Project

General

Profile

Actions

Feature #5112

closed

Include certificate name in KeyLocator

Added by Junxiao Shi over 4 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
3.00 h

Description

Currently, KeyLocator in Interest/Data signature carries the key name only.
When there are multiple certificates issued to the same key, including when the certificate has been renewed on the same key, the validator may be retrieving an unexpected certificate.

This issue is to put the certificate name into KeyLocator during signing, so that the validator can retrieve the certificate without additional configuration.


Related issues 5 (2 open3 closed)

Related to NFD - Feature #5114: Accommodate certificate name in KeyLocator in /localhop/nfd/rib validation rulesClosedJunxiao Shi

Actions
Related to ndn-cxx - Feature #5142: ValidatorConfig: Accommodate certificate name in hierarchical checkerClosedJunxiao Shi

Actions
Related to NLSR - Feature #5195: nlsr.conf: accommodate certificate name in KeyLocatorClosedJunxiao Shi

Actions
Related to ndns - Feature #5203: Accommodate certificate name in KeyLocatorNew

Actions
Blocks ndn-cxx - Feature #5113: Override certificate name parts in KeyLocatorNew

Actions
Actions #2

Updated by Davide Pesavento over 4 years ago

  • Category set to Security
Actions #3

Updated by Junxiao Shi over 4 years ago

  • Related to Feature #5114: Accommodate certificate name in KeyLocator in /localhop/nfd/rib validation rules added
Actions #4

Updated by Junxiao Shi over 4 years ago

  • Blocks Feature #5113: Override certificate name parts in KeyLocator added
Actions #5

Updated by Alex Afanasyev over 4 years ago

  • Tags set to security
Actions #6

Updated by Junxiao Shi almost 4 years ago

  • Related to Feature #5142: ValidatorConfig: Accommodate certificate name in hierarchical checker added
Actions #7

Updated by Junxiao Shi almost 3 years ago

  • Status changed from New to In Progress
  • Assignee set to Junxiao Shi
  • % Done changed from 0 to 20
Actions #8

Updated by Junxiao Shi over 2 years ago

  • % Done changed from 20 to 50
Actions #9

Updated by Junxiao Shi over 2 years ago

  • Related to Feature #5195: nlsr.conf: accommodate certificate name in KeyLocator added
Actions #10

Updated by Junxiao Shi over 2 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 50 to 100
Actions #11

Updated by Davide Pesavento over 2 years ago

  • Target version set to 0.8.1
Actions #12

Updated by Davide Pesavento over 2 years ago

I suspect this change is causing test failures in ndns: https://jenkins.named-data.net/job/ndns/1351/OS=Ubuntu-20.04/console
Junxiao, can you take a look please?

Actions #13

Updated by Junxiao Shi over 2 years ago

  • Status changed from Closed to In Progress
  • % Done changed from 100 to 50

Reopen due to test failures in NLSR and ndns.

Actions #14

Updated by Davide Pesavento over 2 years ago

I'm afraid this broke ndncert too https://jenkins.named-data.net/job/ndncert/446/
Ignore the ASan errors, I think those happen only because an earlier BOOST_CHECK should have been a BOOST_REQUIRE. The real failure is just before the Asan error.

Actions #15

Updated by Davide Pesavento over 2 years ago

ndn-tools is also affected. Fix here: https://gerrit.named-data.net/c/ndn-tools/+/6698

...and NFD, please fix. https://github.com/yoursunny/ndn-cxx-breaks/runs/6088291933?check_suite_focus=true

Basically almost all actively used projects were broken by this change.

Actions #16

Updated by Davide Pesavento over 2 years ago

Btw, is there an easy way to get the identity or key name that signed a packet, regardless of what's in the KeyLocator (cert or key)? If not, we should consider adding some convenience functions such as SignatureInfo::getSigningKey() or something like that.

Actions #17

Updated by Junxiao Shi over 2 years ago

Davide Pesavento wrote in #note-16:

is there an easy way to get the identity or key name that signed a packet, regardless of what's in the KeyLocator (cert or key)? If not, we should consider adding some convenience functions such as SignatureInfo::getSigningKey() or something like that.

This doesn't belong in SignatureInfo.
It can be a free function: NDNgo has keychain.ToKeyName.
It can also be a method of KeyLocator type.

Actions #18

Updated by Davide Pesavento over 2 years ago

There's no conceptual difference between KeyLocator and SignatureInfo in this regard. And it's supposed to be a convenience function, so the fewer chained method calls to get what I want, the better (within limits of course). So SignatureInfo seems about right to me.

Actions #19

Updated by Junxiao Shi over 2 years ago

  • % Done changed from 50 to 70
Actions #20

Updated by Davide Pesavento over 2 years ago

  • % Done changed from 70 to 90
Actions #21

Updated by Junxiao Shi over 2 years ago

  • Blocks Feature #5203: Accommodate certificate name in KeyLocator added
Actions #22

Updated by Junxiao Shi over 2 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 90 to 100

ndns is still broken. Unfortunately, I don't have sufficient understanding of the protocol in order to solve it. Someone else needs to help.
ndns problems are split to #5203 and this issue is closed.

Actions #23

Updated by Davide Pesavento over 2 years ago

  • Blocks deleted (Feature #5203: Accommodate certificate name in KeyLocator)
Actions #24

Updated by Davide Pesavento over 2 years ago

  • Related to Feature #5203: Accommodate certificate name in KeyLocator added
Actions

Also available in: Atom PDF