def getCertificate(self, certificateName, allowAny = False):
"""
Get a certificate from the identity storage.
:param Name certificateName: The name of the requested certificate.
:param bool allowAny: (optional) If False, only a valid certificate will
be returned, otherwise validity is disregarded. If omitted,
allowAny is False.
:return: The requested certificate. If not found, return None.
:rtype: Data
"""
chosenCert = None
certificateUri = certificateName.toUri()
cursor = self._database.cursor()
#if not allowAny:
# validityClause = " AND valid_flag=1"
#else:
validityClause = ""
# use LIKE because key locators chop off timestamps
# need to escape any percent signs in the certificate uri for sql's
# sake, but still append % for LIKE
escapedUri = certificateUri.replace('%', '\\%')
full_statement = "SELECT certificate_data FROM Certificate WHERE cert_name LIKE ?"+validityClause+" ESCAPE '\\' ORDER BY cert_name DESC"
#full_statement = "SELECT certificate_data FROM Certificate WHERE cert_name=?"+validityClause
cursor.execute(full_statement, (escapedUri+'%', ))
try:
(certData, ) = cursor.fetchone()
except TypeError:
pass
else:
chosenCert = IdentityCertificate()
chosenCert.wireDecode(bytearray(certData))
return chosenCert
def _processValidCertificate(self, data):
# unpack the cert from the HMAC signed packet and verify
try:
newCert = IdentityCertificate()
newCert.wireDecode(data.getContent())
self.log.info("Received certificate from controller")
self.log.debug(str(newCert))
# NOTE: we download and install the root certificate without verifying it (!)
# otherwise our policy manager will reject it.
# we may need a static method on KeyChain to allow verifying before adding
rootCertName = newCert.getSignature().getKeyLocator().getKeyName()
# update trust rules so we trust the controller
self._policyManager.setDeviceIdentity(self._configureIdentity)
self._policyManager.updateTrustRules()
def onRootCertificateDownload(interest, data):
try:
self._identityStorage.addCertificate(data)
except SecurityException:
# already exists
pass
self._keyChain.verifyData(newCert, self._finalizeCertificateDownload, self._certificateValidationFailed)
def onRootCertificateTimeout(interest):
# TODO: limit number of tries, then revert trust root + network prefix
# reset salt, create new Hmac key
self.face.expressInterest(rootCertName, onRootCertificateDownload, onRootCertificateTimeout)
self.face.expressInterest(rootCertName, onRootCertificateDownload, onRootCertificateTimeout)
except Exception as e:
self.log.exception("Could not import new certificate", exc_info=True)
def _processValidCertificate(self, data):
# unpack the cert from the HMAC signed packet and verify
try:
newCert = IdentityCertificate()
newCert.wireDecode(data.getContent())
self.log.info("Received certificate from controller")
# NOTE: we download and install the root certificate without verifying it (!)
# otherwise our policy manager will reject it.
# we may need a static method on KeyChain to allow verifying before adding
rootCertName = newCert.getSignature().getKeyLocator().getKeyName()
# update trust rules so we trust the controller
self._policyManager.setDeviceIdentity(self._configureIdentity)
self._policyManager.updateTrustRules()
def onRootCertificateDownload(interest, data):
try:
# zhehao: the root cert is downloaded and installed without verifying; should the root cert be preconfigured?
# Insert root certificate so that we can verify newCert
self._policyManager._certificateCache.insertCertificate(data)
# Set the root cert as default for root identity
try:
self._identityManager.addCertificateAsIdentityDefault(IdentityCertificate(data))
except SecurityException as e:
print("Error when addCertificateAsIdentityDefault for root: " + data.getName().toUri())
print(str(e))
self._rootCertificate = data
try:
# use the default configuration where possible
# TODO: use environment variable for this, fall back to default
fileName = os.path.expanduser('~/.ndn/.iot.root.cert')
rootCertFile = open(fileName, "w")
rootCertFile.write(Blob(b64encode(self._rootCertificate.wireEncode().toBytes()), False).toRawStr())
rootCertFile.close()
except IOError as e:
self.log.error("Cannot write to root certificate file: " + rootCertFile)
print "Cannot write to root certificate file: " + rootCertFile
except SecurityException as e:
print(str(e))
# already exists, or got certificate in wrong format
pass
self._keyChain.verifyData(newCert, self._finalizeCertificateDownload, self._certificateValidationFailed)
def onRootCertificateTimeout(interest):
# TODO: limit number of tries, then revert trust root + network prefix
# reset salt, create new Hmac key
self.face.expressInterest(rootCertName, onRootCertificateDownload, onRootCertificateTimeout)
self.face.expressInterest(rootCertName, onRootCertificateDownload, onRootCertificateTimeout)
except Exception as e:
self.log.exception("Could not import new certificate", exc_info=True)
def test_refresh_10s(self):
with open('policy_config/testData', 'r') as dataFile:
encodedData = dataFile.read()
data = Data()
dataBlob = Blob(b64decode(encodedData))
data.wireDecode(dataBlob)
# needed, since the KeyChain will express interests in unknown
# certificates
vr = doVerify(self.policyManager, data)
self.assertTrue(vr.hasFurtherSteps,
"ConfigPolicyManager did not create ValidationRequest for unknown certificate")
self.assertEqual(vr.successCount, 0,
"ConfigPolicyManager called success callback with pending ValidationRequest")
self.assertEqual(vr.failureCount, 0,
"ConfigPolicyManager called failure callback with pending ValidationRequest")
# now save the cert data to our anchor directory, and wait
# we have to sign it with the current identity or the
# policy manager will create an interest for the signing certificate
with open(self.testCertFile, 'w') as certFile:
cert = IdentityCertificate()
certData = b64decode(CERT_DUMP)
cert.wireDecode(Blob(certData, False))
self.keyChain.signByIdentity(cert, self.identityName)
encodedCert = b64encode(cert.wireEncode().toBuffer())
certFile.write(Blob(encodedCert, False).toRawStr())
# still too early for refresh to pick it up
vr = doVerify(self.policyManager, data)
self.assertTrue(vr.hasFurtherSteps,
"ConfigPolicyManager refresh occured sooner than specified")
self.assertEqual(vr.successCount, 0,
"ConfigPolicyManager called success callback with pending ValidationRequest")
self.assertEqual(vr.failureCount, 0,
"ConfigPolicyManager called failure callback with pending ValidationRequest")
time.sleep(6)
# now we should find it
vr = doVerify(self.policyManager, data)
self.assertFalse(vr.hasFurtherSteps,
"ConfigPolicyManager did not refresh certificate store")
self.assertEqual(vr.successCount, 1,
"Verification success called {} times instead of 1".format(
vr.successCount))
self.assertEqual(vr.failureCount, 0,
"ConfigPolicyManager did not verify valid signed data")
def test_refresh_10s(self):
with open('policy_config/testData', 'r') as dataFile:
encodedData = dataFile.read()
data = Data()
dataBlob = Blob(b64decode(encodedData))
data.wireDecode(dataBlob)
# needed, since the KeyChain will express interests in unknown
# certificates
vr = doVerify(self.policyManager, data)
self.assertTrue(vr.hasFurtherSteps,
"ConfigPolicyManager did not create ValidationRequest for unknown certificate")
self.assertEqual(vr.successCount, 0,
"ConfigPolicyManager called success callback with pending ValidationRequest")
self.assertEqual(vr.failureCount, 0,
"ConfigPolicyManager called failure callback with pending ValidationRequest")
# now save the cert data to our anchor directory, and wait
# we have to sign it with the current identity or the
# policy manager will create an interest for the signing certificate
with open(self.testCertFile, 'w') as certFile:
cert = IdentityCertificate()
certData = b64decode(CERT_DUMP)
cert.wireDecode(Blob(certData, False))
self.keyChain.signByIdentity(cert, self.identityName)
encodedCert = b64encode(cert.wireEncode().toBytes())
certFile.write(Blob(encodedCert, False).toRawStr())
# still too early for refresh to pick it up
vr = doVerify(self.policyManager, data)
self.assertTrue(vr.hasFurtherSteps,
"ConfigPolicyManager refresh occured sooner than specified")
self.assertEqual(vr.successCount, 0,
"ConfigPolicyManager called success callback with pending ValidationRequest")
self.assertEqual(vr.failureCount, 0,
"ConfigPolicyManager called failure callback with pending ValidationRequest")
time.sleep(6)
# now we should find it
vr = doVerify(self.policyManager, data)
self.assertFalse(vr.hasFurtherSteps,
"ConfigPolicyManager did not refresh certificate store")
self.assertEqual(vr.successCount, 1,
"Verification success called {} times instead of 1".format(
vr.successCount))
self.assertEqual(vr.failureCount, 0,
"ConfigPolicyManager did not verify valid signed data")
def signByCertificate(self, target, certificateName, wireFormat=None):
"""
Sign the target based on the certificateName. If it is a Data object,
set its signature. If it is an array, return a signature object.
:param target: If this is a Data object, wire encode for signing,
update its signature and key locator field and wireEncoding. If it is
an array, sign it and return a Signature object.
:param Name certificateName: The Name identifying the certificate which
identifies the signing key.
:param wireFormat: (optional) The WireFormat for calling encodeData, or
WireFormat.getDefaultWireFormat() if omitted.
:type wireFormat: A subclass of WireFormat
:return: The Signature object (only if the target is an array).
:rtype: An object of a subclass of Signature
"""
if wireFormat == None:
# Don't use a default argument since getDefaultWireFormat can change.
wireFormat = WireFormat.getDefaultWireFormat()
if isinstance(target, Data):
data = target
digestAlgorithm = [0]
signature = self._makeSignatureByCertificate(
certificateName, digestAlgorithm)
data.setSignature(signature)
# Encode once to get the signed portion.
encoding = data.wireEncode(wireFormat)
data.getSignature().setSignature(
self._privateKeyStorage.sign(
encoding.toSignedBuffer(),
IdentityCertificate.certificateNameToPublicKeyName(
certificateName), digestAlgorithm[0]))
# Encode again to include the signature.
data.wireEncode(wireFormat)
else:
digestAlgorithm = [0]
signature = self._makeSignatureByCertificate(
certificateName, digestAlgorithm)
signature.setSignature(
self._privateKeyStorage.sign(
target,
IdentityCertificate.certificateNameToPublicKeyName(
certificateName), digestAlgorithm[0]))
return signature
def signByCertificate(self, target, certificateName, wireFormat = None):
"""
Sign the target based on the certificateName. If it is a Data object,
set its signature. If it is an array, return a signature object.
:param target: If this is a Data object, wire encode for signing,
update its signature and key locator field and wireEncoding. If it is
an array, sign it and return a Signature object.
:param Name certificateName: The Name identifying the certificate which
identifies the signing key.
:param wireFormat: (optional) The WireFormat for calling encodeData, or
WireFormat.getDefaultWireFormat() if omitted.
:type wireFormat: A subclass of WireFormat
:return: The Signature object (only if the target is an array).
