def _generateCertificateForKey(self, keyName): # Let any raised SecurityExceptions bubble up. publicKeyBits = self._identityStorage.getKey(keyName) publicKey = PublicKey(publicKeyBits) timestamp = Common.getNowMilliseconds() # TODO: Specify where the 'KEY' component is inserted # to delegate responsibility for cert delivery. # cf: http://redmine.named-data.net/issues/1659 certificateName = keyName.getPrefix(-1).append('KEY').append( keyName.get(-1)) certificateName.append("ID-CERT").appendVersion(int(timestamp)) certificate = IdentityCertificate() certificate.setName(certificateName) certificate.setNotBefore(timestamp) certificate.setNotAfter( (timestamp + 2 * 365 * 24 * 3600 * 1000)) # about 2 years. certificate.setPublicKeyInfo(publicKey) # ndnsec likes to put the key name in a subject description. sd = CertificateSubjectDescription("2.5.4.41", keyName.toUri()) certificate.addSubjectDescription(sd) certificate.encode() return certificate
def generateCertificateForKey(self, keyName): # let any raised SecurityExceptions bubble up publicKeyBits = self._identityStorage.getKey(keyName) publicKeyType = self._identityStorage.getKeyType(keyName) publicKey = PublicKey(publicKeyType, publicKeyBits) timestamp = Common.getNowMilliseconds() # TODO: specify where the 'KEY' component is inserted # to delegate responsibility for cert delivery certificateName = keyName.getPrefix(-1).append('KEY').append(keyName.get(-1)) certificateName.append("ID-CERT").append(Name.Component(struct.pack(">Q", timestamp))) certificate = IdentityCertificate(certificateName) certificate.setNotBefore(timestamp) certificate.setNotAfter((timestamp + 30*86400*1000)) # about a month certificate.setPublicKeyInfo(publicKey) # ndnsec likes to put the key name in a subject description sd = CertificateSubjectDescription("2.5.4.41", keyName.toUri()) certificate.addSubjectDescription(sd) certificate.encode() return certificate
def _generateCertificateForKey(self, keyName): # Let any raised SecurityExceptions bubble up. publicKeyBits = self._identityStorage.getKey(keyName) publicKey = PublicKey(publicKeyBits) timestamp = Common.getNowMilliseconds() # TODO: Specify where the 'KEY' component is inserted # to delegate responsibility for cert delivery. # cf: http://redmine.named-data.net/issues/1659 certificateName = keyName.getPrefix(-1).append('KEY').append(keyName.get(-1)) certificateName.append("ID-CERT").appendVersion(int(timestamp)) certificate = IdentityCertificate() certificate.setName(certificateName) certificate.setNotBefore(timestamp) certificate.setNotAfter((timestamp + 2*365*24*3600*1000)) # about 2 years. certificate.setPublicKeyInfo(publicKey) # ndnsec likes to put the key name in a subject description. sd = CertificateSubjectDescription("2.5.4.41", keyName.toUri()) certificate.addSubjectDescription(sd) certificate.encode() return certificate
def generateCertificateForKey(self, keyName): # let any raised SecurityExceptions bubble up publicKeyBits = self._identityStorage.getKey(keyName) publicKeyType = self._identityStorage.getKeyType(keyName) publicKey = PublicKey(publicKeyType, publicKeyBits) timestamp = Common.getNowMilliseconds() # TODO: specify where the 'KEY' component is inserted # to delegate responsibility for cert delivery certificateName = keyName.getPrefix(-1).append('KEY').append( keyName.get(-1)) certificateName.append("ID-CERT").append( Name.Component(struct.pack(">Q", timestamp))) certificate = IdentityCertificate(certificateName) certificate.setNotBefore(timestamp) certificate.setNotAfter( (timestamp + 30 * 86400 * 1000)) # about a month certificate.setPublicKeyInfo(publicKey) # ndnsec likes to put the key name in a subject description sd = CertificateSubjectDescription("2.5.4.41", keyName.toUri()) certificate.addSubjectDescription(sd) certificate.encode() return certificate
