Feature #5112
closedInclude certificate name in KeyLocator
100%
Description
Currently, KeyLocator in Interest/Data signature carries the key name only.
When there are multiple certificates issued to the same key, including when the certificate has been renewed on the same key, the validator may be retrieving an unexpected certificate.
This issue is to put the certificate name into KeyLocator during signing, so that the validator can retrieve the certificate without additional configuration.
Updated by Junxiao Shi over 4 years ago
Cross-project links:
https://github.com/named-data/python-ndn/issues/13
https://github.com/named-data-iot/ndn-lite/issues/72
NDNts will get this feature as well.
Updated by Junxiao Shi over 4 years ago
- Related to Feature #5114: Accommodate certificate name in KeyLocator in /localhop/nfd/rib validation rules added
Updated by Junxiao Shi over 4 years ago
- Blocks Feature #5113: Override certificate name parts in KeyLocator added
Updated by Junxiao Shi almost 4 years ago
- Related to Feature #5142: ValidatorConfig: Accommodate certificate name in hierarchical checker added
Updated by Junxiao Shi almost 3 years ago
- Status changed from New to In Progress
- Assignee set to Junxiao Shi
- % Done changed from 0 to 20
Updated by Junxiao Shi almost 3 years ago
- Related to Feature #5195: nlsr.conf: accommodate certificate name in KeyLocator added
Updated by Junxiao Shi over 2 years ago
- Status changed from In Progress to Closed
- % Done changed from 50 to 100
Updated by Davide Pesavento over 2 years ago
I suspect this change is causing test failures in ndns: https://jenkins.named-data.net/job/ndns/1351/OS=Ubuntu-20.04/console
Junxiao, can you take a look please?
Updated by Junxiao Shi over 2 years ago
- Status changed from Closed to In Progress
- % Done changed from 100 to 50
Reopen due to test failures in NLSR and ndns.
Updated by Davide Pesavento over 2 years ago
I'm afraid this broke ndncert too https://jenkins.named-data.net/job/ndncert/446/
Ignore the ASan errors, I think those happen only because an earlier BOOST_CHECK
should have been a BOOST_REQUIRE
. The real failure is just before the Asan error.
Updated by Davide Pesavento over 2 years ago
ndn-tools is also affected. Fix here: https://gerrit.named-data.net/c/ndn-tools/+/6698
...and NFD, please fix. https://github.com/yoursunny/ndn-cxx-breaks/runs/6088291933?check_suite_focus=true
Basically almost all actively used projects were broken by this change.
Updated by Davide Pesavento over 2 years ago
Btw, is there an easy way to get the identity or key name that signed a packet, regardless of what's in the KeyLocator (cert or key)? If not, we should consider adding some convenience functions such as SignatureInfo::getSigningKey()
or something like that.
Updated by Junxiao Shi over 2 years ago
Davide Pesavento wrote in #note-16:
is there an easy way to get the identity or key name that signed a packet, regardless of what's in the KeyLocator (cert or key)? If not, we should consider adding some convenience functions such as
SignatureInfo::getSigningKey()
or something like that.
This doesn't belong in SignatureInfo
.
It can be a free function: NDNgo has keychain.ToKeyName.
It can also be a method of KeyLocator type.
Updated by Davide Pesavento over 2 years ago
There's no conceptual difference between KeyLocator and SignatureInfo in this regard. And it's supposed to be a convenience function, so the fewer chained method calls to get what I want, the better (within limits of course). So SignatureInfo seems about right to me.
Updated by Junxiao Shi over 2 years ago
- Blocks Feature #5203: Accommodate certificate name in KeyLocator added
Updated by Junxiao Shi over 2 years ago
- Status changed from In Progress to Closed
- % Done changed from 90 to 100
ndns is still broken. Unfortunately, I don't have sufficient understanding of the protocol in order to solve it. Someone else needs to help.
ndns problems are split to #5203 and this issue is closed.
Updated by Davide Pesavento over 2 years ago
- Blocks deleted (Feature #5203: Accommodate certificate name in KeyLocator)
Updated by Davide Pesavento over 2 years ago
- Related to Feature #5203: Accommodate certificate name in KeyLocator added