:rtype: An object of a subclass of Signature
"""
if wireFormat == None:
# Don't use a default argument since getDefaultWireFormat can change.
wireFormat = WireFormat.getDefaultWireFormat()
if isinstance(target, Data):
data = target
digestAlgorithm = [0]
signature = self._makeSignatureByCertificate(
certificateName, digestAlgorithm)
data.setSignature(signature)
# Encode once to get the signed portion.
encoding = data.wireEncode(wireFormat)
data.getSignature().setSignature(self._privateKeyStorage.sign
(encoding.toSignedBuffer(),
IdentityCertificate.certificateNameToPublicKeyName(certificateName),
digestAlgorithm[0]))
# Encode again to include the signature.
data.wireEncode(wireFormat)
else:
digestAlgorithm = [0]
signature = self._makeSignatureByCertificate(
certificateName, digestAlgorithm)
signature.setSignature(
self._privateKeyStorage.sign(
target,
IdentityCertificate.certificateNameToPublicKeyName(certificateName),
digestAlgorithm[0]))
return signature
def test_create_d_key_data(self):
# Create the group manager.
manager = GroupManager(
Name("Alice"), Name("data_type"),
Sqlite3GroupManagerDb(self.dKeyDatabaseFilePath), 2048, 1,
self.keyChain)
newCertificateBlob = self.certificate.wireEncode()
newCertificate = IdentityCertificate()
newCertificate.wireDecode(newCertificateBlob)
# Encrypt the D-KEY.
data = manager._createDKeyData(
"20150825T000000", "20150827T000000", Name("/ndn/memberA/KEY"),
self.decryptKeyBlob,
newCertificate.getPublicKeyInfo().getKeyDer())
# Verify the encrypted D-KEY.
dataContent = data.getContent()
# Get the nonce key.
# dataContent is a sequence of the two EncryptedContent.
encryptedNonce = EncryptedContent()
encryptedNonce.wireDecode(dataContent)
self.assertEqual(0, encryptedNonce.getInitialVector().size())
self.assertEqual(EncryptAlgorithmType.RsaOaep,
encryptedNonce.getAlgorithmType())
blobNonce = encryptedNonce.getPayload()
decryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep)
nonce = RsaAlgorithm.decrypt(self.decryptKeyBlob, blobNonce,
decryptParams)
# Get the D-KEY.
# Use the size of encryptedNonce to find the start of encryptedPayload.
payloadContent = dataContent.buf()[encryptedNonce.wireEncode().size():]
encryptedPayload = EncryptedContent()
encryptedPayload.wireDecode(payloadContent)
self.assertEqual(16, encryptedPayload.getInitialVector().size())
self.assertEqual(EncryptAlgorithmType.AesCbc,
encryptedPayload.getAlgorithmType())
decryptParams.setAlgorithmType(EncryptAlgorithmType.AesCbc)
decryptParams.setInitialVector(encryptedPayload.getInitialVector())
blobPayload = encryptedPayload.getPayload()
largePayload = AesAlgorithm.decrypt(nonce, blobPayload, decryptParams)
self.assertTrue(largePayload.equals(self.decryptKeyBlob))
def _makeSignatureByCertificate(self, certificateName, digestAlgorithm):
"""
Return a new Signature object based on the signature algorithm of the
public key with keyName (derived from certificateName).
:param Name certificateName: The full certificate name.
:param Array digestAlgorithm: Set digestAlgorithm[0] to the signature
algorithm's digest algorithm, e.g. DigestAlgorithm.SHA256 .
:return: The related public key name.
:rtype: Signature
"""
keyName = IdentityCertificate.certificateNameToPublicKeyName(certificateName)
publicKey = self._privateKeyStorage.getPublicKey(keyName)
keyType = publicKey.getKeyType()
if keyType == KeyType.RSA:
signature = Sha256WithRsaSignature()
digestAlgorithm[0] = DigestAlgorithm.SHA256
signature.getKeyLocator().setType(KeyLocatorType.KEYNAME)
signature.getKeyLocator().setKeyName(certificateName.getPrefix(-1))
return signature
elif keyType == KeyType.ECDSA:
signature = Sha256WithEcdsaSignature()
digestAlgorithm[0] = DigestAlgorithm.SHA256
signature.getKeyLocator().setType(KeyLocatorType.KEYNAME)
signature.getKeyLocator().setKeyName(certificateName.getPrefix(-1))
return signature
else:
raise SecurityException("Key type is not recognized")
def test_prepare_unsigned_certificate(self):
identityStorage = MemoryIdentityStorage()
privateKeyStorage = MemoryPrivateKeyStorage()
identityManager = IdentityManager(identityStorage, privateKeyStorage)
keyName = Name("/test/ksk-1457560485494")
identityStorage.addKey(keyName, KeyType.RSA, Blob(PUBLIC_KEY))
subjectDescriptions = []
subjectDescriptions.append(
CertificateSubjectDescription(TEST_OID, "TEST NAME"))
newCertificate = identityManager.prepareUnsignedIdentityCertificate(
keyName, keyName.getPrefix(1), self.toyCertNotBefore,
self.toyCertNotAfter, subjectDescriptions)
# Update the generated certificate version to equal the one in toyCert.
newCertificate.setName(
Name(newCertificate.getName().getPrefix(-1).append(
self.toyCert.getName().get(-1))))
# Make a copy to test encoding.
certificateCopy = IdentityCertificate(newCertificate)
self.assertEqual(
str(self.toyCert), str(certificateCopy),
"Prepared unsigned certificate dump does not have the expected format"
)
def setDefaultCertificateNameForKey(self, keyName, certificateName):
"""
Set the default certificate name for the corresponding key
:param Name keyName: not used
:param Name certificateName: The certificate name.
"""
if not self.doesCertificateExist(certificateName):
raise SecurityException("Certificate does not exist")
keyName = IdentityCertificate.certificateNameToPublicKeyName(certificateName)
identityUri = keyName.getPrefix(-1).toUri()
keyId = keyName.get(-1).toEscapedString()
try:
cursor = None
currentDefault = self.getDefaultCertificateNameForKey(keyName)
except SecurityException:
pass
else:
cursor = self._database.cursor()
cursor.execute("UPDATE Certificate SET default_cert=0 WHERE cert_name=? AND identity_name=? AND key_identifier=?",
(currentDefault.toUri(), identityUri, keyId))
if cursor is None:
cursor = self._database.cursor()
cursor.execute("UPDATE Certificate SET default_cert=1 WHERE cert_name=? AND identity_name=? AND key_identifier=?",
(certificateName.toUri(), identityUri, keyId))
self._database.commit()
cursor.close()
def _makeSignatureByCertificate(self, certificateName, digestAlgorithm):
"""
Return a new Signature object based on the signature algorithm of the
public key with keyName (derived from certificateName).
:param Name certificateName: The full certificate name.
:param Array digestAlgorithm: Set digestAlgorithm[0] to the signature
algorithm's digest algorithm, e.g. DigestAlgorithm.SHA256 .
:return: The related public key name.
:rtype: Signature
"""
keyName = IdentityCertificate.certificateNameToPublicKeyName(
certificateName)
publicKey = self._privateKeyStorage.getPublicKey(keyName)
keyType = publicKey.getKeyType()
if keyType == KeyType.RSA:
signature = Sha256WithRsaSignature()
digestAlgorithm[0] = DigestAlgorithm.SHA256
signature.getKeyLocator().setType(KeyLocatorType.KEYNAME)
signature.getKeyLocator().setKeyName(certificateName.getPrefix(-1))
return signature
elif keyType == KeyType.ECDSA:
signature = Sha256WithEcdsaSignature()
digestAlgorithm[0] = DigestAlgorithm.SHA256
signature.getKeyLocator().setType(KeyLocatorType.KEYNAME)
signature.getKeyLocator().setKeyName(certificateName.getPrefix(-1))
return signature
else:
raise SecurityException("Key type is not recognized")
def __init__(self, face, encryptResult, link = None):
# Set up face
self.face = face
self._encryptResult = encryptResult
self._link = link
self.databaseFilePath = "policy_config/test_consumer_dpu.db"
try:
os.remove(self.databaseFilePath)
except OSError:
# no such file
pass
self.groupName = Name("/org/openmhealth/haitao")
# Set up the keyChain.
identityStorage = BasicIdentityStorage()
privateKeyStorage = FilePrivateKeyStorage()
self.keyChain = KeyChain(
IdentityManager(identityStorage, privateKeyStorage),
NoVerifyPolicyManager())
# Authorized identity
identityName = Name("/ndn/edu/basel/dpu")
# Function name: the function that this DPU provides
self._functionName = "bounding_box"
self._identityName = identityName
self.certificateName = self.keyChain.createIdentityAndCertificate(identityName)
# TODO: if using BasicIdentityStorage and FilePrivateKeyStorage
# For some reason this newly generated cert is not installed by default, calling keyChain sign later would result in error
#self.keyChain.installIdentityCertificate()
self.face.setCommandSigningInfo(self.keyChain, self.certificateName)
consumerKeyName = IdentityCertificate.certificateNameToPublicKeyName(self.certificateName)
consumerCertificate = identityStorage.getCertificate(self.certificateName)
self.consumer = Consumer(
face, self.keyChain, self.groupName, identityName,
Sqlite3ConsumerDb(self.databaseFilePath))
# TODO: Read the private key to decrypt d-key...this may or may not be ideal
base64Content = None
with open(privateKeyStorage.nameTransform(consumerKeyName.toUri(), ".pri")) as keyFile:
print privateKeyStorage.nameTransform(consumerKeyName.toUri(), ".pri")
base64Content = keyFile.read()
#print base64Content
der = Blob(base64.b64decode(base64Content), False)
self.consumer.addDecryptionKey(consumerKeyName, der)
self.memoryContentCache = MemoryContentCache(self.face)
self.memoryContentCache.registerPrefix(identityName, self.onRegisterFailed, self.onDataNotFound)
self.memoryContentCache.add(consumerCertificate)
accessRequestInterest = Interest(Name(self.groupName).append("read_access_request").append(self.certificateName).appendVersion(int(time.time())))
self.face.expressInterest(accessRequestInterest, self.onAccessRequestData, self.onAccessRequestTimeout)
print "Access request interest name: " + accessRequestInterest.getName().toUri()
self._tasks = dict()
return
def test_create_d_key_data(self):
# Create the group manager.
manager = GroupManager(
Name("Alice"), Name("data_type"),
Sqlite3GroupManagerDb(self.dKeyDatabaseFilePath), 2048, 1,
self.keyChain)
newCertificateBlob = self.certificate.wireEncode()
newCertificate = IdentityCertificate()
newCertificate.wireDecode(newCertificateBlob)
# Encrypt the D-KEY.
data = manager._createDKeyData(
"20150825T000000", "20150827T000000", Name("/ndn/memberA/KEY"),
self.decryptKeyBlob, newCertificate.getPublicKeyInfo().getKeyDer())
# Verify the encrypted D-KEY.
dataContent = data.getContent()
# Get the nonce key.
# dataContent is a sequence of the two EncryptedContent.
encryptedNonce = EncryptedContent()
encryptedNonce.wireDecode(dataContent)
self.assertEqual(0, encryptedNonce.getInitialVector().size())
self.assertEqual(EncryptAlgorithmType.RsaOaep, encryptedNonce.getAlgorithmType())
blobNonce = encryptedNonce.getPayload()
decryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep)
nonce = RsaAlgorithm.decrypt(self.decryptKeyBlob, blobNonce, decryptParams)
# Get the D-KEY.
# Use the size of encryptedNonce to find the start of encryptedPayload.
payloadContent = dataContent.buf()[encryptedNonce.wireEncode().size():]
encryptedPayload = EncryptedContent()
encryptedPayload.wireDecode(payloadContent)
self.assertEqual(16, encryptedPayload.getInitialVector().size())
self.assertEqual(EncryptAlgorithmType.AesCbc, encryptedPayload.getAlgorithmType())
decryptParams.setAlgorithmType(EncryptAlgorithmType.AesCbc)
decryptParams.setInitialVector(encryptedPayload.getInitialVector())
blobPayload = encryptedPayload.getPayload()
largePayload = AesAlgorithm.decrypt(nonce, blobPayload, decryptParams)
self.assertTrue(largePayload.equals(self.decryptKeyBlob))
def getCertificate(self, certificateName, allowAny = False):
"""
Get a certificate from the identity storage.
:param Name certificateName: The name of the requested certificate.
