Example #1
0
 /// <summary>
 /// Check the type of signature and use the publicKeyDer to verify the
 /// signedBlob using the appropriate signature algorithm.
 /// </summary>
 ///
 /// <param name="signature"></param>
 /// <param name="signedBlob">the SignedBlob with the signed portion to verify.</param>
 /// <param name="publicKeyDer"></param>
 /// <returns>True if the signature is verified, false if failed.</returns>
 /// <exception cref="System.Security.SecurityException">if the signature type is not recognized or ifpublicKeyDer can't be decoded.</exception>
 protected static internal bool verifySignature(
     net.named_data.jndn.Signature signature, SignedBlob signedBlob,
     Blob publicKeyDer)
 {
     if (signature  is  Sha256WithRsaSignature ||
         signature  is  Sha256WithEcdsaSignature)
     {
         if (publicKeyDer.isNull())
         {
             return(false);
         }
         return(net.named_data.jndn.security.VerificationHelpers.verifySignature(signedBlob.signedBuf(),
                                                                                 signature.getSignature(), new PublicKey(publicKeyDer),
                                                                                 net.named_data.jndn.security.DigestAlgorithm.SHA256));
     }
     else if (signature  is  DigestSha256Signature)
     {
         return(net.named_data.jndn.security.VerificationHelpers.verifyDigest(signedBlob.signedBuf(),
                                                                              signature.getSignature(), net.named_data.jndn.security.DigestAlgorithm.SHA256));
     }
     else
     {
         // We don't expect this to happen.
         throw new SecurityException(
                   "PolicyManager.verify: Signature type is unknown");
     }
 }
        /// <summary>
        /// Verify the Data packet using the digest algorithm. This does not check the
        /// digest algorithm against the type of SignatureInfo in the Data packet such
        /// as DigestSha256Signature.
        /// </summary>
        ///
        /// <param name="data">The Data packet to verify.</param>
        /// <param name="digestAlgorithm">The digest algorithm, such as DigestAlgorithm.SHA256.</param>
        /// <param name="wireFormat">A WireFormat object used to encode the Data packet.</param>
        /// <returns>True if verification succeeds, false if verification fails.</returns>
        /// <exception cref="System.ArgumentException">for an invalid digestAlgorithm.</exception>
        public static bool verifyDataDigest(Data data,
                                            DigestAlgorithm digestAlgorithm, WireFormat wireFormat)
        {
            SignedBlob encoding = data.wireEncode(wireFormat);

            return(verifyDigest(encoding.signedBuf(), data.getSignature()
                                .getSignature(), digestAlgorithm));
        }
Example #3
0
        /// <summary>
        /// Verify the DigestSha256 signature on the SignedBlob by verifying that the
        /// digest of SignedBlob equals the signature.
        /// </summary>
        ///
        /// <param name="signature">The signature bits.</param>
        /// <param name="signedBlob">the SignedBlob with the signed portion to verify.</param>
        /// <returns>true if the signature verifies, false if not.</returns>
        protected static internal bool verifyDigestSha256Signature(Blob signature,
                                                                   SignedBlob signedBlob)
        {
            // Set signedPortionDigest to the digest of the signed portion of the signedBlob.
            byte[] signedPortionDigest = net.named_data.jndn.util.Common
                                         .digestSha256(signedBlob.signedBuf());

            return(ILOG.J2CsMapping.Collections.Arrays.Equals(signedPortionDigest, signature.getImmutableArray()));
        }
Example #4
0
        /// <summary>
        /// Wire encode the data packet, compute an HmacWithSha256 and update the
        /// signature value.
        /// </summary>
        ///
        /// @note This method is an experimental feature. The API may change.
        /// <param name="data">The Data object to be signed. This updates its signature.</param>
        /// <param name="key">The key for the HmacWithSha256.</param>
        /// <param name="wireFormat">A WireFormat object used to encode the data packet.</param>
        public static void signWithHmacWithSha256(Data data, Blob key,
                                                  WireFormat wireFormat)
        {
            // Encode once to get the signed portion.
            SignedBlob encoding = data.wireEncode(wireFormat);

            byte[] signatureBytes = net.named_data.jndn.util.Common.computeHmacWithSha256(
                key.getImmutableArray(), encoding.signedBuf());
            data.getSignature().setSignature(new Blob(signatureBytes, false));
        }
Example #5
0
        /// <summary>
        /// Compute a new HmacWithSha256 for the data packet and verify it against the
        /// signature value.
        /// </summary>
        ///
        /// @note This method is an experimental feature. The API may change.
        /// <param name="data">The Data packet to verify.</param>
        /// <param name="key">The key for the HmacWithSha256.</param>
        /// <param name="wireFormat">A WireFormat object used to encode the data packet.</param>
        /// <returns>True if the signature verifies, otherwise false.</returns>
        public static bool verifyDataWithHmacWithSha256(Data data, Blob key,
                                                        WireFormat wireFormat)
        {
            // wireEncode returns the cached encoding if available.
            SignedBlob encoding = data.wireEncode(wireFormat);

            byte[] newSignatureBytes = net.named_data.jndn.util.Common.computeHmacWithSha256(
                key.getImmutableArray(), encoding.signedBuf());

            return(ILOG.J2CsMapping.NIO.ByteBuffer.wrap(newSignatureBytes).equals(
                       data.getSignature().getSignature().buf()));
        }
        /// <summary>
        /// Verify the Interest packet using the digest algorithm, where the last two
        /// name components are the SignatureInfo and signature bytes. This does not
        /// check the digest algorithm against the type of SignatureInfo such as
        /// DigestSha256Signature.
        /// </summary>
        ///
        /// <param name="interest">The Interest packet to verify.</param>
        /// <param name="digestAlgorithm">The digest algorithm, such as DigestAlgorithm.SHA256.</param>
        /// <param name="wireFormat">A WireFormat object used to decode the Interest packet.</param>
        /// <returns>True if verification succeeds, false if verification fails or
        /// cannot decode the Interest.</returns>
        /// <exception cref="System.ArgumentException">for an invalid digestAlgorithm.</exception>
        public static bool verifyInterestDigest(Interest interest,
                                                DigestAlgorithm digestAlgorithm, WireFormat wireFormat)
        {
            Signature signature = extractSignature(interest, wireFormat);

            if (signature == null)
            {
                return(false);
            }

