def benchmarkDecodeDataSeconds(nIterations, useCrypto, keyType, encoding): """ Loop to decode a data packet nIterations times. :param int nIterations: The number of iterations. :param bool useCrypto: If true, verify the signature. If false, don't verify. :param KeyType keyType: KeyType.RSA or EC, used if useCrypto is True. :param Blob encoding: The wire encoding to decode. :return: The number of seconds for all iterations. :rtype: float """ # Initialize the KeyChain in case useCrypto is true. keyChain = KeyChain("pib-memory:", "tpm-memory:") # This puts the public key in the pibImpl used by the SelfVerifyPolicyManager. keyChain.importSafeBag(SafeBag (Name("/testname/KEY/123"), Blob(DEFAULT_EC_PRIVATE_KEY_DER if keyType == KeyType.EC else DEFAULT_RSA_PRIVATE_KEY_DER, False), Blob(DEFAULT_EC_PUBLIC_KEY_DER if keyType == KeyType.EC else DEFAULT_RSA_PUBLIC_KEY_DER, False))) validator = Validator(ValidationPolicyFromPib(keyChain.getPib())) start = getNowSeconds() for i in range(nIterations): data = Data() data.wireDecode(encoding) if useCrypto: validator.validate(data,onVerifySuccess, onVerifyFailed) finish = getNowSeconds() return finish - start
def main(): # Silence the warning from Interest wire encode. Interest.setDefaultCanBePrefix(True) # The default Face will connect using a Unix socket, or to "localhost". face = Face() memberName = Name("/first/user") memberKeyName = Name(memberName).append(Name("/KEY/%0C%87%EB%E6U%27B%D6")) memberKeyChain = KeyChain("pib-memory:", "tpm-memory:") memberKeyChain.importSafeBag(SafeBag (memberKeyName, Blob(MEMBER_PRIVATE_KEY, False), Blob(MEMBER_PUBLIC_KEY, False))) # TODO: Use a real Validator. decryptor = DecryptorV2( memberKeyChain.getPib().getIdentity(memberName).getDefaultKey(), ValidatorNull(), memberKeyChain, face) contentPrefix = Name("/testname/content") contentNamespace = Namespace(contentPrefix) contentNamespace.setFace(face) contentNamespace.setDecryptor(decryptor) enabled = [True] def onSegmentedObject(objectNamespace): dump("Got segmented content", objectNamespace.obj.toRawStr()) enabled[0] = False SegmentedObjectHandler(contentNamespace, onSegmentedObject).objectNeeded() while enabled[0]: face.processEvents() # We need to sleep for a few milliseconds so we don't use 100% of the CPU. time.sleep(0.01)
def delete_security_object(name, kind): key_chain = KeyChain() logging.info("Delete security object %s %s", name, kind) if kind == "c": id_name = CertificateV2.extractIdentityFromCertName(Name(name)) key_name = CertificateV2.extractKeyNameFromCertName(Name(name)) cur_id = key_chain.getPib().getIdentity(id_name) cur_key = cur_id.getKey(key_name) key_chain.deleteCertificate(cur_key, Name(name)) elif kind == "k": id_name = PibKey.extractIdentityFromKeyName(Name(name)) cur_id = key_chain.getPib().getIdentity(id_name) cur_key = cur_id.getKey(Name(name)) key_chain.deleteKey(cur_id, cur_key) else: key_chain.deleteIdentity(Name(name))
def create_identity(name): key_chain = KeyChain() try: cur_id = key_chain.getPib().getIdentity(Name(name)) key_chain.createKey(cur_id) except Pib.Error: key_chain.createIdentityV2(Name(name))
def main(): # Silence the warning from Interest wire encode. Interest.setDefaultCanBePrefix(True) interest = Interest() interest.wireDecode(TlvInterest) dump("Interest:") dumpInterest(interest) # Set the name again to clear the cached encoding so we encode again. interest.setName(interest.getName()) encoding = interest.wireEncode() dump("") dump("Re-encoded interest", encoding.toHex()) reDecodedInterest = Interest() reDecodedInterest.wireDecode(encoding) dump("Re-decoded Interest:") dumpInterest(reDecodedInterest) freshInterest = (Interest(Name("/ndn/abc")) .setMustBeFresh(False) .setMinSuffixComponents(4) .setMaxSuffixComponents(6) .setInterestLifetimeMilliseconds(30000) .setChildSelector(1) .setMustBeFresh(True)) freshInterest.getKeyLocator().setType(KeyLocatorType.KEY_LOCATOR_DIGEST) freshInterest.getKeyLocator().setKeyData(bytearray( [0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F])) freshInterest.getExclude().appendComponent(Name("abc")[0]).appendAny() freshInterest.getForwardingHint().add(1, Name("/A")) dump(freshInterest.toUri()) # Set up the KeyChain. keyChain = KeyChain("pib-memory:", "tpm-memory:") keyChain.importSafeBag(SafeBag (Name("/testname/KEY/123"), Blob(DEFAULT_RSA_PRIVATE_KEY_DER, False), Blob(DEFAULT_RSA_PUBLIC_KEY_DER, False))) validator = Validator(ValidationPolicyFromPib(keyChain.getPib())) # Make a Face just so that we can sign the interest. face = Face("localhost") face.setCommandSigningInfo(keyChain, keyChain.getDefaultCertificateName()) face.makeCommandInterest(freshInterest) reDecodedFreshInterest = Interest() reDecodedFreshInterest.wireDecode(freshInterest.wireEncode()) dump("") dump("Re-decoded fresh Interest:") dumpInterest(reDecodedFreshInterest) validator.validate( reDecodedFreshInterest, makeSuccessCallback("Freshly-signed Interest"), makeFailureCallback("Freshly-signed Interest"))
def main(): # Silence the warning from Interest wire encode. Interest.setDefaultCanBePrefix(True) interest = Interest() interest.wireDecode(TlvInterest) dump("Interest:") dumpInterest(interest) # Set the name again to clear the cached encoding so we encode again. interest.setName(interest.getName()) encoding = interest.wireEncode() dump("") dump("Re-encoded interest", encoding.toHex()) reDecodedInterest = Interest() reDecodedInterest.wireDecode(encoding) dump("Re-decoded Interest:") dumpInterest(reDecodedInterest) freshInterest = (Interest( Name("/ndn/abc")).setMustBeFresh(False).setMinSuffixComponents( 4).setMaxSuffixComponents(6).setInterestLifetimeMilliseconds( 30000).setChildSelector(1).setMustBeFresh(True)) freshInterest.getKeyLocator().setType(KeyLocatorType.KEY_LOCATOR_DIGEST) freshInterest.getKeyLocator().setKeyData( bytearray([ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F ])) freshInterest.getExclude().appendComponent(Name("abc")[0]).appendAny() freshInterest.getForwardingHint().add(1, Name("/A")) dump(freshInterest.toUri()) # Set up the KeyChain. keyChain = KeyChain("pib-memory:", "tpm-memory:") keyChain.importSafeBag( SafeBag(Name("/testname/KEY/123"), Blob(DEFAULT_RSA_PRIVATE_KEY_DER, False), Blob(DEFAULT_RSA_PUBLIC_KEY_DER, False))) validator = Validator(ValidationPolicyFromPib(keyChain.getPib())) # Make a Face just so that we can sign the interest. face = Face("localhost") face.setCommandSigningInfo(keyChain, keyChain.getDefaultCertificateName()) face.makeCommandInterest(freshInterest) reDecodedFreshInterest = Interest() reDecodedFreshInterest.wireDecode(freshInterest.wireEncode()) dump("") dump("Re-decoded fresh Interest:") dumpInterest(reDecodedFreshInterest) validator.validate(reDecodedFreshInterest, makeSuccessCallback("Freshly-signed Interest"), makeFailureCallback("Freshly-signed Interest"))
def main(): data = Data() data.wireDecode(TlvData) dump("Decoded Data:") dumpData(data) # Set the content again to clear the cached encoding so we encode again. data.setContent(data.getContent()) encoding = data.wireEncode() reDecodedData = Data() reDecodedData.wireDecode(encoding) dump("") dump("Re-decoded Data:") dumpData(reDecodedData) # Set up the KeyChain. keyChain = KeyChain("pib-memory:", "tpm-memory:") keyChain.importSafeBag( SafeBag(Name("/testname/KEY/123"), Blob(DEFAULT_RSA_PRIVATE_KEY_DER, False), Blob(DEFAULT_RSA_PUBLIC_KEY_DER, False))) validator = Validator(ValidationPolicyFromPib(keyChain.getPib())) validator.validate(reDecodedData, makeSuccessCallback("Re-decoded Data"), makeFailureCallback("Re-decoded Data")) freshData = Data(Name("/ndn/abc")) freshData.setContent("SUCCESS!") freshData.getMetaInfo().setFreshnessPeriod(5000) freshData.getMetaInfo().setFinalBlockId(Name("/%00%09")[0]) keyChain.sign(freshData) dump("") dump("Freshly-signed Data:") dumpData(freshData) validator.validate(freshData, makeSuccessCallback("Freshly-signed Data"), makeFailureCallback("Freshly-signed Data"))
