public void testPrepareUnsignedCertificate()
{
MemoryIdentityStorage identityStorage = new MemoryIdentityStorage();
MemoryPrivateKeyStorage privateKeyStorage = new MemoryPrivateKeyStorage();
IdentityManager identityManager = new IdentityManager(identityStorage,
privateKeyStorage);
Name keyName = new Name("/test/ksk-1457560485494");
identityStorage.addKey(keyName, net.named_data.jndn.security.KeyType.RSA,
new Blob(PUBLIC_KEY, false));
ArrayList subjectDescriptions = new ArrayList();
ILOG.J2CsMapping.Collections.Collections.Add(subjectDescriptions, new CertificateSubjectDescription(TEST_OID,
"TEST NAME"));
IdentityCertificate newCertificate = identityManager
.prepareUnsignedIdentityCertificate(keyName,
keyName.getPrefix(1), toyCertNotBefore,
toyCertNotAfter, subjectDescriptions);
// Update the generated certificate version to equal the one in toyCert.
newCertificate.setName(new Name(newCertificate.getName().getPrefix(-1)
.append(toyCert.getName().get(-1))));
// Make a copy to test encoding.
IdentityCertificate certificateCopy = new IdentityCertificate(
newCertificate);
Assert.AssertEquals(
"Prepared unsigned certificate dump does not have the expected format",
"" + toyCert, "" + certificateCopy);
}
public void testCertificateAddDelete()
{
Name identityName = new Name("/TestIdentityStorage/Identity")
.appendVersion((long)getNowSeconds());
identityManager.createIdentityAndCertificate(identityName,
net.named_data.jndn.security.KeyChain.getDefaultKeyParams());
Name keyName1 = identityManager
.getDefaultKeyNameForIdentity(identityName);
IdentityCertificate cert2 = identityManager.selfSign(keyName1);
identityStorage.addCertificate(cert2);
Name certName2 = cert2.getName();
Name certName1 = identityManager
.getDefaultCertificateNameForIdentity(identityName);
Assert.AssertFalse(
"New certificate was set as default without explicit request",
certName1.equals(certName2));
identityStorage.deleteCertificateInfo(certName1);
Assert.AssertTrue(identityStorage.doesCertificateExist(certName2));
Assert.AssertFalse(identityStorage.doesCertificateExist(certName1));
keyChain.deleteIdentity(identityName);
Assert.AssertFalse(identityStorage.doesCertificateExist(certName2));
}
/// <summary>
/// Add a new member with the given memberCertificate into a schedule named
/// scheduleName. If cert is an IdentityCertificate made from memberCertificate,
/// then the member's identity name is cert.getPublicKeyName().getPrefix(-1).
/// </summary>
///
/// <param name="scheduleName">The schedule name.</param>
/// <param name="memberCertificate">The member's certificate.</param>
/// <exception cref="GroupManagerDb.Error">If there's no schedule named scheduleName, ifthe member's identity name already exists, or other database error.</exception>
/// <exception cref="DerDecodingException">for error decoding memberCertificate as acertificate.</exception>
public void addMember(String scheduleName, Data memberCertificate)
{
IdentityCertificate cert = new IdentityCertificate(memberCertificate);
database_.addMember(scheduleName, cert.getPublicKeyName(), cert
.getPublicKeyInfo().getKeyDer());
}
public void testCreateDKeyData()
{
// Create the group manager.
GroupManager manager = new GroupManager(new Name("Alice"), new Name(
"data_type"), new Sqlite3GroupManagerDb(
dKeyDatabaseFilePath.FullName), 2048, 1, keyChain);
Blob newCertificateBlob = certificate.wireEncode();
IdentityCertificate newCertificate = new IdentityCertificate();
newCertificate.wireDecode(newCertificateBlob);
// Encrypt the D-KEY.
Data data = friendAccess.createDKeyData(manager, "20150825T000000",
"20150827T000000", new Name("/ndn/memberA/KEY"),
decryptKeyBlob, newCertificate.getPublicKeyInfo().getKeyDer());
// Verify the encrypted D-KEY.
