def getCertificate(self, certificateName, allowAny = False): """ Get a certificate from the identity storage. :param Name certificateName: The name of the requested certificate. :param bool allowAny: (optional) If False, only a valid certificate will be returned, otherwise validity is disregarded. If omitted, allowAny is False. :return: The requested certificate. If not found, return None. :rtype: Data """ chosenCert = None certificateUri = certificateName.toUri() cursor = self._database.cursor() #if not allowAny: # validityClause = " AND valid_flag=1" #else: validityClause = "" # use LIKE because key locators chop off timestamps # need to escape any percent signs in the certificate uri for sql's # sake, but still append % for LIKE escapedUri = certificateUri.replace('%', '\\%') full_statement = "SELECT certificate_data FROM Certificate WHERE cert_name LIKE ?"+validityClause+" ESCAPE '\\' ORDER BY cert_name DESC" #full_statement = "SELECT certificate_data FROM Certificate WHERE cert_name=?"+validityClause cursor.execute(full_statement, (escapedUri+'%', )) try: (certData, ) = cursor.fetchone() except TypeError: pass else: chosenCert = IdentityCertificate() chosenCert.wireDecode(bytearray(certData)) return chosenCert
def _processValidCertificate(self, data): # unpack the cert from the HMAC signed packet and verify try: newCert = IdentityCertificate() newCert.wireDecode(data.getContent()) self.log.info("Received certificate from controller") self.log.debug(str(newCert)) # NOTE: we download and install the root certificate without verifying it (!) # otherwise our policy manager will reject it. # we may need a static method on KeyChain to allow verifying before adding rootCertName = newCert.getSignature().getKeyLocator().getKeyName() # update trust rules so we trust the controller self._policyManager.setDeviceIdentity(self._configureIdentity) self._policyManager.updateTrustRules() def onRootCertificateDownload(interest, data): try: self._identityStorage.addCertificate(data) except SecurityException: # already exists pass self._keyChain.verifyData(newCert, self._finalizeCertificateDownload, self._certificateValidationFailed) def onRootCertificateTimeout(interest): # TODO: limit number of tries, then revert trust root + network prefix # reset salt, create new Hmac key self.face.expressInterest(rootCertName, onRootCertificateDownload, onRootCertificateTimeout) self.face.expressInterest(rootCertName, onRootCertificateDownload, onRootCertificateTimeout) except Exception as e: self.log.exception("Could not import new certificate", exc_info=True)
def _processValidCertificate(self, data): # unpack the cert from the HMAC signed packet and verify try: newCert = IdentityCertificate() newCert.wireDecode(data.getContent()) self.log.info("Received certificate from controller") # NOTE: we download and install the root certificate without verifying it (!) # otherwise our policy manager will reject it. # we may need a static method on KeyChain to allow verifying before adding rootCertName = newCert.getSignature().getKeyLocator().getKeyName() # update trust rules so we trust the controller self._policyManager.setDeviceIdentity(self._configureIdentity) self._policyManager.updateTrustRules() def onRootCertificateDownload(interest, data): try: # zhehao: the root cert is downloaded and installed without verifying; should the root cert be preconfigured? # Insert root certificate so that we can verify newCert self._policyManager._certificateCache.insertCertificate(data) # Set the root cert as default for root identity try: self._identityManager.addCertificateAsIdentityDefault(IdentityCertificate(data)) except SecurityException as e: print("Error when addCertificateAsIdentityDefault for root: " + data.getName().toUri()) print(str(e)) self._rootCertificate = data try: # use the default configuration where possible # TODO: use environment variable for this, fall back to default fileName = os.path.expanduser('~/.ndn/.iot.root.cert') rootCertFile = open(fileName, "w") rootCertFile.write(Blob(b64encode(self._rootCertificate.wireEncode().toBytes()), False).toRawStr()) rootCertFile.close() except IOError as e: self.log.error("Cannot write to root certificate file: " + rootCertFile) print "Cannot write to root certificate file: " + rootCertFile except SecurityException as e: print(str(e)) # already exists, or got certificate in wrong format pass self._keyChain.verifyData(newCert, self._finalizeCertificateDownload, self._certificateValidationFailed) def onRootCertificateTimeout(interest): # TODO: limit number of tries, then revert trust root + network prefix # reset salt, create new Hmac key self.face.expressInterest(rootCertName, onRootCertificateDownload, onRootCertificateTimeout) self.face.expressInterest(rootCertName, onRootCertificateDownload, onRootCertificateTimeout) except Exception as e: self.log.exception("Could not import new certificate", exc_info=True)
def test_refresh_10s(self): with open('policy_config/testData', 'r') as dataFile: encodedData = dataFile.read() data = Data() dataBlob = Blob(b64decode(encodedData)) data.wireDecode(dataBlob) # needed, since the KeyChain will express interests in unknown # certificates vr = doVerify(self.policyManager, data) self.assertTrue(vr.hasFurtherSteps, "ConfigPolicyManager did not create ValidationRequest for unknown certificate") self.assertEqual(vr.successCount, 0, "ConfigPolicyManager called success callback with pending ValidationRequest") self.assertEqual(vr.failureCount, 0, "ConfigPolicyManager called failure callback with pending ValidationRequest") # now save the cert data to our anchor directory, and wait # we have to sign it with the current identity or the # policy manager will create an interest for the signing certificate with open(self.testCertFile, 'w') as certFile: cert = IdentityCertificate() certData = b64decode(CERT_DUMP) cert.wireDecode(Blob(certData, False)) self.keyChain.signByIdentity(cert, self.identityName) encodedCert = b64encode(cert.wireEncode().toBuffer()) certFile.write(Blob(encodedCert, False).toRawStr()) # still too early for refresh to pick it up vr = doVerify(self.policyManager, data) self.assertTrue(vr.hasFurtherSteps, "ConfigPolicyManager refresh occured sooner than specified") self.assertEqual(vr.successCount, 0, "ConfigPolicyManager called success callback with pending ValidationRequest") self.assertEqual(vr.failureCount, 0, "ConfigPolicyManager called failure callback with pending ValidationRequest") time.sleep(6) # now we should find it vr = doVerify(self.policyManager, data) self.assertFalse(vr.hasFurtherSteps, "ConfigPolicyManager did not refresh certificate store") self.assertEqual(vr.successCount, 1, "Verification success called {} times instead of 1".format( vr.successCount)) self.assertEqual(vr.failureCount, 0, "ConfigPolicyManager did not verify valid signed data")
def test_refresh_10s(self): with open('policy_config/testData', 'r') as dataFile: encodedData = dataFile.read() data = Data() dataBlob = Blob(b64decode(encodedData)) data.wireDecode(dataBlob) # needed, since the KeyChain will express interests in unknown # certificates vr = doVerify(self.policyManager, data) self.assertTrue(vr.hasFurtherSteps, "ConfigPolicyManager did not create ValidationRequest for unknown certificate") self.assertEqual(vr.successCount, 0, "ConfigPolicyManager called success callback with pending ValidationRequest") self.assertEqual(vr.failureCount, 0, "ConfigPolicyManager called failure callback with pending ValidationRequest") # now save the cert data to our anchor directory, and wait # we have to sign it with the current identity or the # policy manager will create an interest for the signing certificate with open(self.testCertFile, 'w') as certFile: cert = IdentityCertificate() certData = b64decode(CERT_DUMP) cert.wireDecode(Blob(certData, False)) self.keyChain.signByIdentity(cert, self.identityName) encodedCert = b64encode(cert.wireEncode().toBytes()) certFile.write(Blob(encodedCert, False).toRawStr()) # still too early for refresh to pick it up vr = doVerify(self.policyManager, data) self.assertTrue(vr.hasFurtherSteps, "ConfigPolicyManager refresh occured sooner than specified") self.assertEqual(vr.successCount, 0, "ConfigPolicyManager called success callback with pending ValidationRequest") self.assertEqual(vr.failureCount, 0, "ConfigPolicyManager called failure callback with pending ValidationRequest") time.sleep(6) # now we should find it vr = doVerify(self.policyManager, data) self.assertFalse(vr.hasFurtherSteps, "ConfigPolicyManager did not refresh certificate store") self.assertEqual(vr.successCount, 1, "Verification success called {} times instead of 1".format( vr.successCount)) self.assertEqual(vr.failureCount, 0, "ConfigPolicyManager did not verify valid signed data")
def signByCertificate(self, target, certificateName, wireFormat=None): """ Sign the target based on the certificateName. If it is a Data object, set its signature. If it is an array, return a signature object. :param target: If this is a Data object, wire encode for signing, update its signature and key locator field and wireEncoding. If it is an array, sign it and return a Signature object. :param Name certificateName: The Name identifying the certificate which identifies the signing key. :param wireFormat: (optional) The WireFormat for calling encodeData, or WireFormat.getDefaultWireFormat() if omitted. :type wireFormat: A subclass of WireFormat :return: The Signature object (only if the target is an array). :rtype: An object of a subclass of Signature """ if wireFormat == None: # Don't use a default argument since getDefaultWireFormat can change. wireFormat = WireFormat.getDefaultWireFormat() if isinstance(target, Data): data = target digestAlgorithm = [0] signature = self._makeSignatureByCertificate( certificateName, digestAlgorithm) data.setSignature(signature) # Encode once to get the signed portion. encoding = data.wireEncode(wireFormat) data.getSignature().setSignature( self._privateKeyStorage.sign( encoding.toSignedBuffer(), IdentityCertificate.certificateNameToPublicKeyName( certificateName), digestAlgorithm[0])) # Encode again to include the signature. data.wireEncode(wireFormat) else: digestAlgorithm = [0] signature = self._makeSignatureByCertificate( certificateName, digestAlgorithm) signature.setSignature( self._privateKeyStorage.sign( target, IdentityCertificate.certificateNameToPublicKeyName( certificateName), digestAlgorithm[0])) return signature