class TestGroupManager(ut.TestCase): def setUp(self): # Reuse the policy_config subdirectory for the temporary SQLite files. self.dKeyDatabaseFilePath = "policy_config/manager-d-key-test.db" try: os.remove(self.dKeyDatabaseFilePath) except OSError: # no such file pass self.eKeyDatabaseFilePath = "policy_config/manager-e-key-test.db" try: os.remove(self.eKeyDatabaseFilePath) except OSError: # no such file pass self.intervalDatabaseFilePath = "policy_config/manager-interval-test.db" try: os.remove(self.intervalDatabaseFilePath) except OSError: # no such file pass self.groupKeyDatabaseFilePath = "policy_config/manager-group-key-test.db" try: os.remove(self.groupKeyDatabaseFilePath) except OSError: # no such file pass params = RsaKeyParams() memberDecryptKey = RsaAlgorithm.generateKey(params) self.decryptKeyBlob = memberDecryptKey.getKeyBits() memberEncryptKey = RsaAlgorithm.deriveEncryptKey(self.decryptKeyBlob) self.encryptKeyBlob = memberEncryptKey.getKeyBits() # Generate the certificate. self.certificate = IdentityCertificate() self.certificate.setName(Name("/ndn/memberA/KEY/ksk-123/ID-CERT/123")) contentPublicKey = PublicKey(self.encryptKeyBlob) self.certificate.setPublicKeyInfo(contentPublicKey) self.certificate.setNotBefore(0) self.certificate.setNotAfter(0) self.certificate.encode() signatureInfoBlob = Blob(SIG_INFO, False) signatureValueBlob = Blob(SIG_VALUE, False) signature = TlvWireFormat.get().decodeSignatureInfoAndValue( signatureInfoBlob.buf(), signatureValueBlob.buf()) self.certificate.setSignature(signature) self.certificate.wireEncode() # Set up the keyChain. identityStorage = MemoryIdentityStorage() privateKeyStorage = MemoryPrivateKeyStorage() self.keyChain = KeyChain( IdentityManager(identityStorage, privateKeyStorage), NoVerifyPolicyManager()) identityName = Name("TestGroupManager") self.keyChain.createIdentityAndCertificate(identityName) self.keyChain.getIdentityManager().setDefaultIdentity(identityName) def tearDown(self): try: os.remove(self.dKeyDatabaseFilePath) except OSError: pass try: os.remove(self.eKeyDatabaseFilePath) except OSError: pass try: os.remove(self.intervalDatabaseFilePath) except OSError: pass try: os.remove(self.groupKeyDatabaseFilePath) except OSError: pass def setManager(self, manager): # Set up the first schedule. schedule1 = Schedule() interval11 = RepetitiveInterval( Schedule.fromIsoString("20150825T000000"), Schedule.fromIsoString("20150827T000000"), 5, 10, 2, RepetitiveInterval.RepeatUnit.DAY) interval12 = RepetitiveInterval( Schedule.fromIsoString("20150825T000000"), Schedule.fromIsoString("20150827T000000"), 6, 8, 1, RepetitiveInterval.RepeatUnit.DAY) interval13 = RepetitiveInterval( Schedule.fromIsoString("20150827T000000"), Schedule.fromIsoString("20150827T000000"), 7, 8) schedule1.addWhiteInterval(interval11) schedule1.addWhiteInterval(interval12) schedule1.addBlackInterval(interval13) # Set up the second schedule. schedule2 = Schedule() interval21 = RepetitiveInterval( Schedule.fromIsoString("20150825T000000"), Schedule.fromIsoString("20150827T000000"), 9, 12, 1, RepetitiveInterval.RepeatUnit.DAY) interval22 = RepetitiveInterval( Schedule.fromIsoString("20150827T000000"), Schedule.fromIsoString("20150827T000000"), 6, 8) interval23 = RepetitiveInterval( Schedule.fromIsoString("20150827T000000"), Schedule.fromIsoString("20150827T000000"), 2, 4) schedule2.addWhiteInterval(interval21) schedule2.addWhiteInterval(interval22) schedule2.addBlackInterval(interval23) # Add them to the group manager database. manager.addSchedule("schedule1", schedule1) manager.addSchedule("schedule2", schedule2) # Make some adaptions to certificate. dataBlob = self.certificate.wireEncode() memberA = Data() memberA.wireDecode(dataBlob, TlvWireFormat.get()) memberA.setName(Name("/ndn/memberA/KEY/ksk-123/ID-CERT/123")) memberB = Data() memberB.wireDecode(dataBlob, TlvWireFormat.get()) memberB.setName(Name("/ndn/memberB/KEY/ksk-123/ID-CERT/123")) memberC = Data() memberC.wireDecode(dataBlob, TlvWireFormat.get()) memberC.setName(Name("/ndn/memberC/KEY/ksk-123/ID-CERT/123")) # Add the members to the database. manager.addMember("schedule1", memberA) manager.addMember("schedule1", memberB) manager.addMember("schedule2", memberC) def test_create_d_key_data(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.dKeyDatabaseFilePath), 2048, 1, self.keyChain) newCertificateBlob = self.certificate.wireEncode() newCertificate = IdentityCertificate() newCertificate.wireDecode(newCertificateBlob) # Encrypt the D-KEY. data = manager._createDKeyData( "20150825T000000", "20150827T000000", Name("/ndn/memberA/KEY"), self.decryptKeyBlob, newCertificate.getPublicKeyInfo().getKeyDer()) # Verify