public void testUnlimitedRecords()
{
fixture_ = new ValidationPolicyCommandInterestFixture(
new ValidationPolicyCommandInterest.Options(15 * 1000.0d, -1));
ArrayList <PibIdentity> identities = new ArrayList <PibIdentity>();
for (int i = 0; i < 20; ++i)
{
PibIdentity identity = fixture_.addSubCertificate(new Name(
"/Security/V2/ValidatorFixture/Sub" + i),
fixture_.identity_);
fixture_.cache_.insert(identity.getDefaultKey()
.getDefaultCertificate());
ILOG.J2CsMapping.Collections.Collections.Add(identities, identity);
}
// Signed at 0 seconds.
Interest interest1 = fixture_.makeCommandInterest(identities[0]);
fixture_.setNowOffsetMilliseconds(1 * 1000.0d);
for (int i_0 = 0; i_0 < 20; ++i_0)
{
// Signed at +1 seconds.
Interest interest2 = fixture_
.makeCommandInterest(identities[i_0]);
validateExpectSuccess(interest2, "Should succeed");
}
validateExpectFailure(interest1, "Should fail (timestamp reorder)");
}
/// <summary>
/// Save the identity's certificate to a file.
/// </summary>
///
/// <param name="identity">The PibIdentity.</param>
/// <param name="filePath">The file path, which should be writable.</param>
/// <returns>True if successful.</returns>
public bool saveCertificate(PibIdentity identity, String filePath)
{
try {
CertificateV2 certificate = identity.getDefaultKey()
.getDefaultCertificate();
return(saveCertificateToFile(certificate, filePath));
} catch (Pib.Error ex) {
return(false);
}
}
public void testFindByInterest()
{
anchorContainer.insert("group1", certificatePath1.FullName,
400.0d);
Interest interest = new Interest(identity1.getName());
Assert.AssertTrue(anchorContainer.find(interest) != null);
Interest interest1 = new Interest(identity1.getName().getPrefix(-1));
Assert.AssertTrue(anchorContainer.find(interest1) != null);
Interest interest2 = new Interest(
new Name(identity1.getName()).appendVersion(1));
Assert.AssertTrue(anchorContainer.find(interest2) == null);
CertificateV2 certificate3 = fixture.addCertificate(
identity1.getDefaultKey(), "3");
CertificateV2 certificate4 = fixture.addCertificate(
identity1.getDefaultKey(), "4");
CertificateV2 certificate5 = fixture.addCertificate(
identity1.getDefaultKey(), "5");
CertificateV2 certificate3Copy = new CertificateV2(certificate3);
anchorContainer.insert("group2", certificate3Copy);
anchorContainer.insert("group3", certificate4);
anchorContainer.insert("group4", certificate5);
Interest interest3 = new Interest(certificate3.getKeyName());
CertificateV2 foundCertificate = anchorContainer.find(interest3);
Assert.AssertTrue(foundCertificate != null);
Assert.AssertTrue(interest3.getName().isPrefixOf(foundCertificate.getName()));
Assert.AssertTrue(certificate3.getName().equals(foundCertificate.getName()));
interest3.getExclude().appendComponent(
certificate3.getName().get(net.named_data.jndn.security.v2.CertificateV2.ISSUER_ID_OFFSET));
foundCertificate = anchorContainer.find(interest3);
Assert.AssertTrue(foundCertificate != null);
Assert.AssertTrue(interest3.getName().isPrefixOf(foundCertificate.getName()));
Assert.AssertTrue(!foundCertificate.getName().equals(certificate3.getName()));
}
public void testLimitedRecords()
{
fixture_ = new ValidationPolicyCommandInterestFixture(
new ValidationPolicyCommandInterest.Options(15 * 1000.0d, 3));
PibIdentity identity1 = fixture_.addSubCertificate(new Name(
"/Security/V2/ValidatorFixture/Sub1"), fixture_.identity_);
fixture_.cache_.insert(identity1.getDefaultKey()
.getDefaultCertificate());
PibIdentity identity2 = fixture_.addSubCertificate(new Name(
"/Security/V2/ValidatorFixture/Sub2"), fixture_.identity_);
fixture_.cache_.insert(identity2.getDefaultKey()
.getDefaultCertificate());
PibIdentity identity3 = fixture_.addSubCertificate(new Name(
"/Security/V2/ValidatorFixture/Sub3"), fixture_.identity_);
fixture_.cache_.insert(identity3.getDefaultKey()
.getDefaultCertificate());
PibIdentity identity4 = fixture_.addSubCertificate(new Name(
"/Security/V2/ValidatorFixture/Sub4"), fixture_.identity_);
fixture_.cache_.insert(identity4.getDefaultKey()
.getDefaultCertificate());
Interest interest1 = fixture_.makeCommandInterest(identity2);
Interest interest2 = fixture_.makeCommandInterest(identity3);
Interest interest3 = fixture_.makeCommandInterest(identity4);
// Signed at 0 seconds.