def signByCertificate(self, target, certificateName, wireFormat = None): """ Sign the target based on the certificateName. If it is a Data object, set its signature. If it is an array, return a signature object. :param target: If this is a Data object, wire encode for signing, update its signature and key locator field and wireEncoding. If it is an array, sign it and return a Signature object. :param Name certificateName: The Name identifying the certificate which identifies the signing key. :param wireFormat: (optional) The WireFormat for calling encodeData, or WireFormat.getDefaultWireFormat() if omitted. :type wireFormat: A subclass of WireFormat :return: The Signature object (only if the target is an array). :rtype: An object of a subclass of Signature """ if wireFormat == None: # Don't use a default argument since getDefaultWireFormat can change. wireFormat = WireFormat.getDefaultWireFormat() if isinstance(target, Data): data = target digestAlgorithm = [0] signature = self._makeSignatureByCertificate( certificateName, digestAlgorithm) data.setSignature(signature) # Encode once to get the signed portion. encoding = data.wireEncode(wireFormat) data.getSignature().setSignature(self._privateKeyStorage.sign (encoding.toSignedBuffer(), IdentityCertificate.certificateNameToPublicKeyName(certificateName), digestAlgorithm[0])) # Encode again to include the signature. data.wireEncode(wireFormat) else: digestAlgorithm = [0] signature = self._makeSignatureByCertificate( certificateName, digestAlgorithm) signature.setSignature( self._privateKeyStorage.sign( target, IdentityCertificate.certificateNameToPublicKeyName(certificateName), digestAlgorithm[0])) return signature
def test_create_d_key_data(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.dKeyDatabaseFilePath), 2048, 1, self.keyChain) newCertificateBlob = self.certificate.wireEncode() newCertificate = IdentityCertificate() newCertificate.wireDecode(newCertificateBlob) # Encrypt the D-KEY. data = manager._createDKeyData( "20150825T000000", "20150827T000000", Name("/ndn/memberA/KEY"), self.decryptKeyBlob, newCertificate.getPublicKeyInfo().getKeyDer()) # Verify the encrypted D-KEY. dataContent = data.getContent() # Get the nonce key. # dataContent is a sequence of the two EncryptedContent. encryptedNonce = EncryptedContent() encryptedNonce.wireDecode(dataContent) self.assertEqual(0, encryptedNonce.getInitialVector().size()) self.assertEqual(EncryptAlgorithmType.RsaOaep, encryptedNonce.getAlgorithmType()) blobNonce = encryptedNonce.getPayload() decryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep) nonce = RsaAlgorithm.decrypt(self.decryptKeyBlob, blobNonce, decryptParams) # Get the D-KEY. # Use the size of encryptedNonce to find the start of encryptedPayload. payloadContent = dataContent.buf()[encryptedNonce.wireEncode().size():] encryptedPayload = EncryptedContent() encryptedPayload.wireDecode(payloadContent) self.assertEqual(16, encryptedPayload.getInitialVector().size()) self.assertEqual(EncryptAlgorithmType.AesCbc, encryptedPayload.getAlgorithmType()) decryptParams.setAlgorithmType(EncryptAlgorithmType.AesCbc) decryptParams.setInitialVector(encryptedPayload.getInitialVector()) blobPayload = encryptedPayload.getPayload() largePayload = AesAlgorithm.decrypt(nonce, blobPayload, decryptParams) self.assertTrue(largePayload.equals(self.decryptKeyBlob))
def _makeSignatureByCertificate(self, certificateName, digestAlgorithm): """ Return a new Signature object based on the signature algorithm of the public key with keyName (derived from certificateName). :param Name certificateName: The full certificate name. :param Array digestAlgorithm: Set digestAlgorithm[0] to the signature algorithm's digest algorithm, e.g. DigestAlgorithm.SHA256 . :return: The related public key name. :rtype: Signature """ keyName = IdentityCertificate.certificateNameToPublicKeyName(certificateName) publicKey = self._privateKeyStorage.getPublicKey(keyName) keyType = publicKey.getKeyType() if keyType == KeyType.RSA: signature = Sha256WithRsaSignature() digestAlgorithm[0] = DigestAlgorithm.SHA256 signature.getKeyLocator().setType(KeyLocatorType.KEYNAME) signature.getKeyLocator().setKeyName(certificateName.getPrefix(-1)) return signature elif keyType == KeyType.ECDSA: signature = Sha256WithEcdsaSignature() digestAlgorithm[0] = DigestAlgorithm.SHA256 signature.getKeyLocator().setType(KeyLocatorType.KEYNAME) signature.getKeyLocator().setKeyName(certificateName.getPrefix(-1)) return signature else: raise SecurityException("Key type is not recognized")
def test_prepare_unsigned_certificate(self): identityStorage = MemoryIdentityStorage() privateKeyStorage = MemoryPrivateKeyStorage() identityManager = IdentityManager(identityStorage, privateKeyStorage) keyName = Name("/test/ksk-1457560485494") identityStorage.addKey(keyName, KeyType.RSA, Blob(PUBLIC_KEY)) subjectDescriptions = [] subjectDescriptions.append( CertificateSubjectDescription(TEST_OID, "TEST NAME")) newCertificate = identityManager.prepareUnsignedIdentityCertificate( keyName, keyName.getPrefix(1), self.toyCertNotBefore, self.toyCertNotAfter, subjectDescriptions) # Update the generated certificate version to equal the one in toyCert. newCertificate.setName( Name(newCertificate.getName().getPrefix(-1).append( self.toyCert.getName().get(-1)))) # Make a copy to test encoding. certificateCopy = IdentityCertificate(newCertificate) self.assertEqual( str(self.toyCert), str(certificateCopy), "Prepared unsigned certificate dump does not have the expected format" )
def setDefaultCertificateNameForKey(self, keyName, certificateName): """ Set the default certificate name for the corresponding key :param Name keyName: not used :param Name certificateName: The certificate name. """ if not self.doesCertificateExist(certificateName): raise SecurityException("Certificate does not exist") keyName = IdentityCertificate.certificateNameToPublicKeyName(certificateName) identityUri = keyName.getPrefix(-1).toUri() keyId = keyName.get(-1).toEscapedString() try: cursor = None currentDefault = self.getDefaultCertificateNameForKey(keyName) except SecurityException: pass else: cursor = self._database.cursor() cursor.execute("UPDATE Certificate SET default_cert=0 WHERE cert_name=? AND identity_name=? AND key_identifier=?", (currentDefault.toUri(), identityUri, keyId)) if cursor is None: cursor = self._database.cursor() cursor.execute("UPDATE Certificate SET default_cert=1 WHERE cert_name=? AND identity_name=? AND key_identifier=?", (certificateName.toUri(), identityUri, keyId)) self._database.commit() cursor.close()
def _makeSignatureByCertificate(self, certificateName, digestAlgorithm): """ Return a new Signature object based on the signature algorithm of the public key with keyName (derived from certificateName). :param Name certificateName: The full certificate name. :param Array digestAlgorithm: Set digestAlgorithm[0] to the signature algorithm's digest algorithm, e.g. DigestAlgorithm.SHA256 . :return: The related public key name. :rtype: Signature """ keyName = IdentityCertificate.certificateNameToPublicKeyName( certificateName) publicKey = self._privateKeyStorage.getPublicKey(keyName) keyType = publicKey.getKeyType() if keyType == KeyType.RSA: signature = Sha256WithRsaSignature() digestAlgorithm[0] = DigestAlgorithm.SHA256 signature.getKeyLocator().setType(KeyLocatorType.KEYNAME) signature.getKeyLocator().setKeyName(certificateName.getPrefix(-1)) return signature elif keyType == KeyType.ECDSA: signature = Sha256WithEcdsaSignature() digestAlgorithm[0] = DigestAlgorithm.SHA256 signature.getKeyLocator().setType(KeyLocatorType.KEYNAME) signature.getKeyLocator().setKeyName(certificateName.getPrefix(-1)) return signature else: raise SecurityException("Key type is not recognized")
def __init__(self, face, encryptResult, link = None): # Set up face self.face = face self._encryptResult = encryptResult self._link = link self.databaseFilePath = "policy_config/test_consumer_dpu.db" try: os.remove(self.databaseFilePath) except OSError: # no such file pass self.groupName = Name("/org/openmhealth/haitao") # Set up the keyChain. identityStorage = BasicIdentityStorage() privateKeyStorage = FilePrivateKeyStorage() self.keyChain = KeyChain( IdentityManager(identityStorage, privateKeyStorage), NoVerifyPolicyManager()) # Authorized identity identityName = Name("/ndn/edu/basel/dpu") # Function name: the function that this DPU provides self._functionName = "bounding_box" self._identityName = identityName self.certificateName = self.keyChain.createIdentityAndCertificate(identityName) # TODO: if using BasicIdentityStorage and FilePrivateKeyStorage # For some reason this newly generated cert is not installed by default, calling keyChain sign later would result in error #self.keyChain.installIdentityCertificate() self.face.setCommandSigningInfo(self.keyChain, self.certificateName) consumerKeyName = IdentityCertificate.certificateNameToPublicKeyName(self.certificateName) consumerCertificate = identityStorage.getCertificate(self.certificateName) self.consumer = Consumer( face, self.keyChain, self.groupName, identityName, Sqlite3ConsumerDb(self.databaseFilePath)) # TODO: Read the private key to decrypt d-key...this may or may not be ideal base64Content = None with open(privateKeyStorage.nameTransform(consumerKeyName.toUri(), ".pri")) as keyFile: print privateKeyStorage.nameTransform(consumerKeyName.toUri(), ".pri") base64Content = keyFile.read() #print base64Content der = Blob(base64.b64decode(base64Content), False) self.consumer.addDecryptionKey(consumerKeyName, der) self.memoryContentCache = MemoryContentCache(self.face) self.memoryContentCache.registerPrefix(identityName, self.onRegisterFailed, self.onDataNotFound) self.memoryContentCache.add(consumerCertificate) accessRequestInterest = Interest(Name(self.groupName).append("read_access_request").append(self.certificateName).appendVersion(int(time.time()))) self.face.expressInterest(accessRequestInterest, self.onAccessRequestData, self.onAccessRequestTimeout) print "Access request interest name: " + accessRequestInterest.getName().toUri() self._tasks = dict() return
