net.named_data.jndn.security

Class KeyChain

java.lang.Object

net.named_data.jndn.security.KeyChain

public class KeyChain
extends Object

KeyChain is the main class of the security library. The KeyChain class provides a set of interfaces to the security library such as identity management, policy configuration and packet signing and verification.

Note:

This class is an experimental feature. See the API docs for more detail at http://named-data.net/doc/ndn-ccl-api/key-chain.html .

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	KeyChain.Error A KeyChain.Error extends Exception and represents an error in KeyChain processing.
static class	KeyChain.InvalidSigningInfoError A KeyChain.InvalidSigningInfoError extends KeyChain.Error to indicate that the supplied SigningInfo is invalid.
static class	KeyChain.LocatorMismatchError A KeyChain.LocatorMismatchError extends KeyChain.Error to indicate that the supplied TPM locator does not match the locator stored in the PIB.
static interface	KeyChain.MakePibImpl
static interface	KeyChain.MakeTpmBackEnd

Field Summary

Fields

Modifier and Type	Field and Description
static RsaKeyParams	DEFAULT_KEY_PARAMS Deprecated. Use getDefaultKeyParams().

Constructor Summary

Constructors

Constructor and Description
KeyChain() Create a KeyChain with the default PIB and TPM, which are platform-dependent and can be overridden system-wide or individually by the user.
KeyChain(IdentityManager identityManager) Create a new security v1 KeyChain with the given IdentityManager and a NoVerifyPolicyManager.
KeyChain(IdentityManager identityManager, PolicyManager policyManager) Create a new security v1 KeyChain with the given IdentityManager and PolicyManager.
KeyChain(PibImpl pibImpl, TpmBackEnd tpmBackEnd) Create a security v2 KeyChain with explicitly-created PIB and TPM objects.
KeyChain(PibImpl pibImpl, TpmBackEnd tpmBackEnd, PolicyManager policyManager) Create a security v2 KeyChain with explicitly-created PIB and TPM objects, and that still uses the v1 PolicyManager.
KeyChain(String pibLocator, String tpmLocator) Create a KeyChain to use the PIB and TPM defined by the given locators.
KeyChain(String pibLocator, String tpmLocator, boolean allowReset) Create a KeyChain to use the PIB and TPM defined by the given locators.

