/// <summary>
/// Encode this Data for a particular wire format. If wireFormat is the default
/// wire format, also set the defaultWireEncoding field to the encoded result.
/// </summary>
///
/// <param name="wireFormat">A WireFormat object used to decode the input.</param>
/// <returns>The encoded buffer.</returns>
public SignedBlob wireEncode(WireFormat wireFormat)
{
if (!getDefaultWireEncoding().isNull() &&
getDefaultWireEncodingFormat() == wireFormat)
{
// We already have an encoding in the desired format.
return(getDefaultWireEncoding());
}
int[] signedPortionBeginOffset = new int[1];
int[] signedPortionEndOffset = new int[1];
Blob encoding = wireFormat.encodeData(this, signedPortionBeginOffset,
signedPortionEndOffset);
SignedBlob wireEncoding = new SignedBlob(encoding,
signedPortionBeginOffset[0], signedPortionEndOffset[0]);
if (wireFormat == net.named_data.jndn.encoding.WireFormat.getDefaultWireFormat())
{
// This is the default wire encoding.
setDefaultWireEncoding(wireEncoding,
net.named_data.jndn.encoding.WireFormat.getDefaultWireFormat());
}
return(wireEncoding);
}
/// <summary>
/// Check the type of signature and use the publicKeyDer to verify the
/// signedBlob using the appropriate signature algorithm.
/// </summary>
///
/// <param name="signature"></param>
/// <param name="signedBlob">the SignedBlob with the signed portion to verify.</param>
/// <param name="publicKeyDer"></param>
/// <returns>True if the signature is verified, false if failed.</returns>
/// <exception cref="System.Security.SecurityException">if the signature type is not recognized or ifpublicKeyDer can't be decoded.</exception>
protected static internal bool verifySignature(
net.named_data.jndn.Signature signature, SignedBlob signedBlob,
Blob publicKeyDer)
{
if (signature is Sha256WithRsaSignature ||
signature is Sha256WithEcdsaSignature)
{
if (publicKeyDer.isNull())
{
return(false);
}
return(net.named_data.jndn.security.VerificationHelpers.verifySignature(signedBlob.signedBuf(),
signature.getSignature(), new PublicKey(publicKeyDer),
net.named_data.jndn.security.DigestAlgorithm.SHA256));
}
else if (signature is DigestSha256Signature)
{
return(net.named_data.jndn.security.VerificationHelpers.verifyDigest(signedBlob.signedBuf(),
signature.getSignature(), net.named_data.jndn.security.DigestAlgorithm.SHA256));
}
else
{
// We don't expect this to happen.
throw new SecurityException(
"PolicyManager.verify: Signature type is unknown");
}
}
/// <summary>
/// Check the type of signature and use the publicKeyDer to verify the
/// signedBlob using the appropriate signature algorithm.
/// </summary>
///
/// <param name="signature"></param>
/// <param name="signedBlob">the SignedBlob with the signed portion to verify.</param>
/// <param name="publicKeyDer"></param>
/// <returns>True if the signature is verified, false if failed.</returns>
/// <exception cref="System.Security.SecurityException">if the signature type is not recognized or ifpublicKeyDer can't be decoded.</exception>
protected static internal bool verifySignature(
net.named_data.jndn.Signature signature, SignedBlob signedBlob,
Blob publicKeyDer)
{
if (signature is Sha256WithRsaSignature)
{
if (publicKeyDer.isNull())
{
return(false);
}
return(verifySha256WithRsaSignature(signature.getSignature(),
signedBlob, publicKeyDer));
}
else if (signature is Sha256WithEcdsaSignature)
{
if (publicKeyDer.isNull())
{
return(false);
}
return(verifySha256WithEcdsaSignature(signature.getSignature(),
signedBlob, publicKeyDer));
}
else if (signature is DigestSha256Signature)
{
return(verifyDigestSha256Signature(signature.getSignature(),
signedBlob));
}
else
{
// We don't expect this to happen.
throw new SecurityException(
"PolicyManager.verify: Signature type is unknown");
}
}
/// <summary>
/// Check the type of signatureInfo to get the KeyLocator. Look in the
/// IdentityStorage or PibImpl for the public key with the name in the KeyLocator (if
/// available) and use it to verify the signedBlob. If the public key can't be
/// found, return false. (This is a generalized method which can verify both a
/// Data packet and an interest.)
