/// <summary>
/// Set this to type SignerType.ID according to the given PibIdentity.
/// This does not change the digest algorithm.
/// </summary>
///
/// <param name="identity">identity.getName().</param>
/// <returns>This SigningInfo.</returns>
public SigningInfo setPibIdentity(PibIdentity identity)
{
reset(net.named_data.jndn.security.SigningInfo.SignerType.ID);
if (identity != null)
{
name_ = identity.getName();
}
identity_ = identity;
return(this);
}
/// <summary>
/// Create an AccessManagerV2 to serve the NAC public key for other data
/// producers to fetch, and to serve encrypted versions of the private keys
/// (as safe bags) for authorized consumers to fetch.
/// KEK and KDK naming:
/// [identity]/NAC/[dataset]/KEK /[key-id] (== KEK, public key)
/// [identity]/NAC/[dataset]/KDK/[key-id] /ENCRYPTED-BY/[user]/KEY/[key-id] (== KDK, encrypted private key)
/// \_____________ ______________/
/// \/
/// registered with NFD
/// </summary>
///
/// <param name="identity"></param>
/// <param name="dataset">The name of dataset that this manager is controlling.</param>
/// <param name="keyChain">The KeyChain used to sign Data packets.</param>
/// <param name="face"></param>
public AccessManagerV2(PibIdentity identity, Name dataset,
KeyChain keyChain, Face face)
{
this.storage_ = new InMemoryStorageRetaining();
identity_ = identity;
keyChain_ = keyChain;
face_ = face;
// The NAC identity is: <identity>/NAC/<dataset>
// Generate the NAC key.
PibIdentity nacIdentity = keyChain_.createIdentityV2(
new Name(identity.getName()).append(
net.named_data.jndn.encrypt.EncryptorV2.NAME_COMPONENT_NAC).append(dataset),
new RsaKeyParams());
nacKey_ = nacIdentity.getDefaultKey();
if (nacKey_.getKeyType() != net.named_data.jndn.security.KeyType.RSA)
{
logger_.log(ILOG.J2CsMapping.Util.Logging.Level.INFO,
"Cannot re-use existing KEK/KDK pair, as it is not an RSA key, regenerating");
nacKey_ = keyChain_.createKey(nacIdentity, new RsaKeyParams());
}
Name.Component nacKeyId = nacKey_.getName().get(-1);
Name kekPrefix = new Name(nacKey_.getIdentityName())
.append(net.named_data.jndn.encrypt.EncryptorV2.NAME_COMPONENT_KEK);
Data kekData = new Data(nacKey_.getDefaultCertificate());
kekData.setName(new Name(kekPrefix).append(nacKeyId));
kekData.getMetaInfo().setFreshnessPeriod(
DEFAULT_KEK_FRESHNESS_PERIOD_MS);
keyChain_.sign(kekData, new SigningInfo(identity_));
// A KEK looks like a certificate, but doesn't have a ValidityPeriod.
storage_.insert(kekData);
OnInterestCallback serveFromStorage = new AccessManagerV2.Anonymous_C1(this);
OnRegisterFailed onRegisterFailed = new AccessManagerV2.Anonymous_C0();
kekRegisteredPrefixId_ = face_.registerPrefix(kekPrefix,
serveFromStorage, onRegisterFailed);
Name kdkPrefix = new Name(nacKey_.getIdentityName()).append(
net.named_data.jndn.encrypt.EncryptorV2.NAME_COMPONENT_KDK).append(nacKeyId);
kdkRegisteredPrefixId_ = face_.registerPrefix(kdkPrefix,
serveFromStorage, onRegisterFailed);
}
public void testBasic()
{
PibMemory pibImpl = new PibMemory();
// Start with an empty container.
PibIdentityContainer container = new PibIdentityContainer(pibImpl);
Assert.AssertEquals(0, container.size());
Assert.AssertEquals(0, container.getIdentities_().Count);
// Add the first identity.
PibIdentity identity11 = container.add(fixture.id1);
Assert.AssertTrue(fixture.id1.equals(identity11.getName()));
Assert.AssertEquals(1, container.size());
Assert.AssertEquals(1, container.getIdentities_().Count);
Assert.AssertTrue(container.getIdentities_().Contains(fixture.id1));
// Add the same identity again.