Method Summary

Modifier and Type	Method and Description
void	addCertificate(PibKey key, CertificateV2 certificate) Add a certificate for the key.
Name	createIdentity(Name identityName) Deprecated. Use createIdentityAndCertificate which returns the certificate name instead of the key name.
Name	createIdentity(Name identityName, KeyParams params) Deprecated. Use createIdentityAndCertificate which returns the certificate name instead of the key name.
Name	createIdentityAndCertificate(Name identityName) Create a security v1 identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed certificate of the KSK.
Name	createIdentityAndCertificate(Name identityName, KeyParams params) Create a security v1 identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed certificate of the KSK.
PibIdentity	createIdentityV2(Name identityName) Create a security V2 identity for identityName.
PibIdentity	createIdentityV2(Name identityName, KeyParams params) Create a security V2 identity for identityName.
PibKey	createKey(PibIdentity identity) Create a key for the identity according to getDefaultKeyParams().
PibKey	createKey(PibIdentity identity, KeyParams params) Create a key for the identity according to params.
Blob	createSigningRequest(Name keyName) Create a public key signing request.
void	deleteCertificate(PibKey key, Name certificateName) Delete the certificate with the given name from the given key.
void	deleteIdentity(Name identityName) Delete the identity from the public and private key storage.
void	deleteIdentity(PibIdentity identity) Delete the identity.
void	deleteKey(PibIdentity identity, PibKey key) Delete the given key of the given identity.
SafeBag	exportSafeBag(CertificateV2 certificate) Export a certificate and its corresponding private key in a SafeBag, with a null password which exports an unencrypted PKCS #8 PrivateKeyInfo.
SafeBag	exportSafeBag(CertificateV2 certificate, ByteBuffer password) Export a certificate and its corresponding private key in a SafeBag.
Name	generateEcdsaKeyPair(Name identityName) Generate a pair of ECDSA keys for the specified identity for a Data-Signing-Key and default keySize 256.
Name	generateEcdsaKeyPair(Name identityName, boolean isKsk) Generate a pair of ECDSA keys for the specified identity and default keySize 256.
Name	generateEcdsaKeyPair(Name identityName, boolean isKsk, int keySize) Generate a pair of ECDSA keys for the specified identity.
Name	generateEcdsaKeyPairAsDefault(Name identityName) Generate a pair of ECDSA keys for the specified identity and set it as default key for the identity for a Data-Signing-Key and using the default keySize 256.
Name	generateEcdsaKeyPairAsDefault(Name identityName, boolean isKsk) Generate a pair of ECDSA keys for the specified identity and set it as default key for the identity, using the default keySize 256.
Name	generateEcdsaKeyPairAsDefault(Name identityName, boolean isKsk, int keySize) Generate a pair of ECDSA keys for the specified identity and set it as default key for the identity.
Name	generateRSAKeyPair(Name identityName) Generate a pair of RSA keys for the specified identity for a Data-Signing-Key and default keySize 2048.
Name	generateRSAKeyPair(Name identityName, boolean isKsk) Generate a pair of RSA keys for the specified identity and default keySize 2048.
Name	generateRSAKeyPair(Name identityName, boolean isKsk, int keySize) Generate a pair of RSA keys for the specified identity.
Name	generateRSAKeyPairAsDefault(Name identityName) Generate a pair of RSA keys for the specified identity and set it as default key for the identity for a Data-Signing-Key and using the default keySize 2048.
Name	generateRSAKeyPairAsDefault(Name identityName, boolean isKsk) Generate a pair of RSA keys for the specified identity and set it as the default key for the identity, using the default keySize 2048.
Name	generateRSAKeyPairAsDefault(Name identityName, boolean isKsk, int keySize) Generate a pair of RSA keys for the specified identity and set it as the default key for the identity.
IdentityCertificate	getCertificate(Name certificateName) Get a certificate with the specified name.
Name	getDefaultCertificateName() Get the default certificate name of the default identity.
Name	getDefaultIdentity() Get the default identity.
static KeyParams	getDefaultKeyParams()
IdentityCertificate	getIdentityCertificate(Name certificateName) Deprecated. Use getCertificate.
IdentityManager	getIdentityManager() Get the identity manager given to or created by the constructor.
boolean	getIsSecurityV1() Get the flag set by the constructor if this is a security v1 or v2 KeyChain.
Pib	getPib()
Tpm	getTpm()
void	importSafeBag(SafeBag safeBag) Import a certificate and its corresponding private key encapsulated in a SafeBag, with a null password which imports an unencrypted PKCS #8 PrivateKeyInfo.
void	importSafeBag(SafeBag safeBag, ByteBuffer password) Import a certificate and its corresponding private key encapsulated in a SafeBag.
void	installIdentityCertificate(IdentityCertificate certificate) Install an identity certificate into the public key identity storage.
static void	registerPibBackend(String scheme, KeyChain.MakePibImpl makePibImpl) Add to the PIB factories map where scheme is the key and makePibImpl is the value.
static void	registerTpmBackend(String scheme, KeyChain.MakeTpmBackEnd makeTpmBackEnd) Add to the TPM factories map where scheme is the key and makeTpmBackEnd is the value.
void	revokeCertificate(Name certificateName) Revoke a certificate.
void	revokeKey(Name keyName) Revoke a key.
CertificateV2	selfSign(PibKey key) Generate a self-signed certificate for the public key and add it to the PIB.
CertificateV2	selfSign(PibKey key, WireFormat wireFormat) Generate a self-signed certificate for the public key and add it to the PIB.
void	setDefaultCertificate(PibKey key, CertificateV2 certificate) Set the certificate as the default certificate of the key.
void	setDefaultCertificateForKey(IdentityCertificate certificate) Set the certificate as the default for its corresponding key.
void	setDefaultIdentity(PibIdentity identity) Set the identity as the default identity.
void	setDefaultKey(PibIdentity identity, PibKey key) Set the key as the default key of identity.
void	setDefaultKeyForIdentity(Name keyName) Set a key as the default key of an identity.
void	setDefaultKeyForIdentity(Name keyName, Name identityNameCheck) Set a key as the default key of an identity.
void	setFace(Face face) Set the Face which will be used to fetch required certificates.
Blob	sign(ByteBuffer buffer) Sign the byte buffer using the default key of the default identity.
Signature	sign(ByteBuffer buffer, Name certificateName) Sign the byte buffer using a certificate name and return a Signature object.
Blob	sign(ByteBuffer buffer, SigningInfo params) Sign the byte buffer according to the supplied signing parameters.
void	sign(Data data) Wire encode the Data object, sign it with the default key of the default identity, and set its signature.
void	sign(Data data, Name certificateName) Wire encode the Data object, sign it and set its signature.
void	sign(Data data, Name certificateName, WireFormat wireFormat) Wire encode the Data object, sign it and set its signature.
void	sign(Data data, SigningInfo params) Wire encode the Data object, sign it according to the supplied signing parameters, and set its signature.
void	sign(Data data, SigningInfo params, WireFormat wireFormat) Wire encode the Data object, sign it according to the supplied signing parameters, and set its signature.
void	sign(Data data, WireFormat wireFormat) Wire encode the Data object, sign it with the default key of the default identity, and set its signature.
void	sign(Interest interest) Sign the Interest with the default key of the default identity.
void	sign(Interest interest, Name certificateName) Append a SignatureInfo to the Interest name, sign the name components and append a final name component with the signature bits.
void	sign(Interest interest, Name certificateName, WireFormat wireFormat) Append a SignatureInfo to the Interest name, sign the name components and append a final name component with the signature bits.
void	sign(Interest interest, SigningInfo params) Sign the Interest according to the supplied signing parameters.
void	sign(Interest interest, SigningInfo params, WireFormat wireFormat) Sign the Interest according to the supplied signing parameters.
void	sign(Interest interest, WireFormat wireFormat) Sign the Interest with the default key of the default identity.
Signature	signByIdentity(ByteBuffer buffer, Name identityName) Sign the byte buffer using an identity name and return a Signature object.
void	signByIdentity(Data data) Wire encode the Data object, sign it and set its signature.
void	signByIdentity(Data data, Name identityName) Wire encode the Data object, sign it and set its signature.
void	signByIdentity(Data data, Name identityName, WireFormat wireFormat) Wire encode the Data object, sign it and set its signature.
static void	signWithHmacWithSha256(Data data, Blob key) Wire encode the data packet, compute an HmacWithSha256 and update the signature value.
static void	signWithHmacWithSha256(Data data, Blob key, WireFormat wireFormat) Wire encode the data packet, compute an HmacWithSha256 and update the signature value.
static void	signWithHmacWithSha256(Interest interest, Blob key, Name keyName) Append a SignatureInfo to the Interest name, compute an HmacWithSha256 signature for the name components and append a final name component with the signature bits.
static void	signWithHmacWithSha256(Interest interest, Blob key, Name keyName, WireFormat wireFormat) Append a SignatureInfo to the Interest name, compute an HmacWithSha256 signature for the name components and append a final name component with the signature bits.
void	signWithSha256(Data data) Wire encode the Data object, digest it and set its SignatureInfo to a DigestSha256.
void	signWithSha256(Data data, WireFormat wireFormat) Wire encode the Data object, digest it and set its SignatureInfo to a DigestSha256.
void	signWithSha256(Interest interest) Append a SignatureInfo for DigestSha256 to the Interest name, digest the name components and append a final name component with the signature bits (which is the digest).
void	signWithSha256(Interest interest, WireFormat wireFormat) Append a SignatureInfo for DigestSha256 to the Interest name, digest the name components and append a final name component with the signature bits (which is the digest).
void	verifyData(Data data, OnVerified onVerified, OnDataValidationFailed onValidationFailed) Check the signature on the Data object and call either onVerify.onVerify or onValidationFailed.onDataValidationFailed.
void	verifyData(Data data, OnVerified onVerified, OnDataValidationFailed onValidationFailed, int stepCount)
void	verifyData(Data data, OnVerified onVerified, OnVerifyFailed onVerifyFailed) Deprecated. Use verifyData with OnDataValidationFailed.
static boolean	verifyDataWithHmacWithSha256(Data data, Blob key) Compute a new HmacWithSha256 for the data packet and verify it against the signature value.
static boolean	verifyDataWithHmacWithSha256(Data data, Blob key, WireFormat wireFormat) Compute a new HmacWithSha256 for the data packet and verify it against the signature value.
void	verifyInterest(Interest interest, OnVerifiedInterest onVerified, OnInterestValidationFailed onValidationFailed) Check the signature on the signed interest and call either onVerify.onVerifiedInterest or onValidationFailed.onInterestValidationFailed.
void	verifyInterest(Interest interest, OnVerifiedInterest onVerified, OnInterestValidationFailed onValidationFailed, int stepCount)
void	verifyInterest(Interest interest, OnVerifiedInterest onVerified, OnVerifyInterestFailed onVerifyFailed) Deprecated. Use verifyInterest with OnInterestValidationFailed.
static boolean	verifyInterestWithHmacWithSha256(Interest interest, Blob key) Compute a new HmacWithSha256 for all but the final name component and verify it against the signature value in the final name component.
static boolean	verifyInterestWithHmacWithSha256(Interest interest, Blob key, WireFormat wireFormat) Compute a new HmacWithSha256 for all but the final name component and verify it against the signature value in the final name component.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_KEY_PARAMS

public static final RsaKeyParams DEFAULT_KEY_PARAMS

Deprecated. Use getDefaultKeyParams().

Constructor Detail

KeyChain

public KeyChain(String pibLocator,
                String tpmLocator,
                boolean allowReset)
         throws KeyChain.Error,
                PibImpl.Error,
                SecurityException,
                IOException

Create a KeyChain to use the PIB and TPM defined by the given locators. This creates a security v2 KeyChain that uses CertificateV2, Pib, Tpm and Validator (instead of v1 Certificate, IdentityStorage, PrivateKeyStorage and PolicyManager).

Parameters:

pibLocator - The PIB locator, e.g., "pib-sqlite3:/example/dir".

tpmLocator - The TPM locator, e.g., "tpm-memory:".

allowReset - If true, the PIB will be reset when the supplied tpmLocator mismatches the one in the PIB.

