def _processValidCertificate(self, data):
# unpack the cert from the HMAC signed packet and verify
try:
newCert = IdentityCertificate()
newCert.wireDecode(data.getContent())
self.log.info("Received certificate from controller")
self.log.debug(str(newCert))
# NOTE: we download and install the root certificate without verifying it (!)
# otherwise our policy manager will reject it.
# we may need a static method on KeyChain to allow verifying before adding
rootCertName = newCert.getSignature().getKeyLocator().getKeyName()
# update trust rules so we trust the controller
self._policyManager.setDeviceIdentity(self._configureIdentity)
self._policyManager.updateTrustRules()
def onRootCertificateDownload(interest, data):
try:
self._identityStorage.addCertificate(data)
except SecurityException:
# already exists
pass
self._keyChain.verifyData(newCert, self._finalizeCertificateDownload, self._certificateValidationFailed)
def onRootCertificateTimeout(interest):
# TODO: limit number of tries, then revert trust root + network prefix
# reset salt, create new Hmac key
self.face.expressInterest(rootCertName, onRootCertificateDownload, onRootCertificateTimeout)
self.face.expressInterest(rootCertName, onRootCertificateDownload, onRootCertificateTimeout)
except Exception as e:
self.log.exception("Could not import new certificate", exc_info=True)
def _processValidCertificate(self, data):
# unpack the cert from the HMAC signed packet and verify
try:
newCert = IdentityCertificate()
newCert.wireDecode(data.getContent())
self.log.info("Received certificate from controller")
# NOTE: we download and install the root certificate without verifying it (!)
# otherwise our policy manager will reject it.
# we may need a static method on KeyChain to allow verifying before adding
rootCertName = newCert.getSignature().getKeyLocator().getKeyName()
# update trust rules so we trust the controller
self._policyManager.setDeviceIdentity(self._configureIdentity)
self._policyManager.updateTrustRules()
def onRootCertificateDownload(interest, data):
try:
# zhehao: the root cert is downloaded and installed without verifying; should the root cert be preconfigured?
# Insert root certificate so that we can verify newCert
self._policyManager._certificateCache.insertCertificate(data)
# Set the root cert as default for root identity
try:
self._identityManager.addCertificateAsIdentityDefault(IdentityCertificate(data))
except SecurityException as e:
print("Error when addCertificateAsIdentityDefault for root: " + data.getName().toUri())
print(str(e))
self._rootCertificate = data
try:
# use the default configuration where possible
# TODO: use environment variable for this, fall back to default
fileName = os.path.expanduser('~/.ndn/.iot.root.cert')
rootCertFile = open(fileName, "w")
rootCertFile.write(Blob(b64encode(self._rootCertificate.wireEncode().toBytes()), False).toRawStr())
rootCertFile.close()
except IOError as e:
self.log.error("Cannot write to root certificate file: " + rootCertFile)
print "Cannot write to root certificate file: " + rootCertFile
except SecurityException as e:
print(str(e))
# already exists, or got certificate in wrong format
pass
self._keyChain.verifyData(newCert, self._finalizeCertificateDownload, self._certificateValidationFailed)
def onRootCertificateTimeout(interest):
# TODO: limit number of tries, then revert trust root + network prefix
# reset salt, create new Hmac key
self.face.expressInterest(rootCertName, onRootCertificateDownload, onRootCertificateTimeout)
self.face.expressInterest(rootCertName, onRootCertificateDownload, onRootCertificateTimeout)
except Exception as e:
self.log.exception("Could not import new certificate", exc_info=True)
def _processValidCertificate(self, data):
# unpack the cert from the HMAC signed packet and verify
try:
newCert = IdentityCertificate()
newCert.wireDecode(data.getContent())
self.log.info("Received certificate from controller")
self.log.debug(str(newCert))
# NOTE: we download and install the root certificate without verifying it (!)
# otherwise our policy manager will reject it.
# we may need a static method on KeyChain to allow verifying before adding
rootCertName = newCert.getSignature().getKeyLocator().getKeyName()
# update trust rules so we trust the controller
self._policyManager.setDeviceIdentity(self._configureIdentity)
self._policyManager.updateTrustRules()
def onRootCertificateDownload(interest, data):
try:
self._identityStorage.addCertificate(data)
except SecurityException:
# already exists
pass
self._keyChain.verifyData(newCert,
self._finalizeCertificateDownload,
self._certificateValidationFailed)
def onRootCertificateTimeout(interest):
# TODO: limit number of tries, then revert trust root + network prefix
# reset salt, create new Hmac key
self.face.expressInterest(rootCertName,
onRootCertificateDownload,
onRootCertificateTimeout)
self.face.expressInterest(rootCertName, onRootCertificateDownload,
onRootCertificateTimeout)
except Exception as e:
self.log.exception("Could not import new certificate",
exc_info=True)
def addCertificate(self, certificate):
"""
Add a certificate to the identity storage.
