public void testOverwrite()
{
PibMemory pibImpl = new PibMemory();
try {
new PibKeyImpl(fixture.id1Key1Name, pibImpl);
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex) {
} catch (Exception ex_0) {
Assert.Fail("Did not throw the expected exception");
}
new PibKeyImpl(fixture.id1Key1Name, fixture.id1Key1.buf(), pibImpl);
PibKeyImpl key1 = new PibKeyImpl(fixture.id1Key1Name, pibImpl);
// Overwriting the key should work.
new PibKeyImpl(fixture.id1Key1Name, fixture.id1Key2.buf(), pibImpl);
PibKeyImpl key2 = new PibKeyImpl(fixture.id1Key1Name, pibImpl);
// key1 should have cached the original public key.
Assert.AssertTrue(!key1.getPublicKey().equals(key2.getPublicKey()));
Assert.AssertTrue(key2.getPublicKey().equals(fixture.id1Key2));
key1.addCertificate(fixture.id1Key1Cert1);
// Use the wire encoding to check equivalence.
Assert.AssertTrue(key1.getCertificate(fixture.id1Key1Cert1.getName())
.wireEncode().equals(fixture.id1Key1Cert1.wireEncode()));
CertificateV2 otherCert = new CertificateV2(fixture.id1Key1Cert1);
((Sha256WithRsaSignature)otherCert.getSignature()).getValidityPeriod()
.setPeriod(net.named_data.jndn.util.Common.getNowMilliseconds(),
net.named_data.jndn.util.Common.getNowMilliseconds() + 1000);
// Don't bother resigning so we don't have to load a private key.
Assert.AssertTrue(fixture.id1Key1Cert1.getName().equals(otherCert.getName()));
Assert.AssertTrue(otherCert.getContent().equals(
fixture.id1Key1Cert1.getContent()));
Assert.AssertFalse(otherCert.wireEncode().equals(
fixture.id1Key1Cert1.wireEncode()));
key1.addCertificate(otherCert);
Assert.AssertTrue(key1.getCertificate(fixture.id1Key1Cert1.getName())
.wireEncode().equals(otherCert.wireEncode()));
}
public void testOverwrite()
{
/* foreach */
foreach (PibDataFixture2 fixture in pibImpls)
{
PibImpl pib = fixture.pib;
// Check for id1Key1, which should not exist.
pib.removeIdentity(fixture.id1);
Assert.AssertEquals(false, pib.hasKey(fixture.id1Key1Name));
// Add id1Key1.
pib.addKey(fixture.id1, fixture.id1Key1Name, fixture.id1Key1.buf());
Assert.AssertEquals(true, pib.hasKey(fixture.id1Key1Name));
Blob keyBits = pib.getKeyBits(fixture.id1Key1Name);
Assert.AssertTrue(keyBits.equals(fixture.id1Key1));
// To check overwrite, add a key with the same name.
pib.addKey(fixture.id1, fixture.id1Key1Name, fixture.id1Key2.buf());
Blob keyBits2 = pib.getKeyBits(fixture.id1Key1Name);
Assert.AssertTrue(keyBits2.equals(fixture.id1Key2));
// Check for id1Key1Cert1, which should not exist.
pib.removeIdentity(fixture.id1);
Assert.AssertEquals(false,
pib.hasCertificate(fixture.id1Key1Cert1.getName()));
// Add id1Key1Cert1.
pib.addKey(fixture.id1, fixture.id1Key1Name, fixture.id1Key1.buf());
pib.addCertificate(fixture.id1Key1Cert1);
Assert.AssertEquals(true,
pib.hasCertificate(fixture.id1Key1Cert1.getName()));
CertificateV2 cert = pib.getCertificate(fixture.id1Key1Cert1
.getName());
Assert.AssertTrue(cert.wireEncode().equals(
fixture.id1Key1Cert1.wireEncode()));
// Create a fake certificate with the same name.
CertificateV2 cert2 = fixture.id1Key2Cert1;
cert2.setName(fixture.id1Key1Cert1.getName());
cert2.setSignature(fixture.id1Key2Cert1.getSignature());
pib.addCertificate(cert2);
CertificateV2 cert3 = pib.getCertificate(fixture.id1Key1Cert1
.getName());
Assert.AssertTrue(cert3.wireEncode().equals(cert2.wireEncode()));
// Check that both the key and certificate are overwritten.
