def __init__(self, identity, dataset, keyChain, face):
self._identity = identity
self._keyChain = keyChain
self._face = face
# storage_ is for the KEK and KDKs.
self._storage = InMemoryStorageRetaining()
# The NAC identity is: <identity>/NAC/<dataset>
# Generate the NAC key.
nacIdentity = self._keyChain.createIdentityV2(
Name(identity.getName())
.append(EncryptorV2.NAME_COMPONENT_NAC).append(dataset),
RsaKeyParams())
self._nacKey = nacIdentity.getDefaultKey()
if self._nacKey.getKeyType() != KeyType.RSA:
logging.getLogger(__name__).info(
"Cannot re-use existing KEK/KDK pair, as it is not an RSA key, regenerating")
self._nacKey = self._keyChain.createKey(nacIdentity, RsaKeyParams())
nacKeyId = self._nacKey.getName().get(-1)
kekPrefix = Name(self._nacKey.getIdentityName()).append(
EncryptorV2.NAME_COMPONENT_KEK)
kekData = Data(self._nacKey.getDefaultCertificate())
kekData.setName(Name(kekPrefix).append(nacKeyId))
kekData.getMetaInfo().setFreshnessPeriod(
AccessManagerV2.DEFAULT_KEK_FRESHNESS_PERIOD_MS)
self._keyChain.sign(kekData, SigningInfo(self._identity))
# kek looks like a cert, but doesn't have ValidityPeriod
self._storage.insert(kekData)
def serveFromStorage(prefix, interest, face, interestFilterId, filter):
data = self._storage.find(interest)
if data != None:
logging.getLogger(__name__).info("Serving " +
data.getName().toUri() + " from in-memory-storage")
try:
face.putData(data)
except:
logging.exception("AccessManagerV2: Error in Face.putData")
else:
logging.getLogger(__name__).info("Didn't find data for " +
interest.getName().toUri())
# TODO: Send NACK?
def onRegisterFailed(prefix):
logging.getLogger(__name__).error(
"AccessManagerV2: Failed to register prefix " + prefix.toUri())
self._kekRegisteredPrefixId = self._face.registerPrefix(
kekPrefix, serveFromStorage, onRegisterFailed)
kdkPrefix = Name(self._nacKey.getIdentityName()).append(
EncryptorV2.NAME_COMPONENT_KDK).append(nacKeyId)
self._kdkRegisteredPrefixId_ = self._face.registerPrefix(
kdkPrefix, serveFromStorage, onRegisterFailed)
def setName(self, name):
"""
Overrides Data.setName() to ensure that the new name is a valid identity
certificate name.
:param name: The new name for this IdentityCertificate
:type name: Name
"""
if (not self._isCorrectName(name)):
raise SecurityException("Bad format for identity certificate name!")
Data.setName(self, name)
self._setPublicKeyName()
def setName(self, name):
"""
Overrides Data.setName() to ensure that the new name is a valid identity
certificate name.
:param name: The new name for this IdentityCertificate
:type name: Name
"""
if (not self._isCorrectName(name)):
raise SecurityException(
"Bad format for identity certificate name!")
Data.setName(self, name)
self._setPublicKeyName()
def _encryptContentKey(self, encryptionKey, eKeyName, timeSlot,
onEncryptedKeys, onError):
"""
Get the content key from the database_ and encrypt it for the timeSlot
using encryptionKey.
:param Blob encryptionKey: The encryption key value.
:param Name eKeyName: The key name for the EncryptedContent.
:param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC.
:param onEncryptedKeys: When there are no more interests to process,
this calls onEncryptedKeys(keys) where keys is a list of encrypted
content key Data packets. If onEncryptedKeys is None, this does not
use it.
:type onEncryptedKeys: function object
:param onError: This calls onError(errorCode, message) for an error.
:type onError: function object
:return: True if encryption succeeds, otherwise False.
:rtype: bool
"""
timeCount = round(timeSlot)
keyRequest = self._keyRequests[timeCount]
keyName = Name(self._namespace)
keyName.append(Encryptor.NAME_COMPONENT_C_KEY)
keyName.append(
Schedule.toIsoString(Producer._getRoundedTimeSlot(timeSlot)))
contentKey = self._database.getContentKey(timeSlot)
cKeyData = Data()
cKeyData.setName(keyName)
params = EncryptParams(EncryptAlgorithmType.RsaOaep)
try:
Encryptor.encryptData(cKeyData, contentKey, eKeyName,
encryptionKey, params)
except Exception as ex:
try:
onError(EncryptError.ErrorCode.EncryptionFailure,
"encryptData error: " + repr(ex))
except:
logging.exception("Error in onError")
return False
self._keyChain.sign(cKeyData)
keyRequest.encryptedKeys.append(cKeyData)
self._updateKeyRequest(keyRequest, timeCount, onEncryptedKeys)
return True
def _encryptContentKey(self, encryptionKey, eKeyName, timeSlot,
onEncryptedKeys, onError):
"""
Get the content key from the database_ and encrypt it for the timeSlot
using encryptionKey.
:param Blob encryptionKey: The encryption key value.
:param Name eKeyName: The key name for the EncryptedContent.
:param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC.
:param onEncryptedKeys: When there are no more interests to process,
this calls onEncryptedKeys(keys) where keys is a list of encrypted
content key Data packets. If onEncryptedKeys is None, this does not
use it.
:type onEncryptedKeys: function object
:param onError: This calls onError(errorCode, message) for an error.
:type onError: function object
:return: True if encryption succeeds, otherwise False.
:rtype: bool
"""
timeCount = round(timeSlot)
keyRequest = self._keyRequests[timeCount]
keyName = Name(self._namespace)
keyName.append(Encryptor.NAME_COMPONENT_C_KEY)
keyName.append(
Schedule.toIsoString(Producer._getRoundedTimeSlot(timeSlot)))
contentKey = self._database.getContentKey(timeSlot)
cKeyData = Data()
cKeyData.setName(keyName)
params = EncryptParams(EncryptAlgorithmType.RsaOaep)
try:
Encryptor.encryptData(
cKeyData, contentKey, eKeyName, encryptionKey, params)
except Exception as ex:
try:
onError(EncryptError.ErrorCode.EncryptionFailure,
"encryptData error: " + repr(ex))
except:
logging.exception("Error in onError")
return False
self._keyChain.sign(cKeyData)
keyRequest.encryptedKeys.append(cKeyData)
self._updateKeyRequest(keyRequest, timeCount, onEncryptedKeys)
return True
