private double notBefore_; // MillisecondsSince1970
#endregion Fields
#region Constructors
/// <summary>
/// The default constructor.
/// </summary>
///
public Certificate()
{
this.subjectDescriptionList_ = new ArrayList();
this.extensionList_ = new ArrayList();
this.notBefore_ = System.Double.MaxValue;
this.notAfter_ = -System.Double.MaxValue;
this.key_ = new PublicKey();
}
/// <summary>
/// Populate the fields by the decoding DER data from the Content.
/// </summary>
///
private void decode()
{
DerNode parsedNode = net.named_data.jndn.encoding.der.DerNode.parse(getContent().buf());
// We need to ensure that there are:
// validity (notBefore, notAfter)
// subject list
// public key
// (optional) extension list
IList rootChildren = parsedNode.getChildren();
// 1st: validity info
IList validityChildren = net.named_data.jndn.encoding.der.DerNode.getSequence(rootChildren, 0)
.getChildren();
notBefore_ = ((Double)((net.named_data.jndn.encoding.der.DerNode.DerGeneralizedTime )validityChildren[0]).toVal());
notAfter_ = ((Double)((net.named_data.jndn.encoding.der.DerNode.DerGeneralizedTime )validityChildren[1]).toVal());
// 2nd: subjectList
IList subjectChildren = net.named_data.jndn.encoding.der.DerNode.getSequence(rootChildren, 1)
.getChildren();
for (int i = 0; i < subjectChildren.Count; ++i) {
net.named_data.jndn.encoding.der.DerNode.DerSequence sd = net.named_data.jndn.encoding.der.DerNode.getSequence(subjectChildren, i);
IList descriptionChildren = sd.getChildren();
String oidStr = (String) ((DerNode) descriptionChildren[0])
.toVal();
String value_ren = ""
+ ((Blob) ((DerNode) descriptionChildren[1]).toVal());
addSubjectDescription(new CertificateSubjectDescription(oidStr,
value_ren));
}
// 3rd: public key
Blob publicKeyInfo = ((DerNode) rootChildren[2]).encode();
try {
key_ = new PublicKey(publicKeyInfo);
} catch (UnrecognizedKeyFormatException ex) {
throw new DerDecodingException(ex.Message);
}
if (rootChildren.Count > 3) {
IList extensionChildren = net.named_data.jndn.encoding.der.DerNode.getSequence(rootChildren, 3)
.getChildren();
for (int i_0 = 0; i_0 < extensionChildren.Count; ++i_0) {
net.named_data.jndn.encoding.der.DerNode.DerSequence extInfo = net.named_data.jndn.encoding.der.DerNode.getSequence(extensionChildren, i_0);
IList children = extInfo.getChildren();
String oidStr_1 = (String) ((DerNode) children[0]).toVal();
bool isCritical = (bool)(((Boolean)((net.named_data.jndn.encoding.der.DerNode.DerBoolean )children[1]).toVal()));
Blob value_2 = (Blob) ((DerNode) children[2]).toVal();
addExtension(new CertificateExtension(oidStr_1, isCritical, value_2));
}
}
}
/// <summary>
/// Generate a self-signed certificate for a public key.
/// </summary>
///
/// <param name="keyName">The name of the public key.</param>
/// <returns>The generated certificate.</returns>
public IdentityCertificate selfSign(Name keyName)
{
IdentityCertificate certificate = new IdentityCertificate();
Blob keyBlob = identityStorage_.getKey(keyName);
PublicKey publicKey = new PublicKey(keyBlob);
Calendar calendar = ILOG.J2CsMapping.Util.Calendar.getInstance();
double notBefore = (double) calendar.getTimeInMillis();
calendar.add(ILOG.J2CsMapping.Util.Calendar.YEAR, 2);
double notAfter = (double) calendar.getTimeInMillis();
certificate.setNotBefore(notBefore);
certificate.setNotAfter(notAfter);
Name certificateName = keyName.getPrefix(-1).append("KEY")
.append(keyName.get(-1)).append("ID-CERT")
.appendVersion((long) certificate.getNotBefore());
certificate.setName(certificateName);
certificate.setPublicKeyInfo(publicKey);
certificate.addSubjectDescription(new CertificateSubjectDescription(
"2.5.4.41", keyName.toUri()));
try {
certificate.encode();
} catch (DerEncodingException ex) {
// We don't expect this to happen.
ILOG.J2CsMapping.Util.Logging.Logger.getLogger(typeof(IdentityManager).FullName).log(ILOG.J2CsMapping.Util.Logging.Level.SEVERE,
null, ex);
return null;
} catch (DerDecodingException ex_0) {
// We don't expect this to happen.