/// </summary>
///
/// <param name="signatureInfo"></param>
/// <param name="signedBlob">the SignedBlob with the signed portion to verify.</param>
/// <param name="failureReason"></param>
/// <returns>True if the signature is verified, false if failed.</returns>
private bool verify(Signature signatureInfo, SignedBlob signedBlob,
String[] failureReason)
{
Blob publicKeyDer = null;
if (net.named_data.jndn.KeyLocator.canGetFromSignature(signatureInfo))
{
publicKeyDer = getPublicKeyDer(
net.named_data.jndn.KeyLocator.getFromSignature(signatureInfo), failureReason);
if (publicKeyDer.isNull())
{
return(false);
}
}
if (net.named_data.jndn.security.policy.PolicyManager.verifySignature(signatureInfo, signedBlob, publicKeyDer))
{
return(true);
}
else
{
failureReason[0] = "The signature did not verify with the given public key";
return(false);
}
}
public void extractEntriesForNackInterest(
Interest interest, ArrayList <Entry> entries)
{
SignedBlob encoding = interest.wireEncode();
// Go backwards through the list so we can remove entries.
for (int i = table_.Count - 1; i >= 0; --i)
{
PendingInterestTable.Entry pendingInterest = table_[i];
if (pendingInterest.getOnNetworkNack() == null)
{
continue;
}
// wireEncode returns the encoding cached when the interest was sent (if
// it was the default wire encoding).
if (pendingInterest.getInterest().wireEncode().equals(encoding))
{
ILOG.J2CsMapping.Collections.Collections.Add(entries, table_[i]);
// We let the callback from callLater call _processInterestTimeout, but
// for efficiency, mark this as removed so that it returns right away.
ILOG.J2CsMapping.Collections.Collections.RemoveAt(table_, i);
pendingInterest.setIsRemoved();
}
}
}
/// <summary>
/// Verify the Data packet using the digest algorithm. This does not check the
/// digest algorithm against the type of SignatureInfo in the Data packet such
/// as DigestSha256Signature.
/// </summary>
///
/// <param name="data">The Data packet to verify.</param>
/// <param name="digestAlgorithm">The digest algorithm, such as DigestAlgorithm.SHA256.</param>
/// <param name="wireFormat">A WireFormat object used to encode the Data packet.</param>
/// <returns>True if verification succeeds, false if verification fails.</returns>
/// <exception cref="System.ArgumentException">for an invalid digestAlgorithm.</exception>
public static bool verifyDataDigest(Data data,
DigestAlgorithm digestAlgorithm, WireFormat wireFormat)
{
SignedBlob encoding = data.wireEncode(wireFormat);
return(verifyDigest(encoding.signedBuf(), data.getSignature()
.getSignature(), digestAlgorithm));
}
private void setDefaultWireEncoding(SignedBlob defaultWireEncoding,
WireFormat defaultWireEncodingFormat)
{
defaultWireEncoding_ = defaultWireEncoding;
defaultWireEncodingFormat_ = defaultWireEncodingFormat;
// Set getDefaultWireEncodingChangeCount_ so that the next call to
// getDefaultWireEncoding() won't clear defaultWireEncoding_.
getDefaultWireEncodingChangeCount_ = getChangeCount();
}
/// <summary>
/// Verify the DigestSha256 signature on the SignedBlob by verifying that the
/// digest of SignedBlob equals the signature.
/// </summary>
///
/// <param name="signature">The signature bits.</param>
/// <param name="signedBlob">the SignedBlob with the signed portion to verify.</param>
/// <returns>true if the signature verifies, false if not.</returns>
protected static internal bool verifyDigestSha256Signature(Blob signature,
SignedBlob signedBlob)
{
// Set signedPortionDigest to the digest of the signed portion of the signedBlob.
byte[] signedPortionDigest = net.named_data.jndn.util.Common
.digestSha256(signedBlob.signedBuf());
return(ILOG.J2CsMapping.Collections.Arrays.Equals(signedPortionDigest, signature.getImmutableArray()));
}
/// <summary>
/// Wire encode the data packet, compute an HmacWithSha256 and update the
/// signature value.
/// </summary>
///
/// @note This method is an experimental feature. The API may change.
/// <param name="data">The Data object to be signed. This updates its signature.</param>
/// <param name="key">The key for the HmacWithSha256.</param>
/// <param name="wireFormat">A WireFormat object used to encode the data packet.</param>
public static void signWithHmacWithSha256(Data data, Blob key,
WireFormat wireFormat)
{
// Encode once to get the signed portion.