:param bool allowAny: (optional) If False, only a valid certificate will
be returned, otherwise validity is disregarded. If omitted,
allowAny is False.
:return: The requested certificate. If not found, return None.
:rtype: IdentityCertificate
"""
certificateNameUri = certificateName.toUri()
if not (certificateNameUri in self._certificateStore):
# Not found. Silently return None.
return None
certificate = IdentityCertificate()
certificate.wireDecode(self._certificateStore[certificateNameUri])
return certificate
def getCertificate(self, certificateName, allowAny=False):
"""
Get a certificate from the identity storage.
:param Name certificateName: The name of the requested certificate.
:param bool allowAny: (optional) If False, only a valid certificate will
be returned, otherwise validity is disregarded. If omitted,
allowAny is False.
:return: The requested certificate. If not found, return None.
:rtype: IdentityCertificate
"""
certificateNameUri = certificateName.toUri()
if not (certificateNameUri in self._certificateStore):
# Not found. Silently return None.
return None
certificate = IdentityCertificate()
certificate.wireDecode(self._certificateStore[certificateNameUri])
return certificate
def __init__(self, face):
# Set up face
self.face = face
self.databaseFilePath = "policy_config/test_consumer.db"
try:
os.remove(self.databaseFilePath)
except OSError:
# no such file
pass
self.groupName = Name("/org/openmhealth/zhehao")
# Set up the keyChain.
identityStorage = BasicIdentityStorage()
privateKeyStorage = FilePrivateKeyStorage()
self.keyChain = KeyChain(
IdentityManager(identityStorage, privateKeyStorage),
NoVerifyPolicyManager())
# Authorized identity
identityName = Name("/org/openmhealth/dvu-python-3")
# Unauthorized identity
#identityName = Name("/org/openmhealth/dvu-python-1")
self.certificateName = self.keyChain.createIdentityAndCertificate(identityName)
self.face.setCommandSigningInfo(self.keyChain, self.certificateName)
consumerKeyName = IdentityCertificate.certificateNameToPublicKeyName(self.certificateName)
consumerCertificate = identityStorage.getCertificate(self.certificateName)
self.consumer = Consumer(
face, self.keyChain, self.groupName, identityName,
Sqlite3ConsumerDb(self.databaseFilePath))
# TODO: Read the private key to decrypt d-key...this may or may not be ideal
base64Content = None
with open(privateKeyStorage.nameTransform(consumerKeyName.toUri(), ".pri")) as keyFile:
print privateKeyStorage.nameTransform(consumerKeyName.toUri(), ".pri")
base64Content = keyFile.read()
#print base64Content
der = Blob(base64.b64decode(base64Content), False)
self.consumer.addDecryptionKey(consumerKeyName, der)
self.memoryContentCache = MemoryContentCache(self.face)
self.memoryContentCache.registerPrefix(identityName, self.onRegisterFailed, self.onDataNotFound)
self.memoryContentCache.add(consumerCertificate)
accessRequestInterest = Interest(Name(self.groupName).append("read_access_request").append(self.certificateName).appendVersion(int(time.time())))
self.face.expressInterest(accessRequestInterest, self.onAccessRequestData, self.onAccessRequestTimeout)
print "Access request interest name: " + accessRequestInterest.getName().toUri()
self.consumeCatalog = True
return
def _processValidCertificate(self, data):
# unpack the cert from the HMAC signed packet and verify
try:
newCert = IdentityCertificate()
newCert.wireDecode(data.getContent())
self.log.info("Received certificate from controller")
self.log.debug(str(newCert))
# NOTE: we download and install the root certificate without verifying it (!)
# otherwise our policy manager will reject it.
# we may need a static method on KeyChain to allow verifying before adding
rootCertName = newCert.getSignature().getKeyLocator().getKeyName()
# update trust rules so we trust the controller
self._policyManager.setDeviceIdentity(self._configureIdentity)
self._policyManager.updateTrustRules()
def onRootCertificateDownload(interest, data):
try:
self._identityStorage.addCertificate(data)
except SecurityException:
# already exists
pass
self._keyChain.verifyData(newCert,
self._finalizeCertificateDownload,
self._certificateValidationFailed)
def onRootCertificateTimeout(interest):
# TODO: limit number of tries, then revert trust root + network prefix
# reset salt, create new Hmac key
self.face.expressInterest(rootCertName,
onRootCertificateDownload,
onRootCertificateTimeout)
self.face.expressInterest(rootCertName, onRootCertificateDownload,
onRootCertificateTimeout)
except Exception as e:
self.log.exception("Could not import new certificate",
exc_info=True)
def getCertificate(self, certificateName):
"""
Get a certificate from the identity storage.
:param Name certificateName: The name of the requested certificate.
:return: The requested certificate.
:rtype: IdentityCertificate
:raises SecurityException: if the certificate doesn't exist.
"""
certificateNameUri = certificateName.toUri()
if not (certificateNameUri in self._certificateStore):
raise SecurityException(
"MemoryIdentityStorage::getCertificate: The certificate does not exist")
certificate = IdentityCertificate()
try:
certificate.wireDecode(self._certificateStore[certificateNameUri])
except ValueError:
raise SecurityException(
"MemoryIdentityStorage::getCertificate: The certificate cannot be decoded")
return certificate
def getCertificate(self, certificateName):
"""
Get a certificate from the identity storage.
:param Name certificateName: The name of the requested certificate.
:return: The requested certificate.
:rtype: IdentityCertificate
:raises SecurityException: if the certificate doesn't exist.
"""
certificateNameUri = certificateName.toUri()
if not (certificateNameUri in self._certificateStore):
raise SecurityException(
"MemoryIdentityStorage.getCertificate: The certificate does not exist"
)
certificate = IdentityCertificate()
try:
certificate.wireDecode(self._certificateStore[certificateNameUri])
except ValueError:
raise SecurityException(
"MemoryIdentityStorage.getCertificate: The certificate cannot be decoded"
)
return certificate
def _updateDeviceCapabilities(self, interest):
"""
Take the received capabilities update interest and update our directory listings.
"""
# we assume the sender is the one who signed the interest...
signature = self._policyManager._extractSignature(interest)
certificateName = signature.getKeyLocator().getKeyName()
senderIdentity = IdentityCertificate.certificateNameToPublicKeyName(
certificateName).getPrefix(-1)
self.log.info('Updating capabilities for {}'.format(
senderIdentity.toUri()))
# get the params from the interest name
messageComponent = interest.getName().get(self.prefix.size() + 1)
message = UpdateCapabilitiesCommandMessage()
ProtobufTlv.decode(message, messageComponent.getValue())
# we remove all the old capabilities for the sender
tempDirectory = defaultdict(list)
for keyword in self._directory:
tempDirectory[keyword] = [
cap for cap in self._directory[keyword]
if not senderIdentity.match(Name(cap['name']))
]
# then we add the ones from the message
for capability in message.capabilities:
capabilityPrefix = Name()
for component in capability.commandPrefix.components:
capabilityPrefix.append(component)
commandUri = capabilityPrefix.toUri()
if not senderIdentity.match(capabilityPrefix):
self.log.error(
"Node {} tried to register another prefix: {} - ignoring update"
.format(senderIdentity.toUri(), commandUri))
else:
for keyword in capability.keywords:
allUris = [info['name'] for info in tempDirectory[keyword]]
if capabilityPrefix not in allUris:
listing = {
'signed': capability.needsSignature,
'name': commandUri
}
tempDirectory[keyword].append(listing)
self._directory = tempDirectory
def createIdentity(self, identityName, params):
"""
Create an identity by creating a pair of Key-Signing-Key (KSK) for this
identity and a self-signed certificate of the KSK. If a key pair or
certificate for the identity already exists, use it.
:deprecated: Use createIdentityAndCertificate which returns the
certificate name instead of the key name. You can use
IdentityCertificate.certificateNameToPublicKeyName to convert the
certificate name to the key name.
:param Name identityName: The name of the identity.
:param KeyParams params: The key parameters if a key needs to be
generated for the identity.
:return: The key name of the auto-generated KSK of the identity.
:rtype: Name
"""
return IdentityCertificate.certificateNameToPublicKeyName(
self.createIdentityAndCertificate(identityName, params))
def createIdentity(self, identityName, params):
"""
Create an identity by creating a pair of Key-Signing-Key (KSK) for this
identity and a self-signed certificate of the KSK. If a key pair or
certificate for the identity already exists, use it.
:deprecated: Use createIdentityAndCertificate which returns the
certificate name instead of the key name. You can use
IdentityCertificate.certificateNameToPublicKeyName to convert the
certificate name to the key name.
:param Name identityName: The name of the identity.
:param KeyParams params: The key parameters if a key needs to be
generated for the identity.
:return: The key name of the auto-generated KSK of the identity.
:rtype: Name
"""
return IdentityCertificate.certificateNameToPublicKeyName(
self.createIdentityAndCertificate(identityName, params))
def addCertificate(self, certificate):
"""
Add a certificate to the identity storage.
:param IdentityCertificate certificate: The certificate to be added.
This makes a copy of the certificate.
"""
#TODO: actually check validity of certificate timestamp
certificateName = certificate.getName()
if self.doesCertificateExist(certificateName):
raise SecurityException("Certificate has already been installed!")
certCopy = IdentityCertificate(certificate)
makeDefault = 0
keyName = certCopy.getPublicKeyName()
keyInfo = certCopy.getPublicKeyInfo()
if not self.doesKeyExist(keyName):
self.addKey(keyName, keyInfo.getKeyType(), keyInfo.getKeyDer())
makeDefault = 1
else:
# see if the key we already have matches this certificate
keyBlob = self.getKey(keyName)
if (keyBlob.isNull() or keyBlob.toBuffer() !=
keyInfo.getKeyDer().toBuffer()):
raise SecurityException("Certificate does not match public key")
keyId = keyName.get(-1).toEscapedString()
identityUri = keyName.getPrefix(-1).toUri()
certIssuer = certCopy.getSignature().getKeyLocator().getKeyName().toUri()
encodedCert = buffer(bytearray(certCopy.wireEncode().buf()))
notBefore = certCopy.getNotBefore()
notAfter = certCopy.getNotAfter()
cursor = self._database.cursor()
cursor.execute("INSERT INTO Certificate VALUES(?,?,?,?,?,?,?,?,?)",
(certificateName.toUri(), certIssuer, identityUri, keyId,
notBefore, notAfter, encodedCert, 1, makeDefault))
self._database.commit()
cursor.close()
def onRootCertificateDownload(interest, data):
try:
# zhehao: the root cert is downloaded and installed without verifying; should the root cert be preconfigured?
# Insert root certificate so that we can verify newCert
self._policyManager._certificateCache.insertCertificate(
data)
# Set the root cert as default for root identity
try:
self._identityManager.addCertificateAsIdentityDefault(
IdentityCertificate(data))
except SecurityException as e:
print(
"Error when addCertificateAsIdentityDefault for root: "
+ data.getName().toUri())
print(str(e))
self._rootCertificate = data
try:
# use the default configuration where possible
# TODO: use environment variable for this, fall back to default
fileName = os.path.expanduser('~/.ndn/.iot.root.cert')
rootCertFile = open(fileName, "w")
rootCertFile.write(
Blob(
b64encode(self._rootCertificate.wireEncode().
toBytes()), False).toRawStr())
rootCertFile.close()
except IOError as e:
self.log.error(
"Cannot write to root certificate file: " +
rootCertFile)
print "Cannot write to root certificate file: " + rootCertFile
except SecurityException as e:
print(str(e))
# already exists, or got certificate in wrong format
pass
self._keyChain.verifyData(newCert,
self._finalizeCertificateDownload,
self._certificateValidationFailed)
def signInterestByCertificate(self,
interest,
certificateName,
wireFormat=None):
"""
Append a SignatureInfo to the Interest name, sign the name components
and append a final name component with the signature bits.
