def wireDecode(self, input):
"""
Decode the input as an NDN-TLV SafeBag and update this object.
:param input: The array with the bytes to decode.
:type input: A Blob or an array type with int elements
"""
if isinstance(input, Blob):
input = input.buf()
# Decode directly as TLV. We don't support the WireFormat abstraction
# because this isn't meant to go directly on the wire.
decoder = TlvDecoder(input)
endOffset = decoder.readNestedTlvsStart(Tlv.SafeBag_SafeBag)
# Get the bytes of the certificate and decode.
certificateBeginOffset = decoder.getOffset()
certificateEndOffset = decoder.readNestedTlvsStart(Tlv.Data)
decoder.seek(certificateEndOffset)
self._certificate = Data()
self._certificate.wireDecode(
decoder.getSlice(certificateBeginOffset, certificateEndOffset),
TlvWireFormat.get())
self._privateKeyBag = Blob(
decoder.readBlobTlv(Tlv.SafeBag_EncryptedKeyBag), True)
decoder.finishNestedTlvs(endOffset)
def onReceivedElement(self, element):
"""
This is called by the transport's ElementReader to process an
entire received Data or Interest element.
:param element: The bytes of the incoming element.
:type element: An array type with int elements
"""
lpPacket = None
if element[0] == Tlv.LpPacket_LpPacket:
# Decode the LpPacket and replace element with the fragment.
lpPacket = LpPacket()
# Set copy False so that the fragment is a slice which will be
# copied below. The header fields are all integers and don't need to
# be copied.
TlvWireFormat.get().decodeLpPacket(lpPacket, element, False)
element = lpPacket.getFragmentWireEncoding().buf()
# First, decode as Interest or Data.
data = None
decoder = TlvDecoder(element)
if decoder.peekType(Tlv.Data, len(element)):
data = Data()
data.wireDecode(element, TlvWireFormat.get())
if lpPacket != None:
data.setLpPacket(lpPacket)
# Now process as Interest or Data.
if data != None:
if self._onBtleData:
self._onBtleData(data)
def _processRecoveryInterest(self, interest, syncDigest, face):
logging.getLogger(__name__).info("processRecoveryInterest")
if self._logFind(syncDigest) != -1:
tempContent = SyncStateMsg()
for i in range(self._digestTree.size()):
content = getattr(tempContent, "ss").add()
content.name = self._digestTree.get(i).getDataPrefix()
content.type = SyncState_UPDATE
content.seqno.seq = self._digestTree.get(i).getSequenceNo()
content.seqno.session = self._digestTree.get(i).getSessionNo()
if len(getattr(tempContent, "ss")) != 0:
# TODO: Check if this works in Python 3.
#pylint: disable=E1103
array = tempContent.SerializeToString()
#pylint: enable=E1103
data = Data(interest.getName())
data.setContent(Blob(array))
if interest.getName().get(-1).toEscapedString() == "00":
# Limit the lifetime of replies to interest for "00" since
# they can be different.
data.getMetaInfo().setFreshnessPeriod(1000)
self._keyChain.sign(data, self._certificateName)
try:
face.putData(data)
except Exception as ex:
logging.getLogger(__name__).error(
"Error in face.putData: %s", str(ex))
return
logging.getLogger(__name__).info("send recovery data back")
logging.getLogger(__name__).info("%s", interest.getName().toUri())
def _createDKeyData(self, startTimeStamp, endTimeStamp, keyName,
privateKeyBlob, certificateKey):
"""
Create a D-KEY Data packet with an EncryptedContent for the given
private key, encrypted with the certificate key.
:param str startTimeStamp: The start time stamp string to put in the name.
:param str endTimeStamp: The end time stamp string to put in the name.
:param Name keyName The key name to put in the data packet name and the
EncryptedContent key locator.
:param Blob privateKeyBlob: A Blob of the encoded private key.
:param Blob certificateKey: The certificate key encoding, used to
encrypt the private key.
:return: The Data packet.
:rtype: Data
"""
name = Name(self._namespace)
name.append(Encryptor.NAME_COMPONENT_D_KEY)
name.append(startTimeStamp).append(endTimeStamp)
data = Data(name)
data.getMetaInfo().setFreshnessPeriod(
self._freshnessHours * GroupManager.MILLISECONDS_IN_HOUR)
encryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep)
Encryptor.encryptData(data, privateKeyBlob, keyName, certificateKey,
encryptParams)
self._keyChain.sign(data)
return data
def _processRecoveryInterest(self, interest, syncDigest, transport):
logging.getLogger(__name__).info("processRecoveryInterest")
if self._logFind(syncDigest) != -1:
tempContent = sync_state_pb2.SyncStateMsg()
for i in range(self._digestTree.size()):
content = getattr(tempContent, "ss").add()
content.name = self._applicationDataPrefixUri
content.type = SyncState_UPDATE
content.seqno.seq = self._sequenceNo
content.seqno.session = self._digestTree.get(i).getSessionNo()
if len(getattr(tempContent, "ss")) != 0:
# TODO: Check if this works in Python 3.
#pylint: disable=E1103
array = tempContent.SerializeToString()
#pylint: enable=E1103
data = Data(interest.getName())
data.setContent(Blob(array))
self._keyChain.sign(data, self._certificateName)
try:
transport.send(data.wireEncode().toBuffer())
except Exception as ex:
logging.getLogger(__name__).error(
"Error in transport.send: %s", str(ex))
return
logging.getLogger(__name__).info("send recovery data back")
logging.getLogger(__name__).info("%s", interest.getName().toUri())
def _createDKeyData(self, startTimeStamp, endTimeStamp, keyName,
privateKeyBlob, certificateKey):
"""
Create a D-KEY Data packet with an EncryptedContent for the given
private key, encrypted with the certificate key.
:param str startTimeStamp: The start time stamp string to put in the name.
:param str endTimeStamp: The end time stamp string to put in the name.
:param Name keyName The key name to put in the data packet name and the
EncryptedContent key locator.
:param Blob privateKeyBlob: A Blob of the encoded private key.
:param Blob certificateKey: The certificate key encoding, used to
encrypt the private key.
:return: The Data packet.
:rtype: Data
"""
name = Name(self._namespace)
name.append(Encryptor.NAME_COMPONENT_D_KEY)
name.append(startTimeStamp).append(endTimeStamp)
data = Data(name)
data.getMetaInfo().setFreshnessPeriod(
self._freshnessHours * GroupManager.MILLISECONDS_IN_HOUR)
encryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep)
Encryptor.encryptData(
data, privateKeyBlob, keyName, certificateKey, encryptParams)
self._keyChain.sign(data)
return data
def onReceivedElement(self, element):
"""
This is called by the transport's ElementReader to process an
entire received Data or Interest element.
:param element: The bytes of the incoming element.
:type element: An array type with int elements
"""
# First, decode as Interest or Data.
interest = None
data = None
decoder = TlvDecoder(element)
if decoder.peekType(Tlv.Interest, len(element)):
interest = Interest()
interest.wireDecode(element, TlvWireFormat.get())
elif decoder.peekType(Tlv.Data, len(element)):
data = Data()
data.wireDecode(element, TlvWireFormat.get())
# Now process as Interest or Data.
if interest != None:
# Call all interest filter callbacks which match.
for i in range(len(self._interestFilterTable)):
entry = self._interestFilterTable[i]
if entry.getFilter().doesMatch(interest.getName()):
includeFilter = True
# Use getcallargs to test if onInterest accepts 5 args.
try:
inspect.getcallargs(entry.getOnInterest(),
None, None, None, None, None)
except TypeError:
# Assume onInterest is old-style with 4 arguments.
includeFilter = False
if includeFilter:
try:
entry.getOnInterest()(
entry.getFilter().getPrefix(), interest,
entry.getFace(), entry.getInterestFilterId(),
entry.getFilter())
except:
logging.exception("Error in onInterest")
else:
# Old-style onInterest without the filter argument. We
# still pass a Face instead of Transport since Face also
# has a send method.
try:
entry.getOnInterest()(
entry.getFilter().getPrefix(), interest,
entry.getFace(), entry.getInterestFilterId())
except:
logging.exception("Error in onInterest")
elif data != None:
pendingInterests = self._extractEntriesForExpressedInterest(
data.getName())
for pendingInterest in pendingInterests:
try:
pendingInterest.getOnData()(pendingInterest.getInterest(), data)
except:
logging.exception("Error in onData")
def _processRecoveryInterest(self, interest, syncDigest, face):
logging.getLogger(__name__).info("processRecoveryInterest")
if self._logFind(syncDigest) != -1:
tempContent = sync_state_pb2.SyncStateMsg()
for i in range(self._digestTree.size()):
content = getattr(tempContent, "ss").add()
content.name = self._digestTree.get(i).getDataPrefix()
content.type = SyncState_UPDATE
content.seqno.seq = self._digestTree.get(i).getSequenceNo()
content.seqno.session = self._digestTree.get(i).getSessionNo()
if len(getattr(tempContent, "ss")) != 0:
# TODO: Check if this works in Python 3.
#pylint: disable=E1103
array = tempContent.SerializeToString()
#pylint: enable=E1103
data = Data(interest.getName())
data.setContent(Blob(array))
self._keyChain.sign(data, self._certificateName)
try:
face.putData(data)
except Exception as ex:
logging.getLogger(__name__).error(
"Error in face.putData: %s", str(ex))
return
logging.getLogger(__name__).info("send recovery data back")
logging.getLogger(__name__).info("%s",
interest.getName().toUri())
def __init__(self, data, successCallback, failureCallback):
super(DataValidationState, self).__init__()
# Make a copy.
self._data = Data(data)
self._successCallback = successCallback
self._failureCallback = failureCallback
if self._successCallback == None:
raise ValueError("The successCallback is None")
if self._failureCallback == None:
raise ValueError("The failureCallback is None")
def setName(self, name):
"""
Overrides Data.setName() to ensure that the new name is a valid identity
certificate name.
:param name: The new name for this IdentityCertificate
:type name: Name
"""
if (not self._isCorrectName(name)):
raise SecurityException("Bad format for identity certificate name!")
