def _initialTimeOut(self, interest): """ Initial sync interest timeout, which means there are no other publishers yet. """ if not self._enabled: # Ignore callbacks after the application calls shutdown(). return logging.getLogger(__name__).info("initial sync timeout") logging.getLogger(__name__).info("no other people") self._sequenceNo += 1 if self._sequenceNo != 0: # Since there were no other users, we expect sequence no 0. raise RuntimeError( "ChronoSync: sequenceNo_ is not the expected value of 0 for first use.") tempContent = sync_state_pb2.SyncStateMsg() content = getattr(tempContent, "ss").add() content.name = self._applicationDataPrefixUri content.type = SyncState_UPDATE content.seqno.seq = self._sequenceNo content.seqno.session = self._sessionNo self._update(getattr(tempContent, "ss")) self._onInitialized() name = Name(self._applicationBroadcastPrefix) name.append(self._digestTree.getRoot()) retryInterest = Interest(name) retryInterest.setInterestLifetimeMilliseconds(self._syncLifetime) self._face.expressInterest(retryInterest, self._onData, self._syncTimeout) logging.getLogger(__name__).info("Syncinterest expressed:") logging.getLogger(__name__).info("%s", name.toUri())
def _createDKeyData(self, startTimeStamp, endTimeStamp, keyName, privateKeyBlob, certificateKey): """ Create a D-KEY Data packet with an EncryptedContent for the given private key, encrypted with the certificate key. :param str startTimeStamp: The start time stamp string to put in the name. :param str endTimeStamp: The end time stamp string to put in the name. :param Name keyName The key name to put in the data packet name and the EncryptedContent key locator. :param Blob privateKeyBlob: A Blob of the encoded private key. :param Blob certificateKey: The certificate key encoding, used to encrypt the private key. :return: The Data packet. :rtype: Data """ name = Name(self._namespace) name.append(Encryptor.NAME_COMPONENT_D_KEY) name.append(startTimeStamp).append(endTimeStamp) data = Data(name) data.getMetaInfo().setFreshnessPeriod( self._freshnessHours * GroupManager.MILLISECONDS_IN_HOUR) encryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep) Encryptor.encryptData( data, privateKeyBlob, keyName, certificateKey, encryptParams) self._keyChain.sign(data) return data
def produce(self, data, timeSlot, content, onError=defaultOnError): """ Encrypt the given content with the content key that covers timeSlot, and update the data packet with the encrypted content and an appropriate data name. :param Data data: An empty Data object which is updated. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param Blob content: The content to encrypt. :param onError: (optional) This calls onError(errorCode, message) for an error, where errorCode is from EncryptError.ErrorCode and message is a str. If omitted, use a default callback which does nothing. NOTE: The library will log any exceptions raised by this callback, but for better error handling the callback should catch and properly handle any exceptions. :type onError: function object """ # Get a content key. contentKeyName = self.createContentKey(timeSlot, None, onError) contentKey = self._database.getContentKey(timeSlot) # Produce data. dataName = Name(self._namespace) dataName.append(Schedule.toIsoString(timeSlot)) data.setName(dataName) params = EncryptParams(EncryptAlgorithmType.AesCbc, 16) Encryptor.encryptData(data, content, contentKeyName, contentKey, params) self._keyChain.sign(data)
def _createDKeyData(self, startTimeStamp, endTimeStamp, keyName, privateKeyBlob, certificateKey): """ Create a D-KEY Data packet with an EncryptedContent for the given private key, encrypted with the certificate key. :param str startTimeStamp: The start time stamp string to put in the name. :param str endTimeStamp: The end time stamp string to put in the name. :param Name keyName The key name to put in the data packet name and the EncryptedContent key locator. :param Blob privateKeyBlob: A Blob of the encoded private key. :param Blob certificateKey: The certificate key encoding, used to encrypt the private key. :return: The Data packet. :rtype: Data """ name = Name(self._namespace) name.append(Encryptor.NAME_COMPONENT_D_KEY) name.append(startTimeStamp).append(endTimeStamp) data = Data(name) data.getMetaInfo().setFreshnessPeriod( self._freshnessHours * GroupManager.MILLISECONDS_IN_HOUR) encryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep) Encryptor.encryptData(data, privateKeyBlob, keyName, certificateKey, encryptParams) self._keyChain.sign(data) return data
def _onData(self, interest, data): """ Process Sync Data. """ if not self._enabled: # Ignore callbacks after the application calls shutdown(). return logging.getLogger(__name__).info( "Sync ContentObject received in callback") logging.getLogger(__name__).info("name: %s", data.getName().toUri()) # TODO: Check if this works in Python 3. tempContent = SyncStateMsg() #pylint: disable=E1103 tempContent.ParseFromString(data.getContent().toBytes()) #pylint: enable=E1103 content = getattr(tempContent, "ss") if self._digestTree.getRoot() == "00": isRecovery = True #processing initial sync data self._initialOndata(content) else: self._update(content) if (interest.getName().size() == self._applicationBroadcastPrefix.size() + 2): # Assume this is a recovery interest. isRecovery = True else: isRecovery = False # Send the interests to fetch the application data. syncStates = [] for i in range(len(content)): syncState = content[i] # Only report UPDATE sync states. if syncState.type == SyncState_UPDATE: if len(syncState.application_info) > 0: applicationInfo = Blob(syncState.application_info, True) else: applicationInfo = Blob() syncStates.append( self.SyncState(syncState.name, syncState.seqno.session, syncState.seqno.seq, applicationInfo)) try: self._onReceivedSyncState(syncStates, isRecovery) except: logging.exception("Error in onReceivedSyncState") name = Name(self._applicationBroadcastPrefix) name.append(self._digestTree.getRoot()) syncInterest = Interest(name) syncInterest.setInterestLifetimeMilliseconds(self._syncLifetime) self._face.expressInterest(syncInterest, self._onData, self._syncTimeout) logging.getLogger(__name__).info("Syncinterest expressed:") logging.getLogger(__name__).info("%s", name.toUri())
def _onData(self, interest, data): """ Process Sync Data. """ if not self._enabled: # Ignore callbacks after the application calls shutdown(). return logging.getLogger(__name__).info( "Sync ContentObject received in callback") logging.getLogger(__name__).info( "name: %s", data.getName().toUri()) # TODO: Check if this works in Python 3. tempContent = SyncStateMsg() #pylint: disable=E1103 tempContent.ParseFromString(data.getContent().toBytes()) #pylint: enable=E1103 content = getattr(tempContent, "ss") if self._digestTree.getRoot() == "00": isRecovery = True #processing initial sync data self._initialOndata(content) else: self._update(content) if (interest.getName().size() == self._applicationBroadcastPrefix.size() + 2): # Assume this is a recovery interest. isRecovery = True else: isRecovery = False # Send the interests to fetch the application data. syncStates = [] for i in range(len(content)): syncState = content[i] # Only report UPDATE sync states. if syncState.type == SyncState_UPDATE: if len(syncState.application_info) > 0: applicationInfo = Blob(syncState.application_info, True) else: applicationInfo = Blob() syncStates.append(self.SyncState( syncState.name, syncState.seqno.session, syncState.seqno.seq, applicationInfo)) try: self._onReceivedSyncState(syncStates, isRecovery) except: logging.exception("Error in onReceivedSyncState") name = Name(self._applicationBroadcastPrefix) name.append(self._digestTree.getRoot()) syncInterest = Interest(name) syncInterest.setInterestLifetimeMilliseconds(self._syncLifetime) self._face.expressInterest(syncInterest, self._onData, self._syncTimeout) logging.getLogger(__name__).info("Syncinterest expressed:") logging.getLogger(__name__).info("%s", name.toUri())
def _sendRecovery(self, syncDigest): """ Send Recovery Interest. """ logging.getLogger(__name__).info("unknown digest: ") name = Name(self._applicationBroadcastPrefix) name.append("recovery").append(syncDigest) interest = Interest(name) interest.setInterestLifetimeMilliseconds(self._syncLifetime) self._face.expressInterest(interest, self._onData, self._syncTimeout) logging.getLogger(__name__).info("Recovery Syncinterest expressed:") logging.getLogger(__name__).info("%s", name.toUri())
def addMember(self, memberCertificate): """ Authorize a member identified by memberCertificate to decrypt data under the policy. :param CertificateV2 memberCertificate: The certificate that identifies the member to authorize. :return: The published KDK Data packet. :rtype: Data """ kdkName = Name(self._nacKey.getIdentityName()) kdkName.append(EncryptorV2.NAME_COMPONENT_KDK).append( # key-id self._nacKey.getName().get(-1)).append( EncryptorV2.NAME_COMPONENT_ENCRYPTED_BY).append( memberCertificate.getKeyName()) secretLength = 32 secret = bytearray(secretLength) for i in range(secretLength): secret[i] = _systemRandom.randint(0, 0xff) # To be compatible with OpenSSL which uses a null-terminated string, # replace each 0 with 1. And to be compatible with the Java security # library which interprets the secret as a char array converted to UTF8, # limit each byte to the ASCII range 1 to 127. for i in range(secretLength): if secret[i] == 0: secret[i] = 1 secret[i] &= 0x7f kdkSafeBag = self._keyChain.exportSafeBag( self._nacKey.getDefaultCertificate(), Blob(secret, False).toBytes()) memberKey = PublicKey(memberCertificate.getPublicKey()) encryptedContent = EncryptedContent() encryptedContent.setPayload(kdkSafeBag.wireEncode()) encryptedContent.setPayloadKey( memberKey.encrypt( Blob(secret, False).toBytes(), EncryptAlgorithmType.RsaOaep)) kdkData = Data(kdkName) kdkData.setContent(encryptedContent.wireEncodeV2()) # FreshnessPeriod can serve as a soft access control for revoking access. kdkData.getMetaInfo().setFreshnessPeriod( AccessManagerV2.DEFAULT_KDK_FRESHNESS_PERIOD_MS) self._keyChain.sign(kdkData, SigningInfo(self._identity)) self._storage.insert(kdkData) return kdkData
def constructKeyName(identityName, keyId): """ Construct a key name based on the appropriate naming conventions. :param Name identityName: The name of the identity. :param Name.Component keyId: The key ID name component. :return: The constructed name as a new Name. :rtype: Name """ keyName = Name(identityName) keyName.append(CertificateV2.KEY_COMPONENT).append(keyId) return keyName
def _decryptCKey(self, cKeyData, onPlainText, onError): """ Decrypt cKeyData. :param Data cKeyData: The C-KEY data packet. :param onPlainText: When the data packet is decrypted, this calls onPlainText(decryptedBlob) with the decrypted blob. :type onPlainText: function object :param onError: This calls onError(errorCode, message) for an error, where errorCode is from EncryptError.ErrorCode and message is a str. :type onError: function object """ # Get the encrypted content. cKeyContent = cKeyData.getContent() cKeyEncryptedContent = EncryptedContent() try: cKeyEncryptedContent.wireDecode(cKeyContent) except Exception as ex: try: onError(EncryptError.ErrorCode.InvalidEncryptedFormat, repr(ex)) except: logging.exception("Error in onError") return eKeyName = cKeyEncryptedContent.getKeyLocator().getKeyName() dKeyName = eKeyName.getPrefix(-3) dKeyName.append(Encryptor.NAME_COMPONENT_D_KEY).append( eKeyName.getSubName(-2)) # Check if the decryption key is already in the store. if dKeyName in self._dKeyMap: dKey = self._dKeyMap[dKeyName] Consumer._decrypt(cKeyEncryptedContent, dKey, onPlainText, onError) else: # Get the D-Key Data. interestName = Name(dKeyName) interestName.append(Encryptor.NAME_COMPONENT_FOR).append( self._consumerName) interest = Interest(interestName) def onVerified(validDKeyData): def localOnPlainText(dKeyBits): # dKeyName is already a local copy. self._dKeyMap[dKeyName] = dKeyBits Consumer._decrypt(cKeyEncryptedContent, dKeyBits, onPlainText, onError) self._decryptDKey(validDKeyData, localOnPlainText, onError) self._sendInterest(interest, 1, self._dKeyLink, onVerified, onError)
def __init__(self, prefix, dataType, face, keyChain, database, repeatAttempts=None, keyRetrievalLink=None): self._face = face self._keyChain = keyChain self._database = database self._maxRepeatAttempts = 3 if repeatAttempts == None else repeatAttempts self._keyRetrievalLink = Producer.NO_LINK if keyRetrievalLink == None else Link(keyRetrievalLink) # The dictionary key is the key Name The value is a Producer._KeyInfo. self._eKeyInfo = {} # The dictionary key is the float time stamp. The value is a Producer._KeyRequest. self._keyRequests = {} fixedPrefix = Name(prefix) fixedDataType = Name(dataType) # Fill _ekeyInfo with all permutations of dataType, including the 'E-KEY' # component of the name. This will be used in createContentKey to send # interests without reconstructing names every time. fixedPrefix.append(Encryptor.NAME_COMPONENT_READ) while fixedDataType.size() > 0: nodeName = Name(fixedPrefix) nodeName.append(fixedDataType) nodeName.append(Encryptor.NAME_COMPONENT_E_KEY) self._eKeyInfo[nodeName] = Producer._KeyInfo() fixedDataType = fixedDataType.getPrefix(-1) fixedPrefix.append(dataType) self._namespace = Name(prefix) self._namespace.append(Encryptor.NAME_COMPONENT_SAMPLE) self._namespace.append(dataType)
def __init__(self, prefix, dataType, face, keyChain, database, repeatAttempts = None, keyRetrievalLink = None): self._face = face self._keyChain = keyChain self._database = database self._maxRepeatAttempts = (3 if repeatAttempts == None else repeatAttempts) self._keyRetrievalLink = (Producer.NO_LINK if keyRetrievalLink == None else Link(keyRetrievalLink)) # The dictionary key is the key Name The value is a Producer._KeyInfo. self._eKeyInfo = {} # The dictionary key is the float time stamp. The value is a Producer._KeyRequest. self._keyRequests = {} fixedPrefix = Name(prefix) fixedDataType = Name(dataType) # Fill _ekeyInfo with all permutations of dataType, including the 'E-KEY' # component of the name. This will be used in createContentKey to send # interests without reconstructing names every time. fixedPrefix.append(Encryptor.NAME_COMPONENT_READ) while fixedDataType.size() > 0: nodeName = Name(fixedPrefix) nodeName.append(fixedDataType) nodeName.append(Encryptor.NAME_COMPONENT_E_KEY) self._eKeyInfo[nodeName] = Producer._KeyInfo() fixedDataType = fixedDataType.getPrefix(-1) fixedPrefix.append(dataType) self._namespace = Name(prefix) self._namespace.append(Encryptor.NAME_COMPONENT_SAMPLE) self._namespace.append(dataType)
def _makeSelfSignedCertificate(keyName, privateKeyBag, publicKeyEncoding, password, digestAlgorithm, wireFormat): certificate = CertificateV2() # Set the name. now = Common.getNowMilliseconds() certificateName = Name(keyName) certificateName.append("self").appendVersion(int(now)) certificate.setName(certificateName) # Set the MetaInfo. certificate.getMetaInfo().setType(ContentType.KEY) # Set a one-hour freshness period. certificate.getMetaInfo().setFreshnessPeriod(3600 * 1000.0) # Set the content. publicKey = PublicKey(publicKeyEncoding) certificate.setContent(publicKey.getKeyDer()) # Create a temporary in-memory Tpm and import the private key. tpm = Tpm("", "", TpmBackEndMemory()) tpm._importPrivateKey(keyName, privateKeyBag.toBytes(), password) # Set the signature info. if publicKey.getKeyType() == KeyType.RSA: certificate.setSignature(Sha256WithRsaSignature()) elif publicKey.getKeyType() == KeyType.EC: certificate.setSignature(Sha256WithEcdsaSignature()) else: raise ValueError("Unsupported key type") signatureInfo = certificate.getSignature() KeyLocator.getFromSignature(signatureInfo).setType( KeyLocatorType.KEYNAME) KeyLocator.getFromSignature(signatureInfo).setKeyName(keyName) # Set a 20-year validity period. ValidityPeriod.getFromSignature(signatureInfo).setPeriod( now, now + 20 * 365 * 24 * 3600 * 1000.0) # Encode once to get the signed portion. encoding = certificate.wireEncode(wireFormat) signatureBytes = tpm.sign(encoding.toSignedBytes(), keyName, digestAlgorithm) signatureInfo.setSignature(signatureBytes) # Encode again to include the signature. certificate.wireEncode(wireFormat) return certificate
def _makeSelfSignedCertificate( keyName, privateKeyBag, publicKeyEncoding, password, digestAlgorithm, wireFormat): certificate = CertificateV2() # Set the name. now = Common.getNowMilliseconds() certificateName = Name(keyName) certificateName.append("self").appendVersion(int(now)) certificate.setName(certificateName) # Set the MetaInfo. certificate.getMetaInfo().setType(ContentType.KEY) # Set a one-hour freshness period. certificate.getMetaInfo().setFreshnessPeriod(3600 * 1000.0) # Set the content. publicKey = PublicKey(publicKeyEncoding) certificate.setContent(publicKey.getKeyDer()) # Create a temporary in-memory Tpm and import the private key. tpm = Tpm("", "", TpmBackEndMemory()) tpm._importPrivateKey(keyName, privateKeyBag.toBytes(), password) # Set the signature info. if publicKey.getKeyType() == KeyType.RSA: certificate.setSignature(Sha256WithRsaSignature()) elif publicKey.getKeyType() == KeyType.EC: certificate.setSignature(Sha256WithEcdsaSignature()) else: raise ValueError("Unsupported key type") signatureInfo = certificate.getSignature() KeyLocator.getFromSignature(signatureInfo).setType(KeyLocatorType.KEYNAME) KeyLocator.getFromSignature(signatureInfo).setKeyName(keyName) # Set a 20-year validity period. ValidityPeriod.getFromSignature(signatureInfo).setPeriod( now, now + 20 * 365 * 24 * 3600 * 1000.0) # Encode once to get the signed portion. encoding = certificate.wireEncode(wireFormat) signatureBytes = tpm.sign(encoding.toSignedBytes(), keyName, digestAlgorithm) signatureInfo.setSignature(signatureBytes) # Encode again to include the signature. certificate.wireEncode(wireFormat) return certificate