Blob dataContent = data.getContent();
// Get the nonce key.
// dataContent is a sequence of the two EncryptedContent.
EncryptedContent encryptedNonce = new EncryptedContent();
encryptedNonce.wireDecode(dataContent);
Assert.AssertEquals(0, encryptedNonce.getInitialVector().size());
Assert.AssertEquals(net.named_data.jndn.encrypt.algo.EncryptAlgorithmType.RsaOaep,
encryptedNonce.getAlgorithmType());
Blob blobNonce = encryptedNonce.getPayload();
EncryptParams decryptParams = new EncryptParams(
net.named_data.jndn.encrypt.algo.EncryptAlgorithmType.RsaOaep);
Blob nonce = net.named_data.jndn.encrypt.algo.RsaAlgorithm.decrypt(decryptKeyBlob, blobNonce,
decryptParams);
// Get the D-KEY.
// Use the size of encryptedNonce to find the start of encryptedPayload.
ByteBuffer payloadContent = dataContent.buf().duplicate();
payloadContent.position(encryptedNonce.wireEncode().size());
EncryptedContent encryptedPayload = new EncryptedContent();
encryptedPayload.wireDecode(payloadContent);
Assert.AssertEquals(16, encryptedPayload.getInitialVector().size());
Assert.AssertEquals(net.named_data.jndn.encrypt.algo.EncryptAlgorithmType.AesCbc,
encryptedPayload.getAlgorithmType());
decryptParams.setAlgorithmType(net.named_data.jndn.encrypt.algo.EncryptAlgorithmType.AesCbc);
decryptParams.setInitialVector(encryptedPayload.getInitialVector());
Blob blobPayload = encryptedPayload.getPayload();
Blob largePayload = net.named_data.jndn.encrypt.algo.AesAlgorithm.decrypt(nonce, blobPayload,
decryptParams);
Assert.AssertTrue(largePayload.equals(decryptKeyBlob));
}
/// <summary>
/// Get the default certificate from the identity storage and return its name.
/// If there is no default identity or default certificate, then create one.
/// </summary>
///
/// <returns>The default certificate name.</returns>
private Name prepareDefaultCertificateName()
{
IdentityCertificate signingCertificate = identityManager_
.getDefaultCertificate();
if (signingCertificate == null)
{
setDefaultCertificate();
signingCertificate = identityManager_.getDefaultCertificate();
}
return(signingCertificate.getName());
}
/// <summary>
/// Add a certificate to the identity storage. Also call addKey to ensure that
/// the certificate key exists. If the certificate is already installed, don't
/// replace it.
/// </summary>
///
/// <param name="certificate"></param>
public sealed override void addCertificate(IdentityCertificate certificate)
{
Name certificateName = certificate.getName();
Name keyName = certificate.getPublicKeyName();
addKey(keyName, certificate.getPublicKeyInfo().getKeyType(),
certificate.getPublicKeyInfo().getKeyDer());
if (doesCertificateExist(certificateName))
{
return;
}
// Insert the certificate.
try {
PreparedStatement statement = database_
.prepareStatement("INSERT INTO Certificate (cert_name, cert_issuer, identity_name, key_identifier, not_before, not_after, certificate_data) "
+ "values (?, ?, ?, ?, datetime(?, 'unixepoch'), datetime(?, 'unixepoch'), ?)");
statement.setString(1, certificateName.toUri());
Name signerName = net.named_data.jndn.KeyLocator.getFromSignature(
certificate.getSignature()).getKeyName();
statement.setString(2, signerName.toUri());
String keyId = keyName.get(-1).toEscapedString();
Name identity = keyName.getPrefix(-1);
statement.setString(3, identity.toUri());
statement.setString(4, keyId);
// Convert from milliseconds to seconds since 1/1/1970.
statement.setLong(5,
(long)(Math.Floor(certificate.getNotBefore() / 1000.0d)));
statement.setLong(6,
(long)(Math.Floor(certificate.getNotAfter() / 1000.0d)));
// wireEncode returns the cached encoding if available.
statement.setBytes(7, certificate.wireEncode().getImmutableArray());
try {
statement.executeUpdate();
} finally {
statement.close();
}
} catch (SQLException exception) {
throw new SecurityException("BasicIdentityStorage: SQLite error: "
+ exception);
}
}
/// <summary>
/// Add a certificate to the identity storage. Also call addKey to ensure that
/// the certificate key exists. If the certificate is already installed, don't
/// replace it.