Data.setName(self, name)
self._setPublicKeyName()
def setName(self, name):
"""
Overrides Data.setName() to ensure that the new name is a valid identity
certificate name.
:param name: The new name for this IdentityCertificate
:type name: Name
"""
if (not self._isCorrectName(name)):
raise SecurityException(
"Bad format for identity certificate name!")
Data.setName(self, name)
self._setPublicKeyName()
def wireDecode(self, buf, wireFormat = None):
"""
Override to call the base class wireDecode then check the certificate
format.
:param input: The array with the bytes to decode. If input is not a
Blob, then copy the bytes to save the defaultWireEncoding (otherwise
take another pointer to the same Blob).
:type input: A Blob or an array type with int elements
:param wireFormat: (optional) A WireFormat object used to decode this
Data object. If omitted, use WireFormat.getDefaultWireFormat().
:type wireFormat: A subclass of WireFormat
"""
Data.wireDecode(self, buf, wireFormat)
self._checkFormat()
def _broadcastSyncState(self, digest, syncMessage):
"""
Make a data packet with the syncMessage and with name
applicationBroadcastPrefix_ + digest. Sign and send.
:param str digest: The root digest as a hex string for the data packet
name.
:param sync_state_pb2.SyncState syncMessage:
"""
data = Data(self._applicationBroadcastPrefix)
data.getName().append(digest)
# TODO: Check if this works in Python 3.
data.setContent(Blob(syncMessage.SerializeToString()))
self._keyChain.sign(data, self._certificateName)
self._contentCache.add(data)
def wireDecode(self, buf, wireFormat=None):
"""
Override to call the base class wireDecode then check the certificate
format.
:param input: The array with the bytes to decode. If input is not a
Blob, then copy the bytes to save the defaultWireEncoding (otherwise
take another pointer to the same Blob).
:type input: A Blob or an array type with int elements
:param wireFormat: (optional) A WireFormat object used to decode this
Data object. If omitted, use WireFormat.getDefaultWireFormat().
:type wireFormat: A subclass of WireFormat
"""
Data.wireDecode(self, buf, wireFormat)
self._checkFormat()
def wireDecode(self, input):
"""
Decode the input as an NDN-TLV SafeBag and update this object.
:param input: The array with the bytes to decode.
:type input: A Blob or an array type with int elements
"""
if isinstance(input, Blob):
input = input.buf()
# Decode directly as TLV. We don't support the WireFormat abstraction
# because this isn't meant to go directly on the wire.
decoder = TlvDecoder(input)
endOffset = decoder.readNestedTlvsStart(Tlv.SafeBag_SafeBag)
# Get the bytes of the certificate and decode.
certificateBeginOffset = decoder.getOffset()
certificateEndOffset = decoder.readNestedTlvsStart(Tlv.Data)
decoder.seek(certificateEndOffset)
self._certificate = Data()
self._certificate.wireDecode(
decoder.getSlice(certificateBeginOffset, certificateEndOffset),
TlvWireFormat.get())
self._privateKeyBag = Blob(
decoder.readBlobTlv(Tlv.SafeBag_EncryptedKeyBag), True)
decoder.finishNestedTlvs(endOffset)
def _encryptContentKey(self, encryptionKey, eKeyName, timeSlot,
onEncryptedKeys, onError):
"""
Get the content key from the database_ and encrypt it for the timeSlot
using encryptionKey.
:param Blob encryptionKey: The encryption key value.
:param Name eKeyName: The key name for the EncryptedContent.
:param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC.
:param onEncryptedKeys: When there are no more interests to process,
this calls onEncryptedKeys(keys) where keys is a list of encrypted
content key Data packets. If onEncryptedKeys is None, this does not
use it.
:type onEncryptedKeys: function object
:param onError: This calls onError(errorCode, message) for an error.
:type onError: function object
:return: True if encryption succeeds, otherwise False.
:rtype: bool
"""
timeCount = round(timeSlot)
keyRequest = self._keyRequests[timeCount]
keyName = Name(self._namespace)
keyName.append(Encryptor.NAME_COMPONENT_C_KEY)
keyName.append(
Schedule.toIsoString(Producer._getRoundedTimeSlot(timeSlot)))
contentKey = self._database.getContentKey(timeSlot)
cKeyData = Data()
cKeyData.setName(keyName)
params = EncryptParams(EncryptAlgorithmType.RsaOaep)
try:
Encryptor.encryptData(cKeyData, contentKey, eKeyName,
encryptionKey, params)
except Exception as ex:
try:
onError(EncryptError.ErrorCode.EncryptionFailure,
"encryptData error: " + repr(ex))
except:
logging.exception("Error in onError")
return False
self._keyChain.sign(cKeyData)
keyRequest.encryptedKeys.append(cKeyData)
self._updateKeyRequest(keyRequest, timeCount, onEncryptedKeys)
return True
def _encryptContentKey(self, encryptionKey, eKeyName, timeSlot,
onEncryptedKeys, onError):
"""
Get the content key from the database_ and encrypt it for the timeSlot
using encryptionKey.
:param Blob encryptionKey: The encryption key value.
:param Name eKeyName: The key name for the EncryptedContent.
:param float timeSlot: The time slot as milliseconds since Jan 1, 1970 UTC.
:param onEncryptedKeys: When there are no more interests to process,
this calls onEncryptedKeys(keys) where keys is a list of encrypted
content key Data packets. If onEncryptedKeys is None, this does not
use it.
:type onEncryptedKeys: function object
:param onError: This calls onError(errorCode, message) for an error.
:type onError: function object
:return: True if encryption succeeds, otherwise False.
:rtype: bool
"""
timeCount = round(timeSlot)
keyRequest = self._keyRequests[timeCount]
keyName = Name(self._namespace)
keyName.append(Encryptor.NAME_COMPONENT_C_KEY)
keyName.append(
Schedule.toIsoString(Producer._getRoundedTimeSlot(timeSlot)))
contentKey = self._database.getContentKey(timeSlot)
cKeyData = Data()
cKeyData.setName(keyName)
params = EncryptParams(EncryptAlgorithmType.RsaOaep)
try:
Encryptor.encryptData(
cKeyData, contentKey, eKeyName, encryptionKey, params)
except Exception as ex:
try:
onError(EncryptError.ErrorCode.EncryptionFailure,
"encryptData error: " + repr(ex))
except:
logging.exception("Error in onError")
return False
self._keyChain.sign(cKeyData)
keyRequest.encryptedKeys.append(cKeyData)
self._updateKeyRequest(keyRequest, timeCount, onEncryptedKeys)
return True
def insert(self, data):
"""
Insert a Data packet. If a Data packet with the same name, including the
implicit digest, already exists, replace it.
:param Data data: The packet to insert, which is copied.
"""
self._cache[data.getFullName()] = Data(data)
def _createEKeyData(self, startTimeStamp, endTimeStamp, publicKeyBlob):
"""
Create an E-KEY Data packet for the given public key.
:param str startTimeStamp: The start time stamp string to put in the name.
:param str endTimeStamp: The end time stamp string to put in the name.
:param Blob publicKeyBlob: A Blob of the public key DER.
:return: The Data packet.
:rtype: Data
"""
name = Name(self._namespace)
name.append(Encryptor.NAME_COMPONENT_E_KEY).append(startTimeStamp).append(endTimeStamp)
data = Data(name)
data.getMetaInfo().setFreshnessPeriod(self._freshnessHours * GroupManager.MILLISECONDS_IN_HOUR)
data.setContent(publicKeyBlob)
self._keyChain.sign(data)
return data
def __init__(self, data, successCallback, failureCallback):
super(DataValidationState, self).__init__()
# Make a copy.
self._data = Data(data)
self._successCallback = successCallback
self._failureCallback = failureCallback
if self._successCallback == None:
raise ValueError("The successCallback is None")
if self._failureCallback == None:
raise ValueError("The failureCallback is None")
def wireDecode(self, input, wireFormat=None):
"""
Override to call the base class wireDecode then populate the list of
delegations from the content.
:param input: The array with the bytes to decode.
:type input: A Blob or an array type with int elements
:param wireFormat: (optional) A WireFormat object used to decode this
DelegationSet. If omitted, use WireFormat.getDefaultWireFormat().
:type wireFormat: A subclass of WireFormat
"""
if wireFormat == None:
# Don't use a default argument since getDefaultWireFormat can change.
wireFormat = WireFormat.getDefaultWireFormat()
Data.wireDecode(self, input, wireFormat)
if self.getMetaInfo().getType() != ContentType.LINK:
raise RuntimeError(
"Link.wireDecode: MetaInfo ContentType is not LINK.")
self._delegations.wireDecode(self.getContent())
def wireDecode(self, input, wireFormat = None):
"""
Override to call the base class wireDecode then populate the list of
delegations from the content.
:param input: The array with the bytes to decode.
:type input: A Blob or an array type with int elements
:param wireFormat: (optional) A WireFormat object used to decode this
DelegationSet. If omitted, use WireFormat.getDefaultWireFormat().
:type wireFormat: A subclass of WireFormat
"""
if wireFormat == None:
# Don't use a default argument since getDefaultWireFormat can change.
wireFormat = WireFormat.getDefaultWireFormat()
Data.wireDecode(self, input, wireFormat)
if self.getMetaInfo().getType() != ContentType.LINK:
raise RuntimeError(
"Link.wireDecode: MetaInfo ContentType is not LINK.")
self._delegations.wireDecode(self.getContent())
def onReceivedElement(self, element):
"""
This is called by the transport's ElementReader to process an
entire received Data or Interest element.
:param element: The bytes of the incoming element.
:type element: An array type with int elements
"""
lpPacket = None
if element[0] == Tlv.LpPacket_LpPacket:
# Decode the LpPacket and replace element with the fragment.
lpPacket = LpPacket()
# Set copy False so that the fragment is a slice which will be
# copied below. The header fields are all integers and don't need to
# be copied.
TlvWireFormat.get().decodeLpPacket(lpPacket, element, False)
element = lpPacket.getFragmentWireEncoding().buf()
# First, decode as Interest or Data.
data = None
decoder = TlvDecoder(element)
if decoder.peekType(Tlv.Data, len(element)):
data = Data()
data.wireDecode(element, TlvWireFormat.get())
if lpPacket != None:
data.setLpPacket(lpPacket)
# Now process as Interest or Data.
if data != None:
if self._onBtleData:
self._onBtleData(data)
def onReceivedElement(self, element):
"""
This is called by the transport's ElementReader to process an
entire received Data or Interest element.
