internal static void Transfer(SVX_MSG msg, Principal producer, Principal sender, Principal realRequestProducer, bool browserOnly) { if (producer == null || sender == null) { // Auto-generate them instead? But we'd need to know the issuer. // We may eventually have a global variable for the current party. throw new ArgumentNullException(); } if (VProgram_API.InVProgram) { if (browserOnly) { Contract.Assume(!VProgram_API.ActsFor(sender, VProgram_API.trustedServerPrincipal)); } } else { TransferProd(msg, producer, sender, realRequestProducer, browserOnly); } // Make the same metadata changes in the vProgram as in production. msg.SVX_producer = producer; msg.SVX_sender = sender; msg.SVX_placeholderRequestProducer = null; }
// I guess if you really want to try a Verify that might fail and catch // the exception, then the AssumeValidToken won't happen in that case. public void Verify(TParams theParams, string tokenValue) { RawVerifyWrapper(theParams, tokenValue); // I'm not sure this is necessary; hopefully it won't hurt. VProgram_API.Assert(tokenValue != null); VProgram_API.AssumeValidToken(tokenValue, theParams); }
internal override void Export(TMessage message, Principal receiver, Principal target) { var secret = accessor.Get(message); if (secret.knownReaders == null) { throw new InvalidOperationException("Secret was never imported??"); } if (!VProgram_API.KnownActsForAny(receiver, secret.knownReaders)) { throw new Exception("Secret is not allowed to be sent to receiver " + receiver); } if (target != null && !VProgram_API.KnownActsForAny(target, secret.knownReaders)) { throw new Exception("Secret is not allowed to be sent to target " + target); } foreach (var reader in getKnownReaders(message)) { if (!VProgram_API.KnownActsForAny(reader, secret.knownReaders)) { throw new Exception("Secret is not allowed to be sent to reader " + reader + " given by message structure"); } } secret.exportApproved = true; }
public string Generate(TParams theParams) { var tokenValue = RawGenerateWrapper(theParams); VProgram_API.AssumeValidToken(tokenValue, theParams); return(tokenValue); }
public PayloadSecret <TMessage> Generate(TMessage message, Entity currentPrincipal) { var readers = GetReaders(message); // None of these checks are really the business of the vProgram, and // in particular, !message.active will be a contradiction. if (!VProgram_API.InVProgram) { if (currentPrincipal != Signer) { throw new Exception("Misconfiguration: current principal is signing a message " + "but is not the designated signer for this secret generator."); } // XXX Would it be more consistent to make the message nondet instead? if (!message.active) { throw new InvalidOperationException("Cannot sign a message without an active SymT"); } if (!readers.Contains(currentPrincipal)) { throw new Exception("Misconfiguration: secret generated by a principal not on its reader list."); } } var secretValue = RawGenerateWrapper(message); VProgram_API.AssumeValidSecret(secretValue, message, readers); return(new PayloadSecret <TMessage> { theParams = message, secretValue = secretValue, knownReaders = readers }); }
// I guess if you really want to try a Verify that might fail and catch // the exception, then the AssumeValidSecret won't happen in that case. public void Verify(TParams theParams, Secret secret) { RawVerifyWrapper(theParams, secret); // I'm not sure this is necessary; hopefully it won't hurt. VProgram_API.Assert(secret.secretValue != null); VProgram_API.AssumeValidSecret(secret.secretValue, theParams, GetReaders(theParams)); }
// TODO: In the real SVX API, currentPrincipal should be an ambient // variable of some kind (maybe not global if we want to run tests that // simulate multiple principals in the same process). public Secret Generate(TParams theParams, Entity currentPrincipal) { var readers = GetReaders(theParams); if (!VProgram_API.InVProgram) { if (!readers.Contains(currentPrincipal)) { throw new Exception("Misconfiguration: secret generated by a principal not on its reader list."); } } var secretValue = RawGenerateWrapper(theParams); VProgram_API.AssumeValidSecret(secretValue, theParams, readers); return(new Secret { secretValue = secretValue, knownReaders = readers }); }
// To prevent a secret value from being leaked by passing it to a // PayloadSecretGenerator for the wrong secret format, which thinks the // secret part is a public part and extracts it, these methods are // restricted to be called only via a MessageStructure on import. TBD // what to do if this doesn't end up meeting our needs. internal void ExtractUnverified(PayloadSecret <TMessage> secret) { secret.theParams = RawExtractUnverified(secret.secretValue); VProgram_API.Assert(secret.theParams != null); }