the encrypted D-KEY. dataContent = data.getContent() # Get the nonce key. # dataContent is a sequence of the two EncryptedContent. encryptedNonce = EncryptedContent() encryptedNonce.wireDecode(dataContent) self.assertEqual(0, encryptedNonce.getInitialVector().size()) self.assertEqual(EncryptAlgorithmType.RsaOaep, encryptedNonce.getAlgorithmType()) blobNonce = encryptedNonce.getPayload() decryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep) nonce = RsaAlgorithm.decrypt(self.decryptKeyBlob, blobNonce, decryptParams) # Get the D-KEY. # Use the size of encryptedNonce to find the start of encryptedPayload. payloadContent = dataContent.buf()[encryptedNonce.wireEncode().size():] encryptedPayload = EncryptedContent() encryptedPayload.wireDecode(payloadContent) self.assertEqual(16, encryptedPayload.getInitialVector().size()) self.assertEqual(EncryptAlgorithmType.AesCbc, encryptedPayload.getAlgorithmType()) decryptParams.setAlgorithmType(EncryptAlgorithmType.AesCbc) decryptParams.setInitialVector(encryptedPayload.getInitialVector()) blobPayload = encryptedPayload.getPayload() largePayload = AesAlgorithm.decrypt(nonce, blobPayload, decryptParams) self.assertTrue(largePayload.equals(self.decryptKeyBlob)) def test_create_e_key_data(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.eKeyDatabaseFilePath), 1024, 1, self.keyChain) self.setManager(manager) data = manager._createEKeyData("20150825T090000", "20150825T110000", self.encryptKeyBlob) self.assertEqual( "/Alice/READ/data_type/E-KEY/20150825T090000/20150825T110000", data.getName().toUri()) contentBlob = data.getContent() self.assertTrue(self.encryptKeyBlob.equals(contentBlob)) def test_calculate_interval(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.intervalDatabaseFilePath), 1024, 1, self.keyChain) self.setManager(manager) memberKeys = {} timePoint1 = Schedule.fromIsoString("20150825T093000") result = manager._calculateInterval(timePoint1, memberKeys) self.assertEqual("20150825T090000", Schedule.toIsoString(result.getStartTime())) self.assertEqual("20150825T100000", Schedule.toIsoString(result.getEndTime())) timePoint2 = Schedule.fromIsoString("20150827T073000") result = manager._calculateInterval(timePoint2, memberKeys) self.assertEqual("20150827T070000", Schedule.toIsoString(result.getStartTime())) self.assertEqual("20150827T080000", Schedule.toIsoString(result.getEndTime())) timePoint3 = Schedule.fromIsoString("20150827T043000") result = manager._calculateInterval(timePoint3, memberKeys) self.assertEqual(False, result.isValid()) timePoint4 = Schedule.fromIsoString("20150827T053000") result = manager._calculateInterval(timePoint4, memberKeys) self.assertEqual("20150827T050000", Schedule.toIsoString(result.getStartTime())) self.assertEqual("20150827T060000", Schedule.toIsoString(result.getEndTime())) def test_get_group_key(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.groupKeyDatabaseFilePath), 1024, 1, self.keyChain) self.setManager(manager) # Get the data list from the group manager. timePoint1 = Schedule.fromIsoString("20150825T093000") result = manager.getGroupKey(timePoint1) self.assertEqual(4, len(result)) # The first data packet contains the group's encryption key (public key). data = result[0] self.assertEqual( "/Alice/READ/data_type/E-KEY/20150825T090000/20150825T100000", data.getName().toUri()) groupEKey = EncryptKey(data.getContent()) # Get the second data packet and decrypt. data = result[1] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberA/ksk-123", data.getName().toUri()) ####################################################### Start decryption. dataContent = data.getContent() # Get the nonce key. # dataContent is a sequence of the two EncryptedContent. encryptedNonce = EncryptedContent() encryptedNonce.wireDecode(dataContent) self.assertEqual(0, encryptedNonce.getInitialVector().size()) self.assertEqual(EncryptAlgorithmType.RsaOaep, encryptedNonce.getAlgorithmType()) decryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep) blobNonce = encryptedNonce.getPayload() nonce = RsaAlgorithm.decrypt(self.decryptKeyBlob, blobNonce, decryptParams) # Get the payload. # Use the size