Project

General

Profile

Actions

Feature #5004

open

CertificateBundle encoding and decoding

Added by Junxiao Shi about 5 years ago. Updated about 1 year ago.

Status:
In Progress
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
-
Start date:
Due date:
% Done:

20%

Estimated time:
6.00 h

Description

Implement CertificateBundle low-level encoding and decoding API, as specified in #2766-30.

This issue includes these functions and types:

  • deriveCertBundleName
  • deriveCertBundlePrefixFromKeyLocator
  • encodeCertBundle
  • CertBundleDecoder

Related issues 3 (3 open0 closed)

Blocks ndn-cxx - Feature #5005: CertificateBundle publisherNew

Actions
Blocks ndn-cxx - Feature #5007: CertificateBundle fetcherNew

Actions
Blocked by ndn-cxx - Feature #4696: SegmentPublisher: segmentation utilityNew

Actions
Actions #1

Updated by Junxiao Shi about 5 years ago

Actions #2

Updated by Junxiao Shi about 5 years ago

  • Tags set to CertificateBundle
Actions #3

Updated by Junxiao Shi about 5 years ago

Actions #4

Updated by Junxiao Shi about 5 years ago

  • Description updated (diff)
Actions #6

Updated by Jeremy Clark about 5 years ago

  • Status changed from New to In Progress
Actions #7

Updated by Jeremy Clark about 5 years ago

For the deriveCertBundleName and deriveCertBundlePrefixFromKeyLocator functions, what should they return if the name passed to the function isn't correct?

Actions #8

Updated by Junxiao Shi about 5 years ago

what should they return if the name passed to the function isn't correct?

If argument is wrong, throw std::invalid_argument exception.

Actions #9

Updated by Junxiao Shi about 5 years ago

  • Blocked by Feature #4696: SegmentPublisher: segmentation utility added
Actions #10

Updated by Junxiao Shi about 5 years ago

Part of this task is blocked by #4696 because encodeCertBundle relies on SegmentPublisher.
Other parts are not blocked. You can submit a Gerrit Change when unblocked parts are ready.

Actions #12

Updated by Jeremy Clark about 5 years ago

Should I ignore encodeCertBundle for now, write the skeleton of the method around the call to the SegmentPublisher, or include a simple segmentation implementation within it?

Actions #13

Updated by Junxiao Shi about 5 years ago

Should I ignore encodeCertBundle for now, write the skeleton of the method around the call to the SegmentPublisher, or include a simple segmentation implementation within it?

You should submit a Change without encodeCertBundle and anything else that depend on SegmentPublisher.
You should also push the assignee of #4696 to complete his/her assignment, so that you can continue working on encodeCertBundle.
In either case, "simple segmentation implementation" is NOT part of this task.

Actions #14

Updated by Jeremy Clark almost 5 years ago

Since the bundle decoder is a stream decoder, when a data segment is appended, should the decoder check if that segment is (or is part of) a certificate?

Does it make each bundle available as they are decoded?

Actions #15

Updated by Junxiao Shi almost 5 years ago

when a data segment is appended, should the decoder check if that segment is (or is part of) a certificate?
Does it make each bundle available as they are decoded?

Yes. The logic would be similar as reading top-level TLV packets from a stream socket.

Actions #16

Updated by Jeremy Clark almost 5 years ago

Is it possible for a data segment to contain part of two different certificates? For example, if segments are 8000 bytes each and a certificate is 9000, would the first certificate be contained in the first and second segment and the start of the second certificate also be contained in the second segment?

If this is the case, is there a class in ndn-cxx for reading TLV data directly?

Actions #17

Updated by Junxiao Shi almost 5 years ago

Is it possible for a data segment to contain part of two different certificates? For example, if segments are 8000 bytes each and a certificate is 9000, would the first certificate be contained in the first and second segment and the start of the second certificate also be contained in the second segment?

Yes, this is allowed by protocol.

is there a class in ndn-cxx for reading TLV data directly?

SegmentFetcher and SegmentPublisher are expected to expose a streaming interface. Decoding and encoding certificates in the payload stream of a segmented object shall be similar as decoding and encoding L3 packets in a Unix socket.

Actions #18

Updated by Ashlesh Gawande almost 5 years ago

is there a class in ndn-cxx for reading TLV data directly?

SegmentFetcher and SegmentPublisher are expected to expose a streaming interface. Decoding and encoding certificates in the payload stream of a segmented object shall be similar as decoding and encoding L3 packets in a Unix socket.

Could you please point to the code?

Actions #20

Updated by Jeremy Clark almost 5 years ago

What is the SegmentFetcher exposing its streaming interface to? Is the purpose of the append function in the CertBundleDecoder not to accept incoming segments from the Fetcher?

Actions #21

Updated by Junxiao Shi almost 5 years ago

What is the SegmentFetcher exposing its streaming interface to? Is the purpose of the append function in the CertBundleDecoder not to accept incoming segments from the Fetcher?

CertBundleFetcher would use SegmentFetcher to retrieve the segments, and pass each received segment to CertBundleDecoder::append.

Actions #22

Updated by Jeremy Clark almost 5 years ago

Ok. What do you mean by "expose a streaming interface?"

Actions #23

Updated by Junxiao Shi over 4 years ago

Ok. What do you mean by "expose a streaming interface?"

This means the decoder can incrementally accept input, and emit successfully decoded certificates as they are received.
In TypeScript analogy, it's a function that accepts AsyncIterable<Uint8Array> type and returns AsyncIterable<Certificate> type.

Actions #24

Updated by Alex Afanasyev over 4 years ago

  • Tags changed from CertificateBundle to CertificateBundle, security
Actions #25

Updated by Jeremy Clark over 4 years ago

The design states that "A producer MAY provide one or more certificate bundle names in the RDR metadata."

Should creation of the metadata packets be part of the publishing API or is my goal here just to extend the existing MetadataObject with the ability to create such packets?

Actions #26

Updated by Junxiao Shi over 4 years ago

MetadataObject needs to have an extension for Certificate Bundle name, but publishing RDR metadata isn't certificate bundle's responsibility.

Actions #27

Updated by Davide Pesavento over 4 years ago

  • % Done changed from 0 to 20
Actions #28

Updated by Davide Pesavento over 3 years ago

  • Target version changed from 0.8.0 to 0.9.0
Actions #29

Updated by Davide Pesavento about 1 year ago

  • Tags changed from security, CertificateBundle to CertificateBundle
  • Assignee deleted (Jeremy Clark)
  • Target version deleted (0.9.0)
Actions

Also available in: Atom PDF