/// <summary> /// Encode this Data for a particular wire format. If wireFormat is the default /// wire format, also set the defaultWireEncoding field to the encoded result. /// </summary> /// /// <param name="wireFormat">A WireFormat object used to decode the input.</param> /// <returns>The encoded buffer.</returns> public SignedBlob wireEncode(WireFormat wireFormat) { if (!getDefaultWireEncoding().isNull() && getDefaultWireEncodingFormat() == wireFormat) { // We already have an encoding in the desired format. return(getDefaultWireEncoding()); } int[] signedPortionBeginOffset = new int[1]; int[] signedPortionEndOffset = new int[1]; Blob encoding = wireFormat.encodeData(this, signedPortionBeginOffset, signedPortionEndOffset); SignedBlob wireEncoding = new SignedBlob(encoding, signedPortionBeginOffset[0], signedPortionEndOffset[0]); if (wireFormat == net.named_data.jndn.encoding.WireFormat.getDefaultWireFormat()) { // This is the default wire encoding. setDefaultWireEncoding(wireEncoding, net.named_data.jndn.encoding.WireFormat.getDefaultWireFormat()); } return(wireEncoding); }
/// <summary> /// Check the type of signature and use the publicKeyDer to verify the /// signedBlob using the appropriate signature algorithm. /// </summary> /// /// <param name="signature"></param> /// <param name="signedBlob">the SignedBlob with the signed portion to verify.</param> /// <param name="publicKeyDer"></param> /// <returns>True if the signature is verified, false if failed.</returns> /// <exception cref="System.Security.SecurityException">if the signature type is not recognized or ifpublicKeyDer can't be decoded.</exception> protected static internal bool verifySignature( net.named_data.jndn.Signature signature, SignedBlob signedBlob, Blob publicKeyDer) { if (signature is Sha256WithRsaSignature || signature is Sha256WithEcdsaSignature) { if (publicKeyDer.isNull()) { return(false); } return(net.named_data.jndn.security.VerificationHelpers.verifySignature(signedBlob.signedBuf(), signature.getSignature(), new PublicKey(publicKeyDer), net.named_data.jndn.security.DigestAlgorithm.SHA256)); } else if (signature is DigestSha256Signature) { return(net.named_data.jndn.security.VerificationHelpers.verifyDigest(signedBlob.signedBuf(), signature.getSignature(), net.named_data.jndn.security.DigestAlgorithm.SHA256)); } else { // We don't expect this to happen. throw new SecurityException( "PolicyManager.verify: Signature type is unknown"); } }
/// <summary> /// Check the type of signature and use the publicKeyDer to verify the /// signedBlob using the appropriate signature algorithm. /// </summary> /// /// <param name="signature"></param> /// <param name="signedBlob">the SignedBlob with the signed portion to verify.</param> /// <param name="publicKeyDer"></param> /// <returns>True if the signature is verified, false if failed.</returns> /// <exception cref="System.Security.SecurityException">if the signature type is not recognized or ifpublicKeyDer can't be decoded.</exception> protected static internal bool verifySignature( net.named_data.jndn.Signature signature, SignedBlob signedBlob, Blob publicKeyDer) { if (signature is Sha256WithRsaSignature) { if (publicKeyDer.isNull()) { return(false); } return(verifySha256WithRsaSignature(signature.getSignature(), signedBlob, publicKeyDer)); } else if (signature is Sha256WithEcdsaSignature) { if (publicKeyDer.isNull()) { return(false); } return(verifySha256WithEcdsaSignature(signature.getSignature(), signedBlob, publicKeyDer)); } else if (signature is DigestSha256Signature) { return(verifyDigestSha256Signature(signature.getSignature(), signedBlob)); } else { // We don't expect this to happen. throw new SecurityException( "PolicyManager.verify: Signature type is unknown"); } }