ILOG.J2CsMapping.Util.Logging.Logger.getLogger(typeof(IdentityManager).FullName).log(ILOG.J2CsMapping.Util.Logging.Level.SEVERE,
null, ex_0);
return null;
}
signByCertificate(certificate, certificate.getName());
return certificate;
}
public void setPublicKeyInfo(PublicKey key)
{
key_ = key;
}
/// <summary>
/// Prepare an unsigned identity certificate.
/// </summary>
///
/// <param name="keyName">The key name, e.g., `/{identity_name}/ksk-123456`.</param>
/// <param name="publicKey">The public key to sign.</param>
/// <param name="signingIdentity">The signing identity.</param>
/// <param name="notBefore">See IdentityCertificate.</param>
/// <param name="notAfter">See IdentityCertificate.</param>
/// <param name="subjectDescription">on the keyName.</param>
/// <param name="certPrefix">signingIdentity and the subject identity. If the signingIdentity is a prefix of the subject identity, `KEY` will be inserted after the signingIdentity, otherwise `KEY` is inserted after subject identity (i.e., before `ksk-...`).</param>
/// <returns>The unsigned IdentityCertificate, or null if the inputs are invalid.</returns>
public IdentityCertificate prepareUnsignedIdentityCertificate(
Name keyName, PublicKey publicKey, Name signingIdentity,
double notBefore, double notAfter, IList subjectDescription,
Name certPrefix)
{
if (keyName.size() < 1)
return null;
String tempKeyIdPrefix = keyName.get(-1).toEscapedString();
if (tempKeyIdPrefix.Length < 4)
return null;
String keyIdPrefix = tempKeyIdPrefix.Substring(0,(4)-(0));
if (!keyIdPrefix.equals("ksk-") && !keyIdPrefix.equals("dsk-"))
return null;
IdentityCertificate certificate = new IdentityCertificate();
Name certName = new Name();
if (certPrefix == null) {
// No certificate prefix hint, so infer the prefix.
if (signingIdentity.match(keyName))
certName.append(signingIdentity).append("KEY")
.append(keyName.getSubName(signingIdentity.size()))
.append("ID-CERT")
.appendVersion((long) net.named_data.jndn.util.Common.getNowMilliseconds());
else
certName.append(keyName.getPrefix(-1)).append("KEY")
.append(keyName.get(-1)).append("ID-CERT")
.appendVersion((long) net.named_data.jndn.util.Common.getNowMilliseconds());
} else {
// A cert prefix hint is supplied, so determine the cert name.
if (certPrefix.match(keyName) && !certPrefix.equals(keyName))
certName.append(certPrefix).append("KEY")
.append(keyName.getSubName(certPrefix.size()))
.append("ID-CERT")
.appendVersion((long) net.named_data.jndn.util.Common.getNowMilliseconds());
else
return null;
}
certificate.setName(certName);
certificate.setNotBefore(notBefore);
certificate.setNotAfter(notAfter);
certificate.setPublicKeyInfo(publicKey);
if (subjectDescription == null || (subjectDescription.Count==0))
certificate
.addSubjectDescription(new CertificateSubjectDescription(
"2.5.4.41", keyName.getPrefix(-1).toUri()));
else {
for (int i = 0; i < subjectDescription.Count; ++i)
certificate
.addSubjectDescription((CertificateSubjectDescription) subjectDescription[i]);
}
try {
certificate.encode();
} catch (DerEncodingException ex) {
throw new SecurityException("DerEncodingException: " + ex);
} catch (DerDecodingException ex_0) {
throw new SecurityException("DerDecodingException: " + ex_0);
}
return certificate;
}
/// <summary>
/// Prepare an unsigned identity certificate. This infers the certificate name
/// according to the relation between the signingIdentity and the subject
/// identity. If the signingIdentity is a prefix of the subject identity, `KEY`
/// will be inserted after the signingIdentity, otherwise `KEY` is inserted
/// after subject identity (i.e., before `ksk-...`).
/// </summary>
///
/// <param name="keyName">The key name, e.g., `/{identity_name}/ksk-123456`.</param>
/// <param name="publicKey">The public key to sign.</param>
/// <param name="signingIdentity">The signing identity.</param>
/// <param name="notBefore">See IdentityCertificate.</param>
/// <param name="notAfter">See IdentityCertificate.</param>
/// <param name="subjectDescription">on the keyName.</param>
/// <returns>The unsigned IdentityCertificate, or null if the inputs are invalid.</returns>
public IdentityCertificate prepareUnsignedIdentityCertificate(
Name keyName, PublicKey publicKey, Name signingIdentity,
double notBefore, double notAfter, IList subjectDescription)
{
return prepareUnsignedIdentityCertificate(keyName, publicKey,
signingIdentity, notBefore, notAfter, subjectDescription, null);
}
/// <summary>
/// Use the keyName to get the public key from the identity storage and
/// prepare an unsigned identity certificate.