def getCertificate(self, certificateName, allowAny = False): """ Get a certificate from the identity storage. :param Name certificateName: The name of the requested certificate. :param bool allowAny: (optional) If False, only a valid certificate will be returned, otherwise validity is disregarded. If omitted, allowAny is False. :return: The requested certificate. If not found, return None. :rtype: IdentityCertificate """ certificateNameUri = certificateName.toUri() if not (certificateNameUri in self._certificateStore): # Not found. Silently return None. return None certificate = IdentityCertificate() certificate.wireDecode(self._certificateStore[certificateNameUri]) return certificate
def getCertificate(self, certificateName, allowAny=False): """ Get a certificate from the identity storage. :param Name certificateName: The name of the requested certificate. :param bool allowAny: (optional) If False, only a valid certificate will be returned, otherwise validity is disregarded. If omitted, allowAny is False. :return: The requested certificate. If not found, return None. :rtype: IdentityCertificate """ certificateNameUri = certificateName.toUri() if not (certificateNameUri in self._certificateStore): # Not found. Silently return None. return None certificate = IdentityCertificate() certificate.wireDecode(self._certificateStore[certificateNameUri]) return certificate
def __init__(self, face): # Set up face self.face = face self.databaseFilePath = "policy_config/test_consumer.db" try: os.remove(self.databaseFilePath) except OSError: # no such file pass self.groupName = Name("/org/openmhealth/zhehao") # Set up the keyChain. identityStorage = BasicIdentityStorage() privateKeyStorage = FilePrivateKeyStorage() self.keyChain = KeyChain( IdentityManager(identityStorage, privateKeyStorage), NoVerifyPolicyManager()) # Authorized identity identityName = Name("/org/openmhealth/dvu-python-3") # Unauthorized identity #identityName = Name("/org/openmhealth/dvu-python-1") self.certificateName = self.keyChain.createIdentityAndCertificate(identityName) self.face.setCommandSigningInfo(self.keyChain, self.certificateName) consumerKeyName = IdentityCertificate.certificateNameToPublicKeyName(self.certificateName) consumerCertificate = identityStorage.getCertificate(self.certificateName) self.consumer = Consumer( face, self.keyChain, self.groupName, identityName, Sqlite3ConsumerDb(self.databaseFilePath)) # TODO: Read the private key to decrypt d-key...this may or may not be ideal base64Content = None with open(privateKeyStorage.nameTransform(consumerKeyName.toUri(), ".pri")) as keyFile: print privateKeyStorage.nameTransform(consumerKeyName.toUri(), ".pri") base64Content = keyFile.read() #print base64Content der = Blob(base64.b64decode(base64Content), False) self.consumer.addDecryptionKey(consumerKeyName, der) self.memoryContentCache = MemoryContentCache(self.face) self.memoryContentCache.registerPrefix(identityName, self.onRegisterFailed, self.onDataNotFound) self.memoryContentCache.add(consumerCertificate) accessRequestInterest = Interest(Name(self.groupName).append("read_access_request").append(self.certificateName).appendVersion(int(time.time()))) self.face.expressInterest(accessRequestInterest, self.onAccessRequestData, self.onAccessRequestTimeout) print "Access request interest name: " + accessRequestInterest.getName().toUri() self.consumeCatalog = True return
def getCertificate(self, certificateName): """ Get a certificate from the identity storage. :param Name certificateName: The name of the requested certificate. :return: The requested certificate. :rtype: IdentityCertificate :raises SecurityException: if the certificate doesn't exist. """ certificateNameUri = certificateName.toUri() if not (certificateNameUri in self._certificateStore): raise SecurityException( "MemoryIdentityStorage::getCertificate: The certificate does not exist") certificate = IdentityCertificate() try: certificate.wireDecode(self._certificateStore[certificateNameUri]) except ValueError: raise SecurityException( "MemoryIdentityStorage::getCertificate: The certificate cannot be decoded") return certificate
def getCertificate(self, certificateName): """ Get a certificate from the identity storage. :param Name certificateName: The name of the requested certificate. :return: The requested certificate. :rtype: IdentityCertificate :raises SecurityException: if the certificate doesn't exist. """ certificateNameUri = certificateName.toUri() if not (certificateNameUri in self._certificateStore): raise SecurityException( "MemoryIdentityStorage.getCertificate: The certificate does not exist" ) certificate = IdentityCertificate() try: certificate.wireDecode(self._certificateStore[certificateNameUri]) except ValueError: raise SecurityException( "MemoryIdentityStorage.getCertificate: The certificate cannot be decoded" ) return certificate
def _updateDeviceCapabilities(self, interest): """ Take the received capabilities update interest and update our directory listings. """ # we assume the sender is the one who signed the interest... signature = self._policyManager._extractSignature(interest) certificateName = signature.getKeyLocator().getKeyName() senderIdentity = IdentityCertificate.certificateNameToPublicKeyName( certificateName).getPrefix(-1) self.log.info('Updating capabilities for {}'.format( senderIdentity.toUri())) # get the params from the interest name messageComponent = interest.getName().get(self.prefix.size() + 1) message = UpdateCapabilitiesCommandMessage() ProtobufTlv.decode(message, messageComponent.getValue()) # we remove all the old capabilities for the sender tempDirectory = defaultdict(list) for keyword in self._directory: tempDirectory[keyword] = [ cap for cap in self._directory[keyword] if not senderIdentity.match(Name(cap['name'])) ] # then we add the ones from the message for capability in message.capabilities: capabilityPrefix = Name() for component in capability.commandPrefix.components: capabilityPrefix.append(component) commandUri = capabilityPrefix.toUri() if not senderIdentity.match(capabilityPrefix): self.log.error( "Node {} tried to register another prefix: {} - ignoring update" .format(senderIdentity.toUri(), commandUri)) else: for keyword in capability.keywords: allUris = [info['name'] for info in tempDirectory[keyword]] if capabilityPrefix not in allUris: listing = { 'signed': capability.needsSignature, 'name': commandUri } tempDirectory[keyword].append(listing) self._directory = tempDirectory
def createIdentity(self, identityName, params): """ Create an identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed certificate of the KSK. If a key pair or certificate for the identity already exists, use it. :deprecated: Use createIdentityAndCertificate which returns the certificate name instead of the key name. You can use IdentityCertificate.certificateNameToPublicKeyName to convert the certificate name to the key name. :param Name identityName: The name of the identity. :param KeyParams params: The key parameters if a key needs to be generated for the identity. :return: The key name of the auto-generated KSK of the identity. :rtype: Name """ return IdentityCertificate.certificateNameToPublicKeyName( self.createIdentityAndCertificate(identityName, params))
def addCertificate(self, certificate): """ Add a certificate to the identity storage. :param IdentityCertificate certificate: The certificate to be added. This makes a copy of the certificate. """ #TODO: actually check validity of certificate timestamp certificateName = certificate.getName() if self.doesCertificateExist(certificateName): raise SecurityException("Certificate has already been installed!") certCopy = IdentityCertificate(certificate) makeDefault = 0 keyName = certCopy.getPublicKeyName() keyInfo = certCopy.getPublicKeyInfo() if not self.doesKeyExist(keyName): self.addKey(keyName, keyInfo.getKeyType(), keyInfo.getKeyDer()) makeDefault = 1 else: # see if the key we already have matches this certificate keyBlob = self.getKey(keyName) if (keyBlob.isNull() or keyBlob.toBuffer() != keyInfo.getKeyDer().toBuffer()): raise SecurityException("Certificate does not match public key") keyId = keyName.get(-1).toEscapedString() identityUri = keyName.getPrefix(-1).toUri() certIssuer = certCopy.getSignature().getKeyLocator().getKeyName().toUri() encodedCert = buffer(bytearray(certCopy.wireEncode().buf())) notBefore = certCopy.getNotBefore() notAfter = certCopy.getNotAfter() cursor = self._database.cursor() cursor.execute("INSERT INTO Certificate VALUES(?,?,?,?,?,?,?,?,?)", (certificateName.toUri(), certIssuer, identityUri, keyId, notBefore, notAfter, encodedCert, 1, makeDefault)) self._database.commit() cursor.close()
def onRootCertificateDownload(interest, data): try: # zhehao: the root cert is downloaded and installed without verifying; should the root cert be preconfigured? # Insert root certificate so that we can verify newCert self._policyManager._certificateCache.insertCertificate( data) # Set the root cert as default for root identity try: self._identityManager.addCertificateAsIdentityDefault( IdentityCertificate(data)) except SecurityException as e: print( "Error when addCertificateAsIdentityDefault for root: " + data.getName().toUri()) print(str(e)) self._rootCertificate = data try: # use the default configuration where possible # TODO: use environment variable for this, fall back to default fileName = os.path.expanduser('~/.ndn/.iot.root.cert') rootCertFile = open(fileName, "w") rootCertFile.write( Blob( b64encode(self._rootCertificate.wireEncode(). toBytes()), False).toRawStr()) rootCertFile.close() except IOError as e: self.log.error( "Cannot write to root certificate file: " + rootCertFile) print "Cannot write to root certificate file: " + rootCertFile except SecurityException as e: print(str(e)) # already exists, or got certificate in wrong format pass self._keyChain.verifyData(newCert, self._finalizeCertificateDownload, self._certificateValidationFailed)