def _sendSyncData(self, name, content): """ Send the sync Data. Check if the data will satisfy our own pending Interest. If it does, then remove it and then renew the sync interest. Otherwise, just send the Data. :param Name name: The basis to use for the Data name. :param Blob content: The content of the Data. """ logging.getLogger(__name__).debug( "Checking if the Data will satisfy our own pending interest") nameWithIblt = Name() nameWithIblt.append(self._iblt.encode()) # Append the hash of our IBLT so that the Data name should be different # for each node. Use abs() since hash() can return negative. dataName = Name(name).appendNumber(abs(hash(nameWithIblt))) # Check if our own Interest got satisfied. if self._outstandingInterestName.equals(name): logging.getLogger(__name__).debug( "Satisfies our own pending Interest") # Remove the outstanding interest. # Debug: Implement stopping an ongoing fetch. #if self._fetcher != None: # logging.getLogger(__name__).debug( # "Removing our pending interest from the Face (stopping fetcher)") # self._fetcher.stop() # self._outstandingInterestName = Name() self._outstandingInterestName = Name() logging.getLogger(__name__).debug("Sending sync Data") # Send Data after removing the pending sync interest on the Face. self._segmentPublisher.publish(name, dataName, content, self._syncReplyFreshnessPeriod, self._signingInfo) logging.getLogger(__name__).info( "sendSyncData: Renewing sync interest") self._sendSyncInterest() else: logging.getLogger(__name__).debug( "Sending Sync Data for not our own Interest") self._segmentPublisher.publish(name, dataName, content, self._syncReplyFreshnessPeriod, self._signingInfo)
def _encryptContentKey(self, encryptionKey, eKeyName, timeSlot, onEncryptedKeys, onError): """ Get the content key from the database_ and encrypt it for the timeSlot using encryptionKey. :param Blob encryptionKey: The encryption key value. :param Name eKeyName: The key name for the EncryptedContent. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: When there are no more interests to process, this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. :type onEncryptedKeys: function object :param onError: This calls onError(errorCode, message) for an error. :type onError: function object :return: True if encryption succeeds, otherwise False. :rtype: bool """ timeCount = round(timeSlot) keyRequest = self._keyRequests[timeCount] keyName = Name(self._namespace) keyName.append(Encryptor.NAME_COMPONENT_C_KEY) keyName.append( Schedule.toIsoString(Producer._getRoundedTimeSlot(timeSlot))) contentKey = self._database.getContentKey(timeSlot) cKeyData = Data() cKeyData.setName(keyName) params = EncryptParams(EncryptAlgorithmType.RsaOaep) try: Encryptor.encryptData(cKeyData, contentKey, eKeyName, encryptionKey, params) except Exception as ex: try: onError(EncryptError.ErrorCode.EncryptionFailure, "encryptData error: " + repr(ex)) except: logging.exception("Error in onError") return False self._keyChain.sign(cKeyData) keyRequest.encryptedKeys.append(cKeyData) self._updateKeyRequest(keyRequest, timeCount, onEncryptedKeys) return True
def _encryptContentKey(self, encryptionKey, eKeyName, timeSlot, onEncryptedKeys, onError): """ Get the content key from the database_ and encrypt it for the timeSlot using encryptionKey. :param Blob encryptionKey: The encryption key value. :param Name eKeyName: The key name for the EncryptedContent. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: When there are no more interests to process, this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. :type onEncryptedKeys: function object :param onError: This calls onError(errorCode, message) for an error. :type onError: function object :return: True if encryption succeeds, otherwise False. :rtype: bool """ timeCount = round(timeSlot) keyRequest = self._keyRequests[timeCount] keyName = Name(self._namespace) keyName.append(Encryptor.NAME_COMPONENT_C_KEY) keyName.append( Schedule.toIsoString(Producer._getRoundedTimeSlot(timeSlot))) contentKey = self._database.getContentKey(timeSlot) cKeyData = Data() cKeyData.setName(keyName) params = EncryptParams(EncryptAlgorithmType.RsaOaep) try: Encryptor.encryptData( cKeyData, contentKey, eKeyName, encryptionKey, params) except Exception as ex: try: onError(EncryptError.ErrorCode.EncryptionFailure, "encryptData error: " + repr(ex)) except: logging.exception("Error in onError") return False self._keyChain.sign(cKeyData) keyRequest.encryptedKeys.append(cKeyData) self._updateKeyRequest(keyRequest, timeCount, onEncryptedKeys) return True
def _decryptCKey(self, cKeyData, onPlainText, onError): """ Decrypt cKeyData. :param Data cKeyData: The C-KEY data packet. :param onPlainText: When the data packet is decrypted, this calls onPlainText(decryptedBlob) with the decrypted blob. :type onPlainText: function object :param onError: This calls onError(errorCode, message) for an error, where errorCode is from EncryptError.ErrorCode and message is a str. :type onError: function object """ # Get the encrypted content. cKeyContent = cKeyData.getContent() cKeyEncryptedContent = EncryptedContent() try: cKeyEncryptedContent.wireDecode(cKeyContent) except Exception as ex: try: onError(EncryptError.ErrorCode.InvalidEncryptedFormat, repr(ex)) except: logging.exception("Error in onError") return eKeyName = cKeyEncryptedContent.getKeyLocator().getKeyName() dKeyName = eKeyName.getPrefix(-3) dKeyName.append(Encryptor.NAME_COMPONENT_D_KEY).append( eKeyName.getSubName(-2)) # Check if the decryption key is already in the store. if dKeyName in self._dKeyMap: dKey = self._dKeyMap[dKeyName] Consumer._decrypt(cKeyEncryptedContent, dKey, onPlainText, onError) else: # Get the D-Key Data. interestName = Name(dKeyName) interestName.append(Encryptor.NAME_COMPONENT_FOR).append( self._consumerName) interest = Interest(interestName) def onVerified(validDKeyData): def localOnPlainText(dKeyBits): # dKeyName is already a local copy. self._dKeyMap[dKeyName] = dKeyBits Consumer._decrypt( cKeyEncryptedContent, dKeyBits, onPlainText, onError) self._decryptDKey(validDKeyData, localOnPlainText, onError) self._sendInterest(interest, 1, self._dKeyLink, onVerified, onError)
def _sendSyncData(self, name, content): """ Send the sync Data. Check if the data will satisfy our own pending Interest. If it does, then remove it and then renew the sync interest. Otherwise, just send the Data. :param Name name: The basis to use for the Data name. :param Blob content: The content of the Data. """ logging.getLogger(__name__).debug( "Checking if the Data will satisfy our own pending interest") nameWithIblt = Name() nameWithIblt.append(self._iblt.encode()) # Append the hash of our IBLT so that the Data name should be different # for each node. Use abs() since hash() can return negative. dataName = Name(name).appendNumber(abs(hash(nameWithIblt))) # Check if our own Interest got satisfied. if self._outstandingInterestName.equals(name): logging.getLogger(__name__).debug("Satisfies our own pending Interest") # Remove the outstanding interest. # Debug: Implement stopping an ongoing fetch. #if self._fetcher != None: # logging.getLogger(__name__).debug( # "Removing our pending interest from the Face (stopping fetcher)") # self._fetcher.stop() # self._outstandingInterestName = Name() self._outstandingInterestName = Name() logging.getLogger(__name__).debug("Sending sync Data") # Send Data after removing the pending sync interest on the Face. self._segmentPublisher.publish( name, dataName, content, self._syncReplyFreshnessPeriod, self._signingInfo) logging.getLogger(__name__).info("sendSyncData: Renewing sync interest") self._sendSyncInterest() else: logging.getLogger(__name__).debug( "Sending Sync Data for not our own Interest") self._segmentPublisher.publish( name, dataName, content, self._syncReplyFreshnessPeriod, self._signingInfo)
def _decryptContent(self, data, onPlainText, onError): """ Decrypt the data packet. :param Data data: The data packet. This does not verify the packet. :param onPlainText: When the data packet is decrypted, this calls onPlainText(decryptedBlob) with the decrypted blob. :type onPlainText: function object :param onError: This calls onError(errorCode, message) for an error, where errorCode is from EncryptError.ErrorCode and message is a str. :type onError: function object """ # Get the encrypted content. dataEncryptedContent = EncryptedContent() try: dataEncryptedContent.wireDecode(data.getContent()) except Exception as ex: Consumer._callOnError( onError, EncryptError.ErrorCode.InvalidEncryptedFormat, repr(ex)) return cKeyName = dataEncryptedContent.getKeyLocator().getKeyName() # Check if the content key is already in the store. if cKeyName in self._cKeyMap: cKey = self._cKeyMap[cKeyName] self._decrypt(dataEncryptedContent, cKey, onPlainText, onError) else: # Retrieve the C-KEY Data from the network. interestName = Name(cKeyName) interestName.append(Encryptor.NAME_COMPONENT_FOR).append( self._groupName) interest = Interest(interestName) def onVerified(validCKeyData): def localOnPlainText(cKeyBits): # cKeyName is already a copy inside the local # dataEncryptedContent. self._cKeyMap[cKeyName] = cKeyBits Consumer._decrypt(dataEncryptedContent, cKeyBits, onPlainText, onError) self._decryptCKey(validCKeyData, localOnPlainText, onError) self._sendInterest(interest, 1, self._cKeyLink, onVerified, onError)
def _createEKeyData(self, startTimeStamp, endTimeStamp, publicKeyBlob): """ Create an E-KEY Data packet for the given public key. :param str startTimeStamp: The start time stamp string to put in the name. :param str endTimeStamp: The end time stamp string to put in the name. :param Blob publicKeyBlob: A Blob of the public key DER. :return: The Data packet. :rtype: Data """ name = Name(self._namespace) name.append(Encryptor.NAME_COMPONENT_E_KEY).append(startTimeStamp).append(endTimeStamp) data = Data(name) data.getMetaInfo().setFreshnessPeriod(self._freshnessHours * GroupManager.MILLISECONDS_IN_HOUR) data.setContent(publicKeyBlob) self._keyChain.sign(data) return data
def toName(componentArray): """ Return a Name made from the component array in a Protobuf message object, assuming that it was defined with "repeated bytes". For example: message Name { repeated bytes component = 8; } :param Array componentArray: The array from the Protobuf message object representing the "repeated bytes" component array. :return: A new Name. :rtype: Name """ name = Name() for component in componentArray: name.append(Blob(component, True)) return name
def _sendSyncInterest(self): """ Send the sync interest for full synchronization. This forms the interest name: /<sync-prefix>/<own-IBLT>. This cancels any pending sync interest we sent earlier on the face. """ # Debug: Implement stopping an ongoing fetch. ## If we send two sync interest one after the other ## since there is no new data in the network yet, ## when data is available it may satisfy both of them #if self._fetcher != None: # self._fetcher.stop() # Sync Interest format for full sync: /<sync-prefix>/<ourLatestIBF> syncInterestName = Name(self._syncPrefix) # Append our latest IBLT. syncInterestName.append(self._iblt.encode()) self._outstandingInterestName = syncInterestName # random1 is from 0.0 to 1.0. random1 = self._systemRandom.random() # Get a jitter of +/- syncInterestLifetime_ * 0.2 . jitter = (random1 - 0.5) * (self._syncInterestLifetime * 0.2) self._face.callLater(self._syncInterestLifetime / 2 + jitter, self._sendSyncInterest) syncInterest = Interest(syncInterestName) syncInterest.setInterestLifetimeMilliseconds( self._syncInterestLifetime) syncInterest.refreshNonce() SegmentFetcher.fetch( self._face, syncInterest, None, lambda content: self._onSyncData(content, syncInterest), FullPSync2017._onError) logging.getLogger(__name__).debug("sendFullSyncInterest, nonce: " + syncInterest.getNonce().toHex() + ", hash: " + str(abs(hash(syncInterestName))))
def _createEKeyData(self, startTimeStamp, endTimeStamp, publicKeyBlob): """ Create an E-KEY Data packet for the given public key. :param str startTimeStamp: The start time stamp string to put in the name. :param str endTimeStamp: The end time stamp string to put in the name. :param Blob publicKeyBlob: A Blob of the public key DER. :return: The Data packet. :rtype: Data """ name = Name(self._namespace) name.append(Encryptor.NAME_COMPONENT_E_KEY).append( startTimeStamp).append(endTimeStamp) data = Data(name) data.getMetaInfo().setFreshnessPeriod( self._freshnessHours * GroupManager.MILLISECONDS_IN_HOUR) data.setContent(publicKeyBlob) self._keyChain.sign(data) return data
def _sendSyncInterest(self): """ Send the sync interest for full synchronization. This forms the interest name: /<sync-prefix>/<own-IBLT>. This cancels any pending sync interest we sent earlier on the face. """ # Debug: Implement stopping an ongoing fetch. ## If we send two sync interest one after the other ## since there is no new data in the network yet, ## when data is available it may satisfy both of them #if self._fetcher != None: # self._fetcher.stop() # Sync Interest format for full sync: /<sync-prefix>/<ourLatestIBF> syncInterestName = Name(self._syncPrefix) # Append our latest IBLT. syncInterestName.append(self._iblt.encode()) self._outstandingInterestName = syncInterestName # random1 is from 0.0 to 1.0. random1 = self._systemRandom.random() # Get a jitter of +/- syncInterestLifetime_ * 0.2 . jitter = (random1 - 0.5) * (self._syncInterestLifetime * 0.2) self._face.callLater( self._syncInterestLifetime / 2 + jitter, self._sendSyncInterest) syncInterest = Interest(syncInterestName) syncInterest.setInterestLifetimeMilliseconds(self._syncInterestLifetime) syncInterest.refreshNonce() SegmentFetcher.fetch( self._face, syncInterest, None, lambda content: self._onSyncData(content, syncInterest), FullPSync2017._onError) logging.getLogger(__name__).debug("sendFullSyncInterest, nonce: " + syncInterest.getNonce().toHex() + ", hash: " + str(abs(hash(syncInterestName))))
def _decryptContent(self, data, onPlainText, onError): """ Decrypt the data packet. :param Data data: The data packet. This does not verify the packet. :param onPlainText: When the data packet is decrypted, this calls onPlainText(decryptedBlob) with the decrypted blob. :type onPlainText: function object :param onError: This calls onError(errorCode, message) for an error, where errorCode is from EncryptError.ErrorCode and message is a str. :type onError: function object """ # Get the encrypted content. dataEncryptedContent = EncryptedContent() try: dataEncryptedContent.wireDecode(data.getContent()) except Exception as ex: Consumer._callOnError(onError, EncryptError.ErrorCode.InvalidEncryptedFormat, repr(ex)) return cKeyName = dataEncryptedContent.getKeyLocator().getKeyName() # Check if the content key is already in the store. if cKeyName in self._cKeyMap: cKey = self._cKeyMap[cKeyName] self._decrypt(dataEncryptedContent, cKey, onPlainText, onError) else: # Retrieve the C-KEY Data from the network. interestName = Name(cKeyName) interestName.append(Encryptor.NAME_COMPONENT_FOR).append(self._groupName) interest = Interest(interestName) def onVerified(validCKeyData): def localOnPlainText(cKeyBits): # cKeyName is already a copy inside the local # dataEncryptedContent. self._cKeyMap[cKeyName] = cKeyBits Consumer._decrypt( dataEncryptedContent, cKeyBits, onPlainText, onError) self._decryptCKey(validCKeyData, localOnPlainText, onError) self._sendInterest(interest, 1, self._cKeyLink, onVerified, onError)
def _initialTimeOut(self, interest): """ Initial sync interest timeout, which means there are no other publishers yet. """ if not self._enabled: # Ignore callbacks after the application calls shutdown(). return logging.getLogger(__name__).info("initial sync timeout") logging.getLogger(__name__).info("no other people") self._sequenceNo += 1 if self._sequenceNo != 0: # Since there were no other users, we expect sequence no 0. raise RuntimeError( "ChronoSync: sequenceNo_ is not the expected value of 0 for first use." ) tempContent = SyncStateMsg() content = getattr(tempContent, "ss").add() content.name = self._applicationDataPrefixUri content.type = SyncState_UPDATE content.seqno.seq = self._sequenceNo content.seqno.session = self._sessionNo self._update(getattr(tempContent, "ss")) try: self._onInitialized() except: logging.exception("Error in onInitialized") name = Name(self._applicationBroadcastPrefix) name.append(self._digestTree.getRoot()) retryInterest = Interest(name) retryInterest.setInterestLifetimeMilliseconds(self._syncLifetime) self._face.expressInterest(retryInterest, self._onData, self._syncTimeout) logging.getLogger(__name__).info("Syncinterest expressed:") logging.getLogger(__name__).info("%s", name.toUri())
def expand(self, expandStr=""): """ :param str expandStr: :rtype: Name """ result = Name() backrefManager = (self._secondaryBackrefManager if self._isSecondaryUsed else self._primaryBackrefManager) backrefNo = backrefManager.size() if expandStr != "": usingExpand = expandStr else: usingExpand = self._expand offset = [0] while offset[0] < len(usingExpand): item = NdnRegexTopMatcher._getItemFromExpand(usingExpand, offset) if item[0] == '<': result.append(item[1:len(item) - 1]) if item[0] == '\\': index = int(item[1:len(item)]) if 0 == index: for component in self._matchResult: result.append(component) elif index <= backrefNo: for component in backrefManager.getBackref( index - 1).getMatchResult(): result.append(component) else: raise NdnRegexMatcherBase.Error( "Exceeded the range of back reference") return result