Throws:

KeyChain.LocatorMismatchError - if the supplied TPM locator does not match the locator stored in the PIB.

KeyChain.Error

PibImpl.Error

SecurityException

IOException

KeyChain

public KeyChain(String pibLocator,
                String tpmLocator)
         throws KeyChain.Error,
                PibImpl.Error,
                SecurityException,
                IOException

Create a KeyChain to use the PIB and TPM defined by the given locators. Don't allow resetting the PIB when the supplied tpmLocator mismatches the one in the PIB. This creates a security v2 KeyChain that uses CertificateV2, Pib, Tpm and Validator (instead of v1 Certificate, IdentityStorage, PrivateKeyStorage and PolicyManager).

Parameters:

pibLocator - The PIB locator, e.g., "pib-sqlite3:/example/dir".

tpmLocator - The TPM locator, e.g., "tpm-memory:".

Throws:

KeyChain.LocatorMismatchError - if the supplied TPM locator does not match the locator stored in the PIB.

KeyChain.Error

PibImpl.Error

SecurityException

IOException

KeyChain

public KeyChain(PibImpl pibImpl,
                TpmBackEnd tpmBackEnd,
                PolicyManager policyManager)
         throws PibImpl.Error

Create a security v2 KeyChain with explicitly-created PIB and TPM objects, and that still uses the v1 PolicyManager.

Parameters:

pibImpl - An explicitly-created PIB object of a subclass of PibImpl.

tpmBackEnd - An explicitly-created TPM object of a subclass of TpmBackEnd.

policyManager - An object of a subclass of a security v1 PolicyManager.

Throws:

PibImpl.Error

KeyChain

public KeyChain(PibImpl pibImpl,
                TpmBackEnd tpmBackEnd)
         throws PibImpl.Error

Create a security v2 KeyChain with explicitly-created PIB and TPM objects. This sets the policy manager to a security v1 NoVerifyPolicyManager.

Parameters:

pibImpl - An explicitly-created PIB object of a subclass of PibImpl.

tpmBackEnd - An explicitly-created TPM object of a subclass of TpmBackEnd.

Throws:

PibImpl.Error

KeyChain

public KeyChain(IdentityManager identityManager,
                PolicyManager policyManager)

Create a new security v1 KeyChain with the given IdentityManager and PolicyManager. For security v2, use KeyChain(pibLocator, tpmLocator) or the default constructor if your .ndn folder is already initialized for v2.

Parameters:

identityManager - An object of a subclass of IdentityManager.

policyManager - An object of a subclass of PolicyManager.

KeyChain

public KeyChain(IdentityManager identityManager)

Create a new security v1 KeyChain with the given IdentityManager and a NoVerifyPolicyManager. For security v2, use KeyChain(pibLocator, tpmLocator) or the default constructor if your .ndn folder is already initialized for v2.

Parameters:

identityManager - An object of a subclass of IdentityManager.

KeyChain

public KeyChain()
         throws SecurityException,
                KeyChain.Error,
                PibImpl.Error,
                IOException

Create a KeyChain with the default PIB and TPM, which are platform-dependent and can be overridden system-wide or individually by the user. This creates a security v2 KeyChain that uses CertificateV2, Pib, Tpm and Validator. However, if the default security v1 database file still exists, and the default security v2 database file does not yet exists,then assume that the system is running an older NFD and create a security v1 KeyChain with the default IdentityManager and a NoVerifyPolicyManager. Note: To create a security v2 KeyChain on android, you must use the KeyChain constructor to provide AndroidSqlite3Pib and TpmBackEndFile objects which are initialized with the explicit directory for the Android filesDir.

Throws:

SecurityException

KeyChain.Error

PibImpl.Error

IOException

Method Detail

getPib

public final Pib getPib()

getTpm

public final Tpm getTpm()

getIsSecurityV1

public final boolean getIsSecurityV1()

Get the flag set by the constructor if this is a security v1 or v2 KeyChain.

Returns:

True if this is a security v1 KeyChain, false if this is a security v2 KeyChain.

createIdentityV2

public final PibIdentity createIdentityV2(Name identityName,
                                          KeyParams params)
                                   throws PibImpl.Error,
                                          Pib.Error,
                                          Tpm.Error,
                                          TpmBackEnd.Error,
                                          KeyChain.Error

Create a security V2 identity for identityName. This method will check if the identity exists in PIB and whether the identity has a default key and default certificate. If the identity does not exist, this method will create the identity in PIB. If the identity's default key does not exist, this method will create a key pair and set it as the identity's default key. If the key's default certificate is missing, this method will create a self-signed certificate for the key. If identityName did not exist and no default identity was selected before, the created identity will be set as the default identity.

Parameters:

identityName - The name of the identity.

params - The key parameters if a key needs to be generated for the identity.

Returns:

The created PibIdentity instance.

Throws:

PibImpl.Error

Pib.Error

Tpm.Error

TpmBackEnd.Error

KeyChain.Error

createIdentityV2

public final PibIdentity createIdentityV2(Name identityName)
                                   throws PibImpl.Error,
                                          Pib.Error,
                                          Tpm.Error,
                                          TpmBackEnd.Error,
                                          KeyChain.Error

Create a security V2 identity for identityName. This method will check if the identity exists in PIB and whether the identity has a default key and default certificate. If the identity does not exist, this method will create the identity in PIB. If the identity's default key does not exist, this method will create a key pair using getDefaultKeyParams() and set it as the identity's default key. If the key's default certificate is missing, this method will create a self-signed certificate for the key. If identityName did not exist and no default identity was selected before, the created identity will be set as the default identity.

Parameters:

identityName - The name of the identity.

Returns:

The created Identity instance.

Throws:

PibImpl.Error

Pib.Error

Tpm.Error

TpmBackEnd.Error

KeyChain.Error

deleteIdentity

public final void deleteIdentity(PibIdentity identity)
                          throws PibImpl.Error,
                                 TpmBackEnd.Error

Delete the identity. After this operation, the identity is invalid.

Parameters:

identity - The identity to delete.

Throws:

PibImpl.Error

TpmBackEnd.Error

setDefaultIdentity

public final void setDefaultIdentity(PibIdentity identity)
                              throws PibImpl.Error,
                                     Pib.Error

Set the identity as the default identity.

Parameters:

identity - The identity to make the default.

Throws:

PibImpl.Error

Pib.Error

createKey

public final PibKey createKey(PibIdentity identity,
                              KeyParams params)
                       throws Tpm.Error,
                              TpmBackEnd.Error,
                              PibImpl.Error,
                              Pib.Error,
                              KeyChain.Error

Create a key for the identity according to params. If the identity had no default key selected, the created key will be set as the default for this identity. This method will also create a self-signed certificate for the created key.

Parameters:

identity - A valid PibIdentity object.

params - The key parameters if a key needs to be generated for the identity.

Returns:

The new PibKey.

Throws:

Tpm.Error

TpmBackEnd.Error

PibImpl.Error

Pib.Error

KeyChain.Error

createKey

public final PibKey createKey(PibIdentity identity)
                       throws Tpm.Error,
                              TpmBackEnd.Error,
                              PibImpl.Error,
                              Pib.Error,
                              KeyChain.Error

Create a key for the identity according to getDefaultKeyParams(). If the identity had no default key selected, the created key will be set as the default for this identity. This method will also create a self-signed certificate for the created key.