:param Interest interest: The Interest object to be signed. This appends
name components of SignatureInfo and the signature bits.
:param Name certificateName: The certificate name of the key to use for
signing.
:param wireFormat: (optional) A WireFormat object used to encode the
input. If omitted, use WireFormat.getDefaultWireFormat().
:type wireFormat: A subclass of WireFormat
"""
if wireFormat == None:
# Don't use a default argument since getDefaultWireFormat can change.
wireFormat = WireFormat.getDefaultWireFormat()
digestAlgorithm = [0]
signature = self._makeSignatureByCertificate(certificateName,
digestAlgorithm)
# Append the encoded SignatureInfo.
interest.getName().append(wireFormat.encodeSignatureInfo(signature))
# Append an empty signature so that the "signedPortion" is correct.
interest.getName().append(Name.Component())
# Encode once to get the signed portion, and sign.
encoding = interest.wireEncode(wireFormat)
signature.setSignature(
self._privateKeyStorage.sign(
encoding.toSignedBuffer(),
IdentityCertificate.certificateNameToPublicKeyName(
certificateName), digestAlgorithm[0]))
# Remove the empty signature and append the real one.
interest.setName(interest.getName().getPrefix(-1).append(
wireFormat.encodeSignatureValue(signature)))
def _updateDeviceCapabilities(self, interest):
"""
Take the received capabilities update interest and update our directory listings.
"""
# we assume the sender is the one who signed the interest...
signature = self._policyManager._extractSignature(interest)
certificateName = signature.getKeyLocator().getKeyName()
senderIdentity = IdentityCertificate.certificateNameToPublicKeyName(certificateName).getPrefix(-1)
self.log.info('Updating capabilities for {}'.format(senderIdentity.toUri()))
# get the params from the interest name
messageComponent = interest.getName().get(self.prefix.size()+1)
message = UpdateCapabilitiesCommandMessage()
ProtobufTlv.decode(message, messageComponent.getValue())
# we remove all the old capabilities for the sender
tempDirectory = defaultdict(list)
for keyword in self._directory:
tempDirectory[keyword] = [cap for cap in self._directory[keyword]
if not senderIdentity.match(Name(cap['name']))]
# then we add the ones from the message
for capability in message.capabilities:
capabilityPrefix = Name()
for component in capability.commandPrefix.components:
capabilityPrefix.append(component)
commandUri = capabilityPrefix.toUri()
if not senderIdentity.match(capabilityPrefix):
self.log.error("Node {} tried to register another prefix: {} - ignoring update".format(
senderIdentity.toUri(),commandUri))
else:
for keyword in capability.keywords:
allUris = [info['name'] for info in tempDirectory[keyword]]
if capabilityPrefix not in allUris:
listing = {'signed':capability.needsSignature,
'name':commandUri}
tempDirectory[keyword].append(listing)
self._directory= tempDirectory
def signInterestByCertificate(self, interest, certificateName, wireFormat = None):
"""
Append a SignatureInfo to the Interest name, sign the name components
and append a final name component with the signature bits.
:param Interest interest: The Interest object to be signed. This appends
name components of SignatureInfo and the signature bits.
:param Name certificateName: The certificate name of the key to use for
signing.
:param wireFormat: (optional) A WireFormat object used to encode the
input. If omitted, use WireFormat.getDefaultWireFormat().
:type wireFormat: A subclass of WireFormat
"""
if wireFormat == None:
# Don't use a default argument since getDefaultWireFormat can change.
wireFormat = WireFormat.getDefaultWireFormat()
digestAlgorithm = [0]
signature = self._makeSignatureByCertificate(
certificateName, digestAlgorithm)
# Append the encoded SignatureInfo.
interest.getName().append(wireFormat.encodeSignatureInfo(signature))
# Append an empty signature so that the "signedPortion" is correct.
interest.getName().append(Name.Component())
# Encode once to get the signed portion, and sign.
encoding = interest.wireEncode(wireFormat)
signature.setSignature(self._privateKeyStorage.sign
(encoding.toSignedBuffer(),
IdentityCertificate.certificateNameToPublicKeyName(certificateName),
digestAlgorithm[0]))
# Remove the empty signature and append the real one.
interest.setName(interest.getName().getPrefix(-1).append(
wireFormat.encodeSignatureValue(signature)))
def __init__(self, face):
# Set up face
self.face = face
self.databaseFilePath = "policy_config/test_consumer.db"
try:
os.remove(self.databaseFilePath)
except OSError:
# no such file
pass
self.groupName = Name("/org/openmhealth/haitao")
# Set up the keyChain.
identityStorage = BasicIdentityStorage()
privateKeyStorage = FilePrivateKeyStorage()
self.keyChain = KeyChain(
IdentityManager(identityStorage, privateKeyStorage),
NoVerifyPolicyManager())
# Authorized identity
identityName = Name("/org/openmhealth/dvu-python-3")
# Unauthorized identity
#identityName = Name("/org/openmhealth/dvu-python-1")
self.certificateName = self.keyChain.createIdentityAndCertificate(
identityName)
self.face.setCommandSigningInfo(self.keyChain, self.certificateName)
consumerKeyName = IdentityCertificate.certificateNameToPublicKeyName(
self.certificateName)
consumerCertificate = identityStorage.getCertificate(
self.certificateName)
self.consumer = Consumer(face, self.keyChain, self.groupName,
identityName,
Sqlite3ConsumerDb(self.databaseFilePath))
# TODO: Read the private key to decrypt d-key...this may or may not be ideal
base64Content = None
with open(
privateKeyStorage.nameTransform(consumerKeyName.toUri(),
".pri")) as keyFile:
print privateKeyStorage.nameTransform(consumerKeyName.toUri(),
".pri")
base64Content = keyFile.read()
#print base64Content
der = Blob(base64.b64decode(base64Content), False)
self.consumer.addDecryptionKey(consumerKeyName, der)
self.memoryContentCache = MemoryContentCache(self.face)
self.memoryContentCache.registerPrefix(identityName,
self.onRegisterFailed,
self.onDataNotFound)
self.memoryContentCache.add(consumerCertificate)
accessRequestInterest = Interest(
Name(self.groupName).append("read_access_request").append(
self.certificateName).appendVersion(int(time.time())))
self.face.expressInterest(accessRequestInterest,
self.onAccessRequestData,
self.onAccessRequestTimeout)
print "Access request interest name: " + accessRequestInterest.getName(
).toUri()
self.consumeCatalog = True
return
def generateCertificateForKey(self, keyName):
# let any raised SecurityExceptions bubble up
publicKeyBits = self._identityStorage.getKey(keyName)
publicKeyType = self._identityStorage.getKeyType(keyName)
publicKey = PublicKey(publicKeyType, publicKeyBits)
timestamp = Common.getNowMilliseconds()
# TODO: specify where the 'KEY' component is inserted
# to delegate responsibility for cert delivery
certificateName = keyName.getPrefix(-1).append('KEY').append(keyName.get(-1))
certificateName.append("ID-CERT").append(Name.Component(struct.pack(">Q", timestamp)))
certificate = IdentityCertificate(certificateName)
certificate.setNotBefore(timestamp)
certificate.setNotAfter((timestamp + 30*86400*1000)) # about a month
certificate.setPublicKeyInfo(publicKey)
# ndnsec likes to put the key name in a subject description
sd = CertificateSubjectDescription("2.5.4.41", keyName.toUri())
certificate.addSubjectDescription(sd)
certificate.encode()
return certificate
def __init__(self,
face,
identityName,
groupName,
catalogPrefix,
rawDataPrefix,
producerDbFilePath,
consumerDbFilePath,
encrypted=False):
self.face = face
# Set up the keyChain.
identityStorage = BasicIdentityStorage()
privateKeyStorage = FilePrivateKeyStorage()
self.keyChain = KeyChain(
IdentityManager(identityStorage, privateKeyStorage),
NoVerifyPolicyManager())
self.identityName = Name(identityName)
self.groupName = Name(groupName)
self.rawDataPrefix = rawDataPrefix
self.catalogPrefix = catalogPrefix
self.certificateName = self.keyChain.createIdentityAndCertificate(
self.identityName)
self.face.setCommandSigningInfo(self.keyChain, self.certificateName)
# Set up the memoryContentCache
self.memoryContentCache = MemoryContentCache(self.face)
self.memoryContentCache.registerPrefix(self.identityName,
self.onRegisterFailed,
self.onDataNotFound)
self.producerPrefix = Name(identityName)
self.producerSuffix = Name()
self.producer = DPUProducer(face, self.memoryContentCache,
self.producerPrefix, self.producerSuffix,
self.keyChain, self.certificateName,
producerDbFilePath)
# Put own (consumer) certificate in memoryContentCache
consumerKeyName = IdentityCertificate.certificateNameToPublicKeyName(
self.certificateName)
consumerCertificate = identityStorage.getCertificate(
self.certificateName, True)
# TODO: request that this DPU be added as a trusted group member
self.remainingTasks = dict()
try:
os.remove(consumerDbFilePath)
except OSError:
# no such file
pass
self.consumer = Consumer(face, self.keyChain, self.groupName,
consumerKeyName,
Sqlite3ConsumerDb(consumerDbFilePath))
# TODO: Read the private key to decrypt d-key...this may or may not be ideal
base64Content = None
with open(
privateKeyStorage.nameTransform(consumerKeyName.toUri(),
".pri")) as keyFile:
base64Content = keyFile.read()
der = Blob(base64.b64decode(base64Content), False)
self.consumer.addDecryptionKey(consumerKeyName, der)
self.memoryContentCache.add(consumerCertificate)
self.encrypted = encrypted
self.rawData = []
self.catalogFetchFinished = False
self.remainingData = 0
return
def _generateCertificateForKey(self, keyName):
# Let any raised SecurityExceptions bubble up.
publicKeyBits = self._identityStorage.getKey(keyName)
publicKey = PublicKey(publicKeyBits)
timestamp = Common.getNowMilliseconds()
# TODO: Specify where the 'KEY' component is inserted
# to delegate responsibility for cert delivery.
# cf: http://redmine.named-data.net/issues/1659
certificateName = keyName.getPrefix(-1).append('KEY').append(
keyName.get(-1))
certificateName.append("ID-CERT").appendVersion(int(timestamp))
certificate = IdentityCertificate()
certificate.setName(certificateName)
certificate.setNotBefore(timestamp)
certificate.setNotAfter(
(timestamp + 2 * 365 * 24 * 3600 * 1000)) # about 2 years.
certificate.setPublicKeyInfo(publicKey)
# ndnsec likes to put the key name in a subject description.
sd = CertificateSubjectDescription("2.5.4.41", keyName.toUri())
certificate.addSubjectDescription(sd)
certificate.encode()
return certificate
def _processValidCertificate(self, data):
# unpack the cert from the HMAC signed packet and verify
try:
newCert = IdentityCertificate()
newCert.wireDecode(data.getContent())
self.log.info("Received certificate from controller")
# NOTE: we download and install the root certificate without verifying it (!)
# otherwise our policy manager will reject it.
# we may need a static method on KeyChain to allow verifying before adding
rootCertName = newCert.getSignature().getKeyLocator().getKeyName()
# update trust rules so we trust the controller
self._policyManager.setDeviceIdentity(self._configureIdentity)
self._policyManager.updateTrustRules()
def onRootCertificateDownload(interest, data):
try:
# zhehao: the root cert is downloaded and installed without verifying; should the root cert be preconfigured?
# Insert root certificate so that we can verify newCert
self._policyManager._certificateCache.insertCertificate(
data)
# Set the root cert as default for root identity
try:
self._identityManager.addCertificateAsIdentityDefault(
IdentityCertificate(data))
except SecurityException as e:
print(
"Error when addCertificateAsIdentityDefault for root: "
+ data.getName().toUri())
print(str(e))
self._rootCertificate = data
try:
# use the default configuration where possible
# TODO: use environment variable for this, fall back to default
fileName = os.path.expanduser('~/.ndn/.iot.root.cert')
rootCertFile = open(fileName, "w")
rootCertFile.write(
Blob(
b64encode(self._rootCertificate.wireEncode().
