def __init__(self, identity, dataset, keyChain, face): self._identity = identity self._keyChain = keyChain self._face = face # storage_ is for the KEK and KDKs. self._storage = InMemoryStorageRetaining() # The NAC identity is: <identity>/NAC/<dataset> # Generate the NAC key. nacIdentity = self._keyChain.createIdentityV2( Name(identity.getName()) .append(EncryptorV2.NAME_COMPONENT_NAC).append(dataset), RsaKeyParams()) self._nacKey = nacIdentity.getDefaultKey() if self._nacKey.getKeyType() != KeyType.RSA: logging.getLogger(__name__).info( "Cannot re-use existing KEK/KDK pair, as it is not an RSA key, regenerating") self._nacKey = self._keyChain.createKey(nacIdentity, RsaKeyParams()) nacKeyId = self._nacKey.getName().get(-1) kekPrefix = Name(self._nacKey.getIdentityName()).append( EncryptorV2.NAME_COMPONENT_KEK) kekData = Data(self._nacKey.getDefaultCertificate()) kekData.setName(Name(kekPrefix).append(nacKeyId)) kekData.getMetaInfo().setFreshnessPeriod( AccessManagerV2.DEFAULT_KEK_FRESHNESS_PERIOD_MS) self._keyChain.sign(kekData, SigningInfo(self._identity)) # kek looks like a cert, but doesn't have ValidityPeriod self._storage.insert(kekData) def serveFromStorage(prefix, interest, face, interestFilterId, filter): data = self._storage.find(interest) if data != None: logging.getLogger(__name__).info("Serving " + data.getName().toUri() + " from in-memory-storage") try: face.putData(data) except: logging.exception("AccessManagerV2: Error in Face.putData") else: logging.getLogger(__name__).info("Didn't find data for " + interest.getName().toUri()) # TODO: Send NACK? def onRegisterFailed(prefix): logging.getLogger(__name__).error( "AccessManagerV2: Failed to register prefix " + prefix.toUri()) self._kekRegisteredPrefixId = self._face.registerPrefix( kekPrefix, serveFromStorage, onRegisterFailed) kdkPrefix = Name(self._nacKey.getIdentityName()).append( EncryptorV2.NAME_COMPONENT_KDK).append(nacKeyId) self._kdkRegisteredPrefixId_ = self._face.registerPrefix( kdkPrefix, serveFromStorage, onRegisterFailed)
def setName(self, name): """ Overrides Data.setName() to ensure that the new name is a valid identity certificate name. :param name: The new name for this IdentityCertificate :type name: Name """ if (not self._isCorrectName(name)): raise SecurityException("Bad format for identity certificate name!") Data.setName(self, name) self._setPublicKeyName()
def setName(self, name): """ Overrides Data.setName() to ensure that the new name is a valid identity certificate name. :param name: The new name for this IdentityCertificate :type name: Name """ if (not self._isCorrectName(name)): raise SecurityException( "Bad format for identity certificate name!") Data.setName(self, name) self._setPublicKeyName()
def _encryptContentKey(self, encryptionKey, eKeyName, timeSlot, onEncryptedKeys, onError): """ Get the content key from the database_ and encrypt it for the timeSlot using encryptionKey. :param Blob encryptionKey: The encryption key value. :param Name eKeyName: The key name for the EncryptedContent. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: When there are no more interests to process, this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. :type onEncryptedKeys: function object :param onError: This calls onError(errorCode, message) for an error. :type onError: function object :return: True if encryption succeeds, otherwise False. :rtype: bool """ timeCount = round(timeSlot) keyRequest = self._keyRequests[timeCount] keyName = Name(self._namespace) keyName.append(Encryptor.NAME_COMPONENT_C_KEY) keyName.append( Schedule.toIsoString(Producer._getRoundedTimeSlot(timeSlot))) contentKey = self._database.getContentKey(timeSlot) cKeyData = Data() cKeyData.setName(keyName) params = EncryptParams(EncryptAlgorithmType.RsaOaep) try: Encryptor.encryptData(cKeyData, contentKey, eKeyName, encryptionKey, params) except Exception as ex: try: onError(EncryptError.ErrorCode.EncryptionFailure, "encryptData error: " + repr(ex)) except: logging.exception("Error in onError") return False self._keyChain.sign(cKeyData) keyRequest.encryptedKeys.append(cKeyData) self._updateKeyRequest(keyRequest, timeCount, onEncryptedKeys) return True
def _encryptContentKey(self, encryptionKey, eKeyName, timeSlot, onEncryptedKeys, onError): """ Get the content key from the database_ and encrypt it for the timeSlot using encryptionKey. :param Blob encryptionKey: The encryption key value. :param Name eKeyName: The key name for the EncryptedContent. :param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC. :param onEncryptedKeys: When there are no more interests to process, this calls onEncryptedKeys(keys) where keys is a list of encrypted content key Data packets. If onEncryptedKeys is None, this does not use it. :type onEncryptedKeys: function object :param onError: This calls onError(errorCode, message) for an error. :type onError: function object :return: True if encryption succeeds, otherwise False. :rtype: bool """ timeCount = round(timeSlot) keyRequest = self._keyRequests[timeCount] keyName = Name(self._namespace) keyName.append(Encryptor.NAME_COMPONENT_C_KEY) keyName.append( Schedule.toIsoString(Producer._getRoundedTimeSlot(timeSlot))) contentKey = self._database.getContentKey(timeSlot) cKeyData = Data() cKeyData.setName(keyName) params = EncryptParams(EncryptAlgorithmType.RsaOaep) try: Encryptor.encryptData( cKeyData, contentKey, eKeyName, encryptionKey, params) except Exception as ex: try: onError(EncryptError.ErrorCode.EncryptionFailure, "encryptData error: " + repr(ex)) except: logging.exception("Error in onError") return False self._keyChain.sign(cKeyData) keyRequest.encryptedKeys.append(cKeyData) self._updateKeyRequest(keyRequest, timeCount, onEncryptedKeys) return True