Blob keyBits3 = pib.getKeyBits(fixture.id1Key1Name);
Assert.AssertTrue(keyBits3.equals(fixture.id1Key2));
}
}
public void testRefresh10s()
{
StringBuilder encodedData = new StringBuilder();
TextReader dataFile = new FileReader(new FileInfo(System.IO.Path.Combine(policyConfigDirectory_.FullName, "testData")).FullName);
// Use "try/finally instead of "try-with-resources" or "using"
// which are not supported before Java 7.
try {
String line;
while ((line = dataFile.readLine()) != null)
{
encodedData.append(line);
}
} finally {
dataFile.close();
}
byte[] decodedData = net.named_data.jndn.util.Common.base64Decode(encodedData.toString());
Data data = new Data();
data.wireDecode(new Blob(decodedData, false));
// This test is needed, since the KeyChain will express interests in unknown
// certificates.
VerificationResult vr = doVerify(policyManager_, data);
Assert.AssertTrue(
"ConfigPolicyManager did not create ValidationRequest for unknown certificate",
vr.hasFurtherSteps_);
Assert.AssertEquals(
"ConfigPolicyManager called success callback with pending ValidationRequest",
0, vr.successCount_);
Assert.AssertEquals(
"ConfigPolicyManager called failure callback with pending ValidationRequest",
0, vr.failureCount_);
// Now save the cert data to our anchor directory, and wait.
// We have to sign it with the current identity or the policy manager will
// create an interest for the signing certificate.
CertificateV2 cert = new CertificateV2();
byte[] certData = net.named_data.jndn.util.Common.base64Decode(CERT_DUMP);
cert.wireDecode(new Blob(certData, false));
SigningInfo signingInfo = new SigningInfo();
signingInfo.setSigningIdentity(identityName_);
// Make sure the validity period is current for two years.
double now = net.named_data.jndn.util.Common.getNowMilliseconds();
signingInfo.setValidityPeriod(new ValidityPeriod(now, now + 2 * 365
* 24 * 3600 * 1000.0d));
keyChain_.sign(cert, signingInfo);
Blob signedCertBlob = cert.wireEncode();
String encodedCert = net.named_data.jndn.util.Common.base64Encode(signedCertBlob
.getImmutableArray());
var certFile = (new StreamWriter(
testCertFile_.FullName));
try {
certFile.Write(encodedCert, 0, encodedCert.Substring(0, encodedCert.Length));
certFile.flush();
} finally {
certFile.close();
}
// Still too early for refresh to pick it up.
vr = doVerify(policyManager_, data);
Assert.AssertTrue("ConfigPolicyManager refresh occured sooner than specified",
vr.hasFurtherSteps_);
Assert.AssertEquals(
"ConfigPolicyManager called success callback with pending ValidationRequest",
0, vr.successCount_);
Assert.AssertEquals(
"ConfigPolicyManager called failure callback with pending ValidationRequest",
0, vr.failureCount_);
ILOG.J2CsMapping.Threading.ThreadWrapper.sleep(6000);
// Now we should find it.
vr = doVerify(policyManager_, data);
Assert.AssertFalse("ConfigPolicyManager did not refresh certificate store",
vr.hasFurtherSteps_);
Assert.AssertEquals("Verification success called " + vr.successCount_
+ " times instead of 1", 1, vr.successCount_);
Assert.AssertEquals("ConfigPolicyManager did not verify valid signed data", 0,
vr.failureCount_);
}
public void testBasic()
{
PibMemory pibImpl = new PibMemory();
// Start with an empty container.
PibCertificateContainer container = new PibCertificateContainer(
fixture.id1Key1Name, pibImpl);
Assert.AssertEquals(0, container.size());
Assert.AssertEquals(0, container.getCertificates_().Count);
// Add a certificate.
container.add(fixture.id1Key1Cert1);
Assert.AssertEquals(1, container.size());
Assert.AssertEquals(1, container.getCertificates_().Count);
Assert.AssertTrue(container.getCertificates_().Contains(
fixture.id1Key1Cert1.getName()));
// Add the same certificate again.
container.add(fixture.id1Key1Cert1);
Assert.AssertEquals(1, container.size());
Assert.AssertEquals(1, container.getCertificates_().Count);
Assert.AssertTrue(container.getCertificates_().Contains(
fixture.id1Key1Cert1.getName()));
// Add another certificate.
container.add(fixture.id1Key1Cert2);
Assert.AssertEquals(2, container.size());
Assert.AssertEquals(2, container.getCertificates_().Count);
Assert.AssertTrue(container.getCertificates_().Contains(
fixture.id1Key1Cert1.getName()));
Assert.AssertTrue(container.getCertificates_().Contains(
fixture.id1Key1Cert2.getName()));
// Get the certificates.