:param IdentityCertificate certificate: The certificate to be added.
This makes a copy of the certificate.
"""
#TODO: actually check validity of certificate timestamp
certificateName = certificate.getName()
if self.doesCertificateExist(certificateName):
raise SecurityException("Certificate has already been installed!")
certCopy = IdentityCertificate(certificate)
makeDefault = 0
keyName = certCopy.getPublicKeyName()
keyInfo = certCopy.getPublicKeyInfo()
if not self.doesKeyExist(keyName):
self.addKey(keyName, keyInfo.getKeyType(), keyInfo.getKeyDer())
makeDefault = 1
else:
# see if the key we already have matches this certificate
keyBlob = self.getKey(keyName)
if (keyBlob.isNull() or keyBlob.toBuffer() !=
keyInfo.getKeyDer().toBuffer()):
raise SecurityException("Certificate does not match public key")
keyId = keyName.get(-1).toEscapedString()
identityUri = keyName.getPrefix(-1).toUri()
certIssuer = certCopy.getSignature().getKeyLocator().getKeyName().toUri()
encodedCert = buffer(bytearray(certCopy.wireEncode().buf()))
notBefore = certCopy.getNotBefore()
notAfter = certCopy.getNotAfter()
cursor = self._database.cursor()
cursor.execute("INSERT INTO Certificate VALUES(?,?,?,?,?,?,?,?,?)",
(certificateName.toUri(), certIssuer, identityUri, keyId,
notBefore, notAfter, encodedCert, 1, makeDefault))
self._database.commit()
cursor.close()
def _processValidCertificate(self, data):
# unpack the cert from the HMAC signed packet and verify
try:
newCert = IdentityCertificate()
newCert.wireDecode(data.getContent())
self.log.info("Received certificate from controller")
# NOTE: we download and install the root certificate without verifying it (!)
# otherwise our policy manager will reject it.
# we may need a static method on KeyChain to allow verifying before adding
rootCertName = newCert.getSignature().getKeyLocator().getKeyName()
# update trust rules so we trust the controller
self._policyManager.setDeviceIdentity(self._configureIdentity)
self._policyManager.updateTrustRules()
def onRootCertificateDownload(interest, data):
try:
# zhehao: the root cert is downloaded and installed without verifying; should the root cert be preconfigured?
# Insert root certificate so that we can verify newCert
self._policyManager._certificateCache.insertCertificate(
data)
# Set the root cert as default for root identity
try:
self._identityManager.addCertificateAsIdentityDefault(
IdentityCertificate(data))
except SecurityException as e:
print(
"Error when addCertificateAsIdentityDefault for root: "
+ data.getName().toUri())
print(str(e))
self._rootCertificate = data
try:
# use the default configuration where possible
# TODO: use environment variable for this, fall back to default
fileName = os.path.expanduser('~/.ndn/.iot.root.cert')
rootCertFile = open(fileName, "w")
rootCertFile.write(
Blob(
b64encode(self._rootCertificate.wireEncode().
toBytes()), False).toRawStr())
rootCertFile.close()
except IOError as e:
self.log.error(
"Cannot write to root certificate file: " +
rootCertFile)
print "Cannot write to root certificate file: " + rootCertFile
except SecurityException as e:
print(str(e))
# already exists, or got certificate in wrong format
pass
self._keyChain.verifyData(newCert,
self._finalizeCertificateDownload,
self._certificateValidationFailed)
def onRootCertificateTimeout(interest):
# TODO: limit number of tries, then revert trust root + network prefix
# reset salt, create new Hmac key
self.face.expressInterest(rootCertName,
onRootCertificateDownload,
onRootCertificateTimeout)
self.face.expressInterest(rootCertName, onRootCertificateDownload,
onRootCertificateTimeout)
except Exception as e:
self.log.exception("Could not import new certificate",
exc_info=True)