def main(): data = Data() data.wireDecode(TlvData) dump("Decoded Data:") dumpData(data) # Set the content again to clear the cached encoding so we encode again. data.setContent(data.getContent()) encoding = data.wireEncode() reDecodedData = Data() reDecodedData.wireDecode(encoding) dump("") dump("Re-decoded Data:") dumpData(reDecodedData) # Set up the KeyChain. keyChain = KeyChain("pib-memory:", "tpm-memory:") keyChain.importSafeBag(SafeBag (Name("/testname/KEY/123"), Blob(DEFAULT_RSA_PRIVATE_KEY_DER, False), Blob(DEFAULT_RSA_PUBLIC_KEY_DER, False))) validator = Validator(ValidationPolicyFromPib(keyChain.getPib())) validator.validate(reDecodedData, makeSuccessCallback("Re-decoded Data"), makeFailureCallback("Re-decoded Data")) freshData = Data(Name("/ndn/abc")) freshData.setContent("SUCCESS!") freshData.getMetaInfo().setFreshnessPeriod(5000) freshData.getMetaInfo().setFinalBlockId(Name("/%00%09")[0]) keyChain.sign(freshData) dump("") dump("Freshly-signed Data:") dumpData(freshData) validator.validate(freshData, makeSuccessCallback("Freshly-signed Data"), makeFailureCallback("Freshly-signed Data"))
def benchmarkDecodeDataSeconds(nIterations, useCrypto, keyType, encoding): """ Loop to decode a data packet nIterations times. :param int nIterations: The number of iterations. :param bool useCrypto: If true, verify the signature. If false, don't verify. :param KeyType keyType: KeyType.RSA or EC, used if useCrypto is True. :param Blob encoding: The wire encoding to decode. :return: The number of seconds for all iterations. :rtype: float """ # Initialize the KeyChain in case useCrypto is true. keyChain = KeyChain("pib-memory:", "tpm-memory:") # This puts the public key in the pibImpl used by the SelfVerifyPolicyManager. keyChain.importSafeBag( SafeBag( Name("/testname/KEY/123"), Blob( DEFAULT_EC_PRIVATE_KEY_DER if keyType == KeyType.EC else DEFAULT_RSA_PRIVATE_KEY_DER, False), Blob( DEFAULT_EC_PUBLIC_KEY_DER if keyType == KeyType.EC else DEFAULT_RSA_PUBLIC_KEY_DER, False))) validator = Validator(ValidationPolicyFromPib(keyChain.getPib())) start = getNowSeconds() for i in range(nIterations): data = Data() data.wireDecode(encoding) if useCrypto: validator.validate(data, onVerifySuccess, onVerifyFailed) finish = getNowSeconds() return finish - start
class TestPolicyManagerV2(ut.TestCase): def setUp(self): testCertDirectory = 'policy_config/certs' self.testCertFile = os.path.join(testCertDirectory, 'test.cert') self.pibImpl = PibMemory() self.tpmBackEnd = TpmBackEndMemory() self.policyManager = ConfigPolicyManager( 'policy_config/simple_rules.conf', CertificateCacheV2()) self.identityName = Name('/TestConfigPolicyManager/temp') # to match the anchor cert self.keyName = Name( self.identityName).append("KEY").append("ksk-1416010123") self.pibImpl.addKey(self.identityName, self.keyName, TEST_RSA_PUBLIC_KEY_DER) # Set the password to None since we have an unencrypted PKCS #8 private key. self.tpmBackEnd.importKey(self.keyName, TEST_RSA_PRIVATE_KEY_PKCS8, None) self.keyChain = KeyChain(self.pibImpl, self.tpmBackEnd, self.policyManager) pibKey = self.keyChain.getPib().getIdentity(self.identityName).getKey( self.keyName) # selfSign adds to the PIB. self.keyChain.selfSign(pibKey) def tearDown(self): try: os.remove(self.testCertFile) except OSError: pass def test_interest_timestamp(self): interestName = Name('/ndn/ucla/edu/something') certName = self.keyChain.getPib().getIdentity( self.identityName).getKey( self.keyName).getDefaultCertificate().getName() face = Face("localhost") face.setCommandSigningInfo(self.keyChain, certName) oldInterest = Interest(interestName) face.makeCommandInterest(oldInterest) time.sleep(0.1) # make sure timestamps are different newInterest = Interest(interestName) face.makeCommandInterest(newInterest) vr = doVerify(self.policyManager, newInterest) self.assertFalse( vr.hasFurtherSteps, "ConfigPolicyManager returned ValidationRequest but certificate is known" ) self.assertEqual(vr.failureCount, 0, "Verification of valid interest failed") self.assertEqual( vr.successCount, 1, "Verification success called {} times instead of 1".format( vr.successCount)) vr = doVerify(self.policyManager, oldInterest) self.assertFalse( vr.hasFurtherSteps, "ConfigPolicyManager returned ValidationRequest but certificate is known" ) self.assertEqual(vr.successCount, 0, "Verification of stale interest succeeded") self.assertEqual( vr.failureCount, 1, "Failure callback called {} times instead of 1".format( vr.failureCount)) def test_refresh_10s(self): with open('policy_config/testData', 'r') as dataFile: encodedData = dataFile.read() data = Data() dataBlob = Blob(b64decode(encodedData)) data.wireDecode(dataBlob) # This test is needed, since the KeyChain will express interests in # unknown certificates. vr = doVerify(self.policyManager, data) self.assertTrue( vr.hasFurtherSteps, "ConfigPolicyManager did not create ValidationRequest for unknown certificate" ) self.assertEqual( vr.successCount, 0, "ConfigPolicyManager called success callback with pending ValidationRequest" ) self.assertEqual( vr.failureCount, 0, "ConfigPolicyManager called failure callback with pending ValidationRequest" ) # Now save the cert data to our anchor directory, and wait. # We have to sign it with the current identity or the policy manager # will create an interest for the signing certificate. cert = CertificateV2() certData = b64decode(CERT_DUMP) cert.wireDecode(Blob(certData, False)) signingInfo = SigningInfo() signingInfo.setSigningIdentity(self.identityName) # Make sure the validity period is current for two years. now = Common.getNowMilliseconds() signingInfo.setValidityPeriod( ValidityPeriod(now, now + 2 * 365 * 24 * 3600 * 1000.0)) self.keyChain.sign(cert, signingInfo) encodedCert = b64encode(cert.wireEncode().toBytes()) with open(self.testCertFile, 'w') as certFile: certFile.write(Blob(encodedCert, False).toRawStr()) # Still too early for refresh to pick it up. vr = doVerify(self.policyManager, data) self.assertTrue( vr.hasFurtherSteps, "ConfigPolicyManager refresh occured sooner than specified") self.assertEqual( vr.successCount, 0, "ConfigPolicyManager called success callback with pending ValidationRequest" ) self.assertEqual( vr.failureCount, 0, "ConfigPolicyManager called failure callback with pending ValidationRequest" ) time.sleep(6) # Now we should find it. vr = doVerify(self.policyManager, data) self.assertFalse( vr.hasFurtherSteps, "ConfigPolicyManager did not refresh certificate store") self.assertEqual( vr.successCount, 1, "Verification success called {} times instead of 1".format( vr.successCount)) self.assertEqual( vr.failureCount, 0, "ConfigPolicyManager did not verify valid signed data")
class Experiment: _maxSegmentPayloadLength = 8192 def __init__(self, absPath, maxAttributes): self.keyChain = KeyChain("pib-memory:", "tpm-memory:") self.keyChain.createIdentityV2("/test/identity") self.validator = Validator( ValidationPolicyFromPib(self.keyChain.getPib())) # , filename, groupSize, nAttributes, absPath, keepData = False): # sys.stderr.write ("Using NDN-ABS authority, signer, and verifier database from %s\n" % absPath) self.db = ndnabs.PickleDb(absPath) self.signer = ndnabs.Signer(self.db) self.verifier = ndnabs.Verifier(self.db) try: info = self.signer.get_public_params_info() if info.getName().getPrefix( -2).toUri() != "/icn2019/test/authority": raise RuntimeError( 'NDN-ABS authority exists, but not setup for experiment. Use `ndnabs setup -f /icn2019/test/authority` to force-setup the authority' ) except: raise RuntimeError( "Public parameters are not properly installed for the signer/verifier" ) maxAttributes = [ b'attribute%d' % i for i in range(1, maxAttributes + 1) ] for attr in maxAttributes: if not attr in self.signer.get_attributes(): raise RuntimeError( "%s attribute missing. Generate attributes for the experiment using `ndnabs gen-secret %s | ndnabs install-secret`" % (str(attr, 'utf-8'), ' '.join( [str(i, 'utf-8') for i in maxAttributes]))) # self.attributes = [b'attribute%d' % i for i in range(1, nAttributes + 1)] # self._setupAbs(absPath) # self._readDataAndCreateManifests(filename, groupSize, keepData) def setupAbs(self, nAttributes): self.attributes = [ b'attribute%d' % i for i in range(1, nAttributes + 1) ] def _createManifest(self, name, manifestBuffer, nManifests): manifest = Data(name) manifest.setContent(manifestBuffer[0:nManifests * SHA256_DIGEST_SIZE]) return manifest def readDataAndCreateManifests(self, filename, groupSize, keepData): if groupSize < 1: raise RuntimeError("Group size cannot be less than 1") self.allChunks = [ ] # for holding the generated data packets, including unsigned manifests self.allManifests = [ ] # for storing first unsigned manifest packets, which are then signed in-place self.rawDataCount = 0 self.ndnChunkCount = 0 seqNo = 0 # sequence number of data packets chunkNo = 0 # number of the chunk in the group with open(filename, 'rb') as f: # prepare space to store all manifests of the group (last manifest will not use all the space) def allocateBufferForDigests(): return bytearray(groupSize * SHA256_DIGEST_SIZE) digests = allocateBufferForDigests() while f.readable(): chunkPayload = f.read(self._maxSegmentPayloadLength) if len(chunkPayload) == 0: break self.rawDataCount = self.rawDataCount + len(chunkPayload) chunk = Data( Name("/icn2019/test/data").appendSequenceNumber(seqNo)) seqNo = seqNo + 1 chunk.setContent(chunkPayload) digestSignature = DigestSha256Signature() digestSignature.setSignature( Blob(bytearray(SHA256_DIGEST_SIZE)) ) # not real a valid signature, but ok for the experiment chunk.setSignature(digestSignature) if keepData: self.allChunks.append(chunk) # only data chunks; manifest sizes counted separatedly, as they are signed self.ndnChunkCount = self.ndnChunkCount + chunk.wireEncode( ).size() # For storing data packet to a file # with open(writepath + "-1.txt", "wb") as dataf # dataf.write(dpacket_bytes) implicitDigest = chunk.getFullName()[-1].getValue() offset = chunkNo * SHA256_DIGEST_SIZE digests[offset:offset + SHA256_DIGEST_SIZE] = implicitDigest.toBytes()[:] chunkNo = chunkNo + 1 if chunkNo == groupSize: manifest = self._createManifest( Name("/icn2019/test/data").appendSequenceNumber(seqNo), digests, groupSize) # full group seqNo = seqNo + 1 self.allChunks.append(manifest) self.allManifests.append(manifest) chunkNo = 0 digests = allocateBufferForDigests() if chunkNo != 0: manifest = self._createManifest( Name("/icn2019/test/data").appendSequenceNumber(seqNo), digests, groupSize) # partial group self.allChunks.append(manifest) self.allManifests.append(manifest) self.nDataChunks = seqNo - len( self.allManifests ) # number of data packets, excluding the manifests def signManifestsABS(self): self.manifestCount = 0 self.signatureCounts = [] for manifest in self.allManifests: self.signer.sign(manifest, self.attributes) self.manifestCount = self.manifestCount + manifest.wireEncode( ).size() self.signatureCounts.append( manifest.getSignature().getSignature().size()) def verifyManifestsABS(self): for manifest in self.allManifests: if not self.signer.verify(manifest.wireEncode()): sys.stderr.write("Failed to verify %s\n" % manifest.getName()) def signManifestsRSA(self): self.manifestCount = 0 self.signatureCounts = [] for manifest in self.allManifests: self.keyChain.sign(manifest) self.manifestCount = self.manifestCount + manifest.wireEncode( ).size() self.signatureCounts.append( manifest.getSignature().getSignature().size()) def verifyManifestsRSA(self): def onSuccess(*k, **kw): pass def onFailure(data, *k, **kw): sys.stderr.write("Failed to verify %s\n" % manifest.getName()) for manifest in self.allManifests: self.validator.validate(manifest, onSuccess, onFailure)