try {
container.get(fixture.id1Key1Cert1.getName());
} catch (Exception ex) {
Assert.Fail("Unexpected exception: " + ex.Message);
}
try {
container.get(fixture.id1Key1Cert2.getName());
} catch (Exception ex_0) {
Assert.Fail("Unexpected exception: " + ex_0.Message);
}
Name id1Key1Cert3Name = new Name(fixture.id1Key1Name);
id1Key1Cert3Name.append("issuer").appendVersion(3);
try {
container.get(id1Key1Cert3Name);
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_1) {
} catch (Exception ex_2) {
Assert.Fail("Did not throw the expected exception");
}
// Check the certificates.
CertificateV2 cert1 = container.get(fixture.id1Key1Cert1.getName());
CertificateV2 cert2 = container.get(fixture.id1Key1Cert2.getName());
// Use the wire encoding to check equivalence.
Assert.AssertTrue(cert1.wireEncode().equals(fixture.id1Key1Cert1.wireEncode()));
Assert.AssertTrue(cert2.wireEncode().equals(fixture.id1Key1Cert2.wireEncode()));
// Create another container with the same PibImpl. The cache should be empty.
PibCertificateContainer container2 = new PibCertificateContainer(
fixture.id1Key1Name, pibImpl);
Assert.AssertEquals(2, container2.size());
Assert.AssertEquals(0, container2.getCertificates_().Count);
// Get a certificate. The cache should be filled.
try {
container2.get(fixture.id1Key1Cert1.getName());
} catch (Exception ex_3) {
Assert.Fail("Unexpected exception: " + ex_3.Message);
}
Assert.AssertEquals(2, container2.size());
Assert.AssertEquals(1, container2.getCertificates_().Count);
try {
container2.get(fixture.id1Key1Cert2.getName());
} catch (Exception ex_4) {
Assert.Fail("Unexpected exception: " + ex_4.Message);
}
Assert.AssertEquals(2, container2.size());
Assert.AssertEquals(2, container2.getCertificates_().Count);
// Remove a certificate.
container2.remove(fixture.id1Key1Cert1.getName());
Assert.AssertEquals(1, container2.size());
Assert.AssertEquals(1, container2.getCertificates_().Count);
Assert.AssertTrue(!container2.getCertificates_().Contains(
fixture.id1Key1Cert1.getName()));
Assert.AssertTrue(container2.getCertificates_().Contains(
fixture.id1Key1Cert2.getName()));
// Remove another certificate.
container2.remove(fixture.id1Key1Cert2.getName());
Assert.AssertEquals(0, container2.size());
Assert.AssertEquals(0, container2.getCertificates_().Count);
Assert.AssertTrue(!container2.getCertificates_().Contains(
fixture.id1Key1Cert2.getName()));
}
public void testCertificateOperation()
{
PibMemory pibImpl = new PibMemory();
PibKeyImpl key11 = new PibKeyImpl(fixture.id1Key1Name,
fixture.id1Key1.buf(), pibImpl);
try {
new PibKeyImpl(fixture.id1Key1Name, pibImpl);
} catch (Exception ex) {
Assert.Fail("Unexpected exception: " + ex.Message);
}
// The key should not have any certificates.
Assert.AssertEquals(0, key11.getCertificates_().size());
// Getting a non-existing certificate should throw Pib.Error.
try {
key11.getCertificate(fixture.id1Key1Cert1.getName());
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_0) {
} catch (Exception ex_1) {
Assert.Fail("Did not throw the expected exception");
}
// Getting the non-existing default certificate should throw Pib.Error.
try {
key11.getDefaultCertificate();
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_2) {
} catch (Exception ex_3) {
Assert.Fail("Did not throw the expected exception");
}
// Setting a non-existing certificate as the default should throw Pib.Error.
try {
key11.setDefaultCertificate(fixture.id1Key1Cert1.getName());
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_4) {
} catch (Exception ex_5) {
Assert.Fail("Did not throw the expected exception");
}
// Add a certificate.
key11.addCertificate(fixture.id1Key1Cert1);
try {
key11.getCertificate(fixture.id1Key1Cert1.getName());
} catch (Exception ex_6) {
Assert.Fail("Unexpected exception: " + ex_6.Message);
}
// The new certificate becomes the default when there was no default.
try {
key11.getDefaultCertificate();
} catch (Exception ex_7) {
Assert.Fail("Unexpected exception: " + ex_7.Message);
}
CertificateV2 defaultCert0 = key11.getDefaultCertificate();
Assert.AssertTrue(fixture.id1Key1Cert1.getName()
.equals(defaultCert0.getName()));
// Use the wire encoding to check equivalence.