SignedBlob encoding = data.wireEncode(wireFormat);
byte[] signatureBytes = net.named_data.jndn.util.Common.computeHmacWithSha256(
key.getImmutableArray(), encoding.signedBuf());
data.getSignature().setSignature(new Blob(signatureBytes, false));
}
/// <summary>
/// Compute a new HmacWithSha256 for the data packet and verify it against the
/// signature value.
/// </summary>
///
/// @note This method is an experimental feature. The API may change.
/// <param name="data">The Data packet to verify.</param>
/// <param name="key">The key for the HmacWithSha256.</param>
/// <param name="wireFormat">A WireFormat object used to encode the data packet.</param>
/// <returns>True if the signature verifies, otherwise false.</returns>
public static bool verifyDataWithHmacWithSha256(Data data, Blob key,
WireFormat wireFormat)
{
// wireEncode returns the cached encoding if available.
SignedBlob encoding = data.wireEncode(wireFormat);
byte[] newSignatureBytes = net.named_data.jndn.util.Common.computeHmacWithSha256(
key.getImmutableArray(), encoding.signedBuf());
return(ILOG.J2CsMapping.NIO.ByteBuffer.wrap(newSignatureBytes).equals(
data.getSignature().getSignature().buf()));
}
/// <summary>
/// Return a pointer to the defaultWireEncoding, which was encoded with
/// getDefaultWireEncodingFormat().
/// </summary>
///
/// <returns>The default wire encoding. Its pointer may be null.</returns>
public SignedBlob getDefaultWireEncoding()
{
if (getDefaultWireEncodingChangeCount_ != getChangeCount())
{
// The values have changed, so the default wire encoding is invalidated.
defaultWireEncoding_ = new SignedBlob();
defaultWireEncodingFormat_ = null;
getDefaultWireEncodingChangeCount_ = getChangeCount();
}
return(defaultWireEncoding_);
}
public Task <SignedBlob> UriForUpload(string Oid, long size, CancellationToken token)
{
var blob = new SignedBlob
{
Uri = MakePreAuthenticatedUrl(Oid, BlobSasPermissions.Write),
Expiry = _config.Expiry,
Headers = new Dictionary <string, string>
{
["Content-Type"] = BlobConstants.UploadMimeType,
["x-ms-blob-type"] = "BlockBlob"
}
};
return(Task.FromResult(blob));
}
/// <summary>
/// Verify the Interest packet using the digest algorithm, where the last two
/// name components are the SignatureInfo and signature bytes. This does not
/// check the digest algorithm against the type of SignatureInfo such as
/// DigestSha256Signature.
/// </summary>
///
/// <param name="interest">The Interest packet to verify.</param>
/// <param name="digestAlgorithm">The digest algorithm, such as DigestAlgorithm.SHA256.</param>
/// <param name="wireFormat">A WireFormat object used to decode the Interest packet.</param>
/// <returns>True if verification succeeds, false if verification fails or
/// cannot decode the Interest.</returns>
/// <exception cref="System.ArgumentException">for an invalid digestAlgorithm.</exception>
public static bool verifyInterestDigest(Interest interest,
DigestAlgorithm digestAlgorithm, WireFormat wireFormat)
{
Signature signature = extractSignature(interest, wireFormat);
if (signature == null)
{
return(false);
}
SignedBlob encoding = interest.wireEncode(wireFormat);
return(verifyDigest(encoding.signedBuf(), signature.getSignature(),
digestAlgorithm));
}
/// <summary>
/// Verify the ECDSA signature on the SignedBlob using the given public key.
/// </summary>
///
/// <param name="signature">The signature bits.</param>
/// <param name="signedBlob">the SignedBlob with the signed portion to verify.</param>
/// <param name="publicKeyDer">The DER-encoded public key used to verify the signature.</param>
/// <returns>true if the signature verifies, false if not.</returns>
protected static internal bool verifySha256WithEcdsaSignature(Blob signature,
SignedBlob signedBlob, Blob publicKeyDer)
{
KeyFactory keyFactory = null;
try {
keyFactory = System.KeyFactory.getInstance("EC");
} catch (Exception exception) {
// Don't expect this to happen.
throw new SecurityException("EC is not supported: "
+ exception.Message);
}
System.SecurityPublicKey publicKey = null;
try {
publicKey = keyFactory.generatePublic(new X509EncodedKeySpec(
publicKeyDer.getImmutableArray()));
} catch (InvalidKeySpecException exception_0) {
// Don't expect this to happen.