toBytes()), False).toRawStr())
rootCertFile.close()
except IOError as e:
self.log.error(
"Cannot write to root certificate file: " +
rootCertFile)
print "Cannot write to root certificate file: " + rootCertFile
except SecurityException as e:
print(str(e))
# already exists, or got certificate in wrong format
pass
self._keyChain.verifyData(newCert,
self._finalizeCertificateDownload,
self._certificateValidationFailed)
def onRootCertificateTimeout(interest):
# TODO: limit number of tries, then revert trust root + network prefix
# reset salt, create new Hmac key
self.face.expressInterest(rootCertName,
onRootCertificateDownload,
onRootCertificateTimeout)
self.face.expressInterest(rootCertName, onRootCertificateDownload,
onRootCertificateTimeout)
except Exception as e:
self.log.exception("Could not import new certificate",
exc_info=True)
from pyndn.security import KeyType, KeyChain, RsaKeyParams, SecurityException
from pyndn.security.certificate import IdentityCertificate
from pyndn.security.identity import IdentityManager
from pyndn.security.identity import BasicIdentityStorage, FilePrivateKeyStorage, MemoryIdentityStorage, MemoryPrivateKeyStorage
from pyndn.security.policy import NoVerifyPolicyManager
# Set up the keyChain.
identityStorage = BasicIdentityStorage()
privateKeyStorage = FilePrivateKeyStorage()
keyChain = KeyChain(IdentityManager(identityStorage, privateKeyStorage),
NoVerifyPolicyManager())
# dvu identity
identityName = Name("/org/openmhealth/dvu")
certificateName = keyChain.createIdentityAndCertificate(identityName)
keyName = IdentityCertificate.certificateNameToPublicKeyName(certificateName)
certificate = identityStorage.getCertificate(certificateName)
print keyName
print certificateName
print certificate
print privateKeyStorage.nameTransform(keyName.toUri(), ".pri")
#with open(privateKeyStorage.nameTransform(keyName.toUri(), ".pri")) as keyFile:
# base64Content = keyFile.read()
# decoded = base64.b64decode(base64Content)
# print decoded
# for i in range(0, len(decoded)):
# print int(decoded[i])
face = Face()
face.setCommandSigningInfo(keyChain, certificateName)
certificateNamePrefix = Name(identityName).append("KEY")
def __init__(self, face, encryptResult, defaultPrefix, link = None):
# Set up face
self.face = face
self._encryptResult = encryptResult
self._link = link
self.databaseFilePath = "policy_config/test_consumer_dpu.db"
try:
os.remove(self.databaseFilePath)
except OSError:
# no such file
pass
self.groupName = Name(defaultPrefix)
# Set up the keyChain.
identityStorage = BasicIdentityStorage()
privateKeyStorage = FilePrivateKeyStorage()
self.keyChain = KeyChain(
IdentityManager(identityStorage, privateKeyStorage),
NoVerifyPolicyManager())
# Authorized identity
identityName = Name("/ndn/edu/basel/dpu")
# Function name: the function that this DPU provides
self._functionName = "bounding_box"
self._identityName = identityName
self.certificateName = self.keyChain.createIdentityAndCertificate(identityName)
# TODO: if using BasicIdentityStorage and FilePrivateKeyStorage
# For some reason this newly generated cert is not installed by default, calling keyChain sign later would result in error
#self.keyChain.installIdentityCertificate()
self.memoryContentCache = MemoryContentCache(self.face)
try:
commandSigningKeyChain = KeyChain()
print "Default certificate name is: " + self.keyChain.getDefaultCertificateName().toUri()
self.face.setCommandSigningInfo(commandSigningKeyChain, commandSigningKeyChain.getDefaultCertificateName())
self.memoryContentCache.registerPrefix(identityName, self.onRegisterFailed, self.onDataNotFound)
except SecurityException as e:
print str(e)
print "Cannot use default certificate, use created certificate in FilePrivateKeyStorage"
self.face.setCommandSigningInfo(self.keyChain, self.certificateName)
self.memoryContentCache.registerPrefix(identityName, self.onRegisterFailed, self.onDataNotFound)
consumerKeyName = IdentityCertificate.certificateNameToPublicKeyName(self.certificateName)
consumerCertificate = identityStorage.getCertificate(self.certificateName)
self.consumer = Consumer(
face, self.keyChain, self.groupName, identityName,
Sqlite3ConsumerDb(self.databaseFilePath))
# TODO: Read the private key to decrypt d-key...this may or may not be ideal
base64Content = None
with open(privateKeyStorage.nameTransform(consumerKeyName.toUri(), ".pri")) as keyFile:
print privateKeyStorage.nameTransform(consumerKeyName.toUri(), ".pri")
base64Content = keyFile.read()
#print base64Content
der = Blob(base64.b64decode(base64Content), False)
self.consumer.addDecryptionKey(consumerKeyName, der)
self.memoryContentCache.add(consumerCertificate)
accessRequestInterest = Interest(Name(self.groupName).append("read_access_request").append(self.certificateName).appendVersion(int(time.time())))
self.face.expressInterest(accessRequestInterest, self.onAccessRequestData, self.onAccessRequestTimeout)
print "Access request interest name: " + accessRequestInterest.getName().toUri()
self._tasks = dict()
return
class TestGroupManager(ut.TestCase):
def setUp(self):
# Reuse the policy_config subdirectory for the temporary SQLite files.
self.dKeyDatabaseFilePath = "policy_config/manager-d-key-test.db"
try:
os.remove(self.dKeyDatabaseFilePath)
except OSError:
# no such file
pass
self.eKeyDatabaseFilePath = "policy_config/manager-e-key-test.db"
try:
os.remove(self.eKeyDatabaseFilePath)
except OSError:
# no such file
pass
self.intervalDatabaseFilePath = "policy_config/manager-interval-test.db"
try:
os.remove(self.intervalDatabaseFilePath)
except OSError:
# no such file
pass
self.groupKeyDatabaseFilePath = "policy_config/manager-group-key-test.db"
try:
os.remove(self.groupKeyDatabaseFilePath)
except OSError:
# no such file
pass
params = RsaKeyParams()
memberDecryptKey = RsaAlgorithm.generateKey(params)
self.decryptKeyBlob = memberDecryptKey.getKeyBits()
memberEncryptKey = RsaAlgorithm.deriveEncryptKey(self.decryptKeyBlob)
self.encryptKeyBlob = memberEncryptKey.getKeyBits()
# Generate the certificate.
self.certificate = IdentityCertificate()
self.certificate.setName(Name("/ndn/memberA/KEY/ksk-123/ID-CERT/123"))
contentPublicKey = PublicKey(self.encryptKeyBlob)
self.certificate.setPublicKeyInfo(contentPublicKey)
self.certificate.setNotBefore(0)
self.certificate.setNotAfter(0)
self.certificate.encode()
signatureInfoBlob = Blob(SIG_INFO, False)
signatureValueBlob = Blob(SIG_VALUE, False)
signature = TlvWireFormat.get().decodeSignatureInfoAndValue(
signatureInfoBlob.buf(), signatureValueBlob.buf())
self.certificate.setSignature(signature)
self.certificate.wireEncode()
# Set up the keyChain.
identityStorage = MemoryIdentityStorage()
privateKeyStorage = MemoryPrivateKeyStorage()
self.keyChain = KeyChain(
IdentityManager(identityStorage, privateKeyStorage),
NoVerifyPolicyManager())
identityName = Name("TestGroupManager")
self.keyChain.createIdentityAndCertificate(identityName)
self.keyChain.getIdentityManager().setDefaultIdentity(identityName)
def tearDown(self):
try:
os.remove(self.dKeyDatabaseFilePath)
except OSError:
pass
try:
os.remove(self.eKeyDatabaseFilePath)
except OSError:
pass
try:
os.remove(self.intervalDatabaseFilePath)
except OSError:
pass
try:
os.remove(self.groupKeyDatabaseFilePath)
except OSError:
pass
def setManager(self, manager):
# Set up the first schedule.
schedule1 = Schedule()
interval11 = RepetitiveInterval(
Schedule.fromIsoString("20150825T000000"),
Schedule.fromIsoString("20150827T000000"), 5, 10, 2,
RepetitiveInterval.RepeatUnit.DAY)
interval12 = RepetitiveInterval(
Schedule.fromIsoString("20150825T000000"),
Schedule.fromIsoString("20150827T000000"), 6, 8, 1,
RepetitiveInterval.RepeatUnit.DAY)
interval13 = RepetitiveInterval(
Schedule.fromIsoString("20150827T000000"),
Schedule.fromIsoString("20150827T000000"), 7, 8)
schedule1.addWhiteInterval(interval11)
schedule1.addWhiteInterval(interval12)
schedule1.addBlackInterval(interval13)
# Set up the second schedule.
schedule2 = Schedule()
interval21 = RepetitiveInterval(
Schedule.fromIsoString("20150825T000000"),
Schedule.fromIsoString("20150827T000000"), 9, 12, 1,
RepetitiveInterval.RepeatUnit.DAY)
interval22 = RepetitiveInterval(
Schedule.fromIsoString("20150827T000000"),
Schedule.fromIsoString("20150827T000000"), 6, 8)
interval23 = RepetitiveInterval(
Schedule.fromIsoString("20150827T000000"),
Schedule.fromIsoString("20150827T000000"), 2, 4)
schedule2.addWhiteInterval(interval21)
schedule2.addWhiteInterval(interval22)
schedule2.addBlackInterval(interval23)
# Add them to the group manager database.
manager.addSchedule("schedule1", schedule1)
manager.addSchedule("schedule2", schedule2)
# Make some adaptions to certificate.
dataBlob = self.certificate.wireEncode()
memberA = Data()
memberA.wireDecode(dataBlob, TlvWireFormat.get())
memberA.setName(Name("/ndn/memberA/KEY/ksk-123/ID-CERT/123"))
memberB = Data()
memberB.wireDecode(dataBlob, TlvWireFormat.get())
memberB.setName(Name("/ndn/memberB/KEY/ksk-123/ID-CERT/123"))
memberC = Data()
memberC.wireDecode(dataBlob, TlvWireFormat.get())
memberC.setName(Name("/ndn/memberC/KEY/ksk-123/ID-CERT/123"))
# Add the members to the database.
manager.addMember("schedule1", memberA)
manager.addMember("schedule1", memberB)
manager.addMember("schedule2", memberC)
def test_create_d_key_data(self):
# Create the group manager.
manager = GroupManager(
Name("Alice"), Name("data_type"),
Sqlite3GroupManagerDb(self.dKeyDatabaseFilePath), 2048, 1,
self.keyChain)
newCertificateBlob = self.certificate.wireEncode()
newCertificate = IdentityCertificate()
newCertificate.wireDecode(newCertificateBlob)
# Encrypt the D-KEY.
data = manager._createDKeyData(
"20150825T000000", "20150827T000000", Name("/ndn/memberA/KEY"),
self.decryptKeyBlob, newCertificate.getPublicKeyInfo().getKeyDer())
# Verify the encrypted D-KEY.
dataContent = data.getContent()