/// </summary>
///
/// <param name="certificate"></param>
public override void addCertificate(IdentityCertificate certificate)
{
Name certificateName = certificate.getName();
Name keyName = certificate.getPublicKeyName();
addKey(keyName, certificate.getPublicKeyInfo().getKeyType(),
certificate.getPublicKeyInfo().getKeyDer());
if (doesCertificateExist(certificateName))
{
return;
}
// Insert the certificate.
ILOG.J2CsMapping.Collections.Collections.Put(certificateStore_, certificateName.toUri(), certificate.wireEncode());
}
/// <summary>
/// Get a certificate from the identity storage.
/// </summary>
///
/// <param name="certificateName">The name of the requested certificate.</param>
/// <returns>The requested certificate.</returns>
/// <exception cref="System.Security.SecurityException">if the certificate doesn't exist.</exception>
public override IdentityCertificate getCertificate(Name certificateName)
{
Blob certificateDer = (Blob)ILOG.J2CsMapping.Collections.Collections.Get(certificateStore_, certificateName
.toUri());
if (certificateDer == null)
{
throw new SecurityException(
"MemoryIdentityStorage.getKey: The certificate does not exist");
}
IdentityCertificate certificate = new IdentityCertificate();
try {
certificate.wireDecode(certificateDer);
} catch (EncodingException ex) {
throw new SecurityException(
"MemoryIdentityStorage.getKey: The certificate cannot be decoded");
}
return(certificate);
}
/// <summary>
/// Fetch a certificate from the cache.
/// </summary>
///
/// <param name="certificateName"></param>
/// <returns>A new copy of the IdentityCertificate, or null if not found.</returns>
public IdentityCertificate getCertificate(Name certificateName)
{
Blob certData = (Blob)ILOG.J2CsMapping.Collections.Collections.Get(cache_, certificateName.toUri());
if (certData == null)
{
return(null);
}
IdentityCertificate cert = new IdentityCertificate();
try {
cert.wireDecode(certData.buf());
} catch (EncodingException ex) {
ILOG.J2CsMapping.Util.Logging.Logger.getLogger(typeof(CertificateCache).FullName).log(
ILOG.J2CsMapping.Util.Logging.Level.SEVERE, null, ex);
throw new Exception(ex.Message);
}
return(cert);
}
/// <summary>
/// Get a certificate from the identity storage.
/// </summary>
///
/// <param name="certificateName">The name of the requested certificate.</param>
/// <returns>The requested certificate.</returns>
/// <exception cref="System.Security.SecurityException">if the certificate doesn't exist.</exception>
public sealed override IdentityCertificate getCertificate(Name certificateName)
{
try {
PreparedStatement statement;
statement = database_.prepareStatement(net.named_data.jndn.security.identity.Sqlite3IdentityStorageBase.SELECT_getCertificate);
statement.setString(1, certificateName.toUri());
IdentityCertificate certificate = new IdentityCertificate();
try {
SqlDataReader result = statement.executeQuery();
if (result.NextResult())
{
try {
certificate.wireDecode(new Blob(result
.getBytes("certificate_data"), false));
} catch (EncodingException ex) {
throw new SecurityException(
"BasicIdentityStorage: Error decoding certificate data: "
+ ex);
}
}
else
{
throw new SecurityException(
"BasicIdentityStorage.getKey: The key certificate not exist");
}
} finally {
statement.close();
}
return(certificate);
} catch (SQLException exception) {
throw new SecurityException("BasicIdentityStorage: SQLite error: "
+ exception);
}
}
public void setUp()
{
// Don't show INFO log messages.