:param element: The bytes of the incoming element.
:type element: An array type with int elements
"""
# The type codes for TLV Interest and Data packets are chosen to not
# conflict with the first byte of a binary XML packet, so we canjust
# look at the first byte.
if not (element[0] == Tlv.Interest or element[0] == Tlv.Data):
# Ignore non-TLV elements.
return
# First, decode as Interest or Data.
interest = None
data = None
decoder = TlvDecoder(element)
if decoder.peekType(Tlv.Interest, len(element)):
interest = Interest()
interest.wireDecode(element, TlvWireFormat.get())
elif decoder.peekType(Tlv.Data, len(element)):
data = Data()
data.wireDecode(element, TlvWireFormat.get())
# Now process as Interest or Data.
if interest != None:
entry = self._getEntryForRegisteredPrefix(interest.getName())
if entry != None:
entry.getOnInterest()(entry.getPrefix(), interest,
self._transport,
entry.getRegisteredPrefixId())
elif data != None:
pendingInterests = self._extractEntriesForExpressedInterest(
data.getName())
for pendingInterest in pendingInterests:
pendingInterest.getOnData()(pendingInterest.getInterest(),
data)
def __init__(self, identity, dataset, keyChain, face):
self._identity = identity
self._keyChain = keyChain
self._face = face
# storage_ is for the KEK and KDKs.
self._storage = InMemoryStorageRetaining()
# The NAC identity is: <identity>/NAC/<dataset>
# Generate the NAC key.
nacIdentity = self._keyChain.createIdentityV2(
Name(identity.getName())
.append(EncryptorV2.NAME_COMPONENT_NAC).append(dataset),
RsaKeyParams())
self._nacKey = nacIdentity.getDefaultKey()
if self._nacKey.getKeyType() != KeyType.RSA:
logging.getLogger(__name__).info(
"Cannot re-use existing KEK/KDK pair, as it is not an RSA key, regenerating")
self._nacKey = self._keyChain.createKey(nacIdentity, RsaKeyParams())
nacKeyId = self._nacKey.getName().get(-1)
kekPrefix = Name(self._nacKey.getIdentityName()).append(
EncryptorV2.NAME_COMPONENT_KEK)
kekData = Data(self._nacKey.getDefaultCertificate())
kekData.setName(Name(kekPrefix).append(nacKeyId))
kekData.getMetaInfo().setFreshnessPeriod(
AccessManagerV2.DEFAULT_KEK_FRESHNESS_PERIOD_MS)
self._keyChain.sign(kekData, SigningInfo(self._identity))
# kek looks like a cert, but doesn't have ValidityPeriod
self._storage.insert(kekData)
def serveFromStorage(prefix, interest, face, interestFilterId, filter):
data = self._storage.find(interest)
if data != None:
logging.getLogger(__name__).info("Serving " +
data.getName().toUri() + " from in-memory-storage")
try:
face.putData(data)
except:
logging.exception("AccessManagerV2: Error in Face.putData")
else:
logging.getLogger(__name__).info("Didn't find data for " +
interest.getName().toUri())
# TODO: Send NACK?
def onRegisterFailed(prefix):
logging.getLogger(__name__).error(
"AccessManagerV2: Failed to register prefix " + prefix.toUri())
self._kekRegisteredPrefixId = self._face.registerPrefix(
kekPrefix, serveFromStorage, onRegisterFailed)
kdkPrefix = Name(self._nacKey.getIdentityName()).append(
EncryptorV2.NAME_COMPONENT_KDK).append(nacKeyId)
self._kdkRegisteredPrefixId_ = self._face.registerPrefix(
kdkPrefix, serveFromStorage, onRegisterFailed)
def onReceivedElement(self, element):
"""
This is called by the transport's ElementReader to process an
entire received Data or Interest element.
:param element: The bytes of the incoming element.
:type element: An array type with int elements
"""
# The type codes for TLV Interest and Data packets are chosen to not
# conflict with the first byte of a binary XML packet, so we canjust
# look at the first byte.
if not (element[0] == Tlv.Interest or element[0] == Tlv.Data):
# Ignore non-TLV elements.
return
# First, decode as Interest or Data.
interest = None
data = None
decoder = TlvDecoder(element)
if decoder.peekType(Tlv.Interest, len(element)):
interest = Interest()
interest.wireDecode(element, TlvWireFormat.get())
elif decoder.peekType(Tlv.Data, len(element)):
data = Data()
data.wireDecode(element, TlvWireFormat.get())
# Now process as Interest or Data.
if interest != None:
entry = self._getEntryForRegisteredPrefix(interest.getName())
if entry != None:
entry.getOnInterest()(
entry.getPrefix(), interest, self._transport,
entry.getRegisteredPrefixId())
elif data != None:
pendingInterests = self._extractEntriesForExpressedInterest(
data.getName())
for pendingInterest in pendingInterests:
pendingInterest.getOnData()(pendingInterest.getInterest(), data)
def __init__(self,
arg1,
privateKeyBag=None,
publicKeyEncoding=None,
password=None,
digestAlgorithm=DigestAlgorithm.SHA256,
wireFormat=None):
if isinstance(arg1, Name):
keyName = arg1
if wireFormat == None:
# Don't use a default argument since getDefaultWireFormat can change.
wireFormat = WireFormat.getDefaultWireFormat()
self._certificate = SafeBag._makeSelfSignedCertificate(
keyName, privateKeyBag, publicKeyEncoding, password,
digestAlgorithm, wireFormat)
self._privateKeyBag = privateKeyBag
elif isinstance(arg1, Data):
# The certificate is supplied.
self._certificate = Data(arg1)
self._privateKeyBag = privateKeyBag
else:
# Assume the first argument is the encoded SafeBag.
self.wireDecode(arg1)
def addMember(self, memberCertificate):
"""
Authorize a member identified by memberCertificate to decrypt data under
the policy.
:param CertificateV2 memberCertificate: The certificate that identifies
the member to authorize.
:return: The published KDK Data packet.
:rtype: Data
"""
kdkName = Name(self._nacKey.getIdentityName())
kdkName.append(EncryptorV2.NAME_COMPONENT_KDK).append(
# key-id
self._nacKey.getName().get(-1)).append(
EncryptorV2.NAME_COMPONENT_ENCRYPTED_BY).append(
memberCertificate.getKeyName())
secretLength = 32
secret = bytearray(secretLength)
for i in range(secretLength):
secret[i] = _systemRandom.randint(0, 0xff)
# To be compatible with OpenSSL which uses a null-terminated string,
# replace each 0 with 1. And to be compatible with the Java security
# library which interprets the secret as a char array converted to UTF8,
# limit each byte to the ASCII range 1 to 127.
for i in range(secretLength):
if secret[i] == 0:
secret[i] = 1
secret[i] &= 0x7f
kdkSafeBag = self._keyChain.exportSafeBag(
self._nacKey.getDefaultCertificate(),
Blob(secret, False).toBytes())
memberKey = PublicKey(memberCertificate.getPublicKey())
encryptedContent = EncryptedContent()
encryptedContent.setPayload(kdkSafeBag.wireEncode())
encryptedContent.setPayloadKey(
memberKey.encrypt(
Blob(secret, False).toBytes(), EncryptAlgorithmType.RsaOaep))
kdkData = Data(kdkName)
kdkData.setContent(encryptedContent.wireEncodeV2())
# FreshnessPeriod can serve as a soft access control for revoking access.
kdkData.getMetaInfo().setFreshnessPeriod(
AccessManagerV2.DEFAULT_KDK_FRESHNESS_PERIOD_MS)
self._keyChain.sign(kdkData, SigningInfo(self._identity))
self._storage.insert(kdkData)
return kdkData
def __init__(self, arg1, privateKeyBag = None,
publicKeyEncoding = None, password = None,
digestAlgorithm = DigestAlgorithm.SHA256, wireFormat = None):
if isinstance(arg1, Name):
keyName = arg1
if wireFormat == None:
# Don't use a default argument since getDefaultWireFormat can change.
wireFormat = WireFormat.getDefaultWireFormat()
self._certificate = SafeBag._makeSelfSignedCertificate(
keyName, privateKeyBag, publicKeyEncoding, password,
digestAlgorithm, wireFormat)
self._privateKeyBag = privateKeyBag
elif isinstance(arg1, Data):
# The certificate is supplied.
self._certificate = Data(arg1)
self._privateKeyBag = privateKeyBag
else:
# Assume the first argument is the encoded SafeBag.
self.wireDecode(arg1)
def _broadcastSyncState(self, digest, syncMessage):
"""
Make a data packet with the syncMessage and with name
applicationBroadcastPrefix_ + digest. Sign and send.
:param str digest: The root digest as a hex string for the data packet
name.
:param sync_state_pb2.SyncState syncMessage:
"""
data = Data(self._applicationBroadcastPrefix)
data.getName().append(digest)
# TODO: Check if this works in Python 3.
data.setContent(Blob(syncMessage.SerializeToString()))
self._keyChain.sign(data, self._certificateName)
self._contentCache.add(data)
def _makeAndPublishCkData(self, onError):
"""
Make a CK Data packet for _ckName encrypted by the KEK in _kekData and
insert it in the _storage.
:param onError: On failure, this calls onError(errorCode, message) where
errorCode is from EncryptError.ErrorCode, and message is an error
string.
:type onError: function object
:return: True on success, else False.