# Get the nonce key.
# dataContent is a sequence of the two EncryptedContent.
encryptedNonce = EncryptedContent()
encryptedNonce.wireDecode(dataContent)
self.assertEqual(0, encryptedNonce.getInitialVector().size())
self.assertEqual(EncryptAlgorithmType.RsaOaep, encryptedNonce.getAlgorithmType())
blobNonce = encryptedNonce.getPayload()
decryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep)
nonce = RsaAlgorithm.decrypt(self.decryptKeyBlob, blobNonce, decryptParams)
# Get the D-KEY.
# Use the size of encryptedNonce to find the start of encryptedPayload.
payloadContent = dataContent.buf()[encryptedNonce.wireEncode().size():]
encryptedPayload = EncryptedContent()
encryptedPayload.wireDecode(payloadContent)
self.assertEqual(16, encryptedPayload.getInitialVector().size())
self.assertEqual(EncryptAlgorithmType.AesCbc, encryptedPayload.getAlgorithmType())
decryptParams.setAlgorithmType(EncryptAlgorithmType.AesCbc)
decryptParams.setInitialVector(encryptedPayload.getInitialVector())
blobPayload = encryptedPayload.getPayload()
largePayload = AesAlgorithm.decrypt(nonce, blobPayload, decryptParams)
self.assertTrue(largePayload.equals(self.decryptKeyBlob))
def test_create_e_key_data(self):
# Create the group manager.
manager = GroupManager(
Name("Alice"), Name("data_type"),
Sqlite3GroupManagerDb(self.eKeyDatabaseFilePath), 1024, 1,
self.keyChain)
self.setManager(manager)
data = manager._createEKeyData(
"20150825T090000", "20150825T110000", self.encryptKeyBlob)
self.assertEqual("/Alice/READ/data_type/E-KEY/20150825T090000/20150825T110000",
data.getName().toUri())
contentBlob = data.getContent()
self.assertTrue(self.encryptKeyBlob.equals(contentBlob))
def test_calculate_interval(self):
# Create the group manager.
manager = GroupManager(
Name("Alice"), Name("data_type"),
Sqlite3GroupManagerDb(self.intervalDatabaseFilePath), 1024, 1,
self.keyChain)
self.setManager(manager)
memberKeys = {}
timePoint1 = Schedule.fromIsoString("20150825T093000")
result = manager._calculateInterval(timePoint1, memberKeys)
self.assertEqual("20150825T090000", Schedule.toIsoString(result.getStartTime()))
self.assertEqual("20150825T100000", Schedule.toIsoString(result.getEndTime()))
timePoint2 = Schedule.fromIsoString("20150827T073000")
result = manager._calculateInterval(timePoint2, memberKeys)
self.assertEqual("20150827T070000", Schedule.toIsoString(result.getStartTime()))
self.assertEqual("20150827T080000", Schedule.toIsoString(result.getEndTime()))
timePoint3 = Schedule.fromIsoString("20150827T043000")
result = manager._calculateInterval(timePoint3, memberKeys)
self.assertEqual(False, result.isValid())
timePoint4 = Schedule.fromIsoString("20150827T053000")
result = manager._calculateInterval(timePoint4, memberKeys)
self.assertEqual("20150827T050000", Schedule.toIsoString(result.getStartTime()))
self.assertEqual("20150827T060000", Schedule.toIsoString(result.getEndTime()))
def test_get_group_key(self):
# Create the group manager.
manager = GroupManager(
Name("Alice"), Name("data_type"),
Sqlite3GroupManagerDb(self.groupKeyDatabaseFilePath), 1024, 1,
self.keyChain)
self.setManager(manager)
# Get the data list from the group manager.
timePoint1 = Schedule.fromIsoString("20150825T093000")
result = manager.getGroupKey(timePoint1)
self.assertEqual(4, len(result))
# The first data packet contains the group's encryption key (public key).
data = result[0]
self.assertEqual(
"/Alice/READ/data_type/E-KEY/20150825T090000/20150825T100000",
data.getName().toUri())
groupEKey = EncryptKey(data.getContent())
# Get the second data packet and decrypt.
data = result[1]
self.assertEqual(
"/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberA/ksk-123",
data.getName().toUri())
####################################################### Start decryption.
dataContent = data.getContent()
# Get the nonce key.
# dataContent is a sequence of the two EncryptedContent.
encryptedNonce = EncryptedContent()
encryptedNonce.wireDecode(dataContent)
self.assertEqual(0, encryptedNonce.getInitialVector().size())
self.assertEqual(EncryptAlgorithmType.RsaOaep, encryptedNonce.getAlgorithmType())
decryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep)
blobNonce = encryptedNonce.getPayload()
nonce = RsaAlgorithm.decrypt(self.decryptKeyBlob, blobNonce, decryptParams)
# Get the payload.
# Use the size of encryptedNonce to find the start of encryptedPayload.
payloadContent = dataContent.buf()[encryptedNonce.wireEncode().size():]
encryptedPayload = EncryptedContent()
encryptedPayload.wireDecode(payloadContent)
self.assertEqual(16, encryptedPayload.getInitialVector().size())
self.assertEqual(EncryptAlgorithmType.AesCbc, encryptedPayload.getAlgorithmType())
decryptParams.setAlgorithmType(EncryptAlgorithmType.AesCbc)
decryptParams.setInitialVector(encryptedPayload.getInitialVector())
blobPayload = encryptedPayload.getPayload()
largePayload = AesAlgorithm.decrypt(nonce, blobPayload, decryptParams)
# Get the group D-KEY.
groupDKey = DecryptKey(largePayload)
####################################################### End decryption.
# Check the D-KEY.
derivedGroupEKey = RsaAlgorithm.deriveEncryptKey(groupDKey.getKeyBits())
self.assertTrue(groupEKey.getKeyBits().equals(derivedGroupEKey.getKeyBits()))
# Check the third data packet.
data = result[2]
self.assertEqual(
"/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberB/ksk-123",
data.getName().toUri())
# Check the fourth data packet.
data = result[3]
self.assertEqual(
"/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberC/ksk-123",
data.getName().toUri())
# Check invalid time stamps for getting the group key.
timePoint2 = Schedule.fromIsoString("20150826T083000")
self.assertEqual(0, len(manager.getGroupKey(timePoint2)))
timePoint3 = Schedule.fromIsoString("20150827T023000")
self.assertEqual(0, len(manager.getGroupKey(timePoint3)))
def test_get_group_key_without_regeneration(self):
# Create the group manager.
manager = GroupManager(
Name("Alice"), Name("data_type"),
Sqlite3GroupManagerDb(self.groupKeyDatabaseFilePath), 1024, 1,
self.keyChain)
self.setManager(manager)
# Get the data list from the group manager.
timePoint1 = Schedule.fromIsoString("20150825T093000")
result = manager.getGroupKey(timePoint1)
self.assertEqual(4, len(result))
# The first data packet contains the group's encryption key (public key).
data1 = result[0]
self.assertEqual(
"/Alice/READ/data_type/E-KEY/20150825T090000/20150825T100000",
data1.getName().toUri())
groupEKey1 = EncryptKey(data1.getContent())
# Get the second data packet and decrypt.
data = result[1]
self.assertEqual(
"/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberA/ksk-123",
data.getName().toUri())
# Add new members to the database.
dataBlob = self.certificate.wireEncode()
memberD = Data()
memberD.wireDecode(dataBlob)
memberD.setName(Name("/ndn/memberD/KEY/ksk-123/ID-CERT/123"))
manager.addMember("schedule1", memberD)
result2 = manager.getGroupKey(timePoint1, False)
self.assertEqual(5, len(result2))
# Check that the new EKey is the same as the previous one.
data2 = result2[0]
self.assertEqual(
"/Alice/READ/data_type/E-KEY/20150825T090000/20150825T100000",
data2.getName().toUri())
groupEKey2 = EncryptKey(data2.getContent())
self.assertTrue(groupEKey1.getKeyBits().equals(groupEKey2.getKeyBits()));
# Check the second data packet.
data2 = result2[1]
self.assertEqual(
"/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberA/ksk-123",
data2.getName().toUri())
def setUp(self):
# Reuse the policy_config subdirectory for the temporary SQLite files.
self.dKeyDatabaseFilePath = "policy_config/manager-d-key-test.db"
try:
os.remove(self.dKeyDatabaseFilePath)
except OSError:
# no such file
pass
self.eKeyDatabaseFilePath = "policy_config/manager-e-key-test.db"
try:
os.remove(self.eKeyDatabaseFilePath)
except OSError:
# no such file
pass
self.intervalDatabaseFilePath = "policy_config/manager-interval-test.db"
try:
os.remove(self.intervalDatabaseFilePath)
except OSError:
# no such file
pass
self.groupKeyDatabaseFilePath = "policy_config/manager-group-key-test.db"
try:
os.remove(self.groupKeyDatabaseFilePath)
except OSError:
# no such file
pass
params = RsaKeyParams()
memberDecryptKey = RsaAlgorithm.generateKey(params)
self.decryptKeyBlob = memberDecryptKey.getKeyBits()
memberEncryptKey = RsaAlgorithm.deriveEncryptKey(self.decryptKeyBlob)
self.encryptKeyBlob = memberEncryptKey.getKeyBits()
# Generate the certificate.
self.certificate = IdentityCertificate()
self.certificate.setName(Name("/ndn/memberA/KEY/ksk-123/ID-CERT/123"))
contentPublicKey = PublicKey(self.encryptKeyBlob)
self.certificate.setPublicKeyInfo(contentPublicKey)
self.certificate.setNotBefore(0)
self.certificate.setNotAfter(0)
self.certificate.encode()
signatureInfoBlob = Blob(SIG_INFO, False)
signatureValueBlob = Blob(SIG_VALUE, False)
signature = TlvWireFormat.get().decodeSignatureInfoAndValue(
signatureInfoBlob.buf(), signatureValueBlob.buf())
self.certificate.setSignature(signature)
self.certificate.wireEncode()
# Set up the keyChain.
identityStorage = MemoryIdentityStorage()
privateKeyStorage = MemoryPrivateKeyStorage()
self.keyChain = KeyChain(
IdentityManager(identityStorage, privateKeyStorage),
NoVerifyPolicyManager())
identityName = Name("TestGroupManager")
self.keyChain.createIdentityAndCertificate(identityName)
self.keyChain.getIdentityManager().setDefaultIdentity(identityName)
def _generateCertificateForKey(self, keyName):
# Let any raised SecurityExceptions bubble up.
publicKeyBits = self._identityStorage.getKey(keyName)
publicKey = PublicKey(publicKeyBits)
timestamp = Common.getNowMilliseconds()
# TODO: Specify where the 'KEY' component is inserted
# to delegate responsibility for cert delivery.
# cf: http://redmine.named-data.net/issues/1659
certificateName = keyName.getPrefix(-1).append('KEY').append(keyName.get(-1))
certificateName.append("ID-CERT").appendVersion(int(timestamp))
certificate = IdentityCertificate()
certificate.setName(certificateName)
certificate.setNotBefore(timestamp)
certificate.setNotAfter((timestamp + 2*365*24*3600*1000)) # about 2 years.