ILOG.J2CsMapping.Util.Logging.Logger.getLogger("").setLevel(ILOG.J2CsMapping.Util.Logging.Level.WARNING);
policyConfigDirectory_ = net.named_data.jndn.tests.integration_tests.IntegrationTestsCommon
.getPolicyConfigDirectory();
testCertFile_ = new FileInfo(System.IO.Path.Combine(new FileInfo(System.IO.Path.Combine(policyConfigDirectory_.FullName, "certs")).FullName, "test.cert"));
identityStorage_ = new MemoryIdentityStorage();
privateKeyStorage_ = new MemoryPrivateKeyStorage();
identityManager_ = new IdentityManager(identityStorage_,
privateKeyStorage_);
policyManager_ = new ConfigPolicyManager(new FileInfo(System.IO.Path.Combine(policyConfigDirectory_.FullName, "simple_rules.conf")).FullName);
identityName_ = new Name("/TestConfigPolicyManager/temp");
// To match the anchor cert.
Name keyName = new Name(identityName_).append("ksk-1416010123");
identityStorage_.addKey(keyName, net.named_data.jndn.security.KeyType.RSA, new Blob(
DEFAULT_RSA_PUBLIC_KEY_DER, false));
privateKeyStorage_.setKeyPairForKeyName(keyName, net.named_data.jndn.security.KeyType.RSA,
DEFAULT_RSA_PUBLIC_KEY_DER, DEFAULT_RSA_PRIVATE_KEY_DER);
IdentityCertificate cert = identityManager_.selfSign(keyName);
identityStorage_.setDefaultKeyNameForIdentity(keyName);
identityManager_.addCertificateAsDefault(cert);
face_ = new Face("localhost");
keyChain_ = new KeyChain(identityManager_, policyManager_);
keyName_ = keyName;
net.named_data.jndn.security.policy.ConfigPolicyManager.setFriendAccess(this);
}
public void testEcdsaIdentity()
{
if (!testEcdsa_)
{
return;
}
Name identityName = new Name("/TestSqlIdentityStorage/KeyType/ECDSA");
Name keyName = identityManager
.generateEcdsaKeyPairAsDefault(identityName);
IdentityCertificate cert = identityManager.selfSign(keyName);
identityManager.addCertificateAsIdentityDefault(cert);
// Check the self-signature.
VerifyCounter counter = new VerifyCounter();
keyChain.verifyData(cert, counter, counter);
Assert.AssertEquals("Verification callback was not used.", 1,
counter.onVerifiedCallCount_);
keyChain.deleteIdentity(identityName);
Assert.AssertFalse(identityStorage.doesKeyExist(keyName));
}
public void testRefresh10s()
{
StringBuilder encodedData = new StringBuilder();
TextReader dataFile = new FileReader(new FileInfo(System.IO.Path.Combine(policyConfigDirectory_.FullName, "testData")).FullName);
// Use "try/finally instead of "try-with-resources" or "using"
// which are not supported before Java 7.
try {
String line;
while ((line = dataFile.readLine()) != null)
{
encodedData.append(line);
}
} finally {
dataFile.close();
}
byte[] decodedData = net.named_data.jndn.util.Common.base64Decode(encodedData.toString());
Data data = new Data();
data.wireDecode(new Blob(decodedData, false));
// This test is needed, since the KeyChain will express interests in unknown
// certificates.
VerificationResult vr = doVerify(policyManager_, data);
Assert.AssertTrue(
"ConfigPolicyManager did not create ValidationRequest for unknown certificate",
vr.hasFurtherSteps_);
Assert.AssertEquals(
"ConfigPolicyManager called success callback with pending ValidationRequest",
0, vr.successCount_);
Assert.AssertEquals(
"ConfigPolicyManager called failure callback with pending ValidationRequest",
0, vr.failureCount_);
// Now save the cert data to our anchor directory, and wait.
// We have to sign it with the current identity or the policy manager will
// create an interest for the signing certificate.