:rtype: bool
"""
try:
kek = PublicKey(self._kekData.getContent())
content = EncryptedContent()
content.setPayload(
kek.encrypt(Blob(self._ckBits, False),
EncryptAlgorithmType.RsaOaep))
ckData = Data(
Name(self._ckName).append(
EncryptorV2.NAME_COMPONENT_ENCRYPTED_BY).append(
self._kekData.getName()))
ckData.setContent(content.wireEncodeV2())
# FreshnessPeriod can serve as a soft access control for revoking access.
ckData.getMetaInfo().setFreshnessPeriod(
EncryptorV2.DEFAULT_CK_FRESHNESS_PERIOD_MS)
self._keyChain.sign(ckData, self._ckDataSigningInfo)
self._storage.insert(ckData)
logging.getLogger(__name__).info("Publishing CK data: " +
ckData.getName().toUri())
return True
except Exception as ex:
onError(
EncryptError.ErrorCode.EncryptionFailure,
"Failed to encrypt generated CK with KEK " +
self._kekData.getName().toUri())
return False
def _createEKeyData(self, startTimeStamp, endTimeStamp, publicKeyBlob):
"""
Create an E-KEY Data packet for the given public key.
:param str startTimeStamp: The start time stamp string to put in the name.
:param str endTimeStamp: The end time stamp string to put in the name.
:param Blob publicKeyBlob: A Blob of the public key DER.
:return: The Data packet.
:rtype: Data
"""
name = Name(self._namespace)
name.append(Encryptor.NAME_COMPONENT_E_KEY).append(
startTimeStamp).append(endTimeStamp)
data = Data(name)
data.getMetaInfo().setFreshnessPeriod(
self._freshnessHours * GroupManager.MILLISECONDS_IN_HOUR)
data.setContent(publicKeyBlob)
self._keyChain.sign(data)
return data
def _makeAndPublishCkData(self, onError):
"""
Make a CK Data packet for _ckName encrypted by the KEK in _kekData and
insert it in the _storage.
:param onError: On failure, this calls onError(errorCode, message) where
errorCode is from EncryptError.ErrorCode, and message is an error
string.
:type onError: function object
:return: True on success, else False.
:rtype: bool
"""
try:
kek = PublicKey(self._kekData.getContent())
content = EncryptedContent()
content.setPayload(kek.encrypt
(Blob(self._ckBits, False), EncryptAlgorithmType.RsaOaep))
ckData = Data(
Name(self._ckName).append(EncryptorV2.NAME_COMPONENT_ENCRYPTED_BY)
.append(self._kekData.getName()))
ckData.setContent(content.wireEncodeV2())
# FreshnessPeriod can serve as a soft access control for revoking access.
ckData.getMetaInfo().setFreshnessPeriod(
EncryptorV2.DEFAULT_CK_FRESHNESS_PERIOD_MS)
self._keyChain.sign(ckData, self._ckDataSigningInfo)
self._storage.insert(ckData)
logging.getLogger(__name__).info("Publishing CK data: " +
ckData.getName().toUri())
return True
except Exception as ex:
onError(EncryptError.ErrorCode.EncryptionFailure,
"Failed to encrypt generated CK with KEK " +
self._kekData.getName().toUri())
return False
def wireDecode(self, buf, wireFormat = None):
"""
Make sure the fields are populated after decoding
"""
Data.wireDecode(self, buf, wireFormat)
self.decode()
def onReceivedElement(self, element):
"""
This is called by the transport's ElementReader to process an
entire received Data or Interest element.
:param element: The bytes of the incoming element.
:type element: An array type with int elements
"""
lpPacket = None
if element[0] == Tlv.LpPacket_LpPacket:
# Decode the LpPacket and replace element with the fragment.
lpPacket = LpPacket()
# Set copy False so that the fragment is a slice which will be
# copied below. The header fields are all integers and don't need to
# be copied.
TlvWireFormat.get().decodeLpPacket(lpPacket, element, False)
element = lpPacket.getFragmentWireEncoding().buf()
# First, decode as Interest or Data.
interest = None
data = None
decoder = TlvDecoder(element)
if decoder.peekType(Tlv.Interest, len(element)):
interest = Interest()
interest.wireDecode(element, TlvWireFormat.get())
if lpPacket != None:
interest.setLpPacket(lpPacket)
elif decoder.peekType(Tlv.Data, len(element)):
data = Data()
data.wireDecode(element, TlvWireFormat.get())
if lpPacket != None:
data.setLpPacket(lpPacket)
if lpPacket != None:
# We have decoded the fragment, so remove the wire encoding to save
# memory.
lpPacket.setFragmentWireEncoding(Blob())
networkNack = NetworkNack.getFirstHeader(lpPacket)
if networkNack != None:
if interest == None:
# We got a Nack but not for an Interest, so drop the packet.
return
pendingInterests = []
self._pendingInterestTable.extractEntriesForNackInterest(
interest, pendingInterests)
for pendingInterest in pendingInterests:
try:
pendingInterest.getOnNetworkNack()(
pendingInterest.getInterest(), networkNack)
except:
logging.exception("Error in onNetworkNack")
# We have processed the network Nack packet.
return
# Now process as Interest or Data.
if interest != None:
# Call all interest filter callbacks which match.
matchedFilters = []
self._interestFilterTable.getMatchedFilters(
interest, matchedFilters)
for i in range(len(matchedFilters)):
entry = matchedFilters[i]
includeFilter = True
onInterestCall = entry.getOnInterest()
# If onInterest is not a function nor a method assumes it is a
# calleable object
if (not inspect.isfunction(onInterestCall)
and not inspect.ismethod(onInterestCall)):
onInterestCall = onInterestCall.__call__
# Use getcallargs to test if onInterest accepts 5 args.
try:
inspect.getcallargs(onInterestCall, None, None, None, None,
None)
except TypeError:
# Assume onInterest is old-style with 4 arguments.
includeFilter = False
if includeFilter:
try:
entry.getOnInterest()(entry.getFilter().getPrefix(),
interest, entry.getFace(),
entry.getInterestFilterId(),
entry.getFilter())
except:
logging.exception("Error in onInterest")
else:
# Old-style onInterest without the filter argument. We
# still pass a Face instead of Transport since Face also
# has a send method.
try:
entry.getOnInterest()(entry.getFilter().getPrefix(),
interest, entry.getFace(),
entry.getInterestFilterId())
except:
logging.exception("Error in onInterest")
elif data != None:
pendingInterests = []
self._pendingInterestTable.extractEntriesForExpressedInterest(
data, pendingInterests)
for pendingInterest in pendingInterests:
try:
pendingInterest.getOnData()(pendingInterest.getInterest(),
data)
except:
logging.exception("Error in onData")
def onReceivedElement(self, element):
"""
This is called by the transport's ElementReader to process an
entire received Data or Interest element.
:param element: The bytes of the incoming element.
:type element: An array type with int elements
"""
lpPacket = None
if element[0] == Tlv.LpPacket_LpPacket:
# Decode the LpPacket and replace element with the fragment.
lpPacket = LpPacket()
# Set copy False so that the fragment is a slice which will be
# copied below. The header fields are all integers and don't need to
# be copied.
TlvWireFormat.get().decodeLpPacket(lpPacket, element, False)
element = lpPacket.getFragmentWireEncoding().buf()
# First, decode as Interest or Data.
interest = None
data = None
decoder = TlvDecoder(element)
if decoder.peekType(Tlv.Interest, len(element)):
interest = Interest()
interest.wireDecode(element, TlvWireFormat.get())
if lpPacket != None:
interest.setLpPacket(lpPacket)
elif decoder.peekType(Tlv.Data, len(element)):
data = Data()
data.wireDecode(element, TlvWireFormat.get())
if lpPacket != None:
data.setLpPacket(lpPacket)
if lpPacket != None:
# We have decoded the fragment, so remove the wire encoding to save
# memory.
lpPacket.setFragmentWireEncoding(Blob())
networkNack = NetworkNack.getFirstHeader(lpPacket)
if networkNack != None:
if interest == None:
# We got a Nack but not for an Interest, so drop the packet.
return
pendingInterests = []
self._pendingInterestTable.extractEntriesForNackInterest(
interest, pendingInterests)
for pendingInterest in pendingInterests:
try:
pendingInterest.getOnNetworkNack()(
pendingInterest.getInterest(), networkNack)
except:
logging.exception("Error in onNetworkNack")
# We have processed the network Nack packet.
return
# Now process as Interest or Data.
if interest != None:
# Call all interest filter callbacks which match.
matchedFilters = []
self._interestFilterTable.getMatchedFilters(interest, matchedFilters)
for i in range(len(matchedFilters)):
entry = matchedFilters[i]
includeFilter = True
onInterestCall = entry.getOnInterest()
# If onInterest is not a function nor a method assumes it is a
# calleable object
if (not inspect.isfunction(onInterestCall) and
not inspect.ismethod(onInterestCall)):
onInterestCall = onInterestCall.__call__
# Use getcallargs to test if onInterest accepts 5 args.
try:
inspect.getcallargs(onInterestCall,
None, None, None, None, None)
except TypeError:
# Assume onInterest is old-style with 4 arguments.
includeFilter = False
if includeFilter:
try:
entry.getOnInterest()(
entry.getFilter().getPrefix(), interest,
entry.getFace(), entry.getInterestFilterId(),
entry.getFilter())
except:
logging.exception("Error in onInterest")
else:
# Old-style onInterest without the filter argument. We
# still pass a Face instead of Transport since Face also
# has a send method.
try:
entry.getOnInterest()(
entry.getFilter().getPrefix(), interest,
entry.getFace(), entry.getInterestFilterId())
except:
logging.exception("Error in onInterest")
elif data != None:
pendingInterests = []
self._pendingInterestTable.extractEntriesForExpressedInterest(
data, pendingInterests)
for pendingInterest in pendingInterests:
try:
pendingInterest.getOnData()(pendingInterest.getInterest(), data)
except:
logging.exception("Error in onData")
def _registerPrefixHelper(
self, registeredPrefixId, prefix, onInterest, onRegisterFailed, flags,
wireFormat, face):
"""
Do the work of registerPrefix to register with NDNx once we have an
_ndndId.
:param int registeredPrefixId: The getNextEntryId() which registerPrefix
got so it could return it to the caller. If this is 0, then don't add
to _registeredPrefixTable (assuming it has already been done).