certificate.setPublicKeyInfo(publicKey)
# ndnsec likes to put the key name in a subject description.
sd = CertificateSubjectDescription("2.5.4.41", keyName.toUri())
certificate.addSubjectDescription(sd)
certificate.encode()
return certificate
class TestGroupManager(ut.TestCase):
def setUp(self):
# Reuse the policy_config subdirectory for the temporary SQLite files.
self.dKeyDatabaseFilePath = "policy_config/manager-d-key-test.db"
try:
os.remove(self.dKeyDatabaseFilePath)
except OSError:
# no such file
pass
self.eKeyDatabaseFilePath = "policy_config/manager-e-key-test.db"
try:
os.remove(self.eKeyDatabaseFilePath)
except OSError:
# no such file
pass
self.intervalDatabaseFilePath = "policy_config/manager-interval-test.db"
try:
os.remove(self.intervalDatabaseFilePath)
except OSError:
# no such file
pass
self.groupKeyDatabaseFilePath = "policy_config/manager-group-key-test.db"
try:
os.remove(self.groupKeyDatabaseFilePath)
except OSError:
# no such file
pass
params = RsaKeyParams()
memberDecryptKey = RsaAlgorithm.generateKey(params)
self.decryptKeyBlob = memberDecryptKey.getKeyBits()
memberEncryptKey = RsaAlgorithm.deriveEncryptKey(self.decryptKeyBlob)
self.encryptKeyBlob = memberEncryptKey.getKeyBits()
# Generate the certificate.
self.certificate = IdentityCertificate()
self.certificate.setName(Name("/ndn/memberA/KEY/ksk-123/ID-CERT/123"))
contentPublicKey = PublicKey(self.encryptKeyBlob)
self.certificate.setPublicKeyInfo(contentPublicKey)
self.certificate.setNotBefore(0)
self.certificate.setNotAfter(0)
self.certificate.encode()
signatureInfoBlob = Blob(SIG_INFO, False)
signatureValueBlob = Blob(SIG_VALUE, False)
signature = TlvWireFormat.get().decodeSignatureInfoAndValue(
signatureInfoBlob.buf(), signatureValueBlob.buf())
self.certificate.setSignature(signature)
self.certificate.wireEncode()
# Set up the keyChain.
identityStorage = MemoryIdentityStorage()
privateKeyStorage = MemoryPrivateKeyStorage()
self.keyChain = KeyChain(
IdentityManager(identityStorage, privateKeyStorage),
NoVerifyPolicyManager())
identityName = Name("TestGroupManager")
self.keyChain.createIdentityAndCertificate(identityName)
self.keyChain.getIdentityManager().setDefaultIdentity(identityName)
def tearDown(self):
try:
os.remove(self.dKeyDatabaseFilePath)
except OSError:
pass
try:
os.remove(self.eKeyDatabaseFilePath)
except OSError:
pass
try:
os.remove(self.intervalDatabaseFilePath)
except OSError:
pass
try:
os.remove(self.groupKeyDatabaseFilePath)
except OSError:
pass
def setManager(self, manager):
# Set up the first schedule.
schedule1 = Schedule()
interval11 = RepetitiveInterval(
Schedule.fromIsoString("20150825T000000"),
Schedule.fromIsoString("20150827T000000"), 5, 10, 2,
RepetitiveInterval.RepeatUnit.DAY)
interval12 = RepetitiveInterval(
Schedule.fromIsoString("20150825T000000"),
Schedule.fromIsoString("20150827T000000"), 6, 8, 1,
RepetitiveInterval.RepeatUnit.DAY)
interval13 = RepetitiveInterval(
Schedule.fromIsoString("20150827T000000"),
Schedule.fromIsoString("20150827T000000"), 7, 8)
schedule1.addWhiteInterval(interval11)
schedule1.addWhiteInterval(interval12)
schedule1.addBlackInterval(interval13)
# Set up the second schedule.
schedule2 = Schedule()
interval21 = RepetitiveInterval(
Schedule.fromIsoString("20150825T000000"),
Schedule.fromIsoString("20150827T000000"), 9, 12, 1,
RepetitiveInterval.RepeatUnit.DAY)
interval22 = RepetitiveInterval(
Schedule.fromIsoString("20150827T000000"),
Schedule.fromIsoString("20150827T000000"), 6, 8)
interval23 = RepetitiveInterval(
Schedule.fromIsoString("20150827T000000"),
Schedule.fromIsoString("20150827T000000"), 2, 4)
schedule2.addWhiteInterval(interval21)
schedule2.addWhiteInterval(interval22)
schedule2.addBlackInterval(interval23)
# Add them to the group manager database.
manager.addSchedule("schedule1", schedule1)
manager.addSchedule("schedule2", schedule2)
# Make some adaptions to certificate.
dataBlob = self.certificate.wireEncode()
memberA = Data()
memberA.wireDecode(dataBlob, TlvWireFormat.get())
memberA.setName(Name("/ndn/memberA/KEY/ksk-123/ID-CERT/123"))
memberB = Data()
memberB.wireDecode(dataBlob, TlvWireFormat.get())
memberB.setName(Name("/ndn/memberB/KEY/ksk-123/ID-CERT/123"))
memberC = Data()
memberC.wireDecode(dataBlob, TlvWireFormat.get())
memberC.setName(Name("/ndn/memberC/KEY/ksk-123/ID-CERT/123"))
# Add the members to the database.
manager.addMember("schedule1", memberA)
manager.addMember("schedule1", memberB)
manager.addMember("schedule2", memberC)
def test_create_d_key_data(self):
# Create the group manager.
manager = GroupManager(
Name("Alice"), Name("data_type"),
Sqlite3GroupManagerDb(self.dKeyDatabaseFilePath), 2048, 1,
self.keyChain)
newCertificateBlob = self.certificate.wireEncode()
newCertificate = IdentityCertificate()
newCertificate.wireDecode(newCertificateBlob)
# Encrypt the D-KEY.
data = manager._createDKeyData(
"20150825T000000", "20150827T000000", Name("/ndn/memberA/KEY"),
self.decryptKeyBlob,
newCertificate.getPublicKeyInfo().getKeyDer())
# Verify the encrypted D-KEY.
dataContent = data.getContent()
# Get the nonce key.
# dataContent is a sequence of the two EncryptedContent.
encryptedNonce = EncryptedContent()
encryptedNonce.wireDecode(dataContent)
self.assertEqual(0, encryptedNonce.getInitialVector().size())
self.assertEqual(EncryptAlgorithmType.RsaOaep,
encryptedNonce.getAlgorithmType())
blobNonce = encryptedNonce.getPayload()
decryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep)
nonce = RsaAlgorithm.decrypt(self.decryptKeyBlob, blobNonce,
decryptParams)
# Get the D-KEY.
# Use the size of encryptedNonce to find the start of encryptedPayload.
payloadContent = dataContent.buf()[encryptedNonce.wireEncode().size():]
encryptedPayload = EncryptedContent()
encryptedPayload.wireDecode(payloadContent)
self.assertEqual(16, encryptedPayload.getInitialVector().size())
self.assertEqual(EncryptAlgorithmType.AesCbc,
encryptedPayload.getAlgorithmType())
decryptParams.setAlgorithmType(EncryptAlgorithmType.AesCbc)
decryptParams.setInitialVector(encryptedPayload.getInitialVector())
blobPayload = encryptedPayload.getPayload()
largePayload = AesAlgorithm.decrypt(nonce, blobPayload, decryptParams)
self.assertTrue(largePayload.equals(self.decryptKeyBlob))
def test_create_e_key_data(self):
# Create the group manager.
manager = GroupManager(
Name("Alice"), Name("data_type"),
Sqlite3GroupManagerDb(self.eKeyDatabaseFilePath), 1024, 1,
self.keyChain)
self.setManager(manager)
data = manager._createEKeyData("20150825T090000", "20150825T110000",
self.encryptKeyBlob)
self.assertEqual(
"/Alice/READ/data_type/E-KEY/20150825T090000/20150825T110000",
data.getName().toUri())
contentBlob = data.getContent()
self.assertTrue(self.encryptKeyBlob.equals(contentBlob))
def test_calculate_interval(self):
# Create the group manager.
manager = GroupManager(
Name("Alice"), Name("data_type"),
Sqlite3GroupManagerDb(self.intervalDatabaseFilePath), 1024, 1,
self.keyChain)
self.setManager(manager)
memberKeys = {}
timePoint1 = Schedule.fromIsoString("20150825T093000")
result = manager._calculateInterval(timePoint1, memberKeys)
self.assertEqual("20150825T090000",
Schedule.toIsoString(result.getStartTime()))
self.assertEqual("20150825T100000",
Schedule.toIsoString(result.getEndTime()))
timePoint2 = Schedule.fromIsoString("20150827T073000")
result = manager._calculateInterval(timePoint2, memberKeys)
self.assertEqual("20150827T070000",
Schedule.toIsoString(result.getStartTime()))
self.assertEqual("20150827T080000",
Schedule.toIsoString(result.getEndTime()))
timePoint3 = Schedule.fromIsoString("20150827T043000")
result = manager._calculateInterval(timePoint3, memberKeys)
self.assertEqual(False, result.isValid())
timePoint4 = Schedule.fromIsoString("20150827T053000")
result = manager._calculateInterval(timePoint4, memberKeys)
self.assertEqual("20150827T050000",
Schedule.toIsoString(result.getStartTime()))
self.assertEqual("20150827T060000",
Schedule.toIsoString(result.getEndTime()))
def test_get_group_key(self):
# Create the group manager.
manager = GroupManager(
Name("Alice"), Name("data_type"),
Sqlite3GroupManagerDb(self.groupKeyDatabaseFilePath), 1024, 1,
self.keyChain)
self.setManager(manager)
# Get the data list from the group manager.
timePoint1 = Schedule.fromIsoString("20150825T093000")
result = manager.getGroupKey(timePoint1)
self.assertEqual(4, len(result))
# The first data packet contains the group's encryption key (public key).
data = result[0]
self.assertEqual(
"/Alice/READ/data_type/E-KEY/20150825T090000/20150825T100000",
data.getName().toUri())
groupEKey = EncryptKey(data.getContent())
# Get the second data packet and decrypt.
data = result[1]
self.assertEqual(
"/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberA/ksk-123",
data.getName().toUri())
####################################################### Start decryption.
dataContent = data.getContent()
# Get the nonce key.
# dataContent is a sequence of the two EncryptedContent.
encryptedNonce = EncryptedContent()
encryptedNonce.wireDecode(dataContent)
self.assertEqual(0, encryptedNonce.getInitialVector().size())
self.assertEqual(EncryptAlgorithmType.RsaOaep,
encryptedNonce.getAlgorithmType())
decryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep)
blobNonce = encryptedNonce.getPayload()
nonce = RsaAlgorithm.decrypt(self.decryptKeyBlob, blobNonce,
decryptParams)
# Get the payload.
# Use the size of encryptedNonce to find the start of encryptedPayload.
payloadContent = dataContent.buf()[encryptedNonce.wireEncode().size():]
encryptedPayload = EncryptedContent()
encryptedPayload.wireDecode(payloadContent)
self.assertEqual(16, encryptedPayload.getInitialVector().size())
self.assertEqual(EncryptAlgorithmType.AesCbc,
encryptedPayload.getAlgorithmType())
decryptParams.setAlgorithmType(EncryptAlgorithmType.AesCbc)
decryptParams.setInitialVector(encryptedPayload.getInitialVector())
blobPayload = encryptedPayload.getPayload()
largePayload = AesAlgorithm.decrypt(nonce, blobPayload, decryptParams)
# Get the group D-KEY.
groupDKey = DecryptKey(largePayload)
####################################################### End decryption.