PibIdentity identity12 = container.add(fixture.id1);
Assert.AssertTrue(fixture.id1.equals(identity12.getName()));
Assert.AssertEquals(1, container.size());
Assert.AssertEquals(1, container.getIdentities_().Count);
Assert.AssertTrue(container.getIdentities_().Contains(fixture.id1));
// Add the second identity.
PibIdentity identity21 = container.add(fixture.id2);
Assert.AssertTrue(fixture.id2.equals(identity21.getName()));
Assert.AssertEquals(2, container.size());
Assert.AssertEquals(2, container.getIdentities_().Count);
Assert.AssertTrue(container.getIdentities_().Contains(fixture.id1));
Assert.AssertTrue(container.getIdentities_().Contains(fixture.id2));
// Get identities.
try {
container.get(fixture.id1);
} catch (Exception ex) {
Assert.Fail("Unexpected exception: " + ex.Message);
}
try {
container.get(fixture.id2);
} catch (Exception ex_0) {
Assert.Fail("Unexpected exception: " + ex_0.Message);
}
try {
container.get(new Name("/non-existing"));
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_1) {
} catch (Exception ex_2) {
Assert.Fail("Did not throw the expected exception");
}
// Check the identity.
PibIdentity identity1 = container.get(fixture.id1);
PibIdentity identity2 = container.get(fixture.id2);
Assert.AssertTrue(fixture.id1.equals(identity1.getName()));
Assert.AssertTrue(fixture.id2.equals(identity2.getName()));
// Create another container from the same PibImpl. The cache should be empty.
PibIdentityContainer container2 = new PibIdentityContainer(pibImpl);
Assert.AssertEquals(2, container2.size());
Assert.AssertEquals(0, container2.getIdentities_().Count);
// Get keys. The cache should be filled.
try {
container2.get(fixture.id1);
} catch (Exception ex_3) {
Assert.Fail("Unexpected exception: " + ex_3.Message);
}
Assert.AssertEquals(2, container2.size());
Assert.AssertEquals(1, container2.getIdentities_().Count);
try {
container2.get(fixture.id2);
} catch (Exception ex_4) {
Assert.Fail("Unexpected exception: " + ex_4.Message);
}
Assert.AssertEquals(2, container2.size());
Assert.AssertEquals(2, container2.getIdentities_().Count);
// Remove a key.
container2.remove(fixture.id1);
Assert.AssertEquals(1, container2.size());
Assert.AssertEquals(1, container2.getIdentities_().Count);
Assert.AssertTrue(!container2.getIdentities_().Contains(fixture.id1));
Assert.AssertTrue(container2.getIdentities_().Contains(fixture.id2));
// Remove another key.
container2.remove(fixture.id2);
Assert.AssertEquals(0, container2.size());
Assert.AssertEquals(0, container2.getIdentities_().Count);
Assert.AssertTrue(!container2.getIdentities_().Contains(fixture.id2));
}
public void testManagement()
{
Name identityName = new Name("/test/id");
Name identity2Name = new Name("/test/id2");
Assert.AssertEquals(0, fixture_.keyChain_.getPib().getIdentities_().size());
try {
fixture_.keyChain_.getPib().getDefaultIdentity();
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex) {
} catch (Exception ex_0) {
Assert.Fail("Did not throw the expected exception");
}
// Create an identity.
PibIdentity id = fixture_.keyChain_.createIdentityV2(identityName);
Assert.AssertTrue(id != null);
Assert.AssertTrue(fixture_.keyChain_.getPib().getIdentities_()
.getIdentities_().Contains(identityName));
// The first added identity becomes the default identity.
try {
fixture_.keyChain_.getPib().getDefaultIdentity();
} catch (Exception ex_1) {
Assert.Fail("Unexpected exception: " + ex_1.Message);
}
// The default key of the added identity must exist.
PibKey key = null;
try {
key = id.getDefaultKey();
} catch (Exception ex_2) {
Assert.Fail("Unexpected exception: " + ex_2.Message);
}
// The default certificate of the default key must exist.
try {
key.getDefaultCertificate();
} catch (Exception ex_3) {
Assert.Fail("Unexpected exception: " + ex_3.Message);
}
// Delete the key.
