public void testUnlimitedRecords()
{
fixture_ = new ValidationPolicyCommandInterestFixture(
new ValidationPolicyCommandInterest.Options(15 * 1000.0d, -1));
ArrayList <PibIdentity> identities = new ArrayList <PibIdentity>();
for (int i = 0; i < 20; ++i)
{
PibIdentity identity = fixture_.addSubCertificate(new Name(
"/Security/V2/ValidatorFixture/Sub" + i),
fixture_.identity_);
fixture_.cache_.insert(identity.getDefaultKey()
.getDefaultCertificate());
ILOG.J2CsMapping.Collections.Collections.Add(identities, identity);
}
// Signed at 0 seconds.
Interest interest1 = fixture_.makeCommandInterest(identities[0]);
fixture_.setNowOffsetMilliseconds(1 * 1000.0d);
for (int i_0 = 0; i_0 < 20; ++i_0)
{
// Signed at +1 seconds.
Interest interest2 = fixture_
.makeCommandInterest(identities[i_0]);
validateExpectSuccess(interest2, "Should succeed");
}
validateExpectFailure(interest1, "Should fail (timestamp reorder)");
}
/// <summary>
/// Add an identity for the identityName.
/// </summary>
///
/// <param name="identityName">The name of the identity.</param>
/// <param name="params"></param>
/// <returns>The created PibIdentity instance.</returns>
public PibIdentity addIdentity(Name identityName, KeyParams paras)
{
PibIdentity identity = keyChain_.createIdentityV2(identityName, paras);
ILOG.J2CsMapping.Collections.Collections.Add(identityNames_, identityName);
return(identity);
}
/// <summary>
/// Set this to type SignerType.ID according to the given PibIdentity.
/// This does not change the digest algorithm.
/// </summary>
///
/// <param name="identity">identity.getName().</param>
/// <returns>This SigningInfo.</returns>
public SigningInfo setPibIdentity(PibIdentity identity)
{
reset(net.named_data.jndn.security.SigningInfo.SignerType.ID);
if (identity != null)
{
name_ = identity.getName();
}
identity_ = identity;
return(this);
}
/// <summary>
/// Save the identity's certificate to a file.
/// </summary>
///
/// <param name="identity">The PibIdentity.</param>
/// <param name="filePath">The file path, which should be writable.</param>
/// <returns>True if successful.</returns>
public bool saveCertificate(PibIdentity identity, String filePath)
{
try {
CertificateV2 certificate = identity.getDefaultKey()
.getDefaultCertificate();
return(saveCertificateToFile(certificate, filePath));
} catch (Pib.Error ex) {
return(false);
}
}
public void testLimitedRecords()
{
fixture_ = new ValidationPolicyCommandInterestFixture(
new ValidationPolicyCommandInterest.Options(15 * 1000.0d, 3));
PibIdentity identity1 = fixture_.addSubCertificate(new Name(
"/Security/V2/ValidatorFixture/Sub1"), fixture_.identity_);
fixture_.cache_.insert(identity1.getDefaultKey()
.getDefaultCertificate());
PibIdentity identity2 = fixture_.addSubCertificate(new Name(
"/Security/V2/ValidatorFixture/Sub2"), fixture_.identity_);
fixture_.cache_.insert(identity2.getDefaultKey()
.getDefaultCertificate());
PibIdentity identity3 = fixture_.addSubCertificate(new Name(
"/Security/V2/ValidatorFixture/Sub3"), fixture_.identity_);
fixture_.cache_.insert(identity3.getDefaultKey()
.getDefaultCertificate());
PibIdentity identity4 = fixture_.addSubCertificate(new Name(
"/Security/V2/ValidatorFixture/Sub4"), fixture_.identity_);
fixture_.cache_.insert(identity4.getDefaultKey()
.getDefaultCertificate());
Interest interest1 = fixture_.makeCommandInterest(identity2);
Interest interest2 = fixture_.makeCommandInterest(identity3);
Interest interest3 = fixture_.makeCommandInterest(identity4);
// Signed at 0 seconds.
