Actions
Bug #1889
closed
NFD/NRD startup fails in tpm=file mode if some PIB entries are stored in osx-keychain TPM
Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
-
Start date:
08/18/2014
Due date:
% Done:
0%
Estimated time:
Description
If the PIB holds entries held in the osx-keychain TPM, but NRD/NFD are started with tpm=file in client.conf, startup fails.
Steps to reproduce:
- rm -rf ~/.ndn/ndnsec-* [Optional!]
- Set tpm=file in client.conf
- Run nfd-start, default identity will be created. Then, nfd-stop.
- Switch to tpm=osx-keychain in client.conf.
- Run ndnsec-keygen /localhost/foo | ndnsec-install-cert -
- Set tpm=file in client.conf
- Run nfd-start, should fail as follows: 1408410473.015812 FATAL: [NFD] private key doesn't exists 1408410475.013264 INFO: [RibManager] Listening on: /localhost/nfd/rib 1408410475.015285 FATAL: [NRD] private key doesn't exists
- Run sqlite3 ~/.ndn/ndnsec-public-info.db 'delete from Identity where identity_name="/localhost/foo";'
- Run nfd-start, should work fine.
Updated by Yingdi Yu over 10 years ago
Currently, the ndn-cxx (and also NFD/NRD) assumes that there is only one TPM for one PIB. We do not expect client to change the TPM. This problem should be solved when PIB can support multiple TPMs, but I wonder do we have for now any application that has to put its keys into different TPMs?
Updated by Junxiao Shi over 10 years ago
- Project changed from NFD to ndn-cxx
- Category set to Security
- Status changed from New to Rejected
It's unsupported to use two TPMs.
When changing TPM, user should delete PIB as well.
Updated by Jeff Burke over 10 years ago
Ok. This limitation should be documented, and instructions provided to change from one TPM to the other.
Updated by Junxiao Shi over 10 years ago
#1906 should document this limitation and the correct steps.
Actions