            SignedBlob encoding = interest.wireEncode(wireFormat);

            return(verifyDigest(encoding.signedBuf(), signature.getSignature(),
                                digestAlgorithm));
        }
Example #7
0
        /// <summary>
        /// Verify the ECDSA signature on the SignedBlob using the given public key.
        /// </summary>
        ///
        /// <param name="signature">The signature bits.</param>
        /// <param name="signedBlob">the SignedBlob with the signed portion to verify.</param>
        /// <param name="publicKeyDer">The DER-encoded public key used to verify the signature.</param>
        /// <returns>true if the signature verifies, false if not.</returns>
        protected static internal bool verifySha256WithEcdsaSignature(Blob signature,
                                                                      SignedBlob signedBlob, Blob publicKeyDer)
        {
            KeyFactory keyFactory = null;

            try {
                keyFactory = System.KeyFactory.getInstance("EC");
            } catch (Exception exception) {
                // Don't expect this to happen.
                throw new SecurityException("EC is not supported: "
                                            + exception.Message);
            }

            System.SecurityPublicKey publicKey = null;
            try {
                publicKey = keyFactory.generatePublic(new X509EncodedKeySpec(
                                                          publicKeyDer.getImmutableArray()));
            } catch (InvalidKeySpecException exception_0) {
                // Don't expect this to happen.
                throw new SecurityException("X509EncodedKeySpec is not supported: "
                                            + exception_0.Message);
            }

            System.SecuritySignature ecSignature = null;
            try {
                ecSignature = System.SecuritySignature
                              .getInstance("SHA256withECDSA");
            } catch (Exception e) {
                // Don't expect this to happen.
                throw new SecurityException(
                          "SHA256withECDSA algorithm is not supported");
            }

            try {
                ecSignature.initVerify(publicKey);
            } catch (InvalidKeyException exception_1) {
                throw new SecurityException("InvalidKeyException: "
                                            + exception_1.Message);
            }
            try {
                ecSignature.update(signedBlob.signedBuf());
                return(ecSignature.verify(signature.getImmutableArray()));
            } catch (SignatureException exception_2) {
                throw new SecurityException("SignatureException: "
                                            + exception_2.Message);
            }
        }
Example #8
0
        private static CertificateV2 makeSelfSignedCertificate(Name keyName,
                                                               Blob privateKeyBag, Blob publicKeyEncoding, ByteBuffer password,
                                                               DigestAlgorithm digestAlgorithm, WireFormat wireFormat)
        {
            CertificateV2 certificate = new CertificateV2();

            // Set the name.
            double now             = net.named_data.jndn.util.Common.getNowMilliseconds();
            Name   certificateName = new Name(keyName);

            certificateName.append("self").appendVersion((long)now);
            certificate.setName(certificateName);

            // Set the MetaInfo.
            certificate.getMetaInfo().setType(net.named_data.jndn.ContentType.KEY);
            // Set a one-hour freshness period.
            certificate.getMetaInfo().setFreshnessPeriod(3600 * 1000.0d);

            // Set the content.
            PublicKey publicKey = null;

            try {
                publicKey = new PublicKey(publicKeyEncoding);
            } catch (UnrecognizedKeyFormatException ex) {
                // Promote to Pib.Error.
                throw new Pib.Error("Error decoding public key " + ex);
            }
            certificate.setContent(publicKey.getKeyDer());

            // Create a temporary in-memory Tpm and import the private key.
            Tpm tpm = new Tpm("", "", new TpmBackEndMemory());

            tpm.importPrivateKey_(keyName, privateKeyBag.buf(), password);

            // Set the signature info.
            if (publicKey.getKeyType() == net.named_data.jndn.security.KeyType.RSA)
            {
                certificate.setSignature(new Sha256WithRsaSignature());
            }
            else if (publicKey.getKeyType() == net.named_data.jndn.security.KeyType.EC)
            {
                certificate.setSignature(new Sha256WithEcdsaSignature());
            }
            else
            {
                throw new AssertionError("Unsupported key type");
            }
            Signature signatureInfo = certificate.getSignature();

            net.named_data.jndn.KeyLocator.getFromSignature(signatureInfo).setType(
                net.named_data.jndn.KeyLocatorType.KEYNAME);
            net.named_data.jndn.KeyLocator.getFromSignature(signatureInfo).setKeyName(keyName);

            // Set a 20-year validity period.
            net.named_data.jndn.security.ValidityPeriod.getFromSignature(signatureInfo).setPeriod(now,
                                                                                                  now + 20 * 365 * 24 * 3600 * 1000.0d);

            // Encode once to get the signed portion.
            SignedBlob encoding       = certificate.wireEncode(wireFormat);
            Blob       signatureBytes = tpm.sign(encoding.signedBuf(), keyName,
                                                 digestAlgorithm);

            signatureInfo.setSignature(signatureBytes);

            // Encode again to include the signature.
            certificate.wireEncode(wireFormat);

            return(certificate);
        }