Interest interest00 = fixture_.makeCommandInterest(identity1);
// Signed at +1 seconds.
fixture_.setNowOffsetMilliseconds(1 * 1000.0d);
Interest interest01 = fixture_.makeCommandInterest(identity1);
// Signed at +2 seconds.
fixture_.setNowOffsetMilliseconds(2 * 1000.0d);
Interest interest02 = fixture_.makeCommandInterest(identity1);
validateExpectSuccess(interest00, "Should succeed");
validateExpectSuccess(interest02, "Should succeed");
validateExpectSuccess(interest1, "Should succeed");
validateExpectSuccess(interest2, "Should succeed");
validateExpectSuccess(interest3, "Should succeed, forgets identity1");
validateExpectSuccess(
interest01,
"Should succeed despite timestamp is reordered, because the record has been evicted");
}
public void testValidateInterest()
{
PibIdentity identity = fixture_.addIdentity(new Name(
"/TestValidator/Null"));
Interest interest = new Interest(new Name("/Some/Other/Interest/Name"));
fixture_.keyChain_.sign(interest, new SigningInfo(identity));
ValidatorNull validator = new ValidatorNull();
validator.validate(interest, new TestValidatorNull.Anonymous_C1(), new TestValidatorNull.Anonymous_C0());
}
public void testValidateData()
{
PibIdentity identity = fixture_.addIdentity(new Name(
"/TestValidator/Null"));
Data data = new Data(new Name("/Some/Other/Data/Name"));
fixture_.keyChain_.sign(data, new SigningInfo(identity));
ValidatorNull validator = new ValidatorNull();
validator.validate(data, new TestValidatorNull.Anonymous_C3(), new TestValidatorNull.Anonymous_C2());
}
public void onData(Interest ckInterest, Data ckData)
{
try {
contentKey.pendingInterest = 0;
// TODO: Verify that the key is legitimate.
Name[] kdkPrefix = new Name[1];
Name[] kdkIdentityName = new Name[1];
Name[] kdkKeyName = new Name[1];
if (!DecryptorV2.extractKdkInfoFromCkName(ckData.getName(),
ckInterest.getName(), onError,
kdkPrefix, kdkIdentityName, kdkKeyName))
{
// The error has already been reported.
return;
}
// Check if the KDK already exists.
PibIdentity kdkIdentity = null;
try {
kdkIdentity = outer_DecryptorV2.internalKeyChain_.getPib()
.getIdentity(kdkIdentityName[0]);
} catch (Pib.Error ex) {
}
if (kdkIdentity != null)
{
PibKey kdkKey = null;
try {
kdkKey = kdkIdentity
.getKey(kdkKeyName[0]);
} catch (Pib.Error ex_0) {
}
if (kdkKey != null)
{
// The KDK was already fetched and imported.
net.named_data.jndn.encrypt.DecryptorV2.logger_.log(
ILOG.J2CsMapping.Util.Logging.Level.INFO,
"KDK {0} already exists, so directly using it to decrypt the CK",
kdkKeyName);
outer_DecryptorV2.decryptCkAndProcessPendingDecrypts(
contentKey, ckData,
kdkKeyName[0], onError);
return;
}
}
outer_DecryptorV2.fetchKdk(contentKey, kdkPrefix[0], ckData,
onError, net.named_data.jndn.encrypt.EncryptorV2.N_RETRIES);
} catch (Exception ex_1) {
onError.onError(net.named_data.jndn.encrypt.EncryptError.ErrorCode.General,
"Error in fetchCk onData: " + ex_1);
}
}
/// <summary>
/// Create an AccessManagerV2 to serve the NAC public key for other data
/// producers to fetch, and to serve encrypted versions of the private keys
/// (as safe bags) for authorized consumers to fetch.
/// KEK and KDK naming:
/// [identity]/NAC/[dataset]/KEK /[key-id] (== KEK, public key)
/// [identity]/NAC/[dataset]/KDK/[key-id] /ENCRYPTED-BY/[user]/KEY/[key-id] (== KDK, encrypted private key)
/// \_____________ ______________/
/// \/
/// registered with NFD
/// </summary>
///
/// <param name="identity"></param>
/// <param name="dataset">The name of dataset that this manager is controlling.</param>
/// <param name="keyChain">The KeyChain used to sign Data packets.</param>
/// <param name="face"></param>
public AccessManagerV2(PibIdentity identity, Name dataset,
KeyChain keyChain, Face face)
{
this.storage_ = new InMemoryStorageRetaining();
identity_ = identity;
keyChain_ = keyChain;
face_ = face;
// The NAC identity is: <identity>/NAC/<dataset>
// Generate the NAC key.
