Project

General

Profile

Task #2242

Pair up SecPublicInfo and SecTpm

Added by Yingdi Yu over 4 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
Start date:
11/30/2014
Due date:
% Done:

100%

Estimated time:

Description

It would be desired to pair up a TPM with a PublicInfoBase,
so that when KeyChain loads a PublicInfoBase, the corresponding TPM will be loaded as well.
As a result, user does not have to explicitly specify both TPM and PublicInfoBase.
Instead, user only needs to specify a PublicInfoBase,
so that it is guaranteed that the corresponding TPM will be loaded, and for any key that is described in PublicInfoBase, its private part can be found in the TPM.
This can avoid the "Private key does not exist" problem due to wrong configuration.

We defined the locator for TPM & PIB in #2260

And we also need to add two more method in SecPublicInfo:

void
SecPublicInfo::setTpmLocator(const std::string& locator);

std::string
SecPublicInfo::getTpmLocator();

The first method is used to associate a TPM to the PIB.
The second method can be used by KeyChain to get the TpmLocator from PIB, and use that to load the corresponding TPM.

Note that the default PIB (as specified in client.conf or compilation settings) is always paired up with the default TPM (which is also specified in client.conf or compilation settings).

If one change the default TPM but keep the PIB as the same, the PIB will be reset.

Note that ideally, one PIB should be paired up with only one TPM,
it is possible for two PIBs to share one TPM,
but one PIB can NEVER be shared by more than one TPMs.

With this change, the way in which a KeyChain is created will be changed because:

  • we need to accommodate the existing PIB.
  • we need to accommodate the existing KeyChain constructor interfaces.

As a result, now KeyChain will be created as follows:

  1. When the default KeyChain constructor is called, KeyChain will load the default PIB and the default TPM as specified in client.conf file or compilation settings. The TpmLocator in PIB will be set the to default TPM. If TpmLocator in PIB has been set before, then PIB will be reset and the default TpmLocator will be set in PIB.
  2. When other constructor is called, KeyChain will first check if the supplied PIB is the default one. If so, it will follow step 1. Otherwise, it load the PIB and get the TpmLocator from the PIB.
    2.1. If the supplied TpmLocator is the same as the one obtained from PIB, then KeyChain will load TPM.
    2.2. If the supplied TpmLocator mismatches the existing one, depending on whether a reset is needed, the constructor will throw an exception or reset the PIB and its TpmLocator.
    2.3. If the TpmLocator is not set in PIB, the supplied TpmLocator will be set in PIB. However this may cause some problem if the supplied Tpm does not match the PIB or the PIB has been previously shared by more than one PIBs.

Related issues

Related to ndn-cxx - Bug #2384: KeyChain regressions: impossible to create KeyChain using custom TPM/PIBClosed2015-01-15

Related to ndn-cxx - Bug #2391: KeyChain not using canonical PIB and TPM schemesClosed2015-01-16

Blocked by ndn-cxx - Feature #2260: KeyChain component indicatorClosed

Blocks ndn-cxx - Task #2926: Refactor KeyChainClosed

History

#1 Updated by Yingdi Yu over 4 years ago

  • Description updated (diff)

#2 Updated by Yingdi Yu over 4 years ago

  • Status changed from New to Code review
  • % Done changed from 0 to 100

#3 Updated by Yingdi Yu over 4 years ago

  • Description updated (diff)

#4 Updated by Yingdi Yu over 4 years ago

#5 Updated by Yingdi Yu over 4 years ago

  • Description updated (diff)

#6 Updated by Yingdi Yu over 4 years ago

  • Description updated (diff)

#7 Updated by Yingdi Yu over 4 years ago

  • Description updated (diff)

#8 Updated by Alex Afanasyev over 4 years ago

  • Related to Bug #2384: KeyChain regressions: impossible to create KeyChain using custom TPM/PIB added

#9 Updated by Alex Afanasyev over 4 years ago

  • Related to Bug #2391: KeyChain not using canonical PIB and TPM schemes added

#10 Updated by Alex Afanasyev over 4 years ago

  • Target version set to v0.3

#11 Updated by Alex Afanasyev over 4 years ago

  • Status changed from Code review to Closed

#12 Updated by Alex Afanasyev over 4 years ago

  • Status changed from Closed to In Progress
  • % Done changed from 100 to 80

I'm reopening this issue, as the description for default KeyChain constructor doesn't match the current implementation (while doing my correction, I misunderstood what it suppose to do).

#13 Updated by Junxiao Shi over 4 years ago

Also, ndn-cxx Application Developer Guide should be updated.

#14 Updated by Yingdi Yu about 4 years ago

#15 Updated by Alex Afanasyev over 3 years ago

  • Target version changed from v0.3 to v0.4

#16 Updated by Yingdi Yu about 3 years ago

  • Status changed from In Progress to Code review

#17 Updated by Yingdi Yu about 3 years ago

  • Status changed from Code review to Closed
  • % Done changed from 80 to 100

Also available in: Atom PDF