Interest interest00 = fixture_.makeCommandInterest(identity1);
// Signed at +1 seconds.
fixture_.setNowOffsetMilliseconds(1 * 1000.0d);
Interest interest01 = fixture_.makeCommandInterest(identity1);
// Signed at +2 seconds.
fixture_.setNowOffsetMilliseconds(2 * 1000.0d);
Interest interest02 = fixture_.makeCommandInterest(identity1);
validateExpectSuccess(interest00, "Should succeed");
validateExpectSuccess(interest02, "Should succeed");
validateExpectSuccess(interest1, "Should succeed");
validateExpectSuccess(interest2, "Should succeed");
validateExpectSuccess(interest3, "Should succeed, forgets identity1");
validateExpectSuccess(
interest01,
"Should succeed despite timestamp is reordered, because the record has been evicted");
}
/// <summary>
/// Create an AccessManagerV2 to serve the NAC public key for other data
/// producers to fetch, and to serve encrypted versions of the private keys
/// (as safe bags) for authorized consumers to fetch.
/// KEK and KDK naming:
/// [identity]/NAC/[dataset]/KEK /[key-id] (== KEK, public key)
/// [identity]/NAC/[dataset]/KDK/[key-id] /ENCRYPTED-BY/[user]/KEY/[key-id] (== KDK, encrypted private key)
/// \_____________ ______________/
/// \/
/// registered with NFD
/// </summary>
///
/// <param name="identity"></param>
/// <param name="dataset">The name of dataset that this manager is controlling.</param>
/// <param name="keyChain">The KeyChain used to sign Data packets.</param>
/// <param name="face"></param>
public AccessManagerV2(PibIdentity identity, Name dataset,
KeyChain keyChain, Face face)
{
this.storage_ = new InMemoryStorageRetaining();
identity_ = identity;
keyChain_ = keyChain;
face_ = face;
// The NAC identity is: <identity>/NAC/<dataset>
// Generate the NAC key.
PibIdentity nacIdentity = keyChain_.createIdentityV2(
new Name(identity.getName()).append(
net.named_data.jndn.encrypt.EncryptorV2.NAME_COMPONENT_NAC).append(dataset),
new RsaKeyParams());
nacKey_ = nacIdentity.getDefaultKey();
if (nacKey_.getKeyType() != net.named_data.jndn.security.KeyType.RSA)
{
logger_.log(ILOG.J2CsMapping.Util.Logging.Level.INFO,
"Cannot re-use existing KEK/KDK pair, as it is not an RSA key, regenerating");
nacKey_ = keyChain_.createKey(nacIdentity, new RsaKeyParams());
}
Name.Component nacKeyId = nacKey_.getName().get(-1);
Name kekPrefix = new Name(nacKey_.getIdentityName())
.append(net.named_data.jndn.encrypt.EncryptorV2.NAME_COMPONENT_KEK);
Data kekData = new Data(nacKey_.getDefaultCertificate());
kekData.setName(new Name(kekPrefix).append(nacKeyId));
kekData.getMetaInfo().setFreshnessPeriod(
DEFAULT_KEK_FRESHNESS_PERIOD_MS);
keyChain_.sign(kekData, new SigningInfo(identity_));
// A KEK looks like a certificate, but doesn't have a ValidityPeriod.
storage_.insert(kekData);
OnInterestCallback serveFromStorage = new AccessManagerV2.Anonymous_C1(this);
OnRegisterFailed onRegisterFailed = new AccessManagerV2.Anonymous_C0();
kekRegisteredPrefixId_ = face_.registerPrefix(kekPrefix,
serveFromStorage, onRegisterFailed);
Name kdkPrefix = new Name(nacKey_.getIdentityName()).append(
net.named_data.jndn.encrypt.EncryptorV2.NAME_COMPONENT_KDK).append(nacKeyId);
kdkRegisteredPrefixId_ = face_.registerPrefix(kdkPrefix,
serveFromStorage, onRegisterFailed);
}
/// <summary>
/// Issue a certificate for subIdentityName signed by issuer. If the identity
/// does not exist, it is created. A new key is generated as the default key
/// for the identity. A default certificate for the key is signed by the
/// issuer using its default certificate.
