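    def get(self, keyName):
        """
        Get the key with name keyName from the container.

        The key name is checked against this container's identity first, so a
        caller cannot reach a key of another identity through this container.
        The PibKeyImpl is cached in self._keys; on a cache miss it is built from
        the backend (the backend lookup is what raises Pib.Error for a missing
        key) and then cached under a copy of the Name.

        :param Name keyName: The name of the key.
        :return: The PibKey object.
        :rtype: PibKey
        :raises ValueError: If keyName does not match the identity name.
        :raises Pib.Error: If the key does not exist.
        """
        if not self._identityName.equals(
                PibKey.extractIdentityFromKeyName(keyName)):
            raise ValueError("Key name `" + keyName.toUri() +
                             "` does not match identity `" +
                             self._identityName.toUri() + "`")

        # One dict lookup instead of try/except KeyError, and `is None` rather
        # than `== None` so the test does not depend on the cached object's
        # notion of equality.
        pibKeyImpl = self._keys.get(keyName)
        if pibKeyImpl is None:
            pibKeyImpl = PibKeyImpl(keyName, self._pibImpl)
            # Copy the Name so the cache key cannot be mutated by the caller.
            self._keys[Name(keyName)] = pibKeyImpl

        return PibKey(pibKeyImpl)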
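    def get(self, keyName):
        """
        Get the key with name keyName from the container.

        Keys of other identities are rejected up front (ValueError), so this
        container can only ever hand out keys belonging to self._identityName.
        A cache miss in self._keys is resolved by constructing a PibKeyImpl
        from the backend, which is where a missing key surfaces as Pib.Error.

        :param Name keyName: The name of the key.
        :return: The PibKey object.
        :rtype: PibKey
        :raises ValueError: If keyName does not match the identity name.
        :raises Pib.Error: If the key does not exist.
        """
        if not self._identityName.equals(PibKey.extractIdentityFromKeyName(keyName)):
            raise ValueError("Key name `" + keyName.toUri() +
              "` does not match identity `" + self._identityName.toUri() + "`")

        # dict.get replaces the try/except KeyError dance; use `is None` since
        # identity, not equality, is what we mean here.
        pibKeyImpl = self._keys.get(keyName)
        if pibKeyImpl is None:
            pibKeyImpl = PibKeyImpl(keyName, self._pibImpl)
            # Copy the Name before using it as a cache key.
            self._keys[Name(keyName)] = pibKeyImpl

        return PibKey(pibKeyImpl)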
    def setKeyName(keyHandle, identityName, params):
        """
        Set the key name in keyHandle according to identityName and params.

        The key id is taken from params for USER_SPECIFIED and RANDOM, and is
        the SHA-256 digest of the handle's derived public key for SHA256, which
        binds the name to the key material.

        :param TpmKeyHandle keyHandle: The handle whose name is set.
        :param Name identityName: The identity the key belongs to.
        :param KeyParams params: Carries the key id type and, for
          USER_SPECIFIED/RANDOM, the key id itself.
        :raises TpmBackEnd.Error: If the RANDOM key id is empty or the key id
          type is not recognized.
        """
        keyIdType = params.getKeyIdType()

        if keyIdType == KeyIdType.SHA256:
            hasher = hashes.Hash(hashes.SHA256(), backend=default_backend())
            hasher.update(keyHandle.derivePublicKey().toBytes())
            keyId = Name.Component(hasher.finalize())
        elif keyIdType in (KeyIdType.USER_SPECIFIED, KeyIdType.RANDOM):
            keyId = params.getKeyId()
            # A RANDOM id must already have been filled in by the caller.
            if (keyIdType == KeyIdType.RANDOM and
                    keyId.getValue().size() == 0):
                raise TpmBackEnd.Error(
                  "setKeyName: The keyId is empty for type RANDOM")
        else:
            raise TpmBackEnd.Error(
              "setKeyName: unrecognized params.getKeyIdType()")

        keyHandle.setKeyName(PibKey.constructKeyName(identityName, keyId))
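    def test_key_management(self):
        """
        Exercise create / lookup / delete of one key on every TPM back end.

        The key is checked as absent before creation, present (with a handle)
        after creation, protected against a duplicate create (Tpm.Error), and
        absent again after deletion.
        """
        for tpm in self.backEndList:
            identityName = Name("/Test/KeyName")
            keyId = Name.Component("1")
            keyName = PibKey.constructKeyName(identityName, keyId)

            # The key should not exist. (assertEqual: assertEquals is a
            # deprecated alias that newer unittest versions drop.)
            self.assertEqual(False, tpm.hasKey(keyName))
            self.assertIsNone(tpm.getKeyHandle(keyName))

            # Create a key, which should exist.
            self.assertIsNotNone(
              tpm.createKey(identityName, RsaKeyParams(keyId)))
            self.assertTrue(tpm.hasKey(keyName))
            self.assertIsNotNone(tpm.getKeyHandle(keyName))

            # Creating a key with the same name must be refused, so an
            # existing private key is never silently overwritten.
            with self.assertRaises(Tpm.Error):
                tpm.createKey(identityName, RsaKeyParams(keyId))

            # Delete the key, then it should not exist.
            tpm.deleteKey(keyName)
            self.assertEqual(False, tpm.hasKey(keyName))
            self.assertIsNone(tpm.getKeyHandle(keyName))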
    def test_key_management(self):
        """
        Round-trip one key through every TPM back end: absent, created,
        duplicate create rejected with Tpm.Error, deleted.
        """
        for tpm in self.backEndList:
            identityName = Name("/Test/KeyName")
            keyId = Name.Component("1")
            keyName = PibKey.constructKeyName(identityName, keyId)

            # Nothing there yet.
            self.assertFalse(tpm.hasKey(keyName))
            self.assertIsNone(tpm.getKeyHandle(keyName))

            # After createKey the key and its handle are available.
            handle = tpm.createKey(identityName, RsaKeyParams(keyId))
            self.assertIsNotNone(handle)
            self.assertTrue(tpm.hasKey(keyName))
            self.assertIsNotNone(tpm.getKeyHandle(keyName))

            # A second create under the same name must not overwrite the key.
            with self.assertRaises(Tpm.Error):
                tpm.createKey(identityName, RsaKeyParams(keyId))

            # Deleting makes it absent again.
            tpm.deleteKey(keyName)
            self.assertFalse(tpm.hasKey(keyName))
            self.assertIsNone(tpm.getKeyHandle(keyName))
    def remove(self, keyName):
        """
        Remove the key with name keyName from the container, and its related
        certificates. If the key does not exist, do nothing.

        The identity check comes first so a key of another identity can never
        be removed through this container. Both local caches (self._keyNames,
        self._keys) and the backend are updated.

        :param Name keyName: The name of the key.
        :raises ValueError: If keyName does not match the identity name.
        """
        keyIdentity = PibKey.extractIdentityFromKeyName(keyName)
        if not self._identityName.equals(keyIdentity):
            raise ValueError("Key name `" + keyName.toUri() +
              "` does not match identity `" + self._identityName.toUri() + "`")

        # Drop the cached entries; both calls are no-ops when absent.
        self._keyNames.discard(keyName)
        self._keys.pop(keyName, None)

        # The backend removes the key itself (and, per the contract above,
        # its related certificates).
        self._pibImpl.removeKey(keyName)
    def remove(self, keyName):
        """
        Remove the key with name keyName from the container, and its related
        certificates. If the key does not exist, do nothing.

        Removal is refused (ValueError) when keyName belongs to a different
        identity than this container; otherwise the name is dropped from the
        two local caches and the backend's removeKey is called.

        :param Name keyName: The name of the key.
        :raises ValueError: If keyName does not match the identity name.
        """
        if not self._identityName.equals(
                PibKey.extractIdentityFromKeyName(keyName)):
            raise ValueError("Key name `" + keyName.toUri() +
                             "` does not match identity `" +
                             self._identityName.toUri() + "`")

        # Absent entries are simply ignored.
        self._keyNames.discard(keyName)
        self._keys.pop(keyName, None)

        self._pibImpl.removeKey(keyName)
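    def __init__(self, keyName, arg2, arg3=None):
        """
        Create a PibKeyImpl, either loading an existing key or adding a new one.

        Two forms, distinguished by the type of arg2:

        PibKeyImpl(keyName, pibImpl): fetch the key bits of keyName from
          pibImpl and decode them.
        PibKeyImpl(keyName, keyEncoding, pibImpl): decode keyEncoding and, only
          if it decodes, add it to pibImpl under keyName (an undecodable
          encoding is never written to the backend).

        :param Name keyName: The name of the key (copied).
        :param arg2: A PibImpl (first form) or the encoded key bytes (second
          form).
        :param PibImpl arg3: The PibImpl for the second form.
        :raises ValueError: If the PibImpl is None, or (second form) the key
          encoding cannot be decoded.
        :raises Pib.Error: If (first form) the stored key bits do not decode.
        """
        self._defaultCertificate = None

        if isinstance(arg2, PibImpl):
            # PibKeyImpl(keyName, pibImpl)
            pibImpl = arg2

            self._identityName = PibKey.extractIdentityFromKeyName(keyName)
            self._keyName = Name(keyName)
            self._certificates = PibCertificateContainer(keyName, pibImpl)
            self._pibImpl = pibImpl

            if pibImpl is None:
                raise ValueError("The pibImpl is None")

            self._keyEncoding = self._pibImpl.getKeyBits(self._keyName)

            try:
                publicKey = PublicKey(self._keyEncoding)
            except Exception:
                # `except Exception`, not a bare except, so KeyboardInterrupt
                # and SystemExit are not rewrapped as Pib.Error.
                # We don't expect this since we just fetched the encoding.
                raise Pib.Error("Error decoding public key")

            self._keyType = publicKey.getKeyType()
        else:
            # PibKeyImpl(keyName, keyEncoding, pibImpl)
            keyEncoding = arg2
            pibImpl = arg3

            self._identityName = PibKey.extractIdentityFromKeyName(keyName)
            self._keyName = Name(keyName)
            self._keyEncoding = Blob(keyEncoding, True)
            self._certificates = PibCertificateContainer(keyName, pibImpl)
            self._pibImpl = pibImpl

            if pibImpl is None:
                raise ValueError("The pibImpl is None")

            # Validate the encoding before it reaches the backend.
            try:
                publicKey = PublicKey(self._keyEncoding)
                self._keyType = publicKey.getKeyType()
            except Exception:
                raise ValueError("Invalid key encoding")

            self._pibImpl.addKey(self._identityName, self._keyName,
                                 keyEncoding)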
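    def __init__(self, keyName, arg2, arg3 = None):
        """
        Create a PibKeyImpl from an existing backend key or a new encoding.

        If arg2 is a PibImpl, the form is PibKeyImpl(keyName, pibImpl): the key
        bits are read from the backend and decoded. Otherwise the form is
        PibKeyImpl(keyName, keyEncoding, pibImpl): the encoding is decoded
        first and only then added to the backend, so a bad encoding is never
        persisted.

        :param Name keyName: The name of the key (copied).
        :param arg2: A PibImpl, or the encoded key bytes.
        :param PibImpl arg3: The PibImpl when arg2 is the key encoding.
        :raises ValueError: If the PibImpl is None, or the given key encoding
          cannot be decoded.
        :raises Pib.Error: If the key bits read from the backend do not decode.
        """
        self._defaultCertificate = None

        if isinstance(arg2, PibImpl):
            # PibKeyImpl(keyName, pibImpl)
            pibImpl = arg2

            self._identityName = PibKey.extractIdentityFromKeyName(keyName)
            self._keyName = Name(keyName)
            self._certificates = PibCertificateContainer(keyName, pibImpl)
            self._pibImpl = pibImpl

            if pibImpl is None:
                raise ValueError("The pibImpl is None")

            self._keyEncoding = self._pibImpl.getKeyBits(self._keyName)

            try:
                publicKey = PublicKey(self._keyEncoding)
            except Exception:
                # Narrowed from a bare except so interpreter-level exceptions
                # (KeyboardInterrupt, SystemExit) propagate unchanged.
                # We don't expect this since we just fetched the encoding.
                raise Pib.Error("Error decoding public key")

            self._keyType = publicKey.getKeyType()
        else:
            # PibKeyImpl(keyName, keyEncoding, pibImpl)
            keyEncoding = arg2
            pibImpl = arg3

            self._identityName = PibKey.extractIdentityFromKeyName(keyName)
            self._keyName = Name(keyName)
            self._keyEncoding = Blob(keyEncoding, True)
            self._certificates = PibCertificateContainer(keyName, pibImpl)
            self._pibImpl = pibImpl

            if pibImpl is None:
                raise ValueError("The pibImpl is None")

            # Decode before addKey so an invalid encoding is rejected up front.
            try:
                publicKey = PublicKey(self._keyEncoding)
                self._keyType = publicKey.getKeyType()
            except Exception:
                raise ValueError("Invalid key encoding")

            self._pibImpl.addKey(self._identityName, self._keyName, keyEncoding)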
    def createKey(self, identityName, params):
        """
        Create a key for the identityName according to params.

        Before delegating to _doCreateKey the key name is settled by key id
        type: a USER_SPECIFIED id must not already exist in this TPM, a SHA256
        id is assigned after generation (in setKeyName), and a RANDOM id is
        drawn from _systemRandom (presumably a random.SystemRandom — verify)
        until it does not collide with an existing key, then stored in params.

        :param Name identityName: The name if the identity.
        :param KeyParams params: The KeyParams for creating the key.
        :return: The handle of the created key.
        :rtype: TpmKeyHandle
        :raises TpmBackEnd.Error: If the key cannot be created.
        :raises Tpm.Error: If a USER_SPECIFIED key name already exists, or the
          key id type is unsupported.
        """
        keyIdType = params.getKeyIdType()

        if keyIdType == KeyIdType.USER_SPECIFIED:
            # The keyId is pre-set: never overwrite an existing key.
            keyName = PibKey.constructKeyName(identityName, params.getKeyId())
            if self.hasKey(keyName):
                raise Tpm.Error("Key `" + keyName.toUri() + "` already exists")
        elif keyIdType == KeyIdType.RANDOM:
            # 8 random bytes; retry on the (unlikely) name collision.
            while True:
                randomBytes = bytearray(
                  _systemRandom.randint(0, 0xff) for _ in range(8))
                keyId = Name.Component(Blob(randomBytes, False))
                if not self.hasKey(
                      PibKey.constructKeyName(identityName, keyId)):
                    break
            params.setKeyId(keyId)
        elif keyIdType != KeyIdType.SHA256:
            raise Tpm.Error("Unsupported key id type")
        # SHA256: the name is assigned in setKeyName once the key exists.

        return self._doCreateKey(identityName, params)
 def delete_security_object(name, kind):
     """
     Delete a certificate, key or identity from a KeyChain's PIB.

     :param str name: The NDN name (URI) of the object to delete.
     :param str kind: "c" for a certificate, "k" for a key; any other value
       is treated as an identity name and deletes that identity.
     """
     key_chain = KeyChain()
     logging.info("Delete security object %s %s", name, kind)
     target = Name(name)

     if kind == "c":
         identity = key_chain.getPib().getIdentity(
           CertificateV2.extractIdentityFromCertName(target))
         key = identity.getKey(CertificateV2.extractKeyNameFromCertName(target))
         key_chain.deleteCertificate(key, target)
     elif kind == "k":
         identity = key_chain.getPib().getIdentity(
           PibKey.extractIdentityFromKeyName(target))
         key_chain.deleteKey(identity, identity.getKey(target))
     else:
         # NOTE(review): any unrecognized kind falls through to identity
         # deletion; callers should validate kind before reaching here.
         key_chain.deleteIdentity(target)
    def getKeysOfIdentity(self, identityName):
        """
        Get all the key names of the identity with the name identityName. The
        returned key names can be used to create a KeyContainer. With a key name
        and a backend implementation, one can create a Key front end instance.

        :param Name identityName: The name of the identity.
        :return: The set of key names. The Name objects are fresh copies. If the
          identity does not exist, return an empty set.
        :rtype: set of Name
        """
        # Copy each matching Name so callers cannot mutate our dict keys.
        return set(
          Name(keyName) for keyName in self._keys
          if identityName.equals(PibKey.extractIdentityFromKeyName(keyName)))
    def getKeysOfIdentity(self, identityName):
        """
        Get all the key names of the identity with the name identityName. The
        returned key names can be used to create a KeyContainer. With a key name
        and a backend implementation, one can create a Key front end instance.

        :param Name identityName: The name of the identity.
        :return: The set of key names. The Name objects are fresh copies. If the
          identity does not exist, return an empty set.
        :rtype: set of Name
        """
        def belongsToIdentity(keyName):
            return identityName.equals(
              PibKey.extractIdentityFromKeyName(keyName))

        # Fresh copies, so the caller never holds a reference to our keys.
        return {Name(keyName) for keyName in self._keys
                if belongsToIdentity(keyName)}
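    def _checkPolicyHelper(self, keyName, state, continueValidation):
        """
        Continue validation using the PIB's default certificate for keyName.

        The identity, key and default certificate are looked up in the PIB; any
        failure is reported on state as CANNOT_RETRIEVE_CERTIFICATE and the
        validation stops. Otherwise the certificate is installed as a temporary
        trust anchor for the duration of continueValidation and cleared again
        afterwards, even if continueValidation raises.

        :param Name keyName: The name of the key to validate against.
        :param ValidationState state: Receives the failure, if any.
        :param continueValidation: Called with a CertificateRequest for keyName
          and state.
        :type continueValidation: function object
        """
        try:
            identity = self._pib.getIdentity(
                PibKey.extractIdentityFromKeyName(keyName))
        except Exception as ex:
            state.fail(
                ValidationError(
                    ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
                    "Cannot get the PIB identity for key " + keyName.toUri() +
                    ": " + repr(ex)))
            return

        try:
            key = identity.getKey(keyName)
        except Exception as ex:
            state.fail(
                ValidationError(
                    ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
                    "Cannot get the PIB key " + keyName.toUri() + ": " +
                    repr(ex)))
            return

        try:
            certificate = key.getDefaultCertificate()
        except Exception as ex:
            state.fail(
                ValidationError(
                    ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
                    "Cannot get the default certificate for key " +
                    keyName.toUri() + ": " + repr(ex)))
            return

        # Add the certificate as the temporary trust anchor. The reset is in a
        # finally block so an exception from continueValidation cannot leave
        # this certificate trusted for later, unrelated validations.
        self._validator.resetAnchors()
        self._validator.loadAnchor("", certificate)
        try:
            continueValidation(CertificateRequest(Interest(keyName)), state)
        finally:
            # Clear the temporary trust anchor.
            self._validator.resetAnchors()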
    def constructKeyName(identityName, params):
        """
        Construct the key name according to identityName and params.

        Only USER_SPECIFIED and RANDOM key ids can be handled here: a SHA256 id
        needs the key handle, which this function does not have.

        :param Name identityName: The identity the key belongs to.
        :param KeyParams params: Carries the key id type and the key id.
        :return: The constructed key name.
        :rtype: Name
        :raises TpmBackEnd.Error: If the RANDOM key id is empty, or the key id
          type is SHA256 or otherwise not handled here.
        """
        keyIdType = params.getKeyIdType()
        if keyIdType not in (KeyIdType.USER_SPECIFIED, KeyIdType.RANDOM):
            # The message prefix follows the original wording.
            raise TpmBackEnd.Error(
              "setKeyName: unrecognized params.getKeyIdType()")

        keyId = params.getKeyId()
        if keyIdType == KeyIdType.RANDOM and keyId.getValue().size() == 0:
            raise TpmBackEnd.Error(
              "setKeyName: The keyId is empty for type RANDOM")

        return PibKey.constructKeyName(identityName, keyId)
    def checkNames(self, packetName, keyLocatorName, state):
        """
        Check that the identity in keyLocatorName satisfies self._relation with
        respect to self._name. packetName only appears in the error message.

        :param Name packetName: The name of the packet being validated.
        :param Name keyLocatorName: The key name from the packet's KeyLocator.
        :param ValidationState state: Receives a POLICY_ERROR on failure.
        :return: The result of the name relation check.
        :rtype: bool
        """
        identity = PibKey.extractIdentityFromKeyName(keyLocatorName)
        relationHolds = ConfigNameRelation.checkNameRelation(
          self._relation, self._name, identity)
        if relationHolds:
            return relationHolds

        state.fail(ValidationError(ValidationError.POLICY_ERROR,
          "KeyLocator check failed: name relation " + self._name.toUri() + " " +
          ConfigNameRelation.toString(self._relation) + " for packet " +
          packetName.toUri() + " is invalid (KeyLocator=" +
          keyLocatorName.toUri() + ", identity=" + identity.toUri() + ")"))
        return relationHolds
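    def _checkPolicyHelper(self, keyName, state, continueValidation):
        """
        Continue validation using the PIB's default certificate for keyName.

        Looks up the identity, key and default certificate in the PIB, failing
        state with CANNOT_RETRIEVE_CERTIFICATE if any step raises. The
        certificate is then loaded as a temporary trust anchor only for the
        continueValidation call; the anchors are reset afterwards even if
        continueValidation raises, so the certificate is never left trusted.

        :param Name keyName: The name of the key to validate against.
        :param ValidationState state: Receives the failure, if any.
        :param continueValidation: Called with a CertificateRequest for keyName
          and state.
        :type continueValidation: function object
        """
        try:
            identity = self._pib.getIdentity(
              PibKey.extractIdentityFromKeyName(keyName))
        except Exception as ex:
            state.fail(ValidationError
              (ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
               "Cannot get the PIB identity for key " + keyName.toUri() + ": " +
               repr(ex)))
            return

        try:
            key = identity.getKey(keyName)
        except Exception as ex:
            state.fail(ValidationError
              (ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
               "Cannot get the PIB key " + keyName.toUri() + ": " + repr(ex)))
            return

        try:
            certificate = key.getDefaultCertificate()
        except Exception as ex:
            state.fail(ValidationError
              (ValidationError.CANNOT_RETRIEVE_CERTIFICATE,
               "Cannot get the default certificate for key " + keyName.toUri() +
               ": " + repr(ex)))
            return

        # Add the certificate as the temporary trust anchor.
        self._validator.resetAnchors()
        self._validator.loadAnchor("", certificate)
        try:
            continueValidation(CertificateRequest(Interest(keyName)), state)
        finally:
            # Clear the temporary trust anchor, also on an exception, so it
            # cannot leak into later validations.
            self._validator.resetAnchors()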
    def removeKey(self, keyName):
        """
        Remove the key with keyName and its related certificates. If the key
        does not exist, do nothing.

        :param Name keyName: The name of the key.
        """
        identityName = PibKey.extractIdentityFromKeyName(keyName)

        # Both pops are no-ops when the entry is absent.
        self._keys.pop(keyName, None)
        # NOTE(review): the identity's default-key entry is cleared even when
        # keyName was not that identity's default key.
        self._defaultKeyNames.pop(identityName, None)

        # Remove the key's certificates (looked up by key name).
        for certificateName in self.getCertificatesOfKey(keyName):
            self.removeCertificate(certificateName)
    def removeKey(self, keyName):
        """
        Remove the key with keyName and its related certificates. If the key
        does not exist, do nothing.

        :param Name keyName: The name of the key.
        """
        identityName = PibKey.extractIdentityFromKeyName(keyName)

        # Missing entries are ignored (pop with a default never raises).
        self._keys.pop(keyName, None)
        # NOTE(review): this drops the identity's default-key entry whether or
        # not keyName was the default.
        self._defaultKeyNames.pop(identityName, None)

        certificateNames = self.getCertificatesOfKey(keyName)
        for certificateName in certificateNames:
            self.removeCertificate(certificateName)
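    def add(self, key, keyName):
        """
        Add a key with name keyName into the container. If a key with the same
        name already exists, this replaces it.

        The PibKeyImpl is constructed (which validates the encoding and writes
        the key to the backend) before the name is registered in the local
        caches, so a rejected encoding leaves the container unchanged rather
        than listing a name that has no key behind it.

        :param key: The buffer of encoded key bytes.
        :type key: an array which implements the buffer protocol
        :param Name keyName: The name of the key, which is copied.
        :return: The PibKey object.
        :rtype: PibKey
        :raises ValueError: If the name of the key does not match the identity
          name, or the key encoding is invalid.
        """
        if not self._identityName.equals(PibKey.extractIdentityFromKeyName(keyName)):
            raise ValueError("The key name `" + keyName.toUri() +
              "` does not match the identity name `" +
              self._identityName.toUri() + "`")

        # Build first: this may raise ValueError on a bad encoding.
        pibKeyImpl = PibKeyImpl(keyName, key, self._pibImpl)

        # Copy the Name.
        self._keyNames.add(Name(keyName))
        self._keys[Name(keyName)] = pibKeyImpl

        return self.get(keyName)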
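    def add(self, key, keyName):
        """
        Add a key with name keyName into the container. If a key with the same
        name already exists, this replaces it.

        The backend write (via the PibKeyImpl constructor, which also validates
        the encoding) happens before the name is added to self._keyNames and
        self._keys, so an invalid encoding cannot leave a dangling name in the
        container.

        :param key: The buffer of encoded key bytes.
        :type key: an array which implements the buffer protocol
        :param Name keyName: The name of the key, which is copied.
        :return: The PibKey object.
        :rtype: PibKey
        :raises ValueError: If the name of the key does not match the identity
          name, or the key encoding is invalid.
        """
        if not self._identityName.equals(
                PibKey.extractIdentityFromKeyName(keyName)):
            raise ValueError("The key name `" + keyName.toUri() +
                             "` does not match the identity name `" +
                             self._identityName.toUri() + "`")

        # May raise ValueError; nothing has been registered locally yet.
        pibKeyImpl = PibKeyImpl(keyName, key, self._pibImpl)

        # Copy the Name.
        self._keyNames.add(Name(keyName))
        self._keys[Name(keyName)] = pibKeyImpl

        return self.get(keyName)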
    def checkNames(self, packetName, keyLocatorName, state):
        """
        Check the configured name relation between self._name and the identity
        extracted from keyLocatorName; packetName is only used for the message.

        :param Name packetName: The name of the packet being validated.
        :param Name keyLocatorName: The key name from the packet's KeyLocator.
        :param ValidationState state: Receives a POLICY_ERROR on failure.
        :return: The result of the name relation check.
        :rtype: bool
        """
        identity = PibKey.extractIdentityFromKeyName(keyLocatorName)
        relationHolds = ConfigNameRelation.checkNameRelation(
          self._relation, self._name, identity)

        if not relationHolds:
            message = (
                "KeyLocator check failed: name relation " +
                self._name.toUri() + " " +
                ConfigNameRelation.toString(self._relation) +
                " for packet " + packetName.toUri() +
                " is invalid (KeyLocator=" + keyLocatorName.toUri() +
                ", identity=" + identity.toUri() + ")")
            state.fail(ValidationError(ValidationError.POLICY_ERROR, message))

        return relationHolds
    def test_basic(self):
        """
        Exercise PibKeyContainer add/get/remove over an in-memory PibImpl,
        checking both the reported size() and the private _keys cache.
        """
        fixture = self.fixture
        pibImpl = PibMemory()

        def assertKeyMatches(key, expectedName, expectedBits):
            # A returned PibKey carries the name and public key it was added with.
            self.assertTrue(expectedName.equals(key.getName()))
            self.assertTrue(key.getPublicKey().equals(expectedBits))

        def assertCounts(aContainer, expectedSize, expectedCached):
            self.assertEqual(expectedSize, aContainer.size())
            self.assertEqual(expectedCached, len(aContainer._keys))

        # Start with an empty container.
        container = PibKeyContainer(fixture.id1, pibImpl)
        assertCounts(container, 0, 0)

        # Add the first key.
        key11 = container.add(fixture.id1Key1.buf(), fixture.id1Key1Name)
        assertKeyMatches(key11, fixture.id1Key1Name, fixture.id1Key1)
        assertCounts(container, 1, 1)
        self.assertIn(fixture.id1Key1Name, container._keys)

        # Adding the same key again replaces it without growing the container.
        key12 = container.add(fixture.id1Key1.buf(), fixture.id1Key1Name)
        assertKeyMatches(key12, fixture.id1Key1Name, fixture.id1Key1)
        assertCounts(container, 1, 1)
        self.assertIn(fixture.id1Key1Name, container._keys)

        # Add the second key.
        key21 = container.add(fixture.id1Key2.buf(), fixture.id1Key2Name)
        assertKeyMatches(key21, fixture.id1Key2Name, fixture.id1Key2)
        assertCounts(container, 2, 2)
        self.assertIn(fixture.id1Key1Name, container._keys)
        self.assertIn(fixture.id1Key2Name, container._keys)

        # Existing keys can be fetched; a non-existing one is a Pib.Error.
        for existingName in (fixture.id1Key1Name, fixture.id1Key2Name):
            try:
                container.get(existingName)
            except Exception as ex:
                self.fail("Unexpected exception: " + str(ex))
        id1Key3Name = PibKey.constructKeyName(
          fixture.id1, Name.Component("non-existing-id"))
        with self.assertRaises(Pib.Error):
            container.get(id1Key3Name)

        # Get and check keys.
        assertKeyMatches(container.get(fixture.id1Key1Name),
                         fixture.id1Key1Name, fixture.id1Key1)
        key2 = container.get(fixture.id1Key2Name)
        self.assertEqual(fixture.id1Key2Name, key2.getName())
        self.assertTrue(key2.getPublicKey().equals(fixture.id1Key2))

        # A second container over the same PibImpl sees both keys in the
        # backend but starts with an empty cache; each get() fills it.
        container2 = PibKeyContainer(fixture.id1, pibImpl)
        assertCounts(container2, 2, 0)
        for cachedCount, existingName in enumerate(
              (fixture.id1Key1Name, fixture.id1Key2Name), start=1):
            try:
                container2.get(existingName)
            except Exception as ex:
                self.fail("Unexpected exception: " + str(ex))
            assertCounts(container2, 2, cachedCount)

        # Remove the keys one at a time.
        container2.remove(fixture.id1Key1Name)
        assertCounts(container2, 1, 1)
        self.assertNotIn(fixture.id1Key1Name, container2._keys)
        self.assertIn(fixture.id1Key2Name, container2._keys)

        container2.remove(fixture.id1Key2Name)
        assertCounts(container2, 0, 0)
        self.assertNotIn(fixture.id1Key2Name, container2._keys)