"""
if not WireFormat.ENABLE_NDNX:
# We can get here if the command signing info is set, but running NDNx.
raise RuntimeError(
"registerPrefix with NDNx is deprecated. To enable while you upgrade your code to use NFD, set WireFormat.ENABLE_NDNX = True")
# Create a ForwardingEntry.
# Note: ndnd ignores any freshness that is larger than 3600 seconds and
# sets 300 seconds instead. To register "forever", (=2000000000 sec),
# the freshness period must be omitted.
forwardingEntry = ForwardingEntry()
forwardingEntry.setAction("selfreg")
forwardingEntry.setPrefix(prefix)
forwardingEntry.setForwardingFlags(flags)
content = forwardingEntry.wireEncode(wireFormat)
# Set the ForwardingEntry as the content of a Data packet and sign.
data = Data()
data.setContent(content)
# Set the name to a random value so that each request is unique.
nonce = bytearray(4)
for i in range(len(nonce)):
nonce[i] = _systemRandom.randint(0, 0xff)
data.getName().append(nonce)
# The ndnd ignores the signature, so set to blank values.
data.getSignature().getKeyLocator().setType(
KeyLocatorType.KEY_LOCATOR_DIGEST)
data.getSignature().getKeyLocator().setKeyData(
Blob(bytearray(32), False))
data.getSignature().setSignature(Blob(bytearray(128), False))
encodedData = data.wireEncode(wireFormat)
# Create an interest where the name has the encoded Data packet.
interestName = Name().append("ndnx").append(self._ndndId).append(
"selfreg").append(encodedData)
interest = Interest(interestName)
interest.setInterestLifetimeMilliseconds(4000.0)
interest.setScope(1)
if registeredPrefixId != 0:
interestFilterId = 0
if onInterest != None:
# registerPrefix was called with the "combined" form that includes
# the callback, so add an InterestFilterEntry.
interestFilterId = self.getNextEntryId()
self.setInterestFilter(
interestFilterId, InterestFilter(prefix), onInterest, face)
self._registeredPrefixTable.append(Node._RegisteredPrefix(
registeredPrefixId, prefix, interestFilterId))
# Send the registration interest.
response = Node._RegisterResponse(
self, prefix, onInterest, onRegisterFailed, flags, wireFormat, False,
face)
self.expressInterest(
self.getNextEntryId(), interest, response.onData, response.onTimeout,
wireFormat, face)
def onReceivedElement(self, element):
"""
This is called by the transport's ElementReader to process an
entire received Data or Interest element.
:param element: The bytes of the incoming element.
:type element: An array type with int elements
"""
# The type codes for TLV Interest and Data packets are chosen to not
# conflict with the first byte of a binary XML packet, so we canjust
# look at the first byte.
if not (element[0] == Tlv.Interest or element[0] == Tlv.Data):
# Ignore non-TLV elements.
# Assume it is Binary XML.
if not WireFormat.ENABLE_NDNX:
raise RuntimeError(
"BinaryXmlWireFormat (NDNx) is deprecated. To enable while you upgrade your network to use NDN-TLV, set WireFormat.ENABLE_NDNX = True")
return
# First, decode as Interest or Data.
interest = None
data = None
decoder = TlvDecoder(element)
if decoder.peekType(Tlv.Interest, len(element)):
interest = Interest()
interest.wireDecode(element, TlvWireFormat.get())
elif decoder.peekType(Tlv.Data, len(element)):
data = Data()
data.wireDecode(element, TlvWireFormat.get())
# Now process as Interest or Data.
if interest != None:
# Call all interest filter callbacks which match.
for i in range(len(self._interestFilterTable)):
entry = self._interestFilterTable[i]
if entry.getFilter().doesMatch(interest.getName()):
includeFilter = True
# Use getcallargs to test if onInterest accepts 5 args.
try:
inspect.getcallargs(entry.getOnInterest(),
None, None, None, None, None)
except TypeError:
# Assume onInterest is old-style with 4 arguments.
includeFilter = False
if includeFilter:
entry.getOnInterest()(
entry.getFilter().getPrefix(), interest,
entry.getFace(), entry.getInterestFilterId(),
entry.getFilter())
else:
# Old-style onInterest without the filter argument. We
# still pass a Face instead of Transport since Face also
# has a send method.
entry.getOnInterest()(
entry.getFilter().getPrefix(), interest,
entry.getFace(), entry.getInterestFilterId())
elif data != None:
pendingInterests = self._extractEntriesForExpressedInterest(
data.getName())
for pendingInterest in pendingInterests:
pendingInterest.getOnData()(pendingInterest.getInterest(), data)
def onReceivedElement(self, element):
"""
This is called by the transport's ElementReader to process an
entire received Data or Interest element.
:param element: The bytes of the incoming element.
:type element: An array type with int elements
"""
lpPacket = None
if element[0] == Tlv.LpPacket_LpPacket:
# Decode the LpPacket and replace element with the fragment.
lpPacket = LpPacket()
# Set copy False so that the fragment is a slice which will be
# copied below. The header fields are all integers and don't need to
# be copied.
TlvWireFormat.get().decodeLpPacket(lpPacket, element, False)
element = lpPacket.getFragmentWireEncoding().buf()
# First, decode as Interest or Data.
interest = None
data = None
decoder = TlvDecoder(element)
if decoder.peekType(Tlv.Interest, len(element)):
interest = Interest()
interest.wireDecode(element, TlvWireFormat.get())
if lpPacket != None:
interest.setLpPacket(lpPacket)
elif decoder.peekType(Tlv.Data, len(element)):
data = Data()
data.wireDecode(element, TlvWireFormat.get())
if lpPacket != None:
data.setLpPacket(lpPacket)
if lpPacket != None:
# We have decoded the fragment, so remove the wire encoding to save
# memory.
lpPacket.setFragmentWireEncoding(Blob())
networkNack = NetworkNack.getFirstHeader(lpPacket)
if networkNack != None:
if interest == None:
# We got a Nack but not for an Interest, so drop the packet.
return
pendingInterests = []
self._pendingInterestTable.extractEntriesForNackInterest(
interest, pendingInterests)
for pendingInterest in pendingInterests:
try:
pendingInterest.getOnNetworkNack()(
pendingInterest.getInterest(), networkNack)
except:
logging.exception("Error in onNetworkNack")
# We have processed the network Nack packet.
return
# Now process as Interest or Data.
if interest != None:
self._dispatchInterest(interest)
elif data != None:
self._satisfyPendingInterests(data)
def _registerPrefixHelper(self, registeredPrefixId, prefix, onInterest,
onRegisterFailed, flags, wireFormat):
"""
Do the work of registerPrefix to register with NDNx once we have an
ndndId_.
:param int registeredPrefixId: The
_RegisteredPrefix.getNextRegisteredPrefixId() which registerPrefix got
so it could return it to the caller. If this is 0, then don't add to
registeredPrefixTable_ (assuming it has already been done).
"""
# Create a ForwardingEntry.
# Note: ndnd ignores any freshness that is larger than 3600 seconds and
# sets 300 seconds instead. To register "forever", (=2000000000 sec),
# the freshness period must be omitted.
forwardingEntry = ForwardingEntry()
forwardingEntry.setAction("selfreg")
forwardingEntry.setPrefix(prefix)
forwardingEntry.setForwardingFlags(flags)
content = forwardingEntry.wireEncode(wireFormat)
# Set the ForwardingEntry as the content of a Data packet and sign.
data = Data()
data.setContent(content)
# Set the name to a random value so that each request is unique.
nonce = bytearray(4)
for i in range(len(nonce)):
nonce[i] = _systemRandom.randint(0, 0xff)
data.getName().append(nonce)
# The ndnd ignores the signature, so set to blank values.
data.getSignature().getKeyLocator().setType(
KeyLocatorType.KEY_LOCATOR_DIGEST)
data.getSignature().getKeyLocator().setKeyData(
Blob(bytearray(32), False))
data.getSignature().setSignature(Blob(bytearray(128), False))
encodedData = data.wireEncode(wireFormat)
# Create an interest where the name has the encoded Data packet.
interestName = Name().append("ndnx").append(
self._ndndId).append("selfreg").append(encodedData)
interest = Interest(interestName)
interest.setInterestLifetimeMilliseconds(4000.0)
interest.setScope(1)
encodedInterest = interest.wireEncode(wireFormat)
if registeredPrefixId != 0:
# Save the onInterest callback and send the registration interest.
self._registeredPrefixTable.append(
Node._RegisteredPrefix(registeredPrefixId, prefix, onInterest))
response = Node._RegisterResponse(self, prefix, onInterest,
onRegisterFailed, flags, wireFormat,
False)
self.expressInterest(interest, response.onData, response.onTimeout,
wireFormat)
def _registerPrefixHelper(
self, registeredPrefixId, prefix, onInterest, onRegisterFailed, flags,
wireFormat):
"""
Do the work of registerPrefix to register with NDNx once we have an
_ndndId.
:param int registeredPrefixId: The
_RegisteredPrefix.getNextRegisteredPrefixId() which registerPrefix got
so it could return it to the caller. If this is 0, then don't add to
_registeredPrefixTable (assuming it has already been done).
"""
# Create a ForwardingEntry.
# Note: ndnd ignores any freshness that is larger than 3600 seconds and
# sets 300 seconds instead. To register "forever", (=2000000000 sec),
# the freshness period must be omitted.
forwardingEntry = ForwardingEntry()
forwardingEntry.setAction("selfreg")
forwardingEntry.setPrefix(prefix)
forwardingEntry.setForwardingFlags(flags)
content = forwardingEntry.wireEncode(wireFormat)
# Set the ForwardingEntry as the content of a Data packet and sign.
data = Data()
data.setContent(content)
# Set the name to a random value so that each request is unique.
nonce = bytearray(4)
for i in range(len(nonce)):
nonce[i] = _systemRandom.randint(0, 0xff)
data.getName().append(nonce)
# The ndnd ignores the signature, so set to blank values.
data.getSignature().getKeyLocator().setType(
KeyLocatorType.KEY_LOCATOR_DIGEST)
data.getSignature().getKeyLocator().setKeyData(
Blob(bytearray(32), False))
data.getSignature().setSignature(Blob(bytearray(128), False))
encodedData = data.wireEncode(wireFormat)
# Create an interest where the name has the encoded Data packet.
interestName = Name().append("ndnx").append(self._ndndId).append(
"selfreg").append(encodedData)
interest = Interest(interestName)
interest.setInterestLifetimeMilliseconds(4000.0)
interest.setScope(1)
encodedInterest = interest.wireEncode(wireFormat)
if registeredPrefixId != 0:
# Save the onInterest callback and send the registration interest.
self._registeredPrefixTable.append(Node._RegisteredPrefix(
registeredPrefixId, prefix, onInterest))
response = Node._RegisterResponse(
self, prefix, onInterest, onRegisterFailed, flags, wireFormat, False)
self.expressInterest(
interest, response.onData, response.onTimeout, wireFormat)
def _processSyncInterest(self, index, syncDigest, face):
"""
Common interest processing, using digest log to find the difference
after syncDigest.
