Project

General

Profile

Actions

Feature #5121

open

Reserve and enforce restriction for /localhost/identity namespace

Added by Alex Afanasyev over 4 years ago. Updated 5 months ago.

Status:
Code review
Priority:
Normal
Category:
Security
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:

Description

De facto, we have reserved /localhost/identity namespace for special uses: digest256 identity and HMAC "identity". However, these restrictions not actively enforced and may lead to issues.

Several restrictions to consider:

  • key generation should fail if the prefix is /localhost/identity
  • validation should fail if the identity type is not handled explicitly

Current state:

$ ndnsec-keygen /localhost/identity/digest-sha256
Bv0BXAdECAlsb2NhbGhvc3QICGlkZW50aXR5CA1kaWdlc3Qtc2hhMjU2CANLRVkI
CE8m2jAVbn8cCARzZWxmCAn9AAABcxWeW1gUCRgBAhkEADbugBVbMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEOlpvgzk4y6eiu6mlY3v9oE+BnCBjhz/cL2GSn3Px
g6jhI9g94fO3zIrGP6Jhu+1GMsexBvY2Z34SepI41AJQkRZkGwEDHDUHMwgJbG9j
YWxob3N0CAhpZGVudGl0eQgNZGlnZXN0LXNoYTI1NggDS0VZCAhPJtowFW5/HP0A
/Sb9AP4PMTk3MDAxMDFUMDAwMDAw/QD/DzIwNDAwNjI4VDE2NTkyNhdGMEQCIFFJ
6j/YQNg6+0Rk0yMk0JguIAb53JJdh7LiTKrxUxgmAiBNVLczrI+PGJTyGEsiJHZk

$ ndnsec-ls-identity -vvv
* /localhost/identity/digest-sha256
  +->* /localhost/identity/digest-sha256/KEY/O%26%DA0%15n%7F%1C
       +->* /localhost/identity/digest-sha256/KEY/O%26%DA0%15n%7F%1C/self/%FD%00%00%01s%15%9E%5BX
            Certificate name:
              /localhost/identity/digest-sha256/KEY/O%26%DA0%15n%7F%1C/self/%FD%00%00%01s%15%9E%5BX
            Validity:
              NotBefore: 19700101T000000
              NotAfter: 20400628T165926
            Public key bits:
              MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOlpvgzk4y6eiu6mlY3v9oE+BnCBj
              hz/cL2GSn3Pxg6jhI9g94fO3zIrGP6Jhu+1GMsexBvY2Z34SepI41AJQkQ==
            Signature Information:
              Signature Type: SignatureSha256WithEcdsa
              Key Locator: Self-Signed Name=/localhost/identity/digest-sha256/KEY/O%26%DA0%15n%7F%1C

I also don't see anywhere restriction of /localhost/identity/digest-sha256 certificate fetching. If validator encounters a packet with key locator /localhost/identity/digest-sha256, it still will try to fetch it.


Related issues 1 (1 open0 closed)

Related to ndn-cxx - Feature #3075: Design support for SignatureHmacWithSha256In Progress

Actions
Actions

Also available in: Atom PDF