def signInterestByCertificate(self, interest, certificateName, wireFormat=None): """ Append a SignatureInfo to the Interest name, sign the name components and append a final name component with the signature bits. :param Interest interest: The Interest object to be signed. This appends name components of SignatureInfo and the signature bits. :param Name certificateName: The certificate name of the key to use for signing. :param wireFormat: (optional) A WireFormat object used to encode the input. If omitted, use WireFormat.getDefaultWireFormat(). :type wireFormat: A subclass of WireFormat """ if wireFormat == None: # Don't use a default argument since getDefaultWireFormat can change. wireFormat = WireFormat.getDefaultWireFormat() digestAlgorithm = [0] signature = self._makeSignatureByCertificate(certificateName, digestAlgorithm) # Append the encoded SignatureInfo. interest.getName().append(wireFormat.encodeSignatureInfo(signature)) # Append an empty signature so that the "signedPortion" is correct. interest.getName().append(Name.Component()) # Encode once to get the signed portion, and sign. encoding = interest.wireEncode(wireFormat) signature.setSignature( self._privateKeyStorage.sign( encoding.toSignedBuffer(), IdentityCertificate.certificateNameToPublicKeyName( certificateName), digestAlgorithm[0])) # Remove the empty signature and append the real one. interest.setName(interest.getName().getPrefix(-1).append( wireFormat.encodeSignatureValue(signature)))
def _updateDeviceCapabilities(self, interest): """ Take the received capabilities update interest and update our directory listings. """ # we assume the sender is the one who signed the interest... signature = self._policyManager._extractSignature(interest) certificateName = signature.getKeyLocator().getKeyName() senderIdentity = IdentityCertificate.certificateNameToPublicKeyName(certificateName).getPrefix(-1) self.log.info('Updating capabilities for {}'.format(senderIdentity.toUri())) # get the params from the interest name messageComponent = interest.getName().get(self.prefix.size()+1) message = UpdateCapabilitiesCommandMessage() ProtobufTlv.decode(message, messageComponent.getValue()) # we remove all the old capabilities for the sender tempDirectory = defaultdict(list) for keyword in self._directory: tempDirectory[keyword] = [cap for cap in self._directory[keyword] if not senderIdentity.match(Name(cap['name']))] # then we add the ones from the message for capability in message.capabilities: capabilityPrefix = Name() for component in capability.commandPrefix.components: capabilityPrefix.append(component) commandUri = capabilityPrefix.toUri() if not senderIdentity.match(capabilityPrefix): self.log.error("Node {} tried to register another prefix: {} - ignoring update".format( senderIdentity.toUri(),commandUri)) else: for keyword in capability.keywords: allUris = [info['name'] for info in tempDirectory[keyword]] if capabilityPrefix not in allUris: listing = {'signed':capability.needsSignature, 'name':commandUri} tempDirectory[keyword].append(listing) self._directory= tempDirectory
def signInterestByCertificate(self, interest, certificateName, wireFormat = None): """ Append a SignatureInfo to the Interest name, sign the name components and append a final name component with the signature bits. :param Interest interest: The Interest object to be signed. This appends name components of SignatureInfo and the signature bits. :param Name certificateName: The certificate name of the key to use for signing. :param wireFormat: (optional) A WireFormat object used to encode the input. If omitted, use WireFormat.getDefaultWireFormat(). :type wireFormat: A subclass of WireFormat """ if wireFormat == None: # Don't use a default argument since getDefaultWireFormat can change. wireFormat = WireFormat.getDefaultWireFormat() digestAlgorithm = [0] signature = self._makeSignatureByCertificate( certificateName, digestAlgorithm) # Append the encoded SignatureInfo. interest.getName().append(wireFormat.encodeSignatureInfo(signature)) # Append an empty signature so that the "signedPortion" is correct. interest.getName().append(Name.Component()) # Encode once to get the signed portion, and sign. encoding = interest.wireEncode(wireFormat) signature.setSignature(self._privateKeyStorage.sign (encoding.toSignedBuffer(), IdentityCertificate.certificateNameToPublicKeyName(certificateName), digestAlgorithm[0])) # Remove the empty signature and append the real one. interest.setName(interest.getName().getPrefix(-1).append( wireFormat.encodeSignatureValue(signature)))
def __init__(self, face): # Set up face self.face = face self.databaseFilePath = "policy_config/test_consumer.db" try: os.remove(self.databaseFilePath) except OSError: # no such file pass self.groupName = Name("/org/openmhealth/haitao") # Set up the keyChain. identityStorage = BasicIdentityStorage() privateKeyStorage = FilePrivateKeyStorage() self.keyChain = KeyChain( IdentityManager(identityStorage, privateKeyStorage), NoVerifyPolicyManager()) # Authorized identity identityName = Name("/org/openmhealth/dvu-python-3") # Unauthorized identity #identityName = Name("/org/openmhealth/dvu-python-1") self.certificateName = self.keyChain.createIdentityAndCertificate( identityName) self.face.setCommandSigningInfo(self.keyChain, self.certificateName) consumerKeyName = IdentityCertificate.certificateNameToPublicKeyName( self.certificateName) consumerCertificate = identityStorage.getCertificate( self.certificateName) self.consumer = Consumer(face, self.keyChain, self.groupName, identityName, Sqlite3ConsumerDb(self.databaseFilePath)) # TODO: Read the private key to decrypt d-key...this may or may not be ideal base64Content = None with open( privateKeyStorage.nameTransform(consumerKeyName.toUri(), ".pri")) as keyFile: print privateKeyStorage.nameTransform(consumerKeyName.toUri(), ".pri") base64Content = keyFile.read() #print base64Content der = Blob(base64.b64decode(base64Content), False) self.consumer.addDecryptionKey(consumerKeyName, der) self.memoryContentCache = MemoryContentCache(self.face) self.memoryContentCache.registerPrefix(identityName, self.onRegisterFailed, self.onDataNotFound) self.memoryContentCache.add(consumerCertificate) accessRequestInterest = Interest( Name(self.groupName).append("read_access_request").append( self.certificateName).appendVersion(int(time.time()))) self.face.expressInterest(accessRequestInterest, self.onAccessRequestData, self.onAccessRequestTimeout) print "Access request interest name: " + accessRequestInterest.getName( ).toUri() self.consumeCatalog = True return
def generateCertificateForKey(self, keyName): # let any raised SecurityExceptions bubble up publicKeyBits = self._identityStorage.getKey(keyName) publicKeyType = self._identityStorage.getKeyType(keyName) publicKey = PublicKey(publicKeyType, publicKeyBits) timestamp = Common.getNowMilliseconds() # TODO: specify where the 'KEY' component is inserted # to delegate responsibility for cert delivery certificateName = keyName.getPrefix(-1).append('KEY').append(keyName.get(-1)) certificateName.append("ID-CERT").append(Name.Component(struct.pack(">Q", timestamp))) certificate = IdentityCertificate(certificateName) certificate.setNotBefore(timestamp) certificate.setNotAfter((timestamp + 30*86400*1000)) # about a month certificate.setPublicKeyInfo(publicKey) # ndnsec likes to put the key name in a subject description sd = CertificateSubjectDescription("2.5.4.41", keyName.toUri()) certificate.addSubjectDescription(sd) certificate.encode() return certificate
def __init__(self, face, identityName, groupName, catalogPrefix, rawDataPrefix, producerDbFilePath, consumerDbFilePath, encrypted=False): self.face = face # Set up the keyChain. identityStorage = BasicIdentityStorage() privateKeyStorage = FilePrivateKeyStorage() self.keyChain = KeyChain( IdentityManager(identityStorage, privateKeyStorage), NoVerifyPolicyManager()) self.identityName = Name(identityName) self.groupName = Name(groupName) self.rawDataPrefix = rawDataPrefix self.catalogPrefix = catalogPrefix self.certificateName = self.keyChain.createIdentityAndCertificate( self.identityName) self.face.setCommandSigningInfo(self.keyChain, self.certificateName) # Set up the memoryContentCache self.memoryContentCache = MemoryContentCache(self.face) self.memoryContentCache.registerPrefix(self.identityName, self.onRegisterFailed, self.onDataNotFound) self.producerPrefix = Name(identityName) self.producerSuffix = Name() self.producer = DPUProducer(face, self.memoryContentCache, self.producerPrefix, self.producerSuffix, self.keyChain, self.certificateName, producerDbFilePath) # Put own (consumer) certificate in memoryContentCache consumerKeyName = IdentityCertificate.certificateNameToPublicKeyName( self.certificateName) consumerCertificate = identityStorage.getCertificate( self.certificateName, True) # TODO: request that this DPU be added as a trusted group member self.remainingTasks = dict() try: os.remove(consumerDbFilePath) except OSError: # no such file pass self.consumer = Consumer(face, self.keyChain, self.groupName, consumerKeyName, Sqlite3ConsumerDb(consumerDbFilePath)) # TODO: Read the private key to decrypt d-key...this may or may not be ideal base64Content = None with open( privateKeyStorage.nameTransform(consumerKeyName.toUri(), ".pri")) as keyFile: base64Content = keyFile.read() der = Blob(base64.b64decode(base64Content), False) self.consumer.addDecryptionKey(consumerKeyName, der) self.memoryContentCache.add(consumerCertificate) self.encrypted = encrypted self.rawData = [] self.catalogFetchFinished = False self.remainingData = 0 return