PibIdentity nacIdentity = keyChain_.createIdentityV2(
new Name(identity.getName()).append(
net.named_data.jndn.encrypt.EncryptorV2.NAME_COMPONENT_NAC).append(dataset),
new RsaKeyParams());
nacKey_ = nacIdentity.getDefaultKey();
if (nacKey_.getKeyType() != net.named_data.jndn.security.KeyType.RSA)
{
logger_.log(ILOG.J2CsMapping.Util.Logging.Level.INFO,
"Cannot re-use existing KEK/KDK pair, as it is not an RSA key, regenerating");
nacKey_ = keyChain_.createKey(nacIdentity, new RsaKeyParams());
}
Name.Component nacKeyId = nacKey_.getName().get(-1);
Name kekPrefix = new Name(nacKey_.getIdentityName())
.append(net.named_data.jndn.encrypt.EncryptorV2.NAME_COMPONENT_KEK);
Data kekData = new Data(nacKey_.getDefaultCertificate());
kekData.setName(new Name(kekPrefix).append(nacKeyId));
kekData.getMetaInfo().setFreshnessPeriod(
DEFAULT_KEK_FRESHNESS_PERIOD_MS);
keyChain_.sign(kekData, new SigningInfo(identity_));
// A KEK looks like a certificate, but doesn't have a ValidityPeriod.
storage_.insert(kekData);
OnInterestCallback serveFromStorage = new AccessManagerV2.Anonymous_C1(this);
OnRegisterFailed onRegisterFailed = new AccessManagerV2.Anonymous_C0();
kekRegisteredPrefixId_ = face_.registerPrefix(kekPrefix,
serveFromStorage, onRegisterFailed);
Name kdkPrefix = new Name(nacKey_.getIdentityName()).append(
net.named_data.jndn.encrypt.EncryptorV2.NAME_COMPONENT_KDK).append(nacKeyId);
kdkRegisteredPrefixId_ = face_.registerPrefix(kdkPrefix,
serveFromStorage, onRegisterFailed);
}
public void testLoopedCertificateChain()
{
PibIdentity identity1 = fixture_.addIdentity(new Name("/loop"));
PibKey key1 = fixture_.keyChain_.createKey(identity1, new RsaKeyParams(
new Name.Component("key1")));
PibKey key2 = fixture_.keyChain_.createKey(identity1, new RsaKeyParams(
new Name.Component("key2")));
PibKey key3 = fixture_.keyChain_.createKey(identity1, new RsaKeyParams(
new Name.Component("key3")));
makeCertificate(key1, key2);
makeCertificate(key2, key3);
makeCertificate(key3, key1);
Data data = new Data(new Name("/loop/Data"));
fixture_.keyChain_.sign(data, new SigningInfo(key1));
validateExpectFailure(data,
"Should fail since the certificate chain loops");
Assert.AssertEquals(3, fixture_.face_.sentInterests_.Count);
}
public void setUp()
{
anchorContainer = new TrustAnchorContainer();
fixture = new IdentityManagementFixture();
// Create a directory and prepares two certificates.
certificateDirectoryPath = new FileInfo(System.IO.Path.Combine(net.named_data.jndn.tests.integration_tests.IntegrationTestsCommon.getPolicyConfigDirectory().FullName, "test-cert-dir"));
System.IO.Directory.CreateDirectory(certificateDirectoryPath.FullName);
certificatePath1 = new FileInfo(System.IO.Path.Combine(certificateDirectoryPath.FullName, "trust-anchor-1.cert"));
certificatePath2 = new FileInfo(System.IO.Path.Combine(certificateDirectoryPath.FullName, "trust-anchor-2.cert"));
identity1 = fixture.addIdentity(new Name("/TestAnchorContainer/First"));
certificate1 = identity1.getDefaultKey().getDefaultCertificate();
fixture.saveCertificateToFile(certificate1,
certificatePath1.FullName);
identity2 = fixture
.addIdentity(new Name("/TestAnchorContainer/Second"));
certificate2 = identity2.getDefaultKey().getDefaultCertificate();
fixture.saveCertificateToFile(certificate2,
certificatePath2.FullName);
}
/// <summary>
/// Issue a certificate for subIdentityName signed by issuer. If the identity
/// does not exist, it is created. A new key is generated as the default key
/// for the identity. A default certificate for the key is signed by the
/// issuer using its default certificate.