Parameters:

identity - A valid PibIdentity object.

Returns:

The new PibKey.

Throws:

Tpm.Error

TpmBackEnd.Error

PibImpl.Error

Pib.Error

KeyChain.Error

deleteKey

public final void deleteKey(PibIdentity identity,
                            PibKey key)
                     throws PibImpl.Error,
                            TpmBackEnd.Error

Delete the given key of the given identity. The key becomes invalid.

Parameters:

identity - A valid PibIdentity object.

key - The key to delete.

Throws:

IllegalArgumentException - If the key does not belong to the identity.

PibImpl.Error

TpmBackEnd.Error

setDefaultKey

public final void setDefaultKey(PibIdentity identity,
                                PibKey key)
                         throws Pib.Error,
                                PibImpl.Error

Set the key as the default key of identity.

Parameters:

identity - A valid PibIdentity object.

key - The key to become the default.

Throws:

IllegalArgumentException - If the key does not belong to the identity.

Pib.Error

PibImpl.Error

addCertificate

public final void addCertificate(PibKey key,
                                 CertificateV2 certificate)
                          throws CertificateV2.Error,
                                 PibImpl.Error

Add a certificate for the key. If the key had no default certificate selected, the added certificate will be set as the default certificate for this key.

Parameters:

key - A valid PibKey object.

certificate - The certificate to add. This copies the object.

Throws:

IllegalArgumentException - If the key does not match the certificate.

CertificateV2.Error

PibImpl.Error

Note:

This method overwrites a certificate with the same name, without considering the implicit digest.

deleteCertificate

public final void deleteCertificate(PibKey key,
                                    Name certificateName)
                             throws PibImpl.Error

Delete the certificate with the given name from the given key. If the certificate does not exist, this does nothing.

Parameters:

key - A valid PibKey object.

certificateName - The name of the certificate to delete.

Throws:

IllegalArgumentException - If certificateName does not follow certificate naming conventions.

PibImpl.Error

setDefaultCertificate

public final void setDefaultCertificate(PibKey key,
                                        CertificateV2 certificate)
                                 throws PibImpl.Error,
                                        CertificateV2.Error,
                                        Pib.Error

Set the certificate as the default certificate of the key. The certificate will be added to the key, potentially overriding an existing certificate if it has the same name (without considering implicit digest).

Parameters:

key - A valid PibKey object.

certificate - The certificate to become the default. This copies the object.

Throws:

PibImpl.Error

CertificateV2.Error

Pib.Error

sign

public final void sign(Data data,
                       SigningInfo params,
                       WireFormat wireFormat)
                throws TpmBackEnd.Error,
                       PibImpl.Error,
                       KeyChain.Error

Wire encode the Data object, sign it according to the supplied signing parameters, and set its signature.

Parameters:

data - The Data object to be signed. This replaces its Signature object based on the type of key and other info in the SigningInfo params, and updates the wireEncoding.

params - The signing parameters.

wireFormat - A WireFormat object used to encode the input.

Throws:

KeyChain.Error - if signing fails.

KeyChain.InvalidSigningInfoError - if params is invalid, or if the identity, key or certificate specified in params does not exist.

TpmBackEnd.Error

PibImpl.Error

sign

public final void sign(Data data,
                       SigningInfo params)
                throws TpmBackEnd.Error,
                       PibImpl.Error,
                       KeyChain.Error

Wire encode the Data object, sign it according to the supplied signing parameters, and set its signature. Use the default WireFormat.getDefaultWireFormat().

Parameters:

data - The Data object to be signed. This replaces its Signature object based on the type of key and other info in the SigningInfo params, and updates the wireEncoding.

params - The signing parameters.

Throws:

KeyChain.Error - if signing fails.

KeyChain.InvalidSigningInfoError - if params is invalid, or if the identity, key or certificate specified in params does not exist.

TpmBackEnd.Error

PibImpl.Error

sign

public final void sign(Data data,
                       WireFormat wireFormat)
                throws SecurityException,
                       TpmBackEnd.Error,
                       PibImpl.Error,
                       KeyChain.Error

Wire encode the Data object, sign it with the default key of the default identity, and set its signature. If this is a security v1 KeyChain then use the IdentityManager to get the default identity. Otherwise use the PIB.

Parameters:

data - The Data object to be signed. This replaces its Signature object based on the type of key of the default identity, and updates the wireEncoding.

wireFormat - A WireFormat object used to encode the input.

Throws:

SecurityException

TpmBackEnd.Error

PibImpl.Error

KeyChain.Error

sign

public final void sign(Data data)
                throws SecurityException,
                       TpmBackEnd.Error,
                       PibImpl.Error,
                       KeyChain.Error

Wire encode the Data object, sign it with the default key of the default identity, and set its signature. If this is a security v1 KeyChain then use the IdentityManager to get the default identity. Otherwise use the PIB. Use the default WireFormat.getDefaultWireFormat().

Parameters:

data - The Data object to be signed. This replaces its Signature object based on the type of key of the default identity, and updates the wireEncoding.

Throws:

SecurityException

TpmBackEnd.Error

PibImpl.Error

KeyChain.Error

sign

public final void sign(Interest interest,
                       SigningInfo params,
                       WireFormat wireFormat)
                throws PibImpl.Error,
                       KeyChain.Error,
                       TpmBackEnd.Error

Sign the Interest according to the supplied signing parameters. Append a SignatureInfo to the Interest name, sign the encoded name components and append a final name component with the signature bits.

Parameters:

interest - The Interest object to be signed. This appends name components of SignatureInfo and the signature bits.

params - The signing parameters.

wireFormat - A WireFormat object used to encode the input and encode the appended components.

Throws:

KeyChain.Error - if signing fails.

KeyChain.InvalidSigningInfoError - if params is invalid, or if the identity, key or certificate specified in params does not exist.

PibImpl.Error

TpmBackEnd.Error

sign

public final void sign(Interest interest,
                       SigningInfo params)
                throws PibImpl.Error,
                       KeyChain.Error,
                       TpmBackEnd.Error

Sign the Interest according to the supplied signing parameters. Append a SignatureInfo to the Interest name, sign the encoded name components and append a final name component with the signature bits. Use the default WireFormat.getDefaultWireFormat().

Parameters:

interest - The Interest object to be signed. This appends name components of SignatureInfo and the signature bits.

params - The signing parameters.

Throws:

KeyChain.Error - if signing fails.

KeyChain.InvalidSigningInfoError - if params is invalid, or if the identity, key or certificate specified in params does not exist.

PibImpl.Error

TpmBackEnd.Error

sign

public final void sign(Interest interest,
                       WireFormat wireFormat)
                throws PibImpl.Error,
                       KeyChain.Error,
                       TpmBackEnd.Error,
                       SecurityException

Sign the Interest with the default key of the default identity. Append a SignatureInfo to the Interest name, sign the encoded name components and append a final name component with the signature bits. If this is a security v1 KeyChain then use the IdentityManager to get the default identity. Otherwise use the PIB.

