/// <summary>
/// Make a CK Data packet for ckName_ encrypted by the KEK in kekData_ and
/// insert it in the storage_.
/// </summary>
///
/// <param name="onError_0">error string.</param>
/// <returns>True on success, else false.</returns>
internal bool makeAndPublishCkData(net.named_data.jndn.encrypt.EncryptError.OnError onError_0)
{
try {
PublicKey kek = new PublicKey(kekData_.getContent());
EncryptedContent content = new EncryptedContent();
content.setPayload(kek.encrypt(ckBits_,
net.named_data.jndn.encrypt.algo.EncryptAlgorithmType.RsaOaep));
Data ckData = new Data(new Name(ckName_).append(
NAME_COMPONENT_ENCRYPTED_BY).append(kekData_.getName()));
ckData.setContent(content.wireEncodeV2());
// FreshnessPeriod can serve as a soft access control for revoking access.
ckData.getMetaInfo().setFreshnessPeriod(
DEFAULT_CK_FRESHNESS_PERIOD_MS);
keyChain_.sign(ckData, ckDataSigningInfo_);
storage_.insert(ckData);
logger_.log(ILOG.J2CsMapping.Util.Logging.Level.INFO, "Publishing CK data: {0}", ckData.getName());
return(true);
} catch (Exception ex) {
onError_0.onError(net.named_data.jndn.encrypt.EncryptError.ErrorCode.EncryptionFailure,
"Failed to encrypt generated CK with KEK "
+ kekData_.getName().toUri());
return(false);
}
}
/// <summary>
/// Authorize a member identified by memberCertificate to decrypt data under
/// the policy.
/// </summary>
///
/// <param name="memberCertificate"></param>
/// <returns>The published KDK Data packet.</returns>
public Data addMember(CertificateV2 memberCertificate)
{
Name kdkName = new Name(nacKey_.getIdentityName());
kdkName.append(net.named_data.jndn.encrypt.EncryptorV2.NAME_COMPONENT_KDK)
.append(nacKey_.getName().get(-1))
// key-id
.append(net.named_data.jndn.encrypt.EncryptorV2.NAME_COMPONENT_ENCRYPTED_BY)
.append(memberCertificate.getKeyName());
int secretLength = 32;
byte[] secret = new byte[secretLength];
net.named_data.jndn.util.Common.getRandom().nextBytes(secret);
// To be compatible with OpenSSL which uses a null-terminated string,
// replace each 0 with 1. And to be compatible with the Java security
// library which interprets the secret as a char array converted to UTF8,
// limit each byte to the ASCII range 1 to 127.
for (int i = 0; i < secretLength; ++i)
{
if (secret[i] == 0)
{
secret[i] = 1;
}
secret[i] &= 0x7f;
}
SafeBag kdkSafeBag = keyChain_.exportSafeBag(
nacKey_.getDefaultCertificate(), ILOG.J2CsMapping.NIO.ByteBuffer.wrap(secret));
PublicKey memberKey = new PublicKey(memberCertificate.getPublicKey());
EncryptedContent encryptedContent = new EncryptedContent();
encryptedContent.setPayload(kdkSafeBag.wireEncode());
encryptedContent.setPayloadKey(memberKey.encrypt(secret,
net.named_data.jndn.encrypt.algo.EncryptAlgorithmType.RsaOaep));
Data kdkData = new Data(kdkName);
kdkData.setContent(encryptedContent.wireEncodeV2());
// FreshnessPeriod can serve as a soft access control for revoking access.
kdkData.getMetaInfo().setFreshnessPeriod(
DEFAULT_KDK_FRESHNESS_PERIOD_MS);
keyChain_.sign(kdkData, new SigningInfo(identity_));
storage_.insert(kdkData);
return(kdkData);
}