/// </summary>
///
/// <param name="subIdentityName">The name to issue the certificate for.</param>
/// <param name="issuer">The identity of the signer.</param>
/// <param name="params"></param>
/// <returns>The sub identity.</returns>
internal PibIdentity addSubCertificate(Name subIdentityName, PibIdentity issuer,
KeyParams paras)
{
PibIdentity subIdentity = addIdentity(subIdentityName, paras);
CertificateV2 request = subIdentity.getDefaultKey()
.getDefaultCertificate();
request.setName(request.getKeyName().append("parent").appendVersion(1));
SigningInfo certificateParams = new SigningInfo(issuer);
// Validity period of 20 years.
double now = net.named_data.jndn.util.Common.getNowMilliseconds();
certificateParams.setValidityPeriod(new ValidityPeriod(now, now + 20
* 365 * 24 * 3600 * 1000.0d));
// Skip the AdditionalDescription.
keyChain_.sign(request, certificateParams);
keyChain_.setDefaultCertificate(subIdentity.getDefaultKey(), request);
return(subIdentity);
}
/// <summary>
/// Create a SigningInfo of type SignerType.ID according to the given
/// PibIdentity. The digest algorithm is set to DigestAlgorithm.SHA256.
/// </summary>
///
/// <param name="identity">identity.getName().</param>
public SigningInfo(PibIdentity identity)
{
this.validityPeriod_ = new ValidityPeriod();
digestAlgorithm_ = net.named_data.jndn.security.DigestAlgorithm.SHA256;
setPibIdentity(identity);
}
public void testBasic()
{
PibMemory pibImpl = new PibMemory();
// Start with an empty container.
PibIdentityContainer container = new PibIdentityContainer(pibImpl);
Assert.AssertEquals(0, container.size());
Assert.AssertEquals(0, container.getIdentities_().Count);
// Add the first identity.
PibIdentity identity11 = container.add(fixture.id1);
Assert.AssertTrue(fixture.id1.equals(identity11.getName()));
Assert.AssertEquals(1, container.size());
Assert.AssertEquals(1, container.getIdentities_().Count);
Assert.AssertTrue(container.getIdentities_().Contains(fixture.id1));
// Add the same identity again.
PibIdentity identity12 = container.add(fixture.id1);
Assert.AssertTrue(fixture.id1.equals(identity12.getName()));
Assert.AssertEquals(1, container.size());
Assert.AssertEquals(1, container.getIdentities_().Count);
Assert.AssertTrue(container.getIdentities_().Contains(fixture.id1));
// Add the second identity.
PibIdentity identity21 = container.add(fixture.id2);
Assert.AssertTrue(fixture.id2.equals(identity21.getName()));
Assert.AssertEquals(2, container.size());
Assert.AssertEquals(2, container.getIdentities_().Count);
Assert.AssertTrue(container.getIdentities_().Contains(fixture.id1));
Assert.AssertTrue(container.getIdentities_().Contains(fixture.id2));
// Get identities.
try {
container.get(fixture.id1);
} catch (Exception ex) {
Assert.Fail("Unexpected exception: " + ex.Message);
}
try {
container.get(fixture.id2);
} catch (Exception ex_0) {
Assert.Fail("Unexpected exception: " + ex_0.Message);
}
try {
container.get(new Name("/non-existing"));
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_1) {
} catch (Exception ex_2) {
Assert.Fail("Did not throw the expected exception");
}
// Check the identity.
PibIdentity identity1 = container.get(fixture.id1);
PibIdentity identity2 = container.get(fixture.id2);
Assert.AssertTrue(fixture.id1.equals(identity1.getName()));
Assert.AssertTrue(fixture.id2.equals(identity2.getName()));
// Create another container from the same PibImpl. The cache should be empty.