/// </summary>
///
/// <param name="keyName">The key name, e.g., `/{identity_name}/ksk-123456`.</param>
/// <param name="signingIdentity">The signing identity.</param>
/// <param name="notBefore">See IdentityCertificate.</param>
/// <param name="notAfter">See IdentityCertificate.</param>
/// <param name="subjectDescription">on the keyName.</param>
/// <param name="certPrefix">signingIdentity and the subject identity. If the signingIdentity is a prefix of the subject identity, `KEY` will be inserted after the signingIdentity, otherwise `KEY` is inserted after subject identity (i.e., before `ksk-...`).</param>
/// <returns>The unsigned IdentityCertificate, or null the public is not in the
/// identity storage or if the inputs are invalid.</returns>
public IdentityCertificate prepareUnsignedIdentityCertificate(
Name keyName, Name signingIdentity, double notBefore,
double notAfter, IList subjectDescription, Name certPrefix)
{
PublicKey publicKey;
try {
publicKey = new PublicKey(identityStorage_.getKey(keyName));
} catch (SecurityException e) {
return null;
}
return prepareUnsignedIdentityCertificate(keyName, publicKey,
signingIdentity, notBefore, notAfter, subjectDescription,
certPrefix);
}
/// <summary>
/// Create an identity certificate for a public key supplied by the caller.
/// </summary>
///
/// <param name="certificatePrefix">The name of public key to be signed.</param>
/// <param name="publicKey">The public key to be signed.</param>
/// <param name="signerCertificateName">The name of signing certificate.</param>
/// <param name="notBefore">The notBefore value in the validity field of the generated certificate.</param>
/// <param name="notAfter">The notAfter vallue in validity field of the generated certificate.</param>
/// <returns>The generated identity certificate.</returns>
public IdentityCertificate createIdentityCertificate(
Name certificatePrefix, PublicKey publicKey,
Name signerCertificateName, double notBefore, double notAfter)
{
IdentityCertificate certificate = new IdentityCertificate();
Name keyName = getKeyNameFromCertificatePrefix(certificatePrefix);
Name certificateName = new Name(certificatePrefix);
certificateName.append("ID-CERT").appendVersion(
(long) net.named_data.jndn.util.Common.getNowMilliseconds());
certificate.setName(certificateName);
certificate.setNotBefore(notBefore);
certificate.setNotAfter(notAfter);
certificate.setPublicKeyInfo(publicKey);
certificate.addSubjectDescription(new CertificateSubjectDescription(
"2.5.4.41", keyName.toUri()));
try {
certificate.encode();
} catch (DerEncodingException ex) {
throw new SecurityException("DerDecodingException: " + ex);
} catch (DerDecodingException ex_0) {
throw new SecurityException("DerEncodingException: " + ex_0);
}
Sha256WithRsaSignature sha256Sig = new Sha256WithRsaSignature();
KeyLocator keyLocator = new KeyLocator();
keyLocator.setType(net.named_data.jndn.KeyLocatorType.KEYNAME);
keyLocator.setKeyName(signerCertificateName);
sha256Sig.setKeyLocator(keyLocator);
certificate.setSignature(sha256Sig);
SignedBlob unsignedData = certificate.wireEncode();
IdentityCertificate signerCertificate;
try {
signerCertificate = getCertificate(signerCertificateName);
} catch (DerDecodingException ex_1) {
throw new SecurityException("DerDecodingException: " + ex_1);
}
Name signerkeyName = signerCertificate.getPublicKeyName();
Blob sigBits = privateKeyStorage_.sign(unsignedData.signedBuf(),
signerkeyName);
sha256Sig.setSignature(sigBits);
return certificate;
}
/// <summary>
/// Create an identity certificate for a public key managed by this IdentityManager.
/// </summary>
///
/// <param name="certificatePrefix">The name of public key to be signed.</param>
/// <param name="signerCertificateName">The name of signing certificate.</param>
/// <param name="notBefore"></param>
/// <param name="notAfter"></param>
/// <returns>The name of generated identity certificate.</returns>
public Name createIdentityCertificate(Name certificatePrefix,
Name signerCertificateName, double notBefore, double notAfter)
{
Name keyName = getKeyNameFromCertificatePrefix(certificatePrefix);
Blob keyBlob = identityStorage_.getKey(keyName);
PublicKey publicKey = new PublicKey(keyBlob);
IdentityCertificate certificate = createIdentityCertificate(
certificatePrefix, publicKey, signerCertificateName, notBefore,
notAfter);
identityStorage_.addCertificate(certificate);
return certificate.getName();
}
/// <summary>
/// Create an identity by creating a pair of Key-Signing-Key (KSK) for this
/// identity and a self-signed certificate of the KSK. If a key pair or
/// certificate for the identity already exists, use it.