:return: True if sent a data packet to satisfy the interest, otherwise
False.
:rtype: bool
"""
nameList = [] # of str
sequenceNoList = [] # of int
sessionNoList = [] # of int
for j in range(index + 1, len(self._digestLog)):
temp = self._digestLog[j].getData() # array of sync_state_pb2.SyncState.
for i in range(len(temp)):
syncState = temp[i]
if syncState.type != SyncState_UPDATE:
continue
if self._digestTree.find(
syncState.name, syncState.seqno.session) != -1:
n = -1
for k in range(len(nameList)):
if nameList[k] == syncState.name:
n = k
break
if n == -1:
nameList.append(syncState.name)
sequenceNoList.append(syncState.seqno.seq)
sessionNoList.append(syncState.seqno.session)
else:
sequenceNoList[n] = syncState.seqno.seq
sessionNoList[n] = syncState.seqno.session
tempContent = SyncStateMsg()
for i in range(len(nameList)):
content = getattr(tempContent, "ss").add()
content.name = nameList[i]
content.type = SyncState_UPDATE
content.seqno.seq = sequenceNoList[i]
content.seqno.session = sessionNoList[i]
sent = False
if len(getattr(tempContent, "ss")) != 0:
name = Name(self._applicationBroadcastPrefix)
name.append(syncDigest)
# TODO: Check if this works in Python 3.
#pylint: disable=E1103
array = tempContent.SerializeToString()
#pylint: enable=E1103
data = Data(name)
data.setContent(Blob(array))
self._keyChain.sign(data, self._certificateName)
try:
face.putData(data)
except Exception as ex:
logging.getLogger(__name__).error(
"Error in face.putData: %s", str(ex))
return
sent = True
logging.getLogger(__name__).info("Sync Data send")
logging.getLogger(__name__).info("%s", name.toUri())
return sent
from pyndn.forwarding_flags import ForwardingFlags
for p in [("name",Name("yes"),Name("another")), ("faceId", 32, None), ("localControlFeature", 1, None), ("origin", 2, 9), ("cost", 1, None), ("forwardingFlags", ForwardingFlags(), ForwardingFlags()), ("expirationPeriod", 1000.1, None)]:
res = testPropertyRW( ControlParameters(), p[0], [p[1],p[2]])
if not res[0]: print(res)
# Data
#
from pyndn.data import Data
from pyndn.name import Name
from pyndn.meta_info import MetaInfo
from pyndn.signature import Signature
from pyndn.util.blob import Blob
# We do not test the signature property because clone is not yet implemented for it.
#
for p in [("name",Name("yes"),Name("another")), ("metaInfo", MetaInfo(), MetaInfo()), ("content", Blob("foo"), Blob("bar"))]:
res = testPropertyRW( Data(), p[0], [p[1],p[2]])
if not res[0]: print(res)
# ForwardingFlags
# All boolean, so use shortcut below
#
from pyndn.forwarding_flags import ForwardingFlags
for p in ["active", "childInherit", "advertise", "last", "capture", "local", "tap", "captureOk"]:
res = testPropertyRW( ForwardingFlags(), p, [True, False] )
if not res[0]: print(res)
# Interest
# TODO: We do not check exclude because there is no equals() for it yet.
# TODO: When passing None as the KeyLocator, it generates a blank KeyLocator object, so equivalence checks fail. Don't check None.
#
from pyndn.name import Name
def publish(self, interestName, dataName, content, freshnessPeriod,
signingInfo = SigningInfo()):
"""
Put all the segments in the memory store.
:param Name interestName: If the Interest name ends in a segment,
immediately send the Data packet for the segment to the Face.
:param Name dataName: The Data name, which has components after the
Interest name.
:param Blob content: The content of the data to be segmented.
:param float freshnessPeriod The freshness period of the segments,
in milliseconds.
:param SigningInfo signingInfo (optional) The SigningInfo for signing
segment Data packets. If omitted, use the default SigningInfo().
"""
interestSegment = 0
if interestName[-1].isSegment():
interestSegment = interestName[-1].toSegment()
rawBuffer = content.buf()
iSegmentBegin = 0
iEnd = len(content)
maxPacketSize = int(Common.MAX_NDN_PACKET_SIZE / 2)
totalSegments = int(len(content) / maxPacketSize)
finalBlockId = Name.Component.fromSegment(totalSegments)
segmentPrefix = Name(dataName)
segmentPrefix.appendVersion(int(Common.getNowMilliseconds()))
segmentNo = 0
while(True):
iSegmentEnd = iSegmentBegin + maxPacketSize
if iSegmentEnd > iEnd:
iSegmentEnd = iEnd
segmentName = Name(segmentPrefix)
segmentName.appendSegment(segmentNo)
data = Data(segmentName)
data.setContent(Blob(rawBuffer[iSegmentBegin : iSegmentEnd]))
data.getMetaInfo().setFreshnessPeriod(freshnessPeriod)
data.getMetaInfo().setFinalBlockId(finalBlockId)
iSegmentBegin = iSegmentEnd
self._keyChain.sign(data, signingInfo)
# Only send the segment to the Face if it has a pending interest.
# Otherwise, the segment is unsolicited.
if interestSegment == segmentNo:
self._face.putData(data)
# Until InMemoryStorageFifo implements an eviction policy, use InMemoryStorageRetaining.
# storage_.insert(*data, freshnessPeriod)
self._storage.insert(data)
# Make and return a callback since segmentName is different each time.
def makeCallback(localSegmentName):
def callback():
self._storage.remove(localSegmentName)
return callback
self._face.callLater(freshnessPeriod, makeCallback(segmentName))
segmentNo += 1
if not (iSegmentBegin < iEnd):
break
def onReceivedElement(self, element):
"""
This is called by the transport's ElementReader to process an
entire received Data or Interest element.
:param element: The bytes of the incoming element.
:type element: An array type with int elements
"""
lpPacket = None
if element[0] == Tlv.LpPacket_LpPacket:
# Decode the LpPacket and replace element with the fragment.
lpPacket = LpPacket()
# Set copy False so that the fragment is a slice which will be
# copied below. The header fields are all integers and don't need to
# be copied.
TlvWireFormat.get().decodeLpPacket(lpPacket, element, False)
element = lpPacket.getFragmentWireEncoding().buf()
# First, decode as Interest or Data.
interest = None
data = None
decoder = TlvDecoder(element)
if decoder.peekType(Tlv.Interest, len(element)):
interest = Interest()
interest.wireDecode(element, TlvWireFormat.get())
if lpPacket != None:
interest.setLpPacket(lpPacket)
elif decoder.peekType(Tlv.Data, len(element)):
data = Data()
data.wireDecode(element, TlvWireFormat.get())
if lpPacket != None:
data.setLpPacket(lpPacket)
if lpPacket != None:
# We have decoded the fragment, so remove the wire encoding to save
# memory.
lpPacket.setFragmentWireEncoding(Blob())
networkNack = NetworkNack.getFirstHeader(lpPacket)
if networkNack != None:
if interest == None:
# We got a Nack but not for an Interest, so drop the packet.
return
pendingInterests = []
self._pendingInterestTable.extractEntriesForNackInterest(
interest, pendingInterests)
for pendingInterest in pendingInterests:
try:
pendingInterest.getOnNetworkNack()(
pendingInterest.getInterest(), networkNack)
except:
logging.exception("Error in onNetworkNack")
# We have processed the network Nack packet.
return
# Now process as Interest or Data.
if interest != None:
self._dispatchInterest(interest)
elif data != None:
self._satisfyPendingInterests(data)
class DataValidationState(ValidationState):
"""
Create a DataValidationState for the Data packet. The caller must ensure
that the state instance is valid until the validation finishes (i.e., until
validateCertificateChain() and validateOriginalPacket() have been called).
:param Data data: The Date packet being validated, which is copied.
:param successCallback: This calls successCallback(data) to report a
successful Data validation.
:type successCallback: function object
:param failureCallback: This calls failureCallback(data, error) to report a
failed Data validation, where error is a ValidationError.
:type failureCallback: function object
"""
def __init__(self, data, successCallback, failureCallback):
super(DataValidationState, self).__init__()
# Make a copy.
self._data = Data(data)
self._successCallback = successCallback
self._failureCallback = failureCallback
if self._successCallback == None:
raise ValueError("The successCallback is None")
if self._failureCallback == None:
raise ValueError("The failureCallback is None")
def fail(self, error):
"""
Call the failure callback.
:param ValidationError error:
"""
logging.getLogger(__name__).info("" + str(error))
try:
self._failureCallback(self._data, error)
except:
logging.exception("Error in failureCallback")
self.setOutcome(False)
def getOriginalData(self):
"""
Get the original Data packet being validated which was given to the
constructor.
:return: The original Data packet.
:rtype: Data
"""
return self._data
def _verifyOriginalPacket(self, trustedCertificate):
"""
Verify the signature of the original packet. This is only called by the
Validator class.
:param CertificateV2 trustedCertificate: The certificate that signs the
original packet.
"""
if VerificationHelpers.verifyDataSignature(self._data,
trustedCertificate):
logging.getLogger(__name__).info("OK signature for data `" +
self._data.getName().toUri() +
"`")
try:
self._successCallback(self._data)
except:
logging.exception("Error in successCallback")
self.setOutcome(True)
else:
self.fail(
ValidationError(
ValidationError.INVALID_SIGNATURE,
"Invalid signature of data `" +
self._data.getName().toUri() + "`"))
def _bypassValidation(self):
"""
Call the success callback of the original packet without signature
validation. This is only called by the Validator class.
