internal static void Transfer(SVX_MSG msg, Principal producer, Principal sender,
Principal realRequestProducer, bool browserOnly)
{
if (producer == null || sender == null)
{
// Auto-generate them instead? But we'd need to know the issuer.
// We may eventually have a global variable for the current party.
throw new ArgumentNullException();
}
if (VProgram_API.InVProgram)
{
if (browserOnly)
{
Contract.Assume(!VProgram_API.ActsFor(sender, VProgram_API.trustedServerPrincipal));
}
}
else
{
TransferProd(msg, producer, sender, realRequestProducer, browserOnly);
}
// Make the same metadata changes in the vProgram as in production.
msg.SVX_producer = producer;
msg.SVX_sender = sender;
msg.SVX_placeholderRequestProducer = null;
}
// I guess if you really want to try a Verify that might fail and catch
// the exception, then the AssumeValidToken won't happen in that case.
public void Verify(TParams theParams, string tokenValue)
{
RawVerifyWrapper(theParams, tokenValue);
// I'm not sure this is necessary; hopefully it won't hurt.
VProgram_API.Assert(tokenValue != null);
VProgram_API.AssumeValidToken(tokenValue, theParams);
}
internal override void Export(TMessage message, Principal receiver, Principal target)
{
var secret = accessor.Get(message);
if (secret.knownReaders == null)
{
throw new InvalidOperationException("Secret was never imported??");
}
if (!VProgram_API.KnownActsForAny(receiver, secret.knownReaders))
{
throw new Exception("Secret is not allowed to be sent to receiver " + receiver);
}
if (target != null && !VProgram_API.KnownActsForAny(target, secret.knownReaders))
{
throw new Exception("Secret is not allowed to be sent to target " + target);
}
foreach (var reader in getKnownReaders(message))
{
if (!VProgram_API.KnownActsForAny(reader, secret.knownReaders))
{
throw new Exception("Secret is not allowed to be sent to reader " + reader + " given by message structure");
}
}
secret.exportApproved = true;
}
public string Generate(TParams theParams)
{
var tokenValue = RawGenerateWrapper(theParams);
VProgram_API.AssumeValidToken(tokenValue, theParams);
return(tokenValue);
}
public PayloadSecret <TMessage> Generate(TMessage message, Entity currentPrincipal)
{
var readers = GetReaders(message);
// None of these checks are really the business of the vProgram, and
// in particular, !message.active will be a contradiction.
if (!VProgram_API.InVProgram)
{
if (currentPrincipal != Signer)
{
throw new Exception("Misconfiguration: current principal is signing a message " +
"but is not the designated signer for this secret generator.");
}
// XXX Would it be more consistent to make the message nondet instead?
if (!message.active)
{
throw new InvalidOperationException("Cannot sign a message without an active SymT");
}
if (!readers.Contains(currentPrincipal))
{
throw new Exception("Misconfiguration: secret generated by a principal not on its reader list.");
}
}
var secretValue = RawGenerateWrapper(message);
VProgram_API.AssumeValidSecret(secretValue, message, readers);
return(new PayloadSecret <TMessage>
{
theParams = message,
secretValue = secretValue,
knownReaders = readers
});
}
// I guess if you really want to try a Verify that might fail and catch
// the exception, then the AssumeValidSecret won't happen in that case.
public void Verify(TParams theParams, Secret secret)
{
RawVerifyWrapper(theParams, secret);
// I'm not sure this is necessary; hopefully it won't hurt.
VProgram_API.Assert(secret.secretValue != null);
VProgram_API.AssumeValidSecret(secret.secretValue, theParams, GetReaders(theParams));
}
// TODO: In the real SVX API, currentPrincipal should be an ambient
// variable of some kind (maybe not global if we want to run tests that
// simulate multiple principals in the same process).
public Secret Generate(TParams theParams, Entity currentPrincipal)
{
var readers = GetReaders(theParams);
if (!VProgram_API.InVProgram)
{
if (!readers.Contains(currentPrincipal))
{
throw new Exception("Misconfiguration: secret generated by a principal not on its reader list.");
}
}
var secretValue = RawGenerateWrapper(theParams);
VProgram_API.AssumeValidSecret(secretValue, theParams, readers);
return(new Secret {
secretValue = secretValue,
knownReaders = readers
});
}
// To prevent a secret value from being leaked by passing it to a
// PayloadSecretGenerator for the wrong secret format, which thinks the
// secret part is a public part and extracts it, these methods are
// restricted to be called only via a MessageStructure on import. TBD
// what to do if this doesn't end up meeting our needs.
internal void ExtractUnverified(PayloadSecret <TMessage> secret)
{
secret.theParams = RawExtractUnverified(secret.secretValue);
VProgram_API.Assert(secret.theParams != null);
}