def encryptData(data, payload, keyName, key, params): """ Prepare an encrypted data packet by encrypting the payload using the key according to the params. In addition, this prepares the encoded EncryptedContent with the encryption result using keyName and params. The encoding is set as the content of the data packet. If params defines an asymmetric encryption algorithm and the payload is larger than the maximum plaintext size, this encrypts the payload with a symmetric key that is asymmetrically encrypted and provided as a nonce in the content of the data packet. The packet's <dataName>/ is updated to be <dataName>/FOR/<keyName> :param Data data: The data packet which is updated. :param Blob payload: The payload to encrypt. :param Name keyName: The key name for the EncryptedContent. :param Blob key: The encryption key value. :param EncryptParams params: The parameters for encryption. """ data.getName().append(Encryptor.NAME_COMPONENT_FOR).append(keyName) algorithmType = params.getAlgorithmType() if (algorithmType == EncryptAlgorithmType.AesCbc or algorithmType == EncryptAlgorithmType.AesEcb): content = Encryptor._encryptSymmetric(payload, key, keyName, params) data.setContent(content.wireEncode(TlvWireFormat.get())) elif (algorithmType == EncryptAlgorithmType.RsaPkcs or algorithmType == EncryptAlgorithmType.RsaOaep): # Cryptography doesn't have a direct way to get the maximum plain text # size, so try to encrypt the payload first and catch the error if # it is too big. try: content = Encryptor._encryptAsymmetric(payload, key, keyName, params) data.setContent(content.wireEncode(TlvWireFormat.get())) return except ValueError as ex: message = ex.args[0] if not ("Data too long for key size" in message): raise ex # Else the payload is larger than the maximum plaintext size. Continue. # 128-bit nonce. nonceKeyBuffer = bytearray(16) for i in range(16): nonceKeyBuffer[i] = _systemRandom.randint(0, 0xff) nonceKey = Blob(nonceKeyBuffer, False) nonceKeyName = Name(keyName) nonceKeyName.append("nonce") symmetricParams = EncryptParams(EncryptAlgorithmType.AesCbc, AesAlgorithm.BLOCK_SIZE) nonceContent = Encryptor._encryptSymmetric(payload, nonceKey, nonceKeyName, symmetricParams) payloadContent = Encryptor._encryptAsymmetric( nonceKey, key, keyName, params) nonceContentEncoding = nonceContent.wireEncode() payloadContentEncoding = payloadContent.wireEncode() content = bytearray(nonceContentEncoding.size() + payloadContentEncoding.size()) content[0:payloadContentEncoding.size( )] = payloadContentEncoding.buf() content[payloadContentEncoding.size():] = nonceContentEncoding.buf( ) data.setContent(Blob(content, False)) else: raise RuntimeError("Unsupported encryption method")
class Producer(object): """ Create a Producer to use the given ProducerDb, Face and other values. A producer can produce data with a naming convention: <prefix>/SAMPLE/<dataType>/[timestamp] The produced data packet is encrypted with a content key, which is stored in the ProducerDb database. A producer also needs to produce data containing a content key encrypted with E-KEYs. A producer can retrieve E-KEYs through the face, and will re-try for at most repeatAttemps times when E-KEY retrieval fails. :param Name prefix: The producer name prefix. This makes a copy of the Name. :param Name dataType: The dataType portion of the producer name. This makes a copy of the Name. :param Face face: The face used to retrieve keys. :param KeyChain keyChain: The keyChain used to sign data packets. :param ProducerDb database: The ProducerDb database for storing keys. :param int repeatAttempts: (optional) The maximum retry for retrieving keys. If omitted, use a default value of 3. :param Link keyRetrievalLink: (optional) The Link object to use in Interests for key retrieval. This makes a copy of the Link object. If the Link object's getDelegations().size() is zero, don't use it. If omitted, don't use a Link object. """ def __init__(self, prefix, dataType, face, keyChain, database, repeatAttempts=None, keyRetrievalLink=None): self._face = face self._keyChain = keyChain self._database = database self._maxRepeatAttempts = (3 if repeatAttempts == None else repeatAttempts) self._keyRetrievalLink = (Producer.NO_LINK if keyRetrievalLink == None else Link(keyRetrievalLink)) # The dictionary key is the key Name The value is a Producer._KeyInfo. self._eKeyInfo = {} # The dictionary key is the float time stamp. The value is a Producer._KeyRequest. self._keyRequests = {} fixedPrefix = Name(prefix) fixedDataType = Name(dataType) # Fill _ekeyInfo with all permutations of dataType, including the 'E-KEY' # component of the name. This will be used in createContentKey to send # interests without reconstructing names every time. fixedPrefix.append(Encryptor.NAME_COMPONENT_READ) while fixedDataType.size() > 0: nodeName = Name(fixedPrefix) nodeName.append(fixedDataType) nodeName.append(Encryptor.NAME_COMPONENT_E_KEY) self._eKeyInfo[nodeName] = Producer._KeyInfo() fixedDataType = fixedDataType.getPrefix(-1) fixedPrefix.append(dataType) self._namespace = Name(prefix) self._namespace.append(Encryptor.NAME_COMPONENT_SAMPLE) self._namespace.append(dataType) @staticmethod def defaultOnError(errorCode, message): """ The default onError callback which does nothing. """ # Do nothing. pass def createContentKey(self, timeSlot, onEncryptedKeys, onError=defaultOnError): """ Create the content key corresponding to the timeSlot. This first checks if the content key exists. For an existing content key, this returns the content key name directly. If the key does not exist, this creates one and encrypts it using the corresponding E-KEYs. The encrypted content keys are passed to the onEncryptedKeys callback. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: If this creates a content key, then this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. NOTE: The library will log any exceptions raised by this callback, but for better error handling the callback should catch and properly handle any exceptions. :type onEncryptedKeys: function object :param onError: (optional) This calls errorCode, message) for an error, where errorCode is from EncryptError.ErrorCode and message is a str. If omitted, use a default callback which does nothing. NOTE: The library will log any exceptions raised by this callback, but for better error handling the callback should catch and properly handle any exceptions. :type onError: function object :return: The content key name. :rtype: Name """ hourSlot = Producer._getRoundedTimeSlot(timeSlot) # Create the content key name. contentKeyName = Name(self._namespace) contentKeyName.append(Encryptor.NAME_COMPONENT_C_KEY) contentKeyName.append(Schedule.toIsoString(hourSlot)) # Check if we have created the content key before. if self._database.hasContentKey(timeSlot): # We have created the content key. Return its name directly. return contentKeyName # We haven't created the content key. Create one and add it into the # database. aesParams = AesKeyParams(128) contentKeyBits = AesAlgorithm.generateKey(aesParams).getKeyBits() self._database.addContentKey(timeSlot, contentKeyBits) # Now we need to retrieve the E-KEYs for content key encryption. timeCount = round(timeSlot) self._keyRequests[timeCount] = Producer._KeyRequest(len( self._eKeyInfo)) keyRequest = self._keyRequests[timeCount] # Send interests for all nodes in the tree. for keyName in self._eKeyInfo: # For each current E-KEY. keyInfo = self._eKeyInfo[keyName] if (timeSlot < keyInfo.beginTimeSlot or timeSlot >= keyInfo.endTimeSlot): # The current E-KEY cannot cover the content key, so retrieve one. keyRequest.repeatAttempts[keyName] = 0 self._sendKeyInterest(Interest(keyName), timeSlot, onEncryptedKeys, onError) else: # The current E-KEY can cover the content key. # Encrypt the content key directly. eKeyName = Name(keyName) eKeyName.append(Schedule.toIsoString(keyInfo.beginTimeSlot)) eKeyName.append(Schedule.toIsoString(keyInfo.endTimeSlot)) self._encryptContentKey(keyInfo.keyBits, eKeyName, timeSlot, onEncryptedKeys, onError) return contentKeyName def produce(self, data, timeSlot, content, onError=defaultOnError): """ Encrypt the given content with the content key that covers timeSlot, and update the data packet with the encrypted content and an appropriate data name. :param Data data: An empty Data object which is updated. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param Blob content: The content to encrypt. :param onError: (optional) This calls onError(errorCode, message) for an error, where errorCode is from EncryptError.ErrorCode and message is a str. If omitted, use a default callback which does nothing. NOTE: The library will log any exceptions raised by this callback, but for better error handling the callback should catch and properly handle any exceptions. :type onError: function object """ # Get a content key. contentKeyName = self.createContentKey(timeSlot, None, onError) contentKey = self._database.getContentKey(timeSlot) # Produce data. dataName = Name(self._namespace) dataName.append(Schedule.toIsoString(timeSlot)) data.setName(dataName) params = EncryptParams(EncryptAlgorithmType.AesCbc, 16) Encryptor.encryptData(data, content, contentKeyName, contentKey, params) self._keyChain.sign(data) class _KeyInfo(object): def __init__(self): self.beginTimeSlot = 0.0 self.endTimeSlot = 0.0 self.keyBits = None # Blob class _KeyRequest(object): def __init__(self, interests): self.interestCount = interests # int # The dictionary key is the Name. The value is an int count. self.repeatAttempts = {} self.encryptedKeys = [] # of Data @staticmethod def _getRoundedTimeSlot(timeSlot): """ Round timeSlot to the nearest whole hour, so that we can store content keys uniformly (by start of the hour). :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :return: The start of the hour as milliseconds since Jan 1, 1970 UTC. :rtype: float """ return round(math.floor(round(timeSlot) / 3600000.0) * 3600000.0) def _sendKeyInterest(self, interest, timeSlot, onEncryptedKeys, onError): """ Send an interest with the given name through the face with callbacks to _handleCoveringKey, _handleTimeout and _handleNetworkNack. :param Interest interest: The interest to send. :param float timeSlot: The time slot, passed to _handleCoveringKey, _handleTimeout and _handleNetworkNack. :param onEncryptedKeys: The OnEncryptedKeys callback, passed to _handleCoveringKey, _handleTimeout and _handleNetworkNack. :type onEncryptedKeys: function object :param onError: This calls onError(errorCode, message) for an error. :type onError: function object """ def onKey(interest, data): self._handleCoveringKey(interest, data, timeSlot, onEncryptedKeys, onError) def onTimeout(interest): self._handleTimeout(interest, timeSlot, onEncryptedKeys, onError) def onNetworkNack(interest, networkNack): self._handleNetworkNack(interest, networkNack, timeSlot, onEncryptedKeys, onError) if self._keyRetrievalLink.getDelegations().size() == 0: # We can use the supplied interest without copying. request = interest else: # Copy the supplied interest and add the Link. request = Interest(interest) # This will use a cached encoding if available. request.setLinkWireEncoding(self._keyRetrievalLink.wireEncode()) self._face.expressInterest(request, onKey, onTimeout, onNetworkNack) def _handleTimeout(self, interest, timeSlot, onEncryptedKeys, onError): """ This is called from an expressInterest timeout to update the state of keyRequest. :param Interest interest: The timed-out interest. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: When there are no more interests to process, this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. :type onEncryptedKeys: function object :param onError: This calls onError(errorCode, message) for an error. :type onError: function object """ timeCount = round(timeSlot) keyRequest = self._keyRequests[timeCount] interestName = interest.getName() if keyRequest.repeatAttempts[interestName] < self._maxRepeatAttempts: # Increase the retrial count. keyRequest.repeatAttempts[interestName] += 1 self._sendKeyInterest(interest, timeSlot, onEncryptedKeys, onError) else: # Treat an eventual timeout as a network Nack. self._handleNetworkNack(interest, NetworkNack(), timeSlot, onEncryptedKeys, onError) def _handleNetworkNack(self, interest, networkNack, timeSlot, onEncryptedKeys, onError): """ This is called from an expressInterest OnNetworkNack to handle a network Nack for the E-KEY requested through the Interest. Decrease the outstanding E-KEY interest count for the C-KEY corresponding to the timeSlot. :param Interest interest: The interest given to expressInterest. :param NetworkNack networkNack: The returned NetworkNack (unused). :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: When there are no more interests to process, this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. :type onEncryptedKeys: function object """ # We have run out of options.... timeCount = round(timeSlot) self._updateKeyRequest(self._keyRequests[timeCount], timeCount, onEncryptedKeys) def _updateKeyRequest(self, keyRequest, timeCount, onEncryptedKeys): """ Decrease the count of outstanding E-KEY interests for the C-KEY for timeCount. If the count decreases to 0, invoke onEncryptedKeys. :param Producer._KeyRequest keyRequest: The KeyRequest with the interestCount to update. :param float timeCount: The time count for indexing keyRequests_. :param onEncryptedKeys: When there are no more interests to process, this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. :type onEncryptedKeys: function object """ keyRequest.interestCount -= 1 if keyRequest.interestCount == 0 and onEncryptedKeys != None: try: onEncryptedKeys(keyRequest.encryptedKeys) except: logging.exception("Error in onEncryptedKeys") if timeCount in self._keyRequests: del self._keyRequests[timeCount] def _handleCoveringKey(self, interest, data, timeSlot, onEncryptedKeys, onError): """ This is called from an expressInterest OnData to check that the encryption key contained in data fits the timeSlot. This sends a refined interest if required. :param Interest interest: The interest given to expressInterest. :param Data data: The fetched Data packet. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: When there are no more interests to process, this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. :type onEncryptedKeys: function object :param onError: This calls onError(errorCode, message) for an error. :type onError: function object """ timeCount = round(timeSlot) keyRequest = self._keyRequests[timeCount] interestName = interest.getName() keyName = data.getName() begin = Schedule.fromIsoString( str(keyName.get(Producer.START_TIME_STAMP_INDEX).getValue())) end = Schedule.fromIsoString( str(keyName.get(Producer.END_TIME_STAMP_INDEX).getValue())) if timeSlot >= end: # If the received E-KEY covers some earlier period, try to retrieve # an E-KEY covering a later one. keyRequest.repeatAttempts[interestName] = 0 self._sendKeyInterest(Interest(interestName), timeSlot, onEncryptedKeys, onError) else: # If the received E-KEY covers the content key, encrypt the content. encryptionKey = data.getContent() # If everything is correct, save the E-KEY as the current key. if self._encryptContentKey(encryptionKey, keyName, timeSlot, onEncryptedKeys, onError): keyInfo = self._eKeyInfo[interestName] keyInfo.beginTimeSlot = begin keyInfo.endTimeSlot = end keyInfo.keyBits = encryptionKey def _encryptContentKey(self, encryptionKey, eKeyName, timeSlot, onEncryptedKeys, onError): """ Get the content key from the database_ and encrypt it for the timeSlot using encryptionKey. :param Blob encryptionKey: The encryption key value. :param Name eKeyName: The key name for the EncryptedContent. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: When there are no more interests to process, this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. :type onEncryptedKeys: function object :param onError: This calls onError(errorCode, message) for an error. :type onError: function object :return: True if encryption succeeds, otherwise False. :rtype: bool """ timeCount = round(timeSlot) keyRequest = self._keyRequests[timeCount] keyName = Name(self._namespace) keyName.append(Encryptor.NAME_COMPONENT_C_KEY) keyName.append( Schedule.toIsoString(Producer._getRoundedTimeSlot(timeSlot))) contentKey = self._database.getContentKey(timeSlot) cKeyData = Data() cKeyData.setName(keyName) params = EncryptParams(EncryptAlgorithmType.RsaOaep) try: Encryptor.encryptData(cKeyData, contentKey, eKeyName, encryptionKey, params) except Exception as ex: try: onError(EncryptError.ErrorCode.EncryptionFailure, "encryptData error: " + repr(ex)) except: logging.exception("Error in onError") return False self._keyChain.sign(cKeyData) keyRequest.encryptedKeys.append(cKeyData) self._updateKeyRequest(keyRequest, timeCount, onEncryptedKeys) return True START_TIME_STAMP_INDEX = -2 END_TIME_STAMP_INDEX = -1 NO_LINK = Link()
def createContentKey(self, timeSlot, onEncryptedKeys, onError=defaultOnError): """ Create the content key corresponding to the timeSlot. This first checks if the content key exists. For an existing content key, this returns the content key name directly. If the key does not exist, this creates one and encrypts it using the corresponding E-KEYs. The encrypted content keys are passed to the onEncryptedKeys callback. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: If this creates a content key, then this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. NOTE: The library will log any exceptions raised by this callback, but for better error handling the callback should catch and properly handle any exceptions. :type onEncryptedKeys: function object :param onError: (optional) This calls errorCode, message) for an error, where errorCode is from EncryptError.ErrorCode and message is a str. If omitted, use a default callback which does nothing. NOTE: The library will log any exceptions raised by this callback, but for better error handling the callback should catch and properly handle any exceptions. :type onError: function object :return: The content key name. :rtype: Name """ hourSlot = Producer._getRoundedTimeSlot(timeSlot) # Create the content key name. contentKeyName = Name(self._namespace) contentKeyName.append(Encryptor.NAME_COMPONENT_C_KEY) contentKeyName.append(Schedule.toIsoString(hourSlot)) # Check if we have created the content key before. if self._database.hasContentKey(timeSlot): # We have created the content key. Return its name directly. return contentKeyName # We haven't created the content key. Create one and add it into the # database. aesParams = AesKeyParams(128) contentKeyBits = AesAlgorithm.generateKey(aesParams).getKeyBits() self._database.addContentKey(timeSlot, contentKeyBits) # Now we need to retrieve the E-KEYs for content key encryption. timeCount = round(timeSlot) self._keyRequests[timeCount] = Producer._KeyRequest(len( self._eKeyInfo)) keyRequest = self._keyRequests[timeCount] # Send interests for all nodes in the tree. for keyName in self._eKeyInfo: # For each current E-KEY. keyInfo = self._eKeyInfo[keyName] if (timeSlot < keyInfo.beginTimeSlot or timeSlot >= keyInfo.endTimeSlot): # The current E-KEY cannot cover the content key, so retrieve one. keyRequest.repeatAttempts[keyName] = 0 self._sendKeyInterest(Interest(keyName), timeSlot, onEncryptedKeys, onError) else: # The current E-KEY can cover the content key. # Encrypt the content key directly. eKeyName = Name(keyName) eKeyName.append(Schedule.toIsoString(keyInfo.beginTimeSlot)) eKeyName.append(Schedule.toIsoString(keyInfo.endTimeSlot)) self._encryptContentKey(keyInfo.keyBits, eKeyName, timeSlot, onEncryptedKeys, onError) return contentKeyName