def _generateCertificateForKey(self, keyName): # Let any raised SecurityExceptions bubble up. publicKeyBits = self._identityStorage.getKey(keyName) publicKey = PublicKey(publicKeyBits) timestamp = Common.getNowMilliseconds() # TODO: Specify where the 'KEY' component is inserted # to delegate responsibility for cert delivery. # cf: http://redmine.named-data.net/issues/1659 certificateName = keyName.getPrefix(-1).append('KEY').append( keyName.get(-1)) certificateName.append("ID-CERT").appendVersion(int(timestamp)) certificate = IdentityCertificate() certificate.setName(certificateName) certificate.setNotBefore(timestamp) certificate.setNotAfter( (timestamp + 2 * 365 * 24 * 3600 * 1000)) # about 2 years. certificate.setPublicKeyInfo(publicKey) # ndnsec likes to put the key name in a subject description. sd = CertificateSubjectDescription("2.5.4.41", keyName.toUri()) certificate.addSubjectDescription(sd) certificate.encode() return certificate
def _processValidCertificate(self, data): # unpack the cert from the HMAC signed packet and verify try: newCert = IdentityCertificate() newCert.wireDecode(data.getContent()) self.log.info("Received certificate from controller") # NOTE: we download and install the root certificate without verifying it (!) # otherwise our policy manager will reject it. # we may need a static method on KeyChain to allow verifying before adding rootCertName = newCert.getSignature().getKeyLocator().getKeyName() # update trust rules so we trust the controller self._policyManager.setDeviceIdentity(self._configureIdentity) self._policyManager.updateTrustRules() def onRootCertificateDownload(interest, data): try: # zhehao: the root cert is downloaded and installed without verifying; should the root cert be preconfigured? # Insert root certificate so that we can verify newCert self._policyManager._certificateCache.insertCertificate( data) # Set the root cert as default for root identity try: self._identityManager.addCertificateAsIdentityDefault( IdentityCertificate(data)) except SecurityException as e: print( "Error when addCertificateAsIdentityDefault for root: " + data.getName().toUri()) print(str(e)) self._rootCertificate = data try: # use the default configuration where possible # TODO: use environment variable for this, fall back to default fileName = os.path.expanduser('~/.ndn/.iot.root.cert') rootCertFile = open(fileName, "w") rootCertFile.write( Blob( b64encode(self._rootCertificate.wireEncode(). toBytes()), False).toRawStr()) rootCertFile.close() except IOError as e: self.log.error( "Cannot write to root certificate file: " + rootCertFile) print "Cannot write to root certificate file: " + rootCertFile except SecurityException as e: print(str(e)) # already exists, or got certificate in wrong format pass self._keyChain.verifyData(newCert, self._finalizeCertificateDownload, self._certificateValidationFailed) def onRootCertificateTimeout(interest): # TODO: limit number of tries, then revert trust root + network prefix # reset salt, create new Hmac key self.face.expressInterest(rootCertName, onRootCertificateDownload, onRootCertificateTimeout) self.face.expressInterest(rootCertName, onRootCertificateDownload, onRootCertificateTimeout) except Exception as e: self.log.exception("Could not import new certificate", exc_info=True)
from pyndn.security import KeyType, KeyChain, RsaKeyParams, SecurityException from pyndn.security.certificate import IdentityCertificate from pyndn.security.identity import IdentityManager from pyndn.security.identity import BasicIdentityStorage, FilePrivateKeyStorage, MemoryIdentityStorage, MemoryPrivateKeyStorage from pyndn.security.policy import NoVerifyPolicyManager # Set up the keyChain. identityStorage = BasicIdentityStorage() privateKeyStorage = FilePrivateKeyStorage() keyChain = KeyChain(IdentityManager(identityStorage, privateKeyStorage), NoVerifyPolicyManager()) # dvu identity identityName = Name("/org/openmhealth/dvu") certificateName = keyChain.createIdentityAndCertificate(identityName) keyName = IdentityCertificate.certificateNameToPublicKeyName(certificateName) certificate = identityStorage.getCertificate(certificateName) print keyName print certificateName print certificate print privateKeyStorage.nameTransform(keyName.toUri(), ".pri") #with open(privateKeyStorage.nameTransform(keyName.toUri(), ".pri")) as keyFile: # base64Content = keyFile.read() # decoded = base64.b64decode(base64Content) # print decoded # for i in range(0, len(decoded)): # print int(decoded[i]) face = Face() face.setCommandSigningInfo(keyChain, certificateName) certificateNamePrefix = Name(identityName).append("KEY")
def __init__(self, face, encryptResult, defaultPrefix, link = None): # Set up face self.face = face self._encryptResult = encryptResult self._link = link self.databaseFilePath = "policy_config/test_consumer_dpu.db" try: os.remove(self.databaseFilePath) except OSError: # no such file pass self.groupName = Name(defaultPrefix) # Set up the keyChain. identityStorage = BasicIdentityStorage() privateKeyStorage = FilePrivateKeyStorage() self.keyChain = KeyChain( IdentityManager(identityStorage, privateKeyStorage), NoVerifyPolicyManager()) # Authorized identity identityName = Name("/ndn/edu/basel/dpu") # Function name: the function that this DPU provides self._functionName = "bounding_box" self._identityName = identityName self.certificateName = self.keyChain.createIdentityAndCertificate(identityName) # TODO: if using BasicIdentityStorage and FilePrivateKeyStorage # For some reason this newly generated cert is not installed by default, calling keyChain sign later would result in error #self.keyChain.installIdentityCertificate() self.memoryContentCache = MemoryContentCache(self.face) try: commandSigningKeyChain = KeyChain() print "Default certificate name is: " + self.keyChain.getDefaultCertificateName().toUri() self.face.setCommandSigningInfo(commandSigningKeyChain, commandSigningKeyChain.getDefaultCertificateName()) self.memoryContentCache.registerPrefix(identityName, self.onRegisterFailed, self.onDataNotFound) except SecurityException as e: print str(e) print "Cannot use default certificate, use created certificate in FilePrivateKeyStorage" self.face.setCommandSigningInfo(self.keyChain, self.certificateName) self.memoryContentCache.registerPrefix(identityName, self.onRegisterFailed, self.onDataNotFound) consumerKeyName = IdentityCertificate.certificateNameToPublicKeyName(self.certificateName) consumerCertificate = identityStorage.getCertificate(self.certificateName) self.consumer = Consumer( face, self.keyChain, self.groupName, identityName, Sqlite3ConsumerDb(self.databaseFilePath)) # TODO: Read the private key to decrypt d-key...this may or may not be ideal base64Content = None with open(privateKeyStorage.nameTransform(consumerKeyName.toUri(), ".pri")) as keyFile: print privateKeyStorage.nameTransform(consumerKeyName.toUri(), ".pri") base64Content = keyFile.read() #print base64Content der = Blob(base64.b64decode(base64Content), False) self.consumer.addDecryptionKey(consumerKeyName, der) self.memoryContentCache.add(consumerCertificate) accessRequestInterest = Interest(Name(self.groupName).append("read_access_request").append(self.certificateName).appendVersion(int(time.time()))) self.face.expressInterest(accessRequestInterest, self.onAccessRequestData, self.onAccessRequestTimeout) print "Access request interest name: " + accessRequestInterest.getName().toUri() self._tasks = dict() return
class TestGroupManager(ut.TestCase): def setUp(self): # Reuse the policy_config subdirectory for the temporary SQLite files. self.dKeyDatabaseFilePath = "policy_config/manager-d-key-test.db" try: os.remove(self.dKeyDatabaseFilePath) except OSError: # no such file pass self.eKeyDatabaseFilePath = "policy_config/manager-e-key-test.db" try: os.remove(self.eKeyDatabaseFilePath) except OSError: # no such file pass self.intervalDatabaseFilePath = "policy_config/manager-interval-test.db" try: os.remove(self.intervalDatabaseFilePath) except OSError: # no such file pass self.groupKeyDatabaseFilePath = "policy_config/manager-group-key-test.db" try: os.remove(self.groupKeyDatabaseFilePath) except OSError: # no such file pass params = RsaKeyParams() memberDecryptKey = RsaAlgorithm.generateKey(params) self.decryptKeyBlob = memberDecryptKey.getKeyBits() memberEncryptKey = RsaAlgorithm.deriveEncryptKey(self.decryptKeyBlob) self.encryptKeyBlob = memberEncryptKey.getKeyBits() # Generate the certificate. self.certificate = IdentityCertificate() self.certificate.setName(Name("/ndn/memberA/KEY/ksk-123/ID-CERT/123")) contentPublicKey = PublicKey(self.encryptKeyBlob) self.certificate.setPublicKeyInfo(contentPublicKey) self.certificate.setNotBefore(0) self.certificate.setNotAfter(0) self.certificate.encode() signatureInfoBlob = Blob(SIG_INFO, False) signatureValueBlob = Blob(SIG_VALUE, False) signature = TlvWireFormat.get().decodeSignatureInfoAndValue( signatureInfoBlob.buf(), signatureValueBlob.buf()) self.certificate.setSignature(signature) self.certificate.wireEncode() # Set up the keyChain. identityStorage = MemoryIdentityStorage() privateKeyStorage = MemoryPrivateKeyStorage() self.keyChain = KeyChain( IdentityManager(identityStorage, privateKeyStorage), NoVerifyPolicyManager()) identityName = Name("TestGroupManager") self.keyChain.createIdentityAndCertificate(identityName) self.keyChain.getIdentityManager().setDefaultIdentity(identityName) def tearDown(self): try: os.remove(self.dKeyDatabaseFilePath) except OSError: pass try: os.remove(self.eKeyDatabaseFilePath) except OSError: pass try: os.remove(self.intervalDatabaseFilePath) except OSError: pass try: os.remove(self.groupKeyDatabaseFilePath) except OSError: pass def setManager(self, manager): # Set up the first schedule. schedule1 = Schedule() interval11 = RepetitiveInterval( Schedule.fromIsoString("20150825T000000"), Schedule.fromIsoString("20150827T000000"), 5, 10, 2, RepetitiveInterval.RepeatUnit.DAY) interval12 = RepetitiveInterval( Schedule.fromIsoString("20150825T000000"), Schedule.fromIsoString("20150827T000000"), 6, 8, 1, RepetitiveInterval.RepeatUnit.DAY) interval13 = RepetitiveInterval( Schedule.fromIsoString("20150827T000000"), Schedule.fromIsoString("20150827T000000"), 7, 8) schedule1.addWhiteInterval(interval11) schedule1.addWhiteInterval(interval12) schedule1.addBlackInterval(interval13) # Set up the second schedule. schedule2 = Schedule() interval21 = RepetitiveInterval( Schedule.fromIsoString("20150825T000000"), Schedule.fromIsoString("20150827T000000"), 9, 12, 1, RepetitiveInterval.RepeatUnit.DAY) interval22 = RepetitiveInterval( Schedule.fromIsoString("20150827T000000"), Schedule.fromIsoString("20150827T000000"), 6, 8) interval23 = RepetitiveInterval( Schedule.fromIsoString("20150827T000000"), Schedule.fromIsoString("20150827T000000"), 2, 4) schedule2.addWhiteInterval(interval21) schedule2.addWhiteInterval(interval22) schedule2.addBlackInterval(interval23) # Add them to the group manager database. manager.addSchedule("schedule1", schedule1) manager.addSchedule("schedule2", schedule2) # Make some adaptions to certificate. dataBlob = self.certificate.wireEncode() memberA = Data() memberA.wireDecode(dataBlob, TlvWireFormat.get()) memberA.setName(Name("/ndn/memberA/KEY/ksk-123/ID-CERT/123")) memberB = Data() memberB.wireDecode(dataBlob, TlvWireFormat.get()) memberB.setName(Name("/ndn/memberB/KEY/ksk-123/ID-CERT/123")) memberC = Data() memberC.wireDecode(dataBlob, TlvWireFormat.get()) memberC.setName(Name("/ndn/memberC/KEY/ksk-123/ID-CERT/123")) # Add the members to the database. manager.addMember("schedule1", memberA) manager.addMember("schedule1", memberB) manager.addMember("schedule2", memberC) def test_create_d_key_data(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.dKeyDatabaseFilePath), 2048, 1, self.keyChain) newCertificateBlob = self.certificate.wireEncode() newCertificate = IdentityCertificate() newCertificate.wireDecode(newCertificateBlob) # Encrypt the D-KEY. data = manager._createDKeyData( "20150825T000000", "20150827T000000", Name("/ndn/memberA/KEY"), self.decryptKeyBlob, newCertificate.getPublicKeyInfo().getKeyDer()) # Verify the encrypted D-KEY. dataContent = data.getContent() # Get the nonce key. # dataContent is a sequence of the two EncryptedContent. encryptedNonce = EncryptedContent() encryptedNonce.wireDecode(dataContent) self.assertEqual(0, encryptedNonce.getInitialVector().size()) self.assertEqual(EncryptAlgorithmType.RsaOaep, encryptedNonce.getAlgorithmType()) blobNonce = encryptedNonce.getPayload() decryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep) nonce = RsaAlgorithm.decrypt(self.decryptKeyBlob, blobNonce, decryptParams) # Get the D-KEY. # Use the size of encryptedNonce to find the start of encryptedPayload. payloadContent = dataContent.buf()[encryptedNonce.wireEncode().size():] encryptedPayload = EncryptedContent() encryptedPayload.wireDecode(payloadContent) self.assertEqual(16, encryptedPayload.getInitialVector().size()) self.assertEqual(EncryptAlgorithmType.AesCbc, encryptedPayload.getAlgorithmType()) decryptParams.setAlgorithmType(EncryptAlgorithmType.AesCbc) decryptParams.setInitialVector(encryptedPayload.getInitialVector()) blobPayload = encryptedPayload.getPayload() largePayload = AesAlgorithm.decrypt(nonce, blobPayload, decryptParams) self.assertTrue(largePayload.equals(self.decryptKeyBlob)) def test_create_e_key_data(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.eKeyDatabaseFilePath), 1024, 1, self.keyChain) self.setManager(manager) data = manager._createEKeyData( "20150825T090000", "20150825T110000", self.encryptKeyBlob) self.assertEqual("/Alice/READ/data_type/E-KEY/20150825T090000/20150825T110000", data.getName().toUri()) contentBlob = data.getContent() self.assertTrue(self.encryptKeyBlob.equals(contentBlob)) def test_calculate_interval(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.intervalDatabaseFilePath), 1024, 1, self.keyChain) self.setManager(manager) memberKeys = {} timePoint1 = Schedule.fromIsoString("20150825T093000") result = manager._calculateInterval(timePoint1, memberKeys) self.assertEqual("20150825T090000", Schedule.toIsoString(result.getStartTime())) self.assertEqual("20150825T100000", Schedule.toIsoString(result.getEndTime())) timePoint2 = Schedule.fromIsoString("20150827T073000") result = manager._calculateInterval(timePoint2, memberKeys) self.assertEqual("20150827T070000", Schedule.toIsoString(result.getStartTime())) self.assertEqual("20150827T080000", Schedule.toIsoString(result.getEndTime())) timePoint3 = Schedule.fromIsoString("20150827T043000") result = manager._calculateInterval(timePoint3, memberKeys) self.assertEqual(False, result.isValid()) timePoint4 = Schedule.fromIsoString("20150827T053000") result = manager._calculateInterval(timePoint4, memberKeys) self.assertEqual("20150827T050000", Schedule.toIsoString(result.getStartTime())) self.assertEqual("20150827T060000", Schedule.toIsoString(result.getEndTime())) def test_get_group_key(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.groupKeyDatabaseFilePath), 1024, 1, self.keyChain) self.setManager(manager) # Get the data list from the group manager. timePoint1 = Schedule.fromIsoString("20150825T093000") result = manager.getGroupKey(timePoint1) self.assertEqual(4, len(result)) # The first data packet contains the group's encryption key (public key). data = result[0] self.assertEqual( "/Alice/READ/data_type/E-KEY/20150825T090000/20150825T100000", data.getName().toUri()) groupEKey = EncryptKey(data.getContent()) # Get the second data packet and decrypt. data = result[1] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberA/ksk-123", data.getName().toUri()) ####################################################### Start decryption. dataContent = data.getContent() # Get the nonce key. # dataContent is a sequence of the two EncryptedContent. encryptedNonce = EncryptedContent() encryptedNonce.wireDecode(dataContent) self.assertEqual(0, encryptedNonce.getInitialVector().size()) self.assertEqual(EncryptAlgorithmType.RsaOaep, encryptedNonce.getAlgorithmType()) decryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep) blobNonce = encryptedNonce.getPayload() nonce = RsaAlgorithm.decrypt(self.decryptKeyBlob, blobNonce, decryptParams) # Get the payload. # Use the size of encryptedNonce to find the start of encryptedPayload. payloadContent = dataContent.buf()[encryptedNonce.wireEncode().size():] encryptedPayload = EncryptedContent() encryptedPayload.wireDecode(payloadContent) self.assertEqual(16, encryptedPayload.getInitialVector().size()) self.assertEqual(EncryptAlgorithmType.AesCbc, encryptedPayload.getAlgorithmType()) decryptParams.setAlgorithmType(EncryptAlgorithmType.AesCbc) decryptParams.setInitialVector(encryptedPayload.getInitialVector()) blobPayload = encryptedPayload.getPayload() largePayload = AesAlgorithm.decrypt(nonce, blobPayload, decryptParams) # Get the group D-KEY. groupDKey = DecryptKey(largePayload) ####################################################### End decryption. # Check the D-KEY. derivedGroupEKey = RsaAlgorithm.deriveEncryptKey(groupDKey.getKeyBits()) self.assertTrue(groupEKey.getKeyBits().equals(derivedGroupEKey.getKeyBits())) # Check the third data packet. data = result[2] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberB/ksk-123", data.getName().toUri()) # Check the fourth data packet. data = result[3] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberC/ksk-123", data.getName().toUri()) # Check invalid time stamps for getting the group key. timePoint2 = Schedule.fromIsoString("20150826T083000") self.assertEqual(0, len(manager.getGroupKey(timePoint2))) timePoint3 = Schedule.fromIsoString("20150827T023000") self.assertEqual(0, len(manager.getGroupKey(timePoint3))) def test_get_group_key_without_regeneration(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.groupKeyDatabaseFilePath), 1024, 1, self.keyChain) self.setManager(manager) # Get the data list from the group manager. timePoint1 = Schedule.fromIsoString("20150825T093000") result = manager.getGroupKey(timePoint1) self.assertEqual(4, len(result)) # The first data packet contains the group's encryption key (public key). data1 = result[0] self.assertEqual( "/Alice/READ/data_type/E-KEY/20150825T090000/20150825T100000", data1.getName().toUri()) groupEKey1 = EncryptKey(data1.getContent()) # Get the second data packet and decrypt. data = result[1] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberA/ksk-123", data.getName().toUri()) # Add new members to the database. dataBlob = self.certificate.wireEncode() memberD = Data() memberD.wireDecode(dataBlob) memberD.setName(Name("/ndn/memberD/KEY/ksk-123/ID-CERT/123")) manager.addMember("schedule1", memberD) result2 = manager.getGroupKey(timePoint1, False) self.assertEqual(5, len(result2)) # Check that the new EKey is the same as the previous one. data2 = result2[0] self.assertEqual( "/Alice/READ/data_type/E-KEY/20150825T090000/20150825T100000", data2.getName().toUri()) groupEKey2 = EncryptKey(data2.getContent()) self.assertTrue(groupEKey1.getKeyBits().equals(groupEKey2.getKeyBits())); # Check the second data packet. data2 = result2[1] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberA/ksk-123", data2.getName().toUri())
def setUp(self): # Reuse the policy_config subdirectory for the temporary SQLite files. self.dKeyDatabaseFilePath = "policy_config/manager-d-key-test.db" try: os.remove(self.dKeyDatabaseFilePath) except OSError: # no such file pass self.eKeyDatabaseFilePath = "policy_config/manager-e-key-test.db" try: os.remove(self.eKeyDatabaseFilePath) except OSError: # no such file pass self.intervalDatabaseFilePath = "policy_config/manager-interval-test.db" try: os.remove(self.intervalDatabaseFilePath) except OSError: # no such file pass self.groupKeyDatabaseFilePath = "policy_config/manager-group-key-test.db" try: os.remove(self.groupKeyDatabaseFilePath) except OSError: # no such file pass params = RsaKeyParams() memberDecryptKey = RsaAlgorithm.generateKey(params) self.decryptKeyBlob = memberDecryptKey.getKeyBits() memberEncryptKey = RsaAlgorithm.deriveEncryptKey(self.decryptKeyBlob) self.encryptKeyBlob = memberEncryptKey.getKeyBits() # Generate the certificate. self.certificate = IdentityCertificate() self.certificate.setName(Name("/ndn/memberA/KEY/ksk-123/ID-CERT/123")) contentPublicKey = PublicKey(self.encryptKeyBlob) self.certificate.setPublicKeyInfo(contentPublicKey) self.certificate.setNotBefore(0) self.certificate.setNotAfter(0) self.certificate.encode() signatureInfoBlob = Blob(SIG_INFO, False) signatureValueBlob = Blob(SIG_VALUE, False) signature = TlvWireFormat.get().decodeSignatureInfoAndValue( signatureInfoBlob.buf(), signatureValueBlob.buf()) self.certificate.setSignature(signature) self.certificate.wireEncode() # Set up the keyChain. identityStorage = MemoryIdentityStorage() privateKeyStorage = MemoryPrivateKeyStorage() self.keyChain = KeyChain( IdentityManager(identityStorage, privateKeyStorage), NoVerifyPolicyManager()) identityName = Name("TestGroupManager") self.keyChain.createIdentityAndCertificate(identityName) self.keyChain.getIdentityManager().setDefaultIdentity(identityName)