Parameters:

interest - The Interest object to be signed. This appends name components of SignatureInfo and the signature bits.

wireFormat - A WireFormat object used to encode the input and encode the appended components.

Throws:

PibImpl.Error

KeyChain.Error

TpmBackEnd.Error

SecurityException

sign

public final void sign(Interest interest)
                throws PibImpl.Error,
                       KeyChain.Error,
                       TpmBackEnd.Error,
                       SecurityException

Sign the Interest with the default key of the default identity. Append a SignatureInfo to the Interest name, sign the encoded name components and append a final name component with the signature bits. Use the default WireFormat.getDefaultWireFormat(). If this is a security v1 KeyChain then use the IdentityManager to get the default identity. Otherwise use the PIB.

Parameters:

interest - The Interest object to be signed. This appends name components of SignatureInfo and the signature bits.

Throws:

PibImpl.Error

KeyChain.Error

TpmBackEnd.Error

SecurityException

sign

public final Blob sign(ByteBuffer buffer,
                       SigningInfo params)
                throws PibImpl.Error,
                       KeyChain.Error,
                       TpmBackEnd.Error

Sign the byte buffer according to the supplied signing parameters.

Parameters:

buffer - The byte buffer to be signed.

params - The signing parameters. If params refers to an identity, this selects the default key of the identity. If params refers to a key or certificate, this selects the corresponding key.

Returns:

The signature Blob, or an isNull Blob if params.getDigestAlgorithm() is unrecognized.

Throws:

PibImpl.Error

KeyChain.Error

TpmBackEnd.Error

sign

public final Blob sign(ByteBuffer buffer)
                throws PibImpl.Error,
                       KeyChain.Error,
                       TpmBackEnd.Error

Sign the byte buffer using the default key of the default identity.

Parameters:

buffer - The byte buffer to be signed.

Returns:

The signature Blob.

Throws:

PibImpl.Error

KeyChain.Error

TpmBackEnd.Error

selfSign

public final CertificateV2 selfSign(PibKey key,
                                    WireFormat wireFormat)
                             throws PibImpl.Error,
                                    KeyChain.Error,
                                    TpmBackEnd.Error

Generate a self-signed certificate for the public key and add it to the PIB. This creates the certificate name from the key name by appending "self" and a version based on the current time. If no default certificate for the key has been set, then set the certificate as the default for the key.

Parameters:

key - The PibKey with the key name and public key.

wireFormat - A WireFormat object used to encode the certificate.

Returns:

The new certificate.

Throws:

PibImpl.Error

KeyChain.Error

TpmBackEnd.Error

selfSign

public final CertificateV2 selfSign(PibKey key)
                             throws PibImpl.Error,
                                    KeyChain.Error,
                                    TpmBackEnd.Error

Generate a self-signed certificate for the public key and add it to the PIB. This creates the certificate name from the key name by appending "self" and a version based on the current time. If no default certificate for the key has been set, then set the certificate as the default for the key. Use the default WireFormat.getDefaultWireFormat() to encode the certificate.

Parameters:

key - The PibKey with the key name and public key.

Returns:

The new certificate.

Throws:

PibImpl.Error

KeyChain.Error

TpmBackEnd.Error

exportSafeBag

public final SafeBag exportSafeBag(CertificateV2 certificate,
                                   ByteBuffer password)
                            throws KeyChain.Error

Export a certificate and its corresponding private key in a SafeBag.

Parameters:

certificate - The certificate to export. This gets the key from the TPM using certificate.getKeyName().

password - The password for encrypting the private key, which should have characters in the range of 1 to 127. If the password is supplied, use it to put a PKCS #8 EncryptedPrivateKeyInfo in the SafeBag. If the password is null, put an unencrypted PKCS #8 PrivateKeyInfo in the SafeBag.

Returns:

A SafeBag carrying the certificate and private key.

Throws:

KeyChain.Error - certificate.getKeyName() key does not exist, if the password is null and the TPM does not support exporting an unencrypted private key, or for other errors exporting the private key.

exportSafeBag

public final SafeBag exportSafeBag(CertificateV2 certificate)
                            throws KeyChain.Error

Export a certificate and its corresponding private key in a SafeBag, with a null password which exports an unencrypted PKCS #8 PrivateKeyInfo.

Parameters:

certificate - The certificate to export. This gets the key from the TPM using certificate.getKeyName().

Returns:

A SafeBag carrying the certificate and private key.

Throws:

KeyChain.Error - certificate.getKeyName() key does not exist, if the TPM does not support exporting an unencrypted private key, or for other errors exporting the private key.

importSafeBag

public final void importSafeBag(SafeBag safeBag,
                                ByteBuffer password)
                         throws KeyChain.Error,
                                CertificateV2.Error,
                                TpmBackEnd.Error,
                                PibImpl.Error,
                                Pib.Error

Import a certificate and its corresponding private key encapsulated in a SafeBag. If the certificate and key are imported properly, the default setting will be updated as if a new key and certificate is added into this KeyChain.

Parameters:

safeBag - The SafeBag containing the certificate and private key. This copies the values from the SafeBag.

password - The password for decrypting the private key, which should have characters in the range of 1 to 127. If the password is supplied, use it to decrypt the PKCS #8 EncryptedPrivateKeyInfo. If the password is null, import an unencrypted PKCS #8 PrivateKeyInfo.

Throws:

KeyChain.Error - if the private key cannot be imported, or if a public key or private key of the same name already exists, or if a certificate of the same name already exists.

CertificateV2.Error

TpmBackEnd.Error

PibImpl.Error

Pib.Error

importSafeBag

public final void importSafeBag(SafeBag safeBag)
                         throws KeyChain.Error,
                                CertificateV2.Error,
                                TpmBackEnd.Error,
                                PibImpl.Error,
                                Pib.Error

Import a certificate and its corresponding private key encapsulated in a SafeBag, with a null password which imports an unencrypted PKCS #8 PrivateKeyInfo. If the certificate and key are imported properly, the default setting will be updated as if a new key and certificate is added into this KeyChain.

Parameters:

safeBag - The SafeBag containing the certificate and private key. This copies the values from the SafeBag.

Throws:

KeyChain.Error - if the private key cannot be imported, or if a public key or private key of the same name already exists, or if a certificate of the same name already exists.

CertificateV2.Error

TpmBackEnd.Error

PibImpl.Error

Pib.Error

registerPibBackend

public static void registerPibBackend(String scheme,
                                      KeyChain.MakePibImpl makePibImpl)

Add to the PIB factories map where scheme is the key and makePibImpl is the value. If your application has its own PIB implementations, this must be called before creating a KeyChain instance which uses your PIB scheme.

Parameters:

scheme - The PIB scheme.

makePibImpl - An interface with makePibImpl which takes the PIB location and returns a new PibImpl instance.

registerTpmBackend

public static void registerTpmBackend(String scheme,
                                      KeyChain.MakeTpmBackEnd makeTpmBackEnd)

Add to the TPM factories map where scheme is the key and makeTpmBackEnd is the value. If your application has its own TPM implementations, this must be called before creating a KeyChain instance which uses your TPM scheme.