Name key1Name = key.getName();
try {
id.getKey(key1Name);
} catch (Exception ex_4) {
Assert.Fail("Unexpected exception: " + ex_4.Message);
}
Assert.AssertEquals(1, id.getKeys_().size());
fixture_.keyChain_.deleteKey(id, key);
/* TODO: Implement key validity.
* // The key instance should not be valid anymore.
* assertTrue(!key);
*/
try {
id.getKey(key1Name);
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_5) {
} catch (Exception ex_6) {
Assert.Fail("Did not throw the expected exception");
}
Assert.AssertEquals(0, id.getKeys_().size());
// Create another key.
fixture_.keyChain_.createKey(id);
// The added key becomes the default key.
try {
id.getDefaultKey();
} catch (Exception ex_7) {
Assert.Fail("Unexpected exception: " + ex_7.Message);
}
PibKey key2 = id.getDefaultKey();
Assert.AssertTrue(key2 != null);
Assert.AssertTrue(!key2.getName().equals(key1Name));
Assert.AssertEquals(1, id.getKeys_().size());
try {
key2.getDefaultCertificate();
} catch (Exception ex_8) {
Assert.Fail("Unexpected exception: " + ex_8.Message);
}
// Create a third key.
PibKey key3 = fixture_.keyChain_.createKey(id);
Assert.AssertTrue(!key3.getName().equals(key2.getName()));
// The added key will not be the default key, because the default key already exists.
Assert.AssertTrue(id.getDefaultKey().getName().equals(key2.getName()));
Assert.AssertEquals(2, id.getKeys_().size());
try {
key3.getDefaultCertificate();
} catch (Exception ex_9) {
Assert.Fail("Unexpected exception: " + ex_9.Message);
}
// Delete the certificate.
Assert.AssertEquals(1, key3.getCertificates_().size());
CertificateV2 key3Cert1 = (CertificateV2)ILOG.J2CsMapping.Collections.Collections.ToArray(key3.getCertificates_()
.getCertificates_().Values)[0];
Name key3CertName = key3Cert1.getName();
fixture_.keyChain_.deleteCertificate(key3, key3CertName);
Assert.AssertEquals(0, key3.getCertificates_().size());
try {
key3.getDefaultCertificate();
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_10) {
} catch (Exception ex_11) {
Assert.Fail("Did not throw the expected exception");
}
// Add a certificate.
fixture_.keyChain_.addCertificate(key3, key3Cert1);
Assert.AssertEquals(1, key3.getCertificates_().size());
try {
key3.getDefaultCertificate();
} catch (Exception ex_12) {
Assert.Fail("Unexpected exception: " + ex_12.Message);
}
// Overwriting the certificate should work.
fixture_.keyChain_.addCertificate(key3, key3Cert1);
Assert.AssertEquals(1, key3.getCertificates_().size());
// Add another certificate.
CertificateV2 key3Cert2 = new CertificateV2(key3Cert1);
Name key3Cert2Name = new Name(key3.getName());
key3Cert2Name.append("Self");
key3Cert2Name.appendVersion(1);
key3Cert2.setName(key3Cert2Name);
fixture_.keyChain_.addCertificate(key3, key3Cert2);
Assert.AssertEquals(2, key3.getCertificates_().size());
// Set the default certificate.
Assert.AssertTrue(key3.getDefaultCertificate().getName().equals(key3CertName));
fixture_.keyChain_.setDefaultCertificate(key3, key3Cert2);
Assert.AssertTrue(key3.getDefaultCertificate().getName().equals(key3Cert2Name));
// Set the default key.
Assert.AssertTrue(id.getDefaultKey().getName().equals(key2.getName()));
fixture_.keyChain_.setDefaultKey(id, key3);
Assert.AssertTrue(id.getDefaultKey().getName().equals(key3.getName()));
// Set the default identity.
