net.named_data.jndn.encrypt

Class EncryptorV2

java.lang.Object

net.named_data.jndn.encrypt.EncryptorV2

public class EncryptorV2
extends Object

EncryptorV2 encrypts the requested content for name-based access control (NAC) using security v2. For the meaning of "KEK", etc. see: https://github.com/named-data/name-based-access-control/blob/new/docs/spec.rst

Field Summary

Fields

Modifier and Type	Field and Description
static int	AES_IV_SIZE
static int	AES_KEY_SIZE
static int	N_RETRIES
static Name.Component	NAME_COMPONENT_CK
static Name.Component	NAME_COMPONENT_ENCRYPTED_BY
static Name.Component	NAME_COMPONENT_KDK
static Name.Component	NAME_COMPONENT_KEK
static Name.Component	NAME_COMPONENT_NAC
static double	RETRY_DELAY_AFTER_NACK_MS
static double	RETRY_DELAY_KEK_RETRIEVAL_MS

Constructor Summary

Constructors

Constructor and Description
EncryptorV2(Name accessPrefix, Name ckPrefix, SigningInfo ckDataSigningInfo, EncryptError.OnError onError, Validator validator, KeyChain keyChain, Face face) Create an EncryptorV2 with the given parameters.

Method Summary

Modifier and Type	Method and Description
void	clearKekData_() Set the internal kekData_ to null.
EncryptedContent	encrypt(byte[] plainData) Encrypt the plainData using the existing Content Key (CK) and return a new EncryptedContent.
HashMap	getCache_() Get the the storage cache, which should only be used for testing.
boolean	getIsKekRetrievalInProgress_() Get the isKekRetrievalInProgress_ flag.
void	regenerateCk() Create a new Content Key (CK) and publish the corresponding CK Data packet.
void	shutdown()
int	size() Get the number of packets stored in in-memory storage.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

NAME_COMPONENT_ENCRYPTED_BY

public static final Name.Component NAME_COMPONENT_ENCRYPTED_BY

NAME_COMPONENT_NAC

public static final Name.Component NAME_COMPONENT_NAC

NAME_COMPONENT_KEK

public static final Name.Component NAME_COMPONENT_KEK

NAME_COMPONENT_KDK

public static final Name.Component NAME_COMPONENT_KDK

NAME_COMPONENT_CK

public static final Name.Component NAME_COMPONENT_CK

RETRY_DELAY_AFTER_NACK_MS

public static final double RETRY_DELAY_AFTER_NACK_MS

See Also:

Constant Field Values

RETRY_DELAY_KEK_RETRIEVAL_MS

public static final double RETRY_DELAY_KEK_RETRIEVAL_MS

See Also:

Constant Field Values

AES_KEY_SIZE

public static final int AES_KEY_SIZE

See Also:

Constant Field Values

AES_IV_SIZE

public static final int AES_IV_SIZE

See Also:

Constant Field Values

N_RETRIES

public static final int N_RETRIES

See Also:

Constant Field Values

Constructor Detail

EncryptorV2

public EncryptorV2(Name accessPrefix,
                   Name ckPrefix,
                   SigningInfo ckDataSigningInfo,
                   EncryptError.OnError onError,
                   Validator validator,
                   KeyChain keyChain,
                   Face face)
            throws IOException,
                   SecurityException

Create an EncryptorV2 with the given parameters. This uses the face to register to receive Interests for the prefix {ckPrefix}/CK.

Parameters:

accessPrefix - The NAC prefix to fetch the Key Encryption Key (KEK) (e.g., /access/prefix/NAC/data/subset). This copies the Name.

ckPrefix - The prefix under which Content Keys (CK) will be generated. (Each will have a unique version appended.) This copies the Name.

ckDataSigningInfo - The SigningInfo parameters to sign the Content Key (CK) Data packet. This copies the SigningInfo.

onError - On failure to create the CK data (failed to fetch the KEK, failed to encrypt with the KEK, etc.), this calls onError.onError(errorCode, message) where errorCode is from the EncryptError.ErrorCode enum, and message is an error string. The encrypt method will continue trying to retrieve the KEK until success (with each attempt separated by RETRY_DELAY_KEK_RETRIEVAL_MS) and onError may be called multiple times. NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions.

validator - The validation policy to ensure correctness of the KEK.

keyChain - The KeyChain used to sign Data packets.

face - The Face that will be used to fetch the KEK and publish CK data.

Throws:

IOException

SecurityException

Method Detail

shutdown

public final void shutdown()

encrypt

public final EncryptedContent encrypt(byte[] plainData)
                               throws NoSuchAlgorithmException,
                                      NoSuchPaddingException,
                                      InvalidAlgorithmParameterException,
                                      IllegalBlockSizeException,
                                      BadPaddingException

Encrypt the plainData using the existing Content Key (CK) and return a new EncryptedContent.

Parameters:

plainData - The data to encrypt.

Returns:

The new EncryptedContent.

Throws:

NoSuchAlgorithmException

NoSuchPaddingException

InvalidAlgorithmParameterException

IllegalBlockSizeException

BadPaddingException

regenerateCk

public final void regenerateCk()

Create a new Content Key (CK) and publish the corresponding CK Data packet. This uses the onError given to the constructor to report errors.

size

public final int size()

Get the number of packets stored in in-memory storage.

Returns:

The number of packets.

getCache_

public final HashMap getCache_()

Get the the storage cache, which should only be used for testing.

Returns:

The storage cache.

getIsKekRetrievalInProgress_

public final boolean getIsKekRetrievalInProgress_()

Get the isKekRetrievalInProgress_ flag. This is only for testing.

Returns:

The isKekRetrievalInProgress_ flag;

clearKekData_

public final void clearKekData_()

Set the internal kekData_ to null. This is only for testing.