Parameters:

scheme - The TPM scheme.

makeTpmBackEnd - An interface with makeTpmBackEnd which takes the TPM location and returns a new TpmBackEnd instance.

createIdentityAndCertificate

public final Name createIdentityAndCertificate(Name identityName,
                                               KeyParams params)
                                        throws SecurityException

Create a security v1 identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed certificate of the KSK. If a key pair or certificate for the identity already exists, use it.

Parameters:

identityName - The name of the identity.

params - The key parameters if a key needs to be generated for the identity.

Returns:

The name of the default certificate of the identity.

Throws:

SecurityException - if the identity has already been created.

createIdentityAndCertificate

public final Name createIdentityAndCertificate(Name identityName)
                                        throws SecurityException

Create a security v1 identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed certificate of the KSK. Use getDefaultKeyParams() to create the key if needed. If a key pair or certificate for the identity already exists, use it.

Parameters:

identityName - The name of the identity.

Returns:

The name of the default certificate of the identity.

Throws:

SecurityException - if the identity has already been created.

createIdentity

public final Name createIdentity(Name identityName,
                                 KeyParams params)
                          throws SecurityException

Deprecated. Use createIdentityAndCertificate which returns the certificate name instead of the key name.

Create a security v1 identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed certificate of the KSK.

Parameters:

identityName - The name of the identity.

params - The key parameters if a key needs to be generated for the identity.

Returns:

The key name of the auto-generated KSK of the identity.

Throws:

SecurityException - if the identity has already been created.

createIdentity

public final Name createIdentity(Name identityName)
                          throws SecurityException

Deprecated. Use createIdentityAndCertificate which returns the certificate name instead of the key name.

Create a security v1 identity by creating a pair of Key-Signing-Key (KSK) for this identity and a self-signed certificate of the KSK. Use getDefaultKeyParams() to create the key if needed.

Parameters:

identityName - The name of the identity.

Returns:

The key name of the auto-generated KSK of the identity.

Throws:

SecurityException - if the identity has already been created.

deleteIdentity

public final void deleteIdentity(Name identityName)
                          throws SecurityException

Delete the identity from the public and private key storage. If the identity to be deleted is the current default system default, this will not delete the identity and will return immediately.

Parameters:

identityName - The name of the identity.

Throws:

SecurityException

getDefaultIdentity

public final Name getDefaultIdentity()
                              throws SecurityException

Get the default identity.

Returns:

The name of default identity.

Throws:

SecurityException - if the default identity is not set.

getDefaultCertificateName

public final Name getDefaultCertificateName()
                                     throws SecurityException

Get the default certificate name of the default identity.

Returns:

The requested certificate name.

Throws:

SecurityException - if the default identity is not set or the default key name for the identity is not set or the default certificate name for the key name is not set.

generateRSAKeyPair

public final Name generateRSAKeyPair(Name identityName,
                                     boolean isKsk,
                                     int keySize)
                              throws SecurityException

Generate a pair of RSA keys for the specified identity.

Parameters:

identityName - The name of the identity.

isKsk - true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).

keySize - The size of the key.

Returns:

The generated key name.

Throws:

SecurityException

generateRSAKeyPair

public final Name generateRSAKeyPair(Name identityName,
                                     boolean isKsk)
                              throws SecurityException

Generate a pair of RSA keys for the specified identity and default keySize 2048.

Parameters:

identityName - The name of the identity.

isKsk - true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).

Returns:

The generated key name.

Throws:

SecurityException

generateRSAKeyPair

public final Name generateRSAKeyPair(Name identityName)
                              throws SecurityException

Generate a pair of RSA keys for the specified identity for a Data-Signing-Key and default keySize 2048.

Parameters:

identityName - The name of the identity.

Returns:

The generated key name.

Throws:

SecurityException

generateEcdsaKeyPair

public final Name generateEcdsaKeyPair(Name identityName,
                                       boolean isKsk,
                                       int keySize)
                                throws SecurityException

Generate a pair of ECDSA keys for the specified identity.

Parameters:

identityName - The name of the identity.

isKsk - true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).

keySize - The size of the key.

Returns:

The generated key name.

Throws:

SecurityException

generateEcdsaKeyPair

public final Name generateEcdsaKeyPair(Name identityName,
                                       boolean isKsk)
                                throws SecurityException

Generate a pair of ECDSA keys for the specified identity and default keySize 256.

Parameters:

identityName - The name of the identity.

isKsk - true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).

Returns:

The generated key name.

Throws:

SecurityException

generateEcdsaKeyPair

public final Name generateEcdsaKeyPair(Name identityName)
                                throws SecurityException

Generate a pair of ECDSA keys for the specified identity for a Data-Signing-Key and default keySize 256.

Parameters:

identityName - The name of the identity.

Returns:

The generated key name.

Throws:

SecurityException

setDefaultKeyForIdentity

public final void setDefaultKeyForIdentity(Name keyName,
                                           Name identityNameCheck)
                                    throws SecurityException

Set a key as the default key of an identity. The identity name is inferred from keyName.

Parameters:

keyName - The name of the key.

identityNameCheck - The identity name to check that the keyName contains the same identity name. If an empty name, it is ignored.

Throws:

SecurityException

setDefaultKeyForIdentity

public final void setDefaultKeyForIdentity(Name keyName)
                                    throws SecurityException

Set a key as the default key of an identity. The identity name is inferred from keyName.

Parameters:

keyName - The name of the key.

Throws:

SecurityException

generateRSAKeyPairAsDefault

public final Name generateRSAKeyPairAsDefault(Name identityName,
                                              boolean isKsk,
                                              int keySize)
                                       throws SecurityException

Generate a pair of RSA keys for the specified identity and set it as the default key for the identity.

Parameters:

identityName - The name of the identity.

isKsk - true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).

keySize - The size of the key.

Returns:

The generated key name.

Throws:

SecurityException

generateRSAKeyPairAsDefault

public final Name generateRSAKeyPairAsDefault(Name identityName,
                                              boolean isKsk)
                                       throws SecurityException

Generate a pair of RSA keys for the specified identity and set it as the default key for the identity, using the default keySize 2048.

Parameters:

identityName - The name of the identity.

isKsk - true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).

Returns:

The generated key name.

Throws:

SecurityException

generateRSAKeyPairAsDefault

public final Name generateRSAKeyPairAsDefault(Name identityName)
                                       throws SecurityException

Generate a pair of RSA keys for the specified identity and set it as default key for the identity for a Data-Signing-Key and using the default keySize 2048.

Parameters:

identityName - The name of the identity.

Returns:

The generated key name.

Throws:

SecurityException

generateEcdsaKeyPairAsDefault

public final Name generateEcdsaKeyPairAsDefault(Name identityName,
                                                boolean isKsk,
                                                int keySize)
                                         throws SecurityException

Generate a pair of ECDSA keys for the specified identity and set it as default key for the identity.

Parameters:

identityName - The name of the identity.

isKsk - true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).

keySize - The size of the key.

Returns:

The generated key name.

Throws:

SecurityException

generateEcdsaKeyPairAsDefault

public final Name generateEcdsaKeyPairAsDefault(Name identityName,
                                                boolean isKsk)
                                         throws SecurityException

Generate a pair of ECDSA keys for the specified identity and set it as default key for the identity, using the default keySize 256.

Parameters:

identityName - The name of the identity.

isKsk - true for generating a Key-Signing-Key (KSK), false for a Data-Signing-Key (KSK).

