Bug #4339

Incorrect interpretation of checker.key-locator in v2:ValidatorConfig

Added by Zhiyi Zhang almost 3 years ago. Updated almost 3 years ago.

Status: Closed
Priority: High
Assignee:
Category: Security
Target version:
Start date:
Due date:
% Done: 0%
Estimated time: 2.00 h

Description

checker.key-locator is incorrectly interpreted as an identity name instead of, as the name suggests, the name of the key.

This results in an authentication failure with NLSR rules:

    rule
    {
      id "NLSR ControlCommand Rule"
      for interest
      filter
      {
        type name
        regex ^<localhost><nlsr><prefix-update>[<advertise><withdraw>]<><><>$
      }
      checker
      {
        type customized
        sig-type rsa-sha256
        key-locator
        {
          type name
          regex ^<>*<KEY><>$ ; TODO: correct regex for key name
        }
      }
    }
    rule
    {
      id "NLSR Hierarchy Rule"
      for data
      filter
      {
        type name
        regex ^[^<KEY>]*<KEY><ksk-.*><ID-CERT><>$
      }
      checker
      {
        type hierarchical
        sig-type rsa-sha256
      }
    }
    trust-anchor
    {
      type file
      file-name "site.cert"
    }

Expected: success to match command interests and then check against trust anchor

Actual: failure to pass the first checker

1507222563.583 DEBUG: [PrefixUpdateProcessor] reject /localhost/nlsr/prefix-update/advertise/h%19%07%17%08%06prefix%08%02to%08%09advertise/%00%00%01I%9DY%8C%AA/%BF%D0Xr%9B%AF%8E%FD/%16%3D%1B%01%03%1C8%076%08%03edu%08%09test-site%08%0A%C1.Operator%08%09%FD%00%00%01I%9DY%8C%A0%08%03KEY%08%08%C1R%20%29%87O%CF%FE/%17H0F%02%21%00%BB-ZG%0D%06%B6%89%E3%22t%FD%3A%B5%94.WGS%F7%C1%01%15%84%7D%F6%F5t%C4%A8%A5%B8%02%21%00%C8T%12%27%9C%2C%0D%060x%15%C4%DE%03P%B5%CD%88.%AE%B5%D8%5Cc%04_%A2%E2%8A%D9%F3%02 signer=? Validation policy error (KeyLocator check failed: regex ^<>*<KEY><>$ for packet /localhost/nlsr/prefix-update/advertise/h%19%07%17%08%06prefix%08%02to%08%09advertise/%00%00%01I%9DY%8C%AA/%BF%D0Xr%9B%AF%8E%FD is invalid (KeyLocator=/edu/test-site/%C1.Operator/%FD%00%00%01I%9DY%8C%A0/KEY/%C1R%20%29%87O%CF%FE, identity=/edu/test-site/%C1.Operator/%FD%00%00%01I%9DY%8C%A0))
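
The mismatch in the log line above, reproduced as an added example (not ndn-cxx code and not part of the original report): the rule's regex `^<>*<KEY><>$` matches the key name carried in the KeyLocator, but not the identity name the validator compared it against. `toStdRegex` and `matches` are hypothetical helpers that cover only the regex subset this rule uses; the names and the regex are copied from the log.

```cpp
#include <iostream>
#include <regex>
#include <stdexcept>
#include <string>

// Values copied from the log line in the report.
const std::string kRule = "^<>*<KEY><>$";
const std::string kIdentity = "/edu/test-site/%C1.Operator/%FD%00%00%01I%9DY%8C%A0";
const std::string kKeyLocator = kIdentity + "/KEY/%C1R%20%29%87O%CF%FE";

// Hypothetical helper: translate a small subset of NDN component-regex syntax
// (^, $, <> for any one component, <literal>, and *) into a std::regex over
// the URI form of a name. This is not the ndn-cxx Regex class.
std::string toStdRegex(const std::string& ndnRegex) {
  static const std::string special = "\\^$.|?*+()[]{}";
  std::string out;
  for (std::size_t i = 0; i < ndnRegex.size(); ++i) {
    const char c = ndnRegex[i];
    if (c == '^' || c == '$' || c == '*') {
      out += c;
    } else if (c == '<') {
      const std::size_t end = ndnRegex.find('>', i);
      if (end == std::string::npos) throw std::invalid_argument("unterminated '<'");
      const std::string lit = ndnRegex.substr(i + 1, end - i - 1);
      out += "(?:/";
      if (lit.empty()) out += "[^/]+";  // <> matches any single component
      for (char ch : lit) {             // <literal> matches exactly that component
        if (special.find(ch) != std::string::npos) out += '\\';
        out += ch;
      }
      out += ")";
      i = end;
    } else {
      throw std::invalid_argument("token outside the supported subset");
    }
  }
  return out;
}

// True when the whole name (URI form) matches the NDN-style regex.
bool matches(const std::string& ndnRegex, const std::string& nameUri) {
  return std::regex_match(nameUri, std::regex(toStdRegex(ndnRegex)));
}

int main() {
  std::cout << std::boolalpha
            << "key name matches: " << matches(kRule, kKeyLocator) << "\n"
            << "identity matches: " << matches(kRule, kIdentity) << "\n";
}
```
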
#1

Updated by Alex Afanasyev almost 3 years ago

  • Tracker changed from Task to Bug
  • Subject changed from Nail down the checker::key-locator configuration of Validator-config in security v2 to Incorrect interpretation of checker.key-locator in v2:ValidatorConfig
  • Description updated (diff)
  • Category set to Security
  • Status changed from New to Closed
  • Start date deleted (10/13/2017)