def _generateCertificateForKey(self, keyName): # Let any raised SecurityExceptions bubble up. publicKeyBits = self._identityStorage.getKey(keyName) publicKey = PublicKey(publicKeyBits) timestamp = Common.getNowMilliseconds() # TODO: Specify where the 'KEY' component is inserted # to delegate responsibility for cert delivery. # cf: http://redmine.named-data.net/issues/1659 certificateName = keyName.getPrefix(-1).append('KEY').append(keyName.get(-1)) certificateName.append("ID-CERT").appendVersion(int(timestamp)) certificate = IdentityCertificate() certificate.setName(certificateName) certificate.setNotBefore(timestamp) certificate.setNotAfter((timestamp + 2*365*24*3600*1000)) # about 2 years. certificate.setPublicKeyInfo(publicKey) # ndnsec likes to put the key name in a subject description. sd = CertificateSubjectDescription("2.5.4.41", keyName.toUri()) certificate.addSubjectDescription(sd) certificate.encode() return certificate
class TestGroupManager(ut.TestCase): def setUp(self): # Reuse the policy_config subdirectory for the temporary SQLite files. self.dKeyDatabaseFilePath = "policy_config/manager-d-key-test.db" try: os.remove(self.dKeyDatabaseFilePath) except OSError: # no such file pass self.eKeyDatabaseFilePath = "policy_config/manager-e-key-test.db" try: os.remove(self.eKeyDatabaseFilePath) except OSError: # no such file pass self.intervalDatabaseFilePath = "policy_config/manager-interval-test.db" try: os.remove(self.intervalDatabaseFilePath) except OSError: # no such file pass self.groupKeyDatabaseFilePath = "policy_config/manager-group-key-test.db" try: os.remove(self.groupKeyDatabaseFilePath) except OSError: # no such file pass params = RsaKeyParams() memberDecryptKey = RsaAlgorithm.generateKey(params) self.decryptKeyBlob = memberDecryptKey.getKeyBits() memberEncryptKey = RsaAlgorithm.deriveEncryptKey(self.decryptKeyBlob) self.encryptKeyBlob = memberEncryptKey.getKeyBits() # Generate the certificate. self.certificate = IdentityCertificate() self.certificate.setName(Name("/ndn/memberA/KEY/ksk-123/ID-CERT/123")) contentPublicKey = PublicKey(self.encryptKeyBlob) self.certificate.setPublicKeyInfo(contentPublicKey) self.certificate.setNotBefore(0) self.certificate.setNotAfter(0) self.certificate.encode() signatureInfoBlob = Blob(SIG_INFO, False) signatureValueBlob = Blob(SIG_VALUE, False) signature = TlvWireFormat.get().decodeSignatureInfoAndValue( signatureInfoBlob.buf(), signatureValueBlob.buf()) self.certificate.setSignature(signature) self.certificate.wireEncode() # Set up the keyChain. identityStorage = MemoryIdentityStorage() privateKeyStorage = MemoryPrivateKeyStorage() self.keyChain = KeyChain( IdentityManager(identityStorage, privateKeyStorage), NoVerifyPolicyManager()) identityName = Name("TestGroupManager") self.keyChain.createIdentityAndCertificate(identityName) self.keyChain.getIdentityManager().setDefaultIdentity(identityName) def tearDown(self): try: os.remove(self.dKeyDatabaseFilePath) except OSError: pass try: os.remove(self.eKeyDatabaseFilePath) except OSError: pass try: os.remove(self.intervalDatabaseFilePath) except OSError: pass try: os.remove(self.groupKeyDatabaseFilePath) except OSError: pass def setManager(self, manager): # Set up the first schedule. schedule1 = Schedule() interval11 = RepetitiveInterval( Schedule.fromIsoString("20150825T000000"), Schedule.fromIsoString("20150827T000000"), 5, 10, 2, RepetitiveInterval.RepeatUnit.DAY) interval12 = RepetitiveInterval( Schedule.fromIsoString("20150825T000000"), Schedule.fromIsoString("20150827T000000"), 6, 8, 1, RepetitiveInterval.RepeatUnit.DAY) interval13 = RepetitiveInterval( Schedule.fromIsoString("20150827T000000"), Schedule.fromIsoString("20150827T000000"), 7, 8) schedule1.addWhiteInterval(interval11) schedule1.addWhiteInterval(interval12) schedule1.addBlackInterval(interval13) # Set up the second schedule. schedule2 = Schedule() interval21 = RepetitiveInterval( Schedule.fromIsoString("20150825T000000"), Schedule.fromIsoString("20150827T000000"), 9, 12, 1, RepetitiveInterval.RepeatUnit.DAY) interval22 = RepetitiveInterval( Schedule.fromIsoString("20150827T000000"), Schedule.fromIsoString("20150827T000000"), 6, 8) interval23 = RepetitiveInterval( Schedule.fromIsoString("20150827T000000"), Schedule.fromIsoString("20150827T000000"), 2, 4) schedule2.addWhiteInterval(interval21) schedule2.addWhiteInterval(interval22) schedule2.addBlackInterval(interval23) # Add them to the group manager database. manager.addSchedule("schedule1", schedule1) manager.addSchedule("schedule2", schedule2) # Make some adaptions to certificate. dataBlob = self.certificate.wireEncode() memberA = Data() memberA.wireDecode(dataBlob, TlvWireFormat.get()) memberA.setName(Name("/ndn/memberA/KEY/ksk-123/ID-CERT/123")) memberB = Data() memberB.wireDecode(dataBlob, TlvWireFormat.get()) memberB.setName(Name("/ndn/memberB/KEY/ksk-123/ID-CERT/123")) memberC = Data() memberC.wireDecode(dataBlob, TlvWireFormat.get()) memberC.setName(Name("/ndn/memberC/KEY/ksk-123/ID-CERT/123")) # Add the members to the database. manager.addMember("schedule1", memberA) manager.addMember("schedule1", memberB) manager.addMember("schedule2", memberC) def test_create_d_key_data(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.dKeyDatabaseFilePath), 2048, 1, self.keyChain) newCertificateBlob = self.certificate.wireEncode() newCertificate = IdentityCertificate() newCertificate.wireDecode(newCertificateBlob) # Encrypt the D-KEY. data = manager._createDKeyData( "20150825T000000", "20150827T000000", Name("/ndn/memberA/KEY"), self.decryptKeyBlob, newCertificate.getPublicKeyInfo().getKeyDer()) # Verify the encrypted D-KEY. dataContent = data.getContent() # Get the nonce key. # dataContent is a sequence of the two EncryptedContent. encryptedNonce = EncryptedContent() encryptedNonce.wireDecode(dataContent) self.assertEqual(0, encryptedNonce.getInitialVector().size()) self.assertEqual(EncryptAlgorithmType.RsaOaep, encryptedNonce.getAlgorithmType()) blobNonce = encryptedNonce.getPayload() decryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep) nonce = RsaAlgorithm.decrypt(self.decryptKeyBlob, blobNonce, decryptParams) # Get the D-KEY. # Use the size of encryptedNonce to find the start of encryptedPayload. payloadContent = dataContent.buf()[encryptedNonce.wireEncode().size():] encryptedPayload = EncryptedContent() encryptedPayload.wireDecode(payloadContent) self.assertEqual(16, encryptedPayload.getInitialVector().size()) self.assertEqual(EncryptAlgorithmType.AesCbc, encryptedPayload.getAlgorithmType()) decryptParams.setAlgorithmType(EncryptAlgorithmType.AesCbc) decryptParams.setInitialVector(encryptedPayload.getInitialVector()) blobPayload = encryptedPayload.getPayload() largePayload = AesAlgorithm.decrypt(nonce, blobPayload, decryptParams) self.assertTrue(largePayload.equals(self.decryptKeyBlob)) def test_create_e_key_data(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.eKeyDatabaseFilePath), 1024, 1, self.keyChain) self.setManager(manager) data = manager._createEKeyData("20150825T090000", "20150825T110000", self.encryptKeyBlob) self.assertEqual( "/Alice/READ/data_type/E-KEY/20150825T090000/20150825T110000", data.getName().toUri()) contentBlob = data.getContent() self.assertTrue(self.encryptKeyBlob.equals(contentBlob)) def test_calculate_interval(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.intervalDatabaseFilePath), 1024, 1, self.keyChain) self.setManager(manager) memberKeys = {} timePoint1 = Schedule.fromIsoString("20150825T093000") result = manager._calculateInterval(timePoint1, memberKeys) self.assertEqual("20150825T090000", Schedule.toIsoString(result.getStartTime())) self.assertEqual("20150825T100000", Schedule.toIsoString(result.getEndTime())) timePoint2 = Schedule.fromIsoString("20150827T073000") result = manager._calculateInterval(timePoint2, memberKeys) self.assertEqual("20150827T070000", Schedule.toIsoString(result.getStartTime())) self.assertEqual("20150827T080000", Schedule.toIsoString(result.getEndTime())) timePoint3 = Schedule.fromIsoString("20150827T043000") result = manager._calculateInterval(timePoint3, memberKeys) self.assertEqual(False, result.isValid()) timePoint4 = Schedule.fromIsoString("20150827T053000") result = manager._calculateInterval(timePoint4, memberKeys) self.assertEqual("20150827T050000", Schedule.toIsoString(result.getStartTime())) self.assertEqual("20150827T060000", Schedule.toIsoString(result.getEndTime())) def test_get_group_key(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.groupKeyDatabaseFilePath), 1024, 1, self.keyChain) self.setManager(manager) # Get the data list from the group manager. timePoint1 = Schedule.fromIsoString("20150825T093000") result = manager.getGroupKey(timePoint1) self.assertEqual(4, len(result)) # The first data packet contains the group's encryption key (public key). data = result[0] self.assertEqual( "/Alice/READ/data_type/E-KEY/20150825T090000/20150825T100000", data.getName().toUri()) groupEKey = EncryptKey(data.getContent()) # Get the second data packet and decrypt. data = result[1] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberA/ksk-123", data.getName().toUri()) ####################################################### Start decryption. dataContent = data.getContent() # Get the nonce key. # dataContent is a sequence of the two EncryptedContent. encryptedNonce = EncryptedContent() encryptedNonce.wireDecode(dataContent) self.assertEqual(0, encryptedNonce.getInitialVector().size()) self.assertEqual(EncryptAlgorithmType.RsaOaep, encryptedNonce.getAlgorithmType()) decryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep) blobNonce = encryptedNonce.getPayload() nonce = RsaAlgorithm.decrypt(self.decryptKeyBlob, blobNonce, decryptParams) # Get the payload. # Use the size of