PibIdentityContainer container2 = new PibIdentityContainer(pibImpl);
Assert.AssertEquals(2, container2.size());
Assert.AssertEquals(0, container2.getIdentities_().Count);
// Get keys. The cache should be filled.
try {
container2.get(fixture.id1);
} catch (Exception ex_3) {
Assert.Fail("Unexpected exception: " + ex_3.Message);
}
Assert.AssertEquals(2, container2.size());
Assert.AssertEquals(1, container2.getIdentities_().Count);
try {
container2.get(fixture.id2);
} catch (Exception ex_4) {
Assert.Fail("Unexpected exception: " + ex_4.Message);
}
Assert.AssertEquals(2, container2.size());
Assert.AssertEquals(2, container2.getIdentities_().Count);
// Remove a key.
container2.remove(fixture.id1);
Assert.AssertEquals(1, container2.size());
Assert.AssertEquals(1, container2.getIdentities_().Count);
Assert.AssertTrue(!container2.getIdentities_().Contains(fixture.id1));
Assert.AssertTrue(container2.getIdentities_().Contains(fixture.id2));
// Remove another key.
container2.remove(fixture.id2);
Assert.AssertEquals(0, container2.size());
Assert.AssertEquals(0, container2.getIdentities_().Count);
Assert.AssertTrue(!container2.getIdentities_().Contains(fixture.id2));
}
public void testManagement()
{
Name identityName = new Name("/test/id");
Name identity2Name = new Name("/test/id2");
Assert.AssertEquals(0, fixture_.keyChain_.getPib().getIdentities_().size());
try {
fixture_.keyChain_.getPib().getDefaultIdentity();
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex) {
} catch (Exception ex_0) {
Assert.Fail("Did not throw the expected exception");
}
// Create an identity.
PibIdentity id = fixture_.keyChain_.createIdentityV2(identityName);
Assert.AssertTrue(id != null);
Assert.AssertTrue(fixture_.keyChain_.getPib().getIdentities_()
.getIdentities_().Contains(identityName));
// The first added identity becomes the default identity.
try {
fixture_.keyChain_.getPib().getDefaultIdentity();
} catch (Exception ex_1) {
Assert.Fail("Unexpected exception: " + ex_1.Message);
}
// The default key of the added identity must exist.
PibKey key = null;
try {
key = id.getDefaultKey();
} catch (Exception ex_2) {
Assert.Fail("Unexpected exception: " + ex_2.Message);
}
// The default certificate of the default key must exist.
try {
key.getDefaultCertificate();
} catch (Exception ex_3) {
Assert.Fail("Unexpected exception: " + ex_3.Message);
}
// Delete the key.
Name key1Name = key.getName();
try {
id.getKey(key1Name);
} catch (Exception ex_4) {
Assert.Fail("Unexpected exception: " + ex_4.Message);
}
Assert.AssertEquals(1, id.getKeys_().size());
fixture_.keyChain_.deleteKey(id, key);
/* TODO: Implement key validity.
* // The key instance should not be valid anymore.
* assertTrue(!key);
*/
try {
id.getKey(key1Name);
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_5) {
} catch (Exception ex_6) {
Assert.Fail("Did not throw the expected exception");
}
Assert.AssertEquals(0, id.getKeys_().size());
// Create another key.
fixture_.keyChain_.createKey(id);
// The added key becomes the default key.
try {
id.getDefaultKey();
} catch (Exception ex_7) {
Assert.Fail("Unexpected exception: " + ex_7.Message);
}
PibKey key2 = id.getDefaultKey();
Assert.AssertTrue(key2 != null);
Assert.AssertTrue(!key2.getName().equals(key1Name));
Assert.AssertEquals(1, id.getKeys_().size());
try {
key2.getDefaultCertificate();
} catch (Exception ex_8) {
Assert.Fail("Unexpected exception: " + ex_8.Message);
}
// Create a third key.
PibKey key3 = fixture_.keyChain_.createKey(id);
Assert.AssertTrue(!key3.getName().equals(key2.getName()));
// The added key will not be the default key, because the default key already exists.