of encryptedNonce to find the start of encryptedPayload. payloadContent = dataContent.buf()[encryptedNonce.wireEncode().size():] encryptedPayload = EncryptedContent() encryptedPayload.wireDecode(payloadContent) self.assertEqual(16, encryptedPayload.getInitialVector().size()) self.assertEqual(EncryptAlgorithmType.AesCbc, encryptedPayload.getAlgorithmType()) decryptParams.setAlgorithmType(EncryptAlgorithmType.AesCbc) decryptParams.setInitialVector(encryptedPayload.getInitialVector()) blobPayload = encryptedPayload.getPayload() largePayload = AesAlgorithm.decrypt(nonce, blobPayload, decryptParams) # Get the group D-KEY. groupDKey = DecryptKey(largePayload) ####################################################### End decryption. # Check the D-KEY. derivedGroupEKey = RsaAlgorithm.deriveEncryptKey( groupDKey.getKeyBits()) self.assertTrue(groupEKey.getKeyBits().equals( derivedGroupEKey.getKeyBits())) # Check the third data packet. data = result[2] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberB/ksk-123", data.getName().toUri()) # Check the fourth data packet. data = result[3] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberC/ksk-123", data.getName().toUri()) # Check invalid time stamps for getting the group key. timePoint2 = Schedule.fromIsoString("20150826T083000") self.assertEqual(0, len(manager.getGroupKey(timePoint2))) timePoint3 = Schedule.fromIsoString("20150827T023000") self.assertEqual(0, len(manager.getGroupKey(timePoint3))) def test_get_group_key_without_regeneration(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.groupKeyDatabaseFilePath), 1024, 1, self.keyChain) self.setManager(manager) # Get the data list from the group manager. timePoint1 = Schedule.fromIsoString("20150825T093000") result = manager.getGroupKey(timePoint1) self.assertEqual(4, len(result)) # The first data packet contains the group's encryption key (public key). data1 = result[0] self.assertEqual( "/Alice/READ/data_type/E-KEY/20150825T090000/20150825T100000", data1.getName().toUri()) groupEKey1 = EncryptKey(data1.getContent()) # Get the second data packet and decrypt. data = result[1] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberA/ksk-123", data.getName().toUri()) # Add new members to the database. dataBlob = self.certificate.wireEncode() memberD = Data() memberD.wireDecode(dataBlob) memberD.setName(Name("/ndn/memberD/KEY/ksk-123/ID-CERT/123")) manager.addMember("schedule1", memberD) result2 = manager.getGroupKey(timePoint1, False) self.assertEqual(5, len(result2)) # Check that the new EKey is the same as the previous one. data2 = result2[0] self.assertEqual( "/Alice/READ/data_type/E-KEY/20150825T090000/20150825T100000", data2.getName().toUri()) groupEKey2 = EncryptKey(data2.getContent()) self.assertTrue(groupEKey1.getKeyBits().equals( groupEKey2.getKeyBits())) # Check the second data packet. data2 = result2[1] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberA/ksk-123", data2.getName().toUri())
def prepareUnsignedIdentityCertificate(self, keyName, publicKey, signingIdentity, notBefore, notAfter, subjectDescription=None, certPrefix=None): """ Prepare an unsigned identity certificate. :param Name keyName: The key name, e.g., `/{identity_name}/ksk-123456`. :param PublicKey publicKey: (optional) The public key to sign. If ommited, use the keyName to get the public key from the identity storage. :param Name signingIdentity: The signing identity. :param float notBefore: See IdentityCertificate. :param float notAfter: See IdentityCertificate. :param Array<CertificateSubjectDescription> subjectDescription: A list of CertificateSubjectDescription. See IdentityCertificate. If None or empty, this adds a an ATTRIBUTE_NAME based on the keyName. :param Name certPrefix: (optional) The prefix before the `KEY` component. If None, this infers the certificate name according to the relation between the signingIdentity and the subject identity. If the signingIdentity is a prefix of the subject identity, `KEY` will be inserted after the signingIdentity, otherwise `KEY` is inserted after subject identity (i.e., before `ksk-...