"""
logging.getLogger(
__name__).info("Signature verification bypassed for data `" +
self._data.getName().toUri() + "`")
try:
self._successCallback(self._data)
except:
logging.exception("Error in successCallback")
self.setOutcome(True)
def wireDecode(self, buf, wireFormat = None):
"""
Make sure the fields are populated after decoding
"""
Data.wireDecode(self, buf, wireFormat)
self.decode()
class SafeBag(object):
"""
There are three forms of the SafeBag constructor:
SafeBag(certificate, privateKeyBag) - Create a SafeBag with the given
certificate and private key.
SafeBag(keyName, privateKeyBag, publicKeyEncoding [, password,
digestAlgorithm, wireFormat]) - Create a SafeBag with given private key
and a new self-signed certificate for the given public key.
SafeBag(input) - Create a SafeBag by decoding the input as an NDN-TLV SafeBag.
:param Data certificate: The certificate data packet (used only for
SafeBag(certificate, privateKeyBag)). This copies the object.
:param Blob privateKeyBag: The encoded private key. If encrypted, this is a
PKCS #8 EncryptedPrivateKeyInfo. If not encrypted, this is an unencrypted
PKCS #8 PrivateKeyInfo.
:param password: (optional) The password for decrypting the private key in
order to sign the self-signed certificate, which should have characters in
the range of 1 to 127. If the password is supplied, use it to decrypt the
PKCS #8 EncryptedPrivateKeyInfo. If the password is omitted or None,
privateKeyBag is an unencrypted PKCS #8 PrivateKeyInfo.
:type password: an array which implements the buffer protocol
:param int digestAlgorithm: (optional) The digest algorithm for signing the
self-signed certificate. If omitted, use DigestAlgorithm.SHA256 .
:type digestAlgorithm: int from the DigestAlgorithm enum
:param WireFormat wireFormat: (optional) A WireFormat object used to encode
the self-signed certificate in order to sign it. If omitted, use
WireFormat.getDefaultWireFormat().
:param input: The array with the bytes to decode.
:type input: A Blob or an array type with int elements
"""
def __init__(self,
arg1,
privateKeyBag=None,
publicKeyEncoding=None,
password=None,
digestAlgorithm=DigestAlgorithm.SHA256,
wireFormat=None):
if isinstance(arg1, Name):
keyName = arg1
if wireFormat == None:
# Don't use a default argument since getDefaultWireFormat can change.
wireFormat = WireFormat.getDefaultWireFormat()
self._certificate = SafeBag._makeSelfSignedCertificate(
keyName, privateKeyBag, publicKeyEncoding, password,
digestAlgorithm, wireFormat)
self._privateKeyBag = privateKeyBag
elif isinstance(arg1, Data):
# The certificate is supplied.
self._certificate = Data(arg1)
self._privateKeyBag = privateKeyBag
else:
# Assume the first argument is the encoded SafeBag.
self.wireDecode(arg1)
def getCertificate(self):
"""
Get the certificate data packet.
:return: The certificate as a Data packet. If you need to process it as
a certificate object then you must create a new CertificateV2(data).
:rtype: Data
"""
return self._certificate
def getPrivateKeyBag(self):
"""
Get the encoded private key.
:return: The encoded private key. If encrypted, this is a PKCS #8
EncryptedPrivateKeyInfo. If not encrypted, this is an unencrypted PKCS
#8 PrivateKeyInfo.
:rtype: Blob
"""
return self._privateKeyBag
def wireDecode(self, input):
"""
Decode the input as an NDN-TLV SafeBag and update this object.
:param input: The array with the bytes to decode.
:type input: A Blob or an array type with int elements
"""
if isinstance(input, Blob):
input = input.buf()
# Decode directly as TLV. We don't support the WireFormat abstraction
# because this isn't meant to go directly on the wire.
decoder = TlvDecoder(input)
endOffset = decoder.readNestedTlvsStart(Tlv.SafeBag_SafeBag)
# Get the bytes of the certificate and decode.
certificateBeginOffset = decoder.getOffset()
certificateEndOffset = decoder.readNestedTlvsStart(Tlv.Data)
decoder.seek(certificateEndOffset)
self._certificate = Data()
self._certificate.wireDecode(
decoder.getSlice(certificateBeginOffset, certificateEndOffset),
TlvWireFormat.get())
self._privateKeyBag = Blob(
decoder.readBlobTlv(Tlv.SafeBag_EncryptedKeyBag), True)
decoder.finishNestedTlvs(endOffset)
def wireEncode(self, wireFormat=None):
"""
Encode this as an NDN-TLV SafeBag.
:return: The encoded byte array as a Blob.
:rtype: Blob
"""
# Encode directly as TLV. We don't support the WireFormat abstraction
# because this isn't meant to go directly on the wire.
encoder = TlvEncoder(256)
saveLength = len(encoder)
# Encode backwards.
encoder.writeBlobTlv(Tlv.SafeBag_EncryptedKeyBag,
self._privateKeyBag.buf())
# Add the entire Data packet encoding as is.
encoder.writeBuffer(
self._certificate.wireEncode(TlvWireFormat.get()).buf())
encoder.writeTypeAndLength(Tlv.SafeBag_SafeBag,
len(encoder) - saveLength)
return Blob(encoder.getOutput(), False)
@staticmethod
def _makeSelfSignedCertificate(keyName, privateKeyBag, publicKeyEncoding,
password, digestAlgorithm, wireFormat):
certificate = CertificateV2()
# Set the name.
now = Common.getNowMilliseconds()
certificateName = Name(keyName)
certificateName.append("self").appendVersion(int(now))
certificate.setName(certificateName)
# Set the MetaInfo.
certificate.getMetaInfo().setType(ContentType.KEY)
# Set a one-hour freshness period.
certificate.getMetaInfo().setFreshnessPeriod(3600 * 1000.0)
# Set the content.
publicKey = PublicKey(publicKeyEncoding)
certificate.setContent(publicKey.getKeyDer())
# Create a temporary in-memory Tpm and import the private key.
tpm = Tpm("", "", TpmBackEndMemory())
tpm._importPrivateKey(keyName, privateKeyBag.toBytes(), password)
# Set the signature info.
if publicKey.getKeyType() == KeyType.RSA:
certificate.setSignature(Sha256WithRsaSignature())
elif publicKey.getKeyType() == KeyType.EC:
certificate.setSignature(Sha256WithEcdsaSignature())
else:
raise ValueError("Unsupported key type")
signatureInfo = certificate.getSignature()
KeyLocator.getFromSignature(signatureInfo).setType(
KeyLocatorType.KEYNAME)
KeyLocator.getFromSignature(signatureInfo).setKeyName(keyName)
# Set a 20-year validity period.
ValidityPeriod.getFromSignature(signatureInfo).setPeriod(
now, now + 20 * 365 * 24 * 3600 * 1000.0)
# Encode once to get the signed portion.
encoding = certificate.wireEncode(wireFormat)
signatureBytes = tpm.sign(encoding.toSignedBytes(), keyName,
digestAlgorithm)
signatureInfo.setSignature(signatureBytes)
# Encode again to include the signature.
certificate.wireEncode(wireFormat)
return certificate
class DataValidationState(ValidationState):
"""
Create a DataValidationState for the Data packet. The caller must ensure
that the state instance is valid until the validation finishes (i.e., until
validateCertificateChain() and validateOriginalPacket() have been called).
:param Data data: The Date packet being validated, which is copied.
:param successCallback: This calls successCallback(data) to report a
successful Data validation.
:type successCallback: function object
:param failureCallback: This calls failureCallback(data, error) to report a
failed Data validation, where error is a ValidationError.
:type failureCallback: function object
"""
def __init__(self, data, successCallback, failureCallback):
super(DataValidationState, self).__init__()
# Make a copy.
self._data = Data(data)
self._successCallback = successCallback
self._failureCallback = failureCallback
if self._successCallback == None:
raise ValueError("The successCallback is None")
if self._failureCallback == None:
raise ValueError("The failureCallback is None")
def fail(self, error):
"""
Call the failure callback.
:param ValidationError error:
"""
logging.getLogger(__name__).info("" + str(error))
try:
self._failureCallback(self._data, error)
except:
logging.exception("Error in failureCallback")
self.setOutcome(False)
def getOriginalData(self):
"""
Get the original Data packet being validated which was given to the
constructor.
:return: The original Data packet.
:rtype: Data
"""
return self._data
def _verifyOriginalPacket(self, trustedCertificate):
"""
Verify the signature of the original packet. This is only called by the
Validator class.
:param CertificateV2 trustedCertificate: The certificate that signs the
original packet.
"""
if VerificationHelpers.verifyDataSignature(self._data, trustedCertificate):
logging.getLogger(__name__).info("OK signature for data `" +
self._data.getName().toUri() + "`")
try:
self._successCallback(self._data)
except:
logging.exception("Error in successCallback")
self.setOutcome(True)
else:
self.fail(ValidationError(ValidationError.INVALID_SIGNATURE,
"Invalid signature of data `" + self._data.getName().toUri() + "`"))
def _bypassValidation(self):
"""
Call the success callback of the original packet without signature
validation. This is only called by the Validator class.
"""
logging.getLogger(__name__).info("Signature verification bypassed for data `" +
self._data.getName().toUri() + "`")
try:
self._successCallback(self._data)
except:
logging.exception("Error in successCallback")
self.setOutcome(True)
def _processSyncInterest(self, index, syncDigest, face):
"""
Common interest processing, using digest log to find the difference
after syncDigest.
:return: True if sent a data packet to satisfy the interest, otherwise
False.
