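def _processValidCertificate(self, data):
    """
    Decode the certificate carried in a packet from the controller, fetch
    the certificate of its signer, and then verify the new certificate.

    The original comment describes the input as an HMAC-signed packet; the
    HMAC check itself is not part of this method (presumably done by the
    caller - confirm).

    Security note: the signer ("root") certificate is fetched by the name
    found in the new certificate's key locator and handed to
    self._identityStorage.addCertificate() without any verification
    visible in this method. It is installed *before* verifyData() runs on
    the new certificate. Whether a failed validation removes it again
    depends on self._certificateValidationFailed, which is not visible
    here. Provisioning or pinning the root certificate out of band would
    avoid trusting whatever answers the interest first.

    :param Data data: The packet whose content is the wire encoding of the
      new IdentityCertificate.
    """
    try:
        # unpack the cert from the HMAC signed packet and verify
        newCert = IdentityCertificate()
        newCert.wireDecode(data.getContent())
        self.log.info("Received certificate from controller")
        self.log.debug(str(newCert))

        # NOTE: we download and install the root certificate without
        # verifying it (!) otherwise our policy manager will reject it.
        # We may need a static method on KeyChain to allow verifying
        # before adding.
        rootCertName = newCert.getSignature().getKeyLocator().getKeyName()

        # update trust rules so we trust the controller
        self._policyManager.setDeviceIdentity(self._configureIdentity)
        self._policyManager.updateTrustRules()

        def onRootCertificateDownload(interest, data):
            try:
                self._identityStorage.addCertificate(data)
            except SecurityException as e:
                # Expected when the certificate already exists. Log it
                # rather than dropping it silently: the storage may raise
                # the same exception type for other rejections (e.g. a
                # key mismatch - confirm against the storage class), and
                # that should be visible when it concerns the root cert.
                self.log.warning(
                    "Root certificate not added to identity storage: " +
                    str(e))
            self._keyChain.verifyData(
                newCert, self._finalizeCertificateDownload,
                self._certificateValidationFailed)

        def onRootCertificateTimeout(interest):
            # TODO: limit number of tries, then revert trust root + network
            # prefix; reset salt, create new Hmac key.
            # As written, the interest is re-expressed on every timeout
            # with no retry limit.
            self.face.expressInterest(
                rootCertName, onRootCertificateDownload,
                onRootCertificateTimeout)

        self.face.expressInterest(
            rootCertName, onRootCertificateDownload,
            onRootCertificateTimeout)

    except Exception:
        # Anything that goes wrong while decoding or scheduling the fetch
        # is logged with its traceback and not propagated.
        self.log.exception("Could not import new certificate", exc_info=True)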
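def _processValidCertificate(self, data):
    """
    Decode the certificate carried in a packet from the controller, fetch
    and install the certificate of its signer, and then verify the new
    certificate.

    The original comment describes the input as an HMAC-signed packet; the
    HMAC check itself is not part of this method (presumably done by the
    caller - confirm).

    Security note: the signer ("root") certificate is fetched by the name
    found in the new certificate's key locator. With no verification
    visible in this method it is inserted into the policy manager's
    certificate cache, made the identity default, kept in
    self._rootCertificate and written to ~/.ndn/.iot.root.cert. All of
    that happens *before* verifyData() runs on the new certificate, and
    nothing here undoes it if that validation fails. Preconfiguring or
    pinning the root certificate, or deferring the persistent install to
    the verification-success path, would close that gap.

    :param Data data: The packet whose content is the wire encoding of the
      new IdentityCertificate.
    """
    try:
        # unpack the cert from the HMAC signed packet and verify
        newCert = IdentityCertificate()
        newCert.wireDecode(data.getContent())
        self.log.info("Received certificate from controller")

        # NOTE: we download and install the root certificate without
        # verifying it (!) otherwise our policy manager will reject it.
        # We may need a static method on KeyChain to allow verifying
        # before adding.
        rootCertName = newCert.getSignature().getKeyLocator().getKeyName()

        # update trust rules so we trust the controller
        self._policyManager.setDeviceIdentity(self._configureIdentity)
        self._policyManager.updateTrustRules()

        def onRootCertificateDownload(interest, data):
            try:
                # zhehao: the root cert is downloaded and installed without
                # verifying; should the root cert be preconfigured?
                # Insert root certificate so that we can verify newCert
                self._policyManager._certificateCache.insertCertificate(data)

                # Set the root cert as default for root identity
                try:
                    self._identityManager.addCertificateAsIdentityDefault(
                        IdentityCertificate(data))
                except SecurityException as e:
                    print("Error when addCertificateAsIdentityDefault for root: " + data.getName().toUri())
                    print(str(e))

                self._rootCertificate = data

                # use the default configuration where possible
                # TODO: use environment variable for this, fall back to default
                # Resolved outside the try so the error handler below can
                # always name the path it failed on.
                fileName = os.path.expanduser('~/.ndn/.iot.root.cert')
                try:
                    # 'with' closes the handle even when write() fails.
                    with open(fileName, "w") as rootCertFile:
                        rootCertFile.write(Blob(b64encode(self._rootCertificate.wireEncode().toBytes()), False).toRawStr())
                except IOError:
                    # Report the path, not the file object: concatenating
                    # the file object (or an unbound name when open()
                    # failed) raised inside this handler and hid the
                    # original I/O error.
                    message = "Cannot write to root certificate file: " + fileName
                    self.log.error(message)
                    print(message)
            except SecurityException as e:
                # already exists, or got certificate in wrong format
                print(str(e))
            # Verification of newCert is attempted regardless of whether
            # the install steps above succeeded.
            self._keyChain.verifyData(
                newCert, self._finalizeCertificateDownload,
                self._certificateValidationFailed)

        def onRootCertificateTimeout(interest):
            # TODO: limit number of tries, then revert trust root + network
            # prefix; reset salt, create new Hmac key.
            # As written, the interest is re-expressed on every timeout
            # with no retry limit.
            self.face.expressInterest(
                rootCertName, onRootCertificateDownload,
                onRootCertificateTimeout)

        self.face.expressInterest(
            rootCertName, onRootCertificateDownload,
            onRootCertificateTimeout)

    except Exception:
        # Anything that goes wrong while decoding or scheduling the fetch
        # is logged with its traceback and not propagated.
        self.log.exception("Could not import new certificate", exc_info=True)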
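def addCertificate(self, certificate):
    """
    Add a certificate to the identity storage.

    This method only stores the certificate. It does not verify the
    certificate's signature and does not check its validity period (see
    the TODO below), so callers that need an authenticated certificate
    must verify it before adding it.

    :param IdentityCertificate certificate: The certificate to be added.
      This makes a copy of the certificate.
    :raises SecurityException: If a certificate with the same name is
      already installed, or if a key with the certificate's public key
      name is already stored but is null or differs from the key in the
      certificate.
    """
    #TODO: actually check validity of certificate timestamp
    certificateName = certificate.getName()

    if self.doesCertificateExist(certificateName):
        raise SecurityException("Certificate has already been installed!")

    certCopy = IdentityCertificate(certificate)
    keyName = certCopy.getPublicKeyName()
    keyInfo = certCopy.getPublicKeyInfo()

    # The certificate is flagged as default only when its key was not
    # known before and is added here.
    makeDefault = 0
    if not self.doesKeyExist(keyName):
        self.addKey(keyName, keyInfo.getKeyType(), keyInfo.getKeyDer())
        makeDefault = 1
    else:
        # see if the key we already have matches this certificate
        keyBlob = self.getKey(keyName)
        if (keyBlob.isNull() or
                keyBlob.toBuffer() != keyInfo.getKeyDer().toBuffer()):
            raise SecurityException("Certificate does not match public key")

    # The last key-name component is the key id; the rest is the identity.
    keyId = keyName.get(-1).toEscapedString()
    identityUri = keyName.getPrefix(-1).toUri()
    certIssuer = certCopy.getSignature().getKeyLocator().getKeyName().toUri()
    # buffer() is the Python 2 builtin; this line does not run unchanged
    # on Python 3.
    encodedCert = buffer(bytearray(certCopy.wireEncode().buf()))
    notBefore = certCopy.getNotBefore()
    notAfter = certCopy.getNotAfter()

    cursor = self._database.cursor()
    try:
        # Values are bound as parameters, never formatted into the SQL.
        # The literal 1 is presumably the "valid" flag column - confirm
        # against the Certificate table schema.
        cursor.execute("INSERT INTO Certificate VALUES(?,?,?,?,?,?,?,?,?)",
                       (certificateName.toUri(), certIssuer, identityUri,
                        keyId, notBefore, notAfter, encodedCert, 1,
                        makeDefault))
        self._database.commit()
    finally:
        # Release the cursor even when the insert or commit raises.
        cursor.close()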
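def _processValidCertificate(self, data):
    """
    Decode the certificate carried in a packet from the controller, fetch
    and install the certificate of its signer, and then verify the new
    certificate.

    The original comment describes the input as an HMAC-signed packet; the
    HMAC check itself is not part of this method (presumably done by the
    caller - confirm).

    Security note: the signer ("root") certificate is requested by the
    name in the new certificate's key locator and is installed as
    received. This method shows no check of it before it is cached in the
    policy manager, set as the identity default, stored in
    self._rootCertificate and persisted to ~/.ndn/.iot.root.cert. The call
    to verifyData() on the new certificate comes only afterwards, and a
    failed validation does not roll the install back in this method.
    Shipping the root certificate with the device, or persisting it only
    after verification succeeds, would avoid accepting whatever answers
    the interest first.

    :param Data data: The packet whose content is the wire encoding of the
      new IdentityCertificate.
    """
    try:
        # unpack the cert from the HMAC signed packet and verify
        newCert = IdentityCertificate()
        newCert.wireDecode(data.getContent())
        self.log.info("Received certificate from controller")

        # NOTE: we download and install the root certificate without
        # verifying it (!) otherwise our policy manager will reject it.
        # We may need a static method on KeyChain to allow verifying
        # before adding.
        rootCertName = newCert.getSignature().getKeyLocator().getKeyName()

        # update trust rules so we trust the controller
        self._policyManager.setDeviceIdentity(self._configureIdentity)
        self._policyManager.updateTrustRules()

        def onRootCertificateDownload(interest, data):
            try:
                # zhehao: the root cert is downloaded and installed without
                # verifying; should the root cert be preconfigured?
                # Insert root certificate so that we can verify newCert
                self._policyManager._certificateCache.insertCertificate(
                    data)

                # Set the root cert as default for root identity
                try:
                    self._identityManager.addCertificateAsIdentityDefault(
                        IdentityCertificate(data))
                except SecurityException as e:
                    print(
                        "Error when addCertificateAsIdentityDefault for root: "
                        + data.getName().toUri())
                    print(str(e))

                self._rootCertificate = data

                # use the default configuration where possible
                # TODO: use environment variable for this, fall back to default
                # The path is computed before the try block so that it is
                # bound whenever the IOError handler runs.
                fileName = os.path.expanduser('~/.ndn/.iot.root.cert')
                try:
                    # The context manager closes the file on every path,
                    # including a failed write().
                    with open(fileName, "w") as rootCertFile:
                        rootCertFile.write(
                            Blob(
                                b64encode(self._rootCertificate.wireEncode().
                                          toBytes()), False).toRawStr())
                except IOError:
                    # The message is built from the path. Building it from
                    # the file object (unbound if open() itself failed)
                    # made the handler raise and masked the I/O error.
                    message = ("Cannot write to root certificate file: " +
                               fileName)
                    self.log.error(message)
                    print(message)
            except SecurityException as e:
                # already exists, or got certificate in wrong format
                print(str(e))
            # newCert is verified whether or not the install above worked.
            self._keyChain.verifyData(newCert,
                                      self._finalizeCertificateDownload,
                                      self._certificateValidationFailed)

        def onRootCertificateTimeout(interest):
            # TODO: limit number of tries, then revert trust root + network
            # prefix; reset salt, create new Hmac key.
            # Until then every timeout re-expresses the interest, with no
            # upper bound on retries.
            self.face.expressInterest(rootCertName,
                                      onRootCertificateDownload,
                                      onRootCertificateTimeout)

        self.face.expressInterest(rootCertName, onRootCertificateDownload,
                                  onRootCertificateTimeout)

    except Exception:
        # Failures in decoding or in scheduling the fetch are logged with
        # their traceback and are not re-raised.
        self.log.exception("Could not import new certificate", exc_info=True)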