`). :return: The unsigned IdentityCertificate, or None if the inputs are invalid. :rtype: IdentityCertificate """ if not isinstance(publicKey, PublicKey): # The publicKey was omitted. Shift arguments. certPrefix = subjectDescription subjectDescription = notAfter notAfter = notBefore notBefore = signingIdentity signingIdentity = publicKey publicKey = PublicKey(self._identityStorage.getKey(keyName)) if keyName.size() < 1: return None tempKeyIdPrefix = keyName.get(-1).toEscapedString() if len(tempKeyIdPrefix) < 4: return None keyIdPrefix = tempKeyIdPrefix[0:4] if keyIdPrefix != "ksk-" and keyIdPrefix != "dsk-": return None certificate = IdentityCertificate() certName = Name() if certPrefix == None: # No certificate prefix hint, so infer the prefix. if signingIdentity.match(keyName): certName.append(signingIdentity) \ .append("KEY") \ .append(keyName.getSubName(signingIdentity.size())) \ .append("ID-CERT") \ .appendVersion(int(Common.getNowMilliseconds())) else: certName.append(keyName.getPrefix(-1)) \ .append("KEY") \ .append(keyName.get(-1)) \ .append("ID-CERT") \ .appendVersion(int(Common.getNowMilliseconds())) else: # A cert prefix hint is supplied, so determine the cert name. if certPrefix.match(keyName) and not certPrefix.equals(keyName): certName.append(certPrefix) \ .append("KEY") \ .append(keyName.getSubName(certPrefix.size())) \ .append("ID-CERT") \ .appendVersion(int(Common.getNowMilliseconds())) else: return None certificate.setName(certName) certificate.setNotBefore(notBefore) certificate.setNotAfter(notAfter) certificate.setPublicKeyInfo(publicKey) if subjectDescription == None or len(subjectDescription) == 0: certificate.addSubjectDescription( CertificateSubjectDescription("2.5.4.41", keyName.getPrefix(-1).toUri())) else: for i in range(len(subjectDescription)): certificate.addSubjectDescription(subjectDescription[i]) try: certificate.encode() except Exception as ex: raise SecurityException("DerEncodingException: " + str(ex)) return certificate
def prepareUnsignedIdentityCertificate(self, keyName, publicKey, signingIdentity, notBefore, notAfter, subjectDescription = None, certPrefix = None): """ Prepare an unsigned identity certificate. :param Name keyName: The key name, e.g., `/{identity_name}/ksk-123456`. :param PublicKey publicKey: (optional) The public key to sign. If ommited, use the keyName to get the public key from the identity storage. :param Name signingIdentity: The signing identity. :param float notBefore: See IdentityCertificate. :param float notAfter: See IdentityCertificate. :param Array<CertificateSubjectDescription> subjectDescription: A list of CertificateSubjectDescription. See IdentityCertificate. If None or empty, this adds a an ATTRIBUTE_NAME based on the keyName. :param Name certPrefix: (optional) The prefix before the `KEY` component. If None, this infers the certificate name according to the relation between the signingIdentity and the subject identity. If the signingIdentity is a prefix of the subject identity, `KEY` will be inserted after the signingIdentity, otherwise `KEY` is inserted after subject identity (i.e., before `ksk-...`). :return: The unsigned IdentityCertificate, or None if the inputs are invalid. :rtype: IdentityCertificate """ if not isinstance(publicKey, PublicKey): # The publicKey was omitted. Shift arguments. certPrefix = subjectDescription subjectDescription = notAfter notAfter = notBefore notBefore = signingIdentity signingIdentity = publicKey publicKey = PublicKey(self._identityStorage.getKey(keyName)) if keyName.size() < 1: return None tempKeyIdPrefix = keyName.get(-1).toEscapedString() if len(tempKeyIdPrefix) < 4: return None keyIdPrefix = tempKeyIdPrefix[0:4] if keyIdPrefix != "ksk-" and keyIdPrefix != "dsk-": return None certificate = IdentityCertificate() certName = Name() if certPrefix == None: # No certificate prefix hint, so infer the prefix. if signingIdentity.match(keyName): certName.append(signingIdentity) \ .append("KEY") \ .append(keyName.getSubName(signingIdentity.size())) \ .append("ID-CERT") \ .appendVersion(int(Common.getNowMilliseconds())) else: certName.append(keyName.getPrefix(-1)) \ .append("KEY") \ .append(keyName.get(-1)) \ .append("ID-CERT") \ .appendVersion(int(Common.getNowMilliseconds())) else: # A cert prefix hint is supplied, so determine the cert name. if certPrefix.match(keyName) and