:rtype: bool
"""
nameList = [] # of str
sequenceNoList = [] # of int
sessionNoList = [] # of int
for j in range(index + 1, len(self._digestLog)):
temp = self._digestLog[j].getData(
) # array of sync_state_pb2.SyncState.
for i in range(len(temp)):
syncState = temp[i]
if syncState.type != SyncState_UPDATE:
continue
if self._digestTree.find(syncState.name,
syncState.seqno.session) != -1:
n = -1
for k in range(len(nameList)):
if nameList[k] == syncState.name:
n = k
break
if n == -1:
nameList.append(syncState.name)
sequenceNoList.append(syncState.seqno.seq)
sessionNoList.append(syncState.seqno.session)
else:
sequenceNoList[n] = syncState.seqno.seq
sessionNoList[n] = syncState.seqno.session
tempContent = SyncStateMsg()
for i in range(len(nameList)):
content = getattr(tempContent, "ss").add()
content.name = nameList[i]
content.type = SyncState_UPDATE
content.seqno.seq = sequenceNoList[i]
content.seqno.session = sessionNoList[i]
sent = False
if len(getattr(tempContent, "ss")) != 0:
name = Name(self._applicationBroadcastPrefix)
name.append(syncDigest)
# TODO: Check if this works in Python 3.
#pylint: disable=E1103
array = tempContent.SerializeToString()
#pylint: enable=E1103
data = Data(name)
data.setContent(Blob(array))
self._keyChain.sign(data, self._certificateName)
try:
face.putData(data)
except Exception as ex:
logging.getLogger(__name__).error("Error in face.putData: %s",
str(ex))
return
sent = True
logging.getLogger(__name__).info("Sync Data send")
logging.getLogger(__name__).info("%s", name.toUri())
return sent
def publish(self,
interestName,
dataName,
content,
freshnessPeriod,
signingInfo=SigningInfo()):
"""
Put all the segments in the memory store.
:param Name interestName: If the Interest name ends in a segment,
immediately send the Data packet for the segment to the Face.
:param Name dataName: The Data name, which has components after the
Interest name.
:param Blob content: The content of the data to be segmented.
:param float freshnessPeriod The freshness period of the segments,
in milliseconds.
:param SigningInfo signingInfo (optional) The SigningInfo for signing
segment Data packets. If omitted, use the default SigningInfo().
"""
interestSegment = 0
if interestName[-1].isSegment():
interestSegment = interestName[-1].toSegment()
rawBuffer = content.buf()
iSegmentBegin = 0
iEnd = len(content)
maxPacketSize = int(Common.MAX_NDN_PACKET_SIZE / 2)
totalSegments = int(len(content) / maxPacketSize)
finalBlockId = Name.Component.fromSegment(totalSegments)
segmentPrefix = Name(dataName)
segmentPrefix.appendVersion(int(Common.getNowMilliseconds()))
segmentNo = 0
while (True):
iSegmentEnd = iSegmentBegin + maxPacketSize
if iSegmentEnd > iEnd:
iSegmentEnd = iEnd
segmentName = Name(segmentPrefix)
segmentName.appendSegment(segmentNo)
data = Data(segmentName)
data.setContent(Blob(rawBuffer[iSegmentBegin:iSegmentEnd]))
data.getMetaInfo().setFreshnessPeriod(freshnessPeriod)
data.getMetaInfo().setFinalBlockId(finalBlockId)
iSegmentBegin = iSegmentEnd
self._keyChain.sign(data, signingInfo)
# Only send the segment to the Face if it has a pending interest.
# Otherwise, the segment is unsolicited.
if interestSegment == segmentNo:
self._face.putData(data)
# Until InMemoryStorageFifo implements an eviction policy, use InMemoryStorageRetaining.
# storage_.insert(*data, freshnessPeriod)
self._storage.insert(data)
# Make and return a callback since segmentName is different each time.
def makeCallback(localSegmentName):
def callback():
self._storage.remove(localSegmentName)
return callback
self._face.callLater(freshnessPeriod, makeCallback(segmentName))
segmentNo += 1
if not (iSegmentBegin < iEnd):
break
class SafeBag(object):
"""
There are three forms of the SafeBag constructor:
SafeBag(certificate, privateKeyBag) - Create a SafeBag with the given
certificate and private key.
SafeBag(keyName, privateKeyBag, publicKeyEncoding [, password,
digestAlgorithm, wireFormat]) - Create a SafeBag with given private key
and a new self-signed certificate for the given public key.
SafeBag(input) - Create a SafeBag by decoding the input as an NDN-TLV SafeBag.
:param Data certificate: The certificate data packet (used only for
SafeBag(certificate, privateKeyBag)). This copies the object.
:param Blob privateKeyBag: The encoded private key. If encrypted, this is a
PKCS #8 EncryptedPrivateKeyInfo. If not encrypted, this is an unencrypted
PKCS #8 PrivateKeyInfo.
:param password: (optional) The password for decrypting the private key in
order to sign the self-signed certificate, which should have characters in
the range of 1 to 127. If the password is supplied, use it to decrypt the
PKCS #8 EncryptedPrivateKeyInfo. If the password is omitted or None,
privateKeyBag is an unencrypted PKCS #8 PrivateKeyInfo.
:type password: an array which implements the buffer protocol
:param int digestAlgorithm: (optional) The digest algorithm for signing the
self-signed certificate. If omitted, use DigestAlgorithm.SHA256 .
:type digestAlgorithm: int from the DigestAlgorithm enum
:param WireFormat wireFormat: (optional) A WireFormat object used to encode
the self-signed certificate in order to sign it. If omitted, use
WireFormat.getDefaultWireFormat().
:param input: The array with the bytes to decode.
:type input: A Blob or an array type with int elements
"""
def __init__(self, arg1, privateKeyBag = None,
publicKeyEncoding = None, password = None,
digestAlgorithm = DigestAlgorithm.SHA256, wireFormat = None):
if isinstance(arg1, Name):
keyName = arg1
if wireFormat == None:
# Don't use a default argument since getDefaultWireFormat can change.
wireFormat = WireFormat.getDefaultWireFormat()
self._certificate = SafeBag._makeSelfSignedCertificate(
keyName, privateKeyBag, publicKeyEncoding, password,
digestAlgorithm, wireFormat)
self._privateKeyBag = privateKeyBag
elif isinstance(arg1, Data):
# The certificate is supplied.
self._certificate = Data(arg1)
self._privateKeyBag = privateKeyBag
else:
# Assume the first argument is the encoded SafeBag.
self.wireDecode(arg1)
def getCertificate(self):
"""
Get the certificate data packet.
:return: The certificate as a Data packet. If you need to process it as
a certificate object then you must create a new CertificateV2(data).
:rtype: Data
"""
return self._certificate
def getPrivateKeyBag(self):
"""
Get the encoded private key.
:return: The encoded private key. If encrypted, this is a PKCS #8
EncryptedPrivateKeyInfo. If not encrypted, this is an unencrypted PKCS
#8 PrivateKeyInfo.
:rtype: Blob
"""
return self._privateKeyBag
def wireDecode(self, input):
"""
Decode the input as an NDN-TLV SafeBag and update this object.
:param input: The array with the bytes to decode.
:type input: A Blob or an array type with int elements
"""
if isinstance(input, Blob):
input = input.buf()
# Decode directly as TLV. We don't support the WireFormat abstraction
# because this isn't meant to go directly on the wire.
decoder = TlvDecoder(input)
endOffset = decoder.readNestedTlvsStart(Tlv.SafeBag_SafeBag)
# Get the bytes of the certificate and decode.
certificateBeginOffset = decoder.getOffset()
certificateEndOffset = decoder.readNestedTlvsStart(Tlv.Data)
decoder.seek(certificateEndOffset)
self._certificate = Data()
self._certificate.wireDecode(
decoder.getSlice(certificateBeginOffset, certificateEndOffset),
TlvWireFormat.get())
self._privateKeyBag = Blob(
decoder.readBlobTlv(Tlv.SafeBag_EncryptedKeyBag), True)
decoder.finishNestedTlvs(endOffset)
def wireEncode(self, wireFormat = None):
"""
Encode this as an NDN-TLV SafeBag.
:return: The encoded byte array as a Blob.
:rtype: Blob
"""
# Encode directly as TLV. We don't support the WireFormat abstraction
# because this isn't meant to go directly on the wire.
encoder = TlvEncoder(256)
saveLength = len(encoder)
# Encode backwards.
encoder.writeBlobTlv(
Tlv.SafeBag_EncryptedKeyBag, self._privateKeyBag.buf())
# Add the entire Data packet encoding as is.
encoder.writeBuffer(
self._certificate.wireEncode(TlvWireFormat.get()).buf())
encoder.writeTypeAndLength(
Tlv.SafeBag_SafeBag, len(encoder) - saveLength)
return Blob(encoder.getOutput(), False)
@staticmethod
def _makeSelfSignedCertificate(
keyName, privateKeyBag, publicKeyEncoding, password, digestAlgorithm,
wireFormat):
certificate = CertificateV2()
# Set the name.
now = Common.getNowMilliseconds()
certificateName = Name(keyName)
certificateName.append("self").appendVersion(int(now))
certificate.setName(certificateName)
# Set the MetaInfo.
certificate.getMetaInfo().setType(ContentType.KEY)
# Set a one-hour freshness period.
certificate.getMetaInfo().setFreshnessPeriod(3600 * 1000.0)
# Set the content.
publicKey = PublicKey(publicKeyEncoding)
certificate.setContent(publicKey.getKeyDer())
# Create a temporary in-memory Tpm and import the private key.
tpm = Tpm("", "", TpmBackEndMemory())
tpm._importPrivateKey(keyName, privateKeyBag.toBytes(), password)
# Set the signature info.
if publicKey.getKeyType() == KeyType.RSA:
certificate.setSignature(Sha256WithRsaSignature())
elif publicKey.getKeyType() == KeyType.EC:
certificate.setSignature(Sha256WithEcdsaSignature())
else:
raise ValueError("Unsupported key type")
signatureInfo = certificate.getSignature()
KeyLocator.getFromSignature(signatureInfo).setType(KeyLocatorType.KEYNAME)
KeyLocator.getFromSignature(signatureInfo).setKeyName(keyName)
# Set a 20-year validity period.
ValidityPeriod.getFromSignature(signatureInfo).setPeriod(
now, now + 20 * 365 * 24 * 3600 * 1000.0)
# Encode once to get the signed portion.
encoding = certificate.wireEncode(wireFormat)
signatureBytes = tpm.sign(encoding.toSignedBytes(), keyName,
digestAlgorithm)
signatureInfo.setSignature(signatureBytes)
# Encode again to include the signature.
certificate.wireEncode(wireFormat)
return certificate