class Producer(object): """ Create a Producer to use the given ProducerDb, Face and other values. A producer can produce data with a naming convention: <prefix>/SAMPLE/<dataType>/[timestamp] The produced data packet is encrypted with a content key, which is stored in the ProducerDb database. A producer also needs to produce data containing a content key encrypted with E-KEYs. A producer can retrieve E-KEYs through the face, and will re-try for at most repeatAttemps times when E-KEY retrieval fails. :param Name prefix: The producer name prefix. This makes a copy of the Name. :param Name dataType: The dataType portion of the producer name. This makes a copy of the Name. :param Face face: The face used to retrieve keys. :param KeyChain keyChain: The keyChain used to sign data packets. :param ProducerDb database: The ProducerDb database for storing keys. :param int repeatAttempts: (optional) The maximum retry for retrieving keys. If omitted, use a default value of 3. :param Link keyRetrievalLink: (optional) The Link object to use in Interests for key retrieval. This makes a copy of the Link object. If the Link object's getDelegations().size() is zero, don't use it. If omitted, don't use a Link object. """ def __init__(self, prefix, dataType, face, keyChain, database, repeatAttempts=None, keyRetrievalLink=None): self._face = face self._keyChain = keyChain self._database = database self._maxRepeatAttempts = (3 if repeatAttempts == None else repeatAttempts) self._keyRetrievalLink = (Producer.NO_LINK if keyRetrievalLink == None else Link(keyRetrievalLink)) # The dictionary key is the key Name The value is a Producer._KeyInfo. self._eKeyInfo = {} # The dictionary key is the float time stamp. The value is a Producer._KeyRequest. self._keyRequests = {} fixedPrefix = Name(prefix) fixedDataType = Name(dataType) # Fill _ekeyInfo with all permutations of dataType, including the 'E-KEY' # component of the name. This will be used in createContentKey to send # interests without reconstructing names every time. fixedPrefix.append(Encryptor.NAME_COMPONENT_READ) while fixedDataType.size() > 0: nodeName = Name(fixedPrefix) nodeName.append(fixedDataType) nodeName.append(Encryptor.NAME_COMPONENT_E_KEY) self._eKeyInfo[nodeName] = Producer._KeyInfo() fixedDataType = fixedDataType.getPrefix(-1) fixedPrefix.append(dataType) self._namespace = Name(prefix) self._namespace.append(Encryptor.NAME_COMPONENT_SAMPLE) self._namespace.append(dataType) @staticmethod def defaultOnError(errorCode, message): """ The default onError callback which does nothing. """ # Do nothing. pass def createContentKey(self, timeSlot, onEncryptedKeys, onError=defaultOnError): """ Create the content key corresponding to the timeSlot. This first checks if the content key exists. For an existing content key, this returns the content key name directly. If the key does not exist, this creates one and encrypts it using the corresponding E-KEYs. The encrypted content keys are passed to the onEncryptedKeys callback. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: If this creates a content key, then this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. NOTE: The library will log any exceptions raised by this callback, but for better error handling the callback should catch and properly handle any exceptions. :type onEncryptedKeys: function object :param onError: (optional) This calls errorCode, message) for an error, where errorCode is from EncryptError.ErrorCode and message is a str. If omitted, use a default callback which does nothing. NOTE: The library will log any exceptions raised by this callback, but for better error handling the callback should catch and properly handle any exceptions. :type onError: function object :return: The content key name. :rtype: Name """ hourSlot = Producer._getRoundedTimeSlot(timeSlot) # Create the content key name. contentKeyName = Name(self._namespace) contentKeyName.append(Encryptor.NAME_COMPONENT_C_KEY) contentKeyName.append(Schedule.toIsoString(hourSlot)) # Check if we have created the content key before. if self._database.hasContentKey(timeSlot): # We have created the content key. Return its name directly. return contentKeyName # We haven't created the content key. Create one and add it into the # database. aesParams = AesKeyParams(128) contentKeyBits = AesAlgorithm.generateKey(aesParams).getKeyBits() self._database.addContentKey(timeSlot, contentKeyBits) # Now we need to retrieve the E-KEYs for content key encryption. timeCount = round(timeSlot) self._keyRequests[timeCount] = Producer._KeyRequest(len( self._eKeyInfo)) keyRequest = self._keyRequests[timeCount] # Check if the current E-KEYs can cover the content key. timeRange = Exclude() Producer.excludeAfter(timeRange, Name.Component(Schedule.toIsoString(timeSlot))) # Send interests for all nodes in the tree. for keyName in self._eKeyInfo: # For each current E-KEY. keyInfo = self._eKeyInfo[keyName] if (timeSlot < keyInfo.beginTimeSlot or timeSlot >= keyInfo.endTimeSlot): # The current E-KEY cannot cover the content key, so retrieve one. keyRequest.repeatAttempts[keyName] = 0 self._sendKeyInterest( Interest(keyName).setExclude(timeRange).setChildSelector( 1), timeSlot, onEncryptedKeys, onError) else: # The current E-KEY can cover the content key. # Encrypt the content key directly. eKeyName = Name(keyName) eKeyName.append(Schedule.toIsoString(keyInfo.beginTimeSlot)) eKeyName.append(Schedule.toIsoString(keyInfo.endTimeSlot)) self._encryptContentKey(keyInfo.keyBits, eKeyName, timeSlot, onEncryptedKeys, onError) return contentKeyName def produce(self, data, timeSlot, content, onError=defaultOnError): """ Encrypt the given content with the content key that covers timeSlot, and update the data packet with the encrypted content and an appropriate data name. :param Data data: An empty Data object which is updated. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param Blob content: The content to encrypt. :param onError: (optional) This calls onError(errorCode, message) for an error, where errorCode is from EncryptError.ErrorCode and message is a str. If omitted, use a default callback which does nothing. NOTE: The library will log any exceptions raised by this callback, but for better error handling the callback should catch and properly handle any exceptions. :type onError: function object """ # Get a content key. contentKeyName = self.createContentKey(timeSlot, None, onError) contentKey = self._database.getContentKey(timeSlot) # Produce data. dataName = Name(self._namespace) dataName.append(Schedule.toIsoString(timeSlot)) data.setName(dataName) params = EncryptParams(EncryptAlgorithmType.AesCbc, 16) Encryptor.encryptData(data, content, contentKeyName, contentKey, params) self._keyChain.sign(data) class _KeyInfo(object): def __init__(self): self.beginTimeSlot = 0.0 self.endTimeSlot = 0.0 self.keyBits = None # Blob class _KeyRequest(object): def __init__(self, interests): self.interestCount = interests # int # The dictionary key is the Name. The value is an int count. self.repeatAttempts = {} self.encryptedKeys = [] # of Data @staticmethod def _getRoundedTimeSlot(timeSlot): """ Round timeSlot to the nearest whole hour, so that we can store content keys uniformly (by start of the hour). :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :return: The start of the hour as milliseconds since Jan 1, 1970 UTC. :rtype: float """ return round(math.floor(round(timeSlot) / 3600000.0) * 3600000.0) def _sendKeyInterest(self, interest, timeSlot, onEncryptedKeys, onError): """ Send an interest with the given name through the face with callbacks to _handleCoveringKey, _handleTimeout and _handleNetworkNack. :param Interest interest: The interest to send. :param float timeSlot: The time slot, passed to _handleCoveringKey, _handleTimeout and _handleNetworkNack. :param onEncryptedKeys: The OnEncryptedKeys callback, passed to _handleCoveringKey, _handleTimeout and _handleNetworkNack. :type onEncryptedKeys: function object :param onError: This calls onError(errorCode, message) for an error. :type onError: function object """ def onKey(interest, data): self._handleCoveringKey(interest, data, timeSlot, onEncryptedKeys, onError) def onTimeout(interest): self._handleTimeout(interest, timeSlot, onEncryptedKeys, onError) def onNetworkNack(interest, networkNack): self._handleNetworkNack(interest, networkNack, timeSlot, onEncryptedKeys, onError) if self._keyRetrievalLink.getDelegations().size() == 0: # We can use the supplied interest without copying. request = interest else: # Copy the supplied interest and add the Link. request = Interest(interest) # This will use a cached encoding if available. request.setLinkWireEncoding(self._keyRetrievalLink.wireEncode()) self._face.expressInterest(request, onKey, onTimeout, onNetworkNack) def _handleTimeout(self, interest, timeSlot, onEncryptedKeys, onError): """ This is called from an expressInterest timeout to update the state of keyRequest. :param Interest interest: The timed-out interest. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: When there are no more interests to process, this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. :type onEncryptedKeys: function object :param onError: This calls onError(errorCode, message) for an error. :type onError: function object """ timeCount = round(timeSlot) keyRequest = self._keyRequests[timeCount] interestName = interest.getName() if keyRequest.repeatAttempts[interestName] < self._maxRepeatAttempts: # Increase the retrial count. keyRequest.repeatAttempts[interestName] += 1 self._sendKeyInterest(interest, timeSlot, onEncryptedKeys, onError) else: # Treat an eventual timeout as a network Nack. self._handleNetworkNack(interest, NetworkNack(), timeSlot, onEncryptedKeys, onError) def _handleNetworkNack(self, interest, networkNack, timeSlot, onEncryptedKeys, onError): """ This is called from an expressInterest OnNetworkNack to handle a network Nack for the E-KEY requested through the Interest. Decrease the outstanding E-KEY interest count for the C-KEY corresponding to the timeSlot. :param Interest interest: The interest given to expressInterest. :param NetworkNack networkNack: The returned NetworkNack (unused). :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: When there are no more interests to process, this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. :type onEncryptedKeys: function object """ # We have run out of options.... timeCount = round(timeSlot) self._updateKeyRequest(self._keyRequests[timeCount], timeCount, onEncryptedKeys) def _updateKeyRequest(self, keyRequest, timeCount, onEncryptedKeys): """ Decrease the count of outstanding E-KEY interests for the C-KEY for timeCount. If the count decreases to 0, invoke onEncryptedKeys. :param Producer._KeyRequest keyRequest: The KeyRequest with the interestCount to update. :param float timeCount: The time count for indexing keyRequests_. :param onEncryptedKeys: When there are no more interests to process, this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. :type onEncryptedKeys: function object """ keyRequest.interestCount -= 1 if keyRequest.interestCount == 0 and onEncryptedKeys != None: try: onEncryptedKeys(keyRequest.encryptedKeys) except: logging.exception("Error in onEncryptedKeys") if timeCount in self._keyRequests: del self._keyRequests[timeCount] def _handleCoveringKey(self, interest, data, timeSlot, onEncryptedKeys, onError): """ This is called from an expressInterest OnData to check that the encryption key contained in data fits the timeSlot. This sends a refined interest if required. :param Interest interest: The interest given to expressInterest. :param Data data: The fetched Data packet. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: When there are no more interests to process, this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. :type onEncryptedKeys: function object :param onError: This calls onError(errorCode, message) for an error. :type onError: function object """ timeCount = round(timeSlot) keyRequest = self._keyRequests[timeCount] interestName = interest.getName() keyName = data.getName() begin = Schedule.fromIsoString( str(keyName.get(Producer.START_TIME_STAMP_INDEX).getValue())) end = Schedule.fromIsoString( str(keyName.get(Producer.END_TIME_STAMP_INDEX).getValue())) if timeSlot >= end: # If the received E-KEY covers some earlier period, try to retrieve # an E-KEY covering a later one. timeRange = Exclude(interest.getExclude()) Producer.excludeBefore( timeRange, keyName.get(Producer.START_TIME_STAMP_INDEX)) keyRequest.repeatAttempts[interestName] = 0 self._sendKeyInterest( Interest(interestName).setExclude(timeRange).setChildSelector( 1), timeSlot, onEncryptedKeys, onError) else: # If the received E-KEY covers the content key, encrypt the content. encryptionKey = data.getContent() # If everything is correct, save the E-KEY as the current key. if self._encryptContentKey(encryptionKey, keyName, timeSlot, onEncryptedKeys, onError): keyInfo = self._eKeyInfo[interestName] keyInfo.beginTimeSlot = begin keyInfo.endTimeSlot = end keyInfo.keyBits = encryptionKey def _encryptContentKey(self, encryptionKey, eKeyName, timeSlot, onEncryptedKeys, onError): """ Get the content key from the database_ and encrypt it for the timeSlot using encryptionKey. :param Blob encryptionKey: The encryption key value. :param Name eKeyName: The key name for the EncryptedContent. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: When there are no more interests to process, this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. :type onEncryptedKeys: function object :param onError: This calls onError(errorCode, message) for an error. :type onError: function object :return: True if encryption succeeds, otherwise False. :rtype: bool """ timeCount = round(timeSlot) keyRequest = self._keyRequests[timeCount] keyName = Name(self._namespace) keyName.append(Encryptor.NAME_COMPONENT_C_KEY) keyName.append( Schedule.toIsoString(Producer._getRoundedTimeSlot(timeSlot))) contentKey = self._database.getContentKey(timeSlot) cKeyData = Data() cKeyData.setName(keyName) params = EncryptParams(EncryptAlgorithmType.RsaOaep) try: Encryptor.encryptData(cKeyData, contentKey, eKeyName, encryptionKey, params) except Exception as ex: try: onError(EncryptError.ErrorCode.EncryptionFailure, "encryptData error: " + repr(ex)) except: logging.exception("Error in onError") return False self._keyChain.sign(cKeyData) keyRequest.encryptedKeys.append(cKeyData) self._updateKeyRequest(keyRequest, timeCount, onEncryptedKeys) return True # TODO: Move this to be the main representation inside the Exclude object. class ExcludeEntry(object): """ Create a new ExcludeEntry. :param Name.Component component: :param bool anyFollowsComponent: """ def __init__(self, component, anyFollowsComponent): self._component = component self._anyFollowsComponent = anyFollowsComponent @staticmethod def getExcludeEntries(exclude): """ Create a list of ExcludeEntry from the Exclude object. :param Exclude exclude: The Exclude object to read. :return: A new array of ExcludeEntry. :rtype: Array<ExcludeEntry> """ entries = [] for i in range(exclude.size()): if exclude.get(i).getType() == Exclude.ANY: if len(entries) == 0: # Add a "beginning ANY". entries.append( Producer.ExcludeEntry(Name.Component(), True)) else: # Set anyFollowsComponent of the final component. entries[len(entries) - 1]._anyFollowsComponent = True else: entries.append( Producer.ExcludeEntry( exclude.get(i).getComponent(), False)) return entries @staticmethod def setExcludeEntries(exclude, entries): """ Set the Exclude object from the array of ExcludeEntry. :param Exclude exclude: The Exclude object to update. :param Array<ExcludeEntry> entries: The array of ExcludeEntry. """ exclude.clear() for i in range(len(entries)): entry = entries[i] if (i == 0 and entry._component.getValue().size() == 0 and entry._anyFollowsComponent): # This is a "beginning ANY". exclude.appendAny() else: exclude.appendComponent(entry._component) if entry._anyFollowsComponent: exclude.appendAny() @staticmethod def findEntryBeforeOrAt(entries, component): """ Get the latest entry in the array whose component is less than or equal to component. :param Array<ExcludeEntry> entries: The array of ExcludeEntry. :param Name.Component component: The component to compare. :return: The index of the found entry, or -1 if not found. :rtype: int """ i = len(entries) - 1 while i >= 0: if entries[i]._component.compare(component) <= 0: break i -= 1 return i @staticmethod def excludeAfter(exclude, fromComponent): """ Exclude all components in the range beginning at "fromComponent". :param Exclude exclude: The Exclude object to update. :param Name.Component fromComponent: The first