Returns:

The generated key name.

Throws:

SecurityException

generateEcdsaKeyPairAsDefault

public final Name generateEcdsaKeyPairAsDefault(Name identityName)
                                         throws SecurityException

Generate a pair of ECDSA keys for the specified identity and set it as default key for the identity for a Data-Signing-Key and using the default keySize 256.

Parameters:

identityName - The name of the identity.

Returns:

The generated key name.

Throws:

SecurityException

createSigningRequest

public final Blob createSigningRequest(Name keyName)
                                throws SecurityException

Create a public key signing request.

Parameters:

keyName - The name of the key.

Returns:

The signing request data.

Throws:

SecurityException - if the keyName is not found.

installIdentityCertificate

public final void installIdentityCertificate(IdentityCertificate certificate)
                                      throws SecurityException

Install an identity certificate into the public key identity storage.

Parameters:

certificate - The certificate to to added.

Throws:

SecurityException

setDefaultCertificateForKey

public final void setDefaultCertificateForKey(IdentityCertificate certificate)
                                       throws SecurityException

Set the certificate as the default for its corresponding key.

Parameters:

certificate - The certificate.

Throws:

SecurityException

getCertificate

public final IdentityCertificate getCertificate(Name certificateName)
                                         throws SecurityException,
                                                DerDecodingException

Get a certificate with the specified name.

Parameters:

certificateName - The name of the requested certificate.

Returns:

The requested certificate.

Throws:

SecurityException

DerDecodingException

getIdentityCertificate

public final IdentityCertificate getIdentityCertificate(Name certificateName)
                                                 throws SecurityException,
                                                        DerDecodingException

Deprecated. Use getCertificate.

Throws:

SecurityException

DerDecodingException

revokeKey

public final void revokeKey(Name keyName)

Revoke a key.

Parameters:

keyName - The name of the key that will be revoked.

revokeCertificate

public final void revokeCertificate(Name certificateName)

Revoke a certificate.

Parameters:

certificateName - The name of the certificate that will be revoked.

getIdentityManager

public final IdentityManager getIdentityManager()

Get the identity manager given to or created by the constructor.

Returns:

The identity manager.

sign

public final void sign(Data data,
                       Name certificateName,
                       WireFormat wireFormat)
                throws SecurityException

Wire encode the Data object, sign it and set its signature.

Parameters:

data - The Data object to be signed. This updates its signature and key locator field and wireEncoding.

certificateName - The certificate name of the key to use for signing.

wireFormat - A WireFormat object used to encode the input.

Throws:

SecurityException

sign

public final void sign(Data data,
                       Name certificateName)
                throws SecurityException

Wire encode the Data object, sign it and set its signature. Use the default WireFormat.getDefaultWireFormat().

Parameters:

data - The Data object to be signed. This updates its signature and key locator field and wireEncoding.

certificateName - The certificate name of the key to use for signing.

Throws:

SecurityException

sign

public final void sign(Interest interest,
                       Name certificateName,
                       WireFormat wireFormat)
                throws SecurityException

Append a SignatureInfo to the Interest name, sign the name components and append a final name component with the signature bits.

Parameters:

interest - The Interest object to be signed. This appends name components of SignatureInfo and the signature bits.

certificateName - The certificate name of the key to use for signing.

wireFormat - A WireFormat object used to encode the input.

Throws:

SecurityException

sign

public final void sign(Interest interest,
                       Name certificateName)
                throws SecurityException

Append a SignatureInfo to the Interest name, sign the name components and append a final name component with the signature bits.

Parameters:

interest - The Interest object to be signed. This appends name components of SignatureInfo and the signature bits.

certificateName - The certificate name of the key to use for signing.

Throws:

SecurityException

sign

public Signature sign(ByteBuffer buffer,
                      Name certificateName)
               throws SecurityException

Sign the byte buffer using a certificate name and return a Signature object.

Parameters:

buffer - The byte array to be signed.

certificateName - The certificate name used to get the signing key and which will be put into KeyLocator.

Returns:

The Signature.

Throws:

SecurityException

signByIdentity

public final void signByIdentity(Data data,
                                 Name identityName,
                                 WireFormat wireFormat)
                          throws SecurityException

Wire encode the Data object, sign it and set its signature.

Parameters:

data - The Data object to be signed. This updates its signature and key locator field and wireEncoding.

identityName - The identity name for the key to use for signing. If empty, infer the signing identity from the data packet name.

wireFormat - A WireFormat object used to encode the input. If omitted, use WireFormat getDefaultWireFormat().

Throws:

SecurityException

signByIdentity

public final void signByIdentity(Data data,
                                 Name identityName)
                          throws SecurityException

Wire encode the Data object, sign it and set its signature.

Parameters:

data - The Data object to be signed. This updates its signature and key locator field and wireEncoding. Use the default WireFormat.getDefaultWireFormat().

identityName - The identity name for the key to use for signing. If empty, infer the signing identity from the data packet name.

Throws:

SecurityException

signByIdentity

public final void signByIdentity(Data data)
                          throws SecurityException

Wire encode the Data object, sign it and set its signature.

Parameters:

data - The Data object to be signed. This updates its signature and key locator field and wireEncoding. Infer the signing identity from the data packet name. Use the default WireFormat.getDefaultWireFormat().

Throws:

SecurityException

signByIdentity

public Signature signByIdentity(ByteBuffer buffer,
                                Name identityName)
                         throws SecurityException

Sign the byte buffer using an identity name and return a Signature object.

Parameters:

buffer - The byte array to be signed.

identityName - The identity name.

Returns:

The Signature.

Throws:

SecurityException

signWithSha256

public final void signWithSha256(Data data,
                                 WireFormat wireFormat)
                          throws SecurityException

Wire encode the Data object, digest it and set its SignatureInfo to a DigestSha256.

Parameters:

data - The Data object to be signed. This updates its signature and wireEncoding.

wireFormat - A WireFormat object used to encode the input.

Throws:

SecurityException

signWithSha256

public final void signWithSha256(Data data)
                          throws SecurityException

Wire encode the Data object, digest it and set its SignatureInfo to a DigestSha256.

Parameters:

data - The Data object to be signed. This updates its signature and wireEncoding.

Throws:

SecurityException

signWithSha256

public final void signWithSha256(Interest interest,
                                 WireFormat wireFormat)
                          throws SecurityException

Append a SignatureInfo for DigestSha256 to the Interest name, digest the name components and append a final name component with the signature bits (which is the digest).

Parameters:

interest - The Interest object to be signed. This appends name components of SignatureInfo and the signature bits.

wireFormat - A WireFormat object used to encode the input.

Throws:

SecurityException

signWithSha256

public final void signWithSha256(Interest interest)
                          throws SecurityException

Append a SignatureInfo for DigestSha256 to the Interest name, digest the name components and append a final name component with the signature bits (which is the digest).

Parameters:

interest - The Interest object to be signed. This appends name components of SignatureInfo and the signature bits.

