Project

General

Profile

Actions
Copy link

Feature #5112

closed

Include certificate name in KeyLocator

Added by Junxiao Shi about 5 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Junxiao Shi
Category:
Security
Target version:
0.8.1
Start date:
Due date:
% Done:

100%

Estimated time:
3.00 h
Tags:
security

Description

Currently, KeyLocator in Interest/Data signature carries the key name only.
When there are multiple certificates issued to the same key, including when the certificate has been renewed on the same key, the validator may be retrieving an unexpected certificate.

This issue is to put the certificate name into KeyLocator during signing, so that the validator can retrieve the certificate without additional configuration.

Related issues 5 (2 open3 closed)

Related to NFD - Feature #5114: Accommodate certificate name in KeyLocator in /localhop/nfd/rib validation rulesClosedJunxiao Shi

Actions
Related to ndn-cxx - Feature #5142: ValidatorConfig: Accommodate certificate name in hierarchical checkerClosedJunxiao Shi

Actions
Related to NLSR - Feature #5195: nlsr.conf: accommodate certificate name in KeyLocatorClosedJunxiao Shi

Actions
Related to ndns - Feature #5203: Accommodate certificate name in KeyLocatorNew

Actions
Blocks ndn-cxx - Feature #5113: Override certificate name parts in KeyLocatorNew

Actions
Actions
Copy link
 #2

Updated by Davide Pesavento about 5 years ago

  • Category set to Security
Actions
Copy link
 #3

Updated by Junxiao Shi about 5 years ago

  • Related to Feature #5114: Accommodate certificate name in KeyLocator in /localhop/nfd/rib validation rules added
Actions
Copy link
 #4

Updated by Junxiao Shi about 5 years ago

  • Blocks Feature #5113: Override certificate name parts in KeyLocator added
Actions
Copy link
 #5

Updated by Alex Afanasyev about 5 years ago

  • Tags set to security
Actions
Copy link
 #6

Updated by Junxiao Shi over 4 years ago

  • Related to Feature #5142: ValidatorConfig: Accommodate certificate name in hierarchical checker added
Actions
Copy link
 #7

Updated by Junxiao Shi over 3 years ago

  • Status changed from New to In Progress
  • Assignee set to Junxiao Shi
  • % Done changed from 0 to 20
Actions
Copy link
 #8

Updated by Junxiao Shi over 3 years ago

  • % Done changed from 20 to 50
Actions
Copy link
 #9

Updated by Junxiao Shi over 3 years ago

  • Related to Feature #5195: nlsr.conf: accommodate certificate name in KeyLocator added
Actions
Copy link
 #10

Updated by Junxiao Shi over 3 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 50 to 100
Actions
Copy link
 #11

Updated by Davide Pesavento over 3 years ago

  • Target version set to 0.8.1
Actions
Copy link
 #12

Updated by Davide Pesavento over 3 years ago

I suspect this change is causing test failures in ndns: https://jenkins.named-data.net/job/ndns/1351/OS=Ubuntu-20.04/console
Junxiao, can you take a look please?

Actions
Copy link
 #13

Updated by Junxiao Shi over 3 years ago

  • Status changed from Closed to In Progress
  • % Done changed from 100 to 50

Reopen due to test failures in NLSR and ndns.

Actions
Copy link
 #14

Updated by Davide Pesavento over 3 years ago

I'm afraid this broke ndncert too https://jenkins.named-data.net/job/ndncert/446/
Ignore the ASan errors, I think those happen only because an earlier BOOST_CHECK should have been a BOOST_REQUIRE. The real failure is just before the Asan error.

Actions
Copy link
 #15

Updated by Davide Pesavento over 3 years ago

ndn-tools is also affected. Fix here: https://gerrit.named-data.net/c/ndn-tools/+/6698

...and NFD, please fix. https://github.com/yoursunny/ndn-cxx-breaks/runs/6088291933?check_suite_focus=true

Basically almost all actively used projects were broken by this change.

Actions
Copy link
 #16

Updated by Davide Pesavento over 3 years ago

Btw, is there an easy way to get the identity or key name that signed a packet, regardless of what's in the KeyLocator (cert or key)? If not, we should consider adding some convenience functions such as SignatureInfo::getSigningKey() or something like that.

Actions
Copy link
 #17

Updated by Junxiao Shi over 3 years ago

Davide Pesavento wrote in #note-16:

is there an easy way to get the identity or key name that signed a packet, regardless of what's in the KeyLocator (cert or key)? If not, we should consider adding some convenience functions such as SignatureInfo::getSigningKey() or something like that.

This doesn't belong in SignatureInfo.
It can be a free function: NDNgo has keychain.ToKeyName.
It can also be a method of KeyLocator type.

Actions
Copy link
 #18

Updated by Davide Pesavento over 3 years ago

There's no conceptual difference between KeyLocator and SignatureInfo in this regard. And it's supposed to be a convenience function, so the fewer chained method calls to get what I want, the better (within limits of course). So SignatureInfo seems about right to me.

Actions
Copy link
 #19

Updated by Junxiao Shi over 3 years ago

  • % Done changed from 50 to 70
Actions
Copy link
 #20

Updated by Davide Pesavento about 3 years ago

  • % Done changed from 70 to 90
Actions
Copy link
 #21

Updated by Junxiao Shi about 3 years ago

  • Blocks Feature #5203: Accommodate certificate name in KeyLocator added
Actions
Copy link
 #22

Updated by Junxiao Shi about 3 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 90 to 100

ndns is still broken. Unfortunately, I don't have sufficient understanding of the protocol in order to solve it. Someone else needs to help.
ndns problems are split to #5203 and this issue is closed.

Actions
Copy link
 #23

Updated by Davide Pesavento about 3 years ago

  • Blocks deleted (Feature #5203: Accommodate certificate name in KeyLocator)
Actions
Copy link
 #24

Updated by Davide Pesavento about 3 years ago

  • Related to Feature #5203: Accommodate certificate name in KeyLocator added
Actions
Copy link

Also available in: Atom PDF