/// <summary> /// Check the type of signatureInfo to get the KeyLocator. Look in the /// IdentityStorage or PibImpl for the public key with the name in the KeyLocator (if /// available) and use it to verify the signedBlob. If the public key can't be /// found, return false. (This is a generalized method which can verify both a /// Data packet and an interest.) /// </summary> /// /// <param name="signatureInfo"></param> /// <param name="signedBlob">the SignedBlob with the signed portion to verify.</param> /// <param name="failureReason"></param> /// <returns>True if the signature is verified, false if failed.</returns> private bool verify(Signature signatureInfo, SignedBlob signedBlob, String[] failureReason) { Blob publicKeyDer = null; if (net.named_data.jndn.KeyLocator.canGetFromSignature(signatureInfo)) { publicKeyDer = getPublicKeyDer( net.named_data.jndn.KeyLocator.getFromSignature(signatureInfo), failureReason); if (publicKeyDer.isNull()) { return(false); } } if (net.named_data.jndn.security.policy.PolicyManager.verifySignature(signatureInfo, signedBlob, publicKeyDer)) { return(true); } else { failureReason[0] = "The signature did not verify with the given public key"; return(false); } }
public void extractEntriesForNackInterest( Interest interest, ArrayList <Entry> entries) { SignedBlob encoding = interest.wireEncode(); // Go backwards through the list so we can remove entries. for (int i = table_.Count - 1; i >= 0; --i) { PendingInterestTable.Entry pendingInterest = table_[i]; if (pendingInterest.getOnNetworkNack() == null) { continue; } // wireEncode returns the encoding cached when the interest was sent (if // it was the default wire encoding). if (pendingInterest.getInterest().wireEncode().equals(encoding)) { ILOG.J2CsMapping.Collections.Collections.Add(entries, table_[i]); // We let the callback from callLater call _processInterestTimeout, but // for efficiency, mark this as removed so that it returns right away. ILOG.J2CsMapping.Collections.Collections.RemoveAt(table_, i); pendingInterest.setIsRemoved(); } } }
/// <summary> /// Verify the Data packet using the digest algorithm. This does not check the /// digest algorithm against the type of SignatureInfo in the Data packet such /// as DigestSha256Signature. /// </summary> /// /// <param name="data">The Data packet to verify.</param> /// <param name="digestAlgorithm">The digest algorithm, such as DigestAlgorithm.SHA256.</param> /// <param name="wireFormat">A WireFormat object used to encode the Data packet.</param> /// <returns>True if verification succeeds, false if verification fails.</returns> /// <exception cref="System.ArgumentException">for an invalid digestAlgorithm.</exception> public static bool verifyDataDigest(Data data, DigestAlgorithm digestAlgorithm, WireFormat wireFormat) { SignedBlob encoding = data.wireEncode(wireFormat); return(verifyDigest(encoding.signedBuf(), data.getSignature() .getSignature(), digestAlgorithm)); }
private void setDefaultWireEncoding(SignedBlob defaultWireEncoding, WireFormat defaultWireEncodingFormat) { defaultWireEncoding_ = defaultWireEncoding; defaultWireEncodingFormat_ = defaultWireEncodingFormat; // Set getDefaultWireEncodingChangeCount_ so that the next call to // getDefaultWireEncoding() won't clear defaultWireEncoding_. getDefaultWireEncodingChangeCount_ = getChangeCount(); }
/// <summary> /// Verify the DigestSha256 signature on the SignedBlob by verifying that the /// digest of SignedBlob equals the signature. /// </summary> /// /// <param name="signature">The signature bits.</param> /// <param name="signedBlob">the SignedBlob with the signed portion to verify.</param> /// <returns>true if the signature verifies, false if not.</returns> protected static internal bool verifyDigestSha256Signature(Blob signature, SignedBlob signedBlob) { // Set signedPortionDigest to the digest of the signed portion of the signedBlob. byte[] signedPortionDigest = net.named_data.jndn.util.Common .digestSha256(signedBlob.signedBuf()); return(ILOG.J2CsMapping.Collections.Arrays.Equals(signedPortionDigest, signature.getImmutableArray())); }
/// <summary> /// Wire encode the data packet, compute an HmacWithSha256 and update the /// signature value. /// </summary> /// /// @note This method is an experimental feature. The API may change. /// <param name="data">The Data object to be signed. This updates its signature.</param> /// <param name="key">The key for the HmacWithSha256.</param> /// <param name="wireFormat">A WireFormat object used to encode the data packet.</param> public static void signWithHmacWithSha256(Data data, Blob key, WireFormat wireFormat) { // Encode once to get the signed portion. SignedBlob encoding = data.wireEncode(wireFormat); byte[] signatureBytes = net.named_data.jndn.util.Common.computeHmacWithSha256( key.getImmutableArray(), encoding.signedBuf()); data.getSignature().setSignature(new Blob(signatureBytes, false)); }