/// </summary>
///
/// <param name="subIdentityName">The name to issue the certificate for.</param>
/// <param name="issuer">The identity of the signer.</param>
/// <param name="params"></param>
/// <returns>The sub identity.</returns>
internal PibIdentity addSubCertificate(Name subIdentityName, PibIdentity issuer,
KeyParams paras)
{
PibIdentity subIdentity = addIdentity(subIdentityName, paras);
CertificateV2 request = subIdentity.getDefaultKey()
.getDefaultCertificate();
request.setName(request.getKeyName().append("parent").appendVersion(1));
SigningInfo certificateParams = new SigningInfo(issuer);
// Validity period of 20 years.
double now = net.named_data.jndn.util.Common.getNowMilliseconds();
certificateParams.setValidityPeriod(new ValidityPeriod(now, now + 20
* 365 * 24 * 3600 * 1000.0d));
// Skip the AdditionalDescription.
keyChain_.sign(request, certificateParams);
keyChain_.setDefaultCertificate(subIdentity.getDefaultKey(), request);
return(subIdentity);
}
public void setUp()
{
anchorContainer = new TrustAnchorContainer();
fixture = new IdentityManagementFixture();
// Create a directory and prepares two certificates.
certificateDirectoryPath = new FileInfo(System.IO.Path.Combine(net.named_data.jndn.tests.integration_tests.IntegrationTestsCommon.getPolicyConfigDirectory().FullName, "test-cert-dir"));
System.IO.Directory.CreateDirectory(certificateDirectoryPath.FullName);
certificatePath1 = new FileInfo(System.IO.Path.Combine(certificateDirectoryPath.FullName, "trust-anchor-1.cert"));
certificatePath2 = new FileInfo(System.IO.Path.Combine(certificateDirectoryPath.FullName, "trust-anchor-2.cert"));
identity1 = fixture.addIdentity(new Name("/TestAnchorContainer/First"));
certificate1 = identity1.getDefaultKey().getDefaultCertificate();
fixture.saveCertificateToFile(certificate1,
certificatePath1.FullName);
identity2 = fixture
.addIdentity(new Name("/TestAnchorContainer/Second"));
certificate2 = identity2.getDefaultKey().getDefaultCertificate();
fixture.saveCertificateToFile(certificate2,
certificatePath2.FullName);
}
public void testManagement()
{
Name identityName = new Name("/test/id");
Name identity2Name = new Name("/test/id2");
Assert.AssertEquals(0, fixture_.keyChain_.getPib().getIdentities_().size());
try {
fixture_.keyChain_.getPib().getDefaultIdentity();
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex) {
} catch (Exception ex_0) {
Assert.Fail("Did not throw the expected exception");
}
// Create an identity.
PibIdentity id = fixture_.keyChain_.createIdentityV2(identityName);
Assert.AssertTrue(id != null);
Assert.AssertTrue(fixture_.keyChain_.getPib().getIdentities_()
.getIdentities_().Contains(identityName));
// The first added identity becomes the default identity.
try {
fixture_.keyChain_.getPib().getDefaultIdentity();
} catch (Exception ex_1) {
Assert.Fail("Unexpected exception: " + ex_1.Message);
}
// The default key of the added identity must exist.
PibKey key = null;
try {
key = id.getDefaultKey();
} catch (Exception ex_2) {
Assert.Fail("Unexpected exception: " + ex_2.Message);
}
// The default certificate of the default key must exist.
try {
key.getDefaultCertificate();
} catch (Exception ex_3) {
Assert.Fail("Unexpected exception: " + ex_3.Message);
}
// Delete the key.
Name key1Name = key.getName();
try {
id.getKey(key1Name);
} catch (Exception ex_4) {
Assert.Fail("Unexpected exception: " + ex_4.Message);
}
Assert.AssertEquals(1, id.getKeys_().size());
fixture_.keyChain_.deleteKey(id, key);
/* TODO: Implement key validity.
* // The key instance should not be valid anymore.