Throws:

SecurityException

verifyData

public final void verifyData(Data data,
                             OnVerified onVerified,
                             OnDataValidationFailed onValidationFailed,
                             int stepCount)
                      throws SecurityException

Throws:

SecurityException

verifyData

public final void verifyData(Data data,
                             OnVerified onVerified,
                             OnDataValidationFailed onValidationFailed)
                      throws SecurityException

Check the signature on the Data object and call either onVerify.onVerify or onValidationFailed.onDataValidationFailed. We use callback functions because verify may fetch information to check the signature.

Parameters:

data - The Data object with the signature to check. It is an error if data does not have a wireEncoding. To set the wireEncoding, you can call data.wireDecode.

onVerified - If the signature is verified, this calls onVerified.onVerified(data). NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions.

onValidationFailed - If the signature check fails, this calls onValidationFailed.onDataValidationFailed(data, reason). NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions.

Throws:

SecurityException

verifyData

public final void verifyData(Data data,
                             OnVerified onVerified,
                             OnVerifyFailed onVerifyFailed)
                      throws SecurityException

Deprecated. Use verifyData with OnDataValidationFailed.

Check the signature on the Data object and call either onVerify.onVerify or onVerifyFailed.onVerifyFailed. We use callback functions because verify may fetch information to check the signature.

Parameters:

data - The Data object with the signature to check. It is an error if data does not have a wireEncoding. To set the wireEncoding, you can call data.wireDecode.

onVerified - If the signature is verified, this calls onVerified.onVerified(data). NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions.

onVerifyFailed - If the signature check fails, this calls onVerifyFailed.onVerifyFailed(data). NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions.

Throws:

SecurityException

verifyInterest

public final void verifyInterest(Interest interest,
                                 OnVerifiedInterest onVerified,
                                 OnInterestValidationFailed onValidationFailed,
                                 int stepCount)
                          throws SecurityException

Throws:

SecurityException

verifyInterest

public final void verifyInterest(Interest interest,
                                 OnVerifiedInterest onVerified,
                                 OnInterestValidationFailed onValidationFailed)
                          throws SecurityException

Check the signature on the signed interest and call either onVerify.onVerifiedInterest or onValidationFailed.onInterestValidationFailed. We use callback functions because verify may fetch information to check the signature.

Parameters:

interest - The interest with the signature to check.

onVerified - If the signature is verified, this calls onVerified.onVerifiedInterest(interest). NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions.

onValidationFailed - If the signature check fails, this calls onValidationFailed.onInterestValidationFailed(interest, reason). NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions.

Throws:

SecurityException

verifyInterest

public final void verifyInterest(Interest interest,
                                 OnVerifiedInterest onVerified,
                                 OnVerifyInterestFailed onVerifyFailed)
                          throws SecurityException

Deprecated. Use verifyInterest with OnInterestValidationFailed.

Check the signature on the signed interest and call either onVerify.onVerifiedInterest or onVerifyFailed.onVerifyInterestFailed. We use callback functions because verify may fetch information to check the signature.

Parameters:

interest - The interest with the signature to check.

onVerified - If the signature is verified, this calls onVerified.onVerifiedInterest(interest). NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions.

onVerifyFailed - If the signature check fails, this calls onVerifyFailed.onVerifyInterestFailed(interest). NOTE: The library will log any exceptions thrown by this callback, but for better error handling the callback should catch and properly handle any exceptions.

Throws:

SecurityException

setFace

public final void setFace(Face face)

Set the Face which will be used to fetch required certificates.

Parameters:

face - The Face object.

signWithHmacWithSha256

public static void signWithHmacWithSha256(Data data,
                                          Blob key,
                                          WireFormat wireFormat)

Wire encode the data packet, compute an HmacWithSha256 and update the signature value.

Parameters:

data - The Data object to be signed. This updates its signature.

key - The key for the HmacWithSha256.

wireFormat - A WireFormat object used to encode the data packet.

Note:

This method is an experimental feature. The API may change.

signWithHmacWithSha256

public static void signWithHmacWithSha256(Data data,
                                          Blob key)

Wire encode the data packet, compute an HmacWithSha256 and update the signature value. Use the default WireFormat.getDefaultWireFormat().

Parameters:

data - The Data object to be signed. This updates its signature.

key - The key for the HmacWithSha256.

Note:

This method is an experimental feature. The API may change.

signWithHmacWithSha256

public static void signWithHmacWithSha256(Interest interest,
                                          Blob key,
                                          Name keyName,
                                          WireFormat wireFormat)

Append a SignatureInfo to the Interest name, compute an HmacWithSha256 signature for the name components and append a final name component with the signature bits.

Parameters:

interest - The Interest object to be signed. This appends name components of SignatureInfo and the signature bits.

key - The key for the HmacWithSha256.

keyName - The name of the key for the KeyLocator in the SignatureInfo.

wireFormat - A WireFormat object used to encode the input.

Note:

This method is an experimental feature. The API may change.

signWithHmacWithSha256

public static void signWithHmacWithSha256(Interest interest,
                                          Blob key,
                                          Name keyName)

Append a SignatureInfo to the Interest name, compute an HmacWithSha256 signature for the name components and append a final name component with the signature bits. Use the default WireFormat.getDefaultWireFormat().

Parameters:

interest - The Interest object to be signed. This appends name components of SignatureInfo and the signature bits.

key - The key for the HmacWithSha256.

keyName - The name of the key for the KeyLocator in the SignatureInfo.

Note:

This method is an experimental feature. The API may change.

verifyDataWithHmacWithSha256

public static boolean verifyDataWithHmacWithSha256(Data data,
                                                   Blob key,
                                                   WireFormat wireFormat)

Compute a new HmacWithSha256 for the data packet and verify it against the signature value.

Parameters:

data - The Data packet to verify.

key - The key for the HmacWithSha256.

wireFormat - A WireFormat object used to encode the data packet.

Returns:

True if the signature verifies, otherwise false.

Note:

This method is an experimental feature. The API may change.

verifyDataWithHmacWithSha256

public static boolean verifyDataWithHmacWithSha256(Data data,
                                                   Blob key)

Compute a new HmacWithSha256 for the data packet and verify it against the signature value. Use the default WireFormat.getDefaultWireFormat().

Parameters:

data - The Data packet to verify.

key - The key for the HmacWithSha256.

Returns:

True if the signature verifies, otherwise false.

Note:

This method is an experimental feature. The API may change.

verifyInterestWithHmacWithSha256

public static boolean verifyInterestWithHmacWithSha256(Interest interest,
                                                       Blob key,
                                                       WireFormat wireFormat)

Compute a new HmacWithSha256 for all but the final name component and verify it against the signature value in the final name component.

Parameters:

interest - The Interest object to verify.

key - The key for the HmacWithSha256.

wireFormat - A WireFormat object used to encode the input.

Returns:

True if the signature verifies, otherwise false.

Note:

This method is an experimental feature. The API may change.

verifyInterestWithHmacWithSha256

public static boolean verifyInterestWithHmacWithSha256(Interest interest,
                                                       Blob key)

Compute a new HmacWithSha256 for all but the final name component and verify it against the signature value in the final name component. Use the default WireFormat.getDefaultWireFormat().

Parameters:

interest - The Interest object to verify.

key - The key for the HmacWithSha256.

Returns:

True if the signature verifies, otherwise false.

Note:

This method is an experimental feature. The API may change.

getDefaultKeyParams

public static KeyParams getDefaultKeyParams()