Project

General

Profile

Actions

Bug #3438

closed

Invalid default certificate created for existing default key of an identity

Added by Alex Afanasyev almost 9 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
Start date:
01/29/2016
Due date:
% Done:

100%

Estimated time:

Description

When an identity has a default key, but no associated certificate, signing with the identity will result in generating another key and self-signed certificate. Instead, a self-signed certificate should be created in this case.

To reproduce issue (http://gerrit.named-data.net/#/c/2692/1/tests/unit-tests/security/key-chain.t.cpp@422),

KeyChain keyChain;
Name ecdsaIdentity = Name("/ndn/test/ecdsa").appendVersion();
Name ecdsaKeyName = keyChain.generateEcdsaKeyPairAsDefault(ecdsaIdentity, false, 256);
BOOST_CHECK_NO_THROW(keyChain.sign(data, signingByIdentity(ecdsaIdentity)));
BOOST_CHECK_EQUAL(data.getSignature().getType(),
                  KeyChain::getSignatureType(EcdsaKeyParams().getKeyType(), DIGEST_ALGORITHM_SHA256));
BOOST_CHECK(ecdsaIdentity.isPrefixOf(data.getSignature().getKeyLocator().getName()));

if no certificate is available for the default key and its type does not corresponds to the DEFAULT_KEY_PARAMS a new pair of DEFAULT_KEY_PARAMS keys is created, set as default and used for
signing. Solved by checking the type of key of the default key pair for the identity.

Actions #1

Updated by Alex Afanasyev almost 9 years ago

  • Status changed from New to Code review
Actions #2

Updated by Junxiao Shi almost 9 years ago

I'm able to reproduce this issue on command line.

  1. ndnsec-keygen -tr /X > X.req creates a certificate request
  2. ndnsec-keygen -te /Y > /dev/null creates an ECDSA key and sets it as default, but there's no certificate
  3. ndnsec-certgen -N 'XX' -r X.req > /dev/null signs X.req with default identity /Y
  4. ndnsec-list -C shows /Y has two keys now, and the new key has a self-signed RSA certificate

But this issue occurs only when I specify ECDSA key in step2. This is probably due to the default being RSA.

Actions #3

Updated by José Quevedo almost 9 years ago

The issue with ndnsec-certgen is similar to the one found in KeyChain:

  • In the absence of a certificate KeyChain::createIdentity is called, specifying only the identityName, thus assuming params as DEFAULT_KEY_PARAMS.
  • In KeyChain::createIdentity, since the type of the default key for the identity does not match the type in DEFAULT_KEY_PARAMS (RSA), a new ksk key is created using DEFAULT_KEY_PARAMS and set as default for the identity.
Actions #4

Updated by Alex Afanasyev almost 9 years ago

  • Description updated (diff)
Actions #5

Updated by Alex Afanasyev over 8 years ago

  • Status changed from Code review to Closed
Actions

Also available in: Atom PDF