* assertTrue(!key);
*/
try {
id.getKey(key1Name);
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_5) {
} catch (Exception ex_6) {
Assert.Fail("Did not throw the expected exception");
}
Assert.AssertEquals(0, id.getKeys_().size());
// Create another key.
fixture_.keyChain_.createKey(id);
// The added key becomes the default key.
try {
id.getDefaultKey();
} catch (Exception ex_7) {
Assert.Fail("Unexpected exception: " + ex_7.Message);
}
PibKey key2 = id.getDefaultKey();
Assert.AssertTrue(key2 != null);
Assert.AssertTrue(!key2.getName().equals(key1Name));
Assert.AssertEquals(1, id.getKeys_().size());
try {
key2.getDefaultCertificate();
} catch (Exception ex_8) {
Assert.Fail("Unexpected exception: " + ex_8.Message);
}
// Create a third key.
PibKey key3 = fixture_.keyChain_.createKey(id);
Assert.AssertTrue(!key3.getName().equals(key2.getName()));
// The added key will not be the default key, because the default key already exists.
Assert.AssertTrue(id.getDefaultKey().getName().equals(key2.getName()));
Assert.AssertEquals(2, id.getKeys_().size());
try {
key3.getDefaultCertificate();
} catch (Exception ex_9) {
Assert.Fail("Unexpected exception: " + ex_9.Message);
}
// Delete the certificate.
Assert.AssertEquals(1, key3.getCertificates_().size());
CertificateV2 key3Cert1 = (CertificateV2)ILOG.J2CsMapping.Collections.Collections.ToArray(key3.getCertificates_()
.getCertificates_().Values)[0];
Name key3CertName = key3Cert1.getName();
fixture_.keyChain_.deleteCertificate(key3, key3CertName);
Assert.AssertEquals(0, key3.getCertificates_().size());
try {
key3.getDefaultCertificate();
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_10) {
} catch (Exception ex_11) {
Assert.Fail("Did not throw the expected exception");
}
// Add a certificate.
fixture_.keyChain_.addCertificate(key3, key3Cert1);
Assert.AssertEquals(1, key3.getCertificates_().size());
try {
key3.getDefaultCertificate();
} catch (Exception ex_12) {
Assert.Fail("Unexpected exception: " + ex_12.Message);
}
// Overwriting the certificate should work.
fixture_.keyChain_.addCertificate(key3, key3Cert1);
Assert.AssertEquals(1, key3.getCertificates_().size());
// Add another certificate.
CertificateV2 key3Cert2 = new CertificateV2(key3Cert1);
Name key3Cert2Name = new Name(key3.getName());
key3Cert2Name.append("Self");
key3Cert2Name.appendVersion(1);
key3Cert2.setName(key3Cert2Name);
fixture_.keyChain_.addCertificate(key3, key3Cert2);
Assert.AssertEquals(2, key3.getCertificates_().size());
// Set the default certificate.
Assert.AssertTrue(key3.getDefaultCertificate().getName().equals(key3CertName));
fixture_.keyChain_.setDefaultCertificate(key3, key3Cert2);
Assert.AssertTrue(key3.getDefaultCertificate().getName().equals(key3Cert2Name));
// Set the default key.
Assert.AssertTrue(id.getDefaultKey().getName().equals(key2.getName()));
fixture_.keyChain_.setDefaultKey(id, key3);
Assert.AssertTrue(id.getDefaultKey().getName().equals(key3.getName()));
// Set the default identity.
PibIdentity id2 = fixture_.keyChain_.createIdentityV2(identity2Name);
Assert.AssertTrue(fixture_.keyChain_.getPib().getDefaultIdentity().getName()
.equals(id.getName()));
fixture_.keyChain_.setDefaultIdentity(id2);
Assert.AssertTrue(fixture_.keyChain_.getPib().getDefaultIdentity().getName()
.equals(id2.getName()));
// Delete an identity.
fixture_.keyChain_.deleteIdentity(id);
/* TODO: Implement identity validity.
* // The identity instance should not be valid any more.
* BOOST_CHECK(!id);
*/
try {
fixture_.keyChain_.getPib().getIdentity(identityName);
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_13) {
} catch (Exception ex_14) {
Assert.Fail("Did not throw the expected exception");
}
Assert.AssertTrue(!fixture_.keyChain_.getPib().getIdentities_()
.getIdentities_().Contains(identityName));
}