org.ccnx.ccn.impl.security.crypto.CCNMerkleTree Class Reference
Extends the basic MerkleTree for use in CCN.
More...
List of all members.
Public Member Functions |
| CCNMerkleTree (ContentObject[] contentObjects, PrivateKey signingKey) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException |
| Build a CCNMerkleTree from a set of leaf ContentObjects.
|
byte[] | rootSignature () |
| Returns the root signature on the tree.
|
ContentName | segmentName (int leafIndex) |
| Generate the name of segment leafIndex, where leafIndex is the leaf number in this tree.
|
SignedInfo | segmentSignedInfo (int leafIndex) |
| Return the SignedInfo for a given segment.
|
Signature | segmentSignature (int leafIndex) |
| Set the signature for a particular segment.
|
void | setSignatures () |
| Sets the signatures of all the contained ContentObjects.
|
Static Public Attributes |
static final String | DEFAULT_MHT_ALGORITHM = "SHA256MHT" |
Protected Member Functions |
void | initializeTree (ContentObject[] contentObjects) throws NoSuchAlgorithmException |
| A version of initializeTree to go with the CCNMerkleTree(ContentObject []) constructor.
|
Signature | computeSignature (int leafIndex) |
| Construct the Signature for a given leaf.
|
void | computeLeafValues (ContentObject[] contentObjects) throws NoSuchAlgorithmException |
| Compute the leaf values of the ContentObjects in this tree.
|
byte[] | computeBlockDigest (int leafIndex, byte[] content, int offset, int length) |
| We need to incorporate the name of the content block and the signedInfo into the leaf digest of the tree.
|
Static Protected Member Functions |
static byte[] | computeRootSignature (byte[] root, PrivateKey signingKey) throws InvalidKeyException, SignatureException, NoSuchAlgorithmException |
| Compute the signature on the root node.
|
Package Attributes |
byte[] | _rootSignature = null |
ContentObject[] | _segmentObjects = null |
Detailed Description
Extends the basic MerkleTree for use in CCN.
It incorporates the CCN ContentName for an object at each node, so that names are authenticated as well as content in a way that intermediary CCN nodes can verify.
For each leaf node in the CCNMerkleTree, we compute its digest in exactly the same way we would compute the digest of a ContentObject node for signing on its own (incorporating the name, authentication metadata, and content). We then combine all these leaf digests together into a MerkleTree, and sign the root node.
To generate a leaf block digest, therefore, we need to know
- the content of the block
- the name for the block (which, for segmented content, includes the segmented number. If we're buffering content and building trees per buffer, the fragment numbers may carry across buffers (e.g. leaf 0 of this tree might be fragment 37 of the content as a whole)
- the authentication metadata. In the case of fragmented content, this is likely to be the same for all blocks. In the case of other content, the publisher is likely to be the same, but the timestamp and even maybe the type could be different -- i.e. you could use a CCNMerkleTree to amortize signature costs over any collection of data, not just a set of fragments.
So, we either need to hand in all the names, or have a function to call to get the name for each block.
Note: There is no requirement that a CCNMerkleTree be built only from the segments of a single piece of content, although that is the most common use. One can build and verify a CCNMerkleTree built out of an arbitrary set of ContentObjects; this may be a useful way of limiting the number of signatures generated on constrained platforms. Eventually the CCNSegmenter will be extended to handle such collections of arbitrary objects.
Constructor & Destructor Documentation
org.ccnx.ccn.impl.security.crypto.CCNMerkleTree.CCNMerkleTree |
( |
ContentObject[] |
contentObjects, |
|
|
PrivateKey |
signingKey | |
|
) |
| | throws NoSuchAlgorithmException, InvalidKeyException, SignatureException |
Build a CCNMerkleTree from a set of leaf ContentObjects.
- Parameters:
-
| contentObjects | must be at least 2 blocks, or will throw IllegalArgumentException. |
| signingKey | key to sign the root with |
- Exceptions:
-
| NoSuchAlgorithmException | if key or DEFAULT_DIGEST_ALGORITHM are unknown |
| InvalidKeyException | if signingKey is invalid |
| SignatureException | if we cannot sign |
Member Function Documentation
byte [] org.ccnx.ccn.impl.security.crypto.CCNMerkleTree.computeBlockDigest |
( |
int |
leafIndex, |
|
|
byte[] |
content, |
|
|
int |
offset, |
|
|
int |
length | |
|
) |
| | [protected] |
We need to incorporate the name of the content block and the signedInfo into the leaf digest of the tree.