Assert.AssertTrue(fixture.id1Key1Cert1.wireEncode().equals(
defaultCert0.wireEncode()));
// Remove the certificate.
key11.removeCertificate(fixture.id1Key1Cert1.getName());
try {
key11.getCertificate(fixture.id1Key1Cert1.getName());
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_8) {
} catch (Exception ex_9) {
Assert.Fail("Did not throw the expected exception");
}
try {
key11.getDefaultCertificate();
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_10) {
} catch (Exception ex_11) {
Assert.Fail("Did not throw the expected exception");
}
// Set the default certificate directly.
try {
key11.setDefaultCertificate(fixture.id1Key1Cert1);
} catch (Exception ex_12) {
Assert.Fail("Unexpected exception: " + ex_12.Message);
}
try {
key11.getDefaultCertificate();
} catch (Exception ex_13) {
Assert.Fail("Unexpected exception: " + ex_13.Message);
}
try {
key11.getCertificate(fixture.id1Key1Cert1.getName());
} catch (Exception ex_14) {
Assert.Fail("Unexpected exception: " + ex_14.Message);
}
// Check the default cert.
CertificateV2 defaultCert1 = key11.getDefaultCertificate();
Assert.AssertTrue(fixture.id1Key1Cert1.getName()
.equals(defaultCert1.getName()));
Assert.AssertTrue(defaultCert1.wireEncode().equals(
fixture.id1Key1Cert1.wireEncode()));
// Add another certificate.
key11.addCertificate(fixture.id1Key1Cert2);
Assert.AssertEquals(2, key11.getCertificates_().size());
// Set the default certificate using a name.
try {
key11.setDefaultCertificate(fixture.id1Key1Cert2.getName());
} catch (Exception ex_15) {
Assert.Fail("Unexpected exception: " + ex_15.Message);
}
try {
key11.getDefaultCertificate();
} catch (Exception ex_16) {
Assert.Fail("Unexpected exception: " + ex_16.Message);
}
CertificateV2 defaultCert2 = key11.getDefaultCertificate();
Assert.AssertTrue(fixture.id1Key1Cert2.getName()
.equals(defaultCert2.getName()));
Assert.AssertTrue(defaultCert2.wireEncode().equals(
fixture.id1Key1Cert2.wireEncode()));
// Remove a certificate.
key11.removeCertificate(fixture.id1Key1Cert1.getName());
try {
key11.getCertificate(fixture.id1Key1Cert1.getName());
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_17) {
} catch (Exception ex_18) {
Assert.Fail("Did not throw the expected exception");
}
Assert.AssertEquals(1, key11.getCertificates_().size());
// Set the default certificate directly again, which should change the default.
try {
key11.setDefaultCertificate(fixture.id1Key1Cert1);
} catch (Exception ex_19) {
Assert.Fail("Unexpected exception: " + ex_19.Message);
}
CertificateV2 defaultCert3 = key11.getDefaultCertificate();
Assert.AssertTrue(fixture.id1Key1Cert1.getName()
.equals(defaultCert3.getName()));
Assert.AssertTrue(defaultCert3.wireEncode().equals(
fixture.id1Key1Cert1.wireEncode()));
Assert.AssertEquals(2, key11.getCertificates_().size());
// Remove all certificates.
key11.removeCertificate(fixture.id1Key1Cert1.getName());
try {
key11.getCertificate(fixture.id1Key1Cert1.getName());
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_20) {
} catch (Exception ex_21) {
Assert.Fail("Did not throw the expected exception");
}
Assert.AssertEquals(1, key11.getCertificates_().size());
key11.removeCertificate(fixture.id1Key1Cert2.getName());
try {
key11.getCertificate(fixture.id1Key1Cert2.getName());
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_22) {
} catch (Exception ex_23) {
Assert.Fail("Did not throw the expected exception");
}
try {
key11.getDefaultCertificate();
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_24) {
} catch (Exception ex_25) {
Assert.Fail("Did not throw the expected exception");
}
Assert.AssertEquals(0, key11.getCertificates_().size());
}
/// <summary>
/// Add the certificate. If a certificate with the same name (without implicit
/// digest) already exists, then overwrite the certificate. If the key or
/// identity does not exist, they will be created. If no default certificate
/// for the key has been set, then set the added certificate as the default for
/// the key. If no default key was set for the identity, it will be set as the
/// default key for the identity. If no default identity was selected, the
/// certificate's identity becomes the default.