class ClientModule(): def __init__(self, caPrefix): self.ecdh = ECDHState() self.face = Face() self.keyChain = KeyChain() self.key = None self.caPrefix = caPrefix self.anchor = CertificateV2() self.anchor.wireDecode( Blob( b64decode( "Bv0DgQc7CANuZG4IA2VkdQgHbWVtcGhpcwgIYWdhd2FuZGUIA0tFWQgIo6cuGT4GVKEIAk5BCAn9AAABbQxT3hEUCRgBAhkEADbugBX9ASYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDII1sLOE7cCQVTKoGjeM5o/mxWqhMx0siLHJ81Ee/eUCNAMxA0w1oxAoTGQ8HbNP3vShZfvMJ/11Jiqus2wAWlNjRWvQShNv5MueU8kYtOGTbiqr/I1EpSRQ2aJX3s49CoskoWMzf6knK4ELleH3/EBUPGJK0cpHHdFOjwlzO3Y3Rtc/DhHVTVsBWvPS1wKgnzBFO36k73gAQJi4bOc0ggPPcK3UfVzpz8XTe+IcS2N9jew+kDqoZaL+HHz26PIAwQvXQFXPhE6y/nH/4yes24DlK3u+vHTQHXRKcLNSpYvmS6KrHvt2t01Fk0hXxeFkbh4XaE73eXB9AzNw+AccovAgMBAAEW/QEHGwEBHCQHIggDbmRuCANlZHUIB21lbXBoaXMIA0tFWQgI9bIQPIJIGTf9AP0m/QD+DzIwMTkwOTA2VDE1MjQ0Nf0A/w8yMDIwMDkwNlQxNTI0NDX9AQKw/QIAD/0CAQdhZHZpc29y/QICAP0CACH9AgEFZW1haWz9AgIUYWdhd2FuZGVAbWVtcGhpcy5lZHX9AgAf/QIBCGZ1bGxuYW1l/QICD0FzaGxlc2ggR2F3YW5kZf0CAA39AgEFZ3JvdXD9AgIA/QIAD/0CAQdob21ldXJs/QICAP0CAC39AgEMb3JnYW5pemF0aW9u/QICGVRoZSBVbml2ZXJzaXR5IG9mIE1lbXBoaXMX/QEAMZ4XLBqFjABr/k58Gq6GrNfaDMb+NLyJYF5X2mDwKnUgp1is83eg/90LqO8AVGYdyirKfr23HP4565iJXhOmFgRbP+faN++0oUTXdUSvDm43Rp+OCHr9uGPPYjUjUeNhrD7Fxfq5m3EHNMxQqnVJOODpVrF3D0EYJ4Q4IETmxrSmuDpH9I92fs7rU/51aNAZbU7DewPmcq/IrY4RO5G9pfYR+gu/gyO/L8gN39EhBbsOYWOh3EYOdAJlSktP1evL/5yRdQq7bVLyG6dZSsYQ1x4XDJ9epUesZ+TbCK/lXfRrmFG9uk8TI/rZNAYfUiQifnsNvRu34PcyELiFJ/h2xA==" ))) self.identityName = "" self.status = None self.requestId = None self.challenges = None def sendProbeInterest(self): probeInterest = Interest( Name(self.caPrefix).append("CA").append("_PROBE")) probeInterest.setMustBeFresh(True) probeInterest.setCanBePrefix(False) probeInterest.setApplicationParameters( json.dumps({"email": "*****@*****.**"}, indent=4)) probeInterest.appendParametersDigestToName() print("Expressing interest: {}".format(probeInterest.getName())) self.face.expressInterest(probeInterest, self.onProbeData, self.onTimeout) def onProbeData(self, interest, data): """ Content: { "email": "*****@*****.**", "UID": "", "name: "\/ndn\/edu\/memphis\/agawande\/6046888920342781294" } 1) Verify signature 2) Extract name component from the json to use as identity """ if not VerificationHelpers.verifyDataSignature(data, self.anchor): print("Cannot verify signature from: {}".format(self.caPrefix)) else: print("Successfully verified data with hard-coded certificate") try: self.identityName = Name( json.loads(data.getContent().__str__())['name']) if self.identityName == "": print("Name received from server is empty") sys.exit(0) except Exception as e: print(e) print("Got namespace {} from server".format(self.identityName)) self.generateKeyAndSendNewInterest(data) def generateKeyAndSendNewInterest(self, probeTokenData): """ """ pib = self.keyChain.getPib() try: identity = pib.getIdentity(self.identityName) self.key = self.keyChain.createKey(identity) except Exception as e: identity = self.keyChain.createIdentityV2(self.identityName) self.key = identity.getDefaultKey() cert = CertificateV2() cert.setName( Name(self.key.getName()).append("cert-request").appendVersion( int(time.time()))) cert.getMetaInfo().setType(ContentType.KEY) cert.getMetaInfo().setFreshnessPeriod(24 * 3600) cert.setContent(self.key.getPublicKey()) signingInfo = SigningInfo(self.key) now = Common.getNowMilliseconds() signingInfo.setValidityPeriod( ValidityPeriod(now, now + 24 * 3600 * 1000.0)) self.keyChain.sign(cert, signingInfo) #cert = self.keyChain.selfSign(self.key) # Does not work because validity period is greater than certserver default interestName = Name(self.caPrefix).append("CA").append("_NEW") newInterest = Interest(interestName) newInterest.setMustBeFresh(True) newInterest.setCanBePrefix(False) ecdhPub = "{}\n".format(self.ecdh.getBase64PubKey()) ecdhCertReq = "{}\n".format( b64encode(cert.wireEncode().toBytes()).decode('utf-8')) probeToken = "{}\n".format( b64encode(probeTokenData.wireEncode().toBytes()).decode('utf-8')) jsonDump = json.dumps( { "ecdh-pub": ecdhPub, "cert-request": ecdhCertReq, "probe-token": probeToken }, indent=4) print(jsonDump) newInterest.setApplicationParameters(jsonDump) newInterest.appendParametersDigestToName() self.keyChain.sign(newInterest, SigningInfo(self.key)) print(newInterest.getName()) self.face.expressInterest(newInterest, self.onNewData, self.onTimeout) def onNewData(self, interest, data): """ !! Again \n in public key?? Got data: { "ecdh-pub": "Aqxofe3QdsAfgbtS8TMxv31oudNKoSV307ci5gNXm88h\n", "salt": "12935684137560555161", "request-id": "14275252044236690531", "status": "0", "challenges": [ { "challenge-id": "Email" } ] } 1. Verify data 2. Derive shared secret """ content = data.getContent() print("Got data: ", content) if not VerificationHelpers.verifyDataSignature(data, self.anchor): print("Cannot verify signature from: {}".format(self.caPrefix)) else: print("Successfully verified data with hard-coded certificate") contentJson = json.loads(content.__str__()) peerKeyBase64 = contentJson['ecdh-pub'] self.status = contentJson['status'] self.requestId = contentJson['request-id'] self.challenges = contentJson['challenges'] print(peerKeyBase64) serverPubKey = ec.EllipticCurvePublicKey.from_encoded_point( ec.SECP256R1(), b64decode(peerKeyBase64)) shared_key = self.ecdh.private_key.exchange(ec.ECDH(), serverPubKey) derived_key = HKDF(algorithm=hashes.SHA256(), length=32, salt=contentJson['salt'].encode(), info=b'handshake data', backend=default_backend()).derive(shared_key) self.ecdh.derived_key = derived_key print(shared_key) for t in shared_key: print(t) challengeInterestName = Name( self.caPrefix).append("CA").append("_CHALLENGE").append( self.requestId) challengeInterest = Interest(challengeInterestName) challengeInterest.setMustBeFresh(True) challengeInterest.setCanBePrefix(False) # Encrypt the interest parameters challengeJson = json.dumps( { "selected-challenge": "Email", "email": "*****@*****.**" }, indent=4) raw = self.pad(challengeJson, 16) print("raw", raw) iv = Random.new().read(AES.block_size) #cipher = AES.new(self.ecdh.derived_key, AES.MODE_CBC, iv) cipher = AES.new(shared_key, AES.MODE_CBC, iv) print(iv) xx = cipher.encrypt(raw) print(cipher.decrypt(xx)) print("Printing iv:") for t in iv: print(t) encoder = TlvEncoder(256) saveLength = len(encoder) encoder.writeBlobTlv(632, iv) encoder.writeBlobTlv(630, cipher.encrypt(raw)) #encoder.writeTypeAndLength(36, len(encoder) - saveLength) challengeInterest.setApplicationParameters(Blob(encoder.getOutput())) challengeInterest.appendParametersDigestToName() self.keyChain.sign(challengeInterest, SigningInfo(self.key)) with open('foobar.tlv', 'wb') as f: f.write(challengeInterest.wireEncode().buf()) self.face.expressInterest(challengeInterest, self.onChallengeData, self.onTimeout) def onChallengeData(self, interest, data): print("Got data: ", data) def pad(self, s, blocksize): return s + (blocksize - len(s) % blocksize) * ' ' def onTimeout(self, interest): print("Got timeout for interest: {}".format(interest.getName())) def start(self): while True: self.face.processEvents() # We need to sleep for a few milliseconds so we don't use 100% of the CPU. time.sleep(0.01)