IdentityCertificate cert = new IdentityCertificate();
byte[] certData = net.named_data.jndn.util.Common.base64Decode(CERT_DUMP);
cert.wireDecode(new Blob(certData, false));
keyChain_.signByIdentity(cert, identityName_);
Blob signedCertBlob = cert.wireEncode();
String encodedCert = net.named_data.jndn.util.Common.base64Encode(signedCertBlob
.getImmutableArray());
var certFile = (new StreamWriter(
testCertFile_.FullName));
try {
certFile.Write(encodedCert, 0, encodedCert.Substring(0, encodedCert.Length));
certFile.flush();
} finally {
certFile.close();
}
// Still too early for refresh to pick it up.
vr = doVerify(policyManager_, data);
Assert.AssertTrue("ConfigPolicyManager refresh occured sooner than specified",
vr.hasFurtherSteps_);
Assert.AssertEquals(
"ConfigPolicyManager called success callback with pending ValidationRequest",
0, vr.successCount_);
Assert.AssertEquals(
"ConfigPolicyManager called failure callback with pending ValidationRequest",
0, vr.failureCount_);
ILOG.J2CsMapping.Threading.ThreadWrapper.sleep(6000);
// Now we should find it.
vr = doVerify(policyManager_, data);
Assert.AssertFalse("ConfigPolicyManager did not refresh certificate store",
vr.hasFurtherSteps_);
Assert.AssertEquals("Verification success called " + vr.successCount_
+ " times instead of 1", 1, vr.successCount_);
Assert.AssertEquals("ConfigPolicyManager did not verify valid signed data", 0,
vr.failureCount_);
}
/// <summary> /// Add a certificate to the identity storage. Also call addKey to ensure that /// the certificate key exists. If the certificate is already installed, don't /// replace it. /// </summary> /// /// <param name="certificate"></param> public abstract void addCertificate(IdentityCertificate certificate);
public void testAutoCreateIdentity()
{
Name keyName1 = new Name(
"/TestSqlIdentityStorage/KeyType/RSA/ksk-12345");
Name identityName = keyName1.getPrefix(-1);
byte[] decodedKey = net.named_data.jndn.util.Common.base64Decode(RSA_DER);
identityStorage.addKey(keyName1, net.named_data.jndn.security.KeyType.RSA, new Blob(decodedKey,
false));
identityStorage.setDefaultKeyNameForIdentity(keyName1);
Assert.AssertTrue("Key was not added", identityStorage.doesKeyExist(keyName1));
Assert.AssertTrue("Identity for key was not automatically created",
identityStorage.doesIdentityExist(identityName));
Assert.AssertTrue("Default key was not set on identity creation",
identityManager.getDefaultKeyNameForIdentity(identityName)
.equals(keyName1));
try {
identityStorage.getDefaultCertificateNameForKey(keyName1);
Assert.Fail();
} catch (SecurityException ex) {
}
// We have no private key for signing.
try {
identityManager.selfSign(keyName1);
Assert.Fail();
} catch (SecurityException ex_0) {
}
try {
identityStorage.getDefaultCertificateNameForKey(keyName1);
Assert.Fail();
} catch (SecurityException ex_1) {
}
try {
identityManager.getDefaultCertificateNameForIdentity(identityName);
Assert.Fail();
} catch (SecurityException ex_2) {
}
Name keyName2 = identityManager
.generateRSAKeyPairAsDefault(identityName);
IdentityCertificate cert = identityManager.selfSign(keyName2);
identityManager.addCertificateAsIdentityDefault(cert);
Name certName1 = identityManager
.getDefaultCertificateNameForIdentity(identityName);
Name certName2 = identityStorage
.getDefaultCertificateNameForKey(keyName2);
Assert.AssertTrue(
"Key-certificate mapping and identity-certificate mapping are not consistent",
certName1.equals(certName2));
keyChain.deleteIdentity(identityName);
Assert.AssertFalse(identityStorage.doesKeyExist(keyName1));
}
public void testStress()
{
Name identityName = new Name("/TestSecPublicInfoSqlite3/Delete")
.appendVersion((long)getNowSeconds());
// ndn-cxx returns the cert name, but the IndentityManager docstring
// specifies a key.