throw new SecurityException("X509EncodedKeySpec is not supported: "
+ exception_0.Message);
}
System.SecuritySignature ecSignature = null;
try {
ecSignature = System.SecuritySignature
.getInstance("SHA256withECDSA");
} catch (Exception e) {
// Don't expect this to happen.
throw new SecurityException(
"SHA256withECDSA algorithm is not supported");
}
try {
ecSignature.initVerify(publicKey);
} catch (InvalidKeyException exception_1) {
throw new SecurityException("InvalidKeyException: "
+ exception_1.Message);
}
try {
ecSignature.update(signedBlob.signedBuf());
return(ecSignature.verify(signature.getImmutableArray()));
} catch (SignatureException exception_2) {
throw new SecurityException("SignatureException: "
+ exception_2.Message);
}
}
/// <summary>
/// Check the type of signatureInfo to get the KeyLocator. Look in the
/// IdentityStorage for the public key with the name in the KeyLocator (if
/// available) and use it to verify the signedBlob. If the public key can't be
/// found, return false. (This is a generalized method which can verify both a
/// Data packet and an interest.)
/// </summary>
///
/// <param name="signatureInfo"></param>
/// <param name="signedBlob">the SignedBlob with the signed portion to verify.</param>
/// <returns>True if the signature is verified, false if failed.</returns>
private bool verify(net.named_data.jndn.Signature signatureInfo,
SignedBlob signedBlob)
{
Blob publicKeyDer = null;
if (net.named_data.jndn.KeyLocator.canGetFromSignature(signatureInfo))
{
publicKeyDer = getPublicKeyDer(net.named_data.jndn.KeyLocator
.getFromSignature(signatureInfo));
if (publicKeyDer.isNull())
{
return(false);
}
}
return(net.named_data.jndn.security.policy.PolicyManager.verifySignature(signatureInfo, signedBlob, publicKeyDer));
}
private static CertificateV2 makeSelfSignedCertificate(Name keyName,
Blob privateKeyBag, Blob publicKeyEncoding, ByteBuffer password,
DigestAlgorithm digestAlgorithm, WireFormat wireFormat)
{
CertificateV2 certificate = new CertificateV2();
// Set the name.
double now = net.named_data.jndn.util.Common.getNowMilliseconds();
Name certificateName = new Name(keyName);
certificateName.append("self").appendVersion((long)now);
certificate.setName(certificateName);
// Set the MetaInfo.
certificate.getMetaInfo().setType(net.named_data.jndn.ContentType.KEY);
// Set a one-hour freshness period.
certificate.getMetaInfo().setFreshnessPeriod(3600 * 1000.0d);
// Set the content.
PublicKey publicKey = null;
try {
publicKey = new PublicKey(publicKeyEncoding);
} catch (UnrecognizedKeyFormatException ex) {
// Promote to Pib.Error.
throw new Pib.Error("Error decoding public key " + ex);
}
certificate.setContent(publicKey.getKeyDer());
// Create a temporary in-memory Tpm and import the private key.
Tpm tpm = new Tpm("", "", new TpmBackEndMemory());
tpm.importPrivateKey_(keyName, privateKeyBag.buf(), password);
// Set the signature info.
if (publicKey.getKeyType() == net.named_data.jndn.security.KeyType.RSA)
{
certificate.setSignature(new Sha256WithRsaSignature());
}
else if (publicKey.getKeyType() == net.named_data.jndn.security.KeyType.EC)
{
certificate.setSignature(new Sha256WithEcdsaSignature());
}
else
{
throw new AssertionError("Unsupported key type");
}
Signature signatureInfo = certificate.getSignature();
net.named_data.jndn.KeyLocator.getFromSignature(signatureInfo).setType(
net.named_data.jndn.KeyLocatorType.KEYNAME);
net.named_data.jndn.KeyLocator.getFromSignature(signatureInfo).setKeyName(keyName);
// Set a 20-year validity period.
net.named_data.jndn.security.ValidityPeriod.getFromSignature(signatureInfo).setPeriod(now,
now + 20 * 365 * 24 * 3600 * 1000.0d);
// Encode once to get the signed portion.
SignedBlob encoding = certificate.wireEncode(wireFormat);
Blob signatureBytes = tpm.sign(encoding.signedBuf(), keyName,
digestAlgorithm);
signatureInfo.setSignature(signatureBytes);
// Encode again to include the signature.
certificate.wireEncode(wireFormat);
return(certificate);
}