Essentially, we want the leaf digest to be the same thing we would use for signing a stand-alone ContentObject.
- Parameters:
-
| leafIndex | the index of the leaf to sign |
| content | the content array containing the leaf content |
| offset | the offset into content where the leaf start |
| length | the length of content for this leaf |
- Returns:
- the block digest
Reimplemented from org.ccnx.ccn.impl.security.crypto.MerkleTree.
void org.ccnx.ccn.impl.security.crypto.CCNMerkleTree.computeLeafValues |
( |
ContentObject[] |
contentObjects |
) |
throws NoSuchAlgorithmException [protected] |
Compute the leaf values of the ContentObjects in this tree.
- Parameters:
-
| contentObjects | the content |
- Exceptions:
-
| NoSuchAlgorithmException | if the digestAlgorithm unknown |
static byte [] org.ccnx.ccn.impl.security.crypto.CCNMerkleTree.computeRootSignature |
( |
byte[] |
root, |
|
|
PrivateKey |
signingKey | |
|
) |
| | throws InvalidKeyException, SignatureException, NoSuchAlgorithmException [static, protected] |
Compute the signature on the root node.
It's already a digest, so in theory we could just wrap it up in some PKCS#1 padding, encrypt it with our private key, and voila! A signature. But there are basically no crypto software packages that provide signature primitives that take already-digested data and just do the padding and encryption, and so we'd be asking anyone attempting to implement CCN MHT signing (including ourselves) to re-implement a very complicated wheel, across a number of signature algorithms. We might also want to sign with a key that does not support the digest algorithm we used to compute the root (for example, DSA). So take the computationally very slightly more expensive, but vastly simpler (implementation-wise) approach of taking our digest and signing it with a standard signing API -- which means digesting it one more time for the signature. So we sign (digest + encrypt) the root digest.
- Parameters:
-
| root | the root digest to sign |
| signingKey | the key to sign with |
- Returns:
- the bytes of the signature
- Exceptions:
-
| InvalidKeyException | |
| SignatureException | |
| NoSuchAlgorithmException | |
Signature org.ccnx.ccn.impl.security.crypto.CCNMerkleTree.computeSignature |
( |
int |
leafIndex |
) |
[protected] |
Construct the Signature for a given leaf.
This is composed of the rootSignature(), which is the same for all nodes, and the DER encoded MerklePath for this leaf as the witness.
- Parameters:
-
| leafIndex | the leaf to compute the signature for |
- Returns:
- the signature
void org.ccnx.ccn.impl.security.crypto.CCNMerkleTree.initializeTree |
( |
ContentObject[] |
contentObjects |
) |
throws NoSuchAlgorithmException [protected] |
A version of initializeTree to go with the CCNMerkleTree(ContentObject []) constructor.
- Parameters:
-
| contentObjects | objects to build into the tree |
- Exceptions:
-
| NoSuchAlgorithmException | if the default digest algorithm unknown |
byte [] org.ccnx.ccn.impl.security.crypto.CCNMerkleTree.rootSignature |
( |
|
) |
|
Returns the root signature on the tree.
- Returns:
- the root signature
ContentName org.ccnx.ccn.impl.security.crypto.CCNMerkleTree.segmentName |
( |
int |
leafIndex |
) |
|
Generate the name of segment leafIndex, where leafIndex is the leaf number in this tree.
The overall index of leafIndex should be leafIndex + baseNameIndex().
- Parameters:
-
| leafIndex | the leaf whose blockName to generate |
- Returns:
- the name
Signature org.ccnx.ccn.impl.security.crypto.CCNMerkleTree.segmentSignature |
( |
int |
leafIndex |
) |
|
Set the signature for a particular segment.
- Parameters:
-
| leafIndex | the leaf segment to set the signature for |
- Returns:
- the Signature
SignedInfo org.ccnx.ccn.impl.security.crypto.CCNMerkleTree.segmentSignedInfo |
( |
int |
leafIndex |
) |
|
Return the SignedInfo for a given segment.
- Parameters:
-
| leafIndex | the index of the leaf whose SignedInfo we want |
- Returns:
- the SignedInfo
The documentation for this class was generated from the following file:
- src/org/ccnx/ccn/impl/security/crypto/CCNMerkleTree.java