/// <summary> /// Compute a new HmacWithSha256 for the data packet and verify it against the /// signature value. /// </summary> /// /// @note This method is an experimental feature. The API may change. /// <param name="data">The Data packet to verify.</param> /// <param name="key">The key for the HmacWithSha256.</param> /// <param name="wireFormat">A WireFormat object used to encode the data packet.</param> /// <returns>True if the signature verifies, otherwise false.</returns> public static bool verifyDataWithHmacWithSha256(Data data, Blob key, WireFormat wireFormat) { // wireEncode returns the cached encoding if available. SignedBlob encoding = data.wireEncode(wireFormat); byte[] newSignatureBytes = net.named_data.jndn.util.Common.computeHmacWithSha256( key.getImmutableArray(), encoding.signedBuf()); return(ILOG.J2CsMapping.NIO.ByteBuffer.wrap(newSignatureBytes).equals( data.getSignature().getSignature().buf())); }
/// <summary> /// Return a pointer to the defaultWireEncoding, which was encoded with /// getDefaultWireEncodingFormat(). /// </summary> /// /// <returns>The default wire encoding. Its pointer may be null.</returns> public SignedBlob getDefaultWireEncoding() { if (getDefaultWireEncodingChangeCount_ != getChangeCount()) { // The values have changed, so the default wire encoding is invalidated. defaultWireEncoding_ = new SignedBlob(); defaultWireEncodingFormat_ = null; getDefaultWireEncodingChangeCount_ = getChangeCount(); } return(defaultWireEncoding_); }
public Task <SignedBlob> UriForUpload(string Oid, long size, CancellationToken token) { var blob = new SignedBlob { Uri = MakePreAuthenticatedUrl(Oid, BlobSasPermissions.Write), Expiry = _config.Expiry, Headers = new Dictionary <string, string> { ["Content-Type"] = BlobConstants.UploadMimeType, ["x-ms-blob-type"] = "BlockBlob" } }; return(Task.FromResult(blob)); }
/// <summary> /// Verify the Interest packet using the digest algorithm, where the last two /// name components are the SignatureInfo and signature bytes. This does not /// check the digest algorithm against the type of SignatureInfo such as /// DigestSha256Signature. /// </summary> /// /// <param name="interest">The Interest packet to verify.</param> /// <param name="digestAlgorithm">The digest algorithm, such as DigestAlgorithm.SHA256.</param> /// <param name="wireFormat">A WireFormat object used to decode the Interest packet.</param> /// <returns>True if verification succeeds, false if verification fails or /// cannot decode the Interest.</returns> /// <exception cref="System.ArgumentException">for an invalid digestAlgorithm.</exception> public static bool verifyInterestDigest(Interest interest, DigestAlgorithm digestAlgorithm, WireFormat wireFormat) { Signature signature = extractSignature(interest, wireFormat); if (signature == null) { return(false); } SignedBlob encoding = interest.wireEncode(wireFormat); return(verifyDigest(encoding.signedBuf(), signature.getSignature(), digestAlgorithm)); }
/// <summary> /// Verify the ECDSA signature on the SignedBlob using the given public key. /// </summary> /// /// <param name="signature">The signature bits.</param> /// <param name="signedBlob">the SignedBlob with the signed portion to verify.</param> /// <param name="publicKeyDer">The DER-encoded public key used to verify the signature.</param> /// <returns>true if the signature verifies, false if not.