component in the exclude range. """ entries = Producer.getExcludeEntries(exclude) iFoundFrom = Producer.findEntryBeforeOrAt(entries, fromComponent) if iFoundFrom < 0: # There is no entry before "fromComponent" so insert at the beginning. entries.insert(0, Producer.ExcludeEntry(fromComponent, True)) iNewFrom = 0 else: foundFrom = entries[iFoundFrom] if not foundFrom._anyFollowsComponent: if foundFrom._component.equals(fromComponent): # There is already an entry with "fromComponent", so just # set the "ANY" flag. foundFrom._anyFollowsComponent = True iNewFrom = iFoundFrom else: # Insert following the entry before "fromComponent". entries.insert(iFoundFrom + 1, Producer.ExcludeEntry(fromComponent, True)) iNewFrom = iFoundFrom + 1 else: # The entry before "fromComponent" already has an "ANY" flag, # so do nothing. iNewFrom = iFoundFrom # Remove intermediate entries since they are inside the range. iRemoveBegin = iNewFrom + 1 entries[iRemoveBegin:] = [] Producer.setExcludeEntries(exclude, entries) @staticmethod def excludeBefore(exclude, to): """ Exclude all components in the range ending at "to". :param Exclude exclude: The Exclude object to update. :param Name.Component to: The last component in the exclude range. """ Producer.excludeRange(exclude, Name.Component(), to) @staticmethod def excludeRange(exclude, fromComponent, to): """ Exclude all components in the range beginning at "fromComponent" and ending at "to". :param Exclude exclude: The Exclude object to update. :param Name.Component fromComponent: The first component in the exclude range. :param Name.Component to: The last component in the exclude range. """ if fromComponent.compare(to) >= 0: if fromComponent.compare(to) == 0: raise RuntimeError( "excludeRange: from == to. To exclude a single component, sue excludeOne." ) else: raise RuntimeError( "excludeRange: from must be less than to. Invalid range: [" + fromComponent.toEscapedString() + ", " + to.toEscapedString() + "]") entries = Producer.getExcludeEntries(exclude) iFoundFrom = Producer.findEntryBeforeOrAt(entries, fromComponent) if iFoundFrom < 0: # There is no entry before "fromComponent" so insert at the beginning. entries.insert(0, Producer.ExcludeEntry(fromComponent, True)) iNewFrom = 0 else: foundFrom = entries[iFoundFrom] if not foundFrom._anyFollowsComponent: if foundFrom._component.equals(fromComponent): # There is already an entry with "fromComponent", so just # set the "ANY" flag. foundFrom._anyFollowsComponent = True iNewFrom = iFoundFrom else: # Insert following the entry before "fromComponent". entries.insert(iFoundFrom + 1, Producer.ExcludeEntry(fromComponent, True)) iNewFrom = iFoundFrom + 1 else: # The entry before "fromComponent" already has an "ANY" flag, # so do nothing. iNewFrom = iFoundFrom # We have at least one "fromComponent" before "to", so we know this will # find an entry. iFoundTo = Producer.findEntryBeforeOrAt(entries, to) foundTo = entries[iFoundTo] if iFoundTo == iNewFrom: # Insert the "to" immediately after the "fromComponent". entries.insert(iNewFrom + 1, Producer.ExcludeEntry(to, False)) else: if not foundTo._anyFollowsComponent: if foundTo._component.equals(to): # The "to" entry already exists. Remove up to it. iRemoveEnd = iFoundTo else: # Insert following the previous entry, which will be removed. entries.insert(iFoundTo + 1, Producer.ExcludeEntry(to, False)) iRemoveEnd = iFoundTo + 1 else: # "to" follows a component which is already followed by "ANY", # meaning the new range now encompasses it, so remove the component. iRemoveEnd = iFoundTo + 1 # Remove intermediate entries since they are inside the range. iRemoveBegin = iNewFrom + 1 entries[iRemoveBegin:iRemoveEnd] = [] Producer.setExcludeEntries(exclude, entries) START_TIME_STAMP_INDEX = -2 END_TIME_STAMP_INDEX = -1 NO_LINK = Link()
def getGroupKey(self, timeSlot, needRegenerate = True): """ Create a group key for the interval into which timeSlot falls. This creates a group key if it doesn't exist, and encrypts the key using the public key of each eligible member. :param float timeSlot: The time slot to cover as milliseconds since Jan 1, 1970 UTC. :param bool needRegenerate: (optional) needRegenerate should be True if this is the first time this method is called, or a member was removed. needRegenerate can be False if this is not the first time this method is called, or a member was added. If omitted, use True. :return: A List of Data packets where the first is the E-KEY data packet with the group's public key and the rest are the D-KEY data packets with the group's private key encrypted with the public key of each eligible member. :raises GroupManagerDb.Error: For a database error. :raises SecurityException: For an error using the security KeyChain. """ unsortedMemberKeys = {} result = [] # Get the time interval. finalInterval = self._calculateInterval(timeSlot, unsortedMemberKeys) if finalInterval.isValid() == False: return result startTimeStamp = Schedule.toIsoString(finalInterval.getStartTime()) endTimeStamp = Schedule.toIsoString(finalInterval.getEndTime()) # Generate the private and public keys. eKeyName = Name(self._namespace) eKeyName.append(Encryptor.NAME_COMPONENT_E_KEY).append( startTimeStamp).append(endTimeStamp) if not needRegenerate and self._database.hasEKey(eKeyName): (publicKeyBlob, privateKeyBlob) = self._getEKey(eKeyName) else: (privateKeyBlob, publicKeyBlob) = self._generateKeyPair() if self._database.hasEKey(eKeyName): self._deleteEKey(eKeyName) self._addEKey(eKeyName, publicKeyBlob, privateKeyBlob) # Add the first element to the result. # The E-KEY (public key) data packet name convention is: # /<data_type>/E-KEY/[start-ts]/[end-ts] data = self._createEKeyData(startTimeStamp, endTimeStamp, publicKeyBlob) result.append(data) # Encrypt the private key with the public key from each member's certificate. # Sort the key names. for keyName in sorted(unsortedMemberKeys.keys()): certificateKey = unsortedMemberKeys[keyName] # Generate the name of the packet. # The D-KEY (private key) data packet name convention is: # /<data_type>/D-KEY/[start-ts]/[end-ts]/[member-name] data = self._createDKeyData( startTimeStamp, endTimeStamp, keyName, privateKeyBlob, certificateKey) result.append(data) return result
def getGroupKey(self, timeSlot, needRegenerate=True): """ Create a group key for the interval into which timeSlot falls. This creates a group key if it doesn't exist, and encrypts the key using the public key of each eligible member. :param float timeSlot: The time slot to cover as milliseconds since Jan 1, 1970 UTC. :param bool needRegenerate: (optional) needRegenerate should be True if this is the first time this method is called, or a member was removed. needRegenerate can be False if this is not the first time this method is called, or a member was added. If omitted, use True. :return: A List of Data packets where the first is the E-KEY data packet with the group's public key and the rest are the D-KEY data packets with the group's private key encrypted with the public key of each eligible member. :raises GroupManagerDb.Error: For a database error. :raises SecurityException: For an error using the security KeyChain. """ unsortedMemberKeys = {} result = [] # Get the time interval. finalInterval = self._calculateInterval(timeSlot, unsortedMemberKeys) if finalInterval.isValid() == False: return result startTimeStamp = Schedule.toIsoString(finalInterval.getStartTime()) endTimeStamp = Schedule.toIsoString(finalInterval.getEndTime()) # Generate the private and public keys. eKeyName = Name(self._namespace) eKeyName.append(Encryptor.NAME_COMPONENT_E_KEY).append( startTimeStamp).append(endTimeStamp) if not needRegenerate and self._database.hasEKey(eKeyName): (publicKeyBlob, privateKeyBlob) = self._getEKey(eKeyName) else: (privateKeyBlob, publicKeyBlob) = self._generateKeyPair() if self._database.hasEKey(eKeyName): self._deleteEKey(eKeyName) self._addEKey(eKeyName, publicKeyBlob, privateKeyBlob) # Add the first element to the result. # The E-KEY (public key) data packet name convention is: # /<data_type>/E-KEY/[start-ts]/[end-ts] data = self._createEKeyData(startTimeStamp, endTimeStamp, publicKeyBlob) result.append(data) # Encrypt the private key with the public key from each member's certificate. # Sort the key names. for keyName in sorted(unsortedMemberKeys.keys()): certificateKey = unsortedMemberKeys[keyName] # Generate the name of the packet. # The D-KEY (private key) data packet name convention is: # /<data_type>/D-KEY/[start-ts]/[end-ts]/[member-name] data = self._createDKeyData(startTimeStamp, endTimeStamp, keyName, privateKeyBlob, certificateKey) result.append(data) return result
def prepareUnsignedIdentityCertificate(self, keyName, publicKey, signingIdentity, notBefore, notAfter, subjectDescription=None, certPrefix=None): """ Prepare an unsigned identity certificate. :param Name keyName: The key name, e.g., `/{identity_name}/ksk-123456`. :param PublicKey publicKey: (optional) The public key to sign. If ommited, use the keyName to get the public key from the identity storage. :param Name signingIdentity: The signing identity. :param float notBefore: See IdentityCertificate. :param float notAfter: See IdentityCertificate. :param Array<CertificateSubjectDescription> subjectDescription: A list of CertificateSubjectDescription. See IdentityCertificate. If None or empty, this adds a an ATTRIBUTE_NAME based on the keyName. :param Name certPrefix: (optional) The prefix before the `KEY` component. If None, this infers the certificate name according to the relation between the signingIdentity and the subject identity. If the signingIdentity is a prefix of the subject identity, `KEY` will be inserted after the signingIdentity, otherwise `KEY` is inserted after subject identity (i.e., before `ksk-...`). :return: The unsigned IdentityCertificate, or None if the inputs are invalid. :rtype: IdentityCertificate """ if not isinstance(publicKey, PublicKey): # The publicKey was omitted. Shift arguments. certPrefix = subjectDescription subjectDescription = notAfter notAfter = notBefore notBefore = signingIdentity signingIdentity = publicKey publicKey = PublicKey(self._identityStorage.getKey(keyName)) if keyName.size() < 1: return None tempKeyIdPrefix = keyName.get(-1).toEscapedString() if len(tempKeyIdPrefix) < 4: return None keyIdPrefix = tempKeyIdPrefix[0:4] if keyIdPrefix != "ksk-" and keyIdPrefix != "dsk-": return None certificate = IdentityCertificate() certName = Name() if certPrefix == None: # No certificate prefix hint, so infer the prefix. if signingIdentity.match(keyName): certName.append(signingIdentity) \ .append("KEY") \ .append(keyName.getSubName(signingIdentity.size())) \ .append("ID-CERT") \ .appendVersion(int(Common.getNowMilliseconds())) else: certName.append(keyName.getPrefix(-1)) \ .append("KEY") \ .append(keyName.get(-1)) \ .append("ID-CERT") \ .appendVersion(int(Common.getNowMilliseconds())) else: # A cert prefix hint is supplied, so determine the cert name. if certPrefix.match(keyName) and not certPrefix.equals(keyName): certName.append(certPrefix) \ .append("KEY") \ .append(keyName.getSubName(certPrefix.size())) \ .append("ID-CERT") \ .appendVersion(int(Common.getNowMilliseconds())) else: return None certificate.setName(certName) certificate.setNotBefore(notBefore) certificate.setNotAfter(notAfter) certificate.setPublicKeyInfo(publicKey) if subjectDescription == None or len(subjectDescription) == 0: certificate.addSubjectDescription( CertificateSubjectDescription("2.5.4.41", keyName.getPrefix(-1).toUri())) else: for i in range(len(subjectDescription)): certificate.addSubjectDescription(subjectDescription[i]) try: certificate.encode() except Exception as ex: raise SecurityException("DerEncodingException: " + str(ex)) return certificate
class EncryptorV2(object): """ Create an EncryptorV2 with the given parameters. This uses the face to register to receive Interests for the prefix {ckPrefix}/CK. :param Name accessPrefix: The NAC prefix to fetch the Key Encryption Key (KEK) (e.g., /access/prefix/NAC/data/subset). This copies the Name. :param Name ckPrefix: The prefix under which Content Keys (CK) will be generated. (Each will have a unique version appended.) This copies the Name. :param SigningInfo ckDataSigningInfo: The SigningInfo parameters to sign the Content Key (CK) Data packet. This copies the SigningInfo. :param onError: On failure to create the CK data (failed to fetch the KEK, failed to encrypt with the KEK, etc.), this calls onError(errorCode, message) where errorCode is from EncryptError.ErrorCode and message is a str. The encrypt method will continue trying to retrieve the KEK until success (with each attempt separated by RETRY_DELAY_KEK_RETRIEVAL_MS) and onError may be called multiple times. NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions. :type onError: function object :param Validator validator: The validation policy to ensure correctness of the KEK. :param KeyChain keyChain: The KeyChain used to sign Data packets. :param Face face: The Face that will be used to fetch the KEK and publish CK data. """ def __init__(self, accessPrefix, ckPrefix, ckDataSigningInfo, onError, validator, keyChain, face): # Copy the Name. self._accessPrefix = Name(accessPrefix) self._ckPrefix = Name(ckPrefix) self._ckBits = bytearray(EncryptorV2.AES_KEY_SIZE) self._ckDataSigningInfo = SigningInfo(ckDataSigningInfo) self._isKekRetrievalInProgress = False self._onError = onError self._keyChain = keyChain self._face = face self._kekData = None # Storage for encrypted CKs. self._storage = InMemoryStorageRetaining() self._kekPendingInterestId = 0 self.regenerateCk() def onInterest(prefix, interest, face, interestFilterId, filter): data = self._storage.find(interest) if data != None: logging.getLogger(__name__).info("Serving " + data.getName().toUri() + " from InMemoryStorage") try: face.putData(data) except: logging.exception("Error in Face.putData") else: logging.getLogger(__name__).info( "Didn't find CK data for " + interest.getName().toUri()) # TODO: Send NACK? def onRegisterFailed(prefix): logging.getLogger(__name__).error( "Failed to register prefix " + prefix.toUri()) self._ckRegisteredPrefixId = self._face.registerPrefix( Name(ckPrefix).append(EncryptorV2.NAME_COMPONENT_CK), onInterest, onRegisterFailed) def shutdown(self): self._face.unsetInterestFilter(self._ckRegisteredPrefixId) if self._kekPendingInterestId > 0: self._face.removePendingInterest(self._kekPendingInterestId) def encrypt(self, plainData): """ Encrypt the plainData using the existing Content Key (CK) and return a new EncryptedContent. :param plainData: The data to encrypt. :type plainData: Blob or an array which implements the buffer protocol :return: The new EncryptedContent. :rtype: EncryptedContent """ # Generate the initial vector. initialVector = bytearray(EncryptorV2.AES_IV_SIZE) for i in range(len(initialVector)): initialVector[i] = _systemRandom.randint(0, 0xff) params = EncryptParams(EncryptAlgorithmType.AesCbc) params.setInitialVector(Blob(initialVector, False)) encryptedData = AesAlgorithm.encrypt( Blob(self._ckBits, False), Blob(plainData, False), params) content = EncryptedContent() content.setInitialVector(params.getInitialVector()) content.setPayload(encryptedData) content.setKeyLocatorName(self._ckName) return content def regenerateCk(self): """ Create a new Content Key (CK) and publish the corresponding CK Data packet. This uses the onError given to the constructor to report errors. """ # TODO: Ensure that the CK Data packet for the old CK is published when # the CK is updated before the KEK is fetched. self._ckName = Name(self._ckPrefix) self._ckName.append(EncryptorV2.NAME_COMPONENT_CK) # The version is the ID of the CK. self._ckName.appendVersion(int(Common.getNowMilliseconds())) logging.getLogger(__name__).info("Generating new CK: " + self._ckName.toUri()) for i in range(len(self._ckBits)): self._ckBits[i] = _systemRandom.randint(0, 0xff) # One implication: If the CK is updated before the KEK is fetched, then # the KDK for the old CK will not be published. if self._kekData == None: self._retryFetchingKek() else: self._makeAndPublishCkData(self._onError) def size(self): """ Get the number of packets stored in in-memory storage. :return: The number of packets. :rtype: int """ return self._storage.size() def _retryFetchingKek(self): if self._isKekRetrievalInProgress: return logging.getLogger(__name__).info("Retrying fetching of the KEK") self._isKekRetrievalInProgress = True def onReady(): logging.getLogger(__name__).info("The KEK was retrieved and published") self._isKekRetrievalInProgress = False def onError(errorCode, message): logging.getLogger(__name__).info("Failed to retrieve KEK: " + message) self._isKekRetrievalInProgress = False self._onError(errorCode, message) self._fetchKekAndPublishCkData(onReady, onError, EncryptorV2.N_RETRIES) def _fetchKekAndPublishCkData(self, onReady, onError, nTriesLeft): """ Create an Interest for <access-prefix>/KEK to retrieve the <access-prefix>/KEK/<key-id> KEK Data packet, and set _kekData. :param onReady: When the KEK is retrieved and published, this calls onReady(). :type onError: function object :param onError: On failure, this calls onError(errorCode, message) where errorCode is from EncryptError.ErrorCode, and message is an error string. :type onError: function object :param int nTriesLeft: The number of retries for expressInterest timeouts. """ logging.getLogger(__name__).info("Fetching KEK: " + Name(self._accessPrefix).append(EncryptorV2.NAME_COMPONENT_KEK).toUri()) if self._kekPendingInterestId > 0: onError(EncryptError.ErrorCode.General, "fetchKekAndPublishCkData: There is already a _kekPendingInterestId") return def onData(interest, kekData): self._kekPendingInterestId = 0 # TODO: Verify if the key is legitimate. self._kekData = kekData if self._makeAndPublishCkData(onError): onReady() # Otherwise, failure has already been reported. def onTimeout(interest): self._kekPendingInterestId = 0 if nTriesLeft > 1: self._fetchKekAndPublishCkData(onReady, onError, nTriesLeft - 1) else: onError(EncryptError.ErrorCode.KekRetrievalTimeout, "Retrieval of KEK [" + interest.getName().toUri() + "] timed out") logging.getLogger(__name__).info( "Scheduling retry after all timeouts") self._face.callLater( EncryptorV2.RETRY_DELAY_KEK_RETRIEVAL_MS, self._retryFetchingKek) def onNetworkNack(interest, networkNack): self._kekPendingInterestId = 0 if nTriesLeft > 1: def callback(): self._fetchKekAndPublishCkData(onReady, onError, nTriesLeft - 1) self._face.callLater(EncryptorV2.RETRY_DELAY_AFTER_NACK_MS, callback) else: onError(EncryptError.ErrorCode.KekRetrievalFailure, "Retrieval of KEK [" + interest.getName().toUri() + "] failed. Got NACK (" + str(networkNack.getReason()) + ")") logging.getLogger(__name__).info("Scheduling retry from NACK") self._face.callLater( EncryptorV2.RETRY_DELAY_KEK_RETRIEVAL_MS, self._retryFetchingKek) try: self._kekPendingInterestId = self._face.expressInterest( Interest(Name(self._accessPrefix).append(EncryptorV2.NAME_COMPONENT_KEK)) .setMustBeFresh(True) .setCanBePrefix(True), onData, onTimeout, onNetworkNack) except Exception as ex: onError(EncryptError.ErrorCode.General, "expressInterest error: " + repr(ex)) def _makeAndPublishCkData(self, onError): """ Make a CK Data packet for _ckName encrypted by the KEK in _kekData and insert it in the _storage. :param onError: On failure, this calls onError(errorCode, message) where errorCode is from EncryptError.ErrorCode, and message is an error string. :type onError: function object :return: True on success, else False. :rtype: bool """ try: kek = PublicKey(self._kekData.getContent()) content = EncryptedContent() content.setPayload(kek.encrypt (Blob(self._ckBits, False), EncryptAlgorithmType.RsaOaep)) ckData = Data( Name(self._ckName).append(EncryptorV2.NAME_COMPONENT_ENCRYPTED_BY) .append(self._kekData.getName())) ckData.setContent(content.wireEncodeV2()) # FreshnessPeriod can serve as a soft access control for revoking access. ckData.getMetaInfo().setFreshnessPeriod( EncryptorV2.DEFAULT_CK_FRESHNESS_PERIOD_MS) self._keyChain.sign(ckData, self._ckDataSigningInfo) self._storage.insert(ckData) logging.getLogger(__name__).info("Publishing CK data: " + ckData.getName().toUri()) return True except Exception as ex: onError(EncryptError.ErrorCode.EncryptionFailure, "Failed to encrypt generated CK with KEK " + self._kekData.getName().toUri()) return False NAME_COMPONENT_ENCRYPTED_BY = Name.Component("ENCRYPTED-BY") NAME_COMPONENT_NAC = Name.Component("NAC") NAME_COMPONENT_KEK = Name.Component("KEK") NAME_COMPONENT_KDK = Name.Component("KDK") NAME_COMPONENT_CK = Name.Component("CK") RETRY_DELAY_AFTER_NACK_MS = 1000.0 RETRY_DELAY_KEK_RETRIEVAL_MS = 60 * 1000.0 AES_KEY_SIZE = 32 AES_IV_SIZE = 16 N_RETRIES = 3 DEFAULT_CK_FRESHNESS_PERIOD_MS = 3600 * 1000.0
def _decryptCKey(self, cKeyData, onPlainText, onError): """ Decrypt cKeyData. :param Data cKeyData: The C-KEY data packet. :param onPlainText: When the data packet is decrypted, this calls onPlainText(decryptedBlob) with the decrypted blob. :type onPlainText: function object :param onError: This calls onError(errorCode, message) for an error, where errorCode is from EncryptError.ErrorCode and message is a str. :type onError: function object """ # Get the encrypted content. cKeyContent = cKeyData.getContent() cKeyEncryptedContent = EncryptedContent() try: cKeyEncryptedContent.wireDecode(cKeyContent) except Exception as ex: try: onError(EncryptError.ErrorCode.InvalidEncryptedFormat, repr(ex)) except: logging.exception("Error in onError") return eKeyName = cKeyEncryptedContent.getKeyLocator().getKeyName() dKeyName = eKeyName.getPrefix(-3) dKeyName.append(Encryptor.NAME_COMPONENT_D_KEY).append( eKeyName.getSubName(-2)) # Check if the decryption key is already in the store. if dKeyName in self._dKeyMap: dKey = self._dKeyMap[dKeyName] Consumer._decrypt(cKeyEncryptedContent, dKey, onPlainText, onError) else: # Get the D-Key Data. interestName = Name(dKeyName) interestName.append(Encryptor.NAME_COMPONENT_FOR).append( self._consumerName) interest = Interest(interestName) # Prepare the callback functions. def onData(dKeyInterest, dKeyData): # The Interest has no selectors, so assume the library correctly # matched with the Data name before calling onData. try: def onVerified(validDKeyData): def localOnPlainText(dKeyBits): # dKeyName is already a local copy. self._dKeyMap[dKeyName] = dKeyBits Consumer._decrypt( cKeyEncryptedContent, dKeyBits, onPlainText, onError) self._decryptDKey(validDKeyData, localOnPlainText, onError) self._keyChain.verifyData( dKeyData, onVerified, lambda d: Consumer._callOnError(onError, EncryptError.ErrorCode.Validation, "verifyData failed")) except Exception as ex: try: onError(EncryptError.ErrorCode.General, "verifyData error: " + repr(ex)) except: logging.exception("Error in onError") def onTimeout(dKeyInterest): # We should re-try at least once. try: self._face.expressInterest( interest, onData, lambda contentInterest: Consumer._callOnError(onError, EncryptError.ErrorCode.Timeout, interest.getName().toUri())) except Exception as ex: try: onError(EncryptError.ErrorCode.General, "expressInterest error: " + repr(ex)) except: logging.exception("Error in onError") # Express the Interest. try: self._face.expressInterest(interest, onData, onTimeout) except Exception as ex: try: onError(EncryptError.ErrorCode.General, "expressInterest error: " + repr(ex)) except: logging.exception("Error in onError")
def createContentKey(self, timeSlot, onEncryptedKeys, onError=defaultOnError): """ Create the content key corresponding to the timeSlot. This first checks if the content key exists. For an existing content key, this returns the content key name directly. If the key does not exist, this creates one and encrypts it using the corresponding E-KEYs. The encrypted content keys are passed to the onEncryptedKeys callback. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: If this creates a content key, then this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. NOTE: The library will log any exceptions raised by this callback, but for better error handling the callback should catch and properly handle any exceptions. :type onEncryptedKeys: function object :param onError: (optional) This calls errorCode, message) for an error, where errorCode is from EncryptError.ErrorCode and message is a str. If omitted, use a default callback which does nothing. NOTE: The library will log any exceptions raised by this callback, but for better error handling the callback should catch and properly handle any exceptions. :type onError: function object :return: The content key name. :rtype: Name """ hourSlot = Producer._getRoundedTimeSlot(timeSlot) # Create the content key name. contentKeyName = Name(self._namespace) contentKeyName.append(Encryptor.NAME_COMPONENT_C_KEY) contentKeyName.append(Schedule.toIsoString(hourSlot)) # Check if we have created the content key before. if self._database.hasContentKey(timeSlot): # We have created the content key. Return its name directly. return contentKeyName # We haven't created the content key. Create one and add it into the # database. aesParams = AesKeyParams(128) contentKeyBits = AesAlgorithm.generateKey(aesParams).getKeyBits() self._database.addContentKey(timeSlot, contentKeyBits) # Now we need to retrieve the E-KEYs for content key encryption. timeCount = round(timeSlot) self._keyRequests[timeCount] = Producer._KeyRequest(len(self._eKeyInfo)) keyRequest = self._keyRequests[timeCount] # Check if the current E-KEYs can cover the content key. timeRange = Exclude() Producer.excludeAfter(timeRange, Name.Component(Schedule.toIsoString(timeSlot))) # Send interests for all nodes in the tree. for keyName in self._eKeyInfo: # For each current E-KEY. keyInfo = self._eKeyInfo[keyName] if timeSlot < keyInfo.beginTimeSlot or timeSlot >= keyInfo.endTimeSlot: # The current E-KEY cannot cover the content key, so retrieve one. keyRequest.repeatAttempts[keyName] = 0 self._sendKeyInterest( Interest(keyName).setExclude(timeRange).setChildSelector(1), timeSlot, onEncryptedKeys, onError ) else: # The current E-KEY can cover the content key. # Encrypt the content key directly. eKeyName = Name(keyName) eKeyName.append(Schedule.toIsoString(keyInfo.beginTimeSlot)) eKeyName.append(Schedule.toIsoString(keyInfo.endTimeSlot)) self._encryptContentKey(keyInfo.keyBits, eKeyName, timeSlot, onEncryptedKeys, onError) return contentKeyName
def _fetchKdk(self, contentKey, kdkPrefix, ckData, onError, nTriesLeft): """ :param DecryptorV2.ContentKey contentKey: :param Name kdkPrefix: :param Data ckData: :param onError: On error, this calls onError(errorCode, message) :type onError: function object :param int nTriesLeft: """ # <kdk-prefix>/KDK/<kdk-id> /ENCRYPTED-BY /<credential-identity>/KEY/<key-id> # \ / \ / # ----------- ------------- --------------- --------------- # \/ \/ # from the CK data from configuration kdkName = Name(kdkPrefix) kdkName.append(EncryptorV2.NAME_COMPONENT_ENCRYPTED_BY).append( self._credentialsKey.getName()) logging.getLogger(__name__).info("Fetching KDK " + kdkName.toUri()) def onData(kdkInterest, kdkData): try: contentKey.pendingInterest = 0 # TODO: Verify that the key is legitimate. isOk = self._decryptAndImportKdk(kdkData, onError) if not isOk: return # This way of getting the kdkKeyName is a bit hacky. kdkKeyName = kdkPrefix.getPrefix(-2).append("KEY").append( kdkPrefix.get(-1)) self._decryptCkAndProcessPendingDecrypts( contentKey, ckData, kdkKeyName, onError) except Exception as ex: onError(EncryptError.ErrorCode.General, "Error in fetchCk onData: " + repr(ex)) def onTimeout(interest): contentKey.pendingInterest = 0 if nTriesLeft > 1: self._fetchKdk(contentKey, kdkPrefix, ckData, onError, nTriesLeft - 1) else: onError( EncryptError.ErrorCode.KdkRetrievalTimeout, "Retrieval of KDK [" + interest.getName().toUri() + "] timed out") def onNetworkNack(interest, networkNack): contentKey.pendingInterest = 0 onError( EncryptError.ErrorCode.KdkRetrievalFailure, "Retrieval of KDK [" + interest.getName().toUri() + "] failed. Got NACK (" + str(networkNack.getReason()) + ")") try: contentKey.pendingInterest = self._face.expressInterest( Interest(kdkName).setMustBeFresh(True).setCanBePrefix(False), onData, onTimeout, onNetworkNack) except Exception as ex: onError(EncryptError.ErrorCode.General, "expressInterest error: " + repr(ex))
def _decryptCKey(self, cKeyData, onPlainText, onError): """ Decrypt cKeyData. :param Data cKeyData: The C-KEY data packet. :param onPlainText: When the data packet is decrypted, this calls onPlainText(decryptedBlob) with the decrypted blob. :type onPlainText: function object :param onError: This calls onError(errorCode, message) for an error, where errorCode is from EncryptError.ErrorCode and message is a str. :type onError: function object """ # Get the encrypted content. cKeyContent = cKeyData.getContent() cKeyEncryptedContent = EncryptedContent() try: cKeyEncryptedContent.wireDecode(cKeyContent) except Exception as ex: try: onError(EncryptError.ErrorCode.InvalidEncryptedFormat, repr(ex)) except: logging.exception("Error in onError") return eKeyName = cKeyEncryptedContent.getKeyLocator().getKeyName() dKeyName = eKeyName.getPrefix(-3) dKeyName.append(Encryptor.NAME_COMPONENT_D_KEY).append( eKeyName.getSubName(-2)) # Check if the decryption key is already in the store. if dKeyName in self._dKeyMap: dKey = self._dKeyMap[dKeyName] Consumer._decrypt(cKeyEncryptedContent, dKey, onPlainText, onError) else: # Get the D-Key Data. interestName = Name(dKeyName) interestName.append(Encryptor.NAME_COMPONENT_FOR).append( self._consumerName) interest = Interest(interestName) # Prepare the callback functions. def onData(dKeyInterest, dKeyData): # The Interest has no selectors, so assume the library correctly # matched with the Data name before calling onData. try: def onVerified(validDKeyData): def localOnPlainText(dKeyBits): # dKeyName is already a local copy. self._dKeyMap[dKeyName] = dKeyBits Consumer._decrypt(cKeyEncryptedContent, dKeyBits, onPlainText, onError) self._decryptDKey(validDKeyData, localOnPlainText, onError) self._keyChain.verifyData( dKeyData, onVerified, lambda d: Consumer._callOnError( onError, EncryptError.ErrorCode.Validation, "verifyData failed")) except Exception as ex: try: onError(EncryptError.ErrorCode.General, "verifyData error: " + repr(ex)) except: logging.exception("Error in onError") def onTimeout(dKeyInterest): # We should re-try at least once. try: self._face.expressInterest( interest, onData, lambda contentInterest: Consumer._callOnError( onError, EncryptError.ErrorCode.Timeout, interest.getName().toUri())) except Exception as ex: try: onError(EncryptError.ErrorCode.General, "expressInterest error: " + repr(ex)) except: logging.exception("Error in onError") # Express the Interest. try: self._face.expressInterest(interest, onData, onTimeout) except Exception as ex: try: onError(EncryptError.ErrorCode.General, "expressInterest error: " + repr(ex)) except: logging.exception("Error in onError")
def _processSyncInterest(self, index, syncDigest, face): """ Common interest processing, using digest log to find the difference after syncDigest. :return: True if sent a data packet to satisfy the interest, otherwise False. :rtype: bool """ nameList = [] # of str sequenceNoList = [] # of int sessionNoList = [] # of int for j in range(index + 1, len(self._digestLog)): temp = self._digestLog[j].getData( ) # array of sync_state_pb2.SyncState. for i in range(len(temp)): syncState = temp[i] if syncState.type != SyncState_UPDATE: continue if self._digestTree.find(syncState.name, syncState.seqno.session) != -1: n = -1 for k in range(len(nameList)): if nameList[k] == syncState.name: n = k break if n == -1: nameList.append(syncState.name) sequenceNoList.append(syncState.seqno.seq) sessionNoList.append(syncState.seqno.session) else: sequenceNoList[n] = syncState.seqno.seq sessionNoList[n] = syncState.seqno.session tempContent = SyncStateMsg() for i in range(len(nameList)): content = getattr(tempContent, "ss").add() content.name = nameList[i] content.type = SyncState_UPDATE content.seqno.seq = sequenceNoList[i] content.seqno.session = sessionNoList[i] sent = False if len(getattr(tempContent, "ss")) != 0: name = Name(self._applicationBroadcastPrefix) name.append(syncDigest) # TODO: Check if this works in Python 3. #pylint: disable=E1103 array = tempContent.SerializeToString() #pylint: enable=E1103 data = Data(name) data.setContent(Blob(array)) self._keyChain.sign(data, self._certificateName) try: face.putData(data) except Exception as ex: logging.getLogger(__name__).error("Error in face.putData: %s", str(ex)) return sent = True logging.getLogger(__name__).info("Sync Data send") logging.getLogger(__name__).info("%s", name.toUri()) return sent
def _processSyncInterest(self, index, syncDigest, face): """ Common interest processing, using digest log to find the difference after syncDigest. :return: True if sent a data packet to satisfy the interest, otherwise False. :rtype: bool """ nameList = [] # of str sequenceNoList = [] # of int sessionNoList = [] # of int for j in range(index + 1, len(self._digestLog)): temp = self._digestLog[j].getData() # array of sync_state_pb2.SyncState. for i in range(len(temp)): syncState = temp[i] if syncState.type != SyncState_UPDATE: continue if self._digestTree.find( syncState.name, syncState.seqno.session) != -1: n = -1 for k in range(len(nameList)): if nameList[k] == syncState.name: n = k break if n == -1: nameList.append(syncState.name) sequenceNoList.append(syncState.seqno.seq) sessionNoList.append(syncState.seqno.session) else: sequenceNoList[n] = syncState.seqno.seq sessionNoList[n] = syncState.seqno.session tempContent = SyncStateMsg() for i in range(len(nameList)): content = getattr(tempContent, "ss").add() content.name = nameList[i] content.type = SyncState_UPDATE content.seqno.seq = sequenceNoList[i] content.seqno.session = sessionNoList[i] sent = False if len(getattr(tempContent, "ss")) != 0: name = Name(self._applicationBroadcastPrefix) name.append(syncDigest) # TODO: Check if this works in Python 3. #pylint: disable=E1103 array = tempContent.SerializeToString() #pylint: enable=E1103 data = Data(name) data.setContent(Blob(array)) self._keyChain.sign(data, self._certificateName) try: face.putData(data) except Exception as ex: logging.getLogger(__name__).error( "Error in face.putData: %s", str(ex)) return sent = True logging.getLogger(__name__).info("Sync Data send") logging.getLogger(__name__).info("%s", name.toUri()) return sent