PibIdentity id2 = fixture_.keyChain_.createIdentityV2(identity2Name);
Assert.AssertTrue(fixture_.keyChain_.getPib().getDefaultIdentity().getName()
.equals(id.getName()));
fixture_.keyChain_.setDefaultIdentity(id2);
Assert.AssertTrue(fixture_.keyChain_.getPib().getDefaultIdentity().getName()
.equals(id2.getName()));
// Delete an identity.
fixture_.keyChain_.deleteIdentity(id);
/* TODO: Implement identity validity.
* // The identity instance should not be valid any more.
* BOOST_CHECK(!id);
*/
try {
fixture_.keyChain_.getPib().getIdentity(identityName);
Assert.Fail("Did not throw the expected exception");
} catch (Pib.Error ex_13) {
} catch (Exception ex_14) {
Assert.Fail("Did not throw the expected exception");
}
Assert.AssertTrue(!fixture_.keyChain_.getPib().getIdentities_()
.getIdentities_().Contains(identityName));
}
internal Interest makeCommandInterest(PibIdentity identity)
{
return(signer_.makeCommandInterest(new Name(identity.getName())
.append("CMD"), new SigningInfo(identity)));
}
public void testInsert()
{
// Static
anchorContainer.insert("group1", certificate1);
Assert.AssertTrue(anchorContainer.find(certificate1.getName()) != null);
Assert.AssertTrue(anchorContainer.find(identity1.getName()) != null);
CertificateV2 certificate = anchorContainer
.find(certificate1.getName());
try {
// Re-inserting the same certificate should do nothing.
anchorContainer.insert("group1", certificate1);
} catch (Exception ex) {
Assert.Fail("Unexpected exception: " + ex.Message);
}
// It should still be the same instance of the certificate.
Assert.AssertTrue(certificate == anchorContainer.find(certificate1.getName()));
// Cannot add a dynamic group when the static already exists.
try {
anchorContainer.insert("group1",
certificatePath1.FullName, 400.0d);
Assert.Fail("Did not throw the expected exception");
} catch (TrustAnchorContainer.Error ex_0) {
} catch (Exception ex_1) {
Assert.Fail("Did not throw the expected exception");
}
Assert.AssertEquals(1, anchorContainer.getGroup("group1").size());
Assert.AssertEquals(1, anchorContainer.size());
// From file
anchorContainer.insert("group2", certificatePath2.FullName,
400.0d);
Assert.AssertTrue(anchorContainer.find(certificate2.getName()) != null);
Assert.AssertTrue(anchorContainer.find(identity2.getName()) != null);
try {
anchorContainer.insert("group2", certificate2);
Assert.Fail("Did not throw the expected exception");
} catch (TrustAnchorContainer.Error ex_2) {
} catch (Exception ex_3) {
Assert.Fail("Did not throw the expected exception");
}
try {
anchorContainer.insert("group2",
certificatePath2.FullName, 400.0d);
Assert.Fail("Did not throw the expected exception");
} catch (TrustAnchorContainer.Error ex_4) {
} catch (Exception ex_5) {
Assert.Fail("Did not throw the expected exception");
}
Assert.AssertEquals(1, anchorContainer.getGroup("group2").size());
Assert.AssertEquals(2, anchorContainer.size());
certificatePath2.delete();
// Wait for the refresh period to expire.
ILOG.J2CsMapping.Threading.ThreadWrapper.sleep(500);
Assert.AssertTrue(anchorContainer.find(identity2.getName()) == null);
Assert.AssertTrue(anchorContainer.find(certificate2.getName()) == null);
Assert.AssertEquals(0, anchorContainer.getGroup("group2").size());
Assert.AssertEquals(1, anchorContainer.size());
TrustAnchorGroup group = anchorContainer.getGroup("group1");
Assert.AssertTrue(group is StaticTrustAnchorGroup);
StaticTrustAnchorGroup staticGroup = (StaticTrustAnchorGroup)group;
Assert.AssertEquals(1, staticGroup.size());
staticGroup.remove(certificate1.getName());
Assert.AssertEquals(0, staticGroup.size());
Assert.AssertEquals(0, anchorContainer.size());
try {
anchorContainer.getGroup("non-existing-group");
Assert.Fail("Did not throw the expected exception");
} catch (TrustAnchorContainer.Error ex_6) {
} catch (Exception ex_7) {
Assert.Fail("Did not throw the expected exception");
}
}