/// </summary>
///
/// <param name="certificate">The certificate to add. This copies the object.</param>
/// <exception cref="PibImpl.Error">for a non-semantic (database access) error.</exception>
public override void addCertificate(CertificateV2 certificate)
{
// Ensure the key exists.
Blob content = certificate.getContent();
addKey(certificate.getIdentity(), certificate.getKeyName(),
content.buf());
if (!hasCertificate(certificate.getName()))
{
try {
PreparedStatement statement = database_
.prepareStatement(net.named_data.jndn.security.pib.PibSqlite3Base.INSERT_addCertificate);
statement.setBytes(1, certificate.getKeyName().wireEncode()
.getImmutableArray());
statement.setBytes(2, certificate.getName().wireEncode()
.getImmutableArray());
statement.setBytes(3, certificate.wireEncode()
.getImmutableArray());
try {
statement.executeUpdate();
} finally {
statement.close();
}
} catch (SQLException exception) {
throw new PibImpl.Error("PibSqlite3: SQLite error: "
+ exception);
}
}
else
{
try {
PreparedStatement statement_0 = database_
.prepareStatement(net.named_data.jndn.security.pib.PibSqlite3Base.UPDATE_addCertificate);
statement_0.setBytes(1, certificate.wireEncode()
.getImmutableArray());
statement_0.setBytes(2, certificate.getName().wireEncode()
.getImmutableArray());
try {
statement_0.executeUpdate();
} finally {
statement_0.close();
}
} catch (SQLException exception_1) {
throw new PibImpl.Error("PibSqlite3: SQLite error: "
+ exception_1);
}
}
if (!hasDefaultCertificateOfKey(certificate.getKeyName()))
{
try {
setDefaultCertificateOfKey(certificate.getKeyName(),
certificate.getName());
} catch (Pib.Error ex) {
throw new PibImpl.Error(
"PibSqlite3: Error setting the default certificate: "
+ ex);
}
}
}
private static CertificateV2 makeSelfSignedCertificate(Name keyName,
Blob privateKeyBag, Blob publicKeyEncoding, ByteBuffer password,
DigestAlgorithm digestAlgorithm, WireFormat wireFormat)
{
CertificateV2 certificate = new CertificateV2();
// Set the name.
double now = net.named_data.jndn.util.Common.getNowMilliseconds();
Name certificateName = new Name(keyName);
certificateName.append("self").appendVersion((long)now);
certificate.setName(certificateName);
// Set the MetaInfo.
certificate.getMetaInfo().setType(net.named_data.jndn.ContentType.KEY);
// Set a one-hour freshness period.
certificate.getMetaInfo().setFreshnessPeriod(3600 * 1000.0d);
// Set the content.
PublicKey publicKey = null;
try {
publicKey = new PublicKey(publicKeyEncoding);
} catch (UnrecognizedKeyFormatException ex) {
// Promote to Pib.Error.
throw new Pib.Error("Error decoding public key " + ex);
}
certificate.setContent(publicKey.getKeyDer());
// Create a temporary in-memory Tpm and import the private key.
Tpm tpm = new Tpm("", "", new TpmBackEndMemory());
tpm.importPrivateKey_(keyName, privateKeyBag.buf(), password);
// Set the signature info.
if (publicKey.getKeyType() == net.named_data.jndn.security.KeyType.RSA)
{
certificate.setSignature(new Sha256WithRsaSignature());
}
else if (publicKey.getKeyType() == net.named_data.jndn.security.KeyType.EC)
{
certificate.setSignature(new Sha256WithEcdsaSignature());
}
else
{
throw new AssertionError("Unsupported key type");
}
Signature signatureInfo = certificate.getSignature();
net.named_data.jndn.KeyLocator.getFromSignature(signatureInfo).setType(
net.named_data.jndn.KeyLocatorType.KEYNAME);
net.named_data.jndn.KeyLocator.getFromSignature(signatureInfo).setKeyName(keyName);
// Set a 20-year validity period.
net.named_data.jndn.security.ValidityPeriod.getFromSignature(signatureInfo).setPeriod(now,
now + 20 * 365 * 24 * 3600 * 1000.0d);
// Encode once to get the signed portion.
SignedBlob encoding = certificate.wireEncode(wireFormat);
Blob signatureBytes = tpm.sign(encoding.signedBuf(), keyName,
digestAlgorithm);
signatureInfo.setSignature(signatureBytes);
// Encode again to include the signature.
certificate.wireEncode(wireFormat);
return(certificate);
}