def prepareUnsignedIdentityCertificate(self, keyName, publicKey, signingIdentity, notBefore, notAfter, subjectDescription = None, certPrefix = None): """ Prepare an unsigned identity certificate. :param Name keyName: The key name, e.g., `/{identity_name}/ksk-123456`. :param PublicKey publicKey: (optional) The public key to sign. If ommited, use the keyName to get the public key from the identity storage. :param Name signingIdentity: The signing identity. :param float notBefore: See IdentityCertificate. :param float notAfter: See IdentityCertificate. :param Array<CertificateSubjectDescription> subjectDescription: A list of CertificateSubjectDescription. See IdentityCertificate. If None or empty, this adds a an ATTRIBUTE_NAME based on the keyName. :param Name certPrefix: (optional) The prefix before the `KEY` component. If None, this infers the certificate name according to the relation between the signingIdentity and the subject identity. If the signingIdentity is a prefix of the subject identity, `KEY` will be inserted after the signingIdentity, otherwise `KEY` is inserted after subject identity (i.e., before `ksk-...`). :return: The unsigned IdentityCertificate, or None if the inputs are invalid. :rtype: IdentityCertificate """ if not isinstance(publicKey, PublicKey): # The publicKey was omitted. Shift arguments. certPrefix = subjectDescription subjectDescription = notAfter notAfter = notBefore notBefore = signingIdentity signingIdentity = publicKey publicKey = PublicKey(self._identityStorage.getKey(keyName)) if keyName.size() < 1: return None tempKeyIdPrefix = keyName.get(-1).toEscapedString() if len(tempKeyIdPrefix) < 4: return None keyIdPrefix = tempKeyIdPrefix[0:4] if keyIdPrefix != "ksk-" and keyIdPrefix != "dsk-": return None certificate = IdentityCertificate() certName = Name() if certPrefix == None: # No certificate prefix hint, so infer the prefix. if signingIdentity.match(keyName): certName.append(signingIdentity) \ .append("KEY") \ .append(keyName.getSubName(signingIdentity.size())) \ .append("ID-CERT") \ .appendVersion(int(Common.getNowMilliseconds())) else: certName.append(keyName.getPrefix(-1)) \ .append("KEY") \ .append(keyName.get(-1)) \ .append("ID-CERT") \ .appendVersion(int(Common.getNowMilliseconds())) else: # A cert prefix hint is supplied, so determine the cert name. if certPrefix.match(keyName) and not certPrefix.equals(keyName): certName.append(certPrefix) \ .append("KEY") \ .append(keyName.getSubName(certPrefix.size())) \ .append("ID-CERT") \ .appendVersion(int(Common.getNowMilliseconds())) else: return None certificate.setName(certName) certificate.setNotBefore(notBefore) certificate.setNotAfter(notAfter) certificate.setPublicKeyInfo(publicKey) if subjectDescription == None or len(subjectDescription) == 0: certificate.addSubjectDescription(CertificateSubjectDescription( "2.5.4.41", keyName.getPrefix(-1).toUri())) else: for i in range(len(subjectDescription)): certificate.addSubjectDescription(subjectDescription[i]) try: certificate.encode() except Exception as ex: raise SecurityException("DerEncodingException: " + str(ex)) return certificate
def encryptData(data, payload, keyName, key, params): """ Prepare an encrypted data packet by encrypting the payload using the key according to the params. In addition, this prepares the encoded EncryptedContent with the encryption result using keyName and params. The encoding is set as the content of the data packet. If params defines an asymmetric encryption algorithm and the payload is larger than the maximum plaintext size, this encrypts the payload with a symmetric key that is asymmetrically encrypted and provided as a nonce in the content of the data packet. The packet's <dataName>/ is updated to be <dataName>/FOR/<keyName> :param Data data: The data packet which is updated. :param Blob payload: The payload to encrypt. :param Name keyName: The key name for the EncryptedContent. :param Blob key: The encryption key value. :param EncryptParams params: The parameters for encryption. """ data.getName().append(Encryptor.NAME_COMPONENT_FOR).append(keyName) algorithmType = params.getAlgorithmType() if (algorithmType == EncryptAlgorithmType.AesCbc or algorithmType == EncryptAlgorithmType.AesEcb): content = Encryptor._encryptSymmetric(payload, key, keyName, params) data.setContent(content.wireEncode(TlvWireFormat.get())) elif (algorithmType == EncryptAlgorithmType.RsaPkcs or algorithmType == EncryptAlgorithmType.RsaOaep): # Cryptography doesn't have a direct way to get the maximum plain text # size, so try to encrypt the payload first and catch the error if # it is too big. try: content = Encryptor._encryptAsymmetric(payload, key, keyName, params) data.setContent(content.wireEncode(TlvWireFormat.get())) return except ValueError as ex: message = ex.args[0] if not ("Data too long for key size" in message): raise ex # Else the payload is larger than the maximum plaintext size. Continue. # 128-bit nonce. nonceKeyBuffer = bytearray(16) for i in range(16): nonceKeyBuffer[i] = _systemRandom.randint(0, 0xff) nonceKey = Blob(nonceKeyBuffer, False) nonceKeyName = Name(keyName) nonceKeyName.append("nonce") symmetricParams = EncryptParams( EncryptAlgorithmType.AesCbc, AesAlgorithm.BLOCK_SIZE) nonceContent = Encryptor._encryptSymmetric( payload, nonceKey, nonceKeyName, symmetricParams) payloadContent = Encryptor._encryptAsymmetric( nonceKey, key, keyName, params) nonceContentEncoding = nonceContent.wireEncode() payloadContentEncoding = payloadContent.wireEncode() content = bytearray( nonceContentEncoding.size() + payloadContentEncoding.size()) content[0:payloadContentEncoding.size()] = payloadContentEncoding.buf() content[payloadContentEncoding.size():] = nonceContentEncoding.buf() data.setContent(Blob(content, False)) else: raise RuntimeError("Unsupported encryption method")
class Producer(object): """ Create a Producer to use the given ProducerDb, Face and other values. A producer can produce data with a naming convention: <prefix>/SAMPLE/<dataType>/[timestamp] The produced data packet is encrypted with a content key, which is stored in the ProducerDb database. A producer also needs to produce data containing a content key encrypted with E-KEYs. A producer can retrieve E-KEYs through the face, and will re-try for at most repeatAttemps times when E-KEY retrieval fails. :param Name prefix: The producer name prefix. This makes a copy of the Name. :param Name dataType: The dataType portion of the producer name. This makes a copy of the Name. :param Face face: The face used to retrieve keys. :param KeyChain keyChain: The keyChain used to sign data packets. :param ProducerDb database: The ProducerDb database for storing keys. :param int repeatAttempts: (optional) The maximum retry for retrieving keys. If omitted, use a default value of 3. :param Link keyRetrievalLink: (optional) The Link object to use in Interests for key retrieval. This makes a copy of the Link object. If the Link object's getDelegations().size() is zero, don't use it. If omitted, don't use a Link object. """ def __init__(self, prefix, dataType, face, keyChain, database, repeatAttempts=None, keyRetrievalLink=None): self._face = face self._keyChain = keyChain self._database = database self._maxRepeatAttempts = 3 if repeatAttempts == None else repeatAttempts self._keyRetrievalLink = Producer.NO_LINK if keyRetrievalLink == None else Link(keyRetrievalLink) # The dictionary key is the key Name The value is a Producer._KeyInfo. self._eKeyInfo = {} # The dictionary key is the float time stamp. The value is a Producer._KeyRequest. self._keyRequests = {} fixedPrefix = Name(prefix) fixedDataType = Name(dataType) # Fill _ekeyInfo with all permutations of dataType, including the 'E-KEY' # component of the name. This will be used in createContentKey to send # interests without reconstructing names every time. fixedPrefix.append(Encryptor.NAME_COMPONENT_READ) while fixedDataType.size() > 0: nodeName = Name(fixedPrefix) nodeName.append(fixedDataType) nodeName.append(Encryptor.NAME_COMPONENT_E_KEY) self._eKeyInfo[nodeName] = Producer._KeyInfo() fixedDataType = fixedDataType.getPrefix(-1) fixedPrefix.append(dataType) self._namespace = Name(prefix) self._namespace.append(Encryptor.NAME_COMPONENT_SAMPLE) self._namespace.append(dataType) @staticmethod def defaultOnError(errorCode, message): """ The default onError callback which does nothing. """ # Do nothing. pass def createContentKey(self, timeSlot, onEncryptedKeys, onError=defaultOnError): """ Create the content key corresponding to the timeSlot. This first checks if the content key exists. For an existing content key, this returns the content key name directly. If the key does not exist, this creates one and encrypts it using the corresponding E-KEYs. The encrypted content keys are passed to the onEncryptedKeys callback. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: If this creates a content key, then this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. NOTE: The library will log any exceptions raised by this callback, but for better error handling the callback should catch and properly handle any exceptions. :type onEncryptedKeys: function object :param onError: (optional) This calls errorCode, message) for an error, where errorCode is from EncryptError.ErrorCode and message is a str. If omitted, use a default callback which does nothing. NOTE: The library will log any exceptions raised by this callback, but for better error handling the callback should catch and properly handle any exceptions. :type onError: function object :return: The content key name. :rtype: Name """ hourSlot = Producer._getRoundedTimeSlot(timeSlot) # Create the content key name. contentKeyName = Name(self._namespace) contentKeyName.append(Encryptor.NAME_COMPONENT_C_KEY) contentKeyName.append(Schedule.toIsoString(hourSlot)) # Check if we have created the content key before. if self._database.hasContentKey(timeSlot): # We have created the content key. Return its name directly. return contentKeyName # We haven't created the content key. Create one and add it into the # database. aesParams = AesKeyParams(128) contentKeyBits = AesAlgorithm.generateKey(aesParams).getKeyBits() self._database.addContentKey(timeSlot, contentKeyBits) # Now we need to retrieve the E-KEYs for content key encryption. timeCount = round(timeSlot) self._keyRequests[timeCount] = Producer._KeyRequest(len(self._eKeyInfo)) keyRequest = self._keyRequests[timeCount] # Check if the current E-KEYs can cover the content key. timeRange = Exclude() Producer.excludeAfter(timeRange, Name.Component(Schedule.toIsoString(timeSlot))) # Send interests for all nodes in the tree. for keyName in self._eKeyInfo: # For each current E-KEY. keyInfo = self._eKeyInfo[keyName] if timeSlot < keyInfo.beginTimeSlot or timeSlot >= keyInfo.endTimeSlot: # The current E-KEY cannot cover the content key, so retrieve one. keyRequest.repeatAttempts[keyName] = 0 self._sendKeyInterest( Interest(keyName).setExclude(timeRange).setChildSelector(1), timeSlot, onEncryptedKeys, onError ) else: # The current E-KEY can cover the content key. # Encrypt the content key directly. eKeyName = Name(keyName) eKeyName.append(Schedule.toIsoString(keyInfo.beginTimeSlot)) eKeyName.append(Schedule.toIsoString(keyInfo.endTimeSlot)) self._encryptContentKey(keyInfo.keyBits, eKeyName, timeSlot, onEncryptedKeys, onError) return contentKeyName def produce(self, data, timeSlot, content, onError=defaultOnError): """ Encrypt the given content with the content key that covers timeSlot, and update the data packet with the encrypted content and an appropriate data name. :param Data data: An empty Data object which is updated. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param Blob content: The content to encrypt. :param onError: (optional) This calls onError(errorCode, message) for an error, where errorCode is from EncryptError.ErrorCode and message is a str. If omitted, use a default callback which does nothing. NOTE: The library will log any exceptions raised by this callback, but for better error handling the callback should catch and properly handle any exceptions. :type onError: function object """ # Get a content key. contentKeyName = self.createContentKey(timeSlot, None, onError) contentKey = self._database.getContentKey(timeSlot) # Produce data. dataName = Name(self._namespace) dataName.append(Schedule.toIsoString(timeSlot)) data.setName(dataName) params = EncryptParams(EncryptAlgorithmType.AesCbc, 16) Encryptor.encryptData(data, content, contentKeyName, contentKey, params) self._keyChain.sign(data) class _KeyInfo(object): def __init__(self): self.beginTimeSlot = 0.0 self.endTimeSlot = 0.0 self.keyBits = None # Blob class _KeyRequest(object): def __init__(self, interests): self.interestCount = interests # int # The dictionary key is the Name. The value is an int count. self.repeatAttempts = {} self.encryptedKeys = [] # of Data @staticmethod def _getRoundedTimeSlot(timeSlot): """ Round timeSlot to the nearest whole hour, so that we can store content keys uniformly (by start of the hour). :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :return: The start of the hour as milliseconds since Jan 1, 1970 UTC. :rtype: float """ return round(math.floor(round(timeSlot) / 3600000.0) * 3600000.0) def _sendKeyInterest(self, interest, timeSlot, onEncryptedKeys, onError): """ Send an interest with the given name through the face with callbacks to _handleCoveringKey, _handleTimeout and _handleNetworkNack. :param Interest interest: The interest to send. :param float timeSlot: The time slot, passed to _handleCoveringKey, _handleTimeout and _handleNetworkNack. :param onEncryptedKeys: The OnEncryptedKeys callback, passed to _handleCoveringKey, _handleTimeout and _handleNetworkNack. :type onEncryptedKeys: function object :param onError: This calls onError(errorCode, message) for an error. :type onError: function object """ def onKey(interest, data): self._handleCoveringKey(interest, data, timeSlot, onEncryptedKeys, onError) def onTimeout(interest): self._handleTimeout(interest, timeSlot, onEncryptedKeys, onError) def onNetworkNack(interest, networkNack): self._handleNetworkNack(interest, networkNack, timeSlot, onEncryptedKeys, onError) if self._keyRetrievalLink.getDelegations().size() == 0: # We can use the supplied interest without copying. request = interest else: # Copy the supplied interest and add the Link. request = Interest(interest) # This will use a cached encoding if available. request.setLinkWireEncoding(self._keyRetrievalLink.wireEncode()) self._face.expressInterest(request, onKey, onTimeout, onNetworkNack) def _handleTimeout(self, interest, timeSlot, onEncryptedKeys, onError): """ This is called from an expressInterest timeout to update the state of keyRequest. :param Interest interest: The timed-out interest. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: When there are no more interests to process, this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. :type onEncryptedKeys: function object :param onError: This calls onError(errorCode, message) for an error. :type onError: function object """ timeCount = round(timeSlot) keyRequest = self._keyRequests[timeCount] interestName = interest.getName() if keyRequest.repeatAttempts[interestName] < self._maxRepeatAttempts: # Increase the retrial count. keyRequest.repeatAttempts[interestName] += 1 self._sendKeyInterest(interest, timeSlot, onEncryptedKeys, onError) else: # Treat an eventual timeout as a network Nack. self._handleNetworkNack(interest, NetworkNack(), timeSlot, onEncryptedKeys, onError) def _handleNetworkNack(self, interest, networkNack, timeSlot, onEncryptedKeys, onError): """ This is called from an expressInterest OnNetworkNack to handle a network Nack for the E-KEY requested through the Interest. Decrease the outstanding E-KEY interest count for the C-KEY corresponding to the timeSlot. :param Interest interest: The interest given to expressInterest. :param NetworkNack networkNack: The returned NetworkNack (unused). :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: When there are no more interests to process, this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. :type onEncryptedKeys: function object """ # We have run out of options.... timeCount = round(timeSlot) self._updateKeyRequest(self._keyRequests[timeCount], timeCount, onEncryptedKeys) def _updateKeyRequest(self, keyRequest, timeCount, onEncryptedKeys): """ Decrease the count of outstanding E-KEY interests for the C-KEY for timeCount. If the count decreases to 0, invoke onEncryptedKeys. :param Producer._KeyRequest keyRequest: The KeyRequest with the interestCount to update. :param float timeCount: The time count for indexing keyRequests_. :param onEncryptedKeys: When there are no more interests to process, this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. :type onEncryptedKeys: function object """ keyRequest.interestCount -= 1 if keyRequest.interestCount == 0 and onEncryptedKeys != None: try: onEncryptedKeys(keyRequest.encryptedKeys) except: logging.exception("Error in onEncryptedKeys") if timeCount in self._keyRequests: del self._keyRequests[timeCount] def _handleCoveringKey(self, interest, data, timeSlot, onEncryptedKeys, onError): """ This is called from an expressInterest OnData to check that the encryption key contained in data fits the timeSlot. This sends a refined interest if required. :param Interest interest: The interest given to expressInterest. :param Data data: The fetched Data packet. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: When there are no more interests to process, this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. :type onEncryptedKeys: function object :param onError: This calls onError(errorCode, message) for an error. :type onError: function object """ timeCount = round(timeSlot) keyRequest = self._keyRequests[timeCount] interestName = interest.getName() keyName = data.getName() begin = Schedule.fromIsoString(str(keyName.get(Producer.START_TIME_STAMP_INDEX).getValue())) end = Schedule.fromIsoString(str(keyName.get(Producer.END_TIME_STAMP_INDEX).getValue())) if timeSlot >= end: # If the received E-KEY covers some earlier period, try to retrieve # an E-KEY covering a later one. timeRange = Exclude(interest.getExclude()) Producer.excludeBefore(timeRange, keyName.get(Producer.START_TIME_STAMP_INDEX)) keyRequest.repeatAttempts[interestName] = 0 self._sendKeyInterest( Interest(interestName).setExclude(timeRange).setChildSelector(1), timeSlot, onEncryptedKeys, onError ) else: # If the received E-KEY covers the content key, encrypt the content. encryptionKey = data.getContent() # If everything is correct, save the E-KEY as the current key. if self._encryptContentKey(encryptionKey, keyName, timeSlot, onEncryptedKeys, onError): keyInfo = self._eKeyInfo[interestName] keyInfo.beginTimeSlot = begin keyInfo.endTimeSlot = end keyInfo.keyBits = encryptionKey def _encryptContentKey(self, encryptionKey, eKeyName, timeSlot, onEncryptedKeys, onError): """ Get the content key from the database_ and encrypt it for the timeSlot using encryptionKey. :param Blob encryptionKey: The encryption key value. :param Name eKeyName: The key name for the EncryptedContent. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: When there are no more interests to process, this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. :type onEncryptedKeys: function object :param onError: This calls onError(errorCode, message) for an error. :type onError: function object :return: True if encryption succeeds, otherwise False. :rtype: bool """ timeCount = round(timeSlot) keyRequest = self._keyRequests[timeCount] keyName = Name(self._namespace) keyName.append(Encryptor.NAME_COMPONENT_C_KEY) keyName.append(Schedule.toIsoString(Producer._getRoundedTimeSlot(timeSlot))) contentKey = self._database.getContentKey(timeSlot) cKeyData = Data() cKeyData.setName(keyName) params = EncryptParams(EncryptAlgorithmType.RsaOaep) try: Encryptor.encryptData(cKeyData, contentKey, eKeyName, encryptionKey, params) except Exception as ex: try: onError(EncryptError.ErrorCode.EncryptionFailure, "encryptData error: " + repr(ex)) except: logging.exception("Error in onError") return False self._keyChain.sign(cKeyData) keyRequest.encryptedKeys.append(cKeyData) self._updateKeyRequest(keyRequest, timeCount, onEncryptedKeys) return True # TODO: Move this to be the main representation inside the Exclude object. class ExcludeEntry(object): """ Create a new ExcludeEntry. :param Name.Component component: :param bool anyFollowsComponent: """ def __init__(self, component, anyFollowsComponent): self._component = component self._anyFollowsComponent = anyFollowsComponent @staticmethod def getExcludeEntries(exclude): """ Create a list of ExcludeEntry from the Exclude object. :param Exclude exclude: The Exclude object to read. :return: A new array of ExcludeEntry. :rtype: Array<ExcludeEntry> """ entries = [] for i in range(exclude.size()): if exclude.get(i).getType() == Exclude.ANY: if len(entries) == 0: # Add a "beginning ANY". entries.append(Producer.ExcludeEntry(Name.Component(), True)) else: # Set anyFollowsComponent of the final component. entries[len(entries) - 1]._anyFollowsComponent = True else: entries.append(Producer.ExcludeEntry(exclude.get(i).getComponent(), False)) return entries @staticmethod def setExcludeEntries(exclude, entries): """ Set the Exclude object from the array of ExcludeEntry. :param Exclude exclude: The Exclude object to update. :param Array<ExcludeEntry> entries: The array of ExcludeEntry. """ exclude.clear() for i in range(len(entries)): entry = entries[i] if i == 0 and entry._component.getValue().size() == 0 and entry._anyFollowsComponent: # This is a "beginning ANY". exclude.appendAny() else: exclude.appendComponent(entry._component) if entry._anyFollowsComponent: exclude.appendAny() @staticmethod def findEntryBeforeOrAt(entries, component): """ Get the latest entry in the array whose component is less than or equal to component. :param Array<ExcludeEntry> entries: The array of ExcludeEntry. :param Name.Component component: The component to compare. :return: The index of the found entry, or -1 if not found. :rtype: int """ i = len(entries) - 1 while i >= 0: if entries[i]._component.compare(component) <= 0: break i -= 1 return i @staticmethod def excludeAfter(exclude, fromComponent): """ Exclude all components in the range beginning at "fromComponent". :param Exclude exclude: The Exclude object to update. :param Name.Component fromComponent: The first component in the exclude range. """ entries = Producer.getExcludeEntries(exclude) iFoundFrom = Producer.findEntryBeforeOrAt(entries, fromComponent) if iFoundFrom < 0: # There is no entry before "fromComponent" so insert at the beginning. entries.insert(0, Producer.ExcludeEntry(fromComponent, True)) iNewFrom = 0 else: foundFrom = entries[iFoundFrom] if not foundFrom._anyFollowsComponent: if foundFrom._component.equals(fromComponent): # There is already an entry with "fromComponent", so just # set the "ANY" flag. foundFrom._anyFollowsComponent = True iNewFrom = iFoundFrom else: # Insert following the entry before "fromComponent". entries.insert(iFoundFrom + 1, Producer.ExcludeEntry(fromComponent, True)) iNewFrom = iFoundFrom + 1 else: # The entry before "fromComponent" already has an "ANY" flag, # so do nothing. iNewFrom = iFoundFrom # Remove intermediate entries since they are inside the range. iRemoveBegin = iNewFrom + 1 entries[iRemoveBegin:] = [] Producer.setExcludeEntries(exclude, entries) @staticmethod def excludeBefore(exclude, to): """ Exclude all components in the range ending at "to". :param Exclude exclude: The Exclude object to update. :param Name.Component to: The last component in the exclude range. """ Producer.excludeRange(exclude, Name.Component(), to) @staticmethod def excludeRange(exclude, fromComponent, to): """ Exclude all components in the range beginning at "fromComponent" and ending at "to". :param Exclude exclude: The Exclude object to update. :param Name.Component fromComponent: The first component in the exclude range. :param Name.Component to: The last component in the exclude range. """ if fromComponent.compare(to) >= 0: if fromComponent.compare(to) == 0: raise RuntimeError("excludeRange: from == to. To exclude a single component, sue excludeOne.") else: raise RuntimeError( "excludeRange: from must be less than to. Invalid range: [" + fromComponent.toEscapedString() + ", " + to.toEscapedString() + "]" ) entries = Producer.getExcludeEntries(exclude) iFoundFrom = Producer.findEntryBeforeOrAt(entries, fromComponent) if iFoundFrom < 0: # There is no entry before "fromComponent" so insert at the beginning. entries.insert(0, Producer.ExcludeEntry(fromComponent, True)) iNewFrom = 0 else: foundFrom = entries[iFoundFrom] if not foundFrom._anyFollowsComponent: if foundFrom._component.equals(fromComponent): # There is already an entry with "fromComponent", so just # set the "ANY" flag. foundFrom._anyFollowsComponent = True iNewFrom = iFoundFrom else: # Insert following the entry before "fromComponent". entries.insert(iFoundFrom + 1, Producer.ExcludeEntry(fromComponent, True)) iNewFrom = iFoundFrom + 1 else: # The entry before "fromComponent" already has an "ANY" flag, # so do nothing. iNewFrom = iFoundFrom # We have at least one "fromComponent" before "to", so we know this will # find an entry. iFoundTo = Producer.findEntryBeforeOrAt(entries, to) foundTo = entries[iFoundTo] if iFoundTo == iNewFrom: # Insert the "to" immediately after the "fromComponent". entries.insert(iNewFrom + 1, Producer.ExcludeEntry(to, False)) else: if not foundTo._anyFollowsComponent: if foundTo._component.equals(to): # The "to" entry already exists. Remove up to it. iRemoveEnd = iFoundTo else: # Insert following the previous entry, which will be removed. entries.insert(iFoundTo + 1, Producer.ExcludeEntry(to, False)) iRemoveEnd = iFoundTo + 1 else: # "to" follows a component which is already followed by "ANY", # meaning the new range now encompasses it, so remove the component. iRemoveEnd = iFoundTo + 1 # Remove intermediate entries since they are inside the range. iRemoveBegin = iNewFrom + 1 entries[iRemoveBegin:iRemoveEnd] = [] Producer.setExcludeEntries(exclude, entries) START_TIME_STAMP_INDEX = -2 END_TIME_STAMP_INDEX = -1 NO_LINK = Link()
class EncryptorV2(object): """ Create an EncryptorV2 with the given parameters. This uses the face to register to receive Interests for the prefix {ckPrefix}/CK. :param Name accessPrefix: The NAC prefix to fetch the Key Encryption Key (KEK) (e.g., /access/prefix/NAC/data/subset). This copies the Name. :param Name ckPrefix: The prefix under which Content Keys (CK) will be generated. (Each will have a unique version appended.) This copies the Name. :param SigningInfo ckDataSigningInfo: The SigningInfo parameters to sign the Content Key (CK) Data packet. This copies the SigningInfo. :param onError: On failure to create the CK data (failed to fetch the KEK, failed to encrypt with the KEK, etc.), this calls onError(errorCode, message) where errorCode is from EncryptError.ErrorCode and message is a str. The encrypt method will continue trying to retrieve the KEK until success (with each attempt separated by RETRY_DELAY_KEK_RETRIEVAL_MS) and onError may be called multiple times. NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions. :type onError: function object :param Validator validator: The validation policy to ensure correctness of the KEK. :param KeyChain keyChain: The KeyChain used to sign Data packets. :param Face face: The Face that will be used to fetch the KEK and publish CK data. """ def __init__(self, accessPrefix, ckPrefix, ckDataSigningInfo, onError, validator, keyChain, face): # Copy the Name. self._accessPrefix = Name(accessPrefix) self._ckPrefix = Name(ckPrefix) self._ckBits = bytearray(EncryptorV2.AES_KEY_SIZE) self._ckDataSigningInfo = SigningInfo(ckDataSigningInfo) self._isKekRetrievalInProgress = False self._onError = onError self._keyChain = keyChain self._face = face self._kekData = None # Storage for encrypted CKs. self._storage = InMemoryStorageRetaining() self._kekPendingInterestId = 0 self.regenerateCk() def onInterest(prefix, interest, face, interestFilterId, filter): data = self._storage.find(interest) if data != None: logging.getLogger(__name__).info("Serving " + data.getName().toUri() + " from InMemoryStorage") try: face.putData(data) except: logging.exception("Error in Face.putData") else: logging.getLogger(__name__).info("Didn't find CK data for " + interest.getName().toUri()) # TODO: Send NACK? def onRegisterFailed(prefix): logging.getLogger(__name__).error("Failed to register prefix " + prefix.toUri()) self._ckRegisteredPrefixId = self._face.registerPrefix( Name(ckPrefix).append(EncryptorV2.NAME_COMPONENT_CK), onInterest, onRegisterFailed) def shutdown(self): self._face.unsetInterestFilter(self._ckRegisteredPrefixId) if self._kekPendingInterestId > 0: self._face.removePendingInterest(self._kekPendingInterestId) def encrypt(self, plainData): """ Encrypt the plainData using the existing Content Key (CK) and return a new EncryptedContent. :param plainData: The data to encrypt. :type plainData: Blob or an array which implements the buffer protocol :return: The new EncryptedContent. :rtype: EncryptedContent """ # Generate the initial vector. initialVector = bytearray(EncryptorV2.AES_IV_SIZE) for i in range(len(initialVector)): initialVector[i] = _systemRandom.randint(0, 0xff) params = EncryptParams(EncryptAlgorithmType.AesCbc) params.setInitialVector(Blob(initialVector, False)) encryptedData = AesAlgorithm.encrypt(Blob(self._ckBits, False), Blob(plainData, False), params) content = EncryptedContent() content.setInitialVector(params.getInitialVector()) content.setPayload(encryptedData) content.setKeyLocatorName(self._ckName) return content def regenerateCk(self): """ Create a new Content Key (CK) and publish the corresponding CK Data packet. This uses the onError given to the constructor to report errors. """ # TODO: Ensure that the CK Data packet for the old CK is published when # the CK is updated before the KEK is fetched. self._ckName = Name(self._ckPrefix) self._ckName.append(EncryptorV2.NAME_COMPONENT_CK) # The version is the ID of the CK. self._ckName.appendVersion(int(Common.getNowMilliseconds())) logging.getLogger(__name__).info("Generating new CK: " + self._ckName.toUri()) for i in range(len(self._ckBits)): self._ckBits[i] = _systemRandom.randint(0, 0xff) # One implication: If the CK is updated before the KEK is fetched, then # the KDK for the old CK will not be published. if self._kekData == None: self._retryFetchingKek() else: self._makeAndPublishCkData(self._onError) def size(self): """ Get the number of packets stored in in-memory storage. :return: The number of packets. :rtype: int """ return self._storage.size() def _retryFetchingKek(self): if self._isKekRetrievalInProgress: return logging.getLogger(__name__).info("Retrying fetching of the KEK") self._isKekRetrievalInProgress = True def onReady(): logging.getLogger(__name__).info( "The KEK was retrieved and published") self._isKekRetrievalInProgress = False def onError(errorCode, message): logging.getLogger(__name__).info("Failed to retrieve KEK: " + message) self._isKekRetrievalInProgress = False self._onError(errorCode, message) self._fetchKekAndPublishCkData(onReady, onError, EncryptorV2.N_RETRIES) def _fetchKekAndPublishCkData(self, onReady, onError, nTriesLeft): """ Create an Interest for <access-prefix>/KEK to retrieve the <access-prefix>/KEK/<key-id> KEK Data packet, and set _kekData. :param onReady: When the KEK is retrieved and published, this calls onReady(). :type onError: function object :param onError: On failure, this calls onError(errorCode, message) where errorCode is from EncryptError.ErrorCode, and message is an error string. :type onError: function object :param int nTriesLeft: The number of retries for expressInterest timeouts. """ logging.getLogger(__name__).info("Fetching KEK: " + Name( self._accessPrefix).append(EncryptorV2.NAME_COMPONENT_KEK).toUri()) if self._kekPendingInterestId > 0: onError( EncryptError.ErrorCode.General, "fetchKekAndPublishCkData: There is already a _kekPendingInterestId" ) return def onData(interest, kekData): self._kekPendingInterestId = 0 # TODO: Verify if the key is legitimate. self._kekData = kekData if self._makeAndPublishCkData(onError): onReady() # Otherwise, failure has already been reported. def onTimeout(interest): self._kekPendingInterestId = 0 if nTriesLeft > 1: self._fetchKekAndPublishCkData(onReady, onError, nTriesLeft - 1) else: onError( EncryptError.ErrorCode.KekRetrievalTimeout, "Retrieval of KEK [" + interest.getName().toUri() + "] timed out") logging.getLogger(__name__).info( "Scheduling retry after all timeouts") self._face.callLater(EncryptorV2.RETRY_DELAY_KEK_RETRIEVAL_MS, self._retryFetchingKek) def onNetworkNack(interest, networkNack): self._kekPendingInterestId = 0 if nTriesLeft > 1: def callback(): self._fetchKekAndPublishCkData(onReady, onError, nTriesLeft - 1) self._face.callLater(EncryptorV2.RETRY_DELAY_AFTER_NACK_MS, callback) else: onError( EncryptError.ErrorCode.KekRetrievalFailure, "Retrieval of KEK [" + interest.getName().toUri() + "] failed. Got NACK (" + str(networkNack.getReason()) + ")") logging.getLogger(__name__).info("Scheduling retry from NACK") self._face.callLater(EncryptorV2.RETRY_DELAY_KEK_RETRIEVAL_MS, self._retryFetchingKek) try: self._kekPendingInterestId = self._face.expressInterest( Interest( Name(self._accessPrefix).append( EncryptorV2.NAME_COMPONENT_KEK)).setMustBeFresh( True).setCanBePrefix(True), onData, onTimeout, onNetworkNack) except Exception as ex: onError(EncryptError.ErrorCode.General, "expressInterest error: " + repr(ex)) def _makeAndPublishCkData(self, onError): """ Make a CK Data packet for _ckName encrypted by the KEK in _kekData and insert it in the _storage. :param onError: On failure, this calls onError(errorCode, message) where errorCode is from EncryptError.ErrorCode, and message is an error string. :type onError: function object :return: True on success, else False. :rtype: bool """ try: kek = PublicKey(self._kekData.getContent()) content = EncryptedContent() content.setPayload( kek.encrypt(Blob(self._ckBits, False), EncryptAlgorithmType.RsaOaep)) ckData = Data( Name(self._ckName).append( EncryptorV2.NAME_COMPONENT_ENCRYPTED_BY).append( self._kekData.getName())) ckData.setContent(content.wireEncodeV2()) # FreshnessPeriod can serve as a soft access control for revoking access. ckData.getMetaInfo().setFreshnessPeriod( EncryptorV2.DEFAULT_CK_FRESHNESS_PERIOD_MS) self._keyChain.sign(ckData, self._ckDataSigningInfo) self._storage.insert(ckData) logging.getLogger(__name__).info("Publishing CK data: " + ckData.getName().toUri()) return True except Exception as ex: onError( EncryptError.ErrorCode.EncryptionFailure, "Failed to encrypt generated CK with KEK " + self._kekData.getName().toUri()) return False NAME_COMPONENT_ENCRYPTED_BY = Name.Component("ENCRYPTED-BY") NAME_COMPONENT_NAC = Name.Component("NAC") NAME_COMPONENT_KEK = Name.Component("KEK") NAME_COMPONENT_KDK = Name.Component("KDK") NAME_COMPONENT_CK = Name.Component("CK") RETRY_DELAY_AFTER_NACK_MS = 1000.0 RETRY_DELAY_KEK_RETRIEVAL_MS = 60 * 1000.0 AES_KEY_SIZE = 32 AES_IV_SIZE = 16 N_RETRIES = 3 DEFAULT_CK_FRESHNESS_PERIOD_MS = 3600 * 1000.0
def _fetchKdk(self, contentKey, kdkPrefix, ckData, onError, nTriesLeft): """ :param DecryptorV2.ContentKey contentKey: :param Name kdkPrefix: :param Data ckData: :param onError: On error, this calls onError(errorCode, message) :type onError: function object :param int nTriesLeft: """ # <kdk-prefix>/KDK/<kdk-id> /ENCRYPTED-BY /<credential-identity>/KEY/<key-id> # \ / \ / # ----------- ------------- --------------- --------------- # \/ \/ # from the CK data from configuration kdkName = Name(kdkPrefix) kdkName.append(EncryptorV2.NAME_COMPONENT_ENCRYPTED_BY).append( self._credentialsKey.getName()) logging.getLogger(__name__).info("Fetching KDK " + kdkName.toUri()) def onData(kdkInterest, kdkData): try: contentKey.pendingInterest = 0 # TODO: Verify that the key is legitimate. isOk = self._decryptAndImportKdk(kdkData, onError) if not isOk: return # This way of getting the kdkKeyName is a bit hacky. kdkKeyName = kdkPrefix.getPrefix(-2).append("KEY").append( kdkPrefix.get(-1)) self._decryptCkAndProcessPendingDecrypts( contentKey, ckData, kdkKeyName, onError) except Exception as ex: onError(EncryptError.ErrorCode.General, "Error in fetchCk onData: " + repr(ex)) def onTimeout(interest): contentKey.pendingInterest = 0 if nTriesLeft > 1: self._fetchKdk( contentKey, kdkPrefix, ckData, onError, nTriesLeft - 1) else: onError(EncryptError.ErrorCode.KdkRetrievalTimeout, "Retrieval of KDK [" + interest.getName().toUri() + "] timed out") def onNetworkNack(interest, networkNack): contentKey.pendingInterest = 0 onError(EncryptError.ErrorCode.KdkRetrievalFailure, "Retrieval of KDK [" + interest.getName().toUri() + "] failed. Got NACK (" + str(networkNack.getReason()) + ")") try: contentKey.pendingInterest = self._face.expressInterest( Interest(kdkName).setMustBeFresh(True).setCanBePrefix(False), onData, onTimeout, onNetworkNack) except Exception as ex: onError(EncryptError.ErrorCode.General, "expressInterest error: " + repr(ex))