not certPrefix.equals(keyName): certName.append(certPrefix) \ .append("KEY") \ .append(keyName.getSubName(certPrefix.size())) \ .append("ID-CERT") \ .appendVersion(int(Common.getNowMilliseconds())) else: return None certificate.setName(certName) certificate.setNotBefore(notBefore) certificate.setNotAfter(notAfter) certificate.setPublicKeyInfo(publicKey) if subjectDescription == None or len(subjectDescription) == 0: certificate.addSubjectDescription(CertificateSubjectDescription( "2.5.4.41", keyName.getPrefix(-1).toUri())) else: for i in range(len(subjectDescription)): certificate.addSubjectDescription(subjectDescription[i]) try: certificate.encode() except Exception as ex: raise SecurityException("DerEncodingException: " + str(ex)) return certificate
class TestGroupManager(ut.TestCase): def setUp(self): # Reuse the policy_config subdirectory for the temporary SQLite files. self.dKeyDatabaseFilePath = "policy_config/manager-d-key-test.db" try: os.remove(self.dKeyDatabaseFilePath) except OSError: # no such file pass self.eKeyDatabaseFilePath = "policy_config/manager-e-key-test.db" try: os.remove(self.eKeyDatabaseFilePath) except OSError: # no such file pass self.intervalDatabaseFilePath = "policy_config/manager-interval-test.db" try: os.remove(self.intervalDatabaseFilePath) except OSError: # no such file pass self.groupKeyDatabaseFilePath = "policy_config/manager-group-key-test.db" try: os.remove(self.groupKeyDatabaseFilePath) except OSError: # no such file pass params = RsaKeyParams() memberDecryptKey = RsaAlgorithm.generateKey(params) self.decryptKeyBlob = memberDecryptKey.getKeyBits() memberEncryptKey = RsaAlgorithm.deriveEncryptKey(self.decryptKeyBlob) self.encryptKeyBlob = memberEncryptKey.getKeyBits() # Generate the certificate. self.certificate = IdentityCertificate() self.certificate.setName(Name("/ndn/memberA/KEY/ksk-123/ID-CERT/123")) contentPublicKey = PublicKey(self.encryptKeyBlob) self.certificate.setPublicKeyInfo(contentPublicKey) self.certificate.setNotBefore(0) self.certificate.setNotAfter(0) self.certificate.encode() signatureInfoBlob = Blob(SIG_INFO, False) signatureValueBlob = Blob(SIG_VALUE, False) signature = TlvWireFormat.get().decodeSignatureInfoAndValue( signatureInfoBlob.buf(), signatureValueBlob.buf()) self.certificate.setSignature(signature) self.certificate.wireEncode() # Set up the keyChain. identityStorage = MemoryIdentityStorage() privateKeyStorage = MemoryPrivateKeyStorage() self.keyChain = KeyChain( IdentityManager(identityStorage, privateKeyStorage), NoVerifyPolicyManager()) identityName = Name("TestGroupManager") self.keyChain.createIdentityAndCertificate(identityName) self.keyChain.getIdentityManager().setDefaultIdentity(identityName) def tearDown(self): try: os.remove(self.dKeyDatabaseFilePath) except OSError: pass try: os.remove(self.eKeyDatabaseFilePath) except OSError: pass try: os.remove(self.intervalDatabaseFilePath) except OSError: pass try: os.remove(self.groupKeyDatabaseFilePath) except OSError: pass def setManager(self, manager): # Set up the first schedule. schedule1 = Schedule() interval11 = RepetitiveInterval( Schedule.fromIsoString("20150825T000000"), Schedule.fromIsoString("20150827T000000"), 5, 10, 2, RepetitiveInterval.RepeatUnit.DAY) interval12 = RepetitiveInterval( Schedule.fromIsoString("20150825T000000"), Schedule.fromIsoString("20150827T000000"), 6, 8, 1, RepetitiveInterval.RepeatUnit.DAY) interval13 = RepetitiveInterval( Schedule.fromIsoString("20150827T000000"), Schedule.fromIsoString("20150827T000000"), 7, 8) schedule1.addWhiteInterval(interval11) schedule1.addWhiteInterval(interval12) schedule1.addBlackInterval(interval13) # Set up the second schedule. schedule2 = Schedule() interval21 = RepetitiveInterval( Schedule.fromIsoString("20150825T000000"), Schedule.fromIsoString("20150827T000000"), 9, 12, 1, RepetitiveInterval.RepeatUnit.DAY) interval22 = RepetitiveInterval( Schedule.fromIsoString("20150827T000000"), Schedule.fromIsoString("20150827T000000"), 6, 8) interval23 = RepetitiveInterval( Schedule.fromIsoString("20150827T000000"), Schedule.fromIsoString("20150827T000000"), 2, 4) schedule2.addWhiteInterval(interval21) schedule2.addWhiteInterval(interval22) schedule2.addBlackInterval(interval23) # Add