</returns> protected static internal bool verifySha256WithEcdsaSignature(Blob signature, SignedBlob signedBlob, Blob publicKeyDer) { KeyFactory keyFactory = null; try { keyFactory = System.KeyFactory.getInstance("EC"); } catch (Exception exception) { // Don't expect this to happen. throw new SecurityException("EC is not supported: " + exception.Message); } System.SecurityPublicKey publicKey = null; try { publicKey = keyFactory.generatePublic(new X509EncodedKeySpec( publicKeyDer.getImmutableArray())); } catch (InvalidKeySpecException exception_0) { // Don't expect this to happen. throw new SecurityException("X509EncodedKeySpec is not supported: " + exception_0.Message); } System.SecuritySignature ecSignature = null; try { ecSignature = System.SecuritySignature .getInstance("SHA256withECDSA"); } catch (Exception e) { // Don't expect this to happen. throw new SecurityException( "SHA256withECDSA algorithm is not supported"); } try { ecSignature.initVerify(publicKey); } catch (InvalidKeyException exception_1) { throw new SecurityException("InvalidKeyException: " + exception_1.Message); } try { ecSignature.update(signedBlob.signedBuf()); return(ecSignature.verify(signature.getImmutableArray())); } catch (SignatureException exception_2) { throw new SecurityException("SignatureException: " + exception_2.Message); } }
/// <summary> /// Check the type of signatureInfo to get the KeyLocator. Look in the /// IdentityStorage for the public key with the name in the KeyLocator (if /// available) and use it to verify the signedBlob. If the public key can't be /// found, return false. (This is a generalized method which can verify both a /// Data packet and an interest.) /// </summary> /// /// <param name="signatureInfo"></param> /// <param name="signedBlob">the SignedBlob with the signed portion to verify.</param> /// <returns>True if the signature is verified, false if failed.</returns> private bool verify(net.named_data.jndn.Signature signatureInfo, SignedBlob signedBlob) { Blob publicKeyDer = null; if (net.named_data.jndn.KeyLocator.canGetFromSignature(signatureInfo)) { publicKeyDer = getPublicKeyDer(net.named_data.jndn.KeyLocator .getFromSignature(signatureInfo)); if (publicKeyDer.isNull()) { return(false); } } return(net.named_data.jndn.security.policy.PolicyManager.verifySignature(signatureInfo, signedBlob, publicKeyDer)); }
private static CertificateV2 makeSelfSignedCertificate(Name keyName, Blob privateKeyBag, Blob publicKeyEncoding, ByteBuffer password, DigestAlgorithm digestAlgorithm, WireFormat wireFormat) { CertificateV2 certificate = new CertificateV2(); // Set the name. double now = net.named_data.jndn.util.Common.getNowMilliseconds(); Name certificateName = new Name(keyName); certificateName.append("self").appendVersion((long)now); certificate.setName(certificateName); // Set the MetaInfo. certificate.getMetaInfo().setType(net.named_data.jndn.ContentType.KEY); // Set a one-hour freshness period. certificate.getMetaInfo().setFreshnessPeriod(3600 * 1000.0d); // Set the content. PublicKey publicKey = null; try { publicKey = new PublicKey(publicKeyEncoding); } catch (UnrecognizedKeyFormatException ex) { // Promote to Pib.Error. throw new Pib.Error("Error decoding public key " + ex); } certificate.setContent(publicKey.getKeyDer()); // Create a temporary in-memory Tpm and import the private key. Tpm tpm = new Tpm("", "", new TpmBackEndMemory()); tpm.importPrivateKey_(keyName, privateKeyBag.buf(), password); // Set the signature info. if (publicKey.getKeyType() == net.named_data.jndn.security.KeyType.RSA) { certificate.setSignature(new Sha256WithRsaSignature()); } else if (publicKey.getKeyType() == net.named_data.jndn.security.KeyType.EC) { certificate.setSignature(new Sha256WithEcdsaSignature()); } else { throw new AssertionError("Unsupported key type"); } Signature signatureInfo = certificate.getSignature(); net.named_data.jndn.KeyLocator.getFromSignature(signatureInfo).setType( net.named_data.jndn.KeyLocatorType.KEYNAME); net.named_data.jndn.KeyLocator.getFromSignature(signatureInfo).setKeyName(keyName); // Set a 20-year validity period. net.named_data.jndn.security.ValidityPeriod.getFromSignature(signatureInfo).setPeriod(now, now + 20 * 365 * 24 * 3600 * 1000.0d); // Encode once to get the signed portion. SignedBlob encoding = certificate.wireEncode(wireFormat); Blob signatureBytes = tpm.sign(encoding.signedBuf(), keyName, digestAlgorithm); signatureInfo.setSignature(signatureBytes); // Encode again to include the signature. certificate.wireEncode(wireFormat); return(certificate); }