Name certName1 = keyChain.createIdentityAndCertificate(identityName);
Name keyName1 = net.named_data.jndn.security.certificate.IdentityCertificate
.certificateNameToPublicKeyName(certName1);
Name keyName2 = keyChain.generateRSAKeyPairAsDefault(identityName);
IdentityCertificate cert2 = identityManager.selfSign(keyName2);
Name certName2 = cert2.getName();
identityManager.addCertificateAsDefault(cert2);
Name keyName3 = keyChain.generateRSAKeyPairAsDefault(identityName);
IdentityCertificate cert3 = identityManager.selfSign(keyName3);
Name certName3 = cert3.getName();
identityManager.addCertificateAsDefault(cert3);
IdentityCertificate cert4 = identityManager.selfSign(keyName3);
identityManager.addCertificateAsDefault(cert4);
Name certName4 = cert4.getName();
IdentityCertificate cert5 = identityManager.selfSign(keyName3);
identityManager.addCertificateAsDefault(cert5);
Name certName5 = cert5.getName();
Assert.AssertTrue(identityStorage.doesIdentityExist(identityName));
Assert.AssertTrue(identityStorage.doesKeyExist(keyName1));
Assert.AssertTrue(identityStorage.doesKeyExist(keyName2));
Assert.AssertTrue(identityStorage.doesKeyExist(keyName3));
Assert.AssertTrue(identityStorage.doesCertificateExist(certName1));
Assert.AssertTrue(identityStorage.doesCertificateExist(certName2));
Assert.AssertTrue(identityStorage.doesCertificateExist(certName3));
Assert.AssertTrue(identityStorage.doesCertificateExist(certName4));
Assert.AssertTrue(identityStorage.doesCertificateExist(certName5));
identityStorage.deleteCertificateInfo(certName5);
Assert.AssertFalse(identityStorage.doesCertificateExist(certName5));
Assert.AssertTrue(identityStorage.doesCertificateExist(certName4));
Assert.AssertTrue(identityStorage.doesCertificateExist(certName3));
Assert.AssertTrue(identityStorage.doesKeyExist(keyName2));
identityStorage.deletePublicKeyInfo(keyName3);
Assert.AssertFalse(identityStorage.doesCertificateExist(certName4));
Assert.AssertFalse(identityStorage.doesCertificateExist(certName3));
Assert.AssertFalse(identityStorage.doesKeyExist(keyName3));
Assert.AssertTrue(identityStorage.doesKeyExist(keyName2));
Assert.AssertTrue(identityStorage.doesKeyExist(keyName1));
Assert.AssertTrue(identityStorage.doesIdentityExist(identityName));
keyChain.deleteIdentity(identityName);
Assert.AssertFalse(identityStorage.doesCertificateExist(certName2));
Assert.AssertFalse(identityStorage.doesKeyExist(keyName2));
Assert.AssertFalse(identityStorage.doesCertificateExist(certName1));
Assert.AssertFalse(identityStorage.doesKeyExist(keyName1));
Assert.AssertFalse(identityStorage.doesIdentityExist(identityName));
}
/// <summary>
/// Install an identity certificate into the public key identity storage.
/// </summary>
///
/// <param name="certificate">The certificate to to added.</param>
public void installIdentityCertificate(IdentityCertificate certificate)
{
identityManager_.addCertificate(certificate);
}
/// <summary>
/// Set the certificate as the default for its corresponding key.
/// </summary>
///
/// <param name="certificate">The certificate.</param>
public void setDefaultCertificateForKey(
IdentityCertificate certificate)
{
identityManager_.setDefaultCertificateForKey(certificate);
}
/// <summary>
/// Insert the certificate into the cache. Assumes the timestamp is not yet
/// removed from the name.
/// </summary>
///
/// <param name="certificate">The certificate to copy and insert.</param>
public void insertCertificate(IdentityCertificate certificate)
{
Name certName = certificate.getName().getPrefix(-1);
ILOG.J2CsMapping.Collections.Collections.Put(cache_, certName.toUri(), certificate.wireEncode());
}