them to the group manager database. manager.addSchedule("schedule1", schedule1) manager.addSchedule("schedule2", schedule2) # Make some adaptions to certificate. dataBlob = self.certificate.wireEncode() memberA = Data() memberA.wireDecode(dataBlob, TlvWireFormat.get()) memberA.setName(Name("/ndn/memberA/KEY/ksk-123/ID-CERT/123")) memberB = Data() memberB.wireDecode(dataBlob, TlvWireFormat.get()) memberB.setName(Name("/ndn/memberB/KEY/ksk-123/ID-CERT/123")) memberC = Data() memberC.wireDecode(dataBlob, TlvWireFormat.get()) memberC.setName(Name("/ndn/memberC/KEY/ksk-123/ID-CERT/123")) # Add the members to the database. manager.addMember("schedule1", memberA) manager.addMember("schedule1", memberB) manager.addMember("schedule2", memberC) def test_create_d_key_data(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.dKeyDatabaseFilePath), 2048, 1, self.keyChain) newCertificateBlob = self.certificate.wireEncode() newCertificate = IdentityCertificate() newCertificate.wireDecode(newCertificateBlob) # Encrypt the D-KEY. data = manager._createDKeyData( "20150825T000000", "20150827T000000", Name("/ndn/memberA/KEY"), self.decryptKeyBlob, newCertificate.getPublicKeyInfo().getKeyDer()) # Verify the encrypted D-KEY. dataContent = data.getContent() # Get the nonce key. # dataContent is a sequence of the two EncryptedContent. encryptedNonce = EncryptedContent() encryptedNonce.wireDecode(dataContent) self.assertEqual(0, encryptedNonce.getInitialVector().size()) self.assertEqual(EncryptAlgorithmType.RsaOaep, encryptedNonce.getAlgorithmType()) blobNonce = encryptedNonce.getPayload() decryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep) nonce = RsaAlgorithm.decrypt(self.decryptKeyBlob, blobNonce, decryptParams) # Get the D-KEY. # Use the size of encryptedNonce to find the start of encryptedPayload. payloadContent = dataContent.buf()[encryptedNonce.wireEncode().size():] encryptedPayload = EncryptedContent() encryptedPayload.wireDecode(payloadContent) self.assertEqual(16, encryptedPayload.getInitialVector().size()) self.assertEqual(EncryptAlgorithmType.AesCbc, encryptedPayload.getAlgorithmType()) decryptParams.setAlgorithmType(EncryptAlgorithmType.AesCbc) decryptParams.setInitialVector(encryptedPayload.getInitialVector()) blobPayload = encryptedPayload.getPayload() largePayload = AesAlgorithm.decrypt(nonce, blobPayload, decryptParams) self.assertTrue(largePayload.equals(self.decryptKeyBlob)) def test_create_e_key_data(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.eKeyDatabaseFilePath), 1024, 1, self.keyChain) self.setManager(manager) data = manager._createEKeyData( "20150825T090000", "20150825T110000", self.encryptKeyBlob) self.assertEqual("/Alice/READ/data_type/E-KEY/20150825T090000/20150825T110000", data.getName().toUri()) contentBlob = data.getContent() self.assertTrue(self.encryptKeyBlob.equals(contentBlob)) def test_calculate_interval(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.intervalDatabaseFilePath), 1024, 1, self.keyChain) self.setManager(manager) memberKeys = {} timePoint1 = Schedule.fromIsoString("20150825T093000") result = manager._calculateInterval(timePoint1, memberKeys) self.assertEqual("20150825T090000", Schedule.toIsoString(result.getStartTime())) self.assertEqual("20150825T100000", Schedule.toIsoString(result.getEndTime())) timePoint2 = Schedule.fromIsoString("20150827T073000") result = manager._calculateInterval(timePoint2, memberKeys) self.assertEqual("20150827T070000", Schedule.toIsoString(result.getStartTime())) self.assertEqual("20150827T080000", Schedule.toIsoString(result.getEndTime())) timePoint3 = Schedule.fromIsoString("20150827T043000") result = manager._calculateInterval(timePoint3, memberKeys) self.assertEqual(False, result.isValid()) timePoint4 = Schedule.fromIsoString("20150827T053000") result = manager._calculateInterval(timePoint4, memberKeys) self.assertEqual("20150827T050000", Schedule.toIsoString(result.getStartTime())) self.assertEqual("20150827T060000", Schedule.toIsoString(result.getEndTime())) def test_get_group_key(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.groupKeyDatabaseFilePath), 1024, 1, self.keyChain) self.setManager(manager) # Get the data