def _get_name_bytes_wo_tl(name: NonStrictName) -> bytes:
# remove name's TL as key to support efficient prefix search
name = Name.to_bytes(name)
offset = 0
offset += parse_tl_num(name, offset)[1]
offset += parse_tl_num(name, offset)[1]
return name[offset:]
async def main():
global local_anchor
import_safebag("sec/client.safebag", "1234")
# parse again to read prv key into memory
request = CertRequest()
with open("sec/client.safebag", "r") as safebag:
wire = safebag.read()
wire = base64.b64decode(wire)
wire = parse_and_check_tl(wire, SecurityV2TypeNumber.SAFE_BAG)
bag = SafeBag.parse(wire)
# attach the testbed-signed certificate
request.testbed_signed = bag.certificate_v2
# parse the key bag to obtain private key
testbed_signed = CertificateV2Value.parse(bag.certificate_v2)
key_bag = bytes(bag.encrypted_key_bag)
privateKey = serialization.load_der_private_key(key_bag, password=b'1234', backend=default_backend())
client_prv_key = privateKey.private_bytes(Encoding.DER, PrivateFormat.PKCS8, NoEncryption())
# parse trust anchor and self-assigns a name, then create self-signed certificate
with open("sec/client.anchor", "r") as anchor:
wire = anchor.read()
wire = base64.b64decode(wire)
local_anchor = parse_certificate(wire)
# self-assign a name and create corresponding key pair
client_name = local_anchor.name[:-4] + [testbed_signed.name[-5]]
client_identity = app.keychain.touch_identity(client_name)
# attach newly generated self-assigned certificate
cert = client_identity.default_key().default_cert().data
cert = parse_certificate(cert)
request.self_signed = cert.encode()
try:
# express the first interest to fetch a token/secret code
timestamp = ndn.utils.timestamp()
name = Name.from_str('/edge/_ca/new-cert') + [Component.from_timestamp(timestamp)]
logging.info(f'Sending Interest {Name.to_str(name)}, {InterestParam(must_be_fresh=True, lifetime=6000)}')
data_name, meta_info, content = await app.express_interest(
name, app_param=request.encode(), must_be_fresh=True, can_be_prefix=False, lifetime=6000,
identity=client_identity, validator=verify_ecdsa_signature)
# sign it use the private key, to prove the certificate possesion
h = SHA256.new()
h.update(bytes(content))
pk = ECC.import_key(client_prv_key)
signature = DSS.new(pk, 'fips-186-3', 'der').sign(h)
logging.info(f'Getting Data {Name.to_str(name)}, begin signing the token {bytes(content)}')
# express the second interest to fetch the issued certificate
name = Name.from_str('/edge/_ca/challenge') + [Component.from_timestamp(timestamp)]
logging.info(f'Sending Interest {Name.to_str(name)}, {InterestParam(must_be_fresh=True, lifetime=6000)}')
data_name, meta_info, content = await app.express_interest(
name, app_param=signature, must_be_fresh=True, can_be_prefix=False, lifetime=6000,
identity=client_identity, validator=verify_ecdsa_signature)
# parse the issued certificate and install
issued_cert = parse_certificate(content)
logging.info("Issued certificate: %s", Name.to_str(issued_cert.name))
app.keychain.import_cert(Name.to_bytes(issued_cert.name[:-2]), Name.to_bytes(issued_cert.name), bytes(content))
except InterestNack as e:
print(f'Nacked with reason={e.reason}')
except InterestTimeout:
print(f'Timeout')
except InterestCanceled:
print(f'Canceled')
except ValidationFailure:
print(f'Data failed to validate')
app.shutdown()