Project

General

Profile

Actions

Task #3920

closed

Convert existing validator implementations to v2::Validator

Added by Alex Afanasyev about 7 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
High
Assignee:
Category:
Security
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:

Description

Goals:

  • Before TrustSchemaPolicy is implemented, this conversion would allow removal of all v1 keychain and validation code
  • The commit should also remove the unused code (e.g. ValidatorRegex)
  • For existing use of v1 validator in ndn-cxx, convert to v2 validator

The v2::Validator would take ValidationPolicy to check whether signed data/interest satisfy the validation policy.

ValidationPolicy:

  • ValidationPolicyAcceptAll: accept all signed interest/data without checking
  • ValidationPolicyCommandInterest: to check the timestamp of a stop-and-wait command Interest.
  • ValidationPolicySimpleHierarchy: check the signature using a simple hierarchy trust model. The validator would directly fetch certificates according to KeyLocator.
  • ValidationPolicyConf: enable the naming convention check based on configure

In some cases, we may want more complex and fine-grained trust model when validating data packets and signed interest packets. To enable more complex and flexible policy, we introduce inner policy as the member variable of ValidationPolicy. This inner policy enables the combination of multiple policies.

The outer policy can do policy check based on its own rules and delegate the rest part of the check to inner policy. If a packet cannot pass the outer ValidationPolicy, it won't be passed to inner ValidationPolicy.

e.g. To check the stop-and-wait command interest, the packet needs to satisfy 1. signature validation rules and 2. timestamp check. In this case, one can create a ValidationPolicySimpleHierarchy as the outer check and set the inner ValidationPolicy to be ValidationPolicyCommandInterest. With the combined ValidationPolicy, the signature of incoming packets would first be checked by outer policy and the timestamp of command interest would then be checked by inner policy.


Related issues 4 (0 open4 closed)

Related to ndn-cxx - Task #3289: Validator RefactoringClosedAlex Afanasyev10/26/2015

Actions
Blocks NFD - Task #4089: Adapt to ndn-cxx v2::KeyChain and ValidatorClosedJunxiao Shi05/24/2017

Actions
Blocks ndn-tools - Feature #4205: Restore PIB service after ndn-cxx security v2 and other breaking changesRejected

Actions
Blocks ndn-cxx - Task #4246: Remove v1 security frameworkClosedAlex Afanasyev

Actions
Actions

Also available in: Atom PDF