/// </summary>
///
/// <param name="identityName">The name of the identity.</param>
/// <param name="params">The key parameters if a key needs to be generated for the identity.</param>
/// <returns>The name of the default certificate of the identity.</returns>
/// <exception cref="System.Security.SecurityException">if the identity has already been created.</exception>
public Name createIdentityAndCertificate(Name identityName,
KeyParams paras)
{
identityStorage_.addIdentity(identityName);
Name keyName = null;
bool generateKey = true;
try {
keyName = identityStorage_
.getDefaultKeyNameForIdentity(identityName);
PublicKey key = new PublicKey(identityStorage_.getKey(keyName));
if (key.getKeyType() == paras.getKeyType())
// The key exists and has the same type, so don't need to generate one.
generateKey = false;
} catch (SecurityException ex) {
}
if (generateKey) {
keyName = generateKeyPair(identityName, true, paras);
identityStorage_.setDefaultKeyNameForIdentity(keyName);
}
Name certName = null;
bool makeCert = true;
try {
certName = identityStorage_
.getDefaultCertificateNameForKey(keyName);
// The cert exists, so don't need to make it.
makeCert = false;
} catch (SecurityException ex_0) {
}
if (makeCert) {
IdentityCertificate selfCert = selfSign(keyName);
addCertificateAsIdentityDefault(selfCert);
certName = selfCert.getName();
}
return certName;
}
public void setUp()
{
// Don't show INFO log messages.
ILOG.J2CsMapping.Util.Logging.Logger.getLogger("").setLevel(ILOG.J2CsMapping.Util.Logging.Level.WARNING);
FileInfo policyConfigDirectory = net.named_data.jndn.tests.integration_tests.IntegrationTestsCommon
.getPolicyConfigDirectory();
dKeyDatabaseFilePath = new FileInfo(System.IO.Path.Combine(policyConfigDirectory.FullName,"manager-d-key-test.db"));
dKeyDatabaseFilePath.delete();
eKeyDatabaseFilePath = new FileInfo(System.IO.Path.Combine(policyConfigDirectory.FullName,"manager-e-key-test.db"));
eKeyDatabaseFilePath.delete();
intervalDatabaseFilePath = new FileInfo(System.IO.Path.Combine(policyConfigDirectory.FullName,"manager-interval-test.db"));
intervalDatabaseFilePath.delete();
groupKeyDatabaseFilePath = new FileInfo(System.IO.Path.Combine(policyConfigDirectory.FullName,"manager-group-key-test.db"));
groupKeyDatabaseFilePath.delete();
RsaKeyParams paras = new RsaKeyParams();
DecryptKey memberDecryptKey = net.named_data.jndn.encrypt.algo.RsaAlgorithm.generateKey(paras);
decryptKeyBlob = memberDecryptKey.getKeyBits();
EncryptKey memberEncryptKey = net.named_data.jndn.encrypt.algo.RsaAlgorithm
.deriveEncryptKey(decryptKeyBlob);
encryptKeyBlob = memberEncryptKey.getKeyBits();
// Generate the certificate.
certificate.setName(new Name("/ndn/memberA/KEY/ksk-123/ID-CERT/123"));
PublicKey contentPublicKey = new PublicKey(encryptKeyBlob);
certificate.setPublicKeyInfo(contentPublicKey);
certificate.encode();
Blob signatureInfoBlob = new Blob(SIG_INFO, false);
Blob signatureValueBlob = new Blob(SIG_VALUE, false);
Signature signature = net.named_data.jndn.encoding.TlvWireFormat.get().decodeSignatureInfoAndValue(
signatureInfoBlob.buf(), signatureValueBlob.buf());
certificate.setSignature(signature);
certificate.wireEncode();
// Set up the keyChain.
MemoryIdentityStorage identityStorage = new MemoryIdentityStorage();
MemoryPrivateKeyStorage privateKeyStorage = new MemoryPrivateKeyStorage();
keyChain = new KeyChain(new IdentityManager(identityStorage,
privateKeyStorage), new NoVerifyPolicyManager());
Name identityName = new Name("TestGroupManager");
keyChain.createIdentityAndCertificate(identityName);
keyChain.getIdentityManager().setDefaultIdentity(identityName);
net.named_data.jndn.encrypt.GroupManager.setFriendAccess(this);
}