class TestPolicyManagerV2(ut.TestCase): def setUp(self): testCertDirectory = 'policy_config/certs' self.testCertFile = os.path.join(testCertDirectory, 'test.cert') self.pibImpl = PibMemory() self.tpmBackEnd = TpmBackEndMemory() self.policyManager = ConfigPolicyManager( 'policy_config/simple_rules.conf', CertificateCacheV2()) self.identityName = Name('/TestConfigPolicyManager/temp') # to match the anchor cert self.keyName = Name(self.identityName).append("KEY").append("ksk-1416010123") self.pibImpl.addKey(self.identityName, self.keyName, TEST_RSA_PUBLIC_KEY_DER) # Set the password to None since we have an unencrypted PKCS #8 private key. self.tpmBackEnd.importKey(self.keyName, TEST_RSA_PRIVATE_KEY_PKCS8, None) self.keyChain = KeyChain(self.pibImpl, self.tpmBackEnd, self.policyManager) pibKey = self.keyChain.getPib().getIdentity(self.identityName).getKey( self.keyName) # selfSign adds to the PIB. self.keyChain.selfSign(pibKey) def tearDown(self): try: os.remove(self.testCertFile) except OSError: pass def test_interest_timestamp(self): interestName = Name('/ndn/ucla/edu/something') certName = self.keyChain.getPib().getIdentity(self.identityName).getKey( self.keyName).getDefaultCertificate().getName() face = Face("localhost") face.setCommandSigningInfo(self.keyChain, certName) oldInterest = Interest(interestName) face.makeCommandInterest(oldInterest) time.sleep(0.1) # make sure timestamps are different newInterest = Interest(interestName) face.makeCommandInterest(newInterest) vr = doVerify(self.policyManager, newInterest) self.assertFalse(vr.hasFurtherSteps, "ConfigPolicyManager returned ValidationRequest but certificate is known") self.assertEqual(vr.failureCount, 0, "Verification of valid interest failed") self.assertEqual(vr.successCount, 1, "Verification success called {} times instead of 1".format( vr.successCount)) vr = doVerify(self.policyManager, oldInterest) self.assertFalse(vr.hasFurtherSteps, "ConfigPolicyManager returned ValidationRequest but certificate is known") self.assertEqual(vr.successCount, 0, "Verification of stale interest succeeded") self.assertEqual(vr.failureCount, 1, "Failure callback called {} times instead of 1".format( vr.failureCount)) def test_refresh_10s(self): with open('policy_config/testData', 'r') as dataFile: encodedData = dataFile.read() data = Data() dataBlob = Blob(b64decode(encodedData)) data.wireDecode(dataBlob) # This test is needed, since the KeyChain will express interests in # unknown certificates. vr = doVerify(self.policyManager, data) self.assertTrue(vr.hasFurtherSteps, "ConfigPolicyManager did not create ValidationRequest for unknown certificate") self.assertEqual(vr.successCount, 0, "ConfigPolicyManager called success callback with pending ValidationRequest") self.assertEqual(vr.failureCount, 0, "ConfigPolicyManager called failure callback with pending ValidationRequest") # Now save the cert data to our anchor directory, and wait. # We have to sign it with the current identity or the policy manager # will create an interest for the signing certificate. cert = CertificateV2() certData = b64decode(CERT_DUMP) cert.wireDecode(Blob(certData, False)) signingInfo = SigningInfo() signingInfo.setSigningIdentity(self.identityName) # Make sure the validity period is current for two years. now = Common.getNowMilliseconds() signingInfo.setValidityPeriod(ValidityPeriod (now, now + 2 * 365 * 24 * 3600 * 1000.0)) self.keyChain.sign(cert, signingInfo) encodedCert = b64encode(cert.wireEncode().toBytes()) with open(self.testCertFile, 'w') as certFile: certFile.write(Blob(encodedCert, False).toRawStr()) # Still too early for refresh to pick it up. vr = doVerify(self.policyManager, data) self.assertTrue(vr.hasFurtherSteps, "ConfigPolicyManager refresh occured sooner than specified") self.assertEqual(vr.successCount, 0, "ConfigPolicyManager called success callback with pending ValidationRequest") self.assertEqual(vr.failureCount, 0, "ConfigPolicyManager called failure callback with pending ValidationRequest") time.sleep(6) # Now we should find it. vr = doVerify(self.policyManager, data) self.assertFalse(vr.hasFurtherSteps, "ConfigPolicyManager did not refresh certificate store") self.assertEqual(vr.successCount, 1, "Verification success called {} times instead of 1".format( vr.successCount)) self.assertEqual(vr.failureCount, 0, "ConfigPolicyManager did not verify valid signed data")