Assert.AssertTrue(id.getDefaultKey().getName().equals(key2.getName()));
Assert.AssertEquals(2, id.getKeys_().size());
try {
key3.getDefaultCertificate();
} catch (Exception ex_9) {
Assert.Fail("Unexpected exception: " + ex_9.Message);
}
// Delete the certificate.
Assert.AssertEquals(1, key3.getCertificates_().size());
CertificateV2 key3Cert1 = (CertificateV2)ILOG.J2CsMapping.Collections.Collections.ToArray(key3.getCertificates_()
.getCertificates_().Values)[0];
Name key3CertName = key3Cert1.getName();
fixture_.keyChain_.deleteCertificate(key3, key3CertName);
Assert.AssertEquals(0, key3.getCertificates_().size());
try {
key3.getDefaultCertificate();
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_10) {
} catch (Exception ex_11) {
Assert.Fail("Did not throw the expected exception");
}
// Add a certificate.
fixture_.keyChain_.addCertificate(key3, key3Cert1);
Assert.AssertEquals(1, key3.getCertificates_().size());
try {
key3.getDefaultCertificate();
} catch (Exception ex_12) {
Assert.Fail("Unexpected exception: " + ex_12.Message);
}
// Overwriting the certificate should work.
fixture_.keyChain_.addCertificate(key3, key3Cert1);
Assert.AssertEquals(1, key3.getCertificates_().size());
// Add another certificate.
CertificateV2 key3Cert2 = new CertificateV2(key3Cert1);
Name key3Cert2Name = new Name(key3.getName());
key3Cert2Name.append("Self");
key3Cert2Name.appendVersion(1);
key3Cert2.setName(key3Cert2Name);
fixture_.keyChain_.addCertificate(key3, key3Cert2);
Assert.AssertEquals(2, key3.getCertificates_().size());
// Set the default certificate.
Assert.AssertTrue(key3.getDefaultCertificate().getName().equals(key3CertName));
fixture_.keyChain_.setDefaultCertificate(key3, key3Cert2);
Assert.AssertTrue(key3.getDefaultCertificate().getName().equals(key3Cert2Name));
// Set the default key.
Assert.AssertTrue(id.getDefaultKey().getName().equals(key2.getName()));
fixture_.keyChain_.setDefaultKey(id, key3);
Assert.AssertTrue(id.getDefaultKey().getName().equals(key3.getName()));
// Set the default identity.
PibIdentity id2 = fixture_.keyChain_.createIdentityV2(identity2Name);
Assert.AssertTrue(fixture_.keyChain_.getPib().getDefaultIdentity().getName()
.equals(id.getName()));
fixture_.keyChain_.setDefaultIdentity(id2);
Assert.AssertTrue(fixture_.keyChain_.getPib().getDefaultIdentity().getName()
.equals(id2.getName()));
// Delete an identity.
fixture_.keyChain_.deleteIdentity(id);
/* TODO: Implement identity validity.
* // The identity instance should not be valid any more.
* BOOST_CHECK(!id);
*/
try {
fixture_.keyChain_.getPib().getIdentity(identityName);
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_13) {
} catch (Exception ex_14) {
Assert.Fail("Did not throw the expected exception");
}
Assert.AssertTrue(!fixture_.keyChain_.getPib().getIdentities_()
.getIdentities_().Contains(identityName));
}
internal Interest makeCommandInterest(PibIdentity identity)
{
return(signer_.makeCommandInterest(new Name(identity.getName())
.append("CMD"), new SigningInfo(identity)));
}
/// <summary>
/// Issue a certificate for subIdentityName signed by issuer. If the identity
/// does not exist, it is created. A new key is generated as the default key
/// for the identity. A default certificate for the key is signed by the
/// issuer using its default certificate.
/// Use KeyChain.getDefaultKeyParams().
/// </summary>
///
/// <param name="subIdentityName">The name to issue the certificate for.</param>
/// <param name="issuer">The identity of the signer.</param>
/// <returns>The sub identity.</returns>
internal PibIdentity addSubCertificate(Name subIdentityName, PibIdentity issuer)
{
return(addSubCertificate(subIdentityName, issuer,
net.named_data.jndn.security.KeyChain.getDefaultKeyParams()));
}