list from the group manager. timePoint1 = Schedule.fromIsoString("20150825T093000") result = manager.getGroupKey(timePoint1) self.assertEqual(4, len(result)) # The first data packet contains the group's encryption key (public key). data = result[0] self.assertEqual( "/Alice/READ/data_type/E-KEY/20150825T090000/20150825T100000", data.getName().toUri()) groupEKey = EncryptKey(data.getContent()) # Get the second data packet and decrypt. data = result[1] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberA/ksk-123", data.getName().toUri()) ####################################################### Start decryption. dataContent = data.getContent() # Get the nonce key. # dataContent is a sequence of the two EncryptedContent. encryptedNonce = EncryptedContent() encryptedNonce.wireDecode(dataContent) self.assertEqual(0, encryptedNonce.getInitialVector().size()) self.assertEqual(EncryptAlgorithmType.RsaOaep, encryptedNonce.getAlgorithmType()) decryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep) blobNonce = encryptedNonce.getPayload() nonce = RsaAlgorithm.decrypt(self.decryptKeyBlob, blobNonce, decryptParams) # Get the payload. # Use the size of encryptedNonce to find the start of encryptedPayload. payloadContent = dataContent.buf()[encryptedNonce.wireEncode().size():] encryptedPayload = EncryptedContent() encryptedPayload.wireDecode(payloadContent) self.assertEqual(16, encryptedPayload.getInitialVector().size()) self.assertEqual(EncryptAlgorithmType.AesCbc, encryptedPayload.getAlgorithmType()) decryptParams.setAlgorithmType(EncryptAlgorithmType.AesCbc) decryptParams.setInitialVector(encryptedPayload.getInitialVector()) blobPayload = encryptedPayload.getPayload() largePayload = AesAlgorithm.decrypt(nonce, blobPayload, decryptParams) # Get the group D-KEY. groupDKey = DecryptKey(largePayload) ####################################################### End decryption. # Check the D-KEY. derivedGroupEKey = RsaAlgorithm.deriveEncryptKey(groupDKey.getKeyBits()) self.assertTrue(groupEKey.getKeyBits().equals(derivedGroupEKey.getKeyBits())) # Check the third data packet. data = result[2] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberB/ksk-123", data.getName().toUri()) # Check the fourth data packet. data = result[3] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberC/ksk-123", data.getName().toUri()) # Check invalid time stamps for getting the group key. timePoint2 = Schedule.fromIsoString("20150826T083000") self.assertEqual(0, len(manager.getGroupKey(timePoint2))) timePoint3 = Schedule.fromIsoString("20150827T023000") self.assertEqual(0, len(manager.getGroupKey(timePoint3))) def test_get_group_key_without_regeneration(self): # Create the group manager. manager = GroupManager( Name("Alice"), Name("data_type"), Sqlite3GroupManagerDb(self.groupKeyDatabaseFilePath), 1024, 1, self.keyChain) self.setManager(manager) # Get the data list from the group manager. timePoint1 = Schedule.fromIsoString("20150825T093000") result = manager.getGroupKey(timePoint1) self.assertEqual(4, len(result)) # The first data packet contains the group's encryption key (public key). data1 = result[0] self.assertEqual( "/Alice/READ/data_type/E-KEY/20150825T090000/20150825T100000", data1.getName().toUri()) groupEKey1 = EncryptKey(data1.getContent()) # Get the second data packet and decrypt. data = result[1] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberA/ksk-123", data.getName().toUri()) # Add new members to the database. dataBlob = self.certificate.wireEncode() memberD = Data() memberD.wireDecode(dataBlob) memberD.setName(Name("/ndn/memberD/KEY/ksk-123/ID-CERT/123")) manager.addMember("schedule1", memberD) result2 = manager.getGroupKey(timePoint1, False) self.assertEqual(5, len(result2)) # Check that the new EKey is the same as the previous one. data2 = result2[0] self.assertEqual( "/Alice/READ/data_type/E-KEY/20150825T090000/20150825T100000", data2.getName().toUri()) groupEKey2 = EncryptKey(data2.getContent()) self.assertTrue(groupEKey1.getKeyBits().equals(groupEKey2.getKeyBits())); # Check the second data packet. data2 = result2[1] self.assertEqual( "/Alice/READ/data_type/D-KEY/20150825T090000/20150825T100000/FOR/ndn/memberA/ksk-123", data2.getName().toUri())