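def get(self, keyName):
    """
    Get the key with name keyName from the container.

    :param Name keyName: The name of the key.
    :return: The PibKey object.
    :rtype: PibKey
    :raises ValueError: If keyName does not match the identity name.
    :raises Pib.Error: If the key does not exist.
    """
    if not self._identityName.equals(
          PibKey.extractIdentityFromKeyName(keyName)):
        raise ValueError("Key name `" + keyName.toUri() +
          "` does not match identity `" + self._identityName.toUri() + "`")

    # One dict lookup replaces the try/except KeyError; the cache is keyed by Name.
    pibKeyImpl = self._keys.get(keyName)
    # Identity test rather than `== None`, so a custom __eq__ can never
    # make a present entry look missing.
    if pibKeyImpl is None:
        # Not cached yet: load it from the backend. PibKeyImpl is expected to
        # raise Pib.Error when the backend has no such key (not visible here).
        pibKeyImpl = PibKeyImpl(keyName, self._pibImpl)
        # Copy the Name so the cache key cannot be changed through the
        # caller's object.
        self._keys[Name(keyName)] = pibKeyImpl

    return PibKey(pibKeyImpl)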
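def get(self, keyName):
    """
    Get the key with name keyName from the container.

    :param Name keyName: The name of the key.
    :return: The PibKey object.
    :rtype: PibKey
    :raises ValueError: If keyName does not match the identity name.
    :raises Pib.Error: If the key does not exist.
    """
    keyIdentity = PibKey.extractIdentityFromKeyName(keyName)
    if not self._identityName.equals(keyIdentity):
        raise ValueError("Key name `" + keyName.toUri() +
          "` does not match identity `" + self._identityName.toUri() + "`")

    # Cache hit: the dict is keyed by Name, so a plain .get() suffices.
    pibKeyImpl = self._keys.get(keyName)
    # `is None` (not `== None`): never route a presence check through __eq__.
    if pibKeyImpl is None:
        # Cache miss: load from the backend. PibKeyImpl is expected to raise
        # Pib.Error when the key does not exist there (not visible here).
        pibKeyImpl = PibKeyImpl(keyName, self._pibImpl)
        # Copy the Name so the caller cannot mutate the cache key afterwards.
        self._keys[Name(keyName)] = pibKeyImpl

    return PibKey(pibKeyImpl)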
def setKeyName(keyHandle, identityName, params):
    """
    Set the key name in keyHandle according to identityName and params.

    :param TpmKeyHandle keyHandle: The handle whose key name is set in place.
    :param Name identityName: The identity the key belongs to.
    :param KeyParams params: Supplies the key id type and, for USER_SPECIFIED
      and RANDOM, the key id itself.
    :raises TpmBackEnd.Error: If the key id type is RANDOM with an empty key
      id, or if the key id type is not recognized.
    """
    keyIdType = params.getKeyIdType()

    if keyIdType == KeyIdType.USER_SPECIFIED:
        keyId = params.getKeyId()
    elif keyIdType == KeyIdType.SHA256:
        # The key id is the SHA-256 digest of the derived public key bytes.
        digestContext = hashes.Hash(hashes.SHA256(), backend=default_backend())
        digestContext.update(keyHandle.derivePublicKey().toBytes())
        keyId = Name.Component(digestContext.finalize())
    elif keyIdType == KeyIdType.RANDOM:
        # The random id must already have been chosen by the caller.
        if params.getKeyId().getValue().size() == 0:
            raise TpmBackEnd.Error(
              "setKeyName: The keyId is empty for type RANDOM")
        keyId = params.getKeyId()
    else:
        raise TpmBackEnd.Error(
          "setKeyName: unrecognized params.getKeyIdType()")

    keyHandle.setKeyName(PibKey.constructKeyName(identityName, keyId))
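def test_key_management(self):
    """
    Check create, lookup and delete of one key on every TPM back end in
    self.backEndList, and that creating a duplicate name raises Tpm.Error
    instead of silently replacing the key.
    """
    for tpm in self.backEndList:
        identityName = Name("/Test/KeyName")
        keyId = Name.Component("1")
        keyName = PibKey.constructKeyName(identityName, keyId)

        # The key should not exist yet.
        self.assertEqual(False, tpm.hasKey(keyName))
        self.assertIsNone(tpm.getKeyHandle(keyName))

        # Create a key, which should exist.
        self.assertIsNotNone(tpm.createKey(identityName, RsaKeyParams(keyId)))
        self.assertTrue(tpm.hasKey(keyName))
        self.assertIsNotNone(tpm.getKeyHandle(keyName))

        # Creating a key with the same name must be rejected. assertRaises
        # replaces the try/fail/except/else form, whose else branch could
        # never run because self.fail inside the try already raised.
        with self.assertRaises(Tpm.Error):
            tpm.createKey(identityName, RsaKeyParams(keyId))

        # Delete the key, then it should not exist.
        tpm.deleteKey(keyName)
        self.assertEqual(False, tpm.hasKey(keyName))
        self.assertIsNone(tpm.getKeyHandle(keyName))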
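def test_key_management(self):
    """
    Check create, lookup and delete of one key on every TPM back end in
    self.backEndList, and that creating a duplicate name raises Tpm.Error
    instead of silently replacing the key.
    """
    for tpm in self.backEndList:
        identityName = Name("/Test/KeyName")
        keyId = Name.Component("1")
        keyName = PibKey.constructKeyName(identityName, keyId)

        # The key should not exist yet.
        self.assertEqual(False, tpm.hasKey(keyName))
        self.assertIsNone(tpm.getKeyHandle(keyName))

        # Create a key, which should exist.
        self.assertIsNotNone(tpm.createKey(identityName, RsaKeyParams(keyId)))
        self.assertTrue(tpm.hasKey(keyName))
        self.assertIsNotNone(tpm.getKeyHandle(keyName))

        # Creating a key with the same name must be rejected. assertRaises
        # replaces the try/fail/except/else form, whose else branch was
        # unreachable (self.fail inside the try already raised).
        with self.assertRaises(Tpm.Error):
            tpm.createKey(identityName, RsaKeyParams(keyId))

        # Delete the key, then it should not exist.
        tpm.deleteKey(keyName)
        self.assertEqual(False, tpm.hasKey(keyName))
        self.assertIsNone(tpm.getKeyHandle(keyName))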
def remove(self, keyName):
    """
    Remove the key with name keyName from the container, and its related
    certificates. If the key does not exist, do nothing.

    :param Name keyName: The name of the key.
    :raises ValueError: If keyName does not match the identity name.
    """
    keyIdentity = PibKey.extractIdentityFromKeyName(keyName)
    if not self._identityName.equals(keyIdentity):
        raise ValueError("Key name `" + keyName.toUri() +
          "` does not match identity `" + self._identityName.toUri() + "`")

    # Both drops tolerate a missing entry, which is the documented "do nothing".
    # NOTE(review): relies on _keyNames being a set (discard) -- confirm.
    self._keyNames.discard(keyName)
    self._keys.pop(keyName, None)

    # The backend removes the stored key and its certificates.
    self._pibImpl.removeKey(keyName)
def remove(self, keyName):
    """
    Remove the key with name keyName from the container, and its related
    certificates. If the key does not exist, do nothing.

    :param Name keyName: The name of the key.
    :raises ValueError: If keyName does not match the identity name.
    """
    if not self._identityName.equals(
          PibKey.extractIdentityFromKeyName(keyName)):
        raise ValueError("Key name `" + keyName.toUri() +
          "` does not match identity `" + self._identityName.toUri() + "`")

    # A missing entry is not an error here ("do nothing"), so use the
    # non-raising removals instead of catching KeyError twice.
    # NOTE(review): assumes _keyNames is a set -- confirm.
    self._keyNames.discard(keyName)
    self._keys.pop(keyName, None)

    # The backend drops the key bits and related certificates.
    self._pibImpl.removeKey(keyName)
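def __init__(self, keyName, arg2, arg3=None):
    """
    Create a PibKeyImpl, either loading an existing key from the backend or
    storing a new key encoding in it.

    Two call forms are supported:
      PibKeyImpl(keyName, pibImpl)              - load the key bits from pibImpl.
      PibKeyImpl(keyName, keyEncoding, pibImpl) - store keyEncoding in pibImpl.

    :param Name keyName: The name of the key; the identity name is derived from it.
    :param arg2: A PibImpl (first form) or the encoded key buffer (second form).
    :param PibImpl arg3: The PibImpl in the second form, otherwise None.
    :raises ValueError: If the PibImpl is None, or (second form) if the
      encoding cannot be decoded as a public key.
    :raises Pib.Error: (first form) If the stored key bits cannot be decoded.
    """
    self._defaultCertificate = None

    loadFromBackend = isinstance(arg2, PibImpl)
    if loadFromBackend:
        # PibKeyImpl(keyName, pibImpl)
        pibImpl = arg2
    else:
        # PibKeyImpl(keyName, keyEncoding, pibImpl)
        keyEncoding = arg2
        pibImpl = arg3

    # Reject a missing backend before anything is built on top of it.
    if pibImpl is None:
        raise ValueError("The pibImpl is None")

    self._identityName = PibKey.extractIdentityFromKeyName(keyName)
    self._keyName = Name(keyName)
    self._certificates = PibCertificateContainer(keyName, pibImpl)
    self._pibImpl = pibImpl

    if loadFromBackend:
        self._keyEncoding = self._pibImpl.getKeyBits(self._keyName)
        # Catch Exception, not everything: a bare except would also swallow
        # KeyboardInterrupt/SystemExit.
        try:
            publicKey = PublicKey(self._keyEncoding)
        except Exception:
            # We don't expect this since we just fetched the encoding.
            raise Pib.Error("Error decoding public key")
        self._keyType = publicKey.getKeyType()
    else:
        self._keyEncoding = Blob(keyEncoding, True)
        try:
            publicKey = PublicKey(self._keyEncoding)
            self._keyType = publicKey.getKeyType()
        except Exception:
            raise ValueError("Invalid key encoding")
        # Only store the key once it has decoded successfully.
        self._pibImpl.addKey(self._identityName, self._keyName, keyEncoding)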
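def __init__(self, keyName, arg2, arg3=None):
    """
    Create a PibKeyImpl, either loading an existing key from the backend or
    storing a new key encoding in it.

    Two call forms are supported:
      PibKeyImpl(keyName, pibImpl)              - load the key bits from pibImpl.
      PibKeyImpl(keyName, keyEncoding, pibImpl) - store keyEncoding in pibImpl.

    :param Name keyName: The name of the key; the identity name is derived from it.
    :param arg2: A PibImpl (first form) or the encoded key buffer (second form).
    :param PibImpl arg3: The PibImpl in the second form, otherwise None.
    :raises ValueError: If the PibImpl is None, or (second form) if the
      encoding cannot be decoded as a public key.
    :raises Pib.Error: (first form) If the stored key bits cannot be decoded.
    """
    self._defaultCertificate = None

    loadFromBackend = isinstance(arg2, PibImpl)
    if loadFromBackend:
        # PibKeyImpl(keyName, pibImpl)
        pibImpl = arg2
    else:
        # PibKeyImpl(keyName, keyEncoding, pibImpl)
        keyEncoding = arg2
        pibImpl = arg3

    # Validate the backend before it is handed to PibCertificateContainer.
    if pibImpl is None:
        raise ValueError("The pibImpl is None")

    self._identityName = PibKey.extractIdentityFromKeyName(keyName)
    self._keyName = Name(keyName)
    self._certificates = PibCertificateContainer(keyName, pibImpl)
    self._pibImpl = pibImpl

    if loadFromBackend:
        self._keyEncoding = self._pibImpl.getKeyBits(self._keyName)
        # `except Exception` instead of a bare except, which would also
        # swallow KeyboardInterrupt/SystemExit.
        try:
            publicKey = PublicKey(self._keyEncoding)
        except Exception:
            # We don't expect this since we just fetched the encoding.
            raise Pib.Error("Error decoding public key")
        self._keyType = publicKey.getKeyType()
    else:
        self._keyEncoding = Blob(keyEncoding, True)
        try:
            publicKey = PublicKey(self._keyEncoding)
            self._keyType = publicKey.getKeyType()
        except Exception:
            raise ValueError("Invalid key encoding")
        # Only persist the key after it has decoded successfully.
        self._pibImpl.addKey(self._identityName, self._keyName, keyEncoding)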
def createKey(self, identityName, params):
    """
    Create a key for the identityName according to params.

    :param Name identityName: The name of the identity.
    :param KeyParams params: The KeyParams for creating the key. For
      KeyIdType.RANDOM the chosen key id is written back with params.setKeyId.
    :return: The handle of the created key.
    :rtype: TpmKeyHandle
    :raises Tpm.Error: If a USER_SPECIFIED key name already exists, or if the
      key id type is not supported. Backend failures come from _doCreateKey.
    """
    keyIdType = params.getKeyIdType()

    if keyIdType == KeyIdType.USER_SPECIFIED:
        # The keyId is pre-set; never overwrite an existing key of that name.
        keyName = PibKey.constructKeyName(identityName, params.getKeyId())
        if self.hasKey(keyName):
            raise Tpm.Error("Key `" + keyName.toUri() + "` already exists")
    elif keyIdType == KeyIdType.SHA256:
        # The key name will be assigned in setKeyName after the key is generated.
        pass
    elif keyIdType == KeyIdType.RANDOM:
        # Draw 8 random bytes until the resulting key name is unused.
        # NOTE(review): _systemRandom is presumably a CSPRNG such as
        # random.SystemRandom -- confirm at its definition.
        while True:
            randomBytes = bytearray(
              _systemRandom.randint(0, 0xff) for _ in range(8))
            keyId = Name.Component(Blob(randomBytes, False))
            keyName = PibKey.constructKeyName(identityName, keyId)
            if not self.hasKey(keyName):
                # We got a unique one.
                break
        params.setKeyId(keyId)
    else:
        raise Tpm.Error("Unsupported key id type")

    return self._doCreateKey(identityName, params)
def delete_security_object(name, kind):
    """
    Delete a certificate, key or identity from the default KeyChain.

    :param str name: The NDN name URI of the object to delete.
    :param str kind: "c" for a certificate, "k" for a key; any other value
      is treated as an identity name.
    """
    key_chain = KeyChain()
    logging.info("Delete security object %s %s", name, kind)
    object_name = Name(name)

    if kind == "c":
        # The owning identity and key are derived from the certificate name.
        identity = key_chain.getPib().getIdentity(
          CertificateV2.extractIdentityFromCertName(object_name))
        key = identity.getKey(
          CertificateV2.extractKeyNameFromCertName(object_name))
        key_chain.deleteCertificate(key, object_name)
    elif kind == "k":
        identity = key_chain.getPib().getIdentity(
          PibKey.extractIdentityFromKeyName(object_name))
        key = identity.getKey(object_name)
        key_chain.deleteKey(identity, key)
    else:
        # Not "c" or "k": the name is taken to be an identity.
        key_chain.deleteIdentity(object_name)
def getKeysOfIdentity(self, identityName):
    """
    Get all the key names of the identity with the name identityName. The
    returned key names can be used to create a KeyContainer. With a key name
    and a backend implementation, one can create a Key front end instance.

    :param Name identityName: The name of the identity.
    :return: The set of key names. The Name objects are fresh copies. If the
      identity does not exist, return an empty set.
    :rtype: set of Name
    """
    # Each match is copied so callers cannot mutate the keys of self._keys.
    return set(
      Name(keyName) for keyName in self._keys
      if identityName.equals(PibKey.extractIdentityFromKeyName(keyName)))
def getKeysOfIdentity(self, identityName):
    """
    Get all the key names of the identity with the name identityName. The
    returned key names can be used to create a KeyContainer. With a key name
    and a backend implementation, one can create a Key front end instance.

    :param Name identityName: The name of the identity.
    :return: The set of key names. The Name objects are fresh copies. If the
      identity does not exist, return an empty set.
    :rtype: set of Name
    """
    def belongsToIdentity(keyName):
        return identityName.equals(PibKey.extractIdentityFromKeyName(keyName))

    # Copy every matching Name so the caller cannot alter the dict's keys.
    return {Name(keyName) for keyName in self._keys if belongsToIdentity(keyName)}
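def _checkPolicyHelper(self, keyName, state, continueValidation):
    """
    Fetch the default certificate of keyName from the PIB, install it as the
    only (temporary) trust anchor, and continue validation with it.

    :param Name keyName: The name of the key whose default certificate is used.
    :param ValidationState state: Receives CANNOT_RETRIEVE_CERTIFICATE via
      state.fail(...) if the identity, key or default certificate is missing.
    :param continueValidation: Called with (CertificateRequest, state) while
      the temporary anchor is loaded.
    :type continueValidation: function object
    """
    try:
        identity = self._pib.getIdentity(
          PibKey.extractIdentityFromKeyName(keyName))
    except Exception as ex:
        state.fail(ValidationError(
          ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
          "Cannot get the PIB identity for key " + keyName.toUri() + ": " +
          repr(ex)))
        return

    try:
        key = identity.getKey(keyName)
    except Exception as ex:
        state.fail(ValidationError(
          ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
          "Cannot get the PIB key " + keyName.toUri() + ": " + repr(ex)))
        return

    try:
        certificate = key.getDefaultCertificate()
    except Exception as ex:
        state.fail(ValidationError(
          ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
          "Cannot get the default certificate for key " + keyName.toUri() +
          ": " + repr(ex)))
        return

    # Add the certificate as the temporary trust anchor.
    self._validator.resetAnchors()
    self._validator.loadAnchor("", certificate)
    try:
        continueValidation(CertificateRequest(Interest(keyName)), state)
    finally:
        # Clear the temporary trust anchor even if continueValidation raises,
        # so an aborted validation cannot leave this certificate trusted for
        # whatever is validated next.
        self._validator.resetAnchors()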
def constructKeyName(identityName, params):
    """
    Construct the key name according to identityName and params.

    :param Name identityName: The identity the key belongs to.
    :param KeyParams params: Supplies the key id type and key id. Only
      USER_SPECIFIED and RANDOM are supported here: SHA256 needs the key
      handle, which this function does not have.
    :return: The key name built by PibKey.constructKeyName.
    :rtype: Name
    :raises TpmBackEnd.Error: If the key id type is RANDOM with an empty key
      id, or if the key id type is not supported (including SHA256).
    """
    keyIdType = params.getKeyIdType()

    if keyIdType == KeyIdType.USER_SPECIFIED:
        keyId = params.getKeyId()
    # We don't have the keyHandle, so we can't support KeyIdType.SHA256.
    elif keyIdType == KeyIdType.RANDOM:
        if params.getKeyId().getValue().size() == 0:
            raise TpmBackEnd.Error(
              "setKeyName: The keyId is empty for type RANDOM")
        keyId = params.getKeyId()
    else:
        raise TpmBackEnd.Error(
          "setKeyName: unrecognized params.getKeyIdType()")

    return PibKey.constructKeyName(identityName, keyId)
def checkNames(self, packetName, keyLocatorName, state):
    """
    Check that the identity of keyLocatorName stands in the configured
    relation (self._relation) to self._name, failing state if it does not.

    :param Name packetName: The packet name; only used in the failure message.
    :param Name keyLocatorName: The key name from the packet's KeyLocator.
    :param ValidationState state: Receives a POLICY_ERROR on failure.
    :return: The result of ConfigNameRelation.checkNameRelation.
    :rtype: bool
    """
    identity = PibKey.extractIdentityFromKeyName(keyLocatorName)
    relationHolds = ConfigNameRelation.checkNameRelation(
      self._relation, self._name, identity)
    if relationHolds:
        return relationHolds

    message = (
      "KeyLocator check failed: name relation %s %s for packet %s is invalid "
      "(KeyLocator=%s, identity=%s)" % (
        self._name.toUri(), ConfigNameRelation.toString(self._relation),
        packetName.toUri(), keyLocatorName.toUri(), identity.toUri()))
    state.fail(ValidationError(ValidationError.POLICY_ERROR, message))
    return relationHolds
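def _checkPolicyHelper(self, keyName, state, continueValidation):
    """
    Fetch the default certificate of keyName from the PIB, install it as the
    only (temporary) trust anchor, and continue validation with it.

    :param Name keyName: The name of the key whose default certificate is used.
    :param ValidationState state: Receives CANNOT_RETRIEVE_CERTIFICATE via
      state.fail(...) if the identity, key or default certificate is missing.
    :param continueValidation: Called with (CertificateRequest, state) while
      the temporary anchor is loaded.
    :type continueValidation: function object
    """
    def failCannotRetrieve(message):
        # All three lookups report the same error code; only the text differs.
        state.fail(ValidationError(
          ValidationError.CANNOT_RETRIEVE_CERTIFICATE, message))

    try:
        identity = self._pib.getIdentity(
          PibKey.extractIdentityFromKeyName(keyName))
    except Exception as ex:
        failCannotRetrieve("Cannot get the PIB identity for key " +
          keyName.toUri() + ": " + repr(ex))
        return

    try:
        key = identity.getKey(keyName)
    except Exception as ex:
        failCannotRetrieve("Cannot get the PIB key " + keyName.toUri() +
          ": " + repr(ex))
        return

    try:
        certificate = key.getDefaultCertificate()
    except Exception as ex:
        failCannotRetrieve("Cannot get the default certificate for key " +
          keyName.toUri() + ": " + repr(ex))
        return

    # Add the certificate as the temporary trust anchor.
    self._validator.resetAnchors()
    self._validator.loadAnchor("", certificate)
    try:
        continueValidation(CertificateRequest(Interest(keyName)), state)
    finally:
        # Clear the temporary trust anchor on every exit path, so an exception
        # inside continueValidation cannot leave this certificate trusted.
        self._validator.resetAnchors()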
def removeKey(self, keyName):
    """
    Remove the key with keyName and its related certificates. If the key
    does not exist, do nothing.

    :param Name keyName: The name of the key.
    """
    identityName = PibKey.extractIdentityFromKeyName(keyName)

    # Missing entries are not errors, so use the non-raising removals.
    self._keys.pop(keyName, None)
    # NOTE(review): this clears the identity's default key whether or not
    # keyName was the default -- confirm that is intended.
    self._defaultKeyNames.pop(identityName, None)

    for certificateName in self.getCertificatesOfKey(keyName):
        self.removeCertificate(certificateName)
def removeKey(self, keyName):
    """
    Remove the key with keyName and its related certificates. If the key
    does not exist, do nothing.

    :param Name keyName: The name of the key.
    """
    identityName = PibKey.extractIdentityFromKeyName(keyName)

    # pop(..., None) replaces the two try/except KeyError blocks.
    self._keys.pop(keyName, None)
    # NOTE(review): the default key name of the identity is dropped even when
    # keyName is not that default -- confirm this is the intended contract.
    self._defaultKeyNames.pop(identityName, None)

    # Certificates are removed one by one through removeCertificate.
    certificateNames = self.getCertificatesOfKey(keyName)
    for certificateName in certificateNames:
        self.removeCertificate(certificateName)
def add(self, key, keyName):
    """
    Add a key with name keyName into the container. If a key with the same
    name already exists, this replaces it.

    :param key: The buffer of encoded key bytes.
    :type key: an array which implements the buffer protocol
    :param Name keyName: The name of the key, which is copied.
    :return: The PibKey object.
    :rtype: PibKey
    :raises ValueError: If the name of the key does not match the identity
      name.
    """
    keyIdentity = PibKey.extractIdentityFromKeyName(keyName)
    if not self._identityName.equals(keyIdentity):
        raise ValueError("The key name `" + keyName.toUri() +
          "` does not match the identity name `" +
          self._identityName.toUri() + "`")

    # Store copies of the Name: the caller keeps its own object and must not
    # be able to change the container's entries through it.
    self._keyNames.add(Name(keyName))
    newImpl = PibKeyImpl(keyName, key, self._pibImpl)
    self._keys[Name(keyName)] = newImpl

    # Hand back the front-end object through the normal lookup path.
    return self.get(keyName)
def add(self, key, keyName):
    """
    Add a key with name keyName into the container. If a key with the same
    name already exists, this replaces it.

    :param key: The buffer of encoded key bytes.
    :type key: an array which implements the buffer protocol
    :param Name keyName: The name of the key, which is copied.
    :return: The PibKey object.
    :rtype: PibKey
    :raises ValueError: If the name of the key does not match the identity
      name.
    """
    if not self._identityName.equals(
          PibKey.extractIdentityFromKeyName(keyName)):
        raise ValueError("The key name `" + keyName.toUri() +
          "` does not match the identity name `" +
          self._identityName.toUri() + "`")

    # Register the name, then the implementation (PibKeyImpl also stores the
    # encoding in the backend). Both entries hold their own Name copy.
    self._keyNames.add(Name(keyName))
    self._keys[Name(keyName)] = PibKeyImpl(keyName, key, self._pibImpl)

    return self.get(keyName)
def checkNames(self, packetName, keyLocatorName, state):
    """
    Check that the identity of keyLocatorName stands in the configured
    relation (self._relation) to self._name, failing state if it does not.

    :param Name packetName: The packet name; only used in the failure message.
    :param Name keyLocatorName: The key name from the packet's KeyLocator.
    :param ValidationState state: Receives a POLICY_ERROR on failure.
    :return: The result of ConfigNameRelation.checkNameRelation.
    :rtype: bool
    """
    identity = PibKey.extractIdentityFromKeyName(keyLocatorName)
    result = ConfigNameRelation.checkNameRelation(
      self._relation, self._name, identity)

    if not result:
        details = [
          "KeyLocator check failed: name relation ", self._name.toUri(), " ",
          ConfigNameRelation.toString(self._relation), " for packet ",
          packetName.toUri(), " is invalid (KeyLocator=",
          keyLocatorName.toUri(), ", identity=", identity.toUri(), ")"]
        state.fail(ValidationError(
          ValidationError.POLICY_ERROR, "".join(details)))

    return result
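def test_basic(self):
    """
    Exercise PibKeyContainer add/get/remove against a PibMemory backend and
    check that the container's key cache (container._keys) tracks its size.
    """
    fixture = self.fixture
    pibImpl = PibMemory()

    # Start with an empty container.
    container = PibKeyContainer(fixture.id1, pibImpl)
    self.assertEqual(0, container.size())
    self.assertEqual(0, len(container._keys))

    # Add the first key.
    key11 = container.add(fixture.id1Key1.buf(), fixture.id1Key1Name)
    self.assertTrue(fixture.id1Key1Name.equals(key11.getName()))
    self.assertTrue(key11.getPublicKey().equals(fixture.id1Key1))
    self.assertEqual(1, container.size())
    self.assertEqual(1, len(container._keys))
    self.assertIn(fixture.id1Key1Name, container._keys)

    # Add the same key again: it replaces the entry, so the size stays 1.
    key12 = container.add(fixture.id1Key1.buf(), fixture.id1Key1Name)
    self.assertTrue(fixture.id1Key1Name.equals(key12.getName()))
    self.assertTrue(key12.getPublicKey().equals(fixture.id1Key1))
    self.assertEqual(1, container.size())
    self.assertEqual(1, len(container._keys))
    self.assertIn(fixture.id1Key1Name, container._keys)

    # Add the second key.
    key21 = container.add(fixture.id1Key2.buf(), fixture.id1Key2Name)
    self.assertTrue(fixture.id1Key2Name.equals(key21.getName()))
    self.assertTrue(key21.getPublicKey().equals(fixture.id1Key2))
    self.assertEqual(2, container.size())
    self.assertEqual(2, len(container._keys))
    self.assertIn(fixture.id1Key1Name, container._keys)
    self.assertIn(fixture.id1Key2Name, container._keys)

    # Get keys. An unexpected exception fails the test with its own
    # traceback, so the former try/except/self.fail wrappers are not needed.
    container.get(fixture.id1Key1Name)
    container.get(fixture.id1Key2Name)

    # A key name under the same identity that was never added must raise.
    # assertRaises replaces the try/fail/except/else form, whose else branch
    # was unreachable.
    id1Key3Name = PibKey.constructKeyName(
      fixture.id1, Name.Component("non-existing-id"))
    with self.assertRaises(Pib.Error):
        container.get(id1Key3Name)

    # Get and check keys.
    key1 = container.get(fixture.id1Key1Name)
    key2 = container.get(fixture.id1Key2Name)
    self.assertTrue(fixture.id1Key1Name.equals(key1.getName()))
    self.assertTrue(key1.getPublicKey().equals(fixture.id1Key1))
    # Compare via Name.equals like every other name check in this test.
    self.assertTrue(fixture.id1Key2Name.equals(key2.getName()))
    self.assertTrue(key2.getPublicKey().equals(fixture.id1Key2))

    # Create another container using the same PibImpl. The cache should be empty.
    container2 = PibKeyContainer(fixture.id1, pibImpl)
    self.assertEqual(2, container2.size())
    self.assertEqual(0, len(container2._keys))

    # Get a key. The cache should be filled one entry at a time.
    container2.get(fixture.id1Key1Name)
    self.assertEqual(2, container2.size())
    self.assertEqual(1, len(container2._keys))

    container2.get(fixture.id1Key2Name)
    self.assertEqual(2, container2.size())
    self.assertEqual(2, len(container2._keys))

    # Remove a key.
    container2.remove(fixture.id1Key1Name)
    self.assertEqual(1, container2.size())
    self.assertEqual(1, len(container2._keys))
    self.assertNotIn(fixture.id1Key1Name, container2._keys)
    self.assertIn(fixture.id1Key2Name, container2._keys)

    # Remove another key.
    container2.remove(fixture.id1Key2Name)
    self.assertEqual(0, container2.size())
    self.assertEqual(0, len(container2._keys))
    self.assertNotIn(fixture.id1Key2Name, container2._keys)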