encryptedNonce to find the start of encryptedPayload. payloadContent = dataContent.buf()[encryptedNonce.wireEncode().size():] encryptedPayload = EncryptedContent() encryptedPayload.wireDecode(payloadContent) self.assertEqual(16, encryptedPayload.getInitialVector().size()) self.assertEqual(EncryptAlgorithmType.AesCbc, encryptedPayload.getAlgorithmType()) decryptParams.setAlgorithmType(EncryptAlgorithmType.AesCbc) decryptParams.setInitialVector(encryptedPayload.getInitialVector()) blobPayload = encryptedPayload.getPayload() largePayload = AesAlgorithm.decrypt(nonce, blobPayload, decryptParams) # Get the group D-KEY. groupDKey = DecryptKey(largePayload) ####################################################### End decryption. # Check the D-KEY. derivedGroupEKey = RsaAlgorithm.deriveEncryptKey( groupDKey.getKeyBits()) self.assertTrue(groupEKey.getKeyBits().equals( derivedGroupEKey.getKeyBits())) # Check the third data packet. data = result[2] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberB/ksk-123", data.getName().toUri()) # Check the fourth data packet. data = result[3] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberC/ksk-123", data.getName().toUri()) # Check invalid time stamps for getting the group key. timePoint2 = Schedule.fromIsoString("20150826T083000") self.assertEqual(0, len(manager.getGroupKey(timePoint2))) timePoint3 = Schedule.fromIsoString("20150827T023000") self.assertEqual(0, len(manager.getGroupKey(timePoint3))) def test_get_group_key_without_regeneration(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.groupKeyDatabaseFilePath), 1024, 1, self.keyChain) self.setManager(manager) # Get the data list from the group manager. timePoint1 = Schedule.fromIsoString("20150825T093000") result = manager.getGroupKey(timePoint1) self.assertEqual(4, len(result)) # The first data packet contains the group's encryption key (public key). data1 = result[0] self.assertEqual( "/Alice/READ/data_type/E-KEY/20150825T090000/20150825T100000", data1.getName().toUri()) groupEKey1 = EncryptKey(data1.getContent()) # Get the second data packet and decrypt. data = result[1] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberA/ksk-123", data.getName().toUri()) # Add new members to the database. dataBlob = self.certificate.wireEncode() memberD = Data() memberD.wireDecode(dataBlob) memberD.setName(Name("/ndn/memberD/KEY/ksk-123/ID-CERT/123")) manager.addMember("schedule1", memberD) result2 = manager.getGroupKey(timePoint1, False) self.assertEqual(5, len(result2)) # Check that the new EKey is the same as the previous one. data2 = result2[0] self.assertEqual( "/Alice/READ/data_type/E-KEY/20150825T090000/20150825T100000", data2.getName().toUri()) groupEKey2 = EncryptKey(data2.getContent()) self.assertTrue(groupEKey1.getKeyBits().equals( groupEKey2.getKeyBits())) # Check the second data packet. data2 = result2[1] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberA/ksk-123", data2.getName().toUri())
def prepareUnsignedIdentityCertificate(self, keyName, publicKey, signingIdentity, notBefore, notAfter, subjectDescription = None, certPrefix = None): """ Prepare an unsigned identity certificate. :param Name keyName: The key name, e.g., `/{identity_name}/ksk-123456`. :param PublicKey publicKey: (optional) The public key to sign. If ommited, use the keyName to get the public key from the identity storage. :param Name signingIdentity: The signing identity. :param float notBefore: See IdentityCertificate. :param float notAfter: See IdentityCertificate. :param Array<CertificateSubjectDescription> subjectDescription: A list of CertificateSubjectDescription. See IdentityCertificate. If None or empty, this adds a an ATTRIBUTE_NAME based on the keyName. :param Name certPrefix: (optional) The prefix before the `KEY` component. If None, this infers the certificate name according to the relation between the signingIdentity and the subject identity. If the signingIdentity is a prefix of the subject identity, `KEY` will be inserted after the signingIdentity, otherwise `KEY` is inserted after subject identity (i.e., before `ksk-...`). :return: The unsigned IdentityCertificate, or None if the inputs are invalid. :rtype: IdentityCertificate """ if not isinstance(publicKey, PublicKey): # The publicKey was omitted. Shift arguments. certPrefix = subjectDescription subjectDescription = notAfter notAfter = notBefore notBefore = signingIdentity signingIdentity = publicKey publicKey = PublicKey(self._identityStorage.getKey(keyName)) if keyName.size() < 1: return None tempKeyIdPrefix = keyName.get(-1).toEscapedString() if len(tempKeyIdPrefix) < 4: return None keyIdPrefix = tempKeyIdPrefix[0:4] if keyIdPrefix != "ksk-" and keyIdPrefix != "dsk-": return None certificate = IdentityCertificate() certName = Name() if certPrefix == None: # No certificate prefix hint, so infer the prefix. if signingIdentity.match(keyName): certName.append(signingIdentity) \ .append("KEY") \ .append(keyName.getSubName(signingIdentity.size())) \ .append("ID-CERT") \ .appendVersion(int(Common.getNowMilliseconds())) else: certName.append(keyName.getPrefix(-1)) \ .append("KEY") \ .append(keyName.get(-1)) \ .append("ID-CERT") \ .appendVersion(int(Common.getNowMilliseconds())) else: # A cert prefix hint is supplied, so determine the cert name. if certPrefix.match(keyName) and not certPrefix.equals(keyName): certName.append(certPrefix) \ .append("KEY") \ .append(keyName.getSubName(certPrefix.size())) \ .append("ID-CERT") \ .appendVersion(int(Common.getNowMilliseconds())) else: return None certificate.setName(certName) certificate.setNotBefore(notBefore) certificate.setNotAfter(notAfter) certificate.setPublicKeyInfo(publicKey) if subjectDescription == None or len(subjectDescription) == 0: certificate.addSubjectDescription(CertificateSubjectDescription( "2.5.4.41", keyName.getPrefix(-1).toUri())) else: for i in range(len(subjectDescription)): certificate.addSubjectDescription(subjectDescription[i]) try: certificate.encode() except Exception as ex: raise SecurityException("DerEncodingException: " + str(ex)) return certificate
def generateCertificateForKey(self, keyName): # let any raised SecurityExceptions bubble up publicKeyBits = self._identityStorage.getKey(keyName) publicKeyType = self._identityStorage.getKeyType(keyName) publicKey = PublicKey(publicKeyType, publicKeyBits) timestamp = Common.getNowMilliseconds() # TODO: specify where the 'KEY' component is inserted # to delegate responsibility for cert delivery certificateName = keyName.getPrefix(-1).append('KEY').append( keyName.get(-1)) certificateName.append("ID-CERT").append( Name.Component(struct.pack(">Q", timestamp))) certificate = IdentityCertificate(certificateName) certificate.setNotBefore(timestamp) certificate.setNotAfter( (timestamp + 30 * 86400 * 1000)) # about a month certificate.setPublicKeyInfo(publicKey) # ndnsec likes to put the key name in a subject description sd = CertificateSubjectDescription("2.5.4.41", keyName.toUri()) certificate.addSubjectDescription(sd) certificate.encode() return certificate
def prepareUnsignedIdentityCertificate(self, keyName, publicKey, signingIdentity, notBefore, notAfter, subjectDescription=None, certPrefix=None): """ Prepare an unsigned identity certificate. :param Name keyName: The key name, e.g., `/{identity_name}/ksk-123456`. :param PublicKey publicKey: (optional) The public key to sign. If ommited, use the keyName to get the public key from the identity storage. :param Name signingIdentity: The signing identity. :param float notBefore: See IdentityCertificate. :param float notAfter: See IdentityCertificate. :param Array<CertificateSubjectDescription> subjectDescription: A list of CertificateSubjectDescription. See IdentityCertificate. If None or empty, this adds a an ATTRIBUTE_NAME based on the keyName. :param Name certPrefix: (optional) The prefix before the `KEY` component. If None, this infers the certificate name according to the relation between the signingIdentity and the subject identity. If the signingIdentity is a prefix of the subject identity, `KEY` will be inserted after the signingIdentity, otherwise `KEY` is inserted after subject identity (i.e., before `ksk-...`). :return: The unsigned IdentityCertificate, or None if the inputs are invalid. :rtype: IdentityCertificate """ if not isinstance(publicKey, PublicKey): # The publicKey was omitted. Shift arguments. certPrefix = subjectDescription subjectDescription = notAfter notAfter = notBefore notBefore = signingIdentity signingIdentity = publicKey publicKey = PublicKey(self._identityStorage.getKey(keyName)) if keyName.size() < 1: return None tempKeyIdPrefix = keyName.get(-1).toEscapedString() if len(tempKeyIdPrefix) < 4: return None keyIdPrefix = tempKeyIdPrefix[0:4] if keyIdPrefix != "ksk-" and keyIdPrefix != "dsk-": return None certificate = IdentityCertificate() certName = Name() if certPrefix == None: # No certificate prefix hint, so infer the prefix. if signingIdentity.match(keyName): certName.append(signingIdentity) \ .append("KEY") \ .append(keyName.getSubName(signingIdentity.size())) \ .append("ID-CERT") \ .appendVersion(int(Common.getNowMilliseconds())) else: certName.append(keyName.getPrefix(-1)) \ .append("KEY") \ .append(keyName.get(-1)) \ .append("ID-CERT") \ .appendVersion(int(Common.getNowMilliseconds())) else: # A cert prefix hint is supplied, so determine the cert name. if certPrefix.match(keyName) and not certPrefix.equals(keyName): certName.append(certPrefix) \ .append("KEY") \ .append(keyName.getSubName(certPrefix.size())) \ .append("ID-CERT") \ .appendVersion(int(Common.getNowMilliseconds())) else: return None certificate.setName(certName) certificate.setNotBefore(notBefore) certificate.setNotAfter(notAfter) certificate.setPublicKeyInfo(publicKey) if subjectDescription == None or len(subjectDescription) == 0: certificate.addSubjectDescription( CertificateSubjectDescription("2.5.4.41", keyName.getPrefix(-1).toUri())) else: for i in range(len(subjectDescription)): certificate.addSubjectDescription(subjectDescription[i]) try: certificate.encode() except Exception as ex: raise SecurityException("DerEncodingException: " + str(ex)) return certificate