Project

General

Profile

Actions

Feature #4588

closed

ndnsec export/import: accept passphrase from command line option

Added by Junxiao Shi over 6 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Category:
Tools
Target version:
-
Start date:
Due date:
% Done:

100%

Estimated time:
3.00 h

Description

ndnsec export and ndnsec import require a passphrase to encrypt and decrypt the SafeBag, and they use getpass function to receive passphrase input from an interactive terminal. It is difficult to invoke these programs using an automated process such as NFD IntegrationTests.
This issue introduces a command line option to these programs, to enable passphrase entry from an automated process.


Related issues 1 (0 open1 closed)

Has duplicate ndn-cxx - Feature #4633: Allow password to be specified to ndnsec-import/export on command lineDuplicate

Actions
Actions #1

Updated by Junxiao Shi over 6 years ago

  • Assignee set to Junxiao Shi

I plan to introduce ndnsec export --passout and ndnsec import --passin options. The syntax will be a subset of openssl pass phrase options:

  • pass:password sets the passphrase to the given string. This option is insecure.
  • env:var sets the passphrase to the environment variable. This option is insecure.
  • fd:number reads the passphrase from the given file descriptor using C API. This option is secure.
  • file:pathname and stdin are not supported.

The programs would not attempt to cleanse the memory used by command line option or environment variable.

All passphrase entry facilities, including existing getpass, will be encapsulated into src/util/passphrase.hpp. Its API looks like:

class PassPhrase
{
public:
  static optional<PassPhrase> prompt(const std::string& command_line_option, const std::string& prompt_for_getpass);
  // does not include "confirm" step; return nullopt if failure; blank password is allowed

  ~PassPhrase(); // cleanse

  const char* get() const;

  size_t size() const;
};

Passphrases are limited to 255 chars excluding NUL terminator. I believe this is a reasonable limit.

Actions #2

Updated by Davide Pesavento over 6 years ago

  • Has duplicate Feature #4633: Allow password to be specified to ndnsec-import/export on command line added
Actions #3

Updated by Davide Pesavento over 6 years ago

  • Related to Bug #4379: integration tests: fix broken tests added
Actions #4

Updated by Eric Newberry over 6 years ago

Can this issue be expedited? It's causing the integration tests to be unavoidably broken.

Actions #5

Updated by Davide Pesavento over 6 years ago

  • Assignee deleted (Junxiao Shi)
  • Priority changed from Normal to High

I don't think Junxiao is working on this. I suggest you find another assignee or implement it yourself :)

Actions #6

Updated by Davide Pesavento over 6 years ago

  • Related to deleted (Bug #4379: integration tests: fix broken tests)
Actions #7

Updated by Davide Pesavento over 6 years ago

  • Blocks Bug #4379: integration tests: fix broken tests added
Actions #8

Updated by Davide Pesavento over 6 years ago

  • Status changed from New to In Progress
  • Assignee set to Alex Afanasyev
Actions #9

Updated by Junxiao Shi over 6 years ago

https://gerrit.named-data.net/c/ndn-cxx/+/4804

It’s a partial solution. I do intend to work on the full note-1 solution at some point, so reassign this issue to me once that change merges.

Actions #10

Updated by Alex Afanasyev over 6 years ago

  • Status changed from In Progress to New
  • Assignee changed from Alex Afanasyev to Junxiao Shi
  • Priority changed from High to Normal
  • % Done changed from 0 to 40
Actions #11

Updated by Junxiao Shi over 6 years ago

  • Blocks deleted (Bug #4379: integration tests: fix broken tests)
Actions #12

Updated by Davide Pesavento about 5 years ago

  • Target version deleted (v0.7)
Actions #13

Updated by Junxiao Shi over 3 years ago

  • Status changed from New to Closed
  • Assignee changed from Junxiao Shi to Alex Afanasyev
  • % Done changed from 40 to 100

Junxiao Shi wrote in #note-9:

https://gerrit.named-data.net/c/ndn-cxx/+/4804

It’s a partial solution. I do intend to work on the full note-1 solution at some point, so reassign this issue to me once that change merges.

Plan canceled.

Actions

Also available in: Atom PDF