# Check the D-KEY.
derivedGroupEKey = RsaAlgorithm.deriveEncryptKey(
groupDKey.getKeyBits())
self.assertTrue(groupEKey.getKeyBits().equals(
derivedGroupEKey.getKeyBits()))
# Check the third data packet.
data = result[2]
self.assertEqual(
"/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberB/ksk-123",
data.getName().toUri())
# Check the fourth data packet.
data = result[3]
self.assertEqual(
"/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberC/ksk-123",
data.getName().toUri())
# Check invalid time stamps for getting the group key.
timePoint2 = Schedule.fromIsoString("20150826T083000")
self.assertEqual(0, len(manager.getGroupKey(timePoint2)))
timePoint3 = Schedule.fromIsoString("20150827T023000")
self.assertEqual(0, len(manager.getGroupKey(timePoint3)))
def test_get_group_key_without_regeneration(self):
# Create the group manager.
manager = GroupManager(
Name("Alice"), Name("data_type"),
Sqlite3GroupManagerDb(self.groupKeyDatabaseFilePath), 1024, 1,
self.keyChain)
self.setManager(manager)
# Get the data list from the group manager.
timePoint1 = Schedule.fromIsoString("20150825T093000")
result = manager.getGroupKey(timePoint1)
self.assertEqual(4, len(result))
# The first data packet contains the group's encryption key (public key).
data1 = result[0]
self.assertEqual(
"/Alice/READ/data_type/E-KEY/20150825T090000/20150825T100000",
data1.getName().toUri())
groupEKey1 = EncryptKey(data1.getContent())
# Get the second data packet and decrypt.
data = result[1]
self.assertEqual(
"/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberA/ksk-123",
data.getName().toUri())
# Add new members to the database.
dataBlob = self.certificate.wireEncode()
memberD = Data()
memberD.wireDecode(dataBlob)
memberD.setName(Name("/ndn/memberD/KEY/ksk-123/ID-CERT/123"))
manager.addMember("schedule1", memberD)
result2 = manager.getGroupKey(timePoint1, False)
self.assertEqual(5, len(result2))
# Check that the new EKey is the same as the previous one.
data2 = result2[0]
self.assertEqual(
"/Alice/READ/data_type/E-KEY/20150825T090000/20150825T100000",
data2.getName().toUri())
groupEKey2 = EncryptKey(data2.getContent())
self.assertTrue(groupEKey1.getKeyBits().equals(
groupEKey2.getKeyBits()))
# Check the second data packet.
data2 = result2[1]
self.assertEqual(
"/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberA/ksk-123",
data2.getName().toUri())
def setUp(self):
# Reuse the policy_config subdirectory for the temporary SQLite files.
self.dKeyDatabaseFilePath = "policy_config/manager-d-key-test.db"
try:
os.remove(self.dKeyDatabaseFilePath)
except OSError:
# no such file
pass
self.eKeyDatabaseFilePath = "policy_config/manager-e-key-test.db"
try:
os.remove(self.eKeyDatabaseFilePath)
except OSError:
# no such file
pass
self.intervalDatabaseFilePath = "policy_config/manager-interval-test.db"
try:
os.remove(self.intervalDatabaseFilePath)
except OSError:
# no such file
pass
self.groupKeyDatabaseFilePath = "policy_config/manager-group-key-test.db"
try:
os.remove(self.groupKeyDatabaseFilePath)
except OSError:
# no such file
pass
params = RsaKeyParams()
memberDecryptKey = RsaAlgorithm.generateKey(params)
self.decryptKeyBlob = memberDecryptKey.getKeyBits()
memberEncryptKey = RsaAlgorithm.deriveEncryptKey(self.decryptKeyBlob)
self.encryptKeyBlob = memberEncryptKey.getKeyBits()
# Generate the certificate.
self.certificate = IdentityCertificate()
self.certificate.setName(Name("/ndn/memberA/KEY/ksk-123/ID-CERT/123"))
contentPublicKey = PublicKey(self.encryptKeyBlob)
self.certificate.setPublicKeyInfo(contentPublicKey)
self.certificate.setNotBefore(0)
self.certificate.setNotAfter(0)
self.certificate.encode()
signatureInfoBlob = Blob(SIG_INFO, False)
signatureValueBlob = Blob(SIG_VALUE, False)
signature = TlvWireFormat.get().decodeSignatureInfoAndValue(
signatureInfoBlob.buf(), signatureValueBlob.buf())
self.certificate.setSignature(signature)
self.certificate.wireEncode()
# Set up the keyChain.
identityStorage = MemoryIdentityStorage()
privateKeyStorage = MemoryPrivateKeyStorage()
self.keyChain = KeyChain(
IdentityManager(identityStorage, privateKeyStorage),
NoVerifyPolicyManager())
identityName = Name("TestGroupManager")
self.keyChain.createIdentityAndCertificate(identityName)
self.keyChain.getIdentityManager().setDefaultIdentity(identityName)
def prepareUnsignedIdentityCertificate(self, keyName, publicKey,
signingIdentity, notBefore, notAfter, subjectDescription = None,
certPrefix = None):
"""
Prepare an unsigned identity certificate.
:param Name keyName: The key name, e.g., `/{identity_name}/ksk-123456`.
:param PublicKey publicKey: (optional) The public key to sign. If
ommited, use the keyName to get the public key from the identity
storage.
:param Name signingIdentity: The signing identity.
:param float notBefore: See IdentityCertificate.
:param float notAfter: See IdentityCertificate.
:param Array<CertificateSubjectDescription> subjectDescription: A list
of CertificateSubjectDescription. See IdentityCertificate. If None or
empty, this adds a an ATTRIBUTE_NAME based on the keyName.
:param Name certPrefix: (optional) The prefix before the `KEY`
component. If None, this infers the certificate name according to the
relation between the signingIdentity and the subject identity. If the
signingIdentity is a prefix of the subject identity, `KEY` will be
inserted after the signingIdentity, otherwise `KEY` is inserted after
subject identity (i.e., before `ksk-...`).
:return: The unsigned IdentityCertificate, or None if the inputs are
invalid.
:rtype: IdentityCertificate
"""
if not isinstance(publicKey, PublicKey):
# The publicKey was omitted. Shift arguments.
certPrefix = subjectDescription
subjectDescription = notAfter
notAfter = notBefore
notBefore = signingIdentity
signingIdentity = publicKey
publicKey = PublicKey(self._identityStorage.getKey(keyName))
if keyName.size() < 1:
return None
tempKeyIdPrefix = keyName.get(-1).toEscapedString()
if len(tempKeyIdPrefix) < 4:
return None
keyIdPrefix = tempKeyIdPrefix[0:4]
if keyIdPrefix != "ksk-" and keyIdPrefix != "dsk-":
return None
certificate = IdentityCertificate()
certName = Name()
if certPrefix == None:
# No certificate prefix hint, so infer the prefix.
if signingIdentity.match(keyName):
certName.append(signingIdentity) \
.append("KEY") \
.append(keyName.getSubName(signingIdentity.size())) \
.append("ID-CERT") \
.appendVersion(int(Common.getNowMilliseconds()))
else:
certName.append(keyName.getPrefix(-1)) \
.append("KEY") \
.append(keyName.get(-1)) \
.append("ID-CERT") \
.appendVersion(int(Common.getNowMilliseconds()))
else:
# A cert prefix hint is supplied, so determine the cert name.
if certPrefix.match(keyName) and not certPrefix.equals(keyName):
certName.append(certPrefix) \
.append("KEY") \
.append(keyName.getSubName(certPrefix.size())) \
.append("ID-CERT") \
.appendVersion(int(Common.getNowMilliseconds()))
else:
return None
certificate.setName(certName)
certificate.setNotBefore(notBefore)
certificate.setNotAfter(notAfter)
certificate.setPublicKeyInfo(publicKey)
if subjectDescription == None or len(subjectDescription) == 0:
certificate.addSubjectDescription(CertificateSubjectDescription(
"2.5.4.41", keyName.getPrefix(-1).toUri()))
else:
for i in range(len(subjectDescription)):
certificate.addSubjectDescription(subjectDescription[i])
try:
certificate.encode()
except Exception as ex:
raise SecurityException("DerEncodingException: " + str(ex))
return certificate
def generateCertificateForKey(self, keyName):
# let any raised SecurityExceptions bubble up
publicKeyBits = self._identityStorage.getKey(keyName)
publicKeyType = self._identityStorage.getKeyType(keyName)
publicKey = PublicKey(publicKeyType, publicKeyBits)
timestamp = Common.getNowMilliseconds()
# TODO: specify where the 'KEY' component is inserted
# to delegate responsibility for cert delivery
certificateName = keyName.getPrefix(-1).append('KEY').append(
keyName.get(-1))
certificateName.append("ID-CERT").append(
Name.Component(struct.pack(">Q", timestamp)))
certificate = IdentityCertificate(certificateName)
certificate.setNotBefore(timestamp)
certificate.setNotAfter(
(timestamp + 30 * 86400 * 1000)) # about a month
certificate.setPublicKeyInfo(publicKey)
# ndnsec likes to put the key name in a subject description
sd = CertificateSubjectDescription("2.5.4.41", keyName.toUri())
certificate.addSubjectDescription(sd)
certificate.encode()
return certificate
def prepareUnsignedIdentityCertificate(self,
keyName,
publicKey,
signingIdentity,
notBefore,
notAfter,
subjectDescription=None,
certPrefix=None):
"""
Prepare an unsigned identity certificate.
:param Name keyName: The key name, e.g., `/{identity_name}/ksk-123456`.
:param PublicKey publicKey: (optional) The public key to sign. If
ommited, use the keyName to get the public key from the identity
storage.
:param Name signingIdentity: The signing identity.
:param float notBefore: See IdentityCertificate.
:param float notAfter: See IdentityCertificate.
:param Array<CertificateSubjectDescription> subjectDescription: A list
of CertificateSubjectDescription. See IdentityCertificate. If None or
empty, this adds a an ATTRIBUTE_NAME based on the keyName.
:param Name certPrefix: (optional) The prefix before the `KEY`
component. If None, this infers the certificate name according to the
relation between the signingIdentity and the subject identity. If the
signingIdentity is a prefix of the subject identity, `KEY` will be
inserted after the signingIdentity, otherwise `KEY` is inserted after
subject identity (i.e., before `ksk-...`).
:return: The unsigned IdentityCertificate, or None if the inputs are
invalid.
:rtype: IdentityCertificate
"""
if not isinstance(publicKey, PublicKey):
# The publicKey was omitted. Shift arguments.
certPrefix = subjectDescription
subjectDescription = notAfter
notAfter = notBefore
notBefore = signingIdentity
signingIdentity = publicKey
publicKey = PublicKey(self._identityStorage.getKey(keyName))
if keyName.size() < 1:
return None
tempKeyIdPrefix = keyName.get(-1).toEscapedString()
if len(tempKeyIdPrefix) < 4:
return None
keyIdPrefix = tempKeyIdPrefix[0:4]
if keyIdPrefix != "ksk-" and keyIdPrefix != "dsk-":
return None
certificate = IdentityCertificate()
certName = Name()
if certPrefix == None:
# No certificate prefix hint, so infer the prefix.
if signingIdentity.match(keyName):
certName.append(signingIdentity) \
.append("KEY") \
.append(keyName.getSubName(signingIdentity.size())) \
.append("ID-CERT") \
.appendVersion(int(Common.getNowMilliseconds()))
else:
certName.append(keyName.getPrefix(-1)) \
.append("KEY") \
.append(keyName.get(-1)) \
.append("ID-CERT") \
.appendVersion(int(Common.getNowMilliseconds()))
else:
# A cert prefix hint is supplied, so determine the cert name.
if certPrefix.match(keyName) and not certPrefix.equals(keyName):
certName.append(certPrefix) \
.append("KEY") \
.append(keyName.getSubName(certPrefix.size())) \
.append("ID-CERT") \
.appendVersion(int(Common.getNowMilliseconds()))
else:
return None
certificate.setName(certName)
certificate.setNotBefore(notBefore)
certificate.setNotAfter(notAfter)
certificate.setPublicKeyInfo(publicKey)
if subjectDescription == None or len(subjectDescription) == 0:
certificate.addSubjectDescription(
CertificateSubjectDescription("2.5.4.41",
keyName.getPrefix(-1).toUri()))
else:
for i in range(len(subjectDescription)):
certificate.addSubjectDescription(subjectDescription[i])
try:
certificate.encode()
except Exception as ex:
raise SecurityException("DerEncodingException: " + str(ex))
return certificate
