("Publishing GPS fixes @ 10 Hz — Ctrl+C to stop\n");

    loop {
        thread::sleep(Duration::from_millis(100));
        // 41.552°N  2.134°E — Parc Tecnològic del Vallès
        loc_svc.publish(GpsFix {
            latitude: 41.552,
            longitude: 2.134,
            altitude_m: 120.0,
            speed_mps: 1.5,
            heading_deg: 90.0,
            pai: true,
        });
    }
}